Evidence gathering tools
2007-01-16 16:20
From http://chiht.dfn-cert.de/functions/evidence_gathering.html
These programs can be used to collect information about the state of systems or media either during an incident or afterwards (post-mortem).
Examining media
Name: The Coroner's Toolkit (TCT)
Source: http://www.porcupine.org/forensics/
Platform: Unix
TCT is a collection of programs by Wietse Venema and Dan Farmer that can be used for a post-mortem analysis of a Unix system after a break-in. The website includes handouts from a tutorial session, as well as examples of the tools' use in practical situations.
Used by team: Funet CERT, CERT Polska, SWITCH-CERT
Name: Encase
Source: http://www.encase.com/
Platform: Windows
Encase is a commercial evidence gathering and analysis tool, which performs all stages from imaging disks through investigation to preparing a final report. Once a disk has been imaged, Encase can be used to search the image, including deleted files and free space, using built-in search tools or a macro language. Encase is commonly run on a dedicated forensic workstation; typical configurations are:
- Desktop PC with 50Gb of hard disk, DDS-4 tape drive and CD writer
- Laptop PC with 20Gb of hard disk for work outside the office
The website includes examples of the use of the package.
Used by team: CERT Polska
Examining Systems and Processes
Name: Netcat
Source: http://netcat.sourceforge.net/
Platform: Unix, Windows
Netcat is a program to create network connections, TCP or UDP, to or from any port number. It is most commonly used with other commands as part of a script. In the security field it can be used to capture or originate flows of packets for network or traffic debugging. It can also be used for scanning networks for vulnerable servers, testing firewalls, building proxies, etc.
Used by team: Funet CERT, CERT Polska, SWITCH-CERT
Name: sockstat
Source: Built-in command
Platform: FreeBSD
The sockstat command lists the open sockets on a system, and so can be used to identify any unexpected connections, for example those made by packet sniffers.
Name: Fstat
Source: Built-in command
Platform: FreeBSD
The fstat command lists the open files on a system, and so can be used to identify any unexpected log files, for example those written by packet sniffers.
Name: Dumpreg - Dump Windows Registry
Source: http://www.systemtools.com/somarsoft/
Platform: Windows
SomarSoft's DumpReg is a (free) program for Windows NT and Windows 95 that dumps the registry, making it easy to find keys and values containing a string. For Windows NT, the registry entries can be sorted by reverse order of last modified time, making it easy to see changes made by recently installed software, for example. A must-have product for Windows NT systems administrators.
Used by team: CERT Polska
Name: Dumpsec - Dump Windows ACL and Audit settings
Source: http://www.systemtools.com/somarsoft/
Platform: Windows
SomarSoft's DumpSec is a (free) security auditing program for Microsoft Windows NT/2000. It dumps the permissions (DACLs) and audit settings (SACLs) for the file system, registry, printers and shares in a concise, readable format, so that holes in system security are readily apparent. DumpSec also dumps user, group and replication information. DumpSec is a must-have product for Windows NT systems administrators and computer security auditors.
Used by team: CERT Polska
Name: Dumpevt - Dump Windows Event log
Source: http://www.systemtools.com/somarsoft/
Platform: Windows
SomarSoft's DumpEvt is a (free) Windows NT program to dump the event log in a format suitable for importing into a database. It is similar to the DUMPEL utility in the NT resource kit, but without some of its limitations. DumpEvt has been updated to allow dumping the new Windows 2000 event logs (DNS, File Replication and Directory Service).
Used by team: CERT Polska
Name: Foundstone Forensic tools
Source: http://www.foundstone.com/knowledge/forensics.html
Platform: Windows
The Foundstone Forensics toolkit includes programs to list open ports and the processes controlling them, to track logins and activity on Windows systems, and to examine file access times and permissions.
Used by team: CERT Polska
Name: Sysinternals tools
Source: http://www.sysinternals.com/
Platform: Windows
The SysInternals tools for Windows include utilities to examine Windows processes, files and ports. The site also includes a great deal of information on undocumented features of Windows operating systems.
Used by team: CERT Polska, SWITCH-CERT
Name: Incident Handling / Forensics FAQ
Source: http://www.paladion.net/media/insights/ihfaq.htm
Platform: Web Site
A paper about doing forensic work on Windows systems.