Compiled by Yuri Demchenko
October 2002
As a supplementary document for the TF-CSIRT Questionnaire about Tools, Procedures and Practices used by CSIRTs to collect Incident Data/Evidence, Investigate and Track Incidents
Pilot version of the Clearinghouse of Incident Handling Tools is located at http://chiht.dfn-cert.de/
1. Incident Data/Evidence Collection
1.1. Tools for Hard Disk examining
1.2. Systems and processes examining utilities
2. Investigative tools
2.1. Extracting information from collected data/Evidence
2.2. Checking Attacker and Victim Identity
3. Support CSIRT procedures
3.1. Incident registration, tracking and Incident reporting
3.2. Extracting information from CSIRT archives
4. Tools for compromised system recovery
5. Pro-active tools
5.1. Network Auditing tools (Security Scanners)
5.2. Host-based Auditing Tools
5.3. Security Management Tools
5.4. Network monitoring and traffic analysis tools
5.5. Network IDS
6. Secure Remote Access Tools
7. Security BCP, Risk Assessment and Security Policy Management
8. Software Security Audit tools
1. Incident Data/Evidence Collection
1.1. Tools for Hard Disk examining
Category/Purpose | Tool/program name | System/network state | OS 16/32/64 bit | Image machine/Attacker/victim machine | Short description, definition, URL
Program for doing bit-to-bit copies | dd | | | |
Program for Hard Disk examining | Byte Back, Version 2.942, Tech Assist, Inc. | | | | http://www.toolsthatwork.com/ Selective write-protect can protect media you are analyzing. Direct physical access to IDE and SCSI drives. Awesome sector editor integrated into the tool. Drive-to-drive, sector-by-sector compare utility other tools do not have. Searches every sector of a drive. Can also image drives and restore images. http://www.scmagazine.com/scmagazine/2001_04/testc/prod1.html
| DriveSpy, Digital Intelligence, Inc. | | | | http://www.digitalintel.com/ Complete examination of physical HD. Uses keyword list containing a mixture of ASCII, UNICODE and absolute HEX values. http://www.scmagazine.com/scmagazine/2001_04/testc/prod1.html
| EnCase, Version 2.15, Guidance Software, Inc. | | | | http://www.encase.com/ Intuitive graphical interface. Operates directly on image files instead of original evidence. Can search multiple hard drives in a single pass using a keyword list containing a mixture of case sensitive, UNICODE and absolute HEX values. Views media at physical level or logical level. http://www.scmagazine.com/scmagazine/2001_04/testc/prod1.html
| Forensic Toolkit (Beta Test), AccessData Corporation | | | | http://www.accessdata.com/ Email view puts email files in their logical context. Full text indexing, properly used, makes searches instantaneous. Finds and indexes contents of .ZIP and .PDF files. Views SafeBack, EnCase and SnapBack media image files. http://www.scmagazine.com/scmagazine/2001_04/testc/prod1.html
| Maresware Suite, Mares and Company LLC | | | | http://www.dmares.com/ A collection of individual command-line tools that have a wide variety of uses besides forensic analysis. Extensive help system and a host of command line options give the tools an incredible range of capabilities. http://www.scmagazine.com/scmagazine/2001_04/testc/prod1.html
1.2. Systems and processes examining utilities
Category/Purpose | Tool/program name | System/network state | OS | Evidence machine/image machine | Short description, definition, URL
Programs for generating core images and for examining them | gcore | | Std UNIX utility | |
| gdb | | | |
Process examining | ps | On-line | Std UNIX utility | |
Examining system state | showrev | | Std UNIX utility | |
| ifconfig | | Std UNIX utility | |
| netstat | | Std UNIX utility | |
| arp | | Std UNIX utility | |
2. Investigative tools
2.1. Extracting information from collected data/Evidence
Category/Purpose | Tool/program name | OS | Short description, definition, URL
Extended logfile analysis | gross | | Script to distill information from some supplied router log files. Attempts to identify hosts probed, start and end times of probing and ports probed
Tcpdump file analysis | | |
Programs/scripts to automate evidence collection | The Coroner's Toolkit (TCT) | | http://www.porcupine.org/forensics/ The Coroner's Toolkit (TCT) by Dan Farmer (Earthlink) and Wietse Venema (IBM) is a collection of programs that can be used for a post-mortem analysis of a UNIX system after a break-in. The software was first presented during a free Computer Forensics Analysis class in August 1999.
