Sunday, April 12, 2009

Security and Utility Linkfest Smackdown

I really want to fully dual-boot my Gateway MT6451 Notebook with Windows 7 but it only has a 120 GB Hitachi 4500 rpm drive and I am finding the free-space dwindling fast.

Between all the VHD’s and utilities I keep on it, there isn’t a lot of room for a 2nd OS, even if I go with the Dual Boot Windows 7 on Vista via VHD method.

Because it uses the “older” ATA-6 format drive support, I’m not left with many upgrade options that will give me both performance and space.  At the moment this Newegg.com offered Western Digital WD3200BEVE 320GB 5400 RPM 2.5" ATA-6 Notebook Hard Drive looks to be the best option as it give me the space bump I need as well as some speed increase; and the $99.00 price point is very reasonable.

Alvis and Lavie have some fiscal responsibilities that need to be met first before I can budget for “toys” but I might have to do my part to stimulate this sector of the economy very soon.

New and Improved

  • Autoruns v9.41 – Microsoft Sysinternals - “This release fixes a bug with the hide-Microsoft images options when the signature verification option is enabled.”
  • WhatInStartup – Nirsoft – It was a bit ironic seeing this new tool from Nir Sofer’s factory come out the same time the almighty Autoruns got a version upgrade.  In my mind, Autoruns is hands-down the best autostart entry explorer/tweaker there is.  However, that said, Nir’s tool does bring something special to the table.  While it doesn’t attempt to scan and display the full depth possible that Autoruns does, it does address all the most common areas that most users will need to be poking around in.  Furthermore, it can set to monitor the system and delete pesky auto-run items that will attempt to re-insert themselves back in. Or as Nir Sofer put’s it, “WhatInStartup also supports a special "Permanent Disabling" feature - If a program that you previously disabled added itself again to the startup list of Windows, WhatInStartup will automatically detect the change and disable it again.”  That could be handy when dealing with certain kinds of malware that attempt to re-spawn after removal and reboot. Well worth checking out and getting familiar with.
  • Spybot Search & Destroy competitors are trying to force its removal -- Security News – Betanews – Poor Spybot.  Once the darling of the malware-busting world, it has been a victim of it’s own success with a flooded anti-malware product market and now taking licks from large commercial anti-malware/anti-virus product corporations that seem to bully users into removing Spybot before installing their products. In some cases there may be some feature overlap which could cause conflict, but in most it seems to be scare-tactics.  While I don’t normally reach for Spybot any more on my cleaning jobs, it has been a rare product that has remained free and non-commercialized for a considerable length of time.  For that alone I keep a version updated and handy on my USB stick and keep an eye out for new releases.  With the team hard at work on the 2.0 release, I’m hoping they push through this name-calling and hit the next one out of the park.
  • Malwarebytes’ Anti-Malware version 1.36 – New version does some fixes and adds some more threat detections.  In my own malware incident response work, I prefer to assess the running processes and network connections, grab an image of the system/memory for later analysis, reboot with WinPE in “off-line” mode to manually clean-out the system.  However, if I am in a hurry Malwarebytes is the first anti-malware tool I generally reach for now.  I’ve had excellent success ripping out pesky stuff with this one on home service calls.  Couple this one with an USB based AV/AM Tool (such as VIPRE PC Rescue, or Kaspersky Virus Removal Tool, or the latest find, Prevx Edge) and you have a pretty powerful smackdown to share with the malware.
  • SpywareBlaster v4.2 – While this tool doesn’t “remove” malware from a system, it goes a long way to helping prevent it from taking root in the first place.  This new version works with Internet Explorer 8 and Windows 7 builds.  Other changes: K-Meleon support, Interface improvements, Enhanced support for Flock 2.x , Significantly faster "Disable All Protection" operation , Fixed recurring "run from Admin account" error, Fixed problems detecting some Firefox (and other Gecko-based browser) profiles, and additional small bug fixes, tweaks, and optimizations.
  • Wireshark 1.0.7 – This favorite packet-capture tool just received a good polishing to remove numerous bugs and vulnerabilities.  Nothing new in the feature department but enough was added to make it worthwhile to drop in and upgrade to this newest version.
  • VirtualBox 2.2.0 – While I do prefer VirtualPC 2007 for my workplace virtualizations (we are a Microsoft shop), there are time when I must have USB support (something VPC doesn’t offer) or I need to run Linux distros and certain ones just done behave under VPC.  That’s when VirtualBox really shines.  The last VirtualBox upgrade was a doozie and really whacked out much of what I had gotten comfortable with.  So I was prepared for more of the same. Fortunately, this upgrade/usage was much smoother.  Read the change-log for all gory details.  Suffice it to say that this is truly a major version upgrade with many, many performance improvements, feature additions, and the mandatory bug-fixes.
  • Parted Magic 4.0 – This Linux “LiveCD” distro recently got dusted off and jam-packed with some major fixes and upgrades.Hop the link to read over them all.  Well worth the time to download, burn, and add to your CD case.
  • SystemRescueCd v1.1.7 – This is another amazing “must have” utility LiveCD disk for system administrators.  It has a bazillion tools and useful things to keep systems up and running and to perform CPR in the event something really bad happens. ChangeLog covers the gamut of updates and enhancements added to this latest build.

