Archive for the ‘Forensics’ Category

My articles in Chmag

October 3, 2011

Well, it's a late announcement, but still:
My articles on forensics have been published in CHmag for the Matriux Vibhag section. More to come.

Forensics Part-I – Introduction and Acquisition
Forensics Part-II – Analysis
Forensics Part-III – Analysis Part II (article submitted, yet to be published) 🙂

Your comments and suggestions will make my articles more interesting and better knowledge-sharing material. Please give your feedback after going through them :).

First Indian Security and Hacking Magazine

Articles related to Forensics

Hi friends,

Here are some interesting forensics articles; more coming soon.

Linux live forensics

Analysis of Stuxnet using System internals

Stuxnet’s Footprint in Memory with Volatility 2.0

Prefetch files at Face Value


Virtual Machine Data recovery using Open VMFS Driver


All credit goes to the respective authors of these posts; I am only sharing them.


December 9, 2010
Hi friends,

In India we were waiting to see a 'hacking' magazine happen, and the wait was getting a little long. So finally ClubHack decided to come out with its own, the first Indian "Hacking" magazine, called CHmag. We at ClubHack are very excited about the magazine; it fits our main objective of making hacking and information security common sense for the common man. To start with, we have the sections below. We hope to add a lot of sections in future; all we need is input from you on what you would like to see in your magazine. Moving further, we need a lot of help from the whole information security community of the country to make this a success.

ClubHack Magazine has 11 issues to date; you can check for the issues. It is a free magazine, both to read and to contribute to: if you have new ideas or want to share new technologies with security enthusiasts, you can send them here, and they will be printed in the magazine if the topic has the substance. We at ClubHack are more than thrilled about the magazine, which fits our main objective of making hacking and information security common sense. The magazine is divided into the following sections:
0x00 Tech Gyan of the month
0x01 Legal Gyan of the month
0x02 Tool Gyan of the month
0x03 Command Line Gyan of the month
0x04 Mom’s Guide of the month
0x05 Awareness Poster of the month

We hope to add a lot of sections in future; all we need is input from you as to what you would like to see in your magazine.

Recent CHmagazine issue

Hope you enjoy the magazine and gain knowledge from it.

Your support is needed for its development.


KERNEL: the heart of the operating system

November 15, 2010
Hi Friends,
Most of us use Linux boxes; we can identify our Linux kernel version and, when updates or patches are released, we know how to patch or update the kernel. But what about a Windows box: does Windows use a kernel? The answer is yes. No operating system runs without a kernel; the kernel is the heart and mind of the operating system. So:
Can we identify our Windows kernel version? How?
Do Linux and Windows use the same kernel?
How can we update the kernel in Windows?
What details can we get about the kernel?
We can identify the Windows kernel, but there is no direct option to get the Windows kernel version. We can get it from certain log entries, from third-party tools, or from registry entries.
When a Windows box boots, an entry with Event ID 6009 is generated in the event log.
That log entry does not indicate whether you booted the PAE (Physical Address Extension) version of the kernel. We can determine that from the registry entry HKLM\SYSTEM\CurrentControlSet\Control\Session Manager > PhysicalAddressExtension.

Another way to identify your kernel details is with a debugger such as WinDbg: open a local kernel debugging session and use the list-modules command (`lm`) to list the details of the kernel image.

* Make sure the symbols are present.

We can check the product type and product suite under HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions > ProductType and ProductSuite.

The kernel works purely on top of the HAL (the HAL is a layer of code that isolates the kernel, device drivers, and the rest of the Windows executive from platform-specific hardware differences).

Linux and Windows use different kernels.

Changing or upgrading the operating system changes the kernel version. As of now, Windows Vista has WinNT, and Windows Server 2008 has LanmanNT / ServerNT, as its product type.

We can use tools like SIPolicy and the Windows Driver Kit to get more details about the kernel.
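The checks above, collected into one script. This is an added example and not code from the original post; it assumes PowerShell 3.0 or later, an elevated session on the box being examined, and that the PhysicalAddressExtension value sits in the Memory Management subkey under Session Manager (where 32-bit systems keep it; 64-bit systems may not have it at all).

```powershell
# Added example (not from the original post): gather the Windows kernel
# details the post describes from the places it names.

# 1. The boot-time banner. Event ID 6009 (source EventLog) in the System log
#    records the OS version, build, service pack and kernel flavour
#    (e.g. "Uniprocessor Free") every time the box boots.
$boot = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 6009 } -MaxEvents 1 -ErrorAction SilentlyContinue
if ($boot) { "Last boot ({0}): {1}" -f $boot.TimeCreated, $boot.Message.Trim() }

# 2. The kernel image itself: the file version stamped on ntoskrnl.exe.
$krnl = Get-Item (Join-Path $env:SystemRoot 'System32\ntoskrnl.exe')
"Kernel image : {0} (ProductVersion {1})" -f $krnl.FullName, $krnl.VersionInfo.ProductVersion

# 3. ProductOptions: WinNT = workstation, LanmanNT / ServerNT = server.
$po = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\ProductOptions'
"ProductType  : {0}" -f $po.ProductType
"ProductSuite : {0}" -f ($po.ProductSuite -join ', ')

# 4. PAE. Assumption: the value lives in Session Manager\Memory Management.
#    It is 0 or 1 on 32-bit systems and is usually absent on 64-bit ones,
#    where PAE is always on. Win32_OperatingSystem reports the running state.
$mm  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$pae = if ($null -ne $mm.PhysicalAddressExtension) { $mm.PhysicalAddressExtension } else { 'not set' }
"PAE (registry): {0}" -f $pae
$os = Get-CimInstance Win32_OperatingSystem
"PAE (running) : {0}  Arch: {1}  Version: {2}" -f $os.PAEEnabled, $os.OSArchitecture, $os.Version
```

On an offline disk image, load the SYSTEM hive from the image with `reg load` under a temporary key and point the two registry paths at that key instead.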

Categories: cyberstack, Forensics

Booting Process in Windows

September 15, 2010

Hi. Everyone uses desktops or laptops these days, but some of us don't know how the computer starts, how it boots Windows, or why some files matter, the ones we delete accidentally when we see them as hidden. I hope this post will help beginners, and serve advanced users as a reference.

When we power on, the SMPS starts and sends the Power Good signal to the components; the CPU then starts and reads its first instruction from the BIOS (an error message is given if there is any error in RAM or CMOS).
The BIOS performs the POST (Power On Self Test), checking all the hardware components.
The BIOS then loads the MBR.
The MBR (Master Boot Record), which stores the boot record, loads the boot sector of the system partition.
The boot sector loads NTLDR.
NTLDR reads BOOT.ini.
BOOT.ini stores which operating system is to be booted on a dual-boot system, and the display time for the operating system selection menu.
**From this file we can change the name of the operating system shown at boot time and the display time.
Using BOOT.ini, the loader performs BIOS hardware detection and then loads NTOSKRNL.exe, HAL.dll, BOOTVID.dll and KDCOM.dll from the boot volume.
Here NTOSKRNL is linked against the HAL (Hardware Abstraction Layer), which is in turn linked against NTOSKRNL (they both use functions in each other). NTOSKRNL is also linked to the following binaries:
Pshed.dll (Platform-Specific Hardware Error Driver): provides an abstraction of the hardware error reporting facilities of the underlying platform by hiding the details of the platform's error handling mechanisms from the operating system and exposing a consistent interface to Windows.
Bootvid.dll (Boot Video Driver): provides support for the VGA commands required to display boot text and the boot logo during startup. On x64 kernels this library is built into the kernel to avoid conflicts with Kernel Patch Protection (KPP).
NTLDR loads windows\system32\system, which is your system hive (HKLM\SYSTEM in regedit).
NTLDR loads the drivers flagged as "boot" in the system hive, then passes control to NTOSKRNL.exe.
NTOSKRNL.exe brings up the loading splash screen and initializes the kernel subsystems,
then starts the boot-start drivers, then loads and starts the system-start drivers, then creates the Session Manager process (SMSS.EXE).
SMSS.exe runs any programs specified in BootExecute, such as chkdsk or an antivirus cleaning infected files.
It then processes any pending installations, such as service pack updates.
SMSS.exe then initializes the paging files and the remaining registry hives, starts the kernel-mode portion of the Win32 subsystem (WIN32K.SYS) and the user-mode portion (CSRSS.EXE), and starts WINLOGON.exe.
WINLOGON.exe starts the Local Security Authority (LSASS.EXE), loads the Graphical Identification and Authentication (GINA) DLL and displays the logon window; on user action it starts the Service Controller (SERVICES.EXE).

SERVICES.EXE starts all services.
This process is the same in Windows XP, Vista and 7, but in Vista and 7 it has been updated and security has been added. My next post will discuss other system files.
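The boot artefacts the post walks through (BOOT.ini, the BootExecute list that SMSS.exe runs, and the boot-start and system-start drivers in the system hive), listed from a live machine. This is an added example and not code from the original post; it assumes PowerShell 3.0 or later and an elevated session, and it reads the hive as HKLM\SYSTEM rather than from the file on disk.

```powershell
# Added example (not from the original post): list the boot artefacts the
# post describes, read from the live system hive (HKLM\SYSTEM).

# BOOT.ini (XP-era) holds the OS entries and the selection timeout.
$bootIni = Join-Path $env:SystemDrive 'boot.ini'
if (Test-Path $bootIni) {
    "--- $bootIni ---"
    Get-Content $bootIni
} else {
    "No boot.ini found (Vista and later keep this in the BCD store; see 'bcdedit /enum')."
}

# BootExecute: programs SMSS.exe runs before the paging file and the remaining
# hives are set up. The default is 'autocheck autochk *' (the chkdsk pass the
# post mentions); any extra entry is worth a second look during triage.
$sm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
"--- BootExecute ---"
$sm.BootExecute | ForEach-Object { "  $_" }

# Drivers by start type. Start 0 = boot-start (loaded by NTLDR before the
# kernel runs), Start 1 = system-start (loaded by NTOSKRNL afterwards).
# Type 1 = kernel driver, Type 2 = file-system driver.
$startNames = @{ 0 = 'Boot'; 1 = 'System' }
$drivers = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' |
    ForEach-Object { Get-ItemProperty $_.PSPath } |
    Where-Object { ($_.Type -in @(1, 2)) -and ($_.Start -in @(0, 1)) } |
    Select-Object PSChildName, Start, Type, ImagePath, Group |
    Sort-Object Start, Group, PSChildName

foreach ($s in 0, 1) {
    "--- $($startNames[$s])-start drivers ---"
    $drivers | Where-Object Start -eq $s |
        ForEach-Object { "  {0,-20} {1,-24} {2}" -f $_.PSChildName, $_.Group, $_.ImagePath }
}
```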
Categories: cyberstack, Forensics

How to Test Software

Everyone uses many software products in day-to-day life, and a user has the chance to report bugs and errors in the software to the manufacturer. So how can we test software? There are many ways. Take, for example, software that runs on a Microsoft operating system (most users use Windows, as its interface is very user friendly): we can check it from the Performance, Usability and Security perspectives.

Performance: We can check most of the performance details in our powerful tool, Windows Task Manager. This covers application start-up time and how it performs for a single operation; the CPU usage and process usage while the application is running (how much it uses depends on the application, but every application should run at normal priority); how long it takes to access a service; how much virtual memory is used; the process ID; and how much page file is used.

Usability: The usability of the application can be judged as we use it: stopping its services from services.msc, switching users while the application is running, restarting the services while the application is running, accessing the application concurrently (running it and then opening it again), and observing installation and uninstallation when cancelling or going back and forth while installing, and more.

Security: Securing a product is the most interesting part of testing and working with software. We can check the exact paths where the files are installed and where shortcuts are created, which services the application uses to run, which port numbers it uses for communication, whether the running application's files in the installation folder can be deleted or replaced, whether the software's registry entries can be replaced, and more.

Categories: cyberstack, Forensics