B3 Common Tools Flashcards
tcpdump
Built into most Linux distros. Lightweight command-line packet capture; can be scripted.
Wireshark
Most popular, graphical. Can struggle with large captures, so the command-line tshark may be needed.
networkminer
Graphical, multi-platform. Focuses on network hosts rather than traffic.
Microsoft Message Analyzer
Used to troubleshoot network problems. Can capture, view and analyse network data; deciphers network protocols; can import log and trace files; can produce charts and timelines.
FTK Imager Lite
free
can image disks
can image memory
can image pagefile
Volatility
free
supports 32 and 64 bit systems
acquires and analyses live system memory
uses python
Memoryze
Mandiant’s
Memoryze is free memory forensics software that helps incident responders ‘find evil’ in live memory. Memoryze can acquire and/or analyze memory images, and on live systems, can include the paging file in its analysis.
It can image the full range of system memory; or a process’ entire address space, including any loaded DLLs, EXEs, heaps and stacks.
It can also enumerate all running processes and identify all drivers loaded in memory, even those hidden by rootkits, along with many other functions.
systeminfo
Windows command; the first one to run. Reports:
- operating system
- hardware
- network
net user
list all local user accounts on the system
net group
list groups on a server
ipconfig /all
network connections
netstat -aon
list active connections
Flags:
- -a displays all connections and listening ports
- -o displays the owning process ID
- -n displays addresses and port numbers in numerical form
- -f would display FQDNs, so it would query DNS. On an attacked system, can you trust that the TA (threat actor) does not own the DNS server?
tasklist
list the current processes
autoruns
Part of Sysinternals from Microsoft.
Shows programs, services and drivers that start up during system boot.
Can hide standard Windows processes to concentrate on third-party ones.
OpenedFilesView
Displays a list of files currently open on a system. Shows filename, file path, process name, file size and MAC times.