Full Disclosure mailing list archives

Forensics CD


From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Wed, 23 Apr 2003 10:49:45 -0500

Thanks to everyone that's emailed me privately as well as those who have
responded to the list.  I should have been more clear about what I was
looking for. :-)

I've downloaded and created a boot CD using FIRE.  That's a really nice
compilation of useful programs.  However, I also have to create a CD
that can be used without having to reboot.  In some cases we may not
want to take a machine offline until we're certain that it's
compromised.  Thus the need for a CD of utilities that can be used to do
preliminary testing.

I found a place on the web that had statically compiled programs for
Linux 2.2 and 2.4 and Solaris 2.7.  I'm probably going to end up
compiling static copies for other OSes as well.  The following is a list
of utilities that I think would be useful.

I invite comments, additions, subtractions from this list.  Is there
anything missing?  Keep in mind, this is for a preliminary inspection
(including md5 checksum work) without taking a machine offline for an
in-depth forensic analysis.  I'll also include chkrootkit and tct as
well, just for completeness.

To answer one question - at this point I don't know if this will be made
publicly available.  It *may* be, but there's a lot of work to be done
before I get to that point.

bindshell
cat
chfn
chgrp
chmod
chown
chroot
chsh
cp
cpio
cut
date
df
dig
du
echo
env
file
find
grep
ifconfig
inetd
infingerd
less
login
ls
lsof
md5sum
more
netstat
passwd
ping
ps
rpcinfo
rpm
rshd
strace (ktrace, etc.)
sshd
strings
syslogd
sz
tar
telnetd
top
traceroute
vi
whois

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
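The post describes a CD of statically compiled utilities for a preliminary, no-reboot inspection, including md5 checksum work. One practical concern with such a kit is trusting the CD's own copies before trusting anything they report. The script below is an added example, not part of the original post or of any toolkit it mentions: it builds an md5 manifest of the tool directory, re-verifies it (catching modified, missing or unlisted files), and runs a tool only from the verified directory rather than from the suspect host's PATH. The directory layout, the manifest name and the sample "binaries" it creates for its own demo are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed layout: the CD is mounted
# somewhere like /mnt/cdrom with the static tools under bin/ and a MANIFEST.md5
# written when the CD was mastered on a clean machine.

# make_manifest TOOLDIR MANIFEST
# Record "md5  ./relative/path" for every regular file under TOOLDIR.
make_manifest() {
    tooldir=$1
    manifest=$2
    ( cd "$tooldir" && find . -type f -exec md5sum {} + | sort -k2 ) > "$manifest"
}

# verify_toolkit TOOLDIR MANIFEST
# Returns 0 only if every listed file still hashes to its recorded value and
# no unlisted file has appeared in the directory. Reports each problem.
verify_toolkit() {
    tooldir=$1
    manifest=$2
    status=0
    while read -r want path; do
        # A missing file yields "MISSING", which never equals a real hash.
        have=$( { md5sum "$tooldir/$path" 2>/dev/null || echo MISSING; } | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            echo "MISMATCH: $path"
            status=1
        fi
    done < "$manifest"
    for f in $(cd "$tooldir" && find . -type f); do
        grep -q " $f\$" "$manifest" || { echo "UNLISTED: $f"; status=1; }
    done
    return $status
}

# run_trusted TOOLDIR LOGDIR TOOL [ARGS...]
# Run TOOL from the verified CD directory only (never the host's PATH) and
# append its output, with a UTC timestamp, to LOGDIR/TOOL.log so the
# preliminary inspection leaves a reviewable record. Refuses tools not on the CD.
run_trusted() {
    tooldir=$1
    logdir=$2
    tool=$3
    shift 3
    if [ ! -x "$tooldir/$tool" ]; then
        echo "refusing: $tool is not on the CD" >&2
        return 1
    fi
    mkdir -p "$logdir"
    {
        echo "== $tool $* @ $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        "$tooldir/$tool" "$@"
    } >> "$logdir/$tool.log" 2>&1
}

# Self-contained demo with constructed stand-ins for the static binaries
# (plain text files), so it runs without a real CD.
demo() {
    work=$(mktemp -d)
    mkdir "$work/bin"
    printf 'stand-in for static ls\n' > "$work/bin/ls"
    printf '#!/bin/sh\necho "tcp 0 0 0.0.0.0:22 LISTEN"\n' > "$work/bin/netstat"
    chmod +x "$work/bin/netstat"
    make_manifest "$work/bin" "$work/MANIFEST.md5"
    verify_toolkit "$work/bin" "$work/MANIFEST.md5" && echo "toolkit OK"
    printf 'altered\n' >> "$work/bin/ls"          # simulate a tampered copy
    verify_toolkit "$work/bin" "$work/MANIFEST.md5" || echo "toolkit NOT trusted"
    rm -rf "$work"
}
```

Typical use on a suspect host would be `verify_toolkit /mnt/cdrom/bin /mnt/cdrom/MANIFEST.md5` first, then `run_trusted /mnt/cdrom/bin /mnt/evidence netstat -an` and similar for ps, lsof and the other listed tools; the manifest itself should come from the CD (or a printed copy), not from the host being examined.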