Category:Incident Response

From SecurityForest

Description

Computer Forensics and Incident Response utilize many similar techniques, and tools can often work in both categories. However, for organizational purposes, put tools that are to be used to investigate an on-going activity, or to gather volatile data from a currently running computer, into the Incident Response category. Put tools that are used to create, or work with, images of hard drives or other data volumes, in Computer Forensics.

Tools

  • AIRT (Linux) : Advanced Incident Response Tool
AIRT is a set of incident response assistant tools for the Linux platform. It is useful for finding out whether a malicious program is present on your system and, if so, what it is doing. Presently it consists of the following modules:
mod_hunter - searches for hidden modules on the system
process_hunter - searches for processes hidden from normal detection methods
sock_hunter - detects hidden ports that are open on the machine
modumper - dumps a hidden module into a file
dismod - tries to analyze a dumped module created with modumper
Currently supported platforms: Linux with kernel 2.6.x and newer.
http://159.226.5.93/projects/airt-0.1.tar.bz2

  • PsTools (Windows) : Windows System Information & Monitoring Utilities
What sets these tools apart from the Windows Resource Kit tools is that they all allow you to manage remote systems as well as the local one.
PsExec - execute processes remotely
PsFile - shows files opened remotely
PsGetSid - display the SID of a computer or a user
PsKill - kill processes by name or process ID
PsInfo - list information about a system
PsList - list detailed information about processes
PsLoggedOn - see who's logged on locally and via resource sharing (full source is included)
PsLogList - dump event log records
PsPasswd - changes account passwords
PsService - view and control services
PsShutdown - shuts down and optionally reboots a computer
PsSuspend - suspends processes
http://www.sysinternals.com/ntw2k/freeware/pstools.shtml
Download Package (http://www.securityforest.com/downloads/Pstools.zip)

  • Fport (Windows) : Foundstone's enhanced netstat
Fport reports all open TCP/IP and UDP ports on the machine you run it on and shows which application opened each port, so it can be used to quickly identify unknown open ports and their associated applications. It only runs on Windows, but many UNIX systems now provide this information via netstat (try 'netstat -pan' on Linux).
http://www.foundstone.com

  • LSOF (Linux, BSD) : LiSt Open Files
This Unix-specific diagnostic and forensics tool lists information about any files that are open by processes currently running on the system. It can also list communications sockets open by each process.
ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/


Articles in category "Incident Response"

There are 0 articles in this category.