tasklist.exe /S r01tdoty
taskkill.exe /S r01tdoty /IM bitcoin.exe
taskkill.exe /S r01tdoty /PID 2028
taskkill.exe /S r01tdoty /PID 2028 /F

• scsi0:0.fileName = “zimbra-000001.vmdk“
• uuid.bios = “56 4d 3f 3d 32 80 5b f2-94 31 21 c9 b2 c3 93 b9“
• ethernet0.generatedAddress = “00:0c:29:c3:93:b9“

And then build the command-line:

kvm -drive file=zimbra-000001.vmdk,boot=on \
  -net nic,macaddr=00:0c:29:c3:93:b9 -net tap \
  -uuid 564d3f3d-3280-5bf2-9431-21c9b2c393b9

The UUID is optional, but might be useful for applications using it for validation (i.e. Windows), and the MAC address as well.

Second way could be to convert the disk image:

kvm-img convert -O qcow2 zimbra-000001.vmdk zimbra.qcow

vmware-vdiskmanager -r VMWareDisk.vmdk -t 0 VMWareSingleDisk.vmdk

(note it is “-t zero” above, thank you, fun with fonts…)

The resulting image can then be used directly, or converted to a “friendlier” format such as raw disk image or qcow.

qemu-img convert VMWareSingleDisk.vmdk -O qcow2 KVMDiskImage.qcow
qemu-img convert VMWareSingleDisk.vmdk -O raw KVMDiskImage.img

My preference is to use raw disk image files as they can be directly processed with normal forensic tools.

GNU grep is very slow in the UTF-8 locale. It is orders of magnitude faster in the C locale. To check your current locale, type the following at shell prompt: locale

LANG=en_US.utf8
LC_CTYPE="en_US.utf8"
LC_NUMERIC="en_US.utf8"
LC_TIME="en_US.utf8"
LC_COLLATE="en_US.utf8"
LC_MONETARY="en_US.utf8"
LC_MESSAGES="en_US.utf8"
LC_PAPER="en_US.utf8"
LC_NAME="en_US.utf8"
LC_ADDRESS="en_US.utf8"
LC_TELEPHONE="en_US.utf8"
LC_MEASUREMENT="en_US.utf8"
LC_IDENTIFICATION="en_US.utf8"
LC_ALL=

In the above example, my locale is en_US.UTF-8. If you are grep’ing very large files, you can greatly improve the speed by changing the locale to C. In bash, you would type: export LC_ALL=C

Then type locale again, the display should look something like this :

LANG=en_US.utf8
LC_CTYPE="C"
LC_NUMERIC="C"
LC_TIME="C"
LC_COLLATE="C"
LC_MONETARY="C"
LC_MESSAGES="C"
LC_PAPER="C"
LC_NAME="C"
LC_ADDRESS="C"
LC_TELEPHONE="C"
LC_MEASUREMENT="C"
LC_IDENTIFICATION="C"
LC_ALL=C

At some point grep is supposed to address this issue. Until then, use the C locale with grep. If you frequently use grep to search for large text files you should alter the locale in your  .bash_profile.

DumpIt

For those who missed the news MoonSols DumpIt had been released as a free version. It supports both 32bits and 64bits memory acquisition, it’s fast and only one executable which makes it really easy to deploy on a USB storage for instance.

More information there :

http://www.moonsols.com/2011/07/18/moonsols-dumpit-goes-mainstream/

http://www.tateu.net/software/

Although the road was very slightly more circuitous it serves no useful purpose to elaborate. What works and what doesn’t:

Installation — this goes just swimmingly and leaves a false impression

Error: there’s a commandline error about opengl. It was eliminated by calling as follows:

LD_PRELOAD=/usr/lib32/nvidia-current/libGL.so wine ~/.wine/drive_c/Program\ Files/DAZ\ 3D/Carrara8/Carrara.exe

It accepted the registration information no problem and I added a run time. Some icons (I haven’t checked for a commonality) are not displayed, but the two items tried (AE Boat, Victoria 4.2) load without issue. The GUI is amazingly responsive

Rendering fails 100% of the time, instantly on launch. It might have to do with multi-threaded code, I’m not sure. The error message is the ever informative “An error occured.”

Visiting the shader room gives an immediate error due to the mini-render view. All the sphere previews for the different parts of the shader tree are blank (no ability to render).

Eliminating the overhead of Windows operating system bloat overall seems to be a good thing performance-wise. But the inability to render anything ultimately makes this an exercise in futility.

F-Prot has a linux client that is a command line scanner and very easy suitable though it does not appear to have good detection.

AVG also has a free linux client, but it appears to be focused on the desktop and did not appear to have a way to on demand scan a file, or to prevent attempts at removal or containment. It relies on a service that, after installation, was not enabled. It may also require a paid license to function, despite being “free.”

Supposedly SuperAntiSpyware works perfectly in Linux using WINE, though I have not tested that yet.

Malwarebytes has pretty good detection rates, but it has not been tested in WINE either.

Another option is to generate file hashes and check those against VirusTotal or similar services. For example, to get the hashes, associate names, remove duplicates and check against Team Cymry’s Malware Hash Registry (http://www.team-cymru.org/Services/MHR/):

$ find /mnt/ntfs -type f -exec md5sum ‘{}’ ‘;’ > windows_file_hashes
$ cat windows_file_hashes | awk ‘{print $1}’ > just_hashes
$ sort just_hashes | uniq > sorted_hashes
$ netcat hash.cymru.com 43 < sorted_hashes > scanned_hashes

Information for creating and managing VMs with KVM

Create a new hard disk:

# Pre-allocated
dd if=/dev/zero of=newDisk.dd bs=1024 count=8000
# Sparse
dd if=/dev/zero of=newDisk.dd bs=1 count=0 seek=8G

Initial Install

# Windows
kvm -hda newDisk.dd -net nic -net user -cdrom WinXPCD.iso

Running KVM

# emulate specific real hardware
kvm -cpu athlon -soundhw ac97 -m 512M -vga cirrus
# using a VMWare image
kvm <other settings> -vga vmware
# avoid writing to hard drive
# ** doing this WILL change the hard disk file, even if pre-allocated (par2 detected re-ordered blocks)
kvm <other settings> -snapshot

Backing up a disk image

# create parity files for a state, use par2 to "repair" the disk image to restore the state
# -m is used to speed loading of the disk image
# -r sets the level of redundancy as a percent
par2create -m100000000 -r20 newDisk.dd-YYYYMMDD-title.par2
# use rsync to update a snapshot image of a sparse hard drive file
dd if=/dev/zero of=snapshotDisk.dd bs=1 count=0 seek=8G
rsync -av --inplace /path/to/newDisk.dd /path/to/snapshotDisk.dd