Supportive tools
ARP - Address resolution protocol
The Address Resolution Protocol is used by computers to translate IP addresses of machines on the local network segment into Ethernet addresses. Most operating systems maintain a cache of this information, and the arp command can be used to print out the current contents of this cache. Given knowledge of how the particular operating system manages its ARP cache, this can give information about which other network hosts the machine has been communicating with.
Assuria Auditor
Assuria Auditor provides deep configuration and vulnerability scanning, inventory reporting, compliance assessment and powerful change detection through an extensible and flexible architecture. It provides vital information assurance and protection for critical business servers and helps maintain systems in a secure ‘known state’. Assuria Auditor utilises a comprehensive built-in Knowledge Base of known security vulnerabilities, security control configurations, up-to-date patch checks and security best practice information to enable organisations to easily bring their IT infrastructures, especially servers, up to high standards of security. Internal IT security knowledge or experience is not necessary, because the built-in Assuria Auditor knowledge base includes not only thousands of individual checks for a wide range of operating platforms, but also explanations of the implications of each vulnerability and step-by-step instructions on remediation.
Assuria Log Manager (ALM)
ALM is a CESG CCTM Accredited Forensic Log Management and SIM/SIEM solution used by government agencies, major commercial organisations, local government departments and IT service providers to deliver IT security intelligence and complete visibility into system activity. ALM provides automated collection and management of audit logs from across the whole enterprise, as well as security event analysis, alerting and reporting. ALM is fully scalable to meet the needs of organisations from SMEs right through to major global enterprises. ALM is designed to automate the management of logs from almost any IP-based system or device, including MS Windows, Unix and Linux servers, workstations, databases, applications, network devices, firewalls, routers, physical access control systems and much more.
awk / gawk
AWK is a text processing utility that can be used for extracting and analysing information from log files. Various implementations exist for both Unix and Windows platforms.
Bogon Reference
A bogon prefix is a route that should never appear in the Internet routing table. A packet routed over the public Internet (not including over VPNs or other tunnels) should never have a source address in a bogon range. These are commonly found as the source addresses of DDoS attacks. We have attempted to make the task of maintaining bogon filters simpler for network operators by providing a wide range of formats and methods through which you can receive this data, which are all updated on the same interval, and based on the authoritative sources of the data (the relevant RFCs, the IANA IPv4 allocation list, and RIR data). Changes in all of these sources are constantly monitored and quickly reflected within the documents we provide. Bogon tracking and alerting is currently available through HTTP, BGP Peering, Routing Registries (RADb and RIPE NCC) and DNS.
DD - Raw data copier
The dd command can be used to make binary copies of computer media. It can therefore be used as a simple disk imaging tool if given a raw disk device as its input. Note that command line parameters can cause the output not to be an exact binary copy of the input, so these should be used, and documented, with care.
Find
The find command is built into many versions of Unix, but is also available as part of the GNU binutils package for both Unix and Windows. Find can be used to search through a directory tree looking for files that have particular names, permissions, or almost any other combination of attributes. Find can execute commands on each matching file: note that this can be a very powerful and destructive option, so find commands should be developed with care.
grep
The Unix grep command searches text files for patterns matching regular expressions. Grep is typically used to extract interesting information from log files. Grep is a built-in command on many Unix systems, and an open source version is available as part of the GNU project. Versions of grep for Windows also exist.
ifconfig
The ifconfig command is used to report the state of network interfaces on Unix systems. Its most common use in investigating incidents is to check for interfaces that are running in promiscuous mode; this may indicate that a network sniffer program has been running on the interface.
ls
The Unix ls command is used to list files and directories on a filesystem. It can be used to check for files that may have been installed by intruders during the course of an incident.