Sizing up CVE-2010-1885 Exploit Artifacts

Monday, December 13, 2010 Posted by Corey Harrell 0 comments
There are numerous resources available to assist you during a system examination. A few of them include search engines, blogs, books, forums, and listservs. These resources have helped me gain a better understanding of the data I’m seeing when processing cases. I thought one of the benefits of documenting the exploit artifacts left on a system would be to have a resource that could be referenced during examinations of compromised systems. I felt this would have been helpful during the examination of the system I discussed in the post Anatomy of a Drive-by II. I was unfamiliar with some of the artifacts from the attack against the system and this made it difficult to determine what vulnerability was exploited which lead to the malware being downloaded.

The one area of the attack vector I wasn't as confident about was the exploit used. The examination showed it could have involved Java, Adobe Reader, or the Windows Help Center Vulnerability. This was one of the reasons of why I started documenting the various attack vector artifacts by focusing on exploits instead of the delivery mechanisms. To identify the potential exploit artifacts I’m using the exploits in Metasploit by running the exploits against various test systems in order to see what artifacts are created. The first vulnerability I researched using Metasploit was the CVE-2010-1885 (Windows Help Center vulnerability) explot and the potential artifacts I found are documented here. However, this testing made me question if it’s feasible to use the artifacts left by Metasploit as a reference to compare against the exploits being used in the wild. I wondered if there was enough similarity between the various implementations of exploits (various exploit packs available) to make identifying the various artifacts meaningful. One way to find out is to compare the artifacts left by Metasploit against the artifacts left by an exploit pack being used in the wild. I'm going to be comparing the CVE-2010-1885 exploit artifacts against the system I suspected this vulnerability was exploited by an exploit pack. This will not only help determine the feasibility of using Metasploit to document exploit artifacts but the comparison can also show how useful a reference about attack vector artifacts could be.

Metasploit Potential Artifacts Summary
The potential artifacts of the CVE 2010-1885 exploit included the exploit itself and the changes the exploit caused in the operating system environment. As a reminder, the following is the summary of the five artifact areas and the artifacts located in those areas:

        * Artifact with references to the ASX and iframe variables
            - htm file located in a temporary folder

        * Artifacts associated with the files specified in the ASX and iframe variables being accessed
            - ASX file located in a temporary folder (parname = )
            - htm file containing the iframe pointing to the hcp string
            - Image file located in a temporary folder
            - References to the above artifacts being accessed [Internet Explorer history contained entries of the files being accessed].

        * Folder of interest associated with the exploit
            - Activity involving the helpctr folder

        * Artifacts associated with the hcp protocol
            - Internet Explorer’s index.dat file recorded the activity of the hcp protocol
            - Files located in the Temporary Internet Files folder. Files located in this folder are the same files which were located in the helpctr folder

        * Artifacts associated with the Windows programs executed during the exploit
           - Programs were executed verclsid.exe, helpctr.exe, and helpsvc.exe

Review of the Anatomy of a Drive-by Examination
The comparison will be made using the timeline and image of the system I referenced in the Anatomy of a Drive-by posts. The system will be examined to identify any of the potential artifacts from the Windows Help Center vulnerability being exploited. The bullets below show the attack artifacts I located when I examined this system (I copied the bullets from the drive-by post):

* 09/12/10 06:38:25PM show[1].htm file was created on the system. This file had references to a few of the artifacts (jar file and the Windows Help Center vulnerability). Also, this file was associated with the xhaito[dot]com domain.

* 09/12/10 06:38:35PM The hcp[1].htm file was created on the system. The content of this file is associated with the Windows Help Center vulnerability.

* 09/12/10 06:38:35PM 0.8503427712213907.exe (Hiloti MD5 a06e417b9743e65bbb9ace16d6d3a65f) was created.

To be safe I'm starting the review one minute before 06:38:25PM and five minutes afterwards. I think this timeframe is sufficient to identify if any CVE-2010-1885 exploit artifacts are present. The picture below shows the first portion of the system activity involving the Windows Help center vulnerability.

The xhaito domain was hosting an exploit pack used to compromise the system. There was a hidden iframe in the rain[1].htm that pointed to the xhaito domain (Line 847906) and the PrivacIE entry showed the system visited the malicious domain (Line 847904). The first artifact of the CVE-2010-1885 exploit was the htm file named show[1].htm in the Temporary Internet Files folder (line 847907). Jsunpack was used to examine the htm file when the malicious domain was still active. As a result, not only could you see a reference to an ASX file but the ASX file was actually downloaded as shown below.

