The title says it all.
Give me the following:
a link to download from
name of the program
the specific purpose of it
any possible commentary on it
Please only give me tools that you use or have used in the past.
Hey Hey,
I use and really enjoy SectorSpy... It has two versions, SectorSpy98 and SectorSpyXP...
Link: http://www.sofotex.com/SectorSpyXP/9...oad_L7531.html
I can't remember how, or where, I initially stumbled across it... it was prolly on here... but it lets you go over your hard drives and floppies sector by sector, so that you can view the raw data....
Peace,
HT
Restoration
For recovering files from slack space
http://www3.telus.net/mikebike/RESTORATION.html
Disk Investigator
For looking at slack space.
http://www.theabsolute.net/sware/dskinv.html
Forensic Toolkit
From Foundstone
http://www.foundstone.com/index.htm?...ic-toolkit.htm
Fport
For live investigations, finding out what’s listening on ports.
http://www.foundstone.com/index.htm?...desc/fport.htm
Netport
For live investigations, finding out what’s listening on ports.
http://softgears.com/netport.html
Irongeek: nice selection, I use those myself. :)
http://www.sysinternals.com/ntw2k/utilities.shtml
Too many to name... and they do a good enough job at describing them.
EnCase, not cheap... but great.
http://www.guidancesoftware.com/prod...sic/index.shtm
Some sort of hardware write blocker so you can be sure nothing has been changed while mirroring.
http://www.data-recovery-software.net/
R-Studio
Not great for legal purposes but it downright just works for recovering lost/hidden files. The network version allows you to mount volumes over the network, which is a feature I really like.
http://www.remote-exploit.org/?page=auditor
Auditor Security Collection
A KNOPPIX-STD type of boot linux with some fun software including an evidence locker.
NOT great but worth a look.
Just to name a few off the top of my head
Nmap
Fport
Hping2
Cheops
Etherape <<--I really like this one, anybody know of any programs with the same look but more granular options?
SMAC
Snort, ACID
ngrep
netsed <<--really fun if you're the default gateway and somebody like, say, your sister is running AIM
That's what I've been playin' with lately, there are many more, a lot of them are on insecure.org's top 100. Hope this helps some.
-Jonesy
For my Win 2K server, I like
ShareWatch - a small program that monitors who's connected, what shares they're using, what files they're using, etc.
TCPView - a simple program that monitors all connections, applications connected, remote addresses, etc.
There are better descriptions on the links I provided (both are linked to webattack.com where I downloaded them from).
Hate to point this out, but a large number of these apps really don't apply to forensics. Now I understand hogfly wasn't specific in his original post, but it seems to me that this was posted in the Computer Forensics forum for a reason. Fport and Netport aren't really reliable, I don't see how many of these tools could be used for forensic analysis. Network monitors sure, provided they aren't run on the compromised machine.
I haven't done much forensics, but the little I've toyed with has been accomplished via linux and a hex editor (I was using xxd, which seems to be native to most linux distributions).
I was debating about posting this..but I figure it's best to..
chsh is right.
I was looking for forensics tools (I figured that since the post was in this forum, and I am the moderator of it, it would be clear), but since I consider forensics a broad topic I'd like to open it up to:
Incident Response tools
Forensic analysis tools
This is a list of tools that I've compiled for my incident response toolkit. This is for incident response only, and most of it should not be used for forensics work. If anyone wants the raw set of tools, just ask me, and we'll work out the transfer. It's roughly 70MB.
#Hogfly's Incident Response CD
#Last updated 8/11/04
#Contents
#Clean Versions Of:
arp.exe
cmd.exe
ipconfig.exe
nbtstat.exe
net.exe
net1.exe
netsh.exe
netstat.exe
nslookup.exe
ping.exe
ping6.exe
recover.exe
reg.exe
sc.exe
sort.exe
tracert.exe
tskill.exe
gdisk.exe #symantec ghost gdisk -similar to fdisk, but more powerful.
Other Utilities:
dd.exe #Windows port of *nix dd
findexe.exe #Finds executables without .exe extensions
filealyz.exe #Installer for FileAnalyzer, hex viewer for file contents and properties
listdlls.exe #list current dll's in use
Systemtools.exe #Sysinternals system tools installer
cryptcat.exe #Twofish encrypted netcat
bintext.exe #Search for strings in a file
filewatch.exe #file modification monitor
fport.exe #map PID to tcp/udp port
ntlast.exe #security log analyzer
showin.exe #show windows information, reveal passwords
patchit.exe #a binary file byte patching utility
visionsetup.exe #report all open tcp and udp connections and map them to an application or PID
Directories:
\Atstake
nc.exe #Good ole' netcat, if you can't find a use for it, then you shouldn't be using this cd.
nbtdump.exe #Dump netbios information from computers
rpcdump #Dumps sun rpc information same as running rpcinfo -p <host> from *nix
\Diamond_CS
apt.exe #Advanced Process termination
cmdline.exe #show processes at the command line with path to executable
httpget.exe #similar to wget
openports.exe #show open tcp/udp ports mapped to PID
passdump.exe #dump hidden passwords
pwreveal.exe #reveal applications passwords
regprot.exe #check registry for startup applications
rpadmin.exe #manage regprot
sendmail.exe #send mail from the command line
\Forensic_tools
\davory #forensic data recovery--trial version
davory.exe #data recovery
\forensic_aquisition #Tools by George Garner Jr. http://users.erols.com/gmgarner/forensics/
dd.exe #build 1033
md5lib.dll #md5 checksum implementation in a dll
md5sum.exe #md5sum utility
volume_dump.exe #dump volume information
wipe.exe #sterilizes media prior to duplication
zlibu.dll #zlib library
nc.exe #modified version of netcat
getopt.dll #posix getopt function in a dll
\FTK #Foundstone's forensic toolkit
afind.exe #list files without altering the timestamp
hfind.exe #scan for hidden files
sfind.exe #scan for hidden data streams
filestat.exe #dump file and security attributes
hunt.exe #null session attempts
daclchk.exe #NTFS DACL ACE order detector
audited.exe #NTFS SACL reporter
\winhex-e #windows hex editor
winhex.exe #Forensic hex editor
tct-1.15.tar #The Coroner's Toolkit--Linux
\foundstone
\galleta #Cookie examiner
galleta.exe #Examine IE cookies
\pasco #Internet Explorer examination
pasco.exe #Examine IE history (can get deleted files)
\rifiuti #Recycle bin examination
rifiuti.exe #Examine info2 file in the recycle bin
\lynx #command line browsing
cp.exe #copy files
lynx.exe #command line browser --when internet explorer can't be trusted
mv.exe #move files
sendmail.exe #send email from the command line
\scanning
sl.exe #command line port scanner
superscan4.exe #Super scan port scanner
\Spyware_removal
aawpersonal.exe #lavasoft's Adaware personal edition
Hijackthis.exe #Analyzer for possible spyware, trojans etc..
spybotsd13.exe #Spybot S&D
\Sysinternals
accessenum.exe #enumerate file,registry,directory access
adrestore.exe #restore deleted active directory objects
bginfo.exe #show computer information in the background
diskview.exe #graphical volume analyzer-cluster analysis
filemon.exe #real time file monitor
livekd.exe #Microsoft kernel debugging on a live system
loadord.exe #show load order for drivers and services
logonsessions.exe #show who is logged on and how
ntfsinfo.exe #NTFS Information gatherer
pagedfrg.exe #Page file defragger
portmon.exe #Port monitor
procexp.exe #process explorer
psexec.exe #execute a command remotely
psfile.exe #list remotely opened files
psgetsid.exe #get sid of computer or user
psinfo.exe #get process information
pskill.exe #kill processes
pslist.exe #list processes
psloggedon.exe #show logged on users
psloglist.exe #dump event logs
pspasswd.exe #change password
psservice.exe #show current services
psshutdown.exe #shut down computers
pssuspend.exe #suspend or resume processes
regmon.exe #realtime registry monitor
sdelete.exe #secure delete
\Trojan_removal
cleaner41.exe #30 day trial of moosoft's the cleaner
tauscan.exe #trial of Agnitum's tauscan
tds3setup.exe #trial of trojan defense suite
\Unxutils
\usr\local\wbin
Various unix utilities ported to windows.
-Very helpful!
I'll share my forensics toolkit once I compile a list of what I have. There will be overlaps with this list.
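The two recurring points in this thread are verified acquisition (dd plus md5sum, as in the \forensic_aquisition directory above) and looking at the raw sectors afterwards (SectorSpy, xxd, bintext). The script below is an added illustration of that workflow and is not code from any poster or any of the tools listed: it builds a small constructed disk image (not real evidence), copies it block by block the way dd does, hashes source and copy to prove the image is faithful, then dumps one sector xxd-style and pulls printable strings out of it the way bintext would, which is where the remnant left in slack space shows up. File names, the sector layout, and the sample contents are all assumptions made for the demo.

```python
import hashlib
import os
import re
import tempfile

SECTOR_SIZE = 512  # classic sector size, the unit dd and SectorSpy work in


def hash_file(path, algorithm="md5", chunk_size=1 << 20):
    """Stream a file through a hash the way md5sum does, so large images never sit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source, destination, block_size=SECTOR_SIZE):
    """Bit-for-bit copy of source to destination (the dd step).

    Returns (hash of source before the copy, hash of destination after it,
    whether the two match). A mismatch means the copy is not a faithful image
    and must not be used for analysis.
    """
    before = hash_file(source)
    with open(source, "rb") as src, open(destination, "wb") as dst:
        for block in iter(lambda: src.read(block_size), b""):
            dst.write(block)
    after = hash_file(destination)
    return before, after, before == after


def hexdump_sector(path, sector, sector_size=SECTOR_SIZE):
    """xxd-style dump of one sector: absolute offset, 16 hex bytes, printable ASCII."""
    with open(path, "rb") as f:
        f.seek(sector * sector_size)
        data = f.read(sector_size)
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hex_part = " ".join(f"{b:02x}" for b in chunk)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{sector * sector_size + off:08x}: {hex_part:<47}  {ascii_part}")
    return "\n".join(lines)


def extract_strings(data, min_len=4):
    """Runs of at least min_len printable ASCII bytes, the bintext/strings idea."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def build_sample_image(path):
    """Write a constructed 4-sector image (assumed layout, not real evidence)."""
    sector0 = bytearray(SECTOR_SIZE)
    sector0[:17] = b"CONSTRUCTED-IMAGE"
    sector0[-2:] = b"\x55\xaa"  # boot-sector signature bytes
    sector1 = bytearray(SECTOR_SIZE)
    sector1[:16] = b"hello forensics\n"  # the "live" file content
    sector1[256:270] = b"OLD SLACK DATA"  # remnant left behind in slack space
    with open(path, "wb") as f:
        f.write(sector0 + sector1 + bytes(SECTOR_SIZE * 2))


def run_demo():
    """Build the sample image, acquire and verify it, then inspect sector 1."""
    workdir = tempfile.mkdtemp(prefix="ir-demo-")
    source = os.path.join(workdir, "suspect.img")  # assumed name for the "drive"
    image = os.path.join(workdir, "suspect.dd")    # assumed name for the copy
    build_sample_image(source)
    before, after, verified = acquire_image(source, image)
    dump = hexdump_sector(image, 1)
    with open(image, "rb") as f:
        f.seek(SECTOR_SIZE)
        found = extract_strings(f.read(SECTOR_SIZE))
    return {"before": before, "after": after, "verified": verified,
            "dump": dump, "strings": found}


if __name__ == "__main__":
    result = run_demo()
    print("source md5:", result["before"])
    print("image  md5:", result["after"], "(verified)" if result["verified"] else "(MISMATCH)")
    print(result["dump"])
    print("strings:", result["strings"])
```

Note that every read here is against the copy, never the original: once the hashes match, the source media is not touched again, which is the same reason the posters above recommend a hardware write blocker for the mirroring step.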
Hogfly, thats quite a list.
I'm not involved in forensics but I have done a little data recovery. Anyway this is what I have used with some success:
Knoppix STD.
Norton Undelete.
Encase ver3
Other Tools
TDS3 Licensed (comes with netstat, ping, tracert, whois, lanscan and lots more)
Spybot
Adaware
Ps Tools
Most of Symantec's Worm Removal Tools
Blaster/sasser patch from MS
A few vbs scripts. Get ip, bios info, installed software, etc (from technet script repository)
Nmap