Tool #1:
Name: Wireshark
Description: Wireshark is the world's foremost network
protocol analyzer. It lets you see what's happening on your network at a
microscopic level. It is the de facto (and often de jure) standard across many
industries and educational institutions.
Personal Review: Wireshark is one of the best tools I’ve
ever used for analyzing web traffic; it enables you to follow TCP traces,
individual packets, and the binary representation of the packets. It is well
organized and has a great depth of information.
Notes on usage: I used Wireshark to follow a TCP trace of an
IRC conversation, which provided me with information on what an attacker was
trying to execute on the system. Additionally, I used it to analyze packets and
traffic flow.
Source URL: www.wireshark.org
Local Source: N/A
Tool #2:
Name: NetworkMiner
Description: NetworkMiner is a Network Forensic Analysis
Tool (NFAT) for Windows (but also works in Linux / Mac OS X / FreeBSD).
NetworkMiner can be used as a passive network sniffer/packet capturing tool in
order to detect operating systems, sessions, hostnames, open ports etc. without
putting any traffic on the network. NetworkMiner can also parse PCAP files for
off-line analysis and to regenerate/reassemble transmitted files and
certificates from PCAP files.
Personal Review: I used NetworkMiner for the first time
this semester and was impressed with the interface. It divides different
functions into separate tabs so you can focus on specific functions depending
on what you are trying to accomplish.
Notes on usage: I really liked the session function of
NetworkMiner; it is a great visualization of flow and helps one get
information out of the data.
Source URL: http://www.netresec.com/?page=NetworkMiner
Local Source: N/A
Tool #3:
Name: VMware Workstation
Description: VMware Workstation is the most advanced
virtualization software for desktop and laptop computers. The VMware
Workstation 10 release further strengthens the product’s leadership in
providing the broadest, deepest OS support (including Windows 8.1),
best-in-class virtual machine architecture, the richest desktop user experience
and an unmatched set of value-added features to enhance the productivity of
technical professionals and the organizations they serve.
Personal Review: VMware Workstation is one of the best pieces of
software when it comes to virtualizing a machine. While there are many other
options, VMware Workstation has established itself as the best software
available. It provides many options with networking, snapshots, and user
experience, specifically with the Guest Addition add-ins. When working in a
sandbox there is no better option than VMware Workstation.
Notes on usage: I used VMware Workstation both to create my
own virtual machines and to import those that had already been created.
It is a terrific program.
Source URL: www.vmware.com
Local Source: N/A
Tool #4:
Name: Netstat
Description: Displays active TCP connections, ports on which
the computer is listening, Ethernet statistics, the IP routing table, IPv4
statistics (for the IP, ICMP, TCP, and UDP protocols), and IPv6 statistics (for
the IPv6, ICMPv6, TCP over IPv6, and UDP over IPv6 protocols). Used without
parameters, netstat displays active TCP connections.
Personal Review: I found netstat to be an incredibly useful
program that enabled me to see what was happening with my virtual machine’s
network communication. It is very useful when diagnosing a problem; it helped
me see when a program was calling home.
Notes on usage: I used the command line switches -an. “a”
shows all active TCP connections as well as the TCP and UDP ports on which the
computer is listening. “n” shows the TCP connections as well but doesn’t
attempt to resolve the IP addresses or port numbers.
Source URL: http://technet.microsoft.com/en-us/library/bb490947.aspx
Local Source: N/A
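As an added example (not part of the original post), the following Python script parses `netstat -an` output in the Windows layout and separates the listening ports that `-a` adds from established connections to non-local peers, which is the view used above to spot a program calling home. The sample output, including its remote addresses, is constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of "netstat -an" output (Windows layout); not a real capture.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49712     203.0.113.5:443        ESTABLISHED
  TCP    192.168.1.10:49720     203.0.113.5:443        ESTABLISHED
  TCP    192.168.1.10:49730     198.51.100.20:6667     ESTABLISHED
  TCP    127.0.0.1:49731        127.0.0.1:8080         ESTABLISHED
  UDP    0.0.0.0:5353           *:*
"""

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
# Address space that is the machine itself or its own LAN; anything else is "remote".
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

def split_addr(addr):
    """Split 'host:port' (or '[v6]:port') into (host, port); port is None for '*'."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)

def is_local(host):
    """True for wildcard, loopback, unspecified, link-local and private addresses."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:          # the '*' wildcard in UDP rows
        return True
    return any(ip in net for net in LOCAL_NETS)

def parse_netstat(text):
    """One dict per connection line; the banner and column header are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, local, foreign, state = m.groups()
            rows.append({"proto": proto, "local": split_addr(local),
                         "foreign": split_addr(foreign), "state": state})
    return rows

def listening_ports(rows):
    """Sorted (proto, port) pairs the host accepts traffic on (what -a adds)."""
    return sorted({(r["proto"], r["local"][1]) for r in rows
                   if r["state"] == "LISTENING" or r["proto"] == "UDP"})

def remote_peers(rows):
    """Count ESTABLISHED connections per non-local (host, port): the calling-home view."""
    return Counter(r["foreign"] for r in rows
                   if r["state"] == "ESTABLISHED" and not is_local(r["foreign"][0]))
```

Feed it the saved output of `netstat -an` and the peer counts show which outside hosts the machine keeps talking to, without any name resolution touching the network.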
Tool #5:
Name: sc
Description: Obtains and displays information about the
specified service, driver, type of service, or type of driver.
Personal Review: Using this command line application I was
able to see all the drivers listed on my computer. This was a great
visualization to help me understand what was communicating on my computer.
Notes on usage: I used the parameter “query” to list all the
services and drivers, which provided me with all the pertinent information
about what they are.
Source URL: http://technet.microsoft.com/en-us/library/dd228922.aspx
Local Source: N/A
Tool #6:
Name: netcat
Description: Ncat is a feature-packed networking utility
which reads and writes data across networks from the command line. Ncat was
written for the Nmap Project as a much-improved reimplementation of the
venerable Netcat. It uses both TCP and UDP for communication and is designed to
be a reliable back-end tool to instantly provide network connectivity to other
applications and users. Ncat will not only work with IPv4 and IPv6 but provides
the user with a virtually limitless number of potential uses.
Personal Review: Netcat was one of the most useful programs
I discovered during this semester; its biggest benefit to me was that I could
transfer information from one machine to another without modifying the contents
of my compromised machine. This is incredibly important in forensics because
any modified information compromises the integrity of the report.
Notes on usage: I used the command line switches “-l -v -k -p”.
The “l” parameter designates that netcat is in listening mode. “v” puts netcat
into verbose mode, which means it will print out messages on standard error.
“k” keeps the connection alive; otherwise it will terminate after one message
is sent. “p” designates the port it will be listening on.
Source URL: http://nmap.org/ncat/
Local Source: N/A
Tool #7:
Name: lsof
Description: Lsof lists information about files opened by
processes. An open file may be a regular file, a directory, a NFS file, a block
special file, a character special file, a shared library, a regular pipe, a
named pipe, a symbolic link, a socket stream, an Internet socket, a UNIX domain
socket, and many others.
Personal Review: It was very useful to see which files were
opened by processes, as it gave me an idea of what was going on with the
compromised machine. Lsof helps you narrow down which files on the system might
be compromised, no matter what file type they are.
Notes on usage: I used the parameter -n which enabled me to
see the network file systems.
Source URL: http://www.catonmat.net/blog/unix-utilities-lsof/
Local Source: N/A
Tool #8:
Name: ps
Description: ps gives a snapshot of the current processes.
If you want a repetitive update of this status, use top. This man page
documents the /proc-based version of ps, or tries to.
Personal Review: ps is one of my favorite commands in Linux;
it helps you understand what processes are running. This can be very useful if
you are trying to find a specific process ID: ps will list it for you so you
can accomplish whatever task you are looking for. Additionally, it shows you
underlying programs that might be running which you didn’t start, which
might be indicative of a compromised system.
Notes on usage: In order to get the most useful information
I like to use the command line parameter “-aux”. The “a” selects all the
processes on a terminal, even those in use by other users. “u” provides the
user’s ID. Lastly, “x” selects the processes without controlling ttys.
Source URL: http://linux.about.com/od/commands/l/blcmdl1_ps.htm
Local Source: N/A
Tool #9:
Name: snort
Description: Snort® is an open source network intrusion
prevention and detection system (IDS/IPS) developed by Sourcefire. Combining
the benefits of signature, protocol, and anomaly-based inspection, Snort is the
most widely deployed IDS/IPS technology worldwide. With millions of downloads
and nearly 400,000 registered users, Snort has become the de facto standard for
IPS.
Personal Review: Snort is one of the best Intrusion
Detection Systems available; it has a great free version and is easily
customizable. Using Snort you can analyze packets for known vulnerabilities, or
you can set up Snort rules to proactively warn you if something suspicious is
happening on your network. It’s awesome.
Notes on usage: I ran Snort on Kali Linux, which has all the
necessary repository dependencies so that you can install it using apt-get,
which is extremely easy, and it provides you with all the default rules, which
are very helpful. I was able to run a packet capture of suspicious traffic
through Snort and it gave me an idea of what the attacker might have been
trying to accomplish.
Source URL: https://www.snort.org/
Local Source: N/A
Tool #10:
Name: argus
Description: Argus provides a flow data generator, and a set
of supporting programs that provide the basic functions needed to create argus
flow data.
Personal Review: Argus was a good tool to transform my data
into other usable information so I could further my analysis.
Notes on usage: I used Argus in its default setting to
simply convert one file into another for a different kind of analysis.
Source URL: http://qosient.com/argus/
Local Source: N/A
Tool #11:
Name: Ra
Description: Ra is the principal client program that reads
argus data sources, either files or streams, and prints the contents to the
screen, or writes the data to a file or pipe.
Personal Review: Ra was very useful in interpreting the argus
data I converted so I could visualize the sessions from a specific piece of
traffic. It has a very specific use, but for what it does it’s great.
Notes on usage: Similar to Argus, it is a very straightforward
application that simply interprets data, but it’s great for visualizing
traffic.
Source URL: http://qosient.com/argus/ra.core.examples.shtml
Local Source: N/A
Tool #12:
Name: tcptrace
Description: tcptrace is a tool written by Shawn Ostermann
at Ohio University, for analysis of TCP dump files. It can take as input the
files produced by several popular packet-capture programs, including tcpdump,
snoop, etherpeek, HP Net Metrix, and WinDump. tcptrace can produce several
different types of output containing information on each connection seen, such
as elapsed time, bytes and segments sent and received, retransmissions, round
trip times, window advertisements, throughput, and more. It can also produce a
number of graphs for further analysis.
Personal Review: tcptrace was an awesome tool to analyze
tcpdump files, which are not very user friendly by default. I was impressed
with the ease of use.
Notes on usage: It has a great number of uses in interpreting
data from a variety of sources; make sure your packet-capturing program’s
output can be used with tcptrace.
Source URL: http://www.tcptrace.org/
Local Source: N/A
Tool #13:
Name: tcpflow
Description: tcpflow is a program that captures data transmitted
as part of TCP connections (flows), and stores the data in a way that is
convenient for protocol analysis and debugging. Each TCP flow is stored in its
own file. Thus, the typical TCP flow will be stored in two files, one for each
direction. tcpflow can also process stored 'tcpdump' packet flows.
Personal Review: Sessions are an occasionally overlooked
property of network analysis; however, they are incredibly useful for following
what an attacker is trying to accomplish. From these flows you can start to put
together the picture and understand what might have been compromised.
Notes on usage: tcpflow can divide a capture into separate
files, one per direction of each flow, and this can be very helpful to reduce
the noise when you are looking for specific traffic patterns.
Source URL: https://github.com/simsong/tcpflow
Local Source: N/A
Tool #14:
Name: Autopsy
Description: Autopsy® is a digital forensics platform and
graphical interface to The Sleuth Kit® and other digital forensics tools. It
can be used by law enforcement, military, and corporate examiners to
investigate what happened on a computer. You can even use it to recover photos
from your camera's memory card.
Personal Review: I really liked Autopsy; I used it in both
Linux and Windows this semester and had a slight preference towards Windows. I
found it very easy to set up on both machines; however, I liked that it was a
standalone application on Windows rather than being run through the web browser
on Linux.
Notes on usage: There are some limitations when it comes to
the ability to carve inside of the Windows application, but it didn’t affect
the outcome of my analysis, so I wouldn’t worry about it too much.
Source URL: http://www.sleuthkit.org/autopsy/
Local Source: N/A
Tool #15:
Name: md5sum
Description: md5sum is a command line application that
allows a user to check the hash of a file to ensure that it is an authentic,
unmodified copy.
Personal Review: I was pleased with the simplicity of
md5sum; it provided accurate hashes.
Notes on usage: Simply run the md5sum command and provide it
with the file you want to analyze. I used it in Linux, so my command was
“md5sum <file path>”.
Source URL: https://help.ubuntu.com/community/HowToMD5SUM
Local Source: N/A