Security Forum

Executive Yuan, National Information and Communication Security Taskforce - Technical Service Center - Security Forum http://forum.icst.org.tw/
All times are UTC + 8 hours




Posted: 22 July 2003, 11:47

Joined: 25 September 2002, 10:57
Posts: 8868
From: R.O.C
Tools FIRST commonly uses to collect forensic data

Running Processes

Process list enumeration

·TLIST.exe (Microsoft Tool )
·Fport.exe ( http://www.foundstone.com/resources/ter ... =fport.zip )
·Checksym.exe (Microsoft Tool developed for this toolkit )

Open Handles

· handle.exe ( http://www.sysinternals.com/ntw2k/freeware/handle.shtml )

Profilers

·Reducer.exe (Win2k3 Reskit )
·Kernrate.exe (Win2k3 Reskit )
·Pmon.exe (Win2k3 Reskit )

Installed Services

·sc.exe (built-in )
·net start (built-in )
·sclist.exe

File System

New / Changed / Modified Files

·Dir.exe (built-in )
·Afind.exe (Foundstone )
·Filestat.exe (used to analyze individual files, from NIST )

Open Files

· handle.exe ( http://www.sysinternals.com/ntw2k/freeware/handle.shtml )

Hard Links (Windows 2000 and later )

· hLScan.exe (Win2k3 Reskit )

Offline Files (Client Side Cache )

·Cachemove.exe (Win2k3 Reskit )

Streams

·Lads.exe (best tool: http://www.heysoft.de/Frames/f_sw_la_en.htm )
·streams.exe (SysInternals )
·sfind.exe (Foundstone )

Permissions

·Showacls.exe (Win2k3 Reskit )
·Cacls.exe

Checksums

·Fciv.exe ( http://toolbox/default.aspx?Page=detail ... olID=21661 )
·Md5deep.exe ( http://md5deep.sourceforge.net/ )
·Fsum.exe ( http://www.slavasoft.com/fsum/ )

Integrity

·FSUtil.exe (built-in, XP and higher )

Registry

·Reg.exe (built-in )
·Regdmp.exe (Win2k3 Reskit )
·Reglast.exe ( http://www.heysoft.de/Frames/f_sw_rt_en.htm )
·RegDACL.exe ( http://www.heysoft.de/Frames/f_sw_rt_en.htm )
·Registrar Lite ( http://www.resplendence.com/download )

Users / Groups

·Net User
·Net localgroup
·Net Globalgroup
·IFMember.exe
·DumpSec.exe ( http://www.systemtools.com/cgi-bin/download.pl?DumpAcl )

Permissions

·cacls.exe
·xcacls.exe

Rights Assignment

·DumpSec.exe ( http://www.systemtools.com/cgi-bin/download.pl?DumpAcl )
·showpriv.exe (Windows 2000 Resource kit )

Shares

·Srvcheck.exe (Windows 2000 Resource kit )
·Dumpsec.exe ( http://www.systemtools.com/cgi-bin/download.pl?DumpAcl )

Effective Security Policy

·Auditpol.exe
·Dumpsec.exe
·secedit.exe

Networking

Current Connections

·netstat -an
·fport.exe
·arp -a

Routes

·route print

Network settings

·IPconfig
·Chknic.exe

RPC

·Rpcdump.exe

Event Log Data

·Dumpel.exe (Windows 2000 Resource kit )
·Eldump.exe ( http://www.ibt.ku.dk/jesper/ELDump/default.htm )
·PSLogList.exe ( http://www.sysinternals.com/ntw2k/freew ... list.shtml )
·NTLast.exe ( http://www.foundstone.com/index.htm?sub ... ntlast.htm )

Logged On Users

·PSLoggedOn.exe ( http://www.sysinternals.com/ntw2k/freew ... ools.shtml )
·NTLast.exe (Foundstone )

Scheduled Tasks

·AT

Active Directory / Domain / Group Policy Information

·Domain Users
·LDP.exe
·GPEdit.exe
·GPOTool.exe (Windows 2000 Resource kit )
·GPResult.exe (Windows 2000 Resource kit )
·Secedit.exe

Shares

·Net share
·Srvcheck.exe (Windows 2000 Resource kit )
·Enum ( http://razor.bindview.com/tools/desc/enum_readme.html )

Windows Version

·PSInfo.exe ( http://www.sysinternals.com/ntw2k/freew ... ools.shtml )

Patch Status

· hFNetchk

Time

Local Time

·Now.exe (Windows 2000 Resource kit )

Network Time

·Net Time

·CMDTime3.exe

Log Timing

·Logtime.exe (Windows 2000 Resource kit )

General Enumeration

·Srvinfo.exe (Windows 2000 Resource kit )
·PSInfo.exe ( http://www.sysinternals.com/ntw2k/freew ... ools.shtml )


Posted: 22 July 2003, 12:00

Joined: 25 September 2002, 10:57
Posts: 8868
From: R.O.C
· handle.exe ( http://www.sysinternals.com/ntw2k/freeware/handle.shtml )

Output

Handle v2.01
Copyright (C) 1997-2001 Mark Russinovich
Sysinternals - www.sysinternals.com

------------------------------------------------------------------------------
System pid: 8 NT AUTHORITY\SYSTEM
d8: File C:\pagefile.sys
1c4: File C:\WINNT\CSC\00000001
------------------------------------------------------------------------------
System Idle Process pid: 0 <unable to open process>
------------------------------------------------------------------------------
SMSS.EXE pid: 148 NT AUTHORITY\SYSTEM
14: File C:\WINNT
2c: File C:\WINNT\system32
------------------------------------------------------------------------------
CSRSS.EXE pid: 172 NT AUTHORITY\SYSTEM
18: File C:\WINNT\system32
34: Section \NLS\NlsSectionUnicode
3c: Section \NLS\NlsSectionLocale
40: Section \NLS\NlsSectionCType
44: Section \NLS\NlsSectionSortkey
48: Section \NLS\NlsSectionSortTbls
2ac: File C:\WINNT\system32\ega.cpi
------------------------------------------------------------------------------
WINLOGON.EXE pid: 168 NT AUTHORITY\SYSTEM
18: File C:\WINNT\system32
b4: File C:\WINNT\twain_32\fjscan\fcpa
164: Section \BaseNamedObjects\mmGlobalPnpInfo
17c: Section \BaseNamedObjects\WDMAUD_Callbacks
1b0: File C:\WINNT\system32\dllcache
1d4: File C:\WINNT\system32\IME\CINTLGNT
1d8: File C:\WINNT\system32\inetsrv
1dc: File C:\Program Files\Windows NT\Games
1e0: File C:\WINNT\system32
1e4: File C:\WINNT\twain_32\miitwain
1e8: File C:\WINNT\system32\drivers
1f8: File C:\Program Files\Common Files\Microsoft Shared\Triedit
33c: File C:\Program Files\Windows NT\Accessories
340: File C:\Program Files\Internet Explorer
344: File C:\Program Files\Common Files\Microsoft Shared\MSInfo
348: File C:\WINNT\twain_32\logiscan
34c: File C:\Program Files\NetMeeting
350: File C:\Program Files\Windows NT\Pinball
354: File C:\WINNT\system32\rpcproxy
358: File C:\WINNT\system32\IME\TINTLGNT
35c: File C:\WINNT\Speech
360: File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\isapi\_vti_adm
364: File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\_vti_bin\_vti_adm
368: File C:\WINNT\msagent
36c: File C:\WINNT\msagent\intl
370: File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\isapi\_vti_aut
374: File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\_vti_bin\_vti_aut
378: File C:\WINNT\system
37c: File C:\WINNT\Help
380: File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bin
384: File C:\WINNT\system32\wbem
388: File C:\WINNT\system32\Com
38c: File C:\WINNT\system32\Setup
390: File C:\Program Files\Outlook Express
394: File C:\Program Files\Common Files\Microsoft Shared\DAO
398: File C:\WINNT
39c: File C:\Program Files\Windows NT
3a0: File C:\WINNT\system32\drivers\disdn
3a4: File C:\Program Files\Common Files\System
3c0: File C:\WINNT\Fonts
40c: File C:\WINNT\system32\os2\dll
454: File C:\WINNT\inf
458: File C:\WINNT\system32\export
45c: File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\servsupp
460: File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar
464: File C:\Program Files\microsoft frontpage\version3.0\bin
468: File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\admcgi\scripts
46c: File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\admisapi\scripts
470: File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\isapi
474: File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bin\1028
478: File C:\WINNT\system32\mui\0804
47c: File C:\Program Files\Internet Explorer\Connection Wizard
480: File C:\WINNT\ime\imejp
484: File C:\Program Files\Windows Media Player
488: File C:\WINNT\mww32\manager
48c: File C:\Program Files\Common Files\System\msadc
490: File C:\Program Files\Common Files\System\ado
494: File C:\Program Files\Common Files\System\Ole DB
498: File C:\WINNT\system32\rocket
4a4: File C:\WINNT\system32\npp
52c: File C:\WINNT\mww32\modem
530: File C:\WINNT\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}
53c: File C:\Program Files\Common Files\Microsoft Shared\SpeechEngines\TTS
540: File C:\Program Files\Windows NT\Accessories\ImageVue
544: File C:\WINNT\system32\spool\drivers\color
550: File C:\WINNT\system32\spool\prtprocs\w32x86
558: File C:\Program Files\Common Files\Microsoft Shared\VGX
55c: File C:\WINNT\AppPatch
560: File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\_vti_bin
794: File \Dfs
7d4: Section \BaseNamedObjects\__R_0000000000cd_SMem__
------------------------------------------------------------------------------
SERVICES.EXE pid: 220 NT AUTHORITY\SYSTEM
18: File C:\WINNT\system32
178: File C:\WINNT\security\logs\scepol.log
29c: File C:\WINNT\system32\config\AppEvent.Evt
2ac: File C:\WINNT\system32\config\SecEvent.Evt
2bc: File C:\WINNT\system32\config\SysEvent.Evt
428: File C:\WINNT\system32\drivers\etc
724: File C:\$Extend\$ObjId
754: File C:
780: File C:\System Volume Information\tracking.log
------------------------------------------------------------------------------
LSASS.EXE pid: 232 NT AUTHORITY\SYSTEM
18: File C:\WINNT\system32
164: File C:\WINNT\Debug\PASSWD.LOG
2e8: File C:\WINNT\Debug\Netlogon.log
434: File C:\WINNT\Debug\ipsecpa.log
48c: File C:\WINNT\Debug\oakley.log
------------------------------------------------------------------------------
svchost.exe pid: 396 NT AUTHORITY\SYSTEM
18: File C:\WINNT\system32
1b4: Section \BaseNamedObjects\RotHintTable
1b8: File \Dfs
25c: Section \BaseNamedObjects\__R_0000000000cd_SMem__
------------------------------------------------------------------------------
svchost.exe pid: 440 NT AUTHORITY\SYSTEM
18: File C:\WINNT\system32
224: File C:\WINNT\Registration\R0000000000cd.clb
228: Section \BaseNamedObjects\__R_0000000000cd_SMem__
240: Section \BaseNamedObjects\SENS Information Cache
------------------------------------------------------------------------------
spoolsv.exe pid: 488 NT AUTHORITY\SYSTEM
18: File C:\WINNT\system32
2f4: Section \BaseNamedObjects\__R_0000000000cd_SMem__
------------------------------------------------------------------------------
DefWatch.exe pid: 560 NT AUTHORITY\SYSTEM
18: File C:\WINNT\system32
------------------------------------------------------------------------------
mdm.exe pid: 588 NT AUTHORITY\SYSTEM
18: File C:\WINNT\system32
138: Section \BaseNamedObjects\__R_0000000000cd_SMem__
------------------------------------------------------------------------------
Rtvscan.exe pid: 696 NT AUTHORITY\SYSTEM
254: Section \BaseNamedObjects\LDVP_LPC_BLOCKS
2d0: Section \BaseNamedObjects\PscanStatBlock
394: File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine
4c0: Section \BaseNamedObjects\LNExtMapFile
4f8: File C:\Program Files\Symantec_Client_Security\Symantec AntiVirus
504: Section \BaseNamedObjects\LANDesk VPMEC MemFile
618: Section \BaseNamedObjects\__R_0000000000cd_SMem__
------------------------------------------------------------------------------
PGPsdkServ.exe pid: 724 NT AUTHORITY\SYSTEM
18: File C:\WINNT\system32
------------------------------------------------------------------------------
regsvc.exe pid: 772 NT AUTHORITY\SYSTEM
18: File C:\WINNT\system32
------------------------------------------------------------------------------
mstask.exe pid: 788 NT AUTHORITY\SYSTEM
18: File C:\WINNT\system32
6c: File C:\WINNT\SchedLgU.Txt
1bc: File C:\WINNT\Tasks
------------------------------------------------------------------------------
vmware-authd.ex pid: 840 NT AUTHORITY\SYSTEM
18: File C:\WINNT\system32
------------------------------------------------------------------------------
VMnetDHCP.exe pid: 860 NT AUTHORITY\SYSTEM
18: File C:\WINNT\system32
7c: File C:\WINNT\system32\vmnetdhcp.leases
------------------------------------------------------------------------------
vmnat.exe pid: 872 NT AUTHORITY\SYSTEM
18: File C:\WINNT\system32
------------------------------------------------------------------------------
WinMgmt.exe pid: 892 NT AUTHORITY\SYSTEM
18: File C:\WINNT\system32
8c: File C:\WINNT\system32\wbem\mof
14c: Section \BaseNamedObjects\__R_0000000000cd_SMem__
------------------------------------------------------------------------------
MsPMSPSv.exe pid: 904 NT AUTHORITY\SYSTEM
18: File C:\WINNT\system32
------------------------------------------------------------------------------
svchost.exe pid: 916 NT AUTHORITY\SYSTEM
18: File C:\WINNT\system32
168: Section \BaseNamedObjects\__R_0000000000cd_SMem__
1ec: File C:\WINNT\system32\sens.dll
26c: File C:\WINNT\system32\STDOLE2.TLB
------------------------------------------------------------------------------
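As an added example that is not part of the original post, the following Python script parses output in the handle.exe v2.01 layout shown above into per-process handle lists and then answers the question a responder brings to such output: which process holds a given file open (in the output above, for instance, LSASS.EXE holds C:\WINNT\Debug\PASSWD.LOG and SERVICES.EXE holds the three .Evt event logs). The SAMPLE text is a constructed excerpt of that output, and the function names are mine, not handle.exe's.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt of handle.exe v2.01 output, in the layout shown in the post above.
SAMPLE = r"""Handle v2.01
Sysinternals - www.sysinternals.com
------------------------------------------------------------------------------
System Idle Process pid: 0 <unable to open process>
------------------------------------------------------------------------------
SERVICES.EXE pid: 220 NT AUTHORITY\SYSTEM
29c: File C:\WINNT\system32\config\AppEvent.Evt
2ac: File C:\WINNT\system32\config\SecEvent.Evt
------------------------------------------------------------------------------
LSASS.EXE pid: 232 NT AUTHORITY\SYSTEM
164: File C:\WINNT\Debug\PASSWD.LOG
------------------------------------------------------------------------------
mstask.exe pid: 788 NT AUTHORITY\SYSTEM
6c: File C:\WINNT\SchedLgU.Txt
1bc: File C:\WINNT\Tasks
"""

HEADER_RE = re.compile(r"^(?P<image>.+?)\s+pid:\s*(?P<pid>\d+)\s+(?P<owner>.*)$")
HANDLE_RE = re.compile(r"^\s*(?P<handle>[0-9A-Fa-f]+):\s+(?P<type>\S+)\s+(?P<name>.*)$")

@dataclass
class Process:
    image: str
    pid: int
    owner: str                                    # account, or "<unable to open process>"
    handles: list = field(default_factory=list)   # (handle value, object type, object name)

def parse_handle_output(text):
    """Block header "<image> pid: <n> <owner>", then one "<hex>: <Type> <name>" line per handle."""
    procs, cur = [], None
    for line in text.splitlines():
        if not line.strip() or line.startswith("---"):   # skip blanks and dashed separators
            continue
        m = HEADER_RE.match(line)
        if m:
            cur = Process(m["image"], int(m["pid"]), m["owner"])
            procs.append(cur)
        elif cur is not None and (m := HANDLE_RE.match(line)):
            cur.handles.append((int(m["handle"], 16), m["type"], m["name"]))
    return procs

def who_holds(procs, fragment):
    """Processes holding an object whose name contains `fragment` (case-insensitive)."""
    frag = fragment.lower()
    return [(p.image, p.pid, name) for p in procs for _, _, name in p.handles if frag in name.lower()]
```

Feed the real handle.exe capture to parse_handle_output instead of SAMPLE and query who_holds for the log, task and registry paths you care about.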


Posted: 26 October 2005, 17:45

Joined: 23 June 2004, 00:40
Posts: 11
Could you also explain when these tools should be used,

and what the analysis results obtained from the data mean?

Thanks~

_________________
beagra =================
A small soldier working hard toward the information security field
@pchome.com.tw
======================


Posted: 30 March 2006, 01:27

Joined: 30 March 2006, 01:17
Posts: 17
I suggest referring to the following web pages....

It should be a pretty good solution....

http://www.niksun.com/Solutions_Forensics.htm

http://www.niksun.com/NetDetectorLive.htm

http://rickjychen.blogspot.com/

^^


Posted: 4 April 2006, 11:14

Joined: 24 February 2005, 14:19
Posts: 89
Is there a Chinese version? :lol:


Subject: NiKSUN Case Study
Posted: 16 May 2006, 02:52

Joined: 30 March 2006, 01:17
Posts: 17
http://rickjychen.googlepages.com/niksunwinsinfoworld%27s2006technologyoftheyearaward
http://rickjychen.googlepages.com/niksuncasestudy

