Examining system
Assuria Auditor
Assuria Auditor provides deep configuration and vulnerability scanning, inventory reporting, compliance assessment and powerful change detection through an extensible and flexible architecture. It provides vital information assurance and protection for critical business servers and helps maintain systems in a secure ‘known state’. Assuria Auditor utilises a comprehensive built-in Knowledge Base of known security vulnerabilities, security control configurations, up-to-date patch checks and security best practice information to enable organisations to easily bring their IT infrastructures, especially servers, up to high standards of security. Internal IT security knowledge or experience is not necessary, because the built-in Assuria Auditor knowledge base includes not only the thousands of individual checks for a wide range of operating platforms, but also explanations of the implications of each vulnerability and step-by-step instructions on remediation.
Assuria Log Manager (ALM)
ALM is a CESG CCTM Accredited Forensic Log Management and SIM/SIEM solution used by government agencies, major commercial organisations, local government departments and IT service providers to deliver IT security intelligence and complete visibility into system activity. ALM provides automated collection and management of audit logs from across the whole enterprise, as well as security event analysis, alerting and reporting. ALM is fully scalable to meet the needs of organisations from SMEs right through to major global enterprises. ALM is designed to automate the management of logs from almost any IP-based system or device, including MS Windows, Unix and Linux servers, workstations, databases, applications, network devices, firewalls, routers, physical access control systems and much more.
Dumpevt - Dump Windows Event log
SomarSoft's DumpEvt is a (free) Windows NT program to dump the event log in a format suitable for importing into a database. It is similar to the DUMPEL utility in the NT resource kit, but without some of the limitations. DumpEvt has been updated to allow dumping the new Windows 2000 event logs (DNS, File Replication, and Directory Service).
Dumpreg - Dump Windows Registry
SomarSoft's DumpReg is a (free) program for Windows NT and Windows 95 that dumps the registry, making it easy to find keys and values containing a string. For Windows NT, the registry entries can be sorted by reverse order of last modified time, making it easy to see changes made by recently installed software, for example. It is a must-have product for Windows NT systems administrators.
Dumpsec - Dump Windows ACL and Audit settings
SomarSoft's DumpSec is a (free) security auditing program for Microsoft Windows NT/2000. It dumps the permissions (DACLs) and audit settings (SACLs) for the file system, registry, printers and shares in a concise, readable format, so that holes in system security are readily apparent. DumpSec also dumps user, group and replication information. DumpSec is a must-have product for Windows NT systems administrators and computer security auditors.
Fstat
The fstat command lists open files on a system, so it can be used to identify any unexpected log files, for example those written by packet sniffers.
Incident Handling / Forensics FAQ
A paper about doing forensic work on Windows systems.
Netcat
Netcat is a program to create network connections, TCP or UDP, to or from any port number. It is most commonly used with other commands as part of a script. In the security field it can be used to capture or originate flows of packets for network or traffic debugging. It can also be used for scanning networks for vulnerable servers, testing firewalls, building proxies, etc.
sockstat
The sockstat command lists open sockets on a system, so it can be used to identify any unexpected connections, for example those opened by packet sniffers.
Sysinternal suite
The SysInternals tools for Windows include utilities to examine Windows processes, files and ports. The site also includes a great deal of information on undocumented features of Windows operating systems. (Now owned by Microsoft.)