Beyond Cyber & CyberSecurity - Anticlimactic Forensic Services

Blindly restoring Windows XP screen resolution

2011-04-13T13:49:00.000-07:00

Applies to Windows XP (any version)

Have you ever changed the screen resolution of your computer to where you have saved settings that your monitor cannot display? I have, several times. It's annoying at best to to have accidentally made a change and then not be able to see what you're doing.

Here are the steps to restore your display.
Please note that you have to be logged in.
If you need to blindly login to your account, I'll save those steps for a different post.

---------------------------------------------------
Take an educated guess and place the mouse cursor someplace on the desktop where you are not hovered over any icons or the toolbar.

Click the Right Mouse button.
On your keyboard, press the UP ARROW once, then press the ENTER key.
On your keyboard press the TAB key four times.
On your keyboard, press the RIGHT ARROW key four times.
On your keyboard press the TAB key once.
Then press the LEFT ARROW key four or five times
Then press the ENTER key.

At this point you should have a viewable display.
The Monitor Setting dialog box will begin a countdown, "Reverting in n seconds".
Save your display settings.

And that should do it!

There's something amiss in China - Increased daily spam

2010-03-09T00:05:00.000-08:00

OK, so for the past few weeks I have noticed a marked increase in spam in my primary email Spam folder. I have been deleting messages willy-nilly from the folder, as I usually do, when I walk through my daily email reading and composition routine.

Yesterday, I decided to let the spam pile up for a 24 hour period and take note of how many spam messages I have received. I don't like to pick on or lean in one direction or the other without having at least some metrics to go on, but out of 98 spam messages, 24 of those messages DID NOT have Chinese characters in the subject line.

Whup, OK, as I was typing this the message count JUST jumped to 102. By way of supposition, that's approximately 80% of the spam I have received in the past 24 hour period is coming from China.

Delving a little deeper I took a random check of the email headers, and yes, unless they're totally forged headers, I have to say, they do originate someplace in China. Where in China? Not important at this time. It's notable that they come from over the China border to here, at my gmail account in the United States.

So, what's happening here? Why the sudden spike in spam to my gmail account originating in China? Is there a mechanism I can implement to block ALL email from China from reaching my email account? I don't know anyone in China. I'm not expecting any email from China. Why can't I simply block all these messages? It's annoying at the very least and it is spam. I am going to keep my eye on this for a while, compile some data, see how it goes and maybe publish my results after 30 days or so. Is it worth it? I'll keep you posted.

- Robert Cazares

FTK 1.8 notes

2010-02-27T06:45:00.000-08:00

FTK 1.8 notes - placeholder

cnbc.com - San Antonio: New Cyber City

2010-02-10T12:51:00.000-08:00

Airtime: Wed. Feb. 10 2010 | 12:17 PM ET

Discussing why San Antonio is key to cyber security, with NBC's Janet Shamlian and Dr. Greg White, colonel for the U.S. Air Force and Fred Ramirez, CNF Technologies.

http://www.cnbc.com/id/15840232?video=1410041474&play=1

Windows 7 64-bit and 32-bit, Swiff Player, Flash 10 installation

2010-02-05T00:20:00.001-08:00

OK, so here's a work-around for you who have not been able to play .swf files on your Windows 7 64-bit and 32-bit systems.

I have tested this on both 32-bit and 64-bit systems with instant success. However, I make no guarantees or warranties and YMMV. What I can tell you is that after after a few hours of research and banging, it works for me.

This "fix" is simple. Really, it is.

- 64-bit systems
1) Install Adobe Flash 10 (Adobe Flash Player Standalone Installer, version 10.0.42.34) from
http://fpdownload.macromedia.com/get/flashplayer/current/licensing /win/install_flash_player_10_active_x.exe.
2) When installation is completed, navigate to C:\Windows\SysWOW64\Macromed\Flash and make a copy of Flash10d.ocx in the same directory.
3) Rename the copy of Flash10d.ocx to Flash.ocx (you will still have a copy of Flash10d.ocx)
4) Install Swiff Player 1.5 (http://www.globfx.com/downloads/swfplayer/)
5) Run Swiff Player and load your .swf files.
6) Enjoy!

