Helix3

From ForensicsWiki
{{Infobox_Software |
  name = Helix |
  maintainer = [[e-fense]] |
  os = {{Linux}}, {{Windows}}, {{Solaris}} |
  genre = {{Live CD}} |
  license = {{GPL}}, others |
  website = [http://www.e-fense.com/helix/ e-fense.com/helix/] |
}}
 
  
'''Helix''' is a [[Live CD]] built on top of [[Knoppix]]. It focuses on [[Incident Response|incident response]] and [[computer forensics]].
 
 
== Tools included ==
 
 
===Bootable Side:===
 
 
'''2hash'''  (v. 0.2 )  [http://trog.qgl.org/show.html?id=2477783]
 
A simple GPL tool to calculate the md5 and sha1 hashes of a file in a single read.  If you're regularly checking/calculating hashes of large files this'll save you a lot of disk IO.
 
 
'''Adepto''' With AFF Support  (v. 2.0 ) [http://www.e-fense.com/helix/]
 
e-fense Imaging program utilizing dcfldd. 
 
 
'''AFF''' (aimage)  (v. 1.6.31 )  [http://www.afflib.org/]
 
The Advanced Forensic Format (AFF) is an extensible open format for the storage of disk images. It provides built-in features such as compression, hash-code verification and metadata management. AFFLib provides AFF-specific tools such as:
* aimage: creation of AFF images
* afcat: generate a DD image from an AFF one
* afcompare: verify an AFF image against its derived DD image
* afinfo: validation of an AFF image's hash codes (md5, sha1)
AFFLib is developed by Simson L. Garfinkel.
 
 
'''Air'''  (v. 1.2.8 )  [http://air-imager.sourceforge.net/]
 
AIR (Automated Image & Restore) is a GUI front-end to dd/dcfldd designed for easily creating forensic bit images.  Supports verification via MD5/SHA1, SCSI tape drives, imaging over a TCP/IP network, splitting images, and detailed session logging.
 
 
'''Autopsy'''  (v. 2.08 )  [http://www.sleuthkit.org/index.php]
 
The Autopsy Forensic Browser is a graphical interface to the command line digital investigation tools in The Sleuth Kit.  Together, they allow you to investigate the file system and volumes of a computer. 
 
 
'''chkrootkit'''  (v. 0.46 )  [http://www.chkrootkit.org/] 
 
Shell script that checks system binaries for rootkit modification.
 
 
'''chntpw'''  (v. 0.99.2 040105 )  [http://home.eunet.no/pnordahl/ntpasswd/]
 
chntpw is a Linux utility to (re)set the password of any user that has a valid (local) account on your WinNT or Win2000 system, by modifying the crypted password in the registry's SAM file.  You do not need to know the old password to set a new one.  It works offline (i.e., you have to shut down your computer and boot off a Linux floppy disk).  The bootdisk includes what is needed to access NTFS partitions and scripts to glue the whole thing together.  This utility works with SYSKEY and includes the option to turn it off.  A bootdisk image is provided.
 
 
'''Clamav''' (v. 0.88.4 )  [http://www.clamav.net/stable.php]
 
Anti-Virus program. 
 
 
[[dcfldd]]  (v. 1.3.4 )  [http://dcfldd.sourceforge.net/]
 
dcfldd is an enhanced version of GNU dd with features useful for forensics and security.
 
 
'''endeavour2''' File Manager  (v. 2.7.1 )  [http://wolfpack.twu.net/Endeavour2/]
 
Endeavour Mark II is a complete file management suite with a file manager, image browser, archiver, recycled objects system, and a set of file and disk management utility programs. It supports disk drive mounting, a fully customizable window appearance, a MIME Types system, and interapplication drag & drop support for KDE and GNOME compatibility (although KDE and GNOME are not required).
 
 
'''Ethereal'''  (v. 0.10.13)  [http://www.ethereal.com/]
 
Ethereal is used by professionals around the world for troubleshooting, analysis, software and protocol development, and education.  It has all of the standard features you would expect in a protocol analyzer, and several features not seen in any other product. 
 
