Investigating evidence
AbuseHelper
AbuseHelper is a toolkit for CERT and abuse-handling teams: a modular, (hopefully) scalable and robust framework to support abuse handling. With AbuseHelper you can retrieve abuse-handling related information from several sources, aggregate it by keys such as AS numbers or country codes, and send out reports in different formats, via different transports and on different schedules.
APNIC - Asia Pacific Network Information Centre
The Asia Pacific Network Information Centre issues IP addresses and Autonomous System (AS) Numbers in that geographic region. Its web site provides a searchable Whois database which can be queried to trace the ownership of IP address ranges. The whois server can also be queried directly using the whois protocol to whois.apnic.net.
ARIN - American Registry for Internet Numbers
The American Registry for Internet Numbers issues IP addresses and Autonomous System (AS) Numbers for North America and parts of the Caribbean. Older descriptions, including this one, also list South America and sub-Saharan Africa; those regions are now served by LACNIC and AFRINIC respectively, and ARIN's whois refers queries for such addresses to the responsible registry. Its web site provides a searchable Whois database which can be queried to trace the ownership of IP address ranges. The whois server can also be queried directly using the whois protocol to whois.arin.net.
Assuria Auditor
Assuria Auditor provides deep configuration and vulnerability scanning, inventory reporting, compliance assessment and change detection through an extensible and flexible architecture. It provides information assurance and protection for critical business servers and helps maintain systems in a secure ‘known state’. Assuria Auditor utilises a comprehensive built-in knowledge base of known security vulnerabilities, security control configurations, up-to-date patch checks and security best practice information to enable organisations to bring their IT infrastructures, especially servers, up to a high standard of security. Internal IT security knowledge or experience is not necessary, because the built-in knowledge base includes not only thousands of individual checks for a wide range of operating platforms, but also explanations of the implications of each vulnerability and step-by-step instructions for remediation.
Assuria Log Manager (ALM)
ALM is a CESG CCTM accredited forensic log management and SIM/SIEM solution used by government agencies, major commercial organisations, local government departments and IT service providers to deliver IT security intelligence and visibility into system activity. ALM provides automated collection and management of audit logs from across the whole enterprise, as well as security event analysis, alerting and reporting. ALM is scalable from SMEs through to major global enterprises. It is designed to automate the management of logs from almost any IP-based system or device, including MS Windows, Unix and Linux servers, workstations, databases, applications, network devices, firewalls, routers, physical access control systems and much more.
BGP Ranking
BGP Ranking is free software and a free service that calculates a security ranking for Internet Service Providers, identified by their Autonomous System Number (ASN).
Dig - DNS query tool
The dig command queries DNS records directly, optionally against a name server of your choosing, as an alternative to nslookup. For evidence work this includes reverse (PTR) lookups that map an IP address found in a log back to a host name, and querying the authoritative server rather than a cache so the answer reflects the zone as currently published.
Encase
Encase is a commercial evidence gathering and analysis tool, which covers all stages from imaging disks through investigation to preparing a final report. Once a disk has been imaged, Encase can be used to search the image, including deleted files and free space, using built-in search tools or a macro language. Encase is commonly run on a dedicated forensic workstation. Typical configurations are:
Desktop PC with 50 GB of hard disk, DDS-4 tape drive and CD writer
Laptop PC with 20 GB of hard disk, for work outside the office
The website includes examples of the use of the package.
Host - information about Internet hosts
The host command performs forward and reverse DNS lookups, collecting address and naming information about Internet hosts; it is a simpler alternative to dig for quick checks during an investigation.
InterNIC
InterNIC provides a searchable Whois database which can be queried to trace the registrant of a domain name. The database covers most of the generic top level domains, such as .com, .edu etc. It holds domain registrations rather than IP address ranges; for the ownership of an IP address, query the regional registries above.
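The registry lookups described above (APNIC, ARIN and InterNIC all answer the whois protocol on TCP port 43), together with the reverse-lookup name that dig and host query, as an added worked example in Python. This code is not part of the original page and is not the code of any registry; it assumes that an ARIN reply may carry a ReferralServer line naming the registry actually responsible for the address, and the whois replies embedded in it are constructed samples built from documentation prefixes and the documentation ASN 64496, served through a fake resolver so that the block runs offline. Run it with an IP address as its argument to query the real registries instead.

```python
# Added example, not code from the page or from any registry. It speaks plain
# whois (TCP 43, one CRLF-terminated query, server closes after replying),
# parses APNIC/RIPE (lowercase keys) and ARIN (CamelCase keys) replies, follows
# ARIN's ReferralServer hint, and checks the returned range covers the address.
# The sample replies below are constructed (documentation prefixes, ASN 64496).
import ipaddress
import socket
from urllib.parse import urlparse

WHOIS_PORT = 43

# Normalised reply key -> result field (covers both RIR reply styles).
FIELD_MAP = {
    "inetnum": "range", "netrange": "range",
    "netname": "netname", "country": "country",
    "origin": "origin", "originas": "origin",
    "abuse-mailbox": "abuse", "orgabuseemail": "abuse",
    "referralserver": "referral",
}

def whois_query(server, query, timeout=10.0):
    """Send one whois query to `server`; the reply is everything until EOF."""
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as s:
        s.sendall(query.encode("ascii") + b"\r\n")
        return s.makefile("rb").read().decode("utf-8", errors="replace")

def parse_rir_reply(text):
    """Pick investigator-relevant fields from a reply. First occurrence wins,
    because registries print the most specific object first."""
    result = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip()[0] in "%#" or ":" not in line:
            continue                # blank or comment ('%' APNIC/RIPE, '#' ARIN)
        key, _, value = line.partition(":")
        field = FIELD_MAP.get(key.strip().lower())
        if field and value.strip() and field not in result:
            result[field] = value.strip()
    if "referral" in result:        # ARIN writes e.g. whois://whois.apnic.net
        result["referral"] = urlparse(result["referral"]).hostname or result["referral"]
    return result

def range_contains(range_text, ip):
    """True if `range_text` ('a - b' or CIDR) covers `ip`. Registries answer
    with the enclosing object when nothing more specific exists, so check."""
    addr = ipaddress.ip_address(ip)
    if "-" in range_text:
        low, high = (ipaddress.ip_address(p.strip()) for p in range_text.split("-", 1))
        return low <= addr <= high
    return addr in ipaddress.ip_network(range_text.strip(), strict=False)

def lookup(ip, start="whois.arin.net", query_fn=whois_query, max_hops=3):
    """Query `start`, follow referrals to the responsible RIR, return the fields.
    `query_fn` is injectable so the logic can be exercised offline."""
    server, seen = start, set()
    for _ in range(max_hops):
        seen.add(server)
        fields = parse_rir_reply(query_fn(server, ip))
        nxt = fields.get("referral")
        if not nxt or nxt in seen:
            fields["server"] = server
            fields["covers_ip"] = "range" in fields and range_contains(fields["range"], ip)
            return fields
        server = nxt
    raise RuntimeError(f"too many whois referrals for {ip}")

def ptr_name(ip):
    """The name a reverse lookup (dig -x / host) asks for, built from the IP."""
    return ipaddress.ip_address(ip).reverse_pointer

# Constructed sample replies (not real registry data).
SAMPLE_ARIN = """\
# ARIN WHOIS data and services are subject to the Terms of Use
NetRange:       203.0.0.0 - 203.255.255.255
NetName:        APNIC-CIDR-BLK
Country:        AU
ReferralServer: whois://whois.apnic.net
"""
SAMPLE_APNIC = """\
% [whois.apnic.net]
inetnum:        203.0.113.0 - 203.0.113.255
netname:        EXAMPLE-NET-AU
country:        AU
abuse-mailbox:  abuse@example.net

route:          203.0.113.0/24
origin:         AS64496
"""

def fake_query(server, query):
    """Offline stand-in for whois_query, serving the constructed samples."""
    return {"whois.arin.net": SAMPLE_ARIN, "whois.apnic.net": SAMPLE_APNIC}[server]

if __name__ == "__main__":
    import sys                          # pass an IP to query the real registries
    live = len(sys.argv) > 1
    target = sys.argv[1] if live else "203.0.113.5"
    fields = lookup(target, query_fn=whois_query if live else fake_query)
    print("\n".join(f"{k:9}: {v}" for k, v in [("ptr", ptr_name(target))] + list(fields.items())))
```

The `covers_ip` check matters in practice: a registry replies with the enclosing allocation, or the regional block itself, when it holds nothing more specific, so a netname in the answer is not by itself evidence that the organisation named controls the address you are investigating.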