Gathering evidence

Gathering evidence from the scene of an incident

Assuria Auditor

Assuria Auditor provides deep configuration and vulnerability scanning, inventory reporting, compliance assessment and powerful change detection through an extensible and flexible architecture. It provides vital information assurance and protection for critical business servers and helps maintain systems in a secure ‘known state’. Assuria Auditor utlises a comprehensive built-in Knowledge Base of known security vulnerabilities, security control configurations, up to date patch checks and security best practice information to enable organisations to easily bring their IT infrastructures up to high standards of security, especially servers. Internal IT security knowledge or experience is not necessary, because the built-in Assuria Auditor knowledge base includes not only the thousands of individual checks for a wide range of operating platforms, but also explanations of the implications of each vulnerability and step by step instructions on remediation.

Assuria Log Manager (ALM)

ALM is a CESG CCTM Accredited Forensic Log Management and SIM/SIEM solution used by government agencies, major commercial organisations, local government departments and IT service providers to deliver IT security intelligence and complete visibility into system activity. ALM provides automated collection and management of audit logs from across the whole enterprise, as well as security event analysis, alerting and reporting. ALM is fully scalable to meet the needs of organisations from SME’s right through to major global enterprises. ALM is designed to automate the management of logs from almost any IP based system or device, including MS Windows, Unix and Linux servers, workstations, databases, applications, network devices, firewalls, routers, physical access control systems and much more.

Dumpevt - Dump Windows Event log

SomarSoft's DumpEvt is a (free) Windows NT program to dump the event log in a format suitable for importing into a database. Similar to the DUMPEL utility in the NT resource kit, but without some of the limitations. DumpEvt has been updated to now allow dumping the new Windows 2000 event logs (DNS, File Replication, and Directory Service)

Dumpreg - Dump Windows Registry

SomarSoft's DumpReg is a (free) program for Windows NT and Windows 95 that dumps the registry, making it easy to find keys and value containing a string. For Windows NT, the registry entries can be sorted by reverse order of last modified time, making it easy to see changes made by recently installed software, for example. Must-have product for Windows NT systems administrators.

Dumpsec - Dump Windows ACL and Audit settings

SomarSoft's DumpSec is a (free) security auditing program for Microsoft Windows NT/2000. It dumps the permissions (DACLs) and audit settings (SACLs) for the file system, registry, printers and shares in a concise, readable format, so that holes in system security are readily apparent. DumpSec also dumps user, group and replication information. DumpSec is a must-have product for Windows NT systems administrators and computer security auditors.

Encase

Encase is a commercial evidence gathering and analysis tool, which performs all stages from imaging disks through investigation to preparing a final report. Once a disk has been imaged, Encase can be used to search the image, including deleted files and freespace, using built-in search tools or a macro language. Encase is commonly run on a dedicated forensic workstation: typical configurations are: Desktop PC with 50Gb of hard disk, DDS-4 tape drive and CD Writer Laptop PC with 20Gb of hard disk for work outside office The website includes examples of the use of the package.

Fstat

The fstat command lists open files on a system so can be used to identify any unexpected logfiles, for example from packet sniffers.

Incident Handling / Forensics FAQ

A paper about doing forensic work on Windows systems

Netcat

Netcat is a program to create network connections, TCP or UDP, to or from any port number. It is most commonly used with other commands as part of a script. In the security field it can be used to capture or orginate flows of packets for network or traffic debugging. It can also be used for scanning networks for vulnerable servers, testing firewalls, building proxies, etc.