Security Incidents mailing list archives
Re: Forensics CD (was: Re: Strange Folder
From: "sunzi" <sunzi () mod-x co uk>
Date: Wed, 9 Oct 2002 07:36:18 -0400
You can find a self-extracting exe meant for floppy, based on Carv's articles on SecurityFocus here: http://isso.red-division.org/projects/Win32_Analyzer/

sunzi

----- Original Message -----
From: "Brian Taylor" <btaylor () neri org>
To: "'Neil Dickey'" <neil () geol niu edu>; <meritt_james () bah com>; <incidents () securityfocus com>
Sent: Tuesday, October 08, 2002 8:34 AM
Subject: RE: Forensics CD (was: Re: Strange Folder

I like some of the tools you have listed. Here is a batch file that I run when I think there is a potential compromise or threat:

    REM time stamps bracket the collection
    time /t
    date /t
    REM open ports with owning process and path
    fport
    netstat -an
    REM NetBIOS name cache
    nbtstat -c
    REM running processes, loaded DLLs, logged-on users
    pslist
    listdlls
    psloggedon
    time /t
    date /t
    REM record the commands typed in this session
    doskey /history
    exit

One important thing here is that I run this from a floppy that has a known good cmd.exe since I could never trust a cmd.exe on a compromised system. Additionally I write the resultant output file to the floppy so that the file system on the hard drive does not change and therefore contaminate your evidence. Obviously you can see that I work in a windows environment, I hope this was helpful.

-----Original Message-----
From: Neil Dickey [mailto:neil () geol niu edu]
Sent: Monday, October 07, 2002 11:08 AM
To: meritt_james () bah com; incidents () securityfocus com
Subject: Re: Forensics CD (was: Re: Strange Folder

"Meritt James" <meritt_james () bah com> wrote in response to me:

> [ ... Kit of tools on a CD-ROM ... ]
> REAL good suggestion! Any specific recommendations as to what should be on the CD? Thanks!

I think I picked up the idea from someone on this list, as a matter of fact. I wish I could remember who. Here's what I have on mine at the moment:

bintext.exe (http://www.foundstone.com)
    Reads ASCII, unicode, and resource strings in a binary. The equivalent of 'strings' in unix.

fport.exe (http://www.foundstone.com)
    Reports open ports, PID of the process listening on them, and the path to the program.

handle.exe (http://www.sysinternals.com)
    Reports what files are open by what processes.

listdlls.exe (http://www.sysinternals.com)
    Lists the DLLs that are open, the path to the DLL, and the version number.

netstat.exe
    A copy of netstat from the W2K operating system.

netstat95.exe
    Another copy of netstat from the W95 operating system.

patchit.exe (http://www.foundstone.com)
    Binary file byte-patching program.

procexp.exe (http://www.sysinternals.com)
    Shows what files, registry keys, and other objects processes have open, along with process ownership.

regmon.exe (http://www.sysinternals.com)
    Monitors registry activity in real time.

showin.exe (http://www.foundstone.com)
    Shows information about hidden or disabled windows that exist on the desktop. ( I had no idea .... )

tcpview.exe (http://www.sysinternals.com)
    Shows all TCP and UDP endpoints. On WinNT and above it shows what process owns the endpoint.

I've borrowed much of the wording in these descriptions from the respective websites, but I don't think they'll mind since I'm bragging about their stuff. It's all free, by the way, and I'm just a satisfied user. ;-)

There's a lot more than this available, but some of it is OS-specific and may not be useful to you. Personally, I'd put just about anything on my forensics CD that I thought might ever be useful to me. One word of advice, though: Most of us probably don't do forensics as our day job, and some time may pass between making the disk and using it. I therefore set up a convenient 'bin' directory with all the executables on mine, and put all the raw stuff, readmes, etc., in separate directories named for each utility. That way remembering what each one is good for and where I got it isn't so difficult.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois 60115

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
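An added example, not part of any message in the thread: Brian Taylor's batch file reworked so that it uses only the known-good binaries on the floppy and writes everything to the floppy in one redirected block. The drive letter A:, the A:\bin tool directory, the A:\evidence output directory and the script name collect.bat are assumed, as is a Windows NT/2000 cmd.exe (the parenthesised block and 2>&1 do not work under COMMAND.COM).

```batch
@echo off
REM Added example (hypothetical layout): known-good cmd.exe and tools in
REM A:\bin, output in A:\evidence. Start A:\bin\cmd.exe interactively on
REM the suspect host and run A:\collect.bat from it, so that doskey
REM /history at the end still records the commands typed in the session.
setlocal
set TOOLS=A:\bin
set OUT=A:\evidence\%COMPUTERNAME%-volatile.txt

REM Restrict PATH to the trusted directory so a trojaned copy of a tool
REM in the suspect system's %SystemRoot% can never be picked up; every
REM tool is also called by full path. netstat/nbtstat must be copies
REM taken from the same OS version as the host being examined. The tools
REM still load system DLLs from the suspect host, so the floppy only
REM vouches for the executables themselves.
set PATH=%TOOLS%
if not exist A:\evidence mkdir A:\evidence

REM One redirected block: nothing is ever written to the suspect disk.
REM Network state is collected before process state because it is the
REM most volatile; the time stamps bracket the whole run.
(
  echo ==== Volatile data collection on %COMPUTERNAME% ====
  echo Started:
  date /t
  time /t
  echo ==== netstat -an ====
  %TOOLS%\netstat.exe -an
  echo ==== nbtstat -c ====
  %TOOLS%\nbtstat.exe -c
  echo ==== fport ====
  %TOOLS%\fport.exe
  echo ==== pslist ====
  %TOOLS%\pslist.exe
  echo ==== listdlls ====
  %TOOLS%\listdlls.exe
  echo ==== psloggedon ====
  %TOOLS%\psloggedon.exe
  echo Finished:
  date /t
  time /t
  echo ==== commands typed in this session ====
  doskey /history
) > "%OUT%" 2>&1
endlocal
```

Write-protect the floppy (or the CD) before it goes anywhere near the suspect host for anything other than the output directory, and note the start and end times in your own log as well, since the host clock itself may be untrustworthy.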
Current thread:
- Re: Forensics CD (was: Re: Strange Folder Neil Dickey (Oct 07)
- Re: Forensics CD (was: Re: Strange Folder Nick FitzGerald (Oct 08)
- Re: Forensics CD (was: Re: Strange Folder robjeh (Oct 08)
- <Possible follow-ups>
- RE: Forensics CD (was: Re: Strange Folder Brian Taylor (Oct 08)
- Re: Forensics CD (was: Re: Strange Folder sunzi (Oct 09)
- Re: Forensics CD (was: Re: Strange Folder Neil Dickey (Oct 09)
- RE: Forensics CD (was: Re: Strange Folder Morris, Rod (Oct 10)
- RE: Forensics CD (was: Re: Strange Folder Jonathan Watts (Oct 11)