Security Incidents mailing list archives
RE: Forensics CD (was: Re: Strange Folder
From: "Morris, Rod" <Morris.Rod () kpmg nl>
Date: Thu, 10 Oct 2002 10:39:38 +0200
Here's a list with some of the things I carry around. Hope it is of some use!
Cheers,
Rod
PsExec  execute processes remotely
PsFile  shows files opened remotely
PsGetSid  display the SID of a computer or user
PsKill  kill processes by name or process ID
PsInfo  list information about a system
PsList  list detailed information about processes
PsLoggedOn  see who's logged on locally and via resource sharing
PsLogList  dump event log records
PsService  view and control services
PsShutdown  shuts down and optionally reboots a computer
PsSuspend  suspends processes
PsUptime  shows you how long a system has been running since its last reboot
(PsUptime's functionality has been incorporated into PsInfo)
ListDLLs  shows DLLs loaded
procexp  shows information about which handles and DLLs processes have opened or loaded
procexp  as above but account must have "load driver" and "debug privileges"
HandleEx  shows information about which handles and DLLs processes have opened or loaded
frhed  hex editor
filemon  monitors and displays file system activity on a system in real time
fport  reports all open TCP/IP and UDP ports and maps them to the owning application
cmd  the command prompt for Windows NT and Windows 2000
netstat  enumerates all listening ports and all current connections to those ports
nbtstat  lists recent NetBIOS connections for approximately the last 10 minutes
arp  shows the MAC addresses of systems that the target system has been recently communicating with
doskey  displays the command history for an open CMD.EXE shell
netcat  a utility which reads and writes data across a network connection
cryptcat  a utility which reads and writes encrypted data across a network connection
pwdump2  an application which dumps the password hashes from NT's SAM database and Active Directory
ntlast  security log analyzer
afind  lists files by last access times and allows searches for access times between time frames
sfind  scans the disk for hidden data streams and lists the last access times
hfind  scans the disk for hidden files and lists the last access times
filestat  a quick dump of all file and security attributes (works only on one file at a time)
hunt  a quick way to see if a server reveals too much info via NULL sessions
--
Rod Morris
KPMG
Forensic Technology
tel +31 (0) 20 656 8884
mob +31 (0) 6 5207 8815
fax +31 (0) 20 656 7790
e-mail Morris.Rod () kpmg nl
X.400 c=NL;a=CONCERT;p=KPMG;s=morris;g=rod
-----Original Message-----
From: Meritt James [mailto:meritt_james () bah com]
Sent: Monday 7 October 2002 15:12
To: Neil Dickey
Cc: incidents () securityfocus com; rootman22 () attbi com
Subject: Forensics CD (was: Re: Strange Folder

REAL good suggestion! Any specific recommendations as to what should be on the CD?

Jim

Neil Dickey wrote:
> It's a good idea to have a kit of such tools on a read-only CD in advance of an incident like this, so that you have tools you know you can trust -- that haven't been trojanned -- ready to use. It's rather like the instructions in a snake-bite kit. You want to be familiar with them *before* Mr. Snake has his way with you.

--
James W. Meritt CISSP, CISA
Booz | Allen | Hamilton
phone: (410) 684-6566
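The thread's point is that the kit on the CD is only useful if the responder can trust that the binaries are the ones that were burned and have not been trojanned. The following Python script is an added example, not code from the post or from any of the tools listed above: it builds a SHA-256 manifest of a toolkit directory and later checks a kit (or a copy of it) against that manifest, reporting modified, missing and unlisted files. The directory layout, the stand-in tool file names and the manifest file name are assumptions for illustration; the manifest should be kept somewhere other than on the kit it describes, or recorded offline, so that tampering with the kit cannot also rewrite the record.

```python
"""Integrity manifest for a read-only forensic tool kit (added example).

Builds a SHA-256 manifest of every file under a toolkit directory and verifies
a kit against it. The kit layout and tool names used in run_demo() are
constructed stand-ins, not real binaries.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root ('/'-separated relative path) to its hash."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def write_manifest(manifest, path):
    """Store as 'hash  relative/path' lines, the same shape sha256sum writes."""
    with open(path, "w", encoding="utf-8") as fh:
        for rel in sorted(manifest):
            fh.write(f"{manifest[rel]}  {rel}\n")


def read_manifest(path):
    """Parse the lines written by write_manifest back into a dict."""
    manifest = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.rstrip("\n")
            if line:
                digest, rel = line.split("  ", 1)
                manifest[rel] = digest
    return manifest


def verify_kit(root, expected):
    """Compare the kit on disk with the expected manifest.

    A file present on the kit that the manifest never listed is treated as
    suspicious as a modified one: nothing should appear on read-only media
    that was not burned onto it.
    """
    actual = build_manifest(root)
    modified = sorted(r for r in expected if r in actual and actual[r] != expected[r])
    missing = sorted(r for r in expected if r not in actual)
    unexpected = sorted(r for r in actual if r not in expected)
    return {"modified": modified, "missing": missing, "unexpected": unexpected,
            "ok": not (modified or missing or unexpected)}


def run_demo():
    """Constructed scenario: record a kit, then tamper with it and re-check.

    Returns (result for the pristine kit, result for the tampered kit).
    """
    with tempfile.TemporaryDirectory() as tmp:
        kit = os.path.join(tmp, "kit")
        os.makedirs(os.path.join(kit, "bin"))
        # Constructed stand-ins for tools named in the post; contents are fake.
        for name in ("netstat.exe", "nc.exe", "fport.exe", "psloggedon.exe"):
            with open(os.path.join(kit, "bin", name), "wb") as fh:
                fh.write(b"stand-in for " + name.encode())
        # The manifest lives outside the kit directory it describes.
        manifest_path = os.path.join(tmp, "MANIFEST.sha256")
        write_manifest(build_manifest(kit), manifest_path)
        clean = verify_kit(kit, read_manifest(manifest_path))

        # Simulated tampering: netcat replaced, fport removed, an extra file added.
        with open(os.path.join(kit, "bin", "nc.exe"), "wb") as fh:
            fh.write(b"not the netcat that was burned")
        os.remove(os.path.join(kit, "bin", "fport.exe"))
        with open(os.path.join(kit, "bin", "extra.dll"), "wb") as fh:
            fh.write(b"unlisted file")
        tampered = verify_kit(kit, read_manifest(manifest_path))
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = run_demo()
    print("pristine kit ok:", clean["ok"])
    print("tampered kit:", tampered)
```

In use, `build_manifest` and `write_manifest` run once on the master copy before burning, and `verify_kit` runs against the mounted CD (or a working copy of it) at the start of an engagement; any entry in `modified`, `missing` or `unexpected` means the kit should not be trusted for that incident.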