I examined the show[1].htm file again to see if there was still a reference to an ASX file when the malicious domain was no longer active. The ASX file wasn’t downloaded but there was still a reference indicating an ASX file was involved.

 The show[1].htm file also had a reference to the htm file containing the hcp string. The entire string was captured by Jsunpack when the malicious domain was still active as shown below.

There was only a reference to the htm file containing the hcp string when the domain was active. This reference can still be used to explain where the htm file came from.

The picture below shows the next portion of the system activity involving the Windows Help Center vulnerability.

 The htm file (hcp[1].htm) referenced in the show[1].htm file was created on the system in the Temporary Internet Files folder (line 847947). The file’s content was obfuscated as shown below.

 I used Jsunpack to examine the file in order to deobfuscate the file’s content. This revealed the hcp string as shown below.

The picture below shows the last portion of the system activity involving the Windows Help Center vulnerability.

The first artifact in the picture occurred on Line 847985 which was a modification to the registry key HKU\Software\Microsoft\MediaPlayer\Health. This same registry key was modified when Metasploit was run against the test systems running Internet Explorer 8. I didn’t find a lot of information about this key but I came across a forum where a person stated Windows Media Player may use this key to determine if the player shut down properly. I ran a few tests using Procmon and found that Windows Media Player creates a subkey in this location with a name similar to {4AC12489-C148-4C7F-9FA0-3C5D8A590E0D} when the player is started. This subkey is deleted when the player shuts down properly but remains if not properly shut down. I consistently saw this behavior in my testing on XP and this registry modification may indicate that Windows Media Player was running. The last artifact was the pchealth\helpctr folder being accessed. This activity occurred on Lines 847993 and 847994.

Potential Artifacts Comparison
The examination was able to locate various artifacts associated with the CVE 2010-1885 exploit. It may not be clear how many of the Metasploit artifacts were actually located on the system. To help this comparison the five Metasploit artifact areas and the artifacts located in those areas are listed below with notes in red highlighting if the artifact was present on the system:

* Artifact with references to the ASX and iframe variables
     - htm file located in a temporary folder *** Artifact not present ***

* Artifacts associated with the files specified in the ASX and iframe variables being accessed
     - ASX file located in a temporary folder (parname = ) *** show[1].htm file with references to an ASX file ***
     - htm file containing the iframe pointing to the hcp string *** show[1].htm file with references to the iframe containing the hcp exploit ***
     - Image file located in a temporary folder *** Artifact not present ***
     - References to the above artifacts being accessed [Internet Explorer history contained entries of the files being accessed] *** Artifact not present ***

* Folder of interest associated with the exploit
     - Activity involving the helpctr folder *** helpctr folder was accessed ***

* Artifacts associated with the hcp protocol
     - Internet Explorer’s index.dat file recorded the activity of the hcp protocol *** Artifact not present ***
     - Files located in the Temporary Internet Files folder. Files located in this folder are the same files which were located in the helpctr folder *** Artifact not present ***

* Artifacts associated with the Windows programs executed during the exploit
     - programs were executed verclsid.exe, helpctr.exe, and helpsvc.exe *** Only artifact present in the timeline of interest was the registry key HKU\Software\Microsoft\MediaPlayer\Health indicating the player was running. Verclsid.exe executed 30 minutes after my timeline of interest ***

Conclusion
As I was going back over the examination of this system I kept thinking how useful this information would have been when I first examined the system. I was still able to identify the CVE-2010-1885 exploit was involved with the attack but I didn’t locate all of the artifacts of this attack such as the helpctr folder activity. Having a resource with this information would have allowed me to see the pattern of this attack in the data. I think this pattern could be helpful even when certain artifacts are not present on the system.

The system didn’t have the entire documented CVE-2010-1885 exploit artifacts present. However, I don’t think the same artifacts would appear between the various exploit packs targeting this vulnerability. For example, a member of the Win4n6 Yahoo group said they located the web browser entries in unallocated space showing activity of the hcp protocol. One of the entries even contained the hcp exploit string. This artifact wasn’t present on the system I examined but this artifact was present on the test system Metasploit was run against. Even with this slight variation, I think the artifacts that are present could be used to determine if this vulnerability was targeted in an attack.

