some awesome stuff daa !
http://virgintech.blogspot.com/2008/10/send-secret-email.html
Wednesday, November 12, 2008
malicious Chat messages heysan.com
If you are getting messages on Your Messenger Like this:
" I just tagged you in a photo on heysan, you look great! Check it out here http://i.heysan.com/LMnRGyG"
and other one says
"just stole your cookies! Get them back here http://i.heysan.com/qDOL****"
"Person-I-know has uploaded your photo. Click on the link http://i.heysan.com/YEyw4Sy4 to see it!”
"I found a cool site called Heysan. It lets me chat on my phone free! Visit it at http://i.heysan.com/118c771156"
"It lets me chat on my phone free! Visit it at http://i.heysan.com/ 118c7711566dd8"
"something in your scrapbook, check it out http://i.heysan.com/7rbc6Ar4"
or offlines like this
[your friend name]: [your name/ID] wants to battle you. Accept the battle here: http://i.heysan.com/OfO79VQa
These messages were sent while you were offline.
11:18 PM
[your friend name]: [your frds id] just uploaded a new photo on heysan. Check it out at http://i.heysan.com/Q5n5fmii
Don't Click on these type of links.
This messages are because of vulnerability in Heysan.com.
Once you click on any of this messages your buddy list will also start receiving the similar messages.
Spread this message to all of your friend to safeguard them.
p.s: This messages are because of vulnerability in Heysan.com. Heysan.com is similar website like ebuddy which provide messenger services.
Heysan is not a virus or a fishing site, heysan is a mobile IM site that enables users to use their IM on their phone.
" I just tagged you in a photo on heysan, you look great! Check it out here http://i.heysan.com/LMnRGyG"
and other one says
"just stole your cookies! Get them back here http://i.heysan.com/qDOL****"
"Person-I-know has uploaded your photo. Click on the link http://i.heysan.com/YEyw4Sy4 to see it!”
"I found a cool site called Heysan. It lets me chat on my phone free! Visit it at http://i.heysan.com/118c771156"
"It lets me chat on my phone free! Visit it at http://i.heysan.com/ 118c7711566dd8"
"something in your scrapbook, check it out http://i.heysan.com/7rbc6Ar4"
or offlines like this
[your friend name]: [your name/ID] wants to battle you. Accept the battle here: http://i.heysan.com/OfO79VQa
These messages were sent while you were offline.
11:18 PM
[your friend name]: [your frds id] just uploaded a new photo on heysan. Check it out at http://i.heysan.com/Q5n5fmii
Don't Click on these type of links.
This messages are because of vulnerability in Heysan.com.
Once you click on any of this messages your buddy list will also start receiving the similar messages.
Spread this message to all of your friend to safeguard them.
p.s: This messages are because of vulnerability in Heysan.com. Heysan.com is similar website like ebuddy which provide messenger services.
Heysan is not a virus or a fishing site, heysan is a mobile IM site that enables users to use their IM on their phone.
Friday, May 30, 2008
how-to-remove-orkut-is-banned-virus
A few months ago, while surfing the net and trying to open Orkut i got a strange message on my computer screen which said “Orkut is banned you fool, The administrators didnt write this program guess who did?? MUHAHAHA!!” and the browser closed. I didnt think it was a virus as i had AVG installed on my system and i had faith in it. I tried it on different machines which were part of the Local Area Network and each gave the same message while opening Orkut and Youtube. Each machine had AVG or Norton installed. I ran an Antivirus scan and it also didnt detect any virus or spyware. I decided to search on the net for this problem and thats when i discovered that my computer was infected with the W32.USBWorm virus which displayed such messages while opening Orkut and Youtube. Here are a few simple steps which you can follow to remove this virus if this has infected your system too.
*
o Open the Task Manager by pressing Ctrl + Alt + Del and go to processes tab
o Locate svchost.exe under the image name. There will be many processes by that name but look for the ones which have your username under the username. Just kill these processes by pressing Del key.Only kill those which have your username under the username and leave the rest
o Open the run command and type C:\heap41a and press enter. This is a hidden folder. Delete all the contents of this folder
o Open the registry by typing regedit in the run box
o Search for heap41a in the registry by using the find command
o You will get something like this “[winlogon] C:\heap41a\svchost.exe C:\heap(some number)\std.txt“. Just delete the entries by pressing the del key
o Close the registry editor
Now the virus will be gone. The virus mainly spreads through USB disks so be sure to delete Autorun.inf file and any folder which has a .exe extension in the pen drive you use. Avast and Nod32 are able to detect it. Even AVG, Norton and macfee failed to detect it.
