Tuesday, February 08, 2005

Tools of the Trade

I figured I'd get started by listing some tools that you can use with the FRU/FSP, their use, etc.

So, when you're doing incident response, some of the first information you're looking for is volatile information, such as running processes, network connections, etc. So, here are some tools:

  • Tlist.exe (part of the debugging tools) - run it successively with the '-c', '-t', and '-s' switches
  • cmdline.exe from DiamondCS - getting just the name of a process is next to useless...what you really want to get is the path to the executable image and the command line used to launch it
  • Listdlls.exe from SysInternals - get the modules (ie, DLLs) loaded by each process...may show you some DLLs that have hooked other processes
  • handle.exe from SysInternals - get all of the handles accessed by a process; may indicate suspicious activity, or at least show you which process has a file open

Network Connections

  • If you're running XP SP2, use 'netstat -bnao'; if you're using the FRU within an environment that's not homogenous with regards to XP SP2, you can use Perl to write a wrapper around it to do some checking for you.
  • PortQry v2.0 from Microsoft - while this tool can be used remotely, it can also be used locally (ie, 'portqry -l -v')
  • Openports.exe from DiamondCS - use 'openports -fport' to get output in fport-style format; doesn't require an admin account to run, the way fport.exe does
  • Tcpvcon.exe from SysInternals - use 'tcpvcon -a -n -c' (see the SysInternals page)
  • PSFile.exe from the SysInternals PSToolkit - lists all files on the local system that are open as a result of remote connections

User info

  • Psloggedon.exe from SysInternals -see who's logged on locally and remotely (via Windows logon)
  • LogonSessions.exe from SysInternals - lists currently active logon sessions, and with the '-p' switch, processes used by each session.
  • NetUser from SomarSoft.com - utility to show all users who have ever logged on to the local system


  • Sigcheck.exe from SysInternals - determines if images are signed, and dumps version information (ie, 'sigcheck -i -q -u -v c:\windows\system32')
  • Psloglist.exe from SysInternals - dump the contents of the Event Log (ie, 'psloglist -s -t ; appsyssec')
  • PSInfo.exe from SysInternals - get system information (ie, 'psinfo -h -s -d -c')
  • GPlist.exe from NTSecurity.nu - get info on the applied Group Policies
  • Promiscdetect.exe from NTSecurity.nu - see if a NIC is in promiscuous mode (also, promqry.exe from MS)
  • PStoreView.exe from NTSecurity.nu - get information from the Protected Storage service, such as passwords, etc. - this may develop leads more than it will evidence
  • Autorunsc.exe from SysInternals - dump the contents of autostart locations within the Registry and file system (ie, 'autorunsc.exe -a -c -d -e -m -s -w')
  • Rifuiti.exe from FoundStone.com - dump the contents of the Recycle Bin; this utility will require a wrapper to get the SID, then pass the correct path information to the tool.

So, how's that for a start?

What tools would you recommend?


Anonymous said...

Check out the tools (some already mentioned) listed on

Anonymous said...

I'm reading your book right now, so I'm curious why you didn't mention lads.exe? (BTW, I find the book very useful so far in developing our own particular procedures, and it definitely passes the technical-content litmus test of putting my wife to sleep whenever I read it aloud.) Thanks!

Anonymous said...

pmdump.exe and strings.exe that were referenced in an earlier blog and I have used them already.

Also for NTFS ADS, I use lads.exe (http://www.heysoft.de/nt/lads.zip ). Although I can honestly say that I have never come accross any, better to have the tools available when I do need them.

H. Carvey said...


Thanks for the comments. Like the blog entry said, these are "some" tools...it's not meant to be an all inclusive list...my thought in writing the entry was that it would be spoon-feeding, and not leaving a lot of room for input from others.

Also, the tools I mentioned are for volatile data...LADS.exe is my favorite tool for looking for ADSs, but ADSs aren't very volatile...they're still there when you shut the system down. I know that not all the tools are that way, but again...there's no reason to shut down opportunities for discussion.

Finally, thanks for the comments about the book...I really learned a lot during the process of writing it, and even more since then. With regards to the technical-content litmus test...I hear ya! My MSEE thesis still puts me to sleep, so I can only imagine that it would put someone else in a coma! ;-)