Keyboard properties:

Keyboards are the most important tool of some one who works with computers, it’s my primary way of input into the system. Which is why I’m very picky about it. The physical keyboard structure/layout itself is important, but so is the software side of things too; and it’s these little things that can drive me mad.

So here’s my preferred settings on the keyboard properties:

Do the following:

<Win> + <R> → “control keyboard” → <Enter>

Then adjust the following settings:

Repeat delay: Short
Repeat rate: Fast

The blink rate should be around 3/4, but never the fastest as that gets distracting very quickly.


For my mechanical keyboard it also doesn’t have a right context menu key, so I fixed this with an AutoHotkey script this mimics the functionality of it by replacing the right Ctrl key with it instead. The script runs at startup, and has become muscle memory to me now. I also have other AutoHotkey scripts or keyboards that don’t have media keys.

I’ll probably get around to finding a better keyboard at some point, as I tend to have far too many shortcuts for specific tasks I use every day. There are a lot of dealer breakers out there though for me.

Mouse Trackpad Properties:

Although I really dislike using the mouse to do work, there are times I need to for specific tasks. Sometimes the software doesn’t have adequate support for keyboard bindings, sometimes website developers just don’t like people who only use keyboards for browsing. However the trackpad on laptops (at least this one on the ASUS UX303) just make it an entire pain to work with.

Again with some of the basic properties:

<Win> + <R> → “control keyboard” → <Enter>

Cursor shadow: Enabled


That’s about as much as I can say about trackpads, as laptop seem to come with their very own software/firmware which they never get right. Well they did (Looking at the classic Think Pads, or even the Macbook Pros), but then they redesign them and it’s a true deal breaker.

This guy understands the frustration for professionals who use computers as tools to get work done.


Came across a website that when it detects you have and ad blocker enabled, it would change the font of the entire page to comic sans.



This has been bugging me for literally years; it’s the save dialog box for notepad++.

The default one is not very nice…

21-07-2015 19-39-44-558


Now this is so much better!

21-07-2015 19-43-52-476

How To:

TCHAR * FileDialog::doSaveDlg() 
	::GetCurrentDirectory(MAX_PATH, dir); 
	//_ofn.lpstrInitialDir = dir;

	NppParameters * params = NppParameters::getInstance();
	_ofn.lpstrInitialDir = params->getWorkingDir();


	//_ofn.Flags |= OFN_ENABLEHOOK; // Comment this line out.
	_ofn.lpfnHook = OFNHookProc;

	TCHAR *fn = NULL;
	try {
		fn = ::GetSaveFileName(&_ofn)?_fileName:NULL;
		if (params->getNppGUI()._openSaveDir == dir_last)
			::GetCurrentDirectory(MAX_PATH, dir);
	} catch(std::exception e) {
		::MessageBoxA(NULL, e.what(), "Exception", MB_OK);
	} catch(...) {
		::MessageBox(NULL, TEXT("GetSaveFileName crashes!!!"), TEXT(""), MB_OK);


	return (fn);

Recompile and that’s it!

I found this solution once on the source forge np++ forums years ago, with no other comments and very little views. Then the issue/solution came up again after the whole merge to GitHub due to the bad practices of SF. Hopefully it will finally be recoded and put into the release build soon. For now I’m keeping this so it’s easier to find/reference.


I reformatted my computer, and took myself upon a challenge. If the source is available, and I can’t compile it, I can’t install/use it. It’s going pretty damn well too!

Except there’s one thing that always strikes a nerve in me. Why advertise that your project is all open source and advertise it under an open source license, but then not provide any links or ideas on where to get the source from. I don’t usually come across this situation often, but damn is it annoying when I do.

Please, if one of your main advertising points is “OPEN SOURCE!” then please add a link to where to get the source code from.


Today I made a python script that can extract the master boot record from devices connected to the computer. It’s not very great, but it’s an achievement for me.

While developing a filetype search toolkit (more to come of that in a later post), my  acting as managing director advised me on making a cross platform master boot record (MBR) analyser. At first I was set back to the thought of making one, I’ve never dealt with extracting such low level data from a computer before; without the use of commercial forensic tools anyway. I’ve done some basic analysis on MBRs before, locating the partitions, and building up an image of what the partitions would look like in a visual way given their partition locations and sizes.

