Re: Forensics CD (was: Re: Strange Folder

From: sunzi (sunzi@mod-x.co.uk)
Date: Wed Oct 09 2002 - 04:36:18 PDT


    You can find a self-extracting exe meant for floppy, based on Carv's
    articles on SecurityFocus here:
    http://isso.red-division.org/projects/Win32_Analyzer/
    
    sunzi
    ----- Original Message -----
    From: "Brian Taylor" <btaylorat_private>
    To: "'Neil Dickey'" <neilat_private>; <meritt_jamesat_private>;
    <incidentsat_private>
    Sent: Tuesday, October 08, 2002 8:34 AM
    Subject: RE: Forensics CD (was: Re: Strange Folder
    
    
    > I like some of the tools you have listed. Here is a batch file that I run
    > when I think there is a potential compromise or threat:
    >
    > time /t
    > date /t
    > fport
    > netstat -an
    > nbtstat -c
    > pslist
    > listdlls
    > psloggedon
    > time /t
    > date /t
    > doskey /history
    > exit
    >
    > One important thing here is that I run this from a floppy that has a known
    > good cmd.exe since I could never trust a cmd.exe
    > on a compromised system. Additionally I write the resultant output file to
    > the floppy so that the file system on the hard drive does not change and
    > therefore contaminate your evidence. Obviously you can see that I work in a
    > windows environment,
    > I hope this was helpful.
    >
    >
    >
    >
    > -----Original Message-----
    > From: Neil Dickey [mailto:neilat_private]
    > Sent: Monday, October 07, 2002 11:08 AM
    > To: meritt_jamesat_private; incidentsat_private
    > Subject: Re: Forensics CD (was: Re: Strange Folder
    >
    >
    >
    > "Meritt James" <meritt_jamesat_private> wrote in response to me:
    >
    > [ ... Kit of tools on a CD-ROM ... ]
    >
    > >REAL good suggestion!  Any specific recommendations as to what should be
    > >on the CD?
    >
    > Thanks!  I think I picked up the idea from someone on this list, as a
    > matter of fact.  I wish I could remember who.
    >
    > Here's what I have on mine at the moment:
    >
    > bintext.exe (http://www.foundstone.com)  Reads ASCII, unicode, and
    > resource strings in a binary.  The equivalent of 'strings'
    > in unix.
    >
    > fport.exe (http://www.foundstone.com)  Reports open ports, PID of
    > the process listening on them, and the path to the
    > program.
    >
    > handle.exe (http://www.sysinternals.com)  Reports what files are open
    > by what processes.
    >
    > listdlls.exe (http://www.sysinternals.com)  List the DLLs that are open,
    > the path to the DLL, and the version number.
    >
    > netstat.exe A copy of netstat from the W2K operating system.
    >
    > netstat95.exe Another copy of netstat from the W95 operating system.
    >
    > patchit.exe (http://www.foundstone.com)  Binary file byte-patching
    > program.
    >
    > procexp.exe (http://www.sysinternals.com)  Shows what files, registry
    > keys, and other objects processes have open, along with
    > process ownership.
    >
    > regmon.exe (http://www.sysinternals.com)  Monitors registry activity
    > in real time.
    >
    > showin.exe (http://www.foundstone.com)  Shows information about hidden
    > or disabled windows that exist on the desktop.  ( I had
    > no idea .... )
    >
    > tcpview.exe (http://www.sysinternals.com)  Shows all TCP and UDP end-
    > points.  On WinNT and above it shows what process owns the
    > endpoint.
    >
    > I've borrowed much of the wording in these descriptions from the respective
    > websites, but I don't think they'll mind since I'm bragging about their
    > stuff.  It's all free, by the way, and I'm just a satisfied user.  ;-)
    >
    > There's a lot more than this available, but some of it is OS-specific and
    > may not be useful to you.  Personally, I'd put just about anything on my
    > forensics CD that I thought might ever be useful to me.  One word of advice,
    > though:  Most of us probably don't do forensics as our day job, and some
    > time may pass between making the disk and using it.  I therefore set up
    > a convenient 'bin' directory with all the executables on mine, and put all
    > the raw stuff, readmes, etc., in separate directories named for each
    > utility.
    > That way remembering what each one is good for and where I got it isn't so
    > difficult.
    >
    > Best regards,
    >
    > Neil Dickey, Ph.D.
    > Research Associate/Sysop
    > Geology Department
    > Northern Illinois University
    > DeKalb, Illinois
    > 60115
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
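The collection batch file Brian Taylor describes in the thread, written out as an added example (this is not his script or any tool's own code) with the two points he makes about it made explicit: only trusted binaries from the floppy are executed, and all output lands on the floppy rather than the suspect hard drive. It assumes the floppy is drive A:, that known-good copies of cmd.exe, fport.exe, pslist.exe, listdlls.exe, psloggedon.exe, netstat.exe, nbtstat.exe and doskey.exe have been copied to A:\bin, that A:\out exists, and that the system is NT-family so %COMPUTERNAME% is set.

```batch
@echo off
rem Added example, not Brian Taylor's own script. Assumed layout: trusted
rem tools in A:\bin, output directory A:\out. Start it from the trusted shell
rem on the floppy, e.g.  A:\bin\cmd.exe /c A:\collect.bat
rem so that cmd.exe itself is not the copy on the compromised system.

rem Replace PATH entirely: nothing under the suspect %SystemRoot% gets run,
rem so every tool below must have been copied to A:\bin beforehand.
set PATH=A:\bin

rem One output file per machine, on the floppy, so the hard drive's file
rem system (timestamps, free space, MFT) is not touched by the collection.
set OUT=A:\out\%COMPUTERNAME%.txt

rem Everything in the parenthesised block, including error output, is
rem appended to the floppy file in one redirection.
(
  echo ===== collection start =====
  date /t
  time /t
  echo ===== listening ports, owning PIDs and program paths =====
  fport
  echo ===== all TCP/UDP endpoints =====
  netstat -an
  echo ===== NetBIOS name cache =====
  nbtstat -c
  echo ===== running processes =====
  pslist
  echo ===== loaded DLLs per process =====
  listdlls
  echo ===== logged-on users =====
  psloggedon
  echo ===== command history of this shell session =====
  doskey /history
  echo ===== collection end =====
  date /t
  time /t
) >> "%OUT%" 2>&1
```

The start and end timestamps bracket the window in which the volatile data was captured, which matters if the output is later compared with logs from other systems.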
    



    This archive was generated by hypermail 2b30 : Wed Oct 09 2002 - 15:27:01 PDT