Thursday, January 28, 2010

Mental Note on Firefox forensics using Firefox 3 Extractor

I left a post the other day on Firefox forensics, linking to Harlan's great page.

However, I wanted to dig a little further. I went to the Firefox 3 Forensics site and downloaded the Firefox 3 Extractor. It took a few minutes to get it right, but when I got it running, it was awesome; and a little eye opening.

First, I copied f3e.exe and sqlite3.dll into my firefox profile directory. I launched f3e, but couldn't get any results. Remembering my old sql developer days, it dawned on me that the files were locked as I had Firefox open. So, I closed Firefox and reran. Bingo. The internet history report came out. I tried to run another report, and the program failed with an error message.

So, this time, I followed the directions and copied the Firefox sqlite files to a separate directory, and dumped f3e.exe and sqlite3.dll in there. Now, I could run any report, as many times as I like.

A couple of things I like:
The program asks for a case reference (maybe the profile of the subject)
The program asks for a case name.
The program asks for the investigator.
With the internet history report option, you are asked if you want to use the favicons.

I chose the Internet History Usage report, which was D on my menu. After answering the questions, the html file is named "case reference" - "case investigator" - Internet Usage.html, so it is easy to find if you are running many reports.
Besides giving you the reference, name, and investigator, the report shows:
the top 20 most visited sites, with their counts, and,
A table with rows showing: favicon (if used), visit date, url, title, and if the url was typed.
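To see what that Internet History report is pulling out of places.sqlite, here is an added Python example of my own (not code from Firefox 3 Extractor) that rebuilds its two parts, the most-visited sites with counts and the visit table with date, url, title and typed flag, from the moz_places and moz_historyvisits tables. The column names are the Firefox 3 schema as I understand it (an assumption), the rows are constructed sample data, and it works on an in-memory copy, which matches the advice to copy the sqlite files out of the locked live profile.

```python
import sqlite3
from datetime import datetime, timezone

# Assumed Firefox 3 places.sqlite layout: one row per URL in moz_places and one
# row per visit in moz_historyvisits; visit_date is microseconds since the epoch.
SCHEMA = """
CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
    visit_count INTEGER DEFAULT 0, typed INTEGER DEFAULT 0);
CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, from_visit INTEGER,
    place_id INTEGER, visit_date INTEGER, visit_type INTEGER);
"""
# Constructed sample data, not taken from any real profile.
SAMPLE_PLACES = [
    (1, "http://example.com/", "Example Domain", 3, 1),
    (2, "http://mail.example.net/inbox", "Re: quarterly report", 2, 0),
    (3, "http://news.example.org/", "News", 1, 0),
]
SAMPLE_VISITS = [  # (id, from_visit, place_id, visit_date, visit_type)
    (1, 0, 1, 1264636800000000, 1), (2, 1, 2, 1264640400000000, 1),
    (3, 0, 1, 1264644000000000, 1), (4, 0, 3, 1264647600000000, 1),
    (5, 2, 2, 1264651200000000, 1), (6, 0, 1, 1264654800000000, 1),
]

def build_sample_db():
    """Stand-in for sqlite3.connect('copy/of/places.sqlite') on a copied profile."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO moz_places VALUES (?,?,?,?,?)", SAMPLE_PLACES)
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?,?,?)", SAMPLE_VISITS)
    return conn

def top_sites(conn, limit=20):
    """Most visited URLs with counts, computed from visit rows rather than the
    cached visit_count column, so a stale counter cannot skew the report."""
    return conn.execute("""SELECT p.url, COUNT(v.id) AS n FROM moz_places p
        JOIN moz_historyvisits v ON v.place_id = p.id
        GROUP BY p.id ORDER BY n DESC, p.url LIMIT ?""", (limit,)).fetchall()

def visit_table(conn):
    """Chronological (visit date in UTC, url, title, typed) rows."""
    rows = conn.execute("""SELECT v.visit_date, p.url, p.title, p.typed
        FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id
        ORDER BY v.visit_date""").fetchall()
    return [(datetime.fromtimestamp(d / 1_000_000, tz=timezone.utc)
             .strftime("%Y-%m-%d %H:%M:%S"), url, title, bool(typed))
            for d, url, title, typed in rows]

if __name__ == "__main__":
    db = build_sample_db()
    for url, n in top_sites(db):
        print(f"{n:4d}  {url}")
    for row in visit_table(db):
        print(*row, sep=" | ")
```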

I found it interesting going through the table that Yahoo mail uses the subject of the email as the title of the page. This could be useful if having to trace through web email.

I ran the other reports and have only skimmed the .csv files that have been produced. A quick look shows a detailed cookie analysis, a forms history file, a detailed bookmarks analysis, favorite icon analysis, and a couple of others that were blank (I might not be recording that information.)

There is a mini-FAQ, that lists where the various profile directories are stored.

Running the tool got me to consider the difference between "Private Browsing" and "Clearing Private Data". Normally, I clear my private data at the end of each session. But, I'm thinking of moving to Private Browsing, as it appears private browsing does not write the information to the hard drive.

So far, this is a great tool, that I plan to use in the future.

Wednesday, January 27, 2010

Mental Note for Harlan's Firefox forensics post

Harlan has a great post on Firefox forensics. I've been storing the link in email, but better to post it so I can more easily find it.

Thursday, January 21, 2010

Is IT security a life and death matter?

My boss and I were on a conference call today with a vendor to whom we will be sending a test team to test their system. This engagement is with a medical device company whose machines work with radiation. We were talking about patch management and how the company sets their policy of updating and patching their machines. What came out was an interesting story.

They mentioned to us that they handle ALL patching and updating for everything installed on the system. Because of the nature of the software (and that it controls radiation levels being administered to a patient) they do not patch the machine until that patch has gone through rigorous testing. They told of a system administrator who saw one of the vendor's machines on his network, without the latest patches. Without looking further at the machine, he remotely pushed out a whole bunch of patches to the machine. What the system administrator did not know was that the machine was actively administering radiation to a patient. The patches locked the machine, preventing the dosing engine from completing. Had a technician not been carefully monitoring the procedure, and hitting the emergency override switch... who knows what would have happened.

Friday, January 15, 2010

Quick XSS reminder

I keep forgetting this great link.

XSS from IronGeek


A great site. And a very useful XSS post.

Thursday, January 7, 2010

DISA SRR tools need CAC in order to get them

I know that DISA periodically makes part of their site unavailable while they make changes to their regulations (checklists, STIGs, etc.) So, for the past couple of days I've been waiting for the new checklists to be posted so as to prepare for a new trip. Yesterday, a bunch of the checklists updated: MS SQL Server has been split into SQL Server 2000 and 2005. The Oracle checklists have been split up by Oracle version. I notice that three of the Windows checklists have been updated: Windows 2000, 2003, and 2008. Curiously, there is not a checklist posted for Windows XP or Vista. I suppose they are forthcoming.

However, I was highly surprised to see that the SRR scripts have been moved to a site that requires CAC authentication. And at this, I have to wonder why. In my opinion, the scripts do a great job of testing configurations against how the DoD expects items under its purview to be configured. Was it such a bad thing that everyone had access to the tools? It only makes the community safer. I'm hoping this is a temporary measure, and that all will return to normal, as I would hate to see valuable tools be available only to a select few.

Monday, January 4, 2010

IM-Me by GirlTech

One of our kids got this for their birthday this past holiday season. Ok, it's a little cute, but I think there is better/maybe cheaper technology out there. The basic premise is that you plug the dongle in, and the child can "IM" with a friend who has the same device. Both users have to be "logged in" to the "chat service" and it connects over the internet. Of course, they want you to recruit many users, but that's another story. We got it because one of our child's friends is moving many states away, and we thought this might be a novel way to stay in touch. Installing it did not exactly please me.

A quick note: we have a couple of desktop machines spread out about the house. One, the main desktop, has multiple accounts on it, and the kids' accounts are very limited in what they can do. There's another computer that is not as limited, but does not have as much connectivity.

I found that I could only install it on the "main" computer because the hardware support for older computers is dodgy at best. To install, you had to install the device (and drivers) as admin. That wasn't too bad, as I don't let the kids' accounts install anything. But, in order for my child's account to be able to use the dongle, I had to temporarily grant admin permissions to the child's account such that the install could finish. And, during installation, I had the choice of installing it for the admin, or all accounts. I suppose I could have hacked the install, but I didn't. And now, EVERY user gets an install script failure upon logging in. Finally, when the child sets up their account, it prompts for a username and password. My kids have security drilled into them, so the password was not really an issue. However, when you enter the password, it's in clear text. Same with the password confirm box. I wasn't too pleased with that. I should have sniffed the transmission of the username and password to see if it was passed to the server in clear text. However, said child was pitching a fit that it wasn't installed yet.

All in all, had I known more about the architecture before, I might not have purchased it. But, the kids have had fun with it. I suppose it will wear off quickly, as they approach more consumer grade technologies.