Prepare the installation of Ruby Version Manager (RVM):

sudo apt-get install curl
cd "$(mktemp -d)"   # private scratch directory; a fixed name such as /tmp/rvm can be pre-created or replaced by any other local user

Install RVM:

# Import the mpapis public key (might need `gpg2` and/or `sudo`). The HKP lookup is
# unauthenticated, so after the import compare the key's fingerprint (gpg --fingerprint)
# with the one published on rvm.io. The keys.gnupg.net pool is no longer maintained;
# RVM also serves the key directly at https://rvm.io/mpapis.asc.

gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3

# Download the installer

wget https://raw.githubusercontent.com/rvm/rvm/master/binscripts/rvm-installer
wget https://raw.githubusercontent.com/rvm/rvm/master/binscripts/rvm-installer.asc

# Verify the installer against its detached signature (might need `gpg2`). Name both
# files explicitly. Exit status 0 only means "a good signature by some key in your
# keyring", so confirm that the key gpg reports is the mpapis key imported above, and
# only if it is...

gpg --verify rvm-installer.asc rvm-installer

# Run the installer

bash rvm-installer stable
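The download, verify and run steps above as one script, added here as an example; it is not part of the original post or of RVM. It assumes gpg and wget are installed and that the mpapis key was imported as shown, and it pins the fingerprint given above. What it adds over the plain commands: gpg --verify exits 0 for a good signature by any key in the keyring, so the script reads gpg's machine-readable status output and accepts only a VALIDSIG made by the pinned key.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post: fetch the RVM installer and its
# detached signature and run it only if the signature was made by the pinned key.
# Assumes gpg (or gpg2 invoked as "gpg") and wget, and that the key was imported.
set -eu

# Fingerprint of the mpapis key, taken from the post. We pin the full fingerprint,
# not a short key ID; short IDs are cheap to collide.
EXPECTED_FPR="409B6B1796C275462A1703113804BB82D39DC0E3"

# Inspect gpg's --status-fd output instead of trusting the exit code alone.
# Accept only a VALIDSIG line that carries the expected fingerprint, either as
# the signing key (first field) or as the primary key (last field, which gpg
# appends when a subkey made the signature).
status_has_validsig() {
  local status="$1" fpr="$2"
  printf '%s\n' "$status" | grep -Eq "^\[GNUPG:\] VALIDSIG (${fpr} |.* ${fpr}\$)"
}

# Fetch installer and signature, verify, and only then execute the installer.
verify_and_run_installer() {
  local status
  wget -q https://raw.githubusercontent.com/rvm/rvm/master/binscripts/rvm-installer
  wget -q https://raw.githubusercontent.com/rvm/rvm/master/binscripts/rvm-installer.asc
  # --status-fd 1 puts the status lines on stdout; the human-readable text stays on stderr.
  status="$(gpg --status-fd 1 --verify rvm-installer.asc rvm-installer 2>/dev/null)" || {
    echo "signature check failed; not running the installer" >&2
    return 1
  }
  status_has_validsig "$status" "$EXPECTED_FPR" || {
    echo "good signature, but not from the pinned key; not running the installer" >&2
    return 1
  }
  bash rvm-installer stable
}

# Network access and the install itself only happen when explicitly requested,
# so the check above can be exercised offline.
if [ "${1:-}" = "install" ]; then
  verify_and_run_installer
fi
```

Run it as `bash verify-rvm.sh install`. The same pattern applies to any "download a script and pipe it into bash" instruction: verify first, pin the key, and fail closed.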

Finish and test RVM installation:

source ~/.rvm/scripts/rvm
rvm list known

Install Ruby:

# before

ruby -v
which ruby
# install

rvm install 2.2
rvm use --default 2.2
# after

ruby -v
which ruby

Add to ~/.bash_profile:

export PATH="$PATH:$HOME/.rvm/bin" # Add RVM to PATH for scripting

[[ -s "$HOME/.rvm/scripts/rvm" ]] && source "$HOME/.rvm/scripts/rvm" # Load RVM into a shell session *as a function*

Install Jekyll 3 and some gems needed for this blog (gem install does not verify gem signatures by default, so at least fetch every gem over TLS):

gem install jekyll
gem install jekyll-paginate jekyll-sitemap
gem install octopress -v 3.0.12.pre.1
gem install octopress-deploy octopress-hooks octopress-escape-code
gem install coderay pygments redcarpet titlecase
gem install sass -v 3.4.5
gem install glynn --source https://rubygems.org   # gemcutter.org is the old name of rubygems.org; a plain-http source lets anyone on the path replace the gem

cd to Jekyll project and build:

jekyll build

I got a Lenovo ThinkPad W510 from 2010 with an empty HDD. Here I describe how I got Debian GNU/Linux (stable) to run on it. Since my last report from June 2014 about installing Debian Wheezy, some things have changed for the better.

Get files

Install Debian

  • boot W510 with USB flash memory
  • choose install
  • … get coffee… (and press ENTER a few times)

After first boot

SSH

Edit /etc/ssh/sshd_config and change PermitRootLogin yes to PermitRootLogin no, then restart sshd so the change takes effect. Root then has to log in as an ordinary user and use sudo; a guessed or leaked root password no longer gives a remote shell.
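One way to make that edit repeatable and safe to re-run, as an added example that is not from the original post: a shell function that removes every active or commented-out copy of a directive, writes the new one at the top of the file, and refuses files containing Match blocks, where the position of a directive changes its meaning. The validation helper only calls sshd -t. Assumed: OpenSSH's sshd, a POSIX awk and mktemp; the config path defaults to Debian's.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: set an sshd_config directive
# idempotently and check the result before sshd is restarted.
# Assumes OpenSSH sshd, POSIX awk and mktemp; path defaults to the Debian one.
set -eu

# Set KEY to VALUE in FILE. Every earlier copy of the directive, active or
# commented out ("#PermitRootLogin yes", "# PermitRootLogin yes"), is removed and
# a single "KEY VALUE" line is written at the top, where it cannot land inside a
# Match block. Files that already contain Match blocks are refused: a directive
# inside one applies only to matching connections, so edit those by hand.
# sshd keywords are case-insensitive, so the comparison is too.
set_sshd_option() {
  local key="$1" value="$2" file="${3:-/etc/ssh/sshd_config}" tmp
  if grep -Eiq '^[[:space:]]*match[[:space:]]' "$file"; then
    printf 'refusing: %s contains a Match block; place %s by hand\n' "$file" "$key" >&2
    return 1
  fi
  tmp="$(mktemp)"
  {
    printf '%s %s\n' "$key" "$value"
    awk -v key="$(printf '%s' "$key" | tr 'A-Z' 'a-z')" '
      {
        k = $1
        if (k == "#" && NF > 1) k = $2   # "# Keyword value"
        sub(/^#+/, "", k)                 # "#Keyword value"
        if (tolower(k) == key) next       # drop the old copy
        print
      }' "$file"
  } > "$tmp"
  cat "$tmp" > "$file"   # overwrite in place to keep the file's owner and mode
  rm -f "$tmp"
}

# Let sshd parse the file first; a non-zero exit means: do not restart, fix it.
validate_sshd_config() {
  sshd -t -f "${1:-/etc/ssh/sshd_config}"
}

# Typical use, as root:
#   set_sshd_option PermitRootLogin no && validate_sshd_config && service ssh restart
```

After the restart, confirm the value sshd actually uses with `sudo sshd -T | grep -i permitrootlogin`; sshd -T prints the effective configuration, which is what matters when several copies of a directive or an include got in the way.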

Fingerprint sensor

ThinkWIKI:

sudo apt-get install -y libpam-fprintd && fprintd-enroll

TrackPoint

ThinkWIKI: Middle key for scrolling

sudo apt-get install xinput
gedit ~/.xsessionrc
 # START TrackPoint
 # http://www.thinkwiki.org/wiki/How_to_configure_the_TrackPoint
 # try:  xinput list-props "TPPS/2 IBM TrackPoint"
 # To enable vertical scrolling
 xinput set-prop "TPPS/2 IBM TrackPoint" "Evdev Wheel Emulation" 1
 xinput set-prop "TPPS/2 IBM TrackPoint" "Evdev Wheel Emulation Button" 2
 xinput set-prop "TPPS/2 IBM TrackPoint" "Evdev Wheel Emulation Timeout" 200
 # To enable horizontal scrolling in addition to vertical scrolling
 xinput set-prop "TPPS/2 IBM TrackPoint" "Evdev Wheel Emulation Axes" 6 7 4 5
 #To enable middle button emulation (using left- and right-click simultaneously)
 #xinput set-prop "TPPS/2 IBM TrackPoint" "Evdev Middle Button Emulation" 1
 #xinput set-prop "TPPS/2 IBM TrackPoint" "Evdev Middle Button Timeout" 50
 # END TrackPoint

Graphics driver

sudo apt-get install -y nvidia-driver nvidia-xconfig
sudo nvidia-xconfig
sudo gedit /etc/X11/xorg.conf

Add to Section "Device"

 # Disables Nvidia logo
 Option         "NoLogo" "true"
 # Fix Large fonts
 Option          "DPI" "96 x 96"
 # Power saving setting for Nvidia drivers
 Option         "OnDemandVBlankInterrupts" "1"
 # Enables overclocking gui
 Option         "Coolbits" "1"
 # Enable brightness keys
 Option         "RegistryDwords" "EnableBrightnessControl=1"

Reboot:

sudo shutdown -r now

Change the boot console's resolution from 640x480 (I think), which gives huge letters and little information per screen, to something nicer. The native screen resolution 1920x1080 does not work:

Edit /etc/default/grub
  from #GRUB_GFXMODE=640x480
  to GRUB_GFXMODE=1280x800

Edit /etc/grub.d/00_header
  from set gfxmode=${GRUB_GFXMODE}
  to set gfxmode=${GRUB_GFXMODE}
    set gfxpayload=keep

(/etc/grub.d/00_header belongs to the grub-common package and is overwritten on upgrade; setting GRUB_GFXPAYLOAD_LINUX=keep in /etc/default/grub has the same effect and survives upgrades.)

Apply with

sudo update-grub

WWAN and GPS

This all does not really work well… :-(

Install the Qualcomm Gobi 2000 firmware as described at ThinkWiki:

Get Windows driver from Lenovo and install in Windows VM. Then copy files from Windows VM to host:

md5sum *
691a4da480076e239e8bfcfcd817d0de  amss.mbn
661249ddae2b63e2eaac93594a21e409  apps.mbn
cbae9a769f459b77910c2bbdf8a8c464  UQCN.mbn

sudo mkdir -p /lib/firmware/gobi
sudo cp *.mbn /lib/firmware/gobi/
sudo apt-get install gobi-loader
sudo shutdown -r now

PIN query

sudo adduser $(whoami) dialout
exec su -l $USER
echo "\$GPS_START" > /dev/ttyUSB2
gpscat /dev/ttyUSB2

By default ModemManager's polkit policy asks for the user's own password before it unlocks the modem (auth_self_keep), so the PIN dialog is followed by a second, password dialog. To drop that prompt, edit /usr/share/polkit-1/actions/org.freedesktop.ModemManager1.policy. Be aware of what the change grants: with allow_active set to yes, every active local session, not only your own, may unlock and control the modem without authenticating; and because the file belongs to the modemmanager package, the edit is lost on the next upgrade. A narrower override for a single user or group belongs in /etc/polkit-1/localauthority/50-local.d/ (polkit 0.105, as shipped in jessie).

Change auth_self_keep in

  <action id="org.freedesktop.ModemManager1.Device.Control">
    <description>Unlock and control a mobile broadband device</description>
    <description xml:lang="de">Ein mobiles Breitbandgerät entsperren und steuern</description>
    <description xml:lang="uk">Розблокувати пристрій мобільної широкосмугової мережі і керувати ним</description>
    <message>System policy prevents unlocking or controlling the mobile broadband device.</message>
    <message xml:lang="de">Die Systemrichtlinien verhindern das Entsperren oder Steuern des mobilen Breitbandgerätes.</message>
    <message xml:lang="uk">Правила системи забороняють розблокування і керування пристроями широкосмугових мобільних мереж.</message>
    <defaults>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_self_keep</allow_active>
    </defaults>
  </action>

to yes:

  <action id="org.freedesktop.ModemManager1.Device.Control">
    <description>Unlock and control a mobile broadband device</description>
    <description xml:lang="de">Ein mobiles Breitbandgerät entsperren und steuern</description>
    <description xml:lang="uk">Розблокувати пристрій мобільної широкосмугової мережі і керувати ним</description>
    <message>System policy prevents unlocking or controlling the mobile broadband device.</message>
    <message xml:lang="de">Die Systemrichtlinien verhindern das Entsperren oder Steuern des mobilen Breitbandgerätes.</message>
    <message xml:lang="uk">Правила системи забороняють розблокування і керування пристроями широкосмугових мобільних мереж.</message>
    <defaults>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
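The least-privilege alternative as an added example, not from the original post: a local authority file that grants the action to one account and leaves the packaged policy untouched. The user name is an assumption; substitute your own, or use a group such as unix-group:netdev, the group Debian's NetworkManager policy already uses for network control.

```ini
# /etc/polkit-1/localauthority/50-local.d/10-modem-control.pkla
# Added example, not from the post. "alice" is a placeholder account name.
[Let one user unlock and control the WWAN modem without a password prompt]
Identity=unix-user:alice
Action=org.freedesktop.ModemManager1.Device.Control
ResultActive=yes
```

ResultActive applies only to sessions on the local console; ResultInactive and ResultAny stay at the policy's defaults, so a remote or inactive session still has to authenticate. polkit reads the directory on each decision, so no restart is needed.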

Troubleshooting lost WWAN:

sudo rm /etc/NetworkManager/system-connections/1\&1\ Mobile\ Broadband && sudo service network-manager restart

…and click through creating a new connection.

Second SSD

… in a Serial Ultrabay Enhanced second Hard Disk Caddy

What is the UUID of the SSD?

sudo blkid

=> /dev/sdb1: UUID="12345678-9abc-def0-1234-56789abcdef0" TYPE="ext4" PARTUUID="abc123de-f0"

Create mount point

sudo mkdir /media/ultrabay

Automatic mount at boot

sudo gedit /etc/fstab
    # SSD in UltraBay
    UUID=12345678-9abc-def0-1234-56789abcdef0    /media/ultrabay    ext4    defaults    0    2
sudo mount -a

More about SSDs

I have two SSDs. The mount option noatime or relatime is recommended. Nothing to do here, as relatime is already the default:

$ cat /proc/mounts | grep /sd
/dev/sda1 / ext4 rw,relatime,errors=remount-ro,data=ordered 0 0
/dev/sdb1 /media/ultrabay ext4 rw,relatime,data=ordered 0 0

Weekly trim is recommended (e. g. c’t 3/2016 p. 97). Do we already have it enabled?

$ systemctl status fstrim.timer
● fstrim.timer
   Loaded: not-found (Reason: No such file or directory)
   Active: inactive (dead)

Nope. Can we enable it?

$ sudo systemctl enable fstrim.timer
Failed to execute operation: No such file or directory

Nope, but wiki.debian.org helps:

$ sudo cp /usr/share/doc/util-linux/examples/fstrim.{service,timer} /etc/systemd/system
$ sudo systemctl enable fstrim.timer
Created symlink from /etc/systemd/system/multi-user.target.wants/fstrim.timer to /etc/systemd/system/fstrim.timer.
$ systemctl status fstrim.timer
● fstrim.timer - Discard unused blocks once a week
   Loaded: loaded (/etc/systemd/system/fstrim.timer; enabled)
   Active: inactive (dead)
     Docs: man:fstrim

SanDisk SDXC card

Trying to mount an SDXC card (SanDisk Ultra 128GB) results in an error message mentioning the unknown filesystem type 'exfat':

Error mounting /dev/mmcblk0p1 at /media/xxx/6661-6131: Command-line `mount -t "exfat" -o "uhelper=udisks2,nodev,nosuid,uid=1000,gid=1000,iocharset=utf8,namecase=0,errors=remount-ro,umask=0077" "/dev/mmcblk0p1" "/media/xxx/6661-6131"' exited with non-zero exit status 32: mount: unknown filesystem type 'exfat'

Solution: the FUSE exFAT driver. exfat-fuse provides the mount helper (mount.exfat-fuse) that the error above is missing; exfat-utils adds mkfs, fsck and label tools:

sudo apt install exfat-fuse exfat-utils

Software

Enigmail

Troubleshoot with this hint from Enigmail Support:

… how to disable gnome keyring on Ubuntu-based systems. Type these two commands in a Terminal window:

sudo mv /etc/xdg/autostart/gnome-keyring-ssh.desktop /etc/xdg/autostart/gnome-keyring-ssh.desktop.disabled
sudo mv /etc/xdg/autostart/gnome-keyring-gpg.desktop /etc/xdg/autostart/gnome-keyring-gpg.desktop.disabled

Also, put the following line, use-agent, into your ~/.gnupg/gpg.conf. Afterwards log out and log in again.

Miscellaneous

sudo apt-get install keepassx rdesktop p7zip p7zip-rar iotop iftop lm-sensors
sudo apt-get install network-manager-vpnc network-manager-vpnc-gnome vpnc

Back in time (German article at heise)

sudo apt-get install backintime-gnome

R

add

deb https://cran.uni-muenster.de/bin/linux/debian jessie-cran3/

to /etc/apt/sources.list. Install apt-transport-https before the first update, otherwise apt cannot fetch an https source. Note that apt-key add makes the CRAN key trusted for every repository in sources.list, not just this one, so compare the fingerprint gpg shows for the key with the one CRAN publishes before adding it.

sudo apt-get install apt-transport-https
gpg --keyserver pgpkeys.mit.edu --recv-key 06F90DE5381BA480
gpg -a --export 06F90DE5381BA480 | sudo apt-key add -
sudo apt-get update
sudo apt-get install r-base r-base-dev libproj-dev libgdal-dev

Other

Some nice Gnome Extensions

Currently installed

Given a dimension element, we want the value of one of its attributes (Palo Excel add-in; the semicolons are the argument separator of a German-locale Excel):

=PALO.ENAME("Server/Database";"Dimension name";"Dimension element";0;;"Attribute name")

A simple demonstration shall show how effortless memory analysis can be when starting out with a Windows target.

There are numerous approaches to acquiring a Windows PC's memory. For RAM up to 4 GB, Inception [1] is a noteworthy hardware-based tool: it abuses DMA over PCI/PCIe, reachable through any interface that bridges to the PCI bus, such as FireWire or Thunderbolt, and so gets full read/write access to the lower 4 GB of the victim's RAM without any cooperation from the operating system. Volatility itself also supports acquisition and interrogation of memory over FireWire [2, p. 79].

The Volatility project lists 10 software-based acquisition tools [2, p. 79 et seqq.]. Most of them are commercial. We demonstrate how straightforward the process is using the freely available MoonSols DumpIt [3] on a Windows 7 computer.

DumpIt is a single executable that can be kept on a USB flash drive. Insert the drive into the target computer's USB port and run the executable; after the Windows 7 UAC prompt is confirmed, the program writes a raw memory dump to the flash drive next to itself.

DumpIt - v1.3.2.20110401 - One click memory memory dumper
Copyright (c) 2007 - 2011, Matthieu Suiche <http://www.msuiche.net>
Copyright (c) 2010 - 2011, MoonSols <http://www.moonsols.com>


Address space size:        2147418112 bytes (   2047 Mb)
Free space size:         171407523840 bytes ( 163466 Mb)

* Destination = \??\E:\WIN7-20141225-222255.raw

--> Are you sure you want to continue? [y/n] y
+ Processing... Success.

Volatility can analyze the data straightaway. Just by using this dump Volatility can determine the Windows version and propose the correct profile. The command python vol.py --info lists about 30 profiles for the different major versions of Windows.

$ python vol.py -f ~/tmp/WIN7-20141225-222255.raw imageinfo
Volatility Foundation Volatility Framework 2.4
Determining profile based on KDBG search...

          Suggested Profile(s) : Win7SP0x86, Win7SP1x86
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (/tmp/WIN7-20141225-222255.raw)
                      PAE type : PAE
                           DTB : 0x185000L
                          KDBG : 0x8296ec30
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0x8296fc00
             KUSER_SHARED_DATA : 0xffdf0000
           Image date and time : 2014-12-25 22:23:03 UTC+0000
     Image local date and time : 2014-12-25 23:23:03 +0100
$ python vol.py -f ~/tmp/WIN7-20141225-222255.raw --profile Win7SP1x86 pslist
Volatility Foundation Volatility Framework 2.4
Offset(V)  Name           PID  PPID Thds Hnds Sess Wow64 Start                        Exit
0x84a3c630 System            4    0   88  553   -1     0 2014-12-25 20:12:19 UTC+0000     
0x85ede380 smss.exe        288    4    2   29   -1     0 2014-12-25 20:12:19 UTC+0000     
0x865227a0 csrss.exe       368  360    9  432    0     0 2014-12-25 20:12:20 UTC+0000     
<snip>
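As an added example, not part of the original post, a first triage pass a practitioner would run over the pslist output above before looking at anything else: list every process whose parent PID does not appear in the PID column. That is what a parent that has exited, or one that pslist cannot see, looks like. It assumes the column layout shown above (Offset, Name, PID, PPID, ...) and works on the text Volatility printed, so it needs neither Volatility nor the image.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post: flag pslist rows whose PPID is
# not a listed PID. Assumes Volatility's pslist column order Offset Name PID PPID.
set -eu

# Sample input: the three pslist rows shown in the post.
SAMPLE_PSLIST='Volatility Foundation Volatility Framework 2.4
Offset(V)  Name           PID  PPID Thds Hnds Sess Wow64 Start                        Exit
0x84a3c630 System            4    0   88  553   -1     0 2014-12-25 20:12:19 UTC+0000
0x85ede380 smss.exe        288    4    2   29   -1     0 2014-12-25 20:12:19 UTC+0000
0x865227a0 csrss.exe       368  360    9  432    0     0 2014-12-25 20:12:20 UTC+0000'

# Read pslist text from stdin (or from the files given) and print one line per
# process whose PPID is missing from the PID column. PPID 0 is skipped: that is
# the Idle process, which pslist never lists, and the expected parent of System.
# Rows are kept in input order so the output is stable and diffable.
find_orphans() {
  awk '
    $1 ~ /^0x/ { n++; name[n] = $2; pid[n] = $3; ppid[n] = $4; seen[$3] = 1 }
    END {
      for (i = 1; i <= n; i++)
        if (ppid[i] + 0 != 0 && !(ppid[i] in seen))
          printf "%s pid=%s ppid=%s: parent not in list\n", name[i], pid[i], ppid[i]
    }' "$@"
}

if [ $# -eq 0 ]; then
  printf '%s\n' "$SAMPLE_PSLIST" | find_orphans   # demo on the embedded sample
else
  find_orphans "$@"                                # e.g. find_orphans pslist.txt
fi
```

On the sample this reports csrss.exe with parent 360. That particular hit is expected on Windows 7: csrss and wininit are started by a second smss.exe instance that exits once the session is set up. The check is a prompt to look closer (pstree for the tree, psscan for processes unlinked from the list), not a verdict; an orphan whose name or path is unusual is what deserves the attention.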

Though this demonstration was quite simple, it is important to note that several requirements had to be met:

  • physical access to the computer
  • access to the user interface (UI)
  • administrator privileges

The examiner requires at minimum physical access to the computer: a USB port, if a USB flash drive is used, and an input device, usually a keyboard and/or a mouse, to answer the UAC prompt and to start the program. The latter requires an unlocked screen and a logged-in user account with sufficient privileges.

In case the screen is locked with a password and/or privileges have to be escalated, the aforementioned tool Inception will be useful. For privilege escalation on many Windows systems the "NTLM reflection attack through WebDAV" can be leveraged. Google's security research team disclosed this vulnerability and a proof-of-concept exploit in March 2015 [4]. It is reported that Microsoft won't fix this issue.


[1] Carsten Maartmann-Moe. Inception, October 2011. URL http://www.breaknenter.org/projects/inception/. [Online; accessed 30 Dec. 2014].

[2] Michael Hale Ligh, Andrew Case, Jamie Levy, and AAron Walters. The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory. John Wiley & Sons, 2014.

[3] Matthieu Suiche. MoonSols DumpIt goes mainstream!, July 2011. URL http://www.moonsols.com/2011/07/18/moonsols-dumpit-goes-mainstream/. [Online; accessed 29 Dec. 2014].

[4] Google Security Research. Issue 222: Windows: Local WebDAV NTLM Reflection Elevation of Privilege, March 2015. URL https://code.google.com/p/google-security-research/issues/detail?id=222. [Online; accessed 27 Mar. 2015].


more to come…


This text is from my thesis "Practical Infeasibility of Android Smartphone Live Forensics. Applicability Constraints of LiME and Volatility."

Related publication: "Wächter, Philipp; Gruhn, Michael: Practicability Study of Android Volatile Memory Forensic Research. In: IEEE (organizer): Proceedings of the 7th IEEE International Workshop on Information Forensics and Security (WIFS) (Rome, Italy, 16.11.2015). 2015, pp. 1-6." (Slides)

How to move single Outlook emails to Thunderbird/Icedove? This solution works for me:

matijs.net: MSGConvert: A .MSG to mbox converter.