Knowledge Series. This page holds short articles on various topics related to forensics. Below is the list of articles on this page.

  1. Changing MAC Address of the Computer.

  2. Uncovering Hidden Processes on Windows System





Changing MAC Address of the Computer.

Every frame your computer sends on the local network carries your MAC address as its source hardware address, alongside the IP address in the packet it encapsulates (routers replace the MAC at every hop, so it is only ever seen on your own network segment). Many of us are still under the impression that the IP address can be changed but the MAC address is fixed and cannot be changed unless the network card is replaced. While we cannot change the address burned into the network card, we can certainly change the address the operating system uses, and that is the one that goes on the wire.

Here are the steps to change the MAC address on various operating systems.



Changing MAC Address on Linux

On Linux you can use the 'ifconfig' command to set the new MAC address as shown below. Take the interface down first; most drivers refuse to change the address while it is up. Pick the address carefully: the lowest bit of the first octet must be clear, because an odd first octet (11, for example) makes it a multicast group address, which is never valid as a source address and which the kernel rejects with "SIOCSIFHWADDR: Cannot assign requested address". Setting the second-lowest bit instead (first octet 02, 06, 0A or 0E) marks the address as locally administered, which is the convention for an address you have assigned yourself.
ifconfig eth1 down
ifconfig eth1 hw ether 02:12:13:14:15:16
ifconfig eth1 up
On distributions where ifconfig is no longer installed, the iproute2 'ip link' command sets the address the same way, and 'ip link show eth1' displays the address currently in use. The change does not survive a reboot, and the interface will get a different DHCP lease because the server sees a new client.



Changing MAC Address on Windows

On Windows you can use a console tool called 'etherchange' to change the MAC address. When you run this tool, it lists all available network interfaces and lets you select the one whose MAC address you want to change. Disable and re-enable that network adapter for the change to take effect. When you are done, run the tool again to restore the original MAC address.

Underneath, this is done through the following registry change. Open the registry editor and go to the following key (the GUID is the network adapter device class):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}

This key has many subkeys named 0000, 0001, 0002 and so on, one per installed network adapter. Each of them has a "DriverDesc" value holding the description of the adapter. Go through the entries until you find the one whose description matches your network interface. If two adapters use the same driver, and therefore carry the same description, compare the "NetCfgInstanceId" value with the adapter's GUID instead (it appears in the Transport Name column of 'getmac /v'). Once you have found the right subkey, create the following string value holding the new MAC address as twelve hexadecimal digits with no separators:

NetworkAddress REG_SZ 021213141516

The same rule as on Linux applies to the value: the first octet must have its lowest bit clear (an odd first octet such as 11 is a multicast address and drivers reject or ignore it), and setting its second-lowest bit, as in 02, marks the address as locally administered. Windows wireless drivers generally refuse an override that is not locally administered.

Once you have changed it, disable and re-enable the network adapter for the change to take effect, then run 'ipconfig /all' and check the Physical Address line to verify the new MAC address. If it has not changed, the driver does not honour the override (some drivers expose it only as a "Network Address" property on the Advanced tab of the adapter's properties, and some not at all). To set the interface back to its original address, delete the NetworkAddress value from the registry and disable/re-enable the adapter once more.
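The registry procedure above, scripted in PowerShell. This is an added example, not code from the page and not EtherChange's or SMAC's code. It finds the adapter's class subkey by matching NetCfgInstanceId against the adapter's InterfaceGuid (more reliable than DriverDesc, which repeats when two cards share a driver), validates the address bits discussed above, sets or removes NetworkAddress, bounces the adapter and reports the address in use. Assumptions: an elevated prompt, the Get-NetAdapter cmdlets (Windows 8 / Server 2012 or later), and the adapter name 'Ethernet' and the MAC 02:12:13:14:15:16 used in the usage lines are placeholders.

```powershell
# Added example: set or clear the NetworkAddress override for one adapter.
# Not from the original page; adapter name and MAC below are placeholders.
$ClassKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}'

function Test-SpoofableMac {
    param([Parameter(Mandatory)][string]$Mac)
    # Accept 12 hex digits, with or without ':' or '-' separators.
    $hex = $Mac -replace '[:-]', ''
    if ($hex -notmatch '^[0-9A-Fa-f]{12}$') { return $false }
    $first = [Convert]::ToInt32($hex.Substring(0, 2), 16)
    # Bit 0 of the first octet is the I/G (multicast) bit: a source address must be unicast.
    if ($first -band 0x01) { return $false }
    # Bit 1 is the U/L bit: set it so the address is marked locally administered,
    # which wireless drivers on Windows generally require for an override.
    if (-not ($first -band 0x02)) { return $false }
    return $true
}

function Get-AdapterRegistryPath {
    param([Parameter(Mandatory)][string]$AdapterName)
    $guid = (Get-NetAdapter -Name $AdapterName -ErrorAction Stop).InterfaceGuid
    foreach ($sub in Get-ChildItem -Path $ClassKey -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue
        # NetCfgInstanceId holds the same {GUID} as the adapter's InterfaceGuid.
        if ($props.NetCfgInstanceId -eq $guid) { return $sub.PSPath }
    }
    throw "No class subkey found for adapter '$AdapterName' ($guid)"
}

function Set-MacOverride {
    param(
        [Parameter(Mandatory)][string]$AdapterName,
        [string]$Mac   # omit to remove the override and return to the burned-in address
    )
    $path = Get-AdapterRegistryPath -AdapterName $AdapterName
    if ($Mac) {
        if (-not (Test-SpoofableMac $Mac)) {
            throw "Refusing '$Mac': need 12 hex digits, unicast, locally administered"
        }
        $value = ($Mac -replace '[:-]', '').ToUpper()
        # REG_SZ with no separators, exactly as the manual procedure creates it.
        Set-ItemProperty -Path $path -Name 'NetworkAddress' -Value $value -Type String
    } else {
        Remove-ItemProperty -Path $path -Name 'NetworkAddress' -ErrorAction SilentlyContinue
    }
    # The driver reads NetworkAddress only when it binds, so bounce the adapter.
    Disable-NetAdapter -Name $AdapterName -Confirm:$false
    Enable-NetAdapter  -Name $AdapterName -Confirm:$false
    Start-Sleep -Seconds 2
    # What the stack is using now; same value 'ipconfig /all' shows as Physical Address.
    return (Get-NetAdapter -Name $AdapterName).MacAddress
}

# Usage (placeholders):
#   Set-MacOverride -AdapterName 'Ethernet' -Mac '02:12:13:14:15:16'   # apply the override
#   Set-MacOverride -AdapterName 'Ethernet'                             # restore the original
```

If the returned address is unchanged after the apply call, the driver does not honour NetworkAddress; the registry write succeeded but the check at the end is what tells you whether the spoof is actually in effect.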

Now you know what can be changed and what not..!



References:

• EtherChange: Console tool to change the MAC address on Windows.

• SMAC: GUI tool for Windows to modify the MAC address.

Uncovering Hidden Processes on Windows System



The Real Problem: When you start your PC, a lot of processes are running. Some run by default and some are started by you. As you keep installing more software, the process list keeps growing. Some day it reaches the stage where the processes become difficult to keep track of, and if some spyware comes and sits on your machine in the meantime, you cannot easily tell until something really bad happens.



Detection Tools:

Here I will throw some light on various methods of detecting spyware or any other malicious program running on the computer, from basic to advanced.

Startup programs are usually managed through various registry settings. If you are an expert, you can edit these registry settings yourself. You can find a good list of startup registry locations here.

Below are some very useful tools which can be used alone or in combination with each other.


Autoruns
Autoruns from Sysinternals shows all startup entries (processes, services, drivers, Winlogon notify entries, Winsock providers etc.). You can also make it display only non-Microsoft entries by selecting "Hide Microsoft entries" from the Options menu, which leaves just the third-party and unsigned entries that deserve a closer look.
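The idea behind "Hide Microsoft entries", done by hand over the registry startup locations mentioned above: read each autostart command, resolve it to its executable and check the Authenticode signature, then show only what is not validly signed by Microsoft. This is an added example, not code from the page and not Sysinternals' code. Assumptions: the five Run/RunOnce keys listed are only the most common locations (Autoruns covers many more), and the signer check relies on Get-AuthenticodeSignature, which on older Windows releases sees only embedded signatures, so some catalog-signed Windows binaries can show as NotSigned there.

```powershell
# Added example: list autostart entries that are not validly signed by Microsoft.
# Not from the original page; the key list is a constructed, partial set of locations.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Resolve-AutostartExe {
    param([Parameter(Mandatory)][string]$Command)
    # Values are full command lines; pull out the program path.
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }      # "C:\Program Files\x\y.exe" /arg
    if ($cmd -match '^(.+?\.exe)\b') { return $Matches[1] }  # C:\path\y.exe /arg (unquoted)
    return ($cmd -split '\s+')[0]
}

function Get-AutostartEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }           # provider metadata, not autostart values
            $exe = Resolve-AutostartExe ([string]$p.Value)
            $status = 'FileMissing'; $signer = ''; $isMicrosoft = $false
            if (Test-Path -LiteralPath $exe -PathType Leaf) {
                $sig = Get-AuthenticodeSignature -FilePath $exe
                $status = [string]$sig.Status                # Valid, NotSigned, HashMismatch, ...
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
                # Only a signature that verifies AND names Microsoft counts as a Microsoft entry.
                $isMicrosoft = ($status -eq 'Valid') -and ($signer -match 'O=Microsoft Corporation')
            }
            [pscustomobject]@{
                Key = $key; Name = $p.Name; Command = $p.Value; Exe = $exe
                SigStatus = $status; Signer = $signer; Microsoft = $isMicrosoft
            }
        }
    }
}

# Equivalent of the "Hide Microsoft entries" view: unsigned, tampered, missing or third-party signed.
Get-AutostartEntries | Where-Object { -not $_.Microsoft } |
    Format-Table Name, SigStatus, Signer, Exe -AutoSize
```

A Valid signature from some other company is not proof of legitimacy, and an entry whose file is missing is worth a look too: a start-up command pointing at a deleted file is a common leftover of a removed infection, or of a dropper that has since moved itself.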



Process Explorer
You can use 'Process Explorer' from SysInternals.com to find out more detailed information about all running processes, including the DLLs each one has loaded. Once you find a process or DLL, you want to know whether it is really spyware or some other kind of malware. You can look it up on ProcessLibrary.com.

This website provides information about a process or DLL so you can judge whether it is legitimate or not. You can always use Google as well to find out more about any suspicious-looking process.



WinServiceManager
WinServiceManager provides a single point of administration for managing various aspects of Windows services. It has more features and provides better management functionality than the built-in Windows service management console.

It shows the list of non-Windows services, which lets the user quickly identify and remove additional services; some of these may have been installed by spyware to monitor your activities.



RemoteDLL
Some spyware uses DLLs to monitor the system and to keep itself alive. These DLLs are usually injected into Windows processes such as explorer.exe or winlogon.exe to hide their presence. You can remove such a DLL from the process using the RemoteDLL tool.



Anti Rootkits
All the tools mentioned above are the basic ones for finding out more about running programs.

But there are stealthier programs, rootkits, which cannot be detected by normal programs: they hook the very APIs those programs use to list processes, files and registry keys, and filter themselves out of the answers. You need more sophisticated tools to see them, ones that compare what the API reports against what the kernel or the disk actually holds and show the differences.

There are a couple of rootkit detection tools of this kind, such as BlackLight from F-Secure, McAfee's Rootkit Detective and RootkitRevealer from SysInternals.com.

IceSword is the most advanced of them all; it shows hidden processes, services, drivers, SSDT hooks, message hooks etc.
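The cross-view idea the rootkit detectors above rely on, in its simplest user-mode form. This is an added example, not code from the page and not from any of the tools named. It enumerates processes through three consumers that run in different processes (this PowerShell session's own .NET call, the WMI provider host behind Win32_Process, and tasklist.exe) and reports PIDs that one view returns and another does not. A user-mode hook injected into only some of those processes shows up as a disagreement; a kernel hook on the underlying system call fools all three, which is exactly why IceSword and friends compare against raw kernel structures instead. Assumption: the two-second pause between passes is an arbitrary choice to filter out processes that merely started or exited between snapshots.

```powershell
# Added example: cross-view process enumeration check (not from the original page).
function Get-ProcessViews {
    # Each view is a hashtable PID -> image name, built through a different consumer.
    $viaProcess = @{}
    foreach ($p in Get-Process) { $viaProcess[[int]$p.Id] = $p.ProcessName }

    $viaCim = @{}
    foreach ($p in Get-CimInstance -ClassName Win32_Process) { $viaCim[[int]$p.ProcessId] = $p.Name }

    $viaTasklist = @{}
    $rows = tasklist.exe /fo csv /nh | ConvertFrom-Csv -Header Image,ProcId,Session,SessionNum,Mem
    foreach ($row in $rows) {
        if ($row.ProcId -match '^\d+$') { $viaTasklist[[int]$row.ProcId] = $row.Image }
    }
    return @{ Process = $viaProcess; Cim = $viaCim; Tasklist = $viaTasklist }
}

function Compare-ProcessViews {
    param([Parameter(Mandatory)][hashtable]$Views)   # view name -> (PID -> image name)
    $allIds = @{}
    foreach ($view in $Views.Values) { foreach ($id in $view.Keys) { $allIds[$id] = $true } }
    foreach ($id in ($allIds.Keys | Sort-Object)) {
        $seenIn = @($Views.Keys | Where-Object { $Views[$_].ContainsKey($id) })
        if ($seenIn.Count -eq $Views.Count) { continue }      # every consumer agrees on this PID
        $name = ($seenIn | ForEach-Object { $Views[$_][$id] })[0]
        [pscustomobject]@{
            PID         = $id
            Name        = $name
            SeenIn      = ($seenIn -join ',')
            MissingFrom = (@($Views.Keys | Where-Object { $_ -notin $seenIn }) -join ',')
        }
    }
}

function Find-HiddenProcesses {
    # Processes start and exit between the three snapshots, so a single pass gives
    # false positives. Take two passes and keep only PIDs that disagree both times.
    $first  = Compare-ProcessViews (Get-ProcessViews)
    Start-Sleep -Seconds 2                               # assumed interval, adjust as needed
    $second = Compare-ProcessViews (Get-ProcessViews)
    return @($second | Where-Object { $_.PID -in $first.PID })
}

Find-HiddenProcesses | Format-Table -AutoSize
```

An empty result means the three consumers agree, not that nothing is hidden; a PID that is present in the Cim and Tasklist views but missing from Process is the signature of a hook living inside this PowerShell process, which is a good moment to take the Process Explorer DLL list of the session and look for a module that does not belong.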



MSConfig
The 'msconfig' tool comes with Windows. It not only shows you the list of programs that start by default when you boot your computer but also lets you enable or disable individual startup entries.



HijackThis
This is a very good tool which shows all startup entries (processes, BHOs, services etc.) that come from non-Windows applications. This way you can easily find and knock out suspicious entries.




References

• HijackThis: Removes hijacked entries from the system.

• Autoruns: Enumerates and removes system startup entries.

• Process Explorer: Displays process details including loaded modules.

• WinServiceManager: Manage Windows services from one place.

• RemoteDLL: Tool to inject a DLL into, or remove one from, a process.

• BlackLight: Rootkit detector from F-Secure.

• Rootkit Detective: Rootkit detection tool from McAfee.

• Rootkit Revealer: Sysinternals' rootkit detection tool.