| The Incident Response Collection Report (IRCR) | MS Win | http://www.incident-response.org/ The Incident Response Collection Report (IRCR) is similar to The Coroner's Toolkit (TCT) by Dan Farmer & Wietse Venema: a recently released tool that attempts to collect information on Windows 2000/NT systems as TCT does for UNIX-based operating systems. This program is a collection of tools that gathers and/or analyzes forensic data on a Microsoft Windows system. You can think of this as a snapshot of the system in the past. Like TCT, most of the tools are oriented towards data collection rather than analysis. The idea of IRCR is that anyone could run the tool and send the output to a skilled Windows forensic security person for further analysis.
2.2. Checking Attacker and Victim Identity
Category/Purpose | Tool/program name | OS | Short description, definition, URL
Mapping/conversion IP -> DN, DN -> IP | about | | Obtains information from DNS and whois servers for a given IP address or name; checks the current CERT mailboxes and router logs to see if the IP address has been reported in other contexts
| apnic, arin, ripe | | Look up details of a numeric IP address in the APNIC, ARIN or RIPE database
| internic | | Script to query the InterNIC for details about some networks
| eh | | Script to identify well-known port numbers
| nameof | | Script to translate a numeric IP address into a name
| janic | | Script to query the JANET whois server for details about .ac.uk domains
| ip2host | | Public domain script to take a file of IP addresses and convert them to hostnames
Searching/Accessing Contact information, network data | keykatch | | Script to extract contact information only from the RIPE, ARIN and APNIC databases
| soa | | Script to find the e-mail address responsible for the DNS server in a domain
3. Support CSIRT procedures
3.1. Incident registration, tracking and Incident reporting
Category/Purpose | Tool/program name | OS | Short description, definition, URL
| Remedy Action Request System (ARS) from Remedy | | Web-based user self-support; easily configurable; integration with Network Management packages
| Magic Total Service Desk (Magic TDS) | | Web-based customised interface; network oriented and scalable up to 1000 nodes; SNMP support (traps, etc.); XML built and database format customisation; based on MS DNA: supports VB and COM scripts; enables end-users to send requests via e-mail
| Nortel Clarify | |
3.2. Extracting information from CSIRT archives
Category/Purpose | Tool/program name | OS | Short description, definition, URL
Tracking similar cases | findref | | Script to search for a string in JANET-CERT mailboxes (open, closed or all)
4. Tools for compromised system recovery
Category/Purpose | Tool/program name | OS | System/network state | File system | Short description, definition, URL
Tools for system recovery | Symantec Norton Utilities | | | | http://www.symantec.com/nu/nu_9x/
5. Pro-active tools
5.1. Network Auditing tools (Security Scanners)
Category/Purpose | Tool/program name | OS | Short description, definition, URL
| COPS (Computer Oracle and Password System) | | COPS is a publicly available collection of programs that attempt to identify security problems in a UNIX system. COPS does not attempt to correct any discrepancies found; it simply produces a report of its findings. COPS is available from ftp://coast.cs.purdue.edu/pub/tools/unix/scanners/cops/
| SAINT | | ftp://coast.cs.purdue.edu/pub/tools/unix/scanners/saint/ SAINT is the Security Administrator's Integrated Network Tool. It compiles information about remote hosts and networks by examining such network services as finger, NFS, NIS, ftp and tftp, rexd, statd, and other services. http://www.fedcirc.gov/tools/saint.html
| ISS | | ISS is a program that will interrogate all computers within a specified IP address range, determining the security posture of each with respect to several common system vulnerabilities. ISS is available from many sites, including ftp://coast.cs.purdue.edu/pub/tools/unix/iss/ and ftp://coast.cs.purdue.edu/pub/tools/unix/scanners/iss/ For further information about ISS, see http://www.cert.org/advisories/CA-93.14.Internet.Security.Scanner.html
| SATAN (Security Administrator Tool for Analyzing Networks) | | SATAN is a testing and reporting tool that collects a variety of information about networked hosts. SATAN can probe hosts at various levels of intensity. The scanning level is controlled with the configuration file, but can be overruled with command-line switches or via the graphical user interface. SATAN (Wietse Venema / Dan Farmer) is available from many sites, including ftp://ftp.porcupine.org/pub/security/ and ftp://coast.cs.purdue.edu/pub/tools/unix/scanners/satan/ For further information about SATAN, see http://www.cert.org/advisories/CA-95.06.satan.html and http://www.cert.org/advisories/CA-95.07a.REVISED.satan.vul.html
| SARA | | http://www-arc.com/sara/ SARA is a CVE compliant, SANS Top 10 compliant network security scanner that provides detection of current vulnerabilities. It provides a comprehensive report writer and search engine to support enterprise-level auditing. It is updated on average twice a month.