I know this is only one comparison but there appears to be enough similarity between the various implementations of an exploit to make identifying the various artifacts meaningful. Metasploit is one tool that could be used to help identify and document these artifacts.


Thoughts? Comments?

CVE 2010-1885 (Windows Help Center URL Validation Vulnerability) Exploit Artifacts

Monday, December 6, 2010 Posted by Corey Harrell 0 comments
Artifact Name

CVE 2010-1885 (Windows Help Center URL Validation Vulnerability) Exploit Artifacts

Attack Vector Category

Exploit

Description

Vulnerability in the helpctr.exe affects Microsoft Windows XP and Windows Server 2003. Exploitation allows remote attackers to bypass the trusted documents option and execute arbitrary commands using a crafted hcp:// URL.

Attack Description

The following is the sequence of the attack as described by the Seclist Full disclosure reference..

1. Using “an html page, email, document, or other application force a user to fetch an .asx file containing an HtmlView element”. Author mentioned this could be accomplished using the variable: var asx =http://something/something.asx. Also, the author mentioned Windows Media Player could be used in the attack.

2. “From the HtmlView element, invoke the hcp protocol handler that would normally require confirmation”. Author mentioned the hcp protocol can be invoked from within an iframe in an ASX HtmlView element.

3. “From the HCP Protocol handler, bypass the /fromhcp whitelist by using the string miscalculation”. Author mentioned to defeat the whitelist use the following string:

4. “Once the whitelist has been defeated, invoke a help document with a known” cross-site scripting vulnerability. Author mentioned one help document available in a default installation is system/sysinfo/sysinfomain.htm.

5. “Use the defer property of a script tag to execute script in a privileged zone”.

6. “Invoke an arbitrary command using the wscript.shell object”.

Exploits Tested

Metasploit v3.5 ms10_042_helpctr_xxs_cmd_exec

Target System Information

* Windows XP SP3 Virtual Machine with Internet Explorer v8 with administrative user account

* Windows XP SP3 Virtual Machine with Internet Explorer v8 with non-administrative user account

* Windows XP SP3 Virtual Machine with Internet Explorer v7 with administrative user account

* Windows XP SP3 Virtual Machine with Internet Explorer v7 with non-administrative user account

Different Artifacts based on Administrator Rights

No

Different Artifacts based on Tested Software Versions

Yes, different artifacts between Internet Explorer 7 and 8

Potential Artifacts

The potential artifacts include the CVE 2010-1885 exploit and the changes the exploit causes in the operating system environment. The artifacts can be grouped under the following five areas:
      * Artifact with references to the ASX and iframe variables
      * Artifacts associated with the files specified in the ASX and iframe variables being accessed
      * Folder of interest associated with the exploit
      * Artifacts associated with the hcp protocol
      * Artifacts associated with the Windows programs executed during the exploit

Note: the documenting of the potential artifacts attempted to identify the overall artifacts associated with the vulnerability being exploited as opposed to the specific artifacts unique to the Metasploit. As a result, the actual artifact storage locations and filenames are inside of brackets in order to distinguish what may be unique to the testing environment.

      * Artifact with references to the ASX and iframe variables located in a temporary folder
           - htm file located in a temporary folder [Temporary Internet Files folder]. Image below highlights the variables.

      * Artifacts associated with the files specified in the ASX and iframe variables being accessed (the artifacts varied based on the version of Internet Explorer)
           - ASX file located in a temporary folder [Temporary Internet Files folder]. This file invokes the hcp protocol handler through an iframe. In the image below, the iframe is located in the file named [c.html]. The ASX file line containing "REF href" mentions an image file [gif image] which is accessed by the Windows Media Player. This ASX file wasn’t present with Internet Explorer 7.

           - htm file containing the iframe pointing to the hcp string located in a temporary folder [Temporary Internet Files folder]. In the image below, notice the iframe is referencing the sysinfo/sysinfomain.htm document which contains a cross site scripting vulnerability. The iframe is detected by VirusTotal as CVE-2010-1885 exploit.

           - image file [gif image] located in a temporary folder [Temporary Internet Files folder] and files associated with Windows Media Player executing [Windows Media Player prefetch file and registry entries]. These artifacts weren’t present with Internet Explorer v7

           - references to the above artifacts being accessed [Internet Explorer history contained entries of the files being accessed]. In the image below, the ASX filename is lk.asx, iframe is in the file named c.html, the image filename is t.gif, and 192.168.11.200 was the computer running the Metasploit exploit.