The above mentioned are not guaranteed to work everytime. In one of my machines, the virus disabled the Task Manager and registry editor also so i was unable to perform the above steps. In such cases, try doing a full system scan with Avast in the boot mode and delete all files which are infected. If a lot of system files get infected, then you would have to format your computer to remove it successfully. The viruse also spreads quicly through Flash drives and Local Area Network so always scan the flash disks in such cases.
With so many viruses being discovered everyday, it becomes difficult to protect your PC completely. The best you can do prevent such things is to use an Antivirus and keep it updated. Have you ever been infected by this virus? What measures do you use to protect your PC from such malwares?
copied from http://www.whoismadhur.com/2007/11/16/how-to-remove-orkut-is-banned-virus/
*
o Open the Task Manager by pressing Ctrl + Alt + Del and go to processes tab
o Locate svchost.exe under the image name. There will be many processes by that name but look for the ones which have your username under the username. Just kill these processes by pressing Del key.Only kill those which have your username under the username and leave the rest
o Open the run command and type C:\heap41a and press enter. This is a hidden folder. Delete all the contents of this folder
o Open the registry by typing regedit in the run box
o Search for heap41a in the registry by using the find command
o You will get something like this “[winlogon] C:\heap41a\svchost.exe C:\heap(some number)\std.txt“. Just delete the entries by pressing the del key
o Close the registry editor
Now the virus will be gone. The virus mainly spreads through USB disks so be sure to delete Autorun.inf file and any folder which has a .exe extension in the pen drive you use. Avast and Nod32 are able to detect it. Even AVG, Norton and macfee failed to detect it.
The above mentioned are not guaranteed to work everytime. In one of my machines, the virus disabled the Task Manager and registry editor also so i was unable to perform the above steps. In such cases, try doing a full system scan with Avast in the boot mode and delete all files which are infected. If a lot of system files get infected, then you would have to format your computer to remove it successfully. The viruse also spreads quicly through Flash drives and Local Area Network so always scan the flash disks in such cases.
With so many viruses being discovered everyday, it becomes difficult to protect your PC completely. The best you can do prevent such things is to use an Antivirus and keep it updated. Have you ever been infected by this virus? What measures do you use to protect your PC from such malwares?
copied from http://www.whoismadhur.com/2007/11/16/how-to-remove-orkut-is-banned-virus/
How to remove Virus from USB Drives
One of the ways by which a virus can infect your PC is through USB/Pen drives. Common viruses such as ’Ravmon’ , ‘New Folder.exe’, ‘Orkut is banned’ etc are spreading through USB drives. Most anti virus programs are unable to detect them and even if they do, in most cases they are unable to delete the file, only quarantine it. Here are the things which you can do if you want to remove such viruses from your USB drives
Whenever you plug a USB drive in your system, aautorun window will appear !
Don’t click on Ok , just choose ‘Cancel’. Open the Command Prompt by typing ‘cmd‘ in the run box. In the command prompt type the drive letter: and press enter . Now type dir /w/a and press enter.
This will display a list of the files in the pen drive. Check whether the following files are there or not
* Autorun.inf
* Ravmon.exe
* New Folder.exe
* svchost.exe
* Heap41a
* or any other exe file which may be suspicious.
If any of the above files are there, then probably the USB drive is infected. In command prompt type attrib -r -a -s -h *.* and press enter. This will remove the Read Only, Archive, System and hidden file attribute from all the files. Now just delete the files using the command del filename. example del Ravmon.exe. Delete all the files that are suspicious. To be on a safer side, just scan the USB drive with an anti virus program to check whether it is free of virus or not. Now remove the drive and plug it again. In most of the cases, the real culprit turns out to be the “Autorun.inf” file which mostly gets executed when someone clicks Ok in the dialog window which appears above. Thus the infections can spread
Security Tip
Disable the Autoplay feature of USB drives. If you disable the Autoplay feature of USB drives, then there are lesser chances of the virus spreading. A tool which can perform such a function is Tweak UI. Download it from here install it.
Tweak UI
Run the program. Now you can disable the Autoplay feature of the removable drives as shown above. By following the above steps, you can keep your USB drives clean. If there are any other methods which you use, then share it with me through comments.
Whenever you plug a USB drive in your system, aautorun window will appear !
Don’t click on Ok , just choose ‘Cancel’. Open the Command Prompt by typing ‘cmd‘ in the run box. In the command prompt type the drive letter: and press enter . Now type dir /w/a and press enter.
