1. capture memory via moonsol’s win32dd
2. parse memory snapshot with mandiant’s memoryze
3. analyze results via audit viewer
4. or analyze using the volatility framework — neatly packaged in SAN’S Sift Workstation

Automatically permanently delete (Nuke on Delete)- Normally Delete sends files to the Recycle Bin and a Shift+Delete will permanently delete them.  With the registry tweak below the normal Delete will also behave as a permanent delete. ***Note: Delete does not mean a file is deleted.  It only frees up the file record and clusters so they _could_ be overwritten.

1. Go to Start -> Run and type Regedit
2. On the left hand side select the “+” to navigate to the following.
3. HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Explorer \ BitBucket
4. On the right look for NukeOnDelete
5. Right click it and set the key value for NukeOnDelete to 1

Scheduled Task to Zero out unused disk space – As I mentioned above a deleted file only insures that there is a _chance_ the file will be overwritten.  If you run the below command it will zero out all unused disk space which _should_ be good enough to prevent file content recovery. ***Note: The deleted file name will still be lying around until a new file happens to overwrite it.

>cipher /W:[directory_to_wipe]

Here’s my scheduled task: C:\WINDOWS\system32\cmd.exe /c cipher /W:C:\

Scheduled Task to Delete Recent Items – Even if you permanently delete a file and or use Eraser there’s a copy of the filename in your Recent directory.  I have the following scheduled task command which clears my Recent items once a day….

Task for Recent Items:

>C:\WINDOWS\system32\cmd.exe /c del “c:\documents and settings\[username]\recent\*.lnk”

Task for Recent Office Items:

>C:\WINDOWS\system32\cmd.exe /c del /Q “C:\Documents and Settings\[username]\Application Data\Microsoft\Office\Recent\*.*”

Eraser - I highly recommend using this great freeware utility.  One of many things it does is adds a new option in your content menu to permanently delete a file and zero out the contents all at the same time.

1. Create the honeypot file share.
2. Create sexy files in the share: bank_statement.pdf, password_list.txt, 08taxes.pst, gmail.doc, megan13.jpg, etc….
3. Enable audit logging on shared folder.
4. Install LogParser.
5. Learn to use LogParser here: http://128.175.24.251/forensics/logparser.htm

However, I’m very disappointed with search results.  I’m finding that most of my queries are not returning what I’m looking for.  I find myself returning to google.  This could be because the Bing engine doesn’t have enough information from analytics data to generate better results.  Hopefully with time this will improve; once Bing see’s what pages users are really interested in.

WinKey + E : Windows Explorer

WinKey + R : Run

WinKey + F : Find (Windows Search)

WinKey + L : Lock computer

WinKey + Pause/Break : Computer properties

CTRL + LEFT SHIFT + ESC : Task Manager

CTRL + ALT + END : Shows Shutdown menu *on remote machine*

http://www.microsoft.com/windows/internet-explorer/default.aspx

I played around with it a little last night.  Unfortunately it’s the same user interface as IE7.  Where IE8 really steps it up is with security and privacy.  There’s a built in SmartScreen filter that notifies you if a page is known to be malicious.

You can also clear all of your browsing artifacts with one click.  There is also a new context menu (right click) that lets you jump right to your blog or map an address.  There is compatibility mode to render pages as IE7 — what would really be nice is IE6 which so many pages seem to still be built for.  Also I noticed they more or less stole the improved Firefox address bar that doubles as a history search.

I recommend trying it at least to give you something to talk about this weekend!

Microsoft & Forrester Outlook 2007 Productivity Report

Wikipedia: Fluent UI

Ford Sync handles the external audio input — usb or headphone jack. It also features a bluetooth receiver to work with your cell phone. First, my friend told his car “play nirvana” and Sync randomly selected a nirvana song on his mp3 player. It appears that Sync has internal memory that catalogs the media on your mp3 player. While we were driving the car speakers started playing a telephone ringing. My friend pushed a button on his steering wheel and answered the phone – it was his wife! I can see where having your car stereo morph into a cell phone would be great for long commutes. The voice recognition of Sync is also amazing. It never once hesitated when we gave it a command. My friend instructed Sync to call someone and we soon had them on the line. It also turns out that Sync 2.0 will read SMS (text) messages and interpret acronyms i.e. LOL.

Cadillac, Benz, BMW and other luxury cars have had bluetooth receivers built in for some while but they can’t compete with Sync technology in a Ford Fusion with MSRP $19,035.

However before proceeding with such drastic steps there are two things I recommend checking:

1) Do you have enough physical memory?  You want to reduce the frequency of virtual memory paging activity.  Run Task Manager by pressing CTRL+SHIFT+ESC.  See below:

*Note: If you have Windows Vista or 7 remember you can add additional member on the fly with a USB stick by using ReadyBoost

2) Make sure your hard drive(s) is running in DMA mode.  It is unfortunately not uncommon for Windows to revert to PIO mode which means transfer speeds of 3-4mbps instead of 50-60mbps.  Basically remember that PIO=slow, DMA=fast.  Open Device Manager by pressing WinKey+R and typing “devmgmt.msc”