
Evidence gathering tools

2007-01-16 16:20

From http://chiht.dfn-cert.de/functions/evidence_gathering.html

These programs can be used to collect information about the state of systems or media either during an incident or afterwards (post-mortem).

Examining media

Name: The Coroner's Toolkit (TCT)
Source: http://www.porcupine.org/forensics/
Platform: Unix
TCT is a collection of programs by Wietse Venema and Dan Farmer that
can be used for a post-mortem analysis of a Unix system after a
break-in. The website includes handouts from a tutorial session, as
well as examples of use of the tools in practical situations.

Used by team: Funet CERT, CERT Polska, SWITCH-CERT


Name: Encase
Source: http://www.encase.com/
Platform: Windows
Encase is a commercial evidence gathering and analysis tool, which
performs all stages from imaging disks through investigation to
preparing a final report. Once a disk has been imaged, Encase can be
used to search the image, including deleted files and freespace,
using built-in search tools or a macro language. Encase is commonly
run on a dedicated forensic workstation; typical configurations are:

- Desktop PC with 50 GB of hard disk, DDS-4 tape drive and CD writer
- Laptop PC with 20 GB of hard disk for work outside the office

The website includes examples of the use of the package.

Used by team: CERT Polska


Examining Systems and Processes

Name: Netcat
Source: http://netcat.sourceforge.net/
Platform: Unix, Windows
Netcat is a program to create network connections, TCP or UDP, to or
from any port number. It is most commonly used with other commands
as part of a script. In the security field it can be used to capture
or originate flows of packets for network or traffic debugging. It
can also be used for scanning networks for vulnerable servers,
testing firewalls, building proxies, etc.

Used by team: Funet CERT, CERT Polska, SWITCH-CERT


Name: sockstat
Source: Built-in command
Platform: FreeBSD
The sockstat command lists open sockets on a system, so it can be used
to identify any unexpected connections, for example from packet
sniffers.


Name: Fstat
Source: Built-in command
Platform: FreeBSD
The fstat command lists open files on a system, so it can be used to
identify any unexpected logfiles, for example from packet sniffers.


Name: Dumpreg - Dump Windows Registry
Source: http://www.systemtools.com/somarsoft/
Platform: Windows
SomarSoft's DumpReg is a (free) program for Windows NT and Windows
95 that dumps the registry, making it easy to find keys and values
containing a string. For Windows NT, the registry entries can be
sorted by reverse order of last modified time, making it easy to see
changes made by recently installed software, for example. Must-have
product for Windows NT systems administrators.

Used by team: CERT Polska


Name: Dumpsec - Dump Windows ACL and Audit settings
Source: http://www.systemtools.com/somarsoft/
Platform: Windows
SomarSoft's DumpSec is a (free) security auditing program for
Microsoft Windows NT/2000. It dumps the permissions (DACLs) and
audit settings (SACLs) for the file system, registry, printers and
shares in a concise, readable format, so that holes in system
security are readily apparent. DumpSec also dumps user, group and
replication information. DumpSec is a must-have product for Windows
NT systems administrators and computer security auditors.

Used by team: CERT Polska


Name: Dumpevt - Dump Windows Event log
Source: http://www.systemtools.com/somarsoft/
Platform: Windows
SomarSoft's DumpEvt is a (free) Windows NT program to dump the event
log in a format suitable for importing into a database. Similar to
the DUMPEL utility in the NT resource kit, but without some of the
limitations. DumpEvt has been updated to allow dumping the new
Windows 2000 event logs (DNS, File Replication, and Directory
Service).

Used by team: CERT Polska


Name: Foundstone Forensic tools
Source: http://www.foundstone.com/knowledge/forensics.html
Platform: Windows
The Foundstone Forensics toolkit includes programs to list open
ports and the processes controlling them; to track logins and
activity on Windows systems; to examine file access times and
permissions.

Used by team: CERT Polska


Name: Sysinternals tools
Source: http://www.sysinternals.com/
Platform: Windows
The SysInternals tools for Windows include utilities to examine Windows
processes, files and ports. The site also includes a great deal of
information on undocumented features of Windows operating systems.

Used by team: CERT Polska, SWITCH-CERT


Name: Incident Handling / Forensics FAQ
Source: http://www.paladion.net/media/insights/ihfaq.htm
Platform: Web Site
Paper about doing forensic work on Windows systems.
