Command-Line General Purpose Tools | ||
---|---|---|
md5deep.exe | md5deep is a recursive utility to compute MD5, SHA-1, SHA-256, Tiger or Whirlpool message digests on an arbitrary number of files. Since it supports more than MD5, it is a better alternative to md5sum. (wiki) | download |
cmd.exe | the command-line shell for Win2K and WinNT; you should have a trusted version of this executable in your toolset - never run cmd.exe from the suspect machine since it may be infected; create a checksum and keep it with the file; to copy and paste, click on the Console icon in the upper left corner, select Properties, and enable Quick Edit Mode (left click to select, right click to store in the buffer, right click to paste) | C:\Windows\System32 |
netcat | netcat is an open source command-line network utility that provides features unsupported in FTP: the ability to find an open port, to connect on any port, and to connect via TCP or UDP. The link provided will take you to the Forensic Acquisition Utilities site. Netcat is included in the ZIP archive (scroll down to the link under Program Binaries). You will need to install all the utilities (which will also get you the Windows version of dd). | download (part of FAU) |
PsInfo | psinfo is a command-line utility from SysInternals that displays information about a Windows NT/2000 system such as kernel build, registered organization and owner, number of processors and type, amount of physical memory, and the install date of the system. This download also gets you PsKill, PsLoggedOn and PsList utilities. | download (part of PSTools) |
Strings v2.41 | a Sysinternals miscellaneous utility that searches for and displays UNICODE (or ASCII) strings in a binary file (this utility is not part of the PsTools package) | download |
PsKill v1.12 | a Sysinternals utility from PsTools that kills a process (this utility is part of the PsTools package, so it is already downloaded as long as you downloaded PsInfo above) | reference page (part of PSTools) |
Sdelete v1.51 | a Sysinternals disk utility that wipes a disk (this utility is not part of the PsTools package) | download |
Command-line Tools for Collecting Live Data | ||
---|---|---|
ipconfig | a utility that lists information associated with the IP protocol - IP address, MAC address, connection type, etc. | c:\windows\system32 |
diskpart | a command-line utility that gives you partition table information of all fixed disks; type 'help' at prompt | c:\windows\system32 |
chkdsk | a utility that checks the integrity of a file system and displays the size of a hard disk; DON'T use it with the /f flag; this information is useful when you later investigate the disk; a safer tool in XP is diskmgmt.msc | c:\windows\system32 |
systeminfo | displays information about the hardware and OS, including the service pack level | c:\windows\system32 |
diskmgmt.msc | (WinXP) displays partition and file system info about all disks (mounted or unmounted) - similar to fdisk.exe in earlier versions of Windows | c:\windows\system32 |
netstat | a utility that lists network connections over the IP protocol | c:\windows\system32 |
nbtstat | a utility that lists network connections over the NetBios protocol | c:\windows\system32 |
doskey | a utility that lists the command history for the cmd.exe shell | c:\windows\system32 |
fport v2.0 | a portmapper utility that lists all open ports that are listening for connections and their associated applications | download |
PsLoggedOn v1.33 | a Sysinternals utility from the PsTools package that lists all user connections to a system. You should have already downloaded PsTools from the PsInfo link above. | reference page (part of PSTools) |
PsList v1.28 | a Sysinternals utility from the PsTools package that lists all processes running on the system. You should have already downloaded PsTools from the PsInfo link above. | reference page (part of PSTools) |
Handle v3.41 | a Sysinternals process utility that lists all open files that are connected to a process (this utility is not part of the PsTools package) | download |
Tools for Dumping Volatile Memory | ||
---|---|---|
userdump.exe | The User Mode Process Dumper (userdump) dumps the memory image of any running Win32 process on the fly, without attaching a debugger or terminating the target process. | download |
MDD.exe | mdd is an open source bit-by-bit duplication utility that can be used to harvest up to 4GB of memory from a live system and dump it to a binary file; the file can later be analyzed with WinHex | download |
A checksum is an electronic fingerprint for a file based on a hash function. A simple checksum works as follows. Break the input binary stream into fixed-width words, padding the end as needed. Apply exclusive or (XOR) to all the words. The resulting string is the checksum. Example:

```
Original stream: 101100 100111 011000 000111

        101100 100111 011000 000111
XOR     100111 001011 101100 110100
        ====== ====== ====== ======
        001011 101100 110100 110011 <= checksum
```

Flipping a single bit, or any odd number of bits, in the original input stream will produce a different checksum. Flipping an even number of bits at random positions will also be detected. However, flipping the bit at the same position in two different words will produce the same checksum. Example:

```
        original   last 2-bits flipped    random 2-bits flipped
        101100     101101                 101000
XOR     100111     100110                 100110
        ======     ======                 ======
        001011     001011 <= undetected   001110 <= detected
```

Let n be the length of a word. Assuming errors are random and there is one error in the first word at position p, the probability that the second error falls at position p in the second word is 1/n. Thus the probability of an undetected two-bit error is 1/n.
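The word-XOR checksum described above, as an added example that is not from the original page: it assumes zero padding for the final word, adds a `flip` helper (an assumed name) to inject bit errors, and enumerates every two-bit error across two words to confirm that exactly 1/n of them go undetected. The sample stream is the two-word pair from the second example.

```python
# Added example (not from the original page): XOR checksum over fixed-width
# words, plus an exact count of the same-position two-bit errors it misses.
from itertools import product


def xor_checksum(bits: str, width: int) -> str:
    """XOR all `width`-bit words of a 0/1 string; the last word is zero-padded
    (padding value is an assumption; the text only says "padding as needed")."""
    if width <= 0 or any(c not in "01" for c in bits):
        raise ValueError("bits must be a string of 0/1 and width must be positive")
    bits += "0" * ((-len(bits)) % width)      # pad the end so the last word is full
    acc = 0
    for i in range(0, len(bits), width):
        acc ^= int(bits[i:i + width], 2)
    return format(acc, f"0{width}b")


def flip(bits: str, positions) -> str:
    """Return a copy of `bits` with the bits at the given offsets inverted."""
    out = list(bits)
    for p in positions:
        out[p] = "1" if out[p] == "0" else "0"
    return "".join(out)


def detected(bits: str, width: int, positions) -> bool:
    """True if flipping `positions` changes the checksum (the error is caught)."""
    return xor_checksum(bits, width) != xor_checksum(flip(bits, positions), width)


def undetected_two_bit_fraction(width: int) -> float:
    """Exact fraction of two-bit errors (one bit in each of two words) that the
    checksum misses. Only same-position pairs cancel: width / width**2 = 1/width."""
    stream = "0" * (2 * width)                # stream content is irrelevant to XOR cancellation
    misses = sum(not detected(stream, width, (p, width + q))
                 for p, q in product(range(width), repeat=2))
    return misses / (width * width)


if __name__ == "__main__":
    stream = "101100100111"                  # the two 6-bit words from the page's second example
    print(xor_checksum(stream, 6))           # 001011
    print(detected(stream, 6, (5, 11)))      # False: last bit of both words flipped
    print(detected(stream, 6, (3, 11)))      # True: the "random 2-bits" case
    print(undetected_two_bit_fraction(6))    # 1/6
```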
The XP Microsoft Management Console has a number of useful system utilities (.msc) in C:\windows\system32 that are started from the command line and leave a small footprint:

certmgr.msc, ciadv.msc, compmgmt.msc, devmgmt.msc, dfrg.msc, diskmgmt.msc, eventvwr.msc, fsmgmt.msc, gpedit.msc, lusrmgr.msc, ntmsmgr.msc, ntmsoprq.msc, perfmon.msc, rsop.msc, secpol.msc, services.msc, wmimgmt.msc

A forensic workstation is a computer located in a trusted environment containing the software and hardware tools necessary to read and gather evidence from forensic copies.
Netcat (nc) is a GNU network utility that reads and writes across network connections over TCP/IP. The official netcat for Unix homepage is at SourceForge and netcat for Windows is at Security Focus (Symantec). Some antivirus software (e.g. Symantec) detects netcat as a Hack Tool and deletes it.

A Private Area Network (PAN) is a network that uses IP addresses from the RFC 1918 address space. The choices are:

- 10.0.0.0 - 10.255.255.255
- 172.16.0.0 - 172.31.255.255
- 192.168.0.0 - 192.168.255.255

Machines inside a PAN require a NAT (network address translation) device to communicate with the outside Internet.
NAT (Network Address Translation) is an Internet standard (RFC 1631) that enables a local-area network (LAN) to use one set of IP addresses for internal traffic and a second set of addresses for external traffic. A NAT router on the internal LAN makes all necessary IP address translations to the outside Internet. The internal addresses are private IP addresses established by RFC 1918. NAT provides a type of firewall by hiding internal IP addresses and also enables a single IP address to serve multiple machines (this helps since there are not enough IP addresses to go around).