 
'''e2recover'''  (v. 1.0 )  [http://www.tucows.com/preview/8192]
 
These are tools to assist in recovering deleted files from ext2 file systems.
 
 
'''e2undel'''  (v. 0.82 )  [http://e2undel.sourceforge.net/]
 
This is an interactive console tool that recovers the data of deleted files on an ext2 file system under Linux. 
 
 
'''fatback'''  (v. 1.3 )  [http://sourceforge.net/project/showfiles.php?group_id=46038]
 
A program used to recover deleted files from a FAT file system. 
 
 
[[Mozilla Firefox|Firefox]]  (v. 1.5.0.1 )  [http://www.mozilla.com/en-US/firefox/all.html]
 
Graphical Internet browser. 
 
 
'''foomatic-gui'''  (v. 0.7.4.17 )  [http://freshmeat.net/projects/foomatic-gui/]
 
Foomatic is a database-driven system for integrating free software printer drivers with common spoolers under Unix.  It supports CUPS, LPRng, LPD, GNUlpr, Solaris LP, PPR, PDQ, CPS, and direct printing with every free software printer driver known to us and every printer known to work with these drivers. 
 
 
[[foremost]]  (v. 1.3 )  [http://foremost.sourceforge.net/]
 
Foremost is a console program to recover files based on their headers, footers, and internal data structures.  This process is commonly referred to as data carving.  Foremost can work on image files, such as those generated by dd, Safeback, Encase, etc, or directly on a drive.  The headers and footers can be specified by a configuration file or you can use command line switches to specify built-in file types.  These built-in types look at the data structures of a given file format allowing for a more reliable and faster recovery. 
 
 
'''ftimes'''  (v. 3.4.0 )  [http://ftimes.sourceforge.net/FTimes/]
 
FTimes is a system baselining and evidence collection tool.  The primary purpose of FTimes is to gather and/or develop topographical information and attributes about specified directories and files in a manner conducive to intrusion and forensic analysis.
 
 
'''galleta'''  ( v. 1.0 )  [http://www.foundstone.com/resources/proddesc/galleta.htm]
 
Galleta will parse the information in a Cookie file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program. Galleta is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms. 
 
 
'''Gcombust''' - Graphical CD Burner (v. 0.1.55-2 ) [http://www.abo.fi/~jmunsin/gcombust/]
 
gcombust is a GTK+ frontend for mkisofs, mkhybrid, cdrecord, and cdlabelgen.  It has primitive support for controlling the directory (root) structure and size of an image without copying files/symlinking or writing 10 lines of arguments.  It can also maximize disk usage by hinting at which directories/files to use. 
 
 
'''GHex'''  (v. 2.8.1 )  [http://directory.fsf.org/ghex.html]
 
GHex is a simple binary editor.  It lets users view and edit a binary file in both hex and ASCII with a multiple level undo/redo mechanism.  Features include find and replace functions, conversion between binary, octal, decimal and hexadecimal values, and use of an alternative, user-configurable MDI concept that lets users edit multiple documents with multiple views of each. 
 
 
'''GQView'''  (v. 2.0.1 )  [http://gqview.sourceforge.net/]
 
An image browser that features single click access to view images and move around the directory tree. 
 
 
'''Graveman''' - Graphical CD Burner  (v. 0.3.12-4-2.1 ) [http://graveman.tuxfamily.org/]
 
GRAVEMAN is a GUI frontend for CD-R tools (cdrecord, readcd, and mkisofs), cdrdao, DVD+RW tools (growisofs and dvd+rw-format), and sox. It allows you to burn audio CDs (from WAV, Ogg, MP3, or FLAC files) and data CDs or DVDs, and allows you to duplicate CDs.
 