For Sysadmins Only

  • Two Minute Drill: Performance Analysis of Logs Tool (PAL) – Ask the Performance Team blog – All you could possibly want to know and then some regarding the PAL tool.  From the post introduction: “Reviewing Performance Monitor Logs can be one of the most daunting tasks for an administrator, especially if it’s not something that you do on a regular basis.  The Performance Analysis of Logs (PAL) tool can read Performance Monitor counter logs and analyzes them based on some pre-defined thresholds.  PAL includes threshold definitions for most of the major Microsoft products such as IIS, SQL Server, BizTalk Server, Exchange Server and Active Directory.  PAL isn’t intended to replace traditional performance analysis – but, it can help to cut down on some of the analysis time.”
  • Engineering Windows 7 : Delivering a quality upgrade experience – All you want to know and then some regarding the upgrade options available to you under Windows 7.  XP to W7 upgrades aren’t possible…although (currently) one can do an in-place upgrade from Vista SP1 to W7 beta.  For many users, this means you have to transfer your files/settings to off-system storage media, do a clean install of W7, then put stuff back.  The upgrade process between W7 beta and W7 RC builds have also been set by Microsoft to require a clean install (in most cases).  However the post does detail a semi-involved process available (tentatively) to enterprise customers that will allow a bypass of the version pre-install check and allow a build-to-build upgrade in place.

For Hard-Drive Heads

In my recent Cleaning up the Attic: Convert command post, I documented converting (in place, files and all) three partitions on my desktop system from FAT32 to NTFS.

It was easy and painless.

However, Ronald and JC encouraged me to check the cluster size on the new NTFS partitions.  As Ronald pointed out (Default cluster size for FAT and NTFS – MS KB 140365) that using the convert command on some FAT32 formatted partitions results in sectors of 512 byte sizes, and not the default 4K size.  While generally not that big of a deal for home users, moving to the 4K sector size can enhance performance with copy/move file activity.

To perform the cluster size check I ran the "chkdsk X:" command where "X" was the drive letter.

As typical in this case, the covert command did NTFS format all my drives at the 512 byte size. My original NTFS system partition was already at the standard 4K cluster size.

One volume at a time, I copied the files off each volume, then reformatted each volume: format x: /fs:ntfs /v:label /q /y /x

Then I copied the files back.

The copy rate difference was amazingly (not really with the cluster size change) faster going back to the 4K cluster size partition than it was between the 512 byte cluster sized partitions.

I say all that to get to this point: while the chkdsk command is always present and handy for XP/Vista users, you may get some additional information in using it.  Depending on the condition and size of your drive, this can take a lot of time to complete.  It’s a bit of overkill when you just quickly and simply want to get some NTFS drive geometry data.

So I just so happened to be be covering the drive-storage chapter in my Microsoft Windows Internals (4th Edition) book this week and lo-and-behold I found a few more great tools:

  • NTFSInfo – Microsoft Sysinternals – This command-line tool quickly and easily shows you great information regarding your NTFS drives.  The command is simple: NTFSINFO [drive letter]  Then BAM! That’s it.  Take a look below at the instant data I got on my laptop’s system drive:
    • C:\>ntfsinfo c

      NTFS Information Dump V1.01
      Copyright (C) 1997 Mark Russinovich
      http://www.sysinternals.com

      Volume Size
      -----------
      Volume size            : 104328 MB
      Total sectors          : 213664499
      Total clusters         : 26708062
      Free clusters          : 14782470
      Free space             : 57744 MB (55% of drive)

