Archive for category IT

Mickyj Whitehat series now has an email list

The YouTube Mickyj Whitehat series is getting quite a following.

I have decided to back it up with an email list.

If you subscribe to the list, I will send you a copy of a PDF with my top 10 Dynamic malware analysis tools.

If you refer 5 people to the list, I will send you my Static analysis tools list.

Go to and click the blue email hat to go to the sign up page !

Please consider joining me !

Ever overlook the obvious ?

I have a fancy Webcam. I know it is no longer the best compared to the latest in HD technology.

I like the way it works and I hate throwing out technology (unless it is correctly recycled).

It is from the old XP days and of course, I am no longer using XP. I have a Logitech Quickcam Orbit.

I plug it in and Windows says it is installing new hardware. It can’t find a driver.

It is listed under Device manager as an “Unknown device”.

I plug, re-plug, reboot and hunt for drivers.

I download various Logitech drivers and start my hunt on the internet.

Then I notice just how many other people with the same camera are also hunting for drivers.


This looks like a lost case.


After trying to avoid being scammed by various third party driver download websites, hours of searching, I am about to throw my webcam out.

All my Logitech installers fail to run as they are not designed for the latest Windows.


There is something I overlooked. Something so simple I am ashamed to admit it. Running an application in Windows compatibility mode.


I downloaded “qc1051enu_x64.exe” from Logitech, right click – properties – set the compatibility to Vista SP2.

Right click “Run as administrator”, it installs.

I reboot, I now have a Logitech Quickcam Orbit again !


Like many things in life, try not to overlook the obvious.

Microsoft gave us a great feature but I was so fixated on the problem, I could not see the solution.


Recovering failed RAID set on failed Netgear ReadyNAS NV+ series

I have been presented with a failed NETGEAR NAS. The unit is not powering on. We replaced the power supply and it is still not working.

There are 4 disks in the NAS in XRAID format. How are we going to get the data back?

NETGEAR quoted quite a large (estimated) cost to recover the data. They warned us not to try putting the drives into another unit, as that unit will likely blank them ready for new use.

We have to pull the drives, attach them via SATA (we actually used powered USB adaptors) and use data recovery software.

First, we need to know a little about NETGEAR NAS units.

NETGEAR is one of the well-known NAS vendors. Inside its ReadyNAS devices disks are combined into a RAID and used to store data, plus provide a variety of other storage-related services.
All these functions are controlled by a Linux-based operating system inside the NAS, which NETGEAR calls “NAS OS”. NETGEAR devices can be divided into two groups.

The first group includes the devices released before 2013 with operating system versions prior to NAS OS 6. In these “old” NETGEAR devices data storage is organized in the following way – disks are cut into partitions which are combined into a RAID with md (Linux RAID), and then md-arrays are combined into a single LVM volume. As for filesystem, Linux ext4 is used in such configurations.

The second group includes devices that use NAS OS 6, released in 2013 or later (Or units with upgraded firmware). In modern NETGEAR NASes data is stored in another way. Disks are still combined into a RAID using md, but the next level is BTRFS filesystem rather than LVM.

This unit is using BTRFS.
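As an added example (not code from the original post or from NETGEAR), the two decoders below read the on-disk signatures of the NAS OS 6 layout described above, md (Linux RAID) members carrying BTRFS, so you can confirm what the pulled disks actually hold, read-only, before they go to recovery software. It assumes md v1.2 metadata (superblock 4 KiB into each member) and the primary BTRFS superblock 64 KiB into the assembled array; the sample images are constructed.

```python
"""Read-only identification of the containers on a pulled ReadyNAS disk.

Added example, not code from the original post or from NETGEAR. Assumed:
md v1.2 metadata (4 KiB into a member) and the primary BTRFS superblock
64 KiB into the assembled array; both sample images are constructed.
"""
import struct
from typing import Optional

MD_MAGIC = 0xA92B4EFC        # struct mdp_superblock_1.magic, little-endian
MD_SB_OFFSET = 4096          # v1.2 metadata location on each member
BTRFS_MAGIC = b"_BHRfS_M"
BTRFS_SB_OFFSET = 0x10000    # primary BTRFS superblock at 64 KiB
MD_LEVELS = {0: "raid0", 1: "raid1", 5: "raid5", 6: "raid6", 10: "raid10"}


def parse_md_superblock(member: bytes) -> Optional[dict]:
    """Decode the md v1.2 fields needed to put the set back together."""
    sb = member[MD_SB_OFFSET:MD_SB_OFFSET + 256]
    if len(sb) < 256 or struct.unpack_from("<I", sb, 0)[0] != MD_MAGIC:
        return None
    level, _layout = struct.unpack_from("<II", sb, 72)
    chunk_sectors, raid_disks = struct.unpack_from("<II", sb, 88)
    data_offset, = struct.unpack_from("<Q", sb, 128)   # 512-byte sectors
    return {
        "set_uuid": sb[16:32].hex(),
        "set_name": sb[32:64].split(b"\0", 1)[0].decode(errors="replace"),
        "level": MD_LEVELS.get(level, str(level)),
        "raid_disks": raid_disks,
        "chunk_bytes": chunk_sectors * 512,
        "data_offset_bytes": data_offset * 512,
    }


def parse_btrfs_superblock(volume: bytes) -> Optional[dict]:
    """Decode the primary BTRFS superblock of an assembled array image."""
    sb = volume[BTRFS_SB_OFFSET:BTRFS_SB_OFFSET + 4096]
    if len(sb) < 555 or sb[64:72] != BTRFS_MAGIC:
        return None
    total_bytes, bytes_used = struct.unpack_from("<QQ", sb, 112)
    num_devices, = struct.unpack_from("<Q", sb, 136)
    return {
        "fsid": sb[32:48].hex(),
        "total_bytes": total_bytes,
        "bytes_used": bytes_used,
        "num_devices": num_devices,
        "label": sb[299:555].split(b"\0", 1)[0].decode(errors="replace"),
    }


def build_samples() -> tuple:
    """Constructed images: one raid5 member, and the array it would form."""
    member = bytearray(MD_SB_OFFSET + 256)
    struct.pack_into("<III", member, MD_SB_OFFSET, MD_MAGIC, 1, 0)
    member[MD_SB_OFFSET + 32:MD_SB_OFFSET + 42] = b"nas:data-0"
    struct.pack_into("<II", member, MD_SB_OFFSET + 72, 5, 2)      # raid5
    struct.pack_into("<II", member, MD_SB_OFFSET + 88, 128, 3)    # 64 KiB, 3 disks
    struct.pack_into("<Q", member, MD_SB_OFFSET + 128, 2048)      # data 1 MiB in
    volume = bytearray(BTRFS_SB_OFFSET + 4096)
    volume[BTRFS_SB_OFFSET + 64:BTRFS_SB_OFFSET + 72] = BTRFS_MAGIC
    struct.pack_into("<QQQQ", volume, BTRFS_SB_OFFSET + 112, 4 * 10**12, 10**12, 256, 1)
    volume[BTRFS_SB_OFFSET + 299:BTRFS_SB_OFFSET + 303] = b"data"
    return bytes(member), bytes(volume)
```

On striped levels such as the 3-disk RAID 5 the post suspects, the BTRFS superblock lives in the assembled array's address space, so run the second decoder on the rebuilt array image rather than on a single member.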

So what is BTRFS and why should I care ?

BTRFS is a Linux filesystem which is sometimes used in ready-made NAS devices. Starting with 2013 NETGEAR switched to BTRFS as the main filesystem in their NETGEAR ReadyNAS devices. Synology NAS vendor uses BTRFS filesystem in some devices as well. BTRFS has many features like copy-on-write, checksumming, and creating snapshots designed to protect against data loss; however, you can still lose data, most probably to a software bug.

What to expect from BTRFS recovery

BTRFS uses copy-on-write feature, meaning that when you edit a file BTRFS does not delete previous data, but writes changes to the new place instead. Because of this, file fragmentation is possible, slowing down file copying. The same copy-on-write feature also leads to another difficulty – the recovery time will be quite long, since the software has to analyze different versions of files and other metadata to choose the latest one. However, in the end the recovery quality tends to be fairly good.

What software did we try ?

  • Get back Data – RAID reconstructor
  • Get back Data – NAS Data Recovery
  • Rstudio
  • ReclaiMe File recovery

We tried RAID reconstructor and it failed to locate a RAID. Even with manual settings, it found nothing. We could have selected stripe size, RAID sort order and more for days, and got nowhere.

We tried NAS Data Recovery and even though it supports NETGEAR, it failed to locate a RAID. Even with manual settings, it found nothing. Same as RAID Reconstructor.

We tried Rstudio (Many online people said they had success). Nothing. At one point, it even locked up.

We downloaded the trial for ReclaiMe and within seconds, it found the BTRFS container and started showing files. It was super quick.

As soon as we had a file tree, we started to save files out. I noted that the percentage in the toolbar was still at 0.3% scanned. Apparently we had all the files we needed, but the software keeps scanning for scattered metadata in case it cannot find anything in the initial scan. After 3 days, it got to 1.8% scanned and found nothing new. I also noted a drive was powering down (must have been a 3 disk RAID 5 with a spare).

We are big fans of the Getback data tools and Rstudio. They work very well. It just goes to show there is no one specific tool to fix all problems. Glad we kept looking for a solution and found ReclaiMe.

After so much time wasted with Getback data and Rstudio it made sense to give up. After seeing ReclaiMe find data in mere seconds, maybe the easy option of giving up is not always the correct action !


My experience with data recovery service – Australia – Payam Data Recovery

Being an IT guy, every time a client’s hard disk fails and they don’t have a backup, I share their pain and run home to make sure I back everything up.

This means I try to be prepared and don’t trust hard disks as my sole backup. Due to the high number of drive failures I see, I get a regular dose of fear and injection of pain.

As it turns out, between backing up my devices, backing up my USB drives, burning some items to DVD disk and some in the cloud …. I forgot something important.

Yes, it’s a disk of irreplaceable data.

Most of the drives out there, USB or internal, are mechanical and can suffer mechanical fault. There are many faults where you can recover data, and quite a few where you can’t.

There are many data recovery services out there and Payam Data Recovery are one of the best (With specialist cleanrooms and the like).


Their services seem to cost a lot for the average person but, compared to the chance of getting your important data back, are very inexpensive.

They are too expensive* for a one off test. They are too expensive* to simply try out so we can tell you how good they are.

*As far as data recovery goes, they are not expensive. It’s all relative and depends on what you want to pay to get your data back. There are consumables and experts involved in the data recovery. A clean room is used and much more.
Really, you are getting a bargain, it’s just that the amounts can be large and people have gotten used to using the word “expensive”.

How fortunate are you, that I have had a disk failure and I am paying for the recovery and am here to tell you about my experience (at no cost to you).

Calling them was the easy part. They were very professional on the phone. They explained things in great detail and made sure I knew exactly what I was in for.

They gave me options and reassured me. I signed up on the website and received a job number, an address to send my well-packed drive to and loads of information about what to expect.

I was already very impressed. They then assessed my drive for free, then gave a quote estimate. (They quote devices on a case by case basis. They provide a free assessment over 1-2 business days and quote based on the issue.)

As my fault was mechanical, the quote started at $1,500 AUD. The drive needed to head off to the clean room.

Payam need to purchase identical donor drives and start transplanting parts. They gave me options of the economical recovery (Done in their time) or the super fast service (Starts at $4,000 AUD). They then offered to sell me an external USB hard disk to return the data on.

All the while, keeping me informed and giving me options.

They charged me $500 for their initial attempt fee (which would form part of the overall cost). This is not refundable regardless of the outcome and covers the attempt time, labour, effort, the expertise of their class-100 clean room data recovery team and the cost of as many donor drives/spare parts as required to get the best possible result. They usually use 2-3 sets of heads.

Again, they fully explained to me what was happening. Not once was I left alone and in the dark.

When the bad news arrived, I had crashed heads and the recovery had failed, I was at peace. I knew where I was, I knew it was a possible outcome and extremely happy with their service.

My story turned out not so good, but their success rate is very high. I have held onto my dead drive in case recovery techniques improve.

Would I recommend these guys? Absolutely.

What are crashed heads ?

The mechanism that floats just above the surface of the drive with the platter spinning past at 7200 revolutions per minute, is a head. A vibration, mechanical failure or heat can cause the head to make contact, crashing into the drive platter.

This is a normal drive platter


This is a crashed head platter with an engraved line where the heads were resting as the platter spun past


Why should I do an extensive vehicle check before going off road? (Why should I maintain servers?)

For work, and pleasure, my company car is equally happy on or off road. Why should I be constantly looking over a smoothly running car?

When I go to install a new server or software application for a client, I always audit the site, look for the unknowns and basically “kick the tyres“.

After a server has been in for some time, again, I go and “kick the tyres”.

So many times people tell me, if I am going off-road in my car, be sure to “kick the tyres”.

They are of course referring to checking tyre pressures, fluid levels and that everything is tied down and working.

Just as with IT, people get complacent with car maintenance. When something happens over and over, they get lax and are not as thorough with their checks.

I have been rock sliding, river crossing, sand duning, beach driving and climbed/performed various dangerous treks in the outback. Every time, I checked everything over.


Until recently, I found nothing wrong.


I have had countless trips (thousands of kilometres on hard and challenging terrain) and it was not until my most recent trip was being planned that this kicking of the tyres paid off.

I have been back from my last trip about 4 weeks. I was cleaning the mud from under the car and noticed that two bolts in the undercarriage, which hold the bash plates in place, had been sheared off.

I got out my trolley jack to jack up the car; the main pin in the trolley jack was missing, having worked its way loose and fallen somewhere. I was then fitting my long-handled shovel to the roof, and the 100 mm carry pipe moved.

The two metal brackets that hold it in place were missing. Obviously they vibrated off on the undulating roads I was travelling. I then opened the carry pipe and pulled out my 3 metre sand flag … in pieces. The assembly which makes it quick fit to the front bar was in pieces.

Then I noticed the muck in the spotlight protector and the missing Kangaroo scarer on the front of the car.

Yes, this last trip had a lot to answer for.


None of this was immediately obvious and I had been driving like this. “It was like I was operating a server that was about to crash and burn, losing a business lots of time and money, due to lack of maintenance”.

Yes, this is like a server with a drive about to fail, a temperature a little wrong, a failed Microsoft update about to install at next reboot or some other non obvious lurking issue.

You need to poke and prod a server. You need maintenance. It does not matter that the last 10 maintenance checks were clear of faults !

In my situation, the bash plate could have completely come loose and flung up, killing someone. The carry pipe could have slid forward and caused an accident or death. The trolley jack could have failed when the car was up in the air and I was under it. The sand flag could have snapped and gone through my window. The missing Roo scarer …. I could have hit a Kangaroo. The spot lights … I would have lacked light at night.

All problems that could have occurred, but were averted due to maintenance, were very serious.

My life, your life and others around you are important. In your business, your staff, clients and livelihood are important. You have commitments. If you want to continue making your commitments on time and keep running your infrastructure … Kick your server’s tyres.





Warning: Correspondence from “Harcourt Management LLP”

If you have received any faxed correspondence from “Harcourt Management LLP”, in relation to a supposedly unclaimed inheritance, Bin it. It is a scam.

I see loads of people online asking questions as to the legitimacy of this fax. It is a fake. Key words to check:

  • Edward Baach JD
  • Harcourt Management LLP
  • Harclaw
  • HarclawLLP
  • Gilmoora house
  • Fax +44 207 806 8315
  • Ph +44 742 403 1888
  • Mark Dewing of 89 Nile Road, Bunbury, Western Australia as the registrant of

Don’t communicate as per the directions on the fax. They will ask you to fly over to London to sign paperwork and from there, who knows but it will end badly.

Scams are getting more and more sophisticated. They are getting trickier to detect and look more convincing.

I have personally received such a scam this week and after research online, I can see that this scam is just starting to occur and is more widespread than I thought.
It is for this reason that I am bringing this to your attention and am going to tell you how I confirmed it is a scam.

Always remember,

If it is too good to be true, it’s likely not true!

That should be your first test. Is what you have received bordering on the unlikely, unbelievable and unfathomable?

At our office, we have received a fax. (Not an email, a fax). It is directed at me and refers to very real family heritage in the UK.
It promises big rewards and no risk (First test fail!).

It is a directed attack. They have the correct name, correct fax number and correct family lineage.
They have done some research.

Please refer to this image (A copy of the fax). See if it fails your first test.

I am on a number of historical websites, my name is on our Business website and so is the business fax number. This could still be a real fax offer.
So why do I suspect it is not real? Lessons for you to use in any scam that comes your way!

I will mark items on this list which can be checked by an IT person. Not all of this will easily be reviewed by a non IT person.

Firstly, why did I get this fax? Why not my Father, Cousins, Uncles? Surely someone else other than myself would be in line to receive any money before me?

  • Locating the website on the paperwork (, emailing the email addresses on the website, many of the emails bounce (mailbox unknown). A real company would not let their info@ email address bounce.
  • Looking at the registration for the website, it was registered 28 days ago. The website has stamps on it from 2011 (IT Help required)
  • Looking at the web html code in their website, I can clearly see that the website has been ripped from someone else website and had the text changed. (IT Help required)(From the source code, it seems the design was a template taken from
  • The lady justice logo on the fax looks grainy, not at all professional.
  • The fax changes through a few fonts on the fax. Not professional.
  • No mention of where the deceased person concerned actually worked or what the Top insurance agency was.
  • The fax comes from the UK and the stamp on the fax confirms this however, the fax report printed at the printer showed an Australian number.
  • The website was registered by someone in Western Australia. (IT Help required)
  • The Western Australian registrant comes up in Google as hosting other scam sites
  • Looking up the law society in the UK (in Google), Harcourt Management LLP does not exist. ( )
  • Googling Edward Baach JD, he does not exist (At least not as a barrister or solicitor)
  • Reputable businesses rarely communicate via a Gmail account. Especially when they have business addresses
  • Mixing Gmail and email addresses on the same fax looks bad
  • Gmail account with “2020” in the email address looks wrong for a business.
  • Overuse of exciting logos barcodes, rubber stamps and watermarks.
  • There are two different contact phone numbers on the fax. Googling brings up neither. Law firms would advertise their numbers.
  • The website is very sparse. It was very recently registered (IT Help required)
  • There is no online mention or obituary for Arthur Jenkin. Being such a wealthy person, surely there would be something in a newspaper.
  • There is no reference to a person of this name, in London or working for any energy company. (In Google)
  • My family name in the fax is in bold, it has an unusual amount of spaces after it (looks like a mailmerge).
  • LinkedIn found the company name – they are in real estate, not law
  • Searching more for the company, , the address that comes up does not match
  • Emailed Gilmoora house (Address on the Fax), they say there is no tenant of that name
  • Googled and found others online trying to establish whether this guy was a scammer
  • I Emailed the staff listed on the website staff page (using secondary contact information I found from google). Each one said they did not work there and their images and credentials are being fraudulently used.
  • Clicking Edward Baach JD on the website goes to a William Baach ?
  • This fax was Highly confidential yet faxed to a business with 12 people to read it before it got to my desk … how could he expect a fax to be a secret?
  • The servers for the website are in Russia (IT Help required). It is a 28-day-old domain, situated in the Russian Federation. The domain is linked to the IP address
    Registration details show that it was registered on 10 Apr 2018 through pdr ltd. d/b/a and will expire on 10 Apr 2019.
    The site returns a status code of 404. The site is being served through nginx/1.9.12.

So, without a doubt this is a scam. I played along. I emailed the address, only to be told to please use Gmail.
I reviewed the email header (IT Help required) and noted that they are using an email platform called Zoho; it is hosted email in the UK and is often used for spam attacks.

I then made contact via Google Gmail. I reviewed the email header (IT Help required) and noted that Google lists the email as being from a Russian address and also that webmail was used to send it.

This just further adds evidence to this being a huge scam.
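The checklist above and the header review just described can be scripted for the "IT Help required" items. As an added example (not part of the original post), the code below walks the Received: chain of a reply to find the originating host and whether it was sent through webmail, compares the sender's domain with the Reply-To address (a "law firm" steering replies to a Gmail account), and works out domain age from a WHOIS creation date. The headers, hostnames, addresses and dates are constructed; the webmail test ("with HTTP" in a Received: line) is a heuristic.

```python
"""Offline triage of a follow-up email to a suspicious "inheritance" fax.

Added example, not part of the original post. Headers and dates below are
constructed; hostnames use the reserved .invalid TLD.
"""
import re
from datetime import date
from email import message_from_string
from typing import List, Optional

FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
IPV4 = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def received_hops(raw: str) -> List[dict]:
    """Received: headers oldest-first, with the claimed host and its IP."""
    msg = message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):  # stored newest-first
        text = " ".join(hdr.split())                     # unfold the header
        m = re.match(r"from (\S+)(?: \(([^)]*)\))?", text)
        ip = IPV4.search(m.group(2) or "") if m else None
        hops.append({"host": m.group(1) if m else None,
                     "ip": ip.group(1) if ip else None,
                     "webmail": " with http" in text.lower()})  # heuristic
    return hops


def address_domain(addr: Optional[str]) -> str:
    """Domain part of 'Name <user@domain>' or a bare address, lower-cased."""
    m = re.search(r"@([A-Za-z0-9.-]+)", addr or "")
    return m.group(1).lower() if m else ""


def domain_age_days(whois_created: str, seen_on: str) -> int:
    """Days between the WHOIS creation date and the day the fax arrived."""
    return (date.fromisoformat(seen_on) - date.fromisoformat(whois_created)).days


def triage(raw: str, whois_created: str, seen_on: str) -> dict:
    """Collect the red flags as booleans; the score is how many fired."""
    msg = message_from_string(raw)
    hops = received_hops(raw)
    from_dom, reply_dom = address_domain(msg["From"]), address_domain(msg["Reply-To"])
    age = domain_age_days(whois_created, seen_on)
    flags = {
        "reply_to_is_freemail": reply_dom in FREEMAIL,
        "reply_to_differs_from_sender": bool(reply_dom) and reply_dom != from_dom,
        "sent_via_webmail": any(h["webmail"] for h in hops),
        "domain_under_90_days_old": age < 90,
    }
    return {"origin": hops[0] if hops else None, "domain_age_days": age,
            "flags": flags, "score": sum(flags.values())}


# Constructed sample: two hops, the first of which is a webmail session.
SAMPLE = """\
Received: from mail.example-firm.invalid (mail.example-firm.invalid [198.51.100.7])
\tby mx.recipient.invalid with ESMTPS; Thu, 10 May 2018 09:12:01 +0800
Received: from webmail.example-firm.invalid ([203.0.113.45])
\tby mail.example-firm.invalid with HTTP; Thu, 10 May 2018 01:11:40 +0000
From: Claims Department <claims@example-firm.invalid>
Reply-To: <claims.inheritance2020@gmail.com>
Subject: Re: Unclaimed estate
"""
```

Run `triage(SAMPLE, "2018-04-10", "2018-05-08")` to see all four flags fire on the constructed sample, with the domain 28 days old and the originating hop at 203.0.113.45.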

The person replying was doing so in broken English. I would suspect that this is not how a lawyer would respond.
In communication with the remote person, they tried to put the pressure on to allow them to sign documents in my name, documents unseen.
They also wanted my banking details. They then wanted me to fly to the UK next week to meet with him. (All designed to put pressure on me and stop me thinking clearly).

I asked the person if family living in London could meet with him as my proxy; he said no, although the fax stated he only came to me due to my last name. Weird. Surely a local “Jenkin” would be better.
He has now tried to convince me to set up my own Gmail as it is more confidential.

I am still in communication and gathering as much detail as I can for a Police case.

I have taken this a lot further than the average person however, this has become the classic example of what to look out for.

Hopefully this will help you all be careful with scams and be able to detect them early or, after further research, determine that they are a scam.

Always remember,

If it is too good to be true, it’s likely not true!