So, when you're doing incident response, some of the first information you're looking for is volatile information, such as running processes, network connections, etc. So, here are some tools:
- Tlist.exe (part of the debugging tools) - run it successively with the '-c', '-t', and '-s' switches
- cmdline.exe from DiamondCS - getting just the name of a process is next to useless...what you really want to get is the path to the executable image and the command line used to launch it
- Listdlls.exe from SysInternals - get the modules (i.e., DLLs) loaded by each process...may show you some DLLs that have hooked other processes
- handle.exe from SysInternals - get all of the handles accessed by a process; may indicate suspicious activity, or at least show you which process has a file open
- If you're running XP SP2, use 'netstat -bnao'; if you're using the FRU within an environment that's not homogeneous with regard to XP SP2, you can use Perl to write a wrapper around it to do some checking for you.
- PortQry v2.0 from Microsoft - while this tool can be used remotely, it can also be used locally (e.g., 'portqry -l -v')
- Openports.exe from DiamondCS - use 'openports -fport' to get output in fport-style format; doesn't require an admin account to run, the way fport.exe does
- Tcpvcon.exe from SysInternals - use 'tcpvcon -a -n -c' (see the SysInternals page)
- PSFile.exe from the SysInternals PSToolkit - lists all files on the local system that are open as a result of remote connections
- Psloggedon.exe from SysInternals - see who's logged on locally and remotely (via Windows logon)
- LogonSessions.exe from SysInternals - lists currently active logon sessions, and with the '-p' switch, processes used by each session.
- NetUser from SomarSoft.com - utility to show all users who have ever logged on to the local system
- Sigcheck.exe from SysInternals - determines if images are signed, and dumps version information (e.g., 'sigcheck -i -q -u -v c:\windows\system32')
- Psloglist.exe from SysInternals - dump the contents of the Event Log (e.g., 'psloglist -s -t ; appsyssec')
- PSInfo.exe from SysInternals - get system information (e.g., 'psinfo -h -s -d -c')
- GPlist.exe from NTSecurity.nu - get info on the applied Group Policies
- Promiscdetect.exe from NTSecurity.nu - see if a NIC is in promiscuous mode (also, promqry.exe from MS)
- PStoreView.exe from NTSecurity.nu - get information from the Protected Storage service, such as passwords, etc. - this may develop leads more than it will evidence
- Autorunsc.exe from SysInternals - dump the contents of autostart locations within the Registry and file system (e.g., 'autorunsc.exe -a -c -d -e -m -s -w')
- Rifiuti.exe from FoundStone.com - dump the contents of the Recycle Bin; this utility will require a wrapper to get the SID, then pass the correct path information to the tool.
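The netstat item above mentions writing a wrapper around 'netstat -bnao' to do some checking for you. Here is an added example of what such a wrapper might look like; it is not code from the original post and is written in Python rather than the Perl the post mentions, since the parsing logic is the same either way. The netstat output it parses is constructed to resemble XP SP2 '-b' output (a connection line, optional module lines, then the image name in square brackets), and the baseline of expected listeners and the internal address prefixes are assumptions for this one host, not values from the post.

```python
"""Parse 'netstat -bnao' output and flag sockets worth a second look.

Added example (not from the original post). The sample text and the
baseline values below are constructed for illustration only.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample of XP SP2 'netstat -bnao' output. With -b, the
# connection line is followed by the module chain (if any) and then the
# owning image name in square brackets; UDP lines carry no State column.
SAMPLE_NETSTAT = r"""
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       896
  c:\windows\system32\WS2_32.dll
  C:\WINDOWS\system32\RPCRT4.dll
  [svchost.exe]

  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  [System]

  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING       1888
  [updmgr.exe]

  TCP    192.168.1.10:1043      203.0.113.5:443        ESTABLISHED     1234
  [svchost.exe]

  TCP    192.168.1.10:1044      192.168.1.20:445       ESTABLISHED     4
  [System]

  UDP    0.0.0.0:445            *:*                                    4
  [System]
"""

# Assumed baseline for this host: "PROTO:port" pairs you expect to see listening.
EXPECTED_LISTENERS = {"TCP:135", "TCP:445", "UDP:445"}
# Assumed internal address space; anything else is treated as external.
INTERNAL_PREFIXES = ("10.", "192.168.", "127.")


@dataclass
class Socket:
    proto: str
    local: str
    foreign: str
    state: str            # empty for UDP, which has no State column
    pid: int
    image: str = ""       # name shown in [brackets] by netstat -b
    modules: List[str] = field(default_factory=list)


# Connection line: proto, local, foreign, optional state, pid.
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
# Image line produced by -b, e.g. "  [svchost.exe]".
IMAGE_RE = re.compile(r"^\s*\[(.+)\]\s*$")


def parse_netstat_b(text: str) -> List[Socket]:
    """Turn netstat -bnao text into Socket records, attaching module lines
    and the image name to the connection line that precedes them."""
    sockets: List[Socket] = []
    current = None
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            current = Socket(proto, local, foreign, state or "", int(pid))
            sockets.append(current)
            continue
        m = IMAGE_RE.match(line)
        if m and current is not None:
            current.image = m.group(1)
            current = None            # record complete
            continue
        if current is not None and line.strip():
            current.modules.append(line.strip())   # DLL chain / "-- unknown component(s) --"
    return sockets


def port_of(addr: str) -> int:
    return int(addr.rsplit(":", 1)[1])


def review(sockets: List[Socket], expected_listeners=EXPECTED_LISTENERS,
           internal_prefixes=INTERNAL_PREFIXES) -> List[str]:
    """Flag listeners missing from the baseline and established connections
    to addresses outside the internal prefixes."""
    findings = []
    for s in sockets:
        if s.state == "LISTENING" or (s.proto == "UDP" and s.foreign == "*:*"):
            key = f"{s.proto}:{port_of(s.local)}"
            if key not in expected_listeners:
                findings.append(f"unexpected listener {key} pid={s.pid} image={s.image}")
        elif s.state == "ESTABLISHED":
            host = s.foreign.rsplit(":", 1)[0]
            if not host.startswith(internal_prefixes):
                findings.append(f"external connection {s.local} -> {s.foreign} "
                                f"pid={s.pid} image={s.image}")
    return findings


if __name__ == "__main__":
    for finding in review(parse_netstat_b(SAMPLE_NETSTAT)):
        print(finding)
```

The findings only give you a PID and an image name, which (as noted above for cmdline.exe) is next to useless on its own: svchost.exe owning an outbound connection says nothing until you pull the full path and command line for that PID, and the modules list from -b is the same kind of lead that listdlls.exe gives you in more detail.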
So, how's that for a start?
What tools would you recommend?