IT Forensics in HK
My growing but still very limited collection of resources on computer forensics careers in HK. Just ping me if you know more.
TVB 財經透視 (finance magazine programme), 2009-10-18: “The Rise of Commercial Forensics / The Jazz Music Market” – http://mytv.tvb.com/news/financemagazine/101386/111
Some of the companies providing forensic services:
- http://www.pwchk.com/home/eng/forensic_tech_solution.html
- http://www.ey.com/CN/en/Services/Assurance/Fraud-Investigation---Dispute-Services
- http://www.lecg.com
- http://www.ferrierhodgson.com/en/Our%20Services/Forensics.aspx
- http://www.gthk.com.hk/web/tc/services/forensic
Training you can get:
- HKU Space Postgraduate Diploma in IT Forensic – http://hkuspace.hku.hk/web_course/show_course.php?code=521&page_code=4414&seq=8&no_of_course=223&start=0&parent_seq=&col=&sort=ASC&keyword=
- SWPearl – http://www.swpearl.com/eng/scripts/enrolment/titlelist.php?id=c1607938316
Organization
KB: Enable multiple Netscreen Ethernet interfaces with IP addresses in the same subnet
Problem: Interfaces cannot have overlapping subnets by default. For example, in a test environment with a “Dual-Untrust” port mode configuration connected to the same subnet as DHCP clients, the second interface cannot be enabled:
DHCP client on interface ethernet3 was offered IP xxx.xxx.xxx.xxx/255.255.224.0 and did not proceed with DHCPREQUEST. Reason — Interface: Illegal overlapping subnet
Resolution:
1) Configure the interfaces on different subnets, or
2) Allow overlapping subnets with the following command:
set vrouter trust-vr ignore-subnet-conflict
KB: Cheat sheet for adding persistent iSCSI volume in Windows Server 2008 Server Core
- Set iSCSI service to autostart
sc config msiscsi start= auto
- Add persistent iSCSI target
iscsicli.exe
QAddTargetPortal <Portal IP Address>
ListTargets
QLoginTarget <target_iqn>
PersistentLoginTarget <target_iqn> T * * * * * * * * * * * * * * * 0
ListPersistentTargets
ReportTargetMappings
- Create disk partition and volume
diskpart.exe
list disk
select disk <disk number>
online disk
attribute disk clear readonly
create partition primary
format fs=ntfs quick
assign letter=<drive letter>
list volume
Remarks: The step that clears the readonly flag in DiskPart is important on Windows Server 2008; otherwise creating the partition fails with a “Media is write protected” error. See http://support.microsoft.com/kb/971436/EN-US for details.
KB: Microsoft iSCSI Software Target 3.2 MSI package hack to remove SKU limitation
The Microsoft iSCSI Software Target 3.2 is designed for Windows Storage Server 2008 and is only distributed to storage OEM partners and MSDN subscribers. The iSCSI target MSI package checks the Windows SKU and shows the error message “Installation is not supported on this operating system.” if it is not being installed on Windows Storage Server.
To install the iSCSI target on another Windows Server SKU for testing purposes, the MSI database can be modified to remove the launch condition.
IMPORTANT: This is never a supported configuration; do it at your own risk.
- Install the tool “Orca” in Windows SDK. See http://support.microsoft.com/kb/255905
- Open the iscsitarget.msi with Orca, look for the IsSupportedSKU condition in LaunchCondition table.
- Remove the IsSupportedSKU condition
- In Tools->Options->Database, make sure “Copy embedded streams during 'Save As'” is checked.
- Click File->Save As to export the modified MSI package.
KB: Windows Storage Server 2008 default password
Password: wSS2008!
Reference: http://resume.jimmarch.com/2009/05/windows-storage-server-2008-rc-default-password/
Good & Bad News: Synology Disk Station Manager 2.2 BETA adds iSCSI target support, but it lacks “persistent reservation” support, making it unusable for Windows Server 2008 cluster storage
I’ve been waiting for the Synology NAS firmware upgrade with iSCSI support so I can try out Windows Server 2008 failover clustering on my Hyper-V box. The good news is that DSM 2.2 BETA is out with iSCSI, but it is IET based, which lacks the SCSI-3 persistent reservation support required by a Windows Server 2008 cluster. Some other software iSCSI targets have the same problem, e.g. OpenFiler.
Reference:
http://blog.baeke.info/blog/_archives/2007/10/24/3311645.html
KB: Lotus Domino 7 and before do not support 4096-bit key root certificate
A 4096-bit key is only supported in Domino 8 and above.
Reference:
http://www-01.ibm.com/support/docview.wss?rs=688&uid=swg21149988
http://www-01.ibm.com/support/docview.wss?uid=swg21213645
http://www-10.lotus.com/ldd/dominowiki.nsf/dx/supported-key-sizes-in-notesdomino
KB: Enable Windows XP Remote Desktop Connection to Windows Vista / Windows Server 2008 requiring Network Level Authentication
Problem: The following error is shown in Windows XP Remote Desktop Connection when connecting to a Windows Vista / Windows Server 2008 host that requires Network Level Authentication.
Solution: Enable the CredSSP security support provider in Windows XP SP3, which is disabled by default.
- Install Windows XP SP3
- Follow the instructions in KB951608 to turn on CredSSP http://support.microsoft.com/kb/951608/
More Information:
My Certificate Authority Lab Setup (Part 1) – Offline Root CA
To start with something simple, I’m building a 2-tier CA hierarchy incorporating an offline root CA and an issuing Windows Server 2003 Enterprise CA.
Some notes on my Root CA setup:
- Install Windows Server 2003, Standard Edition is good enough for an offline CA.
- Workgroup only, DO NOT join Domain.
- Think twice about the computer name before starting the CA installation; the computer cannot be renamed afterwards.
- IMPORTANT! Create CAPolicy.inf in C:\WINDOWS (or %SYSTEMROOT%) to specify empty CRL distribution point and AIA.
Example:
    [Version]
    Signature="$Windows NT$"

    [Certsrv_Server]
    RenewalKeyLength=4096
    RenewalValidityPeriod=Years
    RenewalValidityPeriodUnits=5
    CRLPeriod=days
    CRLPeriodUnits=180

    [CRLDistributionPoint]
    Empty=TRUE

    [AuthorityInformationAccess]
    Empty=TRUE

    [PolicyStatementExtension]
    Policies=AllIssurancePolicy
    Critical=FALSE

    [AllIssurancePolicy]
    OID=2.5.29.32.0
    URL=http://www.contoso.com/cert/cps.htm
- Install Certificate Services only; do not install IIS or other services, to minimize the attack surface. You don’t need web enrollment for this offline CA.
- Use custom settings to specify a key length of 4096 bits and 5 years validity. (Watch out for Domino root certificate key length support: use 2048-bit if any SubCA is going to issue certificates for S/MIME for Domino 6 & 7. More on MyKB.)
- After installation, use “certutil -setreg ca\[name]” to set the issuing validity timespan and the default container distinguished name referenced by the CDP and AIA LDAP URLs.
    Registry              Value
    ValidityPeriod        Years
    ValidityPeriodUnits   2
    DSConfigDN            CN=Configuration,DC=contoso,DC=com
- Configure the CA’s CDP and AIA locations. The objective is to use the external FQDN instead of the computer name in the HTTP URL and to make it come before the LDAP URL.
- Remove the default URLs except the local disk location and add back the following URLs:
    CDP
    URL: http://www.contoso.com/cert/%3%8%9.crl
    Options: CSURL_ADDTOCERTCDP (2)
    URL: ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10
    Options: CSURL_ADDTOCERTCDP (2), CSURL_ADDTOFRESHESTCRL (4), CSURL_ADDTOCRLCDP (8)

    AIA
    URL: http://www.contoso.com/cert/%1_%3%4.crt
    Options: CSURL_ADDTOCERTCDP (2)
    URL: ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11
    Options: CSURL_ADDTOCERTCDP (2)
- Configure the CRL publication interval and make sure Delta CRL is disabled. (An interval of 180 days is already specified in the CAPolicy.inf file.)
- Publish the CRL and examine the CDP location. Make sure the DSConfigDN registry value is set up correctly and you are not seeing the “DC=UnavailableConfigDN” namespace in the LDAP URL.
OK, the root CA is now ready. Next is the issuing enterprise CA.
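A pre-install lint for the CAPolicy.inf step above, as an added example that is not part of the original post: it checks that the [Version] signature uses straight quotes, that no section header is glued to the end of a value line, and that the CDP and AIA sections are set to Empty=TRUE. The function names and both sample files are constructed for illustration.

```python
import re

def parse_inf(text):
    """Parse a CAPolicy.inf body into ({section: {key: value}}, findings)."""
    sections, findings, current = {}, [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or INF comment
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).lower(), {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if re.search(r"\[[^\]]+\]$", value):
                findings.append(f"line {n}: section header glued to value of {key}")
            current[key.lower()] = value
        else:
            findings.append(f"line {n}: cannot parse {line!r}")
    return sections, findings

def lint_capolicy(text):
    """Return a list of findings; an empty list means the checks passed."""
    sections, findings = parse_inf(text)
    signature = sections.get("version", {}).get("signature")
    if signature != '"$Windows NT$"':     # curly quotes from a web page fail here
        findings.append(f"[Version] Signature is {signature!r}")
    for name in ("CRLDistributionPoint", "AuthorityInformationAccess"):
        if sections.get(name.lower(), {}).get("empty", "").upper() != "TRUE":
            findings.append(f"[{name}] is not set to Empty=TRUE")
    policies = sections.get("policystatementextension", {}).get("policies", "")
    for policy in filter(None, (p.strip() for p in policies.split(","))):
        if policy.lower() not in sections:
            findings.append(f"policy section [{policy}] is not defined")
    return findings

# Constructed samples: a clean file, and one damaged by web-page formatting
# (curly quotes, section headers run onto the previous line).
GOOD = "\n".join([
    '[Version]', 'Signature="$Windows NT$"',
    '[Certsrv_Server]', 'RenewalKeyLength=4096', 'CRLPeriod=days', 'CRLPeriodUnits=180',
    '[CRLDistributionPoint]', 'Empty=TRUE', '[AuthorityInformationAccess]', 'Empty=TRUE',
    '[PolicyStatementExtension]', 'Policies=AllIssurancePolicy', 'Critical=FALSE',
    '[AllIssurancePolicy]', 'OID=2.5.29.32.0', 'URL=http://www.contoso.com/cert/cps.htm',
])
BAD = ('[Version]\nSignature= \u201c$Windows NT$\u201d[Certsrv_Server]\n'
       'CRLPeriodUnits=180[CRLDistributionPoint]\nEmpty=TRUE[AuthorityInformationAccess]\nEmpty=TRUE')

if __name__ == "__main__":
    print(lint_capolicy(GOOD), *lint_capolicy(BAD), sep="\n")
```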