This will display a list of the files in the pen drive. Check whether the following files are there or not
* Autorun.inf
* Ravmon.exe
* New Folder.exe
* svchost.exe
* Heap41a
* or any other exe file which may be suspicious.
If any of the above files are there, then probably the USB drive is infected. In command prompt type attrib -r -a -s -h *.* and press enter. This will remove the Read Only, Archive, System and hidden file attribute from all the files. Now just delete the files using the command del filename. example del Ravmon.exe. Delete all the files that are suspicious. To be on a safer side, just scan the USB drive with an anti virus program to check whether it is free of virus or not. Now remove the drive and plug it again. In most of the cases, the real culprit turns out to be the “Autorun.inf” file which mostly gets executed when someone clicks Ok in the dialog window which appears above. Thus the infections can spread
Security Tip
Disable the Autoplay feature of USB drives. If you disable the Autoplay feature of USB drives, then there are lesser chances of the virus spreading. A tool which can perform such a function is Tweak UI. Download it from here install it.
Tweak UI
Run the program. Now you can disable the Autoplay feature of the removable drives as shown above. By following the above steps, you can keep your USB drives clean. If there are any other methods which you use, then share it with me through comments.
Sunday, April 27, 2008
Prevent your Orkut account from Hacking
Here are some points you need to take care of, to prevent your Orkut account being hacked !!!!
Java script: You must have seen the circulating scraps that asks you to paste this code in your address bar and see what happens! Well sometimes they also leak out your information. Check the code and if you are unsure of what to do, then I recommend not to use it.
Community Links: Many times you are provided with a link to a community in a scrap. Read the link carefully, It may be something like http://www.okrut.com/Community.aspx?cmm=22910233 OKRUT not ORKUT. Clicking on this link will take you to a fake login page and there you loose up your password.
Phishing Attack is the most popular way of stealing other's password. Popular by the name of fake login (among those who knows it) the users land on a page where they are asked for their login information and they enter their username and password thinking it to be a real page but actually it is other way round. It submits all the details entered to the programmer or the coder.
Orkut New Features: I have come across a page that looks like they are giving the user a choice of selecting new features for orkut with your ID and password, of course!! When user submit the page, there goes his ID and password mailed to the coder
Primary mail address: If by some means a hacker came to know password of your Yahoo mail or Gmail, which users normally keeps as their primary mail address in their Orkut account, then hacker can hack Orkut account by simply using USER ID and clicking on 'forget password'.This way Google will send link to the already hacked primary email id to change the password of the Orkut account. Hence the email hacker will change your Orkut account's password. Hence your Orkut account hacked too.
So a better thing would be to keep a very unknown or useless email id of yours as primary email id so that if the hacker clicks on 'Forgot password' the password changing link goes to an unknown email id i.e. not known to the hacker.
Java script: You must have seen the circulating scraps that asks you to paste this code in your address bar and see what happens! Well sometimes they also leak out your information. Check the code and if you are unsure of what to do, then I recommend not to use it.
Community Links: Many times you are provided with a link to a community in a scrap. Read the link carefully, It may be something like http://www.okrut.com/Community.aspx?cmm=22910233 OKRUT not ORKUT. Clicking on this link will take you to a fake login page and there you loose up your password.
Phishing Attack is the most popular way of stealing other's password. Popular by the name of fake login (among those who knows it) the users land on a page where they are asked for their login information and they enter their username and password thinking it to be a real page but actually it is other way round. It submits all the details entered to the programmer or the coder.
Orkut New Features: I have come across a page that looks like they are giving the user a choice of selecting new features for orkut with your ID and password, of course!! When user submit the page, there goes his ID and password mailed to the coder
Primary mail address: If by some means a hacker came to know password of your Yahoo mail or Gmail, which users normally keeps as their primary mail address in their Orkut account, then hacker can hack Orkut account by simply using USER ID and clicking on 'forget password'.This way Google will send link to the already hacked primary email id to change the password of the Orkut account. Hence the email hacker will change your Orkut account's password. Hence your Orkut account hacked too.
So a better thing would be to keep a very unknown or useless email id of yours as primary email id so that if the hacker clicks on 'Forgot password' the password changing link goes to an unknown email id i.e. not known to the hacker.
Restoring System against common attacks !
Registry editing has been disabled
If you ever encountered above error, i.e. "Registry editing has been disabled by your administrator" on Windows XP or any other Windows NT Operating system, this may help you.