- 32-bit systems
1) Install Adobe Flash 10 (Adobe Flash Player Standalone Installer, version 10.0.42.34) from
http://fpdownload.macromedia.com/get/flashplayer/current/licensing /win/install_flash_player_10_active_x.exe.
2) When installation is completed, navigate to C:\Windows\System32\Macromed\Flash and make a copy of Flash10d.ocx in the same directory.
3) Rename the copy of Flash10d.ocx to Flash.ocx (you will still have a copy of Flash10d.ocx)
4) Install Swiff Player 1.5 (http://www.globfx.com/downloads/swfplayer/)
5) Run Swiff Player and load your .swf files.
6) Enjoy!

Note 1: There is also a differing link to Adobe Flash 10 here:
http://get.adobe.com/flashplayer/otherversions/

Here's another link that I leaned on that helped me through this nagging issue:
Adobe Flash Player Standalone Installer?
http://social.answers.microsoft.com/Forums/en-US/InternetExplorer/thread/c8fe6d6f-ca63-4f2d-aa39-0365ca9c8b2d

- Robert

Updated Feb 5, 2010 - 1:32PM

Control Sets and the Windows XP startup process

2010-02-04T17:12:00.000-08:00

For our reference, we need to know which ControlSet is used for system startup.

Typically, if the system\Select\Current value is set to 0x1 (Data: 0x00000001 (1)), then CurrentControlSet is pointing to ControlSet001.

For more detailed information see the below snippets and links.
--------------------------------------------------------------
Control Sets and the Windows XP startup process
Published: November 03, 2005
http://technet.microsoft.com/en-us/library/bb457123.aspx

Startup Phases

The Windows XP Professional startup process closely resembles that of Microsoft Windows NT version 4.0, Microsoft Windows 2000, and Microsoft Windows Server™ 2003, but it significantly differs from Microsoft MS-DOS, Microsoft Windows 95, Microsoft Windows 98, and Microsoft Windows Millennium Edition (Windows Me).

--------------------------------------------------------------
Article ID: 100010 - Last Review: November 1, 2006 - Revision: 3.1
What are Control Sets? What is CurrentControlSet?
http://support.microsoft.com/kb/100010

Of importance:
ControlSet001 may be the last control set you booted with, while ControlSet002 could be what is known as the last known good control set, or the control set that last successfully booted Windows NT. The CurrentControlSet subkey is really a pointer to one of the ControlSetXXX keys. Clone is a clone of CurrentControlSet, and is created each time you boot your computer by the kernel initialization process. In order to better understand how these control sets are used, you need to be aware of another subkey, Select.

Select is also under the SYSTEM key. Select contains the following values:

Current
Default
Failed
LastKnownGood

"Each of these values contain a REG_DWORD data type and refer to specifically to a control set. For example, if the Current value is set to 0x1, then CurrentControlSet is pointing to ControlSet001. Similarly, if LastKnownGood is set to 0x2, then the last known good control set is ControlSet002. The Default value usually agrees with Current, and Failed refers to a control set that was unable to boot Windows NT successfully. "

Relative Identifier Allocation

2010-02-03T20:45:00.000-08:00

Relative Identifier Allocation

It is fairly easy for the system to generate a unique relative identifier for each account and group created on a stand-alone computer, where accounts and groups are stored in an account database managed by a local Security Accounts Manager (SAM) The SAM on a stand-alone computer can simply keep track of relative identifier values it has used before, making sure that it never uses them again.

Generating unique relative identifiers is a more complex process in a network domain Windows 2000 network domains can have several domain controllers, each of them a host for Active Directory, where account information is stored. This means that in a network domain there are as many copies of the account database as there are domain controllers. What is more, every copy of the account database is a master copy. New accounts and groups can be created on any domain controller. Changes made to Active Directory on one domain controller are replicated to all other domain controllers in the domain. The process of replicating changes in one master copy of the account database to all other master copies is called a multimaster operation .

The process of generating unique relative identifiers is a single-master operation . One domain controller is assigned the role of relative identifier (RID) master , and it allocates a sequence of relative identifiers to each domain controller in the domain. When a new domain account or group is created in one domain controller's replica of Active Directory, it is assigned a SID, and the relative identifier for the new SID is taken from the domain controller's allocation of relative identifiers. When its supply of relative identifiers begins to run low, the domain controller asks the RID master for another block.

Each domain controller makes sure that when it has used one value in a block of relative identifiers, it never uses that value again. The RID master makes sure that when it has allocated a block of relative identifiers, it never allocates those values again. The result of this teamwork is that every account and group created in the domain has a unique relative identifier.

