Security Incidents mailing list archives

Re: Forensics CD (was: Re: Strange Folder


From: Neil Dickey <neil () geol niu edu>
Date: Mon, 7 Oct 2002 10:07:37 -0500 (CDT)


"Meritt James" <meritt_james () bah com> wrote in response to me:

> [ ... Kit of tools on a CD-ROM ... ]
>
> REAL good suggestion!  Any specific recommendations as to what should be
> on the CD?

Thanks!  I think I picked up the idea from someone on this list, as a
matter of fact.  I wish I could remember who.

Here's what I have on mine at the moment:

bintext.exe     (http://www.foundstone.com)  Reads ASCII, unicode, and
                resource strings in a binary.  The equivalent of 'strings'
                in Unix.

fport.exe       (http://www.foundstone.com)  Reports open ports, PID of
                the process listening on them, and the path to the
                program.

handle.exe      (http://www.sysinternals.com)  Reports what files are open
                by what processes.

listdlls.exe    (http://www.sysinternals.com)  Lists the DLLs that are open,
                the path to the DLL, and the version number.

netstat.exe     A copy of netstat from the W2K operating system.

netstat95.exe   Another copy of netstat from the W95 operating system.

patchit.exe     (http://www.foundstone.com)  Binary file byte-patching
                program.

procexp.exe     (http://www.sysinternals.com)  Shows what files, registry
                keys, and other objects processes have open, along with
                process ownership.

regmon.exe      (http://www.sysinternals.com)  Monitors registry activity
                in real time.

showin.exe      (http://www.foundstone.com)  Shows information about hidden
                or disabled windows that exist on the desktop.  ( I had
                no idea .... )

tcpview.exe     (http://www.sysinternals.com)  Shows all TCP and UDP
                endpoints.  On WinNT and above it shows what process owns
                the endpoint.

I've borrowed much of the wording in these descriptions from the respective
websites, but I don't think they'll mind since I'm bragging about their
stuff.  It's all free, by the way, and I'm just a satisfied user.  ;-)

There's a lot more than this available, but some of it is OS-specific and
may not be useful to you.  Personally, I'd put just about anything on my
forensics CD that I thought might ever be useful to me.  One word of advice,
though:  Most of us probably don't do forensics as our day job, and some
time may pass between making the disk and using it.  I therefore set up
a convenient 'bin' directory with all the executables on mine, and put all
the raw stuff, readmes, etc., in separate directories named for each utility.
That way remembering what each one is good for and where I got it isn't so
difficult.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115
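Added example (not part of Neil's post, nor code from Foundstone or Sysinternals): a small Python script that lays out a forensics CD the way the post suggests, a bin/ directory holding every executable plus a directory per utility holding the raw download and a NOTES.txt saying what it does and where it came from, and that records SHA-256 sums so the disk's binaries can be checked for tampering before they are trusted on a suspect host. The manifest entries, directory names and file names are constructed for the example.

```python
import hashlib
from pathlib import Path

# Constructed manifest for two of the tools named in the post (source URLs
# are the vendor sites the post cites; purpose text is paraphrased).
MANIFEST = [
    {"name": "fport", "exe": "fport.exe", "source": "http://www.foundstone.com",
     "purpose": "Open ports, owning PID and path to the listening program."},
    {"name": "netstat", "exe": "netstat.exe", "source": "W2K install media",
     "purpose": "Known-good netstat; never trust the copy on the suspect host."},
]


def build_cd(downloads: Path, cd_root: Path, manifest=MANIFEST) -> dict:
    # Layout from the post: every executable in bin/, the raw download plus a
    # NOTES.txt (what it does, where it came from) in a directory per tool,
    # and bin/INDEX.txt + bin/SHA256SUMS so the disk can be checked later.
    bin_dir = cd_root / "bin"
    bin_dir.mkdir(parents=True, exist_ok=True)
    sums, index = {}, []
    for tool in manifest:
        tool_dir = cd_root / tool["name"]
        tool_dir.mkdir(exist_ok=True)
        data = (downloads / tool["exe"]).read_bytes()
        (tool_dir / tool["exe"]).write_bytes(data)  # raw download, kept as-is
        (bin_dir / tool["exe"]).write_bytes(data)   # working copy in bin/
        (tool_dir / "NOTES.txt").write_text(
            f"{tool['exe']}\nSource: {tool['source']}\nPurpose: {tool['purpose']}\n")
        sums[tool["exe"]] = hashlib.sha256(data).hexdigest()
        index.append(f"{tool['exe']:<16}{tool['source']:<30}{tool['purpose']}")
    (bin_dir / "INDEX.txt").write_text("\n".join(index) + "\n")
    (bin_dir / "SHA256SUMS").write_text(
        "".join(f"{d}  {n}\n" for n, d in sorted(sums.items())))
    return sums


def verify_cd(cd_root: Path) -> list:
    # Names of bin/ executables that are missing or no longer match SHA256SUMS;
    # an empty list means the disk is intact.
    bin_dir = cd_root / "bin"
    bad = []
    for line in (bin_dir / "SHA256SUMS").read_text().splitlines():
        digest, name = line.split("  ", 1)
        target = bin_dir / name
        if (not target.exists()
                or hashlib.sha256(target.read_bytes()).hexdigest() != digest):
            bad.append(name)
    return bad
```

Burn the SHA256SUMS file onto the read-only disk together with the tools, and run verify_cd against the mounted CD before using anything from it.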

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com