 
'''grepmail'''  (v. 5.3032 )  [http://grepmail.sourceforge.net/]
 
grepmail searches a normal or compressed mailbox (gzip, bzip2, or tzip) for a given regular expression and returns those emails that match the query.  It also supports searches constrained by date and size.
 
 
'''linen'''  (v. 5.05f )  [https://www.guidancesoftware.com/]
 
Linen (EnCase for Linux) is Guidance Software's method of acquisition on Linux machines.  Its interface is similar to that of EnCase for DOS, but the underlying process is completely different from EnCase for DOS. 
 
 
'''md5deep''' Suite  (v. 1.12)  [http://md5deep.sourceforge.net/]
 
md5deep is a cross-platform set of programs to compute MD5, SHA-1, SHA-256, Tiger, or Whirlpool message digests on an arbitrary number of files.  The programs run on Windows, Linux, Cygwin, *BSD, OS X, Solaris, and should run on most other platforms.  md5deep is similar to the md5sum program found in the GNU Coreutils package. 
 
 
'''mac_grab'''  (v. 1.0 )  [http://www.e-fense.com/helix/]
 
An e-fense-created program that grabs all of the MAC times from a system. 
 
 
'''Magicrescue'''  (v. 1.1.4 )  [http://jbj.rapanden.dk/magicrescue/]
 
Magic Rescue scans a block device for file types it knows how to recover and calls an external program to extract them.  It looks at "magic bytes" in file contents, so it can be used both as an undelete utility and for recovering a corrupted drive or partition.  As long as the file data is there, it will find it.  It works on any file system, but on very fragmented file systems it can only recover the first chunk of each file.  Practical experience (this program was not written for fun) shows, however, that chunks of 30-50MB are not uncommon. 
 
 
'''NTFS-3G'''  (v. 2006-08-22-BETA )  [http://www.ntfs-3g.org/]
 
Finally Linux has full read-write open source NTFS support!  Preliminary benchmarks show that the still unoptimized driver is already sometimes twice as fast as ext3 and 20-50 times faster than the commercial Paragon NTFS.  Interestingly, Captive NTFS, which uses the native Windows NTFS driver, fails all benchmarks with file loss.
 
 
'''Outguess'''  (v. 0.2 )  [http://www.outguess.org/]
 
Improved version of stegdetect released.  Stegdetect now supports linear discriminant analysis to detect any JPEG-based stego system.  It also features improved detection of F5. 
 
 
'''pasco'''  (v. 1.0 )  [http://www.foundstone.com/resources/proddesc/pasco.htm]
 
Pasco will parse the information in an index.dat file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program.  Pasco is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms. 
 
'''PyFlag'''  (v. 0.80.1 )  [http://pyflag.sourceforge.net/] 
 
FLAG (Forensic and Log Analysis GUI) was designed to simplify the process of log file analysis and forensic investigations.  Often, when investigating a large case, a great deal of data needs to be analyzed and correlated.  PyFlag uses a database as a backend to assist in managing the large volumes of data.  This allows PyFlag to remain responsive and expedite data manipulation operations. 
 
 
'''qtparted'''  (v. 0.4.5-cvs )  [http://qtparted.sourceforge.net/]
 
QTParted is a Partition Magic clone written in C++ using the Qt toolkit. 
 
 
'''Retriever'''  (v. 2.0 )  [http://www.e-fense.com/helix/]
 
An e-fense-created program that gives a quick look at a “live” system and identifies graphic images, Word documents and other file types. 
 
 
'''rkhunter'''  (v. 1.2.7 )  [http://rkhunter.sourceforge.net/] 
 
Rootkit Hunter scans files and systems for known and unknown rootkits, backdoors, and sniffers.  The package contains one shell script, a few text-based databases, and optional Perl modules.  It should run on almost every Unix clone. 
 
 
'''regviewer'''  (v. 0.1 )  [http://sourceforge.net/projects/regviewer/] 
 
RegViewer is a GTK 2.2-based GUI navigator for Windows registry files.  It is platform independent, allowing examination of Windows registry files from any platform, and is particularly useful when conducting forensics of Windows files from *nix systems.
 
