tag:blogger.com,1999:blog-78960913476686887042024-03-13T15:28:28.346-04:00Basement PC TechA blog dedicated to helping the basement PC Technician in all of us.Basement Techhttp://www.blogger.com/profile/05283073199414549321noreply@blogger.comBlogger18125tag:blogger.com,1999:blog-7896091347668688704.post-53923311157650554062014-12-17T15:26:00.000-05:002014-12-17T15:29:25.593-05:00How I Self Study for the CISSP<div class="MsoNormal">
Recently a friend asked me how I studied for the CISSP exam and I sent him the following. I thought I would share it with everyone else.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b>I self-studied for the CISSP and here is how I did it:</b></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
There are 10 domains in the CISSP that you need to study to be ready to pass the exam. (This is the domain list that was in effect when this was written, in December 2014; (ISC)² has since consolidated the exam into 8 domains, so check the current exam outline before you plan your schedule.)</div>
<div class="MsoNormal" style="margin-left: .25in;">
</div>
<ul>
<li>Access Control</li>
<li>Telecommunications and Network
Security</li>
<li>Information Security Governance
and Risk Management</li>
<li>Software Development Security</li>
<li>Cryptography</li>
<li>Security Architecture and Design</li>
<li>Operations Security</li>
<li>Business Continuity and Disaster
Recovery Planning</li>
<li>Legal, Regulations, Investigation
and Compliance</li>
<li>Physical (Environmental) Security</li>
</ul>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
I dedicated one week of book study to each domain except Cryptography, which is usually the domain most people have trouble with. I gave that domain two weeks, which brought the total book study to 11 weeks. Good thing we have DVRs now: you don’t have to miss any of your favorite TV shows while you are studying. You just watch them when you’re done LOL.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
After studying each domain I would then start taking practice tests that asked questions related to the domain I had just studied. Depending on the software/site you use to study, you may have the option of configuring the practice test to include questions from specific domains. I used the <a href="https://www.cccure.org/" target="_blank"><span style="color: blue;">CCCure.org</span></a> website, which let me build practice tests from the domains I selected. The key is not to forget the material you learned earlier, so make sure each practice test also includes questions from previously studied domains. I would turn the timer off on the practice test, leave the web page open all day at work, and answer questions in between work tasks.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
I also created my own flash cards from questions I wrote while doing my book study of each domain. Back then I actually used index cards, but now there are much better ways of making flash cards that you can use on your phone. One flash card program I highly recommend if you have an Android phone is <a href="https://play.google.com/store/apps/details?id=com.ichi2.anki" target="_blank"><span style="color: blue;">AnkiDroid Flashcards</span></a>. You can use your computer or phone to make flash cards with this program. I would normally create the flash cards on my computer and move the flash card file over to my phone.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b>Recommended Books</b>:</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<a href="http://www.amazon.com/gp/product/0071781749/ref=as_li_tl?ie=UTF8&camp=1789&creative=9325&creativeASIN=0071781749&linkCode=as2&tag=basecom0e-20&linkId=CKWGXJ5RN4DXD4UV" target="_blank"><span style="color: blue;">CISSP All-In-One Exam Guide [With CDROM]</span></a> by Shon Harris</div>
<ul>
<li>The bible of CISSP study. It goes into a lot of explanation, which is good for anyone who doesn’t know that domain.</li>
</ul>
<div class="MsoNormal">
<a href="http://www.amazon.com/gp/product/0072225785/ref=as_li_qf_sp_asin_il_tl?ie=UTF8&camp=1789&creative=9325&creativeASIN=0072225785&linkCode=as2&tag=basecom0e-20&linkId=7FJ7Y67TI6ET3ECR" target="_blank"><span style="color: blue;">Mike Meyers’ CISSP® Certification Passport</span></a> by Shon Harris</div>
<ul>
<li>This book was more to the point, without a lot of fluff.</li>
</ul>
<br />
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
I would read the Mike Meyers’ book for all the domains I was familiar with; if I didn’t understand something or needed more explanation, I would turn to the CISSP All-In-One Exam Guide.</div>
<div class="MsoNormal">
<br /></div>
<br />
<div class="MsoNormal">
While studying for the CISSP you have to get into a test-taking mode. You need to be consistently answering CISSP-related questions. I would recommend a minimum of one month after finishing your book study of doing nothing but practice tests. When you feel that you are getting the practice questions right a majority of the time, you may be ready to take the test.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
I hope this helps those out there who are thinking about self-studying for the CISSP.</div>
Basement Techhttp://www.blogger.com/profile/05283073199414549321noreply@blogger.com1tag:blogger.com,1999:blog-7896091347668688704.post-379843234966069172014-09-06T01:41:00.000-04:002014-09-06T01:41:18.143-04:00Online Security DashboardFound this list of <a href="http://www.techiehow.com/online-security-dashboard" target="_blank">online security dashboards</a><br />
<br />Basement Techhttp://www.blogger.com/profile/05283073199414549321noreply@blogger.com5tag:blogger.com,1999:blog-7896091347668688704.post-54672138263584882642014-08-23T11:43:00.000-04:002014-08-23T18:53:03.456-04:0050 Ways to Drive Massive Traffic to Your BlogWhen I first started my blog I found and bookmarked an excellent blog posting by Cassie Boorn on July 11, 2012 on how to drive massive traffic to your blog. I notice that Cassie Boorn website "www.askaprgirl.com" was no longer on line. I thought her article on driving traffic to your blog had some good ideas and was something that should still be shared with the world so I decided to repost her blog article (with the help of Archive.org) for other to read, use and share. <br />
<br />
<br />
<div style="background-color: white; color: #111111; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 21.993999481201172px; margin: 0px; padding: 0px;">
Here are 50 ways you can drive massive traffic to your blog and links showing you how to do it.</div>
<div style="background-color: white; color: #111111; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 21.993999481201172px; margin: 0px; padding: 0px;">
<br /></div>
<div style="background-color: white; color: #111111; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 21.993999481201172px; margin: 0px; padding: 0px;">
</div>
<div style="background-color: white; color: #111111; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 21.993999481201172px; margin: 0px; padding: 0px;">
<a href="https://web.archive.org/web/20120715022750/http://askaprgirl.com/wp-content/uploads/2012/07/5-Great-Traffic-Sources-For-Your-Website.jpg" style="color: #2361a1; margin: 0px; padding: 0px;"><img alt="" class="wp-image-169 aligncenter" height="210" src="https://web.archive.org/web/20120715022750im_/http://askaprgirl.com/wp-content/uploads/2012/07/5-Great-Traffic-Sources-For-Your-Website.jpg" style="border: none; clear: both; display: block; float: none; margin: 0px auto 1.571em; padding: 0px;" title="5-Great-Traffic-Sources-For-Your-Website" width="420" /></a></div>
<div style="background-color: white; color: #111111; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 21.993999481201172px; margin: 0px; padding: 0px;">
1.Profile other bloggers</div>
<div style="background-color: white; color: #111111; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 21.993999481201172px; margin: 0px; padding: 0px;">
2.Interview experts on your topic</div>
<div style="background-color: white; color: #111111; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 21.993999481201172px; margin: 0px; padding: 0px;">
3. Get published in a magazine. <a href="http://goinswriter.com/how-to-get-published-in-a-magazine/" style="color: #2361a1; margin: 0px; padding: 0px;">Here is how. </a></div>
<div style="background-color: white; color: #111111; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 21.993999481201172px; margin: 0px; padding: 0px;">
4.<a href="http://blog.penelopetrunk.com/2006/12/20/how-to-get-your-blog-or-yourself-mentioned-in-print-media/" style="color: #2361a1; margin: 0px; padding: 0px;">Pitch media and offer yourself as an expert</a></div>
<div style="background-color: white; color: #111111; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 21.993999481201172px; margin: 0px; padding: 0px;">
5.Have a virtual “grand opening” celebration</div>
<div style="background-color: white; color: #111111; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 21.993999481201172px; margin: 0px; padding: 0px;">
6.Start an award</div>
<div style="background-color: white; color: #111111; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 21.993999481201172px; margin: 0px; padding: 0px;">
7.<a href="http://www.copyblogger.com/blog-comment-traffic/" style="color: #2361a1; margin: 0px; padding: 0px;">Comment on blogs in your niche</a></div>
<div style="background-color: white; color: #111111; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 21.993999481201172px; margin: 0px; padding: 0px;">
8.Join <a href="http://www.webpronews.com/linkedin-traffic-2011-05" style="color: #2361a1; margin: 0px; padding: 0px;">Facebook and LinkedIn groups</a></div>
<div style="background-color: white; color: #111111; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 21.993999481201172px; margin: 0px; padding: 0px;">
9.Launch a Facebook or LinkedIn group</div>
<div style="background-color: white; color: #111111; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 21.993999481201172px; margin: 0px; padding: 0px;">
10.Create “link love” roundups</div>
<div style="background-color: white; color: #111111; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 21.993999481201172px; margin: 0px; padding: 0px;">
11.Add <a href="http://wordpress.org/extend/plugins/sharebar/" style="color: #2361a1; margin: 0px; padding: 0px;">“Share bar” to your blog</a></div>
<div style="background-color: white; color: #111111; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 21.993999481201172px; margin: 0px; padding: 0px;">
12.Add <a href="https://web.archive.org/web/20120715022750/http://wordpress.org/extend/plugins/tweetherder/" style="color: #2361a1; margin: 0px; padding: 0px;">“tweetables” in your blog posts with TweetHerder</a></div>
<div style="background-color: white; color: #111111; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 21.993999481201172px; margin: 0px; padding: 0px;">
13.Comment on a hot topic</div>
<div style="background-color: white; color: #111111; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 21.993999481201172px; margin: 0px; padding: 0px;">
14.<a href="http://blog.hubspot.com/blog/tabid/6307/bid/31501/Why-Every-Business-Blog-Needs-Evergreen-Content.aspx" style="color: #2361a1; margin: 0px; padding: 0px;">Create evergreen blog posts </a></div>
<div style="background-color: white; color: #111111; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 21.993999481201172px; margin: 0px; padding: 0px;">
15.Share <a href="http://www.blogmarketingacademy.com/social-media-drive-traffic/" style="color: #2361a1; margin: 0px; padding: 0px;">your posts on Twitter & Facebook</a></div>
<div style="background-color: white; color: #111111; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 21.993999481201172px; margin: 0px; padding: 0px;">
16.Share <a href="http://www.sumonbdinfo.com/stumbleupon-is-good-for-drive-traffic" style="color: #2361a1; margin: 0px; padding: 0px;">your posts on Stumble Upon</a></div>
<div style="background-color: white; color: #111111; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 21.993999481201172px; margin: 0px; padding: 0px;">
17.Turn blog posts into PDF’s to share on <a href="https://web.archive.org/web/20120715022750/http://www.scribd.com/" style="color: #2361a1; margin: 0px; padding: 0px;">Scribd</a></div>
<div style="background-color: white; color: #111111; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 21.993999481201172px; margin: 0px; padding: 0px;">
18.<a href="http://www.marketingprofs.com/short-articles/2531/should-you-host-your-blog-on-site-or-off-site" style="color: #2361a1; margin: 0px; padding: 0px;">Syndicate your articles on sites like Ezine Articles</a></div>
<div style="background-color: white; color: #111111; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 21.993999481201172px; margin: 0px; padding: 0px;">
19<a href="https://web.archive.org/web/20120715022750/http://foundertips.com/traffic/free-ebook-boost-traffic-sales/" style="color: #2361a1; margin: 0px; padding: 0px;">.Create a free e-book</a></div>
<div style="background-color: white; color: #111111; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 21.993999481201172px; margin: 0px; padding: 0px;">
20<a href="http://www.copyblogger.com/10-sure-fire-headline-formulas-that-work/" style="color: #2361a1; margin: 0px; padding: 0px;">.Use attention grabbing headlines</a></div>
<div style="background-color: white; color: #111111; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 21.993999481201172px; margin: 0px; padding: 0px;">
21.Hold a contest</div>
<div style="background-color: white; color: #111111; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 21.993999481201172px; margin: 0px; padding: 0px;">
22.<a href="http://heartifb.com/2012/06/26/7-reasons-list-posts-drive-traffic-to-your-blog/" style="color: #2361a1; margin: 0px; padding: 0px;">Write list posts</a></div>
<div style="background-color: white; color: #111111; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 21.993999481201172px; margin: 0px; padding: 0px;">
23.Post regularly</div>
<div style="background-color: white; color: #111111; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 21.993999481201172px; margin: 0px; padding: 0px;">
24.<a href="http://www.momcomm.com/2011/06/if-that%E2%80%99s-your-business-card-i-can%E2%80%99t-wait-to-see-your-blog/" style="color: #2361a1; margin: 0px; padding: 0px;">Get creative business cards</a></div>
<div style="background-color: white; color: #111111; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 21.993999481201172px; margin: 0px; padding: 0px;">
25.<a href="https://web.archive.org/web/20120715022750/http://www.bloggersentral.com/2010/04/submit-siteblog-to-google-yahoo-and.html" style="color: #2361a1; margin: 0px; padding: 0px;">Submit your blog to search engines</a></div>
<div style="background-color: white; color: #111111; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 21.993999481201172px; margin: 0px; padding: 0px;">
<div style="margin: 0px; padding: 0px;">
26.<a href="http://www.seomoz.org/beginners-guide-to-seo" style="color: #2361a1; margin: 0px; padding: 0px;">Optimize for SEO</a></div>
<div style="margin: 0px; padding: 0px;">
27.<a href="https://web.archive.org/web/20120715022750/http://http/blogs.babble.com/momcrunch/2012/05/25/publishing-your-blog-to-kindle/" style="color: #2361a1; margin: 0px; padding: 0px;">Publish your posts to Kindle</a></div>
<div style="margin: 0px; padding: 0px;">
28.Turn your blog into a podcast with <a href="http://www.odiogo.com/" style="color: #2361a1; margin: 0px; padding: 0px;">Odiogo</a></div>
<div style="margin: 0px; padding: 0px;">
29. <a href="http://www.quora.com/How-would-one-best-use-Quora-to-drive-traffic-to-their-website" style="color: #2361a1; margin: 0px; padding: 0px;">Answer questions related to your niche on Quora</a></div>
<div style="margin: 0px; padding: 0px;">
30. Turn your posts into video using <a href="https://web.archive.org/web/20120715022750/http://animoto.com/" style="color: #2361a1; margin: 0px; padding: 0px;">Animoto</a></div>
<div style="margin: 0px; padding: 0px;">
31. <a href="http://wordpress.org/support/topic/plugin-for-you-may-also-like" style="color: #2361a1; margin: 0px; padding: 0px;">Add the “other posts you might be interested in” app to your blog</a></div>
<div style="margin: 0px; padding: 0px;">
32. <a href="https://web.archive.org/web/20120715022750/http://blog.hubspot.com/blog/tabid/6307/bid/31054/10-Clever-Ways-Your-Email-Signature-Can-Support-Your-Marketing.aspx" style="color: #2361a1; margin: 0px; padding: 0px;">Add your URL to your email signature</a></div>
<div style="margin: 0px; padding: 0px;">
33. Host a local event</div>
<div style="margin: 0px; padding: 0px;">
34. Start an advice column</div>
<div style="margin: 0px; padding: 0px;">
35.<a href="http://searchenginewatch.com/article/2166510/4-SEO-Recommendations-to-Target-the-Long-Tail" style="color: #2361a1; margin: 0px; padding: 0px;">Target long-tail keywords with low competition to rank in them</a></div>
<div style="margin: 0px; padding: 0px;">
36.Advertise on other blogs in your niche</div>
<div style="margin: 0px; padding: 0px;">
37.Link to other bloggers</div>
<div style="margin: 0px; padding: 0px;">
38.Host a webinar</div>
<div style="margin: 0px; padding: 0px;">
39.Launch a video series</div>
<div style="margin: 0px; padding: 0px;">
40.<a href="http://www.squidoo.com/how-to-make-money-with-squidoo" style="color: #2361a1; margin: 0px; padding: 0px;">Create a Squidoo lense </a></div>
<div style="margin: 0px; padding: 0px;">
41.<a href="https://web.archive.org/web/20120715022750/http://www.inc.com/guides/201104/how-to-host-virtual-events.html" style="color: #2361a1; margin: 0px; padding: 0px;">Host a virtual conference</a></div>
<div style="margin: 0px; padding: 0px;">
42.Write an editorial for your local newspaper</div>
<div style="margin: 0px; padding: 0px;">
43.Write an industry report on a hot topic</div>
<div style="margin: 0px; padding: 0px;">
44.Create a useful tool (checklist, planner, etc.) as a thank you to new subscribers.</div>
<div style="margin: 0px; padding: 0px;">
45.<a href="http://www.socialmediaexaminer.com/pinterest-blog-traffic/" style="color: #2361a1; margin: 0px; padding: 0px;">Use interesting images and share your post on Pinterest</a></div>
<div style="margin: 0px; padding: 0px;">
46.<a href="https://web.archive.org/web/20120715022750/http://www.jeffbullas.com/2012/03/07/9-awesome-reasons-to-use-infographics-in-your-content-marketing/" style="color: #2361a1; margin: 0px; padding: 0px;">Create an infographic</a></div>
<div style="margin: 0px; padding: 0px;">
47.<a href="http://www.problogger.net/archives/2012/05/29/5-fantastic-reasons-you-should-attend-a-blogging-conference/" style="color: #2361a1; margin: 0px; padding: 0px;">Attend an event</a></div>
<div style="margin: 0px; padding: 0px;">
48.Publish a list of the top bloggers in your niche</div>
<div style="margin: 0px; padding: 0px;">
49.<a href="http://www.blogtipsntricks.com/2011/04/20-blog-directories-sites-to-submit.html" style="color: #2361a1; margin: 0px; padding: 0px;">Submit your blog to directories </a></div>
<div style="margin: 0px; padding: 0px;">
50.<a href="http://www.blogworld.com/2012/07/11/the-art-of-constructive-controversy-on-your-blog/" style="color: #2361a1; margin: 0px; padding: 0px;">Write something controversial</a></div>
<div>
<br /></div>
<div style="margin: 0px; padding: 0px;">
</div>
</div>
Basement Techhttp://www.blogger.com/profile/05283073199414549321noreply@blogger.com8tag:blogger.com,1999:blog-7896091347668688704.post-41242546446470238912012-11-24T02:00:00.000-05:002013-03-01T06:32:39.776-05:00Installing PFSense on WatchGuard X700<div>
For years I have been running PFSense as my main firewall at home, and the equipment I was using was not what you would call “state of the art”. I have been using an old IBM Pentium 4 tower which I never upgraded because:</div>
<div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt; text-indent: 36pt;">
1) it was working, and I’m a strong advocate of the old saying “If it’s not broke, don’t fix it”</div>
<div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt; text-indent: 36pt;">
2) the system allowed me to have 4 NICs installed</div>
<div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt; text-indent: 36pt;">
3) the money I could have used to upgrade the system was better spent elsewhere (like on my other systems)</div>
<div>
<br /></div>
<div>
The PFSense system that I had run for years was starting to meet its end. The hardware started to fail and the system would randomly reboot throughout the day, which made accessing the Internet challenging, so I guess it was time for me to invest in a new system. Originally I thought I would replace my old system with one of those fanless embedded PFSense devices that start at $199 with only two NICs, until a friend at work hipped me to using a WatchGuard appliance that could be bought on eBay for anywhere from $25 to $80 with 8+ network connections. HEY!!! -- I’m all about saving $$ like the next guy, so I found a WatchGuard X700 on eBay with the “Buy Now” option for $59 and free shipping, and placed the order for the new appliance that would replace my current PFSense system.</div>
<div>
<br /></div>
<div>
I decided to document the steps and any lessons learned from my experience of installing PFSense on my newly acquired WatchGuard appliance. I hope this experience may be helpful to someone else who is looking for an alternative to an old workstation or a fanless appliance.</div>
<b id="internal-source-marker_0.0041392522398382425" style="font-weight: normal;"><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><br /><b><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">Installing PFSense 2.0 on a WatchGuard x700 Appliance. </span></b><br /><br /><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">If you do a </span></b><span style="font-weight: normal;"><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">Google</span></span><b id="internal-source-marker_0.0041392522398382425" style="font-weight: normal;"><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> search of </span><a href="https://www.google.com/#hl=en&safe=off&tbo=d&sclient=psy-ab&q=pfsense+watchguard+x700&oq=pfsense+watch&gs_l=hp.1.1.0l4.671.5082.0.8339.17.11.2.4.5.1.192.1078.8j3.11.0.les%3B..0.0...1c.1.dvB6JfptXX0&pbx=1&bav=on.2,or.r_gc.r_pw.r_cp.r_qf.&fp=cea928a3cb2ac156&bpcl=38093640&biw=1440&bih=756"><span style="color: #1155cc; font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">PFSense and WatchGuard</span></a><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">, you will get thousand of hits related to the query. 
There are a few good sites out there that you can use when installing PFSense on a WatchGuard appliance such as the PFSense forums<b> </b></span></b><span style="font-weight: normal;"><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">and I</span></span><b id="internal-source-marker_0.0041392522398382425" style="font-weight: normal;"><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> must credit the URL at the bottom of this post for actually having the information <b>I </b>required to successfully install PFSense 2.0 on my WatchGuard x700 appliance. </span><br /><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"></span><br /><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">I guess it’s best to list the items you will need while installing PFSense to your WatchGuard appliance. There nothing like having to run to the store to buy something that is needed such as a larger CF Card while in the middle of your PFSense install project. Good thing Walmart is open 24 hours :)</span><br /><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"></span></b><br />
<b id="internal-source-marker_0.0041392522398382425" style="font-weight: normal;"></b><br />
<b></b><br />
<b><span style="font-weight: normal;"><b>Item List:</b></span></b><span style="font-weight: normal;"><br /></span><br />
<b id="internal-source-marker_0.0041392522398382425" style="font-weight: normal;"><br /><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">1. WatchGuard Appliance </span><br /><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">2. <a href="http://amzn.to/TpKB6R" target="_blank">CF Card Reader/Writer </a></span><br /><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">3. CF Memory Card 2 to 4 Gigs (recommend 4 GB)</span><br /><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">4. Serial Cable </span><br /><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">5. PFSense nano image (PFSense Site)</span><br /><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">6. Miscellaneous files to upgrade BIOS and post PFSense configuration (see below)</span><br /><br /><span style="font-family: Arial; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">Step 1 -- Remove the CF Card</span><br /><br /><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">To access the CF memory card, I had to take out the hard drive tray, which I was able to simply pull out of the appliance via the front hard drive access panel, and remove the screw from the cover. </span><br /><br /><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">Below is a picture of how the inside of my WatchGuard appliance looked after the cover was removed, and also the CF Memory Card. Sorry, it wasn’t until I was already into performing my upgrade that I decided to document my experience. In the picture I have highlighted where the CF Memory card would be located. I also pointed out the location of the screws to remove the hard drive tray for easier access to the CF memory card. There were four screws that I had to remove from the hard drive tray holder, two on each side. </span></b><br />
<b style="font-weight: normal;"><span style="font-family: Arial;"><span style="font-size: 15px; white-space: pre-wrap;"><br /></span></span></b>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-ZULDyI50qAI/ULBr4fzk1eI/AAAAAAAAANw/WQOB6RtwPbs/s1600/watchguard+700.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="300" src="http://3.bp.blogspot.com/-ZULDyI50qAI/ULBr4fzk1eI/AAAAAAAAANw/WQOB6RtwPbs/s400/watchguard+700.png" width="400" /></a></div>
<b style="font-weight: normal;"><span style="font-family: Arial;"><span style="font-size: 15px; white-space: pre-wrap;"><br /></span></span><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">After successfully removing the 64MB CF Card from the WatchGuard, I was able to </span><span style="font-family: Arial; font-size: 15px; font-style: italic; vertical-align: baseline; white-space: pre-wrap;">finally </span><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">use an accessory that I had bought years ago and hardly ever used....my Digital Concepts 51 in 1 card reader/writer :)</span></b><br />
<b style="font-weight: normal;"><span style="font-family: Arial;"><span style="font-size: 15px; white-space: pre-wrap;"><br /></span></span></b>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-AAwlbcQKGjk/ULDY_B_aG9I/AAAAAAAAAOA/TddTu1a6Aps/s1600/20121111_172416+(1).jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="http://3.bp.blogspot.com/-AAwlbcQKGjk/ULDY_B_aG9I/AAAAAAAAAOA/TddTu1a6Aps/s320/20121111_172416+(1).jpg" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b><span style="font-family: Arial; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;"><b style="font-weight: normal;"><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">If you don’t have one, don’t worry. You can pick one up fairly cheaply online.</span></b></span></b></div>
<b style="font-weight: normal;"><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span></b><br />
<br />
<b style="font-weight: normal;"><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">You don't need a 51-in-1 reader, just a 1-in-1 that will read and write to your CF Memory Card. </span></b><br />
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b><span style="font-family: Arial; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">Step 2 - Backup the WatchGuard Firebox CF Image (Optional)</span><br /><br /><i><span style="font-family: Arial; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">Note</span></i><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">: The next steps were all done using a Linux system. </span><br /><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">Just in case, for some strange reason, you want to go back to using the factory software that came with the firewall, you can back up the CF Memory card. After connecting the card reader to your computer and inserting the CF Memory Card into the reader, open a terminal window to identify the CF Card connection.</span><br /><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">Type: “</span><span style="font-family: Arial; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">sudo fdisk -l</span><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">” </span></b></div>
<div class="separator" style="clear: both; text-align: left;">
<b><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">This will list all drives connected to your system. Look for the disk that is the size of your CF Card. Mine was 64 MB, and the output of the fdisk command on my system is listed below:</span><br /><br /><span style="background-color: #cccccc;"><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">sudo fdisk -l </span><br /><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">Disk </span><span style="font-family: Arial; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">/dev/sdd</span><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">: 64 MB, 64225280 bytes</span><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">1 heads, 62 sectors/track, 2023 cylinders</span><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">Units = cylinders of 62 * 512 = 31744 bytes</span><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">Sector size (logical/physical): 512 bytes / 512 bytes</span><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">I/O size (minimum/optimal): 512 bytes / 512 bytes</span><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">Disk identifier: 0x00000000</span><br /><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">   Device Boot      Start         End      Blocks   Id  System</span><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;"><b>/dev/sdd1</b>              34         302        8320   83  Linux</span><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">Partition 1 does not end on cylinder boundary.</span><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;"><b>/dev/sdd2</b>             302        1128       25600   83  Linux</span><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">Partition 2 does not end on cylinder boundary.</span><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;"><b>/dev/sdd3</b>            1128        1954       25600   83  Linux</span><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">Partition 3 does not end on cylinder boundary.</span><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;"><b>/dev/sdd4</b>            1954        1987        1024   83  Linux</span><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">Partition 4 does not end on cylinder boundary.</span></span><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">According to the output of the fdisk command, the card was located at “</span><span style="font-family: Arial; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">/dev/sdd</span><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">”, which contained 4 partitions, listed as /dev/sdd1-4.</span><br /><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">Now that I have confirmed the device location of the CF memory card, “/dev/sdd”, I’m ready to make a backup of the card. Using the “dd” command I created a backup to a file.</span><br /><br /><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><i>Command Syntax:</i><span style="font-weight: normal;"> <span style="background-color: #d9d2e9;">sudo dd if=/disk device location of=/location and name to save backup image</span></span></span><br /><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;"><u>Command used</u>: <span style="background-color: #cccccc;">“</span></span><span style="background-color: #cccccc;"><span style="font-family: Arial; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">sudo dd if=/dev/sdd of=WatchGuardBackup.img</span><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">”</span></span><br /><br /><i><span style="font-family: Arial; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">Note</span></i><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">: of=WatchGuardBackup.img will save the backup image to a file called WatchGuardBackup.img in the current location of the terminal window. 
</span><br /><br /><span style="font-family: Arial; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">Step 3 - Flash the BIOS of the WatchGuard Appliance</span><br /><br /><i><span style="font-family: Arial; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">Note</span></i><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">: The next steps were all completed using a Linux system. </span><br /><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">The next step in getting PFSense to run on a WatchGuard appliance is to flash the BIOS to enable support for larger CF Memory Cards. The WatchGuard appliance currently will not boot from a CF card larger than 256MB; by flashing the BIOS with the X750EB6.BIN file, your WatchGuard appliance will be able to support CF Memory Cards larger than 256MB. </span><br /><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">1. Download the </span><a href="https://docs.google.com/open?id=0B1C3CxiOuH1daENGb3B4VnNZODg" style="font-weight: normal;"><span style="color: #1155cc; font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">FreeDOSBios.img</span></a><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;"> and </span><a href="https://docs.google.com/open?id=0B1C3CxiOuH1dNTBXMFV3dUVBQjg" style="font-weight: normal;"><span style="color: #1155cc; font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">X750EB2.BIN</span></a><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;"> BIOS image</span><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">2. Write the FreeDOSBios.img image to the CF Memory Card.</span><br /><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">Using the location identified in “Step 2 - Backup the WatchGuard Firebox CF Image”, I proceeded to write the FreeDOSBios.img to the CF Memory card. From the terminal window, I ran the following command:</span><br /><br /><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><i>Command Syntax:</i><span style="font-weight: normal;"> <span style="background-color: #ead1dc;">sudo dd if=/path to FreeDOSBios.img/ of=/disk device location/</span></span></span><br /><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;"><u>Command used</u>: <span style="background-color: #cccccc;">“</span></span><span style="background-color: #cccccc; font-family: Arial; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">sudo dd if=/Download/FreeDOSBios.img of=/dev/sdd</span><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="background-color: #cccccc;">”</span> </span><br /><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">3. After writing the FreeDOSBios.img to your CF Memory Card, mount the CF memory card and copy the X750EB2.BIN file to the bios folder on the CF Card. After the file has successfully been copied to the “bios” folder, you can unmount the CF Card and install it back into the WatchGuard Appliance. </span><br /><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">4. Connect your serial cable from your computer to the WatchGuard appliance. Once again, I get to use something that has been sitting in a box in my closet for years, my USB to Serial converter. With more than 10 computers in my household, not one besides my old IBM PFSense system has a serial port. I believe serial ports are a thing of the past. When I take my current PFSense system apart I have to make sure I save the serial card. I will place it in the box next to the 5 ¼ and 3 ½ disks I have. You never know when you may need some ancient technology in the future LOL. </span></b></div>
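The dd commands in Step 2 and Step 3, and the dmesg lookup for the serial adapter that comes next, all hinge on naming the right device: an of=/dev/sdX aimed at the wrong disk overwrites it with no prompt, and a short or silently failed write leaves a card that will not boot. The bash script below is an added example written for this post, not the author's own commands: it refuses to write to anything that is mounted or larger than a CF-card-sized device, records a SHA-256 of the backup, reads the written image back to verify it, and picks the ttyUSB device out of dmesg output. The function names, the 8 GiB size limit and the sample dmesg lines (copied from the excerpt later in this post) are assumptions for illustration; run it as root (sudo) when the target is a real block device, because blockdev needs it.

```shell
#!/usr/bin/env bash
# Added example for this post (not the author's commands): guard rails around
# the dd backup (Step 2), the dd write (Step 3) and the serial-device lookup.
# Function names, the 8 GiB size limit and the sample log lines are assumptions.

# Size in bytes of a block device or, for testing, a regular file.
target_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"      # needs root on a real device
    else
        stat -c %s "$1"
    fi
}

# Refuse anything that looks like a system disk or is in use. A CF card for
# this appliance is at most a few GB, so a target above MAX_BYTES (default
# 8 GiB, an assumption) is almost certainly the wrong /dev/sdX.
check_target() {
    local t=$1 max=${2:-$((8 * 1024 * 1024 * 1024))} size
    [ -e "$t" ] || { echo "refusing: $t does not exist" >&2; return 1; }
    if [ -b "$t" ] && grep -qs "^$t" /proc/mounts; then
        echo "refusing: $t (or a partition on it) is mounted" >&2; return 1
    fi
    size=$(target_size "$t")
    if [ "$size" -gt "$max" ]; then
        echo "refusing: $t is $size bytes, above the $max byte limit" >&2; return 1
    fi
}

# Step 2: image the whole card, store its SHA-256 next to it, print the hash.
backup_card() {
    local dev=$1 out=$2
    check_target "$dev" || return 1
    dd if="$dev" of="$out" bs=1M conv=fsync status=none || return 1
    sha256sum "$out" | cut -d' ' -f1 | tee "$out.sha256"
}

# Step 3: write an image to the card, then read back exactly the image's
# length and compare hashes so a short or silently failed write is caught.
write_image() {
    local img=$1 dev=$2 len want have
    check_target "$dev" || return 1
    len=$(stat -c %s "$img")
    dd if="$img" of="$dev" bs=1M conv=fsync,notrunc status=none || return 1
    want=$(sha256sum "$img" | cut -d' ' -f1)
    have=$(head -c "$len" "$dev" | sha256sum | cut -d' ' -f1)
    [ "$want" = "$have" ] || { echo "verify failed: $dev does not match $img" >&2; return 1; }
    echo "$have"
}

# Step 4: pick the tty the USB-to-serial adapter attached to out of dmesg
# lines on stdin. The last match wins, since an adapter that was unplugged
# and re-plugged logs more than one "attached to" line.
serial_device_from_dmesg() {
    local name
    name=$(sed -n 's/.*now attached to \(tty[A-Za-z0-9]*\).*/\1/p' | tail -n 1)
    [ -n "$name" ] || { echo "no USB serial adapter found in dmesg" >&2; return 1; }
    echo "$name"
}

# Constructed sample, copied from the dmesg excerpt later in this post.
sample_dmesg() {
    cat <<'EOF'
[ 3990.514532] pl2303 5-1:1.0: pl2303 converter detected
[ 3990.525896] usb 5-1: pl2303 converter now attached to ttyUSB0
[ 3990.525916] usbcore: registered new interface driver pl2303
EOF
}

# Usage after sourcing this file, with the card at /dev/sdd as in the post:
#   backup_card /dev/sdd WatchGuardBackup.img
#   write_image /path/to/FreeDOSBios.img /dev/sdd
#   screen /dev/$(dmesg | serial_device_from_dmesg) 9600
```

The size limit is deliberately generous (a 4 GB card passes, a typical system SSD does not); lower the second argument of check_target if your cards are all small. write_image uses conv=notrunc so that the same function behaves identically on a block device and on a regular file, which is how it is exercised in testing.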
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-BA5qrlvkMK8/ULDiV9caBNI/AAAAAAAAAOc/73wLBnlOM-0/s1600/20121111_172518+(1).jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="http://4.bp.blogspot.com/-BA5qrlvkMK8/ULDiV9caBNI/AAAAAAAAAOc/73wLBnlOM-0/s320/20121111_172518+(1).jpg" width="240" /></a></div>
<b><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">Note: If you </span></b><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">also do not have a computer with a serial port, you can get a USB to Serial adapter cheaply online.</span><br />
<br />
<br />
<b><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">After connecting your serial cable to your computer and the WatchGuard appliance, you want to start a terminal session on the serial cable. To determine which device your serial cable is using on your system, you can check the dmesg log. </span><br /><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">In a terminal window type the "<b>dmesg</b>" command. This should display the dmesg log file. </span><br /><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">Below is a copy of the tail of my dmesg log file:</span><br /><br /><span style="background-color: #cccccc; font-weight: normal;"><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">[ 2960.116026] usb 5-2: reset full speed USB device using uhci_hcd and address 3</span><br /><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">[ 2960.236021] usb 5-2: device descriptor read/64, error -71</span><br /><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">[ 2960.460021] usb 5-2: device descriptor read/64, error -71</span><br /><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">[ 2960.676021] usb 5-2: reset full speed USB device using uhci_hcd and address 3</span><br /><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">[ 2962.112029] usb 5-2: reset full speed USB device using uhci_hcd and address 3</span><br /><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">[ 2962.232020] usb 5-2: device descriptor read/64, error -71</span><br /><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">[ 2962.456014] usb 5-2: device descriptor read/64, error -71</span><br /><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">[ 2962.672021] usb 5-2: reset full speed USB device using uhci_hcd and address 3</span><br /><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">[ 3990.232024] usb 5-1: new full speed USB device using uhci_hcd and address 4</span><br /><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">[ 3990.505878] usbcore: registered new interface driver usbserial</span><br /><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">[ 3990.505889] USB Serial support registered for generic</span><br /><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">[ 3990.505915] usbcore: registered new interface driver usbserial_generic</span><br /><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">[ 3990.505917] usbserial: USB Serial Driver core</span><br /><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">[ 3990.514510] USB Serial support registered for pl2303</span><br /><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">[ 3990.514532] pl2303 5-1:1.0: pl2303 converter detected</span><br /><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">[ 3990.525896] usb 5-1: pl2303 converter now attached to </span><span style="font-family: Arial; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">ttyUSB0</span><br /><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">[ 3990.525916] usbcore: registered new interface driver pl2303</span><br /><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">[ 3990.525919] pl2303: Prolific PL2303 USB to serial adaptor driver</span></span><br /><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">On my system the serial cable is using </span><span style="font-family: Arial; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">ttyUSB0. </span><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">If you are unsure which device your serial cable is using, disconnect the cable from your system, view the dmesg log again to see if you can identify the cable being disconnected, and then connect it to your computer again while reviewing the dmesg log once more. </span><br /><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">Once you know what device your serial cable is using, open a session to your serial cable by using the "<b>screen</b>" command. 
</span></b><b><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">Type the following command, then turn on the WatchGuard appliance:</span><br /><br /><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><i>Command syntax:</i><span style="font-weight: normal;"> <span style="background-color: #ead1dc;">screen /dev/{your serial cable device} 9600</span></span></span><br /><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;"> <u>Command used</u>: <span style="background-color: #cccccc;">“</span></span><span style="background-color: #cccccc; font-weight: normal;"><span style="font-family: Arial; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">screen /dev/ttyUSB0 9600</span><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">”</span></span><br /><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">Once you enter the "screen" command in the terminal window, your window will go blank until the WatchGuard appliance has fully loaded. My appliance sounded 3 beeps when the device had finished booting up and I was presented with the following: </span><br /><br /><span style="background-color: #cccccc; font-weight: normal;"><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">Freedos on COM1:</span><br /><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">Current date is Mon 11-05-2012</span><br /><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">Current time is 3:44:40.80 am</span><br /><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">C:\></span></span><br /><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">Once you are presented with the “<b>C:\></b>” prompt, you are ready to flash the BIOS with the X750EB6.BIN file. 
</span><br /><span style="font-weight: normal;"><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"></span></span><br /><span style="background-color: #cccccc; font-weight: normal;"><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">C:\>cd bios</span><br /><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">C:\BIOS>awdflash.exe X750EB6.BIN /py /sn /cc /e</span></span><br /><span style="font-weight: normal;"><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"></span></span><br /><span style="background-color: yellow; font-family: Arial; font-size: 15px; font-weight: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Lesson Learned Time</span><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="background-color: yellow;">:</span> Being a person very comfortable with using command line, there were some command line features unavailable in the </span><span style="font-family: Arial;">"screen"</span><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;"> terminal session to the serial console. 
Two such features that have caused me to restart this step many times was the missing tab to autocomplete your commands </span></b><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">feature</span><b><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;"> and the inability to use the backspac</span></b><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">e key</span><b><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">. Neither was available </span></b><span style="font-family: Arial;">while</span><b><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;"> using the <b>"screen</b>" command to access the serial cable. Trying both features sent unrecognizable characters to the terminal </span></b><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">window</span><b><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;"> which made my session unresponsive. I was able to regain responsivness after shut</span></b><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">down the WatchGuard appliance. 
</span><b><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;"></span><br /><span style="font-weight: normal;"><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"></span></span><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">After you have successfully flashed the BIOS, you can power off the WatchGuard appliance and remove the CF card. </span><br /><span style="font-weight: normal;"><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"></span></span><br /><span style="font-family: Arial; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">Step 4 -- Installing PFSense on your CF Memory Card</span><br /><span style="font-weight: normal;"><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"></span></span><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">Now it’s time to install PFSense on your CF memory card. </span><br /><span style="font-weight: normal;"><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"></span></span><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">1. Download the </span><a href="http://www.pfsense.org/mirror.php?section=downloads" style="font-weight: normal;"><span style="color: #1155cc; font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">PFSense nanobsd Image</span></a><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;"> image for the size of your CF memory card. 
I downloaded the </span><span style="font-family: Arial; font-size: 15px; font-style: italic; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">pfSense-2.0.1-RELEASE-4g-i386-nanobsd.img.gz </span><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">to install on my 4 GB card.</span><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">2. Decompress the .gz file<b> </b></span></b><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">via the <b>"tar" </b>command:</span><br />
<br />
<span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;"> <u>Command Used</u>: </span><span style="background-color: #cccccc;"><b><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"></span>tar -xvf ./pfSense-2.0.1-RELEASE-4g-i386-nanobsd.img.gz</span></b></span><br />
<b><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;"> </span><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">3. Write the PFSense image to your CF Memory card. Connect your CF memory card to your card writer and identify the disk device as previously done in “Step 2 - Backup the WatchGuard Firebox CF Image”. Write the PFSense image you downloaded and decompressed to the CF Memory card by using the following <b>"dd</b>" command:</span><br /><span style="font-weight: normal;"><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"></span></span><br /><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><i>Command Syntax:</i><span style="font-weight: normal;"> <span style="background-color: #ead1dc;">dd if=/{path to PFSense image} of=/dev/{disk device} bs=16k</span></span></span><br /><span style="font-weight: normal;"><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"></span></span><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;"><u>Command used</u>: </span><span style="background-color: #cccccc; font-family: Arial; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">sudo dd if=./pfSense-2.0.1-RELEASE-4g-i386-nanobsd.img of=/dev/sdd bs=16k</span><br /><span style="font-weight: normal;"><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"></span></span><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">4. 
Install CF Memory Card with PFSense installed in the WatchGuard appliance and open a session with your serial cable as you did previously using the </span><span style="font-family: Arial;">"screen" </span><span style="font-family: Arial; font-size: 15px; font-style: italic; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;"></span><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">command: </span><br /><span style="font-weight: normal;"><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"></span></span><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;"><i><b>Command Syntax</b></i>: screen /dev/{your serial cable device} 9600</span><br /><span style="font-weight: normal;"><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"></span></span><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">5. Power on your WatchGuard Appliance and this time you should be presented with the PFSense initial setup Wizard. </span><br /><span style="font-weight: normal;"><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"></span></span><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">From this point on you would set up PFSense just like a regular installation.</span></b><br />
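As an added example (not the post's own code), the following Python does the two error-prone steps above in code: it picks the USB-serial device out of dmesg output, and it writes the image in 16 KiB blocks like the post's dd command but then reads the card back to confirm the copy, which dd on its own does not do. The mount-table check against /proc/mounts and the temp-file self-check are assumptions of this example.

```python
"""Added example, not code from the original post: the dmesg lookup and the
image write from the procedure above, done in Python with a read-back check."""
import hashlib
import os
import re
import tempfile

# Constructed from the dmesg lines quoted in the post.
DMESG_SAMPLE = """\
[ 3990.525896] usb 5-1: pl2303 converter now attached to ttyUSB0
[ 3990.525916] usbcore: registered new interface driver pl2303
[ 3990.525919] pl2303: Prolific PL2303 USB to serial adaptor driver
"""

BLOCK = 16 * 1024  # same block size as the post's dd bs=16k

_ATTACHED = re.compile(r"converter now attached to (tty\w+)")


def serial_device(dmesg_text):
    """Return /dev/<tty> of the most recently attached USB-serial converter,
    or None when the dmesg text shows none. Feed it the output of `dmesg`."""
    found = _ATTACHED.findall(dmesg_text)
    return "/dev/" + found[-1] if found else None


def mounted_under(device, mounts_text):
    """True if `device` or any partition on it (e.g. /dev/sdd1 for /dev/sdd)
    appears as a mount source in /proc/mounts-style text."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if fields and fields[0].startswith(device):
            return True
    return False


def _sha256_prefix(path, length):
    """SHA-256 of the first `length` bytes of a file or block device."""
    digest = hashlib.sha256()
    remaining = length
    with open(path, "rb") as f:
        while remaining > 0:
            chunk = f.read(min(BLOCK, remaining))
            if not chunk:
                break
            digest.update(chunk)
            remaining -= len(chunk)
    return digest.hexdigest()


def verify_written(image, device):
    """Compare the image with the same number of bytes read back from device."""
    size = os.path.getsize(image)
    return _sha256_prefix(image, size) == _sha256_prefix(device, size)


def write_image(image, device, mounts_text=None):
    """Copy `image` onto `device` in 16 KiB blocks, fsync, then read it back.
    Refuses a target that is mounted. Returns True only when the read-back
    bytes match the image."""
    if mounts_text is None:
        try:
            with open("/proc/mounts") as m:
                mounts_text = m.read()
        except OSError:  # not Linux: no mount table to consult
            mounts_text = ""
    if mounted_under(device, mounts_text):
        raise RuntimeError(device + " is mounted; unmount it before writing")
    # "r+b" rather than "wb": O_TRUNC is meaningless on a block device, and
    # on a regular file (used by the self-check below) it keeps the file.
    with open(image, "rb") as src, open(device, "r+b") as dst:
        while True:
            chunk = src.read(BLOCK)
            if not chunk:
                break
            dst.write(chunk)
        dst.flush()
        os.fsync(dst.fileno())
    return verify_written(image, device)


def roundtrip_on_temp_files(size=40000):
    """Self-check on constructed data: write a random image to an empty file
    standing in for the CF card, then corrupt one byte and verify again.
    Returns (result_after_write, result_after_corruption) = (True, False)."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "pfSense.img")
        device = os.path.join(d, "fake_cf_card")
        with open(image, "wb") as f:
            f.write(os.urandom(size))
        open(device, "wb").close()
        ok = write_image(image, device, mounts_text="")
        with open(device, "r+b") as f:
            f.seek(size // 2)
            byte = f.read(1)
            f.seek(size // 2)
            f.write(bytes([byte[0] ^ 0xFF]))
        return ok, verify_written(image, device)


if __name__ == "__main__":
    print("serial device:", serial_device(DMESG_SAMPLE))
    print("roundtrip (write ok, after corruption):", roundtrip_on_temp_files())
```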
<br />
<b><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">See <a href="http://blog.basementpctech.com/2012/02/having-personal-firewall-makes-sense.html" target="_blank">How to Install PFSense</a> and<b> </b> <a href="http://blog.basementpctech.com/2012/02/webconfigurator-pfsense-basic-setup.html" target="_blank">How to Configure PFSense</a>.</span></b><br />
<b style="font-weight: normal;"><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><br /></span></b>
<br />
<span style="font-family: Arial;"><span style="font-size: 15px; white-space: pre-wrap;">I want to thank the following sites for helping me to successfully install PFSense on my WatchGuard appliance. </span></span><br />
<span style="font-family: Arial;"><span style="font-size: 15px; white-space: pre-wrap;"><br /></span></span>
<b id="internal-source-marker_0.6707111226860434" style="font-weight: normal;"><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><a href="http://www.nettechonline.net/index.php/pfsense/pfsense-watchguard/78-x700-led-fix-pfsense-on-watchguard.html?catid=49%3Apfsense-watchguard">http://www.nettechonline.net/index.php/pfsense/pfsense-watchguard/78-x700-led-fix-pfsense-on-watchguard.html?catid=49%3Apfsense-watchguard</a></span></b><b id="internal-source-marker_0.6707111226860434" style="font-weight: normal;"><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span></b><br />
<b style="font-weight: normal;"><span style="font-family: Arial;"><span style="font-size: 15px; white-space: pre-wrap;"><br /></span></span><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><a href="http://www.nettechonline.net/index.php/pfsense/75-x700-a-pfsense-20-rc1.html?catid=49%3Apfsense-watchguard">http://www.nettechonline.net/index.php/pfsense/75-x700-a-pfsense-20-rc1.html?catid=49%3Apfsense-watchguard</a> </span></b><br />
<b style="font-weight: normal;"><span style="vertical-align: baseline;"></span><span style="font-family: Arial;"><span style="font-size: 15px; white-space: pre-wrap;"><br /></span></span><a href="http://practicalkungfu.net/2012/02/20/how-to-install-pfsense-2-0-on-a-watchguard-x750e-core/"><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">http://practicalkungfu.net/2012/02/20/how-to-install-pfsense-2-0-on-a-watchguard-x750e-core/</span></a></b><br />
<b style="font-weight: normal;"><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><br /></span></b>Basement Techhttp://www.blogger.com/profile/05283073199414549321noreply@blogger.com4tag:blogger.com,1999:blog-7896091347668688704.post-4877225463008918682012-04-14T23:09:00.005-04:002012-04-15T19:29:19.650-04:00Malware Memory Analysis - Volatility<div style="margin-bottom: 0in;">In the <a href="http://blog.basementpctech.com/2012/04/average-basement-pc-tech-memory.html" target="_blank">Acquiring Memory</a> post, a list of tools that can be used to acquire the memory of a live system was given. Once you have successfully acquired the memory of the system, a tool like Volatility can be used to analyze it. In this assessment I will be evaluating the memory sample as a person who has no formal training in memory analysis or in using the tool, to see if I can still use it to identify malicious code contained within the memory image. For this test the <b>Zeus</b><span style="font-weight: normal;"> memory sample acquired from the <a href="http://code.google.com/p/volatility/wiki/MemorySamples" target="_blank">Google Code – Volatility Memory Sample</a> page will be used. </span> </div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;"><span style="font-weight: normal;">I will use practical troubleshooting steps to establish my approach to analyzing the memory sample. </span> </div><div style="margin-bottom: 0in;"><br />
</div><ul><li><div style="margin-bottom: 0in;">Look for strange processes</div></li>
<li><div style="margin-bottom: 0in;">Look for strange network connections</div></li>
<li><div style="margin-bottom: 0in;">Check registry for strange entries added by the malicious code. </div></li>
<li><div style="margin-bottom: 0in;">Analyze suspicious code </div></li>
</ul><h1 class="western"><span style="color: #2300dc;">Volatility</span></h1>Here is the official description of the tool from the developer page:<br />
<div style="margin-bottom: 0in;"><span style="color: #2300dc;">“<i>The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer unprecedented visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research. “</i></span></div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;"><a href="http://code.google.com/p/volatility/">http://code.google.com/p/volatility/</a></div><div style="margin-bottom: 0in;"><br />
</div><h1 class="western"><span style="color: #2300dc;">Installation</span></h1><span style="font-style: normal;">Installation of Volatility is very simple. If you are using Windows, it is just a matter of downloading the version you want and running the installer. For UNIX-based systems, the hardest part of the installation may be deciding where to extract the source code after you download it. Once the source code has been extracted, you're ready to use Volatility. No compiling needed. </span> <br />
<span style="font-style: normal;"><b>Note:</b></span><span style="font-style: normal;"> </span>There is one main requirement when it comes to using Volatility – <i><b>Python</b></i><i>.</i><span style="font-style: normal;"> You must have a working version of Python installed on your system. If you are using an up-to-date UNIX-based system, including OS X, you already have a working version of Python installed. Windows users may want to download and install the Volatility standalone version; it comes with everything you need to use Volatility, including a runtime version of Python. Check the download page on the Volatility main website for more detail. </span> <br />
<br />
<br />
<h1 class="western"><span style="color: #2300dc;"><span style="font-style: normal;">Using Volatility</span></span></h1><h3 class="western"><span style="color: #2300dc;"><span style="font-style: normal;">Basic usage</span></span></h3><span style="font-style: normal;">Basic usage of volatility is as follows:</span><br />
<br />
<br />
<b><span style="font-style: normal;">$ python vol.py </span><span style="color: #2300dc;"><span style="font-style: normal;">[plugin]</span></span><span style="font-style: normal;"> </span><span style="color: #355e00;"><span style="font-style: normal;">-f [image] --</span></span><span style="color: #6b2394;"><span style="font-style: normal;">profile=[PROFILE]</span></span></b><br />
<br />
<br />
<div style="margin-bottom: 0in;">The options after the “vol.py” command can be in any order as long as each option stays together with its value. During my evaluation, I found it best to use the following order when running Volatility from the command line, because it made editing the last command run from the command line easier.</div><div style="margin-bottom: 0in;"><br />
</div><b><span style="font-style: normal;">$ python vol.py </span><span style="color: #355e00;"><span style="font-style: normal;">--</span></span><span style="color: #6b2394;"><span style="font-style: normal;">profile=[PROFILE] </span></span><span style="color: #355e00;"><span style="font-style: normal;">-f [image] </span></span><span style="color: #6b2394;"><span style="font-style: normal;"> </span></span><span style="color: #2300dc;"><span style="font-style: normal;">[plugin]</span></span><span style="color: #6b2394;"><span style="font-style: normal;"> </span></span></b> <br />
<div style="margin-bottom: 0in;"></div><h3 class="western"><span style="color: #2300dc;"> </span></h3><h3 class="western"><span style="color: #2300dc;">Volatility Commands</span></h3>During this test I essentially referenced the Volatility command reference page, which lists all the commands along with sample output for each. Similar commands are grouped together under the following sections on the CommandReference page:<br />
<ul><li>Image Identification</li>
<li>Processes and DLLs</li>
<li>Process Memory</li>
<li>Kernel Memory and Objects</li>
<li>Networking</li>
<li>Registry</li>
<li>Crash Dumps, Hibernation, and Conversion</li>
<li>Malware and Rootkits</li>
<li>Miscellaneous</li>
</ul>Command Reference Page: <a href="http://code.google.com/p/volatility/wiki/CommandReference">http://code.google.com/p/volatility/wiki/CommandReference</a><br />
<br />
<h3 class="western"><span style="color: #2300dc;">Step 1 - Image Identification</span></h3>Not having captured the memory sample myself, it seemed logical to run the “imageinfo” plugin against the Zeus memory image to see what information it could provide about the image. <br />
<br />
<div style="margin-bottom: 0in;"><b><span style="background: none repeat scroll 0% 0% rgb(255, 255, 0);">python vol.py imageinfo -f zeus.vmem </span></b></div><div style="margin-bottom: 0in;"></div><div style="margin-bottom: 0in;"><br />
</div><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-_ZCz8x7KwD0/T4o0Q1vIXlI/AAAAAAAAALc/ekG1-QRmpiQ/s1600/imageinfo.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="137" src="http://2.bp.blogspot.com/-_ZCz8x7KwD0/T4o0Q1vIXlI/AAAAAAAAALc/ekG1-QRmpiQ/s400/imageinfo.png" width="400" /></a></div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;">The “imageinfo” plugin provided some valuable information, such as the date and time of the image and the local date and time of the system the memory was acquired from. It also suggested which profile should be used with the “--profile” option. The <b>WinXPSP2x86</b> profile was the one suggested for this Zeus memory sample. </div><div style="margin-bottom: 0in;"><br />
</div><h3 class="western"><span style="color: #2300dc;">Step 2 - Looking for strange processes</span> </h3><div style="margin-bottom: 0in;">Using the CommandReference page, I identified the plugin command that lists the processes that were running when the memory was acquired. </div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;"><b><span style="background: none repeat scroll 0% 0% rgb(255, 255, 0);">python vol.py --profile=WinXPSP2x86 pslist -f zeus.vmem</span></b></div><div style="margin-bottom: 0in;"><br />
</div><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-PD17VqqDupQ/T4o0e5nmmaI/AAAAAAAAALk/JuJM7_FXevE/s1600/pslist.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="298" src="http://2.bp.blogspot.com/-PD17VqqDupQ/T4o0e5nmmaI/AAAAAAAAALk/JuJM7_FXevE/s400/pslist.png" width="400" /></a></div><div style="margin-bottom: 0in;"></div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;">At first glance, there appear to be no strange processes running. </div><div style="margin-bottom: 0in;"><br />
</div><h3 class="western"><span style="color: #2300dc;">Step 3 - Looking for Strange Network Connections</span></h3><div style="margin-bottom: 0in;">The next step in my hunt for malware was to check the memory for any strange connections. Once again I used the CommandReference page to identify the plugin command to use to list all current network connections: </div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;"><b><span style="background: none repeat scroll 0% 0% rgb(255, 255, 0);">python vol.py --profile=WinXPSP2x86 connections -f zeus.vmem</span></b></div><div style="margin-bottom: 0in;"><br />
</div><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-eAjxrAKEtyE/T4o0rk2r8wI/AAAAAAAAALs/PUzB8GUnItE/s1600/connections.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="37" src="http://3.bp.blogspot.com/-eAjxrAKEtyE/T4o0rk2r8wI/AAAAAAAAALs/PUzB8GUnItE/s400/connections.png" width="400" /></a></div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;">Just my luck, no current connections were found. Well, right under the “connections” plugin command on the CommandReference page was the command to scan for previous connections found in the memory - “connscan”. I tried that plugin command next. </div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;"><b><span style="background: none repeat scroll 0% 0% rgb(255, 255, 0);"> python vol.py --profile=WinXPSP2x86 connscan -f zeus.vmem</span></b></div><div style="margin-bottom: 0in;"><br />
</div><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-JC87hpt4dzQ/T4o03b5mUoI/AAAAAAAAAL0/ZRUOKHuiCxs/s1600/connscan.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="62" src="http://1.bp.blogspot.com/-JC87hpt4dzQ/T4o03b5mUoI/AAAAAAAAAL0/ZRUOKHuiCxs/s400/connscan.png" width="400" /></a></div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;">Ahhh yea, two connections found, and now I just need to learn more about the Remote Address. Using the freegeoip.net website, I entered the remote IP address to learn the geolocation of the IP. </div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;">Freegeoip.net <a href="http://freegeoip.net/static/index.html">http://freegeoip.net/static/index.html</a> </div><div style="margin-bottom: 0in;"><br />
</div><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-JLuv6Wz--zI/T4o1A-gBeeI/AAAAAAAAAL8/KrtfRyjeAmw/s1600/ip_lookup.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="183" src="http://1.bp.blogspot.com/-JLuv6Wz--zI/T4o1A-gBeeI/AAAAAAAAAL8/KrtfRyjeAmw/s400/ip_lookup.png" width="400" /></a></div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;"></div><div style="margin-bottom: 0in;">Yes, I agree that I could have just used ARIN to do a simple whois on the remote address, but I'm a visual person and I tell you that I love seeing that little green arrow pointing at the possible geolocation of the Remote Address, which in this case is in the Republic of Moldova. It's so much cooler to look at than the following:</div><div style="margin-bottom: 0in;"><br />
</div><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-F78JXsyXqyQ/T4o1OMXoAfI/AAAAAAAAAME/e4jPnrhVZhQ/s1600/arins.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="http://4.bp.blogspot.com/-F78JXsyXqyQ/T4o1OMXoAfI/AAAAAAAAAME/e4jPnrhVZhQ/s400/arins.png" width="275" /></a></div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;">Now we know where the Remote Address is located, but this is not the only valuable piece of data we can acquire from the “connscan” output. The “connscan” output also displays the process ID (PID) of the process that was associated with the connection to the Remote Address, which happens to be PID 856. </div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;">Referring back to the output we got from the “pslist” plugin, we identify that “svchost.exe” is the process that was associated with the connection to the Remote Address. According to the “pslist” output we also see that its parent process ID (PPID) was 676 (services.exe), which in turn was started by PID 632 (winlogon.exe).</div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;">PID 632 winlogon.exe</div><div style="margin-bottom: 0in;"> PID 676 services.exe </div><div style="margin-bottom: 0in;"> PID 856 (svchost.exe) </div><div style="margin-bottom: 0in;"> Remote address: 193.104.41.75</div><div style="margin-bottom: 0in;"><br />
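As an added example (not the post's own code and not part of Volatility), here is the pslist/connscan correlation done above by hand, as code: parse both plugins' text output, then walk the PPID chain for every PID that owned a connection. The sample text is constructed in the column layout of Volatility 2's plugins; only PIDs 632, 676 and 856 and the remote address come from the post, the other rows, offsets, local addresses and timestamps are made up. It goes a little beyond the post in that the chain walk also handles a parent that has exited and a PPID cycle.

```python
"""Added example, not from the original post or the Volatility project: the
connscan-PID -> pslist-parent-chain correlation from the post, as code."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample text in the layout of Volatility 2 'pslist' output.
# PIDs 632/676/856 are the ones the post found; the rest is made up.
PSLIST_SAMPLE = """\
Offset(V)  Name                 PID    PPID   Thds   Hnds   Time
0x810b1660 System                    4      0     58    379 1970-01-01 00:00:00
0xff2ab020 smss.exe                544      4      3     19 2010-08-11 06:06:21
0xff1ec978 winlogon.exe            632    544     24    536 2010-08-11 06:06:23
0xff247020 services.exe            676    632     16    288 2010-08-11 06:06:23
0xff255020 lsass.exe               688    632     21    405 2010-08-11 06:06:24
0x80ff88d8 svchost.exe             856    676     29    336 2010-08-11 06:06:24
0xff1b8b28 svchost.exe            1028    676     88   1424 2010-08-11 06:06:24
0x80fe7a58 explorer.exe           1724   1700     11    289 2010-08-11 06:06:28
"""

# Constructed in the layout of 'connscan' output; remote address from the post.
CONNSCAN_SAMPLE = """\
Offset(P)  Local Address             Remote Address            Pid
0x02087620 172.16.176.143:1054       193.104.41.75:80          856
0x023a8008 172.16.176.143:1056       193.104.41.75:80          856
"""


@dataclass(frozen=True)
class Process:
    name: str
    pid: int
    ppid: int


@dataclass(frozen=True)
class Connection:
    local: str
    remote: str
    pid: int


# Data rows start with the hex offset; header lines are skipped by the regex.
_PS_ROW = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)\s+\d+\s+\d+")
_CONN_ROW = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_pslist(text: str) -> Dict[int, Process]:
    """Map PID -> Process from pslist output."""
    procs = {}
    for line in text.splitlines():
        m = _PS_ROW.match(line)
        if m:
            pid = int(m.group(2))
            procs[pid] = Process(m.group(1), pid, int(m.group(3)))
    return procs


def parse_connscan(text: str) -> List[Connection]:
    """Connections from connscan (or connections) output."""
    conns = []
    for line in text.splitlines():
        m = _CONN_ROW.match(line)
        if m:
            conns.append(Connection(m.group(1), m.group(2), int(m.group(3))))
    return conns


def ancestry(procs: Dict[int, Process], pid: int) -> List[Process]:
    """Parent chain for pid, root first. Stops at a PPID that is not in the
    list (parent exited, as explorer.exe's has in the sample) and at a cycle,
    so a malformed or hostile PPID value never loops forever."""
    chain, seen = [], set()
    cur = procs.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = procs.get(cur.ppid)
    chain.reverse()
    return chain


def remotes_by_pid(conns: List[Connection]) -> Dict[int, List[str]]:
    """PID -> sorted unique remote endpoints seen in the connection output."""
    out: Dict[int, set] = {}
    for c in conns:
        out.setdefault(c.pid, set()).add(c.remote)
    return {pid: sorted(r) for pid, r in out.items()}


def report(procs: Dict[int, Process], conns: List[Connection]) -> str:
    """Render the same indented tree the post wrote out by hand."""
    lines = []
    for pid, remotes in sorted(remotes_by_pid(conns).items()):
        chain = ancestry(procs, pid)
        if not chain:  # owner not in pslist: worth a psscan/psxview follow-up
            lines.append(f"PID {pid} (not in pslist)")
        for depth, p in enumerate(chain):
            lines.append("  " * depth + f"PID {p.pid} {p.name}")
        for r in remotes:
            lines.append("  " * max(len(chain), 1) + f"Remote address: {r}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_pslist(PSLIST_SAMPLE), parse_connscan(CONNSCAN_SAMPLE)))
```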
</div><div style="margin-bottom: 0in;"></div><h1 class="western"><span style="color: #2300dc;">Step 4 - Dump process</span></h1>So from my previous outputs I have identified at least two processes that I want to take a closer look at: “svchost.exe” and the process that started it, “services.exe”. Using the Volatility plugin command for dumping a process from the memory image, “procexedump”, I proceeded to dump each process.<br />
<br />
<br />
<div style="margin-bottom: 0in;"><b><span style="background: none repeat scroll 0% 0% rgb(255, 255, 0);">python vol.py --profile=WinXPSP2x86 -f ../zeus/zeus.vmem -p 856 procexedump -D ../zeus/</span> </b> </div><div style="margin-bottom: 0in;"><b><span style="background: none repeat scroll 0% 0% rgb(255, 255, 0);">python vol.py --profile=WinXPSP2x86 -f ../zeus/zeus.vmem -p 676 procexedump -D ../zeus/</span></b></div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;"><br />
</div><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-AeBCa2K_zIo/T4o15IwQSVI/AAAAAAAAAMM/3URt8_MZwZU/s1600/svchost.exe.dump.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="42" src="http://2.bp.blogspot.com/-AeBCa2K_zIo/T4o15IwQSVI/AAAAAAAAAMM/3URt8_MZwZU/s400/svchost.exe.dump.png" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-Pspo0wN5R0g/T4o2BU_5rhI/AAAAAAAAAMU/GGdSQNYBIOo/s1600/services.exe.dump1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="40" src="http://1.bp.blogspot.com/-Pspo0wN5R0g/T4o2BU_5rhI/AAAAAAAAAMU/GGdSQNYBIOo/s400/services.exe.dump1.png" width="400" /></a></div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;">I submitted both processes that were dumped by Volatility to VirusTotal.com for analysis and received the following results:</div><div style="margin-bottom: 0in;"><br />
</div><h3 class="western">svchost.exe analysis</h3><div style="margin-bottom: 0in;"><br />
</div><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-N19ud7DXan0/T4o2Yyuj9kI/AAAAAAAAAMc/Jd0xVgC0-Q4/s1600/svchost.exe.dump1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="172" src="http://1.bp.blogspot.com/-N19ud7DXan0/T4o2Yyuj9kI/AAAAAAAAAMc/Jd0xVgC0-Q4/s400/svchost.exe.dump1.png" width="400" /></a></div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;">The “svchost.exe” process had 1 detection by Emsisoft for Packed.Win32.Krap.g!A2 out of the 42 antivirus scanners that scanned the process. </div><div style="margin-bottom: 0in;"><br />
</div><h3 class="western">Services.exe analysis</h3><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-jKY0hJ1nryw/T4o2q7ONWjI/AAAAAAAAAMk/we2XkxgZTwE/s1600/VT-services1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="171" src="http://3.bp.blogspot.com/-jKY0hJ1nryw/T4o2q7ONWjI/AAAAAAAAAMk/we2XkxgZTwE/s400/VT-services1.png" width="400" /></a></div><div style="margin-bottom: 0in;"></div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;">The “services.exe” process had no detections out of the 42 antivirus scanners that scanned the process. </div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;">Volatility also offers an additional plugin for dumping a process together with its slack space, “procmemdump”. I decided to dump the processes again using this option to see if my results would change. </div><div style="margin-bottom: 0in;"><b>Note:</b> unless you specify a different output location or rename any previous PID process output, Volatility will overwrite any process dumps with the same PID. I found this out the hard way LOL</div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;">Dumping the processes including slack space from memory </div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;"><b><span style="background: none repeat scroll 0% 0% rgb(255, 255, 0);">python vol.py --profile=WinXPSP2x86 -f ../zeus/zeus.vmem -p 856 procmemdump -u -D ../zeus/</span></b></div><div style="margin-bottom: 0in;"><b><span style="background: none repeat scroll 0% 0% rgb(255, 255, 0);">python vol.py --profile=WinXPSP2x86 -f ../zeus/zeus.vmem -p 676 procmemdump -u -D ../zeus/</span></b></div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;">As before, I submitted the dumped processes to VirusTotal.com and this time the results were more interesting. </div><div style="margin-bottom: 0in;"><br />
</div><h3 class="western">svchost.exe with slack space analysis</h3><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-fRhj1dKqJFQ/T4o3A4_x9BI/AAAAAAAAAMs/emUUs5yoLY4/s1600/VT-svchost2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="170" src="http://2.bp.blogspot.com/-fRhj1dKqJFQ/T4o3A4_x9BI/AAAAAAAAAMs/emUUs5yoLY4/s400/VT-svchost2.png" width="400" /></a></div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;">The “svchost.exe” process had 6 detections out of the 42 antivirus scanners that scanned it. </div><div style="margin-bottom: 0in;"><br />
</div><table cellpadding="4" cellspacing="0" style="width: 452px;"><colgroup><col width="116"></col> <col width="318"></col> </colgroup><tbody>
<tr valign="TOP"> <td style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: none; border-top: 1px solid #000000; padding-bottom: 0.04in; padding-left: 0.04in; padding-right: 0in; padding-top: 0.04in;" width="116">Antivirus</td> <td style="border: 1px solid #000000; padding: 0.04in;" width="318">Results</td> </tr>
<tr valign="TOP"> <td style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: none; border-top: none; padding-bottom: 0.04in; padding-left: 0.04in; padding-right: 0in; padding-top: 0in;" width="116">AntiVir</td> <td style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: none; padding-bottom: 0.04in; padding-left: 0.04in; padding-right: 0.04in; padding-top: 0in;" width="318">TR/Crypt.XPACK.Gen</td> </tr>
<tr valign="TOP"> <td style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: none; border-top: none; padding-bottom: 0.04in; padding-left: 0.04in; padding-right: 0in; padding-top: 0in;" width="116">CAT-QuickHeal</td> <td style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: none; padding-bottom: 0.04in; padding-left: 0.04in; padding-right: 0.04in; padding-top: 0in;" width="318">(Suspicious) – DNAScan</td> </tr>
<tr valign="TOP"> <td style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: none; border-top: none; padding-bottom: 0.04in; padding-left: 0.04in; padding-right: 0in; padding-top: 0in;" width="116">Comodo</td> <td style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: none; padding-bottom: 0.04in; padding-left: 0.04in; padding-right: 0.04in; padding-top: 0in;" width="318">UnclassifiedMalware</td> </tr>
<tr valign="TOP"> <td style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: none; border-top: none; padding-bottom: 0.04in; padding-left: 0.04in; padding-right: 0in; padding-top: 0in;" width="116">Emsisoft</td> <td style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: none; padding-bottom: 0.04in; padding-left: 0.04in; padding-right: 0.04in; padding-top: 0in;" width="318">Trojan.Crypt!IK</td> </tr>
<tr valign="TOP"> <td style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: none; border-top: none; padding-bottom: 0.04in; padding-left: 0.04in; padding-right: 0in; padding-top: 0in;" width="116">Esafe</td> <td style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: none; padding-bottom: 0.04in; padding-left: 0.04in; padding-right: 0.04in; padding-top: 0in;" width="318">Win32.TRCrypt.XPACK</td> </tr>
<tr valign="TOP"> <td style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: none; border-top: none; padding-bottom: 0.04in; padding-left: 0.04in; padding-right: 0in; padding-top: 0in;" width="116">Ikarus</td> <td style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: none; padding-bottom: 0.04in; padding-left: 0.04in; padding-right: 0.04in; padding-top: 0in;" width="318">Trojan.Crypt</td> </tr>
</tbody></table><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;"><br />
</div><h3 class="western">Services.exe with slack space analysis</h3><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-D1QiK5_s82g/T4o3No0wgEI/AAAAAAAAAM0/rRaTwWhGU-w/s1600/VT-services2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="146" src="http://4.bp.blogspot.com/-D1QiK5_s82g/T4o3No0wgEI/AAAAAAAAAM0/rRaTwWhGU-w/s400/VT-services2.png" width="400" /></a></div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;">The “services.exe” process had 2 detections out of the 42 antivirus scanners that scanned it. </div><table cellpadding="4" cellspacing="0" style="width: 451px;"><colgroup><col width="115"></col> <col width="318"></col> </colgroup><tbody>
<tr valign="TOP"> <td style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: none; border-top: 1px solid #000000; padding-bottom: 0.04in; padding-left: 0.04in; padding-right: 0in; padding-top: 0.04in;" width="115">Antivirus</td> <td style="border: 1px solid #000000; padding: 0.04in;" width="318">Results</td> </tr>
<tr valign="TOP"> <td style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: none; border-top: none; padding-bottom: 0.04in; padding-left: 0.04in; padding-right: 0in; padding-top: 0in;" width="115">CAT-QuickHeal</td> <td style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: none; padding-bottom: 0.04in; padding-left: 0.04in; padding-right: 0.04in; padding-top: 0in;" width="318">(Suspicious) – DNAScan</td> </tr>
<tr valign="TOP"> <td style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: none; border-top: none; padding-bottom: 0.04in; padding-left: 0.04in; padding-right: 0in; padding-top: 0in;" width="115">Symantec</td> <td style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: none; padding-bottom: 0.04in; padding-left: 0.04in; padding-right: 0.04in; padding-top: 0in;" width="318">WS.Reputation.1</td> </tr>
</tbody></table><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;">So it appears that if you are going to dump a process out of memory, it is best to use the “procmemdump” plugin rather than the “procexedump” plugin. Now I'm pretty satisfied that I was able to find some malicious code in the memory image, but I don't really know how it got there. Maybe the registry can provide me with that answer.</div><div style="margin-bottom: 0in;"><br />
</div><h3 class="western"><span style="color: #2300dc;">STEP 5 – Search the Registry for signs of Malware</span> </h3><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;">Now it is time to search the registry for suspicious entries. I know the usual places to look in the registry for signs of malware, such as the “Run” keys, but I decided to search the Internet to see if there was a list of the registry keys most used by malware, and I was not disappointed: F-Secure has published a list of the top 10 registry launch points to check for signs of malware.</div><div style="margin-bottom: 0in;"></div><div style="margin-bottom: 0in;">Top 10 Launch points</div><div style="margin-bottom: 0in;"><br />
</div><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-xMEZzylclN8/T4o3ehFo8MI/AAAAAAAAAM8/1rP1akiVONU/s1600/Top10LaunchPoints.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="110" src="http://4.bp.blogspot.com/-xMEZzylclN8/T4o3ehFo8MI/AAAAAAAAAM8/1rP1akiVONU/s400/Top10LaunchPoints.png" width="400" /></a></div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;"><a href="http://www.f-secure.com/weblog/archives/00001207.html">http://www.f-secure.com/weblog/archives/00001207.html</a></div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;">With the list in hand, it is time to use Volatility to search the registry hives contained within the memory image. Referring back to the Volatility CommandReference page, I identified the plugin that lists the registry hives in memory: “hivelist”. I used it to list the registry hives in my memory sample:</div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;"><b><span style="background: none repeat scroll 0% 0% rgb(255, 255, 0);">python vol.py --profile=WinXPSP2x86 -f ../zeus/zeus.vmem hivelist</span></b></div><div style="margin-bottom: 0in;"><br />
</div><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-8hAWLYuKSQY/T4o3pMP3awI/AAAAAAAAANE/4jpiGzCUycw/s1600/hivelist.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="91" src="http://2.bp.blogspot.com/-8hAWLYuKSQY/T4o3pMP3awI/AAAAAAAAANE/4jpiGzCUycw/s400/hivelist.png" width="400" /></a></div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;">From the output of the “hivelist” plugin, I see that the following registry hives are available:</div><ul><li><div style="margin-bottom: 0in;">Software</div></li>
<li><div style="margin-bottom: 0in;">SAM</div></li>
<li><div style="margin-bottom: 0in;">System</div></li>
<li><div style="margin-bottom: 0in;">NTUSER.DAT</div></li>
</ul><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;">This is great because the hives that I need to review according to the F-Secure top 10 list are all present. </div><div style="margin-bottom: 0in;"><br />
</div><h3 class="western">Displaying values in the registry</h3><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;">I reviewed all of the registry keys suggested by the F-Secure list using the “printkey” plugin, with the following syntax:</div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;">python vol.py --profile=WinXPSP2x86 -f ../zeus/zeus.vmem printkey -o {virtual address} -K {registry key}</div><div style="margin-bottom: 0in;"><br />
</div><ul><li><div style="margin-bottom: 0in;">{virtual address} is the address acquired from the “hivelist” plugin. </div></li>
<li><div style="margin-bottom: 0in;">{registry key} is the path of the registry key whose values you want to display</div></li>
</ul><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;">After searching all the keys in the F-Secure top 10 list, only one actually had something suspicious: the “Microsoft\Windows NT\CurrentVersion\Winlogon” key.</div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;"><b><span style="background: none repeat scroll 0% 0% rgb(255, 255, 0);">python vol.py --profile=WinXPSP2x86 -f ../zeus/zeus.vmem printkey -o 0xe153ab60 -K "Microsoft\Windows NT\CurrentVersion\Winlogon"</span></b></div><div style="margin-bottom: 0in;"><br />
</div><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-JIqBi5NuIZM/T4o3x6M43lI/AAAAAAAAANM/uUNdJVjT9BA/s1600/winlogon-registry.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="380" src="http://1.bp.blogspot.com/-JIqBi5NuIZM/T4o3x6M43lI/AAAAAAAAANM/uUNdJVjT9BA/s400/winlogon-registry.png" width="400" /></a></div><div style="margin-bottom: 0in;"><br />
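A baseline check for the Winlogon launch points, added here as an example and not part of the original post: it parses printkey-style output for the Winlogon key and flags any program in the Userinit or Shell values that is not on the clean Windows XP baseline (userinit.exe and Explorer.exe). The printkey text, the timestamp and the full path to sdra64.exe are constructed for this example.

```python
"""Baseline check for the Winlogon launch points (Userinit and Shell).

Added example: parses Volatility 2 "printkey" style output for the
Winlogon key and reports any launch entry absent from the clean baseline.
"""
import re
from typing import Dict, List

# Constructed sample modeled on the layout of Volatility 2 printkey output.
# The registry path, timestamp and the sdra64.exe path are made up for this
# example and are not taken from a real memory image.
SAMPLE_PRINTKEY_OUTPUT = r"""
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\software
Key name: Winlogon (S)
Last updated: 2010-08-15 19:17:23 UTC+0000

Subkeys:
  (S) GPExtensions
  (S) Notify

Values:
REG_DWORD     AutoRestartShell : (S) 1
REG_SZ        DefaultUserName : (S) Administrator
REG_SZ        Shell         : (S) Explorer.exe
REG_SZ        Userinit      : (S) C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
REG_SZ        System        : (S)
"""

# Clean Windows XP baseline for the two Winlogon values that launch programs
# at logon. Entries are compared case-insensitively; the trailing comma that
# Windows keeps on Userinit is dropped by the splitter.
BASELINE: Dict[str, List[str]] = {
    "userinit": [r"c:\windows\system32\userinit.exe"],
    "shell": ["explorer.exe"],
}

# One line of the "Values:" section: <type> <name> : (S|V) <data>
VALUE_LINE = re.compile(r"^(REG_\w+)\s+(\S+)\s*:\s*\([SV]\)\s*(.*)$")


def parse_printkey_values(text: str) -> Dict[str, str]:
    """Return {value name: data} from the 'Values:' section of printkey output."""
    values: Dict[str, str] = {}
    in_values = False
    for line in text.splitlines():
        if line.strip() == "Values:":
            in_values = True
            continue
        if not in_values:
            continue
        match = VALUE_LINE.match(line)
        if match:
            _reg_type, name, data = match.groups()
            values[name] = data.strip()
    return values


def split_launch_entries(data: str) -> List[str]:
    """Split a comma-separated launch string into lower-cased, non-empty entries."""
    return [entry.strip().lower() for entry in data.split(",") if entry.strip()]


def find_unexpected_entries(values: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {value name: [entries absent from the baseline]} for Userinit/Shell."""
    findings: Dict[str, List[str]] = {}
    for name, data in values.items():
        expected = BASELINE.get(name.lower())
        if expected is None:
            continue  # not a launch point we baseline
        extra = [e for e in split_launch_entries(data) if e not in expected]
        if extra:
            findings[name] = extra
    return findings


def check_winlogon(text: str) -> Dict[str, List[str]]:
    """Parse printkey output and return the unexpected launch entries."""
    return find_unexpected_entries(parse_printkey_values(text))


if __name__ == "__main__":
    report = check_winlogon(SAMPLE_PRINTKEY_OUTPUT)
    if not report:
        print("Winlogon launch points match the baseline")
    for value_name, entries in report.items():
        for entry in entries:
            print(f"SUSPICIOUS: Winlogon\\{value_name} launches {entry}")
```

Pipe the real printkey output of the Winlogon key into `check_winlogon` to run the same comparison against your own image; any entry it returns is one that a clean system would not start at logon.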
</div><div style="margin-bottom: 0in;">The “Userinit” value appears to have an additional entry appended that will be started at login: “sdra64.exe”. Since we do not have at hand the actual system from which the memory sample was acquired, I could not upload the sdra64.exe file to VirusTotal.com to be examined, so I performed a Google search on “sdra64.exe” to see what I could find. The search returned over 56,400 results in just .25 seconds, many of which referred to the file as Zbot. I think I found the origin of the Zeus infection. </div>Basement Techhttp://www.blogger.com/profile/05283073199414549321noreply@blogger.com3tag:blogger.com,1999:blog-7896091347668688704.post-4149277546777191162012-04-11T22:58:00.003-04:002012-04-13T00:25:41.455-04:00Malware Memory Analysis<style type="text/css">
<!--
@page { margin: 0.79in }
TD P { margin-bottom: 0in }
P { margin-bottom: 0.08in }
A:link { so-language: zxx }
-->
</style><br />
<div style="margin-bottom: 0in;"><h2 style="color: blue;">Acquiring RAM From A Live System</h2><br />
In the not so distant past, when encountering a system that needed to be acquired or that had been compromised, it was common practice to disconnect the power in order to preserve the "state" of the system for later forensic analysis. We have since learned that valuable data is lost when the system is powered off, so every attempt should be made to capture this volatile data before the system is powered off. This may include, but is not limited to, the following: </div><ul><li><div style="margin-bottom: 0in;">current network connections </div></li>
<li><div style="margin-bottom: 0in;">running processes </div></li>
<li><div style="margin-bottom: 0in;">current mapped drives or shares</div></li>
<li><div lang="en-US" style="margin-bottom: 0in;"><span style="font-family: Times New Roman,serif;"><span style="font-size: small;">Users currently logged on</span></span></div></li>
<li><div style="margin-bottom: 0in;"><span style="color: blue;"><b>system memory</b></span> </div></li>
</ul><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;">Acquiring the memory of a system is a relatively new step in collecting volatile data. Only in recent years have we learned how to analyze this data in order to extract the valuable information contained within the memory.</div><div style="margin-bottom: 0in;"><br />
</div><div lang="en-US" style="margin-bottom: 0in;"><span style="font-size: small;">Some of the valuable data that can be found in memory includes the following:</span></div><div style="margin-bottom: 0in;"><br />
</div><ul><li><div lang="en-US" style="margin-bottom: 0in;"><span style="font-size: small;">Current processes and DLLs</span></div></li>
<li><div lang="en-US" style="margin-bottom: 0in;"><span style="font-size: small;">Network connections</span></div></li>
<li><div style="margin-bottom: 0in;"><span style="font-size: small;"><span lang="en-US">Unencrypted passwords</span></span></div></li>
<li><div lang="en-US" style="margin-bottom: 0in;"><span style="font-size: small;">Registry entries</span></div></li>
</ul><div style="margin-bottom: 0in;"><br />
</div><div lang="en-US" style="margin-bottom: 0in;"><span style="font-size: small;">There are many tools available that you can use to acquire the live memory from a system. Below is a list of some of the popular free tools: </span></div><div style="margin-bottom: 0in;"><br />
</div>
<div style="margin-bottom: 0in;"><br />
</div><table cellpadding="0" cellspacing="0" style="width: 552px;"><colgroup><col width="162"></col> <col width="73"></col> <col width="315"></col> </colgroup><tbody>
<tr valign="TOP"> <td style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: none; border-top: 1px solid #000000; padding: 0in;" width="162">Tool</td> <td style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: none; border-top: 1px solid #000000; padding: 0in;" width="73">OS</td> <td style="border: 1px solid #000000; padding: 0in;" width="315">Comments</td> </tr>
<tr valign="TOP"> <td style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: none; border-top: none; padding: 0in;" width="162"><span style="color: navy;"><span lang="zxx"><u><a href="http://accessdata.com/support/adownloads#FTKImager" target="_blank">FTK Imager</a></u></span></span></td> <td style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: none; border-top: none; padding: 0in;" width="73">Windows</td> <td style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: none; padding: 0in;" width="315"><ul><li>Lite version does not need to be installed and can run from USB<br />
</li>
</ul></td> </tr>
<tr valign="TOP"> <td style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: none; border-top: none; padding: 0in;" width="162"><span style="color: navy;"><span lang="zxx"><u><a href="http://hbgary.com/free-tools#fastdump" target="_blank">HBGary FastDump</a></u></span></span></td> <td style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: none; border-top: none; padding: 0in;" width="73">Windows</td> <td style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: none; padding: 0in;" width="315"><ul><li>Supports only 32-bit<br />
</li>
<li>Up to 4 GB of RAM<br />
</li>
<li>Does not support Vista, Windows 2003, Windows 2008<br />
</li>
</ul></td> </tr>
<tr valign="TOP"> <td style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: none; border-top: none; padding: 0in;" width="162"><span style="color: navy;"><span lang="zxx"><u><a href="http://www.moonsols.com/ressources/" target="_blank">MoonSols DumpIt</a></u></span></span></td> <td style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: none; border-top: none; padding: 0in;" width="73">Windows</td> <td style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: none; padding: 0in;" width="315"><ul><li>works with both x86 (32-bits) and x64 (64-bits) machines<br />
</li>
</ul></td> </tr>
<tr valign="TOP"> <td style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: none; border-top: none; padding: 0in;" width="162"><span style="color: navy;"><span lang="zxx"><u><a href="http://www.mandiant.com/products/free_software/memoryze/" target="_blank">Mandiant Memoryze</a></u></span></span></td> <td style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: none; border-top: none; padding: 0in;" width="73">Windows</td> <td style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: none; padding: 0in;" width="315">Officially Supports:<br />
<ul><li>Windows 2000 Service Pack 4 (32-bit)<br />
</li>
<li>Windows XP Service Pack 2 and Service Pack 3 (32-bit)<br />
</li>
<li>Windows Vista Service Pack 1 and Service Pack 2 (32-bit)<br />
</li>
<li>Windows 2003 Service Pack 2 (32-bit)<br />
</li>
<li>Windows 2003 Service Pack 2 (64-bit)<br />
</li>
<li>Windows 7 Service Pack 0 (32-bit)<br />
</li>
<li>Windows 7 Service Pack 0 (64-bit)<br />
</li>
<li>*Windows 2008 Service Pack 1 and Service Pack 2 (32-bit)<br />
</li>
<li>Windows 2008 R2 Service Pack 0 (64-bit)<br />
</li>
</ul></td> </tr>
<tr valign="TOP"> <td style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: none; border-top: none; padding: 0in;" width="162">dd </td> <td style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: none; border-top: none; padding: 0in;" width="73">*nix </td> <td style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: none; padding: 0in;" width="315"><ul><li>Comes standard on most *nix systems<br />
</li>
<li>can be used to capture the contents of physical memory using a device file (e.g. /dev/mem and /dev/kmem)<br />
</li>
</ul></td> </tr>
<tr valign="TOP"> <td style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: none; border-top: none; padding: 0in;" width="162"><span style="color: navy;"><span lang="zxx"><u><a href="http://cybermarshal.com/index.php/cyber-marshal-utilities/mac-memory-reader" target="_blank">Mac Memory Reader</a></u></span></span></td> <td style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: none; border-top: none; padding: 0in;" width="73">Mac</td> <td style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: none; padding: 0in;" width="315"><ul><li>It executes directly on 32- and 64-bit target machines running Mac OS X 10.4 through 10.7 and requires a PowerPC G4 or newer or any Intel processor.<br />
</li>
</ul></td> </tr>
</tbody></table><div lang="en-US" style="margin-bottom: 0in;"></div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;"><span style="font-size: small;"><span lang="en-US">Once you have acquired the system memory, the next task is extracting the data from the image. Below are three tools that can be used to extract this data, and over the next couple of blog postings I will use each tool on the same memory samples to evaluate its ease of use and how the tools differ. I will use and evaluate each program as someone who has had no formal training in the tool or in malware analysis but can apply common troubleshooting skills to identify the threats contained in each memory sample. All samples used for this evaluation are the publicly available samples found on the Google Code Volatility page.</span></span></div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;"><span style="font-size: small;"><span lang="en-US">http://code.google.com/p/volatility/wiki/MemorySamples </span></span></div><div style="margin-bottom: 0in;"><br />
</div><div lang="en-US" style="margin-bottom: 0in;"><span style="font-family: Times New Roman,serif;"><span style="font-size: small;">The three applications used for memory analysis are:</span></span></div><div style="margin-bottom: 0in;"><br />
</div><ul><li><div lang="en-US" style="margin-bottom: 0in;"><span style="font-family: Times New Roman,serif;"><span style="font-size: small;">Volatility</span></span></div></li>
<li><div lang="en-US" style="margin-bottom: 0in;"><span style="font-family: Times New Roman,serif;"><span style="font-size: small;">Mandiant Redline</span></span></div></li>
<li><div lang="en-US" style="margin-bottom: 0in;"><span style="font-family: Times New Roman,serif;"><span style="font-size: small;">HBGary Responder (community edition) </span></span> </div></li>
</ul><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;"><br />
</div>Basement Techhttp://www.blogger.com/profile/05283073199414549321noreply@blogger.com2tag:blogger.com,1999:blog-7896091347668688704.post-39271387388001501392012-03-31T21:17:00.003-04:002012-05-10T22:15:38.272-04:00Best Free Apps<style type="text/css">
<!--
@page { margin: 0.79in }
P { margin-bottom: 0.08in }
-->
</style> <br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-44WwBWy9Y_Y/T3ULdPU1hFI/AAAAAAAAALU/0jdosxVReW8/s1600/preferences-system-windows.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="200" src="http://4.bp.blogspot.com/-44WwBWy9Y_Y/T3ULdPU1hFI/AAAAAAAAALU/0jdosxVReW8/s200/preferences-system-windows.png" width="200" /></a></div>
<div style="font-family: Georgia,"Times New Roman",serif; margin-bottom: 0in; text-align: justify;">
<span style="font-size: large;">This has been an interesting month in which I found myself rebuilding many of the systems I use for work, which makes it a great time to share some of my favorite applications. As a Basement PC Tech you may find that these applications have some value to you too. Please feel free to share some of your favorite applications that may be of value to other Basement PC Techs. </span></div>
<div style="font-family: Georgia,"Times New Roman",serif; margin-bottom: 0in;">
<br />
Received some good recommendations, so I have updated the list on 5-10-2012.<br />
<div>
<div>
</div>
<div>
<span style="border-collapse: separate; color: black; font-size: small; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><b> </b></span></div>
<div>
<span style="font-size: large;"><span style="border-collapse: separate; color: black; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><b>Tools that every Basement PC Tech should have as part of their toolkit</b></span></span></div>
<div style="color: #0b5394;">
<span style="font-size: large;"><span style="border-collapse: separate; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><br />
</span></span></div>
<div style="color: #0b5394;">
<span style="font-size: small;"><span style="border-collapse: separate; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="font-size: large;"><b>Utilities</b></span></span></span></div>
<div>
</div>
<div>
<span style="font-size: small;"><span style="border-collapse: separate; color: black; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="border-collapse: separate; color: black; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><b>7zip</b> - Open Source file archiver with high compression ratio</span></span></span></div>
<div>
<span style="font-size: small;"><a href="http://www.7-zip.org/">http://www.7-zip.org/</a></span></div>
<div>
<span style="font-size: small;"><br />
</span></div>
<div>
<div>
<div>
<span style="font-size: small;"><span style="border-collapse: separate; color: black; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><b><span style="border-collapse: separate; color: black; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><b>VLC media player</b> - a free and open source cross-platform multimedia player and framework that plays most multimedia files as well as DVD, Audio CD, VCD, and various streaming protocols.</span></b></span></span></div>
<div>
<span style="font-size: small;"><a href="http://www.videolan.org/vlc/">http://www.videolan.org/vlc/</a></span></div>
<span style="font-size: small;"><br />
</span></div>
<span style="font-size: small;"><b>MalwareBytes</b> - One of the best anti-virus programs on the market</span></div>
<div>
<span style="font-size: small;"><a href="http://www.malwarebytes.org/products/malwarebytes_free">http://www.malwarebytes.org/products/malwarebytes_free</a></span></div>
<div>
<span style="font-size: small;"><br />
</span></div>
<div>
<div>
<span style="font-size: small;"><span style="border-collapse: separate; color: black; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><b>Sysinternals</b> - a collection of advanced system utilities for Windows.</span></span></div>
<div>
<span style="font-size: small;"><a href="http://technet.microsoft.com/en-us/sysinternals">http://technet.microsoft.com/en-us/sysinternals</a> or <a href="http://live.sysinternals.com/">http://live.sysinternals.com/</a></span></div>
<div>
<span style="font-size: small;"><br />
</span></div>
<div>
<span style="font-size: small;"><b>sqlitebrowser</b> - a light GUI editor for SQLite databases</span></div>
<div>
<span style="font-size: small;"><a href="http://sourceforge.net/projects/sqlitebrowser/">http://sourceforge.net/projects/sqlitebrowser/</a></span></div>
<span style="font-size: small;"><br />
</span></div>
<div>
<span style="font-size: small;"><span style="border-collapse: separate; color: black; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><b>Mandiant Highlighter</b> - is a free utility designed primarily for security analysts and system administrators. Highlighter provides a user with three views of the log or text file being analyzed:</span></span></div>
<div>
<ul>
<li><span style="font-size: small;">a text view that allows users to highlight interesting keywords and remove lines with “known good” content</span></li>
<li><span style="font-size: small;">a graphical, full-content view that shows all content and the full structure of the file, rendered as an image that is dynamically editable through the user interface</span></li>
<li><span style="font-size: small;">a histogram view that displays patterns in the file over time. Usage patterns become visually apparent and provide the examiner with useful metadata that is not available in other text viewers/editors. </span></li>
</ul>
<span style="font-size: small;"><a href="http://www.mandiant.com/products/free_software/highlighter/">http://www.mandiant.com/products/free_software/highlighter/</a></span></div>
<div>
<div>
<span style="font-size: small;"><span style="border-collapse: separate; color: black; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><b><br />
Firefox</b> - a free and open source web browser</span></span></div>
<div>
<span style="font-size: small;"><a href="http://www.mozilla.org/en-US/firefox/fx/">http://www.mozilla.org/en-US/firefox/fx/</a></span></div>
<div>
<span style="font-size: small;"><br />
</span></div>
<div>
<span style="font-size: small;"><b>Firefox plug-in NoScript</b> - pre-emptively blocks malicious scripts and allows JavaScript, Java and other potentially dangerous content only from sites you trust.</span></div>
<div>
<span style="font-size: small;"><a href="http://noscript.net/">http://noscript.net/</a></span></div>
<div>
<span style="font-size: small;"><br />
</span></div>
<div>
<span style="font-size: small;"><b>Firefox plug-in Firebug</b> - lets you inspect, edit and monitor the CSS, HTML, JavaScript and network requests of any web page.</span></div>
<div>
<span style="font-size: small;"><a href="http://getfirebug.com/">http://getfirebug.com/</a></span></div>
<div>
<span style="font-size: small;"><br />
</span></div>
<div>
<span style="font-size: small;"><b>Oracle VirtualBox</b> - a powerful x86 and AMD64/Intel64 virtualization product for enterprise as well as home use.</span></div>
<div>
<span style="font-size: small;"><a href="https://www.virtualbox.org/">https://www.virtualbox.org/</a></span></div>
<div>
<span style="font-size: small;"><br />
</span></div>
<div>
<span style="font-size: small;"><b>TeamViewer</b> - remote control and desktop sharing program.</span></div>
<div>
<span style="font-size: small;"><a href="http://www.teamviewer.com/en/index.aspx?cdsplit=D">http://www.teamviewer.com/en/index.aspx?cdsplit=D</a></span></div>
<div>
<span style="font-size: small;"><br />
</span></div>
<div>
<span style="font-size: small;"><b>CutePDF</b> - converts documents to PDF on the fly, for free.</span></div>
<div>
<span style="font-size: small;"><a href="http://www.cutepdf.com/products/cutepdf/writer.asp">http://www.cutepdf.com/products/cutepdf/writer.asp</a></span></div>
<div>
<span style="font-size: small;"><br />
</span></div>
<div>
<span style="font-size: small;"><b>FileZilla</b> - FTP and SCP client.</span></div>
<div>
<span style="font-size: small;"><a href="http://filezilla-project.org/">http://filezilla-project.org/</a></span></div>
<div>
<span style="font-size: small;"><br />
</span></div>
<div>
<span style="font-size: small;"><b>PuTTY</b> - a free implementation of Telnet and SSH for Windows and Unix platforms, along with an xterm terminal emulator.</span></div>
<div>
<span style="font-size: small;"><a href="http://www.chiark.greenend.org.uk/%7Esgtatham/putty/">http://www.chiark.greenend.org.uk/~sgtatham/putty/</a></span></div>
<div>
<span style="font-size: small;"><br />
</span></div>
<div>
<span style="font-size: small;"><b>FastResolver</b> - a small utility that resolves multiple host names into IP addresses and vice versa.</span></div>
<div>
<span style="font-size: small;"><a href="http://www.nirsoft.net/utils/fastresolver.html">http://www.nirsoft.net/utils/fastresolver.html</a></span></div>
<div>
<span style="font-size: small;"><br />
</span></div>
<div>
<span style="font-size: small;"><b>DNSDataView</b> - a GUI alternative to the NSLookup tool that comes with the Windows operating system. It allows you to easily retrieve the DNS records (MX, NS, A, SOA) of the specified domains. You can use the default DNS server of your Internet connection, or any other DNS server that you specify. After retrieving the DNS records for the desired domains, you can save them to a text/xml/html/csv file.</span></div>
<div>
<span style="font-size: small;"><a href="http://www.nirsoft.net/utils/dns_records_viewer.html">http://www.nirsoft.net/utils/dns_records_viewer.html</a> </span></div>
<div>
<span style="font-size: small;"><br />
</span></div>
<div>
<span style="font-size: small;"><b>Expresso</b> (Regex Editor) - an editor that is equally suitable as a teaching tool for the beginning user of regular expressions or as a full-featured development environment for the experienced programmer or web designer with an extensive knowledge of regular expressions.</span></div>
<div>
<span style="font-size: small;"><a href="http://www.ultrapico.com/Expresso.htm">http://www.ultrapico.com/Expresso.htm</a> </span></div>
<div>
<span style="font-size: small;"><br />
</span></div>
<div>
<span style="font-size: small;"><b>Notepad++</b> - a free (as in "free speech" and also as in "free beer") source code editor and Notepad replacement that supports several languages.</span></div>
<div>
<span style="font-size: small;"><a href="http://notepad-plus-plus.org/">http://notepad-plus-plus.org/</a></span></div>
<div>
<span style="font-size: small;"><br />
</span></div>
<br />
<div class="MsoNormal">
<b style="mso-bidi-font-weight: normal;"><span style="font-family: 'Times New Roman', serif; font-size: 12.0pt;">Microsoft Log Parser 2.2</span></b><span style="font-family: 'Times New Roman', serif; font-size: 12.0pt;"> - a powerful, versatile tool that provides universal query access to text-based data such as log files, XML files and CSV files, as well as key data sources on the Windows operating system such as the Event Log, the Registry, the file system, and Active Directory.</span></div>
<div class="MsoNormal">
<a href="http://technet.microsoft.com/en-us/scriptcenter/dd919274"><span style="font-family: 'Times New Roman', serif; font-size: 12.0pt;">http://technet.microsoft.com/en-us/scriptcenter/dd919274</span></a></div>
<div class="MsoNormal">
<br /></div>
</div>
<div>
<span style="font-size: small;"><br />
</span></div>
<div style="color: #0b5394;">
<b><span style="font-size: large;">Productivity </span></b></div>
<div>
<span style="font-size: small;"><br />
</span></div>
<span style="font-size: small;"><b>LibreOffice</b> - open source personal productivity suite for Windows, Macintosh and GNU/Linux that gives you six feature-rich applications for all your document production and data processing needs.</span><br />
<a href="http://www.libreoffice.org/">http://www.libreoffice.org/</a><br />
<span style="font-size: small;"><b>Evernote</b> - great note-taking application that saves your data in the "cloud". With applications for Windows, Mac, Firefox, Chrome and many mobile phone operating systems, you can access your notes from anywhere.</span><br />
<div>
<span style="font-size: small;"><a href="http://www.evernote.com/">http://www.evernote.com/</a></span></div>
<div>
<span style="font-size: small;"><br />
</span><br />
<div>
<span style="font-size: small;"><b><span style="border-collapse: separate; color: black; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><b>Password Management</b> - see One Password to Rule Them All!!!!!</span></b></span></div>
<div>
<span style="font-size: small;"><span style="border-collapse: separate; color: black; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><a href="http://blog.basementpctech.com/2012/02/one-password-to-rule-them-all.html">http://blog.basementpctech.com/2012/02/one-password-to-rule-them-all.html</a></span></span></div>
<div>
<span style="font-size: small;"><br />
</span></div>
<div>
<span style="font-size: small;"><b><span style="border-collapse: separate; color: black; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><b>Dropbox</b> - is a free service that lets you bring your photos, docs, and videos anywhere and share them easily. Never email yourself a file again!</span></b></span></div>
<div>
<span style="font-size: small;"><a href="https://www.dropbox.com/">https://www.dropbox.com/</a></span></div>
<div>
<span style="font-size: small;"><b><br />
</b></span></div>
<div style="color: #0b5394;">
<span style="font-size: large;"><b><br />
</b></span></div>
<div style="color: #0b5394;">
<span style="font-size: large;"><b>Forensics Related</b></span></div>
<div>
<span style="font-size: small;"><br />
</span></div>
<div>
<!--[if gte mso 9]><xml>
<w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="true"
DefSemiHidden="true" DefQFormat="false" DefPriority="99"
LatentStyleCount="267">
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 2"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 2"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 2"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 2"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 2"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 2"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 2"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 2"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 3"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 3"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 3"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 3"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 3"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 3"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 3"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 3"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 3"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 3"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 3"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 3"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 3"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 3"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 4"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 4"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 4"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 4"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 4"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 4"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 4"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 4"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 4"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 4"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 4"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 4"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 4"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 4"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 5"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 5"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 5"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 5"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 5"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 5"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 5"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 5"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 5"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 5"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 5"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 5"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 5"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 5"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 6"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 6"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 6"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 6"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 6"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 6"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 6"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 6"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 6"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 6"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 6"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 6"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 6"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 6"/>
<w:LsdException Locked="false" Priority="19" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Emphasis"/>
<w:LsdException Locked="false" Priority="21" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Emphasis"/>
<w:LsdException Locked="false" Priority="31" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Reference"/>
<w:LsdException Locked="false" Priority="32" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Reference"/>
<w:LsdException Locked="false" Priority="33" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Book Title"/>
<w:LsdException Locked="false" Priority="37" Name="Bibliography"/>
<w:LsdException Locked="false" Priority="39" QFormat="true" Name="TOC Heading"/>
</w:LatentStyles>
</xml><![endif]--><!--[if gte mso 10]>
<style>
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin-top:0in;
mso-para-margin-right:0in;
mso-para-margin-bottom:10.0pt;
mso-para-margin-left:0in;
line-height:115%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;}
</style>
<![endif]-->
<div class="MsoNormal">
<b>SANS Investigative Forensic Toolkit (SIFT) Workstation</b> - The SIFT Workstation is a VMware appliance, pre-configured with the tools needed to perform a detailed digital forensic examination in a variety of settings. It reads Expert Witness Format (E01), Advanced Forensic Format (AFF) and raw (dd) evidence images. The newest version has been completely rebuilt on an Ubuntu base with many new capabilities and tools, such as log2timeline, which builds a timeline of system activity that can be of enormous value to investigators.</div>
<div class="MsoNormal">
<a href="http://computer-forensics.sans.org/community/downloads">http://computer-forensics.sans.org/community/downloads</a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b>LINUX OS</b> – Ensure the following are installed (many are installed by default on common distributions):</div>
<ul>
<li>Wireshark</li>
<li>LibreOffice</li>
<li>Python (pre-installed)</li>
<li>Perl (pre-installed)</li>
<li>The Sleuth Kit</li>
<li>AccessData FTK Imager, command line Linux version: <a href="http://accessdata.com/support/adownloads">http://accessdata.com/support/adownloads</a></li>
<li>log2timeline (optional; installed in the SIFT Workstation): <a href="http://log2timeline.net/">http://log2timeline.net/</a></li>
<li>Volatility memory analysis framework (optional; installed in the SIFT Workstation): <a href="https://www.volatilesystems.com/default/volatility">https://www.volatilesystems.com/default/volatility</a></li>
</ul>
<br />
<span style="font-size: small;"><span style="border-collapse: separate; color: black; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><b>Mandiant Web Historian</b> - helps users review the list of websites (URLs) that are stored in the history files of the most commonly used browsers, including: Internet Explorer, Firefox and Chrome</span></span></div>
<div>
<span style="font-size: small;"><a href="http://www.mandiant.com/products/free_software/web_historian/">http://www.mandiant.com/products/free_software/web_historian/</a></span></div>
<div>
<span style="font-size: small;"><br />
</span></div>
<div>
<span style="font-size: small;"><b>Mandiant Redline</b> - Redline is a free utility from MANDIANT that accelerates the process of triaging hosts suspected of being compromised or infected while supporting in-depth live memory analysis. Designed to help find even the best-hidden malware, it analyzes and rates every running process on a system according to risk, combining Memoryze's live memory analysis with MRI (Malware Risk Index) scoring. Redline makes memory forensics accessible to any investigator without relying upon easily-defeated signature-based detection </span></div>
<div>
<span style="font-size: small;"><a href="http://www.mandiant.com/products/free_software/redline/">http://www.mandiant.com/products/free_software/redline/</a></span></div>
<div>
<span style="font-size: small;"><br />
</span></div>
<div>
<span style="font-size: small;"><b>Access Data FTK Imager</b> - Forensics Imager </span></div>
<div>
<span style="font-size: small;"><a href="http://accessdata.com/support/adownloads">http://accessdata.com/support/adownloads</a></span></div>
<div>
<span style="font-size: small;"><br />
</span></div>
<div>
<span style="font-size: small;"><b>Access Data Registry Viewer</b> - Offline Windows Registry Viewer</span></div>
<div>
<span style="font-size: small;"><a href="http://accessdata.com/support/adownloads">http://accessdata.com/support/adownloads</a></span></div>
<div>
<span style="font-size: small;"><span style="border-collapse: separate; color: black; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><b><br />
</b></span></span></div>
<div>
<span style="font-size: small;"><span style="border-collapse: separate; color: black; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><b>HBGary</b> FastDump - forensically sound Windows™ memory dumping utility <span style="color: red;">(Requires login)</span></span></span></div>
<div>
<span style="font-size: small;"><a href="http://www.hbgary.com/free-tools">http://www.hbgary.com/free-tools</a></span></div>
<div>
<span style="font-size: small;"><b><br />
</b></span></div>
<div>
<span style="font-size: small;"><b>HBGary Responder Community Edition</b> - provides the most thorough and comprehensive memory analysis capability in the industry. Responder™ Community Edition virtually rebuilds all the underlying data structures up to 6 gigabytes of RAM. This includes all physical to virtual address mappings, recreates the object manager, exposes all objects, and enables investigators to perform a complete and comprehensive computer investigation. </span><span style="color: red; font-size: small;">(Requires login)</span></div>
<div>
<span style="font-size: small;"><a href="http://www.hbgary.com/free-tools">http://www.hbgary.com/free-tools</a></span></div>
<div>
<span style="font-size: small;"><br />
</span></div>
<div>
<span style="font-size: small;"><span style="border-collapse: separate; color: black; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><b>QCC Casenote</b> - Application to allow forensic analysts and examiners to securely record their contemporaneous notes electronically. </span></span></div>
<div>
<span style="font-size: small;"><a href="http://qccis.com/resources/forensic-tools/casenotes-lite/" target="_blank">http://qccis.com/resources/forensic-tools/casenotes-lite/</a></span></div>
</div>
</div>
</div>
<div style="font-family: Georgia,"Times New Roman",serif; margin-bottom: 0in;">
<br />
<br />
<div class="MsoNormal">
<b style="mso-bidi-font-weight: normal;"><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;">RegRipper</span></b><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;"> – Script to
parse Windows registry files to txt.</span></div>
<div class="MsoNormal">
<a href="http://regripper.wordpress.com/"><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;">http://regripper.wordpress.com/</span></a><span style="color: #1f497d; font-family: "Times New Roman","serif"; font-size: 12.0pt; mso-themecolor: dark2;"> </span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b style="mso-bidi-font-weight: normal;"><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;">Prefetch-Parser</span></b><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;"> – Parse the
prefetch files and display the information they contain.</span></div>
<div class="MsoNormal">
<a href="http://redwolfcomputerforensics.com/downloads/parse_prefetch_info_v1.5.zip"><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;">http://redwolfcomputerforensics.com/downloads/parse_prefetch_info_v1.5.zip</span></a><span style="color: #1f497d; font-family: "Times New Roman","serif"; font-size: 12.0pt; mso-themecolor: dark2;"> </span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b style="mso-bidi-font-weight: normal;"><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;">Pasco</span></b><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;"> – Internet
Explorer Activity Forensic Analysis Tool</span></div>
<div class="MsoNormal">
<a href="http://www.mcafee.com/us/downloads/free-tools/pasco.aspx"><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;">http://www.mcafee.com/us/downloads/free-tools/pasco.aspx</span></a><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;"> </span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;">IECacheView
– </span></b><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;">Internet
Explorer Cache View is a small utility that reads the cache folder of
Internet Explorer, and displays the list of all files currently stored in the
cache. </span><a href="http://www.nirsoft.net/utils/ie_cache_viewer.html"><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;">http://www.nirsoft.net/utils/ie_cache_viewer.html</span></a><span style="color: #1f497d; font-family: "Times New Roman","serif"; font-size: 12.0pt;"> </span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;">IE
PassView</span></b><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;">
– Recovers lost passwords stored by Internet Explorer. It is a small password
management utility that reveals the passwords stored by the Internet Explorer Web
browser.</span></div>
<div class="MsoNormal">
<a href="http://www.nirsoft.net/utils/internet_explorer_password.html"><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;">http://www.nirsoft.net/utils/internet_explorer_password.html</span></a><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;"> </span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;">MozillaCacheView</span></b><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;"> –
Mozilla/Firefox Browsers History Viewer is a small utility that reads the
history data file (history.dat) of Firefox/Mozilla/Netscape Web browsers, and
displays the list of all Web pages visited in recent days.</span></div>
<div class="MsoNormal">
<a href="http://www.nirsoft.net/utils/mozilla_history_view.html"><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;">http://www.nirsoft.net/utils/mozilla_history_view.html</span></a><span style="color: #1f497d; font-family: "Times New Roman","serif"; font-size: 12.0pt;"> </span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;">PasswordFox</span></b><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;"> - is a small
password recovery tool that allows you to view the user names and passwords
stored by Mozilla Firefox Web browser.</span></div>
<div class="MsoNormal">
<a href="http://www.nirsoft.net/utils/passwordfox.html"><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;">http://www.nirsoft.net/utils/passwordfox.html</span></a><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;"> </span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;">SkypeLogView</span></b><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;"> – Skype Log
Viewer (.dbb and main.db files) reads the log files created by the Skype
application, and displays the details of incoming/outgoing calls, chat
messages, and file transfers made by the specified Skype account.</span></div>
<div class="MsoNormal">
<a href="http://www.nirsoft.net/utils/skype_log_view.html"><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;">http://www.nirsoft.net/utils/skype_log_view.html</span></a><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;"> </span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;">Mail
PassView</span></b><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;">
- is a small password-recovery tool that reveals the passwords and other
account details for popular email clients.</span></div>
<div class="MsoNormal">
<a href="http://www.nirsoft.net/utils/mailpv.html"><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;">http://www.nirsoft.net/utils/mailpv.html</span></a><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;"> </span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;">PstPassword</span></b><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;"> - is a small
utility that recovers the lost password of an Outlook .PST (Personal Folders) file.</span></div>
<div class="MsoNormal">
<a href="http://www.nirsoft.net/utils/pst_password.html"><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;">http://www.nirsoft.net/utils/pst_password.html</span></a><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;"> </span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;">OperaCacheView</span></b><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;"> - is a small
utility that reads the cache folder of Opera Web browser, and displays the list
of all files currently stored in the cache.</span></div>
<div class="MsoNormal">
<a href="http://www.nirsoft.net/utils/opera_cache_view.html"><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;">http://www.nirsoft.net/utils/opera_cache_view.html</span></a><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;"> </span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b style="mso-bidi-font-weight: normal;"><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;">ChromeCacheView</span></b><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;"> - is a small
utility that reads the cache folder of Google Chrome Web browser, and displays
the list of all files currently stored in the cache.</span></div>
<div class="MsoNormal">
<a href="http://www.nirsoft.net/utils/chrome_cache_view.html"><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;">http://www.nirsoft.net/utils/chrome_cache_view.html</span></a><span style="color: #1f497d; font-family: "Times New Roman","serif"; font-size: 12.0pt; mso-themecolor: dark2;"> </span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b style="mso-bidi-font-weight: normal;"><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;">LiveContactsView
</span></b><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;">-
is a small utility that allows you to view the details of all contacts in your
Windows Live Messenger.</span></div>
<div class="MsoNormal">
<a href="http://www.nirsoft.net/utils/live_messenger_contacts.html"><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;">http://www.nirsoft.net/utils/live_messenger_contacts.html</span></a><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;"> </span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;">Thumbnail_html
– </span></b><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt; mso-bidi-font-weight: bold;">Reads a directory of graphics and creates a webpage that
displays them together with their EXIF info</span></div>
<div class="MsoNormal">
<a href="http://redwolfcomputerforensics.com/downloads/thumbnail_html_gui.zip"><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt; mso-bidi-font-weight: bold;">http://redwolfcomputerforensics.com/downloads/thumbnail_html_gui.zip</span></a><span style="color: #1f497d; font-family: "Times New Roman","serif"; font-size: 12.0pt; mso-bidi-font-weight: bold; mso-themecolor: dark2;"></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;">FragView
- </span></b><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt; mso-bidi-font-weight: bold;">application that allows a recursive list of html,
jpg and Flash files to be viewed in an adjacent pane without having to manually
navigate to each one individually and open it. A great time saver, especially
for previewing exported webmail fragments!</span></div>
<div class="MsoNormal">
<a href="http://qccis.com/resources/forensic-tools/fragview/"><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt; mso-bidi-font-weight: bold;">http://qccis.com/resources/forensic-tools/fragview/</span></a><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt; mso-bidi-font-weight: bold;"></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;">VideoTriage
- </span></b><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt; mso-bidi-font-weight: bold;">designed to produce thumbnails of selected movie
files so that the movie doesn’t need to be watched.</span></div>
<div class="MsoNormal">
<a href="http://qccis.com/resources/forensic-tools/videotriage/"><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt; mso-bidi-font-weight: bold;">http://qccis.com/resources/forensic-tools/videotriage/</span></a><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt; mso-bidi-font-weight: bold;"></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;">Windows
File Analyzer</span></b><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt; mso-bidi-font-weight: bold;"> – an application that decodes and analyzes the
following Windows OS files: Thumbnail Database, ACDSee Thumbnail database,
Google Picasa Thumbnail Database, FastStone Viewer Thumbnail Database, HP
Digital Imaging Thumbnail Database, Prefetch, Shortcut, Index.dat and Recycle
Bin. </span></div>
<div class="MsoNormal">
<a href="http://www.mitec.cz/Downloads/WFA.zip"><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt; mso-bidi-font-weight: bold;">http://www.mitec.cz/Downloads/WFA.zip</span></a><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt; mso-bidi-font-weight: bold;"> </span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;">FixEvt</span></b><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt; mso-bidi-font-weight: bold;"> - is a tool for automating the recovery and analysis of Windows NT5 (XP
and 2003) event logs, primarily for computer forensics.</span></div>
<div class="MsoNormal">
<a href="http://www.murphey.org/fixevt.html"><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt; mso-bidi-font-weight: bold;">http://www.murphey.org/fixevt.html</span></a><span style="color: #1f497d; font-family: "Times New Roman","serif"; font-size: 12.0pt; mso-bidi-font-weight: bold; mso-themecolor: dark2;"> </span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;">Vista-thumbcache-parser</span></b><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt; mso-bidi-font-weight: bold;"> – Parses the Vista thumbcache file</span></div>
<div class="MsoNormal">
<a href="http://redwolfcomputerforensics.com/downloads/thumbcache-installer.exe"><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt; mso-bidi-font-weight: bold;">http://redwolfcomputerforensics.com/downloads/thumbcache-installer.exe</span></a><span style="color: #1f497d; font-family: "Times New Roman","serif"; font-size: 12.0pt; mso-bidi-font-weight: bold; mso-themecolor: dark2;"> </span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;">Windows
ShellBag Parser</span></b><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt; mso-bidi-font-weight: bold;"> – Parses the registry ShellBag keys. ShellBag information
is a set of keys in a user registry hive (e.g. the ntuser.dat file) used by the
Windows operating system to track user window viewing preferences.</span></div>
<div class="MsoNormal">
<span style="font-family: "Times New Roman","serif"; font-size: 12.0pt; mso-bidi-font-weight: bold;">Explanation<span style="color: #1f497d; mso-themecolor: dark2;">: </span></span><a href="http://computer-forensics.sans.org/blog/2011/07/05/shellbags"><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt; mso-bidi-font-weight: bold;">http://computer-forensics.sans.org/blog/2011/07/05/shellbags</span></a><span style="color: #1f497d; font-family: "Times New Roman","serif"; font-size: 12.0pt; mso-bidi-font-weight: bold; mso-themecolor: dark2;"> </span></div>
<div class="MsoNormal">
<span style="font-family: "Times New Roman","serif"; font-size: 12.0pt; mso-bidi-font-weight: bold;">Download<span style="color: #1f497d; mso-themecolor: dark2;">: </span></span><a href="http://www.tzworks.net/prototype_page.php?proto_id=14"><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt; mso-bidi-font-weight: bold;">http://www.tzworks.net/prototype_page.php?proto_id=14</span></a><span style="color: #1f497d; font-family: "Times New Roman","serif"; font-size: 12.0pt; mso-bidi-font-weight: bold; mso-themecolor: dark2;"> </span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;">Recycle-Bin</span></b><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt; mso-bidi-font-weight: bold;"> – parses the Recycle Bin and outputs information about it. </span></div>
<div class="MsoNormal">
<a href="http://redwolfcomputerforensics.com/downloads/Recycle_bin.zip"><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt; mso-bidi-font-weight: bold;">http://redwolfcomputerforensics.com/downloads/Recycle_bin.zip</span></a><span style="color: #1f497d; font-family: "Times New Roman","serif"; font-size: 12.0pt; mso-bidi-font-weight: bold; mso-themecolor: dark2;"> </span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;">Rifiuti</span></b><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt; mso-bidi-font-weight: bold;"> - A Recycle Bin Forensic Analysis Tool.</span></div>
<div class="MsoNormal">
<a href="http://www.mcafee.com/us/downloads/free-tools/rifiuti.aspx"><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt; mso-bidi-font-weight: bold;">http://www.mcafee.com/us/downloads/free-tools/rifiuti.aspx</span></a><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt; mso-bidi-font-weight: bold;"> </span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;">Forensic
Toolkit v2.0</span></b><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt; mso-bidi-font-weight: bold;"> – contains several Win32 Command line tools that
can help you examine the files on a NTFS disk partition for unauthorized
activity. </span></div>
<div class="MsoNormal">
<a href="http://www.mcafee.com/us/downloads/free-tools/forensic-toolkit.aspx"><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt; mso-bidi-font-weight: bold;">http://www.mcafee.com/us/downloads/free-tools/forensic-toolkit.aspx</span></a><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt; mso-bidi-font-weight: bold;"> </span></div>
</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<br /></div>Basement Techhttp://www.blogger.com/profile/05283073199414549321noreply@blogger.com4tag:blogger.com,1999:blog-7896091347668688704.post-31987589159680266182012-03-01T09:08:00.003-05:002012-04-13T00:33:46.058-04:00Free Security Awareness Training<div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-J7n7Gv5xVT8/T0-E4hc6DWI/AAAAAAAAALI/H5qYUWN44BE/s1600/11971497511117136851nlyl_reading_man_with_glasses.svg.med.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="200" src="http://3.bp.blogspot.com/-J7n7Gv5xVT8/T0-E4hc6DWI/AAAAAAAAALI/H5qYUWN44BE/s200/11971497511117136851nlyl_reading_man_with_glasses.svg.med.png" width="197" /></a></div><style type="text/css">
<!--
@page { margin: 0.79in }
P { margin-bottom: 0.08in }
A:link { so-language: zxx }
-->
</style> <br />
<div style="margin-bottom: 0in;">If you currently work for the Government as a DOD or Federal Employee, you may already be aware of the free security awareness training material available to you and your office, but did you know that as a contractor, civilian or corporation you too may be eligible to receive this free training and these resources? Below is a summary of the CD/DVDs available to order. You can order as many of the CD/DVDs as you want, but you cannot make copies of the material. I highly recommend them as a great addition to your security awareness and training material. DISA also offers a few online security awareness training courses; see the bottom of this post. </div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;"><span style="font-size: large;"><b>CD/DVD Subjects: </b></span> </div><div style="margin-bottom: 0in;"><br />
</div><div style="color: blue; margin-bottom: 0in;"><span style="font-size: large;"><b>IA Awareness Training </b></span></div><div style="margin-bottom: 0in;"><br />
</div><ul><li><div style="margin-bottom: 0in;">Portable Electronic Devices / Removable Storage Media </div></li>
<li><div style="margin-bottom: 0in;">Social Networking </div></li>
<li><div style="margin-bottom: 0in;">Using PKI </div></li>
<li><div style="margin-bottom: 0in;">Phishing Awareness </div></li>
<li><div style="margin-bottom: 0in;">Personally Identifiable Information (PII) </div></li>
<li><div style="margin-bottom: 0in;">Information Assurance Awareness Shorts </div></li>
<li><div style="margin-bottom: 0in;">Information Operations (IO) Fundamentals </div></li>
</ul><div style="margin-bottom: 0in;"><br />
</div><div style="color: blue; margin-bottom: 0in;"><span style="font-size: large;"><b>IA Training for Senior Leaders </b></span></div><div style="margin-bottom: 0in;"><br />
</div><ul><li><div style="font-weight: normal; margin-bottom: 0in;">Designated Accrediting Authority (DAA)</div></li>
<li><div style="margin-bottom: 0in;">IA Briefing for Senior Operational Leaders</div></li>
</ul><div style="margin-bottom: 0in;"><span style="font-size: large;"><br />
</span> </div><div style="margin-bottom: 0in;"><span style="font-size: large;"><b><span style="color: blue;">IA Training for IA Professionals</span> </b></span></div><div style="margin-bottom: 0in;"><br />
</div><ul><li><div style="margin-bottom: 0in;">Information Assurance Policy and Technology (IAP&T) </div></li>
<li><div style="margin-bottom: 0in;">Information Assurance for Professionals Shorts </div></li>
<li><div style="margin-bottom: 0in;">Introduction to IDS Analysis </div></li>
<li><div style="margin-bottom: 0in;">Computer Network Defense (CND )</div></li>
<li><div style="margin-bottom: 0in;">IA/CND Information Sharing </div></li>
<li><div style="font-weight: normal; margin-bottom: 0in;">Enhancing Information Assurance through Physical Security </div></li>
</ul><div style="color: blue; margin-bottom: 0in;"><span style="font-size: large;"><b>IA Technical Training </b></span></div><div style="margin-bottom: 0in;"><br />
</div><ul><li><div style="margin-bottom: 0in;">Windows Server 2003 Incident Preparation & Response (IP&R): Part 1 </div></li>
<li><div style="margin-bottom: 0in;">Windows Server 2003 Incident Preparation & Response (IP&R): Part II </div></li>
<li><div style="margin-bottom: 0in;">UNIX Security for System Administrators </div></li>
<li><div style="font-weight: normal; margin-bottom: 0in;">System Administrator Incident Preparation & Response for UNIX (SAIPR UNIX) </div></li>
</ul><div style="font-weight: normal; margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;"><span style="font-size: large;"><b><span style="color: blue;">Cyberlaw</span> </b></span></div><div style="margin-bottom: 0in;"><br />
</div><ul><li><div style="margin-bottom: 0in;">Cyber Law I </div></li>
<li><div style="margin-bottom: 0in;">Cyber Law 2 </div></li>
</ul><div style="margin-bottom: 0in;"><br />
</div><div style="color: blue; margin-bottom: 0in;"><span style="font-size: large;"><b>IA Simulations </b></span> </div><div style="margin-bottom: 0in;"><br />
</div><ul><li><div style="margin-bottom: 0in;">Cyber Protect </div></li>
</ul><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;"><a href="http://iase.disa.mil/eta/downloads/pdf/products_order_form.pdf" target="_blank">Order your <b><span style="color: red;">free</span></b> DISA training material</a></div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;"><span style="font-size: large;"><b>On-line Training</b></span></div><div style="margin-bottom: 0in;"><br />
</div><div style="color: black; margin-bottom: 0in;"><a href="http://iase.disa.mil/eta/using_pki/using_pki/launchpage.htm" target="_blank">Using Public Key Infrastructure</a></div><div style="color: black; margin-bottom: 0in;"><br />
</div><div style="color: black; margin-bottom: 0in;"><a href="http://iase.disa.mil/eta/sns_v1/sn/launchPage.htm" target="_blank">Social Networking</a></div><div style="color: black; margin-bottom: 0in;"><br />
</div><div style="color: black; margin-bottom: 0in;"><a href="http://iase.disa.mil/eta/phishing/Phishing/launchPage.htm" target="_blank">Phishing</a></div><div style="color: black; margin-bottom: 0in;"><br />
</div><div style="color: black; margin-bottom: 0in;"><a href="http://iase.disa.mil/eta/pedrm_v2/pedrm_v2/launchPage.htm">Portable Electronic Devices / Removable Storage Media</a></div><div style="color: black; margin-bottom: 0in;"><br />
</div><div style="color: black; margin-bottom: 0in;"><a href="http://iase.disa.mil/eta/pii/pii_module/pii_module/index.html">Personally Identifiable Information (PII)</a></div><div style="color: black; margin-bottom: 0in;"><br />
</div><div style="color: black; margin-bottom: 0in;"><b><a href="http://iase.disa.mil/eta/dns/basicconcepts/launchPage.htm" target="_blank"><span style="font-weight: normal;">Domain Name System (DNS) Basic Concepts Overview </span></a></b> </div>Basement Techhttp://www.blogger.com/profile/05283073199414549321noreply@blogger.com16tag:blogger.com,1999:blog-7896091347668688704.post-45442256550061854342012-02-29T03:01:00.005-05:002012-04-13T00:45:12.607-04:00Security Incident Response<style type="text/css">
<!--
@page { margin: 0.79in }
H2 { margin-top: 0.14in; margin-bottom: 0in; color: #4f81bd; page-break-inside: avoid }
H2.western { font-family: "Cambria", serif; font-size: 13pt }
H2.cjk { font-family: "DejaVu Sans"; font-size: 13pt }
H2.ctl { font-family: ; font-size: 13pt }
P { margin-bottom: 0.08in }
H1 { margin-top: 0.33in; margin-bottom: 0in; color: #365f91; page-break-inside: avoid }
H1.western { font-family: "Cambria", serif; font-size: 14pt }
H1.cjk { font-family: "DejaVu Sans"; font-size: 14pt }
H1.ctl { font-family: ; font-size: 14pt }
-->
</style> <br />
<h2 class="western">UNIX System </h2><h2 class="western">Purpose:</h2><div style="margin-bottom: 0in;">This document is to serve as a “guide” for SIRT personnel when encountering a possibly compromised Unix/Linux system and in no way serves as an absolute requirement to perform every task listed within. SIRT personnel shall apply best effort to acquire as much information as possible within a minimal amount of time in order to identify, contain and eradicate any security threat and minimize its effects on the organization. </div><h1 class="western">Identification Phase:</h1><div style="margin-bottom: 0in;"><b>Note</b>: Depending on the OS distribution, version and configuration, some items may be located in different areas or not be present on the host. </div><h2 class="western">Vital Data to Collect</h2>
<div style="margin-bottom: 0in; margin-left: 0.5in;">Run “<b>script {hostname}.txt</b>”</div>
<div style="margin-bottom: 0in; margin-left: 0.5in;">Run “<b>date >> systeminfo.txt</b>” </div>
<div style="margin-bottom: 0in; margin-left: 0.5in;">Run “<b>w >> systeminfo.txt</b>” </div>
<div style="margin-bottom: 0in; margin-left: 0.5in;">Run “<b>last >> systeminfo.txt</b>”</div>
<div style="margin-bottom: 0in; margin-left: 0.5in;">Run “<b>lastlog >> systeminfo.txt</b>”</div>
<div style="margin-bottom: 0in; margin-left: 0.5in;">Run “<b>uname -a >> systeminfo.txt</b>”</div>
<div style="margin-bottom: 0in; margin-left: 0.5in;">Run “<b>ls / -alRu > atime.txt</b>” </div>
<div style="margin-bottom: 0in; margin-left: 0.5in;">Run “<b>ls / -alRc > ctime.txt</b>” </div>
<div style="margin-bottom: 0in; margin-left: 0.5in;">Run “<b>ls / -alR > mtime.txt</b>” </div>
<div style="margin-bottom: 0in; margin-left: 0.5in;">Run “<b>ps -aux > process.txt</b>” (Solaris: “ps -eaf > process.txt”)</div>
<div style="margin-bottom: 0in; margin-left: 0.5in;">Run “<b>netstat -an > netstat.txt</b>”</div>
<div style="margin-bottom: 0in; margin-left: 0.5in;">Run “<b>netstat -anp > netstatp.txt</b>” (Solaris: “lsof -i > netstatp.txt”)</div>
<h2 class="western">Areas to look for compromise</h2><div style="margin-bottom: 0in;"><span style="font-size: x-small;">The section below lists areas you may want to examine for indications of compromise. The list is not all-inclusive, and depending on the host some of the items below may not be present, or may be in a different location than indicated.</span></div><div style="margin-bottom: 0in; margin-left: 0.5in;">Is a sniffer installed? Check whether the network card is in promiscuous mode</div><ul><ul><li><div style="margin-bottom: 0in;"><b>ifconfig -a</b> (root access)</div></li>
</ul></ul><div style="margin-bottom: 0in; margin-left: 0.5in;">System Logs (/var/adm or /var/log) </div><ul><ul><li><div style="margin-bottom: 0in;"><b>/var/log/httpd/access_log</b> check the web server access logs</div></li>
<li><div style="margin-bottom: 0in;"><b>syslog </b>look for anomalies in the file</div></li>
<li><div style="margin-bottom: 0in;"><b>xferlog </b>ftp transfer log</div></li>
<li><div style="margin-bottom: 0in;"><b>messages </b>look for anomalies in the file</div></li>
</ul></ul><div style="margin-bottom: 0in; margin-left: 1in;"><br />
</div><div style="margin-bottom: 0in; margin-left: 0.5in;">System Configuration</div><ul><ul><li><div style="margin-bottom: 0in;"><b>/etc/passwd</b> to look for unauthorized users accounts or privileges</div></li>
<li><div style="margin-bottom: 0in;"><b>/etc/shadow </b>to ensure every account requires password authentication (root access)</div></li>
<li><div style="margin-bottom: 0in;"><b>/etc/group </b>to look for escalation in privileges and scope of access</div></li>
<li><div style="margin-bottom: 0in;"><b>/etc/hosts</b> to list the local DNS entries</div></li>
<li><div style="margin-bottom: 0in;"><b>/etc/hosts.allow </b>and <b>/etc/hosts.deny</b> to check TCP Wrapper rules</div></li>
<li><div style="margin-bottom: 0in;"><b>/etc/crontab</b></div></li>
<li><div style="margin-bottom: 0in;"><b>/etc/inetd.conf</b> and <b>xinetd.conf</b> to list the services initiated by the config files</div></li>
</ul></ul><h2 class="western">Final Steps</h2><div style="margin-bottom: 0in; margin-left: 0.5in;">Stop the “script” command with control-D </div><div style="margin-bottom: 0in; margin-left: 0.5in;">Run “md5sum * > md5sum.txt” on all files collected</div><div style="margin-bottom: 0in; margin-left: 0.5in;"><br />
</div><div style="margin-bottom: 0in; margin-left: 0.5in;"><style type="text/css">
<!--
@page { margin: 0.79in }
H1 { margin-top: 0.33in; margin-bottom: 0in; color: #365f91; page-break-inside: avoid }
H1.western { font-family: "Cambria", serif; font-size: 14pt }
H1.cjk { font-family: "DejaVu Sans"; font-size: 14pt }
H1.ctl { font-family: ; font-size: 14pt }
P { margin-bottom: 0.08in }
-->
</style> </div><h1 class="western" style="page-break-before: always;">Explanation of the collection of data.</h1><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;">When performing an analysis of a live Unix system for signs of compromise, all efforts should be made to collect as much vital data as is feasible. Vital (volatile) data is data that would be lost if the system were powered off, i.e. the processes currently running on the system, network connections, who is currently logged on to the system, etc.</div>
<div style="margin-bottom: 0in;">Command: <b>script {hostname}.txt</b></div><div style="margin-bottom: 0in; margin-left: 0.5in;">Records the active terminal session activity to a file named after the host. It can later be printed with the lpr command. To exit from the script command press control-D, or exit or log out from the terminal shell. </div>
<div style="margin-bottom: 0in;">Command: <b>date</b> <b>>> systeminfo.txt</b></div><div style="margin-bottom: 0in; margin-left: 0.5in;">Documenting the date and time of the system is critical. It gives the Incident Responder a time reference against which to gauge and compare activity discovered on the system. </div>
<div style="margin-bottom: 0in;">Command <b>w >> systeminfo.txt</b></div><div style="margin-bottom: 0in; margin-left: 0.5in;">Identifies who is currently logged on to the system by displaying the user IDs of the logged-on users, what system they logged on from and what they are currently executing on the system.</div>
<div style="margin-bottom: 0in;">Command <b>last >> systeminfo.txt</b></div><div style="margin-bottom: 0in; margin-left: 0.5in;">Searches back through the binary file <i>/var/log/wtmp</i> and saves to systeminfo.txt a list of all users logged in (and out) of the host since the file was created. </div>
<div style="margin-bottom: 0in;">Command <b>lastlog >> systeminfo.txt</b></div><div style="margin-bottom: 0in; margin-left: 0.5in;">Formats and prints the content of the binary last-login log /var/log/lastlog to the systeminfo.txt file. 
</div><div style="margin-bottom: 0in;">Command <b>uname -a >> systeminfo.txt</b></div><div style="margin-bottom: 0in; margin-left: 0.5in;">Saves system information, i.e. kernel name, kernel version, operating system, version etc., to the systeminfo.txt file. </div>
<div style="margin-bottom: 0in;">Command <b>ls / -altRu > atime.txt</b></div><div style="line-height: 100%; margin-bottom: 0in; margin-left: 0.5in; orphans: 2; widows: 2;"><span style="color: black;">Lists the “access times” of the files in the “/” (root) directory and below. Saves the results to the “atime.txt” file.</span></div><div style="line-height: 100%; margin-bottom: 0in; orphans: 2; widows: 2;"><br />
</div><div style="margin-bottom: 0in;">Command <b>ls / -altRc > ctime.txt</b></div><div style="line-height: 100%; margin-bottom: 0in; margin-left: 0.5in; orphans: 2; widows: 2;"><span style="color: black;">Lists the “change times” of the files in the “/” (root) directory and below. Saves the results to the “ctime.txt” file.</span></div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;">Command <b>ls / -altR > mtime.txt</b></div><div style="line-height: 100%; margin-bottom: 0in; margin-left: 0.5in; orphans: 2; widows: 2;"><span style="color: black;">Lists the “modification times” of the files in the “/” directory and below. Saves the results to the “mtime.txt” file.</span></div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;">Command <b>netstat -an > netstat.txt</b></div><div style="margin-bottom: 0in; text-indent: 0.5in;">Enumerates the open ports on the system and writes the results to the netstat.txt file</div><div style="margin-bottom: 0in;">Command <b>netstat -anp > netstatp.txt</b></div><div style="margin-bottom: 0in; margin-left: 0.5in;">Enumerates the open ports of the system and maps the name of the application and its process ID (PID) to each open port. </div><div style="line-height: 100%; margin-bottom: 0in; orphans: 2; widows: 2;"><br />
</div><div style="margin-bottom: 0in; margin-left: 0.5in;"><br />
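The collection and hashing steps above (the command list and its explanation), automated as a POSIX shell script. This is an added example, not the post's own script: the `run_to` helper, the function names and the `OUTDIR`/`ROOT` parameters are this example's, and `ps aux` stands in for the guide's `ps -aux` to avoid the procps syntax warning.

```shell
#!/bin/sh
# Added example (not the post's own script): automates the steps under
# "Vital Data to Collect" and "Final Steps": date, w, last, lastlog, uname -a,
# the three ls MAC-time walks, ps, netstat, then md5sum over everything.
# OUTDIR and ROOT are parameters introduced here (the guide hard-codes "/")
# so the directory walk can be pointed at a small test tree.
# Start "script {hostname}.txt" by hand first: script spawns its own shell,
# so it is deliberately not invoked from here.

# run_to LOGFILE CMD [ARGS...]
# Append a timestamped header and CMD's output to LOGFILE. A missing tool or
# a failing command is recorded instead of aborting: partial evidence beats
# none, and minimal or non-Linux hosts often lack w, last, lastlog or netstat.
run_to() {
    _log=$1; shift
    printf '\n==== %s (%s) ====\n' "$*" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$_log"
    if command -v "$1" >/dev/null 2>&1; then
        "$@" >> "$_log" 2>&1 || printf '[exit status %s]\n' "$?" >> "$_log"
    else
        printf '[%s not available on this host]\n' "$1" >> "$_log"
    fi
}

# collect_volatile OUTDIR [ROOT]
# OUTDIR should be on external or remote media, not the suspect disk, so the
# collection itself does not overwrite unallocated space the examiner may need.
collect_volatile() {
    _outdir=$1; _root=${2:-/}
    mkdir -p "$_outdir" || return 1
    _info="$_outdir/systeminfo.txt"
    : > "$_info"
    run_to "$_info" date        # time reference for everything that follows
    run_to "$_info" w           # who is logged on now, from where, doing what
    run_to "$_info" last        # login history from /var/log/wtmp
    run_to "$_info" lastlog     # last login per account
    run_to "$_info" uname -a    # kernel and OS identification
    # MAC-time listings: -u shows access time, -c status-change time, the
    # default is modification time. Unreadable directories are tolerated.
    ls -alRu "$_root" > "$_outdir/atime.txt" 2>/dev/null || :
    ls -alRc "$_root" > "$_outdir/ctime.txt" 2>/dev/null || :
    ls -alR  "$_root" > "$_outdir/mtime.txt" 2>/dev/null || :
    run_to "$_outdir/process.txt"  ps aux        # guide: ps -aux; Solaris: ps -eaf
    run_to "$_outdir/netstat.txt"  netstat -an
    run_to "$_outdir/netstatp.txt" netstat -anp  # Solaris: lsof -i
    run_to "$_outdir/ifconfig.txt" ifconfig -a   # PROMISC flag = possible sniffer
}

# promisc_count OUTDIR: number of interface lines flagged PROMISC (0 = none seen)
promisc_count() {
    grep -c PROMISC "$1/ifconfig.txt" 2>/dev/null || :
}

# hash_evidence OUTDIR: the guide's closing "md5sum * > md5sum.txt", but with
# the manifest itself excluded so that the manifest can be re-verified later.
hash_evidence() {
    command -v md5sum >/dev/null 2>&1 || return 1
    (
        cd "$1" || exit 1
        for f in *; do
            if [ -f "$f" ] && [ "$f" != md5sum.txt ]; then md5sum "$f"; fi
        done > md5sum.txt
    )
}

# verify_evidence OUTDIR: succeeds only if every collected file still matches.
verify_evidence() {
    ( cd "$1" && md5sum -c md5sum.txt >/dev/null 2>&1 )
}

# Usage on a live host:  sh collect.sh --run /mnt/usb/evidence-hostname
if [ "${1:-}" = "--run" ]; then
    collect_volatile "$2" "${3:-/}" && hash_evidence "$2"
fi
```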
</div>Basement Techhttp://www.blogger.com/profile/05283073199414549321noreply@blogger.com0tag:blogger.com,1999:blog-7896091347668688704.post-17978541345752173562012-02-27T23:52:00.004-05:002012-04-13T00:46:58.178-04:00Password Management<style type="text/css">
<!--
@page { margin: 0.79in }
P { margin-bottom: 0.08in }
A:link { so-language: zxx }
-->
</style><br />
<div style="margin-bottom: 0in;"><h2><a href="http://2.bp.blogspot.com/-RTJD0t8MNR4/T0xh5BiPUBI/AAAAAAAAALA/xKmwi9D-2QY/s1600/numberone.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="200" src="http://2.bp.blogspot.com/-RTJD0t8MNR4/T0xh5BiPUBI/AAAAAAAAALA/xKmwi9D-2QY/s200/numberone.png" width="85" /></a><span style="color: blue;">One Password to Rule Them ALL!!!! </span></h2>If a website that you use is compromised by an attacker and they get access to your login information for that website, will they be able to access other websites with that information?</div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;">One of the best security practices that anyone can follow, besides creating a secure password, is not using that same secure password on multiple websites. This greatly reduces the damage an attacker can do to you after compromising a website that contains your information. If you are using secure passwords, it may become a challenge to manage multiple passwords for multiple resources. This is where a password management application can be very helpful. </div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;">Password management applications are applications designed to securely store your passwords for multiple resources. The password management application is usually protected by a master password that gives you access to view all the other passwords stored within the application – <b><span style="color: blue;">One Password to Rule Them All!!!</span></b></div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;">Password management applications may be installable on your desktop or mobile device, or accessible via the web. Many password management applications use some form of encryption to store the passwords securely in a database, can generate passwords for you, integrate with your local web browser and can be synced between multiple installations. There are many of these password management applications to choose from, but there is nothing like the ones below that are <span style="color: red;">FREE</span>. :)</div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;"><i>The following applications are listed in no particular order of preference.</i></div><div style="color: blue; margin-bottom: 0in;"><span style="font-size: large;"><br />
</span> </div><div style="color: blue; margin-bottom: 0in;"><span style="font-size: large;"><b>Lastpass</b></span></div><div style="margin-bottom: 0in;"><a href="https://lastpass.com/">https://lastpass.com/</a></div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;">Probably the application with the widest OS support on the market, Lastpass is available for Windows, Mac OS, iPhone/iPad, Linux, WebOS, Android, Symbian and BlackBerry OS systems. Lastpass also includes browser integration with all major web browsers (IE, Firefox, Safari, Chrome and Opera) and is accessible from the web, so you will never be without access to your passwords when you need them. Some of the major features of Lastpass consist of:</div><ul><li><div style="margin-bottom: 0in;">Synchronization between the multiple browsers and computers on which you have installed Lastpass, so if you make a change on one system all other installations will be updated with the latest information. </div></li>
<li><div style="margin-bottom: 0in;">Ability to generate strong random passwords</div></li>
<li><div style="margin-bottom: 0in;">Ability to share login information securely with others</div></li>
<li><div style="margin-bottom: 0in;">Export your data </div></li>
<li><div style="margin-bottom: 0in;">Import data from other applications</div></li>
<li><div style="margin-bottom: 0in;">Accessible from the Internet</div></li>
<li><div style="margin-bottom: 0in;">Backup and Restore features</div></li>
</ul><div style="margin-bottom: 0in;">Cons – Some installations of Lastpass (non-desktop installations) require you to subscribe to the premium version of Lastpass, but for some that is a small price to pay to have your passwords synced across multiple devices. </div><div style="margin-bottom: 0in;"><br />
</div><div style="color: blue; margin-bottom: 0in;"><span style="font-size: large;"><b>KeePass</b></span></div><div style="margin-bottom: 0in;"><a href="http://keepass.info/">http://keepass.info/</a></div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;">As an open source application that is supported by the Internet community, KeePass is totally 100% free: all features and installation versions are free. KeePass supports Windows, Mac OS, Linux, iPhone/iPad, Android, J2ME mobile phones and PalmOS. KeePass also supports some unique installation options such as <a href="http://portableapps.com/" target="_blank">PortableApps Suite</a>, <a href="http://www.u3applications.com/" target="_blank">U3 Devices</a>, <a href="http://nu2.nu/pebuilder/" target="_blank">Preinstalled Environments (PE)</a>, <a href="http://partedmagic.com/" target="_blank">Parted Magic</a> and <a href="http://spoon.net/" target="_blank">Spoon</a>. </div><div style="margin-bottom: 0in;">Some of the major features of KeePass consist of:</div><ul><li><div style="margin-bottom: 0in;">Portable and No Installation Required - Accessibility</div></li>
<li><div style="margin-bottom: 0in;">Multi-Language Support</div></li>
<li><div style="margin-bottom: 0in;">Strong Random Password Generator</div></li>
<li><div style="margin-bottom: 0in;">Export your data</div></li>
<li><div style="margin-bottom: 0in;">Import your data from multiple formats</div></li>
<li><div style="margin-bottom: 0in;">Open Source – source code available for you to compile yourself</div></li>
</ul><div style="margin-bottom: 0in;">Cons – Does not sync passwords across multiple installations, but you may be able to use a file sync service like Dropbox to sync the database file. You have to manually back up the database file.</div><div style="margin-bottom: 0in;"><br />
</div><div style="color: blue; margin-bottom: 0in;"><span style="font-size: large;"><b>Password Safe</b></span></div><div style="margin-bottom: 0in;"><a href="http://passwordsafe.sourceforge.net/">http://passwordsafe.sourceforge.net/</a></div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;">As another open source application that is supported by the Internet community, Password Safe is also free for desktop use and also supports Disk-on-Key and U3 versions. Currently it only officially supports Windows but has a Linux beta. Some of the major features of Password Safe consist of:</div><ul><li><div style="margin-bottom: 0in;">Multi-Language Support</div></li>
<li><div style="margin-bottom: 0in;">Export your data</div></li>
</ul><div style="margin-bottom: 0in;">Cons – The Disk-on-Key and U3 versions are not free, but all purchases include free upgrades for one year from the date of purchase. Does not support Mac OS. </div>Basement Techhttp://www.blogger.com/profile/05283073199414549321noreply@blogger.com1tag:blogger.com,1999:blog-7896091347668688704.post-2501251033105656532012-02-12T22:04:00.002-05:002017-04-17T10:12:12.366-04:00Password Strength<div style="margin-bottom: 0in;">
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-tfd-J7CHT4c/TziAqdhblwI/AAAAAAAAAK0/Px53oEkiW7I/s1600/password_computer.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="199" src="https://4.bp.blogspot.com/-tfd-J7CHT4c/TziAqdhblwI/AAAAAAAAAK0/Px53oEkiW7I/s200/password_computer.png" width="200" /></a></div>
<b><span style="color: blue;">How secure is your password from being compromised?</span></b><br />
<br />
The average user will create a password using one of the following: </div>
<ul>
<li><div style="margin-bottom: 0in;">
Name of a family member</div>
</li>
<li><div style="margin-bottom: 0in;">
A pet’s name</div>
</li>
<li><div style="margin-bottom: 0in;">
Favorite sports team</div>
</li>
<li><div style="margin-bottom: 0in;">
Your or a family member's birthday </div>
</li>
</ul>
<div style="margin-bottom: 0in; margin-left: 0.5in;">
<br /></div>
<div style="margin-bottom: 0in;">
They may also try to make that password “more” secure by substituting vowels with numbers, adding numbers at the end, or a combination of the two. Attackers can use a process known as a dictionary attack to try to guess your password. There are publicly available dictionary files on the Internet that consist of thousands of entries such as commonly used passwords, names, and word combinations that attackers can use to reveal your password if it happens to be one of the entries in the dictionary file. Depending on where your password is used, i.e. a password-protected file or a site/system that does not lock the account after the password is entered incorrectly too many times, attackers can use what is known as a brute-force attack, which essentially tries every combination of characters for each position, at a cost in time that depends on the length of the password. So if your password were one character long, a brute-force attack would need to try at most 62 characters to guess your password. </div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
Character set [A-Z, a-z, 0-9]:</div>
<ul>
<li><div style="margin-bottom: 0in;">Upper case letters: 26</div></li>
<li><div style="margin-bottom: 0in;">Lower case letters: 26</div></li>
<li><div style="margin-bottom: 0in;">Numbers: 10</div></li>
<li><div style="margin-bottom: 0in;">Total characters: 62</div></li>
</ul>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
For a system that is able to process 500,000 passwords per second, it would take that system up to a minute to guess your password using a brute-force attack. The time required for a brute-force attack grows exponentially with the length of the password. For that same system, the following is the amount of time it will take to brute force passwords of the following lengths: </div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
</div>
<div style="margin-bottom: 0in;">
4 character password – Brute Force Attack will take up to <b style="color: red;">a minute</b></div>
<div style="margin-bottom: 0in;">
5 character password – Brute Force Attack will take up to <b style="color: red;">31 minutes</b></div>
<div style="margin-bottom: 0in;">
6 character password – Brute Force Attack will take up to <b style="color: red;">32 hours</b></div>
<div style="margin-bottom: 0in;">
7 character password – Brute Force Attack will take up to <b style="color: red;">82 days</b></div>
<div style="margin-bottom: 0in;">
12 character password – Brute Force Attack will take up to <b style="color: red;">207450281 years</b></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
Brute force times were calculated using the password calculator from LastBit: <a href="http://lastbit.com/pswcalc.asp">http://lastbit.com/pswcalc.asp</a></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<b>Note</b>: Adding a special character to your password, such as !@#$%^&*()_+?, will also increase the time of a brute-force attack. For example:</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
A 5 character password will now take up to <b>74 minutes</b> instead of <b>31 minutes</b> without special characters. </div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="color: blue; margin-bottom: 0in;">
<b>Picking a secure password</b></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
So the best way to make sure your password will not be compromised is by selecting a secure password using the following guidelines:</div>
<div style="margin-bottom: 0in;">
<br /></div>
<ul style="color: blue;">
<li><div style="margin-bottom: 0in;">
Select a strong 6 or 7 character password, then double it (type it twice). You now have a 12 or 14 character password but only really have to remember 6 or 7 characters. </div>
</li>
<li><div style="margin-bottom: 0in;">
If the system allows it, always include a special character, i.e. !@#$%&amp;. It is normally best to start your password with the special character because it can throw off password crackers before they even start to guess your password. </div>
</li>
<li><div style="margin-bottom: 0in;">
Don't use any of the following for your password; you want your password to be as random as possible so that it can't be easily guessed just by knowing information about you:</div>
<ul>
<li><div style="margin-bottom: 0in;">
Name of a family member</div>
</li>
<li><div style="margin-bottom: 0in;">
A pet’s name</div>
</li>
<li><div style="margin-bottom: 0in;">
Favorite sports team</div>
</li>
<li><div style="margin-bottom: 0in;">
Your or a family member's birthday </div>
</li>
</ul>
</li>
<li><div style="margin-bottom: 0in;">
Try to avoid using the same password for multiple sites and systems.</div>
</li>
</ul>
<div style="margin-bottom: 0in; margin-left: 0.5in;">
<br /></div>
<div style="margin-bottom: 0in;">
By following the above guidelines, you will greatly increase the strength of your password. </div>
<div style="margin-bottom: 0in;">
<br /></div>
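<div style="margin-bottom: 0in;">
The brute-force times in the table above, and the 6-then-12 character comparison behind the "double it" guideline, can be reproduced with a short search-space calculator. The following Python script is an added example; it is not the post's own tool and not the LastBit or GRC calculators the post links to. It uses the post's attacker model (500,000 guesses per second against a 62-symbol alphabet of A-Z, a-z and 0-9). Two details are my inferences from the post's figures rather than anything it states: a special-character class of 12 symbols (62 + 12 = 74 symbols reproduces the 74-minute figure) and a 360-day year (which reproduces the 207450281-year figure).</div>

```python
"""Brute-force search-space estimator (added example; not the post's tool,
nor the LastBit or GRC calculators it links to).

Attacker model from the post: 500,000 guesses per second against a
62-symbol alphabet (A-Z, a-z, 0-9). SPECIAL_COUNT and the 360-day year are
assumptions chosen to reproduce the post's figures, not values it states.
"""
import math
import string

UPPER, LOWER, DIGITS = 26, 26, 10     # A-Z, a-z, 0-9, as tallied in the post
SPECIAL_COUNT = 12                    # assumed: 62 + 12 = 74 symbols gives the post's 74 minutes
GUESSES_PER_SECOND = 500_000          # the post's attacker speed
YEAR = 360 * 86400                    # assumed: a 360-day year reproduces 207450281 years

UNITS = (("years", YEAR), ("days", 86400), ("hours", 3600), ("minutes", 60))


def alphabet_size(password: str) -> int:
    """Size of the symbol set a password is assumed to be drawn from.

    Each character class the password uses contributes its whole class,
    the usual 'search space' convention behind calculators like GRC's.
    """
    size = 0
    if any(c in string.ascii_uppercase for c in password):
        size += UPPER
    if any(c in string.ascii_lowercase for c in password):
        size += LOWER
    if any(c in string.digits for c in password):
        size += DIGITS
    if any(c not in string.ascii_letters + string.digits for c in password):
        size += SPECIAL_COUNT
    return size


def search_space(symbols: int, length: int) -> int:
    """Candidates an exhaustive search may have to try: symbols ** length."""
    return symbols ** length


def worst_case_seconds(symbols: int, length: int,
                       rate: int = GUESSES_PER_SECOND) -> float:
    """Time to exhaust the whole space at the given guess rate (worst case)."""
    return search_space(symbols, length) / rate


def human_duration(seconds: float) -> str:
    """Phrase a duration the way the post's table does ('up to N units').

    Anything under a minute is 'up to a minute'; otherwise the largest unit
    the value fills at least twice is used and the count is rounded up.
    """
    if seconds < 60:
        return "up to a minute"
    for name, size in UNITS:
        if seconds >= 2 * size:
            return f"up to {math.ceil(seconds / size)} {name}"
    return f"up to {math.ceil(seconds / 60)} minutes"


def estimate(password: str) -> str:
    """Worst-case brute-force time for a concrete password (length + classes used)."""
    return human_duration(worst_case_seconds(alphabet_size(password), len(password)))


if __name__ == "__main__":
    for length in (4, 5, 6, 7, 12):
        print(f"{length:2d} characters, 62 symbols: {human_duration(worst_case_seconds(62, length))}")
    print(f" 5 characters, with specials: {human_duration(worst_case_seconds(62 + SPECIAL_COUNT, 5))}")
    # The post's 'double it' guideline applied to a constructed 6-character password.
    for pw in ("Ab3xyz", "Ab3xyzAb3xyz"):
        print(f"{pw!r:16}: {estimate(pw)}")
```

<div style="margin-bottom: 0in;">
Run as-is, the script prints the post's table followed by the doubled-password comparison (a constructed 6 character password at 32 hours versus its 12 character doubling at 207450281 years). The figures are worst-case: they assume the attacker must search the whole space, so they measure length and alphabet, not how guessable the password is. A password taken from the "don't use" list above is found in a dictionary file long before the 62^n space matters, and the doubled password keeps its full figure only while the attacker has no reason to expect a repeated pattern.</div>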
<div style="margin-bottom: 0in;">
Test your password strength using the Microsoft password strength page that can be found at the URL below, or determine how long it would take someone to attack your password using brute force via the GRC Interactive Brute-force Password Search Space Calculator. Double your password and see how greatly it increases the security of your password. </div>
<div style="margin-bottom: 0in;">
<b><br /></b>
<b>comparitech - Test my password strength page</b><br />
<a href="https://www.comparitech.com/privacy-security-tools/password-strength-test/">https://www.comparitech.com/privacy-security-tools/password-strength-test/</a></div>
<div style="margin-bottom: 0in;">
<b><br /></b>
<b>Password Meter</b><br />
<b><a href="http://www.passwordmeter.com/">http://www.passwordmeter.com/</a></b></div>
<div style="margin-bottom: 0in;">
</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<b>GRC's Interactive Brute Force Password “Search Space” Calculator</b></div>
<div style="margin-bottom: 0in;">
<span style="color: navy;"><span lang="zxx"><u><a href="https://www.grc.com/haystack.htm">https://www.grc.com/haystack.htm</a></u></span></span></div>
<div style="margin-bottom: 0in;">
<br /></div>
Basement Techhttp://www.blogger.com/profile/05283073199414549321noreply@blogger.com7tag:blogger.com,1999:blog-7896091347668688704.post-64537689363031979392012-02-06T23:04:00.001-05:002013-04-28T23:33:40.425-04:00pfSense Log Analysis with Splunk<br />
<div style="margin-bottom: 0in;">
<h2>
<span style="color: blue;">Customizing Splunk to parse pfSense logs</span></h2>
For those Basement PC Techs (BPCT) out there who want to send their pfSense traffic to Splunk, or have tried and realized that Splunk doesn't automatically parse the logs as it should, I have good news for you: I have created the necessary configuration that allows Splunk not only to parse your data but to parse it the way you want to see your firewall traffic in Splunk, by the following fields:</div>
<ul>
<li><div style="margin-bottom: 0in;">Source IP</div></li>
<li><div style="margin-bottom: 0in;">Source Port</div></li>
<li><div style="margin-bottom: 0in;">Destination IP</div></li>
<li><div style="margin-bottom: 0in;">Destination Port</div></li>
<li><div style="margin-bottom: 0in;">Protocol</div></li>
<li><div style="margin-bottom: 0in;">Action (Pass or Block)</div></li>
</ul>
<br />
<div style="margin-bottom: 0in;">
The pfSense log for each firewall event is split into two lines when it is sent to Splunk, and Splunk doesn't automatically recognize the two lines as one event. By editing two configuration files you can configure Splunk to treat the two-line pfSense event as one so it can be parsed correctly. The two files that we will create/edit are<span style="color: red;"> props.conf</span> and<span style="color: red;"> transforms.conf</span>. Each file will need to be created (or edited if one already exists) in the following location: </div>
<div style="margin-bottom: 0in;">
<br /></div>
<pre class="western" style="color: red; margin-bottom: 0.2in;">$SPLUNK_HOME/etc/system/local/</pre>
<div style="color: #073763; margin-bottom: 0in;">
<span style="font-size: medium;"><u><b>props.conf</b></u></span></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
The props.conf file is where we configure Splunk to recognize the multi-line events sent from pfSense as one event. If you want more detail on the purpose of the props.conf file, please see the Splunk website: <a href="http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf">http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf</a></div>
<div style="margin-bottom: 0in;">
<br /></div>
<ol>
<li><div style="margin-bottom: 0in;">
Create / Edit a props.conf file in $SPLUNK_HOME/etc/system/local/</div>
</li>
</ol>
<div style="margin-bottom: 0in;">
</div>
<ol start="2">
<li><div style="margin-bottom: 0in;">
Cut and paste the following into the props.conf file: </div>
</li>
</ol>
<div style="margin-bottom: 0in;">
<br /></div>
<pre class="western" style="color: #cc0000; margin-bottom: 0.2in;">[syslog]
SHOULD_LINEMERGE = true
TRUNCATE = 0
MUST_NOT_BREAK_AFTER = pf: .* rule ([-\d]+\/\d+)\(.*?\):
MUST_BREAK_AFTER = pf: .* (&lt;|&gt;) +(\d+\.\d+\.\d+\.\d+)\.?(\d*)\:
REPORT-pf2 = pf2</pre>
<div style="margin-bottom: 0in;">
<br /></div>
<ol start="3">
<li><div style="margin-bottom: 0in;">
Save the file</div>
</li>
</ol>
<br />
<div style="color: #073763; margin-bottom: 0in;">
<span style="font-size: medium;"><u><b>transforms.conf</b></u></span></div>
<div style="color: #073763; margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
</div>
<div style="margin-bottom: 0in;">
The transforms.conf file is where we configure Splunk to parse the received pfSense events into the fields we want to see. If you want more detail on what can be done with the transforms.conf file, please visit the Splunk website: <a href="http://docs.splunk.com/Documentation/Splunk/latest/Admin/Transformsconf">http://docs.splunk.com/Documentation/Splunk/latest/Admin/Transformsconf</a> </div>
<div style="margin-bottom: 0in;">
<br /></div>
<br />
<ol>
<li><div style="margin-bottom: 0in;">
Create / Edit a transforms.conf file in $SPLUNK_HOME/etc/system/local/</div>
</li>
</ol>
<div style="margin-bottom: 0in;">
</div>
<ol start="2">
<li><div style="margin-bottom: 0in;">
Cut and Paste the following into the transforms.conf file:</div>
</li>
</ol>
<div style="margin-bottom: 0in;">
<br /></div>
<pre class="western" style="color: #cc0000; margin-bottom: 0.2in;">[pf2]
REGEX = .* (?&lt;action&gt;pass|block) .* (?&lt;protocol&gt;TCP|UDP|IGMP|ICMP) .* (?&lt;src_ip&gt;(\d+\.\d+\.\d+\.\d+))\.?(?&lt;src_port&gt;(\d*)) [&lt;|&gt;] (?&lt;dest_ip&gt;(\d+\.\d+\.\d+\.\d+))\.?(?&lt;dest_port&gt;(\d*)): (.*)</pre>
<div style="margin-bottom: 0in;">
<br /></div>
<ol start="3">
<li><div style="margin-bottom: 0in;">
Save the file</div>
</li>
</ol>
<div style="margin-bottom: 0in;">
</div>
<ol start="4">
<li><div style="margin-bottom: 0in;">
Restart Splunk in order for the new changes to take effect.</div>
</li>
</ol>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<b><span style="color: red;">Note</span></b>: Although the above "REGEX" statement may show on multiple lines, it is actually all on one line. Ensure word wrap is off when you paste the text into your transforms.conf file, or <span style="color: blue;">download the transforms.conf from</span> <a href="http://www.basementpctech.com/content/download-transformsconf"><b><span style="color: blue;">here</span></b></a>.</div>
<div style="margin-bottom: 0in;">
<br /></div>
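<div style="margin-bottom: 0in;">
To see what the two files do before restarting Splunk, the merge rules from props.conf and the field regex from transforms.conf can be exercised outside Splunk. The following Python script is an added example, not code from the post or from Splunk; it emulates the line merge and the field extraction on three constructed two-line pf events in the tcpdump-style format pfSense sent to syslog at the time (a rule line followed by an address line), using private and documentation addresses. The only changes to the post's regexes are the named-group syntax (Python spells it (?P&lt;name&gt;...)) and re.DOTALL so that ".*" can cross the line break the merge introduces.</div>

```python
"""Emulate the post's props.conf line merge and transforms.conf field extraction.

Added example: not part of the post and not Splunk code. The sample events
are constructed in the two-line format pfSense sent to syslog (rule line,
then address line); the addresses are private/documentation ranges.
"""
import re

# props.conf patterns (MUST_NOT_BREAK_AFTER / MUST_BREAK_AFTER), unchanged
RULE_LINE = re.compile(r"pf: .* rule ([-\d]+/\d+)\(.*?\):")
ADDR_LINE = re.compile(r"pf: .* (<|>) +(\d+\.\d+\.\d+\.\d+)\.?(\d*):")

# transforms.conf [pf2] REGEX: PCRE (?<name>...) -> Python (?P<name>...),
# and re.DOTALL so the ".*" runs can span the newline joining the two lines.
PF_FIELDS = re.compile(
    r".* (?P<action>pass|block) .* (?P<protocol>TCP|UDP|IGMP|ICMP) .* "
    r"(?P<src_ip>\d+\.\d+\.\d+\.\d+)\.?(?P<src_port>\d*) [<|>] "
    r"(?P<dest_ip>\d+\.\d+\.\d+\.\d+)\.?(?P<dest_port>\d*): (.*)",
    re.DOTALL,
)

# Constructed sample: what syslog hands Splunk before any line merging.
SAMPLE_LINES = [
    "Feb  6 22:04:01 pf: 00:00:00.000000 rule 1/0(match): block in on em0: "
    "(tos 0x0, ttl 128, id 4321, offset 0, flags [none], proto UDP (17), length 78)",
    "Feb  6 22:04:01 pf:     192.168.1.100.137 > 192.168.1.255.137: "
    "NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST",
    "Feb  6 22:04:02 pf: 00:00:00.000512 rule 5/0(match): pass in on em1: "
    "(tos 0x0, ttl 64, id 1000, offset 0, flags [DF], proto TCP (6), length 60)",
    "Feb  6 22:04:02 pf:     192.168.1.50.51234 > 198.51.100.7.443: "
    "Flags [S], seq 1, win 65535, length 0",
    "Feb  6 22:04:03 pf: 00:00:00.000100 rule 1/0(match): block in on em0: "
    "(tos 0x0, ttl 54, id 7, offset 0, flags [none], proto ICMP (1), length 84)",
    "Feb  6 22:04:03 pf:     203.0.113.9 > 192.168.1.1: "
    "ICMP echo request, id 1, seq 1, length 64",
]


def merge_events(lines):
    """Apply the props.conf rules: never break after a 'rule' line, always
    break after an address line, so each pf event becomes one string."""
    events, pending = [], []
    for line in lines:
        pending.append(line)
        if RULE_LINE.search(line) and not ADDR_LINE.search(line):
            continue                      # keep accumulating: the address line follows
        events.append("\n".join(pending))
        pending = []
    if pending:                           # a trailing rule line with no address line
        events.append("\n".join(pending))
    return events


def extract_fields(event):
    """Run the [pf2] REGEX over one merged event; None when it does not apply."""
    match = PF_FIELDS.match(event)
    return match.groupdict() if match else None


def parse_pf_events(lines):
    """Merged events -> list of the six named fields the post extracts."""
    return [fields for fields in map(extract_fields, merge_events(lines)) if fields]


if __name__ == "__main__":
    for fields in parse_pf_events(SAMPLE_LINES):
        print(f"{fields['action']:5} {fields['protocol']:4} "
              f"{fields['src_ip']}:{fields['src_port'] or '-'} -> "
              f"{fields['dest_ip']}:{fields['dest_port'] or '-'}")
```

<div style="margin-bottom: 0in;">
Run as-is, the script prints one line per event with the action, protocol, source and destination. Calling extract_fields on an unmerged address line returns None, because the action and protocol live on the rule line: that is exactly why SHOULD_LINEMERGE and the two break rules are needed. One caveat for dashboards: src_port and dest_port are empty strings for ICMP events, so searches should not assume a numeric port.</div>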
Basement Techhttp://www.blogger.com/profile/05283073199414549321noreply@blogger.com10tag:blogger.com,1999:blog-7896091347668688704.post-3643865816273772122012-02-05T02:15:00.001-05:002012-11-30T13:07:49.616-05:00How to configure pfSense
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<h2>
<span style="color: blue;">The "webConfigurator" - pfSense basic setup part 2</span> </h2>
<b>Note: </b>The following is a continuation of the <a href="http://blog.basementpctech.com/2012/02/having-personal-firewall-makes-sense.html" target="_blank">How to Install pfSense posting. </a><br />
<br />
1. Using your favorite browser, connect to your newly installed pfSense firewall via the LAN interface IP address. Type the IP address of the LAN interface in your browser and you should be presented with a “Security Issue/Warning” for the server's certificate. This is the warning that your browser gives you when it receives a security certificate that it cannot validate against a Certificate Authority. It's the browser's way of warning the end user that the site may be untrustworthy. During the installation of pfSense, a security certificate known as a self-signed certificate was created by the system so that a certificate would be available to encrypt the connection between your web browser and the pfSense firewall. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-AJ0u7FT01J4/Ty4iRgD3LiI/AAAAAAAAAG4/2pMeBMVfR0U/s1600/PFSense16.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="313" src="http://1.bp.blogspot.com/-AJ0u7FT01J4/Ty4iRgD3LiI/AAAAAAAAAG4/2pMeBMVfR0U/s320/PFSense16.png" width="320" /></a></div>
<br />
<br />
2. If you take a closer look at the certificate that was issued to your browser, you will discover that the security certificate has the IP address of your pfSense firewall but all other identifying information is blank. Since this warning is to be expected because the security certificate was self-signed, and it does have the IP address of your pfSense firewall, you should have a good confidence level that this system is the pfSense firewall and not another system posing as your pfSense firewall. Accept the security certificate and continue to the site. (<span style="color: red;">Note: It's never a good idea to accept any certificate issued to your browser that cannot be validated if you're surfing on the Internet</span>.) <br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-braR5HlDyM4/Ty4i1MjO2DI/AAAAAAAAAHA/W9BX-Av1oF0/s1600/PFSense17.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="283" src="http://1.bp.blogspot.com/-braR5HlDyM4/Ty4i1MjO2DI/AAAAAAAAAHA/W9BX-Av1oF0/s400/PFSense17.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<br />
3. After accepting the security certificate, you should then be presented with the pfSense webConfigurator login screen. The first time you log into your pfSense firewall, the default username is “<b><span style="background-color: white; color: blue;">admin</span></b>” with a password of “<b><span style="color: blue;">pfsense</span></b>”. Log in to your pfSense firewall. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-a4ZKVPOYjGk/Ty4jM-J_WvI/AAAAAAAAAHY/qjDQraGiJ5M/s1600/PFSense19.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="395" src="http://4.bp.blogspot.com/-a4ZKVPOYjGk/Ty4jM-J_WvI/AAAAAAAAAHY/qjDQraGiJ5M/s400/PFSense19.png" width="400" /></a></div>
<br />
<br />
4. After successfully logging in to your pfSense firewall, you will be presented with the pfSense Status Dashboard, which provides you with a summary of your system information along with the status of your installed interfaces. The dashboard is configurable and can include additional information about other components of your pfSense firewall. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-v6g1LqHG2wg/Ty4jU8Uj0eI/AAAAAAAAAHg/4N_6xSAIlYo/s1600/PFSense20.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="301" src="http://4.bp.blogspot.com/-v6g1LqHG2wg/Ty4jU8Uj0eI/AAAAAAAAAHg/4N_6xSAIlYo/s400/PFSense20.png" width="400" /></a></div>
<br />
<br />
5. Let's continue configuring the pfSense firewall. From the <b><span style="color: blue;">System</span></b> menu select <b><span style="color: blue;">Setup Wizard</span></b> to start the pfSense setup wizard. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-AUz67QdhQ4s/Ty4jjQ670zI/AAAAAAAAAHo/m0nMiVB3-VE/s1600/PFSense21-c.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="168" src="http://4.bp.blogspot.com/-AUz67QdhQ4s/Ty4jjQ670zI/AAAAAAAAAHo/m0nMiVB3-VE/s400/PFSense21-c.png" width="400" /></a></div>
<br />
6. You should then be greeted with the pfSense setup wizard, click the <b><span style="color: blue;">Next</span></b> button to continue. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-qkuez1H0zzM/Ty4jq7gTg1I/AAAAAAAAAHw/SLL_hJ-rnWI/s1600/PFSense22.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="128" src="http://1.bp.blogspot.com/-qkuez1H0zzM/Ty4jq7gTg1I/AAAAAAAAAHw/SLL_hJ-rnWI/s400/PFSense22.png" width="400" /></a></div>
<br />
<br />
7. Complete the “<span style="color: blue;">General Information</span>” section and click the <b><span style="color: blue;">Next</span></b> button when complete:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-EexFsGr-dqE/Ty4jykMfY1I/AAAAAAAAAH4/Q9mUUda8jdM/s1600/PFSense23.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="236" src="http://1.bp.blogspot.com/-EexFsGr-dqE/Ty4jykMfY1I/AAAAAAAAAH4/Q9mUUda8jdM/s400/PFSense23.png" width="400" /></a></div>
<br />
<br />
<b>Hostname</b>:<br />
Enter the name of what you want to call your firewall<br />
<br />
<b>Domain</b>: <br />
Unless you currently have a domain, create one that will be used on your local network.<br />
<br />
<b>Primary DNS Server</b> & <b>Secondary DNS Server</b>:<br />
Enter the IP address of your local Internet provider's DNS server or a third-party DNS such as OpenDNS, or leave it blank to have this information automatically provided via the Override DNS setting.<br />
<br />
<b>Override DNS</b>:<br />
If you prefer pfSense to use the Primary and Secondary DNS received from your Internet service provider, ensure that the “<b><span style="color: blue;">Allow DNS server to be overridden by DHCP/PPP on WAN</span></b>” check-box is checked. <br />
<br />
8. Configure “<span style="color: blue;">Time Server Information</span>”. <br />
<br />
<b>Time server hostname</b>:<br />
Keep default<br />
<br />
<b>Timezone</b>:<br />
Change to your local time zone.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-s-0IaP8Unr8/Ty4k2waxsaI/AAAAAAAAAIA/n3gDPvmKgkQ/s1600/PFSense24.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="182" src="http://3.bp.blogspot.com/-s-0IaP8Unr8/Ty4k2waxsaI/AAAAAAAAAIA/n3gDPvmKgkQ/s400/PFSense24.png" width="400" /></a></div>
<br />
<br />
9. WAN Interface configuration. Unless you need to authenticate to your ISP when accessing the Internet, which is usually a requirement of some DSL providers, or there are other settings you need in order to access the Internet, this section can be bypassed. Just click the <b><span style="color: blue;">Next</span></b> button.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-yoGPhMn5DW4/Ty4lF-pjwCI/AAAAAAAAAII/Av5ewLsfqxU/s1600/PFSense25.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="http://1.bp.blogspot.com/-yoGPhMn5DW4/Ty4lF-pjwCI/AAAAAAAAAII/Av5ewLsfqxU/s640/PFSense25.png" width="345" /></a></div>
<br />
<br />
10. Review the "<span style="color: blue;">Configure LAN Interface</span>" screen. This screen can be left at its defaults unless you want to change the IP address scheme provided by pfSense to match a current IP scheme being used on your or your client's network. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-EWwvK-1kinM/Ty4lSSHcsBI/AAAAAAAAAIQ/vKNs_APdGrM/s1600/PFSense26.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="191" src="http://4.bp.blogspot.com/-EWwvK-1kinM/Ty4lSSHcsBI/AAAAAAAAAIQ/vKNs_APdGrM/s400/PFSense26.png" width="400" /></a></div>
<br />
11. The "<span style="color: blue;">Set Admin WebGUI Password</span>" screen. Enter a new pfSense “<b><span style="color: blue;">admin</span></b>” user password. <span style="color: #cc0000;">Recommend that your password be longer than 7 characters and incorporate a combination of upper case/lower case letters, numbers and a special character such as !, #, %, etc. to make it strong. </span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-SzAh2TiIQJQ/Ty4lbpWUqNI/AAAAAAAAAIY/IPZ4CCblW-c/s1600/PFSense27.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="183" src="http://2.bp.blogspot.com/-SzAh2TiIQJQ/Ty4lbpWUqNI/AAAAAAAAAIY/IPZ4CCblW-c/s400/PFSense27.png" width="400" /></a></div>
<br />
12. Reload of the pfSense web page – After configuring a new password, pfSense will require you to log in again with the new password. Click the <b><span style="color: blue;">Reload</span></b> button to refresh the screen and log in with your new password.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-sIExnh203v0/Ty4lnH6Q6SI/AAAAAAAAAIg/fyAOVIW7RRc/s1600/PFSense28.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="151" src="http://3.bp.blogspot.com/-sIExnh203v0/Ty4lnH6Q6SI/AAAAAAAAAIg/fyAOVIW7RRc/s400/PFSense28.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-BqHNXlu7UYs/Ty4lsZ3ZEHI/AAAAAAAAAIo/IsbWzvoMjhA/s1600/PFSense29.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="135" src="http://2.bp.blogspot.com/-BqHNXlu7UYs/Ty4lsZ3ZEHI/AAAAAAAAAIo/IsbWzvoMjhA/s400/PFSense29.png" width="400" /></a></div>
<br />
13. At the end of the “<span style="color: blue;">Setup Wizard</span>” you will be presented with the pfSense “<span style="color: blue;">Wizard Completed</span>” page, indicating that you have successfully completed the setup wizard and configured pfSense with the basic configuration to protect your and your clients' network from the dangers of the Internet. Your pfSense firewall will automatically allow traffic destined for the Internet to leave your network but block any traffic that was not initiated from your network from entering your network.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-hedZZA9hjYw/Ty4l3KRMpHI/AAAAAAAAAIw/TzX7XEl67DQ/s1600/PFSense30.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="170" src="http://1.bp.blogspot.com/-hedZZA9hjYw/Ty4l3KRMpHI/AAAAAAAAAIw/TzX7XEl67DQ/s400/PFSense30.png" width="400" /></a></div>
<br />
14. Now that we have successfully configured the basic settings in pfSense, we will make a couple more changes to personalize your pfSense installation. First, let's start with the self-signed security certificate. As you remember from step 2, the pfSense security certificate only contained the IP address of your pfSense firewall and no other identifying information. We will now configure the security certificate with that identifying info, which is useful if you decide to configure VPN access in the future and allow others to connect to your or your clients' network through the pfSense firewall. <br />
<br />
From the pfSense menu, select <b style="color: blue;">System</b> | <b><span style="color: blue;">Cert Manager</span></b> to access pfSense <span style="color: blue;">System Certificate Authority Manager</span> application.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-_CgM7hQ2NAM/Ty4l9mIWaUI/AAAAAAAAAI4/WKxjnyo3Sus/s1600/PFSense31-c.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="163" src="http://1.bp.blogspot.com/-_CgM7hQ2NAM/Ty4l9mIWaUI/AAAAAAAAAI4/WKxjnyo3Sus/s400/PFSense31-c.png" width="400" /></a></div>
<br />
15. Configure pfSense as a trusted Certificate Authority – Ensure the “<b style="color: blue;">CA</b>” tab is selected and click on the “<b style="color: blue;">+</b>” to create the CA.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-vUcdNnwCBCU/Ty4mK6eRQiI/AAAAAAAAAJA/MKzNJKb8TOw/s1600/PFSense32.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="105" src="http://2.bp.blogspot.com/-vUcdNnwCBCU/Ty4mK6eRQiI/AAAAAAAAAJA/MKzNJKb8TOw/s400/PFSense32.png" width="400" /></a></div>
16. From the “<b style="color: blue;">Method</b>” pull down, select “<b style="color: blue;">Create an internal Certificate Authority</b>” and complete the following fields, pressing the “<b style="color: blue;">Save</b>” button when finished.<br />
<br />
<b>Descriptive Name</b>:<br />
Enter a name for the CA<br />
<br />
<b>Method</b>:<br />
Create an internal Certificate Authority<br />
<br />
<b>Key length:</b><br />
Keep at default (2048) bits<br />
<br />
<b>Lifetime</b>:<br />
Keep at default (3650) days<br />
<br />
<b>Country Code: </b><br />
Change to your country<br />
<br />
<b>State or Province</b>:<br />
Enter your State or Province<br />
<br />
<b>City</b>:<br />
Enter your City<br />
<br />
<b>Organization</b>:<br />
Enter what you want to display as the organization that the pfSense firewall belongs to. This could be a business name, household name or any other name you would like to display in the security certificate. <br />
<br />
<b>Email Address</b>:<br />
Enter the email address that others can write to if they have questions about the security certificate.<br />
<br />
<b>Common Name</b>:<br />
Enter a name for the CA security certificate.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-MkhQC48ijLE/Ty4mVcp_5TI/AAAAAAAAAJI/hF1Ucgc7NsA/s1600/PFSense33.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="http://1.bp.blogspot.com/-MkhQC48ijLE/Ty4mVcp_5TI/AAAAAAAAAJI/hF1Ucgc7NsA/s400/PFSense33.png" width="400" /></a></div>
<br />
17. Your pfSense firewall should now be configured as a trusted Certificate Authority.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-wVQvjSVpW-U/Ty4nBEk2XqI/AAAAAAAAAJQ/_ovqxAeej-k/s1600/PFSense34.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="127" src="http://3.bp.blogspot.com/-wVQvjSVpW-U/Ty4nBEk2XqI/AAAAAAAAAJQ/_ovqxAeej-k/s400/PFSense34.png" width="400" /></a></div>
18. Next we will configure the internal certificate. Click on the “<b style="color: blue;">Certificates</b>” tab and then select “<b style="color: blue;">Create an internal Certificate</b>” from the <b style="color: blue;">Method</b> drop-down box. Many of the fields will automatically be filled in from what was entered in the CA tab. Complete the following fields:<br />
<br />
<b>Descriptive name</b>:<br />
Enter a name to describe the security certificate you are creating.<br />
<br />
<b>Certificate Type</b>:<br />
From the drop down menu, select “<span style="color: blue;">Server Certificate</span>”<br />
<br />
<b>Common Name</b>:<br />
Enter the name of your firewall and domain, e.g. firewall.mynetwork.com. If you or your client has a domain name that points to the firewall, such as a static or dynamic DNS name, you can type that domain name here.<br />
<br />
Press the "<b style="color: blue;">Save</b>" button to save changes. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-egAbK9Ou2nY/Ty4nT4hqjdI/AAAAAAAAAJg/CvNqNNiyyvA/s1600/PFSense36.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="272" src="http://4.bp.blogspot.com/-egAbK9Ou2nY/Ty4nT4hqjdI/AAAAAAAAAJg/CvNqNNiyyvA/s400/PFSense36.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
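To see what the CA from step 16 and the server certificate from step 18 actually contain, and to confirm that the server certificate chains to the CA for the firewall's name (the check a browser performs once the CA is trusted), here is an added example using the openssl command line. It is not part of the original post and is not how pfSense builds its certificates internally; the subject values, the working directory and the hostname firewall.mynetwork.example are constructed placeholders.<br />

```shell
#!/bin/sh
# Added example, not part of the original post or of pfSense itself: rebuild
# the CA (step 16) and server certificate (step 18) with the openssl CLI and
# check that the server certificate chains to the CA for the firewall's name.
# Subject values, hostname and working directory are constructed placeholders.
set -e

WORK="${WORK:-$(mktemp -d)}"
FW_NAME="firewall.mynetwork.example"               # Common Name from step 18
ORG_SUBJ="/C=US/ST=MyState/L=MyCity/O=My Household"

make_ca() {
  # Step 16 equivalent: 2048-bit key, 3650-day lifetime, explicit CA extensions
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "$ORG_SUBJ/emailAddress=admin@mynetwork.example/CN=Basement CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 3650 -sha256 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null
}

make_server_cert() {
  # Step 18 equivalent: a "Server Certificate" signed by the CA above. A
  # subjectAltName is added because browsers now ignore the CN for name checks.
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\n' \
    "$FW_NAME" > "$WORK/fw.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "$ORG_SUBJ/CN=$FW_NAME" \
    -keyout "$WORK/fw.key" -out "$WORK/fw.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/fw.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 3650 -sha256 -extfile "$WORK/fw.ext" \
    -out "$WORK/fw.crt" 2>/dev/null
}

verify_chain() {
  # Prints OK when fw.crt is signed by ca.crt and valid for the hostname given
  # as $1, which is what a browser checks after the CA is imported as trusted.
  if openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" "$WORK/fw.crt" \
       >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

cert_subject() {
  # Shows the identifying information the browser displays in step 22
  openssl x509 -in "$WORK/fw.crt" -noout -subject -issuer
}

make_ca
make_server_cert
verify_chain "$FW_NAME"                  # OK
verify_chain "laptop.mynetwork.example"  # FAIL: name does not match the certificate
cert_subject
```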
19. You should now see two security certificates under the “<b style="color: blue;">Certificates</b>” tab: one that was created during the installation of pfSense and the one you just created. Currently only the certificate created during installation is in use, by the webConfigurator.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-qNfY6T1WtsA/Ty4nq0jgoQI/AAAAAAAAAJo/Vga7YV41mHU/s1600/PFSense37.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="123" src="http://3.bp.blogspot.com/-qNfY6T1WtsA/Ty4nq0jgoQI/AAAAAAAAAJo/Vga7YV41mHU/s400/PFSense37.png" width="400" /></a></div>
20. Next we will change pfSense to use the new security certificate we created for the webConfigurator. From the “<b style="color: blue;">System</b>” menu, select “<b><span style="color: blue;">Advanced</span></b>”.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-9MNsaVFVX38/Ty4n03WnGoI/AAAAAAAAAJw/8hQZyDjA3Eo/s1600/PFSense38.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="123" src="http://3.bp.blogspot.com/-9MNsaVFVX38/Ty4n03WnGoI/AAAAAAAAAJw/8hQZyDjA3Eo/s400/PFSense38.png" width="400" /></a></div>
<br />
21. The <span style="color: blue;">System: Advanced</span> screen should now be displayed. On the “<b style="color: blue;">Admin Access</b>” tab, find the following settings:<br />
<br />
<b>Protocol</b>:<br />
Ensure “HTTPS” is selected<br />
<br />
<b>SSL Certificate: </b><br />
In the drop down menu, change the SSL certificate to the internal certificate made in the previous steps. <br />
<br />
<b>TCP port</b>:<br />
Change the port to 445. The port is changed from the standard 443 to 445 to free up port 443 for future use. <span style="color: blue;">Hint:</span> VPN connections on port 443 are very likely to be allowed out from wherever you may be when on the road, which matters if you later decide to configure remote VPN access. (Note that TCP 445 is also the well-known SMB port, so some networks filter it; any other unused port works here just as well.)<br />
<br />
<b>Secure Shell Server</b>:<br />
Enable Secure Shell. This allows remote console access to your firewall.<br />
<br />
Press the "<b style="color: blue;">Save</b>" button to save changes. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-vksr6d05EJM/Ty4n-EycTxI/AAAAAAAAAJ4/De7d3AFGZGM/s1600/PFSense39.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="http://2.bp.blogspot.com/-vksr6d05EJM/Ty4n-EycTxI/AAAAAAAAAJ4/De7d3AFGZGM/s400/PFSense39.png" width="372" /></a></div>
22. Once you save the changes on the <span style="color: blue;">System: Advanced - Admin Access</span> tab, pfSense will present the new security certificate, causing your browser to display the security certificate warning again. This is to be expected, since we configured pfSense to use the new security certificate we created; this time, however, if you look at the details of the security certificate, it should display the identifying information contained in the new certificate. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-ETaxWsqrQ-o/Ty4oacOSi5I/AAAAAAAAAKA/NAeqnocCeZ4/s1600/PFSense41.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="287" src="http://4.bp.blogspot.com/-ETaxWsqrQ-o/Ty4oacOSi5I/AAAAAAAAAKA/NAeqnocCeZ4/s400/PFSense41.png" width="400" /></a></div>
<br />
23. You may also notice that pfSense now displays an alert in the upper right hand corner of your screen. The alert notifies you that pfSense has created the host keys required for SSH communication. This is the result of enabling the Secure Shell Server option on the <span style="color: blue;">System: Advanced - Admin Access</span> tab. <b style="color: blue;">Click the alert</b> to acknowledge the change and the alert should disappear. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-okWKvLAidwg/Ty4ohvoRzcI/AAAAAAAAAKI/tQSgCNgQ_68/s1600/PFSense43.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="39" src="http://4.bp.blogspot.com/-okWKvLAidwg/Ty4ohvoRzcI/AAAAAAAAAKI/tQSgCNgQ_68/s320/PFSense43.png" width="320" /></a></div>
<br />
24. One additional change that I recommend, though it is not required for pfSense to work, is to configure pfSense to show log entries in reverse order (newest entries on top). This is really convenient when you're looking at a log that may be very long, as you save time by not having to scroll to the bottom to see the latest events.<br />
<br />
From the menu select “<b style="color: blue;">Status</b>” and then “<b style="color: blue;">System Logs</b>”.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-0J8pUUSXfDQ/Ty4ooc9z6LI/AAAAAAAAAKQ/q0jQbZWIpcg/s1600/PFSense45.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="195" src="http://3.bp.blogspot.com/-0J8pUUSXfDQ/Ty4ooc9z6LI/AAAAAAAAAKQ/q0jQbZWIpcg/s400/PFSense45.png" width="400" /></a></div>
<br />
25. Once on the <span style="color: blue;">Status: System Logs</span> screen, select the “<b style="color: blue;">Settings</b>” tab, enable the “<b style="color: blue;">Show log entries in reverse order (newest entries on top)</b>” option and click the “<b style="color: blue;">Save</b>” button at the bottom of the page. <br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-hKNngMLLPko/Ty4ouhsByKI/AAAAAAAAAKY/TL7b2v541yI/s1600/PFSense46.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="126" src="http://2.bp.blogspot.com/-hKNngMLLPko/Ty4ouhsByKI/AAAAAAAAAKY/TL7b2v541yI/s400/PFSense46.png" width="400" /></a></div>
<br />
26. <b><span style="color: lime;">CONGRATULATIONS </span></b>-- You have now completed the Basement PC Tech basic pfSense firewall setup. Your pfSense installation should be up and running, and by selecting the “<b style="color: blue;">Firewall</b>” tab while you are still in the “<b style="color: blue;">Status</b>” section you will be able to see all the Internet traffic that pfSense is denying and logging: traffic that is no longer allowed to enter your network or your client's network without authorization. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-zyg6fevX4cs/Ty4o3-l_lTI/AAAAAAAAAKg/BvnEyyYk24Y/s1600/PFSense47.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="133" src="http://2.bp.blogspot.com/-zyg6fevX4cs/Ty4o3-l_lTI/AAAAAAAAAKg/BvnEyyYk24Y/s400/PFSense47.png" width="400" /></a></div>
Basement Techhttp://www.blogger.com/profile/05283073199414549321noreply@blogger.com5tag:blogger.com,1999:blog-7896091347668688704.post-32673706035202469332012-02-04T01:54:00.001-05:002012-04-13T01:04:10.700-04:00How to Install pfSense<br />
<div style="margin-bottom: 0in;"></div><div style="margin-bottom: 0in;"><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-VrEvdxLYaHw/Ty2bG94irKI/AAAAAAAAAGw/67mHed0yykU/s1600/pfsenselogo.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-VrEvdxLYaHw/Ty2bG94irKI/AAAAAAAAAGw/67mHed0yykU/s1600/pfsenselogo.PNG" /></a></div><h2> pfSense Basic Install and Setup</h2>pfSense is a FreeBSD-based distribution that has been customized to be used as a firewall and router. It's a pretty powerful firewall that has many of the same features found in commercial firewalls but is supported by the open source community under the General Public License (GPL), which makes it free for all to use. As with many Linux distributions, pfSense does not take much to run. The minimum hardware requirements to use pfSense are a computer with the following:</div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;"><span style="font-size: x-small;">CPU – 100 MHz Pentium</span></div><span style="font-size: x-small;"> </span><br />
<div style="margin-bottom: 0in;"><span style="font-size: x-small;">RAM – 128 MB</span></div><span style="font-size: x-small;"> </span><br />
<div style="margin-bottom: 0in;"><span style="font-size: x-small;">CD-ROM for initial installation</span></div><span style="font-size: x-small;"> </span><br />
<div style="margin-bottom: 0in;"><span style="font-size: x-small;">1 GB hard drive </span></div><span style="font-size: x-small;"> </span><br />
<div style="margin-bottom: 0in;"><span style="font-size: x-small;">Two Network Interface Cards</span></div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;">This blog posting will serve as a basic tutorial for a Basement PC Tech to use as a guide to install pfSense as a basic firewall on your network or your clients' networks.</div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;"><span style="font-size: medium;"><b>Get pfSense</b></span></div><div style="margin-bottom: 0in;"><br />
</div><ol><li><div style="margin-bottom: 0in;">Download the latest version of pfSense (Version 2.0.1 was used for this tutorial) </div></li>
</ol><div style="margin-bottom: 0in;"><a href="http://www.pfsense.org/index.php?option=com_content&task=view&id=58&Itemid=46">http://www.pfSense.org/index.php?option=com_content&task=view&id=58&Itemid=46</a></div><div style="margin-bottom: 0in;"></div><ol start="2"><li><div style="margin-bottom: 0in;">Using your favorite CD burning software, burn the pfSense ISO to CD.</div></li>
</ol><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;"><span style="font-size: medium;"><b>Install pfSense</b></span></div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;"><br />
</div><ol><li><div style="margin-bottom: 0in;">Boot your chosen PC with the pfSense CD. You will be presented with the following "<span style="color: blue;">Welcome to pfSense!</span>" screen. For our basic install of pfSense, you can press <b style="color: blue;">[Enter]</b> for the default option.</div></li>
</ol><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-bcglJoadAaQ/TyzS10d3fhI/AAAAAAAAAE4/tbAtTd7v_9M/s1600/pfsense1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="216" src="http://3.bp.blogspot.com/-bcglJoadAaQ/TyzS10d3fhI/AAAAAAAAAE4/tbAtTd7v_9M/s400/pfsense1.png" width="400" /></a></div><ol start="2"><li><div style="margin-bottom: 0in;">Press the “<b style="color: blue;">I</b>” key to invoke the installer.</div></li>
</ol><div style="margin-bottom: 0in;"><br />
</div><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-IJy33jy7o2c/TyzS5RZfAdI/AAAAAAAAAFA/EbRFmI58Yw0/s1600/PFsense2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="226" src="http://2.bp.blogspot.com/-IJy33jy7o2c/TyzS5RZfAdI/AAAAAAAAAFA/EbRFmI58Yw0/s400/PFsense2.png" width="400" /></a></div><div style="margin-bottom: 0in;"><br />
</div><ol start="3"><li><div style="margin-bottom: 0in;">If you can see the "<span style="color: blue;">Configure Console</span>" screen, chances are there aren't any changes you need to make to the console. Press the Down arrow on your keyboard to highlight the “<b style="color: blue;"><Accept these Setting></b>” option and press <b style="color: blue;">[Enter]</b>. </div></li>
</ol><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-Tzq5RHrkQUE/TyzTJ9ziT6I/AAAAAAAAAFI/OWITJdrLNo4/s1600/PFSense3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="212" src="http://3.bp.blogspot.com/-Tzq5RHrkQUE/TyzTJ9ziT6I/AAAAAAAAAFI/OWITJdrLNo4/s400/PFSense3.png" width="400" /></a></div><div style="margin-bottom: 0in;"><br />
</div><ol start="4"><li><div style="margin-bottom: 0in;">On the “<span style="color: blue;">Select Task</span>” window, select the “<b style="color: blue;"><Quick/Easy Install></b>” and press <b style="color: blue;">[Enter]</b>. </div></li>
</ol><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-DkmqHP0eZog/TyzTNkrIBFI/AAAAAAAAAFQ/3fHJk8Hcql8/s1600/PFSense4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="221" src="http://3.bp.blogspot.com/-DkmqHP0eZog/TyzTNkrIBFI/AAAAAAAAAFQ/3fHJk8Hcql8/s400/PFSense4.png" width="400" /></a></div><div style="margin-bottom: 0in;"><br />
</div><ol start="5"><li><div style="margin-bottom: 0in;">At the “<span style="color: blue;">Are you SURE?</span>” screen, confirm your decision to install pfSense by highlighting the “<b style="color: blue;">< OK ></b>” option and pressing <b style="color: blue;">[Enter]</b>. Any data currently on the first hard drive of the system will be destroyed in order to install pfSense. </div></li>
</ol><div style="margin-bottom: 0in;"><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-ZME-6dREQEg/TyzTTw0NWWI/AAAAAAAAAFY/fwix_W8JP_Y/s1600/PFSense5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="220" src="http://2.bp.blogspot.com/-ZME-6dREQEg/TyzTTw0NWWI/AAAAAAAAAFY/fwix_W8JP_Y/s400/PFSense5.png" width="400" /></a></div><br />
</div><ol start="6"><li><div style="margin-bottom: 0in;">Take a break :) - It can take up to 10 minutes for pfSense to finish this stage of the install depending on your hardware. pfSense is formatting your drive and copying the software to your system. </div></li>
</ol><div style="margin-bottom: 0in;"><br />
</div><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-4Y9X6c4WkMw/TyzTXzQMz-I/AAAAAAAAAFg/8rRPeGcy7Mg/s1600/PFSense6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="176" src="http://1.bp.blogspot.com/-4Y9X6c4WkMw/TyzTXzQMz-I/AAAAAAAAAFg/8rRPeGcy7Mg/s320/PFSense6.png" style="cursor: move;" width="320" /></a></div><div style="margin-bottom: 0in;"><br />
</div><ol start="7"><li><div style="margin-bottom: 0in;">At the “<span style="color: blue;">Install Kernel(s)</span>” screen, ensure “<b style="color: blue;">< Symmetric multiprocessing kernel (more than one processor) ></b>” is highlighted and press <b style="color: blue;">[Enter]</b>. </div></li>
</ol><div style="margin-bottom: 0in;"><br />
</div><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-Jl_xD24rYZY/TyzTeEHZhWI/AAAAAAAAAFo/EZT6KYmV3yQ/s1600/PFsense7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="220" src="http://4.bp.blogspot.com/-Jl_xD24rYZY/TyzTeEHZhWI/AAAAAAAAAFo/EZT6KYmV3yQ/s400/PFsense7.png" width="400" /></a></div><div style="margin-bottom: 0in;"><br />
</div><ol start="8"><li><div style="margin-bottom: 0in;">At the “<span style="color: blue;">Reboot</span>” screen, remove the pfSense CD and ensure that “<b style="color: blue;">< Reboot ></b>” is highlighted and press <b style="color: blue;">[Enter]</b>. </div></li>
</ol><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-qpqFYC81-js/TyzTjGrF5UI/AAAAAAAAAFw/bRAQ8rSmkXQ/s1600/PFSense8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="220" src="http://4.bp.blogspot.com/-qpqFYC81-js/TyzTjGrF5UI/AAAAAAAAAFw/bRAQ8rSmkXQ/s400/PFSense8.png" width="400" /></a></div><div style="margin-bottom: 0in;"></div><ol start="9"><li><div style="margin-bottom: 0in;">After the system reboots, you will be presented with the initial “<span style="color: blue;">Welcome to pfSense!</span>” menu. Press <b style="color: blue;">[Enter]</b> to select the default.<br />
<u>Note</u>: This is the default action of pfSense, and if no key is pressed before the pause timer reaches 0, the default boot profile will be used. </div></li>
</ol><div style="margin-bottom: 0in;"><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-6Fom3DYhzww/TyzToLkdc9I/AAAAAAAAAF4/N60Ml8i609k/s1600/PFSense9.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="218" src="http://2.bp.blogspot.com/-6Fom3DYhzww/TyzToLkdc9I/AAAAAAAAAF4/N60Ml8i609k/s400/PFSense9.png" width="400" /></a></div></div><ol start="10"><li><div style="margin-bottom: 0in;">During the boot phase of pfSense, the detected network interface cards that can be used by pfSense will be displayed.<br />
<u>Note</u>: If you do not see all your network cards listed, press the <b style="color: red;"> [CTRL – C]</b> keys to end the setup script and then select option “<b><span style="color: red;">6</span></b>” (<span style="color: blue;">Halt system</span>). After the system shuts down, confirm that your network interface cards are properly seated and/or working. After you have remediated the issue with the network interface cards, boot pfSense and repeat this tutorial from step 9 onward. </div></li>
</ol><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-sOtJw4Tdyok/TyzTtlCyHGI/AAAAAAAAAGA/eEsUJZK9VJ4/s1600/PFSense10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="52" src="http://4.bp.blogspot.com/-sOtJw4Tdyok/TyzTtlCyHGI/AAAAAAAAAGA/eEsUJZK9VJ4/s400/PFSense10.png" width="400" /></a></div><div style="margin-bottom: 0in;"></div><ol start="11"><li><div style="margin-bottom: 0in;">Since this is a basic setup of pfSense, we will not be configuring a “<span style="color: blue;">VLAN</span>” so type “<b style="color: blue;">n</b>” and press <b style="color: blue;">[Enter]</b>. </div></li>
</ol><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-SyCEOX5joas/TyzT19P84BI/AAAAAAAAAGI/eG7mG298AG0/s1600/PFSense11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="53" src="http://2.bp.blogspot.com/-SyCEOX5joas/TyzT19P84BI/AAAAAAAAAGI/eG7mG298AG0/s400/PFSense11.png" width="400" /></a></div><div style="margin-bottom: 0in;"></div><ol start="12"><li><div style="margin-bottom: 0in;">From the list of valid interfaces found by pfSense, type the name of the network interface card that will be connected directly to the Internet (cable modem, DSL, etc.). </div></li>
</ol><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-YZJT8tksNSA/TyzT6i-k_UI/AAAAAAAAAGQ/R28bTvYangs/s1600/PFSense12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="111" src="http://3.bp.blogspot.com/-YZJT8tksNSA/TyzT6i-k_UI/AAAAAAAAAGQ/R28bTvYangs/s400/PFSense12.png" width="400" /></a></div><div style="margin-bottom: 0in;"></div><ol start="13"><li><div style="margin-bottom: 0in;">From the list of valid interfaces found by pfSense, type the name of the network interface card that will be connected to your internal network. This will serve as your “<span style="color: blue;">LAN</span>” interface. Repeat this step for each additional network interface card listed as a valid interface by pfSense that will be used by the firewall, e.g. wireless, DMZ, etc. Once you are finished, press <b style="color: blue;">[Enter]</b> on an empty line to move to the next step of the setup. </div></li>
</ol><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-c7mJlF_pv00/TyzT--bi_8I/AAAAAAAAAGY/FCEcvljCZgE/s1600/PFSense13.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="93" src="http://1.bp.blogspot.com/-c7mJlF_pv00/TyzT--bi_8I/AAAAAAAAAGY/FCEcvljCZgE/s400/PFSense13.png" width="400" /></a></div><div style="margin-bottom: 0in;"></div><ol start="14"><li><div style="margin-bottom: 0in;">Confirm that you have selected the correct network interface cards for each interface on your firewall and type “<b style="color: blue;">y</b>” and press <b><span style="color: blue;">[Enter]</span>. </b> </div></li>
</ol><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-feZ7wpS4o9w/TyzUD2s3VkI/AAAAAAAAAGg/RW9hGm2P014/s1600/PFSense14.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="158" src="http://1.bp.blogspot.com/-feZ7wpS4o9w/TyzUD2s3VkI/AAAAAAAAAGg/RW9hGm2P014/s400/PFSense14.png" width="400" /></a></div><div style="margin-bottom: 0in;"></div><ol start="15"><li><div style="margin-bottom: 0in;">Once you complete this initial setup, you will be presented with the pfSense console menu. Your firewall is now up and running. We have finished all configuration steps that need to be done from the pfSense console. You can actually disconnect the monitor and keyboard from the system (as an added security precaution), since all other configuration will be done via the web console. (See <a href="http://blog.basementpctech.com/2012/02/webconfigurator-pfsense-basic-setup.html" style="color: #0b5394;">The "webConfigurator" - pfSense basic setup part 2</a> )</div></li>
</ol><div style="margin-bottom: 0in;"><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-C60FSMQhnpQ/TyzUIQIINDI/AAAAAAAAAGo/F4EyO9831Vw/s1600/PFSense15.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="168" src="http://2.bp.blogspot.com/-C60FSMQhnpQ/TyzUIQIINDI/AAAAAAAAAGo/F4EyO9831Vw/s400/PFSense15.png" width="400" /></a></div><br />
</div>Basement Techhttp://www.blogger.com/profile/05283073199414549321noreply@blogger.com1tag:blogger.com,1999:blog-7896091347668688704.post-47183666793148662842012-02-02T22:45:00.001-05:002012-04-13T09:20:17.202-04:00Free Firewalls<br />
<div style="margin-bottom: 0in;">As a Basement PC Tech (BPCT) your friends and clients expect you to assist them with not only their <i>mysterious</i><span style="font-style: normal;"> computer issues but they also expect you to help them protect themselves from the evils of the world. </span> In a previous blog (<a href="http://basementpctech.blogspot.com/2012/01/free-anti-virus-software-for-everyone.html">Free Anti-Virus Software for EVERYONE!!!!</a>) I provided a list of free anti-virus applications that could be used by your clients and friends as a security defense against malicious code (malware) that may try to exploit their systems. In this blog I will review what I believe to be the first line of defense when it comes to protecting computers on your network and your clients' networks – FIREWALLS. </div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;"><span style="font-size: medium;"><b>What is a firewall? </b></span> </div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;">According to Wikipedia:</div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;"><span style="font-size: x-small;"><i>Firewall may refer to:</i></span></div><div style="margin-bottom: 0in;"><br />
</div><ul><li><div style="margin-bottom: 0in;"><span style="font-size: x-small;"><i>Firewall (construction), a barrier inside a building or vehicle, designed to limit the spread of fire, heat and structural collapse</i></span></div></li>
<li><div style="margin-bottom: 0in;"><span style="font-size: x-small;"><i>Firewall (automobile), the part of the vehicle that separates the engine from the driver and passengers</i></span></div></li>
<li><div style="margin-bottom: 0in;"><span style="font-size: x-small;"><i>Firewall (computing), a technological barrier designed to prevent unauthorized or unwanted communications between computer networks or hosts</i></span></div></li>
</ul><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;">All three definitions can be summed up to one definition: A firewall is a barrier designed to protect you from a danger on the other side. </div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;">Many users may be familiar with the firewall that is part of the Windows operating system. This is what is considered to be a host-based firewall, a firewall installed on the host to prevent certain traffic from reaching or leaving your computer system. Most commonly, firewalls are placed at the border of a network to prevent unwanted communications from entering the network from what is considered to be a less secure network. </div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;">During the infancy of the Internet, large organizations such as corporations, educational institutions or the government were the only entities that could afford a firewall, had the required skills to configure one correctly and had the need for one. Large organizations were the only entities that had direct connections to the Internet. Consumers at this time were just learning about the Internet and connecting to it via dial-up. </div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;">Now times have changed, and with the introduction of broadband Internet access, large organizations are no longer the only ones that have a constant connection to the Internet or the only ones that need to protect themselves from the dangers of the Internet. </div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;">I'm surprised at the number of people I discover that do not have a network firewall. Although Windows has a firewall embedded in the operating system which may deflect an attack on your computer system, why let an attacker or malicious traffic get that close to your system? What is protecting all the other items you may have connected to your network, such as game consoles, burglar<span style="font-weight: normal;"> alarm systems, </span> smart TVs and DVD players? </div><div style="margin-bottom: 0in;"><br />
</div><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-pgG25G9Gjxw/TytXex45-fI/AAAAAAAAAEg/SZxeplJE-n0/s1600/HouseNoFirewall.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="161" src="http://1.bp.blogspot.com/-pgG25G9Gjxw/TytXex45-fI/AAAAAAAAAEg/SZxeplJE-n0/s320/HouseNoFirewall.jpeg" width="320" /></a></div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;">A network firewall is your network's 1<sup>st</sup> line of defense, fending off attackers and preventing malicious traffic from entering your network. </div><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-fhxfABvH1eU/TytXo4l6rII/AAAAAAAAAEo/9riMqe2xPh4/s1600/HouseNoFirewall2.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="161" src="http://1.bp.blogspot.com/-fhxfABvH1eU/TytXo4l6rII/AAAAAAAAAEo/9riMqe2xPh4/s320/HouseNoFirewall2.jpeg" width="320" /></a></div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;">In future posts I will cover many of the free software-based network firewalls that you as a BPCT can use on your own and your clients' networks. The following list includes some of the most popular firewall distributions available on the Internet. </div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;">List of Free Firewall Distributions</div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;"></div><table cellpadding="4" cellspacing="0"><colgroup><col width="128*"></col> <col width="128*"></col> </colgroup><tbody>
<tr valign="TOP"> <td style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: none; border-top: 1px solid #000000; padding-bottom: 0.04in; padding-left: 0.04in; padding-right: 0in; padding-top: 0.04in;" width="50%">Endian Firewall – Community Edition</td> <td style="border: 1px solid #000000; padding: 0.04in;" width="50%"><a href="http://www.endian.com/us/community/download/">http://www.endian.com/us/community/download/</a> </td> </tr>
<tr valign="TOP"> <td style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: none; border-top: none; padding-bottom: 0.04in; padding-left: 0.04in; padding-right: 0in; padding-top: 0in;" width="50%">m0n0wall</td> <td style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: none; padding-bottom: 0.04in; padding-left: 0.04in; padding-right: 0.04in; padding-top: 0in;" width="50%"><a href="http://m0n0.ch/wall/downloads.php">http://m0n0.ch/wall/downloads.php</a> </td> </tr>
<tr valign="TOP"> <td style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: none; border-top: none; padding-bottom: 0.04in; padding-left: 0.04in; padding-right: 0in; padding-top: 0in;" width="50%">PfSense Firewall </td> <td style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: none; padding-bottom: 0.04in; padding-left: 0.04in; padding-right: 0.04in; padding-top: 0in;" width="50%"><a href="http://www.pfsense.org/index.php?option=com_content&task=view&id=58&Itemid=46">http://www.pfsense.org/index.php?option=com_content&task=view&id=58&Itemid=46</a> </td> </tr>
<tr valign="TOP"> <td style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: none; border-top: none; padding-bottom: 0.04in; padding-left: 0.04in; padding-right: 0in; padding-top: 0in;" width="50%">SmoothWall Express</td> <td style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: none; padding-bottom: 0.04in; padding-left: 0.04in; padding-right: 0.04in; padding-top: 0in;" width="50%"><a href="http://www.smoothwall.org/get/">http://www.smoothwall.org/get/</a> </td> </tr>
<tr valign="TOP"> <td style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: none; border-top: none; padding-bottom: 0.04in; padding-left: 0.04in; padding-right: 0in; padding-top: 0in;" width="50%">IPCop Firewall</td> <td style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: none; padding-bottom: 0.04in; padding-left: 0.04in; padding-right: 0.04in; padding-top: 0in;" width="50%"><a href="http://www.ipcop.org/download.php">http://www.ipcop.org/download.php</a> </td> </tr>
<tr valign="TOP"> <td style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: none; border-top: none; padding-bottom: 0.04in; padding-left: 0.04in; padding-right: 0in; padding-top: 0in;" width="50%">untangle</td> <td style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: none; padding-bottom: 0.04in; padding-left: 0.04in; padding-right: 0.04in; padding-top: 0in;" width="50%">http://www.untangle.com/</td> </tr>
<tr valign="TOP"> <td style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: none; border-top: none; padding-bottom: 0.04in; padding-left: 0.04in; padding-right: 0in; padding-top: 0in;" width="50%">ClearOS</td> <td style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: none; padding-bottom: 0.04in; padding-left: 0.04in; padding-right: 0.04in; padding-top: 0in;" width="50%">http://www.clearfoundation.com/</td> </tr>
<tr valign="TOP"> <td style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: none; border-top: none; padding-bottom: 0.04in; padding-left: 0.04in; padding-right: 0in; padding-top: 0in;" width="50%">Astaro Security Gateway – Free Home Use Firewall</td> <td style="border-bottom: 1px solid #000000; border-left: 1px solid #000000; border-right: 1px solid #000000; border-top: none; padding-bottom: 0.04in; padding-left: 0.04in; padding-right: 0.04in; padding-top: 0in;" width="50%"><a href="http://www.astaro.com/landingpages/en-worldwide-homeuse">http://www.astaro.com/landingpages/en-worldwide-homeuse</a><br />
<br />
<br />
</td> </tr>
</tbody></table><div style="margin-bottom: 0in;"><br />
</div>Basement Techhttp://www.blogger.com/profile/05283073199414549321noreply@blogger.com1tag:blogger.com,1999:blog-7896091347668688704.post-6812912106339728422012-01-24T10:52:00.002-05:002012-04-13T09:27:58.007-04:00SPLUNK Syslog Server<br />
<div style="margin-bottom: 0in;">As a Basement PC Technician (BPCT) there is a good chance that you have an assortment of systems and devices that produce a rather large volume of logs. As any good BPCT knows, you must routinely review your logs for errors and potential security events. Depending on the number of devices you have and the amount of data each one produces, this can seem a daunting task. This is where centralized logging can make your life easier, and <a href="http://www.splunk.com/" target="_blank">SPLUNK</a> is the application that can help you do it. <a href="http://www.splunk.com/" target="_blank"> SPLUNK</a> is like a combination of a syslog server and a database: it can collect logs from any source and then index them so that you can search them. </div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;"></div><div class="separator" style="clear: both; text-align: center;"><a href="http://coverall3.splunk.com/web_assets/v5/product/diagrams/diagram_index.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://coverall3.splunk.com/web_assets/v5/product/diagrams/diagram_index.png" /></a></div><div style="margin-bottom: 0in;"></div><div style="margin-bottom: 0in;"><span style="font-size: xx-small;">Picture acquired from the SPLUNK website – why reinvent the wheel when SPLUNK has provided one for me to use? Part of being a successful BPCT is knowing how to work smart, hence copying SPLUNK's diagram while giving them credit for their work =)</span></div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;">An investigation of a security-related incident, or of the root cause of an error involving multiple systems, that might once have taken hours or days can now be reduced to a matter of minutes. Don't be surprised if you find things you didn't realize were happening on your network. The best part about <a href="http://www.splunk.com/" target="_blank">SPLUNK</a> is that it fits a BPCT's budget – it's FREE!!! <a href="http://www.splunk.com/" target="_blank"> SPLUNK</a> does offer an Enterprise License, if needed, that provides additional capabilities such as role-based security, single sign-on and scheduled PDF delivery. See the link below for a comparison of the Free License vs. the Enterprise License. </div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;"><a href="http://www.splunk.com/view/free-vs-enterprise/SP-CAAAE8W">http://www.splunk.com/view/free-vs-enterprise/SP-CAAAE8W</a> </div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;"><a href="http://www.splunk.com/" target="_blank">SPLUNK</a> can be installed on a Windows or Unix/Linux system in a matter of minutes, and it offers a well-documented and helpful support site to assist you if you encounter any issues during installation or operation of the <a href="http://www.splunk.com/" target="_blank">SPLUNK</a> application.</div><div style="margin-bottom: 0in;"><br />
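To make the "syslog server plus database" idea concrete, here is an added Python sketch (not Splunk's code, and not from the original post) of what such a collector does: it parses RFC 3164 syslog lines from several devices into fields, builds an inverted word index, and lets you pull out events by keyword or minimum severity. The sample lines, host names and addresses are constructed for the example.

```python
import re
from collections import defaultdict
# RFC 3164: PRI = facility * 8 + severity, with facility 0..23 and severity 0..7
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# <PRI>Mmm dd HH:MM:SS host tag[pid]: message
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)

def parse_syslog(line):
    """Split one syslog line into fields; return None for malformed input."""
    m = LINE_RE.match(line)
    if not m or int(m.group("pri")) > 191:      # 191 = facility 23, severity 7
        return None
    rec = m.groupdict()
    pri = int(rec.pop("pri"))
    rec["facility"], rec["severity"] = pri // 8, SEVERITIES[pri % 8]
    return rec
class LogIndex:
    """Keeps every event plus an inverted index (word -> set of event ids)."""
    def __init__(self):
        self.events, self.words = [], defaultdict(set)
    def ingest(self, line):
        rec = parse_syslog(line)
        if rec is None:                 # a real collector would count/alert on these
            return False
        text = f'{rec["host"]} {rec["tag"]} {rec["msg"]}'.lower()
        for w in re.findall(r"[a-z0-9_.@-]+", text):
            self.words[w].add(len(self.events))
        self.events.append(rec)
        return True
    def search(self, *terms, min_severity=None):
        """AND-match all terms; optionally keep only events at least this severe."""
        ids = set(range(len(self.events)))
        for t in terms:
            ids &= self.words.get(t.lower(), set())
        hits = [self.events[i] for i in sorted(ids)]
        if min_severity is not None:
            worst = SEVERITIES.index(min_severity)
            hits = [e for e in hits if SEVERITIES.index(e["severity"]) <= worst]
        return hits
# Constructed sample events from three devices (not real log data)
SAMPLE = [
    "<38>Jan 23 10:52:01 fw01 sshd[2201]: Failed password for root from 192.0.2.10 port 5021 ssh2",
    "<38>Jan 23 10:52:03 fw01 sshd[2201]: Failed password for root from 192.0.2.10 port 5022 ssh2",
    "<30>Jan 23 10:52:10 nas01 smbd[811]: connection from 192.0.2.50 accepted",
    "<12>Jan 23 10:53:00 ap01 hostapd: STA 00:11:22:33:44:55 deauthenticated",
    "this line is not syslog at all",
]
```

Feeding the samples through `LogIndex.ingest` and then calling `search("failed", "password")` or `search(min_severity="warning")` is the kind of cross-device query the post says turns hours of log reading into minutes.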
</div><div style="margin-bottom: 0in;">One must-have tool for your Basement PC Technician arsenal: </div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;">SPLUNK <a href="http://www.splunk.com/">www.splunk.com</a> </div><div style="margin-bottom: 0in;"></div>Basement Techhttp://www.blogger.com/profile/05283073199414549321noreply@blogger.com2tag:blogger.com,1999:blog-7896091347668688704.post-54014819373881451192012-01-23T21:46:00.001-05:002012-04-13T09:29:08.949-04:00Window 8 Preview<div class="MsoNormal">Want to get a head start on all the other Basement PC Techs out there? Well, here's your chance: you can download the “Developer Preview” of Windows 8. Be the 1<sup>st</sup> in your circle to test drive Windows 8. The Windows 8 Developer Preview is a pre-beta version of Windows for developers. It gives you a 1<sup>st</sup> glance at what’s to come. </div><div class="MsoNormal"><br />
</div><div class="MsoNormal">ISOs are available for 32-bit and 64-bit.</div><div class="MsoNormal"><br />
</div><div class="MsoNormal"><a href="http://msdn.microsoft.com/en-us/windows/apps/br229516">http://msdn.microsoft.com/en-us/windows/apps/br229516</a></div>Basement Techhttp://www.blogger.com/profile/05283073199414549321noreply@blogger.com0tag:blogger.com,1999:blog-7896091347668688704.post-11926819286392329052012-01-23T12:48:00.002-05:002012-04-13T01:09:23.671-04:00Free Anti-Virus<div style="margin-bottom: 0in;"><h2><a href="http://2.bp.blogspot.com/-4wJM51MBIYo/TyQNakh7kkI/AAAAAAAAAEA/mIUbxfqhS7U/s1600/compvirus.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="200" src="http://2.bp.blogspot.com/-4wJM51MBIYo/TyQNakh7kkI/AAAAAAAAAEA/mIUbxfqhS7U/s200/compvirus.jpg" width="200" /></a> <span style="color: blue;">Free Anti-Virus Software for EVERYONE!!!!</span></h2>Probably the #1 issue you will encounter as a basement PC tech is the removal of malware from someone's system. It's amazing how many systems I come across that do not have valid anti-virus software installed. I blame most of this on the fact that many new computer systems are bloated with so much “trial” software that the end user can be left confused about what is actually installed on their system. </div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;">When it comes to anti-virus software, there is no reason why anyone should go unprotected from the dangers of the Internet. There are many free anti-virus applications that do a good job of detecting and removing malware at no cost. Below is a quick list of some of them. </div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;">Microsoft Security Essentials (Recommended)</div><div style="margin-bottom: 0in;"><a href="http://windows.microsoft.com/en-US/windows/products/security-essentials">http://windows.microsoft.com/en-US/windows/products/security-essentials</a></div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;">Avast Anti-Virus with anti-spyware</div><div style="margin-bottom: 0in;"><a href="http://www.avast.com/free-antivirus-download">http://www.avast.com/free-antivirus-download</a></div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;">AVG | Free</div><div style="margin-bottom: 0in;"><a href="http://free.avg.com/us-en/free-antivirus-download">http://free.avg.com/us-en/free-antivirus-download</a></div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;">Avira</div><div style="margin-bottom: 0in;"><a href="http://www.avira.com/en/avira-free-antivirus">http://www.avira.com/en/avira-free-antivirus</a></div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;">Malwarebytes (Recommended)</div><div style="margin-bottom: 0in;"><a href="http://www.malwarebytes.org/">http://www.malwarebytes.org/</a></div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;">Immunet Free Anti-Virus</div><div style="margin-bottom: 0in;"><a href="http://www.immunet.com/free/index.html">http://www.immunet.com/free/index.html</a></div><div style="margin-bottom: 0in;"></div><div style="margin-bottom: 0in;">Comodo</div><div style="margin-bottom: 0in;"><a href="http://antivirus.comodo.com/">http://antivirus.comodo.com/</a></div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;">PC Tools Anti-Virus Free</div><div style="margin-bottom: 0in;"><a href="http://www.pctools.com/free-antivirus/index/d/2/">http://www.pctools.com/free-antivirus/index/d/2/</a></div><div style="margin-bottom: 0in;"><br />
</div><div style="margin-bottom: 0in;"></div><div style="margin-bottom: 0in;">Note: Some of these applications offer a “trial” of their paid products, but it is not necessary to take part in the trial to use the free version of the product. </div><div style="margin-bottom: 0in;"></div>Basement Techhttp://www.blogger.com/profile/05283073199414549321noreply@blogger.com3