Security is FUN by KienEng Chan. Information security stories. The fun ones.<br />
<br />
<b>Information Security Outlook 2016. What's coming?</b> (2016-01-04)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglsEk7EfxeXOOQ0S-8PdDl25omjo0J7p6MT85IhshCMHsPFGRnXPYyAxhrVHwcNhkVT2QgRka_lC1cAL7fbXEpQX6gA9FiNeA1N-2LXIJKuLnYk0c1jVILKEl_HFSlw5LcZk7JXtLdbO8/s1600/2016.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="106" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglsEk7EfxeXOOQ0S-8PdDl25omjo0J7p6MT85IhshCMHsPFGRnXPYyAxhrVHwcNhkVT2QgRka_lC1cAL7fbXEpQX6gA9FiNeA1N-2LXIJKuLnYk0c1jVILKEl_HFSlw5LcZk7JXtLdbO8/s320/2016.jpg" width="320" /></a></div>
<br />
For me the Top 3 will be:<br />
<br />
<b>1. Data breach is the "new normal"</b><br />
<br />
<ul>
<li>The question now is not whether it could or might happen, but when. </li>
<li>Are you prepared for it? How good is your cyber security incident response plan?</li>
<li>Many large organisations can absorb the operational costs related to data breaches, but how about the cost of reputation and brand damage? Reputation risks must be integrated into the risk management process. </li>
<li>Become part of a cyber security defense/intel sharing community - we cannot fight cybercrime alone</li>
<li>Share the 0-days that were used against you. A 0-day loses value once it is publicly known</li>
<li>Have deterrence policies and tactics. Tell attackers what could happen to them, but be careful not to send the wrong signal (e.g. taunting)</li>
</ul>
<br />
<b>2. <a href="https://en.wikipedia.org/wiki/DevOps">DevOps</a> is coming and will prevail</b><br />
<br />
<ul>
<li>Developers will be the ones doing operations, making the "segregation of duties" principle a challenge. </li>
<li>Information security folks need to adjust to it. Like it or not, more and more businesses are doing this due to the adoption of Agile software development. It does not make business sense if DevOps can spin up a server and an app in a day or two but Security needs 2 weeks to review it </li>
<li>Adjust, adapt, get involved earlier or we will be "bypassed" </li>
<li>Why not share the information security budget with other departments if it helps to address security weaknesses? Think of the "win-win" situation. </li>
</ul>
<b>3. More are moving to Cloud</b><br />
<br />
<ul>
<li>Enterprises are moving more solutions and services to the Cloud, be it software, platform or infrastructure</li>
<li>Cloud vendors are growing like mushrooms</li>
<li>Vendor risk assessments are becoming more important than ever. Ensure you have one before engaging any cloud vendor. Be careful and do not rush, especially if we are talking about security tools. A new vendor may have great ideas and technologies, but are they strong enough to last? </li>
</ul>
<br />
And,<br />
<b><br /></b>
<b>Be prepared for Internet of Things (IoT)</b><br />
<br />
<ul>
<li>It might not become a big thing soon, but it is certainly heading that way. Smart fridges, smart cars, smart air-conditioners and smart ovens will all be connected together, and if exploited could give adversaries something close to physical access. We can't stop IoT from happening. The challenge will be how to make it secure.</li>
</ul>
<br />
<b>Moving to SaaS? How to quickly assess the vendor?</b> (2015-10-09)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPszDBcWZU7Lsn-Lnrl-SPDwZ8QJJxdniG2Gt1m6v510anHEepfgsIG39frn5d-pNyoV5eyTGoQ732KQANa-iTzpVkks6by0oBPSoGY7MucwRvJ4-YHdFd15juLjlzgraaQON7PNwVQZs/s1600/SOC.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="180" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPszDBcWZU7Lsn-Lnrl-SPDwZ8QJJxdniG2Gt1m6v510anHEepfgsIG39frn5d-pNyoV5eyTGoQ732KQANa-iTzpVkks6by0oBPSoGY7MucwRvJ4-YHdFd15juLjlzgraaQON7PNwVQZs/s320/SOC.jpg" width="320" /></a></div>
<br />
So a Cloud vendor managed to pitch your boss on switching to their SaaS application, and your boss has asked you to quickly check out the vendor.<br />
<br />
You don't know anything about the vendor or how the SaaS application works. How do you quickly assess something you don't know? You certainly don't want to be blamed if you miss something. You start entering panic mode... Time to call up your senior-cum-mentor, the Information Security chap.<br />
<br />
<b>You:</b> Yo bro! What's up? How's life?<br />
<br />
<b>Information Security chap: </b>Hey dude. Long time no see. I'm good! And you? What have you been up to lately?<br />
<br />
<b>You:</b> Not too bad, not too bad. I've been busy with all this cloud and SaaS thingy... talking about that, I need to quickly check out a SaaS vendor. Any tips?<br />
<br />
<b>Information Security chap: </b>How quick? You know quick in infosec usually translates to "same as do anything", right?<br />
<br />
<b>You:</b> Quick as in like 2 days top? Boss is pushing me left, right and center. Any tips?<br />
<br />
<b>Information Security chap: </b>Hahaha.. that's life, man. Well, you know you can't assess them in 2 days, right? And you can't depend on what they say on their website, as most of it is just marketing pitch. What you can do is ask them to provide you with any third-party independent assurance report.<br />
<br />
<b>You: </b>Independent assurance report? Like ISO27001 certification?<br />
<br />
<b>Information Security chap: </b>Having ISO27001 certification is good but not good enough. Ask them if they have undergone a SOC 2 or SSAE16 audit. There are usually SOC 2 Type 1 and Type 2. If they have done SOC 2 Type 2, even better. Ask for a copy of the report and see if there are major issues raised.<br />
<br />
<b>You: </b>Why is Type 2 better?<br />
<br />
<b>Information Security chap: </b>For Type 1, the effectiveness of controls is assessed only once, at the time of the assessment. For Type 2, control effectiveness is assessed over a period of time, so it provides much better assurance of control effectiveness.<br />
<br />
<b>You: </b>I see... I will Google for more info about this SOC stuff. Thanks bro! Coffee on me next time we catch up!<br />
<br />
<b>Information Security chap: </b>You're welcome, man! Good luck! Ciao!<br />
<br />
<b>You:</b> Ciao!<br />
<br />
<b>Not only that. We all are better together</b> (2014-11-12)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7sRo7esZXktKVowbtp4R4YAk1JkGAPlUibkSEiBVQFJfHLmJU_Asr15_BD5iV2TJJhO2Q_HX0D56vEg98sTez7EW8rwEQPj6WK8S6pUs1R1Myt-_2gFAV76JZr88JJl9ktEyI3ctCqEM/s1600/Fighting-cybercrime.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="168" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7sRo7esZXktKVowbtp4R4YAk1JkGAPlUibkSEiBVQFJfHLmJU_Asr15_BD5iV2TJJhO2Q_HX0D56vEg98sTez7EW8rwEQPj6WK8S6pUs1R1Myt-_2gFAV76JZr88JJl9ktEyI3ctCqEM/s320/Fighting-cybercrime.jpg" width="320" /></a></div>
<br />
Just read an article published by Darkreading "<a href="http://www.darkreading.com/analytics/better-together-why-cyber-security-vendors-are-teaming-up-/a/d-id/1317416">Better Together: Why Cyber Security Vendors Are Teaming Up</a>". <br />
<br />
I always believe that one cannot fight cybercrime alone.<br />
<br />
Cybercrime is organized crime. We all know that organized crime has gone "cyber" for quite some time. They evolve. We must too.<br />
<br />
If the bad guys can team up to launch a cyber attack, and the vendors are teaming up too, then why can't we - the cyber security representatives of our companies - team up to defend ourselves? Start by sharing info, intel and experiences in mitigating attacks. <br />
<br />
If some of us are worried about disclosing "weaknesses" to competitors, then start with a closed group, for example amongst the "Top 10 public listed companies" in XXX country. Of course, at the first few meetings no one would really share very detailed info, but over time, as trust is built amongst the members, more info and details would flow in.<br />
<br />
Most of us security folks are trained to be skeptical and careful about trusting people, but when it comes to countering cybercrime, I don't think we have much choice. We have to learn to trust, give and take. <br />
<br />
<b>Bashing the Big Bad Bash "shellshock"</b> (2014-09-28)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuJvW5RPvJwUrr4LLqHZphUYCpeAHAmbHqNrhUZcRg9CbB_Ld3Q1A3P3O8Bix5q4T9CNHDZGXVgKBxl06GiNsKeog4OAr50pnRB9kcphAYjhtXMjYYF73hSzT7LW9GFhvuIKmjFTctex0/s1600/bashing+the+bash.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuJvW5RPvJwUrr4LLqHZphUYCpeAHAmbHqNrhUZcRg9CbB_Ld3Q1A3P3O8Bix5q4T9CNHDZGXVgKBxl06GiNsKeog4OAr50pnRB9kcphAYjhtXMjYYF73hSzT7LW9GFhvuIKmjFTctex0/s1600/bashing+the+bash.png" height="167" width="320" /></a></div>
<br />
<b>Updated: 29/9/2014:</b> Updated video from SANS<br />
<br />
How bad is it? <b>Very.</b><br />
<br />
<br />
What happened? Check out the SANS's video below:<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/b2HKgkH4LrQ?feature=player_embedded' frameborder='0'></iframe></div>
<br />
<br />
As of today (28 Sep 2014), the current patch<strike> is not adequate as it only</strike> fixed the first problem (CVE-2014-6271)<strike> but not the 2nd one (CVE-2014-7169). Vendors are still struggling to fix</strike>, the second problem (CVE-2014-7169) and 4 other newly discovered bugs. <br />
<br />
Also, the folks at FireEye have written a very good piece about this, with samples of attack vectors and exploits included. Check out their blog post titled <a href="http://www.fireeye.com/blog/uncategorized/2014/09/shellshock-in-the-wild.html">"Shellshock in the wild"</a>.<br />
<br />
<br />
Now, I'm sure by now you have been asked the million-dollar question by your boss or some senior manager:<br />
<span style="color: red;"><i><b>Are we vulnerable? Can you quickly find out?</b></i></span><br />
Quick is the keyword. You should first check your exposure from the internet.<br />
<br />
But how? Ask Google. Look for indications of bash scripts being served from your website. For example:<br />
<br />
<i>filetype:sh OR filetype:bash site:bashing.badbash.com</i><br />
<br />
If you see URLs with a .sh or .bash extension, be paranoid. Check those first and disable them. Replace the scripts with something else, e.g. Perl or Python. <br />
<br />
Next, you may want to add a custom signature to your NIPS to detect/stop any potential exploits. Here is a quick Snort signature (taken from <a href="http://www.volexity.com/blog/?p=19">Volexity's website</a>):<br />
<br />
<i>alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Volex - Possible CVE-2014-6271 bash Vulnerability Requested (header)"; flow:established,to_server; content:"() {"; http_header; threshold:type limit, track by_src, count 1, seconds 120; sid:2014092401;)</i><br />
<br />
Or grab the official Snort rules from Snort's website <a href="http://blog.snort.org/2014/09/snort-community-ruleset-out-of-band.html">here</a>. <br />
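<br />
A small log-review script, added here as an example (it is not from the original post, from Volexity or from Snort): it applies the same "() {" header match and the same per-source threshold semantics (type limit, count 1, seconds 120) to web server log lines, and it also lists the .sh/.bash URLs that the Google search above is hunting for. The log lines are constructed for the example and the addresses come from the documentation ranges; the regexes and field names are my own.<br />
<br />
```python
import re
from collections import Counter
from datetime import datetime

# Equivalent of the Snort rule's header content match "() {": the bash function
# definition prefix that Shellshock payloads begin with (whitespace tolerated).
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# URL extensions the post tells you to hunt for on your own site.
SHELL_SCRIPT_RE = re.compile(r"\.(sh|bash)(\?|$)", re.IGNORECASE)

# Apache/nginx "combined" log format: the last two quoted fields are Referer
# and User-Agent, the two headers most often carrying the payload.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (not real traffic). The three 203.0.113.10 lines
# all match; only the 1st and 3rd should alert because the 2nd falls inside
# the 120-second limit window opened by the 1st.
SAMPLE_LOG = """\
203.0.113.10 - - [28/Sep/2014:10:00:01 +0200] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "-" "() { ignored; }; echo SHELLSHOCK-TEST"
203.0.113.10 - - [28/Sep/2014:10:00:30 +0200] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "-" "() { ignored; }; echo SHELLSHOCK-TEST"
198.51.100.7 - - [28/Sep/2014:10:01:00 +0200] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 6.1)"
203.0.113.10 - - [28/Sep/2014:10:03:00 +0200] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "-" "() { ignored; }; echo SHELLSHOCK-TEST"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def shell_script_urls(log_text):
    """Paths requested with a .sh/.bash extension, with hit counts: check these first."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and SHELL_SCRIPT_RE.search(rec["path"]):
            hits[rec["path"]] += 1
    return dict(hits)


def shellshock_alerts(log_text, window_seconds=120):
    """Return (alerts, matches). Every header match is counted, but, like the
    rule's 'threshold:type limit, track by_src, count 1, seconds 120', only the
    first match per source IP in each window becomes an alert."""
    alerts, matches = [], 0
    window_start = {}  # source IP -> start time of its current limit window
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if not (SHELLSHOCK_RE.search(rec["ua"]) or SHELLSHOCK_RE.search(rec["referer"])):
            continue
        matches += 1
        start = window_start.get(rec["src"])
        if start is None or (rec["time"] - start).total_seconds() >= window_seconds:
            window_start[rec["src"]] = rec["time"]
            alerts.append({"src": rec["src"], "time": rec["time"].isoformat(),
                           "path": rec["path"], "header": rec["ua"][:40]})
    return alerts, matches


if __name__ == "__main__":
    print("shell-script URLs:", shell_script_urls(SAMPLE_LOG))
    found, total = shellshock_alerts(SAMPLE_LOG)
    print("%d alert(s) from %d matching request(s)" % (len(found), total))
    for a in found:
        print(a)
```
<br />
Two points the code makes. The threshold does not drop matches; it only suppresses repeat alerts from the same source for 120 seconds (the second 203.0.113.10 line is counted but not alerted), so the match count is the number to report when sizing the incident. And the combined log format records only the Referer and User-Agent headers, so a payload placed in another header such as Cookie would be invisible in log review, which is why the NIPS rule above inspects the whole HTTP header rather than the access log.<br />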
<br />
Information security folks: if you play this game well, it could be another good business case for pushing to get those legacy systems updated/upgraded!<br />
<br />
<b>BadUSB in enterprise. Why you should not panic over it.</b> (2014-08-08)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkXy32wg5IDNh2TmYIUm46Y28pPMUMRokQEEw_kl83IrTDklptUGeBZdH4paHGh_5TzWdOUIRyCg2bhV9MFEQP6JTfqN-Ph7tqrVM-XszmLYCKv7TZMkkSBIJggb6q1XAyGx1-fJSwE8c/s1600/badusb.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkXy32wg5IDNh2TmYIUm46Y28pPMUMRokQEEw_kl83IrTDklptUGeBZdH4paHGh_5TzWdOUIRyCg2bhV9MFEQP6JTfqN-Ph7tqrVM-XszmLYCKv7TZMkkSBIJggb6q1XAyGx1-fJSwE8c/s1600/badusb.jpg" height="400" width="277" /></a></div>
<br />
Hot topic of the past 2-3 weeks - <a href="https://srlabs.de/blog/wp-content/uploads/2014/07/SRLabs-BadUSB-BlackHat-v1.pdf">BadUSB</a>. Until yesterday, most talks or write-ups were just speculation, as no details had been released.<br />
<br />
The folks at srlabs.de released more details during their Black Hat 2014 presentation yesterday. You may grab the slides on their website<a href="https://srlabs.de/blog/wp-content/uploads/2014/07/SRLabs-BadUSB-BlackHat-v1.pdf"> here</a>. <br />
<br />
As the CISO or Information Security Professional responsible for ensuring security within your organisation, you have every right to be worried. The good news is, you can stop the panic mode now, if....<br />
<br />
<div style="text-align: center;">
<span style="color: red;"><b>You don't allow admin right to your users. </b></span></div>
<br />
To successfully attack a target machine, the attacker must have or gain access to a machine on which a user with admin privileges is logged in.<br />
<br />
I find that <a href="http://www.wibu.com/en/press-release-details/article/badusb-uncovered-495.html">WIBU Systems's alert</a> explains it very well. Here is the excerpt:<br />
<br />
<i>"A BadUSB attack can be successfully accomplished only with logged-in users who
have administrator privileges to their computer. In principle, the attack would
also work for OS X and Linux; only the actual commands from the “keyboard” would
be different."</i><br />
<br />
<br />
Nowadays, most enterprise laptops/PCs are hardened and you rarely see users with admin rights anymore. Of course, there are exceptions (really? If you are the CISO, shame on you!).<br />
<br />
Of course, there are still risks. But I would say the risk is low - if you have done the right things. <br />
<br />
<br />
<br />
<b>Booting up an evidence E01 image using free tools (FTK Imager &amp; VirtualBox)</b> (2014-06-27)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpbx_ugELwSkKC_D8nxACLiXFw7jxuNIxAXkdz9TtUeR7ffe5nHX6kbQm_4iXAWZTnVJLZJY5gF08pIHKo1XQFWVsczQe0nJoeLBm5c7FU6iJyPH5KF9j_9HaxCVREPSO-fkr8WEehifw/s1600/booting+evidence+image+with+virtualbox.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpbx_ugELwSkKC_D8nxACLiXFw7jxuNIxAXkdz9TtUeR7ffe5nHX6kbQm_4iXAWZTnVJLZJY5gF08pIHKo1XQFWVsczQe0nJoeLBm5c7FU6iJyPH5KF9j_9HaxCVREPSO-fkr8WEehifw/s1600/booting+evidence+image+with+virtualbox.png" height="320" width="302" /></a></div>
<br />
Being able to boot an acquired evidence image (hard drive) is always helpful for forensics and investigation. If you do a Google search, you will find that most methods or discussions refer to VMware Workstation. As VMware Workstation is not free, that is not good news if you are on a low budget or do not have a licence at all. <br />
<br />
Don't worry.... I will show you how you can boot an acquired E01 image using freely available tools.<br />
<br />
<b>What you will need:</b><br />
1. <a href="http://www.accessdata.com/support/product-downloads">FTK Imager</a> <br />
2. <a href="https://www.virtualbox.org/wiki/Downloads">VirtualBox and the VirtualBox Extension Pack</a><br />
3. Admin right (do not have one? You're joking right???)<br />
<br />
I'm not going to detail how you should install FTK Imager and VirtualBox.... those are really easy.<br />
<br />
<b>Here are the steps:</b><br />
1. Open FTK Imager. Go to File -> Image Mounting.<br />
<br />
2. Select the E01 image you want to mount.<br />
a) Mount Type: Physical Only<br />
b) Mount Method: Block Device / Writeable (I know what you are thinking.... do not worry about tampering with the evidence file. FTK Imager will create a cache file that temporarily stores all the "changes" you make)<br />
c) Write Cache Folder: Take the default or point it to any folder that would make you happy :)<br />
<br />
3. Click "Mount". You will see which physical drive the image is mapped to.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgurpzplhXfPhtNuN8K0wcRPNsWC_wugXUZsvSZoijf4Fm00J1ULG7staXevdI2syMAi-9Fe6SGTYHDfLf4Jl8FRUvArhql4SwmCvTlpRoBDL7xNOCOljgKNOQZE6WVhFSdIyPAyN8LphA/s1600/mounting+image+with+FTK.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgurpzplhXfPhtNuN8K0wcRPNsWC_wugXUZsvSZoijf4Fm00J1ULG7staXevdI2syMAi-9Fe6SGTYHDfLf4Jl8FRUvArhql4SwmCvTlpRoBDL7xNOCOljgKNOQZE6WVhFSdIyPAyN8LphA/s1600/mounting+image+with+FTK.jpg" height="392" width="400" /> </a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
4. Create a new folder (for storing the virtual disk file later) e.g. c:\temp\securityisfun.net<br />
5. Open a command prompt as administrator. Go to c:\Program Files\Oracle\VirtualBox. Run following command:<b> vboxmanage internalcommands createrawvmdk -filename <span style="color: blue;"><i>c:\temp\securityisfun.net\securityisfun.vmdk</i></span> -rawdisk <span style="color: blue;"><i>\\.\physicaldrive5</i></span></b><br /><br />
NOTE: Replace <b>the path</b>, <b>file name to be created</b> and <b>physical drive</b> accordingly.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEio1qlt4zrr6tKPUPC7VcwhqFspfnWio6LFMIvFELJIO3GHAYzdX3xBYrSy1Gnbzj56dld8IgSYkf8A4OU-_Hh1Zml2HMuCquTwHr0znwuqfPxJGTZNphg7ASNLi9OYzoVZvGaHp6x-yaA/s1600/Command+to+create+vmdk.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEio1qlt4zrr6tKPUPC7VcwhqFspfnWio6LFMIvFELJIO3GHAYzdX3xBYrSy1Gnbzj56dld8IgSYkf8A4OU-_Hh1Zml2HMuCquTwHr0znwuqfPxJGTZNphg7ASNLi9OYzoVZvGaHp6x-yaA/s1600/Command+to+create+vmdk.jpg" height="91" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmyqN_AaxhZ8uIrh6jgLsvlQTZiQbFtoqfG22F8i7_ULLr1TKov4pNJltQwxMnJ87VwMHwEW6zUcOPKR_8GRSR1JCRvgitIbWZo-B49mq6QNql1fjAYgXk3tilI5jTqE8DfSBlNyD3TVw/s1600/Command+to+create+vmdk.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><br /></a></div>
<br />
5. Run VirtualBox as administrator. Create a new virtual machine matching the OS of the image, e.g. Windows XP or Windows 7.<br />
a) RAM - set it to any amount you like. Normally I set it to 2GB<br />
b) Hard Drive - point it to the virtual disk file you just created in step 5 above<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlK63_xxSLgqxdes8qwjrZ_aAmYn0gT3FmsABEH2ipe62sOAD6u_mOutVDb-OjT2mTzx_oSf6iec1PVDIphXcryU0ruQOKx93IyyUVlAv3pTT25uz_otyfBqSt_ac9Leu4X1F6SceUgM0/s1600/creating+a+new+vm.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlK63_xxSLgqxdes8qwjrZ_aAmYn0gT3FmsABEH2ipe62sOAD6u_mOutVDb-OjT2mTzx_oSf6iec1PVDIphXcryU0ruQOKx93IyyUVlAv3pTT25uz_otyfBqSt_ac9Leu4X1F6SceUgM0/s1600/creating+a+new+vm.jpg" height="327" width="400" /> </a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
6. Well, start the virtual machine. It should run now. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
7. In case you get a blue screen (which is not uncommon), try changing the HDD controller type, which is IDE by default, to SATA, SCSI or SAS. You can change this by editing the settings of the virtual machine:</div>
<div class="separator" style="clear: both; text-align: left;">
a) Delete the existing HDD controller</div>
<div class="separator" style="clear: both; text-align: left;">
b) Add a new controller e.g. SATA</div>
<div class="separator" style="clear: both; text-align: left;">
c) Add a new disk. Select "Choose an existing disk". Point it to the virtual disk file you created (e.g. securityisfun.vmdk)</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0xVz_JJt-avwxwLdeYbHIT4sl8kcAu6s8JcwFvpocxW3QQn6H-UCr7sR6375XYHntlan4mhkE6H0ekcynjJO3yS6nta7lVHlITvcl-A3jTbs2ekGxOrQS_491-0cMjvlnqmDZdpNGXmA/s1600/changing+hdd+controller+in+virtualbox.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0xVz_JJt-avwxwLdeYbHIT4sl8kcAu6s8JcwFvpocxW3QQn6H-UCr7sR6375XYHntlan4mhkE6H0ekcynjJO3yS6nta7lVHlITvcl-A3jTbs2ekGxOrQS_491-0cMjvlnqmDZdpNGXmA/s1600/changing+hdd+controller+in+virtualbox.jpg" height="235" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhM64Gzdz-LY8MmVw0knmA7qWeIbLpEk3a5nn4Z8lv2_4I4nrVIZTeVwPDhFW8SWgHYBOFfg0Gg1soqOcX1JXOnDttYR7phw_ZUaGwb18GGdyifaz4wfw6vmTe0j2pSinqrFAEuxv2aX4A/s1600/changing+hdd+controller+in+virtualbox2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhM64Gzdz-LY8MmVw0knmA7qWeIbLpEk3a5nn4Z8lv2_4I4nrVIZTeVwPDhFW8SWgHYBOFfg0Gg1soqOcX1JXOnDttYR7phw_ZUaGwb18GGdyifaz4wfw6vmTe0j2pSinqrFAEuxv2aX4A/s1600/changing+hdd+controller+in+virtualbox2.jpg" height="277" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-r36rhbfHP_eHd3q7oK8m6nOeNMhEZqT6lw31mks-3jfU5llBJXMXj9pWGEMhWD8Ti7aHKye4-Cqswio-sEod_RDx0Yn_n0QT2p4d7X_NRNSWjd_qN9nyIe3VhVtAMZ4gD-y0LtNkJ0Q/s1600/changing+hdd+controller+in+virtualbox3.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-r36rhbfHP_eHd3q7oK8m6nOeNMhEZqT6lw31mks-3jfU5llBJXMXj9pWGEMhWD8Ti7aHKye4-Cqswio-sEod_RDx0Yn_n0QT2p4d7X_NRNSWjd_qN9nyIe3VhVtAMZ4gD-y0LtNkJ0Q/s1600/changing+hdd+controller+in+virtualbox3.jpg" height="273" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
8. If you still get the blue screen... this might be because Windows cannot see the drive. Try the following steps, which involve editing the registry to enable the SCSI and SAS drivers at boot: </div>
<div class="separator" style="clear: both; text-align: left;">
a) Unmount the image you mounted with FTK Imager </div>
<div class="separator" style="clear: both; text-align: left;">
b) Mount the same image with FTK Imager but now with the option: </div>
<div class="separator" style="clear: both; text-align: left;">
Mount Type: <b>Physical & Logical</b></div>
<div class="separator" style="clear: both; text-align: left;">
Drive Letter: Take the default</div>
<div class="separator" style="clear: both; text-align: left;">
Mount Method: Block Device / Writable</div>
<div class="separator" style="clear: both; text-align: left;">
c) You should see the partitions of the image are now mounted and accessible</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh98VuP-lUQ68uCbngZBDCF26OyPlx1INEnrEPJOY480tjvjVjH2yZSmCkD1BruOMiw-a7zqkQzSHwVM2LRGB-fzu9_ELtU_gMAIOUsY1gec_cz483W2HRn8_0xojz9wrDwFx9Nhut3WrQ/s1600/FTK+mount+physical+and+logical.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh98VuP-lUQ68uCbngZBDCF26OyPlx1INEnrEPJOY480tjvjVjH2yZSmCkD1BruOMiw-a7zqkQzSHwVM2LRGB-fzu9_ELtU_gMAIOUsY1gec_cz483W2HRn8_0xojz9wrDwFx9Nhut3WrQ/s1600/FTK+mount+physical+and+logical.jpg" height="385" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
d) Run "regedit.exe" as administrator.</div>
<div class="separator" style="clear: both; text-align: left;">
e) Expand "HKEY_Local_Machine". </div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<div class="separator" style="clear: both; text-align: left;">
f) Select "File, Load Hive". Point it to the SYSTEM hive of the Windows partition of your mounted image. For example, if the image's Windows partition is mounted by FTK Imager as K:, point it to K:\Windows\system32\config\SYSTEM</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoscNE7YN9BwZPlj1FUUISh8wxxD9YCRpa-JjUAifD76Lz-v6MhBFDmgxaeIvBDS8JL49EZnlJS0NdyEvpcYAaf8Zgd8cDeRqJoqqD7mjhJ0YEn0jO2iWTtezjS13DENKYMcOv6KDTuPw/s1600/editing+registry1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoscNE7YN9BwZPlj1FUUISh8wxxD9YCRpa-JjUAifD76Lz-v6MhBFDmgxaeIvBDS8JL49EZnlJS0NdyEvpcYAaf8Zgd8cDeRqJoqqD7mjhJ0YEn0jO2iWTtezjS13DENKYMcOv6KDTuPw/s1600/editing+registry1.jpg" height="227" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
g) Enter any name when prompted, e.g. securityisfun.net (sorry, a bit of marketing here :) ). You should now see an additional registry key with the name you typed.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYJopfpO_5gEldW3aFx3iPIq6LvCh-ifhNo4_aBBwEN58fIcIqjRfTaW3M5nK08KHJAtyI8QEYcVQRA9HY7yo83jHC9eJ9vbLzTikW0CJgCs7CZEQJeMH6o5VgpSGeyfq_BCEkdZZQrHk/s1600/editing+registry2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYJopfpO_5gEldW3aFx3iPIq6LvCh-ifhNo4_aBBwEN58fIcIqjRfTaW3M5nK08KHJAtyI8QEYcVQRA9HY7yo83jHC9eJ9vbLzTikW0CJgCs7CZEQJeMH6o5VgpSGeyfq_BCEkdZZQrHk/s1600/editing+registry2.jpg" height="156" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
h) Navigate to securityisfun.net\ControlSet001\Services</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPYBvOnJd0G1toE8EhIO6BfEV4fzEpJO-pcfxT9mY3gP-wJr1pxeJgoW74Oc24c4mITD0G8tcR2bJbr31Q19dAppsxysJQntM6aJT6HpgfGNHaCBKDIq2OPZRviDWB97TbjazQK0MfwQo/s1600/editing+registry3.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPYBvOnJd0G1toE8EhIO6BfEV4fzEpJO-pcfxT9mY3gP-wJr1pxeJgoW74Oc24c4mITD0G8tcR2bJbr31Q19dAppsxysJQntM6aJT6HpgfGNHaCBKDIq2OPZRviDWB97TbjazQK0MfwQo/s1600/editing+registry3.jpg" height="235" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
i) Look for "LSI_SCSI". Click on it and set the "Start" value to "0" (zero). Setting it to "0" means Windows will load this driver at boot time. Repeat the same for "LSI_SAS" and "LSI_SAS2". </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEislXWmY8IEAUsxptwe672b4Xt9VuMrQyAf6gZkZp2nCdLLemuPptdXCgSxHtNUMbBLaLncgXyMQDotJlUORxuZpO85TWvjqMOYpXxhA1iZofnfhlSI04FoW3LNGvsLA8Nj-kjLpQAf76I/s1600/editing+registry4.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEislXWmY8IEAUsxptwe672b4Xt9VuMrQyAf6gZkZp2nCdLLemuPptdXCgSxHtNUMbBLaLncgXyMQDotJlUORxuZpO85TWvjqMOYpXxhA1iZofnfhlSI04FoW3LNGvsLA8Nj-kjLpQAf76I/s1600/editing+registry4.jpg" height="142" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
j) Select the "securityisfun.net" hive once you finish editing. Select "File, Unload Hive". Click "Yes". Close regedit.</div>
<div class="separator" style="clear: both; text-align: left;">
k) Now try to boot your virtual machine again. Try different controllers, e.g. SAS, SATA, SCSI, if you are still getting the blue screen.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
9. If you are still getting the blue screen despite all this........ two words for you - bad luck! At the moment I don't have any other solutions or workarounds. I will update this blog post if I (ever) come across something new :) </div>
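<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The Python helper below is added here as an example; it is not part of the original post and not something FTK Imager or VirtualBox ships. It scripts step 5 (the VBoxManage createrawvmdk command) and step 8 (loading the image's SYSTEM hive, setting Start=0 for LSI_SCSI, LSI_SAS and LSI_SAS2, unloading the hive) by calling VBoxManage.exe and reg.exe, so the execution part only works on Windows, from an elevated prompt, with the image mounted by FTK Imager exactly as described above. The VBoxManage install path, the hive load name securityisfun.net and the drive letter K: are assumptions taken from the post's own examples; change them to match your setup.</div>
```python
r"""Helper for the E01-boot procedure (example code, not from the original post).

  vmdk    step 5: VBoxManage internalcommands createrawvmdk ... -rawdisk \\.\PhysicalDriveN
  regfix  step 8: reg load the mounted image's SYSTEM hive, set Start=0 (boot start)
                  for LSI_SCSI / LSI_SAS / LSI_SAS2, then reg unload it

The *_cmd functions only build argv lists, so they can be inspected or tested
anywhere; run_step executes them and needs Windows plus an elevated prompt.
"""
import re
import subprocess
import sys

# Assumed default install path; adjust if VirtualBox lives elsewhere.
VBOXMANAGE = r"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe"
# Storage drivers the post enables at boot; Start=0 is the BOOT start type.
BOOT_DRIVERS = ("LSI_SCSI", "LSI_SAS", "LSI_SAS2")


def physical_drive_path(number):
    """Raw-disk path for the drive FTK Imager mapped the image to, e.g. \\.\PhysicalDrive5."""
    if not isinstance(number, int) or number < 0:
        raise ValueError("physical drive number must be a non-negative integer")
    return r"\\.\PhysicalDrive%d" % number


def createrawvmdk_cmd(vmdk_path, drive_number):
    """argv for step 5: a VMDK descriptor that points VirtualBox at the raw disk."""
    if not vmdk_path.lower().endswith(".vmdk"):
        raise ValueError("virtual disk file name should end in .vmdk")
    return [VBOXMANAGE, "internalcommands", "createrawvmdk",
            "-filename", vmdk_path, "-rawdisk", physical_drive_path(drive_number)]


def registry_cmds(mounted_drive_letter, hive_name="securityisfun.net",
                  control_set="ControlSet001"):
    """argv list for step 8: load hive, Start=0 for each driver, unload hive."""
    if not re.fullmatch(r"[A-Za-z]", mounted_drive_letter):
        raise ValueError("expected a single drive letter, e.g. 'K'")
    hive_file = r"%s:\Windows\system32\config\SYSTEM" % mounted_drive_letter.upper()
    load_point = r"HKLM\%s" % hive_name
    cmds = [["reg", "load", load_point, hive_file]]
    for svc in BOOT_DRIVERS:
        key = r"%s\%s\Services\%s" % (load_point, control_set, svc)
        cmds.append(["reg", "add", key, "/v", "Start", "/t", "REG_DWORD", "/d", "0", "/f"])
    cmds.append(["reg", "unload", load_point])
    return cmds


def run_step(cmds):
    """Execute the argv lists in order (Windows only, elevated prompt required)."""
    if sys.platform != "win32":
        raise SystemExit("this helper drives VBoxManage.exe and reg.exe; run it on Windows")
    for cmd in cmds:
        if cmd[:2] == ["reg", "add"]:
            # Only touch service keys present in the evidence image: creating a
            # bare key holding just Start=0 would not install a driver.
            if subprocess.run(["reg", "query", cmd[2]], capture_output=True).returncode != 0:
                print("skipping, key not in image:", cmd[2])
                continue
        subprocess.run(cmd, check=True)


if __name__ == "__main__":
    import argparse
    p = argparse.ArgumentParser(description="E01 boot helper (see module docstring)")
    sub = p.add_subparsers(dest="step", required=True)
    a = sub.add_parser("vmdk", help="step 5: create the raw-disk VMDK")
    a.add_argument("vmdk_path")
    a.add_argument("drive_number", type=int)
    b = sub.add_parser("regfix", help="step 8: enable LSI SCSI/SAS drivers at boot")
    b.add_argument("drive_letter", help="letter FTK Imager gave the Windows partition")
    args = p.parse_args()
    if args.step == "vmdk":
        run_step([createrawvmdk_cmd(args.vmdk_path, args.drive_number)])
    else:
        run_step(registry_cmds(args.drive_letter))
```
<div class="separator" style="clear: both; text-align: left;">
One caveat worth checking before the regfix step: the post edits ControlSet001, but the control set Windows actually boots from is recorded in the hive's Select key (the Current value). If that value is not 1, pass the matching name via the control_set parameter, otherwise the Start values you change are never read at boot. Because the image is mounted through FTK Imager's write cache, a wrong edit costs nothing more than a remount.</div>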
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Have fun!</div>
<br />
<b>HiTB Haxpo AMS 2014 - My takeaway</b> (2014-06-03)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgn0NESbSNykZCA4vAe2B3BGzhgFU17-1XO_YPzqRddQ1jJCD4aj0P2ql8ZF74xeE0VXR1_FADdqTO-RCjL4pFb4fKv9xhtEkjV2Qn_FiWKoGlXPvb0GkMJjCqOBOTH8Ydu0GcNMYZLoSw/s1600/hackinthebox-haxpo-nl-2014.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgn0NESbSNykZCA4vAe2B3BGzhgFU17-1XO_YPzqRddQ1jJCD4aj0P2ql8ZF74xeE0VXR1_FADdqTO-RCjL4pFb4fKv9xhtEkjV2Qn_FiWKoGlXPvb0GkMJjCqOBOTH8Ydu0GcNMYZLoSw/s1600/hackinthebox-haxpo-nl-2014.jpg" height="320" width="240" /></a></div>
<br />
<br />
Yup. That's my crew T-shirt of Hack in the Box Amsterdam 2014 or now known as <a href="http://haxpo.nl/">Haxpo</a>. It was nice and fun meeting all the .MY and .NL folks again.<br />
<br />
I have to admit, I feel like the presented conference topics are not as exciting as last year's. However, the Haxpo (the part where you can enter for free) was quite a success.<br />
<br />
Nevertheless, there are a couple of interesting topics that caught my attention:<br />
<br />
1. Cool idea - splitting Java exploits into multiple "innocent"-looking Java applets in order to avoid detection. Check out <a href="http://haxpo.nl/hitb2014ams-ferrante-auriemma/">Reloading Java Exploits: Long Live Old JRE!</a> by renowned security researcher (read: hacker) <a href="http://aluigi.altervista.org/">LUIGI AURIEMMA</a>.<br />
<br />
2. Wanna fly for free? Check out <a href="http://haxpo.nl/hitb2014ams-anthony-hariton/">Exploiting Passbook to Fly for Free</a> by ANTHONY HARITON. This was the funniest presentation I have seen this year. Full of fun and laughs. NOTE: He did not confirm nor deny whether he did indeed perform the "test" personally :)<br />
<br />
See y'all again next year folks! <br />
<br />Eng, 2014-04-11 (updated 2014-04-14): Heartbleed - A picture that tells a thousand words<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
20140414 Update #2 <br />
The server's private key can be obtained. This is confirmed. See <a href="http://www.securityweek.com/confirmed-heartbleed-exposes-web-servers-private-ssl-keys">here</a>. <br />
<br />
Update #1:<br />
Apparently the <a href="http://www.computerworld.com/s/article/9247642/NSA_secretly_exploited_devastating_Heartbleed_bug_for_years_report_says?source=rss_latest_content">NSA KNEW</a> about this years ago. Surprised? Not really...<br />
<br /><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoEhSe6A6hiMCRYq0eVuIjsbOc-2MjlHMoQLHPRCn4Ki5xNDQ_c7zyBkDLrrRlRgKjydqJaVq-P2VEsj_pZWMexY2mbQfeebTpgSy4WrwssuhLSTwY7SDA4RE0CWy1zb8UOKlzF8PY7mU/s1600/heartbleed_explanation.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoEhSe6A6hiMCRYq0eVuIjsbOc-2MjlHMoQLHPRCn4Ki5xNDQ_c7zyBkDLrrRlRgKjydqJaVq-P2VEsj_pZWMexY2mbQfeebTpgSy4WrwssuhLSTwY7SDA4RE0CWy1zb8UOKlzF8PY7mU/s1600/heartbleed_explanation.png" height="900" width="500" /> </a></div>
Well explained. Picture taken from xkcd - http://xkcd.com/1354/ <br />
<br />
How bad is Heartbleed? Very bad. It affects not only HTTPS but also every other application, server, router and firewall that uses OpenSSL.<br />
<br />
We have heard all the bad news. But there is a little good news: retrieving private keys may not be that easy. This <a href="http://blog.cloudflare.com/answering-the-critical-question-can-you-get-private-ssl-keys-using-heartbleed">post</a> explains it all. However, getting passwords is still easy if you are lucky (well, try a few times). There are a few websites that you can use to check if a website is vulnerable, but they don't give you the dumps. Here is the <a href="https://gist.githubusercontent.com/dyatlov/10192468/raw/be10eb98ed71bf9804aedb1928d7b659d7326a2a/hb-test.py%20">python script</a> that gives you the dump. <br />
Tip: run it in debug mode.<br />
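As an added example (not the post's own code and not the linked hb-test.py), here is the check behind the picture written out in Python: a TLS heartbeat's claimed payload_length must fit inside the record together with its 16 bytes of minimum padding, and that is exactly the bounds check the vulnerable OpenSSL skipped. The record layout follows RFC 6520; the sample records are constructed by hand, not captured traffic.

```python
import struct
from dataclasses import dataclass

TLS_HEARTBEAT = 24            # TLS ContentType for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
HB_HEADER_LEN = 1 + 2         # HeartbeatMessage: type (1 byte) + payload_length (2 bytes)
MIN_PADDING = 16              # RFC 6520: padding MUST be at least 16 bytes


@dataclass
class Verdict:
    ok: bool
    reason: str
    claimed_len: int = 0      # payload_length the peer asked to have echoed back
    actual_len: int = 0       # payload bytes that actually fit inside the record


def check_heartbeat_record(record: bytes) -> Verdict:
    """Apply the bounds check a fixed OpenSSL performs to one raw TLS record.

    A heartbeat is well-formed only if type + payload_length + payload + padding fit in
    the record. A request that claims more payload than the record carries is the
    Heartbleed pattern: a vulnerable peer echoes the missing bytes out of its heap.
    """
    if len(record) < 5:
        return Verdict(False, "truncated TLS record header")
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != TLS_HEARTBEAT:
        return Verdict(True, "not a heartbeat record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        return Verdict(False, "record length field does not match the bytes present")
    if rec_len < HB_HEADER_LEN + MIN_PADDING:
        return Verdict(False, "heartbeat body too short for type, length and padding")
    hb_type, payload_len = struct.unpack("!BH", body[:HB_HEADER_LEN])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return Verdict(False, f"unknown heartbeat type {hb_type}")
    actual = rec_len - HB_HEADER_LEN - MIN_PADDING
    if payload_len > actual:
        return Verdict(False, "payload_length exceeds record size (Heartbleed-style request)",
                       payload_len, actual)
    return Verdict(True, "well-formed heartbeat", payload_len, actual)


def flag_heartbleed(records) -> list:
    """Return (index, verdict) for every record in a sequence that fails the check."""
    flagged = []
    for i, rec in enumerate(records):
        verdict = check_heartbeat_record(rec)
        if not verdict.ok:
            flagged.append((i, verdict))
    return flagged


def _tls_heartbeat(hb_type: int, payload_len: int, payload: bytes, padding: bytes) -> bytes:
    """Build a TLS 1.1 heartbeat record; payload_len is written as given, not derived."""
    body = struct.pack("!BH", hb_type, payload_len) + payload + padding
    return struct.pack("!BHH", TLS_HEARTBEAT, 0x0302, len(body)) + body


# Constructed samples: an honest 3-byte heartbeat, a request claiming 65535 bytes while
# carrying none (the shape of the leak), and an application-data record for contrast.
BENIGN_RECORD = _tls_heartbeat(HB_REQUEST, 3, b"abc", b"\x00" * MIN_PADDING)
OVERSIZED_RECORD = _tls_heartbeat(HB_REQUEST, 0xFFFF, b"", b"\x00" * MIN_PADDING)
APP_DATA_RECORD = struct.pack("!BHH", 23, 0x0302, 1) + b"\x00"


if __name__ == "__main__":
    for i, v in flag_heartbleed([BENIGN_RECORD, APP_DATA_RECORD, OVERSIZED_RECORD]):
        print(f"record {i}: {v.reason} (claimed {v.claimed_len}, actual {v.actual_len})")
```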
<br />
<br /><br />
<br />Eng, 2014-02-20: Encase vs Autopsy vs XWays<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqVTd7uVT650YCf20Hae4hfK957XYUh0e6OOz6ta7QzSLI6jUcfskS4cCC1mCFa56eycL7Em6DZn4eQSuLyurqFJdmgALWa2BSM3WHdiX7P7NSGOMckx5rPziAKDq_ZFrVzAt70iUEwj0/s1600/Encase+vs+xwf+vs+autopsy.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqVTd7uVT650YCf20Hae4hfK957XYUh0e6OOz6ta7QzSLI6jUcfskS4cCC1mCFa56eycL7Em6DZn4eQSuLyurqFJdmgALWa2BSM3WHdiX7P7NSGOMckx5rPziAKDq_ZFrVzAt70iUEwj0/s1600/Encase+vs+xwf+vs+autopsy.png" height="240" width="320" /></a></div>
Over the past few months, I have had the chance to work more extensively with the following IT Forensic tools (at the same time):<br />
<br />
1. <a href="http://www.guidancesoftware.com/">Encase Examiner</a><br />
2. <a href="http://www.x-ways.com/">XWF or X-Ways</a><br />
3. <a href="http://www.sleuthkit.org/">Autopsy</a><br />
<br />
Most IT forensic professionals would say that there is no single tool that fits everything. I can't agree more.<br />
<br />
Here are my personal views of each tool's pros and cons:<br />
<br />
<b>1. Encase:</b><br />
<br />
<b>Pros: </b><br />
- Easy to use user interface. <br />
- Renowned tool, accepted by courts of law. <br />
- Easy reporting features. <br />
- Easy and free tool for acquisition (Encase Imager). <br />
- Built-in support for Bitlocker.<br />
- Nice and user friendly "Review Package" that can be sent to Requestor for reviewing the evidence.<br />
<br />
<b>Cons:</b><br />
- Not cheap.<br />
- Evidence processing can be slow, especially when processing large PST files.<br />
- Not portable by default. <br />
<br />
<b>2. XWF (X-Ways)</b><br />
<b>Pros: </b><br />
- Very customizable evidence processing options. Thus, you can select to process only certain things that you want to look at e.g. emails, registry. <br />
- Very flexible and granular filtering options. Filter by column 1 + filter in column 2 etc... <br />
- Highly customizable search functions. For example, search for "xyz" only in Word documents. <br />
- Multiple instances e.g. one doing "processing", the other doing live preview.<br />
- Portable by default.<br />
- Very frequent updates for new features. <br />
<br />
<b>Cons:</b><br />
- Complex interface. Technical in nature - not easy to learn for a beginner. <br />
- Too many options to choose, thus could be confusing. (However, the default options are good enough for most of the cases). <br />
- Dongle must be attached at all times to start the software. <br />
- No option to create a nice "Review Package" that you can forward to someone.<br />
- No support for Bitlocker (the company I work for uses this a lot).<br />
<br />
<b>3. Autopsy</b>:<br />
<b>Pros:</b><br />
- Free for commercial use. <br />
- Very fast and easy tool for analysis of user's browsing history or internet activities.<br />
<br />
<b>Cons:</b><br />
- Limited functions (but it is free!).<br />
- No support for Bitlocker.<br />
- No nice "review package".<br />
<br />
Thus, it really depends on what you want to do. For example, if I would like to quickly find out how a malware infected a machine, I would use Autopsy first. If I would like to process evidence for fraud cases, I would go for Encase first. X-Ways will be the tool if I need to do complex filtering and fast extraction of some evidence.<br />
<br />
Have fun! <br />
<br />
<br />
<br />Eng, 2014-01-18: What's coming in 2014?<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBO-OF0cKb_pyXWBMZOE3m92lIHU7cgW8eOM5tMKEZXd6DC2VNM9Ia1pDdNYL6tdFCYnvAsiQBFr5wxIHA9GPo9J8ZGStTD-JsO6KfcXfli99hD26o-sAZLXgNuzpBS1YF6R1drjW0fkw/s1600/information+security+world+2014.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBO-OF0cKb_pyXWBMZOE3m92lIHU7cgW8eOM5tMKEZXd6DC2VNM9Ia1pDdNYL6tdFCYnvAsiQBFr5wxIHA9GPo9J8ZGStTD-JsO6KfcXfli99hD26o-sAZLXgNuzpBS1YF6R1drjW0fkw/s1600/information+security+world+2014.jpg" height="320" width="320" /></a></div>
<br />
What's coming to information security world in 2014?<br />
<br />
<b>These are my views:</b><br />
1. Malware will be for profit, no longer for fun. It will be harder to track who is behind it.<br />
2. Cryptolockers or alike will go mainstream.<br />
4. Demand for digital/IT forensic will go up.<br />
5. More providers will enhance their services offering with encryption to respond to NSA's spying activities.<br />
6. Companies and government organisations will collaborate more to fight cybercrime. More joint announcements will be made on successful take-downs of botnets or cybercrime networks.<br />
7. Windows XP end of life will have a high impact and will directly contribute to higher botnet activity. The bad guys are holding their cards now, waiting for the right time to swallow their prey once XP is left orphaned.<br />
8. More malware will target Android devices. I won't be surprised if Cryptolocker invades Android soon (if it has not already done so).<br />
9. Data breaches will continue to rise. We will see more data breaches of big retail or non IT services companies.<br />
10. Big Data will be one of the hot topics discussed. <br />
<br />
<b>What's yours?</b><br />
<br />
<i><span style="font-size: x-small;">Acknowledgement: </span></i><br />
<i><span style="font-size: x-small;">Picture source - http://www.flickr.com/photos/danmoyle/11178388835/sizes/z/ </span></i>Eng, 2013-12-12: Live Forensic on Linux<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsatdVXs9dB3ziwk2l_7rwCBespHa6RVk_-EwJ113cKTDQFju5jH0a08DGPpiK5uRGh4PG14zny6JvbrGiIiH_WqCEBss0Q1Sg3-ZCGZQrH6RjRBdmlsv36z-YDvGwC3rc8SQc-YQG_jc/s1600/Linux-live-forensic.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="190" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsatdVXs9dB3ziwk2l_7rwCBespHa6RVk_-EwJ113cKTDQFju5jH0a08DGPpiK5uRGh4PG14zny6JvbrGiIiH_WqCEBss0Q1Sg3-ZCGZQrH6RjRBdmlsv36z-YDvGwC3rc8SQc-YQG_jc/s320/Linux-live-forensic.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiv5Ok2aUi8KOLXbkU0tYHAFE5WkQcJo4rmtWnvofIIhZhkbCOReoCgDb93SfmsKjn99UbIAMbZi1VmUzAfVJcpPPoDVeg6fhPDpz8tHlajOWlDXE4tbAQamAkWrXLBCrhVy9jWfi4UOQs/s1600/live+forensic-busybox.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiv5Ok2aUi8KOLXbkU0tYHAFE5WkQcJo4rmtWnvofIIhZhkbCOReoCgDb93SfmsKjn99UbIAMbZi1VmUzAfVJcpPPoDVeg6fhPDpz8tHlajOWlDXE4tbAQamAkWrXLBCrhVy9jWfi4UOQs/s1600/live+forensic-busybox.png" /></a></div>
<br />
Last month, I wrote a bit about doing <a href="http://www.securityisfun.net/2013/11/live-forensic-on-windows.html">live forensic on a Windows machine</a>. Today, let's do Linux.<br />
<br />
Let's do a bit of recall before we proceed. Since I'm too lazy to repeat myself, here are excerpts of what I have written previously in <a href="http://www.securityisfun.net/2013/11/live-forensic-on-windows.html">Live Forensic on Windows</a>:<br />
<br />
<i><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20px;">Before we touch that, why do we need to do live forensic in the first place? For a few reasons:</span><br style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20px;" /><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20px;">a) It is a production server and the Business Owner or System Admin would not let you shut down the system/server for offline forensic</span><br style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20px;" /><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20px;">b) The server/system is at a location that you could not go to physically</span><br style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20px;" /><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20px;">c) We are afraid that we may lose crucial information, e.g. 
malware that runs in memory only, if we were to shut down the system immediately</span><br style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20px;" /><br style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20px;" /><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20px;">Next, what info or data should we gather? What tools to use? In </span><a href="http://www.securityisfun.net/2013/03/5-key-processes-in-enterprise-it.html" style="background-color: white; color: #6699cc; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20px; text-decoration: none;">IT Forensic</a><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20px;">, we normally talk about using trusted binaries. Why is it important? Because on a hacked or malware-infected machine, it is not uncommon for the attacker/malware to install rootkits or replace some common commands/binaries of the system/server in order to hide or cover their tracks. Running these binaries might not give you the real output or info as they should. Therefore, the first step is to prepare a forensic kit (e.g. write-protected USB stick, CD) with your trusted binaries/tools.</span></i><br />
<i><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20px;"><br /></span></i>
<span style="color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 15px; line-height: 20px;">Now, what tools can you use? Unlike Windows, Linux binaries are quite sensitive to the kernel version. Also, have you heard about dynamic library <a href="http://en.wikipedia.org/wiki/Dependency_hell">dependency hell</a>? Basically one library depends on another library, which depends on yet other libraries, and so on... Thus, most of the time you can't just copy out the binary/program and expect it to work on another system. You can always compile your own binary statically, but that requires a lot of work as well. Luckily, I found a saviour - <a href="http://www.busybox.net/">Busybox!</a> Yes, it is the same tool you use to run commands on your rooted Android devices :)</span></span><br />
<span style="color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 15px; line-height: 20px;"><br /></span></span>
<span style="color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 15px; line-height: 20px;">So, go grab yourself the Linux version of <a href="http://www.busybox.net/">Busybox </a>now!</span></span><br />
<span style="color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 15px; line-height: 20px;"><br /></span></span>
<span style="color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 15px; line-height: 20px;">For memory dump acquisition:</span></span><br />
<span style="color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 15px; line-height: 20px;">1. Use <a href="http://code.google.com/p/lime-forensics">LiME</a>. However, it might not work if the system prevents loading of kernel modules. It is also very kernel-specific, so you can't compile it on one system and expect it to work on any other; it will only work on a system with the same kernel version. </span></span><br />
<span style="color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 15px; line-height: 20px;">2. dd if=/dev/mem of=host1/dd-dev-mem.img . However, this may not work with newer kernels, or if the kernel is compiled with the STRICT_DEVMEM=y option (check /boot/config-&lt;KERNELVERSION&gt;). </span></span><br />
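The live-response collector below is an added example, not code from the post; it assumes the post's ./busybox-i686 binary on the kit and a targethost output folder. It does what the post's table does by hand: each item is run with the trusted busybox applet and again with the system binary, every saved output is hashed into a manifest so the evidence can be verified later, and the kernel config is parsed for STRICT_DEVMEM instead of being eyeballed.

```python
import hashlib
import json
import subprocess
import time
from pathlib import Path

BUSYBOX = "./busybox-i686"   # assumed: the static busybox on the write-protected kit

# (label, busybox applet argv, system binary argv), mirroring the post's table: every item
# is run twice so the trusted output can be compared with what the system's own binaries
# (which a rootkit may have replaced) report.
CHECKLIST = [
    ("hostname", ["hostname"], ["hostname"]),
    ("uname-a", ["uname", "-a"], ["uname", "-a"]),
    ("date", ["date"], ["date"]),
    ("ifconfig", ["ifconfig"], ["ifconfig", "-a"]),
    ("ps-eaf", ["ps", "-eaf"], ["ps", "-eaf"]),
    ("lsof", ["lsof"], ["lsof"]),
]


def run_and_save(argv, outfile) -> dict:
    """Run one command, write its stdout to outfile, return a custody record.

    The record keeps the exact argv, exit code, stderr, byte count, SHA-256 of the saved
    output and the timing, so the collection can be reproduced and verified later.
    """
    outfile = Path(outfile)
    outfile.parent.mkdir(parents=True, exist_ok=True)
    started = time.time()
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=120)
        data, rc, err = proc.stdout, proc.returncode, proc.stderr.decode(errors="replace")
    except (OSError, subprocess.TimeoutExpired) as exc:  # missing binary, no exec bit, hang
        data, rc, err = b"", -1, repr(exc)
    outfile.write_bytes(data)
    return {
        "argv": list(argv),
        "file": outfile.name,
        "returncode": rc,
        "stderr": err.strip(),
        "bytes": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "started": round(started, 3),
        "seconds": round(time.time() - started, 3),
    }


def collect(checklist, outdir, busybox=BUSYBOX) -> dict:
    """Gather every checklist item with the trusted applet and with the system binary."""
    outdir = Path(outdir)
    manifest = {"collected_at": time.strftime("%Y-%m-%dT%H:%M:%S%z"), "items": {}}
    for label, applet, system_argv in checklist:
        manifest["items"][label] = {
            "trusted": run_and_save([busybox] + applet, outdir / f"b-{label}.txt"),
            "system": run_and_save(system_argv, outdir / f"{label}.txt"),
        }
    (outdir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_manifest(outdir) -> list:
    """Re-hash every saved output; return "label/kind" for each file that no longer matches."""
    outdir = Path(outdir)
    manifest = json.loads((outdir / "manifest.json").read_text())
    tampered = []
    for label, runs in manifest["items"].items():
        for kind, rec in runs.items():
            digest = hashlib.sha256((outdir / rec["file"]).read_bytes()).hexdigest()
            if digest != rec["sha256"]:
                tampered.append(f"{label}/{kind}")
    return tampered


def strict_devmem(config_text: str):
    """Parse the text of /boot/config-KERNELVERSION: True if CONFIG_STRICT_DEVMEM=y (dd of
    /dev/mem will not hand over all of RAM), False if explicitly unset, None if absent."""
    for line in config_text.splitlines():
        line = line.strip()
        if line.startswith("CONFIG_STRICT_DEVMEM="):
            return line.split("=", 1)[1] == "y"
        if line == "# CONFIG_STRICT_DEVMEM is not set":
            return False
    return None


if __name__ == "__main__":
    import platform
    target = Path("targethost")
    manifest = collect(CHECKLIST, target)
    for label, runs in manifest["items"].items():
        t, s = runs["trusted"], runs["system"]
        note = "" if t["sha256"] == s["sha256"] else "  (outputs differ: compare by hand)"
        print(f"{label:10} trusted={t['bytes']:7}B system={s['bytes']:7}B{note}")
    cfg = Path("/boot/config-" + platform.release())
    if cfg.exists():
        print("STRICT_DEVMEM:", strict_devmem(cfg.read_text()))
    print("tampered since collection:", verify_manifest(target))
```

Busybox and GNU tools format ps and lsof output differently, so a differing hash there is a lead to compare by hand, not proof of a rootkit.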
<span style="color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 15px; line-height: 20px;"><br /></span></span>
<span style="color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 15px; line-height: 20px;">Have fun!</span></span><br />
<span style="color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 15px; line-height: 20px;"><br /></span></span>
<table border="1" cellpadding="0" cellspacing="0" class="MsoNormalTable" style="border-collapse: collapse; border: none; margin-left: -.05in; mso-border-alt: solid windowtext .5pt; mso-border-insideh: .5pt solid windowtext; mso-border-insidev: .5pt solid windowtext; mso-padding-alt: 0in 5.4pt 0in 5.4pt; mso-table-layout-alt: fixed; mso-yfti-tbllook: 480; width: 462px;">
<tbody>
<tr>
<td style="border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 27.0pt;" valign="top" width="36">
<div align="left" class="MsoBodyText" style="margin-left: 0in;">
<b><span style="font-size: 10.0pt; mso-bidi-font-family: Arial;">No.<o:p></o:p></span></b></div>
</td>
<td style="border-left: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 112.5pt;" valign="top" width="150">
<div align="left" class="MsoBodyText" style="margin-left: 0in;">
<b><span style="font-size: 10.0pt; mso-bidi-font-family: Arial;">What to Acquire<o:p></o:p></span></b></div>
</td>
<td style="border-left: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 207.0pt;" valign="top" width="276">
<div align="left" class="MsoBodyText" style="margin-left: 0in;">
<b><span style="font-size: 10.0pt; mso-bidi-font-family: Arial;">Tools/Commands to Use
(Output is saved to a file) <o:p></o:p></span></b></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 27.0pt;" valign="top" width="36">
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span style="font-size: 10.0pt; mso-bidi-font-family: Arial; mso-fareast-font-family: Arial;">1.<span style="font-size: 7pt;">
</span></span><!--[endif]--><span style="font-size: 10.0pt; mso-bidi-font-family: Arial;"> </span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 112.5pt;" valign="top" width="150">
<div align="left" class="MsoBodyText" style="margin-left: 0in;">
<span style="font-size: 10.0pt; mso-bidi-font-family: Arial;">Hostname<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 207.0pt;" valign="top" width="276">
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="SV" style="font-family: Symbol; font-size: 10.0pt; mso-ansi-language: SV; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span lang="SV" style="font-size: 10.0pt; mso-ansi-language: SV; mso-bidi-font-family: Arial;">./busybox-i686 hostname >
targethost/b-hostname.txt<o:p></o:p></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="SV" style="font-family: Symbol; font-size: 10.0pt; mso-ansi-language: SV; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span lang="EN-US" style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial;">hostname > targethost</span><span lang="SV" style="font-size: 10.0pt; mso-ansi-language: SV; mso-bidi-font-family: Arial;">/hostname.txt<o:p></o:p></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 27.0pt;" valign="top" width="36">
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="SV" style="font-size: 10.0pt; mso-ansi-language: SV; mso-bidi-font-family: Arial; mso-fareast-font-family: Arial;">2.<span style="font-size: 7pt;"> </span></span><!--[endif]--><span lang="SV" style="font-size: 10.0pt; mso-ansi-language: SV; mso-bidi-font-family: Arial;"> </span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 112.5pt;" valign="top" width="150">
<div align="left" class="MsoBodyText" style="margin-left: 0in;">
<span style="font-size: 10.0pt; mso-bidi-font-family: Arial;">OS version<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 207.0pt;" valign="top" width="276">
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="IT" style="font-family: Symbol; font-size: 10.0pt; mso-ansi-language: IT; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span lang="IT" style="font-size: 10.0pt; mso-ansi-language: IT; mso-bidi-font-family: Arial;">./busybox-i686 uname -a > targethost/b-uname-a.txt</span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-US" style="font-family: Symbol; font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span lang="EN-US" style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial;">uname -a > targethost/uname-a.txt</span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-US" style="font-family: Symbol; font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span lang="EN-US" style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial;">cat /etc/os-release > targethost/os-release.txt
<o:p></o:p></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 27.0pt;" valign="top" width="36">
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-US" style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial; mso-fareast-font-family: Arial;">3.<span style="font-size: 7pt;"> </span></span><!--[endif]--><span lang="EN-US" style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial;"> </span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 112.5pt;" valign="top" width="150">
<div align="left" class="MsoBodyText" style="margin-left: 0in;">
<span style="font-size: 10.0pt; mso-bidi-font-family: Arial;">Current system date and
time<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 207.0pt;" valign="top" width="276">
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span style="font-size: 10.0pt; mso-bidi-font-family: Arial;">./busybox-i686 date > targethost/b-date.txt<o:p></o:p></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span style="font-size: 10.0pt; mso-bidi-font-family: Arial;">date > targethost/date.txt <o:p></o:p></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 27.0pt;" valign="top" width="36">
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span style="font-size: 10.0pt; mso-bidi-font-family: Arial; mso-fareast-font-family: Arial;">4.<span style="font-size: 7pt;">
</span></span><!--[endif]--><span style="font-size: 10.0pt; mso-bidi-font-family: Arial;"> </span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 112.5pt;" valign="top" width="150">
<div align="left" class="MsoBodyText" style="margin-left: 0in;">
<span style="font-size: 10.0pt; mso-bidi-font-family: Arial;">Current IP address <o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 207.0pt;" valign="top" width="276">
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span style="font-size: 10.0pt; mso-bidi-font-family: Arial;">./busybox-i686 ifconfig > targethost/b-ifconfig.txt <o:p></o:p></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span style="font-size: 10.0pt; mso-bidi-font-family: Arial;">ifconfig -a > targethost/ifconfig-a.txt</span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 27.0pt;" valign="top" width="36">
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span style="font-size: 10.0pt; mso-bidi-font-family: Arial; mso-fareast-font-family: Arial;">5.<span style="font-size: 7pt;">
</span></span><!--[endif]--><span style="font-size: 10.0pt; mso-bidi-font-family: Arial;"> </span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 112.5pt;" valign="top" width="150">
<div align="left" class="MsoBodyText" style="margin-left: 0in;">
<span style="font-size: 10.0pt; mso-bidi-font-family: Arial;">Current running process
list<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 207.0pt;" valign="top" width="276">
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span style="font-size: 10.0pt; mso-bidi-font-family: Arial;">./busybox-i686 ps -eaf > targethost/b-ps-eaf.txt</span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-US" style="font-family: Symbol; font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span lang="EN-US" style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial;">ps -eaf > targethost/ps-eaf.txt</span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span style="font-size: 10.0pt; mso-bidi-font-family: Arial;">./busybox-i686 lsof -a > targethost/b-lsof.txt<o:p></o:p></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span style="font-size: 10.0pt; mso-bidi-font-family: Arial;">lsof > targethost/lsof.txt <o:p></o:p></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 27.0pt;" valign="top" width="36">
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-US" style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial; mso-fareast-font-family: Arial;">6.<span style="font-size: 7pt;"> </span></span><!--[endif]--><span lang="EN-US" style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial;"> </span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 112.5pt;" valign="top" width="150">
<div align="left" class="MsoBodyText" style="margin-left: 0in;">
<span style="font-size: 10.0pt; mso-bidi-font-family: Arial;">current network connection list<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 207.0pt;" valign="top" width="276">
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="SV" style="font-family: Symbol; font-size: 10.0pt; mso-ansi-language: SV; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span lang="SV" style="font-size: 10.0pt; mso-ansi-language: SV; mso-bidi-font-family: Arial;">./busybox-i686 netstat -anp
> targethost/b-netstat-anp.txt <o:p></o:p></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="SV" style="font-family: Symbol; font-size: 10.0pt; mso-ansi-language: SV; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span lang="SV" style="font-size: 10.0pt; mso-ansi-language: SV; mso-bidi-font-family: Arial;">netstat -anp > targethost/netstat-anp.txt<o:p></o:p></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="SV" style="font-family: Symbol; font-size: 10.0pt; mso-ansi-language: SV; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span lang="SV" style="font-size: 10.0pt; mso-ansi-language: SV; mso-bidi-font-family: Arial;">./busybox-i686 netstat -anr
> targethost/b-netstat-anr.txt<o:p></o:p></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="SV" style="font-family: Symbol; font-size: 10.0pt; mso-ansi-language: SV; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span lang="SV" style="font-size: 10.0pt; mso-ansi-language: SV; mso-bidi-font-family: Arial;">netstat -anr > targethost/netstat-anr.txt<o:p></o:p></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 27.0pt;" valign="top" width="36">
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="SV" style="font-size: 10.0pt; mso-ansi-language: SV; mso-bidi-font-family: Arial; mso-fareast-font-family: Arial;">7.<span style="font-size: 7pt;"> </span></span><!--[endif]--><span lang="SV" style="font-size: 10.0pt; mso-ansi-language: SV; mso-bidi-font-family: Arial;"> </span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 112.5pt;" valign="top" width="150">
<div align="left" class="MsoBodyText" style="margin-left: 0in;">
<span style="font-size: 10.0pt; mso-bidi-font-family: Arial;">current list of logon sessions<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 207.0pt;" valign="top" width="276">
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-US" style="font-family: Symbol; font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span lang="EN-US" style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial;">./busybox-i686 who -a
> targethost/b-who-a.txt <o:p></o:p></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-US" style="font-family: Symbol; font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span lang="EN-US" style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial;">who -a > targethost/who-a.txt<o:p></o:p></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-US" style="font-family: Symbol; font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span lang="EN-US" style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial;">w > targethost/w.txt<o:p></o:p></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 27.0pt;" valign="top" width="36">
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-US" style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial; mso-fareast-font-family: Arial;">8.<span style="font-size: 7pt;"> </span></span><!--[endif]--><span lang="EN-US" style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial;"> </span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 112.5pt;" valign="top" width="150">
<div align="left" class="MsoBodyText" style="margin-left: 0in;">
<span style="font-size: 10.0pt; mso-bidi-font-family: Arial;"> list of auto start applications and services
<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 207.0pt;" valign="top" width="276">
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span style="font-size: 10.0pt; mso-bidi-font-family: Arial;">chkconfig --list > targethost/chkconfig--list.txt<o:p></o:p></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span style="font-size: 10.0pt; mso-bidi-font-family: Arial;">./busybox-i686 ls -alR /etc/rc* > targethost/ls-al-etc-rc.txt<o:p></o:p></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span style="font-size: 10.0pt; mso-bidi-font-family: Arial;">./busybox-i686 ls -alR /etc/init.d > targethost/ls-al-rc-d.txt<o:p></o:p></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span style="font-size: 10.0pt; mso-bidi-font-family: Arial;">more /etc/init.d/* > targethost/more-init-d.txt<o:p></o:p></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span style="font-size: 10.0pt; mso-bidi-font-family: Arial;">cat /etc/inittab > targethost/inittab.txt<o:p></o:p></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span style="font-size: 10.0pt; mso-bidi-font-family: Arial;">service --status-all > targethost/service--status-all.txt <o:p></o:p></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span style="font-size: 10.0pt; mso-bidi-font-family: Arial;">./busybox-i686 ls -alR /etc/systemd* > targethost/ls-al-etc-systemd.txt<o:p></o:p></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span style="font-size: 10.0pt; mso-bidi-font-family: Arial;">./busybox-i686 cat /etc/inetd.conf > targethost/inetd.conf<o:p></o:p></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="FR" style="font-family: Symbol; font-size: 10.0pt; mso-ansi-language: FR; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span lang="FR" style="font-size: 10.0pt; mso-ansi-language: FR; mso-bidi-font-family: Arial;">cat /etc/inetd.conf > targethost/inetd.conf<o:p></o:p></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 27.0pt;" valign="top" width="36">
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span style="font-size: 10.0pt; mso-bidi-font-family: Arial; mso-fareast-font-family: Arial;">9.<span style="font-size: 7pt;">
</span></span><!--[endif]--><span style="font-size: 10.0pt; mso-bidi-font-family: Arial;"> </span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 112.5pt;" valign="top" width="150">
<div align="left" class="MsoBodyText" style="margin-left: 0in;">
<span style="font-size: 10.0pt; mso-bidi-font-family: Arial;"> environment variables <o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 207.0pt;" valign="top" width="276">
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span style="font-size: 10.0pt; mso-bidi-font-family: Arial;">./busybox-i686 env > targethost/b-env.txt<o:p></o:p></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span style="font-size: 10.0pt; mso-bidi-font-family: Arial;">env > targethost/env.txt<o:p></o:p></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 27.0pt;" valign="top" width="36">
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span style="font-size: 10.0pt; mso-bidi-font-family: Arial; mso-fareast-font-family: Arial;">10.<span style="font-size: 7pt;">
</span></span><!--[endif]--><span style="font-size: 10.0pt; mso-bidi-font-family: Arial;"> </span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 112.5pt;" valign="top" width="150">
<div align="left" class="MsoBodyText" style="margin-left: 0in;">
<span style="font-size: 10.0pt; mso-bidi-font-family: Arial;"> list of cron jobs (scheduler)<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 207.0pt;" valign="top" width="276">
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="FR" style="font-family: Symbol; font-size: 10.0pt; mso-ansi-language: FR; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span lang="FR" style="font-size: 10.0pt; mso-ansi-language: FR; mso-bidi-font-family: Arial;">./busybox-i686 cat
/etc/crontab > targethost/b-crontab.txt<o:p></o:p></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="FR" style="font-family: Symbol; font-size: 10.0pt; mso-ansi-language: FR; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span lang="FR" style="font-size: 10.0pt; mso-ansi-language: FR; mso-bidi-font-family: Arial;">cat /etc/crontab > targethost/crontab.txt<o:p></o:p></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 27.0pt;" valign="top" width="36">
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="FR" style="font-size: 10.0pt; mso-ansi-language: FR; mso-bidi-font-family: Arial; mso-fareast-font-family: Arial;">11.<span style="font-size: 7pt;"> </span></span><!--[endif]--><span lang="FR" style="font-size: 10.0pt; mso-ansi-language: FR; mso-bidi-font-family: Arial;"> </span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 112.5pt;" valign="top" width="150">
<div align="left" class="MsoBodyText" style="margin-left: 0in;">
<span lang="FR" style="font-size: 10.0pt; mso-bidi-font-family: Arial;"> </span><span style="font-size: 10.0pt; mso-bidi-font-family: Arial;">system event (dmesg) log records<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 207.0pt;" valign="top" width="276">
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span style="font-size: 10.0pt; mso-bidi-font-family: Arial;">./busybox-i686 dmesg > targethost/b-dmesg.txt <o:p></o:p></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span style="font-size: 10.0pt; mso-bidi-font-family: Arial;">dmesg > targethost/dmesg.txt <o:p></o:p></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 27.0pt;" valign="top" width="36">
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span style="font-size: 10.0pt; mso-bidi-font-family: Arial; mso-fareast-font-family: Arial;">12.<span style="font-size: 7pt;">
</span></span><!--[endif]--><span style="font-size: 10.0pt; mso-bidi-font-family: Arial;"> </span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 112.5pt;" valign="top" width="150">
<div align="left" class="MsoBodyText" style="margin-left: 0in;">
<span style="font-size: 10.0pt; mso-bidi-font-family: Arial;"> last user activity records<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 207.0pt;" valign="top" width="276">
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span style="font-size: 10.0pt; mso-bidi-font-family: Arial;">./busybox-i686 last > targethost/b-last.txt <o:p></o:p></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span style="font-size: 10.0pt; mso-bidi-font-family: Arial;">last > targethost/last.txt<o:p></o:p></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span style="font-size: 10.0pt; mso-bidi-font-family: Arial;">lastb > targethost/lastb.txt<o:p></o:p></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span style="font-size: 10.0pt; mso-bidi-font-family: Arial;">lastlog > targethost/lastlog.txt <o:p></o:p></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 27.0pt;" valign="top" width="36">
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-US" style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial; mso-fareast-font-family: Arial;">13.<span style="font-size: 7pt;"> </span></span><!--[endif]--><span lang="EN-US" style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial;"> </span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 112.5pt;" valign="top" width="150">
<div align="left" class="MsoBodyText" style="margin-left: 0in;">
<span style="font-size: 10.0pt; mso-bidi-font-family: Arial;"> list of installed software<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 207.0pt;" valign="top" width="276">
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-US" style="font-family: Symbol; font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span lang="EN-US" style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial;">rpm -qa > targethost/rpm-qa.txt<o:p></o:p></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-US" style="font-family: Symbol; font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span lang="EN-US" style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial;">dpkg --get-selections >
targethost/dpkg--get-selections.txt <o:p></o:p></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 27.0pt;" valign="top" width="36">
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-US" style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial; mso-fareast-font-family: Arial;">14.<span style="font-size: 7pt;"> </span></span><!--[endif]--><span lang="EN-US" style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial;"> </span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 112.5pt;" valign="top" width="150">
<div align="left" class="MsoBodyText" style="margin-left: 0in;">
<span style="font-size: 10.0pt; mso-bidi-font-family: Arial;"> list of user accounts<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 207.0pt;" valign="top" width="276">
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="FR" style="font-family: Symbol; font-size: 10.0pt; mso-ansi-language: FR; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span lang="FR" style="font-size: 10.0pt; mso-ansi-language: FR; mso-bidi-font-family: Arial;">./busybox-i686 cat
/etc/passwd > targethost/b-passwd.txt <o:p></o:p></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="FR" style="font-family: Symbol; font-size: 10.0pt; mso-ansi-language: FR; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span lang="FR" style="font-size: 10.0pt; mso-ansi-language: FR; mso-bidi-font-family: Arial;">cat /etc/passwd > targethost/passwd.txt<o:p></o:p></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-US" style="font-family: Symbol; font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span lang="EN-US" style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial;">./busybox-i686 cat
/etc/group > targethost/b-group.txt <o:p></o:p></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-US" style="font-family: Symbol; font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span lang="EN-US" style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial;">cat /etc/group > targethost/group.txt<o:p></o:p></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 27.0pt;" valign="top" width="36">
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-US" style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial; mso-fareast-font-family: Arial;">15.<span style="font-size: 7pt;"> </span></span><!--[endif]--><span lang="EN-US" style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial;"> </span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 112.5pt;" valign="top" width="150">
<div align="left" class="MsoBodyText" style="margin-left: 0in;">
<span style="font-size: 10.0pt; mso-bidi-font-family: Arial;"> partition table and drive info<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 207.0pt;" valign="top" width="276">
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span style="font-size: 10.0pt; mso-bidi-font-family: Arial;">./busybox-i686 df -h > targethost/b-df-h.txt<o:p></o:p></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span style="font-size: 10.0pt; mso-bidi-font-family: Arial;">df -h > targethost/df-h.txt<o:p></o:p></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="SV" style="font-family: Symbol; font-size: 10.0pt; mso-ansi-language: SV; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span lang="SV" style="font-size: 10.0pt; mso-ansi-language: SV; mso-bidi-font-family: Arial;">./busybox-i686 fdisk -l >
targethost/b-fdisk-l.txt<o:p></o:p></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="SV" style="font-family: Symbol; font-size: 10.0pt; mso-ansi-language: SV; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span lang="SV" style="font-size: 10.0pt; mso-ansi-language: SV; mso-bidi-font-family: Arial;">fdisk -l > targethost/fdisk-l.txt<o:p></o:p></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-US" style="font-family: Symbol; font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span lang="EN-US" style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial;">parted -l > targethost/parted-l.txt
<o:p></o:p></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-US" style="font-family: Symbol; font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span lang="EN-US" style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial;">./busybox-i686 cat
/etc/fstab > targethost/b-fstab.txt<o:p></o:p></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="FR" style="font-family: Symbol; font-size: 10.0pt; mso-ansi-language: FR; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span lang="FR" style="font-size: 10.0pt; mso-ansi-language: FR; mso-bidi-font-family: Arial;">cat /etc/fstab > targethost/fstab.txt<o:p></o:p></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-US" style="font-family: Symbol; font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span lang="EN-US" style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial;">./busybox-i686 mount >
targethost/b-mount.txt<o:p></o:p></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-US" style="font-family: Symbol; font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span lang="EN-US" style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial;">mount > targethost/mount.txt
<o:p></o:p></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 27.0pt;" valign="top" width="36">
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-US" style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial; mso-fareast-font-family: Arial;">16.<span style="font-size: 7pt;"> </span></span><!--[endif]--><span lang="EN-US" style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial;"> </span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 112.5pt;" valign="top" width="150">
<div align="left" class="MsoBodyText" style="margin-left: 0in;">
<span lang="EN-US" style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial;"> list of loaded modules <o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 207.0pt;" valign="top" width="276">
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="SV" style="font-family: Symbol; font-size: 10.0pt; mso-ansi-language: SV; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span lang="SV" style="font-size: 10.0pt; mso-ansi-language: SV; mso-bidi-font-family: Arial;">./busybox-i686 lsmod > targethost/b-lsmod.txt<o:p></o:p></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="SV" style="font-family: Symbol; font-size: 10.0pt; mso-ansi-language: SV; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span lang="SV" style="font-size: 10.0pt; mso-ansi-language: SV; mso-bidi-font-family: Arial;">lsmod > targethost/lsmod.txt<o:p></o:p></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-US" style="font-family: Symbol; font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span lang="EN-US" style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial;">./busybox-i686 cat
/proc/modules > targethost/b-proc-modules.txt<o:p></o:p></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="SV" style="font-family: Symbol; font-size: 10.0pt; mso-ansi-language: SV; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span lang="SV" style="font-size: 10.0pt; mso-ansi-language: SV; mso-bidi-font-family: Arial;">cat /proc/modules > targethost/proc-modules.txt
<o:p></o:p></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 27.0pt;" valign="top" width="36">
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="SV" style="font-size: 10.0pt; mso-ansi-language: SV; mso-bidi-font-family: Arial; mso-fareast-font-family: Arial;">17.<span style="font-size: 7pt;"> </span></span><!--[endif]--><span lang="SV" style="font-size: 10.0pt; mso-ansi-language: SV; mso-bidi-font-family: Arial;"> </span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 112.5pt;" valign="top" width="150">
<div align="left" class="MsoBodyText" style="margin-left: 0in;">
<span lang="SV" style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial;"> </span><span lang="EN-US" style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial;">information
about memory usage<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 207.0pt;" valign="top" width="276">
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-US" style="font-family: Symbol; font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span lang="EN-US" style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial;">./busybox-i686 <a href="" name="OLE_LINK7"></a><a href="" name="OLE_LINK6">cat
/proc/meminfo > targethost/b-proc-meminfo.txt</a><o:p></o:p></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="SV" style="font-family: Symbol; font-size: 10.0pt; mso-ansi-language: SV; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span lang="SV" style="font-size: 10.0pt; mso-ansi-language: SV; mso-bidi-font-family: Arial;">cat /proc/meminfo > targethost/proc-meminfo.txt
<o:p></o:p></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0in;">
<br /></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 27.0pt;" valign="top" width="36">
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="SV" style="font-size: 10.0pt; mso-ansi-language: SV; mso-bidi-font-family: Arial; mso-fareast-font-family: Arial;">18.<span style="font-size: 7pt;"> </span></span><!--[endif]--><span lang="SV" style="font-size: 10.0pt; mso-ansi-language: SV; mso-bidi-font-family: Arial;"> </span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 112.5pt;" valign="top" width="150">
<div align="left" class="MsoBodyText" style="margin-left: 0in;">
<span style="font-size: 10.0pt; mso-bidi-font-family: Arial;"> iptables rules (firewall)<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 207.0pt;" valign="top" width="276">
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="FR" style="font-family: Symbol; font-size: 10.0pt; mso-ansi-language: FR; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span lang="FR" style="font-size: 10.0pt; mso-ansi-language: FR; mso-bidi-font-family: Arial;">iptables --list > targethost/iptables--list.txt
<o:p></o:p></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 27.0pt;" valign="top" width="36">
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="FR" style="font-size: 10.0pt; mso-ansi-language: FR; mso-bidi-font-family: Arial; mso-fareast-font-family: Arial;">19.<span style="font-size: 7pt;"> </span></span><!--[endif]--><span lang="FR" style="font-size: 10.0pt; mso-ansi-language: FR; mso-bidi-font-family: Arial;"> </span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 112.5pt;" valign="top" width="150">
<div align="left" class="MsoBodyText" style="margin-left: 0in;">
<span style="font-size: 10.0pt; mso-bidi-font-family: Arial;"> system logs normally stored in /var/log<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 207.0pt;" valign="top" width="276">
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="SV" style="font-family: Symbol; font-size: 10.0pt; mso-ansi-language: SV; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span lang="SV" style="font-size: 10.0pt; mso-ansi-language: SV; mso-bidi-font-family: Arial;">./busybox-i686 tar -czvf targethost/b-var-log.tgz
/var/log<o:p></o:p></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 27.0pt;" valign="top" width="36">
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-US" style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial; mso-fareast-font-family: Arial;">20.<span style="font-size: 7pt;"> </span></span><!--[endif]--><span lang="EN-US" style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial;"> </span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 112.5pt;" valign="top" width="150">
<div align="left" class="MsoBodyText" style="margin-left: 0in;">
<span style="font-size: 10.0pt; mso-bidi-font-family: Arial;"> memory dump with LiME<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 207.0pt;" valign="top" width="276">
<div align="left" class="MsoBodyText" style="margin-left: 0in;">
<span lang="EN-US" style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial;">As LiME has to be built specifically for the target system's
Linux kernel, a few more steps are needed before the tool can be used:<o:p></o:p></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.75in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-US" style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial; mso-fareast-font-family: Arial;">a.<span style="font-size: 7pt;"> </span></span><!--[endif]--><span lang="EN-US" style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial;">Extract the LiME source file you downloaded. <o:p></o:p></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.75in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-US" style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial; mso-fareast-font-family: Arial;">b.<span style="font-size: 7pt;"> </span></span><!--[endif]--><span lang="EN-US" style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial;">Change directory into the “src” directory. Type: <b>cd src</b> <o:p></o:p></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.75in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-US" style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial; mso-fareast-font-family: Arial;">c.<span style="font-size: 7pt;"> </span></span><!--[endif]--><span lang="EN-US" style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial;">Compile the module. Type: <b>make</b><o:p></o:p></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-US" style="font-family: Symbol; font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span lang="EN-US" style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial;">If successful, a new file
starting with “lime” and ending with “.ko” will be created. Example:
lime-3.2.6.ko<o:p></o:p></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-US" style="font-family: Symbol; font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span lang="EN-US" style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial;">insmod lime*.ko "path=targethost/lime.mem
format=lime" <o:p></o:p></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0in;">
<span lang="EN-US" style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial;">The module is then loaded into the kernel and the memory dump
happens automatically. If you need to run it again, you must first remove the
module from the kernel. Type: <b>rmmod lime</b> <o:p></o:p></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0in;">
<br /></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.5in;">
<br /></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 27.0pt;" valign="top" width="36">
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-US" style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial; mso-fareast-font-family: Arial;">21.<span style="font-size: 7pt;"> </span></span><!--[endif]--><span lang="EN-US" style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial;"> </span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 112.5pt;" valign="top" width="150">
<div align="left" class="MsoBodyText" style="margin-left: 0in;">
<span lang="IT" style="font-size: 10.0pt; mso-ansi-language: IT; mso-bidi-font-family: Arial;"> /dev/mem and /dev/kmem via dd<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 207.0pt;" valign="top" width="276">
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-US" style="font-family: Symbol; font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span lang="EN-US" style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial;">dd if=/dev/mem of=targethost/dd-dev-mem.img<o:p></o:p></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-US" style="font-family: Symbol; font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span lang="EN-US" style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial;">dd if=/dev/kmem of=targethost/dd-dev-kmem.img<o:p></o:p></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0in;">
<br /></div>
</td>
</tr>
</tbody></table>
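Every row of the checklist above saves one command's output to a file under targethost/, once through the trusted busybox binary carried on the forensic kit and once through the system's own binary. As an added example (not part of the original post), the POSIX shell script below runs rows 15 to 19 the same way and keeps a SHA-256 manifest of every output file, so that the evidence can be re-hashed and checked when it is handed over or analysed later. The directory name targethost, the binary name ./busybox-i686 and the b- prefix are taken from the table; the helper names (collect, pair, manifest_add, verify_manifest), the manifest layout and the run/verify command-line switches are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: run the live-collection checklist
# (rows 15-19) with the trusted busybox binary and with the system binary,
# save each output to a file and keep a SHA-256 manifest for later verification.
# Assumptions: output directory "targethost" and binary "./busybox-i686" as in
# the table; helper names and the manifest layout are this script's own.

OUTDIR="${OUTDIR:-targethost}"          # where the table writes its files
BUSYBOX="${BUSYBOX:-./busybox-i686}"    # trusted static binary from the kit

# Print only the SHA-256 hex digest of a file, with whichever tool exists.
sha256_of() {
    { if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
      elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1"
      else openssl dgst -sha256 -r "$1"
      fi; } | cut -d' ' -f1
}

# manifest_add FILE NOTE: append "<utc time> <sha256> <file> <note>" to the
# manifest so every artefact can be re-hashed when it is handed over.
manifest_add() {
    printf '%s %s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(sha256_of "$1")" \
        "$1" "$2" >>"$OUTDIR/manifest.txt"
}

# collect LABEL CMD [ARGS...]: stdout goes to OUTDIR/LABEL.txt, stderr and the
# exit status to OUTDIR/LABEL.err; returns the command's own exit status.
collect() {
    c_label="$1"; shift
    c_out="$OUTDIR/$c_label.txt"; c_err="$OUTDIR/$c_label.err"
    if "$@" >"$c_out" 2>"$c_err"; then c_status=0; else c_status=$?; fi
    printf 'exit=%s\n' "$c_status" >>"$c_err"
    manifest_add "$c_out" "$*"
    return "$c_status"
}

# pair LABEL CMD [ARGS...]: run the same command through the trusted busybox
# (b- prefix, as in the table) and then through the system binary. A difference
# between the two output files is worth a closer look.
pair() {
    p_label="$1"; shift
    if [ -x "$BUSYBOX" ]; then collect "b-$p_label" "$BUSYBOX" "$@"; fi
    collect "$p_label" "$@"
}

run_checklist() {
    mkdir -p "$OUTDIR"
    pair df-h df -h                          # 15. drive usage
    pair fdisk-l fdisk -l                    # 15. partition tables
    pair fstab cat /etc/fstab                # 15. configured mounts
    pair mount mount                         # 15. active mounts
    pair lsmod lsmod                         # 16. loaded modules
    pair proc-modules cat /proc/modules      # 16. same view via /proc
    pair proc-meminfo cat /proc/meminfo      # 17. memory usage
    collect iptables--list iptables --list   # 18. firewall rules
    # 19. system logs: tar writes the archive itself, so only hash the result.
    if [ -x "$BUSYBOX" ]; then
        "$BUSYBOX" tar -czf "$OUTDIR/b-var-log.tgz" /var/log 2>"$OUTDIR/b-var-log.err"
        manifest_add "$OUTDIR/b-var-log.tgz" "busybox tar /var/log"
    fi
}

# verify_manifest: re-hash every listed file; returns non-zero if any changed.
verify_manifest() {
    v_rc=0
    while read -r v_ts v_hash v_file v_rest; do
        if [ "$(sha256_of "$v_file")" != "$v_hash" ]; then
            echo "MISMATCH $v_file (recorded $v_ts)"; v_rc=1
        fi
    done <"$OUTDIR/manifest.txt"
    return "$v_rc"
}

# Usage: ./collect.sh run      (acquire, as root, from the kit's shell)
#        ./collect.sh verify   (re-check the manifest before analysis)
case "${1:-}" in
    run)    run_checklist ;;
    verify) verify_manifest ;;
esac
```

The .err file next to each output keeps the command's stderr and exit status, so a row that silently failed (a missing binary, a permission error) is visible instead of leaving an empty .txt that looks like a clean result; the manifest is written as plain text for the same reason.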
<span style="color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 15px; line-height: 20px;"><br /></span></span>
Live forensic on Windows (published 2013-11-07, updated 2013-12-12)<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkp-rWbEYjtHza8OQSw5bLXCf5VbHoOM9xFgh2QK2Uofu36q0XMSyt9X7ldwS9lqUoQJbbKoUo3_9DLrpqv6P-PszVfd5WaLEXxV5Da9wALgRNHh26lM84Y2mLW-R-Ban90sEPXpjRTTM/s1600/Windows-Live-Forensic.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkp-rWbEYjtHza8OQSw5bLXCf5VbHoOM9xFgh2QK2Uofu36q0XMSyt9X7ldwS9lqUoQJbbKoUo3_9DLrpqv6P-PszVfd5WaLEXxV5Da9wALgRNHh26lM84Y2mLW-R-Ban90sEPXpjRTTM/s320/Windows-Live-Forensic.jpg" width="320" /></a></div>
<br />
In the last posts, I talked about the processes of <a href="http://www.securityisfun.net/2013/03/5-key-processes-in-enterprise-it.html">IT Forensic</a>. Those are just theories, as one might say. So today, let's get more real and technical: how does a look at what we can do to perform live forensics on Windows systems sound to you?<br />
<br />
Before we touch that, why do we need to do live forensics in the first place? For a few reasons:<br />
a) It is a production server and the Business Owner or System Admin will not let you shut down the system/server for offline forensics<br />
b) The server/system is at a location you cannot get to physically<br />
c) We are afraid of losing crucial information, e.g. malware that runs only in memory, if we were to shut down the system immediately<br />
<br />
Next, what info or data should we gather? Which tools should we use? In <a href="http://www.securityisfun.net/2013/03/5-key-processes-in-enterprise-it.html">IT Forensic</a>, we normally talk about using trusted binaries. Why is this important? Because on a hacked or malware-infected machine, it is not uncommon for the attacker/malware to install rootkits or replace some of the system's common commands/binaries in order to hide or cover their tracks. Running those binaries might not give you the real output or info. Therefore, the first step is to prepare a forensic kit (e.g. a write-protected USB stick or a CD) with your trusted binaries/tools.<br />
<br />
Back to what info or data to gather.... Below is a list of what we should gather and how, or with which tool, we can gather it (yes, I know some of them are not trusted binaries, but there are also advantages in running them. Can you see those advantages? Answers below :) ). Basically, we will need these free and great software suites:<br />
a) <a href="http://technet.microsoft.com/en-us/sysinternals/">Sysinternals Suite</a> - http://technet.microsoft.com/en-us/sysinternals/<br />
b) <a href="http://www.nirsoft.net/">Nirsoft</a> - http://www.nirsoft.net/<br />
c) <a href="http://www.mandiant.com/resources/download/redline">Redline</a> (for memory dump and analysis) - http://www.mandiant.com/resources/download/redline<br />
<br />
<table border="1" cellpadding="0" cellspacing="0" class="MsoTableGrid" style="border-collapse: collapse; border: none; margin-left: -.05in; mso-border-alt: solid windowtext .5pt; mso-border-insideh: .5pt solid windowtext; mso-border-insidev: .5pt solid windowtext; mso-padding-alt: 0in 5.4pt 0in 5.4pt; mso-table-layout-alt: fixed; mso-yfti-tbllook: 480;">
<tbody>
<tr>
<td style="border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 36.45pt;" valign="top" width="49"><div align="left" class="MsoBodyText" style="margin-left: 0in;">
<b><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;">No.<o:p></o:p></span></b></div>
</td>
<td style="border-left: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 151.95pt;" valign="top" width="203"><div align="left" class="MsoBodyText" style="margin-left: 0in;">
<b><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;">What to Acquire<o:p></o:p></span></b></div>
</td>
<td style="border-left: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 279.6pt;" valign="top" width="373"><div align="left" class="MsoBodyText" style="margin-left: 0in;">
<b><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;">Tools/Commands
to Use (Output is saved to a file)<o:p></o:p></span></b></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 36.45pt;" valign="top" width="49"><div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial; mso-fareast-font-family: Arial;">1.<span style="font-size: 7pt;">
</span></span><!--[endif]--><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;"> </span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 151.95pt;" valign="top" width="203"><div align="left" class="MsoBodyText" style="margin-left: 0in;">
<span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;">Hostname, OS
version, system info, list of software installed<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 279.6pt;" valign="top" width="373"><div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span dir="LTR"><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;">Psinfo -h -s -d > targethost\psinfo-hsd.txt<o:p></o:p></span></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 36.45pt;" valign="top" width="49"><div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial; mso-fareast-font-family: Arial;">2.<span style="font-size: 7pt;">
</span></span><!--[endif]--><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;"> </span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 151.95pt;" valign="top" width="203"><div align="left" class="MsoBodyText" style="margin-left: 0in;">
<span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;">System info<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 279.6pt;" valign="top" width="373"><div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span dir="LTR"><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;">Systeminfo > targethost\systeminfo.txt
<o:p></o:p></span></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 36.45pt;" valign="top" width="49"><div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial; mso-fareast-font-family: Arial;">3.<span style="font-size: 7pt;">
</span></span><!--[endif]--><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;"> </span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 151.95pt;" valign="top" width="203"><div align="left" class="MsoBodyText" style="margin-left: 0in;">
<span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;">Current system
date<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 279.6pt;" valign="top" width="373"><div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span dir="LTR"><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;">Date /t > targethost\date.txt<o:p></o:p></span></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 36.45pt;" valign="top" width="49"><div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial; mso-fareast-font-family: Arial;">4.<span style="font-size: 7pt;">
</span></span><!--[endif]--><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;"> </span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 151.95pt;" valign="top" width="203"><div align="left" class="MsoBodyText" style="margin-left: 0in;">
<span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;">Current system
time<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 279.6pt;" valign="top" width="373"><div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span dir="LTR"><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;">Time /t > targethost\time.txt<o:p></o:p></span></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 36.45pt;" valign="top" width="49"><div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial; mso-fareast-font-family: Arial;">5.<span style="font-size: 7pt;">
</span></span><!--[endif]--><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;"> </span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 151.95pt;" valign="top" width="203"><div align="left" class="MsoBodyText" style="margin-left: 0in;">
<span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;">Registry dump<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 279.6pt;" valign="top" width="373"><div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span dir="LTR"><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;">Regedit /E targethost\registry.txt<o:p></o:p></span></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 36.45pt;" valign="top" width="49"><div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial; mso-fareast-font-family: Arial;">6.<span style="font-size: 7pt;">
</span></span><!--[endif]--><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;"> </span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 151.95pt;" valign="top" width="203"><div align="left" class="MsoBodyText" style="margin-left: 0in;">
<span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;">Current IP
address<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 279.6pt;" valign="top" width="373"><div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span dir="LTR"><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;">Ipconfig /all > targethost\ipconfig.txt<o:p></o:p></span></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span dir="LTR"><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;">Awatch /stab targethost\awatch.txt<o:p></o:p></span></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span dir="LTR"><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;">Networkinterfacesview /scomma targethost\networkinterfacesview.csv
<o:p></o:p></span></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0in;">
<br /></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 36.45pt;" valign="top" width="49"><div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial; mso-fareast-font-family: Arial;">7.<span style="font-size: 7pt;">
</span></span><!--[endif]--><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;"> </span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 151.95pt;" valign="top" width="203"><div align="left" class="MsoBodyText" style="margin-left: 0in;">
<span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;">Current
running process list<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 279.6pt;" valign="top" width="373"><div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="DE" style="font-family: Symbol; font-size: 10.0pt; mso-ansi-language: DE; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span dir="LTR"><span lang="DE" style="font-size: 10.0pt; mso-ansi-language: DE; mso-bidi-font-family: Arial;">Pslist -t > targethost\pslist-t.txt<o:p></o:p></span></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span style="font-family: Symbol; font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span dir="LTR"><span style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial;">Pslist -x > targethost\pslist-x.txt<o:p></o:p></span></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 36.45pt;" valign="top" width="49"><div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial; mso-fareast-font-family: Arial;">8.<span style="font-size: 7pt;"> </span></span><!--[endif]--><span style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial;"> </span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 151.95pt;" valign="top" width="203"><div align="left" class="MsoBodyText" style="margin-left: 0in;">
<span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;">Current network
connections and routing table<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 279.6pt;" valign="top" width="373"><div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span dir="LTR"><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;">Netstat -anb > targethost\netstat-anb.txt<o:p></o:p></span></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="SV" style="font-family: Symbol; font-size: 10.0pt; mso-ansi-language: SV; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span dir="LTR"><span lang="SV" style="font-size: 10.0pt; mso-ansi-language: SV; mso-bidi-font-family: Arial;">Netstat -anr > targethost\netstat-anr.txt<o:p></o:p></span></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span dir="LTR"><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;">Tcpvcon -an > targethost\tcpvcon-an.txt
<o:p></o:p></span></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span dir="LTR"><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;">Cports.exe /scomma targethost\cports.csv<o:p></o:p></span></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 36.45pt;" valign="top" width="49"><div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial; mso-fareast-font-family: Arial;">9.<span style="font-size: 7pt;">
</span></span><!--[endif]--><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;"> </span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 151.95pt;" valign="top" width="203"><div align="left" class="MsoBodyText" style="margin-left: 0in;">
<span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;">List of
current logon sessions<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 279.6pt;" valign="top" width="373"><div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span dir="LTR"><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;">Psloggedon > targethost\psloggedon.txt<o:p></o:p></span></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 36.45pt;" valign="top" width="49"><div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial; mso-fareast-font-family: Arial;">10.<span style="font-size: 7pt;">
</span></span><!--[endif]--><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;"> </span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 151.95pt;" valign="top" width="203"><div align="left" class="MsoBodyText" style="margin-left: 0in;">
<span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;">List of auto
start applications<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 279.6pt;" valign="top" width="373"><div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span dir="LTR"><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;">Autorunsc -a -c > targethost\autorunsc.csv
<o:p></o:p></span></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 36.45pt;" valign="top" width="49"><div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial; mso-fareast-font-family: Arial;">11.<span style="font-size: 7pt;">
</span></span><!--[endif]--><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;"> </span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 151.95pt;" valign="top" width="203"><div align="left" class="MsoBodyText" style="margin-left: 0in;">
<span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;">Environment
variables <o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 279.6pt;" valign="top" width="373"><div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span dir="LTR"><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;">Set > targethost\set.txt<o:p></o:p></span></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 36.45pt;" valign="top" width="49"><div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial; mso-fareast-font-family: Arial;">12.<span style="font-size: 7pt;">
</span></span><!--[endif]--><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;"> </span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 151.95pt;" valign="top" width="203"><div align="left" class="MsoBodyText" style="margin-left: 0in;">
<span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;">List of
services<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 279.6pt;" valign="top" width="373"><div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span dir="LTR"><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;">Psservice > targethost\psservice.txt<o:p></o:p></span></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 36.45pt;" valign="top" width="49"><div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial; mso-fareast-font-family: Arial;">13.<span style="font-size: 7pt;">
</span></span><!--[endif]--><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;"> </span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 151.95pt;" valign="top" width="203"><div align="left" class="MsoBodyText" style="margin-left: 0in;">
<span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;">System event
log records<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 279.6pt;" valign="top" width="373"><div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span dir="LTR"><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;">Psloglist -x > targethost\psloglist-x.txt<o:p></o:p></span></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 36.45pt;" valign="top" width="49"><div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial; mso-fareast-font-family: Arial;">14.<span style="font-size: 7pt;">
</span></span><!--[endif]--><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;"> </span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 151.95pt;" valign="top" width="203"><div align="left" class="MsoBodyText" style="margin-left: 0in;">
<span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;">Last user
activity records<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 279.6pt;" valign="top" width="373"><div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span dir="LTR"><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;">Lastactivityview
/scomma targethost\lastactivityview.csv
<o:p></o:p></span></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 36.45pt;" valign="top" width="49"><div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial; mso-fareast-font-family: Arial;">15.<span style="font-size: 7pt;">
</span></span><!--[endif]--><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;"> </span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 151.95pt;" valign="top" width="203"><div align="left" class="MsoBodyText" style="margin-left: 0in;">
<span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;">Windows turn
on/off time records<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 279.6pt;" valign="top" width="373"><div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span dir="LTR"><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;">Turnontimesview
/scomma targethost\turnontimesview.csv<o:p></o:p></span></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 36.45pt;" valign="top" width="49"><div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial; mso-fareast-font-family: Arial;">16.<span style="font-size: 7pt;">
</span></span><!--[endif]--><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;"> </span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 151.95pt;" valign="top" width="203"><div align="left" class="MsoBodyText" style="margin-left: 0in;">
<span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;">Windows user
login/logoff records<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 279.6pt;" valign="top" width="373"><div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span dir="LTR"><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;">Winlogonview /scomma targethost\winlogonview.csv <o:p></o:p></span></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 36.45pt;" valign="top" width="49"><div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial; mso-fareast-font-family: Arial;">17.<span style="font-size: 7pt;">
</span></span><!--[endif]--><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;"> </span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 151.95pt;" valign="top" width="203"><div align="left" class="MsoBodyText" style="margin-left: 0in;">
<span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;">List of
installed software<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 279.6pt;" valign="top" width="373"><div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span style="font-family: Symbol; font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span dir="LTR"><span style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial;">Myuninst /stab targethost\myuninst.csv
<o:p></o:p></span></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 36.45pt;" valign="top" width="49"><div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial; mso-fareast-font-family: Arial;">18.<span style="font-size: 7pt;"> </span></span><!--[endif]--><span style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial;"> </span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 151.95pt;" valign="top" width="203"><div align="left" class="MsoBodyText" style="margin-left: 0in;">
<span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;">List of loaded
dlls<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 279.6pt;" valign="top" width="373"><div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span dir="LTR"><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;">Listdlls > targethost\listdlls.txt
<o:p></o:p></span></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 36.45pt;" valign="top" width="49"><div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="SV" style="font-size: 10.0pt; mso-ansi-language: SV; mso-bidi-font-family: Arial; mso-fareast-font-family: Arial;">19.<span style="font-size: 7pt;"> </span></span><!--[endif]--><span lang="SV" style="font-size: 10.0pt; mso-ansi-language: SV; mso-bidi-font-family: Arial;"> </span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 151.95pt;" valign="top" width="203"><div align="left" class="MsoBodyText" style="margin-left: 0in;">
<span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;">List of user
accounts<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 279.6pt;" valign="top" width="373"><div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span style="font-family: Symbol; font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span dir="LTR"><span style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial;">Net user > targethost\net-user.txt<o:p></o:p></span></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span style="font-family: Symbol; font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span dir="LTR"><span style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial;">Userprofilesview
/scomma targethost\userprofilesview.csv
<o:p></o:p></span></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 36.45pt;" valign="top" width="49"><div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial; mso-fareast-font-family: Arial;">20.<span style="font-size: 7pt;"> </span></span><!--[endif]--><span style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial;"> </span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 151.95pt;" valign="top" width="203"><div align="left" class="MsoBodyText" style="margin-left: 0in;">
<span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;">Browser
history<o:p></o:p></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span dir="LTR"><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;">IE<o:p></o:p></span></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span dir="LTR"><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;">Mozilla<o:p></o:p></span></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span dir="LTR"><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;">Chrome<o:p></o:p></span></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span dir="LTR"><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;">Opera<o:p></o:p></span></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span dir="LTR"><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;">Safari<o:p></o:p></span></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 279.6pt;" valign="top" width="373"><div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span dir="LTR"><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;">Iecacheview /stab targethost\iecacheview.csv <o:p></o:p></span></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span dir="LTR"><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;">Iehv /stab targethost\iehv.csv<o:p></o:p></span></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span dir="LTR"><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;">Mozillacacheview /scomma targethost\mozillacacheview.csv
<o:p></o:p></span></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span dir="LTR"><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;">Mozillahistoryview
/scomma targethost\mozillahistoryview.csv <o:p></o:p></span></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span dir="LTR"><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;">Mzcv /stab targethost\mzcv.csv
<o:p></o:p></span></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span dir="LTR"><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;">Chromecacheview /scomma targethost\chromecacheview.csv
<o:p></o:p></span></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span dir="LTR"><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;">Chromehistoryview /scomma targethost\chromehistoryview.csv<o:p></o:p></span></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span dir="LTR"><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;">Chromecookiesview /scomma
targethost\chromecookiesview.csv <o:p></o:p></span></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span dir="LTR"><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;">Operacacheview /scomma targethost\operacacheview.csv<o:p></o:p></span></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span dir="LTR"><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;">Safarihistoryview /scomma
targethost\safarihistoryview.csv<o:p></o:p></span></span></div>
<div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span dir="LTR"><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;">Safaricacheview /scomma targethost\safaricacheview.csv
<o:p></o:p></span></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 36.45pt;" valign="top" width="49"><div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial; mso-fareast-font-family: Arial;">21.<span style="font-size: 7pt;"> </span></span><!--[endif]--><span style="font-size: 10.0pt; mso-ansi-language: EN-US; mso-bidi-font-family: Arial;"> </span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 151.95pt;" valign="top" width="203"><div align="left" class="MsoBodyText" style="margin-left: 0in;">
<span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;">Using Redline
Comprehensive Collector tool to acquire full memory dump, page file data,
running processes, registry data etc. <o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 279.6pt;" valign="top" width="373"><div align="left" class="MsoBodyText" style="margin-left: 0.25in; text-indent: -0.25in;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;">
</span></span><!--[endif]--><span dir="LTR"><span lang="EN-GB" style="font-size: 10.0pt; mso-bidi-font-family: Arial;">Runredlineaudit.bat <o:p></o:p></span></span></div>
</td>
</tr>
</tbody></table>
<br />
Have fun!<br />
<br />
Oh wait... what are the advantages of running (carefully) "untrusted" binaries as well?<br />
By comparing the output of the trusted binaries with that of the untrusted binaries, we may get clues that the "untrusted binaries" have been modified or "rootkitted". We can then analyse the modified binary to track down other malicious binaries that might have been installed on the system as well.<br />
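The comparison described above, worked through as an added example (this is not a script from the original post or from the toolkit it lists): the listing produced by a trusted tool run from the response kit is parsed side by side with the listing produced by the host's own copy of the same tool, and any process that only one view reports is flagged. The two tasklist-style listings, the process names and the PIDs are constructed samples.<br />

```python
"""Cross-view comparison of a trusted vs. an untrusted listing.

Added example (not from the original post). The two listings below are
constructed samples standing in for e.g. 'tasklist' run from a trusted
response kit versus the copy already on the host. Entries present in
one view but absent in the other are reported for follow-up.
"""
from dataclasses import dataclass, field

# Constructed sample: output of the trusted binary (from the response kit).
TRUSTED_LISTING = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          8 K
svchost.exe                    812 Services                   0     12,004 K
explorer.exe                  1744 Console                    1     45,120 K
srvhlp.exe                    2048 Services                   0      3,212 K
"""

# Constructed sample: output of the host's own (untrusted) binary.
# srvhlp.exe (PID 2048) is missing from this view.
UNTRUSTED_LISTING = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          8 K
svchost.exe                    812 Services                   0     12,004 K
explorer.exe                  1744 Console                    1     45,120 K
"""


def parse_listing(text: str) -> dict[int, str]:
    """Return {pid: image_name} from tasklist-style text, skipping header lines."""
    procs = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Image Name", "=")):
            continue
        # The image name may contain spaces; the PID is the first all-digit
        # token that follows it.
        tokens = line.split()
        for i, tok in enumerate(tokens):
            if i > 0 and tok.isdigit():
                procs[int(tok)] = " ".join(tokens[:i])
                break
    return procs


@dataclass
class CrossViewResult:
    hidden_from_untrusted: dict[int, str] = field(default_factory=dict)
    only_in_untrusted: dict[int, str] = field(default_factory=dict)
    name_mismatch: dict[int, tuple[str, str]] = field(default_factory=dict)

    @property
    def suspicious(self) -> bool:
        return bool(self.hidden_from_untrusted or self.only_in_untrusted or self.name_mismatch)


def cross_view(trusted: dict[int, str], untrusted: dict[int, str]) -> CrossViewResult:
    """Compare two views of the same host. A process the trusted tool sees but
    the host's own tool does not is the classic sign of a tampered binary."""
    result = CrossViewResult()
    for pid, name in trusted.items():
        if pid not in untrusted:
            result.hidden_from_untrusted[pid] = name
        elif untrusted[pid] != name:
            result.name_mismatch[pid] = (name, untrusted[pid])
    for pid, name in untrusted.items():
        if pid not in trusted:
            result.only_in_untrusted[pid] = name
    return result


def analyse(trusted_text: str, untrusted_text: str) -> CrossViewResult:
    """Parse both listings and return the cross-view result."""
    return cross_view(parse_listing(trusted_text), parse_listing(untrusted_text))


if __name__ == "__main__":
    res = analyse(TRUSTED_LISTING, UNTRUSTED_LISTING)
    for pid, name in res.hidden_from_untrusted.items():
        print(f"[!] PID {pid} ({name}) visible to the trusted tool only -> examine the host binary")
    for pid, name in res.only_in_untrusted.items():
        print(f"[?] PID {pid} ({name}) reported only by the host's own binary")
    for pid, (t, u) in res.name_mismatch.items():
        print(f"[!] PID {pid} name differs: trusted={t!r} untrusted={u!r}")
    if not res.suspicious:
        print("Views agree.")
```

The same diff works for any pair of listings with a stable key (loaded DLL paths, user names, installed software), which is why the kit above collects every artefact with both kinds of binary.<br />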
<br />
<b>Enterprise IT Forensic Process - Disposal</b> (published 2013-09-09T20:49:00.000+02:00, updated 2013-09-09T20:49:18.594+02:00)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7XO84FyiXuE448tbBYA917AL_9LJvnsNCVauL_himCb-8OTG8N76XpSr6YwVD5FVSNvRXv7Wupz71pt9Ct7r5uZNafRC62DDgkWFtde9RN0Ug_ZklyJC4r6sjE-j4nKh0gtlsEA-PRQc/s1600/IT+Forensic+Disposal+Process.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7XO84FyiXuE448tbBYA917AL_9LJvnsNCVauL_himCb-8OTG8N76XpSr6YwVD5FVSNvRXv7Wupz71pt9Ct7r5uZNafRC62DDgkWFtde9RN0Ug_ZklyJC4r6sjE-j4nKh0gtlsEA-PRQc/s400/IT+Forensic+Disposal+Process.png" width="400" /></a></div>
<br />
In my previous posts, I have covered the first 4 processes of the Enterprise IT Forensic Process:<br />
<br />
1) <a href="http://www.securityisfun.net/2013/05/enterprise-it-forensic-process-approval.html">Approval</a> - Ensuring that we are allowed to do what we want to do<br />
2) <a href="http://www.securityisfun.net/2013/06/enterprise-it-forensic-process.html">Acquisition</a> - Ensuring that we collect and acquire the evidence in a forensically sound manner<br />
3) <a href="http://www.securityisfun.net/2013/07/enterprise-it-forensic-process-analysis.html">Analysis</a> - Performing the analysis and investigation, also in a forensically sound manner<br />
4) <a href="http://www.securityisfun.net/2013/08/enterprise-it-forensic-process-reporting.html">Reporting</a> - What a report should contain<br />
<br />
The Disposal process is the final piece of the puzzle.<br />
<br />
Once we have done the analysis and completed the report, the next question is what to do with the evidence (both original and acquired) that we have gathered. We cannot keep the evidence forever, for various reasons, e.g. storage limitations, legal requirements, security etc.<br />
<br />
Basically, the options are:<br />
1) Store - If there is a need to preserve the evidence e.g. legal case<br />
2) Return - Return the evidence to the owner or data custodian<br />
3) Forward - Forward the evidence to another party as agreed with the Requestor<br />
4) Dispose - Securely delete or dispose the evidence<br />
<br />
However, it is important to note that the above decision does not lie entirely with the forensic examiner or investigator. The decision shall be made together with the Requestor.<br />
<br />
There is also the possibility that the Requestor might want the original evidence to be returned and the acquired evidence to be deleted, or vice versa. Anyway, regardless of the option, the chain of custody must be maintained and updated to reflect the status.<br />
<br />
To delete/wipe evidence, for example a hard drive, simply formatting the drive is not secure enough as data can still be recovered. There are a few methods out there that you could use to securely wipe a drive:<br />
<br />
1) Hardware based - This is the fastest way. The hardware is known as a <a href="http://en.wikipedia.org/wiki/Degaussing">degausser</a>. It renders the drive useless both digitally and physically - not a good idea if you still want to use the drive for other purposes.<br />
2) Software based - This method, which is slower, rewrites the drive with zeros or random data multiple times. There are various free tools out there that can do the job, for example <a href="http://www.diskwipe.org/">diskwipe</a> and <a href="http://www.dban.org/">dban</a>.<br />
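The software-based method, shown as an added example (not the author's tool and not code from diskwipe or dban): the target is overwritten with passes of random data, then a final pass of zeros, each pass flushed to the medium, and the final pass is read back and verified so the result can be recorded in the chain of custody. It is demonstrated on a constructed temporary file standing in for a disk image; the same loop applies to a block device path opened with sufficient privileges, except that the size must then come from the device rather than from <code>stat</code>. Overwriting only works where the medium writes exactly where it is told, so on SSDs and other flash media with wear levelling it is not a reliable wipe and the drive's own secure-erase or crypto-erase command should be used instead.<br />

```python
"""Software-based wipe: overwrite with random data, then zeros, and verify.

Added example (not from the original post). Demonstrated on a temporary
file that stands in for a disk image or evidence container; the size
query via stat() is only valid for regular files (a block device needs
its size taken from the device, e.g. via BLKGETSIZE64 on Linux).
"""
import os
import tempfile
from typing import Optional

CHUNK = 1024 * 1024  # 1 MiB write granularity


def _overwrite(fd: int, size: int, pattern: Optional[bytes]) -> None:
    """Write `size` bytes of `pattern` (random bytes if None) from offset 0, then fsync."""
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining > 0:
        n = min(CHUNK, remaining)
        buf = os.urandom(n) if pattern is None else pattern * n
        while buf:                      # os.write may write fewer bytes than asked
            written = os.write(fd, buf)
            buf = buf[written:]
        remaining -= n
    os.fsync(fd)                        # force the pass onto the medium before the next one


def _verify_zeroed(fd: int, size: int) -> bool:
    """Read the whole target back and confirm every byte is zero."""
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining > 0:
        buf = os.read(fd, min(CHUNK, remaining))
        if not buf or buf.count(0) != len(buf):   # short read or a non-zero byte
            return False
        remaining -= len(buf)
    return True


def wipe(path: str, random_passes: int = 2) -> dict:
    """Overwrite `path` with `random_passes` passes of random data followed by
    one pass of zeros, then verify the final pass. Returns a record suitable
    for the chain-of-custody log."""
    size = os.stat(path).st_size        # regular files only; see module docstring
    fd = os.open(path, os.O_RDWR)
    try:
        for _ in range(random_passes):
            _overwrite(fd, size, None)
        _overwrite(fd, size, b"\x00")
        verified = _verify_zeroed(fd, size)
    finally:
        os.close(fd)
    return {"path": path, "bytes": size, "passes": random_passes + 1, "verified": verified}


def demo(size_bytes: int = 3 * CHUNK + 1234) -> dict:
    """Create a constructed sample 'evidence' file of size_bytes, wipe it and
    return the wipe record plus an independent re-read check."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(os.urandom(size_bytes))    # constructed content standing in for evidence
        path = tmp.name
    try:
        record = wipe(path)
        with open(path, "rb") as f:
            data = f.read()
        record["reread_all_zero"] = len(data) == size_bytes and data.count(0) == len(data)
        return record
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

The odd sample size (not a multiple of the chunk) exercises the final partial chunk, which is where off-by-one bugs in wipe loops usually hide.<br />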
<br />
<br />
<br />
<b>Enterprise IT Forensic Process - Reporting</b> (published 2013-08-20T19:12:00.000+02:00, updated 2013-08-20T19:12:23.802+02:00)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9BG-datptiU5ntUnhe_CnyscIWEb9d3bGv_sWVgLnCLmJLMsw1FuGkqjY145wTPaJ1oAf2wMA44zzZYw7e6Od160mBd9qEWarGdoIl1ylcDVfulrjBVLALpZ-edWOJJgGJr_CORaOrKk/s1600/IT+Forensic+Reporting+Process.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9BG-datptiU5ntUnhe_CnyscIWEb9d3bGv_sWVgLnCLmJLMsw1FuGkqjY145wTPaJ1oAf2wMA44zzZYw7e6Od160mBd9qEWarGdoIl1ylcDVfulrjBVLALpZ-edWOJJgGJr_CORaOrKk/s400/IT+Forensic+Reporting+Process.png" width="400" /></a></div>
<br />
So far, I have covered 3 of the 5 key processes of the Enterprise IT Forensic Process:<br />
<br />
1) <a href="http://www.securityisfun.net/2013/05/enterprise-it-forensic-process-approval.html">Approval</a> - Ensuring that we are allowed to do what we want to do<br />
2) <a href="http://www.securityisfun.net/2013/06/enterprise-it-forensic-process.html">Acquisition</a> - Ensuring that we collect and acquire the evidence in a forensically sound manner<br />
3) <a href="http://www.securityisfun.net/2013/07/enterprise-it-forensic-process-analysis.html">Analysis</a> - Performing the analysis and investigation, also in a forensically sound manner<br />
<br />
The next one is Reporting. Well, I agree, there is no rocket science about this one.<br />
<br />
First of all, a forensic report should be written purely based on evidence, and references to the evidence mentioned must be made clear. An examiner or investigator should not write anything based on assumptions.<br />
<br />
In general, a forensic report should contain the following:<br />
1) <b>Introduction</b> - Describe the background of the forensic investigation.<br />
2) <b>Objective</b> - Describe the objective of the investigation. What is the purpose, what you were asked to look for.<br />
3) <b>Executive Summary</b> - This section provides a quick management summary. State the main highlights or findings and the summary or conclusion.<br />
4) <b>Detailed Observations</b> - List all observations, in detail, with reference to evidence. For example:<br />
<blockquote class="tr_bq">
Based on the email (REF: Appendix 1, Item No.8) sent out by the suspect (Joe Black) to Mary Margaret on 18 Jul 2012 04:21:02 AM, it is possible that the suspect was aware that the invoice (REF: Appendix 1, Item No.10) that was given to her (Jane Doe) was a forged one.</blockquote>
5) <b>Evidence Information</b> - Detailed information of all evidence obtained and analysed.<br />
6) <b>Appendix</b> - List all referred evidence and their contents here.<br />
<br />
<b>Enterprise IT Forensic Process - Analysis</b> (published 2013-07-23T19:27:00.000+02:00, updated 2013-07-23T19:27:20.394+02:00)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzQkNVq5Kx1ISGSXth_FMIuF-78IjTqUTHvVvLhm_dhrqNjQCQ4W6HZbSJG86dMdU-De7_UzeVpeV8J_1oJhiid9wE0PCAS2FvvUcBWrz2tnsHB8RZsslx2t1HNNGUI2UH3GhWTLLBIOI/s1600/IT+Forensic+-+Analysis.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzQkNVq5Kx1ISGSXth_FMIuF-78IjTqUTHvVvLhm_dhrqNjQCQ4W6HZbSJG86dMdU-De7_UzeVpeV8J_1oJhiid9wE0PCAS2FvvUcBWrz2tnsHB8RZsslx2t1HNNGUI2UH3GhWTLLBIOI/s400/IT+Forensic+-+Analysis.png" width="400" /></a></div>
<span style="color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 15px; line-height: 20px;"><br /></span></span>
<span style="color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 15px; line-height: 20px;">In the last two months, I have talked about the first two processes - <a href="http://www.securityisfun.net/2013/05/enterprise-it-forensic-process-approval.html">Approval</a> and <a href="http://www.securityisfun.net/2013/06/enterprise-it-forensic-process.html">Acquisition</a>. Now, let us move to the next process - Analysis. </span></span><br />
<span style="color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 15px; line-height: 20px;"><br /></span></span>
<span style="color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 15px; line-height: 20px;">You may have heard of PPT - <b>People, Process and Technology</b>. While <a href="http://www.securityisfun.net/2013/05/enterprise-it-forensic-process-approval.html">Approval</a> and <a href="http://www.securityisfun.net/2013/06/enterprise-it-forensic-process.html">Acquisition</a> are more about Process and Technology, Analysis is really about <b>People</b>. No matter how good your processes or technologies are, without the "People" factor they will not yield much tangible outcome. One needs very good analytical skills and adequate experience to be a good forensic examiner. One gains experience by doing more forensics in different scenarios, solving more technical issues etc. Bottom line, it's all about experience. </span></span><br />
<span style="color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20px;"><br /></span>
<span style="color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20px;">Nevertheless, there is one absolutely crucial element of the Analysis process. Even the most experienced forensic examiner needs to have this prior to any investigation:</span><br />
<span style="color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 15px; line-height: 20px;"><br /></span></span>
<span style="color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20px;"><b>Knowing what to look for - </b>You can't find anything if you don't know what to look for. For example, one cannot just tell the police to look for a "murderer" in a big shopping complex. The police would need a more detailed description of the murderer - male or female? Hair colour? What type of clothes, etc. It is the same in IT forensics: one cannot just hand a laptop to a forensic examiner and tell him/her to look for something criminal on it. It needs to be more specific than that. For example, "look for any trace of child pornography on this laptop" is specific. </span><br />
<span style="color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20px;"><br /></span>
<span style="color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20px;">This info about "what to look for" shall be obtained prior to the Approval process; ideally it should be part of the <b>Request for Investigation</b>. </span><br />
<span style="color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20px;"><br /></span>
<span style="color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20px;">Once you know what to look for, the next steps will be:</span><br />
<span style="color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20px;"><b><br /></b></span>
<span style="color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20px;"><b>How to look for it - </b>There is no fixed procedure or formula for this. It really depends on the situation and is case by case. This is when one's experience really makes a hell of a lot of difference. However, as a start, in most cases a forensic investigator or examiner can use a forensic tool such as Encase or FTK to do a search based on relevant keywords. The search results would give more hints or clues on what or where to look deeper. In a nutshell, here are the basic steps:</span><br />
<span style="color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20px;"><br /></span>
<span style="color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20px;">1. Develop basic keywords</span><br />
<span style="color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20px;">2. Perform search based on those keywords</span><br />
<span style="color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20px;">3. Review search results</span><br />
<span style="color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20px;">4. Refine keywords or develop new keywords</span><br />
<span style="color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20px;">5. Repeat 2 - 4 until tangible results are obtained. </span><br />
<span style="color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20px;">6. Mark, note or extract the relevant evidence for reporting later. </span><br />
<span style="color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20px;"><br /></span>
<span style="color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20px;">Of course, the above approach may not always be valid or applicable. For example, if you are investigating a DoS attack, you'll need to use a completely different approach. Using Encase or FTK to review firewall, router and web server logs is not effective, and I would say it doesn't even make sense to do so. For this one, manual review of the logs with some customised filtering scripts is the best way forward. Needless to say, every investigator has his/her own favourite tools and methods.</span><br />
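As an added example of the "customised filtering script" mentioned above (this is not the author's script), the following parses web server access-log lines in Common Log Format, buckets requests per client per minute, and reports the clients whose request rate exceeds a threshold, together with the paths they hit most and how many server errors they triggered. The log lines, the addresses (from the 203.0.113.0/24 documentation range) and the threshold are all constructed for the demonstration.<br />

```python
"""Customised log filter for a DoS investigation.

Added example (not from the original post). Parses constructed web server
access-log lines (Common Log Format), buckets requests per client per
minute and reports clients whose rate exceeds a threshold, together with
the paths they hammered. Threshold and sample lines are constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log lines (not real traffic). Three clients; one of
# them is flooding /login and drawing 503s from the server.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jul/2013:10:15:01 +0200] "GET /index.html HTTP/1.1" 200 5120
203.0.113.10 - - [12/Jul/2013:10:15:33 +0200] "GET /about.html HTTP/1.1" 200 2048
203.0.113.77 - - [12/Jul/2013:10:15:02 +0200] "POST /login HTTP/1.1" 503 0
203.0.113.77 - - [12/Jul/2013:10:15:02 +0200] "POST /login HTTP/1.1" 503 0
203.0.113.77 - - [12/Jul/2013:10:15:03 +0200] "POST /login HTTP/1.1" 503 0
203.0.113.77 - - [12/Jul/2013:10:15:03 +0200] "POST /login HTTP/1.1" 503 0
203.0.113.77 - - [12/Jul/2013:10:15:04 +0200] "POST /login HTTP/1.1" 503 0
203.0.113.77 - - [12/Jul/2013:10:15:04 +0200] "POST /login HTTP/1.1" 200 300
203.0.113.77 - - [12/Jul/2013:10:15:05 +0200] "GET /search?q=a HTTP/1.1" 503 0
203.0.113.42 - - [12/Jul/2013:10:16:10 +0200] "GET /index.html HTTP/1.1" 200 5120
this line is not a log entry
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one CLF line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def rate_per_minute(text):
    """Return (requests per (ip, minute), paths per ip, 5xx per ip, skipped lines)."""
    buckets = Counter()
    paths = defaultdict(Counter)
    errors = defaultdict(Counter)
    skipped = 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1            # keep count: a flood of unparsable lines is itself a clue
            continue
        minute = rec["ts"].strftime("%Y-%m-%d %H:%M")
        buckets[(rec["ip"], minute)] += 1
        paths[rec["ip"]][rec["path"]] += 1
        if rec["status"] >= 500:
            errors[rec["ip"]][rec["status"]] += 1
    return buckets, paths, errors, skipped


def flag_flooders(text, threshold=5):
    """Return {ip: summary} for clients exceeding `threshold` requests in any one minute."""
    buckets, paths, errors, _ = rate_per_minute(text)
    flagged = {}
    for (ip, minute), n in buckets.items():
        if n <= threshold:
            continue
        entry = flagged.setdefault(ip, {"peak_minute": minute, "peak_requests": 0})
        if n > entry["peak_requests"]:
            entry["peak_minute"], entry["peak_requests"] = minute, n
        entry["top_paths"] = [p for p, _ in paths[ip].most_common(3)]
        entry["server_errors"] = sum(errors[ip].values())
    return flagged


if __name__ == "__main__":
    for ip, summary in flag_flooders(SAMPLE_LOG).items():
        print(ip, summary)
```

In a real case the threshold comes from the site's normal baseline, and the same bucketing is run over the firewall and router logs so the timelines from the three sources can be lined up.<br />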
<br />
<span style="color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20px;"><br /></span>
<span style="color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20px;"><br /></span>
<b>Enterprise IT Forensic Process - Acquisition</b> (published 2013-06-08T15:30:00.001+02:00, updated 2013-06-08T15:37:00.577+02:00)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh594MGoN0mmQDAZFjQCJFD2zrhdbc5g7pDZ3sZRRJJH7ZUTIvcsRmPvPyK3ioTn16wnmq6g-_e4lKjKnKmc8MzEsb4Q4nJGMx1CmgQ0YoLE41sq8HVPkuDBv11pGernu6xaOcINFr1dLs/s1600/IT+Forensic+Acquisition+Process.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh594MGoN0mmQDAZFjQCJFD2zrhdbc5g7pDZ3sZRRJJH7ZUTIvcsRmPvPyK3ioTn16wnmq6g-_e4lKjKnKmc8MzEsb4Q4nJGMx1CmgQ0YoLE41sq8HVPkuDBv11pGernu6xaOcINFr1dLs/s400/IT+Forensic+Acquisition+Process.png" width="400" /></a></div>
<br />
Last month, I talked about the first process in the <a href="http://www.securityisfun.net/2013/03/5-key-processes-in-enterprise-it.html">Enterprise IT Forensic Process</a>, which is the <a href="http://www.securityisfun.net/2013/05/enterprise-it-forensic-process-approval.html">Approval</a> process. Today, I shall proceed to talk about the next process - <b>Acquisition</b>.<br />
<p>
What is acquisition? In a nutshell, it means collecting the evidence. Sounds easy, right? Not really. There are many things that need to be considered, especially if there is a high chance that the investigation will lead to a legal case.<br />
</p>
You may have heard that evidence collection must be done in a forensically sound manner. I bet you recall scenes from CSI or similar shows in which criminals got away scot-free on technical grounds, for example because of a police mistake when collecting evidence. This sort of thing can happen in IT Forensics as well. Thus, it is imperative that the acquisition is done properly and (again) in a forensically sound manner.<br />
<br />
Now, what is meant by "in a forensically sound manner"? Basically:<br />
1. Ensure that the evidence intake is done legally (refer to my last piece on the "<a href="http://www.securityisfun.net/2013/05/enterprise-it-forensic-process-approval.html">Approval</a>" process).<br />
2. The evidence's chain of custody is well documented and preserved.<br />
3. Ensure that the evidence cannot be tampered with while it is being collected, transferred, analysed and stored.<br />
4. All forensic activities are well documented and traceable.<br />
<br />
I would say that a) <b>Evidence Intake</b> and b) <b>Evidence Chain of Custody</b> are the two key sub-processes within the <b>Acquisition</b> process. Furthermore, there are two principles that I always apply:<br />
1) Four Eyes Principle - ensuring that there is always a witness around<br />
2) Bag and Tag - ensuring that the evidence is properly labelled and sealed, and that its movements are recorded.<br />
<br />
<b>a) Evidence Intake:</b><br />
Basically referring to how the evidence is collected or taken into custody.<br />
<br />
Let's imagine a simple and basic scenario - a forensic investigator is tasked with collecting a laptop from the IT department (the data custodian) for forensic analysis.<br />
<br />
What does the forensic investigator need to prepare beforehand?<br />
<br />
<b>Tools:</b><br />
1. A camera, or a phone with a decent camera - it is always a good idea to photograph everything before you touch the evidence.<br />
2. Evidence Intake and Custody form:<br />
a) To record the information about the evidence to be taken<br />
b) This form also serves as an acknowledgement of transfer/receipt of the evidence. Both the investigator and the custodian shall sign it (Four Eyes Principle).<br />
3. Waterproof envelope to <b>"bag"</b> the evidence<br />
4. Sticker to <b>"tag"</b> (label) the evidence<br />
<br />
<b>General Steps:</b><br />
1. First, take photos of the evidence. Important information such as the serial number, model, brand etc. shall be clearly photographed.<br />
2. Fill in the form and record as many details as possible, e.g. the model of the laptop, serial number, HDD size, its condition etc.<br />
3. Label the evidence (Tag) with a unique ID (you should already have this ID prepared beforehand!).<br />
4. Put the evidence into the envelope and seal it (Bag).<br />
5. Label the sealed envelope (Tag).<br />
6. Sign the form and ensure that the data custodian countersigns as well (Four Eyes Principle). Once both parties have signed, custody of the evidence is with the investigator.<br />
7. The investigator can now proceed to his lab and start the forensic analysis (which shall be done in a forensically sound manner as well).<br />
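The steps above are a paper process, but the two properties they protect (a countersigned hand-over and a record that cannot be quietly rewritten) can be checked mechanically. The following is an added example, not code from the original post: a small hash-chained chain-of-custody ledger that enforces the Four Eyes rule on every entry, stores a SHA-256 fingerprint of the acquired image so it can be re-checked before analysis, and detects a later edit of an earlier record. Using SHA-256 and JSON for the records is my assumption; the evidence ID, party names and image bytes are constructed sample values.

```python
"""Tamper-evident evidence intake and chain-of-custody ledger.

Added example; it is not code from the original post. It assumes evidence
metadata is recorded as JSON, every custody event names a holder and a
separate witness (Four Eyes Principle), and events are hash-chained with
SHA-256 so that a later edit of any earlier record is detectable. The
evidence ID, party names and the disk image bytes are constructed sample
values, not real case data.
"""
import hashlib
import json
from datetime import datetime, timezone


def _digest(record: dict) -> str:
    # Canonical JSON (sorted keys, fixed separators) so the same record always hashes the same.
    data = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def image_fingerprint(image_bytes: bytes) -> str:
    """SHA-256 of an acquired image; recorded at intake and re-checked before analysis."""
    return hashlib.sha256(image_bytes).hexdigest()


class CustodyLedger:
    """Append-only custody log. Each event commits to the previous event's hash."""

    def __init__(self, evidence: dict):
        self.evidence = dict(evidence)   # the "tag": ID, model, serial, condition ...
        self.events = []

    def record(self, action: str, holder: str, witness: str, note: str = "") -> dict:
        if holder == witness:
            raise ValueError("Four Eyes: holder and witness must be different people")
        event = {
            "seq": len(self.events),
            "time": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "holder": holder,     # who has custody after this event
            "witness": witness,   # who countersigns it
            "note": note,
            # The first event links to the evidence description itself.
            "prev": self.events[-1]["hash"] if self.events else _digest(self.evidence),
        }
        event["hash"] = _digest(event)
        self.events.append(event)
        return event

    def verify(self) -> bool:
        """True only if every event matches its own hash and links to its predecessor."""
        expected_prev = _digest(self.evidence)
        for i, ev in enumerate(self.events):
            body = {k: v for k, v in ev.items() if k != "hash"}
            if ev["seq"] != i or ev["prev"] != expected_prev or _digest(body) != ev["hash"]:
                return False
            expected_prev = ev["hash"]
        return True

    def image_matches(self, image_bytes: bytes) -> bool:
        """Compare an image against the fingerprint recorded in the 'imaged' event."""
        recorded = [ev["note"] for ev in self.events if ev["action"] == "imaged"]
        return bool(recorded) and recorded[0] == "sha256=" + image_fingerprint(image_bytes)


def run_scenario() -> dict:
    """The laptop intake from the post, followed by one attempt to rewrite a record."""
    evidence = {  # constructed sample values
        "evidence_id": "EV-SAMPLE-0001", "item": "laptop", "model": "MODEL-PLACEHOLDER",
        "serial": "SN-PLACEHOLDER", "hdd_gb": 320, "condition": "powered off, casing intact",
    }
    image = b"constructed stand-in for a disk image"
    ledger = CustodyLedger(evidence)
    ledger.record("photographed", holder="it_custodian", witness="investigator", note="3 photos taken")
    ledger.record("bagged_and_tagged", holder="investigator", witness="it_custodian")
    ledger.record("transferred", holder="investigator", witness="it_custodian", note="form countersigned")
    ledger.record("imaged", holder="investigator", witness="lab_colleague",
                  note="sha256=" + image_fingerprint(image))
    intact = ledger.verify()
    image_ok = ledger.image_matches(image)
    changed_image_ok = ledger.image_matches(image + b"!")
    # Someone later rewrites who witnessed the transfer: the chain must expose it.
    ledger.events[2]["witness"] = "nobody"
    return {"intact": intact, "image_ok": image_ok,
            "changed_image_detected": not changed_image_ok,
            "edit_detected": not ledger.verify()}


if __name__ == "__main__":
    print(run_scenario())
```

The ledger is the digital counterpart of the signed form: each entry is countersigned by a second person, and because every entry's hash covers the previous entry's hash, changing a witness name or a timestamp after the fact breaks every later link, which is exactly what `verify()` reports. Re-checking the recorded image fingerprint before analysis gives the investigator evidence that nothing changed between the lab door and the workbench.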
<br />
That's it for a simple scenario. How about a more complex one? For example, the evidence intake is done by a representative at a remote location, then the evidence is shipped to the head office and handed over personally to the investigator. As you can imagine, the evidence intake and chain of custody process will be much more complex. So, stay tuned for the next piece!<br />
<br />
<b>Enterprise IT Forensic Process - Approval</b> (by Eng, published 2013-05-12)<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8vRXLunu2VSZv8iJuRczOkXpOxse3wEq88mMo4ioE5XNY5F4-8MLm3jKb9mGkNsFjn6GiIDPvDcnhx_QkTKsYjiXHAeriwEME_4z4Cp0oWwTMYKoAAD-LxsbKY6lrJw-WKLFkTBvOYvs/s1600/Enterprise+IT+Forensic+Process+-+Approval.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8vRXLunu2VSZv8iJuRczOkXpOxse3wEq88mMo4ioE5XNY5F4-8MLm3jKb9mGkNsFjn6GiIDPvDcnhx_QkTKsYjiXHAeriwEME_4z4Cp0oWwTMYKoAAD-LxsbKY6lrJw-WKLFkTBvOYvs/s400/Enterprise+IT+Forensic+Process+-+Approval.png" width="400" /></a></div>
<br />
In March 2012, I wrote a piece about the <a href="http://www.securityisfun.net/2013/03/5-key-processes-in-enterprise-it.html">key processes for IT Forensic in an Enterprise</a> environment. Let's do a bit of a recap. There are 5 key processes - Approval, Acquisition, Analysis, Reporting and Disposal.<br />
<br />
Today, I'm going to dive into more details on the first process - <b>Approval</b>.<br />
<br />
Approval is the most important process. We don't want to do something illegal, right? Therefore, this process ensures that the investigation and forensic activities are legal in every respect, i.e. compliant with both company policy and the law.<br />
<br />
Normally, the process starts when a Request for Investigation (RFI) is raised by someone within the company (referred to as the <b>Requestor</b> hereafter). Naturally, the obvious next step is for the <b>Investigator</b> to discuss the RFI in detail with the Requestor. The following questions shall be discussed and agreed upon:<br />
<b><br /></b>
<b>Who shall approve this investigation?</b><br />
As each request is normally unique, it cannot be predetermined who the approver shall be. However, typically the following persons/roles should be part of the approval list:<br />
a) A person who can confirm that the investigation is allowed from the employment contract's perspective, e.g. Head of the Human Resources Department<br />
b) A person who can confirm that the investigation is allowed from the perspective of national law, e.g. Head of the Legal Department<br />
c) A person who can confirm that data belonging to the <b>subject</b> (or suspect) is allowed to be transferred to and examined by the Investigator, e.g. Head of Data Protection<br />
d) A person who has direct disciplinary authority over the subject, e.g. the subject's direct manager<br />
e) In some countries, e.g. Germany, where the Workers Council is strong, their approval may be needed as well<br />
f) Your boss. He has to approve from a resource allocation perspective :)<br />
<br />
<b>Who shall be the driver to gather all these approvals?</b><br />
It is in the best interest of the Requestor for the investigation to be approved. Therefore, the Requestor shall be primarily responsible for gathering all the needed approvals. The Investigator could provide support as well, to a certain extent (subject to resource limitations etc.).<br />
<br />
Another reason to have the Requestor take the lead role is to avoid "misuse" of the RFI. As an investigator, I'm sure you don't want to be running around chasing approvals whenever an RFI is raised to you :) .<br />
<br />
<b>We know we will get the approval. To save time, could we start collecting evidence in parallel?</b><br />
NO. You shall not do that. Never collect or acquire evidence before you have all the green lights, no matter how strong the pressure is. Just as the police shall never search a place without a warrant.<br />
<br />
<b>Is email approval accepted?</b><br />
I would say yes, provided that the email is digitally signed with a valid user certificate from your organisation's PKI. A digitally signed email ensures non-repudiation.<br />
<b>Hack in the Box Amsterdam 2013</b> (by Eng, published 2013-04-09)<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHEtzSb3qsRSLRIR9ph-FqRCSZE7zgvp2vZzoibLZB99hNmUqo5eOHQb057MeQmtMv3V5nTE0pBzYeE1yH40h35EBWBJCIeN46soryPMBGM-qYW0pfNy4cNahhh4nvx70mNsP5DB4ItZs/s1600/HITB+Amsterdam+2013.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHEtzSb3qsRSLRIR9ph-FqRCSZE7zgvp2vZzoibLZB99hNmUqo5eOHQb057MeQmtMv3V5nTE0pBzYeE1yH40h35EBWBJCIeN46soryPMBGM-qYW0pfNy4cNahhh4nvx70mNsP5DB4ItZs/s320/HITB+Amsterdam+2013.jpg" width="320" /></a></div>
<br />
Today marks the end of the first part - Tech Training. Yesterday was pretty smooth, but today was a different story.<br />
<br />
The <a href="http://conference.hitb.org/hitbsecconf2013ams/tech-training-6-ipv6/">"TECH TRAINING 6 – RECENT ADVANCES IN IPV6 INSECURITIES"</a> guys were trying to prove their points and they did succeed, a few times in fact. As a result, the network was unstable almost the whole day and at some points not working at all. The Wifi APs suffered as well. Nevertheless, the network team did try their best to manage it.<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmtvJPoqDkxVPUl95RJAHlJCUmGqOQqrW8g8tF5mHMLbsUxU6AqfaQcOkYIHbTOZ1xo6ENnMhzR-OyEeJp7d8QdZZbcJVpy6jFq1Q0d-7IvJkVtTxrTt44IamPOIeSKpIa-N7Y1xYXq5w/s1600/HITB+AMS+2013+routers.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmtvJPoqDkxVPUl95RJAHlJCUmGqOQqrW8g8tF5mHMLbsUxU6AqfaQcOkYIHbTOZ1xo6ENnMhzR-OyEeJp7d8QdZZbcJVpy6jFq1Q0d-7IvJkVtTxrTt44IamPOIeSKpIa-N7Y1xYXq5w/s320/HITB+AMS+2013+routers.jpg" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Yes. That's the routers.</td></tr>
</tbody></table>
<br />
<br />
However, I was informed that the exploited vulnerability (a buffer overflow) is not something they can just fix on the fly (they would if they could), as it is in third-party software over which they have no control. I was also tipped that Marc (the trainer) will tell more soon.. so, stay tuned to his site - <a href="http://thc.org/">thc.org</a><br />
<br />
Tomorrow is the most important day. It is the official opening of the HITB AMS 2013 Security Conference, and the keynote speaker is the CISO of RSA, Edward Schwartz. The keynote speaker for the second day is Bob Lord, CISO of Twitter.<br />
<br />
BTW, we are still setting it up.....<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTWmvHNLwlDvnk2O9kDk6tkkLxiiK3Klz-klBIY3MvbkESiRtRNMY1Q4ypjELnNCgg9Q8YA_9OvPzuwX_0Qyw6ld5mby0RzUeiSUSRfrccCDSX2-uIZpztoJE4n8XZjMpwAsQjnppOQi0/s1600/the+gateway.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTWmvHNLwlDvnk2O9kDk6tkkLxiiK3Klz-klBIY3MvbkESiRtRNMY1Q4ypjELnNCgg9Q8YA_9OvPzuwX_0Qyw6ld5mby0RzUeiSUSRfrccCDSX2-uIZpztoJE4n8XZjMpwAsQjnppOQi0/s400/the+gateway.jpg" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Gateway to ComSec Village</td></tr>
</tbody></table>
<b>5 Key Processes in Enterprise IT Forensic</b> (by Eng, published 2013-03-09)<br />
As an Information Security Professional, I'm sure that many of us have been approached by management to perform <a href="http://en.wikipedia.org/wiki/Digital_forensics">IT/digital forensics</a>.<br />
<br />
Cases such as a manager suspecting that his employee is feeding secret company information to a competitor, a dude claiming that a colleague has child pornography material on his laptop, or HR wanting to pursue a case against an employee for breaching company policy are not uncommon to us. Most of the time, the suspect's laptop is simply dumped in our lap and we are expected to perform forensics and search for evidence asap.<br />
<br />
I mentioned in my previous <a href="http://www.securityisfun.net/2013/02/why-it-is-crucial-to-perform-it-or.html">piece</a> that IT forensics must not only be carried out in a forensically sound manner, it must also be done legally. What's at stake is not only winning the legal case but also our ass. In some countries such as Germany, and in EU countries in general, one cannot simply access another person's data without the owner's consent or proper approval. Performing forensics without proper clearance is a criminal offence that could carry hefty jail time.<br />
<br />
Enough talking. So, what are the key processes for IT or digital forensics in an enterprise? If you google it, you will find a lot of useful information here and there, but the principles are roughly the same. For me, I'll just stick to these 5 key processes:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7TpNnnXCj7CJhfR_lDn81fhcgIFWbYP7_vUdAvwXTInRdrSEBCW3db-TGOpgr7K0OVu1mhE-87YlYDNhA9ZqPnSFZBBcYAY4hdWKfHHn9pq-SVd2Jr1bui6QWhpp_OaB5-NCya7h5KPI/s1600/5+key+IT+Forensic+processes.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7TpNnnXCj7CJhfR_lDn81fhcgIFWbYP7_vUdAvwXTInRdrSEBCW3db-TGOpgr7K0OVu1mhE-87YlYDNhA9ZqPnSFZBBcYAY4hdWKfHHn9pq-SVd2Jr1bui6QWhpp_OaB5-NCya7h5KPI/s400/5+key+IT+Forensic+processes.png" width="400" /></a></div>
<br />
1) <b>Approval</b> - Before you start touching that machine, make sure that you have got all the right approvals. You may need HR, legal, Data Protection, workers council's approval etc. Think "Cover your ass" first.<br />
<br />
2) <b>Acquisition</b> - Now, you can start the acquisition of the evidence. Everything must be done in a forensically sound manner, e.g. use a write blocker. A chain of custody record must be clearly maintained.<br />
<br />
3) <b>Analysis</b> - This goes without saying. Time to analyze whatever you just acquired.<br />
<br />
4) <b>Reporting</b> - The final product of your forensic activities, and the one thing that management really wants from you: the report. Prepare not one report but two: a management report and a technical report. Remember that bosses love presentation slides.<br />
<br />
5) <b>Disposal</b> - Once the report has been finalized and everyone is happy (except the suspect, maybe), you'll need to decide what to do with the evidence. Basically you need to "dispose" of it. You can't just keep it forever under your desk, right? (Don't do this; evidence must be stored in a secure place!) Here are the options that you can discuss with the Requestor:<br />
a) Return the evidence to him/her<br />
b) Securely destroy the evidence<br />
c) Forward the evidence to another party (as requested by the Requestor)<br />
d) Keep it in secure storage (until further notice).<br />
<b>Why it is crucial to perform IT or computer forensic in a forensically sound manner?</b> (by Eng, published 2013-02-04)<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4zwWqNKzlKMycQ6tJyWajWJnfw82dcVaKG9cTeICNhcq93N7kR9mFpFz4cSAsFxu5wf7mgDrp_1DaRnpacJZZr-TwuJFmYi7cMyUvgDVlSEL-sbiHVTmmX6DV89Z-lSS1jubRENqTrK0/s1600/digital-computer-forensics.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4zwWqNKzlKMycQ6tJyWajWJnfw82dcVaKG9cTeICNhcq93N7kR9mFpFz4cSAsFxu5wf7mgDrp_1DaRnpacJZZr-TwuJFmYi7cMyUvgDVlSEL-sbiHVTmmX6DV89Z-lSS1jubRENqTrK0/s1600/digital-computer-forensics.jpg" /></a></div>
<br />
One does not need to be a CSI fan to know that before a search can be performed, law enforcement requires a warrant to enter a premises. At a crime scene, it is crucial for law enforcement to handle the evidence properly to avoid tampering or contamination. The same principles apply when it comes to IT/computer forensics. This story will show you why....<br />
<br />
<i>The story begins like this: an information security chap was invited to an emergency meeting to discuss the potential dismissal of an employee who was suspected of breaching the company's policy. The meeting was called by a senior manager who was the department head of the suspected employee.</i><br />
<br />
<b>Mr. Senior Manager: </b>Ladies and gentlemen, thank you for coming to this meeting. I'm sorry for the short notice, but let me assure you that this can no longer wait. Let me bring you up to speed. Two weeks ago, we suspected that Mr. White was involved in a fraud. Upon our investigation, we managed to find evidence that linked him to the fraud. I would like to thank our Miss System Admin here. Great job! Now we shall discuss how we can proceed to dismiss this employee as soon as possible.<br />
<br />
<b>Information Security chap:</b> Thank you for letting me know now. Before we proceed, may I ask Miss System Admin, how did you perform the investigation and how did you gather that evidence?<br />
<br />
<b>Miss System Admin: </b>I was approached by Mr. Senior Manager here a couple of weeks ago. He asked if I could connect to Mr. White's PC, access his files remotely, copy out all the files and perform an analysis. Of course I can do that. I'm the system admin, right? I have admin rights that allow me to connect to everywhere. So, I did exactly what was asked. I copied all his files and emails to my laptop, then I went through them on my laptop.<br />
<br />
<b>Information Security chap:</b> I see. And I assume that you got all the approvals to do so.....<br />
<br />
<b>Miss System Admin:</b> I think so. It was Mr. Senior Manager who asked me to do it, since he is the boss of the suspect. Therefore, there is no problem right?<br />
<br />
<b>Mr. Senior Manager:</b> Yes, I asked her to do it.<br />
<br />
<b>Information Security chap: </b><i>< * starting to worry... * ></i> Mr. Senior Manager, you did check with HR, legal, data protection etc. before you proceeded, right?<br />
<br />
<b>Mr. Senior Manager: </b>Nope. Should I? I'm his boss, I think I have the right to do so.<br />
<br />
<b>Information Security chap: </b>Hmm... now things just got very complicated. We may not be able to dismiss that employee. Not without fighting a tricky legal battle. I'm not a legal expert, but should Mr. White decide to take this to court, I'm pretty sure we would lose the lawsuit on technical grounds. Not only that, you and Miss System Admin here might be incriminated as well.<br />
<br />
<b>Mr. Senior Manager: </b>What are you saying exactly?<br />
<b>Information Security chap: </b>First mistake, which could lead to legal issues: from a data protection perspective, the local law is pretty tough. One cannot access another person's personal data without first obtaining that person's consent. In this case, it is obvious that consent was not obtained. So, both of you might have committed a legal offence. Not only that, you might have issues with the workers' council as well, as an investigation of an employee may require their approval.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZ4RXjbl0PnV_zgyneEeAlj38oLmhihJ1u8Bmaziuq5iy06-F_0cZsUu_46_o03EYXbcDuORmckpwqHpGfWEOvtHolkUrTdlKV0QtEHxwBac7KUvjfyKVdR8XwIUuymj2Zhk8Y3jbP258/s1600/write+blocker.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="229" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZ4RXjbl0PnV_zgyneEeAlj38oLmhihJ1u8Bmaziuq5iy06-F_0cZsUu_46_o03EYXbcDuORmckpwqHpGfWEOvtHolkUrTdlKV0QtEHxwBac7KUvjfyKVdR8XwIUuymj2Zhk8Y3jbP258/s320/write+blocker.JPG" width="320" /></a></div>
<br />
Second mistake: the evidence was not acquired in a forensically sound manner. For one, it was acquired without a proper method ensuring that there was no tampering during the acquisition. A <a href="http://www.forensicswiki.org/wiki/Write_Blockers">write blocker</a> was not used. In layman's terms, it is just like not wearing gloves when you autopsy a body. Any defense lawyer worth his salt will ride on this point to stop the admission of the evidence.<br />
<br />
<b>Miss System Admin: </b><i><* starting to sweat like hell *></i> Wow... WAIT. Please don't scare me. I've done nothing wrong. I just followed orders....<br />
<br />
<b>Information Security chap: </b>My advice for you now would be to engage our legal department immediately. You may be able to get away with the legal offence, but for sure the evidence you captured would not stand. You should have contacted the information security team immediately so that we could do this right from the beginning. We have people who can perform IT and digital forensics in a forensically sound manner. We also have the right tools.<br />
<br />
<b style="background-color: white; color: red; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20px;">Moral of the story?</b><br />
1. Make sure you have proper clearance before you perform digital forensics. Most importantly, seek legal approval. It is for your own protection as the investigator.<br />
2. Ensure that the acquisition process is done in a forensically sound manner. The last thing you want is for your hard work to be deemed useless and inadmissible.<br />
<div>
<br /></div>
<div>
<i style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: large; line-height: 20px;"><b><span style="color: blue;">Ain't security fun? ;) </span></b></i></div>
<b>Yahoo Mail is now fully HTTPS. This is how to turn it on.</b> (by Eng, published 2013-01-08)<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5Obb4Ariv_LqUbwBHWR52DoA0eeVx3DwrefTpTcAiTjZoBvr_z3zZ5jWfIaL47gxXxejxRVLUhhVNEmWhma9-mnPCLaSxvnyQp5rFuDuzXFRH1-ebZfS21h_WOug0RJS2TOo7PIllaY4/s1600/yahoo+mail+https.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5Obb4Ariv_LqUbwBHWR52DoA0eeVx3DwrefTpTcAiTjZoBvr_z3zZ5jWfIaL47gxXxejxRVLUhhVNEmWhma9-mnPCLaSxvnyQp5rFuDuzXFRH1-ebZfS21h_WOug0RJS2TOo7PIllaY4/s1600/yahoo+mail+https.jpg" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
Good news for loyal Yahoo Mail users like me: as of 2013 you can have a full <a href="http://en.wikipedia.org/wiki/HTTP_Secure">HTTPS</a> session when using Yahoo Mail.<br />
<br />
Some would argue that Gmail has had it<a href="http://gmailblog.blogspot.com/2008/07/making-security-easier.html"> implemented since the day it was launched</a> years ago. Anyway, it's still good news for us. Yahoo has been doing all the right things since they recruited their new CEO <a href="http://en.wikipedia.org/wiki/Marissa_Mayer">Marissa Mayer</a> from Google. In case you missed it, the recently <a href="http://ycorpblog.com/2012/12/11/introducing-the-new-yahoo-mail/">updated Yahoo Mail interface</a> is also better, faster and simpler to use.<br />
<br />
Why https? In layman's terms, to protect your email session from malicious eyes. It's the same reason you want your internet banking to be over https. Want to know more about https? Check out the <a href="http://en.wikipedia.org/wiki/HTTP_Secure">wiki</a> :)<br />
<br />
So, how do you turn on https in Yahoo Mail? It's pretty simple actually. Go to Mail Options, scroll down and tick the box. See below:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgR786Y2OmD_e8TERcBWyqllvnwiJqZ6tjFryrbeGE-G2Kpy9bWMIppI92yx46kVqgKUZWytwTR04roPzpy5SFQkmU_TLAXUCodPPfVZwUj4FdSYyjio7S6eqEB-cP-LkYVVDYZ9Mo9IZg/s1600/how+to+turn+on+https+yahoo+mail.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="302" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgR786Y2OmD_e8TERcBWyqllvnwiJqZ6tjFryrbeGE-G2Kpy9bWMIppI92yx46kVqgKUZWytwTR04roPzpy5SFQkmU_TLAXUCodPPfVZwUj4FdSYyjio7S6eqEB-cP-LkYVVDYZ9Mo9IZg/s400/how+to+turn+on+https+yahoo+mail.png" width="400" /></a></div>
<b>Counter CyberCrime - Do not challenge the hackers</b> (by Eng, published 2012-12-07)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsqQH2WeUkHtQVsLJ0PeOr3DWe1BGICy5J3bQE_RNROsQ1xjqoKZNngW7fbIVDARR4FyeOF7ACAuDywzHjPesNtcNB5nn5dlMisphmXFpJABBaOzS9_B8NNjA1GrTOCZwVZbLlS1r6SMk/s1600/counter-cybercrime-do-not-challenge-hacker.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="213" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsqQH2WeUkHtQVsLJ0PeOr3DWe1BGICy5J3bQE_RNROsQ1xjqoKZNngW7fbIVDARR4FyeOF7ACAuDywzHjPesNtcNB5nn5dlMisphmXFpJABBaOzS9_B8NNjA1GrTOCZwVZbLlS1r6SMk/s320/counter-cybercrime-do-not-challenge-hacker.jpg" width="320" /></a></div>
<br />
I'm pretty sure many organisations have faced cyber-attacks before. Some might think of taking "revenge" on the attacker. It could be a good idea, but it could also be a totally bad idea, depending on how you do it.<br />
<br />
This is a story about why it's a bad idea, if you do it this way......<br />
<br />
<i>A few months ago, at XYZ company</i>.....<br />
<br />
<b>Business Owner guy: </b>How come my users can't access this application at all? I have got emails, phone calls from everywhere, complaining!<br />
<br />
<b>IT Supplier chap: </b>Mr. Business Owner sir, our Network Operation Center (NOC) just confirmed that the application is currently under <a href="http://en.wikipedia.org/wiki/Denial-of-service_attack">DDoS</a> attack. Our ISP and NOC are trying their best to mitigate the attack.<br />
<br />
<b>Business Owner guy: </b>What? How dare they attack us. Do we have any information who is doing this to us? Can we track them?<br />
<br />
<b>Information Security lad: </b>Not easy to trace. Most certainly, the machines or IP addresses that we have seen attacking us are zombies or compromised machines that are part of a <a href="http://en.wikipedia.org/wiki/Botnet">botnet</a>. I'm afraid the real attacker is a few more layers behind those compromised machines.<br />
<br />
<b>IT Supplier chap: </b>We do have a solution to mitigate this attack. There is this Company P that provides protection against DDoS. It would cost us 10K EUR to use their service. From what we are seeing now, the attacks are not going to stop anytime soon and will only get worse. Hence, it is just a matter of time before our whole network is completely brought down. We should engage this DDoS protection service immediately.<br />
<br />
<b>Business Owner guy: </b>Ok. Let's do it. You have my approval to proceed. <br />
<i><br /></i>
<i>2 hours later. After the solution has been implemented....</i><br />
<br />
<b>IT Supplier chap: </b>Good news folks. The attacks have subsided. It was the right call to engage that company.<br />
<br />
<b>Business Owner guy: </b>Great! But I'm still not very happy. I want whoever is behind this attack punished. I want them to know that they are messing with the wrong guy. I have contacted my friend in law enforcement and opened an official case. Not only that, I will call a press conference to tell whoever is behind this that we are coming after them and that they are messing with the wrong people.<br />
<br />
<b>Information Security lad: </b>Mr. Business Owner. Hold on a second there, sir. I agree with opening an official case with law enforcement. But the press conference is a bad idea. The last thing we want is for the attacker to think that we are challenging them. I'm afraid it will have the reverse effect. A bad one. We don't want to be seen as provoking them.<br />
<br />
<b>Business Owner guy: </b>Let them come. I'm not afraid, we are now protected by Company P. So, we would be safe even if they launch another attack.<br />
<br />
<b>Information Security lad: </b>Still a bad idea, sir! We shouldn't throw down a challenge nor invite attacks. I have been in the information security field long enough to know that challenging the hackers is a very bad, bad, bad idea!<br />
<br />
<b>Business Owner guy:</b> <i><* cowards! *></i> I have made up my mind. I have instructed my PR Manager to send the press release to <i>The Storybrooke Post.</i><br />
<i><br /></i>
<i>3 days later.....</i><br />
<i><br /></i>
<b>IT Supplier chap: </b>Mr. Business Owner, we are under DDoS attack again....<br />
<br />
<b>Business Owner guy: </b>We have nothing to be afraid of, right? We have got Company P watching our back.<br />
<br />
<b>IT Supplier chap:</b> Yes and no, sir. Company P only protects one of the sites. The current attacks are targeting another 10 of our websites. Our whole network is paralyzed now. Nothing can come in, nothing can go out....<br />
<b><br /></b>
<b>Business Owner guy: </b><i><* start panicking *> </i>What are you waiting for? Get Company P to protect all these 10 websites as well!<br />
<br />
<b>IT Supplier chap: </b>We could do that sir.... but it would cost us 200K EUR for the new 10 websites.<br />
<br />
<b>Business Owner guy:</b> What??? Last time they only charged us 10K per site. How come it's double the amount now?<br />
<br />
<b>IT Supplier chap: </b>Well, according to them, the DDoS traffic is much bigger this time. They have to pull in more resources and hardware to cope with it. Hence, it costs more... but I think they are just taking advantage of our situation to blackmail us. They know we don't really have a choice. Do we, sir?<br />
<br />
<b>Information Security lad: </b><i>< * I told you so, don't go and provoke the hackers! *> </i>Mr. Business Owner, I don't think you have another choice here. Our customers would not tolerate any more downtime....<br />
<br />
<b>Business Owner guy: </b>.......... Ok. Go ahead and do it. Charge it to my cost center.... <i><* damn, there go all my cost savings and my bonus *></i><br />
<i><br /></i>
<b><span style="color: red;">Moral of the story?</span></b><br />
1. Engaging law enforcement to fight cybercrime is a good idea and the right move, but making a big brouhaha out of it is a bad idea. Do not ever provoke or challenge the hackers. There are too many out there ready to accept any challenge.<br />
<div>
<br /></div>
<div>
<i style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20px;"><b><span style="color: blue;">Ain't security fun? ;)</span></b></i></div>
<div>
<i style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20px;"><b><span style="color: blue;"><br /></span></b></i></div>
<span style="font-size: x-small;">Acknowledgement: Picture taken from: http://www.flickr.com/photos/alancleaver/4121423119/sizes/m/</span>
<br />
<b>Counter Cybercrime - Turn insiders (employees) into assets</b> (2012-11-20)<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8bau5ePOaTOYxkSgMLMf5l90SCtivX_gNEFdQviBw_tyV2oi6rT5RqWb3l03eN2Nul3slRQxr-PMpbaepDLEz52IUNexSKJuSqpAQ3PYtZIXudlGyomm3axQATmvahI0KQdYa2qgGPD8/s1600/awareness-education.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Security Awareness and Education" border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8bau5ePOaTOYxkSgMLMf5l90SCtivX_gNEFdQviBw_tyV2oi6rT5RqWb3l03eN2Nul3slRQxr-PMpbaepDLEz52IUNexSKJuSqpAQ3PYtZIXudlGyomm3axQATmvahI0KQdYa2qgGPD8/s320/awareness-education.jpg" title="Security Awareness and Education" width="320" /></a></div><p>
Darkreading has a very good article today - <a href="http://www.darkreading.com/insider-threat/167801100/security/security-management/240142363/four-ways-to-turn-insiders-into-assets.html">Four Ways to Turn Insiders into Assets</a><br />
<br />
In general, I like the idea as I'm a believer of putting more effort on <a href="http://www.securityisfun.net/search/label/Awareness">security awareness and education</a>.<br />
<br />
Robert Lemos, the author of the article, has listed 4 ways:<br />
(NOTE: Text in italics is excerpted from the original article. Comments are added by me.) <br />
<br />
<i>1. Focus on changing user behavior</i><br />
<i>When it comes to training users, about 70 to 80 percent of companies are driven by compliance requirements and just want to get the box checked for training their employees, says Aaron Cohen, a managing partner at MAD Security, a security training firm.</i><br />
<br />
<b>Securityisfun:</b> This is so true. I have seen this quite a lot. Most companies do it because the law or an audit result said so. Ask yourself a question: why do you send your kids to school? Is it because the government or the law requires it? No, we send our children to school because we want them to become educated people and to learn how to behave correctly from a young age. So, we all understand that education or awareness is the key. It shouldn't be any different when it comes to information security. We have to educate all the employees. <br />
<br />
<i>2. Test and retest</i><br />
<i>Videos may work for some employees, but testing their reaction to an
actual test can give a company an idea of what might happen, while
giving the worker valuable experience in what to expect in the future.
Security training company PhishMe, for example, allows companies to send
their employee phishing e-mails. Anyone who clicks on the e-mail link
will be brought to a special site to educate them. </i><br />
<br />
<b>Securityisfun:</b> I find the idea of using "PhishMe" brilliant and I believe it is an effective way. I did a <a href="http://www.securityisfun.net/2012/04/fun-with-lock-screen-policy.html">similar test </a>with the <a href="http://www.securityisfun.net/2012/04/fun-with-lock-screen-policy.html">"screen lock policy" </a>and I can vouch that the result was indeed excellent. Sometimes, people need to learn from "mistakes" :)<br />
<br />
<i>3. Teach the individual</i><br />
<i>Yet, periodic testing and video training are not the only ways to solve
the training problem, says Cohen. The training should be tailored to the
company and the individuals who work there. </i><br />
<br />
<b>Securityisfun:</b> Yes. There is no single silver bullet for all. Awareness training has to be tailored to the target individuals or groups. Threat scenarios for a System Admin are not the same as those for a Finance Admin.<br />
<br />
<i>4. Even a failure can be a success</i><br />
<i>If an attacker fools an employee into clicking on a malicious link,
submitting their credentials to a phishing site, or holding a door to
allow them in the building, a properly trained employee can still act on
their suspicions and correctly respond to the threat. An employee that
reports any misgivings about an event can help a company respond in
minutes or hours, before any damage has happened. </i><br />
<br />
<b>Securityisfun:</b> Good point. If an employee realises that he/she has been phished and immediately reports the incident, countermeasures can be taken right away to minimize the damage. Employers should praise such employees for reporting the incident instead of blaming or punishing them.<br />
<br /></p>
<i><b><span style="color: blue;">Ain't security fun? ;)</span></b></i><br />
<br />
<span style="font-size: x-small;">Acknowledgement - http://www.flickr.com/photos/bsabarnowl/7045688417/sizes/m/</span>
<br />
<b>Have a fun information security story to share?</b> (2012-11-20)<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisMwbQzbFMKiNq5S0EboDo_qOqh_qWiMBXae5WUcLuMlsWWFMALtfW__UoYwQSlcr4ljhcP61wyZrIzK-UttXj9KKaPBZ0WFgivAC7aFz0O36c1OFsC4eJH-z7vo0R0qOiprMsVarrcBo/s1600/security-stories.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisMwbQzbFMKiNq5S0EboDo_qOqh_qWiMBXae5WUcLuMlsWWFMALtfW__UoYwQSlcr4ljhcP61wyZrIzK-UttXj9KKaPBZ0WFgivAC7aFz0O36c1OFsC4eJH-z7vo0R0qOiprMsVarrcBo/s320/security-stories.jpg" width="222" /></a></div>
<br />
Information Security folks,<br />
<br />
I'm sure you have some fun stories to tell as well. Why don't you share them? If you like, I can put them on my blog as well. Of course, all credit goes to you :) <br />
<br />
Think about it ;). Just drop me a message on my Google+ or Facebook page.
<br />
<b>How secure your SMS token/mTAN/TAC code is really up to you</b> (2012-11-14)<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQQ558LBajAN1Cf0lbShB6iFBSGDDnWEVYnj6B3kjZjXxZbaQ3EVwqRwJx18Urnyy49yqLU1UhGL7toFfWsWCIPm1Nj_YKRqSDxed4RmeAJSk6AJDXn73volMfQp6ROHvJazkFpbdPeBU/s1600/android+trojan+sms.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="239" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQQ558LBajAN1Cf0lbShB6iFBSGDDnWEVYnj6B3kjZjXxZbaQ3EVwqRwJx18Urnyy49yqLU1UhGL7toFfWsWCIPm1Nj_YKRqSDxed4RmeAJSk6AJDXn73volMfQp6ROHvJazkFpbdPeBU/s320/android+trojan+sms.jpg" width="320" /></a></div>
<p>
Users will always click on a URL sent to them, right? I bet every information security pro out there has heard or said this before.<br />
<br />
Here is a news report that some people in Germany had their bank accounts wiped out after a Trojan "intercepted/diverted" their mTAN (SMS-based one-time password).<br />
<br />
Excerpt from the news by <a href="http://www.thelocal.de/sci-tech/20121114-46169.html">Thelocal.de</a>: <br />
<br />
<i><span style="font-size: small;">Berlin state police warned on Tuesday that "bank customers using the
SMS-TAN/mTAN process have become victim of fraudulent money
withdrawals." Several people have reportedly had their bank accounts
emptied in the past few weeks, the police said in a statement.<br /><br />
"In all cases, the SMS containing the mTAN for the online banking system
was caught or diverted," the statement said. "Up until now, those
affected have been customers using a Smartphone with an Android
operating system."</span>
<span style="font-size: small;"><br /></span></i><br />
<i><span style="font-size: small;">
The criminals reportedly use a Trojan virus to get their victims' bank
details from their desktop computer. Then a fake notification appears on
their browser saying they should protect their smartphone with a
security update, which requires them to give the phone's number and
model.</span>
<span style="font-size: small;"><br /><br />
An SMS is then sent to the phone containing a link to the supposed
security update - but the software they then download is highly
dangerous. "From then on, all instant messages containing an mTAN are
diverted to another mobile phone, belonging to the criminal," the
statement said.</span>
<span style="font-size: small;"><br /><br />
These mTAN numbers, along with the account and PIN numbers gleaned
before, can now be used to withdraw money. The transactions cannot be
reversed. In several cases, the fraudsters not only emptied the
accounts, but also used up overdraft limits, the police said.</span>
<span style="font-size: small;"><br /><br />
Police are now warning people not to download security updates onto
their phones apparently sent by their banks. Emails apparently sent from
banks asking for security details should also be regarded suspiciously,
the police said.</span></i><br />
</p>
<span style="color: red;"><b>Moral of the story?</b></span><br />
1. Never enter any personal details (phone number, etc.) when you are not sure what they will be used for. <br />
2. Ignore warnings or ads that suddenly pop up in your browser. Use Adblock or Adblock Plus :)<br />
3. On top of that, do not simply click on any link you see, no matter how cute or attractive the picture is.<br />
4. Also, install an anti-virus on your mobile phone. I found Avast Mobile quite useful :)<br />
5. Patch, patch, patch your system.<br />
<br />
<i><b><span style="color: blue;">Ain't security fun? ;)</span></b></i><br />
<br />
<span style="font-size: xx-small;">Acknowledgement - picture taken from http://www.flickr.com/photos/86979666@N00/8161660138/sizes/m/</span>