 
'''rifiuti'''  (v. 1.0 )  [http://www.foundstone.com/resources/proddesc/rifiuti.htm]
 
Rifiuti will parse the information in an INFO2 file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program.  Rifiuti is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms. 
 
 
'''Scalpel'''  (v. 1.54 )  [http://www.digitalforensicssolutions.com/Scalpel/]
 
A digital forensics tool used for carving data from image files based upon the configuration file requirements.  This program replaces foremost. 
 
 
'''Sleuthkit'''  (v. 2.06 )  [http://www.sleuthkit.org/index.php]
 
The Sleuth Kit (TSK) is a collection of UNIX-based command line tools that allow you to investigate a computer.  The current focus of the tools is the file and volume systems and TSK supports FAT, Ext2/3, NTFS, UFS, and ISO 9660 file systems. 
 
 
'''ssdeep'''  (v. 1.1 )  [http://ssdeep.sourceforge.net/]
 
Computes a checksum based on context triggered piecewise hashes for each input file.  If requested, the program matches those checksums against a file of known checksums and reports any possible matches.  Output is written to standard out and errors to standard error.  Input from standard input is not supported. 
 
 
'''stegdetect'''  (v. 0.6 )  [http://www.outguess.org/detection.php]
 
An automated tool for detecting steganographic content in images.  It is capable of detecting several different steganographic methods to embed hidden information in JPEG images.  Currently, the detectable schemes are: jsteg, jphide (unix and windows), invisible secrets, outguess 01.3b, F5 (header analysis), appendX and camouflage.  Stegbreak is used to launch dictionary attacks against JSteg-Shell, JPHide and OutGuess 0.13b.
 
 
'''Totem'''  (v. 1.2.1-3 )  [http://www.gnome.org/projects/totem/] 
 
A simple video media player for the Gnome desktop. 
 
 
'''Xfprot'''  (v. 1.13 )  [http://web.tiscali.it/sharp/xfprot/] 
 
XFPROT is a graphical front end to the F-Prot Antivirus(TM) for Linux Small Business Edition from version 3.12b up to version 4.6.x. F-Prot Antivirus(TM) for Linux is Copyrighted by Frisk Software International and is free of charge for personal use and downloadable at www.f-prot.com. 
 
 
'''xhfs'''  (v. 3.2.6 )  [http://www.mars.org/home/rob/proj/hfs/] 
 
xhfs presents a graphical front-end for browsing and copying files on HFS-formatted volumes.  This is a Macintosh HFS File Browser. 
 
 
'''Xine-ui'''  (v. 0.99.3 )  [http://xinehq.de/] 
 
xine is a free multimedia player.  It plays back CDs, DVDs, and VCDs.  It also decodes multimedia files like AVI, MOV, WMV, and MP3 from local disk drives, and displays multimedia streamed over the Internet.  It interprets many of the most common multimedia formats available - and some of the most uncommon formats, too. 
 
 
'''Xmms'''  (v. 1.2.10 )  [http://freshmeat.net/projects/xmms/] 
 
XMMS is a multimedia player based on the look of WinAmp. XMMS plays MPEG layer 1/2/3, Ogg Vorbis, WAV, all formats supported by libmikmod, and CD audio. XMMS has a plugin system for Input / Output / Effects / Visualization, and through plugins it can play a lot more sound and video formats. 
 
'''xpdf'''  (v. 3.01 )  [http://www.foolabs.com/xpdf/]
 
Xpdf is a viewer for Portable Document Format (PDF) files. (These are also sometimes called 'Acrobat' files, from the name of Adobe's PDF software.) The Xpdf project also includes a PDF text extractor, PDF-to-PostScript converter, and various other utilities. It runs under the X Window System on UNIX, VMS, and OS/2.
 
