Sunday, May 25, 2008

Evidence Collector - Beta: New Auditing Utility (+ some Bonus Finds)

Why does it always seem to me that the weeks that the best new utilities come out that I find myself swamped at work and not really having the time to sit down and evaluate these gems?

Case in point: Security Database Tools Watch - Evidence Collector Beta released

The fine team at Security Database has been best known (to me and many others) for their FireCAT project. FireCAT is a collection of Firefox Add-on's that help with system auditing and assessment from a security perspective. Great stuff.

So when I saw this new beta-release tool offered, I instantly had to drop what I was doing and check it out.

I would hesitate a bit to label it a "forensics" evidence collector. Instead I see its use more in line with system assessment and auditing. As such, I found it to be a great and useful tool to collect a ton of log data very quickly.

From the product description page:

Features :

- System information : Get owner, IP, MAC address before going through forensics.
- Shares and policies applied on shares : very handy to detect if someone gets into computer from opened shares.
- Started and stopped services : Some services could be a wide opened doors to get unauthorized accesses.
- Installed softwares : Unwanted softwares could be installed without your knowledge. See what inside your computer
- Installed Hotfixes : Enumerating installed hotfixes. Note that a missed critical patch is a potential exploitable vulnerability.
- Enumerated Processes : List whole processes starting on system.
- Events logs : Application, system and security events logs are collected. Events logs keep traces of what happened to system.
- TCP / UDP mapping endpoints : See what hidden behind TCP / UDP ports. Generally, most of remote administration tools and trojans don’t hide their activities.
- Process handles tracking: See what processes did when started. From accessing Registry keys to writing into files. Useful to see if evil activities are not disguised behind some processes.
- List start-up programs : When rebooting computers, many evil programs stick into registry keys in order to be reloaded again.
- Suspected modules : Scanning modules to see if they are rootkitted.
- USB history : Reveals if any USB key has been plugged into system.
- Users policies : Collecting users and their policy. You can easily identify any unknown user.
- And more...

In-progress features integration :

- Files MD5 hashes generating
- Essential files and registry keys permissions enumeration
- More rootkit revealers support
- Windows Events ID scanner and tracker
- Advanced Log Viewer

Get it and Run it

Follow the links and download the zip file. Unpack it.

Inside you will see the main exe program launcher "EvidenceCollector" along with a readme file and a system file needed to facilitate the program's operation.

There are three folders also. "GFX" contains an image used by the program. The "Logs" will become the repository of your log-files generated. Finally there is the "utilities" folder which contains the actual applications doing the back-end work.

The launcher/manager calls to the following tools, all of which are available independent of this tool: Autorunsc, Fport, Handle, ListDLLs, modGREPER, OpenedFilesView, policy (DumpWin), PsFile, PsInfo, PsList, PsLogList, Sigcheck, StartupRun, TCPVcon, USBHistory, users (Inx download at bottom of page).

Just click on the main launcher program and it will first check to see if the profile account you are running it under has sufficient privileges to execute properly (Administrator rights required).

Once loaded, just click the "Start collecting Data" bar at the bottom.

It will then go through the process of running each tool and outputting the resulting log file into the log folder. Run-times vary depending on the system and amount of activity captured. On my systems it took just under a minute to run.

On my Windows XP Pro system it collected a great number of helpful log reports. On my XP Home system it generated a single log file of minimal value. I'm not sure if it is Home/Pro thing or if some of my home security apps are giving it some grief.

Update: Late last night, I realized why the reports were not all being generated on my XP Home system when they were working find on my XP Pro system. Turns out that I had been running it on my work machine from my second partition (not the system partition). On my home system I had unpacked and ran it from my C: (system) partition. So I moved it to my D: and ran it. Worked perfectly. Lots of logs! 26 in fact. Folks running it from USB shouldn't encounter that "problem". Next time I get a chance I will have to do a followup post outlining the log report files generated and how they might be useful.

Running from a non-system partition is not really clear in the release notes. Makes sense however as you might not want to be dumping log data directly onto the HDD you are attempting to analyze.

I would also toss in Harlan Carvey's excellent RegRipper tool to run in parallel with your system information collection tools.

Bonus Material

Harlan has a new post that links to a few more neat tools: Windows Incident Response: More Free Tools

Specifically, NetworkMiner which.

...can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files.

The purpose of NetworkMiner is to collect data (such as forensic evidence) about hosts on the network rather than to collect data regarding the traffic on the network. The main view is host centric (information grouped per host) rather than packet centric (information showed as a list of packets/frames).

Adding this one to my laptop and USB stick.

gHacks also points us to a utility which might be valuable to notebook road-warriors.

NetSetMan - (free/$) - The free version allows you to set up to six IP configurations for your laptop or portable desktop system. Just hook up to the network, run the utility and it will instantly configure your network interface for your preferred settings. Could be a real time-saver if you connect to various locations frequently. The Pro version brings unlimited number of configurations, proxy support, and browser home page configurations. Network Settings Manager - gHacks review

While tracking down the source of some of those previously mentioned utilities, I found this Tools from NII Consulting page. It contains some various free security and auditing tools.

SEEM (System Eyes & Ears Monitor) v4.5 - (freeware) - This is another "Wunder-Tool" that provides an almost holistic view of key system parameters and operations. It will warrant a post-of-it's own. I think I have mentioned it before here at GSD but this is a newer release. If you are curious, visit the linked (translated) page. Read the Description page. Then hit the "Remote loading" page which Yahoo! is not correctly translating to "Downloads". Should be fully portable to run on USB as no installer is required. Download, extract and run.

All Muy Bueno!

--Claus

No comments: