If you tell enough stories, perhaps the moral will show up.


Trees from Whips

The last thing I did before I was locked up was plant some fresh ash whips. I smeared off the lower buds, stuck them eight or ten inches in, wrapped rabbit guards round, and bundled in threes in the hope that one will grow. I've tried hazel in some hedges and they look like they're going to break out, so we'll see.

Hospital Protocols

I spent last week in hospital with an infected joint; I've had to find out about StickyKeys, and I'm using the mouse wrong-handed. I didn't feel ill, I just had to be around for regular surgery and IV penicillin, so there was a lot of time to kill with no desk, no computer, no Internet and one or two compromised hands (you can't read when your hands hurt and you haven't got a desk).

Better people than I am would have done something useful with all this time. I just wished it was finished. But I saw a lot of security protocols:

  • When you are prepped for a local anaesthetic, it's the same as for general: eight hours starvation. For why? So you can conveniently be put right under when it all goes tits.
  • Every single person who planned to do anything substantial at all asked me whether I was allergic to anything. Every time. I was the second longest term resident on the ward at the end, and the nurse who'd infused the same prescription all week still asked the same question every time.
  • Everybody asks your name and date of birth, and then checks the band on your wrist. Every time.
I got pretty sick of this and I was brewing up some smart answers. Until the porters turned up to collect the appendectomy next to me. He was starving and ready to go. They asked his name. Wrong guy. I love security protocols.


Light Feet on the Drive

OK -- the scenario is that you really, really want to know what's on a Windows workstation hard drive -- you plan to look in the IE cache, system logs, registry, SAM, etc. You can't/won't be arsed to image it and work on the image and you are not going to take this rather urgent moment to learn about excellent Linux based tools. But you do want to take all reasonable precautions. (What's reasonable? I'm less sure than I was after reading this document. It's a normally reliable source, but the example scenario contains an eyepopping amount of work on a live system. Maybe evidence rules are different in the States. My approach is to kill the disk and only ever read from it.) Here's the plan.

  1. Prepare an investigation machine. You need a computer with Internet access where you can work privately. You also need a USB disk housing that will fit the disk in question. Maplin do an IDE/SATA for 3 1/2 inch disks, while 2 1/2 inch laptop disks still seem to be small format IDE and there are lots of housings for those. Since we really don't want to write to the evidence disk, run the Read Only registry file below, and test that you can't write to a scratch USB device. Load tweakui (Microsoft Powertoys) and make sure that you're not set to autoplay anywhere to reduce the risk of malwaring your investigation machine.
  2. Give the job a name. The Remedy number, "2007 02 Hotmail Complaint" -- whatever.
  3. Get a chain of custody log. The idea here is that you have a collection of evidence for the investigation, and as you collect each item, you sign it out and back in when you return it, so that you can swear to where anything was at any future tribunal.
  4. Get a log book. Or open a file, or something, anything where you can write everything down. Computer records are good here as you can paste in log entries and images. Finish each day with next steps so you don't forget, then print the day's record, and sign and date each page. Enter it into your evidence store.
  5. Pull the power on the workstation. Record make, model and serial number. Remove the disk, and record the make, model and serial. Put this diskless carcass into your evidence store with a label that says "2007 02 Hotmail Complaint Exhibit A". You shouldn't need to boot it, but you never know. Anyway it's evidence.
  6. The disk is Exhibit B. Log it, and sign it out to yourself. Mount it in the USB housing. Check that you've run readonly.reg on your investigation machine. Plug it in and make sure it comes up on your investigation machine. Don't let it autoplay.
  7. Where you go now is up to you. Check the tools below to look at Windows file contents, and there are others to look at file times.
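A small ledger in the spirit of steps 3 and 4, added here as an example and not a tool from the post: it refuses a double sign-out or a return by someone other than the holder, keeps a day sheet you can print, sign and date, and chains each entry to the previous one with a SHA-256 so the signed sheet can later be checked against the file. The class and method names and the hash chain are my additions; the case name and exhibit labels follow the post's own scheme, and the sample entries are constructed.

```python
"""Chain-of-custody ledger for a DIY investigation.

Added example (hypothetical helper, not a tool from the post). Entries are
hash-chained so a printed, signed day sheet can be checked against the file.
"""
import hashlib
import json
import time


class CustodyError(Exception):
    """An exhibit was signed out twice, or signed in by someone who did not hold it."""


def _digest(entry):
    """SHA-256 over the entry with its own 'hash' field left out."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class CustodyLog:
    def __init__(self, case_name):
        self.case = case_name            # e.g. the post's "2007 02 Hotmail Complaint"
        self.entries = []
        self.holder = {}                 # exhibit -> person who currently has it out
        self.last_hash = hashlib.sha256(case_name.encode()).hexdigest()

    def _record(self, action, exhibit, person, note, when):
        entry = {"case": self.case, "when": when or time.strftime("%Y-%m-%d %H:%M"),
                 "action": action, "exhibit": exhibit, "person": person,
                 "note": note, "prev": self.last_hash}
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        self.last_hash = entry["hash"]
        return entry

    def sign_out(self, exhibit, person, note="", when=None):
        if exhibit in self.holder:
            raise CustodyError(f"{exhibit} is already out with {self.holder[exhibit]}")
        self.holder[exhibit] = person
        return self._record("out", exhibit, person, note, when)

    def sign_in(self, exhibit, person, note="", when=None):
        if self.holder.get(exhibit) != person:
            raise CustodyError(f"{exhibit} is not signed out to {person}")
        del self.holder[exhibit]
        return self._record("in", exhibit, person, note, when)

    def whereabouts(self, exhibit):
        """Who has it now, or 'evidence store' if it is locked away."""
        return self.holder.get(exhibit, "evidence store")

    def verify(self):
        """Recompute the chain; False if any entry was altered, removed or reordered."""
        prev = hashlib.sha256(self.case.encode()).hexdigest()
        for e in self.entries:
            if e["prev"] != prev or _digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def day_sheet(self, next_steps):
        """Text to print, sign and date at the end of the day, then file as evidence."""
        lines = [f"Case: {self.case}"]
        for e in self.entries:
            lines.append(f"{e['when']}  {e['action']:<3} {e['exhibit']}  {e['person']}  "
                         f"{e['note']}  [{e['hash'][:12]}]")
        lines += [f"Next steps: {next_steps}", f"Chain hash: {self.last_hash}",
                  "Signed: ______________  Date: ______________"]
        return "\n".join(lines)


if __name__ == "__main__":
    # Constructed walk-through of one day on the case named in the post.
    log = CustodyLog("2007 02 Hotmail Complaint")
    log.sign_out("Exhibit B", "A. Investigator", "mounted read-only in USB housing")
    log.sign_in("Exhibit B", "A. Investigator", "returned to store")
    print(log.day_sheet("look at the IE cache, then SecEvent.Evt"))
```

The day sheet's "Chain hash" line is the value to copy onto the signed paper copy; if the stored file is later edited, verify() fails and the printed hash no longer matches the file.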

Read Only.reg

Create a file called readonly.reg using notepad. Save it on your desktop. The file contains just these lines:

Windows Registry Editor Version 5.00

Double click on the file and confirm you do want to load the settings. Then test on a scratch USB stick -- you should see a "Write Protect" warning come up when you try and save something. To get back to read/write you need another file with that last dword set to 00000000.

Read Event Log Files

The log files you want will be in d:\windows\system32\config\ assuming d: is where your disk is. Sometimes you can load the .evt files from the subject disk into the log viewer. I find that it always says they're corrupt though.

So I use Activestate Perl, add the Parse::EventLog module and a few lines of code to list them out into an easy text format. Here's the code -- you'll want to tweak it.

use strict;
use warnings;
use Parse::EventLog;

my $elogfn = 'd:\\windows\\system32\\config\\SecEvent.Evt';
print "Loading Event log: $elogfn ..";
my $elog = Parse::EventLog->new($elogfn);
print "..loaded\n";

# Event IDs to drop from the listing -- tweak to taste.
my @noise = (560, 576, 515, 600);

# One line per event: "<local time>: <event id> <string1|string2|...>"
sub show_event {
    my %c = @_;
    my $str = '';
    if ($c{Strings}) {
        $str = join('|', @{$c{Strings}});
        $str =~ s/\t/\\t/g;   # keep each event on one line
        $str =~ s/  / /g;     # squeeze double spaces
    }
    my $evt  = $c{EventID};
    my $time = localtime($c{TimeGenerated});
    my $msg  = "$time: $evt <$str>\n";
    print $msg unless grep { $_ == $evt } @noise;
}

# getOldestEvent() positions the cursor and hands back the first record,
# so list that one too rather than only the ones getNextEvent() returns.
my %c = $elog->getOldestEvent();
show_event(%c) if %c;
while (%c = $elog->getNextEvent()) {
    show_event(%c);
}

The good bit here is that this will work from a Linux machine just as well as Windows.
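The Perl leans on Parse::EventLog to do the actual reading. What follows is an added example, not code from the post or from Parse::EventLog: a minimal pure-Python reader for the classic .evt layout (the 48-byte ELF_LOGFILE_HEADER, the 56-byte EVENTLOGRECORD fixed part, and the UTF-16 source, computer and insertion strings that follow it), producing the same "time: id <strings>" lines with the same four noise IDs dropped. It builds a three-record Security log in memory so it runs offline; the record contents are constructed. The reader walks the file linearly from header to EOF record, so unlike Parse::EventLog it does not handle a circular log whose last record wraps round to the start, and it prints times in UTC where the Perl uses localtime so the output is reproducible.

```python
"""Minimal reader for classic Windows NT .evt files (added example, not the post's code)."""
import struct
import time

ELF_HEADER_SIZE = 0x30              # ELF_LOGFILE_HEADER is 48 bytes
LFLE = 0x654C664C                   # the bytes 'LfLe' read as a little-endian DWORD
REC = struct.Struct("<IIIIIIHHHHIIIIII")   # EVENTLOGRECORD fixed part (winnt.h), 56 bytes
NOISE_IDS = {560, 576, 515, 600}    # same event IDs the Perl script leaves out


def _wstr(buf, off):
    """Read a NUL-terminated UTF-16LE string at off; return (text, offset past the NUL)."""
    end = off
    while end + 2 <= len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[off:end].decode("utf-16-le"), end + 2


def parse_evt(data):
    """Yield one dict per record in an .evt image, in file order (oldest first)."""
    if data[4:8] != b"LfLe":
        raise ValueError("not an NT event log: LfLe signature missing")
    off = ELF_HEADER_SIZE
    while off + REC.size <= len(data):
        (length, sig, recnum, t_gen, t_written, event_id, etype, nstrings,
         category, _flags, _closing, str_off, _sid_len, _sid_off,
         _data_len, _data_off) = REC.unpack_from(data, off)
        if sig != LFLE or length < REC.size + 4:
            break                   # EOF record (0x28, 0x11111111, ...) or slack space
        rec = data[off:off + length]
        source, p = _wstr(rec, REC.size)
        computer, _ = _wstr(rec, p)
        strings, p = [], str_off
        for _ in range(nstrings):
            s, p = _wstr(rec, p)
            strings.append(s)
        yield {"RecordNumber": recnum, "TimeGenerated": t_gen, "TimeWritten": t_written,
               "EventID": event_id & 0xFFFF,   # low word is the number Event Viewer shows
               "EventType": etype, "Category": category, "Source": source,
               "Computer": computer, "Strings": strings}
        off += length


def format_events(data, skip=NOISE_IDS):
    """Same shape as the Perl output: 'time: id <s1|s2|...>' with noise IDs dropped."""
    out = []
    for e in parse_evt(data):
        if e["EventID"] in skip:
            continue
        s = "|".join(e["Strings"]).replace("\t", "\\t").replace("  ", " ")
        ts = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(e["TimeGenerated"]))
        out.append(f"{ts}: {e['EventID']} <{s}>")
    return out


# --- constructed sample log so the example runs without a real SecEvent.Evt ---

def build_record(recnum, t_gen, event_id, source, computer, strings, etype=8):
    """Serialise one EVENTLOGRECORD (etype 8 = AUDIT_SUCCESS, 16 = AUDIT_FAILURE)."""
    body = bytearray()
    for s in (source, computer):
        body += s.encode("utf-16-le") + b"\x00\x00"
    str_off = REC.size + len(body)
    for s in strings:
        body += s.encode("utf-16-le") + b"\x00\x00"
    data_off = REC.size + len(body)
    while len(body) % 4:                # records are DWORD aligned
        body += b"\x00"
    length = REC.size + len(body) + 4   # +4 for the trailing copy of Length
    head = REC.pack(length, LFLE, recnum, t_gen, t_gen, event_id, etype, len(strings),
                    0, 0, 0, str_off, 0, str_off, 0, data_off)
    return head + bytes(body) + struct.pack("<I", length)


def build_evt(records):
    """Wrap records in an ELF_LOGFILE_HEADER and an ELF_EOF_RECORD."""
    body = b"".join(records)
    end = ELF_HEADER_SIZE + len(body)
    header = struct.pack("<12I", ELF_HEADER_SIZE, LFLE, 1, 1, ELF_HEADER_SIZE, end,
                         len(records) + 1, 1, 0x10000, 0, 0, ELF_HEADER_SIZE)
    eof = struct.pack("<10I", 0x28, 0x11111111, 0x22222222, 0x33333333, 0x44444444,
                      ELF_HEADER_SIZE, end, len(records) + 1, 1, 0x28)
    return header + body + eof


# Constructed records; 528/529/560 are classic Security log event IDs.
SAMPLE_EVT = build_evt([
    build_record(1, 1170000000, 528, "Security", "WS01", ["jdoe", "WS01", "(0x0,0x3E7)", "2"]),
    build_record(2, 1170000060, 560, "Security", "WS01", ["Security", "File", "C:\\secret.txt"]),
    build_record(3, 1170000120, 529, "Security", "WS01", ["baduser", "WS01", "2"], etype=16),
])

if __name__ == "__main__":
    for line in format_events(SAMPLE_EVT):
        print(line)
```

To list a real log, read d:\windows\system32\config\SecEvent.Evt with open(path, "rb") and pass the bytes to parse_evt() or format_events(); nothing here opens the evidence disk for writing.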

Read Registry and SAM files

The most amazing thing I've learnt recently is that the SAM is in the same format as a registry hive. This means you can use this tool to print out the system registry and the SAM (from d:\windows\system32\config\) as well as the user registry from ntuser.dat in the appropriate profile.

You should also be able to use Parse::Win32Registry though I haven't done that. It would work from Linux, too. There's scope for a useful script here, as the SAM is in a desperately unhelpful format.


Investigate That!

When you have to investigate a PC, there's the ideal approach, and the actual approach.

The ideal approach calls in a firm of investigators -- I use Kroll Ontrack as the successors to Vogon. They send in an engineer to take forensically sound images, and retain them on their systems until they can schedule an investigation to answer some of the basic questions. Two weeks to get there, and then further rounds of questions and answers ending in a report. Meanwhile you have managers wanting answers.

So there's the actual, otherwise known as DIY. Everyone does this sometimes, so here are a few pointers to protect your arse.

1) Give Babylon Her Due.

If this is one of the cases where the police need to be called, then you must do that. You can't be ordered to conceal it by your boss -- your duty as a subject trumps your duty as an employee. Definitely talk it over with a sane advisor who's familiar with the situation, but if it's ugly then you have to give the cops the option. Don't go mental about this: for certain spyware breaches the Computer Misuse Act, but what are the chances of some random piece of spyware originating from someone subject to the Act?

2) Get it Cleared.

You need a pretty explicit memo from your source of arse covering (your boss, HR) saying that the answers are wanted tomorrow, there is definitely no intention to rely on your investigation in any sworn proceedings, and that your advice to go the ideal route is not wanted or not practical in this case.

3) Take Care Anyway.

When you're half way into a DIY investigation and you realise that you are going to have to complain about the behaviour of an employee, or call the police, you do not want a sinking feeling that you've trampled on the only copy of the evidence. The next post has basic tips for getting the data you need without booting the evidence disk or writing to it.

4) Keep it Locked Up.

One of the best reasons for working on images is that the record keeping to prove evidence is easy: you can keep the original locked away for long periods. If you're actually working on it, you have to sign it in and out, secure it when you leave your desk... No fun, and not impressive when you have to swear a long chain of ins and outs, but better than no records kept at all.


Busy Weekend

OK. I finished pollarding the old willows by the pond. The take from that is going to be a lot of crappy firewood and a lot of waste, unless I can make faggots. The sanest use for the land we have would be to grow enough willow or poplar to fire a woodchip boiler -- as we burn oil at the moment that's twelve or sixteen hundred savings from something that currently yields nothing.

The big winds last week blew out some of my dodgier hedgelaying, so I've put that back. And I've planted another twenty-five hazels on a rather tight spacing. When they're established I'm putting in ash behind them with a view to eventual firewood coppice.

And I put in seventy-five hornbeams for Mrs U's garden.

Just one magic point: if you've struggled as I have to put bare-root trees into heavy clay you need this spade or one like it. If you want to let the plants in down the back of the spade in the traditional way, and you're strong enough to open up the slits in the soil, the metal shaft means you can push as hard as you need without breaking the handle off, and if you do decide to dig a trench, it needn't be a wide one. You'll need metal reinforced boots to use it though -- and be prepared to jump on it to get it into clay.



Just to note that Mrs U. got her chickens at last -- on the same day that this hit the news. Every day, I expect to come home and find she's been tarred and feathered by the neighbours.