Tag Archive: forensic


Hi,

Here is a list of web resources about penetration testing (pentest) and forensics techniques:

Definitions: http://en.wikipedia.org/wiki/Penetration_test  ; http://en.wikipedia.org/wiki/Computer_forensics

Tools and techniques:

Penetration toolkit for Windows: http://pentestlab.wordpress.com/2013/01/07/windows-tools-for-penetration-testing/

Penetration testing framework from Erdal Ozkaya: http://www.erdalozkaya.com/index.php/security/83-penetration-testing-framework-0-58

http://pentestlab.wordpress.com/

http://www.coresecurity.com

http://www.backtrack-linux.org/    ; http://fr.wikipedia.org/wiki/BackTrack  ; http://backtrack-fr.net/

http://www.ampliasecurity.com (home of the well-known WCE, Windows Credentials Editor), http://oss.coresecurity.com/projects/pshtoolkit.html (Pass-the-Hash toolkit)

http://sectools.org/

http://www.truesec.com

– guides:

http://www.bleepingcomputer.com/tutorials/have-i-been-hacked/

http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf

http://www.us-cert.gov/reading_room/forensics.pdf

– library: http://ed-diamond.com/


Main question is: How do I know if I have been hacked?

Sysmon 6: https://technet.microsoft.com/en-us/sysinternals/sysmon  and how to use it: https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow

http://blog.crowdstrike.com/sysmon-2/

http://joshuadlewis.blogspot.fr/2014/10/advanced-threat-detection-with-sysmon_74.html

additional resources on this blog: http://wp.me/p15Zft-od

and some other links:  http://www.computerforensicsworld.com/, http://www.forensics.nl/links
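As an added example (this is not code from the original post, nor from Sysinternals or the Sysmon guides linked above), the PowerShell script below turns the "how do I know if I have been hacked?" question into two concrete Sysmon queries: Event ID 1 (process creation) records where an Office or script host spawned a shell or a living-off-the-land binary, and Event ID 3 (network connection) records where a binary living in a user-writable directory reached a non-private address. The parent/child name lists, the path list, the 24-hour window and the script's parameter names are assumptions chosen for illustration; the script assumes Sysmon is installed with a configuration that logs those two event IDs and that the shell is elevated.

```powershell
<#
  Added example, not part of the original post or of the Sysmon project.
  Hunts the Sysmon operational log for two common compromise patterns:
    1. Office / script-host parent spawning a shell or LOLBin (macro / phishing chain)
    2. a binary in a user-writable directory making an outbound, non-private connection
  Assumes Sysmon logs Event ID 1 (ProcessCreate) and 3 (NetworkConnect) and that
  the shell runs elevated. Name lists and paths below are illustrative assumptions.
#>
[CmdletBinding()]
param(
    [int]$Hours = 24,
    [string]$EvtxPath      # optional: analyse an exported Sysmon .evtx instead of the live log
)
$since = (Get-Date).AddHours(-$Hours)

function Get-SysmonEvents {
    param([int[]]$Id)
    $filter = @{ Id = $Id; StartTime = $since }
    if ($EvtxPath) { $filter.Path = $EvtxPath }
    else           { $filter.LogName = 'Microsoft-Windows-Sysmon/Operational' }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
}

# Sysmon stores its fields as <Data Name="Image">...</Data>. Flatten them into an object
# so the code does not depend on property indices that differ between Sysmon versions.
function ConvertTo-SysmonObject {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $obj = [ordered]@{ TimeCreated = $Event.TimeCreated; Id = $Event.Id }
    foreach ($d in $xml.Event.EventData.Data) { $obj[$d.Name] = $d.'#text' }
    [pscustomobject]$obj
}

function Get-SuspiciousProcessChains {
    # Assumed lists: typical phishing parents and the children they should never launch.
    $parents  = 'winword.exe','excel.exe','powerpnt.exe','outlook.exe','wscript.exe','cscript.exe','mshta.exe'
    $children = 'cmd.exe','powershell.exe','pwsh.exe','rundll32.exe','regsvr32.exe','certutil.exe','bitsadmin.exe','mshta.exe'
    Get-SysmonEvents -Id 1 | ForEach-Object { ConvertTo-SysmonObject $_ } | Where-Object {
        $p = [IO.Path]::GetFileName([string]$_.ParentImage).ToLowerInvariant()
        $c = [IO.Path]::GetFileName([string]$_.Image).ToLowerInvariant()
        ($parents -contains $p) -and ($children -contains $c)
    } | Select-Object TimeCreated, User, ParentImage, Image, CommandLine
}

function Get-OutboundFromWritablePaths {
    # Assumed list of directories a normal user can write to and where droppers usually land.
    $paths   = '\AppData\Local\Temp\', '\AppData\Roaming\', '\Users\Public\', '\ProgramData\', '\Downloads\'
    $private = '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|169\.254\.|fe80:|::1$)'
    Get-SysmonEvents -Id 3 | ForEach-Object { ConvertTo-SysmonObject $_ } | Where-Object {
        $img = $_.Image                      # captured because the nested Where-Object rebinds $_
        $_.Initiated -eq 'true' -and
        $_.DestinationIp -notmatch $private -and
        ($paths | Where-Object { $img -like "*$_*" })
    } | Select-Object TimeCreated, User, Image, DestinationIp, DestinationPort, DestinationHostname
}

$chains  = Get-SuspiciousProcessChains
$beacons = Get-OutboundFromWritablePaths
"Suspicious parent/child chains in the last $Hours h: $(@($chains).Count)"
$chains  | Format-Table -AutoSize -Wrap
"Outbound connections from user-writable paths in the last $Hours h: $(@($beacons).Count)"
$beacons | Format-Table -AutoSize -Wrap
```

Run it as `.\Find-SysmonIndicators.ps1 -Hours 72` on the live host, or with `-EvtxPath C:\case\sysmon.evtx` against a log exported from a suspect machine. An empty result does not prove a clean host; it only means these two patterns did not fire within the window, so pair it with the Autoruns and event-log checks further down.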

The first step is to scan your computer with a rootkit detector (the bleepingcomputer guide linked above points to several in its download section).

Toolkit to help you:

– Volatility: http://www.volatilityfoundation.org/

– Crowdstrike: http://www.crowdstrike.com/community-tools/index.html

– McAfee foundstone free tools: http://www.mcafee.com/us/downloads/free-tools/index.aspx

– Powershell windows forensics: https://github.com/Invoke-IR/PowerForensics

– Powershell windows forensics: https://github.com/gfoss/PSRecon

– Powershell windows forensics: https://github.com/davehull/Kansa

http://www.powershellmagazine.com/2014/07/18/kansa-a-powershell-based-incident-response-framework/

– forensic toolkits: http://www.sleuthkit.org/, http://sourceforge.net/projects/autopsy/

– online scanning: http://www.virustotal.com

– Windows event logs (Security, System, Application and the Sysmon operational log)

– Windows safe mode (boot into it and run Autoruns from Sysinternals to spot unfamiliar autostart applications and services)

– autoruns, procexp, procmon, tcpview, handle, psloggedon (http://www.microsoft.com/sysinternals)

– treesize pro (http://www.jam-software.com/treesize/)

– closethedoor (http://sourceforge.net/projects/closethedoor/)

– Wireshark (https://www.wireshark.org/download.html) or Microsoft Message Analyzer (http://www.microsoft.com/en-us/download/details.aspx?id=40308)

– nmap: http://nmap.org/download.html#windows

– traceroute: http://www.net.princeton.edu/traceroute.html
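The toolkit list above (Autoruns, tcpview, Windows event logs) becomes a repeatable triage when scripted. As an added example, not code from the original post or from Sysinternals, the PowerShell script below runs the command-line Autoruns (`autorunsc.exe`) and keeps only autostart entries whose binary does not carry a verified signature, pulls account creation (4720), local group additions (4732) and RDP logons (4624 with logon type 10) from the Security log, and lists listening TCP ports with their owning process as tcpview would. The path to `autorunsc.exe`, the 24-hour window and the function names are assumptions; the Security-log property indices follow the documented 4720/4732/4624 event schemas, and the script assumes an elevated shell.

```powershell
<#
  Added example, not part of the original post or of Sysinternals.
  Quick host triage with the tools listed above:
    1. autostart entries without a verified signer (Autoruns)
    2. new accounts, group additions and RDP logons (Security event log)
    3. listening TCP ports mapped to their process (tcpview equivalent)
  Assumes an elevated shell and autorunsc.exe at $AutorunscPath (assumed location).
#>
[CmdletBinding()]
param(
    [int]$Hours = 24,
    [string]$AutorunscPath = '.\autorunsc.exe'   # assumption: Sysinternals autorunsc.exe in the current directory
)
$since = (Get-Date).AddHours(-$Hours)

# 1. Autostart entries whose image is not signed by a verified publisher.
#    autorunsc flags: -a * all categories, -c CSV output, -h file hashes, -s verify signatures.
function Get-UnverifiedAutoruns {
    $entries = & $AutorunscPath -accepteula -nobanner -a * -c -h -s 2>$null | ConvertFrom-Csv
    $entries | Where-Object { $_.'Image Path' -and $_.Signer -notlike '(Verified)*' } |
        Select-Object 'Entry Location', Entry, 'Image Path', Signer, 'SHA-256'
}

# 2. Security log: 4720 account created, 4732 member added to a local group,
#    4624 logon with LogonType 10 (RemoteInteractive, i.e. RDP).
function Get-AccountAndLogonEvents {
    $filter = @{ LogName = 'Security'; Id = 4720, 4732, 4624; StartTime = $since }
    foreach ($e in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        switch ($e.Id) {
            4720 {  # Properties[0] = TargetUserName (the new account)
                [pscustomobject]@{ Time = $e.TimeCreated; What = 'Account created'
                                   Detail = $e.Properties[0].Value }
            }
            4732 {  # Properties[0] = MemberName, Properties[2] = TargetUserName (the group)
                [pscustomobject]@{ Time = $e.TimeCreated; What = 'Added to local group'
                                   Detail = "$($e.Properties[0].Value) -> $($e.Properties[2].Value)" }
            }
            4624 {  # Properties[5] = TargetUserName, [8] = LogonType, [18] = IpAddress
                if ($e.Properties[8].Value -eq 10) {
                    [pscustomobject]@{ Time = $e.TimeCreated; What = 'RDP logon'
                                       Detail = "$($e.Properties[5].Value) from $($e.Properties[18].Value)" }
                }
            }
        }
    }
}

# 3. Listening TCP ports with the process that owns them (what tcpview shows interactively).
function Get-ListeningProcesses {
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{ LocalAddress = $_.LocalAddress; Port = $_.LocalPort
                           PID = $_.OwningProcess; Process = $p.ProcessName; Path = $p.Path }
    } | Sort-Object Port, LocalAddress
}

'=== Autostart entries without a verified signature ==='
Get-UnverifiedAutoruns      | Format-Table -AutoSize -Wrap
"=== Account / logon events in the last $Hours h ==="
Get-AccountAndLogonEvents   | Sort-Object Time | Format-Table -AutoSize -Wrap
'=== Listening TCP ports ==='
Get-ListeningProcesses      | Format-Table -AutoSize
```

The unverified-signer filter is deliberately broad: legitimate unsigned software will show up too, so compare the SHA-256 column against VirusTotal (listed above under online scanning) before drawing conclusions, and run the same script on a known-good build of the same image to get a baseline to diff against.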

Based on my 22 years of experience as a sysadmin, I recommend these free tools for forensic analysis and systems assessment:

https://blogs.microsoft.com/microsoftsecure/

http://adsecurity.org

http://www.thehackernews.com

Tools:

Powershell windows forensics: https://github.com/Invoke-IR/PowerForensics

Powershell windows forensics: https://github.com/gfoss/PSRecon

Powershell windows forensics: https://github.com/davehull/Kansa

http://www.powershellmagazine.com/2014/07/18/kansa-a-powershell-based-incident-response-framework/

Timeline Tools

RegRipper

FTK Imager

Volatility: http://www.volatilityfoundation.org/

http://www.crowdstrike.com/community-tools/index.html

McAfee foundstone free tools: http://www.mcafee.com/us/downloads/free-tools/index.aspx

http://www.truesec.com/tools/

http://www.joeware.net

http://helgeklein.com/setacl/

http://www.microsoft.com/sysinternals

http://www.systemtools.com

http://www.netikus.net

http://www.insecure.org  and http://sectools.org

http://joshuadlewis.blogspot.fr/2014/10/advanced-threat-detection-with-sysmon_74.html