| Security Profile Inspector (SPI) | | http://ciac.llnl.gov/cstc/spi/spiwnt/spiwnt.html The Security Profile Inspector for Windows NT is distributed by CIAC and is one of the tools that should be in your toolbox if you are host to an NT platform. Distribution is limited to government agencies and approved contractors. Additional information is available at the CIAC web site.
| Trinoo DDoS detection tool | | These tools have been developed to assist users in identifying hosts that are being used as launching sites for DDoS attacks against other targets and can be applied to most *NIX hosts. They do not work in the Windows environment.
5.2. Host-based Auditing Tools
Category/Purpose | Tool/program name | OS | Short description, definition, URL
Host-based Auditing Tools | crack | | Crack is a freely available program designed to identify, by standard guessing techniques, UNIX DES encrypted passwords that can be found in widely available dictionaries. The guessing techniques are outlined in the Crack documentation. Many system administrators run Crack as a regular system administration procedure and notify account owners who have "crackable" passwords. Crack is available from ftp://coast.cs.purdue.edu/pub/tools/unix/pwdutils/crack/
| L0PHTCRACK V2.52 | | http://www.fedcirc.gov/tools/lc252install.zip L0PHTCrack is a password analysis tool for Windows NT and Windows 95/98. Developed by the "l0pht Heavy Industries" group, this tool has been used very successfully to identify password weaknesses on NT platforms. NT platforms store passwords using a cryptographic hash algorithm. L0PHTCrack analyzes the hash in two ways, by dictionary comparison or by character substitution. This is an ideal tool for exposing poorly selected passwords. Additional information can be found on the L0PHT web site: http://l0pht.com/loftcrack/
Integrity-Checking Tools | MD5 | | MD5 is a cryptographic checksum program. MD5 takes as input a message of arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" of the input. It is thought to be computationally infeasible to produce two messages having the same message digest or to produce any message having a given pre-specified target message digest. MD5 is specified in RFC 1321. ftp://coast.cs.purdue.edu/pub/tools/unix/crypto/md5/
| tripwire | | Tripwire checks file and directory integrity; it is a utility that compares a designated set of files and directories to information stored in a previously generated database. Any differences are flagged and logged, including added or deleted entries. When run against system files on a regular basis, Tripwire enables you to spot changes in critical system files and to immediately take appropriate damage control measures. Tripwire is available from many sites, including ftp://coast.cs.purdue.edu/pub/tools/unix/Tripwire/ and http://www.fedcirc.gov/tools/tripwire1_3.zip
5.3. Security Management Tools
Category/Purpose | Tool/program name | OS | Short description, definition, URL
Logfile utilities | | | ftp://coast.cs.purdue.edu/pub/tools/unix/logutils/
| swatch | | Swatch, the Simple WATCHer program, is an easily configurable log file filter/monitor. Swatch monitors log files and acts to filter out unwanted data and take one or more user-specified actions based on patterns in the log. Swatch is available from ftp://ftp.stanford.edu/general/security-tools/swatch/ and ftp://coast.cs.purdue.edu/pub/tools/unix/logutils/swatch/
| logcheck | | ftp://coast.cs.purdue.edu/pub/tools/unix/logutils/logcheck/ Logcheck is a software package that is designed to run automatically and check system log files for security violations and unusual activity.
