Security Incidents mailing list archives
Re: Forensics CD (was: Re: Strange Folder
From: Neil Dickey <neil () geol niu edu>
Date: Mon, 7 Oct 2002 10:07:37 -0500 (CDT)
"Meritt James" <meritt_james () bah com> wrote in response to me: [ ... Kit of tools on a CD-ROM ... ]
REAL good suggestion! Any specific recommendations as to what should be on the CD?
Thanks! I think I picked up the idea from someone on this list, as a matter of fact. I wish I could remember who. Here's what I have on mine at the moment: bintext.exe (http://www.foundstone.com) Reads ASCII, unicode, and resource strings in a binary. The equivalent of 'strings' in unix. fport.exe (http://www.foundstone.com) Reports open ports, PID of the process listening on them, and the path to the program. handle.exe (http://www.sysinternals.com) Reports what files are open by what processes. listdlls.exe (http://www.sysinternals.com) List the DLLs that are open, the path to the DLL, and the version number. netstat.exe A copy of netstat from the W2K operating system. netstat95.exe Another copy of netstat from the W95 operating system. patchit.exe (http://www.foundstone.com) Binary file byte-patching program. procexp.exe (http://www.sysinternals.com) Shows what files, registry keys, and other objects processes have open, along with process ownership. regmon.exe (http://www.sysinternals.com) Monitors registry activity in real time. showin.exe (http://www.foundstone.com) Shows information about hidden or disabled windows that exist on the desktop. ( I had no idea .... ) tcpview.exe (http://www.sysinternals.com) Shows all TCP and UDP end- points. On WinNT and above it shows what process owns the endpoint. I've borrowed much of the wording in these descriptions from the respective websites, but I don't think they'll mind since I'm bragging about their stuff. It's all free, by the way, and I'm just a satisfied user. ;-) There's a lot more than this available, but some of it is OS-specific and may not be useful to you. Personally, I'd put just about anything on my forensics CD that I thought might ever be useful to me. One word of advice, though: Most of us probably don't do forensics as our day job, and some time may pass between making the disk and using it. I therefore set up a convenient 'bin' directory with all the executables on mine, and put all the raw stuff, readmes, etc., in separate directories named for each utility. That way remembering what each one is good for and where I got it isn't so difficult. Best regards, Neil Dickey, Ph.D. Research Associate/Sysop Geology Department Northern Illinois University DeKalb, Illinois 60115 ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Re: Forensics CD (was: Re: Strange Folder Neil Dickey (Oct 07)
- Re: Forensics CD (was: Re: Strange Folder Nick FitzGerald (Oct 08)
- Re: Forensics CD (was: Re: Strange Folder robjeh (Oct 08)
- <Possible follow-ups>
- RE: Forensics CD (was: Re: Strange Folder Brian Taylor (Oct 08)
- Re: Forensics CD (was: Re: Strange Folder sunzi (Oct 09)
- Re: Forensics CD (was: Re: Strange Folder Neil Dickey (Oct 09)
- RE: Forensics CD (was: Re: Strange Folder Morris, Rod (Oct 10)
- RE: Forensics CD (was: Re: Strange Folder Jonathan Watts (Oct 11)