The first decision was what programming language to use. At first, it was C++, with the thought that it’s cross platform compatible, and no doubt allows the ability to read the MBR. Downsides of course, means a lot of code to not blow my leg off with the pit falls of C++. There was some pieces of code around that is able to extract the MBR with C, but it needed some modification for my own requirements. The initial plan was that the program would extract the MBR into a file, then the user could upload the file to the filetype search toolkit, which would then analyse it and show graphical results. Then I started to see some pit falls, making the program work for windows was easy, but then to also work on Linux, and OSX was when I decided to jump off C++ and think of an alternative language. There was just too much code writing platform checks, than actual code that did the job I wanted.

So a new language… Python! Why didn’t I go with python to begin with? It’s cross compatible (to an extent), supports a GUI (tkinter), and doesn’t need to be recompiled for each platform. I think the main reason I didn’t go with python to begin with is because I wasn’t 100% sure of its capabilities. So after a few hours browsing around, I found a few techniques on how to extract the MBR which I could then analyse. Awesome! Time to start programming. A few more hours past, debugging, testing, cleaning up code, restructuring code execution layout, more testing, and manual MBR analysing just because I found it interesting being able to view the MBR on all my devices. Here’s a screenshot of what was happening:


This picture shows quite a lot of information. It shows a MBR of physicaldrive6 (the SanDisk Cruzer USB memory stick), list of disk drives, the SanDisk Cruzer properties, Samsung SSD properties (more on that later), a calculator, and the Administrator Command Prompt showing the bytes per sector for the SanDisk Cruzer (as well as the remains of the output of the MBR extractor. So what really went on in this image? Well, after running the MBR extractor upon all paths known (yes, I know, it’s trying to get the MBR from osx/linux directories, the program isn’t complete yet for platform detection), it outputs *.mbr files for each drive. You can download the PhysicalDrive6.mbr here to follow along. Now lets do some analysis on it!

Open the file up in your favourite hex editor, in my case it was wxHexEditor since it supports a feature that allows tagging bytes to a colour and giving them a name (very useful for this kind of thing; an alternative is HxD. In the next picture there are five blocks highlighted, the first four are the partitions, the last is the MBR boot signature 0x55 0xAA. The last four bytes of the first partition are highlighted red, this represents the number of sectors (in little endian; so read them backwards!).


Lets shamelessly plug these numbers into our programmers calculator and see how many sectors there are:


Now we know how many sectors there are, lets find out how many bytes are stored within a sector:


So now we know there are 15630336 sectors, and within each sector is 512 bytes. The next logical step is to multiply the values together to get total available bytes: 15630336 * 512 = 8002732032B
You can go further and divide it into number of kilobytes now: 8002732032 / 1024 = 7815168KB
and further for number of megabytes: 7815168 / 1024 = 7632MB
once more to gigabytes: 7632 / 1024 = 7.453125GB
or the shameless way: (including the 1000 trick of marketing bytes)


and that’s how you determine the size of a partition! What else is there?


The first byte 0x80 means it’s a bootable partition, the next three bytes are the start of the cylinder/head/sector (CHS), the 0x0B is the partition type code for WIN95 OSR2 FAT32, the next three bytes are the end of the CHS, another four bytes for the logical block address (LBA) and then finally as we covered, the number of sectors.

The CHS and LBA will be for another post… But now you can do basic analysis of a master boot record!

Also here’s a (incomplete) script of the MBR extractor python source code. Use it at your own risk!

I’ll do some more development on this script as I have more bugs to kill features to implement in the future, as well as how to incorporate it into the filetype search toolkit currently under development.


Python Chat Client DevLog

During the process of the networks and security module at university we have been given the push to work towards a single server, multi-client application where the server would hold all the logic, and the clients simply connect and play games. So as a simple development log of my current progress, here’s a screenshot of the multiple clients connecting to a single server that will echo the messages received back to the client that sent it.


The top left window is the server, and then 4 clients that are connected to it, of which each client is able to send a message and receive the echo response back at any time. This is the main backbone of the system in place, however due to the differences between the Windows and UNIX operating systems and how the std/IO is handled, an alternative (but still cross compatible) method of approach will be implemented to support a complete chat room.

In the mean time while working on the new client part to support a chat room, I created a GUI in python which will soon be ready to connect to the server and receive/display responses in a well formatted manner. Here is a current sneak peek as to what it will look like.



With auto scrolling text, simple connection status report, button and keyboard enter binding support to send the text, it’s a simple interface that will soon directly connect to the server.

Quick Edit:

Here’s a screenshot of what it looks like when clients connect and drop from the server at different times.



