Sunday, May 10, 2015

Mouse Jiggler

In some cases you might want to keep a computer from going to sleep, hibernating, logging off, or turning the screen saver on.  In a digital forensics case you may need to keep the computer alive while transporting it to the lab or a safer environment, so that the system stays in a state that will not require a re-login when the password is not known.

Thus, the easiest way would be to simulate user activity to keep the system "thinking" that the user is still using the system while in transit.

Instead of creating a separate GUI, I decided to just launch Notepad from the system and move the mouse while Notepad is open.  If Notepad is closed, the program exits.   This is an AutoIt script if you want to see it work.  Of course, you can use any executable besides Notepad, but make sure you choose one with a small footprint like calc.exe.

; Match window titles on a substring so "Untitled - Notepad" is found by "Notepad"
Opt("WinTitleMatchMode", 2)
Dim $offset = 50   ; vertical distance (pixels) the pointer is nudged on each pass

WinActivate("Notepad")
Sleep(2000)
$checkWin = WinExists("Notepad")

; Launch Notepad if it is not already open, then keep its window on top
If $checkWin = 0 Then
    ShellExecute("C:\Windows\notepad.exe")
    WinWait("Notepad", "", 5)          ; give the new window up to 5 seconds to appear
    $title = WinGetTitle("Notepad")
    WinSetOnTop($title, "", 1)
    WinActivate($title)
EndIf

$checkWin = WinExists("Notepad")

; Move the pointer up and down once a second until Notepad is closed
While $checkWin
    WinActivate("Notepad")
    MouseMove(@DesktopWidth / 2, (@DesktopHeight / 2) + $offset, 10)
    Sleep(1000)
    $checkWin = WinExists("Notepad")
    If $offset = -50 Then
        $offset = 50
    Else
        $offset = -50
    EndIf
WEnd

Saturday, May 9, 2015

GPT Partition Table Structure

GPT was designed to slowly replace the limited MBR structure.  For backward compatibility, the old MBR structure is still maintained.


The boot code occupies the first 446 bytes and still includes the drive serial number for backward compatibility, but it is not used with GPT partitions when Windows mounts them.

Each one of the 16-byte partition entries has the structure:
  Boot indicator - 1 byte
  Start head - 1 byte
  Start sector/cylinder - 2 bytes
  Partition type - 1 byte
  End head - 1 byte
  End sector/cylinder - 2 bytes
  Sectors preceding partition - 4 bytes
  Sectors in partition - 4 bytes


Following the MBR's partition entries, the standard 0x55AA signature is set.



0x200 -> Signature, 8 characters ("EFI PART")

  Revision   (00 00 01 00 = 1.0)
  Header size   (92 bytes)
  CRC32 of header   (zero this field before computing the CRC over the header to validate it)
  Reserved
  Current LBA   (in the primary header this should be 01 00 00 00 00 00 00 00)
  Backup LBA   // location of the other header copy
  First usable LBA   // primary partition table last LBA + 1 (should be 22 00 00 00 00 00 00 00)
  Last usable LBA   // secondary partition table first LBA - 1
  Disk GUID   (16 bytes)
  Partition entries LBA   (start of the entry array; these entries are what Disk Management shows)
  Number of partition entries   (128)
  Size of partition entry   (128)
  CRC32 of partition array   (compute over the 128 * 128 bytes of the array to verify)
                             // detects modifications to the array
  420 bytes reserved   // must be zeros


0x400 -> Each partition entry has the same structure:
  Partition type GUID   (16 bytes)   // http://en.wikipedia.org/wiki/GUID_Partition_Table
                                     // the first one should be the EFI System Partition, C12A7328-F81F-11D2-BA4B-00A0C93EC93B
  Partition GUID   (16 bytes, see image below)
  Partition start LBA
  Partition end LBA
  Partition attributes   // http://en.wikipedia.org/wiki/GUID_Partition_Table
  Partition name   (up to 36 characters)

The image below shows the GPT partition table entry and how the operating system uses it to mount the partition ( HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices ).
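To make the header and entry layout above concrete, here is an added Python example (not from the original post) that builds a constructed LBA 1 header plus a 128-entry array, then parses them back and performs both CRC32 checks exactly as described: the header CRC is computed with its own CRC field zeroed, and the array CRC is computed over the 128 * 128-byte partition array. The sample LBAs, disk GUID and partition GUID are made-up values.

```python
import struct
import uuid
import zlib

HEADER_FMT = "<8sIIIIQQQQ16sQIII"  # 92-byte header, all fields little-endian
ENTRY_FMT = "<16s16sQQQ72s"        # 128-byte entry: type GUID, GUID, start, end, attrs, name
ESP_TYPE_GUID = uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B")  # EFI System Partition

def parse_gpt_header(lba1):
    """Decode the header at LBA 1 (offset 0x200) and check its CRC32 with the CRC field zeroed."""
    names = ("signature", "revision", "header_size", "header_crc", "reserved", "current_lba",
             "backup_lba", "first_usable", "last_usable", "disk_guid", "entries_lba",
             "num_entries", "entry_size", "array_crc")
    hdr = dict(zip(names, struct.unpack_from(HEADER_FMT, lba1)))
    hdr["disk_guid"] = uuid.UUID(bytes_le=hdr["disk_guid"])  # GUIDs are stored mixed-endian
    zeroed = bytearray(lba1[:hdr["header_size"]])
    zeroed[16:20] = b"\0\0\0\0"                               # CRC field must be zero when hashing
    hdr["signature_ok"] = hdr["signature"] == b"EFI PART"
    hdr["header_crc_ok"] = zlib.crc32(bytes(zeroed)) == hdr["header_crc"]
    return hdr

def parse_entries(array, hdr):
    """Verify the partition-array CRC32, then decode every non-empty 128-byte entry."""
    n, size = hdr["num_entries"], hdr["entry_size"]
    if zlib.crc32(array[:n * size]) != hdr["array_crc"]:
        raise ValueError("partition array CRC32 mismatch")
    parts = []
    for i in range(n):
        ptype, pguid, start, end, attrs, name = struct.unpack_from(ENTRY_FMT, array, i * size)
        if ptype == b"\0" * 16:                                # all-zero type GUID = unused entry
            continue
        parts.append({"type": uuid.UUID(bytes_le=ptype), "guid": uuid.UUID(bytes_le=pguid),
                      "start": start, "end": end, "attrs": attrs,
                      "name": name.decode("utf-16-le").rstrip("\0")})
    return parts

def build_sample():
    """Constructed LBA 1 sector and entry array (not a real disk image) holding one ESP."""
    esp = struct.pack(ENTRY_FMT, ESP_TYPE_GUID.bytes_le, uuid.UUID(int=0x1234).bytes_le,
                      2048, 409599, 0, "EFI system partition".encode("utf-16-le"))
    array = esp + b"\0" * (128 * 127)                          # 128 entries of 128 bytes
    no_crc = struct.pack(HEADER_FMT, b"EFI PART", 0x00010000, 92, 0, 0, 1, 1_000_000, 34,
                         999_966, uuid.UUID(int=0xABCD).bytes_le, 2, 128, 128, zlib.crc32(array))
    header = no_crc[:16] + struct.pack("<I", zlib.crc32(no_crc)) + no_crc[20:]
    return header + b"\0" * 420, array                         # 420 reserved bytes fill the sector
```

Flipping a single byte anywhere in the 92-byte header or in the entry array makes the corresponding check fail, which is why both CRCs are worth recomputing before trusting a table recovered from an image.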

Friday, May 1, 2015

Apple Watch Customized


I not only got hold of my first apple, but hacked it to my custom needs and installed fingerprint authentication on top of it.  I even managed to keep the air filtration system in place for reliable operation.  The time values are encrypted, so only I can find out the actual time.  It is not cheap plastic, but well-engineered space-age metal.  It is not connected to the Internet, to provide very secure operation.  Of course, it does not need a battery anymore; a single apple can provide hours of energy.   ( I'm not sure if it is genetically modified, it was not labeled. )



P.S. I just had a hard time posting this since I had to find a replacement hard drive for my laptop :-)