 
 
===Live Windows Side:===
 
 
'''Access PassView'''  (v. 1.12 )  [http://www.nirsoft.net/utils/accesspv.html]
 
This utility reveals the database password of every password-protected mdb file that was created with Microsoft Access 95/97/2000/XP or with Jet Database Engine 3.0/4.0.  It can be very useful if you forgot your Access database password and want to recover it.
 
'''Asterisk Logger'''  (v. 1.02 )  [http://www.nirsoft.net/utils/astlog.html]
 
Many applications, like CuteFTP, CoffeeCup Free FTP, VNC, IncrediMail, Outlook Express, and others, allow you to type a password for use in the application. The typed password is not displayed on the screen; instead of the real password, you see a sequence of asterisk ('****') characters. This utility can reveal the passwords stored behind the asterisks in standard password text-boxes.
 
'''Drive Manager'''  (v. 3.23 )  [http://www.alexnolan.net/software/driveman.htm]
 
Drive Manager has been written to help you easily identify drives which are of the same type.  As well as displaying the volume label, it also displays vendor information so that multiple CD/DVD drives and removable drives such as USB thumb drives can be differentiated by their manufacturer’s name, version and revision date.  The serial number can also be seen as a unique ID for each drive. 
 
 
'''FAU'''  (v. 1035 )  [http://users.erols.com/gmgarner/forensics/]
 
Incident Response tool that can be used to image a system’s memory as well as any attached devices. 
 
 
'''Forensic Server Project'''  (v. 1.0 )  [http://www.windows-ir.com/fsp.html]
 
The Forensic Server Project (FSP) is a proof of concept tool for retrieving volatile (and some non-volatile) data from potentially compromised systems.  The FSP consists of several Perl scripts and third-party utilities.  The server component of the FSP is run on an investigator or administrator's system, and handles all data storage and activity logging.  The client components (i.e., FRU.pl and supporting Perl scripts and tools) of the FSP are burned to a CD, and run from the CD drive of the potentially compromised system.  Data is copied to the server component via TCP/IP.
 
 
'''FTK Imager'''  (v. 2.5.1 )  [http://www.accessdata.com/support/downloads/] 
 
FTK Imager allows you to acquire physical device images and logically view data from FAT, NTFS, EXT 2 and 3 as well as HFS and HFS+ file systems.  Additionally, FTK Imager allows you to truly multi-task by creating multiple images from a single source and / or multiple images simultaneously. FTK Imager generates DD, SMART and Encase® images and reads several other industry standard formats.  With Isobuster technology built in, FTK Imager provides ready access to CDFS and DVD file systems - to include multi and open session CDs.
 
 
'''galleta ''' ( v. 1.0 )  [http://www.foundstone.com/resources/proddesc/galleta.htm]
 
Galleta will parse the information in a Cookie file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program.  Galleta is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms. 
 
 
'''HoverSnap'''  (v. 0.8 )  [http://www.hoverdesk.net/freeware.htm]
 
HoverSnap is a free handy snapshot tool with jpg, png, bmp and gif support.  HoverSnap can take snapshots of the full screen, active window or a selected area.  It can even capture layered windows (alphablended ones under 2K / XP).  You can even FTP upload your screenshots!  You can set up the capture folder / filename and format.  You can reduce the capture size.  Auto-generate filename option will add the time stamp (date/time) to your filename in order to be able to take several captures without having to change the filename.  Optional sound when capture is done.
 
 
'''IECookiesView'''  (v. 1.70 )  [http://www.nirsoft.net/utils/iecookies.html]
 
IECookiesView is a small and handy utility that displays the details of all cookies that IE stores on your computer.  In addition, it allows you to sort the cookies, delete selected ones, and view detailed information about each one and even save the cookies to a readable text file.  If you are connected to a network, you can watch the cookies of other computers, as long as you have a read permission on the cookies folder and under Windows 2000, you can view the cookies of other users (admin rights).  IECookiesView also allows you to view references to deleted cookies that are still stored in the index.dat file. 
 