     * Folder of interest associated with the exploit
           - There was a lot of activity involving the helpctr folder [C:\WINDOWS\pchealth\helpctr]. The image below shows a portion of this activity involving files being accessed as well as a cache file being created.

     * Artifacts associated with the hcp protocol
           - Internet Explorer’s index.dat file recorded the activity of the hcp protocol. In the image below, notice the iframe located in the 7:18:05PM entry.

          - Files located in the Temporary Internet Files folder. Files located in this folder are the same files which were located in the helpctr folder [C:\WINDOWS\pchealth\helpctr]. This was determined through a comparison of the files’ hashes and the arrows in the image below highlight two of those files.

     * Artifacts associated with the Windows programs executed during exploit
           - The following programs were executed verclsid.exe, helpctr.exe, and helpsvc.exe. The Prefetch folder had files indicating the execution of these programs [C:/WINDOWS/Prefetch/VERCLSID.EXE-3667BD89.pf], [C:/WINDOWS/Prefetch/HELPCTR.EXE-3862B6F5.pf], and [C:/WINDOWS/Prefetch/HELPSVC.EXE-2878DDA2.pf].

Timeline View of Potential Artifacts

The images below shows above artifacts in a timeline created from the Windows XP SP3 Internet Explorer 8 with the administrative user account test system. However, this timeline doesn't include the Internet Explorer history entries.

















References

        Vulnerability Information
            Mitre’s CVE-2010-1885 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1885
            NIST Vulnerability Database CVE-2010-1885 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1885

        Full Disclosure Information
           Seclists Full Disclosure http://seclists.org/fulldisclosure/2010/Jun/205
           Neohapsis Archives http://archives.neohapsis.com/archives/fulldisclosure/2010-06/0197.html
           Microsoft Security and Research Blog http://blogs.technet.com/b/srd/archive/2010/06/10/help-and-support-center-vulnerability-full-disclosure-posting.aspx

        Other Information
           Microsoft Security Bulletin MS10-042 http://www.microsoft.com/technet/security/bulletin/MS10-042.mspx

Reviewing Timelines with Calc

Monday, November 22, 2010 Posted by Corey Harrell 3 comments
At one point I could have been considered a blog stalker. By this I mean I would follow and read numerous blogs without ever providing feedback to the author. I wouldn't contact them offline and I wouldn’t leave a comment on their blogs. The only indication of my presence would appear in the website’s statics as a unique visitor on a certain day. During my stalking days I didn't realize how valuable feedback was to an author about the information they are sharing. I also didn't realize how comments on a blog post could help start discussions or help point to other areas of further research and testing.

I mention this because an anonymous reader asked a question to my post Reviewing Timelines with Excel. The reader wanted to know if Calc (spreadsheet program in the OpenOffice suite) could be used to review timelines similar to Excel. I didn't know the answer to this question since I 'm not that familiar with Calc. However, it was a great question and I wondered how Calc compares to Excel as a tool for reviewing timelines. The purpose of this post is to compare the functionality of Calc against Excel as it relates to reviewing timelines.

The first thing I needed to know before I spent the time testing Calc was the maximum number of rows supported by the program. The maximum number of rows for a spreadsheet program is important for reviewing timelines because all of the timeline data has to included. I didn't want to waste my time testing Calc if it couldn't handle the potential large datasets created by timelines. For example, the timeline I'm using in this post was from a Windows XP SP3 virtual machine that only had Adobe Reader and Java installed. This timeline still had over 100,000 rows. Excel started supporting over a million rows with the release of Excel 2007 (prior versions of Excel only supported about 65,000 rows). The latest version of Calc at the time of this post was version 3.2.1 and this version only supports about 65,000 rows. I attempted to load a timeline into Calc v3.2.1 and the data was truncated to 65,000 rows resulting in half of my data being lost. However, OpenOffice version 3.3.0 is available for download and this version supports over a million rows. (I tested OpenOffice v3.3 Release Candidate 4)

The comparison can be made between Calc and Excel since Calc can handle the large datasets involved with timelines. Calc will be compared to Excel using the different functionality I covered in the post Reviewing Timelines with Excel. The following are the four areas being compared:
     * Importing Data
     * Filters
     * Advanced Filters
     * Find

Side note: I will be using the timeline from the post How Did the System Become Infected Part 2. The keywords I will be using are aaclientt.exe and 75622830.exe since these were two rogue processes identified running on the system. The Excel pictures I'm using as a comparison are from the Reviewing Timelines with Excel post.

