Here's a list with some of the things I carry around. Hope it's of some use!

Cheers,
Rod

PsExec - execute processes remotely
PsFile - shows files opened remotely
PsGetSid - display the SID of a computer or user
PsKill - kill processes by name or process ID
PsInfo - list information about a system
PsList - list detailed information about processes
PsLoggedOn - see who's logged on locally and via resource sharing
PsLogList - dump event log records
PsService - view and control services
PsShutdown - shuts down and optionally reboots a computer
PsSuspend - suspends processes
PsUptime - shows you how long a system has been running since its last reboot (PsUptime's functionality has been incorporated into PsInfo)
ListDLLs - shows DLLs loaded
procexp - shows information about which handles and DLLs processes have opened or loaded
procexp - as above, but account must have "load driver" and "debug privileges"
HandleEx - shows information about which handles and DLLs processes have opened or loaded
frhed - hex editor
filemon - monitors and displays file system activity on a system in real time
fport - reports all open TCP/IP and UDP ports and maps them to the owning application
cmd - the command prompt for Windows NT and Windows 2000
netstat - enumerates all listening ports and all current connections to those ports
nbtstat - lists recent NetBIOS connections for approximately the last 10 minutes
arp - shows the MAC addresses of systems that the target system has been recently communicating with
doskey - displays the command history for an open CMD.EXE shell
netcat - a utility which reads and writes data across a network connection
cryptcat - a utility which reads and writes encrypted data across a network connection
pwdump2 - an application which dumps the password hashes from NT's SAM database and Active Directory
ntlast - security log analyzer
afind - lists files by last access times and allows searches for access times between time frames
sfind - scans the disk for hidden data streams and lists the last access times
hfind - scans the disk for hidden files and lists the last access times
filestat - a quick dump of all file and security attributes (works only on one file at a time)
hunt - a quick way to see if a server reveals too much info via NULL sessions

--
Rod Morris
KPMG Forensic Technology
tel +31 (0) 20 656 8884
mob +31 (0) 6 5207 8815
fax +31 (0) 20 656 7790
e-mail Morris.Rodat_private
X.400 c=NL;a=CONCERT;p=KPMG;s=morris;g=rod

> -----Original Message-----
> From: Meritt James [mailto:meritt_jamesat_private]
> Sent: Monday 7 October 2002 15:12
> To: Neil Dickey
> Cc: incidentsat_private; rootman22at_private
> Subject: Forensics CD (was: Re: Strange Folder
>
>
> REAL good suggestion! Any specific recommendations as to
> what should be
> on the CD?
>
> Jim
>
> Neil Dickey wrote:
> >
> > It's a good idea to have a kit of such tools on a read-only
> > CD in advance of an incident like this, so that you have
> > tools you know you can trust -- that haven't been trojanned
> > -- ready to use. It's rather like the instructions in a
> > snake-bite kit. You want to be familiar with them *before*
> > Mr. Snake has his way with you.
>
> --
> James W. Meritt CISSP, CISA
> Booz | Allen | Hamilton
> phone: (410) 684-6566
>

**********************************************************************
Any information transmitted by means of this e-mail (and any of its attachments) is intended exclusively for the addressee or addressees and for those authorized by the addressee or addressees to read this message. Any use by a party other than the addressee or addressees is prohibited. The information contained in this e-mail (or any of its attachments) may be confidential in nature and fall under a duty of non-disclosure and the attorney-client privilege.
**********************************************************************

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Oct 10 2002 - 08:27:06 PDT