
Spammer Strategy

I saw a tweet from Spaf recommending this article, which is briefly quoted below:

I learned something in MBA school: as an industry matures, competition moves along five frontiers:

  • functionality (can we get the damn thing to work at all?)
  • reliability (will the damn thing please stop crashing?)
  • convenience (let’s shrink it so i can take it with me.)
  • price (if it’s a commodity, give me the cheapest)
  • fashion (indigo or graphite? hey, maybe key lime.)

Only after one frontier is crossed does a market focus on dimensions relevant to the next….

As a spammer, you can exploit this. How? …

… You must have patience. You must wait, wait, wait. Wait until the medium has moved through the frontiers, until the industry is competing on price. They must be made to ignore security until it’s too late….

Read more….

Keeping track of screws when disassembling Apple products

I recently saw a post from someone who had an extra screw left over after reassembling an iMac. I thought I’d share how I keep track of this. First, I go to iFixit and read the instructions for the disassembly (or I find a YouTube video). While going through the instructions, I make a screw template sheet for my use, like I did with my friend Mike’s MacBook Pro laptop:


That’s how I keep track of screws. I’ve also seen someone put a magnetic backing under the paper to keep them from moving, but I’m not a fan of magnetizing all of the screws. How do you do it?

Batch Restore Files Using Sleuthkit and Bash Scripting

I was performing data recovery for my brother-in-law on a failing drive and needed to recover as much data as possible. After spending a few minutes restoring files one by one (on a disk where the only tool I could get to recognize the partitions was Sleuthkit), I determined that a bash script was needed to batch restore the files (because repetitive work is boring—and time consuming).

I found a script for mass-restoring files using Sleuthkit, but it didn’t work for me. I kept getting errors related to how the cut command was being used (you can’t use a string as a delimiter). Aleksey Zapparov (the creator of the original script) informed me that it was supposed to be a horizontal tab character rather than blank spaces (\x09), but I decided to get it to work without that command.

The methodology is as follows:

  • Create an image of the drive (or you could work off the original, but this isn’t recommended).
  • Create a list of files to be restored and format the file list for easier processing using

    fls -f ext2 -p -r ./sdb-data 8650754 | grep -v '^..-' | grep -v '^... \*' > files.lst

    (keeping in mind that I was not all that interested in deleted files since I was recovering data).

  • Run the script to restore the list.

The original script written by Aleksey Zapparov was:

# LIST, DEST and IMAGE must be set before this runs.
HT=`printf '\x09'`

cat $LIST | while read line; do
    filetype=`echo "$line" | awk {'print $1'}`
    filenode=`echo "$line" | awk {'print $2'}`
    filename=`echo "$line" | cut -f 2 -d "$HT"`

    if [ $filetype == "r/r" ]; then
        echo "$filename"
        mkdir -p "`dirname "$DEST/$filename"`"
        icat -f ext2 -r -s $IMAGE "$filenode" > "$DEST/$filename"
    fi
done

However, I could not get this to work and didn’t want to use a cut command dependent on a tab character. Here is the final working code that I used to parse the file list:


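# LIST, DEST and IMAGE must be set before this loop runs.
# Split each fls line on spaces, tabs and the colon after the inode;
# the rest of the line (including spaces) stays in filename.
while IFS=$' \t:' read -r filetype filenode filename; do
    if [ "$filetype" = "r/r" ]; then
        echo "$filename"
        mkdir -p "`dirname "$DEST/$filename"`"
        icat -f ntfs -o 409600 -r -s "$IMAGE" "$filenode" > "$DEST/$filename"
    fi
done < "$LIST"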

I hope one of these saves you lots of time some day if you ever find yourself using Sleuthkit to batch restore files.
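
The following is an added example, not code from the original post or from Aleksey Zapparov's script. It splits each fls line on its first tab using POSIX parameter expansion, skips deleted entries, and refuses any path with a ".." component so that a malformed name on a damaged file system cannot be written outside the destination directory. The function names, the sample lines and the `/restore` destination used to exercise it are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not the post's script. Add icat's -f/-o flags for your image.
TAB=$(printf '\t')

# Constructed sample of `fls -p -r` output (not taken from a real image).
sample_fls() {
    printf 'r/r 66-128-2:\tUsers/al/My Notes: draft.txt\n'
    printf 'd/d 70-144-1:\tUsers/al/Photos\n'
    printf 'r/r * 81-128-1(realloc):\tUsers/al/old.doc\n'
    printf 'r/r 90-128-1:\tUsers/../../etc/cron.d/job\n'
}

# plan_restore LIST DEST (hypothetical helper)
# Prints "inode<TAB>target" for each allocated regular file in LIST.
plan_restore() {
    list=$1 dest=$2
    while IFS= read -r line; do
        meta=${line%%"$TAB"*}   # e.g. "r/r 66-128-2:"
        name=${line#*"$TAB"}    # full path; may hold spaces or colons
        [ "$meta" != "$line" ] || continue     # no tab: not an fls entry
        ftype=${meta%% *}
        inode=${meta#* }
        inode=${inode%:}
        [ "$ftype" = "r/r" ] || continue       # regular files only
        case $inode in
            ''|*[!0-9-]*) continue ;;          # "* 81-128-1(realloc)": deleted
        esac
        case "/$name/" in                      # refuse ".." path components
            */../*) echo "skipped, leaves DEST: $name" >&2; continue ;;
        esac
        printf '%s\t%s\n' "$inode" "$dest/$name"
    done < "$list"
}

# restore_all IMAGE LIST DEST (hypothetical wrapper that feeds the plan to icat)
restore_all() {
    plan_restore "$2" "$3" | while IFS="$TAB" read -r inode target; do
        mkdir -p "$(dirname "$target")"
        icat -r -s "$1" "$inode" > "$target"
    done
}
```

Running `plan_restore` on its own gives a dry run of what would be written and where, which is worth reviewing before pointing `restore_all` at a failing disk's image.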

Finding the login password in plain text in RAM on Mac OS X 10.8 Mountain Lion

The login password is stored in plain text in memory on Mac OS X 10.8 Mountain Lion. To find it, use the following command:

strings ram_dump | grep -C 6 -i longname | grep -C 6 -i password

First I piped the ram_dump to strings to get rid of non-ASCII data, then I piped that output to grep and grep’d with six lines of context for ‘longname’ (I made the search case insensitive, but it is in lowercase so this isn’t necessary) and then piped the content to another grep expression searching for ‘password’ with the same parameters. This produces output similar to the following:


I’m not sure if Mac OS X 10.9 Mavericks still stores the password in plain text in RAM or not, but Mountain Lion certainly does (therefore presumably also previous versions).