
Thread: Call for tools..that people ACTUALLY use

  1. #1
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672

    Call for tools..that people ACTUALLY use

    The title says it all.

    Give me the following:

    a link to download from
    name of the program
    the specific purpose of it
    any possible commentary on it


    Please only give me tools that you use or have used in the past.
    Antionline in a nutshell
    "You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"

    Trust your Technolust

  2. #2
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,915
    Hey Hey,

    I use and really enjoy SectorSpy... It has two versions, SectorSpy98 and SectorSpyXP...
    Link: http://www.sofotex.com/SectorSpyXP/9...oad_L7531.html


    I can't remember how, or where, I initially stumbled across it... it was prolly on here... but it lets you go over your hard drives and floppies sector by sector, so that you can view the raw data....

    Peace,
    HT

  3. #3
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897
    Restoration
    For recovering files from slack space
    http://www3.telus.net/mikebike/RESTORATION.html

    Disk Investigator
    For looking at slack space.
    http://www.theabsolute.net/sware/dskinv.html

    Forensic Toolkit
    From Foundstone
    http://www.foundstone.com/index.htm?...ic-toolkit.htm

    Fport
    For live investigations, finding out what’s listening on ports.
    http://www.foundstone.com/index.htm?...desc/fport.htm

    Netport
    For live investigations, finding out what’s listening on ports.
    http://softgears.com/netport.html

  4. #4
    AO übergeek phishphreek
    Join Date
    Jan 2002
    Posts
    4,325
    Irongeek: nice selection, I use those myself.

    http://www.sysinternals.com/ntw2k/utilities.shtml
    Too many to name... and they do a good enough job at describing them.

    EnCase, not cheap... but great.
    http://www.guidancesoftware.com/prod...sic/index.shtm

    Some sort of hardware write blocker so you can be sure nothing has been changed while mirroring.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  5. #5
    Senior Member
    Join Date
    Mar 2004
    Location
    Colorado
    Posts
    421
    http://www.data-recovery-software.net/

    R-Studio

    Not great for legal purposes but it downright just works for recovering lost / hidden files.
    The network version allows you to mount volumes over the network, which is a feature I really like.



    http://www.remote-exploit.org/?page=auditor

    Auditor Security Collection

    A KNOPPIX-STD type of boot linux with some fun software including an evidence locker.
    NOT great but worth a look.

  6. #6
    Just to name a few off the top of my head

    Nmap
    Fport
    Hping2
    Cheops
    Etherape <<--I really like this one, anybody know of any programs with the same look but more granular options?
    SMAC
    Snort, ACID
    ngrep
    netsed <<--really fun if you're the default gateway and somebody like say your sister is running AIM

    That's what I've been playing with lately; there are many more, a lot of them are on insecure.org's top 100. Hope this helps some.

    -Jonesy

  7. #7
    Some Assembly Required ShagDevil
    Join Date
    Nov 2002
    Location
    SC
    Posts
    718
    For my Win 2K server, I like
    ShareWatch - a small program that monitors who's connected, what shares they're using, what files they're using, etc.
    TCPView - a simple program that monitors all connections, applications connected, remote addresses, etc.
    There are better descriptions on the links I provided (both are linked to webattack.com where I downloaded them from).
    The object of war is not to die for your country but to make the other bastard die for his - George Patton

  8. #8
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    Hate to point this out, but a large number of these apps really don't apply to forensics. Now I understand hogfly wasn't specific in his original post, but it seems to me that this was posted in the Computer Forensics forum for a reason. Fport and Netport aren't really reliable, I don't see how many of these tools could be used for forensic analysis. Network monitors sure, provided they aren't run on the compromised machine.

    I haven't done much forensics, but the little I've toyed with has been accomplished via linux and a hex editor (I was using xxd, which seems to be native to most linux distributions).
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  9. #9
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    I was debating about posting this... but I figure it's best to...

    chsh is right.
    I was looking for forensics tools (I figured that since the post was in this forum, and I am the moderator of it, it would be clear), but since I consider forensics a broad topic I'd like to open it up to:

    Incident Response tools
    Forensic analysis tools

    This is a list of tools that I've compiled for my incident response toolkit. This is for incident response only, and most of it should not be used for forensics work. If anyone wants the raw set of tools, just ask me, and we'll work out the transfer. It's roughly 70MB.


    #Hogfly's Incident Response CD
    #Last updated 8/11/04


    #Contents
    #Clean Versions Of:

    arp.exe
    cmd.exe
    ipconfig.exe
    nbtstat.exe
    net.exe
    net1.exe
    netsh.exe
    netstat.exe
    nslookup.exe
    ping.exe
    ping6.exe
    recover.exe
    reg.exe
    sc.exe
    sort.exe
    tracert.exe
    tskill.exe
    gdisk.exe #symantec ghost gdisk -similar to fdisk, but more powerful.

