Tools used by CSIRTs to Collect Incident Data/Evidence, Investigate and Track Incidents

Compiled by Yuri Demchenko
October 2002

As a suplementary document for the TF-CSIRT Questionnaire about Tools, Procedures and Practices used by CSIRTs to collect Incident Data/Evidence, Investigate and Track Incidents

Pilot version of the Clearinghouse of Incident Handling Tools is located at http://chiht.dfn-cert.de/

1. Incident Data/Evidence Collection
1.1. Tools for Hard Disk examining
1.2. Systems and processes examining utilities
2. Investigative tools
2.1. Extracting information from collected data/Evidence
2.2. Checking Attacker and Victim Identity
3. Support CSIRT procedures
3.1. Incident registration, tracking and Incident reporting
3.2. Extracting information from CSIRT archives
4. Tools for compromised system recovery
5. Pro-active tools
5.1. Network Auditing tools (Security Scanners)
5.2. Host-based Auditing Tools
5.3. Security Management Tools
5.4. Network monitoring and traffic analysis tools
5.5. Network IDS
6. Secure Remote Access Tools
7. Security BCP, Risk Assessment and Security Policy Management
8. Software Security Audit tools
1. Incident Data/Evidence Collection

1.1. Tools for Hard Disk examining

Functions

Category/Purpose Tool/program name System/ network state OS

16/32/64 bit

mage machine/
Attacker/ victim machine
Short description, definition, URL
Program for doing bit-to-bit copies dd        
Program for Hard Disk examining Byte Back
Version: 2.942
Tech Assist, Inc.
      http://www.toolsthatwork.com/
Selective write-protect can protect media you are analyzing. Direct physical access to IDE and SCSI drives. Awesome sector editor integrated into tool. Drive-to-drive, sector-by-sector compare utility other tools do not have. Searched every sector of a drive. Can also image drives and restore images.
http://www.scmagazine.com/scmagazine/2001_04/testc/prod1.html
  DriveSpy
Digital Intelligence, Inc.
      http://www.digitalintel.com/
Complete examination of physical HD. Uses keyword list containing mixture of ASCII, UNICODE and absolute HEX values.
http://www.scmagazine.com/scmagazine/2001_04/testc/prod1.html
  EnCase
Version: 2.15
Guidance Software, Inc.
      http://www.encase.com/
Intuitive graphical interface. Operates directly on image files instead of original evidence. Can search multiple hard drives in a single pass using keyword list containing mixture of case sensitive, UNICODE and absolute HEX values. Views media at physical level or logical level. 
http://www.scmagazine.com/scmagazine/2001_04/testc/prod1.html
  Forensic Toolkit
Beta Test
AccessData Corporation
      http://www.accessdata.com/
Email view puts email files in their logical context. Full text indexing, properly used, makes searches instantaneous. Finds and indexes contents of .ZIP and .PDF files. Views SafeBack, EnCase and SnapBack media image files. 
http://www.scmagazine.com/scmagazine/2001_04/testc/prod1.html
  Maresware Suite
Mares and Company LLC
      http://www.dmares.com/
A collection of individual command-line tools that have a wide variety of uses besides forensic analysis. Extensive help system and a host of command line options give the tools an incredible range of capabilities.
http://www.scmagazine.com/scmagazine/2001_04/testc/prod1.html


1.2. Systems and processes examining utilities

Functions

Category/Purpose Tool/program name System/ network state OS Evidence machine/image mach. Short description, definition, URL 
Programs for generating core images and for examining them gcore       Std UNIX utility
  gdb        
Process examining ps On-line     Std UNIX utility
Examining system state showrev       Std UNIX utility
  ifconfig       Std UNIX utility
  netstat       Std UNIX utility
  arp       Std UNIX utility
           

 

2. Investigative tools

Functions

2.1. Extracting information from collected data/Evidence
 
Category/Purpose Tool/program name OS Short description, definition, URL
Extended logfile analysis gross   script to distill information from some supplied router log files. Attempts to identify hosts probed, start and end times of probing and ports probed
Tcpdump file analysis       
       
Programs/scripts to automate evidence collection The Coroner’s Toolkit (TCT)   http://www.porcupine.org/forensics/
The Coroner's Toolkit (TCT) by Dan Farmer (Earthlink) and Wietse Venema (IBM) is a collection of programs that can be used for a post-mortem analysis of a UNIX system after break-in.
The software was presented first during a free Computer Forensics Analysis class in August 1999.

The Incident Response Collection Report (IRCR)  MS Win http://www.incident-response.org/
The Incident Response Collection Report (IRCR) is similar to The Coroner's Toolkit (TCT) by Dan Farmer & Wietse Venema
Great tool just released that will attempt to collect information on Windows 2000/NT systems like TCT does for UNIX based operating systems. 
This program is a collection of tools that gathers and/or analyzes forensic data on a Microsoft Windows system. You can think of this as a snapshot of the system in the past. Like TCT, most of the tools are oriented towards data collection rather than analysis. 
The idea of IRCR is that anyone could run the tool and send the output to a skilled Windows forensic security  person for further analysis. 

 

2.2. Checking Attacker and Victim Identity
 
Category/Purpose Tool/program name OS Short description, definition, URL 
Mapping/conversion  IP -> DN, DN -> IP about    Obtains information from DNS and whois servers for a given IP address or name; checks the current CERT mailboxes and router logs to see if the IP address has been reported in other contexts
  apnic, arin, ripe   Look up details of a numeric IP address in the APNIC, ARIN or RIPE 
  internic   Script to query the InterNIC for details about some networks
  eh   Script to identify well-known portnumbers
  nameof   script to translate a numeric IP address into a name
  janic   Script to query the JANET whois server for details about .ac.uk domains
  ip2host   Public domain script to take a file of IP addresses and convert them to hostnames
       
Searching/Accessing Contact information, network data keykatch   Script to extract contact information only from RIPE, ARIN and APNIC db
  soa   Script to find the e-mail address responsible for the DNS server in a domain.
       

 

3. Support CSIRT procedures

Functions

3.1. Incident registration, tracking and Incident reporting
 
Category/Purpose Tool/program name OS Short description, definition, URL
  Remedy Action Request System from Remedy (ARS)   * Web-based user self-support
* Easy configurable
* Integration with Network Management packages
  Magic Total Service Desk (Magic TDS)   * Web-based customised interface 
* Network Oriented and scalable up to 1000 nodes 
* SNMP support (traps, etc.)
* XML built and database format customisation
* Based on MS DNA: Support VB and COM scripts
* Enables end-users to send requests via e-mail 
  Nortel Clarify    

 

3.2. Extracting information from CSIRT archives
 
Category/Purpose Tool/program name OS Short description, definition, URL
Tracking similar cases findref
Sript to search for a string in JANET-CERT mailboxes (open, closed or all)
       

 

4. Tools for compromised system recovery

Functions

Category/Purpose Tool/program name OS System/ network state File system Short description, definition, URL
 Tools for system recovery Symantec Norton Utilities        http://www.symantec.com/nu/nu_9x/
           
           

 

5. Pro-active tools

Functions

5.1. Network Auditing tools (Security Scanners)
 
Category/Purpose Tool/program name OS Short description, definition, URL 
  COPS (Computer Oracle and Password System)   COPS is a publicly available collection of programs that attempt to identify security problems in a UNIX system. COPS does not attempt to correct any discrepancies found; it simply produces a report of its findings. COPS is available from 
ftp://coast.cs.purdue.edu/pub/tools/unix/scanners/cops/
  SAINT   ftp://coast.cs.purdue.edu/pub/tools/unix/scanners/saint/
SAINT is the Security Administrator's Integrated Network Tool. It compiles information about remote hosts and networks by examining such network services as finger, NFS, NIS, ftp and tftp, rexd, statd, and other services.
http://www.fedcirc.gov/tools/saint.html
  ISS   ISS is a program that will interrogate all computers within a specified IP address range, determining the security posture of each with respect to several common system vulnerabilities. ISS is available from many sites, including 
ftp://coast.cs.purdue.edu/pub/tools/unix/iss/
For further information about ISS, see 
http://www.cert.org/advisories/CA-93.14.Internet.Security.Scanner.html
ftp://coast.cs.purdue.edu/pub/tools/unix/scanners/iss/
  SATAN (Security Administrator Tool for Analyzing Networks)    SATAN is a testing and reporting tool that collects a variety of information about networked hosts. 
SATAN can probe hosts at various levels of intensity. The scanning level is controlled with the configuration file, but can be overruled with command-line switches or via the graphical user interface.
SATAN (Wietse Venema / Dan Farmer) is available from many sites, including 
ftp://ftp.porcupine.org/pub/security/
For further information about SATAN:
http://www.cert.org/advisories/CA-95.06.satan.htmlhttp://www.cert.org/advisories/CA-95.07a.REVISED.satan.vul.html
ftp://coast.cs.purdue.edu/pub/tools/unix/scanners/satan/
  SARA   http://www-arc.com/sara/
SARA is a CVE complaint, SANS Top 10 compliant network security scanner that provides detection of current vulnerabilities. It provides a comprehensive report writer and search engine to support enterprise-level auditing. It is updated, on the average twice a month
  Security Profile Inspector (SPI)   http://ciac.llnl.gov/cstc/spi/spiwnt/spiwnt.html
The Security Profile Inspector for Windows NT is distributed by CIAC and is one of the tools that should be in your toolbox if you are host to an NT platform. Distribution is limited to government agencies and approved contractors. Additional information is attainable at the CIAC web site .
  Trinoo DDoS detection tool   These tools have been developed to assist users with identifying hosts that are being used as launching sites for DDoS attacks against other targets and can be applied against most *NIX hosts. It does not work for the Windows environment.

5.2. Host-based Auditing Tools
 
Category/Purpose Tool/program name OS Short description, definition, URL 
Host-based Auditing Tools crack   Crack is a freely available program designed to identify, by standard guessing techniques, UNIX DES encrypted passwords that can be found in widely available dictionaries. The guessing techniques are outlined in the Crack documentation. Many system administrators run Crack as a regular system administration procedure and notify account owners who have "crackable" passwords. Crack is available from 
ftp://coast.cs.purdue.edu/pub/tools/unix/pwdutils/crack/
  L0PHTCRACK V2.52   http://www.fedcirc.gov/tools/lc252install.zip
L0PHTCrack is a password analysis tool for Windows NT and Windows 95/98. Developed by "l0pht Heavy Industries" group, this tool has been used very successfully to identify password weaknesses in NT platforms. NT platforms store passwords using a cryptographic hash algorithm. L0PHTCrack analyzes the hash in two ways, by doing a dictionary comparison or by a character substitution. This is an ideal tool for exposing poorly selected passwords. Additional information can be found on the L0PHT web site.
http://l0pht.com/loftcrack/
Integrity-Checking Tools MD5   MD5 is a cryptographic checksum program. MD5 takes as input a message of arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" of the input. It is thought to be computationally infeasible to produce two messages having the same message digest or to produce any message having a given pre-specified target message digest. MD5 is found in RFC 1321. ftp://coast.cs.purdue.edu/pub/tools/unix/crypto/md5/
  tripwire   Tripwire checks file and directory integrity; it is a utility that compares a designated set of files and directories to information stored in a previously generated database. Any differences are flagged and logged, including added or deleted entries. When run against system files on a regular basis, Tripwire enables you to spot changes in critical system files and to immediately take appropriate damage control measures. Tripwire is available from many sites, including ftp://coast.cs.purdue.edu/pub/tools/unix/Tripwire/
http://www.fedcirc.gov/tools/tripwire1_3.zip

 

5.3. Security Management Tools
 
Category/Purpose Tool/program name OS Short description, definition, URL 
Logfile utilities     ftp://coast.cs.purdue.edu/pub/tools/unix/logutils/
  swatch   Swatch, the Simple WATCHer program, is an easily configurable log file filter/monitor. Swatch monitors log files and acts to filter out unwanted data and take one or more user-specified actions based on patterns in the log. Swatch is available from 
ftp://ftp.stanford.edu/general/security-tools/swatch/
ftp://coast.cs.purdue.edu/pub/tools/unix/logutils/swatch/
  logcheck    ftp://coast.cs.purdue.edu/pub/tools/unix/logutils/logcheck/
Logcheck is software package that is designed to automatically run and check system log files for security violations and unusual activity. 
  wentry   ftp://coast.cs.purdue.edu/pub/tools/unix/logutils/sentry/
The Sentry is part of the Abacus Project suite of tools. The Abacus Project is an initiative to release low-maintenance, generic, and reliable host based intrusion detection software to the Internet community. More information can be obtained from http://www.psionic.com. 
Sentry has a number of options to detect port scans.
System utilities watcher    ftp://coast.cs.purdue.edu/pub/tools/unix/sysutils/watcher/
  tkwatcher    ftp://coast.cs.purdue.edu/pub/tools/unix/sysutils/tkwatcher/
It was inspired by the program watcher by Kenneth Inghman, but adds features lacking in the original watcher. Among those features are the ability to:
* select portions of the controlfile
* print command headers in the error messages
* select individual lines from a command output stream using absolute positions, or a regular expression
* perform and test calculations based on the input data
* specify multiple tests on a value that are anded together to determine if a warning should be issued.
* set thresholds for reports when all other tests are positive. 
  trojan    ftp://coast.cs.purdue.edu/pub/tools/unix/sysutils/trojan/
Trojan.pl is a trojan horse checking program. It examines your searchpath and looks at all of the executables in your searchpath, looking for people who can create a trojan hource you can execute.
  lsof    ftp://coast.cs.purdue.edu/pub/tools/unix/sysutils/lsof/
Lsof version 4 lists open files for running Unix processes. It is a descendent of ofiles, fstat, and lsof versions 1, 2, and 3. It has been tested on these UNIX dialects.
  ifstatus   ftp://coast.cs.purdue.edu/pub/tools/unix/sysutils/ifstatus/
The ifstatus program can be run on UNIX systems to identify network interfaces that are in debug or promiscuous mode. Network interfaces in these modes may be a sign that an intruder is monitoring the network to steal passwords and other traffic (see CERT Advisory CA-94.01).
  smrsh   http://www.sendmail.org/
Beginning with sendmail version 8.7.1, smrsh is included in the sendmail distribution, in the subdirectory smrsh.
The smrsh program can help protect against a vulnerability that can allow unauthorized remote or local users to execute programs as any system user other than root. For example, smrsh can prevent an intruder from using pipes (|) to execute arbitrary commands on your system. 

 

5.4. Network monitoring and traffic analysis tools
 
Category/Purpose Tool/program name OS Short description, definition, URL to download, manual
Network monitoring tools argus   Argus is a network monitoring tool that uses a client-server model to capture data and associate it into "transactions." The tool provides network-level auditing; it can verify compliance to a router configuration file, and information can be easily adapted to protocol analysis, intrusion detections, and other security needs. Argus is available from many sites, including 
ftp://ftp.andrew.cmu.edu/pub/argus/
  review   ftp://coast.cs.purdue.edu/pub/tools/unix/netutils/review/
Review is a set of perl/tk scripts that make it easier to view the contents of tcpdump packet logs. 
  tcpdump   ftp://ftp.ee.lbl.gov/libpcap.tar.Z
ftp://coast.cs.purdue.edu/pub/tools/unix/netutils/tcpdump/
tcpdump, a tool for network monitoring and data acquisition.
Network traffic analysis tools TCP/IP wrapper   The TCP/IP wrapper program provides additional network logging information and gives a system administrator the ability to deny or allow access from certain systems or domains to the host on which the program is installed. Installation of this software does not require any modification to existing network software. This program is available from 
ftp://ftp.porcupine.org/pub/security/
ftp://coast.cs.purdue.edu/pub/tools/unix/netutils/tcp_wrappers/
  cyberkit   Cyberkit is a simple but effective multipurpose tools offering Ping, Traceroute, NS Lookup, Finger and Whois functions in a single application. Runs on Windows 95 and NT platforms.
http://www.fedcirc.gov/tools/cyberkit.zip
  netinfo   NetInfo is also multipurpose tools offering Query, Ping and Scanning functions. Runs on Windows 95 and NT platforms.
http://www.fedcirc.gov/tools/netinfo.zip
  NETLAB95   Netlab95 runs on Windows 95 and NT platforms. It provides a variety of functions including Ping, Traceroute, DNS Lookup, Finger, WhoIs and Port Scan .
http://www.fedcirc.gov/tools/netlab95.zip

5.5. Network IDS
 
Category/Purpose Tool/program name OS Short description, definition, URL 
  Snort   ftp://coast.cs.purdue.edu/pub/tools/unix/netutils/snort/
Snort is a lightweight network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. 
  NID   NID is a suite of software tools that helps detect, analyze, and gather evidence of intrusive behavior occurring on an Ethernet or Fiber Distributed Data Interface (FDDI) network using the Internet Protocol (IP). NID operates passively on a stand-alone host (rather than residing on the hosts it is monitoring), and is responsible for collecting data and/or statistics about network traffic.
NID operates within a security domain-a collection of hosts and/or sub-networks you wish to monitor. The security domain can be further refined by only looking at traffic from particular Internet services.
http://ciac.llnl.gov/cstc/nid/intro.html
       

6. Secure Remote Access Tools
 
Category/Purpose Tool/program name OS Short description, definition, URL to download, manual
  RADIUS    
  tacacs+    
  SSL    
  SSH    
  STEL    
  Kerberos    
       

7. Security BCP, Risk Assessment and Security Policy Management

The ISO 17799 Service & Software Directory - http://www.iso17799software.com/

Internet Security Auditing Class - http://www.porcupine.org/auditing/
On April 30th, 1996, Dan Farmer (Sun Microsystems) and Wietse Venema (Eindhoven University) presented a full-day free class on security auditing before an audience of 200 in Santa Clara (CA).

RUSecure™ - Information Security Officer's Manual - the ISO Manual
http://www.eon-commerce.com/rusecure
Evaluation download - http://www.computer-security-policies.com/download.htm

The Security Audit and Internal Audit Shop - http://www.security-audit-internal-audit.com/

IBM Security Solutions -  http://www-3.ibm.com/security/index.shtml
IBM Security Planner for  AIX, Linux, OS/400, Windows 2000, z/OS or OS/390 - http://www-1.ibm.com/servers/security/planner/

IBM Tivoli Risk Manager - http://www.tivoli.com/products/index/risk-mgr/

Microsoft Security webpage - http://www.microsoft.com/technet/security/
Microsoft Security BCP -  http://www.microsoft.com/technet/security/bestprac/bpent/

Cisco Security components - http://www.cisco.com/warp/public/44/jump/secure.shtml
Security Technical Tips - http://www.cisco.com/warp/public/707/

@stake Security Vulnerability Reporting Policy - http://www.atstake.com/research/policy/index.html

8. Software Security Audit tools

Linux Security Audit Project - http://lsap.org/
Security-Audit's FAQ - http://lsap.org/faq.txt

@Stake Secureity Tools archive - http://www.atstake.com/research/tools/index.html
@Stake LC4 - The Password Auditing and Recovery Application - http://www.atstake.com/research/lc/index.html

Security Code Review Guidelines - http://www.homeport.org/~adam/review.html

How to Find Security Holes - http://www.canonical.org/~kragen/security-holes.html

Dmalloc - Debug Malloc Library - http://dmalloc.com/
The debug memory allocation or dmalloc library has been designed as a drop in replacement for the system's malloc, realloc, calloc, free and other memory management routines while providing powerful debugging facilities configurable at runtime. These facilities include such things as memory-leak tracking, fence-post write detection, file/line number reporting, and general logging of statistics.

Sun Software Security Audit page - http://wwws.sun.com/software/security/audit/

Microsoft .NET Framework Security - http://msdn.microsoft.com/vstudio/techinfo/articles/developerproductivity/frameworksec.asp