mleo2003's Achievements
  1. http://rss.slashdot.org/~r/Slashdot/slashd...-Sold-To-Rapid7 Just saw this come across the reader, and I'm wondering what this will mean for other projects that include this utility, like BackTrack.
  2. BTW, the MobaLiveCD thing is based on QEMU.
  3. Saw this on lifehacker, had to show that someone else has a solution too: http://lifehacker.com/5356882/mobalivecd-u...b-drive-support
  4. If your birthday is today (from what I read, it is), happy birthday, and you share your birthday with my wife. Makes things weird for me...
  5. http://blogs.computerworld.com/twitter_phishing Did someone leave Evil Server alone for too long? I saw the title of this on Slashdot and couldn't believe my eyes. I guess it was only a matter of time before someone took the crew seriously about something like this.
  6. No noob-lube here, just something I heard before: JavaSpaces. Anything that can run Java can be used as part of a cluster. For people of this site, search the archives of cons for a "Distributed Password Cracking" talk by "Bern". He goes over most distributed system options, and his talk helped connect the dots for me.
  7. I do it with the USB version; the only thing I had to do was pick a lower option that didn't try xconf first, just startx. It was down the list, Safe VGA or something like that.
  8. @paradizelost: I agree, I have an 8G stick that I'm using for file storage right now; I just haven't taken the time to run the new setup to get a custom ISO put on it currently. And what's wrong with being cheap? ;)

     @TCStool: I was wondering that myself, not only about altering the format, but whether a registry dump messed with the time stamps that police/others might want to see. That's one of the reasons I initially suggested copying the raw hive files, to keep all time stamps and formatting as they are originally. As to the actual format of the data, I'd say it wouldn't hurt, as long as they can still see all the data they need to see. Otherwise, when an investigator had to use a Linux tool to pull info from a Windows box, that'd change the format of the data, but it still works for their purposes.

     As far as the rest of the tools, I can't see much problem with most of them, as they are all built into Windows and just report data back without changing it. I'm not sure how the PS tools work, probably just WMI calls, so still mainly Windows built-in functionality, and those are even supported by Microsoft now. The only one that might be a problem would be MD5Sums. Since it has to open each file to calculate the MD5 of it, that'll screw with the last-accessed time stamps, but hopefully the last-modified and created dates will be of more value than that one.

     Best thing to do, when doing this, is to document everything you do, in great detail. That way, if questions regarding your steps arise, you can always show your logs of what was done, when, and why.
  9. I too experienced a very large dump of information. I was testing it with a 32 MB jump drive, and it filled up fast. It was mainly the Registry Dump, HKLM if I remember correctly. I commented those out, and it finished everything else just fine. VBS scripts wouldn't be too bad, and would allow us to format the output from them the way we need.
  10. I'm not sure about Autoruns either. Looking on their website, there are options for the program to save output to files, as CSV and XML, so that might be an option. As to the VSS, it is a little more in-depth than the normal dump, but it would record hidden data, as well as preserve time stamps that those hives might contain. It might be a good follow-up technique, but this tool is designed to be a first response in a forensics investigation. I'd say the MBR dump and bootable environment were also secondary techniques, not to be done right off the bat. As for a good environment to use, instead of making one, try the Helix project; it was designed to do a lot of this on its own.
  11. If some problems arise with licensing, I'm sure some members of the forums would be willing to help you by making programs that emulate the features you want. I know I'd be willing to make a few free programs to help with this.

     To everyone suggesting normal SwitchBlade things to add to this, keep in mind that this tool wasn't designed to steal anything from someone, but to be a first response action in the event of a forensics investigation. The necessary information for this is very different from the dump-and-go that we are used to. Just try to keep that in mind when suggesting things.

     As for my suggestion, the Autoruns program would probably be a very good idea, as it would also go through the Startup folder for users and show what is listed there to start up, as well as the registry, and I can see both lists being needed in this kind of information. Also, as to the registry, there is a trick using the Shadow Copy service to get a copy of each actual hive, which would include hidden info that the regular export may not get. I have some information on it, if you're interested. The only problem is that it requires that service to be on to actually work, so it might be a good secondary measure if possible. Just my recent thoughts on this.
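The three posts above (8, 10 and 11) sketch the same first-response procedure: pull the raw hives through a Volume Shadow Copy rather than a registry export, avoid touching last-access times on the evidence machine, and log every step with a time. The script below is an added example of that procedure written for this page; it is not the USB tool discussed in the thread, not the poster's code and not a Hak5 project. It assumes Windows PowerShell 4.0 or later run as Administrator with the VSS service enabled, a destination folder on the responder's drive (`E:\collect`, a placeholder), and the standard hive locations under `Windows\System32\config` and `Users\<name>\NTUSER.DAT`.

```powershell
# Added example, not the thread's tool: first-response hive collection via
# Volume Shadow Copy, with a hash manifest and an action log.
# Assumptions: run as Administrator, VSS service enabled, Windows PowerShell 4+
# (Get-FileHash). $Dest is a placeholder for the responder's own drive.
param(
    [string]$Dest   = "E:\collect",
    [string]$Volume = "C:\"
)

$ErrorActionPreference = "Stop"
$stamp = Get-Date -Format "yyyyMMdd-HHmmss"
$case  = Join-Path $Dest "$env:COMPUTERNAME-$stamp"
New-Item -ItemType Directory -Path $case -Force | Out-Null
$log = Join-Path $case "actions.log"

function Log($msg) {
    # Every action gets a UTC timestamp so the steps can be reconstructed later.
    $line = "{0} {1}" -f (Get-Date).ToUniversalTime().ToString("o"), $msg
    Add-Content -Path $log -Value $line
    Write-Host $line
}

Log "Collection started by $env:USERNAME on $env:COMPUTERNAME, volume $Volume"

# 1. Snapshot the volume. The live hives are held open by Windows and cannot be
#    copied directly; reading the snapshot also leaves their timestamps alone.
$vss    = Get-WmiObject -List Win32_ShadowCopy
$result = $vss.Create($Volume, "ClientAccessible")
if ($result.ReturnValue -ne 0) { throw "Shadow copy failed, return code $($result.ReturnValue)" }
$shadow = Get-WmiObject Win32_ShadowCopy | Where-Object { $_.ID -eq $result.ShadowID }
Log "Shadow copy $($shadow.ID) created, device $($shadow.DeviceObject)"

# 2. Expose the snapshot as a directory symlink (trailing backslash is required).
$link = Join-Path $env:SystemDrive "vss_$stamp"
cmd /c mklink /d $link "$($shadow.DeviceObject)\" | Out-Null
Log "Snapshot linked at $link"

# 3. Copy the raw hives out of the snapshot.
$hiveDir = Join-Path $case "hives"
New-Item -ItemType Directory -Path $hiveDir -Force | Out-Null
$hives = @("SYSTEM", "SOFTWARE", "SAM", "SECURITY") |
    ForEach-Object { Join-Path $link "Windows\System32\config\$_" }
foreach ($src in $hives) {
    if (Test-Path $src) {
        Copy-Item -Path $src -Destination $hiveDir
        Log "Copied $src"
    } else {
        Log "Missing $src"
    }
}
# Per-user hives, one NTUSER.DAT per profile directory.
$users = Join-Path $link "Users"
if (Test-Path $users) {
    Get-ChildItem $users -Directory | ForEach-Object {
        $nt = Join-Path $_.FullName "NTUSER.DAT"
        if (Test-Path $nt) {
            Copy-Item -Path $nt -Destination (Join-Path $hiveDir "NTUSER_$($_.Name).DAT")
            Log "Copied $nt"
        }
    }
}

# 4. Hash the copies, never the originals, so hashing cannot alter last-access
#    times on the evidence machine. SHA-256 here; MD5 is also accepted by Get-FileHash.
$manifest = Join-Path $case "hashes.csv"
Get-ChildItem $hiveDir -File | ForEach-Object {
    $h = Get-FileHash -Path $_.FullName -Algorithm SHA256
    [pscustomobject]@{ File = $_.Name; SHA256 = $h.Hash; Size = $_.Length }
} | Export-Csv -Path $manifest -NoTypeInformation
Log "Manifest written to $manifest"

# 5. Remove the link and the snapshot; the copies under $Dest are the evidence.
cmd /c rmdir $link | Out-Null
$shadow.Delete()
Log "Snapshot removed; collection finished"
```

The log and the hash manifest are the two things an investigator will ask for first: the log answers "what was done, when, and why", and re-running `Get-FileHash` over the copies later shows whether anything changed after collection. If the VSS service is disabled on the host, the `Create` call returns a non-zero code and the script stops before touching anything, which is the right failure mode for a first-response tool.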
  12. I was doing my daily stroll around the web, checking to see what all had come out recently, and I came across this: MobaLiveCD. In a nutshell, it allows you to run a VM (using QEMU) of an ISO from one executable, no install needed, and it can be run from a thumb drive (I think QEMU can do that by itself, but this is pretty and handles a lot of things for you).

     Well, after seeing that, I remembered seeing Mubix's blog post on a DVD that has multiple LiveCDs on it. (It is here for those interested.) That would be a good pairing, but then I read down near the bottom where Mubix referenced UNetbootin, which lets you boot ISOs from a USB key, if I read that right. I put all this together in my head, and you should be able to create a USB drive that not only can boot from 1 of 10 (or more) Live CDs on it, but then, if you already have a running Windows machine, you can run the same Live CDs on Windows and not even have to reboot. Just thought I'd share this idea with the people here and see what others thought about doing this.
  13. Another good solution, if you're afraid to go the Linux route, is a BartPE disc with DriveXML added to it. The compilation of tools called the Ultimate Boot CD for Windows has this already on it. I've used it, and it works very nicely, especially in a Windows environment. As for something a little more enterprise oriented, look on SourceForge for a project called FOG. It allows you to use PXE to reimage machines across a network. Haven't had the time to play with that one, but it looks very interesting.
  14. This is a little old school, but seeing you talk of this reminded me of an old segment on Hak5. An NSLU2 was used to make an Asterisk box in episode 2x03, and I've always thought that was very cool. After doing some research today, I found that some very smart people have found a way to run Debian on the NSLU2, which fits perfectly with what you're looking for: a small device that could attach to the network and dump files off to somewhere else (or even another USB drive, as the device was intended to work as a NAS). The only catch is, according to Wikipedia, the device has been discontinued by Linksys, though only this year, so you should still be able to get one easily. Seeing this was also good for me, as I have a few ideas on how to use this differently.
  15. What exactly are you looking for in an MD5 program? FastSum looks pretty good, but if you don't like it, it might be good to know what your baseline requirements are. As to what I use, I don't (due to not only running Ubuntu on my desktop, but just not doing MD5 stuff on the Windows machines I use anyway, or the Ubuntu machine either). If I did, I'd probably hack something together myself. Just as a general question, does keeping MD5 values of files really help with integrity? Most of the time for me, if stuff starts corrupting, it's a whole disk. I don't download that much stuff (mainly due to being on dialup still), so I guess that's why it's slightly lost on me how helpful this could be.