I have encountered the above error while patching registry. Even manual "regedit" was not working.
Here is simple solution.
Click "Start >> Run" or press "[window key + R ]" and type this command exactly as given below (or you can copy-paste it too)
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
Folder Options Disabled
Go to run
Type "control folders"
If it doesnt work, try:
Solution 1:
->Run -> Type gpedit.msc
Then:->User Configuration ->Administrative Templates --> Windows Components --> Windows Explorer-> Removes the Folder Options menu item from the Tools menu.
Right click:-> Properties -> Disable ->Apply -> Again set it to not configured
Solution 2:
Go to Startmenu->Run and enter regedit there and press ok to execute regedit (registry editor).
There you’ll see a tree like structure of folders like stuff in left.
There navigate to registry entry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
and on right side you’ll see many values.
Out of these values in right see a value (key) named “NoFolderOptions” .Double click after highlighting it, if there under value box it’s written 1 then change it to 0 and press enter. Exit the registry editor and close any folder and open again to see the settings.
If you want to disable Folder Options then set the value of “NoFolderOptions” to 1 (and to retrieve it back change it to 0).
Orkut is banned u fool..MUHAHAHA...
How to fix the Orkut is banned you fool! Virus
Orkut is banned you fool, The administrators didnt write this program guess who did?? MUHAHAHA!!! with title ORKUT IS BANNED.
Well, a similar message was displayed for YouTube also.
Solution given here:
1. Press CTRL+ALT+DEL and go to the processes tab
2. Look for svchost.exe under the image name. There will be many but look for the ones which have your username under the username
3. Press DEL to kill these files. It will give you a warning, Press Yes
4. Repeat for more svchost.exe files with your username and repeat. Do not kill svchost.exe with system, local service or network service!
5. Now open My Computer
6. In the address bar, type C:\heap41a and press enter. It is a hidden folder, and is not visible by default.
7. Delete all the files here
8. Now go to Start --> Run and type Regedit
9. Go to the menu Edit --> Find
10. Type "heap41a" here and press enter. You will get something like this "[winlogon] C:\heap41a\svchost.exe C:\heap(some number)\std.txt"
11. Select that and Press DEL. It will ask "Are you sure you wanna delete this value", click Yes
12. Now close the registry editor.
Now the virus is gone. But be sure to delete the autorun.inf file and any folder whose name ends with .exe in the pen drive.
UPDATE
It seems that they have named this malware as w32.USBWorm and according my friend, Avast is able to detect and remove it. I hope the other antivirus software will also be able to remove it soon.
Remove ntde1ect.com virus=show hidden files problem
First method
1) Open up Task Manager (Ctrl-Alt-Del)
2) If wscript.exe is running, end it.
3) If explorer.exe is running, end it.
4) Open up “File | New Task (Run)” in the Task manager
5) Run cmd
6) Run the following command on all your drives by replacing c:\ with other drives in turn
del c:\autorun.* /f /a /s /q
7) Go to your Windows\System32 directory by typing cd c:\windows\system32
8) Type dir /a avp*.*
9) If you see any files names avp0.dll or avpo.exe or avp0.exe, use the following commands to delete each of them:
attrib -r -s -h avpo.exe
del avpo.exe
10) Use the Task Manager’s Run command to fire up regedit
11) Navigate to HKEY_CURRENT_USER \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run
12) If there are any entries for avpo.exe, delete them.
13) Do a complete search of your registry for ntde1ect.com and delete any entries you find.
14) Restart your computer.
Second method
RUN>> type "regedit"(without quotes) & press enter >> then go to>>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\
Now u can see two keys CheckedValue and DefaultValue
Double Click on CheckedValue and set the value 1 from 0
Double Click on DefaultValue and set the value 2 from 1
Now exit and watch
If you ever encountered above error, i.e. "Registry editing has been disabled by your administrator" on Windows XP or any other Windows NT Operating system, this may help you.
I have encountered the above error while patching registry. Even manual "regedit" was not working.
Here is simple solution.
Click "Start >> Run" or press "[window key + R ]" and type this command exactly as given below (or you can copy-paste it too)
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
Folder Options Disabled
Go to run
Type "control folders"
If it doesnt work, try:
Solution 1:
->Run -> Type gpedit.msc
Then:->User Configuration ->Administrative Templates --> Windows Components --> Windows Explorer-> Removes the Folder Options menu item from the Tools menu.
Right click:-> Properties -> Disable ->Apply -> Again set it to not configured
Solution 2:
Go to Startmenu->Run and enter regedit there and press ok to execute regedit (registry editor).