      Allocation Size
      ----------------
      Bytes per sector       : 512
      Bytes per cluster      : 4096
      Bytes per MFT record   : 1024
      Clusters per MFT record: 0

      MFT Information
      ---------------
      MFT size               : 205 MB (0% of drive)
      MFT start cluster      : 786432
      MFT zone clusters      : 20116800 - 20168032
      MFT zone size          : 200 MB (0% of drive)
      MFT mirror start       : 13354031

      Meta-Data files
      ---------------

  • DiskView – Microsoft Sysinternals – Another great tool for looking into files/sectors/and disk-space usage.  This one is GUI based.  From the description, “DiskView shows you a graphical map of your disk, allowing you to determine where a file is located or, by clicking on a cluster, seeing which file occupies it. Double-click to get more information about a file to which a cluster is allocated.”  Want to take a look at the specific sector a file is sitting on? browse to the location and it will point out the details.  Then you can use a HDD sector viewing tool to quickly drill down to that particular section on the drive for eyes-on review.  Pretty cool.
  • Windows NT File System (NTFS) File Sector Information (NFI) Utility – This is another really cool command-line based micro-tool I discovered in the Windows Internal book.  Download and unzip the utility pack from the link above.  The NFI tool is “…used to dump information about an NTFS volume, and determine which volume and file contains a particular sector.”  run the nfi /? command to list the arguments and full roundup of features.  However, among the great things it can provide is the specific sector location of a file/directory (either contiguous or non-contiguous).  For an example, see the output when I wanted to see where the cmd.exe file is located:
    • C:\>nfi c:\windows\system32\cmd.exe
      NTFS File Sector Information Utility.
      Copyright (C) Microsoft Corporation 1999. All rights reserved.

      \Windows\System32\cmd.exe
          $STANDARD_INFORMATION (resident)
          $FILE_NAME (resident)
          $FILE_NAME (resident)
          $DATA (nonresident)
              logical sectors 4807656-4808279 (0x495be8-0x495e57)
          Attribute Type 0x100 $TXF_DATA (resident)

  • DiskEdit - Vienna Computer Products – While DiskEdit is a Microsoft product, it is a pain to get, extract, and then port to a portable version.  Vienna Computer Products’ Peter Kleissner did all the work for us and packaged up everything you need to get it going.  Thanks Peter!
  • Wayne’s World of IT: Viewing NTFS information with nfi and diskedit – Fast and easy to follow post that covers some more examples of nfi and diskedit tool usage.

Forensics and First Responder Finds

DEFT v4.2 DEFT Linux - Computer Forensics live cd – Hot off the presses.

I’m very impressed with this distro.

I’ve got another post building on this from a system-administrator’s perspective.  This version contains the DEFT Extra 1.0 (Gui, Forensics tools for Microsoft Windows and much more) tool on a Windows “auto-run” menu side.  This feature is in line with those that the original Helix CD’s contained.  Enhanced form of which can also be found on the CAINE Live CD.

Anyway…back to those in a future post.

While exploring the DEFT Extra utility inclusions I did spot two programs that I hadn’t seen before and were fascinating enough to want to break-out here for focus.

  • "PC On/Off Time" – freeware - Neuber software – This tool allows a 3-week window view of the system on and off times in an easy to read graphical view.  while not providing specific time information (down to minute/seconds) it does provide a fast way to assess system operational times.  For more detailed information you will have to drill into the System Event logs and/or registry. (RegRipper or Evidence Collector)
  • Nigilant32 - Agile Risk Management LLC – freeware – Very interesting tool that is designed to capture lots of information on a running system with minimal impact.  Includes the SnapShot to “…review and save a report of the running system that includes Processes, Services, User accounts, Scheduled Tasks, Network Ports, etc.” Then there is the Filesystem Review used to “…explore the file system and possibly locate hidden files or folders, recently deleted content, or extract files for offline analysis with limited risk of contamination.” And finally it has Active Memory Imaging to “…image the active physical memory (RAM) of the suspect workstation or server to secure portable media.”  All great tools during incident response and malware event capture and analysis. 

Oh yeah.  Did I mention it runs off a single ~750 kB exe?  Perfectly portable! 

For more awesome incident responder tools similar to nigilant32, check out MANDIANT’s Free Software roundup which includes incident first-responder tools such as memoryze, Red Curtain, and First Response.  All free and quite sophisticated.

Whew!

That was quite a roundup!

Happy Easter Greetings.

--Claus V.

No comments: