Author Topic: Computer Forensics Application  (Read 3597 times)
Ehtyar
« on: August 28, 2008, 06:35:05 PM »

Does anyone have a suggestion on an application for gleaning as much information from a Windows computer as possible? Thanks to April and Lash man who suggested regedit, but I'm looking for something a little more comprehensive. Any suggestions would be appreciated, though open source/free is preferred.

Thanks, Ehtyar.
« Last Edit: August 29, 2008, 07:11:11 AM by Ehtyar »
Veign
« Reply #1 on: August 28, 2008, 06:48:59 PM »

Try this tool suite:
http://www.e-fense.com/helix/

PhilB66
« Reply #2 on: August 28, 2008, 07:02:56 PM »

Info from your own machine or a third-party one? What kind of info are you after?

Are you looking for tools like ESET SysInspector, SIV, SIW, WITS (Windows Inspection Tool Set), WinAudit, HWiNFO?
Ehtyar
« Reply #3 on: August 28, 2008, 07:10:51 PM »

My apologies for being unclear; I didn't think the question through as well as I should have. An acquaintance has given me their computer, and I'm looking for a virus or malicious program running on the machine. Things I'm interested in are details about modules in memory, internet history, most recently accessed files, etc. Currently I'm making use of autoruns, process explorer, spybot, clamwin, etc., but basically I'm just looking for the easiest way to get the most information about the usage of this computer as I possibly can. The people I'm doing this for will need instructions on how to prevent a recurrence of the infection, as they're not exactly power users. I hope this clears things up a little bit.

Ehtyar.
PhilB66
« Reply #4 on: August 28, 2008, 08:27:58 PM »

Windows Incident Response forensic analysis on the cheap is a good starting point.

NirSoft has quite a few utilities... OpenedFilesView, ProcessActivityView, and RegFromApp, the browser history and Cache viewers, etc.

A good read is the Web Browser Forensics article by SecurityFocus.
tranglos
« Reply #5 on: August 28, 2008, 08:34:12 PM »

Quote from: PhilB66
Are you looking for tools like ESET SysInspector, SIV, SIW, WITS (Windows Inspection Tool Set), WinAudit, HWiNFO?

So this isn't what Ehtyar needs, but for anyone who may come across this thread looking for actual computer forensics apps, another one to add to your list is WinHex: http://www.x-ways.net/winhex/ . Quite pricey, but it has an awesome feature set. (Though I don't know the ones you listed, so I can't compare.)

Ehtyar - it seems you have what you need, though you didn't mention a good AV program. Avira (http://free-av.com/) is pretty good and free. Your users will need that, and a firewall as well, if they don't have one yet. I'm using ESET Smart Security, which is a firewall and an AV (a repackaged nod32), but for AV alone I think Avira was better (certainly its scanner is faster).

For other tasks, I don't think you can do much better than Process Explorer. WinHex and the other forensics apps will do all PE does and more, but they are complex and really expensive, and probably won't do much for weeding out spyware and such. WinHex is intended for post-mortem analysis; I'm not sure it will monitor processes/files in real time (it may though, I wouldn't be surprised).

For real-time spyware (and suspicious-ware) monitoring I thought ThreatFire was pretty neat (www.threatfire.com). It used to be free, but now costs 30 Euro for 3 machines. I used to run it on my laptop, but it never detected anything, so I decided I didn't need it and can't really comment on its efficacy :)

(correction: Threatfire is still free for personal use, but you need to check the feature matrix to see that. The 30 Euro license is for commercial use and apparently easier updates)
« Last Edit: August 28, 2008, 09:11:57 PM by tranglos »

PhilB66
« Reply #6 on: August 28, 2008, 08:41:16 PM »

Lists of Freeware analysis tools
Ehtyar
« Reply #7 on: August 28, 2008, 09:07:20 PM »

Quote from: PhilB66
Windows Incident Response forensic analysis on the cheap is a good starting point.

NirSoft has quite a few utilities... OpenedFilesView, ProcessActivityView, and RegFromApp, the browser history and Cache viewers, etc.

A good read is the Web Browser Forensics article by SecurityFocus.
What excellent reads, thank you Phil.
Unfortunately I'm not really in a position to modify this machine too much (many of you may know that end users get a little upset when IT guys go around changing their perfectly set up system). This prohibits my installing antivirus software and such, though I have run scans with Clam and Spybot. I have already got the NirSoft tools you mentioned, though I have not gotten to them yet.
Tranglos, I've used WinHex before, and I have to say I seem to miss what all the fuss is about. IMO, as a hex editor there are plenty better alternatives, and I can't seem to see what features are so coveted by its users. As I mentioned above I've been using ClamAV to keep from installing anything, and unfortunately your other suggestions would require me to do so.

Ehtyar.
tranglos
« Reply #8 on: August 28, 2008, 09:18:45 PM »

Quote from: Ehtyar
Tranglos, I've used WinHex before, and I have to say I seem to miss what all the fuss is about. IMO, as a hex editor there are plenty of better alternatives, and I can't seem to see what features are so coveted by its users.

I don't use it, never bought it, because it's too expensive for something I don't really need. But the geeky side of me finds a couple of things very neat. Like the ability to dump a program's memory space to disk - for example, I'd use it to see if my own and other apps "leak" passwords (in my password manager Oubliette I tried to erase the typed password as soon as possible, and only keep the hashed value in memory - but I'd like to make sure it works that way). I would also use it to dump a dictionary I use daily - which has no export feature - to convert it to another format, compatible with some other tools I use. I don't know if this feature is unique to WinHex - probably not, but it's where I found it :)
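The check tranglos describes above (dump a process's memory, then see whether the typed password is still there in the clear or only its hash survives) is easy to automate once the dump is on disk. The script below is an added example for readers of this thread; it is not code from the thread, from WinHex or from Oubliette. It assumes the dump has already been written by some tool and is available as bytes; here the two dumps are constructed byte strings standing in for real dump files. It searches both narrow and UTF-16LE encodings, because a Windows GUI program typically holds the typed text as wide characters, and a narrow-only search would miss that.

```python
"""
Check whether a plaintext secret survives in a process memory dump.

Added example, not from the forum thread. The dump files are assumed to
exist already (written by whatever memory-dump tool you use); the two
dumps below are constructed stand-ins so the script runs offline.
"""
import hashlib
import re


def encodings_of(secret: str) -> dict:
    """Byte patterns a Windows process might hold for the same string."""
    return {
        "ascii": secret.encode("ascii"),         # narrow (char) strings
        "utf-16le": secret.encode("utf-16-le"),  # Win32 wide (WCHAR) strings
    }


def find_secret(dump: bytes, secret: str) -> dict:
    """Return every offset at which the secret appears, keyed by encoding."""
    hits = {}
    for name, pattern in encodings_of(secret).items():
        hits[name] = [m.start() for m in re.finditer(re.escape(pattern), dump)]
    return hits


def leaks(dump: bytes, secret: str) -> bool:
    """True if the plaintext secret is present in any encoding."""
    return any(offsets for offsets in find_secret(dump, secret).values())


def hex_context(dump: bytes, offset: int, width: int = 16) -> str:
    """One hex-editor style line around a hit, for reporting."""
    start = max(0, offset - width // 2)
    chunk = dump[start:start + width]
    return f"{start:08x}  {chunk.hex(' ')}"


# --- constructed sample dumps (not real process memory) ---
PASSWORD = "correct horse"

# A leaky program: the typed password is still held as a wide string.
LEAKY_DUMP = (b"\x00" * 64
              + b"user=bob\x00"
              + PASSWORD.encode("utf-16-le")
              + b"\x00" * 32)

# A careful program: only a SHA-256 of the password remains in memory.
SAFE_DUMP = (b"\x00" * 64
             + hashlib.sha256(PASSWORD.encode()).digest()
             + b"\x00" * 32)


def report(dump: bytes, secret: str) -> str:
    """Human-readable verdict plus a hex line per hit."""
    lines = []
    for enc, offsets in find_secret(dump, secret).items():
        for off in offsets:
            lines.append(f"{enc} hit at 0x{off:x}: {hex_context(dump, off)}")
    return "\n".join(lines) if lines else "no plaintext copy found"


if __name__ == "__main__":
    print("leaky:", report(LEAKY_DUMP, PASSWORD))
    print("safe: ", report(SAFE_DUMP, PASSWORD))
```

Run it against a real dump by replacing the constructed byte strings with `open(path, "rb").read()`. A clean result only shows the password is absent in the two encodings searched; a program that keeps a transformed copy (for example a different Unicode normalisation or an obfuscated buffer) needs those forms added to `encodings_of`.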

Ehtyar
« Reply #9 on: August 28, 2008, 09:23:18 PM »

Should have thought of CastleCops, thank you again!

Quote from: tranglos
I don't use it, never bought it, because it's too expensive for something I don't really need. But the geeky side of me finds a couple of things very neat. Like the ability to dump a program's memory space to disk - for example, I'd use it to see if my own and other apps "leak" passwords (in my password manager Oubliette I tried to erase the typed password as soon as possible, and only keep the hashed value in memory - but I'd like to make sure it works that way). I would also use it to dump a dictionary I use daily - which has no export feature - to convert it to another format, compatible with some other tools I use. I don't know if this feature is unique to WinHex - probably not, but it's where I found it :)
I see. I'm fairly sure you could find those features in other applications, but for your purposes I certainly see the appeal. Thanks for the suggestions.

Ehtyar.
PhilB66
« Reply #10 on: August 28, 2008, 09:30:40 PM »

Avast Virus Cleaner, McAfee AVERT Stinger, and Trend Micro System Cleaner are all free and portable (they do not require installation).
Ehtyar
« Reply #11 on: August 29, 2008, 06:59:00 AM »

Thanks again for the info PhilB, please excuse my further ignorance :-[
For those of you that were interested in this thread, here are the applications that made the final cut for my novice collection:

Hope this helps, Ehtyar.