Significant Differences
I noticed two significant differences between Calc and Excel 2007 (besides Calc being free while Excel costs money). The first difference was Calc’s ability to support regular expressions in the filter and find functionality. Regular expressions enable you to create more powerful filters or searches. Excel 2007 supports the usage of two symbols in variables when applying a filter or performing a search. The symbols supported are the question mark (?) to represent any single character and the asterisk (*) to represent any series of characters. It appears Excel can support regular expressions using macros but this isn't an option for me (I would prefer to learn Perl or Enscripting instead of Visual Basic which would be needed to write a macro). The help file in Calc outlines all of the expressions supported but the image below shows the first four regular expressions listed in the help file.

The second difference is Calc supports three types of filters while Excel 2007 only supports two filters (filters and advanced filters). The picture below shows the three types of Calc filters.

Importing Data
Timelines in csv files can be opened directly using a spreadsheet program. However, I have had issues with trying to add edits to timelines by directly opening the csv file in Excel. As a result, I started importing the csv file as a comma delimited file. I haven't fully tested Calc so I don't know if the same issue would be encountered but I wanted to compare how Calc imports a csv file. The process in Calc to import a text file as a comma delimited file is very similar to performing the function is Excel. There are only a few slight differences between the two programs as I’ll demonstrate.

To import a csv file select Insert > Sheet From File as shown below.

An Insert window will appear with a browse option which lets you locate and select the file to be imported. Calc will automatically detect the file as a text file and will display the Text Import window. The picture below highlights the options to import the timeline csv file as a comma delimited file. Once the options are selected then OK can be clicked in order to import the data.

For a comparison I included the image of Excel importing a csv timeline as a comma delimited file.

Autofilters
I think the autofilter filter is not useful for reviewing timelines. Autofilter only lets you select a variable from an automatically generated list and there isn't an option to type in your own variable. This is why I think the standard and advanced filters are better choices when working with timelines. I'm still briefly discussing the autofilter functionality in order for the comparison between Calc and Excel to be complete.

To activate the autofilter filter select Data > Filter > Autofilter. A dialog will appear stating there isn't a column header and the first line can be used as the header.

Drop down arrows will appear in the first row when the autofilter is activated as shown below.

To apply a filter, the drop down arrow has to be used in the column the filter is being applied to. To test the functionality I applied a filter to the File Name column. The picture below shows the automatically generated values that can be used in the filter.

Notice in the picture above that the entire data in the File Name column has to be used for the filter. I think this isn't feasible for reviewing timelines because it will only show the rows with that exact value. I usually want to apply filters using keywords since this will show me all of the rows containing the variable. For example, selecting the value HKCU-Administrator only shows the rows containing that exact value as shown below (notice the slight change in the drop down menu indicating a filter is applied).

To remove the filter select Data > Filter > Remove Filter.

The picture below shows autofilter icon being shaded indicating the filter is turned on. To deactivate the autofilter select Data > Filter > Autofilter.

Standard Filter
Calc's standard filter is the equivalent of Excel's regular filter. However, Calc has the ability to filter on eight different variables combining them with or/and operations while Excel only supports filtering on two variables. As I stated previously, Calc also has the ability to support regular expressions in filters. I think the combination of regular expressions and eight different variables makes Calc a viable alternate to Excel's filter functionality including Excel’s advanced filters using less than eight variables. Accessing the standard filter option (select Data > Filter > Standard Filter) brings up the Standard Filter window as shown below.

A standard filter has three parts which are field name (column to filter on), condition, and value (variable). To demonstrate functionality of a standard filter I will apply a filter for aaclient to the file name column. To select the file name column use the drop down arrow in the Field Name box as shown below.

The condition I'm using is the contains option since it will show all of the rows containing the variable aaclient. The picture below shows the various conditions that could be used in filters.

 Lastly, the variable aaclient has to be typed into the Value box. The filter I'm applying to the timeline only has one variable but Operator’s drop down menu enables up to eight variables to be included in a filter. The picture below shows the two operations available.