The hard disk drive provides a means of storing data persistently within a computer system; In computer forensics this would be called non-volatile memory. By abusing the techniques used to store data on the drive, it is possible to hide data, a sort of anti forensics. Detecting if there is hidden data can easily be achieved by comparing the reported space available on the drive to the actual space on the drive itself. If a physical drive of 120GB is partitioned to only 80GB, then where is the other 40GB? That 40GB could be used by the user as a container for hidden files, alternatively it could be used as a recovery means which were setup by the factory for prebuilt systems. This topic can be put into another blog post however, as first it’s vital to understand the key components of a HDD on a physical level, in the next post on this topic I will talk about the logical side of how data is stored on this medium.

The following diagram illustrates the internal components of a generic HDD. All modern HDDs have this very similar layout, where differences may be the physical size, number of platters, or slight variation to the layout/shape to the components.
physical components

Data is magnetically stored on the platter with the use of positive/negative charges to differentiate between the values 1 and 0 which represent bits on a computer system. The platter rotates around the spindle which can reach speeds ranging from 5400 RPM (Rotations Per Minute) and 15,000 RPM. These bits of data are written to the platter by the read/write head; this component can only perform the reading of bits from the platter, or writing to it by applying a charge; it can not do both in synchronous. The read/write head is attached to the actuator arm which pivots on the actuator axis. This allows the head to move along the platter surface as it spins. This movement is controlled by the voice recoil actuator which functions by passing a electrical current through it; depending on the strength of the current, determines how much the arm moves. When the device is powered down, the actuator arm goes to it’s parking location. This is so the read/write head does not scratch the surface of the platter when it’s not in use. Some modern hard drives implement a free fall monitor that detects when the device is being dropped or moved suddenly; this then controls the actuator arm to go to the resting position to prevent any damage from occurring during operation of the device. The platter is prone to damage from very small particles, which could lead to severe data loss and because of this reason an air filter is put in place to keep the enclosed environment as clean as possible during operator to catch these particles.

This post covers only a brief overview of the physical components of the hard disk drive storage medium. In later posts I will write about file systems which is the data structure computer systems use to organise and store data.


While in university I am learning about network security. I’ve finally being forced to learn the python language, at least to a competent level. So here’s a simple port scanner that I threw together as one of my first actual scripts in python.

Selec All Code:
# Simple port scanner
# Change the ipAddress to the destination to scan
import concurrent.futures as concftr
import socket as sk
# destination to scan
ipAddress = ""
# range to scan
rangeMin = 0
rangeMax = 1000
# list of all open ports
openPorts = []
# maximum number of threads/connections
connectionsMax = 200
def Scan(port):
	s = sk.socket(sk.AF_INET, sk.SOCK_STREAM)
		#s.connect((s.gethostname(), port))
		s.connect((ipAddress, port))
		print(str(port) + " open")
		s.shutdown() # networking etiquette
	except: pass
if __name__ == "__main__":
	print("Port scanner 3000\n")
	with concftr.ThreadPoolExecutor(max_workers=connectionsMax) as executor:
		executor.map(Scan, range(rangeMin, rangeMax))
	f = open("ports.txt", "w")
		f.write("Open ports on IP: " + ipAddress + "\n")
		for x in openPorts:
			f.write(str(x) + "\n")
		print("Error writing to file!")



In computer forensic investigation there are varying modes to committing a crime. New technology will create new crimes that we have never before imagined.

The computer could be the object of the crime, such as if it were to be stolen or destroyed.

The computer could be the subject of a crime, such as if it had contained a malicious software that would collect the users details which could be used for fraud.

The computer could be the tool of the crime, where the act of a crime is performed through the use of a computer like forging documents, or gaining access to another computer through a network.

The computer could also be the symbol of a crime such as a hoax to frighten individuals; even if the computer does not exist.

Useful resources

Parliament Office Science Technology Post Note

Computer Crime and Computer Fraud – University of Maryland – Crime Study – [page 7]

Cyber Crime – Computers As Targets Or Criminal Tools

Computer and Intrusion Forensics

Digital Evidence and Computer Crime – Forensic Science, Computers and the Internet – Eoghan Casey



Network enumeration – Research the target.

Vulnerability analysis – Detect how to attack the target.

Exploitation – Compromise the system.

A Standard Intrusion Scenario

Reconnaissance – Network enumeration and vulnerability analysis.

Exploitation – The intruder launches their attack.

Reinforcement – Escalate privileges, import tools onto the victim, hide their presence. May even patch the vulnerability to prevent other hackers from their “territory”.

Consolidation – Verify the reliability of the attack, then “run silently”; not connecting to the victim for some length of time.

Pillage – The intruder executes their ultimate plan.