| sentry | | ftp://coast.cs.purdue.edu/pub/tools/unix/logutils/sentry/ The Sentry is part of the Abacus Project suite of tools. The Abacus Project is an initiative to release low-maintenance, generic, and reliable host-based intrusion detection software to the Internet community. More information can be obtained from http://www.psionic.com. Sentry has a number of options to detect port scans.
System utilities | watcher | | ftp://coast.cs.purdue.edu/pub/tools/unix/sysutils/watcher/
| tkwatcher | | ftp://coast.cs.purdue.edu/pub/tools/unix/sysutils/tkwatcher/ It was inspired by the program watcher by Kenneth Inghman, but adds features lacking in the original watcher. Among those features are the ability to: select portions of the controlfile; print command headers in the error messages; select individual lines from a command output stream using absolute positions or a regular expression; perform and test calculations based on the input data; specify multiple tests on a value that are ANDed together to determine if a warning should be issued; set thresholds for reports when all other tests are positive.
| trojan | | ftp://coast.cs.purdue.edu/pub/tools/unix/sysutils/trojan/ Trojan.pl is a trojan horse checking program. It examines your search path and looks at all of the executables in your search path, looking for people who could create a trojan horse you can execute.
| lsof | | ftp://coast.cs.purdue.edu/pub/tools/unix/sysutils/lsof/ Lsof version 4 lists open files for running Unix processes. It is a descendant of ofiles, fstat, and lsof versions 1, 2, and 3. It has been tested on these UNIX dialects.
| ifstatus | | ftp://coast.cs.purdue.edu/pub/tools/unix/sysutils/ifstatus/ The ifstatus program can be run on UNIX systems to identify network interfaces that are in debug or promiscuous mode. Network interfaces in these modes may be a sign that an intruder is monitoring the network to steal passwords and other traffic (see CERT Advisory CA-94.01).
| smrsh | | http://www.sendmail.org/ Beginning with sendmail version 8.7.1, smrsh is included in the sendmail distribution, in the subdirectory smrsh. The smrsh program can help protect against a vulnerability that can allow unauthorized remote or local users to execute programs as any system user other than root. For example, smrsh can prevent an intruder from using the pipe symbol to execute arbitrary commands on your system.
5.4. Network monitoring and traffic analysis tools
Category/Purpose | Tool/program name | OS | Short description, definition, URL to download, manual
Network monitoring tools | argus | | Argus is a network monitoring tool that uses a client-server model to capture data and associate it into "transactions." The tool provides network-level auditing; it can verify compliance to a router configuration file, and information can be easily adapted to protocol analysis, intrusion detection, and other security needs. Argus is available from many sites, including ftp://ftp.andrew.cmu.edu/pub/argus/
| review | | ftp://coast.cs.purdue.edu/pub/tools/unix/netutils/review/ Review is a set of perl/tk scripts that make it easier to view the contents of tcpdump packet logs.
| tcpdump | | ftp://ftp.ee.lbl.gov/libpcap.tar.Z ftp://coast.cs.purdue.edu/pub/tools/unix/netutils/tcpdump/ tcpdump, a tool for network monitoring and data acquisition.
