Forensic talk slides

Hello! I was able to do a fire talk @ Drexel CCI in the Rush building last night. It was refreshing to get feedback from people, share my presentation, see everyone else present and chat with folks.

If you would like some slides about the use of dd, sha256sum and exiftool, you are welcome to the slides. :)

For fun, you can run exiftool on this ppt, exported from LibreOffice.

For accessibility and ease of access, I added the text contents of the slides below in this post. Also of note, I used photos, because I finished the slides the day I presented them. :p

Text from slides below:

|+| Slide 01


A data backup and verification chat.

Backing up and ripping data, making test beds and using equipment.

This fire talk will cover:

Write-blockers (hardware), dd, sha256sum, exiftool.

|+| Slide 02

Disclaimer (01 of 02)

Formal forensics is a wide field and circles around the notion of backing up information, with minimal to no changes of the source data.

Deeper forensic scope also involves analyzing the platform / Operating System, in order to determine OS level access (Example – thumbs.db folder indexers) versus manually viewed files.

|+| Slide 03

Disclaimer (02 of 02)

This talk is based on using your own test data to use analytic tools and to understand how they work, without worrying about client liability. Use some test data you are familiar with, as this makes finding ‘the needle in the haystack’ and spotting patterns tremendously easier.

Testing with the tools will give you the comfort to provide services for others.

|+| Slide 04


Howdy. I got into data imaging over the years from system building and also doing support for friends, family and businesses. Originally plugging a hard drive into another machine, I would target C:\Users and grab profile data. Also including application data and whatever else.

After a while I got into Linux for file ripping. Some files are protected in Windows, even when the disk is attached as a 2nd drive.

|+| Slide 05

Tool usage

There are plenty of tools and applications with GUI forms you can use. However, they can be quite expensive.

Personally, I like having built-in command line tools available. Especially for the sake of booting up a live cd at any location and being able to work, based on what I’m being asked to do or recover.

|+| Slide 06

Write Blocker Imaging

Using a hardware write-blocker is an assured way to not modify the contents of the source drive.

They are around $300 USD, so you have some cheaper options to do software write blocking… but if you forget to turn it on, you can contaminate your data source.

(Such as browsing a folder, having windows make new thumbs.db files)

|+| Slide 07

[Picture of write blocker source drive, and output drive]

|+| Slide 08

Imaging Drives


sudo dd if=/dev/sdf of=/dev/sdg bs=16384k


For a 500 GB HDD, it took about 3 hours. (results below)


29808+1 records in

29808+1 records out

500107862016 bytes (500 GB, 466 GiB) copied, 10836.7 s, 46.1 MB/s


So how do you come up with the device names?


ls /dev/sd*

|+| Slide 09

Verifying disk image

Now that your drive is imaged, let’s start verifying with the source drive, hooked up to the write-blocker.

This is for the source drive.


sudo sha256sum /dev/sda



cc73a7aefba01ee7550dab0870b1ef52e1f7dc3d7f685357a5712fc5c2c4c7bf /dev/sda


Unhooking the source drive, plug in the target / copied drive and run the same command.


sudo sha256sum /dev/sda



cc73a7aefba01ee7550dab0870b1ef52e1f7dc3d7f685357a5712fc5c2c4c7bf /dev/sda


In the above, I hooked up the cloned drive, powered up the Write-blocker, confirmed the disc mounted, then calculated the cryptographic checksum.

Boom! It’s a match :)
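The imaging and verification steps of Slides 08 and 09 in one script, as an added example that is not part of the original slides. It assumes GNU coreutils (dd, sha256sum, head, wc, cut) and util-linux blockdev, uses the slide's device names only in the usage comment, and adds one check the slides do not show: the copy is hashed over exactly the source's byte count, because hashing the whole of a larger target drive (as the slide does with /dev/sda for both) only matches when both drives are the same size.

```shell
#!/bin/sh
# Added example, not from the slides: image a source drive (or file) with dd, then
# verify source and copy with sha256sum. Assumes GNU coreutils (dd, sha256sum,
# head, wc, cut) and util-linux blockdev. Attach the source through a
# write-blocker, as the slides describe, before running this as root.
set -eu

# source_length PATH: byte count of a block device (blockdev) or a regular file (wc).
source_length() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1"
    fi
}

# verify_copy SRC DST
# Hashes the source in full and the copy over exactly the source's length, so a
# target drive larger than the source still verifies. Prints both digests and
# MATCH (returns 0) or MISMATCH (returns 1).
verify_copy() {
    src=$1
    dst=$2
    src_len=$(source_length "$src")
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    dst_hash=$(head -c "$src_len" "$dst" | sha256sum | cut -d' ' -f1)
    printf 'source  %s  %s\n' "$src_hash" "$src"
    printf 'copy    %s  %s\n' "$dst_hash" "$dst"
    if [ "$src_hash" = "$dst_hash" ]; then
        echo "MATCH"
        return 0
    fi
    echo "MISMATCH"
    return 1
}

# image_and_verify SRC DST LOG [BLOCK_SIZE]
# Runs the slide's dd command (default 16 MiB blocks), keeps dd's
# "records in / records out" summary in LOG as evidence, then verifies the copy.
image_and_verify() {
    src=$1
    dst=$2
    log=$3
    bs=${4:-16384k}
    dd if="$src" of="$dst" bs="$bs" 2> "$log"
    verify_copy "$src" "$dst"
}

# Usage, with the slide's device names (source sdf behind the write-blocker):
#   image_and_verify /dev/sdf /dev/sdg ./dd-sdf-to-sdg.log
```

The log file keeps the same two "records" lines and the throughput summary the slide shows, next to the two digests, so the evidence of the copy and of the verification sit together.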

|+| Slide 10

Cryptographic Checksums

There are plenty of options for generating checksums. While SHA-1 and MD5 are commonly used, there are known collision attacks against both.

Signature based anti-virus seems to have some clashes in the MD5 space.

Tools to get a checksum for a file are: md5sum, sha1sum and sha256sum.

|+| Slide 11

Checksum examples

Here I made a text file, saved it then calculated what the file’s crypto hash is (in sha256).

Making a new file called ‘sampleChecksum.txt’ with the contents of ‘Hello checksum’ and saving it.


nano sampleChecksum.txt


Obtaining the checksum of said file:


sha256sum sampleChecksum.txt



9f8135859f0d32a46093fdf272952fb1133a8995af32f0b3e0f39daacfb78ffs sampleChecksum.txt


Making a second file with a single character change, I calculated that hash. New file called ‘sample02Checksum.txt’ with the contents of ‘Hello Checksum’ and saving it.


sha256sum sample02Checksum.txt



65762af89d327b44f6b824689cbe7169869ebf054384bab9a699aae25e51fb7f sample02Checksum.txt


File contents are covered above: the two files are the same except that one has an upper-case C in ‘Checksum’, while the original file is all lower case. Note how different the checksum output is for 2 files with similar names and 1 character different in file contents.

|+| Slide 12

Other checksum examples

ISO downloads and similar downloads tend to use MD5, so here are some extra output examples using the same 2 base files we made.


md5sum sampleChecksum.txt



9938b398bc883db337fb41431545955b sampleChecksum.txt



md5sum sample02Checksum.txt



65019593d2acc1e5fb4138dc18facd87 sample02Checksum.txt


sha1sum displays a similar but unique output for each file, with a slightly longer return value (8 more characters) than md5sum.
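Two checks a practitioner would add after Slides 11 and 12, as an added example that is not from the slides: verifying a downloaded ISO against a digest published by the download site, with the tool chosen from the digest length the slide points out (32 hex characters for md5sum, 40 for sha1sum, 64 for sha256sum), and writing a manifest of several files that the same tool's -c mode re-checks later, so a one-character change like the slide's ‘c’ to ‘C’ is reported by file name. It assumes GNU coreutils; the file names and contents in the usage comments are the slide's.

```shell
#!/bin/sh
# Added example, not from the slides. Assumes GNU coreutils (md5sum, sha1sum,
# sha256sum, cut, tr, wc).
set -eu

# digest_hex_len TOOL: number of hex characters TOOL prints (md5sum 32,
# sha1sum 40, sha256sum 64), measured on empty input.
digest_hex_len() {
    printf '' | "$1" | cut -d' ' -f1 | tr -d '\n' | wc -c
}

# verify_digest FILE EXPECTED
# EXPECTED is the digest as pasted from a download page, in either case.
# The tool is picked from the digest length; prints "FILE: OK (tool)" and
# returns 0, or a FAILED line and returns 1 (2 for an unrecognised length).
verify_digest() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case ${#expected} in
        32) tool=md5sum ;;
        40) tool=sha1sum ;;
        64) tool=sha256sum ;;
        *)  echo "$file: FAILED (unrecognised digest length ${#expected})"
            return 2 ;;
    esac
    actual=$("$tool" "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "$file: OK ($tool)"
        return 0
    fi
    echo "$file: FAILED ($tool) expected $expected got $actual"
    return 1
}

# make_manifest TOOL MANIFEST FILE...
# Writes "<digest>  <name>" lines, the format TOOL's own -c mode reads back.
make_manifest() {
    tool=$1
    manifest=$2
    shift 2
    "$tool" "$@" > "$manifest"
}

# check_manifest TOOL MANIFEST
# Re-hashes every listed file and prints one "name: OK" or "name: FAILED" line
# each; returns 0 only when every file still matches.
check_manifest() {
    "$1" -c "$2"
}

# Usage, with the slide's two files:
#   make_manifest sha256sum SHA256SUMS sampleChecksum.txt sample02Checksum.txt
#   check_manifest sha256sum SHA256SUMS
#   verify_digest some.iso 9938B398BC883DB337FB41431545955B   # MD5 from the download page
```

Keeping the manifest next to the evidence files and re-running check_manifest later turns the slide's manual "compare the two hashes by eye" into a repeatable check that names the file that changed.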

|+| Slide 13

(Duplicate slide of slide 12)

Reminder that I did add a little more elaboration than was in the original slide show, since I made it pretty quickly after collecting my test results.

|+| Slide 14

BONUS ROUND – exiftool

Here I am grabbing the logo image from my site, then checking the image metadata for extra details.




|+| Slide 15

Exiftool (continued)

Now that we have a local copy of ftb-logo.png, let’s see what details we get from the file.


exiftool ftb-logo.png



ExifTool Version Number : 10.26

File Name : ftb-logo.png

Directory : .

File Size : 29 kB

File Modification Date/Time : 2013:05:29 11:45:14-04:00

File Access Date/Time : 2016:09:26 12:20:58-04:00

File Inode Change Date/Time : 2016:09:22 14:26:31-04:00

File Permissions : rw-r--r--

File Type : PNG

File Type Extension : png

MIME Type : image/png

Image Width : 465

Image Height : 100

Bit Depth : 8

Color Type : RGB with Alpha

Compression : Deflate/Inflate

Filter : Adaptive

Interlace : Noninterlaced

SRGB Rendering : Perceptual

Background Color : 255 255 255

Pixels Per Unit X : 2835

Pixels Per Unit Y : 2835

Pixel Units : meters

Modify Date : 2009:10:13 17:45:32

Comment : Created with GIMP

Image Size : 465x100

Megapixels : 0.046


|+| Slide 16

Exiftool conclusion

Checking the Modify Date we see it was modified on 2009/10/13 around 5:45 PM. This matches up to the logo creation date.

Checking the Comment we see the image was edited in GIMP. I can confirm that as a fact, as I left the comment export option

Looking at the File Modification Date/Time, that is consistent with when I uploaded the file into WordPress for the front page of the site.

There are TONS of supported file types for ExifTool, and this is only one tool. Have fun and explore!

Active Directory re-design in production

The topic hook here is redesigning the Active Directory Object Units (OUs) of an existing network. Really, OUs are like subfolders of a Windows user and computer tree / list. I am working with a live domain structure, so more important than making any change is knowing and documenting how it was / currently is, in case you move something and it breaks.
This is especially true for 3rd-party applications tied into Active Directory: the OU path is like a network or folder path, and if the app assigns user permissions by looking that path up via AD / LDAP (Lightweight Directory Access Protocol) or Windows Challenge/Response (NTLM), then moving a user to a new OU without updating that lookup in the app can break it, unless the app re-resolves the account's current path in its NTLM-esque lookup.


Point being, if I move the Object_UserAccount into a different OU or a deeper subfolder / OU on that domain, that lookup may very well be broken for the 3rd-party app using AD for its lookup.

That is kind of long in the tooth, but in Windows land, especially when changing the domain structure around, you can get some nasty snags. Documenting it as it was lets you see if the old path is defined in whatever 3rd-party app or device you are working with. Also applicable are Group Policies and where they apply. Group Policy Editor on a domain controller will let you see which ones are applied and what OU they are nested under. Group Policies are a step of this, but I am not focusing on them for this thread. Knowing which old policies apply where will be helpful on your rollout; in my case, some departments have printers auto-install based on their location. I note this to troubleshoot or recreate that behavior on the new side of the domain OUs.

csvde.exe: this command-line (CLI) tool will let you connect to your domain.local, pick a root OU, and export all those details to a CSV file. Along with some screenshots of the tree structure, this is a great way to know what OU path a user was in before you redesigned the trees and moved users around. This is especially the case when someone’s Windows or other app stops working after you move their account or machine around in the domain tree.

Excel or a LibreOffice spreadsheet program: I use these especially when migrating a live domain to a new server. You have to clean the AD export down to 8 relevant columns, as the rest of the data is generated by the new domain controller, so importing the old values will just fail. Rambling point here: when you add a new domain controller to an existing domain, it inherits the security level of the prior domain. Server 2012 running on a Windows 2003 domain forest level? No thank you, please don’t even.
You can and likely will use the spreadsheet program for reference in the future, either to make sure you moved the user from old to new, correct path, or to debug why an app may have stopped working, and trend a fix for anyone else who may have the same issue.

Great. We have a dump of users with their original path (in my case, over 100 sub-OUs for maybe 20 different business units). Sometimes, people over-design systems. It can be intentionally confusing to dissuade others from making changes, or simply over-designed for some fantasy projection of future growth, instead of something that works with their current needs yet is still scalable for later add-ons. In my opinion, empty folders are a BAD design call, especially in OUs. Sometimes the path is limited to a certain number of characters, so 50 of those characters being empty sub-folder paths is just a shitty design call.

Logo clean

Pardon the prior header image. I had it up from prior years. I like to think I have normalized some progress and a smidge of coherence, at times.
Explore every day for those of us who are no longer with us. Respect and salute to them. That is my opinion on resolve.


Flashback topic

Thanks again to everyone who came out to the Open House @ Philly Secure Shell. I handed out some stickers with the address, so I wanted to share a 2014 thread about Bitcoin Miner Malware. A random note: use Google and type ‘bitcoin miner’. You will get the 1st result, but it looks like there is some redirection poisoning going on there; it bounces to a URL4SHORT_info page. I have to explore that some more.


A friendly reminder that I do not do the advertisers thing on the site, as I believe in sharing information and not exposing people to advertiser traffic and potential infection by way of poorly moderated advertising networks. I have had the forums up for about 13 years now and plan to keep doing so. When I jump into hardware or software reviews, I do so of my own opinion and observations. No one has, nor ever will, send me a free product to review without that being clearly defined as the scenario. Even if that were to occur, I would still remain critical.

Pardon the blurb, but I really felt this needed to be a front-page post and known reminder.  I have purchased products and services before with known issues, that were never shared at launch, due to review deals and all sorts of other anti-consumer deals.  There is no support for that here, nor will there ever be.  I’m into this for sharing information and learning more from people I chat with and meet.  Now that I shared some of my ethos, allow me to drop a link for our Hackerspace in South Philadelphia, PA.

I speak as me, a real person who is occasionally (to often) grumpy.  I do try to be nice though :bunny:


Cisco Noob Guide

Especially on old-school devices, you might find no one logged any of the network topology and config details. If you are lucky (depends on your outlook) there is no password for the console connection. To connect over console, you will need a console cable (RJ45 on the switch end, serial on your config machine). If you do have a password on the console port, hopefully it’s something from your list of other device passwords, probably a Level-15 account.

We will be in the CLI, so all those nice GUI configs you are used to with newer devices, are not at your disposal.  So we have this guide for logging in, going into enable mode, then showing certain configurations.  This can help you map a network out, especially if you inherited it and want to document and know how it really functions.

Starting out: (Run a cable from the console port on said switch, to your machine Serial port.)

  • Use PuTTY or a similar application to connect to COM1.
  • Press Enter twice. You should then see a console prompt of some sort.
  • Log in when prompted for a password (or continue if there is none).
  • Type ‘en’ (without the quotes). This takes you to enable (privileged) mode.
  • show ? gives you a list of available commands.
  • Start with show version to get an idea what platform and version of IOS (or PIX) you are dealing with.
  • show running-config shows you the currently running device configuration. Feel free to archive this into a flat file for reference later.
  • show vlan is huge if you need to know the VLANs defined on the network.
    Note: Your core switch will have them defined; other devices can then reference those VLANs and route accordingly. If a VLAN is not defined somewhere, it is useless as a target.


That’s my primer on dorking your way through some older Cisco devices. Granted, these methods will work, or be very similar, in current CLI-based Cisco sessions. Happy explorations.

VMWare ESXi on Gaming PC

Good morning.  I took on an attempt to install ESXi 6.0 onto a hard drive in my gaming PC.  I ran into a few modifications I needed to make, but luckily nothing too intense.

Starting out, I will rattle off my relevant PC specifications:

  • Intel i5-4690k @ 3.5 GHz
  • Asus Maximus Hero VII BIOS (3103)
  • 32 GB Corsair Vengeance DDR3 1600
  • 500 GB SATA WD Hard Drive (Non-SSD)

OK, so we’ll get started with an ESXi install CD. Upon boot up, I did not see any drives I could install to. At first I thought I had to mark the drive active, since I did a 3-pass wipe of it prior, but that was not the case. Turns out I had to jump into my BIOS and set my Drive Mode to RAID, instead of the SATA mode I had it set at.
There is no need to build a RAID array (in my case, I’m using the Intel Z97 chipset, which is the onboard SATA controller on my motherboard). I am running a test build; otherwise a redundant RAID set should be a priority.

Once RAID is set for your SATA Mode Selection (under Advanced > PCH Storage Configuration in my BIOS), you should now see a drive you can install ESXi to. Also in your BIOS, if you have not already turned on Intel VT-x virtualization support, enable that as well.

Now that we have an install going, set your root password and when the install finishes, reboot.  On my 1st boot up without a network cable plugged in, I got the following message as it stuck in the boot process:

dvfilter-generic-fastpath: loaded successfully

I started to research this and was going to splunk the log files, but I rebooted and it loaded successfully.  As I have experience with supporting and deploying fresh Xen Server installs, this Hypervisor looks nearly identical in ESXi.

Once it boots up, connect to the IP address in a web browser to install the client tools, if you have not done so already. The tools are sadly confined to working best in a Windows environment for your client software, but there is a web interface as well. I am currently putting a Kali Linux install on via the ESXi web interface, from my Mac.

That concludes my start to a hypervisor install of ESXi. My gaming computer picked up another skill as a virtualization server. I also have a Core 2 Duo refurb I will try the same for, but since that one is an OEM HP machine, the BIOS features for Hyper-V and RAID support may be absent.

South Philly Hackerspace

Since I have been fairly light on the forums, I wanted to make a thread about our new Philly Secure Shell hackerspace.  I have been helping setup the location, while Leo has been doing all the coordination, paperwork and intricate work.

We are in the Bok building, so you can also check out Hive 76 (different space, same building), a hardware hackerspace that has been around for some time now. As for Secure Shell, we just got into the building this month and had a local CTF trial this weekend (see the Twitter page for our group). We have been around for just over a year now and made the jump to getting a space as well. Feel free to come check us out; we have a MeetUp page too for monthly meets and events as they pop up.

Personally, I’m into hardware, data recovery and log crawling with SQL database log data archiving & trending.  I’m a fan of chatting and sharing ideas, so this space will be an excellent venue for that.  Shameless plug for 2600 First Fridays as well.  I tend to make most all of the local meetups @ 30th Street Station by the Taco Bell near Bridgewater’s bar.  It’s a really fun time to get out IRL and chat IT or just crack some jokes.  Highly advised, especially if you thought about it but never got around to it yet.

Software Restriction Policies – Windows GPOL

I hope you are enjoying your day.  Perhaps you found yourself in a pickle with malware and need to finally implement a software restriction policy on your Windows Domain.  Considering the items in question, I am presuming and hoping you have a Group Policy on your side to help manage these machines and users.  Software Restriction Policies (SRP) are here to help you out.

Great!  Since you are looking to add a restrictive group policy, I would suggest making a test OU (Object Unit – I will only define acronyms once) and creating GPO (Group Policy Object).  With your Test OU and user account, I would suggest a VM (Virtual Machine) with that user account having minimal level domain access (Group: Domain Users).  Making our new policy, you want to focus on the following tree of your new policy.

Computer Configuration | Windows Settings | Security Settings | Software Restrictions

Brief pause here.  Respect to SwiftOnSecurity for bringing this conversation up recently on Twitter.  My guide is based from Branko Vucinec’s SRP Guide.  There is also a guide I will link below, that is for when you realize your policy also prevented Admins from installing programs.  There is a fix for that too. ;)

Let’s talk about Environment Variable Paths (EVP). These are commonly used by installers and scripters for installing both legitimate and exploit code & applications. The ones I am focusing on are:

>@echo %appData%

>@echo %localAppData%

>@echo %temp%

>@echo %tmp%

Echo shows us we have the right file paths and how they resolve for the active user account. As noted, we are looking to restrict items in these folders from executing. Along with that, we have some extensions to focus on restricting. The linked guide covers several, while I also add:

  • Archives (7z, zip, rar)
  • EXE
  • JAR
  • MSI
  • VBS
  • COM
  • BAT
  • PS1

Wild list, with some oldies on there. Let’s just say you can do lots of automation with .bat files. Everything else listed has more capabilities than that, but if you can call something else from a batch file, there are options from there. This is not meant as an exhaustive stop-all-exploit-execution solution! Honestly nothing really is (and if someone says so, they are lying). This is about presenting extra layers to prevent exploits from ‘getting the keys to your castle’ in respect to infrastructure.
This is getting wordy on the backdrop narrative… Let’s get going here.  Time to make the policy.
Making our new GPO, jump into the tree and Right-click on SRP then click New Software Restriction Policy.
Under Additional Rules, add our Disallowed exceptions. These are the EVP list of folders I noted above, an example being “%temp%\*.exe”.
We add these by making a New Path Rule.
I could lie to you here, but you have quite a few to add.  Branko’s Guide covers the syntax while my extension list adds other possibilities.  Make the call what is most probable on your network and what you may have seen in attack patterns.  Besides, you are one of the people who has to test this, and ideally one of the 1st to do so… so you can eliminate the immediate conflicts with business operations, before anyone else can try to prevent the implementation from happening.
Good job. Now that you have finished your new GPO, add your test machine into the OU linked to that policy and have your test account log in on said VM or test desktop. Try some standard-fare user operations and software patching: install Firefox, update Flash, whatever you or anyone else might do on a frequent basis. If you managed to remove Flash from your network, give yourself a high-five.
Ok now try to install some software as an Administrator.  In this case, Firefox will fail because it extracts the installer to %localAppData%.  Turns out your policy also applies to Local and Domain Administrators logged into that machine.  Good thing we are testing before launching live, huh?
To resolve this, we are jumping back into that policy you just made.  We need to add an Enforcement exception for Administrators.  The Policy path for that is:

Computer Configuration | Windows Settings | Security Settings | Enforcement

On the Enforcement settings, you will see ‘Apply software restriction policies to the following users:’. In this middle section, set the radio button to ‘All users except local administrators’ (see the MS KB on Enforcement).
Hit OK, Close your policy, jump back onto your VM and run another ‘gpupdate’ command to get the latest policy on that machine.
Diagnostic Note: If you have questions if the policy is actually applying, run RSOP.msc and see the Resultant Set of Policy.  These details will show you what options are set by all GPOs and what one is defining the settings.
Try running that installer again, but this time right-click it and choose Run as Administrator. It will prompt if you are not logged in with an admin-level account; otherwise it will just run. Your installer should now execute properly. In addition, and most of all, rogue applications matching your filter rule list should not be able to run. The protections are only as good as your rules, so keep an eye out for what applicable stops you can build to protect your network from processes gone awry.

Ansible and Vagrant. DevOps acronym decoded

Let me start by saying I’ve lived the System Admin life for quite some time. The decoding title refers to:
Installing, deploying, configuring, and monitoring servers in a rapid-deployment manner.
Most important of all, in a non-static and non-fragile manner. TL;DR security: running services across multiple servers that can be shut down in the event of intrusion or broken configuration and replaced with a new image that has all the required configuration out of the gate on redeployment.
You will be communicating and deploying over SSH sessions, so encrypted communications are how you ‘make the magic happen’.

Here are some notes I took from a great presentation by Chris Rossi of AppliedTrust, which also got me running my own deployments. I am also working from the following book: Ansible for DevOps by Jeff Geerling.

As this is a technical and video-game-heavy site, I’m sure many visitors and members know the struggle of single-thread processes not scaling with your gaming hardware. By deploying your server topology with Ansible (Python based) and Vagrant (Ruby syntax) scripting, you get a performance-scalable topology where services can be allocated per virtual machine, while any VM can be replaced by a freshly spun one in the event of a misconfiguration change or security exploit. You also get some botnet-like controls to distribute commands across all or selected servers in your Vagrant configuration.

Personally, I have been learning Python to make tools to assist me in log crawling functions, configuration and other data driven projects. I legit feel like Ansible and Vagrant usage has progressed me beyond making bash script, as the state control / config deployment and validation is light-years beyond cobbling my own scripts from scratch. I have been exploring this for less than a week, so please excuse the details thus far. However I will say this knowledge is really addictive, since I am seeing my personal projects materialized in a deliverable, community cooperative platform of Ansible using Vagrant.

Borrowing from Chris’s presentation, patch deployment and distributing content is the final leg / deliverable of the DevOps process. Considering I am used to living a Windows SysAdmin life with Windows cmd and Linux scripting, this point resonates as solid truth: compliance is the hardest deliverable to keep consistent. Did I mention scaling your network and server topology? Because that is what you are up to with deploying dynamic servers in a VM environment. Get the most performance per service-to-VM, with the added benefit of essentially real-time monitoring. In the event of a fault, you can also handle the decommission and re-launching of a new, compliant VM after a mis-config change / exploit.

Weather talk

The weather is fairly cold locally for the season, but an extra layer is not a bother. So a more apt conversation is security. Without a ton of hyperbole and a flood of links: usage and personal information is why you are seeing most everyone using ‘free services’. Social relationships are spiking because the technology boom is completely breaking people’s social comprehension of the world they live in.

Why is something being stored in relation to what can be found about you? The sickness of it is how much marketing there is every day. Not seeking out various opinions about any matter you seriously have concern about is, frankly, ignorant. Researching can be exhausting, but if you rely on bias you are facilitating that. Secure things and work with people. Share your reason for disagreeing. Stop imprisoning some of the smartest people for being observant. Allow an individual to form a non-baited opinion about what is ‘allowed’. Maybe stop fighting, especially over text words.

Thank you for reading. Keep thinking about your well-being to help others, instead of flipping a power-leverage trope.