 
'''IEHistoryView'''  (v. 1.32 )  [http://www.nirsoft.net/utils/iehv.html]
 
IEHistoryView allows you to view and modify the history of visited websites in Internet Explorer.  In addition, you can also export all or selected items to HTML reports, view detailed properties for selected entries, sort them and more.  The program allows you to access the history of other user accounts or network computers as well, provided that you have the proper access rights. 
 
 
'''IRCR'''  (v. 2.3 )  [http://tools.phantombyte.com/]
 
The Incident Response Collection Report is a script to call a collection of tools that gathers and/or analyzes data on a Microsoft Windows system.  You can think of this as a snapshot of the system in the past. Most of the tools are oriented towards data collection rather than analysis. 
 
 
'''Mail PassView'''  (v. 1.36 )  [http://www.nirsoft.net/utils/mailpv.html]
 
Mail PassView is a small password-recovery tool that reveals the passwords and other account details for the following email clients:
 
* Outlook Express
* Microsoft Outlook 2000 (POP3 and SMTP accounts only)
* Microsoft Outlook 2002/2003 (POP3, IMAP, HTTP and SMTP accounts)
* IncrediMail
* Eudora
* Netscape 6.x/7.x
* Mozilla Thunderbird
* Group Mail Free
* Yahoo! Mail (if the password is saved in the Yahoo! Messenger application)
* Hotmail/MSN Mail (if the password is saved in the MSN Messenger application)
* Gmail (if the password is saved by the Gmail Notifier application)
 
 
'''memdump'''  (v. 2.0 )  [http://www.tssc.de/index.htm]
 
The MEMDump utility is designed to dump or copy any part of 4GB linear memory address space under MS-DOS and Windows 9x DOS to a console, text or binary file.
 
 
'''MessenPass'''  (v. 1.08 )  [http://www.nirsoft.net/utils/mspass.html]
 
MessenPass allows you to recover your password(s) from a wide variety of popular Instant Messenger programs, including MSN Messenger, Windows Messenger, Yahoo Messenger, ICQ Lite 4.x/2003, AOL Instant Messenger, AOL Instant Messenger/Netscape 7, Trillian, Miranda and GAIM.  Just run the program and it will present you with a list of all accounts found on your PC, including the usernames and passwords.  The list can be exported to HTML or saved as a text file.  MessenPass can only be used to recover the passwords for the currently logged-on user on your local computer. You cannot use it for grabbing the passwords of other users. 
 
 
'''Mozilla Cookie View'''  (v. 1.11 )  [http://www.nirsoft.net/utils/mzcv.html]
 
MozillaCookiesView is an alternative to the standard 'Cookie Manager' provided by Netscape and Mozilla browsers. It displays the details of all cookies stored inside the cookies file (cookies.txt) in one table, and allows you to save the cookies list into text, HTML or XML file, delete unwanted cookies, and backup/restore the cookies file.
 
 
'''Network Password Recovery'''  (v. 1.03 )  [http://www.nirsoft.net/utils/network_password_recovery.html]
 
Network Password Recovery can retrieve all network passwords stored on your system for the current logged-on user.  In addition, it can also recover any .NET Passport accounts that are stored locally. 
 
 
'''pasco'''  (v. 1.0 )  [http://www.foundstone.com/resources/proddesc/pasco.htm]
 
Pasco will parse the information in an index.dat file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program.  Pasco is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms.
 
 
'''PC Inspector File Recovery'''  (v. 4.0 )  [http://www.pcinspector.de/] 
 
PC Inspector File Recovery is a data recovery program that supports the FAT 12/16/32 and NTFS file systems.  Finds partitions automatically, even if the boot sector or FAT has been erased or damaged (does not work with the NTFS file system).  Recovers files with the original time and date stamp.  Supports saving of recovered files to network drives. 
 
 
'''PC On/Off Time'''  (v. 2.0)  [http://www.snapfiles.com/get/pconoff.html]
 
This free time tracking tool shows the times your computer has been active during the last 3 weeks, with no previous setup required.  The software doesn't need to run in the background, because Windows OS tracks login and logoff times (working hours) by default, and the program analyses it. 
 
