Analysing evidence
Assuria Auditor
Assuria Auditor provides deep configuration and vulnerability scanning, inventory reporting, compliance assessment and powerful change detection through an extensible and flexible architecture. It provides vital information assurance and protection for critical business servers and helps maintain systems in a secure ‘known state’. Assuria Auditor utilises a comprehensive built-in Knowledge Base of known security vulnerabilities, security control configurations, up-to-date patch checks and security best practice information to enable organisations to easily bring their IT infrastructures, especially servers, up to high standards of security. Internal IT security knowledge or experience is not necessary, because the built-in Assuria Auditor knowledge base includes not only the thousands of individual checks for a wide range of operating platforms, but also explanations of the implications of each vulnerability and step-by-step instructions on remediation.
Assuria Log Manager (ALM)
ALM is a CESG CCTM Accredited Forensic Log Management and SIM/SIEM solution used by government agencies, major commercial organisations, local government departments and IT service providers to deliver IT security intelligence and complete visibility into system activity. ALM provides automated collection and management of audit logs from across the whole enterprise, as well as security event analysis, alerting and reporting. ALM is fully scalable to meet the needs of organisations from SMEs right through to major global enterprises. ALM is designed to automate the management of logs from almost any IP-based system or device, including MS Windows, Unix and Linux servers, workstations, databases, applications, network devices, firewalls, routers, physical access control systems and much more.
Encase
Encase is a commercial evidence gathering and analysis tool, which performs all stages from imaging disks through investigation to preparing a final report. Once a disk has been imaged, Encase can be used to search the image, including deleted files and free space, using built-in search tools or a macro language. Encase is commonly run on a dedicated forensic workstation; typical configurations are a desktop PC with 50Gb of hard disk, a DDS-4 tape drive and a CD writer, or a laptop PC with 20Gb of hard disk for work outside the office. The website includes examples of the use of the package.
Norman sandbox
Today new viruses are spreading faster and faster as they continue to exploit vulnerabilities found in popular applications. Traditional signature-based antivirus tools are insufficient in the fight against these emerging threats. Norman SandBox Technology is a proactive solution designed to protect against new and unknown viruses.
TC Console
TC Console is a web-based user interface that improves the user's visibility of malicious activity on an organization's network. The data displayed is collected from Team Cymru's various sources around the world and pertains to each specific user's own network. The tool also provides a historical summary of malicious activity on the user's network, as well as a quantitative summary of data traffic on that network. It also enables collaboration among organizations so that users may provide each other with additional data beyond what is already presented to them by Team Cymru. The product is specifically for those responsible for network security involving routable IP space with corresponding autonomous system numbers, that is, those who can take action based on the insight it provides. TC Console is offered as a community effort. The richness and value of the data is made possible by contributions from the community in order to ultimately benefit the community. Therefore, those wishing to enjoy the benefits of TC Console should expect to contribute to further enhance the service.
tcpdump
tcpdump is a tool to dump traffic on a network. It prints out the headers of packets on a network interface. Packets can be selected according to a boolean expression.
Team Cymru IP to ASN Mapping Service
Team Cymru provides various service options dedicated to mapping IP numbers to BGP prefixes and ASNs. These services come in various flavors, including Whois (TCP 43), DNS (UDP 53), HTTP (TCP 80) and HTTPS (TCP 443). Each of the services is based on the same BGP feeds from 50+ BGP peers, and is updated at 4 hour intervals. Using the above services one can obtain all of the following information: BGP Origin ASN, BGP Peer ASN, BGP Prefix, Prefix Country Code (assigned), Prefix Registry (assigned), Prefix Allocation date, ASN Country Code (assigned), ASN Registry (assigned), ASN Allocation date and ASN Description. The country code, registry, and allocation date are all based on data obtained directly from the regional registries, including ARIN, RIPE, AFRINIC, APNIC and LACNIC.
The Coroner's Toolkit (TCT)
TCT is a collection of programs by Wietse Venema and Dan Farmer that can be used for a post-mortem analysis of a Unix system after a break-in. The website includes handouts from a tutorial session, as well as examples of use of the tools in practical situations.
WinMHR (beta)
WinMHR (Malware Hash Registry) is a tool from Team Cymru, a registered not-for-profit. It integrates with your Windows PC and uses Team Cymru's Malware Hash Registry to quickly find malicious files residing or running on your computer.