

Computer Forensics Application


tranglos:
Are you looking for tools like ESET SysInspector, SIV, SIW, WITS (Windows Inspection Tool Set), WinAudit, HWiNFO?
-PhilB66 (August 28, 2008, 07:02 PM)
--- End quote ---

So this isn't what Ehtyar needs, but for anyone who may come across this thread looking for actual computer forensics apps, another one to add to your list is WinHex: http://www.x-ways.net/winhex/ . Quite pricey, but has an awesome featureset. (Though I don't know the ones you listed, so I can't compare).

Ehtyar - it seems you have what you need, though you didn't mention a good AV program. Avira (http://free-av.com/) is pretty good and free. Your users will need that, and a firewall as well, if they don't have one yet. I'm using ESET Smart Security, which is a firewall and an AV (a repackaged nod32), but for AV alone I think Avira was better (certainly its scanner is faster).

For other tasks, I don't think you can do much better than Process Explorer. WinHex and the other forensics apps will do all PE does and more, but they are complex and really expensive, and probably won't do much for weeding out spyware and such. WinHex is intended for post-mortem analysis; I'm not sure it will monitor processes/files in real time (it may though, I wouldn't be surprised).

For real-time spyware (and suspicious-ware) monitoring I thought ThreatFire was pretty neat (www.threatfire.com). It used to be free, but now costs 30 Euro for 3 machines. I used to run it on my laptop, but it never detected anything so I decided I didn't need it and can't really comment on its efficacy :)

(correction: Threatfire is still free for personal use, but you need to check the feature matrix to see that. The 30 Euro license is for commercial use and apparently easier updates)

PhilB66:
Lists of Freeware analysis tools

Ehtyar:
Windows Incident Response forensic analysis on the cheap is a good starting point.

NirSoft has quite a few utilities... OpenedFilesView, ProcessActivityView, and RegFromApp, the browser history and Cache viewers, etc.

A good read is the Web Browser Forensics article by SecurityFocus.
-PhilB66 (August 28, 2008, 08:27 PM)
--- End quote ---
What excellent reads, thank you Phil.
Unfortunately I'm not really in a position to modify this machine too much (many of you may know that end users get a little upset when IT guys go around changing their perfectly setup system). This prohibits my installing anti viruses and such, though I have run scans with Clam and Spybot. I have already got the NirSoft tools you mentioned, though have not gotten to them yet.
Tranglos, I've used WinHex before, and I have to say I seem to miss what all the fuss is about. IMO, as a hex editor there are plenty better alternatives, and I can't seem to see what features are so coveted by its users. As I mentioned above I've been using ClamAV to keep from installing anything, and unfortunately your other suggestions would require me to do so.

Ehtyar.

tranglos:
Tranglos, I've used WinHex before, and I have to say I seem to miss what all the fuss is about. IMO, as a hex editor there are plenty better alternatives, and I can't seem to see what features are so coveted by its users.
-Ehtyar (August 28, 2008, 09:07 PM)
--- End quote ---

I don't use it, never bought it, because it's too expensive for something I don't really need. But the geeky side of me finds a couple of things very neat. Like the ability to dump a program's memory space to disk - for example, I'd use it to see if my own and other apps "leak" passwords (in my password manager Oubliette I tried to erase the typed password as soon as possible, and only keep the hashed value in memory - but I'd like to make sure it works that way). I would also use it to dump a dictionary I use daily - which has no export feature - to convert it to another format, compatible with some other tools I use. I don't know if this feature is unique to WinHex - probably not, but it's where I found it :)
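
The check tranglos describes above (dump a process's memory and look for the plaintext password after the app claims to have erased it) can be rehearsed inside a single program before ever reaching for a memory dumper. The following is an added example written for this thread; it is not code from Oubliette, WinHex or any other tool mentioned here. It assumes a fixed heap arena standing in for the process image, a constructed sample password, and FNV-1a as a placeholder for whatever real hash or KDF the application would use. The point it shows is that dropping the pointer (or calling `free`) is not erasure: the plaintext stays in the "dump" until the buffer is overwritten with a wipe the optimizer cannot remove.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample input: the password the user "typed". */
static const char SAMPLE_PASSWORD[] = "correct horse battery staple";

/* Wipe that the optimizer cannot elide: calling memset through a volatile
   function pointer is the same idea as explicit_bzero()/memset_s(). */
static void *(*volatile memset_ptr)(void *, int, size_t) = memset;
static void secure_wipe(void *buf, size_t len) {
    memset_ptr(buf, 0, len);
}

/* Placeholder hash (FNV-1a, 64-bit) standing in for a real KDF such as
   PBKDF2 or Argon2. What matters here is that only the digest is kept. */
static uint64_t fnv1a64(const char *s, size_t len) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= (unsigned char)s[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* The search a dumped image is subjected to: does the plaintext occur
   anywhere in the region? Returns 1 if found, 0 otherwise. */
int region_contains(const unsigned char *region, size_t region_len,
                    const char *needle, size_t needle_len) {
    if (needle_len == 0 || needle_len > region_len) return 0;
    for (size_t i = 0; i + needle_len <= region_len; i++) {
        if (memcmp(region + i, needle, needle_len) == 0) return 1;
    }
    return 0;
}

/* Simulate a password manager's handling of the typed password inside a
   fixed arena, so the "memory dump" is simply the arena.
   wipe == 0 models an app that only forgets the pointer after hashing;
   wipe == 1 models an app that erases the buffer after hashing.
   Returns 1 if the plaintext is still present, 0 if not, -1 on error. */
int password_leaks(int wipe, uint64_t *digest_out) {
    enum { ARENA = 4096 };
    unsigned char *arena = calloc(ARENA, 1);
    if (!arena) return -1;

    /* The typed password lands somewhere in the arena (offset chosen for the demo). */
    char *typed = (char *)arena + 1000;
    size_t len = sizeof(SAMPLE_PASSWORD) - 1;
    memcpy(typed, SAMPLE_PASSWORD, len);

    uint64_t digest = fnv1a64(typed, len);   /* only this should survive */
    if (wipe) secure_wipe(typed, len);
    typed = NULL;                            /* forgetting the pointer is not erasure */

    int leaked = region_contains(arena, ARENA, SAMPLE_PASSWORD, len);
    if (digest_out) *digest_out = digest;

    secure_wipe(arena, ARENA);               /* clean up the demo arena itself */
    free(arena);
    return leaked;
}

int main(void) {
    uint64_t d;
    printf("without wipe: plaintext %s in dump\n",
           password_leaks(0, &d) ? "found" : "absent");
    printf("with wipe:    plaintext %s in dump\n",
           password_leaks(1, &d) ? "found" : "absent");
    return 0;
}
```

Running it prints "found" for the no-wipe path and "absent" for the wipe path, while both paths produce the same digest, which is the property tranglos wants to confirm: the hash is retained, the plaintext is not. In a real application the same search would be run over a dump of the whole process, and the plaintext can also linger in places this arena does not model (string copies made by UI toolkits, the clipboard, swap), so a clean result here is necessary but not sufficient.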

Ehtyar:
Lists of Freeware analysis tools
-PhilB66 (August 28, 2008, 08:41 PM)
--- End quote ---
Should have thought of CastleCops, thank you again!

I don't use it, never bought it, because it's too expensive for something I don't really need. But the geeky side of me finds a couple of things very neat. Like the ability to dump a program's memory space to disk - for example, I'd use it to see if my own and other apps "leak" passwords (in my password manager Oubliette I tried to erase the typed password as soon as possible, and only keep the hashed value in memory - but I'd like to make sure it works that way). I would also use it to dump a dictionary I use daily - which has no export feature - to convert it to another format, compatible with some other tools I use. I don't know if this feature is unique to WinHex - probably not, but it's where I found it :)
-tranglos (August 28, 2008, 09:18 PM)
--- End quote ---
I see. I'm fairly sure you could find those features in other applications, but for your purposes I certainly see the appeal. Thanks for the suggestions.

Ehtyar.
