Archive for the ‘Windows 7’ Category

HTTPS sites not loading in Windows 8

December 17, 2012

While I am still in the process of tweaking my Windows 8 workstation; apparently Microsoft has decided to block websites that have SSL certificates with keys that are less than 1024 bits.

Untitled

Evidently this not only an issue with Windows 8 (which I presumed) but rather a development with IE 8 and beyond. For the Windows 7; Microsoft did released a patch. While in Windows 8 (thanks to the forums) I did the following work around to get the sites load in the default IE10 provided with Windows 8.

  • Run command prompt with administrator privileges.
  • Execute the following commands

certutil -setreg chain\minRSAPubKeyBitLength 512

–          This will set the minimum allowed key length to 512 bits rather than 1024 bits.

certutil -setreg chain\EnableWeakSignatureFlags 8

–          This flag will not enforce blocking of keys with length less than 1024 bits.

certutil -setreg chain\WeakSignatureLogDir “c:\Under1024KeyLog”

–          This is required when you set the flag described in the previous command to 8. All the keys with length less than 1024 bits will be written to this folder. (Though I have to admit I haven’t found this folder physically :\)

CertUtil

  • After giving my Windows a restart; things started working for me!

Microsoft Knowledge Bases: 2661254, 813444 .

Advertisements

Recovering a stolen USB Drive

October 4, 2012

Am feeling all CSI at the moment! Yesterday; I got involved in an investigation of a USB mass storage device theft. The clue I had at start was the Windows 7 machine from which the device was stolen and a CCTV camera. The video from the CCTV wasn’t much helpful without any supporting evidence from the machine hence my only resort was to dig deep into the machine’s OS and get to some conclusion.

I did what anyone would have done; checking out the event viewer. Unfortunately no such logs about USB devices are recorded there. So I resorted to some Googling.  Once again I owe one to the immense help available out there online on forums and blogs; you can just find any solution these days!  What I did found was that a USB device when plugged into a machine; leaves all kind of traces. These traces includes time stamps, vendor & product ID’s, serial numbers, product make\model etc. Of all these what more internal to forensics is the time stamps! and getting them accurate is the key to get some productivity out of the homework.

I found two really great utilities that helped me in ending the case. USBDeview by Nirsoft and Windows USB Storage Parser by TZWorks LLC. Of these two USBDeview is simple and more efficient and I will tell you here why.

So getting to homework! First get to know your machines and devices well.

Get to know which USB devices are used on a machine

You can get to know by going into the Registry Editor and checking out  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR. This is what you will get.

As from the snap shot you can see; there are a total of three devices used on this machine with the serial numbers mentioned under the product names. Serial numbers are unique and will give you a head start.

USBDeview

So now I know the device, and mapped the serial number as well. I then used a simple utility USBDeview to get the information I required.  The great thing this utility is that It also shows you the details\time stamps etc from the previous dates.

This very efficiently shows the complete details in nicely sorted columns. The important entry that helped me a lot here is the  Last Plus\Unplug time stamp.

Windows USB Storage Parser

This is another great command line tool. This tool will tell you about the different USB devices used on a machine, their vendor\product ID’s along with serial numbers and time stamps. But most important of all this will also tell you the “account name” that mounted the USB device which can really help in forensics.

As you can see in the snap shot above, its pretty well self explanatory. What missing from there is the unmounts event time stamp. That why I mentioned earlier in this blog that the USBDeview holds its ground pretty well and gives us a combined plus\unplug time stamp. This is what helped me in nailing the case.

So to complete the investigating, and to further cement my findings; I used these tools on the suspect’s machine as well and bingo!!! It was all filled up with familiar traces! I rested my case 🙂 !!!


%d bloggers like this: