RE: Forensics CD (was: Re: Strange Folder

From: Brian Taylor (btaylorat_private)
Date: Tue Oct 08 2002 - 05:34:56 PDT


    I like some of the tools you have listed. Here is a batch file that I run
    when I think there is a potential compromise or threat:
    
    rem record the start of the collection
    time /t
    date /t
    rem open ports with owning process, socket table, NetBIOS name cache
    fport
    netstat -an
    nbtstat -c
    rem running processes, loaded DLLs, logged-on users
    pslist
    listdlls
    psloggedon
    rem record the end of the collection
    time /t
    date /t
    rem command history of this session, for the record
    doskey /history
    exit
    
    One important thing here is that I run this from a floppy that has a known
    good cmd.exe since I could never trust a cmd.exe
    on a compromised system. Additionally I write the resultant output file to
    the floppy so that the file system on the hard drive does not change and
    therefore contaminate your evidence. Obviously you can see that I work in a
    Windows environment.
    I hope this was helpful.
    
    
    
    
    -----Original Message-----
    From: Neil Dickey [mailto:neilat_private]
    Sent: Monday, October 07, 2002 11:08 AM
    To: meritt_jamesat_private; incidentsat_private
    Subject: Re: Forensics CD (was: Re: Strange Folder
    
    
    
    "Meritt James" <meritt_jamesat_private> wrote in response to me:
    
    [ ... Kit of tools on a CD-ROM ... ]
    
    >REAL good suggestion!  Any specific recommendations as to what should be
    >on the CD?
    
    Thanks!  I think I picked up the idea from someone on this list, as a
    matter of fact.  I wish I could remember who.
    
    Here's what I have on mine at the moment:
    
    bintext.exe	(http://www.foundstone.com)  Reads ASCII, unicode, and
    		resource strings in a binary.  The equivalent of 'strings'
    		in unix.
    		
    fport.exe	(http://www.foundstone.com)  Reports open ports, PID of
    		the process listening on them, and the path to the 
    		program.
    		
    handle.exe	(http://www.sysinternals.com)  Reports what files are open
    		by what processes.
    		
    listdlls.exe	(http://www.sysinternals.com)  Lists the DLLs that are open,
    		the path to the DLL, and the version number.
    		
    netstat.exe	A copy of netstat from the W2K operating system.
    
    netstat95.exe	Another copy of netstat from the W95 operating system.
    
    patchit.exe	(http://www.foundstone.com)  Binary file byte-patching
    		program.
    		
    procexp.exe	(http://www.sysinternals.com)  Shows what files, registry
    		keys, and other objects processes have open, along with
    		process ownership.
    
    regmon.exe	(http://www.sysinternals.com)  Monitors registry activity
    		in real time.
    
    showin.exe	(http://www.foundstone.com)  Shows information about hidden
    		or disabled windows that exist on the desktop.  ( I had
    		no idea .... )
    		
    tcpview.exe	(http://www.sysinternals.com)  Shows all TCP and UDP end-
    		points.  On WinNT and above it shows what process owns the
    		endpoint.
    
    I've borrowed much of the wording in these descriptions from the respective
    websites, but I don't think they'll mind since I'm bragging about their
    stuff.  It's all free, by the way, and I'm just a satisfied user.  ;-)
    
    There's a lot more than this available, but some of it is OS-specific and
    may not be useful to you.  Personally, I'd put just about anything on my
    forensics CD that I thought might ever be useful to me.  One word of advice,
    though:  Most of us probably don't do forensics as our day job, and some
    time may pass between making the disk and using it.  I therefore set up
    a convenient 'bin' directory with all the executables on mine, and put all
    the raw stuff, readmes, etc., in separate directories named for each
    utility.  That way remembering what each one is good for and where I got
    it isn't so difficult.
    
    Best regards,
    
    Neil Dickey, Ph.D.
    Research Associate/Sysop
    Geology Department
    Northern Illinois University
    DeKalb, Illinois
    60115
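    A collection wrapper that combines the two rules from Brian's reply above
    (a known-good cmd.exe, output written only to the removable media) with the
    'bin' directory layout Neil describes. This is an added example, not code
    from either post. It assumes the toolkit sits in \bin on the same floppy or
    CD as the script, that output goes to \evidence on that same volume, and
    that it is launched as A:\bin\cmd.exe /c A:\collect.bat so the shell itself
    is the trusted copy; the tool names are the ones listed in the thread.

```batch
@echo off
rem Added example, not the original poster's batch file (see lead-in).
setlocal
set TOOLS=%~d0\bin
set OUTDIR=%~d0\evidence
set LOG=%OUTDIR%\%COMPUTERNAME%_volatile.txt
rem Refuse to run from the suspect's system drive: everything below is
rem written to the volume this script lives on, which must be the media.
if /i "%~d0"=="%SystemDrive%" (
  echo Run this from the floppy/CD, not from %SystemDrive% 1>&2
  exit /b 1
)
rem Discard the suspect system's PATH for this session: only the toolkit
rem directory on the removable media is searched for executables.
set PATH=%TOOLS%
if not exist "%OUTDIR%" mkdir "%OUTDIR%"
echo === Volatile data collection on %COMPUTERNAME% === > "%LOG%"
call :stamp
call :run fport.exe
call :run netstat.exe -an
call :run nbtstat.exe -c
call :run pslist.exe
call :run listdlls.exe
call :run psloggedon.exe
call :stamp
endlocal
goto :eof
:stamp
rem Timestamps bracket the run so the record shows when values were taken.
echo --- %DATE% %TIME% --- >> "%LOG%"
goto :eof
:run
rem Run one tool by its full path on the removable media (a copy planted
rem elsewhere on the system is never picked up) and log its exit code.
set EXE=%~1
set ARGS=
:argloop
shift
if "%~1"=="" goto runit
set ARGS=%ARGS% %~1
goto argloop
:runit
echo ### %EXE%%ARGS% >> "%LOG%"
if not exist "%TOOLS%\%EXE%" (
  echo [missing tool: %EXE%] >> "%LOG%"
  goto :eof
)
"%TOOLS%\%EXE%"%ARGS% >> "%LOG%" 2>&1
echo [exit code %ERRORLEVEL%] >> "%LOG%"
goto :eof
```

    The tools still execute on the suspect machine's kernel and load its
    system DLLs, so a kernel-level rootkit can still feed them false answers;
    the wrapper only removes the risk of running a trojaned binary or shell
    from the suspect's own PATH.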
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Tue Oct 08 2002 - 20:15:13 PDT