 
'''Process Explorer'''  (v. 10.2 )  [http://www.microsoft.com/technet/sysinternals/utilities/ProcessExplorer.mspx]
 
The Process Explorer display consists of two sub-windows.  The top window always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window depends on the mode that Process Explorer is in: if it is in handle mode you'll see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode you'll see the DLLs and memory-mapped files that the process has loaded.  Process Explorer also has a powerful search capability that will quickly show you which processes have particular handles opened or DLLs loaded. 
 
 
'''Protected Storage PassView'''  (v. 1.63 )  [http://www.nirsoft.net/utils/pspv.html]
 
Protected Storage PassView is a small utility that reveals the passwords stored on your computer by Internet Explorer and Outlook Express.  The passwords are revealed by reading the information from the Protected Storage.  These include all email and web site passwords where you chose "remember password" (not cookie passwords) as well as auto-complete passwords.  This utility can only show the passwords of the current logged-on user, it cannot reveal the passwords of other users.
 
 
'''PsTools Suite'''  (v. 2.34 )  [http://www.microsoft.com/technet/sysinternals/utilities/pstools.mspx]
 
What sets these tools apart is that they all allow you to manage remote systems as well as the local one.  The first tool in the suite was PsList, a tool that lets you view detailed information about processes, and the suite is continually growing.  The "Ps" prefix in PsList relates to the fact that the standard UNIX process listing command-line tool is named "ps", so I've adopted this prefix for all the tools in order to tie them together into a suite of tools named PsTools.  The tools included in the PsTools suite, which are downloadable individually or as a package, are: 
 
* PsExec - execute processes remotely
* PsFile - shows files opened remotely
* PsGetSid - display the SID of a computer or a user
* PsKill - kill processes by name or process ID
* PsInfo - list information about a system
* PsList - list detailed information about processes
* PsLoggedOn - see who's logged on locally and via resource sharing
* PsLogList - dump event log records
* PsPasswd - changes account passwords
* PsService - view and control services
* PsShutdown - shuts down and optionally reboots a computer
* PsSuspend - suspends processes
 
All of the utilities in the PsTools suite work on Windows NT, Windows 2000 and Windows XP.
 
 
'''Pst Password Viewer'''  (v. 1.00 ) [http://www.nirsoft.net/utils/pst_password.html] 
 
The password encryption in the PST file is very weak, and for each password-protected PST file, there are many passwords that can open it.  PstPassword provides 3 different passwords for each password-protected PST file.  It's possible that one of them will be the original password that you typed, and it's also possible that none of these passwords will be identical to the original one.  However, all 3 passwords provided by PstPassword will open the PST file without problems. 
 
 
'''ptfinder'''  (v. 2.0 )  [http://computer.forensikblog.de/en/2006/03/ptfinder_0_2_00.html]
 
PTFinder searches a memory dump of a system running Microsoft Windows for traces of processes and threads.  Some functional checks are also applied.
 
'''PuTTY SSH Client'''  (v. 0.58 )  [http://www.chiark.greenend.org.uk/~sgtatham/putty/]
 
PuTTY is a free implementation of Telnet and SSH for Win32 and Unix platforms, along with an xterm terminal emulator.
 
 
'''reg'''  (v.  )  [http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/reg.mspx?mfr=true]
 
Adds, changes, and displays registry subkey information and values in registry entries, for the Local User. 
 
 
'''RegScanner'''  (v. 1.30 )  [http://www.nirsoft.net/utils/regscanner.html]
 
RegScanner is a small utility that allows you to scan the Registry, find the Registry values that match the specified search criteria, and display them in one list.  After finding the Registry values, you can easily jump to the right value in RegEdit, simply by double-clicking the desired Registry item.  You can also export the found Registry values into a .reg file that can be used in RegEdit. 
 