    Other Utilities:

    dd.exe #Windows port of *nix dd
    findexe.exe #Finds executables without .exe extensions
    filealyz.exe #Installer for FileAnalyzer, hex viewer for file contents and properties
    listdlls.exe #list current dll's in use
    Systemtools.exe #Sysinternals system tools installer
    cryptcat.exe #Twofish encrypted netcat
    bintext.exe #Search for strings in a file
    filewatch.exe #file modification monitor
    fport.exe #map PID to tcp/udp port
    ntlast.exe #security log analyzer
    showin.exe #show windows information, reveal passwords
    patchit.exe #a binary file byte patching utility
    visionsetup.exe #report all open tcp and udp connections and map them to an application or PID


    Directories:

    \Atstake

    nc.exe #Good ole' netcat, if you can't find a use for it, then you shouldn't be using this cd.
    nbtdump.exe #Dump netbios information from computers
    rpcdump #Dumps sun rpc information same as running rpcinfo -p <host> from *nix

    \Diamond_CS
    apt.exe #Advanced Process termination
    cmdline.exe #show processes at the command line with path to executable
    httpget.exe #similar to wget
    openports.exe #show open tcp/udp ports mapped to PID
    passdump.exe #dump hidden passwords
    pwreveal.exe #reveal applications passwords
    regprot.exe #check registry for startup applications
    rpadmin.exe #manage regprot
    sendmail.exe #send mail from the command line


    \Forensic_tools

    \davory #forensic data recovery--trial version
    davory.exe #data recovery
    \forensic_aquisition #Tools by George Garner Jr. http://users.erols.com/gmgarner/forensics/
    dd.exe #build 1033
    md5lib.dll #md5 checksum implementation in a dll
    md5sum.exe #md5sum utility
    volume_dump.exe #dump volume information
    wipe.exe #sterilizes media prior to duplication
    zlibu.dll #zlib library
    nc.exe #modified version of netcat
    getopt.dll #posix getopt function in a dll

    \FTK #Foundstone's forensic toolkit
    afind.exe #list files without altering the timestamp
    hfind.exe #scan for hidden files
    sfind.exe #scan for hidden data streams
    filestat.exe #dump file and security attributes
    hunt.exe #null session attempts
    daclchk.exe #NTFS DACL ACE order detector
    audited.exe #NTFS SACL reporter

    \winhex-e #windows hex editor
    winhex.exe #Forensic hex editor

    tct-1.15.tar #The Coroner's Toolkit--Linux

    \foundstone
    \galleta #Cookie examiner
    galleta.exe #Examine IE cookies

    \pasco #Internet Explorer examination
    pasco.exe #Examine IE history (can get deleted files)

    \rifiuti #Recycle bin examination
    rifiuti.exe #Examine info2 file in the recycle bin




    \lynx #command line browsing
    cp.exe #copy files
    lynx.exe #command line browser --when internet explorer can't be trusted
    mv.exe #move files
    sendmail.exe #send email from the command line

    \scanning
    sl.exe #command line port scanner
    superscan4.exe #Super scan port scanner

    \Spyware_removal
    aawpersonal.exe #lavasoft's Adaware personal edition
    Hijackthis.exe #Analyzer for possible spyware, trojans etc..
    spybotsd13.exe #Spybot S&D


    \Sysinternals
    accessenum.exe #enumerate file,registry,directory access
    adrestore.exe #restore deleted active directory objects
    bginfo.exe #show computer information in the background
    diskview.exe #graphical volume analyzer-cluster analysis
    filemon.exe #real time file monitor
    livekd.exe #Microsoft kernel debugging on a live system
    loadord.exe #show load order for drivers and services
    logonsessions.exe #show who is logged on and how
    ntfsinfo.exe #NTFS Information gatherer
    pagedfrg.exe #Page file defragger
    portmon.exe #Port monitor
    procexp.exe #process explorer
    psexec.exe #execute a command remotely
    psfile.exe #list remotely opened files
    psgetsid.exe #get sid of computer or user
    psinfo.exe #get process information
    pskill.exe #kill processes
    pslist.exe #list processes
    psloggedon.exe #show logged on users
    psloglist.exe #dump event logs
    pspasswd.exe #change password
    psservice.exe #show current services
    psshutdown.exe #shut down computers
    pssuspend.exe #suspend or resume processes
    regmon.exe #realtime registry monitor
    sdelete.exe #secure delete

    \Trojan_removal
    cleaner41.exe #30 day trial of moosoft's the cleaner
    tauscan.exe #trial of Agnitum's tauscan
    tds3setup.exe #trial of trojan defense suite

    \Unxutils
    \usr\local\wbin
    Various unix utilities ported to windows.
    -Very helpful!

    I'll share my forensics toolkit once I compile a list of what I have. There will be overlaps with this list.
    Antionline in a nutshell
    "You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"

    Trust your Technolust

  10. #10
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    Hogfly, that's quite a list.

    I'm not involved in forensics but I have done a little data recovery. Anyway, this is what I have used with some success:

    Knoppix STD.
    Norton Undelete.
    Encase ver3

    Other Tools

    TDS3 Licenced (comes with netstat, ping, tracert, whois, lanscan and lots more)
    Spybot
    Adaware
    Ps Tools
    Most of Symantec's Worm Removal Tools
    Blaster/sasser patch from MS
    A few vbs scripts. Get ip, bios info, installed software, etc (from technet script repository)
    Nmap
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry
