< Prev 1 2 3 4 5 6 Next >
Category: Auditing » Forensics
A file change monitor. Used with BlackICE Defender. FileWatch (originally called ICEWatch 1.x) is a small utility that can monitor a given file for changes. Monitoring can detect file size changes or simply file writes, both with minimal impact on system resources (no polling is performed). The primary use of this utility is for monitoring changes in the log file of a personal firewall program and being able to spawn a separate application when changes are detected, but the tool can be applied to any number of other uses.
ModSecurity is an open source intrusion detection and prevention engine for web applications. It operates embedded into the web server, acting as a powerful umbrella - shielding applications from attacks. ModSecurity supports Apache (both branches) today, with support for Java-based servers coming soon.
IDA Pro - Freeware Edition
The freeware version of the Interactive Disassembler Pro. Supports 80x86 binaries and FLIRT, a unique Fast Library Identification and Recognition Technology that automagically recognizes standard compiler library calls. Widely used in COTS validation and hostile code analysis.
Autopsy Forensic Browser
The Autopsy Forensic Browser is an HTML-based graphical interface to The @stake Sleuth Kit (TASK). Together, TASK and Autopsy Forensic Browser are an open source alternative to the common Windows-based digital forensic tools. Autopsy provides an investigator with an HTML-based graphical interface that allows one to browse images from compromised systems in a "File Manager"-like interface. Windows and UNIX file systems can be analyzed to view deleted files, create time lines of file activity, and perform key word searches.
The @stake Sleuth Kit (TASK)
The @stake Sleuth Kit (TASK) is the only open source forensic toolkit for a complete analysis of Microsoft and UNIX file systems. TASK enables investigators to identify and recover evidence from images acquired during incident response or from live systems. TASK is also open source, allowing investigators to verify the actions of the tool or customize it to specific needs.
FIRE, the Forensic and Incident Response Environment, (formerly known as Biatchux) is a portable, bootable CD-ROM-based distribution providing an immediate environment for performing forensics analysis, data recovery, virus scanning, and pen-testing. It also provides the necessary tools for live forensics/analysis/incident response.
Vision, Foundstone's newest forensic product, is an essential part of a computer security professional's tool-kit. Vision maps all of a host's executables to corresponding ports, allowing you to identify and investigate suspicious services. Vision enables you to interrogate suspect services to identify backdoors and Trojan applications. If a malicious service is identified, Vision allows you to immediately kill it.
The Forensic ToolKit
The Forensic ToolKit contains several Win32 Command line tools that help you examine the files on a NTFS disk partition for unauthorized activity. This tool is a file properties analyzer. It performs numerous functions such as examine the files on a disk drive for unauthorized activity, lists files by their last access time, search for access times between certain time frames, scan the disk for hidden files and data streams. The Forensic toolkit will also dump file and security attributes, report on audited files, discover altered ACL's and see if a server reveals too much info via NULL sessions.
A binary file byte-patching utility. This is driven by a simple scripting language. It can patch sequences of bytes in any file, search for byte patterns (with wildcards) and also extract and utilize DLL exported function addresses as source positions in files to be patched.
ListModules lists the modules (EXE's and DLL's) that are loaded into a process. This can for example be useful in a forensic investigation. More information can be found in the ListModules FAQ located here: http://www.ntsecurity.nu/toolbox/listmodules/faq.shtml
Browse by category