Showing posts with label Debugging. Show all posts

Wednesday, June 25, 2008

D-Light DTrace script for Sun Studio 12 in Solaris

Here's a pretty cool tool for developers, similar to the DTrace GUI in Xcode on OS X 10.5 Leopard (Instruments):

It's part of Sun Studio 12.




It's still in development, but it can be pretty useful.

Saturday, February 09, 2008

Windows Performance Tracing Toolkit

The Windows Performance Tools Kit v4.1.1 helps diagnose application start-time issues, boot issues, deferred procedure call and interrupt activity (DPCs and ISRs), interrupt storms, application resource usage and system responsiveness issues.

The toolkit includes xperf (the trace capture tool), xperfview (the visualization tool, also called Performance Analyzer) and xbootmgr (the boot trace capture tool).

It works great alongside the Sysinternals tools (Process Explorer and Process Monitor), krview for kernel tracing and profiling, and Performance Monitor (perfmon.msc).


Here's a VERY simple trace: xperf -on DiagEasy to start tracing with the DiagEasy provider group, xperf -d trace.etl to stop tracing and write the trace file, and xperf trace.etl to open it in the viewer. There are hundreds of knobs you can turn. You can use it for everything from getting VERY detailed system information (xperf -i trace.etl -a sysconfig) to advanced disk I/O information or pinpointing registry access bottlenecks.

Wednesday, January 09, 2008

Why I don't trust software that puts 3rd party drivers in my system

Here's something fun I found on somebody's computer... it kept crashing. I wonder why :-). Let's check what WinDbg's !analyze -v has to say about the minidumps:

DEFAULT_BUCKET_ID: DRIVER_FAULT

Probably caused by : SYMTDI.SYS ( SYMTDI+ab3f )


STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
a74c1aec a73b874e ebe44589 863d4220 00000e20 0xd04d8dda
a74c1b1c a73b855d 86cd0034 a74c1b58 863d4220 SYMTDI+0x1174e
a74c1b60 a996bfbf 885f7700 863d4220 00000e20 SYMTDI+0x1155d
a74c1b64 885f7700 863d4220 00000e20 00000000 vsdatant+0x40fbf
a74c1b68 863d4220 00000e20 00000000 00000034 0x885f7700
a74c1b6c 00000000 00000000 00000034 a74c1b9c 0x863d4220


OK, here' s another one:

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
8a3e1a30 a7899aef 88c908b8 88bbef00 00000000 SYMTDI+0xab3f
8a3e1a50 a789c490 88c90404 88bbef00 00000000 SYMTDI+0xaaef
8a3e1a68 a78a99ab 88bbef00 00000000 8a3e1aac SYMTDI+0xd490
8a3e1a94 a78aadb3 89826688 8275b620 89826688 SYMTDI+0x1a9ab
8a3e1aa8 804ef095 89826688 8275b620 837bfb58 SYMTDI+0x1bdb3
8a3e1b10 a9ebc5e5 89429488 0103fd04 a9ebc5e5 nt!MiCheckControlArea+0x103
8a3e1c5c 8057f1fd 869af238 00000001 0103fc48 afd!AfdFastIoDeviceControl+0x415
8a3e1d00 805780c2 00000340 000002d4 00000000 nt!KeInitThread+0x101
8a3e1d34 8054086c 00000340 000002d4 00000000 nt!RtlCreateAcl+0x1d
8a3e1d64 7c90eb94 badb0d00 0103fc14 baccfd98 nt!RtlIpv4StringToAddressExA+0x149
8a3e1d78 00000000 00000000 00000000 00000000 0x7c90eb94

3: kd> lm kv
a788f000 a78b9dc0 SYMTDI T (no symbols)
Loaded symbol image file: SYMTDI.SYS
Image path: SYMTDI.SYS
Image name: SYMTDI.SYS
Timestamp: Sat Aug 24 23:54:56 2002 (3D6800B0)
CheckSum: 00038527
ImageSize: 0002ADC0
Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0
No point bothering with Driver Verifier at this point; this is clearly caused by Norton Internet Security (SYMTDI.SYS is its TDI network filter driver, and note the August 2002 timestamp in the lm kv output above: an ancient driver for a system crashing in 2008). The first few Google hits confirm it:

Random BSOD's and reboots. - TechSpot Troubleshooting - Probably it is caused by SYMTDI.sys (Norton Internet Security Filter) or faulty memory

MSFN Forums > Server 2003 Blue Screen with SYMTDI.sys

Friday, December 21, 2007

A brief look at ClamAV security - Open Source Antivirus

A brief overview of ClamAV security and performance, comparing open source antivirus products with commercial products.

I've been looking into signature based open source security products lately, namely Antivirus software (for SMTP E-Mail gateways or File Servers or anything that would be used as a distribution point for example as well as for Desktop systems).

I've had a pretty good look at ClamAV and other ClamAV based products (ClamWin or Spyware Terminator which include the ClamAV Engine) and found them rather weak, both from a security point of view (vulnerabilities) and in terms of detection rates, as well as performance (speed) and usability (interface, features, etc).

Clam AntiVirus (ClamAV) is an open source (GPL) anti-virus toolkit for UNIX (also ported to Windows, and used by GUI products such as ClamWin) designed especially for e-mail scanning on mail gateways. It provides a number of utilities including a flexible and scalable multi-threaded daemon, a command line scanner and an advanced tool for automatic database updates. The core of the package is an anti-virus engine available in the form of a shared library.


I. Security track record - a look at common vulnerabilities

So let's take a look at ClamAV's security track record. A simple look at the Secunia vulnerability summary reveals a stunning 25 security advisories (1 unpatched), 31% of which lead to system access and 91% of which are exploitable from remote; 40% are rated "Highly Critical". I realize that some of these are in 3rd-party plugins, compression tools and such, but when an attacker only has to send a specially crafted archive via e-mail (or any other means) to trigger a buffer overflow and gain system access when ClamAV scans it, that's when you need to look at other products. There are ways to mitigate this (permissions, limited users, chroots, jails and such), but still...




So let's compare that with another security product, Avira AntiVir, a multi-platform antivirus product (which also has a free version for non-commercial use). We can see only 2 security vulnerabilities reported, both local privilege escalations (and Windows only, too).



The vulnerabilities range from denial of service ("A NULL-pointer dereference error exists within the "cli_scanrtf()" function in libclamav/rtf.c. This can potentially be exploited to crash ClamAV via a specially crafted RTF file.") to buffer overflow and system access ("An integer overflow error in rebuildpe.c when rebuilding PE files after unpacking can be exploited to cause a heap-based buffer overflow via a specially crafted executable. Successful exploitation of this vulnerability may allow execution of arbitrary code.").


II. Vulnerability assessment tools - Static Code Analysis


What about a source code audit of ClamAV? Well, I don't really have the time for that, but I did run it through Flawfinder, RATS and other static code analysis tools, looking for simple lexical "bad practices": functions (string functions, for example) that may overflow buffers, and so on.

So I downloaded the source code for the latest stable release, ClamAV 0.91.2, and stumbled across a ton of bad programming practices. Most of the time they mean nothing (they aren't actual vulnerabilities, and usually aren't even exploitable), but these constructs are where most errors occur and, as such, should be avoided. We basically have hundreds of such occurrences (537 marked High and 83 marked Medium by RATS), so I'm just going to paste a few interesting examples here:

..\clamav-0.91.2/clamav-milter/clamav-milter.c:266: High: fixed size local buffer
Extra care should be taken to ensure that character arrays that are allocated on the stack are used safely. They are prime targets for buffer overflow attacks.

..\clamav-0.91.2/clamav-milter/clamav-milter.c:859: High: getopt_long
Truncate all input strings to a reasonable length before passing them to this function

..\clamav-0.91.2/shared/getopt.c:961: High: fprintf
Check to be sure that the non-constant format string passed as argument 2 to this function call does not come from an untrusted source that could have added formatting characters that the code is not prepared to handle.

..\clamav-0.91.2/sigtool/vba.c:1127: High: sprintf
Check to be sure that the format string passed as argument 2 to this function call does not come from an untrusted source that could have added formatting characters that the code is not prepared to handle. Additionally, the format string could contain `%s' without precision that could result in a buffer overflow.

..\clamav-0.91.2/clamav-milter/clamav-milter.c:1205: High: popen
Argument 1 to this function call should be checked to ensure that it does not come from an untrusted source without first verifying that it contains nothing dangerous.

..\clamav-0.91.2/clamav-milter/clamav-milter.c:1404: High: getenv
Environment variables are highly untrustable input. They may be of any length, and contain any data. Do not make any assumptions regarding content or length. If at all possible avoid using them, and if it is necessary, sanitize them and truncate them to a reasonable length.

..\clamav-0.91.2/shared/output.c:159: High: umask
umask() can easily be used to create files with unsafe priviledges. It should be set to restrictive values.

..\clamav-0.91.2/clamav-milter/clamav-milter.c:1585: High: gethostbyname
DNS results can easily be forged by an attacker (or arbitrarily set to large values, etc), and should not be trusted.

..\clamav-0.91.2/clamav-milter/clamav-milter.c:1703: High: strcpy
Check to be sure that argument 2 passed to this function call will not copy more data than can be handled, resulting in a buffer overflow.


..\clamav-0.91.2/shared/misc.c:132: High: printf
Check to be sure that the non-constant format string passed as argument 1 to this function call does not come from an untrusted source that could have added formatting characters that the code is not prepared to handle.

..\clamav-0.91.2/shared/output.c:235: High: syslog
Truncate all input strings to a reasonable length before passing them to this function

..\clamav-0.91.2/freshclam/manager.c:1307: High: system
Argument 1 to this function call should be checked to ensure that it does not come from an untrusted source without first verifying that it contains nothing dangerous.

..\clamav-0.91.2/sigtool/sigtool.c:815: High: strcat
Check to be sure that argument 2 passed to this function call will not copy more data than can be handled, resulting in a buffer overflow.

..\clamav-0.91.2/libclamav/hashtab.c:408: High: sscanf
Check to be sure that the format string passed as argument 2 to this function call does not come from an untrusted source that could have added formatting characters that the code is not prepared to handle. Additionally, the format string could contain `%s' without precision that could result in a buffer overflow.

..\clamav-0.91.2/shared/options.c:194: High: strncat
Consider using strlcat() instead.

..\clamav-0.91.2/shared/options.c:194: High: strncat
Check to be sure that argument 1 passed to this function call will not copy more data than can be handled, resulting in a buffer overflow.

..\clamav-0.91.2/shared/getopt.c:983: High: getopt
Truncate all input strings to a reasonable length before passing them to this function

..\clamav-0.91.2/shared/output.c:212: High: vfprintf
Check to be sure that the non-constant format string passed as argument 2 to this function call does not come from an untrusted source that could have added formatting characters that the code is not prepared to handle.

..\clamav-0.91.2/sigtool/sigtool.c:609: High: scanf
Check to be sure that the format string passed as argument 2 to this function call does not come from an untrusted source that could have added formatting characters that the code is not prepared to handle. Additionally, the format string could contain `%s' without precision that could result in a buffer overflow.

..\clamav-0.91.2/test/pe/debugpe.c:165: Medium: signal
When setting signal handlers, do not use the same function to handle multiple signals. There exists the possibility a race condition will result if 2 or more different signals are sent to the process at nearly the same time. Also, when writing signal handlers, it is best to do as little as possible in them. The best strategy is to use the signal handler to set a flag, that another part of the program tests and performs the appropriate action(s) when it is set.
See also: http://razor.bindview.com/publish/papers/signals.txt

..\clamav-0.91.2/libclamav/mbox.c:4659: Medium: getc
Check buffer boundaries if calling this function in a loop and make sure you are not in danger of writing past the allocated space.

..\clamav-0.91.2/sigtool/sigtool.c:172: Medium: read
Check buffer boundaries if calling this function in a loop and make sure you are not in danger of writing past the allocated space.

..\clamav-0.91.2/clamav-milter/clamav-milter.c:4260: Medium: stat
A potential TOCTOU (Time Of Check, Time Of Use) vulnerability exists. This is the first line where a check has occured. The following line(s) contain uses that may match up with this check: 4269 (open)

..\clamav-0.91.2/sigtool/vba.c:1063: Medium: realloc
Don't use on memory intended to be secure, because the old structure will not be zeroed out.

..\clamav-0.91.2/libclamav/lockdb.c:246: Medium: SetSecurityDescriptorDacl
If the third argument, pDacl, is NULL there is no protection from attack. As an example, an attacker could set a Deny All to Everyone ACE on such an object.

..\clamav-0.91.2/libclamav/msexpand.c:130: Medium: fgetc
Check buffer boundaries if calling this function in a loop and make sure you are not in danger of writing past the allocated space.

..\clamav-0.91.2/libclamav/others.c:433: Medium: srand
Standard random number generators should not be used to generate randomness used for security reasons. For security sensitive randomness a crytographic randomness generator that provides sufficient entropy should be used.

..\clamav-0.91.2/libclamav/others.c:697: Medium: lstat
A potential TOCTOU (Time Of Check, Time Of Use) vulnerability exists. This is the first line where a check has occured. The following line(s) contain uses that may match up with this check: 699 (rmdir), 715 (unlink)

..\clamav-0.91.2/contrib/Windows/Projects/clamAV/libclamav/regex.c:70: Medium: realloc
Don't use on memory intended to be secure, because the old structure will not be zeroed out.


Keep in mind that ClamAV also relies on 3rd-party libraries and tools, and its security also depends on those. Again, I remind you that these aren't actual vulnerabilities, just bad practices that MAY lead to such vulnerabilities. You would need to look at the code and employ various testing tools to find out whether any of them actually is one.

The authors of ClamAV should really address these the way the OpenBSD developers do, even if it is something as simple as replacing strncat() with strlcat(), which is designed to be safer, more consistent and less error-prone (strlcat() isn't in glibc though, so portability would require a compatibility implementation; it's not quite as simple as that).
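As an added illustration of what these tools actually do (example code written for this page, not ClamAV's code and not RATS or Flawfinder output), here is a toy lexical scanner in Python. It matches a handful of risky C calls by name plus two argument shapes that the RATS messages above hint at: strncat() bounded by sizeof(dst) rather than by the space remaining, and a literal sprintf() format with an unbounded %s. The C sample it scans is constructed for the example and the function and rule names are mine.

```python
"""Toy lexical 'bad practice' scanner in the spirit of RATS/Flawfinder.

Added example for this page; it is neither ClamAV's code nor RATS output.
Like those tools it matches risky C calls by name plus a few argument
shapes, and, like them, a hit means 'look here', not 'exploitable'.
"""
import re

# Constructed C sample (hypothetical, not from ClamAV); each flagged line
# mirrors one warning class from the RATS run above.
SAMPLE_C = r'''
#include <stdio.h>
#include <string.h>
void f(const char *in, const char *fmt) {
    char buf[64];
    strcpy(buf, in);                        /* unbounded copy */
    strncat(buf, in, sizeof(buf));          /* bound is dst size, not the space left */
    sprintf(buf, "%s", in);                 /* %s without precision */
    printf(fmt);                            /* non-constant format string */
    printf("%s\n", buf);                    /* literal format: not flagged */
    strncat(buf, in, sizeof(buf) - strlen(buf) - 1); /* correct bound: not flagged */
}
'''

# Which argument (0-based) carries the format string for each *printf-style call.
FORMAT_ARG = {"printf": 0, "sprintf": 1, "fprintf": 1, "syslog": 1}

CALL_RE = re.compile(
    r"\b(strcpy|strcat|gets|strncat|sprintf|printf|fprintf|syslog)\s*\((.*)\)\s*;")


def split_args(argtext):
    """Split a C argument list on top-level commas, ignoring commas inside
    nested parentheses/brackets or string literals."""
    args, cur, depth, in_str = [], "", 0, False
    for ch in argtext:
        if ch == '"':
            in_str = not in_str
        elif not in_str:
            if ch in "([":
                depth += 1
            elif ch in ")]":
                depth -= 1
            elif ch == "," and depth == 0:
                args.append(cur.strip())
                cur = ""
                continue
        cur += ch
    if cur.strip():
        args.append(cur.strip())
    return args


def unbounded_s(fmt_literal):
    """True if a literal format string has a %s conversion with no precision
    (%s or %-10s, but not %.63s), i.e. no cap on how much it writes."""
    body = fmt_literal.strip('"').replace("%%", "")
    return any("." not in flags for flags in re.findall(r"%([^%a-zA-Z]*)s", body))


def check_line(line):
    """Return [(severity, function, message)] for one line of C."""
    findings = []
    code = re.sub(r"/\*.*?\*/", "", line)  # drop inline comments first
    for m in CALL_RE.finditer(code):
        name, args = m.group(1), split_args(m.group(2))
        if name in ("strcpy", "strcat", "gets"):
            findings.append(("High", name, "unbounded copy into a fixed buffer"))
        elif name == "strncat":
            # strncat's n is the number of bytes to *append*; sizeof(dst) ignores
            # what is already in dst and can overflow by up to strlen(dst) bytes.
            if len(args) == 3 and re.fullmatch(r"sizeof\s*\([^()]*\)", args[2]):
                findings.append(("High", name, "bound is sizeof(dst), not the remaining space"))
        elif name in FORMAT_ARG and len(args) > FORMAT_ARG[name]:
            fmt = args[FORMAT_ARG[name]]
            if not fmt.startswith('"'):
                findings.append(("High", name, "non-constant format string"))
            elif name == "sprintf" and unbounded_s(fmt):
                findings.append(("High", name, "%s without precision can overflow the destination"))
    return findings


def scan(source):
    """Return [(line_no, severity, function, message)] for a C source text."""
    return [(no, sev, fn, msg)
            for no, line in enumerate(source.splitlines(), 1)
            for sev, fn, msg in check_line(line)]


if __name__ == "__main__":
    for no, sev, fn, msg in scan(SAMPLE_C):
        print(f"sample.c:{no}: {sev}: {fn}: {msg}")
```

The point to take from it, and from the RATS list above, is that every hit is purely lexical: a strcpy() into a buffer the caller has already length-checked is flagged exactly like a strcpy() of network input into a 64-byte stack array. Each hit still has to be triaged against the surrounding code.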


III. Detection rates
So, here are some tests made by various research projects:

AV-Test is an anti-virus research project at the Institute of Technical and Business Information Systems at the Otto-von-Guericke University Magdeburg (Germany).

They measured detection of six malware samples released in the week after the MS05-039 Plug and Play vulnerability (August 2005) across 36 different anti-virus products. Eleven of the products detected one or more of the samples proactively, without a pattern update written specifically for them. Here are the numbers for those eleven:

Product      Score
BitDefender  6 of 6
Fortinet     6 of 6
Nod32        5 of 6
eSafe        3 of 6
F-Prot       3 of 6
Panda        3 of 6
QuickHeal    3 of 6
McAfee       2 of 6
Norman       2 of 6
AntiVir      1 of 6
ClamAV       1 of 6

AV Comparatives did a test on various other Antivirus products not in their current testing process, including the ClamAV based ClamWin. Here are the results:
http://www.av-comparatives.org/seiten/ergebnisse/2ndgrouptest.pdf

This test also places ClamAV among the last in terms of detection rates:
http://www.sunbelt-software.com/ihs/alex/malwarereportjun3007.pdf

ClamAV also scores 17% (signature-based: 99% / heuristic: 1%) in the retrospective Antivirus Performance Statistics, which also places it among the last.

At VirusPool Tested Products ClamAV scores:

Number of descriptions in the database: 31928 out of 45159 live samples ( 70.7 %)
Number of 'in the wild' descriptions in the database: 25 out of 30 live samples ( 83.3 %)
(not very good, but not all that bad)

IV. Signature Updates:


How often is clamav-virusdb updated? According to the FAQ, multiple times a week, and the response time to new threats should be rather prompt. Anyway, to get an idea, take a look at the list archive: http://lurker.clamav.net/list/clamav-virusdb.html

Conclusion:

I definitely need to investigate this further, but so far I find ClamAV to be highly overrated, simply based on the fact that it is "part of the open source movement". It lacks a real-time scanner (that's fair, seeing how it was designed for mail gateways), it has a horrible security track record, poor detection rates and dreadful performance. I somewhat doubt that it would last long as a commercial product. Still, it is available on multiple platforms, and the cost is just about right :-).

Things aren't all bad though (and I may have been too rash and only brushed the surface here). ClamAV is a free product (open source even), and it does leave a lot of room and opportunity to evolve. I just don't see this happening without powerful commercial backing. If you plan on using it, though, make sure you've got at least one other product scanning your e-mails :-).

Other links:
http://www.av-comparatives.org/
http://www.virustotal.com/

Thursday, December 06, 2007

Exploit development frameworks and platforms - Metasploit, MSF-XB

Metasploit:

The Metasploit Project is an open source computer security project that aids penetration testing activities and IDS signature development, and provides information on security vulnerabilities.



Components:

  • The Metasploit Framework is a development platform for creating security tools and exploits. The framework is used by network security professionals to perform penetration tests, system administrators to verify patch installations, product vendors to perform regression testing, and security researchers world-wide. The framework is written in the Ruby programming language (rewritten from Perl) and includes components written in C and ASM. The Metasploit Framework consists of tools, libraries, modules, and user interfaces. The basic function of the framework is a module launcher, allowing the user to configure an exploit module and launch it at a target system. If the exploit succeeds, the payload is executed on the target and the user is provided with a shell to interact with the payload.
  • The Shellcode Archive contains various payloads written by the Metasploit staff, and includes a Windows shellcode development kit.
  • The Opcode Database contains the position of certain machine language opcodes in the attacked program or included DLLs

MSF-eXploit Builder


  • MSF-eXploit Builder (MSF-XB) is a free Windows GUI and exploit development platform for Metasploit Framework exploit modules. It helps you edit/modify/create/test exploit modules for the Metasploit Framework. It also bundles an assortment of fuzzers (TAOF, ProxyFuzz, FileFuzz, WinFuzz) and various other tools (Branchseeker, Faultmon, mycrc, nc, Findjmp2 and even PsTools). It requires an installed Metasploit Framework and a debugger (try Immunity Debugger).




SecurityForest Exploitation Framework:

  • SecurityForest's Exploitation Framework is similar in concept to Metasploit, and is written in Perl. The major difference is that it leverages the massive number of exploits available in the ExploitTree. These exploits are publicly available and do not have to be rewritten to be used in the framework (no matter what language, and sometimes no matter what OS). It basically acts as a graphical user interface to the ExploitTree, and is updated at the same time as the ExploitTree.




E-mail exploitation frameworks:

  • PIRANA is an exploitation framework that tests the security of an e-mail content filter. By means of a vulnerability database, the content filter under test is bombarded with e-mails carrying malicious payloads intended to compromise the filtering platform. PIRANA's goal is to test whether or not any vulnerability exists on the content filtering platform. This tool uses the shellcode generator from the Metasploit Framework!

Browser and web exploitation tools:
  • BeEF is the browser exploitation framework, used to demonstrate the real-time impact of XSS browser vulnerabilities.
  • Nikto is an open source web server scanner which performs comprehensive tests against web servers for multiple items, including over 3500 potentially dangerous files/CGIs, versions of over 900 servers, and version-specific problems on over 250 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired).

Network Vulnerability Scanners

  • Nessus is a comprehensive vulnerability scanning program. Its goal is to detect potential or confirmed weaknesses on the tested machines.
  • FwTest is a firewall testing tool.

Online vulnerability databases:
  • Secunia provides security advisories and information about patches, and provides software for vulnerability management.
  • Milw0rm is an exploit database separated by exploit type.

Immunity Debugger - an exploit development debugger

Immunity Debugger is a powerful new way to write exploits, analyze malware, and reverse engineer binary files. It builds on a solid user interface with function graphing, the industry's first heap analysis tool built specifically for heap creation, and a large and well supported Python API for easy extensibility. It is similar to OllyDbg in functionality and interface.

Immunity Debugger is said to cut exploit development times in half and has a powerful scripting language and connectivity to fuzzers and exploit development tools.

Friday, November 16, 2007

Firebug - awesome Web debugging tool - Firefox plugin

Firebug is a really cool Firefox plugin that lets you edit, debug, and monitor CSS, HTML, and JavaScript live in any web page.



If you're doing web development or just want to see why a webpage is loading slowly, you NEED Firebug!

Sunday, October 28, 2007

Windows Crash Dump Analysis - Pinpointing Faulty Drivers with Driver Verifier and WinDbg.

I've been having problems with my system lately, random freezes or crashes (BSOD, DRIVER_IRQL_NOT_LESS_OR_EQUAL, etc). Since the system passes memtest86+ and Vista memory tests, and it is updated to the latest and greatest patch level, I'm pretty sure the problems are caused by 3rd party drivers.

I'm going to use a very overlooked tool in Windows, and that is the "Driver Verifier". This tool has been a part of Windows systems ever since Windows 2000, and it's an invaluable tool in debugging faulty drivers.

You'll need to run the tool manually: Start - Run - verifier.exe. A wizard will pop up.



You'll need to create custom settings, select individual settings from a full list, and pick everything but "Low resource simulation". You can now either pick unsigned drivers (the usual suspects, since signed drivers have at least been through some testing; a signature is no guarantee of correctness, though) or select driver names from a list (pick the ones you most suspect: recently installed before the crashes appeared, and so on). Make sure you don't pick ALL drivers on your machine, that's quite painful.

In my case, I've picked drivers not provided by Microsoft; to be more specific, the Intel Turbo Memory (Robson) driver, since this is a Santa Rosa platform laptop and Turbo Memory isn't really known for its stability or performance boosts. In fact, some laptop vendors like HP have said NO to Turbo Memory.

iaStor.sys is the Intel Matrix Storage Manager driver and iaNvStor.sys is the Intel Turbo Memory (Robson) driver. Both install with the Intel Turbo Memory driver package.

In case you're more worried about its actual usefulness than about security issues (people reading data off the solid state device) or stability issues, take a look at this article:

Investigating Intel's Turbo Memory: Does it really work?




Once you've rebooted, make sure you check the results tab:



After this change you'll need to reboot your system and wait for a crash to occur. In case your system freezes rather than crashing, it's generally a good idea to boot in Debugging Mode (F8 at startup) and make sure you have complete memory dumps and CrashOnCtrlScroll enabled (a registry value under the keyboard port driver's Parameters key, i8042prt for PS/2 keyboards, which lets Ctrl + Scroll Lock + Scroll Lock force a bugcheck on a hung machine).

Once you've managed to obtain a crash dump (from a BSOD, by attaching a debugger to a hung system and typing .dump, or by crashing the system yourself with Ctrl - Scroll Lock - Scroll Lock in case of a hang) you'll need to analyze it. For this task you'll need the Windows Debugger (WinDbg) and debugging symbols (either the downloadable symbol packages or a symbol path pointed at Microsoft's public symbol server). You can grab them off Microsoft's website; just make sure they're the right ones for your system.

Once you've got yourself a debugging environment set up, open WinDbg, pick File - Open Crash Dump (Ctrl - D) and open the fresh memory dump (C:\Windows\MEMORY.DMP by default - check the Startup and Recovery Tab to make sure).



As we can see in the image, it did not find any debugging symbols for the iaStor.sys and iaNvStor.sys drivers (the Intel Turbo Memory Drivers) since they are 3rd party drivers.

We're going to type "!analyze -v" to get more details on the error.


Looking at the stack, we can see:

WARNING: Stack unwind information not available. Following frames may be wrong.
88fafd00 80673529 85f2b0e8 8593d194 b92b8f00 iaStor+0x3cf51

That's the Intel TurboMemory driver (well, the Intel Matrix Storage Manager to be more exact).

Since this is a Core 2 system, we have CPU 0 and CPU 1. To run commands in the context of CPU 1, we need to switch to it using the ~1 command.

We're going to examine the stack on both CPUs:


0: kd> ~0
0: kd> k
ChildEBP RetAddr
a9563bb0 81ce8651 hal!KeReleaseQueuedSpinLock+0x26
a9563c14 81ce86f6 nt!ExFreePoolWithTag+0xae7
a9563c24 81dec9ae nt!ExFreePool+0xf
a9563c60 81d3949b nt!ObOpenObjectByName+0x47b
a9563d2c 81d39258 nt!CmOpenKey+0x1b1
a9563d50 81c8c92a nt!NtOpenKey+0x39
a9563d50 77ae0f34 nt!KiFastCallEntry+0x12a
WARNING: Frame IP not in any known module. Following frames may be wrong.
0097f0c4 765d5fc9 0x77ae0f34
0097f120 7566548e 0x765d5fc9
0097f214 75664e62 0x7566548e
0097f274 75665581 0x75664e62
0097f2a4 75665f46 0x75665581
0097f450 75665f5f 0x75665f46
0097f474 75664b10 0x75665f5f
0097f4d0 75664a05 0x75664b10
0097f51c 76686d7e 0x75664a05
0097f548 767003a2 0x76686d7e
0097f974 766ff44c 0x767003a2
0097f990 766873cb 0x766ff44c
0097f9cc 76687279 0x766873cb
0: kd> ~1
1: kd> k
ChildEBP RetAddr
88fafb64 828059c1 nt!KeBugCheckEx+0x1e
88fafb94 82805d01 crcdisk!VerifyOrStoreSectorCheckSum+0x111
88fafbc4 8280521a crcdisk!VerifyCheckSum+0xa9
88fafc00 82805570 crcdisk!CompleteXfer+0x16a
88fafc14 81ecec69 crcdisk!CrcScsiReadCompletion+0x20
88fafc4c 81caca3b nt!IovpLocalCompletionRoutine+0xcc
88fafc80 81eceb53 nt!IopfCompleteRequest+0x13d
88fafcf0 8297ef51 nt!IovCompleteRequest+0x11c
WARNING: Stack unwind information not available. Following frames may be wrong.
88fafd00 80673529 iaStor+0x3cf51
88fafd10 8067a8b5 iaNvStor+0x16529
88fafd30 8067b1f1 iaNvStor+0x1d8b5
88fafd4c 80679740 iaNvStor+0x1e1f1
88fafd7c 81e25472 iaNvStor+0x1c740
88fafdc0 81c9141e nt!PspSystemThreadStartup+0x9d
00000000 00000000 nt!KiThreadStartup+0x16


We can use lm kv to list currently loaded drivers and version information. From this list, I've selected the two drivers we're interested in:


8065d000 80699000 iaNvStor (no symbols)
Loaded symbol image file: iaNvStor.sys
Image path: \SystemRoot\system32\DRIVERS\iaNvStor.sys
Image name: iaNvStor.sys
Timestamp: Sun Mar 11 10:11:01 2007 (45F3B995)
CheckSum: 000423B0
ImageSize: 0003C000
Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0

82942000 82a00000 iaStor (no symbols)
Loaded symbol image file: iaStor.sys
Image path: \SystemRoot\system32\DRIVERS\iaStor.sys
Image name: iaStor.sys
Timestamp: Mon Feb 12 22:46:47 2007 (45D0D237)
CheckSum: 0004966D
ImageSize: 000BE000
Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0


This tells us the driver version and timestamp, to let us know if an update is in order. Usually old drivers are suspect.
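The two crash-dump posts on this page (the SYMTDI.SYS minidumps above and this one) do the same thing by eye: read the start/end addresses that lm kv prints for each module and work out which module a raw return address falls in. Here is that step as an added Python example (written for this page; it is not WinDbg output and not vendor code). The module lines and the CPU 1 stack are copied from the posts; the function names are mine.

```python
"""Resolve raw WinDbg return addresses to module+offset using `lm kv` ranges.

Added example for this page (not WinDbg output and not vendor code). It
re-does by script what the two crash-dump posts do by eye: take the
start/end addresses that `lm kv` prints for each module and map the
RetAddr column of a `k` stack onto them, so frames that WinDbg could not
symbolize ("Following frames may be wrong") can still be attributed.
"""
import re

# Module header lines as printed by `lm kv`, copied from the posts above:
# "<start> <end> <name> [flags] (symbol state)".
LM_KV_OUTPUT = """\
8065d000 80699000 iaNvStor (no symbols)
82942000 82a00000 iaStor (no symbols)
a788f000 a78b9dc0 SYMTDI T (no symbols)
"""

# CPU 1 stack from the Driver Verifier post, trimmed to the interesting frames.
# Column 2 (RetAddr) is where the frame returns to, i.e. a location in the
# *caller*, so resolving it tells you which module the *next* line lives in.
K_OUTPUT = """\
88fafc4c 81caca3b nt!IopfCompleteRequest+0x13d
88fafcf0 8297ef51 nt!IovCompleteRequest+0x11c
88fafd00 80673529 iaStor+0x3cf51
88fafd10 8067a8b5 iaNvStor+0x16529
88fafd30 8067b1f1 iaNvStor+0x1d8b5
88fafd4c 80679740 iaNvStor+0x1e1f1
88fafd7c 81e25472 iaNvStor+0x1c740
88fafdc0 81c9141e nt!PspSystemThreadStartup+0x9d
"""

MODULE_RE = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]{8})\s+(\S+)(.*)$", re.IGNORECASE)


def parse_modules(lm_text):
    """Return [(start, end, name, has_symbols)] from `lm kv` module header lines."""
    modules = []
    for line in lm_text.splitlines():
        m = MODULE_RE.match(line.strip())
        if m:
            start, end, name, rest = m.groups()
            modules.append((int(start, 16), int(end, 16), name, "(no symbols)" not in rest))
    return modules


def resolve(addr, modules):
    """Map an address to (module, offset); None when no listed module covers it,
    which is the case WinDbg reports as 'Frame IP not in any known module'."""
    for start, end, name, _ in modules:
        if start <= addr < end:
            return name, addr - start
    return None


def annotate_stack(k_text, modules):
    """For each `k` frame return (retaddr, 'module+0xoffset' or None).

    Only modules in `modules` are resolved; nt/hal frames come out as None
    here because the list deliberately holds only the unsymbolized drivers."""
    frames = []
    for line in k_text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            retaddr = int(fields[1], 16)
        except ValueError:  # header or WARNING line
            continue
        hit = resolve(retaddr, modules)
        frames.append((retaddr, f"{hit[0]}+0x{hit[1]:x}" if hit else None))
    return frames


def unsymbolized_modules_on_stack(k_text, modules):
    """Sorted names of modules without symbols that the stack passes through.
    Microsoft drivers get symbols from the public symbol server, so this is a
    fair first cut at 'third-party driver on the path to the bugcheck'."""
    no_syms = {name for _, _, name, has_syms in modules if not has_syms}
    hits = set()
    for _, sym in annotate_stack(k_text, modules):
        if sym and sym.split("+")[0] in no_syms:
            hits.add(sym.split("+")[0])
    return sorted(hits)


if __name__ == "__main__":
    mods = parse_modules(LM_KV_OUTPUT)
    for retaddr, sym in annotate_stack(K_OUTPUT, mods):
        print(f"{retaddr:08x} -> {sym or '(not in listed modules)'}")
    print("unsymbolized modules on stack:", unsymbolized_modules_on_stack(K_OUTPUT, mods))
```

The RetAddr of the nt!IovCompleteRequest frame, 8297ef51, resolves to iaStor+0x3cf51, which is exactly what WinDbg printed for the frame below it; the same holds for each iaNvStor frame. Those module+offset values are what you would hand to u iaNvStor+0x16529 to look at the faulting code, or to the vendor together with the timestamp from lm kv.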

Useful commands:

  • ~N where N is the CPU number (count starts from 0) changes to that CPU
  • !analyze -v gives a detailed heuristic analysis of the problem, and looks for 3rd party drivers that might be responsible for the crash.
  • lm kv lists loaded drivers and gives details on them
  • !deadlock the deadlock verifier
  • !vm prints memory usage. If pool usage is close to pool maximum, then a driver might have a memory leak.
  • !poolused, if pool tagging is on (the default on 2003+), displays kernel pool usage by pool tag and lets you map the tags back to drivers. Mapping tags of 3rd-party drivers requires grepping the driver binary for printable strings. See "!poolused c".
  • !thread examine current thread (run on each CPU). If a driver interrupts a running thread, this may not list the cause of the crash.
  • !process 0 0 list active processes. Look for suspect processes that shouldn't be running, or common 3rd party processes that show up in multiple crashes.
Since all results point at the Turbo Memory drivers, and while working I got another couple of crashes with similar results (Probably caused by : iaNvStor.sys ( iaNvStor+3523 )), I've got two choices here: either look for updates or remove the driver and stop using Turbo Memory. Since most benchmarks say it doesn't provide an actual performance boost, and at most a mild battery boost, I concluded it's safer to just remove the driver and stop using Turbo Memory on this machine.

The Windows Experience Index on this machine is 4.7 with Turbo Memory enabled, 4.7 with Turbo Memory caching disabled. No change in performance (Sure, the Experience Index may be no proper benchmark, but it's more than relevant in this case).

Seeing how disabling the caching didn't affect performance, I simply removed the software from my machine. Big mistake. Uninstalling the Turbo Memory software also gave this neat little error when booting Windows:

Please insert the Windows recovery CD.

Windows failed to load because a critical System driver is missing or corrupt.
\WINDOWS\System32\DRIVERS\iaStor.sys

Well, that was fun. At least restoring BOOTSECT managed to fix things.

Final Words:

A vast majority of Windows crashes are caused either by:

Unstable hardware:
  • Entry-level memory with no ECC or Chipkill, sometimes running at very high speeds it wasn't designed for
  • Broken memory: Make sure you run memtest86+ or Vista's Memory Tester (boot the DVD and pick Memory Test).
  • Overclocked processors and high temperatures

Buggy 3rd party drivers:

  • Binary blob drivers that aren't properly tested, verified and updated for all versions of Windows
  • Drivers for small-time hardware like keyboards with "special" keys or 8-button mice and so on.
My advice is simple: avoid such drivers at all costs. The functionality they add is minor, and the risks and stability problems are not worth it. If your keyboard's "Email" button requires a kernel module, forget about it, the idea is broken by design.

And remember, if you have problems, make sure you obtain a memory dump for analysis, and always perform a hardware test before blaming it on software: a full POST, a memtest86+ run, a Prime95 CPU test, monitoring system temperatures and disk S.M.A.R.T. data with HD Tune, checking your hardware cabling and such. Then look at the software, mainly at the drivers: remove unneeded 3rd-party drivers, software (use Sysinternals Autoruns) and hardware, install the latest driver versions, and update to the latest Windows patch level.

Thursday, October 25, 2007

Digital Forensic Tools: Imaging, Virtualization, Cryptanalysis, Steganalysis, Data Recovery, Data Carving, Reverse Engineering

"Jrypbzr gb gur bgure fvqr."

Computer Forensics is a science and an art. To perform it, you need tools to identify, acquire, preserve and analyze data in a clean, safe, non-destructive manner. Lots of tools. Everything from data acquisition to virtualization and steganalysis.


A list of more or less free tools (mostly open source or freeware, but I have included some relevant commercial products) no digital forensics expert should be without:

Data acquisition, enumeration, imaging and forensics tools: Toolkits and utilities.
  1. The Sleuth Kit and Autopsy Browser. Both are open source digital investigation tools (a.k.a digital forensic tools) that run on Unix systems (such as Linux, OS X, FreeBSD, OpenBSD, and Solaris). They can be used to analyze NTFS, FAT, Ext2, Ext3, UFS1, and UFS2 file systems and several volume system types. The Sleuth Kit (TSK) is a collection of command line tools based on The Coroner's Toolkit (TCT). Autopsy is a graphical interface to TSK.
  2. The Coroner's Toolkit (TCT) is a forensics toolkit for analysis of UNIX break-ins. It runs on BSD (OpenBSD, FreeBSD, BSD/OS), Solaris/SunOS, Linux and HP-UX.
  3. WinHex: Computer Forensics & Data Recovery Software, Hex Editor & Disk Editor.
  4. dcfldd is an enhanced version of GNU dd with features useful for forensics and security. GNU ddrescue is a data recovery tool. It copies data from one file or block device trying to rescue data in case of read errors. It's a better alternative to using dd_rescue and dd_rhelp or SpinRite (you can just do a disk refresh with dd: "dd if=/dev/disk of=/dev/disk bs=2m" while the drive isn't mounted - no write operations going on - or something along those lines in order to prevent presently recoverable read errors from progressing into unrecoverable read errors).
  5. Sysinternals tools contains programs like streams, which finds data hidden inside alternate data streams, and strings, which greps readable strings out of a file. It also has tools like Process Explorer, procmon, autoruns and RootkitRevealer that allow you to dig deep into the Windows operating system for process, disk and data related information.
  6. Microsoft Log Parser is a powerful, versatile tool that you can use to extract information from files of almost any format by running SQL-style queries against text-based data such as log files, XML files and CSV files, as well as key data sources on the Windows operating system such as the Event Log, the Registry, the file system, and Active Directory.
  7. AccessData Forensic Products: FTK - Forensic Toolkit, Registry Viewer - more neat tools from AccessData. Commercial products.
  8. Clonezilla is used to clone many computers simultaneously. It can perform a full disk image or just file backup. It's a backup tool, but it can also perform bit by bit disk imaging.
  9. Sysinternals LiveKD is a Live version of Windows Debugger (WinDBG) that allows you to run the Kd and Windbg Microsoft kernel debuggers, which are part of the Debugging Tools for Windows package, locally on a live system. This means that you can easily take a memory dump of a running Windows system (.dump /f YOURUSBDISK:\fullmemorydump.dmp). On UNIX systems you can use dd to take a snapshot of the system memory ("dd if=/dev/kmem of=/path/to/memorydump").
  10. Paraben's Device Seizure - Cell Phone and PDA Forensic software. Specialized software for portable device forensics.
  11. PDD is a forensic analysis tool for Palm OS platform devices. It is an open source Windows-based tool for Palm OS memory imaging and forensic acquisition. The Palm OS Console Mode is used to acquire memory card information and to create a bit-for-bit image of the selected memory region. No data is modified on the target device and the data retrieval is not detectable by the user of the PDA.
  12. CDInfo is an application that will display all ISO descriptors from all attached cd-rom drives (Label, System, Application, VolumeSet, Copyright, Creation Date, Directory Start, Directory Length, extensions, tracks, etc).
  13. PMDump is a Windows tool that lets you dump the memory contents (both RAM and swap) of a process to a file without stopping the process.

Virtualization: Once the actual machine is cloned, it's usually put inside a virtual machine (features like snapshots and debugging help quite a bit with the digital forensics process). This is called physical to virtual (P2V) migration.
  1. Live View is a Java-based graphical forensics tool that creates a VMware virtual machine out of a raw (dd-style) disk image or physical disk. This allows the forensic examiner to "boot up" the image or disk and gain an interactive, user-level perspective of the environment, all without modifying the underlying image or disk. Because all changes made to the disk are written to a separate file, the examiner can instantly revert all of his or her changes back to the original pristine state of the disk. The end result is that one need not create extra "throw away" copies of the disk or image to create the virtual machine.
  2. VMware Converter Starter is a free p2v (physical to virtual) migration tool. VMware Converter quickly converts Microsoft Windows based physical machines and third party image formats to VMware virtual machines. It also converts virtual machines between VMware platforms. Note: for digital forensic images, you should use LiveView, and not the converter.
  3. VMware Server allows for free virtualization. You can use it in combination with Live View to virtualize existing environments, and use the snapshots feature to revert back to a previous state of a virtual machine in an instant.
  4. QEmu - a much more flexible virtualization program, albeit a bit slower than VMware. Supports emulating IA-32 (x86) PCs, AMD64 PCs, MIPS R4000, Sun's SPARC sun4m, Sun's SPARC sun4u, ARM development boards (Integrator/CP and Versatile/PB), SH4 SHIX board, PowerPC (PReP and Power Macintosh), and ETRAX CRIS architectures. Also, qemu-img can be a valuable tool for converting virtual machine images. Also allows for some really low level debugging features. A modified version of QEmu can even emulate PIX platforms (or Juniper JunOS systems like Olive).
  5. VirtualBox is a GPL licensed x86 virtualization platform that runs on Windows, Linux and MacOS hosts, and supports various x86 client machines (Windows, Linux, BSD, Solaris). It's a noteworthy alternative to using VMware, as performance tends to be pretty good.
  6. Microsoft VirtualServer / Virtual PC are free virtualization products from Microsoft. They support all major features (snapshots, mounting ISO images and such), and performance tends to be reasonable (to some extent, similar to that of VMware).
  7. SIMH is a highly portable, multi-system simulator. It can emulate VAX and PDP-11 platforms. Just in case you need to perform forensics on older minicomputers.
  8. Hercules is an open source (QPL licensed) emulator of IBM Mainframe computers (System/370, ESA/390 architectures and even the 64-bit zSeries). Hercules runs under Linux, Windows (98, NT, 2000, and XP), FreeBSD, and Mac OS X (10.3 and later). Hercules will run OS/360, DOS/360, DOS/VS, MVS, VM/370, TSS/370 - all IBM public domain operating system, as well as OS/390, z/OS, VSE/ESA, z/VSE, VM/ESA, and z/VM, and even Linux/390 and Linux (SuSE, RHEL, Debian, CentOS and Slackware) on zSeries.
  9. Oracle VM is a server virtualization software based on Xen and Oracle Linux (itself based on RHEL sources) that fully supports both Oracle and non-Oracle applications. It is a free alternative to VMware Virtual Infrastructure (VMware ESX + VirtualCenter). It is certified to run the Linux operating system, Oracle Database, Fusion Middleware, and Application software, thus makes a very good platform for investigating Oracle databases.
  10. The Palm OS Emulator is a program based on the Copilot app that emulates the hardware of the various models of Palm-powered handhelds, making it a valuable tool for writing, testing, and debugging applications as well as obtaining evidence from the device.
  11. Microsoft Windows CE 5.0 Device Emulator contains the emulator technologies featured in Windows CE 5.0. By using the Device Emulator, you can run emulated-based images created by Windows CE 5.0 without installing Platform Builder, its platform development tool.


Password recovery tools: You may often need to recover keys and passwords.

"This text has been encrypted twice... for double protection!"
  1. Ophcrack is a very efficient Windows password cracker based on rainbow tables. It will crack huge tables of LM hashes in under 3 minutes. It also comes in the form of a LiveCD (though in digital forensics cases it's usually best to extract the SAM file containing the password hashes from the disk image and use that). Ophcrack can be a lot more effective if you have more complete rainbow tables.
  2. LCP is a free alternative to the now dead L0phtcrack.
  3. John the Ripper is a very versatile password cracking tool. It's supported on different architectures and operating systems (UNIX, Windows, OpenVMS, etc) and it's quite fast. Besides several crypt(3) password hash types most commonly found on various Unix flavors, supported out of the box are Kerberos AFS and Windows NT/2000/XP/2003 LM hashes, plus several more with contributed patches.
  4. Medusa is a very fast parallel brute force login password cracker.
  5. Elcomsoft Password Recovery suite: anything from office, archives, pdf files etc. to email clients. These are commercial products though.
  6. CmosPwd decrypts the password stored in CMOS that is used to access BIOS SETUP. Works on a lot of BIOSes (AMI, Award, Phoenix, IBM, etc). It can also be used to backup, restore or erase the BIOS.
  7. AccessData Decryption Tools: PRTK - Password Recovery Toolkit, DNA - Distributed Network Attack, PORT - Portable Office Rainbow Tables are some of the best and fastest tools in the business.
  8. Offline NT Password and Registry editor - a utility to (re)set the password of any user that has a valid (local) account on your NT system. You do not need to know the old password to set a new one. Features a registry editor. Supports 32- and 64-bit versions of Vista (and NTFSv5).
  9. Elcomsoft Distributed Password Recovery is designed for distributed recovery of forgotten or lost passwords of different documents. Version 2.0 adds support for Windows SYSKEY startup passwords, passwords stored in Domain Cached Credentials, includes updated Adobe Acrobat module, and provides hardware acceleration (now up to 25 times faster!) for NTLM password recovery using GeForce 8 video cards.
  10. Dialupass - Dialup Password Recovery - Recovers the passwords of dialup entries (VPN and Internet connections) on Windows systems. NirSoft provides a couple of free password recovery tools for various products such as Instant Messaging applications, cached passwords stored by Internet Browsers, E-mail clients and so on.
Here's a cool little trick for recovering cached passwords (asterisk passwords) stored in your Internet Browser (Firefox, Opera, Internet Explorer or anything with JavaScript).

Steganalysis and steganography: how to detect data hidden using steganography.
  1. Stegdetect finds hidden information in JPEG images using such steganography schemes as F5, Invisible Secrets, JPHide, and JSteg. XSteg is a GUI.
  2. Stego Suite is a powerful commercial steganography detection toolkit, consisting of 3 major tools.
  3. Stegkit is an Automated Steganalysis Tool.
  4. Digital Invisible Ink Toolkit is an open-source cross-platform image steganography suite that includes both steganography and steganalysis implementations.
  5. StegSpy will detect steganography and the program used to hide the message.
  6. SteGUI is a StegHide GUI.
  7. Digital Watermarking allows you to hide copyright information and such in media (images and such) that's present even after encoding to another format (bmp->jpg), printing, copy/paste, etc. You can use ImageMagick or various Photoshop plugins to do this.
  8. Stepic is a Python module and command line tool for hiding arbitrary data within images by slightly modifying the colors. These modifications are generally imperceptible to humans, but are machine detectable.
  9. wbStego4 offers steganography in bitmaps, text files, HTML files and PDF files. It has two very user-friendly interfaces and is ideal for securely transmitting data online or adding copyright information, especially with the copyright information manager.
  10. NL Stego is a system for text generation and text-based steganography. It combines Markov Models of several orders to generate random text resembling a given training text (or text corpus). It can also embed secret messages into pseudo-random generated text.
  11. Steghide is an Open Source (GPL) steganography program that is able to hide data in various kinds of image and audio files. The color (respectively sample) frequencies are not changed, thus making the embedding resistant against first-order statistical tests. Supports compression of embedded data, encryption of embedded data, embedding of a checksum to verify the integrity of the extracted data, and has support for JPEG, BMP, WAV and AU files.
  12. StegFS is an Open Source (GPL) Steganographic File System for Linux. Not only does it encrypt data, it also hides it such that it cannot be proved to be there.
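To make the "machine detectable" remark on Stepic concrete, here is an added example (my own code, not taken from any tool in this list) that embeds a payload in the least significant bits of a constructed 8-bit grayscale "image" (a flat byte array, not a real image file) and then runs the pairs-of-values (chi-square) steganalysis test over it. The cover is synthesized with a deliberately uneven histogram, standing in for the asymmetry real photos have; the 80% even-value bias, the 160x125 size and the random payload are all constructed assumptions.

```python
"""LSB embedding and pairs-of-values (chi-square) steganalysis on a constructed
8-bit grayscale "image" (a flat byte array, no real image format).
Added example; not code from any of the tools listed."""
import random

WIDTH, HEIGHT = 160, 125   # 20000 pixels, constructed


def make_cover(seed=1):
    """Synthetic cover with the uneven histogram natural images tend to have:
    even values are deliberately over-represented (constructed bias)."""
    rng = random.Random(seed)
    px = bytearray()
    for _ in range(WIDTH * HEIGHT):
        if rng.random() < 0.8:
            px.append(2 * rng.randrange(128))    # even-only value
        else:
            px.append(rng.randrange(256))        # any value
    return bytes(px)


def embed_lsb(cover, payload):
    """Write payload bits, MSB first, into the least significant bit of each pixel."""
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("payload does not fit in the cover")
    out = bytearray(cover)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def extract_lsb(stego, nbytes):
    """Read nbytes back out of the LSB plane (inverse of embed_lsb)."""
    out = bytearray()
    for i in range(nbytes):
        value = 0
        for j in range(8):
            value = (value << 1) | (stego[i * 8 + j] & 1)
        out.append(value)
    return bytes(out)


def chi_square_pov(pixels):
    """Pairs-of-values statistic: sum over k of (n[2k] - n[2k+1])^2 / (n[2k] + n[2k+1]).
    LSB embedding of random-looking data drives each pair toward equality, so a
    value close to the number of pairs (128) is the tell; natural asymmetry
    gives a much larger value."""
    counts = [0] * 256
    for p in pixels:
        counts[p] += 1
    stat = 0.0
    for k in range(128):
        a, b = counts[2 * k], counts[2 * k + 1]
        if a + b:
            stat += (a - b) ** 2 / (a + b)
    return stat


def demo(seed=1):
    """Return (cover statistic, stego statistic) for a fully embedded cover.
    The payload is random bytes standing in for an encrypted/compressed message."""
    cover = make_cover(seed)
    rng = random.Random(seed + 1)
    payload = bytes(rng.randrange(256) for _ in range(len(cover) // 8))
    stego = embed_lsb(cover, payload)
    assert extract_lsb(stego, len(payload)) == payload   # round trip
    return chi_square_pov(cover), chi_square_pov(stego)


if __name__ == "__main__":
    c, s = demo()
    print("cover chi-square: %.0f   stego chi-square: %.0f" % (c, s))
```

The statistic drops by roughly two orders of magnitude after full embedding, which is why a tool like Stegdetect can flag an image without knowing the payload. The weakness of this test is also visible in the code: it assumes the LSB plane was filled sequentially and completely, so a sparse or randomly scattered embedding (as Steghide does) leaves the pair counts nearly untouched.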

Filesystem tools: Data Recovery.
  1. Undelete Plus is a free deleted file recovery tool that works for all versions of Windows (95-Vista), FAT12/16/32, NTFS and NTFS5 filesystems and can perform recovery on various solid state devices.
  2. Avira UnErase Personal - a freely available unerase product.
  3. TestDisk is a free (GPL) data recovery software that can fix partition tables, recover deleted partitions and rebuild NTFS boot sectors. It can find lost partitions (anything from BSD disklabels to IBM JFS, it supports pretty much anything).
  4. GNU Parted is a program for creating, destroying, resizing, checking, and copying partitions, and the file systems on them. This is useful for creating space for new operating systems, reorganising hard disk usage, copying data between hard disks, and disk imaging. It can also be used to attempt recovery of the partition table similar to TestDisk (rescue START END).
  5. Stellar Phoenix has various UNIX and *NIX (SCO OpenServer, Unixware, Sun Solaris, *BSD, HP-UX, MacOS) data recovery tools as well as some Windows Data Recovery tools. They are, however, commercial products.
  6. R-Studio is a data recovery software suite that can recover files from FAT(12-32), NTFS, NTFS 5, HFS/HFS+, FFS, UFS/UFS2 (*BSD, Solaris), Ext2/Ext3 (Linux) and so on. This is a commercial product.
  7. DiskInternals NTFS Recovery is a fully automatic utility that recovers data from damaged or formatted disks. This is a commercial product.
  8. SystemRescueCD is a Linux system on a bootable CD/DVD for repairing your system and your data after a crash. It also aims to provide an easy way to carry out admin tasks on your computer, such as creating and editing the partitions of the hard disk. It contains a lot of system utilities (parted, partimage, fstools) and basic ones (editors, midnight commander, network tools). The kernel of the system supports most important file systems (ext2/ext3, reiserfs, reiser4, xfs, jfs, vfat, ntfs, iso9660), and network ones (SMB/CIFS and NFS).
  9. PhotoRec is file data recovery software designed to recover lost files including video, documents and archives from Hard Disks and CDRom and lost pictures (thus, its 'Photo Recovery' name) from digital camera memory. PhotoRec ignores the filesystem and goes after the underlying data, so it will still work even if your media's filesystem has been severely damaged or re-formatted.
  10. Datarescue PhotoRescue Advanced is a picture and photo data recovery solution made by the creators of IDA Pro. PhotoRescue will undelete, unerase and recover pictures and files lost on corrupted, erased or damaged compact flash (CF) cards, SD Cards, Memory Sticks, SmartMedia and XD cards even when other solutions fail. Once the data is recovered, it guarantees its integrity. It supports recovery of all file types and is optimized for JPG, TIFF, GIF and BMP, as well as most camera RAW formats: CR2, RAW, RAF, CRW, NEF, ORF, MRW, etc and many types of movie files. In some cases, it can even rebuild pictures that have suffered minor corruption.
  11. MiTeC Windows Registry Recovery - crashed machine registry configuration data recovery.

Cryptography tools:
Once the data has been collected and the disks and media have been imaged, it needs to be encrypted, hashed and digitally signed in order to be properly stored.
  1. Truecrypt is a powerful open source encryption software that works on Windows (2000, 2003, XP, Vista) and Linux. It can do on the fly encryption, it can encrypt whole partitions or mass storage devices, it supports steganography (hidden volumes within an encrypted partition) for plausible deniability and supports AES-256, Serpent and Twofish encryption. It can also escrow keys (so you can't access the data without, say, the two USB sticks with the keys and the passphrase), and supports both password and key authentication. Note: when you're using encryption, you should also use encrypted swap or make sure you zero it out when you're done.
  2. Cryptsetup-luks is an interface based on the original cryptsetup utility that retains full compatibility but adds extra commands to deal with the Linux Unified Key Setup (LUKS) on-disk format. This format provides additional features such as key management and key strengthening, and remembers encrypted volume configuration across reboots. Under Windows, LUKS encrypted disks can be used with FreeOTFE (a free, open source, "on-the-fly" transparent disk encryption program for PCs and PDAs).
  3. FreeBSD GELI - cryptographic GEOM class available as of FreeBSD 6.0. The geli utility differs from gbde: it offers different features and uses a different scheme for doing cryptographic work.
  4. NetBSD CGD - cryptographic device driver provides functionality which allows you to use disks or partitions for encrypted storage. After providing the appropriate key, the encrypted partition is accessible using cgd pseudo-devices.
  5. OpenBSD vnconfig(8) - provides encrypted svnd's via the "vnconfig -K rounds" option, which associates an encryption key with the device. All data is encrypted using the Blowfish cipher before it is written to the disk. The user is asked for both a passphrase and the name of a salt file. OpenBSD also provides encrypted swap by default.
  6. OpenPGP - Open Pretty Good Privacy provides data integrity services for messages and data files by using digital signatures, encryption, compression and Radix-64 conversion. In addition, OpenPGP provides key management and certificate services. The GNU Privacy Guard (GnuPG) is the OpenPGP implementation of the GNU project. GnuPG is fully OpenPGP compliant, supports most of the optional features and provides some extra features. GnuPG is used as the standard encryption and signing tool of all GNU/Linux distributions.

Intrusion Detection and vulnerability scanners: Sometimes you need to analyze live systems during the incident, because a crime has not yet been committed or the perpetrator is still active. This calls for intrusion detection, network monitoring and security auditing tools. Tools like AIDE, Tripwire, BART and such need to be installed and configured before the incident occurs, but if they are, it's good to know how to extract the right information from the hash database and figure out which files have changed.

Sometimes something as simple as a vulnerability scan using tools like nmap or Nessus may reveal how a perpetrator gained illegal access to a system.

  1. AIDE - Advanced Intrusion Detection Environment is an open source intrusion detection system similar to TripWire. It maintains a database of files and hashes (md5,sha1,rmd160,tiger,haval,etc) that are used to check the integrity of a file.
  2. Wireshark - Network protocol analyzer for Windows and Unix that allows examination of data from a live network, or from a capture file on disk. Also known as Ethereal (before the name change). Alternatives include tcpdump (most UNIX systems), snoop(1M) (Solaris) and Windows Network Monitor on Windows. Helps detect data theft or covert channels used to leak out information.
  3. Tiger is a security tool that can be used both as a security audit and as an intrusion detection system. It supports multiple UNIX platforms. Unlike other tools, Tiger needs only POSIX tools and is written entirely in shell language.
  4. Lynis is an auditing tool for Unix (specialists). It scans the system configuration and creates an overview of information usable by professional auditors.
  5. Rootkit Hunter scans for rootkits, backdoors and local exploits by running various tests. On Windows, you would use Sysinternals "autoruns" and "Rootkit Revealer".
  6. Microsoft Baseline Security Analyzer (MBSA) is used to detect common security misconfiguration and missing security updates on your computer systems as well as to ensure the system conforms to a baseline security level.
  7. BART (Basic Audit Reporting Tool) and BSM (Basic Security Module) are auditing tools used on Solaris.
  8. Bastille is a hardening tool that can maintain logs and audits a forensics expert should know how to parse. Bastille is also used on HP-UX.
  9. The Metasploit Framework is a development platform for creating security tools and exploits.
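The AIDE item above describes the idea (a database of per-file hashes and attributes, compared later to find what changed) without showing what such a comparison looks like. Here is an added example of my own, not AIDE's code or database format: it baselines a directory tree, saves the database as JSON, tampers with a constructed copy of the tree and then reports added, removed and modified files. The hash set (md5, sha1, sha256), the JSON layout and the temporary directory contents are all assumptions made for the example.

```python
"""AIDE-style file integrity baseline and comparison.
Added example; it is not AIDE's database format or code. It records size, mode,
mtime and several hashes per file, then reports what changed in a later snapshot.
The directory tree used by demo() is constructed in a temporary directory."""
import hashlib
import json
import os
import shutil
import tempfile

HASHES = ("md5", "sha1", "sha256")   # assumed set; AIDE also offers rmd160, tiger, haval, ...


def hash_file(path):
    """Return {algorithm: hexdigest} for one file, read in 64 KiB chunks."""
    hs = {name: hashlib.new(name) for name in HASHES}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            for h in hs.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hs.items()}


def build_baseline(root):
    """Walk root and key each regular file's attributes by its relative path."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            db[rel] = {"size": st.st_size, "mode": st.st_mode,
                       "mtime": int(st.st_mtime), **hash_file(full)}
    return db


def compare(baseline, current):
    """Return added and removed paths, plus {path: [attributes that differ]}."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in set(baseline) & set(current):
        diffs = sorted(k for k in baseline[rel] if baseline[rel][k] != current[rel][k])
        if diffs:
            changed[rel] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def save_db(db, path):
    """Persist the baseline as JSON; keep this copy on read-only media."""
    with open(path, "w") as f:
        json.dump(db, f, indent=1, sort_keys=True)


def load_db(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed scenario: baseline a tree, tamper with it, diff against the saved db."""
    root = tempfile.mkdtemp()
    dbdir = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"original ls binary")
        with open(os.path.join(root, "passwd"), "wb") as f:
            f.write(b"root:x:0:0:root:/root:/bin/sh\n")
        dbfile = os.path.join(dbdir, "baseline.json")
        save_db(build_baseline(root), dbfile)
        # Tamper: a same-size replacement (hashes change, size does not),
        # a removed file and a newly dropped hidden file.
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"trojaned ls binary")
        os.remove(os.path.join(root, "passwd"))
        with open(os.path.join(root, ".hidden"), "wb") as f:
            f.write(b"x")
        return compare(load_db(dbfile), build_baseline(root))
    finally:
        shutil.rmtree(root)
        shutil.rmtree(dbdir)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The same-size replacement in the demo is the reason size and mtime alone are not enough: only the hashes expose it. The other half of the AIDE model is not in the code, and matters just as much: the saved database must live somewhere the compromised host cannot rewrite (read-only media, or a separate machine), or an intruder simply re-baselines after the fact.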

Antivirus and anti-spyware products: Finding malware.
The system should be scanned for trojans, keyloggers and other types of malware (make sure you only scan the image, and take no action, just log their existence).
  1. Avira AntiVir PersonalEdition Classic is a free Antivirus product that is available on multiple platforms (Windows 2000 / XP / Vista 32 Bit and 64 Bit, Linux / FreeBSD / OpenBSD / Solaris). License is available for home use.
  2. Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX. This can be used in a commercial environment. ClamWin is a free, open source antivirus software for Microsoft Windows 98/Me/2000/XP/2003/Vista. It provides a graphical user interface to the ClamAV (Clam AntiVirus) engine.
  3. AVG Anti-Virus Free Edition - only available for single computer use for home and non commercial use.
  4. BitDefender 8 Free Edition is an on-demand virus scanner, which is best used in a system recovery or forensics role.
  5. bdc - BitDefender Console Antivirus for FreeBSD.
  6. AVG Anti-Spyware Free Edition - free antispyware solution available at no cost to home users and provides a high level of detection capability.
  7. Windows Defender - Free anti-spyware tool from Microsoft.
  8. Spybot Search and Destroy - Free spyware removal tool.
  9. Spyware Terminator - Spyware removal tool. Can integrate ClamAV Antivirus. Free for personal and commercial use.
  10. HijackThis is a free utility which quickly scans your Windows computer to find settings that may have been changed by spyware, malware or other unwanted programs. HijackThis creates a report, or log file, with the results of the scan. It generates in depth report of registry and file settings from your computer. HijackThis makes no separation between safe and unsafe settings in its scan results giving you the ability to selectively remove items from your machine. In addition to this scan and remove capability HijackThis comes with several tools useful in manually removing malware from a computer.

Malware analysis, debugging and Reverse Engineering tools:
Sometimes you happen to find rootkits, viruses, worms and all kinds of malware or software that requires the use of reverse engineering to figure out. Here's a couple of free to use tools:
  1. OllyDbg is a free debugger that emphasizes binary code analysis, which is useful when source code is not available. It traces registers, recognizes procedures, API calls, switches, tables, constants and strings, as well as locates routines from object files and libraries.
  2. RR0D is a ring 0 debugger. It offers the possibility to debug any kind of code (kernel/user/rasta land). Its philosophy is to be OS independent. That's why RR0D can today be installed on Linux, *BSD, Wind0ws. It's a free alternative to SoftIce.
  3. Hackman Suite is a multi-module all purpose debugging tool. It includes a hex editor, a disassembler, a template editor, a hex calculator and other everyday useful tools to assist programmers and code testers with the most common tasks.
  4. IDA Pro 4.9 Freeware (Interactive Disassembler) is a disassembler and debugger with lots of features that is very useful for reverse engineering. It's basically a "lite" version of the powerful IDA Pro.
  5. SpyStudio is a powerful application that simplifies the code execution interception operations, also called "hooking". Users can easily monitor and gain control over processes in their systems, to really know what is happening in the Operating System and its applications. With SpyStudio you can monitor and intercept API calls at any time, change their parameters, and resume execution.
  6. objdump is a program for displaying various information about object files. For instance, it can be used as a disassembler to view an executable in assembly form. It is part of the GNU binutils for fine-grained control over executables and other binary data. It runs on multiple platforms.
  7. GDB, the GNU Project debugger, allows you to see what is going on `inside' another program while it executes -- or what another program was doing at the moment it crashed.
  8. GNU DDD is a graphical front-end for command-line debuggers such as GDB, DBX, WDB, Ladebug, JDB, XDB, the Perl debugger, the bash debugger, or the Python debugger. Besides ``usual'' front-end features such as viewing source texts, DDD has become famous through its interactive graphical data display, where data structures are displayed as graphs.
  9. Debugging Tools for Windows are used to debug drivers, applications, and services on systems running Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 as well as for debugging the operating system itself. Versions of the Debugging Tools for Windows package are available for 32-bit x86, native Intel Itanium, and native x64 platforms. Debugging Tools for Windows includes WinDbg, a powerful debugger with a graphical interface and a console interface, as well as the console-based debuggers NTSD, CDB, and KD and the Windows Debugging Symbols.
  10. strace (system call tracer), ltrace (library call tracer), xtrace (eXtended trace utility, similar to strace, ptrace, truss, but with extended functionality and unique features, such as dumping function calls (dynamically or statically linked), dumping call stack and more), truss (trace system calls and signals - Solaris), ktrace (enables kernel process tracing - OpenBSD) and Valgrind (executes a program under emulation, performing analysis according to one of the many plug-in modules as desired. You can write your own plug-in module as desired) are UNIX programs that let you run a program while watching the actions it performs.
  11. DTrace is a comprehensive dynamic tracing framework for the Solaris Operating Environment (also ported to MacOS X - XRays and FreeBSD). DTrace provides a powerful infrastructure to permit administrators, developers, and service personnel to concisely answer arbitrary questions about the behavior of the operating system and user programs.

Timeline editors: analyze and evaluate the data obtained from a system and use it to determine what happened.

  1. Zeitline is a Java/Swing tool that allows a computer forensic investigator to import events from various sources of a computing system or network and then order and classify them into one or more timelines of events.
  2. mac-robber is a digital investigation tool that collects data from allocated files in a mounted file system. This is useful during incident response when analyzing a live system or when analyzing a dead system in a lab. The data can be used by the mactime tool in The Sleuth Kit to make a timeline of file activity. The mac-robber tool is based on the grave-robber tool from TCT and is written in C instead of Perl.
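The mac-robber item says its output feeds mactime, but not what that step does. Here is an added example, my own code rather than mac-robber's or mactime's, that parses a few constructed Sleuth Kit "body" records (the TSK 3.x pipe-separated format, MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime) and collapses the four timestamps per file into a sorted timeline with mactime-style m/a/c/b flags. The three files, their timestamps and the output column layout are assumptions made for the example.

```python
"""mactime-style timeline from Sleuth Kit "body" records (TSK 3.x format):
MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
Added example, not mac-robber's or mactime's code; the records below are constructed."""
from datetime import datetime, timezone

FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size",
          "atime", "mtime", "ctime", "crtime")

# Constructed body file: a config file, a system binary and a dropped archive.
BODY = """\
0|/etc/passwd|1234|r/rrw-r--r--|0|0|1800|1193300000|1193200000|1193200000|1193000000
0|/usr/bin/ls|5678|r/rrwxr-xr-x|0|0|92000|1193310000|1193305000|1193305000|1191000000
0|/tmp/.x/rk.tgz|9012|r/rrw-------|0|0|40960|1193305500|1193305400|1193305400|1193305400
"""


def parse_body(text):
    """Parse body lines into dicts; blank lines and '#' comments are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError("malformed body line: %r" % line)
        records.append(dict(zip(FIELDS, parts)))
    return records


def build_timeline(records):
    """Collapse the four timestamps of each file into events keyed by (time, name),
    with a mactime-like 'macb' flag string (m=modified, a=accessed, c=changed, b=born)."""
    events = {}
    for rec in records:
        for flag, field in (("m", "mtime"), ("a", "atime"), ("c", "ctime"), ("b", "crtime")):
            ts = int(rec[field])
            if ts <= 0:            # unset timestamp (mactime skips these too)
                continue
            key = (ts, rec["name"])
            events.setdefault(key, {"flags": set(), "rec": rec})["flags"].add(flag)
    timeline = []
    for (ts, name), ev in sorted(events.items()):
        macb = "".join(f if f in ev["flags"] else "." for f in "macb")
        timeline.append({"time": ts, "macb": macb, "name": name,
                         "size": int(ev["rec"]["size"]), "mode": ev["rec"]["mode"],
                         "inode": ev["rec"]["inode"]})
    return timeline


def render(timeline):
    """Human-readable lines in UTC, roughly in mactime's column order."""
    out = []
    for ev in timeline:
        when = datetime.fromtimestamp(ev["time"], timezone.utc).strftime("%a %b %d %Y %H:%M:%S")
        out.append("%s %6d %s %s %s %s" % (when, ev["size"], ev["macb"],
                                           ev["mode"], ev["inode"], ev["name"]))
    return "\n".join(out)


if __name__ == "__main__":
    print(render(build_timeline(parse_body(BODY))))
```

Read top to bottom, the constructed timeline shows why the flags matter: the archive under /tmp/.x is born, modified and changed in the same second (m.cb) and then accessed shortly before /usr/bin/ls gets its mtime and ctime updated, which is the kind of ordering that turns a pile of file metadata into a story. Timezones are the usual trap here; the example renders everything in UTC and leaves conversion to the analyst.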


Data carving and analysis (extracting a collection of data from a larger data set): a file recovery technique frequently used during a digital investigation, when the unallocated file system space is analyzed to extract files. The files are "carved" from the unallocated space using file type-specific header and footer values. File system structures are not used during the process.

  1. FTimes (File Topography and Integrity Monitoring on an Enterprise Scale) is a system baselining and evidence collection tool. The primary purpose of ftimes is to gather and/or develop topographical information and attributes about specified directories and files in a manner conducive to intrusion and forensic analysis.
  2. MiTeC Windows File Analyzer - tool for forensic analysis of Thumbnail Databases, Prefetch files, shortcuts, IExplore Index.DAT files and Recycle Bin contents on a Windows system. Will print a report of analyzed files.
  3. Foremost is a console program to recover files based on their headers, footers, and internal data structures. Foremost can work on image files, such as those generated by dd, Safeback, Encase, etc, or directly on a drive. The headers and footers can be specified by a configuration file or you can use command line switches to specify built-in file types. These built-in types look at the data structures of a given file format allowing for a more reliable and faster recovery.
  4. Scalpel is a fast file carver that reads a database of header and footer definitions and extracts matching files from a set of image files or raw device files. Scalpel is filesystem-independent and will carve files from FATx, NTFS, ext2/3, or raw partitions. It is useful for both digital forensics investigation and file recovery. Scalpel resulted from a complete rewrite of foremost 0.69, a popular open source file carver, to enhance performance and decrease memory usage.
  5. ReviveIT (Revit) - smart data recovery tool (file carving).
  6. Magic Rescue looks at "magic bytes" for carving out files from raw data.
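The header/footer carving described above, as an added example written for this post (it is my own code, in the spirit of foremost and scalpel, not theirs). The JPEG and PNG magic values are the real ones; the "unallocated space" is a constructed byte string containing a PNG, a complete JPEG and a truncated JPEG, with filler restricted to bytes below 0x80 so that no signature can occur by accident. The maximum carve length and the layout of the sample are assumptions.

```python
"""Header/footer file carving over a raw byte image, ignoring file system structures,
in the spirit of foremost and scalpel. Added example, not their code. The magic
values are the real JPEG and PNG ones; the "unallocated space" is constructed inline."""
import random

# Signature table: header, footer and the maximum carve length (assumed limits).
SIGNATURES = {
    "png": {"header": b"\x89PNG\r\n\x1a\n", "footer": b"IEND\xaeB`\x82", "max": 2_000_000},
    "jpg": {"header": b"\xff\xd8\xff", "footer": b"\xff\xd9", "max": 2_000_000},
}


def carve(image, signatures=SIGNATURES):
    """Return (type, offset, data) for every header that has a footer within the
    allowed length. A header with no footer in range is skipped, which is what
    foremost-style carvers do when a file is truncated or fragmented."""
    found = []
    for kind, sig in signatures.items():
        pos = 0
        while True:
            start = image.find(sig["header"], pos)
            if start < 0:
                break
            limit = min(len(image), start + sig["max"])
            end = image.find(sig["footer"], start + len(sig["header"]), limit)
            if end < 0:
                pos = start + 1        # no footer in range: keep scanning
                continue
            end += len(sig["footer"])
            found.append((kind, start, image[start:end]))
            pos = end                  # do not carve inside what we just took
    found.sort(key=lambda item: item[1])
    return found


def build_sample_image(seed=7):
    """Constructed raw image: filler, a PNG, filler, a JPEG, filler, a truncated
    JPEG (header only), filler. Filler and bodies use bytes below 0x80 so they
    cannot accidentally contain a signature. Returns (image, expected carves)."""
    rng = random.Random(seed)

    def junk(n):
        return bytes(rng.randrange(0x80) for _ in range(n))

    png = SIGNATURES["png"]["header"] + junk(300) + SIGNATURES["png"]["footer"]
    jpg = SIGNATURES["jpg"]["header"] + junk(500) + SIGNATURES["jpg"]["footer"]
    cut = SIGNATURES["jpg"]["header"] + junk(120)   # no footer: should not be carved
    parts = [junk(1000), png, junk(700), jpg, junk(400), cut, junk(300)]
    image = b"".join(parts)
    expected = [("png", 1000, png), ("jpg", 1000 + len(png) + 700, jpg)]
    return image, expected


if __name__ == "__main__":
    img, _ = build_sample_image()
    for kind, off, data in carve(img):
        print("%s at offset %d, %d bytes" % (kind, off, len(data)))
```

Two things in the sample are worth noticing. The truncated JPEG is dropped because no footer follows it, and had it been placed before the complete one, a naive carver would have glued both together up to the first FF D9 it found; this is the classic carving false positive on fragmented or overwritten files. Real carvers also validate the structure between header and footer (PNG chunk CRCs, JPEG segment markers), which is what the "internal data structures" in the foremost description refers to and what separates a plausible carve from a random match.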

Forensic toolkit LiveCDs:

  1. Helix is Knoppix based Linux LiveCD containing various forensics tools.
  2. Knoppix STD is a Linux based LiveCD containing various digital forensics tools.
  3. The MacQuisition Boot Disk is a forensic acquisition tool used to safely and easily image Mac source drives using the source system. MacQuisition provides an intuitive user interface to the traditional command line, providing both beginner and advanced forensic examiners with a valuable tool to:
  4. Winternals ERD Commander boots dead systems directly from CD into a Windows-like repair environment. It's now part of the Windows Optimization Pack.
  5. BackTrack is the result of merging Auditor and Whax into a single penetration testing Linux LiveCD. It contains an assorted suite of pen-testing, data recovery and digital forensics tools.
  6. SMART Linux is a Slackware based Data Forensics and Incident Response LiveCD.
  7. Snarl is a FreeBSD based forensics Bootable ISO (includes Autopsy and Sleuth Kit).
  8. Penguin SleuthKit Bootable CD - A Linux LiveCD that includes SleuthKit.
  9. UBCD4Win - Ultimate Boot CD for Windows - is a bootable recovery CD based on BartPE that contains software used for repairing, restoring, or diagnosing almost any computer issue. It's also easy to customize and add various forensic tools to a Windows XP SP2 LiveCD.
  10. The Farmer's Boot CD (FBCD) is a Linux boot CD designed for on-site previewing of systems before acquiring. It contains a number of programs to preview both Windows and Linux systems in a forensically sound manner. A commercial product.


Reference and Documentation, Whitepapers:
Material you need to consult and read:


  1. Bruce Schneier: His Applied Cryptography and security books as well as his blog posts and articles are a valuable resource for security experts world wide. Beyond Fear there is Bruce Schneier.
  2. The Open Source Digital Forensics site is a reference for the use of open source software in digital investigations (a.k.a. digital forensics, computer forensics, incident response). Open source tools may have a legal benefit over closed source tools because they have a documented procedure and allow the investigator to verify that a tool does what it claims.
  3. The Forensics Wiki, a Creative Commons-licensed wiki devoted to information about digital forensics.
  4. The International Journal of Digital Evidence (IJDE)
  5. NIST - National Institute of Standards and Technology - CSRC - Computer Security Division
  6. DFRWS (Digital Forensics Research Workshop) is dedicated to the sharing of knowledge and ideas about digital forensics research.
  7. Computer Forensics Links & Whitepapers (Forensics.nl)
  8. Digital Forensics Links and Resources
  9. SANS Institute - Network, Security, Computer, Audit Information Reading Room - Whitepapers on Digital Forensics
  10. Forensic Focus - Computer Forensics News, Information and Community
  11. The Electronic Evidence Information Center
  12. Computer Forensics World - A Community of Computer Forensics Professionals

"Vs lbh pna ernq guvf lbh'er nyzbfg nf fzneg nf cuo."