There you’ll see a tree like structure of folders like stuff in left.
There navigate to registry entry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
and on right side you’ll see many values.
Out of these values in right see a value (key) named “NoFolderOptions” .Double click after highlighting it, if there under value box it’s written 1 then change it to 0 and press enter. Exit the registry editor and close any folder and open again to see the settings.
If you want to disable Folder Options then set the value of “NoFolderOptions” to 1 (and to retrieve it back change it to 0).
Orkut is banned u fool..MUHAHAHA...
How to fix the Orkut is banned you fool! Virus
Orkut is banned you fool, The administrators didnt write this program guess who did?? MUHAHAHA!!! with title ORKUT IS BANNED.
Well, a similar message was displayed for YouTube also.
Solution given here:
1. Press CTRL+ALT+DEL and go to the processes tab
2. Look for svchost.exe under the image name. There will be many but look for the ones which have your username under the username
3. Press DEL to kill these files. It will give you a warning, Press Yes
4. Repeat for more svchost.exe files with your username and repeat. Do not kill svchost.exe with system, local service or network service!
5. Now open My Computer
6. In the address bar, type C:\heap41a and press enter. It is a hidden folder, and is not visible by default.
7. Delete all the files here
8. Now go to Start --> Run and type Regedit
9. Go to the menu Edit --> Find
10. Type "heap41a" here and press enter. You will get something like this "[winlogon] C:\heap41a\svchost.exe C:\heap(some number)\std.txt"
11. Select that and Press DEL. It will ask "Are you sure you wanna delete this value", click Yes
12. Now close the registry editor.
Now the virus is gone. But be sure to delete the autorun.inf file and any folder whose name ends with .exe in the pen drive.
UPDATE
It seems that they have named this malware as w32.USBWorm and according my friend, Avast is able to detect and remove it. I hope the other antivirus software will also be able to remove it soon.
Remove ntde1ect.com virus=show hidden files problem
First method
1) Open up Task Manager (Ctrl-Alt-Del)
2) If wscript.exe is running, end it.
3) If explorer.exe is running, end it.
4) Open up “File | New Task (Run)” in the Task manager
5) Run cmd
6) Run the following command on all your drives by replacing c:\ with other drives in turn
del c:\autorun.* /f /a /s /q
7) Go to your Windows\System32 directory by typing cd c:\windows\system32
8) Type dir /a avp*.*
9) If you see any files names avp0.dll or avpo.exe or avp0.exe, use the following commands to delete each of them:
attrib -r -s -h avpo.exe
del avpo.exe
10) Use the Task Manager’s Run command to fire up regedit
11) Navigate to HKEY_CURRENT_USER \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run
12) If there are any entries for avpo.exe, delete them.
13) Do a complete search of your registry for ntde1ect.com and delete any entries you find.
14) Restart your computer.
Second method
RUN>> type "regedit"(without quotes) & press enter >> then go to>>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\
Now u can see two keys CheckedValue and DefaultValue
Double Click on CheckedValue and set the value 1 from 0
Double Click on DefaultValue and set the value 2 from 1
Now exit and watch
Saturday, April 26, 2008
The science of computer forensics
This week, I am introducing some tools used in computer forensics and investigations. This will probably be so much “ho-hum” to those of you already in the trade, but I thought this would be of interest to other TechRepublic members.
As usual, I have linked to specific products that I’m familiar with. Some readers have previously expressed concern that it represents unfair advertising. All I can say is that I don’t get paid for linking to anyone, but have personally found that I learn faster when pointed to actual products with specifications and prices to refer to.
Feel free to suggest other such products in the comments section.
HotPlug
The HogPlug device basically allows a running computer to be seized and brought back to a computer forensic lab for further study — without having to first shut it off.
Assuming a suspect could be caught by surprise when using his terminal, it is a means to effectively circumvent any disk encryption as well as login passwords or biometric schemes that might be in place.
Used together with a fully-charged UPS, the connectors are slipped into place when the system is still running. When main power is switched off, the power load will be transparently switched over to the UPS. The entire system — with the UPS, can then be loaded onto a trolley to be carted off.
Extrication from a power strip is literally a plug-and-switch event. For systems plugged directly into a wall socket, some dismantling of the face place is required. Check out the demonstration video at the top for the power strip method, or click here for the advanced method — it’s quite fascinating, really.
