Category Archives: Windows 7

How To Use BitLocker With Attached VHD Drive Image Files And RAM Disks

Filed under Misc, Windows 7

You can mount a VHD image file as a drive letter and then encrypt the contents of that VHD with BitLocker.  This allows multiple users to share a computer and use BitLocker to keep their files secret from each other.  When a VHD file using BitLocker is backed up or copied to a plaintext USB drive, the VHD file stays encrypted, which is not true of the files on a volume using whole-drive encryption.  If you copy the VHD file to a portable drive, the portable drive can stay in plaintext while the contents of the VHD file remain BitLocker-encrypted, which is nice when you need some regular plaintext portable storage too.  You can conveniently mount/unmount VHD drives from within Windows Explorer or from the command line.  The following will show you how to do it.

Requirements

To create a BitLocker VHD drive, you must have Windows 7 Enterprise or Ultimate, Windows Server 2008-R2, or later operating systems.  (Home and Professional editions of Windows 7 cannot be used to create BitLocker To Go drives, but they can use such drives after they are created on another system.)

You will likely want to install the free VHD Attach utility.  It isn’t absolutely required, but it makes working with VHD drives much more convenient.  With this utility you can simply right-click a VHD file to attach (mount) or detach (unmount) it as a drive letter.


Procedures

Download and install the free VHD Attach utility, if you wish to use it (recommended).

In the Administrative Tools folder of the Start Menu, go to Computer Management > Storage > right-click Disk Management > Create VHD.  Create a VHD file larger than 64MB in size.

Scroll down in Disk Management, find the new disk > right-click its box (left side) > Initialize Disk > OK > right-click the disk’s partition area (right side) > New Simple Volume > follow the wizard to format the volume using NTFS or one of the FATs (NTFS preferred).

In Windows Explorer, right-click the new drive > Turn On BitLocker.  Encrypt the VHD drive with BitLocker To Go in the regular way with a passphrase or smart card.  Remember not to store the recovery key file on the same computer as the VHD drive!

(Optional) In Windows Explorer, right-click the new drive > Manage BitLocker > Automatically Unlock This Drive On This Computer.  This protects the BitLocker VHD drive with your desktop logon credentials.  If you want to be prompted for your BitLocker passphrase whenever you first attach the VHD drive, do not select this option (perhaps because others know your logon password).

In Windows Explorer, if you installed the VHD Attach utility, find the VHD file on the host hard drive (probably C:\) > right-click the VHD file > select Detach/Attach/Open.  Detach will unmount the drive letter.  Attach will mount the VHD file as a drive and then you’ll be prompted for your BitLocker passphrase or smart card (or neither, if you enabled the Automatic Unlock feature).  Open will show information about the VHD drive such as sector size, volume identifier, vendor ID, etc.

Command-Line Use

The VHD Attach utility installs a binary named VhdAttachExecutor.exe.  It supports two command-line switches: /attach vhdfilepath and /detach vhdfilepath.  These can be used in custom scripts or desktop shortcuts to simplify the use of VHD drives.  You can also use the built-in DISKPART.EXE tool, but this is much less convenient.
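As an added example (not the post's own code and not part of the VHD Attach utility), here is the whole procedure above driven from the built-in tools only, which is what you would script if you did not want to depend on VhdAttachExecutor.exe: a small PowerShell wrapper feeds diskpart.exe a script file to create, attach and detach the VHD, and calls manage-bde.exe to turn BitLocker To Go on and to lock/unlock the volume.  The file path, VHD size and drive letter are assumptions, and both tools must be run from an elevated prompt.

```powershell
# Added example: BitLocker VHD lifecycle with diskpart.exe and manage-bde.exe only.
# Both tools ship with Windows 7 Enterprise/Ultimate and Server 2008 R2.
# Path, size and drive letter below are assumptions; adjust to taste.
$VhdPath = 'C:\Users\Public\secret.vhd'   # assumed location of the VHD file
$Letter  = 'V'                            # assumed free drive letter

function Invoke-DiskPart([string[]]$Commands) {
    # diskpart reads a batch of commands from a script file given with /s.
    $script = [IO.Path]::GetTempFileName()
    $Commands | Set-Content -Path $script -Encoding ASCII
    try   { diskpart.exe /s $script }
    finally { Remove-Item $script -Force }
}

function New-BitLockerVhd {
    # Step 1-3 of the post: create an expandable VHD (larger than the 64MB
    # minimum), attach it, create and quick-format one NTFS volume, assign a letter.
    Invoke-DiskPart @(
        "create vdisk file=`"$VhdPath`" maximum=512 type=expandable",
        "select vdisk file=`"$VhdPath`"",
        "attach vdisk",
        "create partition primary",
        "format fs=ntfs quick label=`"Secret`"",
        "assign letter=$Letter"
    )
    # Step 4: turn on BitLocker To Go with a passphrase protector (you are
    # prompted for it) plus a numerical recovery password, which manage-bde
    # prints to the console. Record it somewhere other than this computer.
    manage-bde.exe -on "${Letter}:" -Password -RecoveryPassword
    manage-bde.exe -status "${Letter}:"
}

function Dismount-BitLockerVhd {
    # Lock the volume first so it is left in a clean state, then detach the
    # vdisk, which drops the drive letter.
    manage-bde.exe -lock "${Letter}:" -ForceDismount
    Invoke-DiskPart @("select vdisk file=`"$VhdPath`"", "detach vdisk")
}

function Mount-BitLockerVhd {
    # Attaching alone leaves the BitLocker volume locked. Windows normally
    # restores the previous drive letter; unlock then prompts for the passphrase
    # unless auto-unlock was enabled (manage-bde -autounlock -enable V:).
    Invoke-DiskPart @("select vdisk file=`"$VhdPath`"", "attach vdisk")
    manage-bde.exe -unlock "${Letter}:" -Password
}

# Typical use from an elevated PowerShell prompt:
#   New-BitLockerVhd        # once
#   Dismount-BitLockerVhd   # when done for the day
#   Mount-BitLockerVhd      # next time you need the files
```

Enabling auto-unlock (manage-bde -autounlock -enable V:) is the command-line equivalent of the optional "Automatically Unlock This Drive On This Computer" step, with the same trade-off: anyone who can log on with your account can then open the VHD without the passphrase.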

Concealment

If you want to try to conceal the fact that you have a BitLocker-encrypted VHD file, keep in mind that VHD files have a binary signature which can be scanned for and identified.  However, you might try this: 1) Install the VHD Attach tool on another computer, 2) copy the VHD Attach program files to a flash drive, 3) create a BitLocker-encrypted VHD file on the desired machine, 4) detach or unmount the VHD drive, 5) rename the VHD file and its filename extension to something which will not draw attention, e.g., a paging file, memory dump, temp file, etc., perhaps moving and hiding the file as well, 6) use a shortcut or batch script on the flash drive to run VhdAttachExecutor.exe to mount the renamed VHD file when desired.

Keep in mind that installing the VHD Attach tool modifies the registry, and so does running the tool, even from a flash drive, so you cannot easily conceal its usage.  Mounting VHD drives also leaves forensic traces that are difficult or impossible to erase.  Your custom attachment script on the flash drive would have to try to scrub these traces.  Hence, the above concealment steps are just for a bit of weak obscurity.
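To make the "binary signature" point concrete from the defender's side, here is an added example (not from the post) of how a scanner or forensic script finds VHD containers regardless of what they have been renamed to.  A VHD file ends with a 512-byte footer whose first eight bytes are the ASCII cookie "conectix"; BitLocker encrypts the volume inside the VHD, not the VHD container itself, so that footer stays in plaintext.  The scan path, minimum size and the sample file written to %TEMP% are constructed for the demonstration.

```powershell
# Added example: locate VHD files by their footer cookie rather than by extension.
# Works on Windows PowerShell 2.0 (no -File switch on Get-ChildItem).
function Find-VhdByFooter {
    param(
        [string] $Path,
        [long]   $MinSize = 64MB   # the post's minimum VHD size; lower it for tests
    )
    Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue |
      Where-Object { -not $_.PSIsContainer -and $_.Length -ge $MinSize } |
      ForEach-Object {
        $fs = $null
        try {
            # Open read-only and share with writers so open files do not abort the scan.
            $fs = [IO.File]::Open($_.FullName, [IO.FileMode]::Open,
                                  [IO.FileAccess]::Read, [IO.FileShare]::ReadWrite)
            $cookie = New-Object byte[] 8
            $fs.Seek(-512, [IO.SeekOrigin]::End) | Out-Null   # start of the VHD footer
            $read = $fs.Read($cookie, 0, 8)
            if ($read -eq 8 -and [Text.Encoding]::ASCII.GetString($cookie) -eq 'conectix') {
                $_.FullName                                  # emit the hit
            }
        }
        catch   { }                                          # unreadable file: skip it
        finally { if ($fs) { $fs.Dispose() } }
      }
}

# Constructed sample: a 1 KB file with a VHD-style footer, named to look like a temp file.
$sample = Join-Path $env:TEMP 'pagefile-lookalike.tmp'
$bytes  = New-Object byte[] 1024
[Text.Encoding]::ASCII.GetBytes('conectix').CopyTo($bytes, 512)
[IO.File]::WriteAllBytes($sample, $bytes)

# The renamed file is still reported, which is why renaming buys only weak obscurity.
Find-VhdByFooter -Path $env:TEMP -MinSize 1KB
Remove-Item $sample -Force
```

Dynamic VHDs also carry a copy of the footer at the start of the file, but checking the last 512 bytes covers both fixed and dynamic images, so the scanner keys on that.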

Other BitLocker Tricks: RAM Disks and Virtual Machines

And for inquiring minds that want to know, the answer is: Yes, you can use BitLocker to encrypt a RAM disk, at least with Dataram’s RAMDisk freeware (I haven’t tried it with any other products).  Why you would do this is another question, but there are creative uses for the restless…

You can also use BitLocker inside of a virtual machine to encrypt the boot partition (the partition with the \Windows folder in the VM), but you’ll need to turn off BitLocker’s default TPM requirement in the VM first.  The hard part is tricking your VM software into mounting the USB flash drive with the BitLocker key during boot-up; if you can’t get your VM to do this, you’ll have to type in the BitLocker recovery PIN each time you reboot the VM.  (Resuming a suspended VM, as opposed to rebooting, does not prompt for the recovery PIN, if you really want to play around with this “feature”.)  Encrypting the VM’s files on the host OS with EFS is possible too and certainly less of a hassle.

And you can encrypt a physical USB drive mounted from within a virtual machine too of course, then move that USB drive around to other physical and virtual machines running Windows 7/2008-R2 or later.

What other BitLocker or TPM tricks are possible?  ;-)

Conclusion

A common question is “How can I use BitLocker to keep my files secure from other people who share my computer?”  Using BitLocker-encrypted VHD files is one possibility.  But you should also investigate using the NTFS Encrypting File System (EFS), which also supports smart card key storage, encryption of external USB drives, and encryption of VHD files with or without BitLocker.  All this is covered in the six-day Securing Windows track (SEC505) at SANS of course.  Good luck!

WinDump Color Highlighting PowerShell Script

Filed under PowerShell, Windows 7


WinDump.exe is a free command-line packet sniffer and protocol analyzer for Windows (similar in command-line options to tcpdump for UNIX/Linux).  Staring at the output of WinDump for hours can cause eye strain, especially when sniffing in verbose mode or when showing the output on a projector to an audience.

Sniff.ps1 is a PowerShell script which will colorize the fields of WinDump output and insert zero or more blank lines in between each line of output for readability.  You can download the script free from here; it’s in the public domain.

To have the script simply guess which network adapter to listen on and start sniffing:

.\sniff.ps1

To have the script ask you which network adapter to use:

.\sniff.ps1 -ask

To add one or more blank lines in between each line of output (nice for teaching):

.\sniff.ps1 -spacing 1

To specify additional WinDump command-line options, put the arguments inside double-quotes (the -options parameter name itself is optional):

.\sniff.ps1 -options "-v -t -X not arp and not port 1900"
.\sniff.ps1 "-s 500 tcp port 80" -ask
.\sniff.ps1 "-r capturefile.pcap -X -s 0" -spacing 2

If the script is in your PATH or the Sniff() function from inside the script has been copied into your profile script (see $profile), you don’t need the folder path or filename extension, and you can abbreviate the full names of the parameters:

sniff
sniff -a -s 1
sniff "-t -X not port 3389"

If you want to change the colors, they are listed in one spot inside the script, so they are easy to find and edit.

Pipe Into Colorize-WinDump() Filter Instead

If you don’t want to use the Sniff.ps1 wrapper, but you do want the color highlighting sometimes, open the script and copy out the Colorize-WinDump() filter (which is inside the Sniff() function).  Copy the filter code to another file for dot-sourcing or paste the code into your profile script, then you can pipe WinDump.exe output into the filter as desired:

windump.exe -i 2 -v -X | colorize-windump
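The post's own Colorize-WinDump filter is in the downloadable script, not reproduced here.  As an added example written for this page, the following is a minimal filter of the same shape: it splits the common one-line WinDump/tcpdump output into timestamp, protocol, source, destination and remainder, colors each field, optionally inserts blank lines, prints -X hex-dump continuation lines in a single dim color, and passes anything it cannot parse through unchanged (the same monochrome fallback the Caveats below describe).  The color table, regexes and the sample lines are constructed for the example.

```powershell
# Added example: a small WinDump colorizing filter (not the Sniff.ps1 code).
# All colors live in one table so they are easy to edit.
$WinDumpColors = @{
    Timestamp = 'DarkGray'
    Protocol  = 'Yellow'
    Source    = 'Green'
    Arrow     = 'White'
    Dest      = 'Cyan'
    Info      = 'Gray'
    HexDump   = 'DarkCyan'
}

# "HH:MM:SS.usec PROTO rest" is the shape of normal one-line output. Link-level
# headers (-e) and the multi-line layout of -v are not parsed and print monochrome.
$LinePattern = '^(?<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?<proto>IP6|IP|ARP|STP),?\s+(?<rest>.*)$'
$FlowPattern = '^(?<src>\S+)\s+>\s+(?<dst>\S+):\s*(?<info>.*)$'

function Colorize-WinDump {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline=$true)] [string] $Line,
        [int] $Spacing = 0      # blank lines to emit after each packet line
    )
    process {
        if ($Line -match '^\s+0x[0-9a-fA-F]{4}:') {
            # -x / -X hex dump lines belong to the previous packet; keep them dim
            Write-Host $Line -ForegroundColor $WinDumpColors.HexDump
        }
        elseif ($Line -match $LinePattern) {
            $m = $Matches      # keep a reference; a later successful -match replaces $Matches
            Write-Host $m.ts -NoNewline -ForegroundColor $WinDumpColors.Timestamp
            Write-Host " $($m.proto) " -NoNewline -ForegroundColor $WinDumpColors.Protocol
            if ($m.rest -match $FlowPattern) {
                $f = $Matches
                Write-Host $f.src -NoNewline -ForegroundColor $WinDumpColors.Source
                Write-Host ' > '  -NoNewline -ForegroundColor $WinDumpColors.Arrow
                Write-Host $f.dst -NoNewline -ForegroundColor $WinDumpColors.Dest
                Write-Host ": $($f.info)" -ForegroundColor $WinDumpColors.Info
            }
            else {
                # e.g. ARP lines have no "src > dst" pair; print the remainder in one color
                Write-Host $m.rest -ForegroundColor $WinDumpColors.Info
            }
            for ($i = 0; $i -lt $Spacing; $i++) { Write-Host '' }
        }
        else {
            # Unparsed line: shown exactly as WinDump printed it (monochrome)
            Write-Host $Line
        }
    }
}

# Constructed sample lines standing in for live WinDump output.
$SampleLines = @(
    '12:34:56.789012 IP 10.0.0.5.51234 > 93.184.216.34.443: Flags [S], seq 1, win 64240, length 0',
    '12:34:56.790100 ARP, Request who-has 10.0.0.1 tell 10.0.0.5, length 28',
    "`t0x0000:  4500 003c 1c46 4000 4006 b1e6 0a00 0005  E..<.F@.@.......",
    'a line the parser does not understand'
)
$SampleLines | Colorize-WinDump -Spacing 1

# Live use, once the function is dot-sourced or in your profile:
#   windump.exe -i 2 -v -X | Colorize-WinDump
```

The filter writes with Write-Host rather than emitting objects because color is a console attribute, which also means the output cannot be redirected to a file; run WinDump with -w if you need a capture file as well.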

Requirements & Caveats

The script requires PowerShell 2.0 or later.  Only Windows 7 and Server 2008-R2 and later have this by default, so for earlier operating systems you must download PowerShell 2.0 or later from Microsoft’s site (it comes as part of the “Windows Management Framework”).

WinDump.exe and the WinPcap driver must be installed before running the script.

WinDump.exe must be in the PATH or you must edit the $WindumpPath variable in the script.

Not every protocol can be colorized by the script, so the script defaults to showing in monochrome the output lines it can’t parse correctly.

WinDump’s -e switch, for showing the link-level header, is not supported, but the monochrome output will still be shown.  Other verbose switches, such as -tttt, -vvv and -X, are supported though.

The default color scheme assumes that your shell’s background color is black, which is not the PowerShell default, but you can easily change your background color (right-click the shell’s titlebar > Properties > Colors) and you can easily edit the colors defined inside the script (they are all listed in one spot in the script for easy editing).

Windows 7 and IE8 CIS Security Baselines

Filed under CIS, Windows 7

[From Blake Frantz at the Center for Internet Security (CIS)]

The Center for Internet Security (CIS) and Microsoft are collaborating on security baselines for Windows 7 and Internet Explorer 8.  On July 13, 2009, beta versions of these baselines will be available for review from the Microsoft Connect site. On August 5, 2009, Microsoft will host a Live Meeting session to discuss these security baselines and gather feedback from the CIS Community – and you’re invited! This is a great opportunity to get answers to your Internet Explorer 8 and Windows 7 security questions, get a head start on defining your organization’s configuration standards for these technologies, and contribute your expertise to the community.

Here’s what you need to do to get involved:

1) Join the Microsoft Connect Beta program for the Windows 7 and Internet Explorer 8 security baseline project by following this invitation link.  (Please note: You will need a Windows Live ID to login to this site. If you do not already have one, a link is provided for you to create one.)

2) Download and review the Windows 7 and Internet Explorer 8 security compliance baselines. The following resources are included:

The Windows 7 Security Compliance Baseline Beta includes:
• Windows 7 Security Guide
• Windows 7 Security Baseline Settings
• Windows 7 GPO Back-up Files
• BitLocker Security Baseline Settings
• BitLocker GPO Back-up Files

The Internet Explorer 8 Security Compliance Baseline Beta includes:
• Internet Explorer 8 Security Guide
• Internet Explorer 8 Security Baseline Settings
• Internet Explorer 8 GPO Back-up Files

3) Provide your feedback on the baselines using the Microsoft Connect feedback form. Instructions and a link are provided on the Beta program page.

On August 5, 2009, attend the Live Meeting session to discuss the security baselines.

Important Dates:
July 13, 2009 – Beta release of Windows 7 and Internet Explorer 8 security baselines.
August 5, 2009 – Live Meeting session to discuss and provide feedback on the security baselines.