Security Basics mailing list archives
RE: tools used to examine a computer
From: "Trevor Cushen" <Trevor.Cushen () sysnet ie>
Date: Tue, 18 Feb 2003 11:42:45 -0000
I would back up the use of Encase and TASK toolkits. @stake have some good stuff too (www.atstake.com, look for latest tool download). Also BackByte is an excellent tool. Well, it works for me :)

Also on the point of copying files over the network first, correct me if I'm wrong but that damages the chain of evidence. Have a look at the link below; it goes about it a bit long-winded but essentially shows how to clone a hard drive over a network connection. This can be done with Windows machines as DD and Netcat can be run from floppy on a Windows machine. Never install anything on a disk that is being investigated as part of that investigation; run it from floppy. Then analyse the clone. I have the details of cloning a Windows machine with DD and Netcat if you need them, just can't find the link at the moment.

http://www.rajeevnet.com/hacks_hints/os_clone/os_cloning.html

Hope this helps.

By the way, don't forget to note your MD5 signature before working on clones.

Trevor Cushen
Sysnet Ltd
www.sysnet.ie
Tel: +353 1 2983000
Fax: +353 1 2960499

-----Original Message-----
From: H C [mailto:keydet89 () yahoo com]
Sent: 17 February 2003 13:18
To: security-basics () securityfocus com
Subject: re: tools used to examine a computer

Joshua,
I was able to copy some files over the network before I took the computer into custody. What tools are out there that can really be helpful in monitoring/forensics.
It really depends on what you want to do. As far as forensics goes, there have been some good recommendations from EnCase and commercial tools to freeware such as TCT, Autopsy, and TASK.

If the system you're working with is Windows (NT/2K/XP), there are plenty of things you can do. You can collect a great deal of volatile information from the system (processes, ports, process-to-port mappings, etc) with a wide variety of freeware tools. Grabbing that information and analyzing it can tell you what, if anything, is wrong with the system. Pslist, handle, and listdlls from SysInternals, fport from Foundstone and the native netstat can be used, and then procdmp.pl from http://patriot.net/~carvdawg can be used to consolidate the process information out into an HTML file (example output file http://patriot.net/~carvdawg/pd.html).

HTH
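The dd-and-netcat cloning plus "note your MD5 signature first" workflow from Trevor's reply, as an added example that is not part of the original posts or of any of the tools named. It images a source with dd, records the MD5 of the evidence before the clone is touched, and verifies the clone against it; the dd|nc network variant is shown in a comment only. The device path, port number and analysis-host address are placeholders, and the demo runs on a constructed 64 KiB file rather than a real drive.

```shell
#!/bin/sh
# Added example (not code from the original posts or from any tool they name).
# Local imaging with dd plus an MD5 check of source against clone. Device
# paths, the port and the analysis host address are placeholders.
set -eu

# Hex MD5 digest of a file or block device, nothing else on the line.
md5_of() {
    md5sum "$1" | cut -d' ' -f1
}

# Raw copy of SRC ($1) to the image file DST ($2). conv=noerror,sync keeps
# reading past bad sectors and zero-pads them so later offsets still line
# up; bs=512 matches the sector size so the final block is never padded and
# the source and image hashes can be compared directly.
image_local() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# Network variant as described in the post (shown only, not run here;
# netcat flag syntax differs between builds):
#   analysis host, listening and writing the raw image to disk:
#       nc -l -p 9000 > suspect.dd                 # 9000 is a placeholder port
#   suspect host, booted from clean media, pushing the drive:
#       dd if=/dev/hda bs=512 conv=noerror,sync | nc ANALYSIS_IP 9000
# Afterwards the same verify_image check is run on the analysis host against
# a digest of the original drive taken from the clean boot.

# Print both digests; succeed only when the clone matches the source.
verify_image() {
    src_hash=$(md5_of "$1")
    img_hash=$(md5_of "$2")
    printf 'source %s\nimage  %s\n' "$src_hash" "$img_hash"
    [ "$src_hash" = "$img_hash" ]
}

# Demo on a constructed 64 KiB file standing in for a drive, so it runs
# without real hardware or root.
demo() {
    work=$(mktemp -d)
    head -c 65536 /dev/urandom > "$work/suspect_disk.bin"
    # Record the signature of the evidence before any clone is worked on.
    md5_of "$work/suspect_disk.bin" > "$work/suspect_disk.md5"
    image_local "$work/suspect_disk.bin" "$work/suspect.dd"
    verify_image "$work/suspect_disk.bin" "$work/suspect.dd"
    rm -rf "$work"
}

demo
```

verify_image exits non-zero on a mismatch, so a wrapper script running under `set -e` stops before any analysis starts on a clone that does not match the recorded signature.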
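The process-to-port consolidation H C describes (netstat plus a process list, written out as an HTML table), as an added example that is not the original posts' code and not procdmp.pl. Both inputs are constructed samples shaped like `netstat -ano` and a trimmed pslist listing; the join runs in awk, and a port whose owning PID is missing from the process list is flagged as UNKNOWN, the kind of discrepancy between two tools' snapshots that is worth chasing.

```shell
#!/bin/sh
# Added example (not code from the original posts or from procdmp.pl).
# Joins netstat-style sockets with a pslist-style process table and emits
# the mapping as an HTML table. Both inputs are constructed samples.
set -eu

# Constructed sample in the shape of `netstat -ano` output (Windows XP).
NETSTAT_SAMPLE='  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1067      10.0.0.5:6667          ESTABLISHED     1588
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       2044
  UDP    0.0.0.0:137            *:*                                    4'

# Constructed sample in the shape of a trimmed pslist listing (name, pid).
PSLIST_SAMPLE='Name Pid
System 4
svchost 812
explorer 1320
svchost 1588'

# One line per socket: PROTO LOCAL PID NAME. $1 is the netstat text, $2 the
# process list. A PID with no entry in the process list prints as UNKNOWN.
map_ports_to_processes() {
    pf=$(mktemp); nf=$(mktemp)
    printf '%s\n' "$1" > "$nf"
    printf '%s\n' "$2" > "$pf"
    awk '
        FNR == NR { if (FNR > 1) name[$2] = $1; next }   # first file: pslist
        $1 == "TCP" || $1 == "UDP" {
            pid = $NF
            owner = "UNKNOWN"
            if (pid in name) owner = name[pid]
            printf "%s %s %s %s\n", $1, $2, pid, owner
        }' "$pf" "$nf"
    rm -f "$pf" "$nf"
}

# Wrap the mapping (read on stdin) in a minimal HTML table, the
# consolidated-report idea from the post.
to_html() {
    awk 'BEGIN { print "<table><tr><th>Proto</th><th>Local</th><th>PID</th><th>Process</th></tr>" }
         { printf "<tr><td>%s</td><td>%s</td><td>%s</td><td>%s</td></tr>\n", $1, $2, $3, $4 }
         END { print "</table>" }'
}

map_ports_to_processes "$NETSTAT_SAMPLE" "$PSLIST_SAMPLE" | to_html
```

On a live system the two inputs would be saved output from netstat and pslist run from trusted media, and the UNKNOWN rows are the first thing to look at, since a listening port with no visible owner usually means the process list and socket table disagree.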
Current thread:
- tools used to examine a computer Hopkins, Joshua (Feb 14)
- Re: tools used to examine a computer Chuck Swiger (Feb 14)
- Re: tools used to examine a computer Ivan Hernandez (Feb 18)
- Re: tools used to examine a computer planz (Feb 19)
- <Possible follow-ups>
- RE: tools used to examine a computer Michael Parker (Feb 14)
- RE: tools used to examine a computer Mitchell, Edmund (Feb 14)
- RE: tools used to examine a computer Nickels, Walter P (Nick), SOLCM (Feb 14)
- re: tools used to examine a computer H C (Feb 17)
- RE: tools used to examine a computer Trevor Cushen (Feb 18)
- RE: tools used to examine a computer H C (Feb 19)
- RE: tools used to examine a computer Trevor Cushen (Feb 18)
- RE: tools used to examine a computer Trevor Cushen (Feb 19)
- Checkpoint NG - SMTP Guard Features McKenzie Family (Feb 20)
- Re: Checkpoint NG - SMTP Guard Features Steve Suehring (Feb 20)
- Message not available
- Re: Checkpoint NG - SMTP Guard Features Mel (Feb 20)
- Checkpoint NG - SMTP Guard Features McKenzie Family (Feb 20)
- RE: tools used to examine a computer Trevor Cushen (Feb 20)
- RE: tools used to examine a computer H C (Feb 20)
- RE: tools used to examine a computer Robinson, Sonja (Feb 20)
- RE: tools used to examine a computer Trevor Cushen (Feb 20)