BSODs: I'm luving it

Windows systems are notorious for crashing for any number of reasons and in a number of ways. Some of these crashes are mild and can easily be overcome simply by closing a nonresponding application or by rebooting the system. However, others are more serious and can bring the entire system to its knees. Microsoft calls these types of crashes "Stop errors" because the operating system stops responding. When a Stop error occurs, the GUI is replaced by a DOS-like blue screen with a cryptic error message followed by a code number. This screen is affectionately referred to as the Blue Screen Of Death, or BSOD for short.

In this article, I'll try to give an overview of how to analyze BSODs and extract the relevant troubleshooting information. I have covered the most common Windows XP BSOD errors. Do check the article in Microsoft's Knowledge Base (http://support.microsoft.com/default.aspx?scid=kb;en-us;244617) that describes the troubleshooting steps and possible solutions in detail. To view screen shots of these BSOD error messages, along with an explanation of each one, check out the photo gallery below.


Dissecting a BSOD

Although Stop errors can be caused by either hardware or software malfunctions, the most typical cause is a hardware malfunction. Each Stop error is accompanied by a specific error description and an eight-digit hexadecimal error code. It may not be immediately apparent when you see a BSOD (mostly due to the shock factor that hits you when one occurs), but you can use the description and the code to identify the type of error that is occurring. You just need to be able to identify the key parts of the message so you'll have a direction and focus for your troubleshooting expedition. The trick is in finding the relevant information on the BSOD.

STOP: 0x0000000A - IRQL_NOT_LESS_OR_EQUAL
This Stop error, which can be caused by either software or hardware, indicates that a kernel-mode process or driver attempted to access a memory location it did not have permission to access or a memory location that exists at a kernel interrupt request level (IRQL) that was too high.

STOP: 0x0000001E - KMODE_EXCEPTION_NOT_HANDLED


This Stop error indicates that the Windows XP kernel detected an illegal or unknown processor instruction.

STOP: 0x00000050 - PAGE_FAULT_IN_NONPAGED_AREA


This Stop error indicates that requested data was not in memory. The system generates an exception error when using a reference to an invalid system memory address.

(Psst... the resolution for this one is very easy!

Restart your system, boot into Safe Mode and log in to the Administrator account (on XP). Then go to My Computer > Properties > Advanced > Performance > Virtual Memory, set it to zero, and click Apply > OK > OK. Then go to Local Disk (C:) > right-click > Properties > Tools > Error Checking, check the first box, click Apply > OK > OK and restart. After that you can change the virtual memory back. Issue resolved!)

STOP: 0x0000007B - INACCESSIBLE_BOOT_DEVICE


This Stop error indicates that Windows XP has lost access to the system partition or boot volume during the startup process.

STOP: 0x0000007F - UNEXPECTED_KERNEL_MODE_TRAP


This Stop error indicates a hardware problem resulting from mismatched memory, defective memory, a malfunctioning CPU, or a fan failure that's causing overheating.


STOP: 0x0000009F - DRIVER_POWER_STATE_FAILURE


This Stop error indicates that a driver is in an inconsistent or invalid power state during shutdown or standby or hibernate mode.


STOP: 0x000000D1 - DRIVER_IRQL_NOT_LESS_OR_EQUAL


This Stop error indicates that the system attempted to access pageable memory using a kernel process IRQL that was too high.


STOP: 0x000000EA - THREAD_STUCK_IN_DEVICE_DRIVER


This Stop error indicates that a device driver problem is causing the system to pause indefinitely.


STOP: 0x00000024 - NTFS_FILE_SYSTEM


This Stop error indicates that a problem occurred within Ntfs.sys, the driver file that allows the system to read and write to drives formatted with the NTFS file system.


STOP: 0xC0000218 - UNKNOWN_HARD_ERROR


This Stop error indicates that a necessary registry hive file could not be loaded.


STOP: 0xC0000221 - STATUS_IMAGE_CHECKSUM_MISMATCH


This Stop message indicates driver, system file, or disk corruption problems (such as a damaged paging file).


Now that you have a good idea of how to dissect a BSOD and pull out the relevant pieces of information from all the gibberish on the screen, let's look at some of the more common BSODs in Windows XP. I'll only cover just a few of the BSOD conditions, but there are lots of possible Stop errors. For each BSOD I discuss, I'll provide a link to an article on the Microsoft Knowledge Base that covers that particular Stop error. (Since more than one article might address a Stop error, you may want to search the Knowledge Base if you discover that you need more information.)

  • STOP: 0x0000000A
IRQL_NOT_LESS_OR_EQUAL
This Stop error, which can be caused by either software or hardware, indicates that a kernel-mode process or driver attempted to access a memory location it did not have permission to access or a memory location that exists at a kernel interrupt request level (IRQL) that was too high. A kernel-mode process can access only other processes that have an IRQL equal to or lower than its own.
Troubleshooting a Stop 0x0000000A error in Windows XP

  • STOP: 0x0000001E
KMODE_EXCEPTION_NOT_HANDLED
This Stop error indicates that the Windows XP kernel detected an illegal or unknown processor instruction. The problems that cause this Stop error can be either software or hardware related and result from invalid memory and access violations, which are intercepted by Windows' default error handler if error-handling routines are not present in the code itself.
Possible Resolutions to STOP 0x0A, 0x01E, and 0x50 Errors

  • STOP: 0x00000050
PAGE_FAULT_IN_NONPAGED_AREA
This Stop error indicates that requested data was not in memory. The system generates an exception error when using a reference to an invalid system memory address. Defective memory (including main memory, L2 RAM cache, video RAM) or incompatible software (including remote control and antivirus software) might cause this Stop error.
Possible Resolutions to STOP 0x0A, 0x01E, and 0x50 Errors

  • STOP: 0x0000007B
INACCESSIBLE_BOOT_DEVICE
This Stop error indicates that Windows XP has lost access to the system partition or boot volume during the startup process. Installing incorrect device drivers when installing or upgrading storage adapter hardware typically causes this Stop error. This error could also indicate a possible virus infection.
Troubleshooting Stop 0x0000007B or "0x4,0,0,0" Error

  • STOP: 0x0000007F
UNEXPECTED_KERNEL_MODE_TRAP
This Stop error indicates a hardware problem resulting from mismatched memory, defective memory, a malfunctioning CPU, or a fan failure that's causing overheating.
General causes of "STOP 0x0000007F" errors

  • STOP: 0x0000009F
DRIVER_POWER_STATE_FAILURE
This Stop error indicates that a driver is in an inconsistent or invalid power state. This Stop error typically occurs during events that involve power state transitions, such as shutting down, or moving in or out of standby or hibernate mode.
Troubleshooting a Stop 0x9F Error in Windows XP

  • STOP: 0x000000D1
DRIVER_IRQL_NOT_LESS_OR_EQUAL
This Stop error indicates that the system attempted to access pageable memory using a kernel process IRQL that was too high. The most typical cause is a bad device driver (one that uses improper addresses). It can also be caused by faulty or mismatched RAM or a damaged pagefile.
Error Message with RAM Problems or Damaged Virtual Memory Manager

  • STOP: 0x000000EA
THREAD_STUCK_IN_DEVICE_DRIVER
This Stop error indicates that a device driver problem is causing the system to pause indefinitely. Typically, this problem is caused by a display driver waiting for the video hardware to enter an idle state. This might indicate a hardware problem with the video adapter or a faulty video driver.
Error message: STOP 0x000000EA THREAD_STUCK_IN_DEVICE_DRIVER

  • STOP: 0x00000024
NTFS_FILE_SYSTEM
This Stop error indicates that a problem occurred within Ntfs.sys, the driver file that allows the system to read and write to drives formatted with the NTFS file system. (A similar Stop message, 0x00000023, exists for the file allocation table [FAT16 or FAT32] file systems.)
Troubleshooting Stop 0x24 or NTFS_FILE_SYSTEM Error Messages

  • STOP: 0xC0000218
UNKNOWN_HARD_ERROR
This Stop error indicates that a necessary registry hive file could not be loaded. The file may be corrupt or missing. The registry file may have been corrupted due to hard disk corruption or some other hardware problem. A driver may have corrupted the registry data while loading into memory or the memory where the registry is loading may have a parity error.
How to Troubleshoot a Stop 0xC0000218 Error Message

  • STOP: 0xC0000221
STATUS_IMAGE_CHECKSUM_MISMATCH
This Stop message indicates driver, system file, or disk corruption problems (such as a damaged paging file). Faulty memory hardware can also cause this Stop message to appear.
"STOP: C0000221 unknown hard error" or "STOP: C0000221 STATUS_IMAGE_CHECKSUM_MISMATCH" error message occurs

Hope my analysis will give a very short overview of BSODs in Windows XP. I want to give the entire credit to Mark Russinovich of Sysinternals.

Hack your Recycle Bin

Have you ever thought of what happens when you hit the delete button?

Delete: When we simply delete a file we are throwing that file into the Recycle Bin of that particular volume. For example, if a file resides on the C:\ drive, which uses FAT32 as its file system, and we delete it, then that file will move to C:\Recycled. But if it is an NTFS volume then the file will move to \Recycler\.

Shift+Delete: When we hit Shift+Delete the file will not move to Recycled or Recycler. Instead it will bypass these two folders and will simply be deleted. In such scenarios the user does not have an option to restore the file from these two folders.

However, forensics tells us the files are NOT actually deleted. The deleted files still exist on the hard disk, but the pointer to that file is deleted. The pointer information is stored in the INFO2 record, which cannot be seen by a normal user because it carries the read-only, system and hidden attributes. To view the INFO2 file use ATTRIB -r -s -h info2. We can also use a third-party tool like rifiuti to see what is written in the INFO2 file. The Italian dictionary says rifiuti means trash. Tons of thanks to Keith Jones for developing this wonderful tool. Rifiuti can be downloaded from here

In EnCase one can use EnScripts to find information from INFO2 records. For the local machine, run the "Scan local machine" EnScript (EnCase 5) with the Recycle Bin Info Record Finder module selected. If you are working on an image, simply run the "Sweep Case" EnScript with the Recycle Bin Info Record Finder module selected. All the information collected by EnCase will be located in the Bookmarks tab.
All forensic investigators should definitely look for the INFO2 record to gather crucial information. There is a good chance of the INFO2 record solving the case, ridding the investigator of further toil.

Happy Blogging.

Demystify “thumbs.db”

Are you working as a cyber crime investigator and looking for something which can prove in a court of law that there was some pornographic content on the suspect's machine? Let me help you out in this case. There is a file named "thumbs.db" which is automatically generated by Windows XP whenever the user views a folder or image in Thumbnails view or in Filmstrip view. Automatic generation of this file is ON by default. Thumbs.db contains a copy of each of the tiny preview images generated for the image files in that folder so that they load quickly the next time you browse that folder. If a user tries to view this file with an ordinary image viewer it will be of no use. To extract the juicy content from this file, the forensic investigator has to understand the header of the thumbnail images stored inside thumbs.db. Let me explain step by step how to extract useful content from a thumbs.db file.

Open any folder which has some JPEG files and switch that folder to Thumbnails view, as shown in the screenshot:

[Screenshot: folder switched to Thumbnails view]

As soon as the folder is put in Thumbnails view, the "thumbs.db" file is created. Even if all the JPEG files are deleted, as long as the thumbs.db file corresponding to those JPEG files is present you can still see the images, although they will be very small. The thumbs.db that was created is now opened in WinHex. Once the file has been opened in WinHex, we search for and select a particular header. The header is "ÿØÿà JFIF" and its hex value is "FFD8FFE000104A464946". This is shown in the example:
[Screenshot: JFIF header selected in WinHex]

Copy the entire content from where the header starts to the end of the file into Notepad and save it with the extension .jpeg. You can now easily view the extracted content with any image viewer. If there is a large number of headers in the thumbs.db file, then you can use a professional tool like "Windows File Analyzer" to see the contents of thumbs.db. Even if the picture files are deleted, the information will still be stored in the thumbs.db file, which can be very helpful. Hope this information is enough.
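The header search described above, as an added example that is not part of the original post: a small Python carver that scans a raw thumbs.db (or any byte stream) for the FF D8 FF E0 00 10 4A 46 49 46 header and, going one step beyond the copy-to-end-of-file method, cuts each thumbnail at the JPEG end-of-image marker (FF D9), so a file holding many headers yields one JPEG per header; the sample input is constructed.

```python
"""Carve JFIF thumbnails out of a raw byte stream (added example, not the
post's own code): find every FF D8 FF E0 00 10 4A 46 49 46 header and cut
each blob at the FF D9 end-of-image marker."""

JFIF_HEADER = bytes.fromhex("FFD8FFE000104A464946")  # SOI, APP0, length, "JFIF"
EOI_MARKER = b"\xff\xd9"  # JPEG end-of-image marker


def carve_jfif(data: bytes) -> list:
    """Return a list of (offset, blob) for each JFIF image found in data.

    A blob ends at the first FF D9 after its header: inside JPEG scan data
    every 0xFF is byte-stuffed (FF 00) or a restart marker, so FF D9 only
    occurs as the real end marker. If none is found before the next header
    (or end of data), the truncated blob is returned as-is.
    """
    blobs = []
    start = data.find(JFIF_HEADER)
    while start != -1:
        next_hdr = data.find(JFIF_HEADER, start + len(JFIF_HEADER))
        limit = len(data) if next_hdr == -1 else next_hdr
        eoi = data.find(EOI_MARKER, start + len(JFIF_HEADER), limit)
        end = limit if eoi == -1 else eoi + len(EOI_MARKER)
        blobs.append((start, data[start:end]))
        start = next_hdr
    return blobs


def write_carved(data: bytes, prefix: str = "thumb") -> list:
    """Write each carved blob to <prefix>_<offset>.jpg; return the names."""
    names = []
    for offset, blob in carve_jfif(data):
        name = f"{prefix}_{offset:08x}.jpg"
        with open(name, "wb") as fh:
            fh.write(blob)
        names.append(name)
    return names


def build_sample() -> bytes:
    """Constructed stand-in for a thumbs.db: two tiny JFIF blobs plus filler."""
    def jfif(body: bytes) -> bytes:
        return JFIF_HEADER + b"\x00\x01\x01\x00" + body + EOI_MARKER
    return (b"\x00" * 16 + jfif(b"\x10" * 8)
            + b"\xaa\xbb\xcc\xdd" + jfif(b"\x20" * 12) + b"\x00" * 4)


if __name__ == "__main__":
    for off, blob in carve_jfif(build_sample()):
        print(f"JFIF at offset {off}: {len(blob)} bytes")
```

Run it against a real file with `carve_jfif(open("thumbs.db", "rb").read())`; the offsets it reports are the same ones you would see highlighted in WinHex.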

Happy Blogging.

Use Tasklist Smartly!

I was looking for a utility which allows me to remotely access the list of running processes of a suspect machine running Windows OS. I found this wonderful utility which allows one not only to view the processes and their PIDs but also to filter the processes according to certain criteria such as username, memory usage, loaded modules, services, status of the services and even window title!


The MS description for this command says:

This command line tool displays a list of application(s) and associated task(s)/process(es) currently running on either a local or remote system.

Let me illustrate the power of this command with an example. Suppose you, as an investigator, want to see the processes running on a remote system while the suspect is on the system. You would run the following command (assuming you have the password for a valid user on the system):

C:\>TASKLIST.EXE /S 192.168.0.2 /U Domain\Debarghya /FI "USERNAME ne SYSTEM" /FI "STATUS eq RUNNING"

Here:

The IP of the remote system: 192.168.0.2

The domain: Domain

The user being used to connect: Debarghya

The above command would enable the investigator to see all the running processes started by the user "Debarghya". He would be able to spot any "out of the ordinary" process being run by the user!
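The two filters in the command above, as an added example that is not part of the original post: a small Python script that applies tasklist-style eq/ne filters to saved `tasklist /V /FO CSV /NH` output, so an investigator can ask the same question again over a captured process list without reconnecting to the suspect machine. The CSV column order and the matching of a bare user name against the user part of DOMAIN\user are assumptions, and the sample rows are constructed.

```python
"""Apply tasklist /FI-style filters offline to saved `tasklist /V /FO CSV /NH`
output. Added example (not from the post); the sample rows are constructed."""
import csv
import io

# Column order of `tasklist /V /FO CSV` on Windows XP (assumed here).
COLUMNS = ["Image Name", "PID", "Session Name", "Session#", "Mem Usage",
           "Status", "User Name", "CPU Time", "Window Title"]
FIELD_FOR = {"IMAGENAME": "Image Name", "USERNAME": "User Name", "STATUS": "Status"}

# Constructed sample, as if captured with /NH (no header line).
SAMPLE_CSV = '''"explorer.exe","1432","Console","0","18,212 K","Running","DOMAIN\\Debarghya","0:00:04","N/A"
"svchost.exe","960","Console","0","4,300 K","Running","NT AUTHORITY\\SYSTEM","0:00:01","N/A"
"notepad.exe","2040","Console","0","3,104 K","Not Responding","DOMAIN\\Debarghya","0:00:00","Untitled - Notepad"
"cmd.exe","2212","Console","0","2,016 K","Running","DOMAIN\\Debarghya","0:00:00","Command Prompt"
'''


def parse_tasklist_csv(text: str) -> list:
    """Turn /FO CSV /NH output into a list of dicts keyed by COLUMNS."""
    return [dict(zip(COLUMNS, f)) for f in csv.reader(io.StringIO(text))
            if len(f) == len(COLUMNS)]


def _matches(column: str, actual: str, wanted: str) -> bool:
    """Case-insensitive compare; for USERNAME a bare name is also matched
    against the user part of DOMAIN\\user (an assumption about tasklist)."""
    actual, wanted = actual.upper(), wanted.upper()
    if column == "USERNAME" and actual.rsplit("\\", 1)[-1] == wanted:
        return True
    return actual == wanted


def apply_filters(rows: list, filters: list) -> list:
    """filters: (column, op, value) triples such as ("USERNAME", "ne", "SYSTEM")."""
    kept = []
    for row in rows:
        ok = True
        for column, op, value in filters:
            column = column.upper()
            equal = _matches(column, row[FIELD_FOR[column]], value)
            if (op.lower() == "eq") != equal:  # eq keeps matches, ne drops them
                ok = False
                break
        if ok:
            kept.append(row)
    return kept


def running_non_system(text: str = SAMPLE_CSV) -> list:
    """The post's two filters applied offline; returns the image names."""
    rows = apply_filters(parse_tasklist_csv(text),
                         [("USERNAME", "ne", "SYSTEM"), ("STATUS", "eq", "RUNNING")])
    return [r["Image Name"] for r in rows]
```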


For further information about the filters and options supported, just type

c:\windows\system32>tasklist.exe /?

TASKLIST [/S system [/U username [/P [password]]]]
[/M [module] | /SVC | /V] [/FI filter] [/FO format] [/NH]


Happy experimentation!