Security Basics mailing list archives

RE: tools used to examine a computer


From: "Trevor Cushen" <Trevor.Cushen () sysnet ie>
Date: Tue, 18 Feb 2003 11:42:45 -0000

I would back up the use of Encase and TASK toolkits. @stake have some
good stuff too (www.atstake.com, look for the latest tool download). Also
BackByte is an excellent tool.  Well, it works for me :)

Also on the point of copying files over the network first, correct me if
I'm wrong, but that damages the chain of evidence.  Have a look at the
link below; it goes about it in a bit of a long-winded way but essentially shows how to
clone a hard drive over a network connection.  This can be done with
Windows machines, as DD and Netcat can be run from floppy on a Windows
machine.  Never install anything on a disk that is being investigated as
part of that investigation; run it from floppy.  Then analyse the clone.
I have the details of cloning a Windows machine with DD and Netcat if
you need them, I just can't find the link at the moment.

http://www.rajeevnet.com/hacks_hints/os_clone/os_cloning.html


Hope this helps

By the way don't forget to note your MD5 signature before working on
clones.

Trevor Cushen
Sysnet Ltd

www.sysnet.ie
Tel: +353 1 2983000
Fax: +353 1 2960499
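The dd-based imaging and MD5 step described above, as an added example that is not from the list post or any of the tools it names. It images a constructed stand-in file rather than a real device, hashes the byte stream as it is written, and re-verifies the stored image; the netcat commands in the comments are the over-the-network variant with the traditional `nc -l -p` syntax assumed.

```shell
#!/bin/sh
# Added example (not from the list post): image a drive with dd, hash the
# stream as it is written, and verify the stored copy before analysis.
# SRC below is a constructed stand-in for a device such as /dev/sda; the
# netcat commands in comments are the over-the-network variant.
#
# Network variant (traditional netcat syntax assumed):
#   collector:       nc -l -p 9000 | tee disk.dd | md5sum
#   suspect machine: dd if=/dev/sda bs=4096 conv=noerror,sync | nc COLLECTOR 9000

# Hash the original media once, before anything is written anywhere.
hash_source() {
    md5sum "$1" | cut -d' ' -f1
}

# Image SRC to DST. tee feeds the same bytes to the image file and to
# md5sum, so the printed hash describes exactly what landed in DST.
# Note: conv=noerror,sync pads a short last block with zeros, so on a
# source that is not a multiple of bs the image hash will differ from
# the source hash; record both, they describe different byte streams.
acquire_image() {
    src="$1"; dst="$2"
    dd if="$src" bs=4096 conv=noerror,sync 2>/dev/null \
        | tee "$dst" | md5sum | cut -d' ' -f1
}

# Re-hash the stored image and compare with the recorded acquisition
# hash. Exit status 0 on match, 1 on any difference.
verify_image() {
    actual=$(md5sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Stand-alone demo on a constructed 64 KiB "disk" (exact multiple of bs).
demo() {
    tmp=$(mktemp -d)
    src="$tmp/constructed_disk.bin"; img="$tmp/disk.dd"
    dd if=/dev/zero of="$src" bs=4096 count=16 2>/dev/null
    printf 'SAMPLE EVIDENCE' | dd of="$src" bs=1 seek=512 conv=notrunc 2>/dev/null
    before=$(hash_source "$src")
    echo "source md5 : $before"
    got=$(acquire_image "$src" "$img")
    echo "image  md5 : $got"
    verify_image "$img" "$got" && echo "image verified" || echo "MISMATCH"
    rm -rf "$tmp"
}
demo
```

On a real acquisition, write the source hash and the image hash to your notes before any analysis tool touches the image, and re-run `verify_image` on the working copy afterwards to show nothing changed.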



-----Original Message-----
From: H C [mailto:keydet89 () yahoo com] 
Sent: 17 February 2003 13:18
To: security-basics () securityfocus com
Subject: re: tools used to examine a computer


Joshua,

I was able to copy some files over the network before I
took the computer into custody. What tools are out there
that can really be helpful in monitoring/forensics.

It really depends on what you want to do.  As far as
forensics goes, there have been some good
recommendations from EnCase and commercial tools to
freeware such as TCT, Autopsy, and TASK.  

If the system you're working with is Windows
(NT/2K/XP), there are plenty of things you can do. 
You can collect a great deal of volatile information
from the system (processes, ports, process-to-port
mappings, etc) with a wide variety of freeware tools. 
Grabbing that information and analyzing it can tell
you what, if anything, is wrong with the system. 
Pslist, handle, and listdlls from SysInternals, fport
from Foundstone and the native netstat can be used,
and then procdmp.pl from http://patriot.net/~carvdawg
can be used to consolidate the process information out
into an HTML file (example output file
http://patriot.net/~carvdawg/pd.html).

HTH