At this point this point the filter is configured and can be applied by pressing the OK button. The picture below shows a portion of the timeline with this filter applied.

The filter I demonstrated was pretty basic so it didn't show all of options available in standard filters. These options can be accessed by using the More Options button located in the bottom left of the Standard Filter window. The picture below shows the additional options (note: the regular expressions option needs to be selected in order to use regular expressions).

As I mentioned previously, Calc's standard filter is the equivalent of Excel's regular filter but Calc has additional options. The Calc Standard Filter window above can be compared to Excel's Custom Autofilter window below in order to see the differences between the two programs.

Advanced Filter
Calc's advanced filter is the equivalent of Excel's advanced filter. With the exception of Calc supporting regular expressions, the advanced filter functionality between both programs is very similar. Just like Excel, a database has to be setup in a worksheet in order to use advanced filters. The top row with the column names can be copied and pasted into an area of the worksheet not containing timeline data. The picture below shows I setup the database two rows below the timeline data.

The advanced filters in Calc work the same way as Excel. The variable(s) is placed under the column(s) to be filtered on and variables can be combined using the and/or operations. The and operation is when both variables are on the same row while the or operation is when the variables are on different rows.

Side note: To apply an advanced filter using the contains condition requires the symbols for any series of characters to enclose the variable. In Excel the asterisk (*) symbol was used and the final variable looks like *this*. In Calc two symbols have to be used to accomplish this. The first symbol is the period (.) since it represents any character while the second symbol is the asterisk (*) since it finds zero or more characters of what is preceding the asterisk. The final variable looks like .*this.*

Applying a filter is similar to Excel. Variable(s) are placed under the desired column then any cell containing timeline data is selected followed by selecting the advanced filter (Data > Filter > Advanced Filter). The picture below shows the Advanced Filter window containing a filter. This filter will only display rows containing a newly created file and the word aaclientt.

In the Advanced Filter window above, notice the filter criteria matches the filter in the database (A165360:H165361). The filter contains regular expressions so the regular expressions option must be selected using the More button. The picture below shows the option being selected.

The filter can be applied once the filter criteria is verified and all desired options are selected. The picture below shows the timeline data with the filter applied.

To continue demonstrating the similarity between Calc and Excel's advanced filters I'll show the timeline data with two filters applied. The picture below is the timeline data with a filter containing an and statement applied (I included the advanced filter window so the filter criteria can be seen).

The picture below is the timeline data with a filter containing an or statement applied (again the advanced filter window was included in the screenshot).


Find
Calc supports the ability to find the next instance of a variable or to find all instances of a variable. The find next option in Calc is very similar to Excel but the find all option in Calc doesn't provide you with a quick method for reviewing all of the rows with the variable(s) like Excel. I will first demonstrate the find next functionality then I will demonstrate the find all functionality. To access Calc’s find and replace functionality you can use CTRL + F, select Edit > Find & Replace, or click the find and replace icon (binoculars image) as shown below.

The picture below shows the options available in the Find and Replace window. Similar to the filters, the regular expression option must be selected if the variable contains regular expressions. The Find button is used to find the next instance of the variable while the Find All button will find all instances of the variable in the timeline.

The picture below shows how Calc finds the next instance of the variable aaclient.

The similarities between Calc and Excel can be seen by comparing the picture above with the below picture of Excel’s find next window.

Using the same variable, I selected the Find All button to demonstrate this functionality. The only visible difference with using find all is the background color of the box containing the variable changes.

You have to browse the timeline in order to find the other instances of the variable. I think this is a significant difference compared to Excel because the manual browsing makes it more challenging when working with a large dataset since a row could be overlooked. The picture below shows two other rows containing the variable aaclient.

Calc’s find all functionality is the one area I felt was lacking when compared to Excel. Excel provides a way to quickly locate all of the instances which makes examining the timeline faster and more efficient. The picture below shows how Excel provides this ability to quickly locate rows containing the variable being searched for.

Conclusion
Every tool has its advantages and disadvantages. In one instance a tool may better suit your needs while in a different situation another tool may be the better option. Calc is just another tool that can be used to review timelines and it will have a place in my toolbox.

I wanted to thank the anonymous reader for posting their comment. Not only did I find the comparison of Calc and Excel to be interesting but I also learned how to review timelines with the program.
Labels: ,