Network traffic analysis tools | TCP/IP wrapper | | The TCP/IP wrapper program provides additional network logging information and gives a system administrator the ability to deny or allow access from certain systems or domains to the host on which the program is installed. Installation of this software does not require any modification to existing network software. This program is available from ftp://ftp.porcupine.org/pub/security/ and ftp://coast.cs.purdue.edu/pub/tools/unix/netutils/tcp_wrappers/
| cyberkit | | Cyberkit is a simple but effective multipurpose tool offering Ping, Traceroute, NS Lookup, Finger and Whois functions in a single application. Runs on Windows 95 and NT platforms. http://www.fedcirc.gov/tools/cyberkit.zip
| netinfo | | NetInfo is also a multipurpose tool offering Query, Ping and Scanning functions. Runs on Windows 95 and NT platforms. http://www.fedcirc.gov/tools/netinfo.zip
| NETLAB95 | | Netlab95 runs on Windows 95 and NT platforms. It provides a variety of functions including Ping, Traceroute, DNS Lookup, Finger, WhoIs and Port Scan. http://www.fedcirc.gov/tools/netlab95.zip
5.5. Network IDS
Category/Purpose | Tool/program name | OS | Short description, definition, URL
| Snort | | ftp://coast.cs.purdue.edu/pub/tools/unix/netutils/snort/ Snort is a lightweight network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
| NID | | NID is a suite of software tools that helps detect, analyze, and gather evidence of intrusive behavior occurring on an Ethernet or Fiber Distributed Data Interface (FDDI) network using the Internet Protocol (IP). NID operates passively on a stand-alone host (rather than residing on the hosts it is monitoring), and is responsible for collecting data and/or statistics about network traffic. NID operates within a security domain, a collection of hosts and/or sub-networks you wish to monitor. The security domain can be further refined by only looking at traffic from particular Internet services. http://ciac.llnl.gov/cstc/nid/intro.html
6. Secure Remote Access Tools
Category/Purpose | Tool/program name | OS | Short description, definition, URL to download, manual
| RADIUS | |
| tacacs+ | |
| SSL | |
| SSH | |
| STEL | |
| Kerberos | |
7. Security BCP, Risk Assessment and Security Policy Management
The ISO 17799 Service & Software Directory - http://www.iso17799software.com/
Internet Security Auditing Class - http://www.porcupine.org/auditing/
On April 30th, 1996, Dan Farmer (Sun Microsystems) and Wietse Venema (Eindhoven University) presented a full-day free class on security auditing before an audience of 200 in Santa Clara (CA).
RUSecure™ - Information Security Officer's Manual - the ISO Manual
http://www.eon-commerce.com/rusecure
Evaluation download - http://www.computer-security-policies.com/down.htm
The Security Audit and Internal Audit Shop - http://www.security-audit-internal-audit.com/
IBM Security Solutions - http://www-3.ibm.com/security/index.shtml
IBM Security Planner for AIX, Linux, OS/400, Windows 2000, z/OS or OS/390 - http://www-1.ibm.com/servers/security/planner/
IBM Tivoli Risk Manager - http://www.tivoli.com/products/index/risk-mgr/
Cisco Security components - http://www.cisco.com/warp/public/44/jump/secure.shtml
Security Technical Tips - http://www.cisco.com/warp/public/707/
@stake Security Vulnerability Reporting Policy - http://www.atstake.com/research/policy/index.html
8. Software Security Audit tools
Linux Security Audit Project - http://lsap.org/
Security-Audit's FAQ - http://lsap.org/faq.txt
@Stake Security Tools archive - http://www.atstake.com/research/tools/index.html
@Stake LC4 - The Password Auditing and Recovery Application - http://www.atstake.com/research/lc/index.html
How to Find Security Holes - http://www.canonical.org/~kragen/security-holes.html
Dmalloc - Debug Malloc Library - http://dmalloc.com/
The debug memory allocation or dmalloc library has been designed as a drop-in replacement for the system's malloc, realloc, calloc, free and other memory management routines while providing powerful debugging facilities configurable at runtime. These facilities include memory-leak tracking, fence-post write detection, file/line number reporting, and general logging of statistics.
Sun Software Security Audit page - http://wwws.sun.com/software/security/audit/
Microsoft .NET Framework Security - http://msdn.microsoft.com/vstudio/techinfo/articles/developerproductivity/frameworksec.asp