Andrew Hay

• Dates from Unallocated Space « SANS Computer Forensics, Investigation, and Response
  (tags: sans forensic analysis)
• Bell Canada customer billed $207,000 after hacker breach
  Woah…that's a lot of phone calls.
  (tags: phone breach hacker)

• McAfee Security Insights Blog » What is the difference between DLP, ILP, CMF and EPS ?
  (tags: dlp ilp cmf eps)
• Spin-Stand Microscopy of Hard Disk Data « SANS Computer Forensics, Investigation, and Response
  (tags: sans forensics)
• Should Certification Exams Change? : The Security Catalyst
  I feel kind of dirty tagging myself
  (tags: certification exams)
• Recovering Open But Unlinked File Data « SANS Computer Forensics, Investigation, and Response
  (tags: forensics incident response)
• TaoSecurity: Why Network Taps
  I agree with Richard on this. I'm a big fan of network taps for traffic collection but be prepared to pay for the convenience.
  (tags: network tools monitoring)
• Test your defenses against malicious USB flash drives – Computerworld Blogs
  Great article!
  (tags: malware flash malicious usb registry)

The business had a requirement to validate the time on a handful of remote Windows XP machines to ensure that their times were all synchronized. This audit point was a show stopper and required a solution ASAP. The current solution was to VNC to the system and visually validate the time. I started thinking that there must be a way to remotely check this from a script so I posted a call for help out on Twitter.

Special thanks to @domdingelmom for pointing me to the WMI Tasks: Dates and Times article on MSDN.

Using this link as a guide I was able to create the following visual basic script to make the remote call:

Set dtmInstallDate = CreateObject( _
"WbemScripting.SWbemDateTime")
strComputer = "__NETBIOS__"
Set objSWbemLocator = CreateObject("WbemScripting.SWbemLocator")
Set objSWbemServices = objSWbemLocator.ConnectServer _
(strComputer, "root\cimv2", _
"__DOM\USER__", "__PASSWORD__")
Set objOS = objSWbemServices.ExecQuery( _
"Select * from Win32_OperatingSystem")
For Each strOS in objOS
dtmInstallDate.Value = strOS.InstallDate
Wscript.Echo dtmInstallDate.GetVarDate
Next

Where:
- __NETBIOS__ is the NETBIOS name of the machine
- __DOM\USER__ is the user name allowed to make the query (e.g. DOMAIN\andrew)
- __PASSWORD__ is the password to authenticate

You then take the code and put it into a file called test.vbs. This should make validating the time a 5 second task by simply running: cscript test.vbs > results.txt

Not the most monumental scripting task ever undertaken but not bad for a guy who hates to code. With some further tweaking I hope to make this script capable of handling more than one system (possibly a list of systems) and allow for the input of credentials.

Enjoy

• Payment Processor Breach May Be Largest Ever – Security Fix
  Wow…that's a lot.
  (tags: breach payment)

• Security Ninja Blog | Code flaws matrix version 1
  Thanks to Brian Honan for pointing me at this list.
  (tags: code flaws programming)
• Decoys: 8 Inflatable Military Decoys
  I can't help but wonder how effective fake appliances with blinky lights might be at deterring potential attackers if you let pictures of your data center "leak" out onto the Internet?
  (tags: military decoy)
• Finshake
  (tags: snort ids ips)
• Single drive wipe protects data, research finds
  I still feel better following DoD standards…but that's just me.
  (tags: security forensics privacy)