DHT420

Active Members

Posts: 8
  1. COFEE does not collect as much information as the Incident Response USB tool on this website, though it does have a nice XML report generator. Another big issue is that it doesn't collect information on Vista/7.
  2. XXSlurp

     Sorry for the delay! XXSlurp v1.1 is now out. It is now portable and no longer requires an installation the first time it is run. It can be downloaded from here (README is included): http://sharebee.com/924029b3

     VirusTotal results (1/41): http://www.virustotal.com/analisis/24e5cb6...d150-1247254495

     Things I'm looking at in the future:
     * Allowing more than 8 extensions per run.
     * Archiving/encryption of slurped files.
  3. "Decades old information would be worthless"

     I find that hard to believe. The data maintained by the NSA isn't of evanescent relevance; it remains quite valuable and important. So, why wouldn't they just re-encrypt it? They probably would. But they want the strongest assurance possible.

     "So why be paranoid"

     Because that is what they're paid to do. If they are given the choice between 128-bit and 256-bit, and told that 256-bit is stronger, they will go with the stronger solution. In their mind, it is their job to have the very highest level of security. I never said it was rational/logical; it is just how the NSA thinks. Just look at the consumer encryption market. Most people want XXX SUPER-ENCRYPTION STANDARD 99999-BITS encryption for their dog photos. It has nothing to do with logical predictions about the security of the algorithm. It's human nature.
  4. The NSA uses AES-256 for Top Secret data because this data may need protecting for decades into the future. It has nothing to do with fears about current cryptanalysis; it's a safety measure that is part preparedness and part superstition.

     As far as the NSA making "backdoors", you're either implying that all AES software distributed today has a U.S. government agency-regulated exploit, or that the Rijndael algorithm itself is a giant mathematical mousetrap made in collusion with the NSA. I can assure you, both of these are highly unlikely. Most, if not all, cryptographers attest to AES's security, despite their personal misgivings about it. Bruce Schneier himself believes in the security of AES, even if he prefers Twofish and Blowfish. I don't think we have anything to worry about. If AES were crackable, the NSA would not be using it at ALL.
  5. XXSlurp

     XXSlurp is a file slurping program that can be operated on Windows 98 and up. It is not tied down to command line tools in Windows like XCOPY or ROBOCOPY, and as such it is much more portable. XXSlurp uses XXCOPY to slurp files. XXCOPY is an extremely robust command line file copier/synchronizer that lacks all of the problems of native Windows tools, and it happens to be very flexible in its method of copying files.

     XXSlurp can be run in two ways. You can run the program and specify what files to slurp and it will begin to copy these files to your removable storage, or you can use the Auto-Slurp BAT Creator to create a batch script that, when run, will automatically slurp specified files from a specified location without requiring user input. XXSlurp can slurp files of any extension from any location.

     It can be downloaded from here (README is included): http://sharebee.com/5749b0f3

     VirusTotal results (0/40): http://www.virustotal.com/analisis/c27c620...1134-1245008513

     Screenshots:
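The following is an added example of the "auto-slurp" batch script the post above describes; it is not XXSlurp's code and is not produced by the Auto-Slurp BAT Creator. It copies every file with the given extensions out of a source tree onto the drive the script itself runs from, keeping the directory layout and never prompting. It substitutes the stock `xcopy` for XXCOPY (which the original uses), so the limitations the post alludes to apply here: `xcopy` skips files that are open for exclusive access and can fail on very long paths. The script name `SLURP.BAT`, the `Slurp` output folder and the extension list in the usage line are all assumptions.

```batch
@echo off
REM Added example; not XXSlurp's code. Copies every file with the given
REM extensions out of a source tree onto the drive this script runs from,
REM preserving the directory layout, without prompts.
REM Uses stock xcopy in place of XXCOPY: xcopy skips files that are open for
REM exclusive access and can fail on very long paths.
REM Usage (hypothetical names): SLURP.BAT C:\Documents doc xls pdf
setlocal enableextensions

if "%~2"=="" (
    echo usage: %~nx0 ^<source-dir^> ^<ext^> [^<ext^> ...]
    exit /b 1
)

REM Destination: <this script's drive>:\Slurp\<host>_<timestamp>.
REM %DATE% and %TIME% are locale-dependent, so strip characters that are
REM not allowed in file names (/ : . and spaces).
set "STAMP=%DATE%_%TIME%"
set "STAMP=%STAMP:/=-%"
set "STAMP=%STAMP::=-%"
set "STAMP=%STAMP: =_%"
set "STAMP=%STAMP:.=-%"
set "DEST=%~d0\Slurp\%COMPUTERNAME%_%STAMP%"
mkdir "%DEST%" 2>nul
set "LOG=%DEST%\slurp.log"

set "SRC=%~1"
REM shift /1 leaves %0 alone so %~d0 stays valid afterwards.
shift /1
echo Slurp of "%SRC%" started %DATE% %TIME% > "%LOG%"

:next_ext
if "%~1"=="" goto done
echo [%TIME%] copying *.%~1 >> "%LOG%"
REM /S recurse into subdirectories, /H include hidden and system files,
REM /C keep going after errors (e.g. locked files), /Y never prompt to
REM overwrite, /I treat the target as a directory. xcopy recreates the
REM source directory structure under %DEST% and lists each file copied,
REM which the log captures.
xcopy "%SRC%\*.%~1" "%DEST%\" /S /H /C /Y /I >> "%LOG%" 2>&1
shift /1
goto next_ext

:done
echo Slurp finished %DATE% %TIME% >> "%LOG%"
endlocal
```

Because `%~d0` is the drive letter of the script itself, the same file works unchanged from whatever letter the removable drive is assigned on a given host. Files that `xcopy` cannot open are skipped rather than aborting the run, and the failures show up in `slurp.log`, so check the log before assuming a complete copy.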
  6. It is possible to put information on the CD partition of a U3 drive by manipulating the ISO that gets burnt to it, but the partition itself is very small (around 6 MB), so the payload would have to be relatively thin. As mapping drives go, it is not all that difficult. I have seen tutorials on assigning a "permanent" drive letter to a USB drive, but I think that just goes as far as your home computer and not others. It shouldn't be too hard to have an executable on the CD partition that looks for a drive with a TAG file in it, and then returns that drive letter to the payload script. Maybe it could be done in VBS, but that's over my head.
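Here is an added example of the launcher the post above sketches, written as a batch file rather than VBS; it is not DHT420's code. It is meant to run from the read-only CD partition of a U3 drive, where the letter of the writable data partition is not known in advance: it probes every drive letter for a marker file and hands the first match to the payload script. The marker name `PAYLOAD.TAG` and the payload path `<letter>:\Files\SCRIPT.BAT` are assumptions.

```batch
@echo off
REM Added example; not DHT420's code. Runs from the CD partition of a U3
REM drive, finds the data partition by looking for a marker file on every
REM drive letter, and passes that letter to the payload script.
REM Assumptions (hypothetical names): the data partition has an empty file
REM named PAYLOAD.TAG at its root, and the payload is <letter>:\Files\SCRIPT.BAT.
setlocal enableextensions

set "TAGFILE=PAYLOAD.TAG"
set "PAYLOAD="

REM Start at C: so A: and B: are never probed (a floppy drive is slow to
REM test and may raise a dialog). Only the first drive with the tag wins.
for %%D in (C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (
    if exist "%%D:\%TAGFILE%" (
        if not defined PAYLOAD set "PAYLOAD=%%D:"
    )
)

if not defined PAYLOAD (
    echo %TAGFILE% not found on any drive; payload not started.
    exit /b 1
)

echo Payload drive is %PAYLOAD%
if not exist "%PAYLOAD%\Files\SCRIPT.BAT" (
    echo %PAYLOAD%\Files\SCRIPT.BAT is missing.
    exit /b 1
)

REM The payload receives its own drive letter as %1, so it can write its
REM log files to that drive instead of guessing the letter.
call "%PAYLOAD%\Files\SCRIPT.BAT" %PAYLOAD%
endlocal
```

Pick a marker name that will not exist on a host's own drives, since the first drive carrying the file is taken as the payload drive. Probing a disconnected mapped network drive with `if exist` can stall for a while; if that is a concern on the target hosts, restrict the letter list accordingly.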
  7. *sigh* Go figure. :( I got "Everything" (which is an application, not "everything" as in the whole application) from http://www.voidtools.com/.

     Here are the VirusTotal.com results: http://www.virustotal.com/analisis/d31354e...c324-1244611403

     29/37 scanners detected something. In these cases, it was the NirSoft password collection tools that registered as malware because of their possible uses. I have included nothing that will in any way harm a computer, or remain resident after the USB drive is removed. But as they always say, "trust, but verify". Here is the code for the main script: http://pastebin.com/f130d4451

     Make sure to note that the main script sits in the same directory as the tools it uses, and it sends logfiles to the "Logfiles" directory, which is in the parent directory (e.g. the drive root). So it looks kind of like this:

     Root (E:)
     -Files (E:\Files)
     --SCRIPT.BAT (E:\Files\SCRIPT.BAT)
     -Logfiles (E:\Logfiles)

     Of course, it would be altogether easier to just download the script and use it, "antivirus false positive" concerns aside. In addition to the automated data collection, there is a menu that allows you to access other tools for either poring over the collected data or for manually collecting data. I plan to update the script sometime soon, as I have included a new "podslurping" script that I am eager to see used.

     BTW, here are some screenshots of my script for those interested:
     * Main menu
     * The Incident Response Payload running...
  8. Incident Response Switchblade 1.7+

     This is the result of some pretty heavy modifications of the Incident Response Payload. A lot of new functionality has been added, i.e. volumes of information collection, the ability to compress/encrypt output files, calculating the MD5s of output files, a scan log detailing what information was collected and when, etc. It's really too much for me to describe, and being the lazy idiot that I am, I didn't keep a meticulous changelog.

     In summary, it's a retooling of the Incident Response Payload into a script that toes the line between system information collection and forensic data acquisition. It is not U3 specific, and can operate on any USB drive. You can download it from here: http://sharebee.com/e0ef9532
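The following added example is a skeleton of a collection script in the shape the two posts above describe; it is neither the Incident Response Payload nor the Switchblade script. It covers the directory layout from the earlier post (the script lives at `<root>\Files\SCRIPT.BAT` and writes under `<root>\Logfiles`) and two of the features listed for 1.7+: a scan log recording what was collected and when, and an MD5 for every output file. The collection commands are stock Windows XP-and-later tools chosen for illustration (the original uses NirSoft and Sysinternals utilities), and hashing assumes `certutil -hashfile` with an `MD5` argument, which is present on Windows 7 and later but not guaranteed on XP. Compression/encryption of the output is not shown.

```batch
@echo off
REM Added example; not the Incident Response Payload/Switchblade script.
REM Layout: this file is <root>\Files\SCRIPT.BAT; output goes to
REM <root>\Logfiles\<host>_<timestamp>\ with a scan log and md5sums.txt.
REM Assumptions: stock XP-and-later commands stand in for the original's
REM NirSoft/Sysinternals tools; certutil -hashfile MD5 is available
REM (Windows 7 and later; not guaranteed on XP).
setlocal enableextensions

REM %~dp0 is this script's directory; its parent is the drive root.
for %%I in ("%~dp0..") do set "ROOT=%%~fI"
set "LOGDIR=%ROOT%\Logfiles"

REM Locale-dependent %DATE%/%TIME%: strip characters illegal in names.
set "STAMP=%DATE%_%TIME%"
set "STAMP=%STAMP:/=-%"
set "STAMP=%STAMP::=-%"
set "STAMP=%STAMP: =_%"
set "STAMP=%STAMP:.=-%"
set "CASE=%LOGDIR%\%COMPUTERNAME%_%STAMP%"
mkdir "%CASE%" 2>nul
set "SCANLOG=%CASE%\scanlog.txt"
set "SUMS=%CASE%\md5sums.txt"

echo Scan of %COMPUTERNAME% started %DATE% %TIME% as %USERNAME% > "%SCANLOG%"

REM Most volatile data first (connections, processes), then configuration.
call :collect "netstat -ano"  netstat.txt
call :collect "tasklist /v"   tasklist.txt
call :collect "ipconfig /all" ipconfig.txt
call :collect "net user"      net_user.txt
call :collect "systeminfo"    systeminfo.txt

echo Scan finished %DATE% %TIME% >> "%SCANLOG%"
echo Output written to "%CASE%"
endlocal
goto :eof

:collect
REM %~1 = command line to run, %~2 = output file name under %CASE%.
set "OUT=%CASE%\%~2"
>> "%SCANLOG%" echo [%TIME%] running "%~1", output %~2
%~1 > "%OUT%" 2>&1
REM certutil prints a header line, the hash (byte pairs separated by spaces
REM on Windows 7) and a trailer line; keep the hash line and drop spaces.
set "HASH="
for /f "skip=1 delims=" %%H in ('certutil -hashfile "%OUT%" MD5 2^>nul ^| findstr /v /i "CertUtil"') do set "HASH=%%H"
if defined HASH (set "HASH=%HASH: =%") else (set "HASH=hash-unavailable")
>> "%SUMS%" echo %HASH%  %~2
goto :eof
```

Hashing each output file as it is written gives you a record to check later that nothing in the case folder was altered after collection, which is the point of the MD5 feature in the post. Keep in mind that although the output goes only to the removable drive, the commands still execute on the host and leave the usual traces there (prefetch entries, USB device registry keys), which is why the post describes the tool as sitting between information collection and forensic acquisition rather than as a forensically clean acquisition.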