Archive for category microsoft

Windows Anti Forensics Tip of the Day…

I previously wrote about how to have your system automatically clear the pagefile before a reboot or shutdown.  There’s a couple other steps I recommend you make on your system…

Automatically permanently delete (Nuke on Delete) – Normally Delete sends files to the Recycle Bin and a Shift+Delete will permanently delete them.  With the registry tweak below the normal Delete will also behave as a permanent delete. ***Note: Deleting a file does not mean its contents are gone.  It only frees up the file record and clusters so they _could_ be overwritten.

  1. Go to Start -> Run and type Regedit
  2. On the left hand side expand the tree (“+”) and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket
  3. On the right look for NukeOnDelete
  4. Right click it and set the NukeOnDelete value to 1

Scheduled Task to Zero out unused disk space – As I mentioned above, deleting a file only ensures that there is a _chance_ the file will be overwritten.  If you run the command below it will zero out all unused disk space, which _should_ be good enough to prevent file content recovery. ***Note: The deleted file name will still be lying around until a new file happens to overwrite it.

>cipher /W:[directory_to_wipe]

Here’s my scheduled task: C:\WINDOWS\system32\cmd.exe /c cipher /W:C:\

Scheduled Task to Delete Recent Items – Even if you permanently delete a file and/or use Eraser, there’s a copy of the filename in your Recent directory.  I have the following scheduled task command which clears my Recent items once a day…

Task for Recent Items:

>C:\WINDOWS\system32\cmd.exe /c del "c:\documents and settings\[username]\recent\*.lnk"

Task for Recent Office Items:

>C:\WINDOWS\system32\cmd.exe /c del /Q "C:\Documents and Settings\[username]\Application Data\Microsoft\Office\Recent\*.*"

Eraser – I highly recommend using this great freeware utility.  One of the many things it does is add a new option to your context menu to permanently delete a file and zero out its contents all at the same time.

Jailbreak: Export non-exportable Windows certificates

I came across a handy (& free) Windows utility that allows you to export “non exportable” certificates.  Do you want to get at those recovery certificates or private keys? Jailbreak can be snatched here: https://www.isecpartners.com/jailbreak.html

Setting up Windows Honey Pot Shares

I recently set up a honeypot share on a Windows server.  I put some very “interesting” files and directories in there (financial information, PII etc) and then enabled audit logging in Windows.  There’s a very powerful but mostly unknown Windows tool called LogParser which can be used to query your System/Security event logs.  It’s possible to write a script that will query your system security log every so often and look for requests to the honey pot.  You can get very sophisticated using LogParser, a few hand written scripts, and the Windows Task Scheduler.

  1. Create the honeypot file share.
  2. Create sexy files in the share: bank_statement.pdf, password_list.txt, 08taxes.pst, gmail.doc, megan13.jpg, etc.
  3. Enable audit logging on shared folder.
  4. Install LogParser.
  5. Learn to use LogParser here: http://128.175.24.251/forensics/logparser.htm
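As an added example (not from the original post), here is the “query the security log every so often” check from step 5 written as a Python script over a constructed CSV export, standing in for a LogParser query and a scheduled task; the share path, the simplified CSV columns and the use of event ID 4663 (Vista/2008+ object access) are assumptions.

```python
import csv
import io
from datetime import datetime

# Assumption: the honeypot share from the post is rooted at this local path.
HONEYPOT_ROOT = "D:\\Shares\\Finance"

# Object-access event in the Vista/2008+ Security log schema (assumption about the
# server's version; Windows 2003 logs 560 "Object Open" for the same activity).
OBJECT_ACCESS_EVENTS = {4663}

# Constructed sample export in a simplified CSV shape, not real LogParser output.
SAMPLE_EXPORT = """TimeGenerated,EventID,User,ObjectName
2009-06-10 08:00:05,4624,CORP\\bob,-
2009-06-10 08:01:12,4663,CORP\\alice,D:\\Shares\\Public\\notes.txt
2009-06-10 08:03:40,4663,CORP\\bob,D:\\Shares\\Finance\\password_list.txt
2009-06-10 08:03:41,4663,CORP\\bob,D:\\Shares\\Finance\\bank_statement.pdf
2009-06-10 08:09:15,4663,CORP\\carol,D:\\Shares\\FinanceReports\\q1.xls
"""


def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def is_under_honeypot(object_name, root=HONEYPOT_ROOT):
    """Case-insensitive check that respects path boundaries, so a sibling such as
    D:\\Shares\\FinanceReports is not mistaken for the honeypot D:\\Shares\\Finance."""
    root_norm = root.rstrip("\\").lower()
    name_norm = object_name.lower()
    return name_norm == root_norm or name_norm.startswith(root_norm + "\\")


def find_honeypot_hits(export_text, since=None):
    """Return honeypot accesses newer than `since` (the previous run's high-water
    mark), so a task that runs every so often reports each event only once."""
    hits = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if int(row["EventID"]) not in OBJECT_ACCESS_EVENTS:
            continue  # logons and other noise are not file access
        when = parse_time(row["TimeGenerated"])
        if since is not None and when <= since:
            continue
        if is_under_honeypot(row["ObjectName"]):
            hits.append({"time": when, "user": row["User"], "object": row["ObjectName"]})
    return hits


if __name__ == "__main__":
    for hit in find_honeypot_hits(SAMPLE_EXPORT):
        print(hit["time"], hit["user"], "touched", hit["object"])
```

Persist the timestamp of the last reported hit between runs and pass it as `since` from the scheduled task so alerts are not repeated.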

Microsoft’s google killer: Bing

Now that Microsoft’s Bing has been out for a couple weeks I’m wondering what everyone’s impression is.  I like the simple interface with minimal ads and clutter.  Nothing like the MSN search.  It looks awfully similar to Google’s interface.

However, I’m very disappointed with the search results.  I’m finding that most of my queries are not returning what I’m looking for.  I find myself returning to Google.  This could be because the Bing engine doesn’t have enough information from analytics data to generate better results.  Hopefully with time this will improve, once Bing sees what pages users are really interested in.

Windows: Keyboard Kung Fu

Here’s a few [lesser] known Windows shortcuts: (feel free to share more in the comments!)

WinKey + E : Windows Explorer

WinKey + R : Run

WinKey + F : Find (Windows Search)

WinKey + L : Lock computer

WinKey + Pause/Break : Computer properties

CTRL + LEFT SHIFT + ESC : Task Manager

CTRL + ALT + END : Shows Shutdown menu *on remote machine*


IE8 Released

In case you haven’t heard, Internet Explorer 8 was released yesterday. You can download it here:

http://www.microsoft.com/windows/internet-explorer/default.aspx

I played around with it a little last night.  Unfortunately it’s the same user interface as IE7.  Where IE8 really steps it up is with security and privacy.  There’s a built in SmartScreen filter that notifies you if a page is known to be malicious.

You can also clear all of your browsing artifacts with one click.  There is also a new context menu (right click) that lets you jump right to your blog or map an address.  There is compatibility mode to render pages as IE7 — what would really be nice is IE6 which so many pages seem to still be built for.  Also I noticed they more or less stole the improved Firefox address bar that doubles as a history search.

I recommend trying it at least to give you something to talk about this weekend!

Office 2007 and productivity

In case you haven’t seen or heard, the new Microsoft Office 2007 includes a completely overhauled user interface dubbed Fluent. I’ve been lucky enough at work to be included in our pilot program. Office 2007 features a new “ribbon” across the top of all applications. It is supposed to be a much more intuitive design to follow. Although there is a learning curve for any advanced Office user, there are reported productivity improvements after that.

Microsoft & Forrester Outlook 2007 Productivity Report

Wikipedia: Fluent UI

Ford (Microsoft) Sync: WOW

I had the chance to ride in a friend’s Ford Fusion over the weekend – first time in this car. The Fusion is one of a handful of automobiles that features Ford Sync which was developed through a partnership by Ford and Microsoft. My Fusion experience was simply incredible. I’m in the market to buy a new car and was heavily leaning towards purchasing a Honda Civic Si Sedan — but no more! The Ford Sync technology is making me reconsider my decision (not to mention that Consumer Reports loves the Fusion).

Ford Sync handles the external audio input – USB or headphone jack. It also features a Bluetooth receiver to work with your cell phone. First, my friend told his car “play Nirvana” and Sync randomly selected a Nirvana song on his mp3 player. It appears that Sync has internal memory that catalogs the media on your mp3 player. While we were driving the car speakers started playing a telephone ringing. My friend pushed a button on his steering wheel and answered the phone – it was his wife! I can see where having your car stereo morph into a cell phone would be great for long commutes. The voice recognition of Sync is also amazing. It never once hesitated when we gave it a command. My friend instructed Sync to call someone and we soon had them on the line. It also turns out that Sync 2.0 will read SMS (text) messages and interpret acronyms, e.g. LOL.

Cadillac, Benz, BMW and other luxury cars have had Bluetooth receivers built in for some time, but they can’t compete with Sync technology in a Ford Fusion with an MSRP of $19,035.



Windows computer running slow?

Do you have a Microsoft Windows PC running slow?  The first but usually most painful solution is to reformat and/or reinstall.

However before proceeding with such drastic steps there are two things I recommend checking:

1) Do you have enough physical memory?  You want to reduce the frequency of virtual memory paging activity.  Run Task Manager by pressing CTRL+SHIFT+ESC.  See below:

[screenshot: memory]

*Note: If you have Windows Vista or 7, remember you can add additional memory on the fly with a USB stick by using ReadyBoost.

2) Make sure your hard drive(s) are running in DMA mode.  It is unfortunately not uncommon for Windows to revert to PIO mode, which means transfer speeds of 3-4mbps instead of 50-60mbps.  Basically remember that PIO=slow, DMA=fast.  Open Device Manager by pressing WinKey+R and typing “devmgmt.msc”

[screenshot: transfer_mode]

‘Application Data’ passwords

If you’re running Windows XP or Vista have a look in
C:\Documents and Settings\username\Application Data
***you may need to show hidden files/folders

This is a warning if you let applications store or remember your username and especially your password.  These applications may very well be storing them in plain text, and it would be easy for someone to steal your credentials.  Instant messenger applications, games, FTP clients, etc…

[screenshot: save_passwd]

The Pidgin IM client (formerly Gaim) has an interesting article about why they do not encrypt their passwords: http://developer.pidgin.im/wiki/PlainTextPasswords


Google for IM passwords: http://tinyurl.com/8fnc9t

It’s a bad idea to have any application remember your password!  If you don’t like to remember your passwords then try KeePass or the original Password Safe.