Thursday, December 20, 2018

Exiftool, grep and choco fun

I thought I’d share some holiday command line cheer.

If you have Windows 10 then you also have a command line package manager named “choco”. Many tools can be installed just like in Linux from a command prompt.

Exiftool is a great command line tool for looking at document metadata. Much of this metadata may not show up otherwise and can be very useful to investigators.

Grep, a great Linux tool for searching files, can also be installed via choco.

If you would like to install it, just type “choco install exiftool” and it will install.

Or, for grep:

“choco install grep”

Now, to use exiftool or grep, just open a command prompt and run the program you just installed, like so:

exiftool c:\path_to_file

grep --help
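
Once both tools are installed, the two usually get chained: exiftool dumps the metadata and grep pulls out the lines that matter. The following Node.js script is an added example, not code from the EasyMetaData post or from the ExifTool project. It reads the JSON that the real `exiftool -j` option prints, summarises the fields an investigator looks at first, flags a few inconsistencies (a modify date earlier than the create date, GPS present, a different last editor than the author), and offers a grep-style regex search over every metadata value. Only runExiftool() assumes exiftool is on PATH; everything else runs on the constructed SAMPLE, whose file names and values are made up.

```javascript
// Added example, not from the EasyMetaData post: triage the JSON that
// `exiftool -j` prints and grep it for a pattern. Only runExiftool() needs
// exiftool on PATH (the choco-installed binary); the other functions work on
// any exiftool -j output, including the constructed SAMPLE below.

// Tags an investigator usually looks at first (real ExifTool tag names).
const INTERESTING = [
  'Author', 'Creator', 'LastModifiedBy', 'Software', 'Producer',
  'CreateDate', 'ModifyDate', 'GPSLatitude', 'GPSLongitude', 'GPSPosition',
];

// Run `exiftool -j <paths...>` and return the parsed array of records.
function runExiftool(paths) {
  const { execFileSync } = require('child_process');
  const out = execFileSync('exiftool', ['-j', ...paths], { encoding: 'utf8' });
  return JSON.parse(out);
}

// ExifTool prints dates as "YYYY:MM:DD HH:MM:SS" (optionally followed by a
// zone); parse that into a Date, treating the wall-clock part as UTC.
function parseExifDate(s) {
  if (typeof s !== 'string') return null;
  const m = s.match(/^(\d{4}):(\d{2}):(\d{2}) (\d{2}):(\d{2}):(\d{2})/);
  if (!m) return null;
  return new Date(Date.UTC(+m[1], +m[2] - 1, +m[3], +m[4], +m[5], +m[6]));
}

// Summarise one record: who touched the file, with what, when and where,
// and flag the inconsistencies worth a second look.
function triageRecord(rec) {
  const summary = { file: rec.SourceFile, fields: {}, flags: [] };
  for (const tag of INTERESTING) {
    if (rec[tag] !== undefined) summary.fields[tag] = rec[tag];
  }
  const created = parseExifDate(rec.CreateDate);
  const modified = parseExifDate(rec.ModifyDate);
  if (created && modified && modified < created) summary.flags.push('modified-before-created');
  if (rec.GPSLatitude !== undefined || rec.GPSPosition !== undefined) summary.flags.push('has-gps');
  // Office documents expose the author as Creator, PDFs as Author.
  const author = rec.Author !== undefined ? rec.Author : rec.Creator;
  if (author && rec.LastModifiedBy && author !== rec.LastModifiedBy) summary.flags.push('multiple-editors');
  return summary;
}

// grep-like search over every metadata value; returns {file, tag, value} hits.
function grepMetadata(records, pattern, flags = 'i') {
  const re = new RegExp(pattern, flags);
  const hits = [];
  for (const rec of records) {
    for (const [tag, value] of Object.entries(rec)) {
      if (tag !== 'SourceFile' && re.test(String(value))) {
        hits.push({ file: rec.SourceFile, tag, value });
      }
    }
  }
  return hits;
}

// Constructed sample shaped like `exiftool -j` output; these files do not exist.
const SAMPLE = [
  {
    SourceFile: 'c:/evidence/report.docx', Creator: 'jsmith', LastModifiedBy: 'contractor01',
    CreateDate: '2018:12:01 09:15:00+00:00', ModifyDate: '2018:11:28 17:02:11+00:00',
    Software: 'Microsoft Office Word',
  },
  {
    SourceFile: 'c:/evidence/IMG_0042.jpg', Make: 'Apple', Model: 'iPhone 8',
    CreateDate: '2018:12:10 14:22:09',
    GPSLatitude: '40 deg 44\' 54.36" N', GPSLongitude: '73 deg 59\' 8.36" W',
  },
];

// `node metatriage.js file1 file2 ...` triages real files; with no arguments
// it runs over the constructed sample.
if (typeof require === 'function' && require.main === module) {
  const records = process.argv.length > 2 ? runExiftool(process.argv.slice(2)) : SAMPLE;
  for (const rec of records) console.log(JSON.stringify(triageRecord(rec)));
  console.log(grepMetadata(records, 'contractor'));
}
```

Run it as `node metatriage.js c:\path_to_file` to triage real files (the script name is an assumption; the `-j` flag is ExifTool's own JSON output switch). Comparing the CreateDate and ModifyDate strings only works because ExifTool's fixed "YYYY:MM:DD HH:MM:SS" layout sorts the same as the dates themselves; the parser above converts them anyway so that a zone suffix does not break the comparison.
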

Enjoy!


by Dave via EasyMetaData

Wednesday, September 26, 2018

Edge browser about:config

Recently I became curious what you can configure in the Edge browser. In this short post I’m going to talk about about:config in MS Edge. The options are limited but helpful.

Privacy over VPN?

  • WebRTC. What is WebRTC? It is a browser API that lets JavaScript set up real-time peer-to-peer connections. There is a box you can check to hide your local IP address over WebRTC connections. If you are on a VPN this may help reduce the exposure of your computer’s IP address in Edge and in Windows apps that use Edge.
  • Make sure “Allow Adobe Flash localhost loop-back” is unchecked. Unchecked should be the default.
  • Turn on “View Source” to look at the page source like you can in Firefox.
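
The WebRTC setting is easy to verify rather than take on trust. The script below is an added example, not from the EasyMetaData post: classifyCandidate() parses the "candidate:" lines every browser emits during ICE gathering and sorts the address into private LAN, link-local, loopback, public, or the mDNS ".local" name a browser substitutes when it hides the local IP; localIpExposed() then says whether any host candidate carries a real address of the machine. probeLocalIpLeak() is the browser-side part: it only runs where RTCPeerConnection exists, gathers host candidates with no STUN or TURN servers, and resolves with the classified list, so running it in the page console before and after ticking the Edge box shows whether the LAN address stopped appearing. The candidate lines in LEAKING_SESSION and MASKED_SESSION are constructed, not captured.

```javascript
// Added example, not from the EasyMetaData post: see what a WebRTC ICE
// candidate gives away. classifyCandidate() parses the "candidate:" lines
// every browser emits (RFC 8839 syntax); probeLocalIpLeak() only runs where
// RTCPeerConnection exists (a browser page or devtools console).

// Addresses in these classes identify your machine or LAN; an mDNS ".local"
// name (what browsers substitute when hiding the local IP) does not.
const REVEALING = new Set(['private-ipv4', 'unique-local-ipv6', 'link-local-ipv6', 'public']);

function classifyAddress(addr) {
  if (/\.local$/i.test(addr)) return 'mdns';
  if (/^127\./.test(addr) || addr === '::1') return 'loopback';
  if (/^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)\d/.test(addr)) return 'private-ipv4';
  if (/^fe80:/i.test(addr)) return 'link-local-ipv6';
  if (/^f[cd][0-9a-f]{2}:/i.test(addr)) return 'unique-local-ipv6';
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(addr) || /^[0-9a-f:]+$/i.test(addr)) return 'public';
  return 'unknown';
}

// Parse one ICE candidate line: "candidate:<foundation> <component> <transport>
// <priority> <address> <port> typ <type> ..." (a leading "a=" is tolerated).
function classifyCandidate(line) {
  const m = line.match(/candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)/);
  if (!m) return null;
  return {
    address: m[5],
    port: Number(m[6]),
    transport: m[3].toLowerCase(),
    type: m[7],
    category: classifyAddress(m[5]),
  };
}

// True when any host candidate carries a real address of this machine.
function localIpExposed(candidates) {
  return candidates.some((c) => c !== null && c.type === 'host' && REVEALING.has(c.category));
}

// Browser-only: gather host candidates with no STUN/TURN servers configured.
function probeLocalIpLeak() {
  if (typeof RTCPeerConnection === 'undefined') return Promise.resolve(null);
  return new Promise((resolve, reject) => {
    const pc = new RTCPeerConnection({ iceServers: [] });
    const found = [];
    pc.createDataChannel('probe'); // ICE needs at least one media/data section to start
    pc.onicecandidate = (e) => {
      if (e.candidate) {
        found.push(classifyCandidate(e.candidate.candidate));
      } else { // a null candidate means gathering has finished
        pc.close();
        resolve({ candidates: found, localIpExposed: localIpExposed(found) });
      }
    };
    pc.createOffer().then((offer) => pc.setLocalDescription(offer)).catch(reject);
  });
}

// Constructed candidate lines (not captured from a real session).
const LEAKING_SESSION = [
  'candidate:842163049 1 udp 1677729535 192.168.1.23 54321 typ host generation 0',
  'candidate:842163050 1 udp 1677729535 fe80::1c2b:3d4e:5f60:7a8b 54322 typ host generation 0',
];
const MASKED_SESSION = [
  'candidate:842163049 1 udp 1677729535 4e3a9c1e-7b2d-4f5a-9c1e-2b7d4f5a9c1e.local 54321 typ host generation 0',
];
```

In a browser, `probeLocalIpLeak().then(console.log)` prints the classified candidates; with the Edge box ticked the host candidates should come back as `mdns` (or not at all) and `localIpExposed` should be false. Outside a browser the probe resolves to null and the parsing functions can still be exercised on captured candidate lines.
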

by Dave via EasyMetaData

Monday, August 27, 2018

Security Onion is what #SIEM @securityonion #dfir #infosec

It’s been a while since I have written a post. I need to write something so I figured I’d write about what takes up most of my days… Honestly, a lot has happened in my personal life. I got married, purchased a house and I’m expecting a baby. So it doesn’t take much imagination to guess where my free time has gone.

I have also branched out beyond disk based forensics to SIEM (or Security Information and Event Management) using a product called Security Onion. I have a networking and Linux background so the concepts weren’t at all foreign to me. It took a while to get my head around it though. The layers of integrated products built on top of Security Onion took a lot more time to learn than I expected. What I learned was that when you are new to it you will fail, repeatedly at first.

What drew us in were a couple of things we needed. #1 it’s free, #2 it scales and #3 it uses Logstash/Elastic/Kibana so it’s flexible and json friendly.

Security Onion has been around a long time, nearly 10 years based on the first blog post on the Security Onion blog back in 2008… But, what really made it interesting to us was the impending switch to Logstash/Elastic/Kibana.

Since I started the implementation it has moved from experimental to production with Kibana. The full switch away from ELSA to Kibana has allowed the flexibility you expect from Elastic. Also helpful, new releases come out regularly… I find that to be a sign of a strong and active community behind the project.

The documentation is decent if you understand the product well. The Google Groups are only modestly helpful however, and a lot of the learning requires trial and error along with a strong Linux, Syslog, networking and Elastic understanding.

Anyway, if you are doing Security Onion stuff and want to connect feel free to ping me on Twitter. I am still learning and can use all the help I can get. If there is a Slack group out there let me know!

-Dave


by Dave via EasyMetaData