By Bhushan Shah, NII Consulting
In the previous article we looked at the Rainbow Tables and how it can crack windows passwords in a matter of seconds. In this article we will look at different ways to add complexity to the passwords and protocols to secure your system so that you can survive the rainbow table attack. (Or at least try to)
Read the full article »
NII Consulting’s Chetan Gupta (GCFA) has published an article at ForensicFocus on the Alternate Data Streams in NTFS, and how these can be detected.
This article discusses a “…particular feature of this file system which was designed to offer compatibility with Macintosh Hierarchical File System (HFS) and store additional data called metadata for a file. This feature is known as Alternate Data Streams (ADS). The Macintosh file system stores its data in two parts, the resource fork and the data fork. The data fork is where the data is actually contained and the resource fork tells the operating system how to interpret the data fork. Alternate Data Streams is the Microsoft way of implementing resource fork. The ADS is a hidden stream in addition to the regular data stream which contains the main data for the file. This hidden stream contains metadata for the file such as the file access/modification times, attributes etc. ”
Click here to read more.
By Bhushan Shah, NII Consulting
Windows passwords are stored in the registry (encrypted) in the form of a hash. LMHash was the first hash function used by Microsoft to secure their passwords. Eventually when the security issues popped up (as LMHash is quite insecure) they had to come up with NLTM and the most recent one being NTLM Version 2.
A hash function - is a way of creating a small digital “fingerprint” from any kind of data. The function chops and mixes the data to create the fingerprint, often called a hash value.
The LMHash - LM hash or LAN Manager hash is one of the formats that Microsoft LAN Manager and Microsoft Windows use to store Windows user passwords that are less than 15 characters long.
By Kush Wadhwa, NII Consulting
Welcome to the world of log analysis. Log analysis plays a crucial role in intrusion detection. If the compromised system is running on Linux platform one of the first steps which the investigator will perform is the analysis of log files.
Linux has an ability to store the logs of different services like for apache, squid logs, syslogs, and cron logs. These logs help users to resolve different problems and auditing of user actions. In this article we will talk about apache logs & squid logs since they are very closely related to each other and we will also see how to read apache & squid log files.
Fyodor’s back with his top 100 security tools for 2006.
One of the most significant, but not surprising, entries is that of Metasploit Framework at #5 on the list. Since the launch of the 2.0 series, Metasploit has become one of the most popular security tools out there. The 3.0 series is a completely rehauled and very powerful piece of software. Re-written in Ruby and with extensive API’s, it is no longer simply a platform to develop and test exploits. It is now a platform to develop advanced security tools. Check out some cool features such as the recon modules and the sophisticated IDS-IPS evasion techniques. You can download the alpha version of the 3.0 series here.
by Chetan Gupta, NII Consulting
A small experiment…Create a new text file. Edit it using Notepad and type “Hello” in it. save and exit the editor. Right click the file and check its properties. Did you notice the two attributes “Size” and “Size on disk”. It looks something like this on my Windows XP system
Size: 5 bytes (5 bytes)
Size on disk: 4.00 KB (4,096 bytes)
Have you ever wondered why this difference? If the size of file contents is only 5 bytes, why are the remaining bytes assigned to the file? Do they serve any purpose? Well, atleast not to any average user of computer systems!
Read the full article »
by Chetan Gupta, NII Consulting
I was looking for a utility which allows me to remotely access running processes’ list of a suspect machine running Windows OS. I found this wonderful utility which allows to not only view the processses and their PIDs but also filter the processes according to the certain criteria such as username, memory usage, loaded modules, services, status of the services and even Windows title!
Read the full article »
by Chetan Gupta, NII Consulting
Windows XP has a built-in feature - UserAssist, that acts as a monitoring tool and greatly aids in the forensic investigation of Windows operating systems. UserAssist records user access of specific objects on the system, such as executables, Control Panel applets, shortcut files, etc. This is stored in the registry under the following key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Explorer\UserAssist
by Chetan Gupta, NII Consulting
How many times in an investigation does a forensic investigator come across the problem of acquiring data from a suspect’s laptop? The answer to this question would be ‘many times’. Whenever such a situation arises, the investigator is usually in a dilemma as to whether he should open the laptop, take out the hard disk, connect it to IDE-to-USB converter and then perform the duplication or should he try to do it without opening the laptop. The preferrable choice usually is the latter one in which the investigator acquires the suspect disk over the network. Choosing the first option could lead to the laptop/hard disk getting damaged or the warrantly of the laptop being rendered void.
Read the full article »
by Khushbu Jithra, NII Consulting
The expertise involved in a forensic investigation is best showcased through the documentation of the evidence and the recording of the techniques used for forensic investigation. Giving a written form to the investigation effort also enables clear explanation of findings and helps organize documents for litigation (if pursued).
Read the full article »