Re: Forensics CD (was: Re: Strange Folder

• Previous message: woofzat_private: "Re: W2K Compromise - PipeCmdSrv"
• Maybe in reply to: Meritt James: "Forensics CD (was: Re: Strange Folder"
• Next in thread: Nick FitzGerald: "Re: Forensics CD (was: Re: Strange Folder"
• Next in thread: P.P. Lodder: "Re: Strange Folder"
• Reply: Nick FitzGerald: "Re: Forensics CD (was: Re: Strange Folder"
• Reply: robjehat_private: "Re: Forensics CD (was: Re: Strange Folder"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

"Meritt James" <meritt_jamesat_private> wrote in response to me:

[ ... Kit of tools on a CD-ROM ... ]

>REAL good suggestion!  Any specific recommendations as to what should be
>on the CD?

Thanks!  I think I picked up the idea from someone on this list, as a
matter of fact.  I wish I could remember who.

Here's what I have on mine at the moment:

bintext.exe	(http://www.foundstone.com)  Reads ASCII, unicode, and
		resource strings in a binary.  The equivalent of 'strings'
		in unix.
		
fport.exe	(http://www.foundstone.com)  Reports open ports, PID of
		the process listening on them, and the path to the 
		program.
		
handle.exe	(http://www.sysinternals.com)  Reports what files are open
		by what processes.
		
listdlls.exe	(http://www.sysinternals.com)  List the DLLs that are open,
		the path to the DLL, and the version number.
		
netstat.exe	A copy of netstat from the W2K operating system.

netstat95.exe	Another copy of netstat from the W95 operating system.

patchit.exe	(http://www.foundstone.com)  Binary file byte-patching
		program.
		
procexp.exe	(http://www.sysinternals.com)  Shows what files, registry
		keys, and other objects processes have open, along with
		process ownership.

regmon.exe	(http://www.sysinternals.com)  Monitors registry activity
		in real time.

showin.exe	(http://www.foundstone.com)  Shows information about hidden
		or disabled windows that exist on the desktop.  ( I had
		no idea .... )
		
tcpview.exe	(http://www.sysinternals.com)  Shows all TCP and UDP end-
		points.  On WinNT and above it shows what process owns the
		endpoint.

I've borrowed much of the wording in these descriptions from the respective
websites, but I don't think they'll mind since I'm bragging about their
stuff.  It's all free, by the way, and I'm just a satisfied user.  ;-)

There's a lot more than this available, but some of it is OS-specific and
may not be useful to you.  Personally, I'd put just about anything on my
forensics CD that I thought might ever be useful to me.  One word of advice,
though:  Most of us probably don't do forensics as our day job, and some
time may pass between making the disk and using it.  I therefore set up
a convenient 'bin' directory with all the executables on mine, and put all
the raw stuff, readmes, etc., in separate directories named for each utility.
That way remembering what each one is good for and where I got it isn't so
difficult.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

• Next message: SB CH: "Why can I see other traffic at switch environment just tcpdump?"
• Previous message: woofzat_private: "Re: W2K Compromise - PipeCmdSrv"
• Maybe in reply to: Meritt James: "Forensics CD (was: Re: Strange Folder"
• Next in thread: Nick FitzGerald: "Re: Forensics CD (was: Re: Strange Folder"
• Next in thread: P.P. Lodder: "Re: Strange Folder"
• Reply: Nick FitzGerald: "Re: Forensics CD (was: Re: Strange Folder"
• Reply: robjehat_private: "Re: Forensics CD (was: Re: Strange Folder"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Oct 07 2002 - 18:49:04 PDT