[Full-Disclosure] Forensics CD

From: Schmehl, Paul L (pauls@utdallas.edu)
Date: 04/23/03

  • Next message: Hotmail: "Re: [Full-Disclosure] Break-in discovery and forensics tools"
    From: "Schmehl, Paul L" <pauls@utdallas.edu>
    To: <full-disclosure@lists.netsys.com>
    Date: Wed, 23 Apr 2003 10:49:45 -0500
    

    Thanks to everyone who has emailed me privately, as well as those who have
    responded to the list. I should have been clearer about what I was
    looking for. :-)

    I've downloaded and created a boot CD using FIRE. That's a really nice
    compilation of useful programs. However, I also have to create a CD
    that can be used without having to reboot. In some cases we may not
    want to take a machine offline until we're certain that it's
    compromised. Thus the need for a CD of utilities that can be used to do
    preliminary testing.

    I found a place on the web that had statically compiled programs for
    Linux 2.2 and 2.4 and Solaris 2.7. I'm probably going to end up
    compiling static copies for other OSes as well. The following is a list
    of utilities that I think would be useful.

    I invite comments, additions, subtractions from this list. Is there
    anything missing? Keep in mind, this is for a preliminary inspection
    (including md5 checksum work) without taking a machine offline for an
    in-depth forensic analysis. I'll also include chkrootkit and tct as
    well, just for completeness.

    To answer one question - at this point I don't know if this will be made
    publicly available. It *may* be, but there's a lot of work to be done
    before I get to that point.

    bindshell
    cat
    chfn
    chgrp
    chmod
    chown
    chroot
    chsh
    cp
    cpio
    cut
    date
    df
    dig
    du
    echo
    env
    file
    find
    grep
    ifconfig
    inetd
    infingerd
    less
    login
    ls
    lsof
    md5sum
    more
    netstat
    passwd
    ping
    ps
    rpcinfo
    rpm
    rshd
    strace (ktrace, etc.)
    sshd
    strings
    syslogd
    sz
    tar
    telnetd
    top
    traceroute
    vi
    whois

    Paul Schmehl (pauls@utdallas.edu)
    Adjunct Information Security Officer
    The University of Texas at Dallas
    AVIEN Founding Member
    http://www.utdallas.edu/~pauls/
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
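The preliminary on-line check the post describes (run the CD's statically linked tools instead of the host's, verify md5 checksums of system binaries against a known-good baseline, and cross-check ps before deciding whether to pull the box for full forensics) as an added shell example. It is not part of the original message or of Paul's CD; the mount point /mnt/cdrom/bin, the "hash  path" baseline-file format, the hidden_pids check and the sample files the demo creates are all assumptions made here for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: the CD's
# static binaries are mounted at $TRUSTED_BIN (hypothetical path) and a
# baseline of "md5  path" lines was recorded earlier from a known-clean
# install of the same package set.

TRUSTED_BIN="${TRUSTED_BIN:-/mnt/cdrom/bin}"   # assumed mount point

# Put the CD's static tools first on PATH so that md5sum, ls, ps, find
# and friends below are the CD's copies rather than whatever is now in
# /bin or /usr/bin. Without the CD mounted it silently uses host tools,
# which is fine for a demo but defeats the purpose on a suspect box.
use_trusted_tools() {
    if [ -d "$TRUSTED_BIN" ]; then
        PATH="$TRUSTED_BIN:$PATH"
        export PATH
    fi
}

# Hex MD5 of one file: md5sum as on the post's list, openssl as fallback.
hash_file() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | sed 's/.*= //'
    fi
}

# Record a baseline: one "hash  path" line per file given.
make_baseline() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        printf '%s  %s\n' "$(hash_file "$f")" "$f" >> "$out"
    done
}

# Verify live files against a baseline. Prints one CHANGED/MISSING line
# per problem and returns the number of problems (capped at 255, the
# largest exit status), so a non-zero return means "do not trust this
# host yet". Paths come from the baseline, never from the host.
check_baseline() {
    baseline=$1
    bad=0
    while read -r expected path; do
        [ -z "$path" ] && continue
        if [ ! -f "$path" ]; then
            printf 'MISSING  %s\n' "$path"
            bad=$((bad + 1))
        elif [ "$(hash_file "$path")" != "$expected" ]; then
            printf 'CHANGED  %s\n' "$path"
            bad=$((bad + 1))
        fi
    done < "$baseline"
    [ "$bad" -gt 255 ] && bad=255
    return "$bad"
}

# Cross-check ps against /proc: a PID present in /proc but missing from
# the CD's ps output is the classic sign of a process-hiding rootkit (or
# a trojaned ps). A process that starts in the instant between the two
# snapshots shows up too, so rerun before acting on a hit. Linux only;
# prints nothing elsewhere.
hidden_pids() {
    [ -d /proc ] || return 0
    seen=$(ps -e -o pid= 2>/dev/null | tr -d ' ')
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        [ -d "$d" ] || continue
        printf '%s\n' "$seen" | grep -qx "$pid" || echo "$pid"
    done
}

# Demonstration on constructed files (in real use the baseline would name
# /bin/ps, /bin/ls, /usr/bin/lsof, /sbin/ifconfig ... from a clean box).
demo() {
    use_trusted_tools
    work=$(mktemp -d)
    printf 'pretend ls binary\n' > "$work/ls"
    printf 'pretend ps binary\n' > "$work/ps"
    make_baseline "$work/baseline" "$work/ls" "$work/ps"
    printf 'replaced with a trojaned copy\n' > "$work/ps"   # simulate tampering
    rm -f "$work/ls"                                        # simulate deletion
    if check_baseline "$work/baseline"; then
        echo "baseline clean"
    else
        echo "$? file(s) differ from baseline"
    fi
    rm -rf "$work"
}

demo
```

Two points worth keeping in mind when using something like this for real: the baseline must be built on a clean machine with the same package versions and carried in on the CD, since a hash list stored on the suspect host can be edited along with the binaries it covers; and a clean result only says the listed files are unchanged, so a kernel-level rootkit that lies to md5sum about file contents is outside what this check, or ps-versus-/proc, can see.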

