Sunday, May 25, 2008

More Free Tools

To continue adding to the list of free tools (earlier posts here and here), here are a couple of gems I found recently...

NetworkMiner - a free network forensic analysis tool that takes analysis of network traffic captures to another level. Very cool tool...I love how WireShark lets you reassemble streams, but NetworkMiner lets you do a bit more, and it's Windows-based. Don't have any packet captures available to try it with? Check out the HoneyNet Project's SotM #27.

Thanks goes to Claus for pointing these out...

Stinger and MVC...these are NOT full-bore AV applications, but rather free tools meant to target specific malware. Use these on a live system, or mount the acquired image as a live file system (as opposed to booting the image...) and scan the files.

OpenFilesView - Neat little tool to see which files are open on a system; GUI based but comes with command line options, making it a great tool for use in IR batch files. Say you've got a suspected intrusion and you need to know if sensitive data (pursuant to PCI, HIPAA, etc.) is being siphoned off of the system...well, grab process information w/ tools like tlist.exe and correlate that information to files opened on the system by process...

MUICacheView - The NirSoft site says, "Each time that you start using a new application, Windows operating system automatically extract the application name from the version resource of the exe file, and stores it for using it later, in Registry key known as the 'MuiCache'." This is one of those things I've looked into, and I'm not able to find what the OS would use this for...but hey, who am I to complain about it, right?

By the way, RegRipper has a plugin for this key, which means that you can parse the contents of this key by either extracting the hive from an image, or by firing up F-Response. ;-)

Addendum: Claus posted some of his own bloggy goodness about Evidence Collector, and from that post I learned about USBHistory, a nice little tool that extracts historical information about USB devices connected to a live system. The author even gives a shout out to ol' watashe-wa and his book! Very cool!

1 comment:

Anonymous said...


Thanks for mentioning me in the update.

After some lawn-cutting duty I have to do an update to that post on Evidence Collector. It works 100% great after all on XP Home. Turns out (and this came to me as I was watching the "Meerkat Manor" movie last night) that I had been running it on my work machine from my second partition (not the system partition). On my home system it was sitting on my C: So I moved it to my D: and ran it. Worked perfectly. Folks running it from USB shouldn't encounter that "problem".

That's not really clear in the release notes so I plan to do an update on the post pointing that out. Makes sense however as you might not want to be dumping log data directly onto the HDD you are attempting to anyalyze ;)

I bookmarked the nabiy website myself. He has a lot of resources that look like they are worth exploring under his "links" page.

It was a bit of a challenge hunting down a few of those applications but that's part of the fun!

And in doing so, turn up more gems.