Malware analysis sandbox: Cuckoo

Cuckoo is a lightweight tool for automated dynamic behavioural analysis of Windows binaries. It reports, in detail, the key API calls and network activity that occur while a program runs. The Cuckoo project began as a Google Summer of Code 2010 project and was recently released as open source under the GPL, so anyone can build it into their own project and create their own malware behaviour analysis tool.

More information and downloads: http://www.cuckoobox.org/download.php
Manual: http://cuckoobox.org/doc/0.2/Cuckoo%20User%20Guide.pdf



References:

A thorough study of exFAT

How exFAT differs from earlier file systems


exFAT (Extended File Allocation Table) is a newer format intended for USB flash drives and portable devices such as PDAs. It first appeared in Windows CE 6.0 in 2006 and, to improve compatibility with desktop operating systems and to ease synchronisation with portable devices, was officially added to the file systems supported by the desktop operating system in Vista SP1. What matters most to ordinary enthusiasts, though, is its use on flash drives. FAT32/FAT has been the common format on flash drives, but with today's large files FAT32 is starting to cause problems: a single file is limited to 4GB, so for some uses files have to be split before they fit on the drive, and XP's read/write cache for removable media only applies to NTFS, so copying large numbers of small, fragmented files often means a long wait. So why not make NTFS the mainstream format for flash drives?



1. NTFS is less compatible than FAT32


FAT32/FAT is widely supported by most operating systems, whether OS X, Linux or portable media players. Some non-Windows systems can read and write NTFS with add-ons, but that is never as convenient as native support.



2. Differences in access performance


NTFS is a "journaling" file system. Because it records disk read and write activity in detail, it puts a heavier load on flash memory such as a USB drive: accessing the same file or directory takes more reads and writes on an NTFS volume than on FAT32, so in theory a flash drive holding files in NTFS format is comparatively more prone to wear, and on partitions under 400MB NTFS also wastes more space.



3. XP does not offer NTFS as a default format option


Unless the policy is changed by hand, XP will not by default format a flash drive as NTFS; users cannot find the option and naturally fall back on FAT32. XP has two access modes for removable media: "Optimize for quick removal" (the default) and "Optimize for performance". The former suits FAT32; the latter exists for NTFS write caching. One reason we are always told not to simply pull out a flash drive is that the latter mode has to flush cached data to the drive first, so while "Optimize for quick removal" is in effect, the drive cannot be formatted directly as NTFS.



What is exFAT good for?


If flash-drive performance is not a major concern, today's 4GB and 8GB MLC flash drives are hardly expensive. Capacities like these are no problem for FAT32, whose largest single partition is 32GB, but single files larger than 4GB are a nuisance.



Single files over 4GB are rare, but they do exist: BD remux files, raw BD/HD video, uncompressed audio for lossless-music enthusiasts, DVD ISO images, AVI files captured from a DV camcorder and so on. To back these up intact you have to choose NTFS or exFAT as the storage format.



Most readers will ask: why not just use NTFS instead of a file system with even worse compatibility? exFAT was designed as a compromise between FAT32 and NTFS: it has FAT32's lightness, consuming little performance or memory to handle file operations, plus an NTFS-like ACL access-control mechanism (unfortunately no exFAT ACL support can be found under SP1) and, like HPFS, a Free Space Bitmap that makes free clusters quick to locate, keeping file fragmentation to a minimum.



Objectively comparing fragmentation under FAT32, NTFS and exFAT is very hard to do, so what remains to test is access performance, especially since exFAT's maximum cluster size reaches a staggering 32MB, while NTFS is limited to 64KB. If a flash drive really is used to hold multi-gigabyte files such as BD remuxes, how much performance is gained by setting a large exFAT cluster?



Are large clusters useful?


A cluster is the logical allocation unit of a file system, smaller than a file: a 64KB file with 4KB clusters occupies 16 clusters. Cluster size scales with the size of the physical volume; for instance, FAT32's default cluster size is 4KB for 4-8GB volumes and 8KB for 8-16GB. In general, smaller clusters save disk space. Take a 12KB file: since clusters come only in whole units, with 8KB clusters it needs two clusters (16KB) to store the file, and the remaining 4KB is wasted.



Clusters that are too small, however, in theory also slow access: a 64KB file needs only 4 accesses with 16KB clusters but 64 with 1KB clusters. From FAT16 through FAT32 to NTFS, the default cluster for a given range of disk sizes has grown ever smaller, but the smallest a user can choose is always 512 bytes. Formatting a disk from the installation disc always uses the 512-byte default, because 512 bytes aligns exactly with the FAT structure boundary; formatting from the Windows desktop instead lets the system choose a suitable default.



The file systems above all top out at 64KB clusters. Is that the ideal setting for accessing a single large file? Small clusters also make defragmentation take longer.



From this round of testing, however, cluster size has little effect on file access, and going all the way to 32MB clusters is sheer madness: storing a 1KB file eats 32MB. On a 1GB flash drive, the allocation table alone consumes 96MB once formatting is done.



So how large a partition would actually call for 32MB clusters? SP1 can only format a physical hard disk as exFAT from the command line. When the author formatted a 320GB disk as exFAT, the default cluster was 128KB, so a "big" disk that truly needs 32MB clusters is still a long way off. Besides, Microsoft currently has no plan to use exFAT on ordinary fixed media, so cluster size is for now meaningless for removable media.

exFAT compared with FAT32 and NTFS

Item                    FAT32                     NTFS                                             exFAT
Supported OS            Win95 OSR2 and later      NTFS5 from Windows 2000 is the mature version    Vista SP1, Windows CE 6.0
Minimum cluster         512 bytes                 512 bytes                                        512 bytes
Maximum cluster         64KB                      64KB                                             32,768KB
Maximum file size       4GB minus 2 bytes         limited by maximum partition size                16EB (theoretical)
Maximum partition       32GB, 2TB                 2TB                                              16EB (theoretical)
File count limit        4194304                   (not listed)                                     at least over 1000 in a single directory
ACL support             (not listed)              (not listed)                                     not adopted in SP1
Minimum cluster count   65,527 (note a)           at least over 127 (note b)                       at least over 13 (note c)
Maximum cluster count   4,177,918                 (not listed)                                     (not listed)
Note a: A FAT32 volume cannot have fewer than 65,527 clusters, which means a disk smaller than roughly 32MB (minimum cluster of 512 bytes x 65,527) cannot use FAT32; a 31.2MB flash drive the author has on hand cannot be formatted as FAT32. FAT(16) supports at most 65,525 clusters with a maximum cluster of 64KB, so its largest partition is about 4GB (65,525 x 64).

Note b: Windows cannot create an NTFS partition smaller than 8MB. Formatting 8MB with 64K clusters gives 127 clusters, but the figure is meaningless, since a partition of that size is unlikely to exist and NTFS would waste too much space on it (NTFS suits 400MB and above).

Note c: The 31.2MB flash drive could not be formatted with clusters larger than 2048KB.


exFAT's additional features

Another feature of exFAT is support for TFAT (Transaction-Safe FAT), which was created to make up for a defect in the original FAT design.


Take an ordinary FAT-formatted flash drive: if the drive is pulled out, loses power or is interrupted for any other reason while files or directories are being copied, moved or created, the write is cut off, and there is no way to be sure the data was written to disk completely.


You can try an experiment: copy a large file to a flash drive and remove the drive halfway through. Viewed on another computer, the file shows exactly the same size and properties as the original, nothing missing, yet its content is actually incomplete; in Explorer it looks as though the copy succeeded.

The point is this: while nobody would be idle enough to pull out a flash drive that is being accessed, neither NTFS nor FAT has a mechanism to guarantee the integrity of a file write. Both can be seen as writing the entry into the file allocation table or the MFT before the file itself has actually been written completely.

Access performance of exFAT, NTFS and FAT32 (unit: MB/s)

Volume      Read NTFS_4K  Write NTFS_4K  Read FAT32_4K  Write FAT32_4K  Read exFAT_32K  Write exFAT_32K
exFAT_32K   116.6719      40.8           114.3248       39.26           114.9264        39.112
exFAT_32M   119.8438      41.99414       118.92         41.836          118.63          42.82
exFAT_512K  117.5313      41.88477       117.13         41.274          116.23          41.63
exFAT_4K    126.4531      41.91602       124.52         40.998          125.42          41.1
exFAT_16K   117.8906      41.9           116.923        41.219          117.792         42.25
FAT32_4K    141.9453      40.8           129.65         39.23           131.427         39.5
NTFS_4K     129.6016      42.19          129.3          42.361          129.3012        42.92
NTFS_64K    127.4531      40.26          126.37         40.293          127.9804        40.96
FAT_16K     120.0391      41.9           120.02         41.57           119.863         41.77

All tests were run on Vista SP1.


SP1 has no native GUI support for formatting fixed media as exFAT; it must be done with a command-line command.

The advantages of TFAT

TFAT works the other way around: it makes effective use of FAT's original two-copy design (the "second copy"), FAT0 and FAT1. When the file system changes, the operation is performed first on FAT1; only once it has completed is FAT1 copied to FAT0. If the operation on FAT1 is interrupted, the original FAT0 is unchanged. In the example above, that means that if the file copy did not finish, the file simply does not appear on the flash drive: the physical data was indeed written to the volume, but those blocks are still marked "free", so they neither affect later file access nor consume disk space. This helps both the lifespan of the flash drive and the health of the file system. Had the same thing happened on FAT, data is easily lost and the whole allocation table ends up broken and inconsistent: sometimes a file has clearly been deleted yet the space is never freed, or the file name remains but has no actual content, and only chkdsk or reformatting will fix it.
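To make the FAT0/FAT1 commit idea above concrete, here is an added Python model (a teaching simulation written for this page, not Microsoft's TFAT code and not the exFAT on-disk format) that contrasts a plain FAT, which edits its live table in place, with a transaction-safe FAT, which edits a working copy and publishes it only on completion. The cluster count, the file size and the point at which "power is lost" are constructed for illustration.

```python
# Added teaching model of the FAT0/FAT1 scheme described above.
# Constructed for illustration; not Microsoft's TFAT implementation.
FREE = 0x00000000          # entry value meaning "cluster unused"
EOC = 0xFFFFFFFF           # end-of-chain marker
RESERVED = 2               # clusters 0 and 1 are reserved in FAT-style tables


class PowerLoss(Exception):
    """Raised to simulate the drive being pulled while the table is being updated."""


def link_chain(fat, count, interrupt_after=None):
    """Allocate `count` free clusters in `fat` (edited in place) and chain them.

    If interrupt_after is given, PowerLoss is raised after that many FAT
    entries have been written, leaving a partially built chain behind.
    """
    free = [i for i, entry in enumerate(fat) if entry == FREE and i >= RESERVED]
    if len(free) < count:
        raise ValueError("volume full")
    chain = free[:count]
    for k, cluster in enumerate(chain):
        if interrupt_after is not None and k == interrupt_after:
            raise PowerLoss(f"power lost after {k} FAT entries written")
        fat[cluster] = chain[k + 1] if k + 1 < count else EOC
    return chain[0]


def read_chain(fat, start):
    """Follow next-pointers from `start` until the end-of-chain marker."""
    chain, cluster = [], start
    while cluster != EOC:
        chain.append(cluster)
        cluster = fat[cluster]
    return chain


def _new_table(cluster_count):
    table = [FREE] * cluster_count
    table[0] = table[1] = EOC   # reserved entries are never handed out
    return table


class PlainFat:
    """FAT as described above: the live table is modified directly."""

    def __init__(self, cluster_count):
        self.fat = _new_table(cluster_count)

    def write_file(self, clusters, interrupt_after=None):
        # An interruption leaves the partially written entries in the live table
        # (the "lost clusters" that chkdsk later has to clean up).
        return link_chain(self.fat, clusters, interrupt_after)

    def allocated(self):
        return sum(1 for entry in self.fat[RESERVED:] if entry != FREE)


class TransactionSafeFat:
    """TFAT-style: work on a copy (FAT1), copy it over the stable FAT0 only on completion."""

    def __init__(self, cluster_count):
        self.fat0 = _new_table(cluster_count)

    def write_file(self, clusters, interrupt_after=None):
        fat1 = list(self.fat0)                                # working copy (FAT1)
        start = link_chain(fat1, clusters, interrupt_after)   # PowerLoss propagates; fat0 untouched
        self.fat0 = fat1                                      # commit: FAT1 -> FAT0
        return start

    def allocated(self):
        return sum(1 for entry in self.fat0[RESERVED:] if entry != FREE)


def clusters_in_use_after(fs_class, file_clusters=4, interrupt_after=None, cluster_count=16):
    """Write one file, optionally interrupted, and report how many clusters the table still holds."""
    fs = fs_class(cluster_count)
    try:
        fs.write_file(file_clusters, interrupt_after)
    except PowerLoss:
        pass
    return fs.allocated()


if __name__ == "__main__":
    for cls in (PlainFat, TransactionSafeFat):
        print(cls.__name__, "interrupted:", clusters_in_use_after(cls, interrupt_after=2),
              "completed:", clusters_in_use_after(cls))
```

With the interruption after two table entries, the plain FAT is left holding two allocated clusters that no directory entry refers to, while the transaction-safe table still reports nothing allocated, which is the behaviour the paragraph above attributes to TFAT.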


Having said all that, it is somewhat pointless, because the Windows desktop operating systems do not support TFAT; it remains centred on WinCE. XP and Vista treat TFAT as plain FAT and cannot delete directories created by TFAT. In short, TFAT currently has nothing to do with desktop systems, and forcing the two together does not end well. TFAT is a file system that lives under exFAT rather than standing on its own.

Conclusion: do we really need exFAT now?

Following on from the previous section: the exFAT supported by Vista SP1 has no access-control mechanism and does not bring TFAT to the ordinary desktop. There is no getting around it: Vista is meant for desktops and laptops, nobody installs it on a PDA or phone, and the media enthusiasts handle most are memory cards, external drive enclosures and flash drives. If what exFAT offers is an unremarkable saving in overhead and speed, combined with a current lack of compatibility (it cannot even support Microsoft's own ReadyBoost), then the case for it becoming an ideal cross-platform file system still seems insufficient.


After the two system files have been forced into XP, it can recognise and access the exFAT format, but cannot format it.

Letting XP read exFAT too

Although exFAT gives no obvious performance gain for large files, giving it up over compatibility would be a shame, since it at least supports files over 4GB. There is a by-now open secret for letting XP recognise exFAT and read exFAT-formatted disks, though read only: it still cannot format or convert (Convert.exe) a disk to exFAT directly under XP. The method is simple: take the two files exfat.sys and uexfat.dll from the Vista SP1 system directory, put them in XP's system32 and system32\driver folders respectively, then import the registry entries below.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\exfat]
"Description"="exFAT File System Driver"
"DisplayName"="exFAT File System Driver"
"ErrorControl"=dword:00000001
"Group"="Boot File System"
"Start"=dword:00000002
"Type"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\exfat]
"EventMessageFile"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,\
00,6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,\
5c,00,49,00,6f,00,4c,00,6f,00,67,00,4d,00,73,00,67,00,2e,00,64,00,6c,00,6c,\
00,00,00
"TypesSupported"=dword:00000007



What is a "journaling" file system?
A journaling file system mainly records file changes in detail, whether copies, moves or deletions. If one of these operations is interrupted abnormally, once the interruption is cleared the log can still be used to recover or resume the operation, without rescanning the whole disk to repair a broken file-system structure; that is the key point of most journaling file systems. If a FAT32 disk in a PC goes through an improper shutdown, the FAT volume is scanned and checked on the next boot, and the larger the volume, the longer recovery takes. NTFS does not need this, because the journal already holds a record: it only has to follow the log to rebuild the MFT rather than rescan everything. NTFS does not, however, offer roll-back of data to an earlier state.


Source: PChomeAdvance 電腦王, issue 46

A must-have for notebook repair: a complete collection of teardown manuals for every laptop model

Recently two of my laptops went on strike one after the other. I thought about finding someone to repair them, but repair fees are mostly 3,000 or more, and from what I found online, sending them back to the manufacturer costs even more, almost enough to buy a decent used machine at auction, or even a new computer. So I decided to try taking them apart myself, treating a dead horse as if it were alive. Both attempts failed in the end and I could not save them, but I stumbled on a great site, Tim's laptop service manuals, an essential resource for anyone who wants to repair or disassemble a laptop themselves.

The URL is: http://www.tim.id.au/blog/tims-laptop-service-manuals/


The first failed machine was an Acer TravelMate 4002LCi. Its screen first showed some thin stripes, then snow, and it got progressively worse until finally it would not boot. I judged it to be the graphics chip, so I went to the site above and, sure enough, found the same model. Following the manual, I took it apart without trouble. Despite knocking and prodding everywhere, and even trying the heat-gun treatment, I could not bring it back to life, but I did clean the dust out of the keyboard, fan and motherboard, and I learned how to take this Acer TravelMate apart. Although my own repair failed, I later bought a working motherboard for the same model at auction for 1,000. It went in easily and smoothly, everything was normal after booting, and this old Acer laptop is still in service today.

Working motherboards are quite hard to find now, though; I waited a long time before one came up. The most common symptom of laptop failure is not booting, and a large share of no-boot cases are motherboard failures. Many laptops advertised as having a discrete graphics chip actually have it soldered directly to the motherboard, so once the graphics chip fails, so has the motherboard, and the graphics chip is the part most prone to failure because it runs very hot. If the laptop's cooling is poor, or after long use the internal cooling parts such as the fan fail, the laptop is soon headed for the scrapheap.

The second failed laptop was an Acer TravelMate 220, an even older machine. Sometimes it would not boot, apparently a power problem, working only intermittently. I found the teardown procedure on the same site and opened it up without trouble, but again the repair failed. It is still broken; since it is so old I have just set it aside, and instead spent a little over 2,000 on a better used machine, an HP Presario x1000, to replace it. When that HP laptop arrived, though, the fan did not spin. I again found the teardown manual for the model at Tim's laptop service manuals, opened it up and found that the fan cable had come loose. A small problem: I plugged it back in and it ran normally.


Tim's laptop service manuals collects a huge range of laptop manuals, teardown instructions, tutorials and so on; it has just about everything. The rights to this content belong to the respective laptop manufacturers, but you probably could not find it on the manufacturers' own sites, because some of it is not made public.

As of 2011-12-01 the site covers the following models. If your computer is on the list below, go to the site to download the teardown manual:

Acer
Aspire One, NAV50
Aspire 1200, 1300, 1310, 1350, 1360, 1400, 1410, 1420PT, 1450, 1500, 1520, 1600, 1606, 1610, 1620, 1640Z, 1650, 1650Z, 1660, 1670, 1680, 1690, 1700, 1710, 1800, 1810t, 1820PT, 2000, 2010, 2020, 2420, 2920, 2920Z, 2930, 3000, 3010, 3020, 3050, 3100, 3300S, 3500, 3510, 3600, 3610, 3620, 3630, 3640, 3650, 3680, 3690, 3810T, 3810TG, 3810TZ, 3810TZG, 4220, 4220G, 4230, 4310, 4310G, 4315, 4320, 4330, 4332, 4520, 4520G, 4530, 4710, 4710G, 4715Z, 4720, 4720G, 4720Z, 4730Z, 4730ZG, 4732Z, 4740, 4740G, 4820T, 4920, 4920G, 4930, 4930G, 4935, 4935G, 5000, 5010, 5020, 5050, 5100, 5110, 5220, 5230, 5235, 5236, 5241, 5242, 5310, 5310G, 5330, 5332, 5335, 5338, 5340, 5500, 5500Z, 5510, 5515, 5517, 5520, 5530, 5530G, 5534, 5535, 5536, 5536G, 5538, 5540, 5541, 5542G, 5560, 5570, 5580, 5600, 5610, 5620, 5630, 5650, 5670, 5680, 5710, 5710G, 5720, 5720G, 5730Z, 5732Z, 5735, 5735Z, 5737Z, 5738, 5738G, 5738DG, 5738ZG, 5738DZG, 5738Z, 5738Z, 5738ZG, 5739, 5739G, 5740, 5740D, 5841, 5741G, 5910, 5920G, 5930, 5930Z, 5935, 5940G, 5942, 5942G, 6530, 6920, 6930, 6930G, 6935G, 7000, 7100, 7110, 7120, 7220, 7220G, 7230, 7315, 7336, 7420, 7520, 7520G, 7530, 7530G, 7540, 7715Z, 7720, 7720G, 7730, 7730G, 7736, 7736Z, 7740, 7740G, 7745, 7745G, 8530, 8730, 8730Z, 8920, 8920G, 8930, 8930Q, 8935G, 8940, 8942, 8942G, 9100, 9110, 9120, 9300, 9400, 9410, 9420, 9500, 9510, 9520, 9800, 9920, ASX1200, ASX3200
Extensa 365, 390, 450, 500, 510, 570, 600, 610, 650, 660, 670, 700, 710, 900, 2000, 2500, 2700, 3100, 5210, 5220, 5230, 5610, 5620, 5630, 5630Z, 6600
Ferrari One
Ferrari 1000, 1100, 1200, 3000, 3200, 3400, 4000, 5000
Travelmate 200, 210, 220, 230, 240, 250, 260, 270, 280, 290, 310, 330, 340, 350, 380, 420, 430, 505, 510, 520, 530, 550, 610, 620, 630, 650, 660, 720, 730, 740, 800, 2000, 2100, 2200, 2300, 2350, 2400, 2410, 2420, 2430, 2440, 2450, 2470, 2480, 2490, 2500, 2600, 2700, 3000, 3010, 3030, 3040, 3210, 3210Z, 3220, 3230, 3240, 3250, 3280, 3300, 4000, 4010, 4020, 4050, 4060, 4070, 4080, 4100, 4150, 4200, 4210, 4220, 4230, 4260, 4270, 4280, 4320, 4330, 4330G, 4400, 4500, 4520, 4530, 4600, 4650, 4670, 4720, 4730, 4730G, 5000, 5100, 5110, 5220, 5220G, 5230, 5310, 5320, 5330, 5520, 5520G, 5530, 5600, 5610, 5620, 5710, 5720, 5730, 6000, 6231, 6291, 6292, 6293, 6410, 6460, 6492, 6493, 6500, 6592, 6592G, 6593, 7100, 7220, 7230, 7300, 7320, 7510, 7520, 7520G, 7530, 7720, 7730, 7730A, 8000, 8100, 8200, 8210, 8331, 8371, 8431, 8471, 8531, 8571, C100, C110, C210, C300
eMachines E430, E627, E628, E630, EM250, G430, G627, G630


Apple

eMac - 2004 original, 2005 ATI/USB2
iMac 2000, 2001, Summer 2001, DV, DV Special Edition, Flat Panel, Flat Panel USB2.0, 17″ Flat Panel, 17″ Flat Panel 1GHz
iMac 17″ mid 2006, late 2006, late 2006 CD
iMac 20″ early 2006, late 2006, mid 2007, early 2008, early 2009, mid 2009
iMac 21″ late 2009, mid 2010
iMac 24″ 2006, mid 2007, early 2008, early 2009
iMac 27″ late 2009, mid 2010
iMac G5 17″ original, iSight, Ambient Light Sensor
iMac G5 20″ original, iSight, Ambient Light Sensor
iPad Wifi+3G
MacBook Air original, late 2008, mid 2009
MacBook 13″ original, late 2006, mid 2007, early 2009, mid 2009, late 2009, mid 2010, Aluminium late 2008
MacBook Pro 15″ original, Core 2 Duo, 2.2/2.4GHz 2007, early 2008, mid 2009, 2.53GHZ mid 2009, mid 2010
MacBook Pro 17″ original, Core 2 Duo, 2.4GHz 2007 and 2008, early 2009, mid 2010
Mac Mini 2006, Mini 2006/7, Mini 2009, Mini 2010
Mac Pro, 8x, 2008, 2009, 2010
PowerBook 100, 140, 145, 145B, 150, 160, 165, 165c, 170, 180, 180c, 190 and 190 REA, 200 series, 500 series, 550c, 1400 series, 2300c, 2400c, 3400c, 5300 series and 5300 series REA, Firewire
PowerBook G3 original series, Bronze series
PowerBook G4 original, DVI, Gigabit Ethernet, 1GHz/867MHz
PowerBook G4 12″, 12″ DVI, 12″ 1.33GHz, 12″ 1.5GHz
PowerBook G4 15″ 1.67/1.5GHz, 15″ Double-Layer SD, Firewire 800, 1.5/1.33GHz
PowerBook G4 17″ original, 17″ Double-Layer SD, 17″ 1.67/1.5/1.33GHz
Power Mac G3 All-In-One, Blue-White, Desktop, Server Minitower
Power Mac G4/Macintosh Server G4, Power Mac G4 Mirrored Drive Doors/Firewire 800, G4 Cube
Power Mac G5, 2004, 2005
Xserve 2003, 2005 G5, 2006, 2009, Xserve RAID
Macintosh Classic, Classic II, Color Classic, Color Classic II, 128k, 512k, II, IIcx, IIci, IIx, IIfx, IIsi, IIvx, IIvi, Plus, Portable, SE, SE/30, TV
Macintosh LC, LC II, LC III, LC 475, 520, 550, 575, 580
Macintosh/Powermac/Performa 200, 275, 400 series, 500 series, 580CD, 600, 630, 4400, 5200, 5260, 5280, 5300, 5400, 5500, 6100, 6200, 6300, 6400, 6500, 7100 series, 7200 series, 7300, 7500, 7600, 8100, 8200, 8500, 8600, 9500, 9600, WS6150, WS7250, WS7350, WS8150, WS8550, WS9150, WS9650
Macintosh Quadra/Centris 605, 610, LC630, Performa 640, 650, 660AV, 700, 800, 840AV, 900, 950, WS60, WS80, AWS95
Macintosh Network Server 500, 700
The Twentieth Anniversary Mac (user guide only - no official take-apart guide exists for these)
Apple Displays - including Monochrome, RGB, AppleColor, AppleVision, Multiple Scan, Cinema and Studio displays.
Miscellaneous manuals - including external drives, printers, ADB devices including keyboards and mice, eMate/Newton MessagePads, and various upgrade cards.


ASUS

Eee PC 4G (701)
A6JC, A6JM, A7T, A7V, A3000N, G1S, G73, KN1, L8400, M2400NE, M6000, S37E, S62, S62F, S96J, S97V, SW1, V1S, W5F, W3000A, X50RL, Z93E, Z500A, Z9200K, Z97V

BenQ

Joybook A33, R23, S52, S72

Clevo

Clevo 888E, 2200C, 2700C, D400E, D400S, D410E, D410S, D470V, D480V, D500E, D510E, D520E, D530E, D610S, D620S, D630S, D800P, D900C, D900F, D900K, D900T, L295N, L295T, L297N, L390T, LV19C, LV19N, LV22C, LV22N, M570A, M570TU, M575A, M590KE, M660SE, M665SE, M720T, M728T, M729T, M730T, M740T, M740TU, M760T, M760TU, M860TU, M980NU, TN120R
Compal CL50, CL51, CL56, CY23, CY25, HEL81
Eurocom M350C and M360C
FIC/Medion A360, A440, A985, M295, M296, M785, MB02, MB05W, MD02
Mitac 7521, 8011, 8050, 8050D, 8050QMA, 8066MP, 8081, 8170, 8224, 8355, 8399, 8575A, 8599, 8965, W130
Sager NP2280, NP4060, NP4780, NP5270, NP5690, NP61x0, NP8886, NP8890, NP9260, NP9261, NP9750
Uniwill 340S2 and 340S8

Compaq/HP
• Compaq 100, 510, 511, 515, 516, 610, 615, 800, nx4820, nx9010, nx9008, nx9005, nx9000
• Compaq Armada 100, 100s, 110, 1100, 1500, 4100, 4200, E500, E500S, E700, M300, M700, V300
• Compaq Business nx7000, nx9100, nx9500
• Compaq Evo N110, N150, N160, N180, N400c, N410c, N600c, N610C, N610v, N620c, N800c, N800v, N800w, N1010v, N1050v
• Compaq Mini 110, 311, 700
• Compaq Presario 1100, 2100, 2500, 2800, 3000, CQ50, CQ60, C300, F500, C700, M2000, M2300, R3000, R4000, V2000, V2400, V4000, Widescreen x1000
• Compaq Tablet PC TC1000
• HP 500, 510, 520, 530, 540, 541, 550
• HP 2533t, 4410t mobile thin client
• HP Compaq nc6110, nx6110, nc6120, nx6120, 6720t mobile thin client, 8710p notebook, 8710w mobile workstation, NC4400, TC1100 Tablet, TC4200 Tablet
• HP Elitebook 2530p, 2730p, 6930p, 8530p, 8530w, 8730w
• HP Envy 13, Envy 15
• HP G50, G60, G3000, G6000, G7000
• HP HDX 16, HDX 18, Pavilion HDX
• HP Media Center zd7000
• HP Mini 110, 311, 1000, 1101, 5101, Mini-note 2133, Mini-note 2140
• HP Omnibook xt1000, xt1500
• HP Pavilion dm1, dm3, dv2, dv3, dv4, dv5, dv6, dv7, dv8, dv1400, dv2000, dv4000, dv6500, dv6600, dv6700, dv8000, dv8200, dv9000, dv9200, dx6500, tx1000, tx2000, tx2500, xz100, xz300, zd7000, zd8000, ze2000, ze2300, ze4100, ze4200, ze4300, ze4400, ze4500, ze4600, ze4700, ze5200, ze5300, ze5400, ze5500, ze5600, zv6000, zx5000, zv5000, zt1000, zt1100, Widescreen zt3000
• HP Probook 4310s, 4311s, 4410s, 4411s, 4510s, 4710s, 5310m
• HP Special Edition L2000
• HP TouchSmart tx2
Dell/Alienware
• Inspiron 300M, 1501, 7000, 9100
• Inspiron XPS 9100
• Latitude CP, CPi, CS, LM, XPi CD
• Latitude C500, C600, C800, L400, X200, X300
• Alienware M17x
Gateway
• Gateway 400, 450RGH, 450ROG, 600, 6000, 6100, 6500, 6600, EC14, EC14D, EC14T, EC18, EC18T, EC34, EC38, EC54, EC58, LT21, LT31, NV42, NV53, NV59, NV59C, M275, M305, M350, M360, M675, MX6100, MX6200, MX6400, MX6500, MX6600, MX6900, NX500, P-78, P-79, Solo 1450
• Gateway Profile 4, Profile 5
• Gateway Convertible Notebook CX200, CX2000, M280, M285, S-7200, TA1, TA6, TA7
IBM/Lenovo
• IdeaPad S9e, S10, S10e
• ThinkPad 240, 240X, 380, 380XD, 380Z, 385, 385XD, 390, 390E, 390X, 560, 560E, 560X, 560Z, 570, 570E, 600, 600E, 600X, 760C, 760CD, 760E, 760ED, 760L, 760LD, 760EL, 760ELD, 760XL, 760XD, 765D, 765L, 770
• ThinkPad A20m, A20p, A21e, A21m, A21p, A22e, A22m, A22m wireless, A22p, A30, A30p, A31, A31p
• ThinkPad Edge 13″, E30, E31, Edge 14″, E40, Edge 15″, E50
• ThinkPad G40, G41
• ThinkPad L410, L412, L510, L512
• ThinkPad R30, R31, R32, R40, R50, R50e, R50p, R51, R51e, R52, R60, R60e, R61, R61e, R61i, R61i widescreen, R500
• ThinkPad S30, S31, SL300, SL400, SL400c, SL410, SL500, SL500c, SL510
• ThinkPad T20, T21, T22, T23, T30, T40, T40p, T41, T41p, T42, T42p, T43, T43p, T60, T60 widescreen, T60p, T60p widescreen, T61, T61 widescreen, T61p, T61p widescreen, T400, T400s, T410, T410i, T410s, T410si, T500, T510, T510i
• ThinkPad R400
• ThinkPad W500, W510, W700, W700ds, W701, W701ds
• ThinkPad X20, X21, X22, X23, X24, X30, X31, X32, X40, X41, X41 Tablet, X60, X60 Tablet, X60s, X61, X61 Tablet, X61s, X100e, X200, X200 tablet, X200s, X200si, X201, X201 Tablet, X201i, X201s, X300, X301
• ThinkPad Z60m, Z60t, Z61e, Z61m, Z61p, Z61t
• ThinkPad TransNote
• ThinkPad Dock, Dock II, Mini Dock, Port Replicator, Port Replicator II, Selectadock II
• WorkPad Z50
• iSeries 1200, 1300, 1400, 1500, 1700, 1800
JVC
• MP-XP5220KR, MP-XP5230GB, MP-XP7220KR, MP-XP7230GB, MP-XP741DE
• MP-XV841DE, MP-XV841GB, MP-XV841GBEX, MP-XV841US, MP-XV941DE
LG
• LE50, LM40, LM50, LS40, LS50, LS70, LW20, LW60, LW70, S1, P1, T1, TX
NEC and Packard Bell
• Dot a, m, mr, mr/u, s
• Dragon A, SN
• Easy Lite
• EasyNote A7, B3, BG, BU, C3, DT85, E, L, LJ61, LJ65, LJ75, LJ77, M3, M5, M7, MB, ME, MV, MX, MZ, R, R7, S, SB, SJ, SW, T5, TJ75, TJ76, TJ77, TJ78, TM85, TM86, TM89, V, W, W3, W7, XS, Butterfly Touch, Butterfly xs
• iPower GX
• Versa Lite, M340 and E2000, M400, M540, P520, S940, VX
Panasonic
• CF-08TX1A1M
• CF-1000
• CF-18JHU70TW, CF-18JHU80TW, CF-18KHH65Lx, CF-18NHHZXBM
• CF-19CDBAXVM, CF-19CHBAXBM, CF-19FHGAXxM, CF-19KDRAXCM
• CF-29N3LGZBM, CF-29NTQGZBM
• CF-30CTQAZBM, CF-30CTQAZxx, CF-30FTSAZAM, CF-30KTPAXxM
• CF-52AJYZDZM, CF-52EKMxDxM
• CF-73E3KVXxM
• CF-74CCBAXBM, CF-74ECBAXBM, CF-74ECBGDBM, CF-74GCDADBM, CF-74JCJBDxM
• CF-T4GWCTZBM, CF-T4HWETZBM
• CF-T5LWETZBM
• CF-W4GWCZZBM, CF-W4HWEZZBM
• CF-W5LWEZZBM
• CF-Y5LWVYZBM
Samsung
• Samsung NC10, P560, Q1U, Q40, Q45, R50, R510, R520, X460
Sony
• PCGA-DSD5, PCGA-DSM5
• PCG-C1VP, PCG-C1VPK
• PCG-FX210, PCG-FX220, PCG-FX220K, PCG-FX240, PCG-FX240K, PCG-FX250, PCG-FX250K, PCG-FX270, PCG-FX270K, PCG-FX290, PCG-FX290K, PCG-FX777, PCG-FX877
• PCG-FXA32, PCG-FXA33, PCG-FXA35, PCG-FXA35D, PCG-FXA36
• PCG-GR150, PCG-GR150K, PCG-GR170, PCG-GR170K
• PCG-R505AFE, PCG-R505JE, PCG-R505JEK, PCG-R505JEP, PCG-R505JL, PCG-R505JLK, PCG-R505JLP, PCG-R505JS, PCG-R505JSK, PCG-R505JSP
• PCG-SR27, PCG-SR27K
• VGN-A, VGN-AR, VGN-AX, VGN-B, VGN-BX, VGN-C, VGN-FE, VGN-FJ, VGN-FS, VGN-N, VGN-S, VGN-SZ, VGN-T, VGN-TX, VGN-U, VGN-UX
Toshiba
• 100CS and 110CS
• Dynabook V1, V2, VX4
• Equium A60, A210, A300, L300, L300D, L350, L350D, M40, M45
• Libretto 100CT, L100, L105, U100
• Mini Notebook NB100, NB200, NB250, NB255, NB300
• Portege 610CT, 620CT, 2000, 3010CT, 3020CT, 3110CT, 3400, 4000, 7010CT, 7020CT, 7200CT
• Portege A100, A200, A600, M100, M200, M300, M400, M500, M700, M750, M780, M800, M900D, P2000, R100, R200, R300, R400, R500, R600, R700, S100, T110, T110D, T130, T130D, T210
• Qosmio E10, F10, F20, F30, F40, F45, F50, F60, G10, G20, G30, G40, G50, X300, X500
• Satego A210, A300, L300, L300D, L350, L350D
• Satellite 220, 300, 310, 320, 330, 440, 460, 470, 480, 1400, 1405, 1700, 1710CDS, 1800, 1900, 2060CDS, 2100, 2230, 2250, 2400, 2405, 2500CDS, 2510CDS, 2520CDS, 2540XCDT, 2590CDT, 2610, 2750, 2800, 3000, 4000, 4010, 4020, 4030, 4060, 4070, 4080, 4090, 4100, 4200, 4300, 5000, 5100, 5200, TE2000
• Satellite A10, A20, A30, A40, A50, A50S, A60, A70, A80, A85, A100, A105, A200, A210, A215, A300, A350, A350D, A500D, A660, C650, C650D, C655D, E100, E105, E200, E205, L10, L20, L300, L300D, L305, L305D, L350, L350D, L450, L450D, L500, L500D, L510, L550, L600, L600D, L630, L635, L640, L640D, L645, L645D, L650, L655, L670, L670D, L675, L675D, M20, M30-35, M30X, M40, M40X, M50, M60, M70, M100, M200, M205, M300, M500, M505, M507, P10, P20-25, P30, P100, P200, P205, P250D, P300, P500, R10, R20, R70, T110, T110D, T130, T130D, T210, T215, T230, T230D, U200, U300, U400, U500, X200, X205
• Satellite Pro 220, 440, 460, 470, 480, 4600, 6000, 6100, A10, A60, A65, A120, A210, A300, A500D, A660, L300, L300D, L350, L350D, L450, L450D, L500, L550, L600, L600D, L630, L635, L640, L640D, L645, L650D, L650, L655, L670, L670D, L675, M10, M70, M200, M300, P500, S200, S300, S500, S500M, T110, T110D, T130, T130D, T210, T215, T230, T230D, U300, U400
• Tecra 520CDT, 530CDT, 550CDT, 750, 780CDM, 780DVD, 8000, 8100, 8200, 9000
• Tecra A1, A2, A3, A3X, A4, A5, A6, A7, A8, A9, A10, A11, M1, M2, M2V, M3, M4, M5, M7, M9, M10, M11, P5, P10, P11, R10, S1, S2, S3, S4, S5, S10, S11
Twinhead
• Durabook 14K
• efio! 121A, 121i

Source: http://save-coco.blogspot.com/2011/11/3000diy-tims-laptop-service-manuals.html

Random Cookie Filenames

As forensic examiners will be aware, Microsoft Internet Explorer stores cached data within randomly assigned folders. This behaviour was designed to prevent Internet data being stored in predictable locations on the local system in order to foil a number of attack types. Prior to the release of Internet Explorer v9.0.2, cookies were an exception to this behaviour and their location was insufficiently random in many cases.




Cookie Files


Generally, for Vista and Windows 7, cookie files are stored in the location shown below:


Table 1: Microsoft Windows Internet Explorer cookie location
\AppData\Roaming\Microsoft\Windows\Cookies\



The cookie filename format was the user’s login name, the @ symbol and then a partial hostname for the domain of the cookie.


Figure 1: Digital Detective NetAnalysis, Windows cookies



With sufficient information about a user’s environment, an attacker might have been able to establish the location of any given cookie and use this information in an attack.


To mitigate the threat, Internet Explorer 9.0.2 now names the cookie files using a randomly-generated alphanumeric string. Older cookies are not renamed during the upgrade, but are instead renamed as soon as any update to the cookie data occurs. Figure 2 shows an updated cookie folder containing the new files.


Figure 2: Digital Detective NetAnalysis, new cookies window


This change will have no impact on the examination of the cookie data itself. It will, however, obviously no longer be possible to identify which domain a cookie belongs to from the file name alone.
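As an added illustration (not part of the original post or of NetAnalysis), the following Python snippet classifies a directory listing of cookie filenames into the legacy "login@host[n].txt" form described above and the randomised IE 9.0.2 form, and reports which user names and domains are still recoverable from the names alone. The 8-character length of the randomised names and the sample listing are assumptions constructed for the example.

```python
import re

# Legacy (pre-IE 9.0.2) naming described above: <login>@<partial host>[<n>].txt
LEGACY_RE = re.compile(
    r"^(?P<user>[^@\\/]+)@(?P<host>[^\[\]@]+)\[(?P<index>\d+)\]\.txt$", re.IGNORECASE
)
# Randomised IE 9.0.2 naming: an alphanumeric token with no '@'.
# The 8-character length is an assumption made for this example.
RANDOM_RE = re.compile(r"^[A-Z0-9]{8}\.txt$", re.IGNORECASE)

# Constructed sample listing of a Cookies folder mid-transition (not a real capture)
SAMPLE_LISTING = [
    "alice@example[1].txt",
    "alice@news.example[2].txt",
    "K7Q2M9XZ.txt",
    "index.dat",
    "alice@shop[1].txt",
]


def classify(name):
    """Return ('legacy', user, host), ('random', None, None) or ('other', None, None)."""
    m = LEGACY_RE.match(name)
    if m:
        return ("legacy", m.group("user"), m.group("host"))
    if RANDOM_RE.match(name):
        return ("random", None, None)
    return ("other", None, None)


def exposure_report(listing):
    """Summarise what can be inferred from the file names alone.

    Legacy names leak the login name and a partial host; randomised names
    leak nothing, which is exactly what the IE 9.0.2 change removes.
    """
    report = {"legacy": 0, "random": 0, "other": 0, "users": set(), "hosts": set()}
    for name in listing:
        kind, user, host = classify(name)
        report[kind] += 1
        if kind == "legacy":
            report["users"].add(user.lower())
            report["hosts"].add(host.lower())
    report["users"] = sorted(report["users"])
    report["hosts"] = sorted(report["hosts"])
    return report


if __name__ == "__main__":
    for name in SAMPLE_LISTING:
        print(name, "->", classify(name))
    print(exposure_report(SAMPLE_LISTING))
```

Run over a real Cookies folder listing, the same report tells an examiner how many cookies predate the upgrade (and so still carry a domain hint in the name) versus how many have been renamed and must be opened to attribute them to a site.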

Source: http://wordpress.bladeforensics.com/?p=366

Evtx Parser Version 1.1.0

Evtx Parser and the Parse::EVTX Perl library are now available for download (ZIP).

Source: http://computer.forensikblog.de/en/2011/11/evtx_parser_1_1_0.html#more

DocumentsRescue Pro

Office DocumentsRescue Professional recovers lost data from hard drives, CompactFlash cards (type I/II), IBM Microdrives, SmartMedia cards, MultiMedia cards (MMCs), Secure Digital (SD) cards, Memory Sticks, CD/DVD discs and any other storage device, with support for a wide range of file formats: DOC, XLS, PPT, RTF, LIT, etc.

DocumentsRescue Pro is an effective document recovery tool for Microsoft Word, Excel, PowerPoint, Project, Publisher, Visio and many other popular document formats. DocumentsRescue Pro can recover documents lost due to computer crashes, accidental deletion (even if the Recycle Bin has been emptied), formatting of a disk drive, and even documents that were never saved. It is easy to use for novice users, and offers a feature-rich advanced mode for skilled technicians. DocumentsRescue Pro is not just an 'undelete' tool: it can easily, quickly and reliably reconstruct lost document files that undelete programs can never recover.

Program features

- Recovers deleted and corrupted files
- Recovers data from formatted media
- Recovers data from corrupted media
- Supports all popular formats of document files *
- Supports all formats of media used by digital devices
- Works with all digital devices and card readers
- Easy to use, intuitive wizard-driven interface
- Supports Windows® NT/2000/XP/2003/Vista
- and many more!

Source: http://www.essentialdatatools.com/products/documentsrescuepro/

Cracking BlackBerry phone passwords

Source: 計算機取證技術

It is now possible to recover a BlackBerry phone password. Elcomsoft's phone password recovery tool can now crack BlackBerry passwords, but with one prerequisite: when the user set the "device password", they chose to also encrypt the data on the storage card. By analysing the data on the encrypted storage card, the decryption software can crack a 7-digit password within a few hours, at a rate of several million attempts per second. This successful break of BlackBerry encryption shatters the myth that BlackBerry phones are uncrackable. Interested readers can try it out. Sprite.

SQLite Forensic Reporter v1.2 Released

A new version of SQLite Forensic Reporter, the universal SQLite database examination tool, is now available. Version 1.2 includes more features to analyse, extract and report on information from any SQLite database (not corrupted or encrypted). Useful for computer and phone forensic analysts and data recovery technicians. It searches, identifies and decodes all SQLite database files in a case. Available for $125 per licence, with discounts for government and law enforcement agencies.

What's new:

  • More templates added!!!
  • Added Polish Language
  • Password and Username Identification, scans all identified SQLite database files for possible user credentials (saved as a separate listing).
  • Collates date and time activity from all identified SQLite database files in a case and saves it as a separate listing for timeline analysis
  • Added Unattended Mode, Identification and Processing of all SQLite database files is performed with a single mouse click
SQLite Forensic Reporter is the only universal SQLite database examination tool available to date. More information:
SQLite Forensic Reporter (Universal SQLite database examination tool)


In addition to the above new additions SQLite Forensic Reporter also includes the following features:
  • File Header Analysis for reliable file identification
  • Advanced identification using automated Table Analysis, Column Analysis and Field Data Analysis
  • Easy to manage template interface, create new templates for newly encountered database formats
  • User optional extraction of 'undecoded' data during processing for raw data comparison
  • Built-in MD5 hashing
  • Date / Time display user customisable
  • Once installed, can be setup and running in as little as 3 mouse clicks
  • Unattended mode: process an entire case overnight and come back to the results in the morning
  • Optional single folder or recurse folder
  • Handles unlimited number of templates
  • Templates are portable: develop and share them with colleagues; they can be stored locally or on a network location (e.g. a mapped drive)
  • Supports numerous datatypes including all known date/time formats presently used in SQLite databases
  • User can select and decode columns using built in data types
  • User can selectively extract rows and columns matching any criteria using SQL scripting
  • Decodes Windows FILETIME Date/Time stamps (Big Endian, Little Endian, hexadecimal or numerical)
  • Decodes DOS 32-bit Date/Time stamps (hexadecimal or numerical)
  • Decodes Unix Date/Time stamps (Big Endian, Little Endian, seconds, milliseconds and precision-based formats, hexadecimal or numerical)
  • Decodes MAC Absolute Date/Time stamps
  • Decodes OLE Date/Time stamps
  • Decodes Base64 Encoded Text
  • Decodes PRTIME Date/Time stamps
  • Decodes WEBKIT Date/Time stamps
  • Decodes Julian Date/Time stamps
  • Decodes Display Boolean values (user customisable, Yes/No, True/False)
  • Decodes Uppercase Text
  • Decodes Lowercase Text
  • Decodes Text to Hexadecimal
  • Decodes Integer to Hexadecimal
  • Decodes Display number formatted as filesize (examples: 3 bytes,3GB,3TB)
  • Decodes seconds to hours/minutes/seconds
  • Inexpensive, affordable to both individuals and multiple users, additional discount is available to Law Enforcement & Government
  • Identifies fields containing possible usernames and passwords
  • Advanced Identification not available anywhere else
  • Identifies files that have had their file extensions renamed, a technique used by developers for basic data protection that may also be used for malicious purposes
  • Unicode enabled, reports will export text correctly (arabic etc)
  • SQLite automatically creates reports in HTML and CSV formats decoded as the user specifies
  • Utilises both default (simple SQL processing) and/or advanced user-defined SQL querying, linking and referencing tables for automatic decoding and reporting
  • SQLite is available in English, German, Spanish, French and Indonesian Languages
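The timestamp encodings in the feature list above are all fixed-epoch conversions, which is what makes them mechanical to decode once the encoding is known. As an added example (written for this page, not the product's own code), here is a Python decoder for the FILETIME, WebKit, PRTIME, Unix, Mac absolute and OLE encodings, accepting numeric, hexadecimal-string or raw little-endian byte input, registered as an SQL function on a constructed in-memory SQLite database so that a query can decode columns in place. The table and column names and the stored values are constructed for illustration; the Mac absolute epoch is taken as 2001-01-01 and the OLE epoch as 1899-12-30.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Epoch of each encoding, all interpreted as UTC
EPOCH_1970 = datetime(1970, 1, 1, tzinfo=timezone.utc)   # Unix, PRTIME
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)   # Windows FILETIME, WebKit/Chrome
EPOCH_2001 = datetime(2001, 1, 1, tzinfo=timezone.utc)   # Mac absolute (CFAbsoluteTime)
EPOCH_OLE = datetime(1899, 12, 30, tzinfo=timezone.utc)  # OLE automation date (fractional days)


def to_number(value, byteorder="little"):
    """Accept ints/floats, decimal or 0x-prefixed hex strings, or raw bytes.

    Byte order defaults to little-endian (an assumption; pass "big" for big-endian fields).
    """
    if isinstance(value, (bytes, bytearray)):
        return int.from_bytes(value, byteorder)
    if isinstance(value, str):
        text = value.strip()
        if text.lower().startswith("0x"):
            return int(text, 16)
        return float(text) if "." in text else int(text)
    return value


def decode_timestamp(value, fmt):
    """Convert a raw stored timestamp in encoding `fmt` to an aware UTC datetime."""
    n = to_number(value)
    fmt = fmt.lower()
    if fmt == "unix":            # seconds since 1970
        return EPOCH_1970 + timedelta(seconds=n)
    if fmt == "unix_ms":         # milliseconds since 1970
        return EPOCH_1970 + timedelta(milliseconds=n)
    if fmt == "prtime":          # Mozilla PRTime: microseconds since 1970
        return EPOCH_1970 + timedelta(microseconds=n)
    if fmt == "webkit":          # Chrome/WebKit: microseconds since 1601
        return EPOCH_1601 + timedelta(microseconds=n)
    if fmt == "filetime":        # Windows FILETIME: 100 ns ticks since 1601
        return EPOCH_1601 + timedelta(microseconds=int(n) // 10)
    if fmt == "mac_absolute":    # seconds since 2001-01-01
        return EPOCH_2001 + timedelta(seconds=n)
    if fmt == "ole":             # fractional days since 1899-12-30
        return EPOCH_OLE + timedelta(days=n)
    raise ValueError(f"unknown timestamp encoding: {fmt}")


def iso(value, fmt):
    """ISO-8601 string form, convenient as an SQL function return value."""
    return decode_timestamp(value, fmt).isoformat()


def build_sample_db():
    """Constructed in-memory database imitating a browser history table (WebKit
    microseconds) and a cookie table (FILETIME); names and values are made up."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE urls (url TEXT, last_visit_time INTEGER)")
    con.execute("CREATE TABLE cookies (host_key TEXT, creation_utc INTEGER)")
    con.execute("INSERT INTO urls VALUES (?, ?)", ("http://example.test/", 12964579200000000))
    con.execute("INSERT INTO cookies VALUES (?, ?)", ("example.test", 129645792000000000))
    con.commit()
    # Expose the decoder to SQL so the decoding is expressed as a query
    con.create_function("decode_ts", 2, iso)
    return con


def decoded_timeline(con):
    """Merge both tables into one (source, subject, ISO time) listing ordered by time."""
    return con.execute(
        "SELECT 'urls' AS src, url AS subject, decode_ts(last_visit_time, 'webkit') AS ts FROM urls "
        "UNION ALL "
        "SELECT 'cookies', host_key, decode_ts(creation_utc, 'filetime') FROM cookies "
        "ORDER BY 3, 1"
    ).fetchall()


if __name__ == "__main__":
    for row in decoded_timeline(build_sample_db()):
        print(row)
```

Because every encoding here differs only in epoch and unit, a raw integer's magnitude alone is not always enough to tell encodings apart (Unix seconds from the 1980s overlap with Mac absolute values, for example), which is why the column's encoding is passed explicitly rather than guessed.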

SQLite Forensic Reporter costs $125 per licence and includes free customer support and updates.
www.filesig.co.uk. Discounts are available for government and law enforcement agencies.

More useful software:
www.simplecarver.com

Source: http://www.forensicfocus.com/index.php?name=News&file=article&sid=1749

iLook IXimager: an evaluation of imaging performance


IXimager is the CD-boot data acquisition tool that accompanies the ILook analysis software. It can be built as a floppy, CD or USB boot device, and can acquire data either by imaging or by cloning.

To evaluate IXimager's forensic performance, Sprite and BlueSky used an Apple notebook and tested four interfaces: USB 2.0, FireWire 800, eSATA and USB 3.0. The machine was a MacBook Pro released in 2008, configured with a 2.5GHz Core 2 Duo CPU, 2GB of RAM and a 250GB SATA 5400rpm hard disk. The target disk was a Western Digital WD20EARS 2TB with a 3Gb/s external transfer rate, 5400rpm and 64MB cache.

To obtain the average speed during disk copying, screenshots of the copy speed were taken about 5 and 10 minutes after acquisition started; after 10 minutes the acquisition speed is essentially stable.
The Apple machine has no eSATA or USB 3.0 ports, so these were tested through adapter cards. Testing showed that IXimager directly recognises a variety of PCMCIA adapters and can use existing high-speed interface devices for acquisition.

Test 1: acquisition over USB 2.0

Speed after five minutes:
Speed after 14 minutes:
Average about 1.2GB/minute

Test 2: acquisition over FireWire 800
Speed after five minutes:
Speed after ten minutes:
Average speed about 3.5GB/minute. (Note: on the latest MacBook Pro models, FireWire 800 reaches 4-5GB.)

Test 3: acquisition over eSATA
The Apple machine has no eSATA port; the adapter card below was used in this example.
After 10 minutes the speed stayed above 3GB/minute.
Test 4: acquisition over USB 3.0
The Apple machine has no USB 3.0 port; a USB 3.0 adapter card was used in this example.
After 10 minutes the speed stayed at 3.5GB/minute.

Only Apple machines were tested above. The tests show that IXimager performs very well over FireWire 800, USB 3.0 and eSATA. Because Apple's interfaces are highly standardised, these results apply to MacBook Pro notebooks of every generation, from the earliest to the newest. As IXimager is still under evaluation, these results do not represent its best achievable speed; target disk speed and the performance of the various adapters also affect acquisition speed.

To demonstrate IXimager's performance on a desktop computer, Sprite and BlueSky also tested a 雷神 workstation:
Test machine: 雷神 4 data analysis / password cracking workstation. CPU: Xeon X5680 3.3GHz (dual CPU), RAM: 24GB DDR3, 3 x Nvidia GF590 GPU cards, disk: Western Digital enterprise 1TB SATA, 64MB cache, 7200rpm.

Test results:
USB 2.0  1.9GB/minute
eSATA    125MB/s = 7.5GB/minute
No photographs were taken; they will be appended later.

After testing, Sprite was left with three impressions:
1. For many years there has never been a good imaging tool; IXimager's results are astonishing.
2. USB 2.0 has been holding speed back; the advantages of eSATA, USB 3.0 and FireWire 800 have gone untapped.
3. With CD-boot acquisition reaching these speeds, hardware disk duplicators no longer hold much of an advantage.

Sprite will keep testing and post the various result images for everyone to judge, but overall Sprite has yet to find a tool that beats IXimager's current performance.