Saturday, May 27, 2006

What's in YOUR wallet?

By "wallet", I'm referring to your CD wallet, or more specifically, your toolkit.

What tools do you use during Windows IR/CF activities?

What are your favorite/most relied upon tools for Windows Incident Response?

What tools do you use, in addition to the popular forensic suites (FTK, EnCase, PyFlag, ProDiscover, TSK, etc.), when analyzing a Windows system image, regardless of platform?

Finally, what tools would you like to see? What are some of the tools that you'd like to have that you just can't find? What are you trying to accomplish, specific to Windows IR/CF analysis, that you simply cannot find a tool to help you?

Think of this as a Windows IR/CF Top 75 Tools list. I'll accumulate responses here, and any I receive via email, and post the list.

4 comments:

Anonymous said...

Personally, I'd like to see some of the Perl scripts ported to Linux -- for those of us who have your book but lack the programming skills to do the port. For example, I would benefit greatly from a Linux port of your Offline Registry Parser. If you don't have a Linux box available, and one of your other/many readers has already done this, maybe they'd be willing to share? Please!

H. Carvey said...

Anonymous,

Could you narrow down which scripts you're referring to?

For example, the Offline Registry Parser ALREADY runs on Linux, as well as the Mac.

If you've had a problem running it on Linux, I'd love to know about it.

Also, the Windows 2000 Memory dump tools should run on Linux...there's nothing in the code that is specific to Windows.

Finally, please read the final paragraph of the previous blog entry:
http://windowsir.blogspot.com/2006/05/sf-updates-info.html

Thanks,

Harlan

Anonymous said...

My problem is that I don't know enough about debugging Perl code. For example, I assumed (I know, BAD idea!) that the following error messages related to issues with the code that were Windows-only, and that porting the code to Linux would resolve them. I'll read through the code some more.
Either way, thank you very much for all of your tools -- and your hard work. Seriously!


linux@amdbox:~> regp.pl ntuser.dat > ntuser.dat.txt
Useless use of reference constructor in void context at /home/cms/bin/regp.pl line 136
Useless use of reference constructor in void context at /home/cms/bin/regp.pl line 142
Useless use of reference constructor in void context at /home/cms/bin/regp.pl line 166
Useless use of reference constructor in void context at /home/cms/bin/regp.pl line 169
Useless use of reference constructor in void context at /home/cms/bin/regp.pl line 74
Use of uninitialized value in concatenation (.) or string at /home/cms/bin/regp.pl line 438
Use of uninitialized value in concatenation (.) or string at /home/cms/bin/regp.pl line 438
Use of uninitialized value in concatenation (.) or string at /home/cms/bin/regp.pl line 438
Use of uninitialized value in concatenation (.) or string at /home/cms/bin/regp.pl line 438
etc.
etc.
etc.

H. Carvey said...

Anonymous,

Those are warnings...thanks for posting them. I can go back and clean up those little bits and pieces in the code.

Let me ask you this...what's in ntuser.dat.txt after you ran the code?
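Both message classes in the thread above are Perl runtime warnings, not errors, and neither is Windows-specific. The following is an added example written for this page, not code from regp.pl or from the author's book; it reproduces each warning with a constructed key/value sample (standing in for registry data) and shows the portable fix beside it. Function and variable names are illustrative.

```perl
#!/usr/bin/perl
# Added example: reproduces the two warning classes seen when running a
# Perl parser under "use warnings" (or -w) and shows how to silence each.
use strict;
use warnings;

# --- "Useless use of reference constructor in void context" ---
# A statement that builds a reference (\@array, \%hash) but never stores
# or uses it. Perl evaluates it, discards the result, and warns. Same
# behaviour on Windows, Linux and Mac.
sub noisy_ref {
    my @fields = (1, 2, 3);
    \@fields;               # warns: reference built, then thrown away
    return scalar @fields;
}

# Fix: drop the dead statement, or actually use the reference.
sub quiet_ref {
    my @fields = (1, 2, 3);
    my $ref = \@fields;     # stored and used, so no warning
    return scalar @{$ref};
}

# --- "Use of uninitialized value in concatenation (.) or string" ---
# Interpolating an undef value into a string. Typical in a parser when a
# record lacks an optional field: output is still written, just with an
# empty spot where the value would have been.
sub noisy_concat {
    my ($name, $value) = @_;   # $value may be undef for a valueless key
    return "$name = $value";   # warns when $value is undef
}

# Fix: give the field an explicit default before using it. The ternary
# form works on any Perl 5; "//" (defined-or) needs 5.10 or later.
sub quiet_concat {
    my ($name, $value) = @_;
    $value = defined $value ? $value : '(no value)';
    return "$name = $value";
}

# Constructed sample standing in for registry key/value pairs; one key
# deliberately has no value so the second warning fires.
my %sample = (
    'Software\\Example' => 'data',
    'Software\\Empty'   => undef,
);

print noisy_ref(), "\n";     # warning on STDERR, output on STDOUT
print quiet_ref(), "\n";
for my $key (sort keys %sample) {
    print noisy_concat($key, $sample{$key}), "\n";
    print quiet_concat($key, $sample{$key}), "\n";
}
```

Warnings go to STDERR while parsed output goes to STDOUT, so a redirect such as `regp.pl ntuser.dat > ntuser.dat.txt` still captures the parser's results; adding `2> warnings.log` keeps the warnings for review without mixing them into the output file.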