10 Windows Incident Response & Forensic Tools You shouldn’t be without

A medieval knight cannot go into battle without his armor. In the same manner, an information security officer cannot respond to an attack without his or her forensic tools. The preferred way to work is to prepare an incident response CD that houses the investigative toolkit and to run every tool from that read-only media, so that nothing on the compromised system has to be trusted and as little as possible on it is changed.

The first essential component is the command shell found on every Windows machine, cmd.exe. Most of the tools below are run from a known-good copy of cmd.exe kept in the toolkit, taken from a clean installation of the same Windows version as the victim, rather than from the victim's own copy, which may have been replaced. I suggest renaming the file in the toolkit to thwart newer malware that watches for and kills processes named cmd.exe.

Netcat
Netcat, dubbed the “TCP/IP Swiss Army Knife”, is a Windows port of a simple UNIX utility that reads and writes data across network connections using TCP or UDP. In incident response it carries the output of the other tools off the box: the examiner starts a listener on the forensic workstation, and each command run on the victimized machine is piped into nc, which delivers the record to that secure location for evidence processing. Sending the data out over the network rather than saving it locally limits the changes made to the attacked system and protects the information for investigation. Plain netcat sends everything in clear text, so keep the transfer on a trusted network segment (or use an encrypting variant such as cryptcat) and hash what the listener receives as soon as it arrives.

Fport
Foundstone, Inc. developed Fport, which maps every open TCP and UDP port on a system to the process that owns it, with its Process Identifier and the path to its executable. Fport helps find an attacker's entry point: review the open port list for a suspicious executable or PID. It is also an excellent tool for hardening a system up front, by determining which listening services are not needed and disabling them. Fport dates from the NT/2000/XP era; on later Windows versions netstat's -o and -b switches (below) provide the same port-to-executable mapping.

NetStat
Netstat is similar to Fport in that it reports the local and remote IP addresses and ports of each socket and, with the “-b” parameter, the executable behind it. Netstat ships with Windows NT, 2000 and XP (and every later version) and can be copied from the system32 directory into the toolkit. Its basic function is to establish whether a port is open and which IP address it is communicating with. Netstat -r also prints the routing table, which can reveal attacks on the flow of traffic within the network. In Windows XP Service Pack 2, Microsoft added the -b switch, which shows the process behind each listening or connected port and its executable, and, combined with -v, the sequence of components (DLLs) involved in creating the connection. Running “netstat -naob” gives all of this in one pass: -n prints numeric addresses (no reverse DNS lookups, which would add traffic of your own to the wire), -a includes listening ports, -o adds the process ID, and -b the executable. Note that -b requires administrative rights and can be slow on a busy system.
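Joining netstat's LISTENING rows to the owning image name with tasklist, as an added example that is not from the original post. It is for an XP Professional system where netstat's -o switch is available but -b is too slow or cannot be trusted; it assumes netstat.exe and tasklist.exe were copied into the toolkit and that the script is run from the trusted shell with PATH pointed at that directory.

```batch
@echo off
REM listen_ports.bat -- added example, not part of the original post.
REM Lists every listening TCP port with the PID and image name that owns it.
REM Assumes PATH already points at the toolkit copies of netstat.exe and
REM tasklist.exe (tasklist exists on XP Professional and later).
setlocal
REM "netstat -nao -p tcp" prints:  Proto  LocalAddress  ForeignAddress  State  PID
REM -n avoids reverse DNS lookups, so the collection itself adds no name
REM queries to the wire.  tokens=2,4,5 -> %%a local addr:port, %%b state, %%c PID.
for /f "tokens=2,4,5" %%a in ('netstat -nao -p tcp ^| findstr LISTENING') do (
  REM tasklist /fo csv /nh prints "image","pid","session",...; take field 1
  REM and strip the quotes with %%~p.
  for /f "tokens=1 delims=," %%p in ('tasklist /fi "pid eq %%c" /fo csv /nh') do (
    echo %%a  pid=%%c  image=%%~p
  )
)
endlocal
```

Compare the output with the same listing from a clean build of the same Windows version: a listening port owned by an image that is not in that baseline, or a familiar image name running from an unexpected path, is what Fport and netstat -b are meant to surface.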

NbtStat
Nbtstat, a NetBIOS-over-TCP/IP utility, lists the machines that have recently exchanged NetBIOS traffic with the compromised host. Unidentified systems show up in the NetBIOS name cache (nbtstat -c, the names and IP addresses recently resolved) and in the session table (nbtstat -S, which lists current sessions by IP address without doing name lookups). Fortunately, Nbtstat is also a component of Windows and is found in the system32 directory, so copy it into the toolkit as well.

ARP Command
The Address Resolution Protocol cache maps IP addresses on the local network to the MAC addresses of the Ethernet cards that answered for them. The ARP command (arp -a) outputs these associations, which helps locate an attacker cloaked as someone else: a gateway's IP address paired with an unfamiliar MAC, or a single MAC answering for several IP addresses, points at ARP spoofing. The ARP tool is found in the same location as Nbtstat and Netstat.

PsList
The PsList tool captures the process table listing (pslist -t shows it as a parent/child tree). The list will show any rogue processes, such as backdoors, sniffers, and password crackers, that the attacker executed after compromising the system. PsList is part of the free PsTools suite from Sysinternals, which provides various other functions.

Dumpel.exe
To avoid disrupting the data on a victimized machine, examining the event log through the GUI Event Viewer is not recommended. Instead, the command-line tool dumpel.exe (from the Windows NT/2000 Resource Kit) writes an event log as text that can be read offline. Three commands, one per log, dump all three Event Viewer logs from the command prompt while preserving the time-stamped originals: dumpel -l system, dumpel -l application, and dumpel -l security. Without -f filename the output goes to the screen, so redirect it to removable media or pipe it through netcat rather than writing to the victim's disk. Dumpel only reads the classic NT-style logs; on Windows Vista and later, the built-in wevtutil exports a log instead (for example wevtutil epl System System.evtx).

Regdmp.exe
The tool regdmp.exe dumps registry data in readable plain-text format, the whole registry by default or a single key given as an argument. This valuable technique can reveal the last hosts the machine connected to with telnet, the most recently used (MRU) documents for each program, the commands run from Explorer's Run dialog (RunMRU), and the executables started when the machine boots (the Run keys). Regdmp.exe is included in the Microsoft Resource Kit; on a system without it, the built-in reg.exe (reg export) produces a similar text dump.
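The collection run that the sections above describe, as an added example that is not a script from the original post: the trusted shell, every tool resolved from the CD, volatile data first (network state, then processes), logs and registry last, and the whole record shipped to the examiner over a single netcat connection so nothing is written to the victim's disk. The drive letter, directory, renamed shell, address and port are placeholders, and it assumes the listed binaries (including copies of netstat.exe, nbtstat.exe and arp.exe taken from a clean system32) were put in the toolkit.

```batch
@echo off
REM collect.bat -- added example of the collection procedure described on this
REM page, not a script from the original post.  Assumptions: the toolkit CD is
REM mounted as D:, D:\tools holds trusted copies of cmd.exe (renamed tcmd.exe),
REM nc.exe, netstat.exe, nbtstat.exe, arp.exe, fport.exe, pslist.exe,
REM dumpel.exe and regdmp.exe, and the examiner's workstation (placeholder
REM address 192.168.1.5) has ONE listener waiting for the whole record:
REM
REM     nc -l -p 4444 > victim_volatile.txt
REM
REM Start this from the trusted shell, never from the victim's cmd.exe:
REM
REM     D:\tools\tcmd.exe /c D:\tools\collect.bat
setlocal
set TOOLS=D:\tools
set EXAMINER=192.168.1.5
set PORT=4444

REM Resolve every command from the CD only; never fall back to the victim's
REM %SystemRoot%\system32, which may have been trojaned.
set PATH=%TOOLS%
REM cmd.exe launches %COMSPEC% for each side of a pipe, so point that at the
REM trusted shell as well or the victim's cmd.exe ends up running the block.
set COMSPEC=%TOOLS%\tcmd.exe

REM Everything goes out over a single connection in order of volatility.
REM The === marker lines let the examiner split the file afterwards.
(
  echo === host %COMPUTERNAME% collection started %DATE% %TIME% ===
  echo === netstat -naob ===
  netstat -naob
  echo === netstat -r ===
  netstat -r
  echo === nbtstat -c ===
  nbtstat -c
  echo === nbtstat -S ===
  nbtstat -S
  echo === arp -a ===
  arp -a
  echo === fport ===
  fport
  echo === pslist -t ===
  pslist -t
  echo === dumpel system ===
  dumpel -l system
  echo === dumpel application ===
  dumpel -l application
  echo === dumpel security ===
  dumpel -l security
  echo === regdmp ===
  regdmp
  echo === collection finished %DATE% %TIME% ===
) | nc -w 3 %EXAMINER% %PORT%
endlocal
```

On the examiner side, hash victim_volatile.txt as soon as the listener exits and record the hash with the case notes; the transfer itself is clear text, so run it over a segment the attacker cannot sniff. Netstat's -o and -b switches need XP (SP2 for -b); on NT 4 or 2000 drop them and fall back to fport for the port-to-process mapping.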

Process Explorer
Dubbed by its developer Mark Russinovich the “Super Task Manager”, Process Explorer is a GUI tool useful for finding malware left by an intruder. The program displays the parent-child relationships of processes, allows quick identification of Windows services (and which svchost instance hosts them), can verify image signatures so that images validly signed by a trusted publisher can be ruled out, and can search online for an unfamiliar process name. It also highlights packed images, which are usually associated with malware attempting to avoid antivirus detection.

Sysinternals
Sysinternals isn’t just one tool, but I had to include the entire package. Sysinternals is a collection of free utilities to administer, monitor, troubleshoot, and respond in a Windows environment. The suite includes RootkitRevealer, PsList, PsLoggedOn, and Process Explorer (already mentioned above), along with many other tools that could be used in a variety of situations. For example, Autoruns is a GUI-driven application that lists every program configured to start automatically. It is far superior to msconfig and may unveil auto-start entries not found by the “in the box” tools. BgInfo writes system and network information onto the desktop background, so a responder can read it without going through numerous menus. Process Monitor is the partner of Process Explorer and replaces Filemon and Regmon by actively monitoring file system, registry, and process/thread activity. It also logs event properties, session IDs, and usernames, and is ideal for determining the operating system changes caused by an infection. PsTools is a child bundle of Sysinternals and includes the tools named here with the prefix “Ps”. In addition, the “Ps” collection contains utilities that execute processes remotely (PsExec), show opened files (PsFile), view and control services (PsService), kill processes (PsKill), and more. Sigcheck is another Sysinternals tool of exceptional quality. It quickly ascertains whether images are digitally signed and verifies the signature, which rules out tampering with a legitimate file; keep in mind that an unsigned file is not necessarily malicious, and a signed one is not necessarily benign.

I will probably write a lengthy article on the specific uses of one or more of these tools. Maybe I’ll do a mock investigation or an image driven tutorial. Man, I love this blogging thing. Let me know how I’m doing. Anyhow, this was a summary of 10 very powerful incident response and forensic tools that we should all have in our arsenal.