It is a common task for an investigator to boot a machine using bootable media in the form of a DVD or USB, and there are countless options available. This tutorial is not intended to replace your favorite Helix CD or preferred method, but you may find this analysis interesting if you are a Windows expert performing a forensic analysis.
Today is Patch Tuesday for March 2010, and Microsoft has released two security bulletins for this round of updates, neither of which is deemed critical. The second bulletin addresses seven different vulnerabilities across various versions of Microsoft Office Excel.
Microsoft published security advisory 981169 yesterday in response to the zero-day vulnerability reported a few days prior. The vulnerability is in the help system and can be triggered by luring an Internet Explorer user into pressing the F1 key. Windows 2000, Windows XP SP2 & SP3, and Windows 2003 SP2 with Internet Explorer 7 [...]
Back on November 11th, 2009 we confirmed Laurent Gaffié’s remote exploit for Windows that causes a kernel crash. The operating system actually freezes, creating a denial of service when, for example, a user is tricked into clicking on a link to a malicious SMB share on a web page. According to Microsoft, the SMB client goes into an infinite loop when processing this malformed request. The video below demonstrates this effect, having a user click a web site link and showing the crash.
About a month ago, there was much news about the release of COFEE into the torrent wild. I even gave my two cents about the much-hyped forensics toolkit, which is provided to law enforcement for the purposes of easily capturing volatile data from personal computers during evidence collection. A tool to counter COFEE, aptly [...]
Today marks the last Microsoft Patch Tuesday of 2009, and Microsoft has released patches for six bulletins: MS09-071 – Vulnerabilities in Internet Authentication Service Could Allow Remote Code Execution (974318); MS09-074 – Vulnerability in Microsoft Office Project Could Allow Remote Code Execution (967183); MS09-072 – Cumulative Security Update for Internet Explorer (976325); MS09-069 – Vulnerability [...]
It’s been a while since my last post regarding PowerShell, which showed how to scan hosts for network interfaces in promiscuous mode. This time around, we’ll scan for some well-known ports in our Active Directory to see who has a local IIS or SQL Express running on their machine. I know what you’re thinking. [...]
Several months ago, users of a wireless carrier in the United Arab Emirates (UAE) were sent an SMS message to their BlackBerry devices instructing them to install a software patch that would resolve recent network trouble they had been experiencing. The patch turned out to be spyware (Etisalat.A[MA]) and would intercept the user’s email, sending the [...]
Windows Server 2008 R2 was released in August, and it introduced new functional levels for Active Directory. This article takes a look back at the different functional levels of the past and what is new in the latest release of the server operating system for Active Directory (yes, a recycle bin for AD objects!). Functional [...]
One of my favorite websites in the days of Windows 2000 Server was a project from a group of system managers from the Department of Electrical Engineering at the Swiss Federal Institute of Technology; it was titled “Real Men Don’t Click”, and it was dedicated to accomplishing tasks solely using the command line interface (CLI). [...]