Several other tasks performed by domain controllers are single-master operations. For example, one domain controller in an enterprise is assigned responsibility for ensuring that each domain has a unique name and a unique domain identifier. The domain controller assigned that role is called the domain naming master . For more information about single-master operations, see "Managing Flexible Single Master Operations" in this book.

Source: http://technet.microsoft.com/en-us/library/cc961984.aspx

Windows - Well-known SIDs - RID's

2010-02-03T20:15:00.000-08:00

Well-known security identifiers (SIDs) identify generic groups and generic users. For example, there are well-known SIDs to identify the following groups and users:

Everyone or World, which is a group that includes all users.
CREATOR_OWNER, which is used as a placeholder in an inheritable ACE. When the ACE is inherited, the system replaces the CREATOR_OWNER SID with the SID of the object's creator.
The Administrators group for the built-in domain on the local computer.

There are universal well-known SIDs, which are meaningful on all secure systems using this security model, including operating systems other than Windows. In addition, there are well-known SIDs that are meaningful only on Windows systems.

Source:

http://msdn.microsoft.com/en-us/library/aa379649%28VS.85%29.aspx

Four Run keys that are in the Microsoft Windows XP registry

2010-02-03T13:52:00.000-08:00

This article lists and defines four Run keys that are in the Microsoft Windows XP registry
Source:
http://support.microsoft.com/kb/314866/EN-US/

Run keys cause programs to automatically run each time that a user logs on. The Windows XP registry includes the following four Run keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Each of these keys has a series of values. The values allow multiple entries to exist without overwriting one another. The data value for a value is a command line.

There are some special considerations for the third and fourth keys in the list, the RunOnce keys:

* Beginning with Windows XP, the values in the RunOnce keys are run only if the user has permission to delete entries from the respective key.
* The programs in the RunOnce key are run sequentially. Explorer waits until each one has exited before continuing with normal startup.
* By default, Run keys are ignored when the computer starts in Safe mode. Under the RunOnce keys, you can prefix a value name with an asterisk (*) to force the associated program to run even in Safe mode.
* You can prefix a RunOnce value name with an exclamation point (!) to defer deletion of the value until after the command runs.
* Without the exclamation point prefix, a RunOnce value is deleted before the command runs. As a result, if a RunOnce operation does not run properly, the associated program is not asked to run the next time you start the computer.

If more than one program is registered under any particular key, the order in which those programs are run is indeterminate. A program run from any of these keys should not write to the key during its execution. Doing so will interfere with the execution of other programs registered under the key. Furthermore, applications should use the RunOnce keys only for transient conditions (such as to complete application setup); an application must not continually re-create entries under RunOnce. Doing so will interfere with Windows Setup.

APPLIES TO

Microsoft Windows XP Home Edition
Microsoft Windows XP Professional
Microsoft Windows XP Professional x64 Edition
Microsoft Windows XP Driver Development Kit
Windows XP Embedded
Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
Microsoft Windows Server 2003, Datacenter x64 Edition
Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
Microsoft Windows Server 2003, Enterprise x64 Edition
Microsoft Windows Server 2003, Standard Edition (32-bit x86)
Microsoft Windows Server 2003, Standard x64 Edition
Microsoft Windows Server 2003, Web Edition

Windows 95, Windows 98, Windows ME, Windows 2000, Windows NT
http://support.microsoft.com/kb/137367

When standards bodies are the cyber threat

2010-01-28T13:34:00.000-08:00

By A. M. Rutkowski, Yaana Technologies, Network World
January 28, 2010 12:59 PM ET

http://www.networkworld.com/news/2010/012810-standards-cyber-threat.html?source=NWWNLE_nlt_daily_pm_2010-01-28

CNBC Video - Maryland's Bet on Cyber Security

2010-01-28T13:08:00.000-08:00

CNBC Video - Maryland's Bet on Cyber Security

http://www.cnbc.com/id/15840232?video=1398428905&play=1
Airtime: Thurs. Jan. 28 2010 | 12:42 PM ET
The state is betting on its growing technology sector to capitalize on increased cyber security spending in the U.S., with Gov. Martin O'Malley (D-MD).

Windows 7 - FTK 1.8 KFF database location

2010-01-28T11:37:00.000-08:00

Windows 7
FTK 1.8 KFF default database location -

c:\programdata\accessdata\kff_databases\15.sep.2008

Stellent INSO Viewer - supported file type list

2010-01-28T11:22:00.000-08:00

Oracle Outside In Technology 8.3.2 Supported Formats

www.oracle.com/technology/products/content-management/oit/ds_oitFiles.pdf