Didier Stevens

Monday 26 February 2007

How I prepared my CISSP exam

Filed under: Certification — Didier Stevens @ 12:00

As promised, I’ll tell you how I prepared for my CISSP exam. Of course, this is no recommendation for a guaranteed path to success, your results may vary. For example, I studied the Common Body of Knowledge on my own, I didn’t take a CBK Review Seminar and I didn’t join a study group. Self-study works great for me (I like reading books in my easy chair), but it may not for you.

I spend about one year (elapsed time) preparing for the exam. My original planning was 6 months, from fall 2005 until spring 2006. Unfortunately, this time there was no spring exam in Belgium, so I had to wait for the fall exam. It allowed me to take a break of several months. I cannot tell you how many man-days I spend, but it must be at least a man-month.

The “Official (ISC)² ® Guide to the CISSP Exam” was the first book I started reading. To wet my appetite, I didn’t start reading the book from the first chapter, but I started with a fun chapter: cryptography (well, I consider it to be a fun read, you may think otherwise). But the official guide turned out to be quite terse prose, so I looked for other books. Shon Harris’ “CISSP All-in-One Exam Guide” popped up a lot in my search results, so I gave it a try. And it turned out to be an excellent study guide. I read it from cover to cover, and occasionally referred to the official guide for more reading material, when I wasn’t so familiar with a particular domain. The chapter about the exam itself is also very good, Shon gives a lot of good tips.

I would read a chapter, and then I would take the quiz at the end of the chapter. This is quite a strict procedure I follow (I also did this for my other certs): I write down my answers in a spreadsheet, with a special mark if I feel uncertain about my answer, and only after answering each question, I’ll look up the answers. If I answered incorrectly or if I marked a correct answer as “uncertain”, I would carefully read the explanation. If it turned out I misread the question, and would otherwise have answered correctly, I just moved on. For example, it happens that I misread a “not”: it reads “what does not apply” and I read “what does apply” …
However, if I didn’t misread the question, I reviewed the sections of the chapter pertaining to this particular question until I understood what the correct answer was.
It turned out that I would always answer 80% or more of the questions correctly.

For many domains I consulted extra information on the Internet (Wikipedia is a good source for technical information), and I also tried to find practical uses for the concepts I was learning. For example, I applied cryptography in my tool ZIPEncryptFTP. I can also recommend CrypTool to study crypto algorithms.

After studying all the domains and feeling confident, I rehearsed the exam itself: I answered all questions of the trial exam provides in Shon’s book in one go and timed myself. This took me several hours. Although I had about 73% correct answers, I still I reviewed the wrong answers (several of them were of the “not”-type).

I also took a trial exam with all the questions of the official guide.

Finally I took a few days before the exam to cram. There is always stuff you need to memorize unless you’ve a lot of experience in the domain. For example, I had to memorize the list of the different types of glass and how they compared to each other for their impact-resistance.

An upcoming post is about the exam taking strategy I followed.

Monday 19 February 2007

Restoring Safe Mode with a .REG file

Filed under: Malware — Didier Stevens @ 13:57

I posted about a virus that disables Safe Mode by deleting the SafeBoot registry keys, and later I talked about tricks to restore the SafeBoot keys. Now I’m posting another way to restore the SafeBoot keys: merging a .reg file with the missing SafeBoot entries.

A comment by Mirco made me take a closer look at the SafeBoot registry key. I thought that they would contain settings and drivers that
are hardware dependent, but this turned out to be false. In fact, it just contains a list of references to devices, drivers and services that have to be started when booting into Safe Mode.

The registry keys to boot into Safe Mode are under the SafeBoot key:


You can boot into Safe Mode without or with networking, there is a subkey for each mode: Minimal (no networking) and Network (with networking).

Each device, driver or service that has to be started has a subkey under the Minimal or Network key.
In this screenshot, you see the Cryptographic Services service:


BTW, if you want to disable a device, driver or service in Safe Mode, just delete the corresponding subkey (make a backup first).
I tested this with key {4D36E965-E325-11CE-BFC1-08002BE10318} (resulted in a disabled CD-ROM drive) and PlugPlay (resulted in a disabled Plug and Play service).

I compared several SafeBoot registry keys for Windows XP SP2 on different hardware platforms, and they were all identical. However, there were some small differences when comparing different operatings systems (Windows XP SP1, SP2 and Windows 2003 SP1). Remember that Safe Mode was introduced with Windows 2000.
These are minor differences, just listing devices, drivers or services that are only present on one version of Windows. For example, I found Volume shadow copy on a Windows 2003 and not on Windows XP. And Windows 2003 also had less network services than Windows XP, this is probably a result of the default hardening of Windows 2003: more services and applications are disabled by default on Windows 2003 than on Windows XP.

I’m now publishing a registry export file (.reg) with the SafeBoot keys from a clean Windows XP SP2 install and a clean Windows 2000 SP4 Professional install. You can use it to repair your PC when the SafeBoot keys have been deleted and System Restore cannot help you. I would not be surprised if you can use this REG file with other versions of Windows as well.

Download the ZIP file, extract the SafeBoot-for-Windows-XP-SP2.reg or SafeBoot-for-Windows-2000-SP4-Professional.reg file on the crippled PC and merge it into the registry by double-clicking it:



SafeBoot.zip (https)

MD5: 5C1E3698877F79DD1C35F3107D4DC459

SHA256: 876D1C85E7556A334664C96F263781F5A9DBC9AB4DA26EDC6070AD947D09641D

Thursday 15 February 2007

UserAssist article published in (IN)SECURE Magazine

Filed under: My Software — Didier Stevens @ 11:30

My article about my UserAssist forensic tool has been published in the February 2007 issue of (IN)SECURE Magazine .

Monday 12 February 2007

Reverse Engineering Mentoring

Filed under: Reverse Engineering — Didier Stevens @ 18:19

I started mentoring someone on Reverse Engineering. We use a Wiki to communicate, feel free to join as a mentor or mentee.


Filed under: My Software — Didier Stevens @ 11:51

ZIPEncryptFTP is a program I developed to make off-site backups of important data. Like its name suggests, it ZIPs one or more directories, Encrypts the ZIP file with AES and uploads it to a FTP server.

Find the details here.

Monday 5 February 2007

A running light with a PIN

Filed under: Hardware,Nonsense — Didier Stevens @ 1:49

We all know the problem, you’ve set-up a running light as Christmas decoration, and then a kid starts changing the patterns you’ve programmed.

But not anymore, I’ve made a running light with security: you need a PIN to access the configuration switches!

The movie is hosted here on YouTube, and you can find a hires version (XviD) here.

Joking aside: I got a set of E-blocks from Matrix Multimedia for Christmas.

E-blocks are a suite of small circuit boards each of which contains a block of electronics that you would typically find in an electronic system. Each E-block performs a separate function as either an input sub-system, an output subsystem or a processing subsystem. E-blocks are connected together using 8 wire buses on 9 way D-type plugs and sockets.

My microcontroller is an ARM board. I develop the embedded programs on my laptop in C/C++, and then transfer the executable to the ARM’s flash memory via USB. Once programmed, the ARM executes the program independently, my laptop is disconnected.

To familiarize myself with the E-blocks, I started programming some simple applications, like a running light. And after that, just for fun, I added security…

Blog at WordPress.com.