Thursday, January 6, 2022

Windows File operation during IR

 

Windows File operation during IR (Incident Response)

 

(Just for my reference)

Sort files by date

dir *.* /s /O:D > c:\temp\filelist.txt

/O:D sorts by date, oldest first; dir /O:-D sorts newest first.

 

Show file ownership

dir *.exe /ah /q

/q adds the owner of each file; /ah restricts the listing to files with the hidden attribute (drop it to list every *.exe).

 

Search for files with the WHERE command (/R searches the given folder recursively):

WHERE /R c:\windows *.exe *.dll *.bat

 

File properties

PowerShell:

Get-ItemProperty -Path .\test.exe | Format-List -Property * -Force

Get-Item .\test.exe | Select-Object -Property *

Get-Acl .\test.exe | Select-Object -Property *

 

Search for files by modification date

Command line: (files modified on or after 2021-12-21)

forfiles.exe /D +2021-12-21 /S /C "cmd.exe /c IF @isdir==FALSE dir /q @file"

If you get “ERROR: Invalid date specified.”, run "FORFILES /?" to find out the expected date format.

 

PowerShell: (files modified in the last 10 days)

$time = (Get-Date).AddDays(-10)

Get-ChildItem c:\windows -Recurse | Where-Object {$_.LastWriteTime -gt $time}

 

Get file hash

Command line: certutil.exe -hashfile c:\test.exe sha256

PowerShell: Get-FileHash c:\test.exe | Format-List
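The commands in the sections above (search by modification date, owner, properties, hash) are usually run together during triage. The function below, an added example that is not from the original post, combines them: for every file under a path that was written or created in the last N days it reports owner, SHA-256, Authenticode status and signer. The function name, parameter names and the CSV path in the usage comment are my own choices.

```powershell
# Added example, not part of the original post. Triage of recently written files:
# for each file under $Path written or created in the last $Days days, report owner,
# SHA-256, Authenticode status and signer. Function and parameter names are my own.
function Get-RecentFileTriage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int]      $Days    = 10,
        [string[]] $Include = @('*.exe', '*.dll', '*.bat', '*.ps1')
    )

    $since = (Get-Date).AddDays(-$Days)

    # -Force includes hidden and system files; SilentlyContinue skips access-denied
    # folders instead of aborting the sweep. -Include only applies together with -Recurse.
    # Both timestamps are checked: a dropped file often has a fresh CreationTime even
    # when its LastWriteTime was preserved from the source. Both can be altered by an
    # attacker, so treat the list as a starting point, not as proof.
    Get-ChildItem -Path $Path -Recurse -File -Force -Include $Include -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $since -or $_.CreationTime -gt $since } |
        ForEach-Object {
            $file  = $_
            $hash  = Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            $sig   = Get-AuthenticodeSignature -LiteralPath $file.FullName -ErrorAction SilentlyContinue
            $owner = (Get-Acl -LiteralPath $file.FullName -ErrorAction SilentlyContinue).Owner

            [PSCustomObject]@{
                FullName      = $file.FullName
                CreationTime  = $file.CreationTime
                LastWriteTime = $file.LastWriteTime
                Length        = $file.Length
                Owner         = $owner
                SHA256        = $hash.Hash
                SigStatus     = $sig.Status          # Valid, NotSigned, HashMismatch, ...
                Signer        = $sig.SignerCertificate.Subject
            }
        }
}

# Usage (the CSV can be diffed against a known-good host or fed to a hash lookup):
# Get-RecentFileTriage -Path 'C:\Windows' -Days 10 |
#     Sort-Object LastWriteTime -Descending |
#     Export-Csv -NoTypeInformation -Path 'C:\temp\triage.csv'
```

-LiteralPath is used for the per-file cmdlets so that names containing [ ] or $ are not treated as wildcards or variables; -ErrorAction SilentlyContinue keeps one locked file from stopping the whole sweep, at the cost of silently leaving that file out of the report.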

 

Delete file / folder

The commands below delete all *.txt files under c:\temp and its subfolders that are older than 10 days. Save them as a .bat file and run it:

rem No trailing backslash inside the quotes: forfiles reads \" as an escaped quote and the path breaks
Set "Target=c:\temp"

Set "daysold=10"

If Exist "%Target%" (

 rem ECHO Y| Icacls %Target% /T /C /grant Administrators:F

 rem /S recurses into subfolders; /d -N matches files last modified N or more days ago
 "forfiles.exe" /p "%Target%" /S /M *.txt /d -%daysold% /c "cmd /c if @isdir==FALSE del @file /q"

)

 

The commands below delete every subfolder of C:\temp\$Recycle.Bin that is older than 10 days (forfiles lists the items inside the /p folder, and RD removes each matching directory tree). Save them as a .bat file and run it:

Set "Target=C:\temp\$Recycle.Bin"

Set "daysold=10"

If Exist "%Target%" (

"forfiles.exe" /p "%Target%" /d -%daysold% /c "cmd.exe /c IF @isdir==TRUE RD @Path /S /Q"

)

 

Another example (removes every $Recycle.Bin folder found anywhere under the C: drive):

Rem if starting from c:\, use c:\\ because a backslash right before the closing quote is read as an escaped quote; “c:\” doesn’t work

Set "Target=c:\\"

If Exist "%Target%" (

 "forfiles.exe" /p "%Target%" /S /M $Recycle.Bin /c "cmd /c attrib @file -S -H +A"

 "forfiles.exe" /p "%Target%" /S /M $Recycle.Bin /c "cmd /c rmdir @file /s /q"

)

 

 

The commands below delete all files under c:\temp and its subfolders that are older than 10 days. This one is PowerShell, so save it as a .ps1 file and run it from a PowerShell prompt:

# age threshold in days
$DaysOld = 10

$StartFolder = "c:\temp"

# -Force includes hidden files; -ErrorAction SilentlyContinue skips unreadable folders
Get-ChildItem $StartFolder -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PsIsContainer -and $_.LastWriteTime -lt (Get-Date).AddDays(-$DaysOld) } |
    Remove-Item -Force
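The batch and PowerShell one-liners above delete immediately and leave no record of what went. The function below is an added example, not from the original post, that does the same age-based cleanup with a preview mode (-WhatIf), a confirmation prompt by default, and a log line per file. It also takes the folder as -LiteralPath, which is what makes a name like 'C:\temp\$Recycle.Bin' safe to pass when quoted with single quotes. The function name, parameter names and the log file location are my own choices.

```powershell
# Added example, not part of the original post. Age-based cleanup equivalent to the
# forfiles /d -N loops above, with two safety features the batch versions lack:
# a preview mode (-WhatIf) and a log of every deletion. Names are my own choices.
function Remove-OldFiles {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Taken literally, so 'C:\temp\$Recycle.Bin' (single quotes) works as written;
        # with -Path, "$Recycle" would expand as a variable and [ ] would be wildcards.
        [Parameter(Mandatory)] [string] $LiteralPath,
        [int]    $DaysOld = 10,
        [string] $Filter  = '*',
        [string] $LogPath = (Join-Path $env:TEMP 'cleanup.log')
    )

    if (-not (Test-Path -LiteralPath $LiteralPath -PathType Container)) {
        throw "Folder not found: $LiteralPath"
    }

    # forfiles /d compares the last-modified date, so LastWriteTime is used here too.
    $cutoff  = (Get-Date).AddDays(-$DaysOld)
    $removed = 0

    $candidates = Get-ChildItem -LiteralPath $LiteralPath -Filter $Filter -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -lt $cutoff }

    foreach ($file in $candidates) {
        $entry = "{0:o}`t{1}`t{2}`t{3}" -f (Get-Date), $file.FullName, $file.LastWriteTime.ToString('o'), $file.Length
        # ShouldProcess returns $false under -WhatIf (and when the operator answers No
        # at the confirmation prompt), so nothing is removed in preview mode.
        if ($PSCmdlet.ShouldProcess($file.FullName, "Delete (last write $($file.LastWriteTime))")) {
            Remove-Item -LiteralPath $file.FullName -Force
            Add-Content -LiteralPath $LogPath -Value "DELETED`t$entry"
            $removed++
        }
        else {
            Add-Content -LiteralPath $LogPath -Value "SKIPPED`t$entry"
        }
    }

    return $removed
}

# Usage:
# Preview only; candidates are logged as SKIPPED and nothing is deleted:
#   Remove-OldFiles -LiteralPath 'C:\temp' -Filter '*.txt' -DaysOld 10 -WhatIf
# Real run without a per-file prompt (ConfirmImpact High prompts otherwise):
#   Remove-OldFiles -LiteralPath 'C:\temp' -Filter '*.txt' -DaysOld 10 -Confirm:$false
```

Run the -WhatIf form first and read the log; the second form is the one to put in a scheduled task, and the log in %TEMP%\cleanup.log (or wherever -LogPath points) is what you will want when a deleted file later turns out to matter to an investigation.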

 

Tuesday, August 31, 2021

How to import eBooks to iPad mini

(Just for my reference)

Environment:

1. macOS Big Sur

2. Built-in tool: Python's SimpleHTTPServer module

3. iPad mini

 

Steps:

1. Make sure the iPad mini and the MacBook are on the same network.

2. Open a Terminal window on the Mac.

3. Go to the folder where the eBooks are located (cd command).

4. Run the command: python -m SimpleHTTPServer 8000

5. The parameter 8000 is the port number; it can be changed. Until the server is stopped, everything in that folder is readable by any device on the same network, since the server has no authentication.

6. Open Safari on the iPad mini.

7. In the address bar, enter http://MacIP:8000 (MacIP being the Mac's IP address); it should list the books in the folder.

8. Click one of the books, and then click “Open from ‘iBooks’”.

9. The book will be copied to the iBooks app.

10. Return to Safari and repeat for the next book.

11. After finishing the import, close Safari.

12. On the MacBook, press Ctrl+C to stop the simple HTTP server.

Monday, August 30, 2021

Fix the MacBook Big Sur slowness

I used to be able to run 3 VMs on VMware Fusion at the same time on Catalina. After I upgraded my MacBook Pro to Big Sur, even 1 VM could cause slowness. If I ran the VM along with a Teams or Zoom meeting, it simply stopped responding. Sometimes I couldn’t even move the mouse.

 

My MacBook is a Pro 2019, 32 GB memory, 2 video cards, CPU: 2.3 GHz 8-core Intel Core i9. This configuration is not that bad.

 

I googled and found many users have the same problem, and there were many solutions. However, I’ve tried all of them, including but not limited to:

1. Disable "Enable hypervisor applications in this virtual machine"

2. On the guest Windows, in Settings > Windows Security > Device security, turn off “Memory integrity”

3. Modify the .vmx file (https://communities.vmware.com/t5/VMware-Fusion-Discussions/VMware-Fusion-12-1-0-Big-Sur-Host-Windows-10-Guest-Running-Slow/m-p/2814913/highlight/false#M170980)

4. Set windows.vbs.enabled = "FALSE"

5. Use Parallels, but it seems to have the same problem.

 

After many attempts, I was thinking of moving back to Catalina; however, that means a lot of work because I didn’t have a backup in Time Machine.

 

It would be better if the issue could be solved in Big Sur so I don’t have to roll back.

 

I started my investigation. So far on my MacBook Pro, there were 4 applications that could cause the slowness: VMware Fusion, (Parallels), Teams and Zoom. I noticed that whenever the slowness happened, there was a process called “kernel_task” with more than 1000% CPU usage, and the fan was running like crazy.



I googled what “kernel_task” is really doing. On the Apple support site (https://support.apple.com/en-ca/HT207359), it says:

 

Activity Monitor might show that a system process named kernel_task is using a large percentage of your CPU, and during this time you might notice more fan activity. 

One of the functions of kernel_task is to help manage CPU temperature by making the CPU less available to processes that are using it intensely. In other words, kernel_task responds to conditions that cause your CPU to become too hot, even if your Mac doesn't feel hot to you. It does not itself cause those conditions. When the CPU temperature decreases, kernel_task automatically reduces its activity.

 

So I thought, if I cool down the laptop, maybe this process won’t use that much CPU.

 

I bought a laptop cooling pad. It helped; now I can run 1 VM without any slowness. However, I still couldn’t run more than 1 VM at the same time.

 

I needed a stronger cooler, so I took a first aid ice pack from the refrigerator and put it under the laptop. Now I can run 3 VMs at the same time again.

 

I think maybe Apple changed the way the “kernel_task” process is triggered on Big Sur to better protect the CPU, but it causes the whole system to be slow.