Archive for March, 2014

Cyber Forensics Tools

2014-03-31

The following is a list of tools I’ve put together for use with cyber forensics.

  1. Wireshark
    • Description: Wireshark is the world’s foremost network protocol analyzer. It lets you see what’s happening on your network at a microscopic level. It is the de facto (and often de jure) standard across many industries and educational institutions.
    • Review: Wireshark is the Swiss Army knife of network capturing and analysis. You can specify capture filter rules so that only the packets you're interested in are stored, which cuts down the size of the capture and the number of packets you need to analyze. It also has a good layout, a lot of features, and the ability to write your own plugins for analyzing captured packets.
    • Usage: It's difficult to define a set way to use Wireshark, as there are week-long courses on using it alone. The basics are to pick which interface you want to capture packets on, then apply filters, for example a specific source IP with ip.src==
    • Source URL: Wireshark Home
  2. Notepad++/vim
    • Description: A simple text editor/viewer with plugin support.
    • Review: I prefer vim when in Linux, as my vim setup with its plugins is convenient for me to work with. Vundle is a key plugin that manages all my other ones. On Windows, Notepad++ is the best text editor, as it supports regex in the search feature.
    • Usage: vim [FILE]; Ctrl+O to open a file in Notepad++
    • Source URL: Notepad++ Home
  3. sha1sum or hashcheck
    • Description: A utility to calculate the SHA-1 hash of a file.
    • Review: sha1sum is the Linux command-line tool, which is great when you're SSHed into a system. If you need a hashing program on Windows, check out HashCheck for calculating different hashes of a file.
    • Usage: sha1sum [FILE]; with HashCheck you right-click the file and view its properties, where a tab labeled Checksums generates the hashes of that file.
    • Source URL: HashCheck Home (Windows); sha1sum is included by default on most Linux distros.
  4. NetworkMiner
    • Description: NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows (but also works in Linux / Mac OS X / FreeBSD). NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files. NetworkMiner collects data (such as forensic evidence) about hosts on the network rather than data regarding the traffic on the network. The main user interface view is host centric (information grouped per host) rather than packet centric (information shown as a list of packets/frames).
    • Review: NetworkMiner is a little different from Wireshark, as its main focus is on forensic analysis; by default it processes the captured packets into key data shown in tabs such as Credentials, Sessions, DNS, Keywords and others.
    • Usage: Start NetworkMiner and either import a pcap file or have it capture live data from an interface.
    • Source URL: NetworkMiner Home
  5. ncat
    • Description: Ncat is a feature-packed networking utility which reads and writes data across networks from the command line.
    • Review: This is a great way to record output text from the command line without altering the disk of the system under investigation. You can pipe the output to ncat and it will write to a file on a remote system.
    • Usage: On the remote (collecting) system: ncat -v -l -k -p [PORT] >> data_capture_file.txt
      On the investigating system: [COMMAND] | nc [IP] [PORT]
    • Source URL: Ncat Home
  6. sysinternals
    • Description: A suite of advanced system utilities and technical information for Windows. It helps you manage, troubleshoot and diagnose your Windows systems and applications.
    • Review: This is a suite of programs for Windows. Key applications are PsExec, which lets you run commands on a remote system, and Autoruns, which has comprehensive knowledge of the locations from which applications can start up.
    • Usage: psexec \\computer -u user cmd [arguments]
    • Source URL: Sysinternals Home
  7. unxutils
    • Description: Ports of common GNU utilities to native Win32. Native means the executables only depend on the Microsoft C runtime (msvcrt.dll) and not on an emulation layer like Cygwin.
    • Review: This is great when you can't install Cygwin and want Linux functionality with many common commands.
    • Usage: Most common Linux commands you could think of are included in this package.
    • Source URL: Unxutils Home
  8. snort
    • Description: Snort is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire, combining the benefits of signature-, protocol-, and anomaly-based inspection.
    • Review: A great open source IDS/IPS that is easily customized. It supports multiple detection methods to help limit false positives, and it can also process capture files and output statistics on the packets as well as any known attack methods captured.
    • Usage: snort -r file.tcpd
    • Source URL: Snort Home
  9. argus
    • Description: A network Audit Record Generation and Utilization System. The Argus Project is focused on developing all aspects of large-scale network activity audit. Argus itself is next-generation network flow technology, going from packets on the wire to advanced network flow data, to network forensics data, all in support of Network Operations, Performance and Security Management.
    • Review: Another tool to process pcap files into analytic data. It outputs an argus file, which then needs to be processed by ra to read the data in a standard format.
    • Usage: argus -r file.tcpd -w file.argus; ra -r file.argus
    • Source URL: Argus Home
  10. tcpstat
    • Description: Tcpstat reports certain network interface statistics much like vmstat does for system statistics. tcpstat gets its information by either monitoring a specific interface, or by reading previously saved tcpdump data from a file.
    • Review: Another way to read pcap files created by tcpdump; its output shows more statistical data on the packets captured.
    • Usage: tcpstat file.tcpd
    • Source URL: TCPstat Home
  11. tcptrace
    • Description: tcptrace can produce several different types of output containing information on each connection seen, such as elapsed time, bytes and segments sent and received, retransmissions, round trip times, window advertisements, throughput, and more. It can also produce a number of graphs for further analysis.
    • Review: A nice way to show each session that was captured and the number of packets each session sent. There are many other options for how to display the packets.
    • Usage: tcptrace -n -r file.tcpd
    • Source URL: TCPtrace Home
  12. tcpflow
    • Description: tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis and debugging. Each TCP flow is stored in its own file. Thus, the typical TCP flow will be stored in two files, one for each direction. tcpflow can also process stored ‘tcpdump’ packet flows.
    • Review: tcpflow can pull out specific sessions and save each session in its own file. A session could be defined by a specific port or host in a pcap file, or by other attributes of a packet.
    • Usage: tcpflow -r file.tcpd [port|host]
    • Source URL: TCPflow Home
  13. autopsy
    • Description: Autopsy is a digital forensics platform and graphical interface to The Sleuth Kit and other digital forensics tools. It can be used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera's memory card.
    • Review: As a free digital forensics platform it's great, and the ability to carve data files out of a captured image worked relatively well. It also keeps records when you create a case. I was unable to determine how the hashes were being generated on specific files within a system. If I extracted the data and ran sha1sum on the raw data, the hash was different than Autopsy reported.
    • Usage: It's a browser-based forensic platform: create a new case and load the image in; you can then navigate around the image looking at the file system.
    • Source URL: Autopsy Home
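The hashing items above (sha1sum/HashCheck in item 3, and the sha1sum-versus-Autopsy comparison in item 13) boil down to one habit: hash evidence once at acquisition, write the digests to a manifest, and recompute later to prove nothing changed. The following Python is an added example, not code from the blog or from any of the listed tools; hash_file, write_manifest and verify_manifest are hypothetical helper names, and the manifest uses the same `<digest>  <path>` layout that sha1sum prints so `sha1sum -c` can read it too.

```python
"""Evidence hashing and manifest verification, in the spirit of sha1sum / HashCheck.

Added example; hash_file, write_manifest and verify_manifest are hypothetical helper
names, not part of any tool listed on the page.
"""
import hashlib
import os
import tempfile


def hash_bytes(data, algorithm="sha1"):
    """Hex digest of an in-memory byte string (sha1 by default; sha256/md5 also accepted)."""
    return hashlib.new(algorithm, data).hexdigest()


def hash_file(path, algorithm="sha1", chunk_size=1 << 20):
    """Stream a file through the digest so a multi-GB disk image never has to fit in RAM."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(paths, manifest_path, algorithm="sha1"):
    """Write '<hexdigest>  <path>' lines, the layout sha1sum prints, so `sha1sum -c` can read it."""
    with open(manifest_path, "w") as out:
        for path in paths:
            out.write(f"{hash_file(path, algorithm)}  {path}\n")


def verify_manifest(manifest_path, algorithm="sha1"):
    """Recompute every hash in the manifest; return {path: 'OK' | 'FAILED' | 'MISSING'}."""
    results = {}
    with open(manifest_path) as f:
        for line in f:
            line = line.rstrip("\n")
            if not line:
                continue
            expected, path = line.split("  ", 1)
            if not os.path.exists(path):
                results[path] = "MISSING"
            elif hash_file(path, algorithm) == expected:
                results[path] = "OK"
            else:
                results[path] = "FAILED"
    return results


def demo():
    """Constructed sample: two small 'evidence' files; one is modified after the manifest is written.
    Returns (results_before, results_after) keyed by file name."""
    with tempfile.TemporaryDirectory() as workdir:
        a = os.path.join(workdir, "evidence_a.bin")
        b = os.path.join(workdir, "evidence_b.bin")
        with open(a, "wb") as f:
            f.write(b"hello")                        # constructed content
        with open(b, "wb") as f:
            f.write(b"constructed sample data\n")    # constructed content
        manifest = os.path.join(workdir, "MANIFEST.sha1")
        write_manifest([a, b], manifest)
        before = verify_manifest(manifest)
        with open(b, "ab") as f:
            f.write(b"!")                            # simulate a post-acquisition change
        after = verify_manifest(manifest)
        strip = lambda r: {os.path.basename(k): v for k, v in r.items()}
        return strip(before), strip(after)


if __name__ == "__main__":
    print(demo())
```

Running the demo reports both files as OK right after the manifest is written and evidence_b.bin as FAILED after the single appended byte. The same `hash_file` call, run over the raw bytes you extract from an image, is the check the Autopsy review describes: if your digest and the tool's disagree, you at least know which bytes you hashed.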
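The ncat usage in item 5 is a two-party exchange: a collector that listens and appends every incoming stream to a file (`ncat -l -k -p PORT >> file`), and the investigated host piping command output into a client (`COMMAND | nc IP PORT`) so nothing is written to its own disk. The Python below is an added example that re-implements that exchange on localhost so both sides can be seen in one place; it is not part of Ncat, and start_collector / send_output are hypothetical names. The sender waits for the collector to close the connection, which the collector only does after the file write has completed, so a returned send means the output is on the collector's disk.

```python
"""A tiny stand-in for `ncat -l -k -p PORT >> file` plus the `COMMAND | nc IP PORT` sender.

Added example; start_collector and send_output are hypothetical helper names, not part of Ncat.
"""
import hashlib
import os
import socket
import tempfile
import threading


def start_collector(out_path, host="127.0.0.1"):
    """Accept connections repeatedly (ncat's -k) and append each stream to out_path.
    Returns (port, stop_fn); binding port 0 lets the OS choose a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    srv.settimeout(0.2)  # lets the accept loop notice the stop flag
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _peer = srv.accept()
            except socket.timeout:
                continue
            # Exit order of the 'with' is reversed: the file is closed (flushed) before
            # conn is closed, so a sender that waits for our close knows the data is on disk.
            with conn, open(out_path, "ab") as out:
                while True:
                    chunk = conn.recv(65536)
                    if not chunk:          # sender did shutdown(SHUT_WR): stream complete
                        break
                    out.write(chunk)
        srv.close()

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    port = srv.getsockname()[1]

    def stop_fn():
        stop.set()
        worker.join()

    return port, stop_fn


def send_output(port, data, host="127.0.0.1"):
    """Investigating side: ship bytes (a command's stdout) and wait until the collector
    has closed the connection, i.e. until the append has completed."""
    with socket.create_connection((host, port)) as s:
        s.sendall(data)
        s.shutdown(socket.SHUT_WR)
        while s.recv(4096):
            pass


def demo():
    """Constructed sample: two 'command outputs' sent over separate connections.
    Returns (captured_bytes, sha1_of_capture) so the log itself can go into a hash manifest."""
    with tempfile.TemporaryDirectory() as workdir:
        log = os.path.join(workdir, "data_capture_file.txt")
        port, stop = start_collector(log)
        try:
            send_output(port, b"$ ps -ef\nroot 1 0 /sbin/init\n")        # constructed output
            send_output(port, b"$ ss -ltn\nLISTEN 0 128 0.0.0.0:22\n")   # constructed output
        finally:
            stop()
        with open(log, "rb") as f:
            captured = f.read()
    return captured, hashlib.sha1(captured).hexdigest()


if __name__ == "__main__":
    print(demo())
```

Two details worth keeping when doing this for real: record the digest of the capture file as soon as the collection ends, and prefer the `-k` keep-open form on the collector so each command's output arrives on its own connection and the file stays append-only.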
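Items 10 to 12 (tcpstat, tcptrace, tcpflow) all start from the same step: walk the records of a tcpdump/pcap file, pick out the IPv4/TCP packets, and group them into sessions with per-direction statistics and payload. The Python below is an added example of that core, not code from any of those tools; it constructs a four-frame capture inline (RFC 5737 documentation addresses, an HTTP request/response, an SSH banner, and an ARP frame the TCP grouping must skip) and parse_pcap / tcp_flows are hypothetical names. It goes slightly beyond the page by handling both pcap byte orders via the magic number; checksums are left zero because nothing here verifies them.

```python
"""Minimal pcap reader that groups TCP packets into bidirectional flows with per-direction
payload, i.e. the core of what tcpflow / tcptrace / tcpstat do over a tcpdump capture.

Added example; build_* helpers construct a sample capture inline, and parse_pcap / tcp_flows
are hypothetical names, not APIs of any tool on the page. Linktype 1 (Ethernet) only.
"""
import socket
import struct


def ipv4_tcp_frame(src_ip, sport, dst_ip, dport, payload, flags=0x18):
    """Ethernet + IPv4 (20-byte header) + TCP (20-byte header) + payload, network byte order."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + tcp


def build_pcap(frames, linktype=1):
    """Little-endian pcap: 24-byte global header, then a 16-byte record header per frame."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(frame), len(frame)) + frame
    return bytes(out)


def parse_pcap(data):
    """Yield (ts_sec, frame) records; the magic number tells us the writer's byte order."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a pcap file (bad magic number)")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != 1:
        raise ValueError("only Ethernet (linktype 1) is handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated record at offset %d" % off)
        off += incl_len
        yield ts_sec, frame


def tcp_flows(data):
    """Group TCP packets by the unordered endpoint pair (a 'session' in tcpflow's sense).
    Each flow records packet/byte counts and the concatenated payload in each direction,
    mirroring tcpflow's two output files per connection (capture order, no retransmit handling)."""
    flows = {}
    for _ts, frame in parse_pcap(data):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                   # not IPv4 (e.g. ARP): skip
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6:
            continue                                   # not TCP
        total_len = struct.unpack("!H", frame[16:18])[0]
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        tcp_off = 14 + ihl
        if len(frame) < tcp_off + 20:
            continue                                   # malformed / truncated segment
        sport, dport = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
        data_off = (frame[tcp_off + 12] >> 4) * 4
        payload = frame[tcp_off + data_off:14 + total_len]   # 14 + total_len ignores Ethernet padding
        a, b = (src, sport), (dst, dport)
        key = (a, b) if a <= b else (b, a)
        direction = "forward" if key == (a, b) else "reverse"
        flow = flows.setdefault(key, {"packets": 0, "bytes": 0, "forward": b"", "reverse": b""})
        flow["packets"] += 1
        flow["bytes"] += len(frame)
        flow[direction] += payload
    return flows


# Constructed sample capture (RFC 5737 documentation addresses): one HTTP exchange,
# one SSH banner, and an ARP frame that the TCP grouping must ignore.
SAMPLE_FRAMES = [
    ipv4_tcp_frame("192.0.2.10", 40000, "198.51.100.20", 80,
                   b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ipv4_tcp_frame("198.51.100.20", 80, "192.0.2.10", 40000, b"HTTP/1.1 200 OK\r\n\r\n"),
    b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x06" + b"\x00" * 28,
    ipv4_tcp_frame("192.0.2.10", 40001, "192.0.2.77", 22, b"SSH-2.0-OpenSSH_6.6\r\n"),
]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)

if __name__ == "__main__":
    for (ep_a, ep_b), flow in tcp_flows(SAMPLE_PCAP).items():
        print(ep_a, "<->", ep_b, flow["packets"], "pkts", flow["bytes"], "bytes")
```

The per-flow dictionary is the shape tcptrace's connection table and tcpflow's per-direction files reduce to; tcpstat's interval counters are the same walk with timestamps binned instead of endpoints. Anything a real capture adds (VLAN tags, IPv6, retransmissions, out-of-order segments) is exactly what those tools handle and this sketch deliberately does not.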