 
'''ReSysInfo'''  (v. 2.1 )  [http://www.dominik-reichl.de/freeware.shtml] 
 
ReSysInfo is a system information viewer for Windows.  The tool has 25 total information modules: BIOS information, CMOS, desktop, DirectX, drives, environment, fonts, keyboard, locale, machine & APM, mainboard, MCI, memory, mouse, multimedia, network, OpenGL, passwords, ports, printers & fax, processes, processor, video system, general information about Windows and a summary.  ReSysInfo has a Report Wizard which can export the information to 3 different formats: plain text, HTML and XML. 
 
 
'''rifiuti'''  (v. 1.0 )  [http://www.foundstone.com/resources/proddesc/rifiuti.htm]
 
Rifiuti will parse the information in an INFO2 file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program. Rifiuti is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms. 
 
 
'''Rootkit Revealer'''  (v. 1.7 )  [http://www.microsoft.com/technet/sysinternals/Security/RootkitRevealer.mspx]
 
Rootkit Revealer is an advanced rootkit detection utility. It runs on Windows NT 4 and higher and its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit.  Rootkit Revealer successfully detects all persistent rootkits published at www.rootkit.com, including AFX, Vanquish and HackerDefender (note: Rootkit Revealer is not intended to detect rootkits like Fu that don't attempt to hide their files or registry keys).  If you use it to identify the presence of a rootkit please let us know!
 
 
'''Secreport'''  (v. 3.27.07 )  [http://members.verizon.net/~vze3vkmg/index.htm]
 
It is a small suite of two command-line tools for collecting security-related information from Windows-based systems (SecReport) and comparing any two reports, either from two different systems or from the same system after some time (Delta).  I use these tools to quickly assess the level of securing of a Windows system and to compare results to a baseline.  The tools are useful both in daily security administration and during incident response, for fast collection of information.  The tools do not need to be installed on the system and can be run directly from a hard disk, CD-R disk or network drive (mapped or UNC).  Reports are in XML format and can be viewed with the IE 6.0 browser.  An MD5 hash file for each report is created automatically.
 
 
'''WFT'''  (v. 2.0 )  [http://www.foolmoon.net/security/wft/]
 
The Windows Forensic Toolchest (WFT) was written to provide an automated incident response [or even an audit] on a Windows system and collect security-relevant information from the system.  It is essentially a forensically enhanced batch processing shell capable of running other security tools and producing HTML based reports in a forensically sound manner.  A knowledgeable security person can use it to help look for signs of an incident (when used in conjunction with the appropriate tools).  WFT is designed to produce output that is useful to the user, but is also appropriate for use in court proceedings.  It provides extensive logging of all its actions along with computing the MD5 checksums along the way to ensure that its output is verifiable.  The primary benefit of using WFT to perform incident responses is that it provides a simplified way of scripting such responses using a sound methodology for data collection. 
 
 
 
'''Winaudit'''  (v. 2.15 )  [http://www.pxserver.com/WinAudit.htm]
 
WinAudit is easy to use; no special knowledge is required to use the program.  It is a self-contained single file that needs no installation or configuration.  It can be run from a floppy disk or USB stick. Simply download the program and double click on it.  User interface translations have been kindly contributed by several people; if possible WinAudit will automatically start in your language.  The program reports on virtually every aspect of computer inventory and configuration.  Results are displayed in web-page format, categorized for ease of viewing and text searching.  Whether your interest is in software compliance, hardware inventory, technical support, security or just plain curiosity, WinAudit has it all.  The program has advanced features such as service tag detection, hard-drive failure diagnosis, network port to process mapping, network connection speed, system availability statistics as well as Windows® update and firewall settings.
 
 
 
'''Cygwin Tools'''
 
 
== External Links ==
 
 
* [http://www.e-fense.com/helix/faq.php Helix FAQ]
* [http://www.e-fense.com/helix/downloads.php Helix CD image download]
 

Latest revision as of 02:31, 8 August 2013