Full Disclosure mailing list archives

Re: Break-in discovery and forensics tools


From: Volker Kindermann <fulldisclosure () secspace de>
Date: 23 Apr 2003 09:15:25 +0200

Hi Paul,


> I've been tasked with putting together a CD of tools that can be used
> for analysis of hacked machines.  These would be both tools that can
> determine if a program is trojaned or a file has been altered as well as
> tools that could be used to save forensics data for possible
> prosecution.
>
> Other than Dan and Wietse's TCT, what tools do you think should be
> included?

Besides the already mentioned fire and snarl (which I personally like
more than fire), there are many tools around.

Perhaps take a look at the list archives of
forensics () securityfocus com and incidents () securityfocus com. There have
been discussions about tools there.

Concerning Windows tools, there was a multi-part story at
securityfocus.com: "No Stone Unturned". Search for it and you will find
many pointers to tools, mainly from atstake.com and foundstone.com.

atstake.com has autopsy and task (autopsy is a frontend to task); both
are included in snarl and (perhaps) in fire.

hth

 -volker

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html