Write protection devices
As their name suggests, write protection devices actively prevent the writing of data onto the attached hard disk. It works on the hardware level by directly blocking write commands — be it while duplicating the data or performing a forensic analysis.
You can also use it as a way to protect your portable hard disk when transferring files to an unknown or hostile environment.
The DriveLock line supports data protection and enables blocking hard drives of various kinds such as IDE, laptop drives, Serial ATA and flash cards connected through a computer’s P-ATA interface, PCI Card, USB, and FireWire ports.
ICS sells a whole bunch of write-protect devices for various hard disk interfaces. This ranges from SATA to IDE and even compact flash readers. You can check it out here.
Mouse Jiggler
This nifty little device represents yet another reason why screen saver passwords are a flimsy deterrence at best. When plugged into a USB port, it emulates a mouse, albeit one that moves autonomously.
The movement effectively prevents a system from automatically switching to a screen saver, or from going into suspend mode.
Wiebetech sells two versions, including a “Slow Jiggler” in which the mouse movement is barely perceptible. With it, an investigator is able to continue working simultaneously from a real mouse. There is also a “Fast Jiggler,” whose only use is as part of a practical joke.
The Mouse Jiggler was originally designed to be used in tandem with the HotPlug to seize computers.
Network Taps
As the name suggests, a network tap allows an investigator to sample all traffic on a network while remaining undetected. These phantom devices are not addressable and are designed with the sole role of replicating transmission streams out via a monitoring port. Physical access to the actual cables is required, though. Network tapes are generally available for both copper and fiber solutions and for networks of varying speeds.
Do note that some higher-end network switches come with a “monitoring port” that can be used to the same effect.
catch this at http://blogs.techrepublic.com.com/security/?p=437&tag=rbxccnbtr1 !
As usual, I have linked to specific products that I’m familiar with. Some readers have previously expressed concern that it represents unfair advertising. All I can say is that I don’t get paid for linking to anyone, but have personally found that I learn faster when pointed to actual products with specifications and prices to refer to.
Feel free to suggest other such products in the comments section.
HotPlug
The HogPlug device basically allows a running computer to be seized and brought back to a computer forensic lab for further study — without having to first shut it off.
Assuming a suspect could be caught by surprise when using his terminal, it is a means to effectively circumvent any disk encryption as well as login passwords or biometric schemes that might be in place.
Used together with a fully-charged UPS, the connectors are slipped into place when the system is still running. When main power is switched off, the power load will be transparently switched over to the UPS. The entire system — with the UPS, can then be loaded onto a trolley to be carted off.
Extrication from a power strip is literally a plug-and-switch event. For systems plugged directly into a wall socket, some dismantling of the face place is required. Check out the demonstration video at the top for the power strip method, or click here for the advanced method — it’s quite fascinating, really.
Write protection devices
As their name suggests, write protection devices actively prevent the writing of data onto the attached hard disk. It works on the hardware level by directly blocking write commands — be it while duplicating the data or performing a forensic analysis.
You can also use it as a way to protect your portable hard disk when transferring files to an unknown or hostile environment.
The DriveLock line supports data protection and enables blocking hard drives of various kinds such as IDE, laptop drives, Serial ATA and flash cards connected through a computer’s P-ATA interface, PCI Card, USB, and FireWire ports.
ICS sells a whole bunch of write-protect devices for various hard disk interfaces. This ranges from SATA to IDE and even compact flash readers. You can check it out here.
Mouse Jiggler
This nifty little device represents yet another reason why screen saver passwords are a flimsy deterrence at best. When plugged into a USB port, it emulates a mouse, albeit one that moves autonomously.
The movement effectively prevents a system from automatically switching to a screen saver, or from going into suspend mode.
Wiebetech sells two versions, including a “Slow Jiggler” in which the mouse movement is barely perceptible. With it, an investigator is able to continue working simultaneously from a real mouse. There is also a “Fast Jiggler,” whose only use is as part of a practical joke.
The Mouse Jiggler was originally designed to be used in tandem with the HotPlug to seize computers.
Network Taps
As the name suggests, a network tap allows an investigator to sample all traffic on a network while remaining undetected. These phantom devices are not addressable and are designed with the sole role of replicating transmission streams out via a monitoring port. Physical access to the actual cables is required, though. Network tapes are generally available for both copper and fiber solutions and for networks of varying speeds.
Do note that some higher-end network switches come with a “monitoring port” that can be used to the same effect.
catch this at http://blogs.techrepublic.com.com/security/?p=437&tag=rbxccnbtr1 !
Subscribe to:
Posts (Atom)
