Monday, December 31, 2007

Another Year Come and Gone.......

As another year vanishes and a new one starts, I would like to take the time to wish every reader a happy new year. With the new year I will try to post more often and keep you all coming back for more information. I have a few things in the works and I am always looking for more projects. If anyone has any ideas, drop me a line (mark dot mckinnon at sbcglobal dot net), or if anyone has a good idea for a utility that can be written, let me know.

Wishing you all a safe and joyful New Year


Sunday, December 30, 2007

ISystemWiper Analysis

I ran into this program during an examination. The examination was on site and I could not take the image with me, so I could not boot it up in VMware and check out the program to see what the settings were. What I did do was take a copy of the directory where the program was installed, the registry keys for the program and the downloaded install file. From there I was able to bring it back into my lab, install it and figure out what settings the user had enabled. I have created a PDF of my notes and it can be downloaded here.

The program is pretty interesting in that it allows you to create your own custom plugins to delete user-definable items. There are also quite a few plugins that come with the product, and by going through the files you can actually learn something about those products. If you check out the program you will see for yourself. I did not go through all the plugins, as I will leave that up to you if you are curious.

Now, is this something that you all would like to see more of? If so, let me know and I can try to create some more. If anyone out there has done any analysis on any programs and would like to share, please let me know and I can make you a guest blogger.

As always questions/comments/thoughts/improvements?

Saturday, December 29, 2007

Vinetto - A Thumbs DB Parser/Viewer

A while ago I blogged about a program to view the contents of a thumbs.db file. In the comments, Christophe Monniez AKA d-fence (who created the FCCU GNU/Linux boot CD) brought to my attention the open source project Vinetto, which is a forensics tool to examine Thumbs.db files written by Michel Roukine. It is a command line Python script that works on Linux, Mac OS X and Cygwin (win32). I tried it on Cygwin and thought it was a great tool to have in the old tool belt; you can never have enough tools. Since I do not know Python I thought it would be a good time to learn it. Well, I am still trying to learn it and hopefully in the future will be providing some new tools in it.

Now, as most of you know, most of my tools will run on Linux (command line) and Windows (command line and GUI), and I strive to make sure that they will work on both (some will only work on Windows because that is where the libraries are). I saw that Vinetto would work under Cygwin but not win32 natively, so I thought I would see what it would take to make it work natively under win32. Those that just want to use the program and not worry about what I changed can skip to the bottom to the link where the program is (I have compiled the program so there is no need to have Python on your system to use it).

After downloading it and making sure that I had the prerequisites (Python 2.3 or later and PIL (Python Imaging Library) 1.1.5 or later) installed, I opened up the files and looked at what would have to change. Here is all that had to change.

Changes to program vinetto

Line 1 change #!/usr/local/bin/python to #!c:\python25\python
Line 160 change /usr/share/vinetto/header to ./res/header
Line 161 change /usr/share/vinetto/quantization to ./res/quantization
Line 162 change /usr/share/vinetto/huffman to ./res/huffman
Line 320 change open(outputdir + "/" + NUMBERED_THUMBS_DIR + "/" + TNfname(SIDstr, "2") + ".jpg", \
to open(outputdir + "/" + TNfname(SIDstr, "2") + ".jpg", \

changes to program

Line 62 change /usr/share/vinetto/HtRepTemplate.html to ./res/HtRepTemplate.html

changes to the program

replace everything with the following

from distutils.core import setup
import py2exe  # registers the py2exe build command with distutils

setup(console=["vinetto"])  # script name assumed from the program above; add any other scripts to the list


run the following to create the executable

python setup.py py2exe

Once the executable has been created (if you already have Python and PIL then you do not need to create the executable), you just need to copy the res directory underneath the dist directory (if you are lost here do not worry, I have everything compiled for you, and if you have done this before you will understand). I then tested it out and it works great (there is one error that states the number of arguments is not correct that I have not looked into); it outputs the files and creates the HTML report.

So future changes/additions for this, I think, will be to add an AutoIt GUI front end for the Windows users who are command line averse, and an option to scan a directory (top-most directory) to find all the thumbs.db files. For any other additions I would have to use the program some more.
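Two points from the port above deserve a worked example (this is added example code, not part of Vinetto or of the original post). First, the edited script looks for its resource files under ./res, which is resolved against the current working directory, so running the tool from any other folder will fail to find header, quantization, huffman or HtRepTemplate.html; resolving against the script's own location (or the py2exe executable's location when frozen) fixes that. Second, the planned "scan a directory" option is shown as a recursive, case-insensitive search for Thumbs.db files, which matters because Windows preserves whatever case the file was created with. The layout of the res directory next to the script or executable is an assumption, and the directory tree the demo builds is constructed sample data.

```python
import os
import shutil
import sys
import tempfile


def resource_dir():
    """Return the directory holding the 'res' files.

    './res' (as used in the port above) is relative to the current working
    directory.  Anchoring on the script location instead, or on the py2exe
    executable when the program is frozen, works from any folder.
    Assumption: the 'res' directory sits next to the script / the .exe.
    """
    if getattr(sys, "frozen", False):
        # py2exe sets sys.frozen; sys.executable is then the generated .exe
        base = os.path.dirname(os.path.abspath(sys.executable))
    else:
        base = os.path.dirname(os.path.abspath(__file__))
    return os.path.join(base, "res")


def resource_path(name):
    """Full path of one resource file, e.g. resource_path('header')."""
    return os.path.join(resource_dir(), name)


def find_thumbs_db(root):
    """Recursively list every Thumbs.db under root.

    The name is matched case-insensitively so THUMBS.DB and thumbs.db are
    both found; anything else (e.g. thumbs.dbx) is ignored.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fname in filenames:
            if fname.lower() == "thumbs.db":
                hits.append(os.path.join(dirpath, fname))
    return sorted(hits)


def demo_scan():
    """Build a constructed sample tree, scan it and return the relative hits."""
    root = tempfile.mkdtemp(prefix="thumbs_scan_demo_")
    try:
        # Constructed layout: three real hits in different case, two decoys.
        sample_files = [
            "Thumbs.db",
            os.path.join("photos", "thumbs.db"),
            os.path.join("photos", "old", "THUMBS.DB"),
            os.path.join("docs", "notes.txt"),
            os.path.join("docs", "thumbs.dbx"),
        ]
        for rel in sample_files:
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(b"")  # contents are irrelevant to the scan
        return [os.path.relpath(p, root) for p in find_thumbs_db(root)]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print("resources resolved under:", resource_dir())
    for hit in demo_scan():
        print("found:", hit)
```

Dropping resource_path() into the script in place of the ./res string literals means the compiled dist folder can be invoked from any working directory, and find_thumbs_db() can feed each hit to the existing single-file processing loop.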

For more information about this program go to the website

To download my changes and an executable copy of the program go here