Computer Forensics Application

[Ehtyar]

Does anyone have a suggestion on an application for gleaning as much information from a Windows computer as possible? Thanks to April and Lash man who suggested regedit, but I'm looking for something a little more comprehensive. Any suggestions would be appreciated, though open source/free is preferred.

Thanks, Ehtyar.

[Veign]

Try this tool suite:
http://www.e-fense.com/helix/

[PhilB66]

Info from your own machine or a third-party one? What kind of info are you after?

Are you looking for tools like ESET SysInspector, SIV, SIW, WITS (Windows Inspection Tool Set), WinAudit, HWiNFO?

[Ehtyar]

My apologies for being unclear, I didn't think the question through as well as i should have. An acquaintance has given me their computer, and I'm looking for a virus or malicious program running on the machine. Things I'm interested in are details about modules in memory, internet history, most recently accessed files etc. Currently I'm making use of autoruns, process explorer, spybot, clamwin etc, but basically i'm just looking for the easiest way to get the most information about the usage of this computer as i possibly can. The people I'm doing this for will need instructions on how to prevent a recurrence of the infection, as they're not exactly power users. I hope this clears things up a little bit.

Ehtyar.

[PhilB66]

Windows Incident Response forensic analysis on the cheap is a good starting point.

NirSoft has quite a few utilities... OpenedFilesView, ProcessActivityView, and RegFromApp, the browser history and Cache viewers, etc.

A good read is the Web Browser Forensics article by SecurityFocus.

[tranglos]

Are you looking for tools like ESET SysInspector, SIV, SIW, WITS (Windows Inspection Tool Set), WinAudit, HWiNFO?

-PhilB66 (August 28, 2008, 07:02 PM)

So this isn't what Ehtyar needs, but for anyone who may come across this thread looking for actual computer forensics apps, another one to add to your list is WinHex: http://www.x-ways.net/winhex/ . Quite pricey, but has an awesome featureset. (Though I don't know the ones you listed, so I can't compare).

Ehtyar - it seems you have what you need, though you didn't mention a good AV program. Avira (http://free-av.com/) is pretty good and free. Your users will need that, and a firewall as well, if they don't have one yet. I'm using ESET Smart Security, which is a firewall and an AV (a repackaged nod32), but for AV alone I think Avira was better (certainly its scanner is faster).

For other tasks, I don't think you can do much better than Process Explorer. WinHex and the other forensics apps will do all PE does and more, but they are complex and really expensive, and probably won't do much for weeding out spyware and such. WinHex is intended for post-mortem analysis; I'm not sure it will monitor processes/files in real time (it may though, I wouldn't be surprised).

For real-time spyware (and suspicious-ware) monitoring I thougt ThreatFire was pretty neat (www.threatfire.com). It used to be free, but now costs 30 Euro for 3 machines. I used to run it on my laptop, but it never detected anything so I decided I didn't need it and can't really comment on its efficacy

(correction: Threatfire is still free for personal use, but you need to check the feature matrix to see that. The 30 Euro license is for commercial use and apparently easier updates)

[PhilB66]

Lists of Freeware analysis tools

[Ehtyar]

Windows Incident Response forensic analysis on the cheap is a good starting point.

NirSoft has quite a few utilities... OpenedFilesView, ProcessActivityView, and RegFromApp, the browser history and Cache viewers, etc.

A good read is the Web Browser Forensics article by SecurityFocus.

-PhilB66 (August 28, 2008, 08:27 PM)

What excellent reads, thank you Phil.
Unfortunately I'm not really in a position to modify this machine too much (many of you may know that end users get a little upset when IT guys go around changing their perfectly setup system). This prohibits my installing anti viruses and such, though I have run scans with Clam and Spybot. I have already got the NirSoft tools you mentioned, though have not gotten to them yet.
Tranglos, I've used WinHex before, and I have to say I seem to miss what all the fuss is about. IMO, as a hex editor there are plenty better alternatives, and I can't seem to see what features are so coveted by its users. As I mentioned above I've been using ClamAV to keep from installing anything, and unfortunately your other suggestions would require me to do so.

Ehtyar.

[tranglos]

Tranglos, I've used WinHex before, and I have to say I seem to miss what all the fuss is about. IMO, as a hex editor there are plenty better alternatives, and I can't seem to see what features are so coveted by its users.

-Ehtyar (August 28, 2008, 09:07 PM)

I don't use it, never bought it, because it's too expensive for something I don't really need. But the geeky side of me finds a couple of things very neat. Like the ability to dump a program's memory space to disk - for example, I'd use it to see if my own and other apps "leak" passwords (in my password manager Oubliette I tried to erase the typed password as soon as possible, and only keep the hashed value in memory - but I'd like to make sure it works that way). I would also use it to dump a dictionary I use daily - which has no expoer feature - to convert it to another format, omcpatible with some other tools I use. I don't know if this feature is unique to WinHex - probably not, but it's where I found it

[Ehtyar]

Lists of Freeware analysis tools

-PhilB66 (August 28, 2008, 08:41 PM)

Should have thought of CastleCops, thank you again!

I don't use it, never bought it, because it's too expensive for something I don't really need. But the geeky side of me finds a couple of things very neat. Like the ability to dump a program's memory space to disk - for example, I'd use it to see if my own and other apps "leak" passwords (in my password manager Oubliette I tried to erase the typed password as soon as possible, and only keep the hashed value in memory - but I'd like to make sure it works that way). I would also use it to dump a dictionary I use daily - which has no expoer feature - to convert it to another format, omcpatible with some other tools I use. I don't know if this feature is unique to WinHex - probably not, but it's where I found it

-tranglos (August 28, 2008, 09:18 PM)

I see. I'm fairly sure you could find those features in other applications, but for your purposes I certainly see the appeal. Thanks for the suggestions.

Ehtyar.

[PhilB66]

Avast Virus Cleaner, McAfee AVERT Stinger, and Trend Micro System Cleaner all free and portable (does not require installation).

[Ehtyar]

Thanks again for the info PhilB, please excuse my further ignorance 
For those of you that were interested in this thread, here are the applications that made the final cut for my novice collection:

• ProcessExplorer - A very comprehensive process viewer from SysInternals.
• Autoruns - A very comprehensive start-up examiner, also from SysInternals.
• CCleaner - A general system cleaning application (temp files, browser cache etc etc).
• ClamWin - A free scan-only antivirus, also available for Linux.
• HijackThis - System settings scanner.
• Spybot - Malware and spyware remover.
• Avast - Free antivirus.
• gmer - Rootkit detector.
• IECacheView/MozillaCacheView - Cache viewers for their respective browsers.
• IECookiesView/MozillaCookiesView - Cookie viewers for their respective browsers.
• IEHistoryView/MozillaHistoryView - History viewers for their respective browsers.
• OpenedFilesView - Lists open files on your system.
• ProcessActivityView - Displays file activity for a specific process.
• RegView - Registry hive mounter.
• Stinger - Removal of particular nasties.
• SysClean - Malware and spyware cleanup.

Hope this helps, Ehtyar.