Free Wipies

New Year’s Eve is almost upon us. Figured I’d close out 2011 with one final post.
Out of a recent post on drive wiping I followed a white rabbit and ended up at the Disk Wiping with dcfldd post at the Anti-Forensics blog.
I’m always on the lookout for tips and techniques when it comes to secure-wiping drives and the post was full of great info regarding use of the dcfldd tool.
When it comes to secure drive (whole-disk) wiping, I’ve still tended to rely on two tools in particular for their ease-of-use and convenience.
The first is Microsoft Windows DISKPART command “Clean all” which “specifies that each and every sector on the disk is zeroed, which completely deletes all data contained on the disk.”
The pro is that the command is very simple to remember and use, and when coupled with a WinPE disk, is dead-simple to effectively wipe out most all drives I encounter.
The second one I love is the CLI tool “wipe.exe” as found in the Forensic Acquisition Utilities set by George M. Garner.
The pro about this one is that it actually includes a progress indicator so you have some degree of feedback on how far you’ve wiped.
I always verify my zero-out wipes when done. For that I prefer to use the sector-viewer tool HxD to scan through the post-wiped drive to ensure it all comes up clean; Frhed - Free hex editor is another nice alternative.
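Paging through a whole drive in a hex editor gets old fast, so here is a small checker (added example, not from the original post or any of the tools above) that does the same verification automatically: it reads an image file or raw device in large chunks and reports the first non-zero byte and how many 512-byte sectors are dirty. It assumes you pass a path such as an image file or, on Windows from an elevated prompt, a raw device like \\.\PhysicalDrive1; it only sees the sectors the operating system exposes, exactly like the wipe tools themselves.

```python
"""Verify that a zero-wipe left nothing behind in the addressable sectors."""
import os
import sys
import tempfile

SECTOR = 512
CHUNK = 4 * 1024 * 1024  # 4 MiB, sector-aligned reads keep the loop fast


def scan_for_nonzero(path, chunk_size=CHUNK):
    """Return (bytes_scanned, first_nonzero_offset, dirty_sector_count).

    first_nonzero_offset is None when every byte read was zero.  Only
    sectors the OS exposes are read: remapped sectors and a Host
    Protected Area are invisible here, as they are to a block-erase tool.
    """
    scanned = 0
    first = None
    dirty_sectors = 0
    with open(path, "rb", buffering=0) as f:
        while True:
            chunk = f.read(chunk_size)
            if not chunk:
                break
            # Fast path: a chunk that is entirely 0x00 needs no further look.
            if chunk.count(0) != len(chunk):
                # Walk the chunk sector by sector so the report maps to LBAs.
                for off in range(0, len(chunk), SECTOR):
                    sector = chunk[off:off + SECTOR]
                    if sector.count(0) != len(sector):
                        dirty_sectors += 1
                        if first is None:
                            first = scanned + off + next(
                                i for i, b in enumerate(sector) if b)
            scanned += len(chunk)
    return scanned, first, dirty_sectors


def make_sample_image(size=8 * SECTOR, leftover_at=None, path=None):
    """Constructed test image (not a real drive): all zeros, optionally with
    one stray 'A' byte at leftover_at to simulate an incomplete wipe."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), "sample.img")
    with open(path, "wb") as f:
        f.write(bytes(size))
        if leftover_at is not None:
            f.seek(leftover_at)
            f.write(b"\x41")
    return path


def report(path, chunk_size=CHUNK):
    """Human-readable summary line for the scan of path."""
    total, first, dirty = scan_for_nonzero(path, chunk_size)
    if first is None:
        return f"{path}: {total} bytes scanned, all zero"
    return (f"{path}: first non-zero byte at offset {first} "
            f"(LBA {first // SECTOR}), {dirty} dirty sector(s)")


if __name__ == "__main__":
    # With no argument, demonstrate on a constructed image instead of a drive.
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_image(
        leftover_at=3 * SECTOR + 17)
    print(report(target))
```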
I also keep a collection of secure file-wipe tools handy as well.  These are useful for when I have a personal document with sensitive info that is no longer needed, or at work where I have successfully recovered a customer’s data from a seriously crashed drive and the files were successfully restored; don’t need to keep those around on the workbench PC.
EraserDrop Portable is an easy-to-use and easy-to-configure tool I find useful to manage large volumes of files/folders needing secure deletion. It is based on Eraser.
Eraser Portable (Portable software for USB, portable and cloud drives) is the portable version of that tool. It is very flexible and powerful, though the interface and job/task “scheduling” might be off-putting to less advanced users. Besides handling wiping of files/folders, it also can wipe free space on a drive.
WipeFile over at Gaijin is a simple and basic file-wipe tool with lots of options. Just launch, set your wipe-preferences, and drag-n-drop your files for wiping.  See the related Gaijin tool WipeDisk as well.
File Shredder is a “new-to-me” secure-wipe tool. It is quite small and consists of two files; the main exe and a dll helper.  The interface is nice and it also includes wiping of free-space.
Ultrashredder is even smaller. Basically just drag-n-drop. While you can set the number of overwrites, you can’t set the pattern.
DPWipe 1.1 by Dirk Paehl is similar to Ultrashredder in the GUI layout, however it does allow selection of the wipe method.
Blowfish Advanced CS. This is an oldie-but-a-goodie which was the very first secure wipe (file and free-space) tool I started using back in my Win98 days. It probably has been surpassed by other tools here but I still keep it around for fond memories.
SDelete is Microsoft Sysinternals’ CLI tool to wipe files as well as zero out free space. I like it particularly well for that second task.
Disk Redactor also handles wiping of all free space on a drive very nicely with a helpful GUI interface.
These are all specialized secure-wipe tools and are pretty easy and convenient to use; a few even have options to integrate into the Windows context-menu shell. However, if you frequently use an alternative Windows file manager (like I prefer to do), there is more than one which includes a handy-dandy “secure-file-wipe” option baked right in!
FreeCommander remains my #1 all-time favorite “multi-pass” tool for Windows file management. It includes a secure wipe action that performs a multi-step wipe of the selected item(s). You can set how many passes you want that routine to run.
Explorer++ also includes a “destroy” option (1 or 3-pass choice) to secure delete selected files/folders.
A43 likewise includes a basic secure-destroy option.
NexusFile has a “shred and delete” feature.
My Commander reminds me in many ways of FreeCommander, and it does have a secure delete action.
Happy New Year!


Make a dual-boot WinPE CD

I’ve been in the workshop for the past several days hammering out a new WinPE product for our technical field-support team.
You may recall from the GSD post WinPE Building and PGP Support Links Updated that I have previously built a highly-customized PGP WDE injected WinPE boot CD to allow our team to manually off-line boot, then authenticate into a PGP v9.x encrypted hard-drive.
Now we are rolling out systems encrypting with PGP Desktop 10.x. Unfortunately v10 isn’t backwards-compatible with v9-encrypted systems.
So I cleared off the workbench and using the techniques I have previously outlined here, built a new customized WinPE boot disk that supports PGP-WDE 10.x.
Only there was one problem: we now have a mixed PGP-WDE environment where some systems are running PGP Desktop v9.x and others are running v10.x.
I started to plan just having the techs carry both WinPE boot disks with them.  But that seemed silly.  The WIM files were both very small.  Too bad I couldn’t include both BOOT.WIM files on the same CD as the rest of the CD structure was identical.
Or could I…..?
I remembered a suggestion Brett had made earlier: with some BCD file editing on a customized WinPE booting USB stick, I could multi-boot different WinPE BOOT.WIM files. We outlined that process in this GSD WinPE Multi-boot a Bootable USB Storage device post. I can tell you it works like a charm.
But surely that doesn’t work for WinPE CDs. That’s crazy talk. Right?
Nope. Works fine.
David over at the “ITC Guy’s Doodles” blog has it all laid out, simple as can be (with screen-shots):
David and I are assuming here you already have the WAIK installed and are long-past the steps regarding building a customized WinPE build or two. If not, check out these GSD posts first for some background if needed:
Once you’ve done that and have your primary WinPE folder structure set as well as your custom BOOT.WIM files ready you basically do this:
  1. Launch your WAIK Deployment Tools Command Prompt (in Windows 7 I chose to run it elevated as Administrator).
  2. Change directories to your WinPE building folder (in my case it was C:\winpe_x86; yours may differ, so adjust the recipe accordingly for your WinPE baking altitude).
  3. Copy into the c:\winpe_x86\ISO\sources folder the BOOT.WIM files you want to include. Note they will need to be named differently. Your first/default booting wim can remain “boot.wim” to keep things easy, but the 2nd (and each additional one if so desired) should be named something more descriptive.
  4. Next you will need to edit the BCD file for the booting build, which is located in C:\winpe_x86\ISO\boot.
  5. Follow David’s steps to make a copy of the default boot entry item to a new second one with a different boot guid. Then you need to “fix” some of the copied sub-items to associate with the new guid value.
  6. Finally, you can rename the default boot item description to something more meaningful.
Use oscdimg to build the ISO file and when you boot it, you should now see your different boot image options appear on the boot selection menu!
I’m not aware of any limitations to the number of different bootable wim files you can have. I suppose that’s mostly limited by the size of your CD/DVD media (if not USB-booting) as well as the size of the custom WIM files themselves.
So for me, I now have one physical bootable CD with two distinct WinPE boot choices…one for PGP v9 and one for PGP v10 support.  Locked and loaded now baby!
In theory, if you weren’t really comfortable with all this CLI work, you could use one of two GUI-based tools to edit the \winpe_x86\ISO\boot\BCD file.
EasyBCD 2.1.2 - NeoSmart Technologies supports WinPE BCD files. There is also an EasyBCD 2.2 Beta Build that may have additional support. Check out the forum as well as this Multiboot WinPE CD - How to specify .WIM forum post for some tips.
In fact, somewhere between eating lunch, listening to a football game, and trying to pay attention to a holiday story Lavie was telling me while I was following David’s steps, my own “descriptions” work for the BCD file got mixed up a bit and I wasn’t getting the custom boot descriptions to appear as desired.
I was able to quickly and easily use the Visual BCD Editor - Windows 7/Vista to clean up the mess I made and get it all put right.  So if you knew what you were doing, you could do it all from the GUI with this tool rather than the CLI.
Anyway, thanks to Brett for his original tip and to David for the walkthrough on making a multi-boot WinPE CD.


Wipies -- Addendum

You may recall that both GSD posts on secure wiping -- Free Wipies and Wipies - Part II (Full Coverage Cleaning) -- were inspired by a blog post by the TinyApps.Org blogger.
Last night I received a kind message from this dear friend pulling my attention back to the deeper issue raised in that post. While this isn’t a completely unknown issue, it is one that can be easily overlooked by the best of sysadmins in our zeal to “secure wipe the darn thing” and get on with our other daily grinds.
The TinyApps how-to post ATA Secure Erase (SE) and hdparm describes an added benefit for those who dare to tread that path and wipe the hard drive through the “enhanced secure erase” option.
(Very) Basically the issue comes down to this: hard drives may have bad sectors that have been found and marked (remapped), as well as a “host protected area” (HPA), both of which can be skipped by many “block-erase” wiping tools and utilities. The end result is the possibility of recoverable data left behind in these areas if a standard block-erase method is used.
So even though you are diligently laying down your randomized data and/or zeros to all the (accessible) sectors of the drive, the drive itself may be actually hiding physical sectors from your software that will not get overwritten no matter how hard you try.
As TinyApps pointed out to me in that message, even the almighty Darik's Boot And Nuke clearly says in its FAQ that it must be used with knowledge of some of these issues:
Does DBAN wipe remapped sectors? - Darik's Boot And Nuke
Does DBAN wipe remapped sectors?
Use the ATA-6 wipe method if you want to wipe remapped sectors. Most methods do not wipe remapped sectors.
Does DBAN wipe the Host Protected Area ("HPA")?
Most vendors that are using the HPA have a toggle for it in the BIOS setup program. Future releases of DBAN may override or dishonor the HPA.
Why not now and why not by default?
Some vendors are using the HPA instead of providing rescue media.
Wiping the HPA would surprise and strand people that expect the HPA to have rescue materials, and it often results in OEM technical support marking and abandoning people that do it. The HPA is a low risk because it is not accessible during normal operations.
DBAN defaults are chosen to best protect people with a minimal understanding of this kind of problem. This point is still open for discussion in the help forum and in the appropriate bug ticket.
That’s not to say this information makes DBAN (or any of the others like it) a bad or faulty tool, just one with some limitations (like most all other block-erase wipe tools) that must be fully understood before deciding if its methods are sufficient for the use at hand.
For example, there are forensic drive access/capture tools that can detect these areas and ensure the investigator is able to respond to them. That’s great news for the good guys and a warning that bad guys can take advantage of this as well: HPA/DCO Detection - WiebeTech Forensic Docks
Here (again) are links to two posts about the HPA/remapped sector issue with drive wiping well worth the read:
I suppose one good place to start is pre-inspecting your drive before you get wiping to better understand what you are dealing with.
There are a few Windows-based tools that I am aware of that can let you look at either/both HPA area(s) as well as DCO info (if they exist).  In most cases, these do require specialized booting of the system either directly with a true DOS disk or a Linux tool to access the drive correctly.
So, that brings us back to either using a combination of tools and methods (first check for the presence of HPA/DCO and address/remove them, then use a block-erase wipe tool) or learning some new techniques for an “all-in-one” wipe method that gets it all.
For “modern” hard disk drives that support this feature the “enhanced secure erase” method may be the only option short of extreme physical destruction (with prejudice and malice aforethought) of the drive to ensure all data is irrevocably cleared from the drive.
The TinyApps “how-to” post is a great starting point for using a Linux Live CD to accomplish the process and understanding what is happening:
It is my understanding that the Windows port of hdparm found in Cygwin may work as well. I’ve seen some forum posts discussing that some versions (the later ones) are better than earlier ones.
Christian Franke has also provided a native Win32 tool version if you just need it without Cygwin.
So, to sum up from my perspective:
  1. If you want to keep the OEM HPA area intact (maybe you have a Dell system with diagnostics loaded there) and plan to recycle the drive/system in your organization, then a simple whole-disk block-erase of the drive may be sufficient. Updating the DCO information probably isn’t necessary and may -- in fact -- help preserve the previously found “bad sectors” info if it is present.
  2. If you plan on giving the drive/system away then you should strongly consider attempting the “enhanced secure erase” method first to see if your drive supports it. If not, then you may have to settle for either a whole-disk block-erase wipe and hope for the best (that there is no sensitive data in any HPA/DCO areas, if present), or use one of many reliable, complete, irrevocable, physically destructive methods.
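Before choosing between the two options above, the pre-inspection step is worth scripting. This added example (mine, not from the TinyApps post or the hdparm project) parses the text that `hdparm -N` and `hdparm -I` print on Linux and turns it into findings: whether an HPA is clipping the drive, whether Secure Erase / Enhanced Secure Erase is supported, and whether the drive is currently frozen (in which case the erase command is refused until a power cycle). The output formats are assumed from hdparm 9.x, and the embedded sample output is constructed, not captured from a real drive.

```python
"""Pre-wipe inspection from hdparm -N / hdparm -I output (Linux)."""
import re
import subprocess
import sys


def parse_hpa(hdparm_n_output):
    """Parse `hdparm -N /dev/sdX` into (current_max, native_max, hpa_enabled)."""
    m = re.search(r"max sectors\s*=\s*(\d+)/(\d+)", hdparm_n_output)
    if not m:
        raise ValueError("no 'max sectors' line: HPA query unsupported or failed")
    current, native = int(m.group(1)), int(m.group(2))
    return current, native, "HPA is enabled" in hdparm_n_output


def parse_security(hdparm_i_output):
    """Parse the 'Security:' block of `hdparm -I` into a dict of flags."""
    flags = {"supported": False, "enabled": False, "locked": False,
             "frozen": False, "enhanced_erase": False,
             "erase_minutes": None, "enhanced_minutes": None}
    in_security = False
    for line in hdparm_i_output.splitlines():
        if line.startswith("Security:"):
            in_security = True
            continue
        if in_security and line and not line[0].isspace():
            break  # reached the next top-level section
        if not in_security:
            continue
        s = line.strip()
        if s == "supported":
            flags["supported"] = True
        elif re.fullmatch(r"(not\s+)?(enabled|locked|frozen)", s):
            # hdparm prints e.g. "not\tfrozen" or just "frozen"
            flags[s.split()[-1]] = not s.startswith("not")
        elif s == "supported: enhanced erase":
            flags["enhanced_erase"] = True
        else:
            m = re.search(r"(\d+)min for SECURITY ERASE UNIT", s)
            if m:
                flags["erase_minutes"] = int(m.group(1))
            m = re.search(r"(\d+)min for ENHANCED SECURITY ERASE UNIT", s)
            if m:
                flags["enhanced_minutes"] = int(m.group(1))
    return flags


def assess(hdparm_n_output, hdparm_i_output):
    """Combine both outputs into findings a sysadmin can act on before wiping."""
    current, native, hpa = parse_hpa(hdparm_n_output)
    sec = parse_security(hdparm_i_output)
    findings = []
    hidden = native - current
    if hpa or hidden > 0:
        findings.append(f"HPA present: {hidden} sectors hidden above LBA "
                        f"{current}; a block-erase wipe will not touch them")
    else:
        findings.append("no HPA: block-erase tools see the full drive")
    if not sec["supported"]:
        findings.append("ATA Security feature set not supported: no Secure Erase")
    else:
        kind = "enhanced" if sec["enhanced_erase"] else "normal"
        mins = sec["enhanced_minutes"] if sec["enhanced_erase"] else sec["erase_minutes"]
        findings.append(f"{kind} Secure Erase supported (~{mins} min); the drive "
                        "firmware erases areas the host cannot address")
        if sec["frozen"]:
            findings.append("drive is FROZEN: Secure Erase will be rejected until "
                            "the drive is power-cycled (suspend/resume often unfreezes)")
        if sec["enabled"]:
            findings.append("a user password is already set; it is needed to erase")
    return findings


# Constructed sample output modelled on hdparm 9.x (not from a real drive):
# a 500 GB drive with a small HPA, enhanced erase supported, but frozen.
SAMPLE_HDPARM_N = """\
/dev/sdb:
 max sectors   = 976771055/976773168, HPA is enabled
"""
SAMPLE_HDPARM_I = """\
Commands/features:
\tEnabled\tSupported:
\t   *\tSMART feature set
Security: 
\tMaster password revision code = 65534
\t\tsupported
\tnot\tenabled
\tnot\tlocked
\t\tfrozen
\tnot\texpired: security count
\t\tsupported: enhanced erase
\t180min for SECURITY ERASE UNIT. 180min for ENHANCED SECURITY ERASE UNIT.
Logical Unit WWN Device Identifier: 5000c5001234abcd
"""


def inspect_device(dev):
    """Query a real device with hdparm (needs root); read-only commands."""
    n_out = subprocess.run(["hdparm", "-N", dev], capture_output=True, text=True).stdout
    i_out = subprocess.run(["hdparm", "-I", dev], capture_output=True, text=True).stdout
    return assess(n_out, i_out)


if __name__ == "__main__":
    # With no device argument, report on the constructed sample instead.
    results = inspect_device(sys.argv[1]) if len(sys.argv) > 1 else assess(
        SAMPLE_HDPARM_N, SAMPLE_HDPARM_I)
    for finding in results:
        print("-", finding)
```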
Hopefully I have covered this sufficiently for you to Google on from here.
If not, as always your comments are welcome and appreciated.
And if anyone knows of any additional Windows/DOS/*Nix tools that can handle “enhanced secure erase” wiping of a modern drive, please leave a tip in the comments.


REMnux: A Linux Distribution for Reverse-Engineering Malware

REMnux is a lightweight Linux distribution for assisting malware analysts in reverse-engineering malicious software. The distribution is based on Ubuntu and is maintained by Lenny Zeltser.

About REMnux

REMnux incorporates a number of tools for analyzing malicious software that runs on Microsoft Windows, as well as browser-based malware, such as Flash programs and obfuscated JavaScript. The toolkit includes programs for analyzing malicious documents, such as PDF files, and utilities for reverse-engineering malware through memory forensics.
REMnux can also be used for emulating network services within an isolated lab environment when performing behavioral malware analysis. As part of this process, the analyst typically infects another laboratory system with the malware sample and redirects the connections to the REMnux system listening on the appropriate ports.
You can learn the malware analysis techniques that make use of the tools installed and pre-configured on REMnux by taking my course on Reverse-Engineering Malware (REM) at SANS Institute.
Originally released in 2010, REMnux was updated to version 3 in December 2011.

What REMnux Is Not

REMnux does not aim to include all malware analysis tools in existence, and omits the utilities designed to work on Windows. If you are looking for a more full-featured Linux distribution that supports a wider range of digital forensic analysis, take a look at SANS Investigative Forensic Toolkit (SIFT) Workstation.

Downloading REMnux

You can download the REMnux distribution as a VMware virtual appliance archive and also as an ISO image of a Live CD. MD5 hash values of the latest files are:

Getting Started With REMnux

Since REMnux is an Ubuntu-based Linux distribution, you need to be familiar with the basic aspects of using Linux to make use of REMnux. The good news is that you don't need to know how to perform system administration tasks to find REMnux useful, since many malware analysis tools are already preinstalled on REMnux. Below are some notes to help you get started with becoming comfortable in REMnux.
To get a sense for the tools installed, configured and tested on REMnux and how to use them for malware analysis, take a look at the REMnux Usage Tips cheat sheet.

Using the REMnux Virtual Appliance

Prior to using REMnux as a VMware virtual appliance, you need to download a VMware product, such as VMware Player, VMware Workstation or VMware Fusion. If using VMware ESX server, you can use the VMware vCenter Converter tool to convert the virtual appliance to the ESX format.
Then, download the REMnux VMware virtual appliance rar file. Extract the file's contents into a dedicated directory using a tool such as "unrar". Open the .vmx file using the virtualization tool, such as VMware Player. The REMnux virtual appliance should start up within your VMware product.
The REMnux virtual appliance is configured to use the "host only" network, isolating the REMnux instance from the physical network. To connect REMnux to the network, for instance, to provide it with Internet access, change the settings of the virtual appliance to the appropriate network, such as "NAT". Then reboot REMnux or issue the "renew-dhcp" command.
If using VMware, you can optionally install VMware Tools in REMnux to automatically adjust the screen size.
You can use other virtualization software, such as VirtualBox, which is able to import VMware virtual machine images. If using VirtualBox you may need to convert the VMware virtual appliance to the VirtualBox format. Alternatively, you can create a new virtual machine using VirtualBox and point it to the hard drive file (.vmdk) that's part of the REMnux virtual appliance.

Malware Analysis Tools Set Up On REMnux

Analyze Flash malware: SWFTools, flasm, flare, RABCDAsm and
Interacting with IRC bots: IRC server (Inspire IRCd) and client (epic5)
Observe and interact with network activities: Wireshark, Honeyd, INetSim, fakedns, fakesmtp, NetCat, NetworkMiner, ngrep, pdnstool and tcpdump
Decode JavaScript: Firefox Firebug, QuickJava and JavaScript Deobfuscator extensions, Rhino debugger, JS-Beautify, SpiderMonkey, V8, Windows Script Decoder and Jsunpackn
Explore and interact with web malware: Firefox Tamper Data and User Agent Switcher extensions, TinyHTTPd, Burp Suite Free Edition, Stunnel, Tor, Jsunpackn and torsocks.
Analyze shellcode: gdb, objdump, Radare, shellcode2exe, libemu's sctest
Examine suspicious executables: upx, packerid, bytehist, DensityScout, xorsearch, xortool, TRiD, ClamAV, ssdeep, md5deep, pescanner and Pyew
Decompile Java programs: Jad, JD-gui
Perform memory forensics: Volatility Framework with malware, timeliner and other modules, AESKeyFinder and RSAKeyFinder.
Handle miscellaneous tasks: unzip, unrar, strings, feh image viewer, SciTE text editor, OpenSSH server, findaes, Xpdf PDF viewer, VBinDiff file comparison/viewer, FreeMind.

Questions on and Improvements to REMnux

Do you have recommendations for making REMnux more useful? If so, please let me know. You can contact me by email or via Twitter. You're welcome to get in touch with me if you have questions regarding using REMnux.

Articles About REMnux

The Password is…

Last week we got a call from one of Lavie’s cousins. She and her husband had suddenly begun getting phone calls from concerned friends as well as strange “undeliverable” email notices.
Mysteriously, at least one email had been sent from their on-line email account to all the recipients in their contacts in batches of ten or so.  Some folks had told them their own security apps had alerted when they tried to follow the link in the email.
It was pretty apparent to the couple that “something” was amiss with their PC but exactly what, they weren’t sure. They had already downloaded a second anti-virus tool and scanned their system with nothing found. They decided to call me to see if I could help them. I recommended they change the password and any security challenge questions immediately which they did, then arranged for a house-call the following day.
I already had a clue on what probably occurred, but went through my full checklist of items as I assessed the system. No rogue processes, no unexpected auto-start items. Additional security scans came through with flying colors.
Then I turned my attention to their email account.  This particular email provider (unfortunately) doesn’t provide any IP-based user sign-in event logging like some other main-stream web-mail providers do. That would have provided golden information.
What we did have is one overlooked original email in the “Sent” folder showing a mail time of 8:15 PM Wed night.  Neither of the couple reported being logged in on the system (or the email) at that time so it seemed fairly certain that is when the event occurred.
I mailed that to myself to look into the URL more later.
They use IE 9 and the system was fully patched. Flash and Java were outdated, but not too bad.
Based on my survey and additional questioning, it appears to me that someone had “hacked” their account using some kind of brute-force attack, then quickly composed at least one email containing a single URL to everyone in their address book. I couldn’t find any evidence of a persistent threat on their system, and based on their feedback, I doubted a cross-site-scripting vulnerability had occurred.
For the really curious, here is a link to the urlQuery (free online URL scanner) findings from that particular URL I found: urlQuery scan result. Turns out that particular link leads to a compromised (?) website serving up fake AV scanner malware via some JavaScript code.  That is why some recipients of the email were likely getting alerts when they visited the site. Sneaky.
Turns out hacking email accounts and appropriating them (even “non-maliciously”) for spamming is big business and a common event for many web-citizens.
This couple -- it turns out -- had been using a very weak password, so it probably fell pretty fast.
Turns out weak passwords remain a common plague.
ISC Diary | Analysis of the Stratfor Password List is another clear warning of this danger.
Steve Ragan posted a simply amazing Report: Analysis of the Stratfor Password List which has crazy fascinating data on passwords and just how weak most of them were, along with his own password cracking work to show just how easy these fall.  See also: Researchers find many weak Stratfor passwords -Naked Security.
And just over the weekend there was this: Zappos customer info is breached. Change your password now! [Updated] - TechBlog via
What is one to do? This maybe?
If you want a quick way to assess the complexity/strength of the passwords you may have stored in your web-browser or some Windows applications, check out the Password Security Scanner freeware tool by NirSoft.
Some highly recommended online locations to check your current password strength against are:
Coming up with a truly secure and complex password can be a major task for some folks. And the web has no dearth of fantastic advice on the subject of what defines a strong password and how to create one.
From SophosLabs via YouTube
And just today, Lifehacker released a super-cool mega-graphic on password selection
Troy Hunt did a series of great, in-depth posts on password selection and science that are must-reads. I’m liking Troy’s writing and analysis and his blog has been added to my RSS must-read feed list.
Those last two points are my takeaways: that nothing is more frustrating than internal application or external website password policies that are weak by design and force me to use a short password, and that the best password is one so damn complex there is no way I can remember it, even under duress.
I prefer to use the longest password the site/application will accept based on character count. (By the way…seriously guys, place your password policy and field limits up front to make this easy to figure out!)
How do I come up with one? I use two tools: a portable password manager application that stores the passwords in an encrypted container, and a utility to generate randomized gobbledygook passwords. In fact, many password managers include a generator as a built-in feature.
I linked to some of the GRC random password generators earlier but these other free portable password generation tools are great:
  • Password Guru - CEZEO Software generates complex and secure passwords with rule filters for length and special characters.
  • Password Generator - Gaijin Software - can generate up to 1000 passwords at once with advanced rule filters. Also includes a password checker to test password strength.
  • Password GeneratorXP - I’ve been using an earlier version of this app for a very long time. Latest version is 1.5, updated in December 2011. Can generate random passwords up to 99 characters long! Rules allow character inclusion/exclusion and support special symbols. Super app.
  • PWGen - Open-Source Password Generator for Windows using AES and SHA-2 cryptography methods. Can support passwords up to a crazy 20,000 characters long, can be fed a word list file if you prefer, and can exclude “ambiguous” characters (like o and 0, l and 1, etc.). It can create up to 1,000,000 passwords at a time based on your rule patterns, or a single password instantly. The included manual file is great reading regarding password security in general and not just the program operation itself.
  • PassworG - Free password generator software - pretty simple to use but strong password generator that might be easier for some folks to use.
So how do you manage these complex passwords?
Pick at least one tool from each category and learn to use them, then use them always.
And for those of you who say “Claus, put all my wicked crazy passwords (from PWGen) in an encrypted database password manager (KeePass) and stick them on my USB drive for fast access? What if I lose it?”
I suppose you could create a TrueCrypt encrypted file, then put the encrypted KeePass database inside it…
Just be sure you select a different crazy complex random password for each of them.
And put them in another password manager for safekeeping in case you forget.


It’s a USB Thing

I was working on a USB project recently and needed to capture an image of a USB device for restoration.
That got me reviewing my pile of USB tools and looking for updates. Found some and a bunch of new-to-me freeware USB tools.
Here you go.
USB Image Tool - alex’s coding playground - updated to v 1.58 with some nice fixes.
ImageUSB - Write an image to multiple USB Flash Drives - PassMark Software - great standalone tool to make/push images of USB flash drive devices. Hard to go wrong with this one!
USB Disk Ejector - Quick And Easy Software - This is a “cutesy” app but seems much easier to me to use than hunting in the system tray for the Windows USB device ejection method. Definitely makes it easier to identify the correct device when more than one is connected and I’m rushing.
Dev Eject - Stop right now and add this one to your utility pile. Seriously. A co-worker has been having problems ejecting USB HDD devices from his XP system and turned to me to figure things out. He didn’t think he had any open calls to the device running and OpenedFilesView didn’t report any clues either. I turned to Dev Eject and immediately found the culprit: Symantec AV seemed to be doing a file-scan (slowly) when he was ejecting the device. More info in this AddictiveTips post: Identify Processes Hindering Removable Media Ejection With Dev Eject.
Use command line to safely remove USB drives by Mike Williams at BetaNews has a lot of clever tips.
Want lots of freeware USB tools? Serious, low level USB tools? CLI USB tools (and then some)?
Uwe Sieber’s got you covered! Drive Tools for Windows
  • RemoveDrive V2.2 - Safe removal of drives
  • RestartSrDev - restarts "Safely Removed" devices which have the "Code 21" problem code
  • EjectMedia V2.2 - ejects a media from a drive
  • ReMount - reassigning mountpoints (change drive letters)
  • ListDosDevices
  • USB-WriteCache V0.1
  • USB Drive Letter Manager - USBDLM (Note: USBDLM is Freeware for private and educational (schools, colleges, universities) use only.)
HotSwap! - Kazuyuki Nakayama - gives more friendly interface than the “Safely Remove Hardware” icon in the system tray does.
USBLogView - NirSoft tool to record all USB devices plugged into a system and logs to a file.
USBDeview v2.00 - NirSoft tool to list all USB devices plugged into a system as well as all USB devices previously used (with details).
RMPrepUSB - Tool to partition and format USB drives and make them bootable. Free for private use only. If you know what you are doing, this tool isn’t needed, but it goes a long way to helping noobies and the author has a large number of tutorials as well. More here: RMPrepUSB – Amazing USB Formatting Tool! - post from AgniPulse, RMPrepUSB: Install Windows on USB, Speed up USB and do more with it via The Windows Club, and RMPrepUSB: Create Bootable Windows/Linux USB, Test R/W Speed & More post via AddictiveTips.
How To Create Customizable Multiboot System Rescue Disk - AddictiveTips post on using SARDU builder to make a multiboot USB tool.


Digital Image\Video Resources

Little bro recently made a Christmas contribution to the “Claus-needs-a-new-hobby” campaign.
While a portion of it does involve me staying up much later each night now (like I needed that bad-habit) reading George R. R. Martin's “Game of Thrones” series on my Kindle, the most recent focus is the coming addition of a Canon PowerShot S95 to my photography tools.
For the longest time I have been seriously looking at the newer digital rangefinder class of cameras and the Olympus PEN E-P1 (Amazon link) fell into my price-point. I’ve yearned for this one for some time, however this particular model has been updated several times (more $$) and the Canon PowerShot S95 (Amazon link) was in the same range (price-wise). Though it also has a newer version, this one just seemed to have many more features (do I really need 1080p video when the S95’s 720p only video may never get used either?).
In the end it was the collection of Flickr: Canon PowerShot S95 group photos that sold me on it along with the smaller (pocket/backpack) format over the E-P1. It came down to me being honest with myself. I can’t take good pictures and improve my technique if I don’t carry the camera with me almost all times to take pictures to begin with…and the S95 is much more pocketable (and less imposing when in use) than the E-P1 or my Canon Rebel XT DSLR. So, photography links on the sidebar have been amended to remove the PEN and add the S95.
Hope to share some pics from it soon.
So, that leads us into these great digital imaging tools I’ve found recently (or have been updated).
Microsoft Research Image Composite Editor (ICE) - This remains my favorite image-stitching tool. Can also handle video stitching techniques: Microsoft ICE update–video to panorama, lens vignette, improved blending - HD View
Hugin - Panorama photo stitcher - This is a new-to-me project. It looks a lot more sophisticated than ICE so I’m looking forward to trying it out as well. It has a lot of control.
Scarab Darkroom - Beta version is free. From the page “Scarab Darkroom is a digital camera raw file converter/photo editor that supports most raw format capable cameras from Canon, Nikon, Olympus, Panasonic, Pentax, Samsung, and Sony. It is fast, easy to use, and produces excellent results. Development is still at the beta version stage.”  My S95 has Raw+JPEG shooting format…. More here at AddictiveTips: Edit And Convert RAW Images To JPG With Scarab Darkroom
It’s been a while since I last posted a roundup of freeware video editing tools: grand stream dreams: Video-Editing Resource Roundup
Here are some new links: Top 3 free video editing software for Windows 7 via The Windows Club links to Avidemux, VirtualDub, and VideoSpin.
What amazes me is that the pro-class Lightworks Open Source Project (free!) for video editing never seems to come up. It is incredible. Is it too complicated? I’m looking forward to shooting some 720p video to experiment with the application.


Utility Updates

Quick linkfest running down some old tools updated and new tools discovered.
Autoruns v11.21: This update to Autoruns fixes a number of minor bugs, including one that could result in a crash when certain scheduled tasks are configured. Microsoft Sysinternals.
Process Explorer v15.12: This update to Process Explorer makes the search dialog asynchronous and reports the types of found items. It also fixes several bugs, including showing a small font when run after an older version, a bug in the restart-process functionality, working set columns not showing data, and again shows information about service processes when run from an unprivileged user account. Microsoft Sysinternals.
Strings v2.42: This Strings release fixes a bug that would result in a crash when the -n or -b options are specified without a file name. Microsoft Sysinternals.

Mark’s Blog: Case of the Installer Service Error: Follow along with Mark in another of his popular ‘Case of the Unexplained’ troubleshooting examples where he retraces the steps of a network administrator who used Process Monitor to figure out why the Windows Intune installer failed on one of his systems and goes on to fix the problem.

Mark’s Blog: The Case of My Mom’s Broken Microsoft Security Essentials Installation: Mark goes deep with the Sysinternals tools to fix a corrupt installation of MSE on his mom’s PC over the holidays.

CSVed 2.2.1 - Now at version 2.2.1. See also NirSoft’s CSVFileView
CCleaner v3.14 - Piriform - System cleaner
Recuva v1.42 - Piriform - File recovery tool
Speccy v1.14 - Piriform - System information collector
CCEnhancer - v 2.5 - SingularLabs - plugin for CCleaner adding support for over 500 additional apps.
JavaRa - v 1.16 - SingularLabs - not updated but a great tool to remove old/redundant versions of JRE. Now under development is the JavaRa 2.0 alpha build which includes updating, removal and some additional bells-n-whistles.
Alternative Flash Player Auto-Updater - interesting tool to help update Adobe Flash Player. The latest builds of Flash Player do have an auto-updating feature baked in but it doesn’t (to me) seem to fire off and find newer builds as quickly as I would like to see. This is an alternative that might work well on friends’ and family PCs.
ISC Diary | Newest Adobe Flash and Previous 0 Day Exploit - Why keeping Flash updated is important…as if we didn’t need a reminder.
Crystal Dew World - lots of updates here including CrystalDiskInfo and CrystalDiskMark
PST Viewer - Free tool to open and view content of PST files without Ms Outlook - Kernel Data Recovery. See also this review: Gave up Microsoft Outlook but need your PST file? There's an app for that - BetaNews. I like this tool in that when I recently had to carve the PST files off a nuked HDD to recover an end-user’s PST files, I got a ton of them. Rather than mounting each one to a working Outlook client profile, I just fired up this tool to inspect them with the user to find out which ones we wanted to attach and which ones were duplicates. Saved a boat-load of time. Could be good for incident responders as well.
Highlighter v1.1.3 Released - Mandiant M-unition blog notice. Download link
Download Batch Compiler - SourceForge - You need to install on a system (not portable) but still could be a great resource for building more complex batch files. See more info here at AddictiveTips: Batch Compiler: Create Batch Scripts & Convert Them To EXE Format
Splashtop Remote Desktop - interesting new tool for remote connection management. See this Splashtop Is A Better Alternative To Windows RDP at Windows7hacker blog.
Windows Live Writer Backup - Codeplex project page - See this Windows Live Writer Backup post at Windows7hacker blog.


File and Folder Linkfest

As we continue the dig-out over here at the Valca link farm we now must turn attention to file and folder management tools.

Track Folder Changes - CodePlex project page - really clever tool still in development that shows (real-time) as files/folders are being changed within a specific folder/directory being monitored. Nice GUI. More information at Track Folder Changes in Real Time Windows7hacker post and Track changes to folders with Track Folder Changes post at freewaregenius.

SearchMyFiles - NirSoft - Soo love this tool! It’s one of my must-haves for file-finding.
Everything Search Engine - Love this one too. Wicked fast but does it by building its own index database. Doesn’t search within files; just file/folder names.

UltraSearch - Freeware for Ultra-Fast File Search - JamSoftware - A bit like Everything but doesn’t build an index database; rather it relies on the MFT. Comes with a portable version.
Locate32 Web Site - Another nice free Windows file indexing application.

eXpress FreshFiles Finder - Super-great tool to quickly find the “freshest” files on a system.
FileProcessor - really powerful tool to find files as well as perform a number of actions on those found files. More info via AddictiveTips: FileProcessor: Set Filters, Search & Perform Batch Actions On Files
SpaceSniffer - Love it to visualize space usage on drives.
GetFolderSize - Interesting tool for scanning file/folder size usage on drives. Different GUI but pretty cool! Spotted via GetFoldersize to Determine the Size of Folders on Your Hard Drive - Windows7hacker.
FolderSize - Jan Horn’s tiny but quick app for folder size reporting.
NoVirusThanks Freeware tools - interesting tools (free and commercial) for Windows system monitoring. Good overview on them here: NoVirusThanks releases four handy system monitoring tools as freeware - Softwarecrew.
TestDisk - CGSecurity - Now at Version 6.13 for file/disk recovery.
ODIN - Open Disk Imager for Windows - interesting GUI/CLI based tool for drive backup and imaging. More info via AddictiveTips: Backup, Restore And Verify Disk Images With ODIN.
Hardwipe | File & Drive Wiper - GSD has had a number of posts already regarding file/drive wiping but this new-to-me tool is worth mentioning here. More info via AddictiveTips: Easily Wipe & Clean Files, Folders And Hard Drives With Hardwipe.
Forensic Riddle #5 – Answer - Hexacorn Blog has been posting a series of great puzzlers; this one leads us to this clever Microsoft resource: Naming Files, Paths, and Namespaces.
TakeOwnershipEx - WinAero - GUI tool that allows you to get full access to files and folders. More info via AddictiveTips: Take Ownership Of Files And Folders In Windows 8.
Kickass Undelete - Browse /Kickass Undelete 1.2 beta - I really like this tool for file recovery. It’s not an all-in-one recovery tool, but is another great utility to keep on your response toolbelt.
WinAero: Librarian - powerful libraries manager for Windows 7. Slick interface and easy tool to use.
BExplorer (Better Explorer) - CodePlex - I want to like this project very much. I’m not feeling the love of the existing Windows 7 explorer menu-bar and this would go a long way to making it more powerful to use. However I’ve also had stability/installation issues on both Win7 x32/x64 systems so while it is on my “watch-list” it isn’t yet installed on my system.
FreeCommander - This alternative dual-pane Windows file manager remains top-of-the-heap on my systems. It is required usage here at GSD. I’ve still not found a better alternative though many come close. The developer is hard at work on a new version and the betas look very slick and powerful; I’m looking forward to whenever the final public release of that one comes out.
My Commander - The interface on this one looks remarkably similar to FreeCommander. It comes in both 32bit and 64 bit flavors. It is quite nice and would probably be a close runner-up.
NexusFile: File Manager for Windows - This is one with GUI attitude. Want a nice “dark” look? This is it.
Explorer++ - I like this one as a USB stick alternative. Constantly updated and in both x32/x64 flavors it is a single EXE file which makes it nicely portable.
A43 - this was my original love in alternative Windows file managers. It remains alive in development and has a lot of handy plugins in a format that others don’t seem to offer. Check it out.