-
September 29th, 2004, 11:08 PM
#1
Call for tools..that people ACTUALLY use
The title says it all.
Give me the following:
a link to download from
name of the program
the specific purpose of it
any possible commentary on it
Please only give me tools that you use or have used in the past.
Antionline in a nutshell
"You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"
Trust your Technolust
-
September 29th, 2004, 11:19 PM
#2
Hey Hey,
I use and really enjoy SectorSpy... It has two versions SectorySpy98 and SectorySpyXP...
Link: http://www.sofotex.com/SectorSpyXP/9...oad_L7531.html
I can't remember how, or where, I initially stumbled across it... it was probably on here... but it lets you go over your hard drives and floppies sector by sector, so that you can view the raw data....
Peace,
HT
-
September 30th, 2004, 12:07 AM
#3
Restoration
For recovering files from slack space
http://www3.telus.net/mikebike/RESTORATION.html
Disk Investigator
For looking at slack space.
http://www.theabsolute.net/sware/dskinv.html
Forensic Toolkit
From Foundstone
http://www.foundstone.com/index.htm?...ic-toolkit.htm
Fport
For live investigations, finding out what’s listening on ports.
http://www.foundstone.com/index.htm?...desc/fport.htm
Netport
For live investigations, finding out what’s listening on ports.
http://softgears.com/netport.html
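Added example, not code from any poster in this thread: what the "slack space" that Restoration and Disk Investigator look at actually is, shown in Python over a constructed volume. A file system allocates whole clusters, so the tail of a file's last cluster keeps whatever was written there earlier; deleting a file only unlinks its directory entry and leaves the data. The cluster size, the "deleted" memo and the shopping list below are all made up for the example.

```python
"""Slack space on a constructed volume: a file system hands out whole
clusters, so the tail of a file's last cluster keeps whatever was written
there before (here a file that was 'deleted', which only unlinks the
metadata and leaves the data in place).

Added example for the thread above; the volume, cluster size and file
contents are constructed, not taken from any real disk."""
import re

CLUSTER = 512          # constructed geometry; NTFS defaults to 4096 bytes


def clusters_needed(size, cluster=CLUSTER):
    """Whole clusters a file of `size` bytes occupies (0 for an empty file)."""
    return (size + cluster - 1) // cluster


def slack_range(start_cluster, size, cluster=CLUSTER):
    """Byte offsets [begin, end) of the slack behind a file that starts at
    `start_cluster` and is `size` bytes long. Empty range when the file
    exactly fills its last cluster."""
    n = clusters_needed(size, cluster)
    begin = start_cluster * cluster + size
    end = (start_cluster + n) * cluster
    return begin, end


def read_slack(volume, start_cluster, size, cluster=CLUSTER):
    """The bytes a 'view the file' tool never shows but a sector viewer does."""
    begin, end = slack_range(start_cluster, size, cluster)
    return bytes(volume[begin:end])


def strings(data, minlen=4):
    """bintext/strings-style scan: runs of printable ASCII >= minlen long."""
    pattern = rb"[\x20-\x7e]{%d,}" % minlen
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def build_volume():
    """Eight-cluster volume. An old memo fills clusters 0-2, gets 'deleted',
    then a 693-byte shopping list is written at cluster 0 (uses clusters 0-1).
    Returns the volume and the new file's (start_cluster, size)."""
    vol = bytearray(8 * CLUSTER)
    memo = b"DELETED MEMO: wire $40,000 to account 9921-55 on Friday. "
    old = (memo * 30)[: 3 * CLUSTER]
    vol[0:len(old)] = old
    # delete = forget the directory entry; nothing on disk is zeroed
    new = b"shopping list: eggs, milk, bread\n" * 21   # 693 bytes
    vol[0:len(new)] = new
    return vol, (0, len(new))


if __name__ == "__main__":
    vol, (start, size) = build_volume()
    print("slack range:", slack_range(start, size))      # (693, 1024)
    for s in strings(read_slack(vol, start, size)):
        print("recovered:", s[:60])
```

The shopping list ends at byte 693, its last cluster ends at byte 1024, and the 331 bytes in between still hold the memo. A sector-by-sector viewer like SectorSpy shows that region directly; a recovery tool just automates the offset arithmetic above for every file on the volume.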
-
September 30th, 2004, 01:56 AM
#4
Irongeek: nice selection, I use those myself.
http://www.sysinternals.com/ntw2k/utilities.shtml
Too many to name... and they do a good enough job at describing them.
EnCase, not cheap... but great.
http://www.guidancesoftware.com/prod...sic/index.shtm
Some sort of hardware write blocker so you can be sure nothing has been changed while mirroring.
Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
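Added example, not code from any poster or vendor here, of the discipline behind the write blocker mentioned above and behind imaging with dd: hash the source, image it block by block, hash the image, hash the source again. The "drive" is a constructed in-memory stand-in that includes one simulated unreadable sector, because that is the case where the image cannot be verified against the media by hash alone and the acquisition notes must record which offsets were zero-filled.

```python
"""Bit-for-bit acquisition with hash verification, in Python over a
constructed 'drive'. Models `dd if=... of=... bs=512 conv=noerror,sync`:
unreadable blocks are replaced with zeros (noerror), a short final block is
padded (sync), and every offset that was zero-filled is recorded.

Added example for the thread; the device contents and the bad block are
constructed, not real evidence."""
import hashlib

BLOCK = 512


class SourceDevice:
    """Stand-in for a drive behind a write blocker: read-only bytes plus a
    set of block numbers whose reads fail."""

    def __init__(self, data, bad_blocks=()):
        self._data = bytes(data)
        self._bad = set(bad_blocks)

    def nblocks(self):
        return (len(self._data) + BLOCK - 1) // BLOCK

    def read_block(self, n):
        if n in self._bad:
            raise IOError("read error at block %d" % n)
        return self._data[n * BLOCK:(n + 1) * BLOCK]


def acquire(dev, image=None):
    """One pass over the device. With image=None it only hashes (the
    'md5sum the raw device before and after' step); with a bytearray it
    also appends the image. Returns digest, size and zero-filled offsets."""
    h = hashlib.sha256()
    bad_offsets = []
    for n in range(dev.nblocks()):
        try:
            blk = dev.read_block(n)
        except IOError:
            blk = b""
            bad_offsets.append(n * BLOCK)
        blk = blk.ljust(BLOCK, b"\0")        # sync: pad short/failed reads
        h.update(blk)
        if image is not None:
            image += blk
    return {"sha256": h.hexdigest(), "bytes": dev.nblocks() * BLOCK,
            "bad_offsets": bad_offsets}


def sha256_hex(data):
    return hashlib.sha256(bytes(data)).hexdigest()


SAMPLE = bytes(range(256)) * 32          # 8192 bytes = 16 blocks, constructed


def make_device(bad_blocks=()):
    return SourceDevice(SAMPLE, bad_blocks)


def verified_acquisition(dev):
    """Hash before, image, hash after. Returns (report, image, consistent);
    consistent is True only if all digests agree AND no block had to be
    zero-filled, i.e. the blocker held and the image equals the media."""
    before = acquire(dev)["sha256"]
    image = bytearray()
    report = acquire(dev, image)
    after = acquire(dev)["sha256"]
    consistent = (before == report["sha256"] == after == sha256_hex(image)
                  and not report["bad_offsets"])
    return report, bytes(image), consistent


if __name__ == "__main__":
    report, image, ok = verified_acquisition(make_device())
    print(report["sha256"], report["bytes"], "consistent:", ok)
    report, image, ok = verified_acquisition(make_device(bad_blocks=[5]))
    print("zero-filled at offsets", report["bad_offsets"], "consistent:", ok)
```

The before/after hashes of the source are what prove the blocker did its job; with a bad sector the image hash is still reproducible, but it is a hash of the zero-filled image, not of the media, and the offset list is what lets a reviewer reconcile the two.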
-
September 30th, 2004, 02:14 AM
#5
http://www.data-recovery-software.net/
R-Studio
Not great for legal purposes but it downright just works for recovering lost / hidden files.
The network version allows you to mount volumes over the network, which is a feature I really like.
http://www.remote-exploit.org/?page=auditor
Auditor Security Collection
A KNOPPIX-STD type of boot linux with some fun software including an evidence locker.
NOT great but worth a look.
-
September 30th, 2004, 02:17 AM
#6
Just to name a few off the top of my head
Nmap
Fport
Hping2
Cheops
Etherape <<--I really like this one, anybody know of any programs with the same look but more granular options?
SMAC
Snort, ACID
ngrep
netsed <<--really fun if you're the default gateway and somebody, like say your sister, is running AIM
That's what I've been playing with lately; there are many more, a lot of them are on insecure.org's top 100. Hope this helps some.
-Jonesy
-
September 30th, 2004, 03:47 AM
#7
For my Win 2K server, I like
ShareWatch - a small program that monitors who's connected, what shares they're using, what files they're using, etc.
TCPView - a simple program that monitors all connections, applications connected, remote addresses, etc.
There are better descriptions on the links I provided (both are linked to webattack.com where I downloaded them from).
The object of war is not to die for your country but to make the other bastard die for his - George Patton
-
September 30th, 2004, 04:05 AM
#8
Hate to point this out, but a large number of these apps really don't apply to forensics. Now I understand hogfly wasn't specific in his original post, but it seems to me that this was posted in the Computer Forensics forum for a reason. Fport and Netport aren't really reliable; I don't see how many of these tools could be used for forensic analysis. Network monitors sure, provided they aren't run on the compromised machine.
I haven't done much forensics, but the little I've toyed with has been accomplished via linux and a hex editor (I was using xxd, which seems to be native to most linux distributions).
Chris Shepherd
The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
Is your whole family retarded, or did they just catch it from you?
-
September 30th, 2004, 04:21 AM
#9
I was debating about posting this..but I figure it's best to..
chsh is right.
I was looking for forensics tools (I figured that since the post was in this forum, and I am the moderator of it, it would be clear), but since I consider forensics a broad topic I'd like to open it up to:
Incident Response tools
Forensic analysis tools
This is a list of tools that I've compiled for my incident response toolkit. This is for incident response only, and most of it should not be used for forensics work. If anyone wants the raw set of tools, just ask me, and we'll work out the transfer. It's roughly 70MB.
#Hogfly's Incident Response CD
#Last updated 8/11/04
#Contents
#Clean Versions Of:
arp.exe
cmd.exe
ipconfig.exe
nbtstat.exe
net.exe
net1.exe
netsh.exe
netstat.exe
nslookup.exe
ping.exe
ping6.exe
recover.exe
reg.exe
sc.exe
sort.exe
tracert.exe
tskill.exe
gdisk.exe #symantec ghost gdisk -similar to fdisk, but more powerful.
Other Utilities:
dd.exe #Windows port of *nix dd
findexe.exe #Finds executables without .exe extensions
filealyz.exe #Installer for FileAnalyzer, hex viewer for file contents and properties
listdlls.exe #list current DLLs in use
Systemtools.exe #Sysinternals system tools installer
cryptcat.exe #Twofish encrypted netcat
bintext.exe #Search for strings in a file
filewatch.exe #file modification monitor
fport.exe #map PID to tcp/udp port
ntlast.exe #security log analyzer
showin.exe #show windows information, reveal passwords
patchit.exe #a binary file byte patching utility
visionsetup.exe #report all open tcp and udp connections and map them to an application or PID
Directories:
\Atstake
nc.exe #Good ole' netcat, if you can't find a use for it, then you shouldn't be using this cd.
nbtdump.exe #Dump netbios information from computers
rpcdump #Dumps sun rpc information same as running rpcinfo -p <host> from *nix
\Diamond_CS
apt.exe #Advanced Process termination
cmdline.exe #show processes at the command line with path to executable
httpget.exe #similar to wget
openports.exe #show open tcp/udp ports mapped to PID
passdump.exe #dump hidden passwords
pwreveal.exe #reveal applications passwords
regprot.exe #check registry for startup applications
rpadmin.exe #manage regprot
sendmail.exe #send mail from the command line
\Forensic_tools
\davory #forensic data recovery--trial version
davory.exe #data recovery
\forensic_aquisition #Tools by George Garner Jr. http://users.erols.com/gmgarner/forensics/
dd.exe #build 1033
md5lib.dll #md5 checksum implementation in a dll
md5sum.exe #md5sum utility
volume_dump.exe #dump volume information
wipe.exe #sterilizes media prior to duplication
zlibu.dll #zlib library
nc.exe #modified version of netcat
getopt.dll #posix getopt function in a dll
\FTK #Foundstone's forensic toolkit
afind.exe #list files without altering the timestamp
hfind.exe #scan for hidden files
sfind.exe #scan for hidden data streams
filestat.exe #dump file and security attributes
hunt.exe #null session attempts
daclchk.exe #NTFS DACL ACE order detector
audited.exe #NTFS SACL reporter
\winhex-e #windows hex editor
winhex.exe #Forensic hex editor
tct-1.15.tar #The Coroner's Toolkit--Linux
\foundstone
\galleta #Cookie examiner
galleta.exe #Examine IE cookies
\pasco #Internet Explorer examination
pasco.exe #Examine IE history (can get deleted files)
\rifiuti #Recycle bin examination
rifiuti.exe #Examine info2 file in the recycle bin
\lynx #command line browsing
cp.exe #copy files
lynx.exe #command line browser --when internet explorer can't be trusted
mv.exe #move files
sendmail.exe #send email from the command line
\scanning
sl.exe #command line port scanner
superscan4.exe #Super scan port scanner
\Spyware_removal
aawpersonal.exe #lavasoft's Adaware personal edition
Hijackthis.exe #Analyzer for possible spyware, trojans etc..
spybotsd13.exe #Spybot S&D
\Sysinternals
accessenum.exe #enumerate file,registry,directory access
adrestore.exe #restore deleted active directory objects
bginfo.exe #show computer information in the background
diskview.exe #graphical volume analyzer-cluster analysis
filemon.exe #real time file monitor
livekd.exe #Microsoft kernel debugging on a live system
loadord.exe #show load order for drivers and services
logonsessions.exe #show who is logged on and how
ntfsinfo.exe #NTFS Information gatherer
pagedfrg.exe #Page file defragger
portmon.exe #Port monitor
procexp.exe #process explorer
psexec.exe #execute a command remotely
psfile.exe #list remotely opened files
psgetsid.exe #get sid of computer or user
psinfo.exe #get process information
pskill.exe #kill processes
pslist.exe #list processes
psloggedon.exe #show logged on users
psloglist.exe #dump event logs
pspasswd.exe #change password
psservice.exe #show current services
psshutdown.exe #shut down computers
pssuspend.exe #suspend or resume processes
regmon.exe #realtime registry monitor
sdelete.exe #secure delete
\Trojan_removal
cleaner41.exe #30 day trial of moosoft's the cleaner
tauscan.exe #trial of Agnitum's tauscan
tds3setup.exe #trial of trojan defense suite
\Unxutils
\usr\local\wbin
Various unix utilities ported to windows.
-Very helpful!
I'll share my forensics toolkit once I compile a list of what I have. There will be overlaps with this list.
Antionline in a nutshell
"You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"
Trust your Technolust
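Added example for hogfly's CD above, not his own scripts: the list carries "clean versions of" netstat.exe, cmd.exe, dd.exe, md5sum.exe and so on, and the one thing the list cannot show is how you prove they are still clean when you use them. The pattern is to build a manifest of hashes on a trusted workstation when the CD is mastered, keep it with the case notes, re-verify the kit before running anything on the suspect box, and log the hash of the tool next to the hash of each output it produces. The directory and the three fake "tools" below are constructed in a temp directory; the real CD and its file names are only assumed.

```python
"""Known-good manifest for an incident response CD like the one listed
above, and a re-check before any of it is trusted on a suspect box.

Added example for the thread, not hogfly's own scripts; the directory and
the three fake 'tools' are constructed in a temp directory."""
import hashlib
import os
import tempfile
import time


def hash_file(path):
    """MD5 (what md5sum.exe on the CD would give) plus SHA-256, because an
    MD5 collision is cheap and a manifest should not rest on it alone."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            md5.update(chunk)
            sha.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest(),
            "size": os.path.getsize(path)}


def build_manifest(root):
    """Hash every file under root, keyed by forward-slash relative path."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def verify_manifest(root, manifest):
    """Diff the tree against a manifest built earlier. All three lists
    empty means the kit is byte-identical to the mastered CD."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest
                           if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }


def toolkit_is_trusted(root, manifest):
    r = verify_manifest(root, manifest)
    return not (r["modified"] or r["missing"] or r["added"])


def evidence_record(label, output, tool_rel, manifest, host):
    """Case-log entry tying a piece of collected output to the exact binary
    that produced it (KeyError if the tool is not in the manifest)."""
    return {
        "ts_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "host": host,
        "label": label,
        "tool": tool_rel,
        "tool_md5": manifest[tool_rel]["md5"],
        "output_sha256": hashlib.sha256(output).hexdigest(),
        "output_bytes": len(output),
    }


def demo():
    """Constructed stand-in for the CD: three fake tools, then one of them
    tampered with. Returns (root, manifest, verification result)."""
    root = tempfile.mkdtemp(prefix="ircd_")
    os.makedirs(os.path.join(root, "Sysinternals"))
    fake = {"netstat.exe": b"MZ clean netstat", "dd.exe": b"MZ clean dd",
            "Sysinternals/pslist.exe": b"MZ clean pslist"}
    for rel, body in fake.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as f:
            f.write(body)
    manifest = build_manifest(root)           # done on the clean workstation
    # later, on a writable copy of the kit, netstat.exe has been swapped
    with open(os.path.join(root, "netstat.exe"), "wb") as f:
        f.write(b"MZ trojaned netstat")
    return root, manifest, verify_manifest(root, manifest)


if __name__ == "__main__":
    root, manifest, result = demo()
    print("trusted:", toolkit_is_trusted(root, manifest), result)
    print(evidence_record("netstat -an", b"Active Connections\n",
                          "dd.exe", manifest, "suspect-host"))
```

On a real kit the manifest is built once from the read-only CD and stored off the CD; if the verify step reports anything at all, the kit is not the one you mastered and nothing on it should be run against the host.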
-
September 30th, 2004, 05:58 AM
#10
Hogfly, thats quite a list.
I'm not involved in forensics but I have done a little data recovery. Anyway, this is what I have used with some success:
Knoppix STD.
Norton Undelete.
Encase ver3
Other Tools
TDS3 Licenced (comes with netstat, ping, tracert, whois, lanscan and lots more)
Spybot
Adaware
PsTools
Most of Symantec's Worm Removal Tools
Blaster/sasser patch from MS
A few vbs scripts. Get ip, bios info, installed software, etc (from technet script repository)
Nmap
What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry