In some cases, you might want to keep a computer from going to sleep, hibernating, logging off, or starting the screen saver. In a digital forensics case, you may need to keep the computer alive while transporting it to the lab or a safer environment, so that the system stays in a state that does not require logging in again when the password is not known.
Thus, the easiest way is to simulate user activity so the system keeps "thinking" that the user is still using it while in transit.
Instead of creating a separate GUI, I decided to just launch Notepad from the script and move the mouse while Notepad is open. If Notepad is closed, the program exits. This is an AutoIt script if you want to see it work. Of course, you can use any executable besides Notepad, but make sure you choose one with a small footprint, like calc.exe.
; Match any window whose title contains "Notepad" (substring match)
Opt("WinTitleMatchMode", 2)
Local $offset = 50          ; the mouse is nudged 50 px below / above the screen centre
WinActivate("Notepad")
Sleep(2000)

; Launch Notepad if it is not already running and keep its window on top
If Not WinExists("Notepad") Then
    ShellExecute("C:\Windows\notepad.exe")
    Sleep(2000)
    Local $title = WinGetTitle("")   ; title of the window that is now active
    WinSetOnTop($title, "", 1)
    WinActivate($title)
EndIf

; Main loop: move the mouse once a second for as long as Notepad is open
While WinExists("Notepad")
    WinActivate("Notepad")
    MouseMove(@DesktopWidth / 2, (@DesktopHeight / 2) + $offset, 10)
    Sleep(1000)
    $offset = -$offset               ; alternate between +50 and -50
WEnd
; Notepad was closed, so the script exits here
This blog is dedicated to developing a methodology for the scientific approach to computer science education and to cybersecurity fields such as digital forensics and information assurance. This site is not intended as a reference for cybersecurity practitioners, but as guidance for those entering the field who would like to learn the basics of the scientific approach and the methodological testing of scientific problems that is missing from a basic computer science and technology based STEM education.
Sunday, May 10, 2015
Saturday, May 9, 2015
GPT Partition Table Structure
GPT was designed to gradually replace the limited MBR structure. For backward compatibility, the old MBR structure is still maintained.
The boot code occupies the first 446 bytes and still includes the drive serial number for backward compatibility, but it is not used for GPT partitions when mounting them in Windows.
Each of the 16-byte MBR partition entries has the structure:
Boot indicator - 1 byte
Start head - 1 byte
Start sector/cylinder - 2 bytes
Partition type - 1 byte
End head - 1 byte
End sector/cylinder - 2 bytes
Sectors preceding partition - 4 bytes
Sectors in partition - 4 bytes
Following the MBR's partition entries, the standard 0x55AA signature is set.
0x200 -> GPT header, with the fields in this order:
Signature, 8 characters ( "EFI PART" )
Revision ( 00 00 01 00 = 1.0 )
Header size ( 92 bytes )
CRC32 of header ( set this field to all zeros when computing the checksum to validate the value )
Reserved
Current LBA ( the first copy should be 01 00 00 00 00 00 00 00, i.e. LBA 1 )
Backup LBA // location of the other header copy
First usable LBA // last LBA of the primary partition table + 1 ( should be 22 00 00 00 00 00 00 00, i.e. LBA 34 )
Last usable LBA // first LBA of the secondary partition table - 1
Disk GUID, 16 bytes
Starting LBA of the partition entries ( what will be visible in Disk Manager )
Number of partition entries ( 128 )
Size of a partition entry ( 128 bytes )
CRC32 of the partition array ( 128*128 bytes should be selected to verify it ) // lets you verify that the entries were not modified
420 bytes reserved // must be zeros
0x400 -> Each partition entry has the same structure:
Partition type GUID, 16 bytes // http://en.wikipedia.org/wiki/GUID_Partition_Table
// the first one should be the EFI System partition, C12A7328-F81F-11D2-BA4B-00A0C93EC93B
Partition GUID, 16 bytes ( see image below )
Partition start LBA
Partition end LBA
Partition attributes // http://en.wikipedia.org/wiki/GUID_Partition_Table
Partition name, up to 36 characters
The image below shows the GPT partition table entry and how it is used by the operating system to mount the partition ( HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices ).
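As an added example (not code from the post), the following Python script walks the structure described above: it builds a small constructed GPT image in memory (protective MBR with 0x55AA, header at LBA 1, 128 entries of 128 bytes starting at LBA 2, first usable LBA 34) and then parses and validates it the way a forensic examiner would check a disk before trusting its partition table, recomputing the header CRC32 with the CRC field zeroed, the partition array CRC32 over 128*128 bytes, and the reserved bytes. The backup header copy is not written in the sample, and the basic data type GUID and the partition layout are assumed values, not taken from the post.

```python
import struct, uuid, zlib

SECTOR = 512
ESP_TYPE = uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B")  # EFI System partition type GUID (from the post)
BASIC_DATA_TYPE = uuid.UUID("EBD0A0A2-B9E5-4433-87C0-68B6B72699C7")  # well-known Microsoft basic data type (assumed)
HDR_FMT = "<8sIIIIQQQQ16sQIII"  # the 92-byte header at 0x200, in the field order listed above
ENT_FMT = "<16s16sQQQ72s"       # one 128-byte entry at 0x400: type GUID, GUID, start, end, attributes, name

def build_image(parts, total_lba=4096):
    """Constructed sample disk (not a real image): protective MBR, header at LBA 1, 128 entries from LBA 2."""
    mbr = bytearray(SECTOR)
    mbr[510:512] = b"\x55\xAA"  # the standard 0x55AA signature after the MBR partition entries
    entries = b"".join(struct.pack(ENT_FMT, t.bytes_le, uuid.uuid4().bytes_le, s, e, 0,
                                   n.encode("utf-16-le").ljust(72, b"\0")) for t, s, e, n in parts)
    entries = entries.ljust(128 * 128, b"\0")  # unused slots stay all zeros
    fields = [b"EFI PART", 0x00010000, 92, 0, 0, 1, total_lba - 1, 34, total_lba - 34,
              uuid.uuid4().bytes_le, 2, 128, 128, zlib.crc32(entries)]
    fields[3] = zlib.crc32(struct.pack(HDR_FMT, *fields))  # header CRC is taken with its own field zeroed
    header = struct.pack(HDR_FMT, *fields).ljust(SECTOR, b"\0")  # the remaining 420 bytes must be zeros
    return bytes(mbr) + header + entries

def parse_gpt(img):
    """Decode the header and the used entries; return them with a list of integrity problems found."""
    raw = img[SECTOR:SECTOR + 92]
    sig, rev, hsize, hcrc, _, cur, backup, first, last, dguid, pstart, n, esize, pcrc = struct.unpack(HDR_FMT, raw)
    issues = []
    if sig != b"EFI PART": issues.append("signature is not 'EFI PART'")
    if hsize != 92: issues.append("header size is not 92")
    if zlib.crc32(raw[:16] + b"\0\0\0\0" + raw[20:]) != hcrc: issues.append("header CRC32 mismatch")
    if any(img[SECTOR + 92:2 * SECTOR]): issues.append("reserved bytes after the header are not zero")
    if cur != 1 or first != 34: issues.append("unexpected current LBA / first usable LBA")
    arr = img[pstart * SECTOR:pstart * SECTOR + n * esize]
    if zlib.crc32(arr) != pcrc: issues.append("partition array CRC32 mismatch")
    parts = []
    for i in range(n):
        t, g, s, e, attr, name = struct.unpack(ENT_FMT, arr[i * esize:(i + 1) * esize])
        if t == b"\0" * 16: continue  # an all-zero type GUID marks an unused entry
        parts.append({"type": uuid.UUID(bytes_le=t), "guid": uuid.UUID(bytes_le=g), "start": s, "end": e,
                      "attrs": attr, "name": name.decode("utf-16-le").rstrip("\0")})
    if parts and parts[0]["type"] != ESP_TYPE: issues.append("first entry is not the EFI System partition")
    return {"revision": f"{rev >> 16}.{rev & 0xFFFF}", "disk_guid": uuid.UUID(bytes_le=dguid),
            "backup_lba": backup, "last_usable": last, "partitions": parts, "issues": issues}

if __name__ == "__main__":
    img = build_image([(ESP_TYPE, 34, 2081, "EFI System"), (BASIC_DATA_TYPE, 2082, 4062, "Data")])
    info = parse_gpt(img)
    for p in info["partitions"]:
        print(f'{p["name"]:<12} LBA {p["start"]}-{p["end"]} type {p["type"]}')
    print("issues:", info["issues"] or "none")
```

Flipping a single byte in the entry array or in the header makes the corresponding CRC32 check fail, which is the signal that the table was altered after it was written.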
Friday, May 1, 2015
Apple Watch Customized
I not only got hold of my first apple, but hacked it to my custom needs and installed fingerprint authentication on top of it. I even managed to keep the air filtration system in place for reliable operation. The time values are encrypted, so only I can find out the actual time. It is not cheap plastic, but well engineered space age metal. It is not connected to the Internet, which provides very secure operation. Of course, it does not need a battery anymore; a single apple can provide hours of energy. ( I'm not sure if it is genetically modified, it was not labeled. )
P.S. I just had a hard time posting this since I had to find a replacement hard drive for my laptop :-)