O&O SafeErase 4: a personal file shredder that erases files without leaving a trace

O&O SafeErase 4
When you delete or destroy files on your computer, did you know they cannot be completely wiped from the machine? This matters most when you have to return a used computer or sell it to someone else: even after formatting the disk, anyone can use file-recovery software to retrieve the important data you deleted, including private files or passwords. So how do you avoid this?


It is simple: a piece of software can help.
O&O SafeErase, for example, is a tool for completely erasing sensitive documents or data. The techniques it uses are internationally recognized and recommended, and some of them have been adopted by the US Department of Defense and Germany's information security authority. O&O SafeErase is not free, but a current promotion lets you get a license key worth USD 29.95 at no charge.

Software information

  • Software name: O&O SafeErase
  • Languages: English, German, French
  • Size: 28.7 MB
  • Operating systems: Windows XP / 2000 / 2003 / 2008 / Vista / 7 (32-bit, 64-bit)
  • Official website: http://www.oo-software.com/
  • Download: 32-bit | 64-bit (English version)
Note: the O&O SafeErase 4 build linked in the e-mail is the German version; use the download links given above in this article to get the English version.

Promotion details

Go to the O&O SafeErase 4 promotion page, enter your e-mail address in the field at the bottom and click "Kostenlose Lizenz anfordern". Within a few minutes the license key arrives in your inbox.

Then install O&O SafeErase 4.1 as usual. On first launch a registration wizard appears; without registering, use is limited to 30 days. Select "Enter your registration code" and click Next.

Enter the name, company and serial you received into the registration form. In this promotion both Name and Company are the e-mail address you entered, and both fields must be filled in.

The key given away in this promotion is an NFR (not-for-resale) license for O&O SafeErase 4.1.

Next you are asked for an e-mail address to subscribe to news; ignore this and click Next to skip it. If a prompt appears, click Yes to skip the e-mail registration step.

You are ready to go. O&O SafeErase offers the following functions:
  • Delete files and folders: delete files and folders on the computer
  • Delete temporary Windows files: clear Windows temporary files
  • Delete temporary Internet files: clear browser cache files
  • Delete free disk space: wipe the free space on a disk

Two further functions are more advanced, wiping an entire hard disk and wiping a partition, and must be used with more care to avoid accidents.

Take Delete files and folders as an example: to permanently delete important files or folders on the computer, just add them to the list and click Run now. They are completely removed and cannot be restored with recovery software.


Reposted from http://www.freegroup.org/2010/10/o-and-o-safeerase-4-giveaway/

BIOS Password Backdoors in Laptops

When a laptop is locked with a password, a checksum of that password is stored to a sector of the FlashROM - this is a chip on the mainboard of the device which also contains the BIOS and other settings, e.g. memory timings. For most brands, this checksum is displayed after entering an invalid password for the third time:

The dramatic 'System Disabled' message is just scare tactics: when you remove all power from the laptop and reboot it, there are no new penalties such as additional passwords, locks and so on. From such a checksum (also called "hash"), valid passwords can be found by means of brute-forcing. Another method commonly used is that instead of a checksum, a number is displayed from which a randomly generated password can be calculated. Quite often, vendors also resort to storing the password in plain text, and instead of printing out just a checksum, an encrypted version of the password is shown. Either way, my scripts can be used to derive valid passwords with the hash.


Some vendors have implemented obfuscation measures to hide the hash from the end user - for instance, some FSI laptops require you to enter three special passwords for the hash to show up (see other post). HP/Compaq laptops only show the hash if the F2 or F12 key has been pressed prior to entering an invalid password for the last time.

Depending on the "format" of the number code/hash (e.g. whether only numbers or both numbers and letters are used, whether it contains dashes, etc.), you need to choose the right script - it is mostly just a matter of trying all of them and finding the one that matches your laptop. It does not matter on what machine the scripts are executed, i.e. there is no reason to run them on the locked laptop.
This is an overview of the algorithms that I took a look at so far:
Vendor                          | Hash Encoding          | Example of Hash Code/Serial               | Scripts
Compaq                          | 5 decimal digits       | 12345                                     | pwgen-5dec.py
Dell                            | serial number          | 1234567-595B, 1234567-D35B, 1234567-2A7B  | Windows binary & source
Fujitsu-Siemens                 | 5 decimal digits       | 12345                                     | pwgen-5dec.py, Windows binary
Fujitsu-Siemens                 | 8 hexadecimal digits   | DEADBEEF                                  | pwgen-fsi-hex.py, Windows binary
Fujitsu-Siemens                 | 5x4 hexadecimal digits | AAAA-BBBB-CCCC-DEAD-BEEF                  | pwgen-fsi-hex.py, Windows binary
Fujitsu-Siemens                 | 5x4 decimal digits     | 1234-4321-1234-4321-1234                  | pwgen-fsi-5x4dec.py, Windows binary
Hewlett-Packard                 | 5 decimal digits       | 12345                                     | pwgen-5dec.py, Windows binary
Hewlett-Packard/Compaq Netbooks | 10 characters          | CNU1234ABC                                | pwgen-hpmini.py, Windows binary
Phoenix (generic)               | 5 decimal digits       | 12345                                     | pwgen-5dec.py, Windows binary
Samsung                         | 12 hexadecimal digits  | 07088120410C0000                          | pwgen-samsung.py, Windows binary


The .NET runtime libraries are required for running the Windows binary files (extension .exe). If the binary files (.exe) don't work out for you, install Python 2.6 (not 3.0!) and run the .py script directly by double-clicking them.

Please comment on what make/model the scripts work and on what they don't. Also, be aware that some vendors use other schemes to handle the passwords - among them are e.g. IBM/Lenovo. You are then at the mercy of their service.

Reposted from http://dogber1.blogspot.com/2009/05/table-of-reverse-engineered-bios.html

A Stampede of Horses, Putting On an Act (Trojan: Trusted Insider)

by Dr. Benson Wu, Armorize Technologies


Introduction and outline
Hello everyone! I am Benson Wu (吳明蔚), and I am very glad to be in Beijing today for the OWASP conference. Today's topic is trojans. Hackers love trojans, and everyone knows the story: a trojan is something that does not look like much, you take it for a gift, quietly wheel it into the city, and afterwards it makes trouble. That is actually unlike today's trojans. Today's trojans bare their teeth and claws; their behavior is very obvious, and antivirus software recognizes them as malware as soon as it sees them.

A bit about myself: I was born in Taiwan and grew up in the Philippines, and my wife is from Changsha. I consider our era very fortunate. Before the Internet you could help at most one person; however good a doctor you were, you could save one person at a time, but the Internet lets you help many people. So I like a saying Kai-Fu Lee shared with everyone: "Be your best self". You can learn many ideas, but you need your own values, and you should be the best version of yourself.

Let me quote the CEO of SANS in the US: "In this line of work, learn Chinese fast". Foreigners are realizing that the Chinese-speaking world holds many information security treasures to learn from: our technical articles are advanced, and many people gladly share video tutorials that save others time. Conversely, what should Chinese people learn? I think Russian; in the Russian-speaking world there is a great deal to exchange, whether attack tools or every kind of underground economy. Here is today's outline: first, some cases to illustrate what a trojan is and why a trojan puts on an act; then a common way of planting trojans, SQL blind injection; and finally a summary of how the trojan industry chain looks, which from the underground economy's point of view means: whatever the horse, making big money comes first.

What is a trojan?
It is a kind of malware that appears in large numbers on information networks. What can a trojan do? It can do remote control; some people with an unrequited crush have misused trojans to force someone's webcam on. It can serve as a stepping stone: say I find a vulnerable website, but attacking it directly would expose my IP, so I look for a victim to use as a relay. Or, if I want to send huge volumes of spam, I use someone else's mail server and let them take the blame. What I find interesting about security is that it plays on the "digital divide" and the "security-awareness divide". In physical security we know how to watch out for robbers and thieves, we know how to avoid them, and we are careful around anyone who looks shifty. Online, many people do not know how to be careful about trojans, because so much computer knowledge is beyond them. Maybe we understand it, but our parents do not, and our grandparents understand even less, so there is a lot that is interesting about security online.

Here is a fun example: fake antivirus. Antivirus is a huge and very profitable industry, but who would have thought that selling fake antivirus is also a lucrative business? Fake antivirus succeeds by playing on the "security awareness and knowledge" of both sides. Next, you sometimes receive e-mails saying the school's mail server is broken and under maintenance, and you must fill in your details to confirm. Some people see at a glance that it is a scam, but if it sends 10,000 copies a few people will fall for it; it plays the odds. Then there is the currently popular social-engineering trick of using Unicode to disguise file extensions. This is a built-in Windows feature that lets the user specify that text is displayed right-to-left or left-to-right, so the display direction differs. It has existed for five years, yet it is still very effective when used now, another example that tests your "security awareness and knowledge". There are a few dozen legitimate antivirus products, about forty are integrated into VirusTotal, but there are over 250 brands of fake antivirus! Fake antivirus even has online customer support: buy it and you can chat with its support staff. Anyone browsing the web can run into trojans. The ancients said the kind-hearted get bullied; today the kind-hearted get ridden by horses!

U+202E Unicode attack technique
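As an added example (not from the talk), a small Python check for the U+202E trick described above: it reports the extension the operating system will actually use versus the one a user sees in a listing, and flags names where the two differ because of bidi control characters. The file names are constructed samples.

```python
import unicodedata

# Bidi classes of the Unicode control characters that change display order.
# U+202E RIGHT-TO-LEFT OVERRIDE (class RLO) is the one the talk describes; the
# other embedding, override and isolate controls are included because they can
# be abused the same way.
BIDI_CONTROL_CLASSES = {"LRE", "RLE", "LRO", "RLO", "PDF", "LRI", "RLI", "FSI", "PDI"}


def bidi_controls(name: str) -> list:
    """List the bidi control characters found in a filename, as U+XXXX labels."""
    return [f"U+{ord(c):04X}" for c in name
            if unicodedata.bidirectional(c) in BIDI_CONTROL_CLASSES]


def displayed_name(name: str) -> str:
    """Approximate how a naive file listing renders the name: everything after
    the first U+202E is drawn right-to-left, i.e. reversed. A real renderer
    runs the full bidi algorithm; this is enough to show the trick."""
    head, sep, tail = name.partition("\u202e")
    return head + tail[::-1] if sep else name


def extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def inspect_filename(name: str) -> dict:
    """Compare the extension the OS will use (the one in the raw string) with
    the one a user sees, and flag the name when they differ because of bidi
    controls. Names with controls but matching extensions are left alone."""
    controls = bidi_controls(name)
    cleaned = "".join(c for c in name
                      if unicodedata.bidirectional(c) not in BIDI_CONTROL_CLASSES)
    real_ext = extension(cleaned)
    apparent_ext = extension(displayed_name(name))
    return {
        "cleaned": cleaned,
        "displayed": displayed_name(name),
        "real_extension": real_ext,
        "apparent_extension": apparent_ext,
        "bidi_controls": controls,
        "suspicious": bool(controls) and real_ext != apparent_ext,
    }


def find_spoofed(names) -> list:
    """Return the names in an attachment or directory listing that look spoofed."""
    return [n for n in names if inspect_filename(n)["suspicious"]]


# Constructed sample listing (not from the talk): one spoofed name, two benign ones.
SAMPLE_NAMES = [
    "report.pdf",
    "holiday_photo\u202egpj.exe",            # shown as "holiday_photoexe.jpg", runs as .exe
    "\u062a\u0642\u0631\u064a\u0631.docx",   # Arabic filename, no controls: benign
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(inspect_filename(n))
```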


Trojan planting technique: blind injection as an example
Let me share how blind injection is done. These are some intrusion screenshots from the web; with some very capable domestically made tools you can hit the database behind the site directly. The next step is to plant the horse. The decoded injection payload looks like this: basically a single line of injection code fills every column in the database with the attacker's trojan link, so it is not one trojan per site; every page and every field gets one, and cleaning it up drives you mad. Look at this victim case: a horse planted here, another there, the same trojan repeated many times on one page. The most interesting part is the one next to it, which is a different trojan, so they come one after another; every kind of attacker plants every kind of trojan, and as long as the vulnerability stays unpatched it is not a single or double injury but continued harm from every attacker who passes through.

Trojans: from baring their teeth to putting on an act
Let's look at a few real cases of what trojans look like. The trojans popular in this industry today are basically very stealthy; some you know are trojans yet you cannot remove them, including ones that inject DLLs or code into important system processes or appear as system services or drivers. What we just saw is the current state of trojans: spray and pray (or spray at zombie PCs), and what they catch is enough for the industry. But once that stops working, say the antivirus block rate is 100% every time one appears, they must take the "put on an act" route, and that is what everyone should worry about in the future. The most dangerous is the trojan in sheep's clothing, the trojan that preaches morality, that calls itself freeware, does not hide its process, does not use zero-day vulnerabilities, but sneaks around doing harm without your knowledge. This extends to many places; what you worry about is not only the network. I worry more about its extension to all kinds of critical infrastructure systems, such as healthcare: if the doctor prescribes a drug and the drug you end up receiving is different, that is not funny, it is terrifying, and people could die.

Nerve-wracking espionage plots: why couldn't a trojan be modeled on them?


The underground economy created by trojans

Why do hackers spend their time where it counts? Because it makes big money. Everyone knows the old 80/20 rule; now there is a 90/10 path to wealth, where 10% of people hold most of the wealth. Trojans can be used for money laundering, for producing counterfeit cards, and for creating a big market of cheap, good-quality virtual goods. Does money laundering get caught? Of course; look at this transaction record, you can still trace which nominee account the money went to. But why are such criminals called "mules" in the group? Because they are the lowest tier: a mule is the offspring of a horse and a donkey with no chance to rise or breed the next generation, so what the FBI catches are the least valuable criminals in the laundering ring. To really catch them you should go after the big ones at the top. China may be full of gold, but in many major criminal cases the worst offenders could not keep a lid on it and could not escape the state's severe punishment. Look at this counterfeit-card screen: it makes buying credit cards as easy as buying everyday goods. These are stolen, counterfeit credit cards, but all based on real card data. There are also many fake virtual goods, that is, stolen goods: an item that should cost 100 sells for 10, and it works. You can also buy DDoS attack services: I have no machines of my own, so I buy a DDoS service to hit someone. Defenders now have security SaaS defense services, and attackers can use botnets as SaaS attack services!

Writing trojans is not for fun; hackers do it to make big money


Items in the online shop include credit cards...


Let me use a TDS (traffic distribution system) to explain the roles in this industry. Say Mr. S is very good at planting trojans and can hit more than 10,000 websites at once; this JS redirects everyone who views those sites to one website, instantly creating 10,000 visitors there. Mr. S is a traffic generator, and he sells traffic, so whoever plants trojans can sell traffic; he is the Seller. Who is the Buyer? The buyer is whoever needs people to become part of a botnet. For instance, Mr. B wants people to be infected with his trojan: "can you bring me 100 visitors per hour to my website?", and then 100 zombies appear every hour. Let's go back to the fake antivirus and look at its sales structure; this is the incentive scheme. This chart shows how many people saw the page (unique visitors), how many installed, and how many bought. Look at the income: one person makes over USD 20,000 a week! This group has about 500 sales representatives, and under this incentive scheme the top salesperson can reach a monthly income of USD 332,000, with prizes such as cars waiting for everyone who pushes fake antivirus sales!

Conclusion: when a trojan truly becomes a trojan
Finally, let me sum up the future of trojans. With the hardening and secure design of operating systems and applications, such as the more robust IE8/9 browsers and the better security architecture of Windows 7 (DEP + ASLR + SEHOP + Low Integrity and so on), defending against trojans that bare their teeth will be very effective. But zero-day vulnerabilities are a matter of luck; sometimes you must pay tens of thousands, even hundreds of thousands or millions of RMB, to buy one. Is that necessary? No security design, however good, can stop you from double-clicking to install untrusted software. Today's rampant trojans already have everyone on edge: if you ask a stranger to visit your page, they may not dare, fearing it contains a trojan. The real trojan is the one right beside you that you never notice; that is the true trojan, not today's very visible ones. Thank you all!

The future of trojans... boundless


Reposted from http://armorize-cht.blogspot.com/2010/10/owasp-2010.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+blogspot%2Farmorize_cht+%28%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F+Blog%29

Casual thoughts on the Personal Data Protection Act and digital evidence

Reposted from http://tw.myblog.yahoo.com/roamer-tw/article?mid=7193

Since the new Personal Data Protection Act passed, my former boss kept asking about the feasibility of introducing computer forensics tools in the company. At the time my assessment was that there was little need. Recently friends have been asking similar questions, so I am putting my thoughts together here.

First, the definition of the burden of proof. Unlike the presumption of innocence in criminal law, the new act does not presume innocence: the victim does not have to prove the harm; instead the enterprise must prove that it has taken appropriate security measures to prevent personal data from being stolen, altered, damaged, lost or leaked. This stretches the scope of proof far too wide. Every point where proof might be demanded must be prepared in advance; otherwise a single key point where counter-evidence cannot be produced may seriously affect the enterprise, even result in penalties. I suspect the breadth of counter-evidence required is also a major reason why, in recent years, so many products have been tied to the Personal Data Act and security issues and then heavily marketed.

Back to digital evidence. According to Wikipedia, computer forensics grew out of computer/network security and criminal investigation, and is mainly used to find evidence when investigating computer crime or to prove damage. In the past, gathering digital evidence meant collecting and preserving the physical or logical evidence related to a computer crime, but the current act turns it into producing counter-evidence that the enterprise has fulfilled its duty of proper custody. The digital forensics tools on the market are still built to prove that an incident happened and to provide the attacker's trail and evidence; for an enterprise this amounts to buying an expensive rock to drop on its own foot. Even if forensics finds no evidence of an attack, it is hard to use that to prove that appropriate security measures were in place.

Because under the new act the enterprise's focus shifts to proving its own innocence rather than the digital evidence we used to know, the forensics processes we learned have little use here (they are of course still very useful in computer-crime investigation), and this creates several new problems:

1.    Defining counter-evidence: proving that an enterprise was intruded or that data may have leaked is relatively easy; proving it was not intruded is far harder. The act's requirement to "adopt appropriate security measures to prevent personal data from being stolen, altered, damaged, lost or leaked" is far too vague. What counts as appropriate security measures? Is there a quantifiable standard? A consistent baseline? Does ISO 27001 certification count as appropriate measures? Does certification of a personal data protection management system count as fulfilling the duty of custody? These are all worth thinking about.

If no followable standard is set in future, it will again come down to subjective judgment; and even if one is set, whether it keeps up with trends in network security is another matter. As for whether it turns into certification for certification's sake, I have no doubt (just look at ISO 27001): it certainly will.

2.    The blind spot of counter-evidence: anyone who works with security appliances knows that verifying false positives is not hard; the hard part is finding false negatives. Suppose an attacker successfully bypasses my security appliance and gets in. Will that false negative show up in the appliance log as a successful attack, or even as a detected attack? The answer is probably no on both counts. The appliance's logs will look clean, giving the impression that every attack that should be blocked was blocked, but what is the reality?

3.    Player and referee: putting the burden of proof on the defendant inevitably smells of being both player and referee. If the defendant enterprise is in fact at fault, might it deliberately omit unfavorable evidence and supply only what makes it look clean?

4.    Collateral damage: what if the target of the attack was not actually the enterprise? Take the phishing seen often in recent years: if an attacker builds a phishing site imitating some website and hooks many of that site's users, the whole attack may have nothing to do with the affected site, but from the victims' perspective they only see many of that site's users having their accounts stolen, and they sue. Requiring the enterprise to produce counter-evidence about an attack that never happened on its own systems is absurd; with a little bad luck it might be penalized simply for being unable to supply suitable counter-evidence, which clearly contradicts the legal principle of neither wronging the innocent nor letting the guilty go.

The first half of the new act, defining and protecting personal data, is relatively uncontroversial, but the burden-of-proof part is unworkable and leaves people lost; I suspect this is also a major reason the enforcement rules have been so slow to draft. (tea~)

Ten years of accumulation, ten years of sharpening the sword! The Pediy Academy 10th Anniversary Edition is released!



About the Pediy website

The Pediy security website (www.pediy.com) was founded in January 2000. Over more than ten years of development it has stood out and, on its own merits, become the recognized most authoritative technical site in China's software security field, with far-reaching influence. Over the years the site has followed a purely technical development strategy, establishing a respected professional image in the industry and bringing together a large group of professionals and experts to form an online home for technical exchange, drawing in many users interested in software security and building a large, active community around the theme of software security that stays fresh over time. Seeing this technical atmosphere, many well-known companies pay close attention to the forum's talent.

Following the founding principle of knowledge sharing and everything free, the site has gathered a large number of high-quality technical articles, with more than ten thousand original highlight articles to date, greatly advancing software security technology in China. In 2007 the forum was renamed the Pediy Software Security Forum; while keeping its existing research in software encryption and decryption, it expanded fully into vulnerability analysis, system internals, virus analysis, rootkits and other technical areas, gradually becoming a comprehensive information security site.

"Pediy Forum Highlights 10" collects the highlight content of the forum from 2008.1.1 to 2009.12.31, more than 1,700 articles in all. As the site owner, I sincerely thank all forum members for their selfless contributions; it is your enthusiasm and tireless effort that have brought the forum to where it is today, a backbone of the domestic security community.

To advance the idea of putting software security technology to work for society and enterprises, we are working to improve the site's services, offering more content, better service and technical products to everyone who cares about information security. If you have good ideas or suggestions, feel free to post and discuss on the site; let us work together to create a better and safer online environment.

Forum download: http://bbs.pediy.com/showthread.php?t=120908
Web version: http://bbs.pediy.com/goodpost/web10/pediy2010.html

Find out who plagiarized my image!

I saw a news item today: in a government-run "copyright poster design competition", the first prize in the campus category turned out to be a plagiarized work by a foreign artist! That certainly reminds everyone of the importance of copyright (it perfectly highlights the competition's theme); maybe that was the entrant's intention?? Anyway, that is not today's topic. The story gave 凱撒之鷹 another idea: how do you find people online who have plagiarized your images?

Note that "plagiarism" here does not mean simply stealing the image, but your work being taken, modified, and turned into another highly similar picture. If nobody tells you, how would you discover it yourself?

A small digression: if you want to know whether an article has been plagiarized, comparing text with Google is easy enough; search for a sentence from the article (preferably wrapped in " " quotes) and you quickly find identical or similar sentences. But Google can only search images by keyword; strong as it is at text, it cannot search by image directly, so Google is no help here.


So here is a search engine dedicated to "finding similar images", TinEye, whose specialty is searching by image: you upload an image (or an image URL), TinEye compares it against billions of images on the web and picks out the similar ones, making it easy to see whether your work has been plagiarized and modified.

TinEye website: http://www.tineye.com

Walkthrough

Using the news story about the plagiarized foreign work as an example, if nobody had noticed, how could TinEye be used to find that it probably copied some image? Very simply:

1. I saw the story on the United Daily News site, which included the image of the suspected plagiarized work, so I just copy the image's URL. If there were no news report, photographing the work on site and saving it to disk would work too.
2. Go to the TinEye site, paste the URL of the image to compare and click [Search]. For an image on your own disk, use the [Choose file] button on the left to upload it.
3. The result comes back immediately: there is indeed a very similar image online, probably the original that was "referenced".
4. Click the "Compare" link below the image to compare the two more closely. It overlays them in the same position; press [Switch] to flip back and forth and see clearly where changes were made.
5. Finding one similar image may prove the source was copied, but who is the original creator? The found image comes with a URL, but in this case it is a picture in some stock image site, not the artist's own site. No matter; keep going the same way: copy the URL of the found image and search again with TinEye.
6. This time many more identical images turn up, and now it takes patience: click into each one and you may find the original artist's site. That kind of detective work is left to whoever is so inclined =_=


Reposted from http://pcuser.pixnet.net/blog/post/27229135

3 Phases of Malware Analysis: Behavioral, Code, and Memory Forensics

When discussing malware analysis, I’ve always referred to 2 main phases of the process: behavioral analysis and code analysis. It’s time to add a third major component: memory analysis.
Here’s a brief outline of each phase:


  • Behavioral analysis examines the malware specimen’s interactions with its environment: the file system, the registry (if on Windows), the network, as well as other processes and OS components. As the malware investigator notices interesting behavioral characteristics, he modifies the laboratory environment to evoke new characteristics. To perform this work, the investigator typically infects the isolated system while having the necessary monitoring tools observe the specimen’s execution. Some of the free tools that can help in this analysis phase are Process Monitor, Process Explorer, RegShot and Wireshark. Several free on-line tools can automate some aspects of behavioral analysis; there are also several free frameworks you can use to script the analysis process in a local lab.
  • Code analysis reverse-engineers the malicious program to understand the code that implements the specimen’s behavior. When looking at compiled programs, this process involves using a disassembler, a debugger and, perhaps, a decompiler to examine the program’s low-level assembly or byte-code instructions. A disassembler converts the instructions from their binary form into the human-readable assembly form. A decompiler attempts to recreate the original source code of the program. A debugger lets the analyst step through the most interesting parts of the code, interacting with it and observing the effects of its instructions to understand their purpose. OllyDbg and IDA Pro Freeware are popular free disassembler/debuggers that can handle Windows programs.
  • Memory analysis examines memory of the infected system to extract artifacts relevant to the malicious program. In the context of reverse-engineering malware, memory analysis can help identify malicious code that is trying to hide itself (i.e., rootkits), can clarify the program’s run-time dependencies, and can explain how the specimen was used on the victim’s system. Memory analysis saves time and allows the investigator to take shortcuts when studying the specimen’s behavior or code. Free tools for performing memory analysis are The Volatility Framework and its malware-related plugins, as well as Memoryze and the associated Audit Viewer program.


The three malware analysis phases are intertwined with each other. The investigator might start with behavioral analysis to get a quick sense for the specimen’s capabilities, then reinforce the initial findings by looking at its code, then explore additional aspects of the malicious program by examining the infected system’s memory. The investigator will keep jumping between phases, not necessarily in any particular order, until he or she develops a sufficient understanding of the specimen’s capabilities.


Reposted from SANS

Recovering lost memories (an SD card photo rescue log)

Reposted from http://blackjack.blog.ithome.com.tw/post/110/82057

Back from a trip, full of anticipation to pull the digital photos full of happy memories off the memory card, and the card fails at that very moment! Don't panic: find the right recovery software and you still have a good chance of getting most of your precious data back. These recovery methods also apply to files accidentally deleted from a hard disk.

 
On the Double Tenth holiday weekend I booked a guesthouse in Puli with a hot-spring pool and organized a two-day family trip, arguably the most successful and most fun one ever.
Back home on Sunday I routinely turned on the computer, took the memory card out of the camera, put it in the card reader and started moving the SD card's photos to the PC.
Then disaster struck!


Looking at the photos in the PC folder, only two appeared; on the third, only a little had copied before the card hung! Then the computer froze. Try after try, there was no option but to reboot.
Sure enough, the worst had happened: the card could no longer be read, neither by the computer nor by the camera. Only a message asking to "format" the SD card appeared. And on this trip everyone had relied on the one person who brought a DSLR, so nobody else had taken any photos.
To format or not to format? That's the question!



In the end I made the right decision: don't format! Preserving the intact corpse matters most! You can format any time, but any damage that formatting does to the original data cannot be undone. (Events later proved this.)



Basic principle
Before starting the rescue, a brief explanation of the basic principle. (If you already know it, skip ahead; if you know it well, please go easy on me.)
When an SD card fails, don't panic. Every footstep leaves a trace, and in most cases the data can be recovered.
The basic principle of data recovery is this: whatever data is stored on your SD card, CF card, hard disk or other storage medium, when it goes missing because you deleted it or something went wrong (like a failure), it is only "missing" (invisible), not really gone. In other words, the data is very likely still on the medium; the computer's ordinary file system just no longer shows it to you.


When does the data really disappear? Generally, once the storage fills up and new data overwrites the old, the old data is truly gone from the medium. Or the location where the data is stored happens to be physically damaged. Finally, professional data-deletion software, correctly applied, can make it truly disappear.


In short: the better you preserve the corpse, that is, keep the SD card (or hard disk) in its last state and avoid any action that might touch the data (such as formatting it or storing more data on it), the more data you are likely to recover.
Seen the other way round, this principle also raises a data security issue.
Suppose one day you want to discard your hard disk or SD card, or destroy digital evidence and cover your tracks: don't assume that deleting data from the computer makes it vanish forever.


Suppose your computer holds lots of photos that must not leak... or some important confidential data (like bank account details or your citizen digital certificate...)
Then one day it is time for a new computer, you wipe out all the data, or even format the disk, and then the computer goes up for online auction...


Suppose the computer happens to go to a bored geek who, with nothing better to do, runs "data recovery" on your disk and brings back everything you thought was deleted... the consequences are of course unthinkable.
In fact I remember reading reports (I can't find them right now) of data security companies abroad buying many second-hand hard disks from online auctions for research and finding that most discarded disks had not had their data properly erased. That topic is not today's focus, so I'll leave it there. (I'm considering buying a few from auctions one day to recover and write a report?)


Conclusion: when an SD card is damaged, absolutely do not do anything to it, and do not follow the computer's prompt to format it!
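The principle above (deleted or "invisible" data stays on the medium until it is overwritten), the incomplete JPEGs that the recovery tools later return in this post, and the overwriting that a file shredder such as O&O SafeErase in the first article performs, as one added example that is not from either post: a minimal JPEG carver in Python that finds pictures in a raw card dump by marker signatures alone, with no help from the file system, reports pictures whose tail is missing, and finds nothing once the bytes have been overwritten. The card image and the JPEG builder are constructed here for the demonstration.

```python
SOI = b"\xff\xd8\xff"   # Start Of Image followed by the first marker byte
EOI = b"\xff\xd9"       # End Of Image


def walk_header(buf: bytes, start: int):
    """Walk the marker segments between SOI and SOS (Start Of Scan).
    Returns (header_ok, offset of SOS or of the failure)."""
    pos = start + 2
    while pos + 4 <= len(buf):
        if buf[pos] != 0xFF:
            return False, pos              # expected a marker, found something else
        marker = buf[pos + 1]
        if marker == 0xDA:                 # SOS: header is complete, scan data follows
            return True, pos
        if marker in (0xD8, 0xD9):         # a new SOI or an EOI inside the header
            return False, pos
        seg_len = int.from_bytes(buf[pos + 2:pos + 4], "big")
        if seg_len < 2:
            return False, pos
        pos += 2 + seg_len                 # the length field counts itself
    return False, pos


def carve_jpegs(buf: bytes) -> list:
    """Scan raw bytes for JPEG files. Each hit records where it is, how big it
    is, and whether it is complete, truncated, or has an unreadable header."""
    found, pos = [], 0
    while True:
        start = buf.find(SOI, pos)
        if start < 0:
            break
        ok, sos = walk_header(buf, start)
        if not ok:
            found.append({"offset": start, "size": sos - start, "status": "bad_header"})
            pos = start + 1
            continue
        eoi = buf.find(EOI, sos)
        nxt = buf.find(SOI, sos)           # an EOI past the next SOI belongs to another file
        if eoi >= 0 and (nxt < 0 or eoi < nxt):
            end, status = eoi + 2, "complete"
        else:
            end, status = (nxt if nxt >= 0 else len(buf)), "truncated"
        found.append({"offset": start, "size": end - start, "status": status,
                      "data": buf[start:end]})
        pos = end
    return found


def make_jpeg(scan_bytes: bytes, with_eoi: bool = True) -> bytes:
    """Build a minimal, structurally valid JPEG (JFIF APP0 + SOS + scan data)."""
    app0 = (b"\xff\xe0" + (16).to_bytes(2, "big")
            + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    sos = b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    return b"\xff\xd8" + app0 + sos + scan_bytes + (EOI if with_eoi else b"")


def secure_erase(buf: bytes) -> bytes:
    """What a shredder does that a plain delete or quick format does not:
    overwrite the data itself. A single zero pass is enough to make the point."""
    return bytes(len(buf))


# Constructed card image: slack, two intact photos, then a photo whose tail was
# lost when the card died (no EOI), the "incomplete picture" case from the post.
CARD = (b"\x00" * 37
        + make_jpeg(b"\x11\x22\x33" * 40)
        + b"\xff" * 20                      # erased flash cells read as 0xFF
        + make_jpeg(b"\x44\x55" * 25)
        + b"\x00" * 10
        + make_jpeg(b"\x66" * 30, with_eoi=False)
        + b"\x00" * 50)

if __name__ == "__main__":
    for hit in carve_jpegs(CARD):
        print(hit["offset"], hit["size"], hit["status"])
    print("after secure erase:", carve_jpegs(secure_erase(CARD)))
```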


Starting the rescue
Over those three days I searched the web and sent out a cry for help on Plurk. I'll skip the details; in the end I used four programs. This section mainly describes how each went and its results. Since installing and using them is very simple, I won't go into that in detail.
Digital Image Recovery
First I used the free program Digital Image Recovery.
The origin of this program is a bit muddled; PC home and Softking give different accounts, never mind the blog posts. I don't recommend software of uncertain origin, because the chance of getting "hit" is high.
As far as I could trace, the program was originally created by Alexander Grau, whose data-recovery software is distributed through another professional data-recovery company, LC Technology International Inc. (which is why PC home and Softking disagree).
But the free program seems no longer to be found on either company's website; download points are scattered around the web. You can find links via Softking and PC home.
Related sites:
>> Alexander Grau
>> LC Technology (http://www.lc-tech.com/)
>> Softking's introduction
>> PC home Toget

This was the first program I used on the SD card. Luckily it recovered nine tenths of the photos (542/591), and even better, all of the family activity photos, though this was before I formatted the card.
Since the point of this rescue was the family photos, I cared less about the guesthouse documentation shots (scenery with nobody in them), since I could reshoot those next time; but the family shots cannot be redone by asking everyone to go back and act it out again.
Anyway, having recovered the important photos, I relaxed and got careless: faced with the computer's persistent "format" prompt, at one point I clicked it without thinking.
But I still wanted the remaining tenth of the photos back.
So after formatting the SD card I tried the program again. Result: total failure! Not a single photo found. From the scan data I could tell the card was badly damaged.


PC Inspector Smart Recovery 4.5
OK! Since the first program could recover the data before formatting but not after, it was really a showdown! I became more interested in which program could recover the data I had damaged (or even recover more).
For the second program I turned to PC Inspector Smart Recovery 4.5. Some people online teaching photo recovery recommend the same company's other product, PC Inspector File Recovery, which is not quite right; that one suits recovering ordinary files. For rescuing photos from SD cards and other memory cards, PC Inspector Smart Recovery is the better choice.
This German company is very generous in providing such software completely free; of the programs tried this time it is the one with a clear origin that is also completely free, so I highly recommend it.
>> PC Inspector Smart Recovery download
>> PC Inspector File Recovery download
This program deserves a proper introduction, because I learned a lot from it, or put another way, took a long detour.
After installation on my Windows 7 PC it had problems, reporting a registry error (not necessarily the software's fault; it could be the OS):
run-time error'339', component gif89.dll or one of its dependencies not correctly registered: a file missing or invalid.
So I ended up researching registry cleaners, cleaning the registry several times, plus something about gif89.dll..., but it still would not run. I had to install it on the small laptop at home instead.
After installing and opening the card, the program told me the files were badly damaged, which I took to mean I should choose the slower scan mode. No choice, so "Yes"!
But after a whole night it had only reached 10%, so I pulled out the nearly 200 photos found so far and let it continue... (Note: this 10% is relative to the total number of files on the SD card, not just the 591 photos I shot last.)
After 24 hours it had reached only 80%...
The point is, the JPG photos it found looked the right size but could not be previewed or opened. ...Renaming, changing luck, changing software... nothing worked.

I had no idea what the problem was; the only clue was the error IrfanView showed when opening a file: Can't read file header! Unknown file format! So I went looking for answers about the JPEG header.

After some Googling I figured the direction was repairing the JPG file header, so I tried several JPG repair tools such as JPEG Recovery and JPEG Fixer... none worked. They all just rolled on the floor insisting "this isn't KFC!"
Finally I put my hope in jheader. It is said to be powerful and fast, but, but... it means going back to the DOS era! That is also why it runs so fast. (I wonder how many readers still recognize the word DOS? You'll see what it is below.)
I bit the bullet and downloaded it. I read the documentation carefully; it wasn't very clear, but I gathered that the -te option transplants a photo's EXIF header.
I tried the command countless times and finally got it right. Same result: it too insisted this wasn't KFC!

 

After a full day of setbacks and a long detour, it all came to nothing. Still, there may be a way to unlock that data that I just didn't find (if anyone knows, please tell me). If so, this program is still good!


SanDisk's RescuePRO
The third was recommended by a fellow netizen: SanDisk's RescuePRO.
This program belongs to the well-known memory card maker SanDisk, but it is bundled only with some SanDisk products. If your product includes it, you can download it with the product serial number and use the serial to obtain an activation key.
Otherwise you must buy it from LC Technology. The free demo from LC Technology (the unactivated version) can only scan, not save (which is pointless).
Related sites:
http://www.lc-tech.com/rescuepro/
http://kb.sandisk.com/app/answers/detail/a_id/43
In the end this program proved good. It recovered 96% of the photos (569/591), more than the 90% that Digital Image Recovery recovered before the card was formatted (before the files were damaged).
▽ The blue part below is the photos found; select all and choose where to save (the Chinese localization is a bit sloppy though, mixing simplified and traditional characters, and the save button is labeled Open).



FinalData
The last one was recommended by Little Fox, who says long-term use shows it is reliable and it has recovered a lot of data. Having used it I believe that; it's just that my SD card was probably badly hurt....
>> FinalData Standard download
>> FinalData Enterprise download
The program is from the FinalData company and offers a 14-day free trial; one day is enough to rescue photos. It runs about as fast as SanDisk RescuePRO; on my Win 7 PC it finished in an hour or two.
Looking at the thumbnails and counting the photos: exactly the same as SanDisk's. (So that is probably the limit of what can be recovered.)
But another problem: after saving, the photos were all incomplete when opened. Even switching to large preview immediately exposed them... On closer inspection each recovered photo was only a few hundred KB, nearly ten times smaller than the several MB they should be.
▽ Thumbnails look fine, as if all photos were recovered

▽ Only at large preview or when opening the photo do you see the files are incomplete



Conclusion
In short:
1. When an SD card, CF card or other memory card is damaged, do not format it first. Do nothing at all to the card.
2. Product experience: in this rescue SanDisk's RescuePRO was the most successful; after the card was accidentally formatted it still recovered 569 of 591 photos, a 96% rate.
3. Although the last three were not tried before the card was formatted, I have good reason to believe they could have recovered the data before formatting. On that assumption, the completely free PC Inspector Smart Recovery, backed by a company, is probably the most suitable for ordinary users who want free software.
Finally, I stress that this is not a product review, just a simple account of using them; I did not even tune or configure the programs carefully, and there may be more powerful features I missed. I believe that if you run into a similar problem one day, all of these are worth a try.










Free Toolkits for Automating Malware Analysis


Automating some aspects of malware analysis is critical for organizations that process large numbers of malicious programs. Such automation allows analysts to focus on the tasks that require human insights. There are several free toolkits you can use as the starting point for building your own automated malware analysis lab. The focus of this post is on the tools you can install locally; I wrote about free web-based behavioral analysis services earlier.
Two feature-rich and highly customizable options are outlined below:


There are several other toolkits you may find useful for automating aspects of behavioral malware analysis:
  • Zero Wine by Joxean Koret is a full-featured tool for dynamically analyzing the behavior of Windows malware by running it within the WINE emulator on Linux.
  • Buster Sandbox Analyzer by Buster is a wrapper around the Sandboxie tool for Windows, which helps you examine the key actions of applications executed by Sandboxie in your lab.
  • Malheur by Konrad Rieck is a very promising tool for analyzing the volumes of data collected by behavioral sandboxes.
  • REMnux by yours truly is a lightweight Linux distribution for assisting malware analysts in reverse-engineering malicious software.


If you’re interested in building your own malware analysis toolkit for manual behavioral review, take a look at the article I wrote earlier. You may also be interested in reading about the limitations of automated malware analysis.
Lenny Zeltser



Reposted from http://blog.zeltser.com/post/1284687696/malware-analysis-tool-frameworks


Free Automated Malware Analysis Services

In my SANS Institute course, I teach security and systems professionals how to reverse-engineer malicious software. It is an interesting, but time-consuming process if you don't have the right skills and tools at hand.
There are several free automated malware analysis services that can examine compiled Windows executables to save us time and provide a sense about the specimen's capabilities:

These are the services I have come across. If you know of another reliable and free service I didn't list, please let me know.
My other lists of on-line security resources outline Blocklists of Suspected Malicious IPs and URLs and On-Line Tools for Malicious Website Lookups.

About the Author: Lenny Zeltser leads the security consulting practice at Savvis, where he focuses on designing and operating security programs for cloud-based IT infrastructure. Lenny's other area of specialization is malicious software; he teaches how to analyze and combat malware at SANS Institute. Lenny explores security topics at conferences, in books and in articles. He also volunteers as an incident handler at the Internet Storm Center. You can follow Lenny on Twitter and read his blog.


Reposted from http://zeltser.com/reverse-malware/automated-malware-analysis.html

Confused by the Personal Data Act? Seven real cases explain it




The Personal Data Protection Act was promulgated by presidential decree on 26 May 2010, but its enforcement rules are still lacking. Perhaps because the law is new, many people are still unfamiliar with their rights, enterprises are taking a wait-and-see attitude, and even the competent authorities are not entirely clear about their own roles and responsibilities. We would like to use some recently observed examples to explain the articles behind these events, and hope that the case discussion draws more attention to the act.

Case 1:
All of the company's computer equipment that processes customer data is located in a regional center abroad; since the equipment is not in Taiwan, the new Personal Data Act does not apply.

Explanation: some members of the public believe that as long as the servers or network equipment are not located in Taiwan, our laws can be evaded.

Under Article 2 of the Personal Data Protection Act, international transmission is defined as the cross-border processing or use of personal data. Under Article 21, where a non-government agency transmits personal data internationally and the case involves major national interests, or uses an indirect route to transmit personal data to a third country (region) to circumvent the act, the central competent authority may restrict it; Article 41 further provides that violating a restriction order or disposition of the central competent authority on international transmission, causing damage to others, is punishable by up to two years' imprisonment, detention, and/or a fine of up to NT$200,000.

As for administrative penalties, where Article 6(1), 15, 16, 19 or 20(1), or a restriction order or disposition on international transmission under Article 21, is violated causing damage to others, Article 43 provides that a national of the Republic of China who commits the offences of the preceding two articles against a national of the Republic of China outside its territory is also subject to the act. So even if the equipment is not within the territory of the Republic of China, the company is still governed by the Personal Data Protection Act.

Case 2:
Many enterprises currently use seminars or lectures where attendees supply referral lists for later sales use; after the act passes, potential customer data may still be obtained this way.

Explanation: under Article 19 of the act, the collection or processing of personal data by a non-government agency must have a specific purpose and satisfy the statutory conditions. Under Article 9, notifying the data subject before processing or use suffices. Therefore, if the old collection method is still used but the data subject is not notified, the data cannot be processed or used; in other words, the enterprise can no longer obtain personal data through this channel unless the data subject consents.

Case 3:
A membership club recently launched a "returning customer" campaign, sending invitations and text messages in the hope that lapsed members will re-sign at a discount.

Explanation: under Article 19, a contractual or quasi-contractual relationship with the data subject exists, so the campaign is not unlawful. However, under Article 11, when the specific purpose of collection no longer exists or the period expires, the data must be deleted or its processing or use stopped, on the agency's own initiative or at the data subject's request. Under Article 13, an agency receiving such a request may extend the period of use but not beyond a set limit, and must notify the requester of the reason in writing. So once the contractual relationship no longer exists, the enterprise should stop using the collected personal data on its own initiative.

Case 4:
A chain store's promotion says that, to comply with the amended act, members should update their member data so they can receive discounts in future.

Explanation: since they are members, under Article 19 a contractual or quasi-contractual relationship exists and the campaign is not unlawful. However, under Article 8, when a government or non-government agency collects personal data from the data subject it must clearly inform them of the agency's name, the purpose of collection, the manner of use and so on. Under Article 15, collection or processing by a government agency requires a specific purpose and the data subject's written consent. According to the Ministry of Justice, this "written" consent must be on paper to meet the statutory requirement unless it is given by electronic signature; enterprises should take note of this.

Case 5:
A customer brings a purchased appliance in for repair and gives a contact phone number and e-mail on the repair form so they can be notified of the result. When collecting the repaired item, the customer asks the shop to return the repair form because it carries their personal data.

Explanation: under Article 15, collection or processing by a government agency must have a specific purpose and the data subject's written consent, so the shop need not return the repair form. At the same time, under Article 8, an agency collecting personal data from the data subject must clearly inform them of the period, region, recipients and manner of use. So unless the shop has fulfilled this duty of notification, it may not use the personal data from the repair form for any other purpose.

Case 6:
A financial institution plans to issue a co-branded card, obtains member data from the partner company, advertises widely to encourage members to apply, and asks them to leave personal data for marketing.

Explanation: Article 9 states that an agency collecting personal data not provided by the data subject must inform them of the source before processing or use. Under Article 8, collecting personal data from the data subject without written consent and without clearly stating the purpose of use violates the act.

Case 7:
A candidate for public office mass-mails campaign material using data provided by supporters and claims this is outside the scope of the act.

Explanation: Article 2 defines a non-government agency to include natural persons, legal persons and other organizations, so the candidate is equally bound by Articles 9 and 8: an agency collecting personal data not provided by the data subject must inform them of the source before processing or use.
Conclusion
Although the new law has just taken effect, we earnestly hope the competent authorities will set enforcement rules that meet industry needs and implement them thoroughly, while also considering how to raise public awareness of the act so people can protect their rights. Most importantly, every organization should review its internal personal data practices, including collection, processing, use, transmission and destruction; only then can a three-way win be achieved, which was the purpose of the amendment in the first place.



(The author currently works at a management consulting firm)



Reposted from http://www.isecutech.com.tw/article/article_detail.aspx?tv=71&aid=5915


FTK Imager 3

FTK Imager has always been the crème de la crème of free forensic tools and now with the introduction of FTK Imager 3 it is even better.


Access Data have added some amazing functionality to this program's already extensive list of capabilities - in fact, to steal a phrase, it's almost magical, and it is certainly available at an unbelievable price. So what am I referring to?
The answer of course is the new image mounting feature which allows a user to mount an image as a drive or physical device. Encase evidence files, Smart image files, Advanced Forensic Format images and dd images are supported.



Additionally Encase Logical Evidence Files and Access Data's AD1 custom content images can be mounted logically. Full details in the Release Notes.


This functionality is accessed via File/Image Mounting.

In this screenshot I have chosen to mount a drive from a Mac which includes a Bootcamp partition.

This resulted in the EFI partition, the HFS+ partition and the NTFS Bootcamp partition all being given a drive letter. The whole drive is allocated the Physical Drive Number 4 in this example.


All of these resources are now available natively upon the machine that FTK Imager 3 is running on. The Physical Disk however is not listed in Disk Management nor does this functionality appear to install any devices within Device Manager.
Logical mounting of non-Windows partitions (HFS+, EXT3 et al.) will present an Explorer view of these file systems as FTK Imager itself sees them (à la Encase VFS).


This functionality provides many benefits and, at first look at least, renders the costly alternatives of PFS/VFS and Mount Image Pro redundant. It also raises the bar in how we can construct virtual machines from images, due to the ability to mount more than one drive at once, thus simplifying the creation of multi-drive VMs. The functionality also makes it easy for non-techies (lawyers, fraud investigators et al.) to peruse images.


FTK Imager 3 also introduces support for the VXFS, exFAT and EXT4 file systems. As we sometimes say in England, it's the dog's..

Reposted from http://forensicsfromthesausagefactory.blogspot.com/2010/10/ftk-imager-3.html

Challenges of Windows physical memory acquisition and exploitatio

A Forensic Analysis Of The Windows Registry


Derrick J. Farmer
Champlain College
Burlington, Vermont
dfarmer03@gmail.com


Abstract
This paper will introduce the Microsoft Windows Registry database and explain how critically important a registry examination is to computer forensics experts. In essence, the paper will discuss various types of Registry 'footprints' and delve into examples of what crucial information can be obtained by performing an efficient and effective forensic examination. Many of the Registry keys that are imperative and relevant to an examination will also be discussed.

Acknowledgments
This paper is primarily a product of research, but may also serve as a reference for a Windows Registry examination. For the sake of simplicity, there will only be reference to the Windows XP operating system, even though earlier versions of Windows utilize the Registry, contain similar characteristics, and even apply many of the same concepts. The reason XP was chosen to be discussed over other versions of Windows is that it remains popular and very widely used among average computer users, thus the chance of encountering it in a forensic examination is higher. Windows XP is still very current and much of the same information can still be applied to previous versions of Windows. The illustrations throughout this paper are intended to provide a better understanding of the subject being discussed. All of the screenshot images contained in this paper were captured from the Windows XP system on which the research was conducted. The P2P client programs that were downloaded, installed, used, and examined were for the purpose of research only. Searches were conducted and files were downloaded from these networks, not to engage in illegal or malicious activity, but to help provide a better understanding of the software's architecture and how it utilizes the Windows Registry from a forensics standpoint.


Introduction

The Importance of a Registry Examination
Today's society relies heavily on computers and the internet to accomplish everyday tasks, which includes practically everything from communicating and shopping online to banking and investing. It is much more common to send or receive an email than a physical letter. Along with the increasing use of computers and the internet comes a little problem called computer crime, facetiously speaking. Computer crimes present exorbitant issues in today's society, including, but certainly not limited to, fraud, identity theft, phishing, network infiltration, DoS attacks, piracy of copyrighted material, and CP. With computer crimes on the rise, it is becoming extremely crucial for law enforcement officers and digital forensic examiners to understand computer systems and be able to examine them efficiently and effectively. In order to do this, how operating systems work must be explored from the inside out. The Registry is the heart and soul of the Microsoft Windows XP operating system and an enormous amount of information can be derived from it.

History
First, it is important to understand what the Registry is, why it exists, and the types of information it contains. Virtually everything done in Windows refers to or is recorded into the Registry. A program called RegMon by Sysinternals can be used to display registry activity in real time. After running this program it is apparent that registry access barely remains idle. The Registry is referenced in one way or another with every action taken by the user.
The Microsoft knowledge database and also the Microsoft Computer Dictionary, Fifth Edition, define the registry as:
A central hierarchical database used in Microsoft Windows 9x, Windows CE, Windows NT, and Windows 2000 used to store information necessary to configure the system for one or more users, applications and hardware devices.
The Registry was first introduced with Windows 95 and has been incorporated into many Microsoft operating systems since. Although some versions slightly differ, they all are essentially composed of the same structure and serve the main purpose of a configuration database. The Registry replaces configuration files that were used in MS-DOS, such as config.sys and autoexec.bat. The primary purpose of config.sys was to load device drivers and the primary purpose of autoexec.bat was to run startup programs and set environment variables - the Registry now handles these functions. In addition to replacing DOS configuration files, the Registry also replaces the text-based initialization (.ini) files that were introduced in Windows 3.0. The .ini files - specifically win.ini and system.ini - store user settings and operating system parameters.
This very basic history of the Windows Registry, why it was implemented, and some of its functions are the core fundamentals of understanding the structure and what each part of the Registry pertains to.

Structure of the Windows Registry
By opening the Registry Editor (by typing 'regedit' in the Run dialog), the Registry can be seen as one unified 'file system'. The left-hand pane, also known as the key pane, contains an organized listing of what appear to be folders. The five top-level folders are called 'hives' and begin with 'HKEY' (an abbreviation for Handle to a Key). Although five hives can be seen, only two of these are actually 'real': HKEY_USERS (HKU) and HKEY_LOCAL_MACHINE (HKLM). The other three are shortcuts or aliases to branches within one of those two hives. Each of the five hives is composed of keys, which contain values and subkeys. Values are the named items within a key; each value holds specific data pertaining to the operating system or to the applications that depend upon it.
A common analogy used to help understand the structure of the Windows Registry is a comparison with the Windows Explorer file system; the two are very similar in structure. The key pane of the Registry is much like the hierarchical structure of the left-hand pane in Windows Explorer. The keys and subkeys located within the five main hives are similar to folders and subfolders in Windows Explorer, and a key's value is similar to a file within a folder. In the right-hand pane of the Registry Editor, a value's name is similar to a file's name, its type is similar to a file's extension, and its data is similar to the actual contents of the file.

Figure 1 - Structure of the Windows Registry

Root Key Functions:
Below are listed the five hierarchical hives seen in Figure 1, with a very basic description of each. Beside each root key, in parentheses, is the abbreviation it is commonly referred to by, which will be used frequently throughout the paper.
1. HKEY_CLASSES_ROOT (HKCR)
Information stored here ensures that the correct program opens when a file is opened in Windows Explorer. It also contains further details on drag-and-drop rules, shortcuts, and information on the user interface. Alias for: HKLM\Software\Classes
2. HKEY_CURRENT_USER (HKCU)
Contains configuration information for the user who is currently logged into the system, including the user's folders, screen colors, and Control Panel settings. Alias for a user-specific branch in HKEY_USERS. The generic information that usually applies to all users is in HKU\.DEFAULT.
3. HKEY_LOCAL_MACHINE (HKLM)
Contains hardware-specific information about the machine the operating system runs on. It includes a list of drives mounted on the system and generic configurations of installed hardware and applications.
4. HKEY_USERS (HKU)
Contains configuration information for all user profiles on the system, covering application configurations and visual settings.
5. HKEY_CURRENT_CONFIG (HKCC)
Stores information about the system's current configuration. Alias for: HKLM\Config\profile

Examination Tools
Currently, there are many tools available to forensic examiners for extracting evidentiary information from the Registry. The tool used in this paper to analyze and navigate the registry is Registry Editor (regedit.exe). Registry Editor is free and available on any installation of Microsoft Windows XP with administrator privileges.

Registry Examination
The Registry as a Log
All Registry keys have a value associated with them called the 'LastWrite' time, which is very similar to the last modification time of a file. This value is stored as a FILETIME structure and indicates when the Registry key was last modified. According to the Microsoft Knowledge Base, a FILETIME structure represents the number of 100-nanosecond intervals since January 1, 1601. The LastWrite time is updated when a Registry key has been created, modified, accessed, or deleted. Unfortunately, only the LastWrite time of a Registry key can be obtained; there is no LastWrite time for an individual Registry value.
Harlan Carvey, author of Windows Forensics and Incident Recovery, refers to a tool called Keytime.exe, which allows an examiner to retrieve the LastWrite time of any specific key. Keytime.exe can be downloaded from http://www.windowsir.com/tools.html.
Knowing the LastWrite time of a key allows a forensic analyst to infer the approximate date or time an event occurred. Although one may know the last time a Registry key was modified, it remains difficult to determine which value was actually changed. Using the Registry as a log is most helpful when correlating the LastWrite time of a Registry key with other sources of information, such as MAC (modified, accessed, or created) times found within the file system. However, a comprehensive discussion of that process is outside the scope of this paper.
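The FILETIME arithmetic just described, as an added example (not code from the paper or from Keytime.exe): it converts the 64-bit count of 100-nanosecond intervals since 1601 to a UTC timestamp and back, and decodes the 8-byte little-endian form in which a LastWrite time is stored. The sample value is constructed.

```python
from datetime import datetime, timedelta, timezone
import struct

# A FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
INTERVALS_PER_SECOND = 10_000_000


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a 64-bit FILETIME integer to a timezone-aware UTC datetime."""
    if not 0 <= filetime < 2 ** 64:
        raise ValueError("FILETIME must be an unsigned 64-bit integer")
    # Python datetimes carry microseconds, so the 100 ns digit is dropped.
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(moment: datetime) -> int:
    """Inverse conversion; a naive datetime is treated as UTC."""
    if moment.tzinfo is None:
        moment = moment.replace(tzinfo=timezone.utc)
    delta = moment - FILETIME_EPOCH
    seconds = delta.days * 86_400 + delta.seconds
    return seconds * INTERVALS_PER_SECOND + delta.microseconds * 10


def filetime_from_registry_bytes(raw: bytes) -> int:
    """Decode the 8-byte little-endian layout (dwLowDateTime then
    dwHighDateTime) in which a FILETIME sits inside REG_BINARY data or a
    raw hive file."""
    if len(raw) != 8:
        raise ValueError("a FILETIME occupies exactly 8 bytes")
    low, high = struct.unpack("<II", raw)
    return (high << 32) | low


def describe_lastwrite(raw: bytes) -> str:
    """Render a raw LastWrite timestamp as ISO 8601 UTC, the form an examiner
    would place beside file-system MAC times when building a timeline."""
    return filetime_to_datetime(filetime_from_registry_bytes(raw)).isoformat()


if __name__ == "__main__":
    # Constructed sample: 2007-04-08 00:00:00 UTC expressed as a FILETIME.
    sample = datetime_to_filetime(datetime(2007, 4, 8, tzinfo=timezone.utc))
    print(sample, filetime_to_datetime(sample))
    print(describe_lastwrite(struct.pack("<Q", sample)))
```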
Autorun Locations
Autorun locations are Registry keys that launch programs or applications during the boot process. It is generally good practice to look here, depending on the type of case. For instance, if a computer is suspected of having been involved in a system intrusion, the autorun locations should be examined. If the user denies involvement, it is possible their own system was compromised and used to initiate the attack. In such a case, the autorun locations could show that the system had a trojan backdoor installed, leaving it open for an attacker to use at their discretion.
List of common autorun locations:
HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
(ProfilePath)\Start Menu\Programs\Startup

MRU lists
MRU, or 'most recently used', lists contain entries made as a result of specific actions performed by the user. There are numerous MRU lists located throughout various Registry keys. The Registry maintains these lists of items in case the user returns to them in the future. It is broadly similar to the way history and cookies work in a web browser. One example of an MRU list located in the Windows Registry is the RunMRU key. When a user types a command into the 'Run' box via the Start menu, the entry is added to this Registry key. The location of this key is HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU and its contents can be seen in Figure 2. The chronological order of applications executed via 'Run' can be determined by looking at the Data column of the 'MRUList' value. The first letter of this is 'g', which tells us that the last command typed in the 'Run' window was to execute notepad. Also, the LastWrite time of the RunMRU key will correlate with the last application executed in 'Run', or in this case application 'g'.
With the information provided from the RunMRU key, an examiner can gain a better understanding of the user they are investigating and the applications that are being used. In reference to Figure 2, it is apparent the user has sufficient knowledge of the Windows operating system - based on applications that have been executed, such as msconfig, cmd, sysedit, and regedit.

Figure 2 - RunMRU key
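Reading a RunMRU key the way the paragraph above does, as an added example that is not part of the paper: the MRUList string gives the order, most recent first, and each lettered value holds the command with the "\1" suffix Windows appends. The values below are constructed, not the contents of Figure 2.

```python
# Constructed sample of a RunMRU key's values, shaped like what regedit shows.
# MRUList lists the entry letters most recent first, so 'g' (notepad) is the
# last command typed into Run.
SAMPLE_RUNMRU = {
    "a": "cmd\\1",
    "b": "msconfig\\1",
    "c": "regedit\\1",
    "d": "sysedit\\1",
    "e": "calc\\1",
    "f": "C:\\tools\\p2ktools.exe\\1",
    "g": "notepad\\1",
    "MRUList": "gfedcba",
}


def runmru_history(values: dict) -> list:
    """Return (letter, command) pairs in reverse chronological order, most
    recent first, following the MRUList ordering. A letter present in MRUList
    but lacking a value is reported as missing rather than dropped, so a
    deleted entry does not silently vanish from the timeline."""
    history = []
    for letter in values.get("MRUList", ""):
        command = values.get(letter)
        if command is None:
            history.append((letter, "<missing value>"))
            continue
        # Strip the "\1" suffix Windows appends to every RunMRU command.
        if command.endswith("\\1"):
            command = command[:-2]
        history.append((letter, command))
    return history


def orphaned_entries(values: dict) -> list:
    """Letters that hold a command but are absent from MRUList: stale slots
    that Explorer no longer counts as part of the list."""
    listed = set(values.get("MRUList", ""))
    return sorted(k for k in values if len(k) == 1 and k.isalpha() and k not in listed)


def last_run(values: dict):
    """The entry the key's LastWrite time most plausibly corresponds to."""
    history = runmru_history(values)
    return history[0] if history else None


if __name__ == "__main__":
    for letter, command in runmru_history(SAMPLE_RUNMRU):
        print(letter, command)
    print("orphaned:", orphaned_entries(SAMPLE_RUNMRU))
```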

UserAssist
The UserAssist key, HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist, contains two or more subkeys with long hexadecimal names that appear to be globally unique identifiers (GUIDs). Each subkey records values that pertain to specific objects the user has accessed on the system, such as Control Panel applets, shortcut files, programs, etc. These values, however, are encoded with ROT-13, a form of Caesar cipher. This particular encoding is easy to undo, since each letter is simply replaced by the letter 13 positions further along in the alphabet, wrapping around from Z back to A. A faster and easier way to decode it is an online ROT-13 decoder, such as http://www.edoceo.com/utilis/rot13.php.

Figure 3 - UserAssist Key

Figure 3a - ROT-13 cipher decoded
With the UserAssist key, a forensic examiner can gain a better understanding of what types of files or applications have been accessed on a particular system. Even though these entries are not definitive, since they cannot be associated with a specific date and time, they may still indicate a specific action by the user.
For instance, in the example of Figures 3 and 3a the decoded value yields a fair amount of information. First, it gives the name of the user profile - 'Cpt. Krunch' - from which the .exe was executed. Cpt. Krunch could also be a handle or an alias of some sort. Second, researching 'p2ktools.exe' shows that it is a program used for editing and managing Motorola cell phones. Finally, it shows that the user keeps the p2ktools folder in a parent directory called 'Razor programs', located on their desktop. Not only does this give the location where similar programs may reside, but the name of this directory is a good indicator that the suspect has a Motorola Razor cell phone. If so, that too should be seized for further analysis.
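The decoding and reading of a UserAssist value name walked through above, as an added example that is not part of the paper: the ROT-13 shift is implemented directly, and the decoded UEME_RUNPATH entry is split into the profile name, directory and executable that the paragraph reads off Figure 3a. The encoded sample is constructed from those names; the value's binary data is not interpreted here.

```python
import re

# Constructed sample: ROT-13 of
# "UEME_RUNPATH:C:\Documents and Settings\Cpt. Krunch\Desktop\Razor programs\p2ktools\p2ktools.exe"
ENCODED_SAMPLE = (
    "HRZR_EHACNGU:P:\\Qbphzragf naq Frggvatf\\Pcg. Xehapu\\Qrfxgbc"
    "\\Enmbe cebtenzf\\c2xgbbyf\\c2xgbbyf.rkr"
)

# Profile root of a Windows XP user path; group 1 is the profile name.
PROFILE_PATH = re.compile(r"^[A-Za-z]:\\Documents and Settings\\([^\\]+)\\(.*)$")


def rot13(text: str) -> str:
    """Shift every letter 13 places along the alphabet, wrapping round.
    Applying the shift twice restores the original, so the same function both
    encodes and decodes. Digits, punctuation and backslashes are untouched."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + 13) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + 13) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def parse_userassist_name(encoded: str) -> dict:
    """Decode one UserAssist value name and extract the fields an examiner
    reads from it: the UEME_ tag, the recorded path, the user profile the path
    lies under, and the directory and program name. Tags with no path
    (e.g. the session counter entry) yield None for the path-derived fields."""
    decoded = rot13(encoded)
    tag, _, path = decoded.partition(":")
    info = {"tag": tag, "path": path, "profile": None, "directory": None, "program": None}
    if not path:
        return info
    match = PROFILE_PATH.match(path)
    if match:
        info["profile"] = match.group(1)
    directory, _, program = path.rpartition("\\")
    info["directory"] = directory
    info["program"] = program
    return info


if __name__ == "__main__":
    for field, value in parse_userassist_name(ENCODED_SAMPLE).items():
        print(f"{field:>10}: {value}")
```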

Wireless Networks
Wireless networks are popular today and are only becoming more so. A wireless Ethernet card picks up wireless access points within its range, which are identified by their SSID, or service set identifier. When an individual connects to a network or hotspot, the SSID is logged within Windows XP as a preferred network connection. Unsurprisingly, this can be found in the Registry in the HKLM\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces key. Beneath this key there may be subkeys that, like those under UserAssist, look like GUIDs. Each should contain the values 'ActiveSettings' and 'Static#0000', and there may be additional values beginning with 'Static#' that are sequentially numbered. The binary data of these 'Static#' values holds the SSIDs of all the wireless access points the system has connected to. This can be seen by right-clicking the value and selecting 'Modify', as shown in Figure 4.

Figure 4 - SSID 'flynn-net'
In addition to logging the SSID, Windows also logs the network settings of that particular connection, such as the IP address, DHCP domain, subnet mask, etc. The Registry key in which this can be found is HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\, which is illustrated in Figure 4a.

Figure 4a - Network settings of SSID 'flynn-net'
Based on this wireless network information, a forensic examiner can determine whether a user connected to a specific wireless access point, the timeframe, and the IP address they were assigned by the DHCP server. For instance, in a case involving a child pornography suspect who was war-driving between network connections and using them illegally, these methods would be very useful. Analysing the suspect's computer would make it possible to see which network connections they used and the IP address that was assigned, further supporting a subpoena to the ISP.

LAN Computers
Windows XP implements a network browsing tool called My Network Places, which allows users to easily find other computers within a LAN, or Local Area Network. A computer on a properly configured LAN should be able to display all the computers on that network through My Network Places. This list of computers, like many other things, is stored in the Registry. Therefore, even after the user is no longer connected to the LAN, the list of devices still remains, including desktop computers, laptops, and printers. The Registry key where this information is stored is HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions.
The ComputerDescriptions key is useful in determining whether or not a user was connected to certain computers or belonged to a specific LAN. Figure 5 displays the output of this key.

Figure 5 - List of computers associated with a LAN

USB Devices
There is enough information on this topic to fill an entire research paper; however, within the scope of this paper only the basics will be discussed, to show the most relevant Registry keys.
Any time a device such as a thumb drive is connected to the Universal Serial Bus (USB), drivers are queried and the device's information is stored in the Registry. The first important key is HKLM\SYSTEM\ControlSet00x\Enum\USBSTOR. This key stores the product and device ID values of every USB storage device that has ever been connected to the system. Figure 6 reveals the contents of this key, all of which can be interpreted: it lists an iPod, two external hard drives, a digital video camcorder, and several different thumb drives.

Figure 6 - Contents of USBSTOR key
Beneath each device is the Device ID, which is also a serial number. The serial numbers of these devices are unique values assigned by the manufacturer, much like the MAC address of a network interface card. Therefore, a particular USB device can be identified to determine whether or not it has been connected to other Windows systems. Carvey, in his article The Windows Registry as a Forensic Resource, mentions an important consideration to keep in mind regarding USB device IDs: not every thumb drive has a serial number, in particular those whose device ID has an '&' as its second character. In Figure 6, the Device ID that is pointed out has a serial number. However, if the '0' were an '&', that would indicate to an examiner that the device does not have a designated serial number. An example of a device without an assigned serial number can be seen in Figure 6a, a Western Digital 250GB external hard drive.

Figure 6a - USB device without a designated Device ID
Knowing what USB devices have been connected to a system can assist an examiner in collecting additional evidence that may be crucial to the investigation.
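Taking an inventory of USBSTOR entries and applying the '&' rule above, as an added example that is not part of the paper: each device key is split into class, vendor, product and revision, and each instance ID is classified as a manufacturer serial or a Windows-generated ID. The key names and IDs below are constructed, not those in Figure 6.

```python
import re

# Constructed sample of USBSTOR subkeys mapped to their instance-ID subkeys,
# following the "Class&Ven_X&Prod_Y&Rev_Z" layout the paper describes.
SAMPLE_USBSTOR = {
    "Disk&Ven_SanDisk&Prod_Cruzer_Micro&Rev_8.02": ["0000161A2B3C4D5E&0"],
    "Disk&Ven_WD&Prod_2500BEV_External&Rev_1.05": ["6&2b1c3d4e&0"],
    "Disk&Ven_Apple&Prod_iPod&Rev_1.62": ["000A27001234ABCD&0"],
}

DEVICE_KEY = re.compile(
    r"^(?P<cls>[^&]+)&Ven_(?P<ven>[^&]*)&Prod_(?P<prod>[^&]*)&Rev_(?P<rev>.*)$"
)


def parse_device_key(name: str) -> dict:
    """Split a USBSTOR device key name into its four fields."""
    match = DEVICE_KEY.match(name)
    if not match:
        raise ValueError(f"not a USBSTOR device key: {name!r}")
    return {field: match.group(field) for field in ("cls", "ven", "prod", "rev")}


def parse_instance_id(instance: str) -> dict:
    """Separate the serial portion from the trailing '&n' interface index and
    apply the '&' rule: when the second character is '&', Windows generated
    the ID itself because the device reported no serial number, so the value
    cannot be used to match the device against other systems."""
    serial, sep, index = instance.rpartition("&")
    if not sep:
        serial, index = instance, ""
    windows_generated = len(instance) > 1 and instance[1] == "&"
    return {
        "serial": None if windows_generated else serial,
        "interface": index,
        "windows_generated": windows_generated,
    }


def inventory(usbstor: dict) -> list:
    """One row per device instance: vendor, product, revision and whether the
    serial can be relied on for cross-system correlation."""
    rows = []
    for key, instances in usbstor.items():
        device = parse_device_key(key)
        for inst in instances:
            rows.append({**device, **parse_instance_id(inst), "instance": inst})
    return rows


if __name__ == "__main__":
    for row in inventory(SAMPLE_USBSTOR):
        tag = "no manufacturer serial" if row["windows_generated"] else row["serial"]
        print(f"{row['ven']:8} {row['prod']:18} {tag}")
```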

Mounted Devices
There is a key in the Registry that makes it possible to view each drive associated with the system. The key is HKLM\SYSTEM\MountedDevices, and it stores a database of mounted volumes that is used by the NTFS file system. The binary data of each \DosDevices\x: value contains information identifying that volume. This is demonstrated in Figure 7, where \DosDevices\F: is a mounted volume listed as 'STORAGE Removable Media'.

Figure 7 - Identification of volume \DosDevices\F:
This information can be useful to a digital forensics examiner as it shows the hardware devices that should be connected to the system. Therefore, if a device is shown in the MountedDevices list but is not physically present, it may indicate that the user removed the drive in an attempt to conceal evidence. In that case, the examiner would know there is additional evidence that needs to be seized.
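Decoding the binary data behind a \DosDevices\x: value, as an added example that is not part of the paper. It handles the two layouts found on XP: a 12-byte MBR disk signature plus partition offset for fixed disks, and a UTF-16LE device path such as the '\??\STORAGE#RemovableMedia#...' entry Figure 7 shows for F:. The sample values are constructed; the volume interface GUID in the removable path is the standard one Windows uses.

```python
import struct


def decode_mounted_device(data: bytes) -> dict:
    """Interpret the REG_BINARY data of a MountedDevices value.
      * 12 bytes: 4-byte MBR disk signature + 8-byte partition byte offset
        (fixed disks partitioned with an MBR);
      * UTF-16LE device path starting with "\\??\\" (removable media and
        other device-path entries).
    Anything else is reported as unknown rather than guessed at."""
    if len(data) == 12:
        signature, offset = struct.unpack("<IQ", data)
        return {
            "kind": "mbr_partition",
            "disk_signature": f"{signature:08X}",
            "partition_offset": offset,
            # Offsets are normally whole 512-byte sectors; otherwise leave None.
            "sector_lba": offset // 512 if offset % 512 == 0 else None,
        }
    if len(data) % 2 == 0:
        try:
            text = data.decode("utf-16-le")
        except UnicodeDecodeError:
            text = ""
        if text.startswith("\\??\\"):
            kind = "removable" if "#RemovableMedia#" in text else "device_path"
            return {"kind": kind, "device_path": text}
    return {"kind": "unknown", "raw": data.hex()}


def mounted_volumes(mounted_devices: dict) -> dict:
    """Map each drive letter to its decoded description, giving the list of
    hardware that should be present which the paper describes."""
    prefix = "\\DosDevices\\"
    result = {}
    for name, data in mounted_devices.items():
        if name.startswith(prefix):
            result[name[len(prefix):]] = decode_mounted_device(data)
    return result


# Constructed sample: C: is an MBR partition starting at LBA 63 on a disk with
# signature A1B2C3D4; F: is a removable device (instance path invented).
SAMPLE_MOUNTED_DEVICES = {
    "\\DosDevices\\C:": struct.pack("<IQ", 0xA1B2C3D4, 63 * 512),
    "\\DosDevices\\F:": (
        "\\??\\STORAGE#RemovableMedia#7&1a2b3c4d&0&RM"
        "#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    ).encode("utf-16-le"),
}


if __name__ == "__main__":
    for letter, description in mounted_volumes(SAMPLE_MOUNTED_DEVICES).items():
        print(letter, description)
```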

Internet Explorer
Internet Explorer is the native web browser in Windows operating systems. Like many of the applications discussed so far, it uses the Registry extensively to store data. Internet Explorer stores its data in the HKCU\Software\Microsoft\Internet Explorer key. Three subkeys within the Internet Explorer key are of most importance to the forensic examiner. The first is HKCU\Software\Microsoft\Internet Explorer\Main. This key stores the user's Internet Explorer settings, such as search bars, start page, form settings, etc. The second, and most important to a forensic examiner, is HKCU\Software\Microsoft\Internet Explorer\TypedURLs. Figure 8 shows the content of the TypedURLs key.

Figure 8 - TypedURLs key
From this data an examiner could conclude that the user possibly has gmail and hotmail email addresses, engages in online banking at tdbanknorth, is interested in digital forensics websites, and perhaps attends college at Champlain and has been researching apartments in the area.
The third subkey that may interest an examiner is HKCU\Software\Microsoft\Internet Explorer\Download Directory. This key reveals the last directory used to store a file downloaded with Internet Explorer, giving the examiner an idea of where the user stores their files.

Opera, Netscape, and Firefox
To the best of my knowledge, none of these browsers use the Registry in the way that Internet Explorer does. Internet Explorer stores web history in a file called Index.dat, which is referenced in the Windows Registry database; hence we can see history contents in the TypedURLs key.
Opera, on the other hand, stores its history in a file called opera.dir. The default location of this file is C:\Documents and Settings\User Profile\Application Data\Opera\Opera\profile\. After installing and using this browser, the only remnants of Opera located in the Registry were install paths. In fact, according to the list of Opera's features (http://operawiki.info/WhyOpera), two of the many reasons people choose this browser are that it does not use the Registry to store data and that it is very small. It is only a 1.8 MB executable, and according to the 'Add or Remove Programs' applet in Control Panel, the total installation is only 5.33 MB.
Like Opera, Netscape and Firefox leave limited footprints (other than install paths) in the Registry. Netscape and Firefox both store web history in a history.dat file, which is in ASCII format and plainly readable when opened. The location of the history.dat file for Firefox is C:\Documents and Settings\User Profile\Application Data\Mozilla\Firefox\Profiles\x.default\ and for Netscape is C:\Documents and Settings\derrick.farmer\Application Data\Netscape\NSB\Profiles\x.default\. An in-depth analysis of these browsers is outside the scope of this paper, as they are not relevant to a Windows Registry examination.

P2P Clients
Peer-to-Peer (P2P) networks are notorious for providing users with the ability to distribute illegal and sometimes unethical materials. Three popular P2P clients were downloaded, installed, used, and examined for the purpose of this research: Limewire, Kazaa, and Morpheus.

Limewire
The research conducted on Limewire was somewhat inconclusive in regard to a Registry examination. There were very minimal footprints of user activity, and no logs of searches or downloaded files could be found. The most helpful thing discovered in the Registry was the program's install paths. Knowing this gives the exact location to look in the file system. In a default installation of Limewire the install directory is C:\Program Files\Limewire and the share directory is C:\Documents and Settings\User Profile\Shared.

Kazaa
Kazaa, however, was a bit more successful. Two Registry keys of interest were discovered. The first was HKCU\Software\Kazaa, which contained many user settings that could be useful to an investigator. For instance, beneath the Kazaa key there is a subkey called ResultsFilter, which shows the value of 'adult_filter_level'. This setting filters adult content from search results. If the value of adult_filter_level is (1) the filter is enabled, and if it is (0) it is disabled. By default Kazaa enables the adult filter, so if this setting is disabled it is a good indication that the user took the initiative to do so in the Kazaa options menu. Figure 9 shows the location of this key and the information it contains.

Figure 9 - Kazaa key
The other Kazaa Registry key worth pointing out is HKLM\Software\Kazaa. This key contains subkeys that hold connection information and the destination directory of downloaded files, which show that a default installation of Kazaa stores downloaded files in C:\Program Files\Kazaa\My Shared Folder.

Morpheus
Of the three P2P clients that were researched, Morpheus was the only one that kept a log in the Registry of recently searched for keywords or phrases. The location of this key is HKCU\Software\Morpheus\GUI\SearchRecent and can be seen in Figure 10.

Figure 9a - Morpheus recent search list
If an examiner is investigating a case where the user is suspected to have used Morpheus to download illegal content, this key could be very useful in seeing exactly the type of material the user was querying.

One Thing in Common
Research on these three P2P clients revealed one Registry key that they all had in common:
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
This is the list of applications that are allowed 'outside access' by the Windows Firewall introduced in SP2. If the P2P programs were not included in this list, they would not be assigned a TCP or UDP port to reach the P2P client's servers and would consequently be blocked. Therefore, any program used for file sharing should appear on this list. This is a good place for a forensic examiner to look when determining whether the system has other file-sharing applications that have been overlooked.

Figure 9b - Firewall Authorized Applications key
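Parsing the AuthorizedApplications\List values to find the overlooked applications the paragraph above suggests looking for, as an added example that is not part of the paper. It assumes the XP SP2 value format, in which each value's data reads "path:scope:Enabled|Disabled:display name"; that layout is from my own knowledge, not from the paper, and the entries below are constructed.

```python
# Constructed sample of AuthorizedApplications\List values: the value name is
# the program path and the data repeats it as "path:scope:state:name".
SAMPLE_LIST = {
    "C:\\Program Files\\Kazaa\\kazaa.exe":
        "C:\\Program Files\\Kazaa\\kazaa.exe:*:Enabled:Kazaa",
    "C:\\Program Files\\Morpheus\\Morpheus.exe":
        "C:\\Program Files\\Morpheus\\Morpheus.exe:*:Enabled:Morpheus",
    "C:\\WINDOWS\\system32\\sessmgr.exe":
        "C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:Remote Assistance",
    "C:\\Documents and Settings\\user\\Local Settings\\Temp\\updater.exe":
        "C:\\Documents and Settings\\user\\Local Settings\\Temp\\updater.exe:*:Enabled:Updater",
}


def parse_authorized_application(data: str) -> dict:
    """Split 'C:\\path\\app.exe:*:Enabled:Name' into its fields. The first ':'
    belongs to the drive letter, so the field split starts after it; a name
    containing ':' survives because at most three splits are made."""
    drive, rest = data[:2], data[2:]
    if len(drive) != 2 or drive[1] != ":":
        raise ValueError(f"unexpected entry format: {data!r}")
    parts = rest.split(":", 3)
    if len(parts) != 4:
        raise ValueError(f"expected path:scope:state:name, got {data!r}")
    path_tail, scope, state, name = parts
    return {
        "path": drive + path_tail,
        "scope": scope,
        "enabled": state == "Enabled",
        "name": name,
    }


def enabled_applications(values: dict) -> list:
    """All entries the firewall currently lets through."""
    parsed = (parse_authorized_application(v) for v in values.values())
    return [entry for entry in parsed if entry["enabled"]]


def outside_program_files(values: dict) -> list:
    """Paths of enabled entries that do not live under Program Files or the
    Windows directory. Legitimately installed software normally sits in one
    of those, so the remainder is where an examiner should start when looking
    for file-sharing (or other) programs that were missed elsewhere."""
    expected = ("c:\\program files\\", "c:\\windows\\")
    return [
        entry["path"]
        for entry in enabled_applications(values)
        if not entry["path"].lower().startswith(expected)
    ]


if __name__ == "__main__":
    for entry in enabled_applications(SAMPLE_LIST):
        print(f"{entry['name']:18} {entry['path']}")
    print("outside expected locations:", outside_program_files(SAMPLE_LIST))
```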

Overview
The following list includes a brief recap of the Registry keys discussed in this paper.
o HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
o HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
o HKLM\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces
o HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\
o HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions
o HKLM\SYSTEM\ControlSet00x\Enum\USBSTOR
o HKLM\SYSTEM\MountedDevices
o HKCU\Software\Microsoft\Internet Explorer\Main
o HKCU\Software\Microsoft\Internet Explorer\TypedURLs
o HKCU\Software\Microsoft\Internet Explorer\Download Directory
o HKCU\Software\Kazaa
o HKCU\Software\Morpheus\GUI\SearchRecent
o HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
For a comprehensive list of Registry keys that directly relate to a computer forensic examination, many of which were not discussed in this paper, refer to AccessData's PDF document Registry Quick Find Chart.
http://www.accessdata.com/media/en_US/print/papers/wp.Registry_Quick_Find_Chart.en_us.pdf

Conclusion
Given the popularity of the Windows operating system - in homes and businesses - it is important for computer forensic experts to understand the complexity of the Windows Registry. The information and potential evidence that reside in the Registry make it a significant forensic resource; uncovering this data can be crucial to any computer-related investigation. By understanding the fundamentals of the Registry from a forensics standpoint, an examiner can develop a more precise account of what actions occurred on a given machine. This report is by no means conclusive in terms of a Registry examination. It presents some explanations and examples of what types of data can be found, how they can be found, and why they may be relevant to an examination. For as long as operating systems depend on the Registry as a configuration database, and for as long as applications continue to use that database for storage, there will always be new locations to discover that provide evidential support in an investigation.

References
Books
Honeycutt, Jerry. Microsoft Windows Registry Guide. 2nd ed. Redmond, WA: Microsoft Press, 2005.
Kruse, Warren G., and Jay G. Heiser. Computer Forensics: Incident Response Essentials. New York: Addison-Wesley, 2004.
Nelson, Bill, Amelia Phillips, Frank Enfinger, and Christopher Steuart. Guide to Computer Forensics and Investigations. 2nd ed. Canada: Course Technology, 2006.
Journals
Carvey, Harlan. "The Windows Registry as a Forensic Resource." Digital Investigation: The International Journal of Digital Forensics & Incident Response 2 (2005): 201-05.
Carvey, Harlan, and Cory Altheide. "Tracking USB Storage: Analysis of Windows Artifacts Generated by USB Storage Devices." Digital Investigation: The International Journal of Digital Forensics & Incident Response 2 (2005): 94-100.
Online
Carvey, Harlan. "Windows Incident Response." [Weblog: Mounted Devices] 21 Dec 2004. Accessed 8 Apr 2007.
Davies, Peter. "Forensic Analysis of the Windows Registry." Peter Davies. 2006. Accessed 3 Feb 2007.
Jones, Keith J., and Rohyt Belani. "Web Browser Forensics, Part 1." SecurityFocus. 30 Mar 2005. Accessed 13 Apr 2007.
Microsoft. "Description of the Microsoft Windows Registry." Help and Support. 27 Jan 2007. Microsoft Corp. Accessed 8 Apr 2007.
Microsoft. "INFO: Working with the FILETIME Structure." Help and Support. 23 Jan 2007. Microsoft Corp. Accessed 8 Apr 2007.
Opera. "Why Choose the Opera Internet Suite." Operawiki. 2007. Accessed 13 Apr 2007.
"Registry Quick Find Chart." AccessData. 2005. AccessData Corp. Accessed 1 Apr 2007.
"ROT 13 Encoder/Decoder." Consulting, Development, Research, and Support. 2007. Edoceo, Inc. Accessed 14 Apr 2007.
Srinivasan, Ramesh. "Registry MRU Locations." Ramesh's Site: Troubleshooting Windows. 2006. Accessed 14 Apr 2007.
Websense. "Emerging Threats: Peer-to-Peer File Sharing." Advanced Systems Group. Websense, Inc. Accessed 13 Apr 2007.
Wong, Lih Wern. "Forensic Analysis of the Windows Registry." Forensic Focus. Accessed 1 Feb 2007.