PILAR
Risk analysis and management tool. Assesses risk against critical assets, supports both qualitative and quantitative analysis, and generates risk assessment reports.
AlienVault
Busk-security
Kiwi Syslog
Message management tool for servers and network devices: collects syslog messages, SNMP traps and Windows event log messages and displays them in real time.
Splunk Light
Collects, monitors and analyzes logs from servers, applications and other sources.
Report writing tools
MagicTree
KeepNote
FTK Imager
Data preview and imaging tool for examining files and folders on local hard drives, CDs/DVDs and network drives, and for examining the contents of forensic images or memory dumps.
R-Drive...
Creates disk image files for backup or duplication. An image can be restored to the original disk, to any other partition, or to a hard drive's free space, so a system can be recovered after heavy data loss caused by an operating system crash, virus attack or hardware failure.
Data Acquisition Toolbox
EnCase Forensic
RAID Recovery for Windows
R-Tools R-Studio
F-Response Imager
HashCalc
Computes multiple hashes, checksums and HMACs for files, text and hex strings.
MD5 Calculator
HashMyFiles
Small utility that calculates the MD5 and SHA1 hashes of one or more files on the system. The hash list can be copied to the clipboard or saved as a text, HTML or XML file.
PsUptime (Windows)
ListDLLs (Windows)
PsList.exe (Windows)
Displays basic information about the processes already running on a system, including how long each process has been running in kernel mode and in user mode.
top (Linux)
Displays system summary information and a list of the processes or threads the Linux kernel is currently managing.
w (Linux)
ps (Linux)
pstree (Linux)
PsLoggedOn (Windows)
Applet that displays both the locally logged-on users and the users logged on via resource shares, for either the local computer or a remote one. If you specify a user name instead of a computer, it searches the computers in the network neighborhood and reports whether that user is currently logged on.
Manages server connections. Used without parameters, it displays information about all logged-in sessions on the local computer.
LogonSessions (Windows)
Lists the currently active logon sessions and, with the -p option, the processes running in each session.
who (Linux)
lastlog (Linux)
w (Linux)
Displays a summary of system usage, the currently logged-on users and what each user is doing.
passwd (Linux)
nbtstat
Troubleshoots NetBIOS name resolution problems. When a network is functioning normally, NetBIOS over TCP/IP (NetBT) resolves NetBIOS names to IP addresses.
nbtstat -c
Displays the contents of the NetBIOS name cache, which holds NetBIOS name-to-IP address mappings.
nbtstat -n
Displays the names registered locally on the system by NetBIOS applications such as the server and redirector.
nbtstat -r
Displays the count of NetBIOS names resolved by broadcast and by querying a WINS server.
nbtstat -S
Displays the NetBIOS client and server sessions table, listing the remote computers by IP address.
netstat
netstat -a
Displays all active TCP connections and the TCP and UDP ports on which the computer is listening.
netstat -e
Displays Ethernet statistics, such as the number of bytes and packets sent and received.
netstat -n
Displays active TCP connections, with addresses and port numbers expressed numerically rather than resolved to names.
netstat -o
Displays active TCP connections and includes the process ID (PID) that owns each connection. The PID can be matched to an application on the Details or Processes tab of Windows Task Manager.
netstat -r
Displays the contents of the IP routing table. Equivalent to the route print command.
netstat interval
Redisplays the selected information every interval seconds; press CTRL+C to stop. If interval is omitted, netstat prints the selected information once.
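The switches above are what a responder types on a suspect Windows host; the next step is usually to pull `netstat -ano` output into a script and pivot on the PID column. The following is an added example, not code from the original page: it parses the table netstat prints, groups rows by PID, and flags two things a responder looks at first, listening ports outside an allow-list and established sessions to addresses outside the organization's ranges. The sample output, the allow-list of expected listeners and the set of internal address ranges are constructed assumptions for the example.

```python
"""Triage of Windows `netstat -ano` output. Added example, not from the page."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` output (Windows column layout).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       5120
  TCP    10.0.0.15:49712        10.0.0.7:445           ESTABLISHED     4
  TCP    10.0.0.15:49801        203.0.113.9:8443       ESTABLISHED     5120
  TCP    [::]:135               [::]:0                 LISTENING       912
  UDP    0.0.0.0:123            *:*                                    1180
"""

# Assumption: ports expected to listen on a domain-joined Windows host.
EXPECTED_LISTENERS = {135, 139, 445, 3389, 5985}

# Assumption: the organization's address space plus loopback/link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

# proto, local, foreign, optional state (UDP rows have none), pid
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def _split_addr(addr):
    """'[::]:135' -> ('::', 135); '*:*' -> ('*', None)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text):
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # banner and column-header lines
        proto, local, foreign, state, pid = m.groups()
        lhost, lport = _split_addr(local)
        fhost, fport = _split_addr(foreign)
        rows.append({"proto": proto, "local_host": lhost, "local_port": lport,
                     "remote_host": fhost, "remote_port": fport,
                     "state": state, "pid": int(pid)})
    return rows


def _is_external(host):
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # '*' or a hostname: nothing to classify
    if ip.is_unspecified:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def triage(rows, expected=EXPECTED_LISTENERS):
    """Return (kind, pid, detail) findings worth a closer look."""
    findings = []
    for r in rows:
        if r["state"] == "LISTENING" and r["local_port"] not in expected:
            findings.append(("unexpected-listener", r["pid"], r["local_port"]))
        if r["state"] == "ESTABLISHED" and _is_external(r["remote_host"]):
            findings.append(("external-connection", r["pid"],
                             f'{r["remote_host"]}:{r["remote_port"]}'))
    return findings


def by_pid(rows):
    """Group rows by owning PID so one process's sockets are read together."""
    groups = defaultdict(list)
    for r in rows:
        groups[r["pid"]].append(r)
    return dict(groups)


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for finding in triage(rows):
        print(finding)
```

In the sample, PID 5120 both listens on 4444 and holds a session to an outside address, which is the kind of correlation worth making before looking up the process name (on Windows, `tasklist /fi "PID eq 5120"` or the PID column in Task Manager).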
Cyber Triage
Helps incident responders and forensic investigators determine whether a host is compromised through simplified collection and analysis of endpoint data. It can analyze a disk image, a memory image, or a live system over the network, so response teams can gather data from a remote system without installing an agent on it.
Process Explorer
Shows which handles and DLLs each process has opened or loaded.
Forensic Explorer
Recovers and analyzes hidden and system files, deleted files, file and disk slack, and unallocated clusters.
Delivers analysis, decryption and password cracking through an intuitive, customizable interface, and can use a back-end database to handle large data sets.
Software for viewing, monitoring and analyzing events recorded in the security, system, application and other logs of Microsoft Windows. It helps to quickly browse, find and report on problems, security warnings and all other events generated within Windows.
OSForensics
Helps discover relevant forensic data faster with high-performance file search and indexing, and restores deleted files. It identifies suspicious files and activity with hash matching and drive signature comparison, and looks into e-mail, memory and binary data. It also manages the digital investigation, organizes information and creates reports on the collected forensic data.
Helix3
Gives visibility across the entire infrastructure, revealing malicious activity such as internet abuse, data sharing and harassment. Through a central administration tool it lets you isolate and respond to incidents quickly and without user detection, and detect, identify, analyze, preserve and report on the evidence.
Autopsy
Digital forensics platform and graphical interface to The Sleuth Kit and other digital forensics tools. It helps incident handlers view the file system, retrieve deleted data, perform timeline analysis and examine web artifacts during an incident response.
EnCase Forensic
Collects data from many device types and extracts potential evidence, then generates an evidence report. It helps incident responders acquire large amounts of evidence as fast as possible, from laptops and desktops to mobile devices.
Foremost
Recovers files based on their headers, footers and internal data structures, a process commonly referred to as data carving.
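The description above names the three things a carver keys on: headers, footers and internal structure. The block below is an added example (not Foremost's code) that does both kinds of carving on a constructed byte buffer standing in for unallocated space: JPEG by start marker (FF D8 FF) and end marker (FF D9), and PNG by walking its chunk structure (length, type, data, CRC) to the IEND chunk and verifying every CRC, so a truncated or overwritten fragment is skipped instead of carved as garbage. The magic values are the real ones; the sample image is constructed.

```python
"""Header/footer and structure-aware file carving. Added example, not Foremost's code."""
import struct
import zlib

JPEG_SOI = b"\xff\xd8\xff"       # SOI marker plus the FF of the first segment
JPEG_EOI = b"\xff\xd9"           # end-of-image marker
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _png_length(image, hdr):
    """Walk PNG chunks from the signature at `hdr` to IEND.

    Returns the file length, or None if a chunk runs past the image or its
    CRC does not verify (truncated or overwritten fragment).
    """
    pos = hdr + 8
    while pos + 8 <= len(image):
        length, ctype = struct.unpack_from(">I4s", image, pos)
        chunk_end = pos + 8 + length + 4
        if chunk_end > len(image):
            return None
        data = image[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack_from(">I", image, chunk_end - 4)
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            return None
        if ctype == b"IEND":
            return chunk_end - hdr
        pos = chunk_end
    return None


def carve(image):
    """Return [(type, offset, bytes)] for every recoverable JPEG and PNG."""
    found = []
    start = 0
    while (hdr := image.find(JPEG_SOI, start)) != -1:
        # Footer carving: cut at the first EOI after the header. A JPEG with an
        # embedded thumbnail has an earlier EOI, which is why full carvers also
        # cap the size and parse segment lengths; kept simple here.
        ftr = image.find(JPEG_EOI, hdr + len(JPEG_SOI))
        if ftr == -1:
            break
        found.append(("jpg", hdr, image[hdr:ftr + len(JPEG_EOI)]))
        start = ftr + len(JPEG_EOI)
    start = 0
    while (hdr := image.find(PNG_SIG, start)) != -1:
        size = _png_length(image, hdr)
        if size is None:
            start = hdr + 1      # broken structure: skip it, keep scanning
            continue
        found.append(("png", hdr, image[hdr:hdr + size]))
        start = hdr + size
    return sorted(found, key=lambda f: f[1])


def _png_chunk(ctype, data):
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_sample_image():
    """Constructed 'unallocated space': filler, two JPEG-like files, one valid
    PNG and one truncated PNG (signature and IHDR only, no IEND)."""
    filler = b"\x00" * 512
    jpg1 = JPEG_SOI + b"\xe0" + b"JFIF-sample-1" + JPEG_EOI
    jpg2 = JPEG_SOI + b"\xdb" + b"\x00" * 20 + JPEG_EOI
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1 pixel, 8-bit grayscale
    png = (PNG_SIG + _png_chunk(b"IHDR", ihdr)
           + _png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
           + _png_chunk(b"IEND", b""))
    truncated_png = PNG_SIG + _png_chunk(b"IHDR", ihdr)
    return filler + jpg1 + filler + png + filler + truncated_png + filler + jpg2 + filler


if __name__ == "__main__":
    for kind, offset, data in carve(make_sample_image()):
        print(f"{kind} at offset {offset}, {len(data)} bytes")
```

The truncated PNG is found by its signature but rejected in `_png_length`, which is the practical difference between signature matching and structure-aware carving: the former produces a file for every header it sees, the latter only for fragments that still parse.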
TCPView
Shows detailed listings of all TCP and UDP endpoints on the system, including the local and remote addresses and the state of TCP connections.
Process Monitor
Shows real-time file system, registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds many enhancements, including rich and non-destructive filtering, comprehensive event properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, and simultaneous logging to a file.
PC system utility that cleans out unneeded files and data, cleans the Windows registry, automatically fixes system errors and applies optimizations to the system.
Create services
Delete services
Start/stop/restart services
Install and start a legacy driver with a single call
Has the most comprehensive knowledge of auto-start locations of any startup monitor: it shows which programs are configured to run during system boot or login and lists the entries in the order Windows processes them.
Loggly
Automatically recognizes common log formats and gives a structured summary of all parsed logs. It provides real-time log monitoring, system behavior and unusual-activity views, and brings logs up from the depths of an organization's infrastructure to track activity and analyze trends.
Automatically monitors what gets placed on the system when a program is installed (which files and registry entries are created) and allows the program to be uninstalled completely.
Live System Analysis: Files and Folder Monitoring Tools
SIGVERIF
Windows File Signature Verification tool (sigverif.exe): checks whether system files and drivers are digitally signed and lists those that are not.
DriverView
Displays the list of all device drivers currently loaded on the system.
Portable network analyzer for both LANs and WLANs that performs real-time packet capture, 24/7 network monitoring, advanced protocol analysis, in-depth packet decoding and automatic expert diagnosis.
DNSQuerySniffer
Shows the DNS queries sent from the system. For every query it displays the host name, port number, query ID, request type (A, AAAA, NS, MX and so on), request time, response time, duration, response code, number of records and the content of the returned DNS records.
API Monitor
Monitors and displays the Win32 API calls made by applications. It can trace any exported API and shows the function name, call sequence, input and output parameters, return value and more.
schtasks
Windows command-line tool for creating, querying, changing, running, ending and deleting scheduled tasks on a local or remote computer.
Wireshark
Network protocol analyzer. It captures and interactively browses the traffic passing through a network.
HashMyFiles
Produces hash values of a file using the MD5, SHA1, CRC32, SHA-256, SHA-512 and SHA-384 algorithms.
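HashCalc and HashMyFiles (listed earlier under data acquisition and again here) compute file digests and HMACs; md5deep-style tools additionally match each file against a set of known hashes. The block below is an added example, not the page's or any of these tools' code: it streams a file once through several digests, produces a keyed HMAC, and splits a set of files into "matches a known hash" and "does not", the positive/negative matching a responder uses to separate known-good system files from everything else. The files and the known-hash set are constructed inside the example.

```python
"""Multi-algorithm file hashing with known-hash matching. Added example."""
import hashlib
import hmac
import os
import tempfile

ALGORITHMS = ("md5", "sha1", "sha256")


def hash_file(path, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Compute several digests in a single pass so large images are read once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hmac_file(path, key, algorithm="sha256", chunk_size=1 << 20):
    """Keyed digest: anyone can recompute a plain hash of evidence, but only a
    holder of `key` can produce a matching HMAC for a hash list."""
    mac = hmac.new(key, digestmod=algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            mac.update(chunk)
    return mac.hexdigest()


def match_known(results, known_sha256):
    """Split {name: digests} into files whose SHA-256 is in the known set and
    files whose is not (the md5deep -m / -x modes, on SHA-256)."""
    matched, unmatched = [], []
    for name, digests in results.items():
        (matched if digests["sha256"] in known_sha256 else unmatched).append(name)
    return matched, unmatched


def demo():
    """Constructed files: one whose hash is 'known good', one that is not."""
    with tempfile.TemporaryDirectory() as tmp:
        paths = {}
        for name, content in (("known.bin", b"hello"), ("unknown.bin", b"hello world")):
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(content)
            paths[name] = path
        results = {name: hash_file(path) for name, path in paths.items()}
        # Known-hash set (constructed): SHA-256 of b"hello".
        known = {"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"}
        matched, unmatched = match_known(results, known)
        key = b"analyst-signing-key"   # assumption: shared secret for the hash list
        expected = hmac.new(key, b"hello", "sha256").hexdigest()
        # compare_digest: constant-time comparison, avoids timing leaks on MACs
        hmac_ok = hmac.compare_digest(hmac_file(paths["known.bin"], key), expected)
        return results, matched, unmatched, hmac_ok


if __name__ == "__main__":
    results, matched, unmatched, hmac_ok = demo()
    for name, digests in results.items():
        print(name, digests["sha256"])
    print("matched:", matched, "unmatched:", unmatched, "hmac ok:", hmac_ok)
```

Matching is done on SHA-256 deliberately: MD5 and SHA-1 collisions are practical, so a hash set keyed on them can be satisfied by a crafted file. Record MD5 and SHA-1 only for compatibility with older hash sets and reports.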
VirusTotal
Free service that analyzes suspicious files and URLs and facilitates the detection of viruses, worms, Trojans and so on.
BinText
Text extractor that can pull strings from any kind of file, finding plain ASCII text, Unicode text and resource strings, with useful information for each item.
PEiD
Provides details about Windows executable files. It identifies signatures associated with over 600 different packers and compilers.
Memory Dump Analysis: Finding the Portable Executables (PE) Information Tools
PE Explorer
Opens, views and edits a variety of 32-bit Windows executable file types, from the common (EXE, DLL and ActiveX controls) to the less familiar (SCR screensavers, CPL Control Panel applets, SYS, MSSTYLES, BPL, DPL and more, including executables for the Windows Mobile platform).
Dependency Walker
Lists all the modules an executable depends on and builds a hierarchical tree diagram of them.
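PEiD, PE Explorer and Dependency Walker all start from the same structures: the DOS header, the PE signature, the COFF header and the section table. The block below is an added example, not code from any of those tools: it parses those structures and applies two heuristics analysts use to spot a packed sample before opening a disassembler, packer-specific section names (UPX0/UPX1 and similar) and near-random section contents measured by Shannon entropy, plus a check for sections that are both writable and executable. PEiD proper matches byte signatures at the entry point; these heuristics complement that rather than replace it. The PE images are built in memory so the example runs offline; the section names in the packer list are the ones those packers are known to use.

```python
"""PE section-table parsing and packer heuristics. Added example."""
import hashlib
import math
import struct
from collections import Counter

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata",
                        ".petite", "MPRESS1", "MPRESS2"}
COFF_FMT = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data):
    """Bits per byte, 0.0 for constant data up to 8.0 for uniform random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(data):
    """Parse DOS header, PE signature, COFF header and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, e_lfanew + 4)
    opt_off = e_lfanew + 24                    # signature (4) + COFF header (20)
    (magic,) = struct.unpack_from("<H", data, opt_off)
    sec_off = opt_off + opt_size
    sections = []
    for i in range(nsections):
        (name, vsize, vaddr, raw_size, raw_ptr,
         _, _, _, _, chars) = struct.unpack_from(SECTION_FMT, data, sec_off + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "raw_size": raw_size,
                         "entropy": round(shannon_entropy(raw), 3),
                         "characteristics": chars})
    return {"machine": hex(machine), "pe32plus": magic == 0x20B, "sections": sections}


def assess_packing(info, entropy_threshold=7.0):
    """Return (section, reason) pairs suggesting a packer or self-modifying code."""
    flags = []
    for s in info["sections"]:
        if s["name"] in PACKER_SECTION_NAMES:
            flags.append((s["name"], "packer-section-name"))
        if s["raw_size"] >= 256 and s["entropy"] >= entropy_threshold:
            flags.append((s["name"], "high-entropy"))
        if s["characteristics"] & IMAGE_SCN_MEM_EXECUTE and s["characteristics"] & IMAGE_SCN_MEM_WRITE:
            flags.append((s["name"], "writable+executable"))
    return flags


def build_sample_pe(sections):
    """Constructed minimal PE32 image (no data directories, no imports) from
    [(name, raw_bytes, characteristics)]; enough for the parser above."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew: PE header right after
    opt_size = 96                                  # PE32 optional header, no directories
    coff = struct.pack(COFF_FMT, 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + bytes(opt_size - 2)
    raw_ptr = 64 + 4 + len(coff) + opt_size + 40 * len(sections)
    table, blobs = b"", b""
    for name, data, chars in sections:
        table += struct.pack(SECTION_FMT, name.ljust(8, b"\0"), len(data), 0x1000,
                             len(data), raw_ptr, 0, 0, 0, 0, chars)
        blobs += data
        raw_ptr += len(data)
    return bytes(dos) + b"PE\0\0" + coff + opt + table + blobs


def pseudo_random_bytes(n):
    """Deterministic stand-in for compressed/encrypted payload (SHA-256 chain)."""
    out = bytearray()
    i = 0
    while len(out) < n:
        out += hashlib.sha256(i.to_bytes(4, "little")).digest()
        i += 1
    return bytes(out[:n])


if __name__ == "__main__":
    packed = build_sample_pe([(b"UPX0", b"\0" * 64, 0xE0000080),
                              (b"UPX1", pseudo_random_bytes(4096), 0xE0000040)])
    print(assess_packing(parse_pe(packed)))
```

A high-entropy `.rsrc` or `.data` section is not on its own evidence of packing (embedded images and certificates are also high-entropy), so the reasons are reported separately rather than collapsed into a verdict.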
IDA Pro
Multiplatform disassembler and debugger that explores binary programs, for which source code is not always available, and creates maps of their execution.
Volatility Framework
Memory forensics framework that extracts artifacts (running processes, network connections, loaded modules, injected code and so on) from a captured RAM image rather than from the live system. It helps incident responders conduct a deeper analysis to assess the impact, location and propagation methods of the malware.
SSDT View
Lists the most significant aspects of the System Service Descriptor Table (SSDT), including service indexes, service addresses, service names and the module that owns each service address.
RogueKiller
Antimalware that detects and removes generic malware and advanced threats such as rootkits, rogues and worms. It also detects potentially unwanted programs (PUPs) and possibly unwanted system modifications or corruptions (PUMs).
CapLoader
Designed to handle large amounts of captured network traffic. It indexes PCAP/PcapNG files and visualizes their contents as a list of TCP and UDP flows.
Antivirus Tools
ClamWin
Free, open-source antivirus program for Windows with a fast installer and an easy-to-use interface for detecting and cleaning infections. It provides high detection rates for viruses and spyware and a scanning scheduler.
Netcraft
Provides updated information about the sites users visit regularly and blocks dangerous sites.
PhishTank
Collaborative clearinghouse for data and information about phishing on the internet.
MxToolbox
Makes email headers human-readable by parsing them according to RFC 822. Headers are present on every email received over the internet and carry diagnostic information such as hop delays and antispam results. Incident handlers can use the tool to analyze headers and identify spam and spoofed messages.
G Suite Toolbox
Email Dossier
Part of the CentralOps.net suite of online network utilities. An incident handler can use it to check the validity of an email address; it reports information about the address, including the mail exchange records. The tool initiates SMTP sessions to check whether the address is accepted but never actually sends email.
eMailTrackerPro
Analyzes email headers and reveals information such as the sender's geographical location and IP address. Past traces are saved, so the investigator can review them later.
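MxToolbox and eMailTrackerPro above both work from the Received: chain in the headers. The block below is an added example, not either tool's code: it walks that chain in transit order (the last Received: header is the first hop, since each MTA prepends its own), computes per-hop delay, records the connecting IP each MTA logged, and applies the checks a responder makes on a suspected phish: a Reply-To domain that differs from From, a failed SPF or DKIM result in Authentication-Results, and a relay that the receiving server could not reverse-resolve. The message is constructed for the example and uses reserved example hostnames.

```python
"""Received: chain analysis for a suspected phishing message. Added example."""
import email
import re
from email.utils import parseaddr, parsedate_to_datetime

# Constructed message headers. Each MTA prepends its Received: line, so the
# topmost is the final hop and the bottommost is where the message entered.
SAMPLE_HEADERS = """\
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
\tby inbox.example.net with ESMTPS id abc123
\tfor <victim@example.net>; Mon, 04 Mar 2024 10:05:30 +0000
Received: from mail.bank.example (unknown [198.51.100.77])
\tby mx1.example.net with ESMTP id def456;
\tMon, 04 Mar 2024 10:05:28 +0000
Received: from [10.0.0.5] (localhost [127.0.0.1])
\tby mail.bank.example with ESMTP id ghi789;
\tMon, 04 Mar 2024 10:04:50 +0000
Authentication-Results: inbox.example.net; spf=fail smtp.mailfrom=bank.example
From: "Bank Support" <support@bank.example>
Reply-To: support@bank-help.example
To: victim@example.net
Subject: Urgent: verify your account
Date: Mon, 04 Mar 2024 10:04:45 +0000

Please click the link below.
"""

# from <host> (<reverse-dns> [<ip>]) by <host> ... ; <date>
_RECEIVED = re.compile(
    r"^from\s+(?P<from>\S+)(?:\s+\((?P<helo>[^)]*)\))?\s+by\s+(?P<by>\S+).*?;\s*(?P<date>.+)$")
_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(raw):
    """Return (message, hops) with hops in transit order (earliest first)."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())          # unfold continuation lines
        m = _RECEIVED.match(flat)
        if not m:
            continue                            # non-standard header: keep going
        helo = m.group("helo") or ""
        ip = _IPV4.search(helo)
        hops.append({"from": m.group("from"),
                     "rdns": helo.split(" ")[0] if helo else None,
                     "ip": ip.group(1) if ip else None,
                     "by": m.group("by"),
                     "time": parsedate_to_datetime(m.group("date").strip())})
    hops.reverse()
    return msg, hops


def hop_delays(hops):
    """Seconds spent between consecutive hops; negative means clock skew or forgery."""
    return [(b["time"] - a["time"]).total_seconds() for a, b in zip(hops, hops[1:])]


def _domain(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def analyze(raw):
    msg, hops = parse_received(raw)
    findings = []
    for hop, delay in zip(hops[1:], hop_delays(hops)):
        if delay < 0:
            findings.append(f"negative delay at {hop['by']}: skew or forged Received")
    for hop in hops:
        if hop["rdns"] == "unknown":
            findings.append(f"{hop['by']} could not reverse-resolve {hop['ip']}")
    from_dom, reply_dom = _domain(msg["From"]), _domain(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    auth = " ".join(msg.get("Authentication-Results", "").split())
    if "spf=fail" in auth or "dkim=fail" in auth:
        findings.append("authentication failed: " + auth)
    return hops, findings


if __name__ == "__main__":
    hops, findings = analyze(SAMPLE_HEADERS)
    for h, d in zip(hops, [0.0] + hop_delays(hops)):
        print(f"{h['ip']:>15} -> {h['by']:<20} +{d:.0f}s")
    print("\n".join(findings))
```

Only the Received: line written by a server you trust (here the organization's own inbox and MX) is reliable; anything below it was supplied by the sender and can be forged, which is why the first-hop private address is reported as data rather than as a finding.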
PoliteMail
G-Lock Analytics
Tools for Email Log Analysis
EventLog Analyzer
Provides log management with agent-based and agentless log collection, custom log parsing, and complete log analysis with reports and alerts.
Recover My Email
Mail recovery software that recovers deleted email messages from Microsoft Outlook PST files or Microsoft Outlook Express DBX files.
Antiphishing Tools
Gophish
Open-source phishing toolkit that helps incident responders and businesses run real-world phishing simulations.
Antispamming Tools
SPAMfighter
Automatically removes spam and phishing emails from the inbox.
Gpg4win
Enables users to securely transport emails and files using encryption and digital signatures.
regshot
Reg Organizer
Registry Viewer
RegScanner
Wireshark
TCPView
Netstat
Nbtstat
Tracert
Packet Capture
PE Explorer
Pescan
PEView
Resource Hacker
WinDirStat
DiskSavvy
File System Analysis Tools
MD5sums
md5deep
Hashtab
IDA Pro
VirusTotal
Process Monitor
Process Explorer
nmap
netstat
wireshark
VirusTotal
IDA Pro
Suricata
Real-time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM) and offline pcap processing. It inspects network traffic using a powerful and extensive rule and signature language and has Lua scripting support for detecting complex threats.
Ntopng
Web-based network traffic monitoring application released under GPLv3.
Wireshark
PromqryUI
Detects which network interface cards are running in promiscuous mode; it can accurately determine whether a Windows system has an interface in promiscuous mode.
Nmap
Its sniffer-detect NSE script (nmap --script sniffer-detect <target>) checks whether a target on the local Ethernet segment has its network card in promiscuous mode.
Detecting the Inappropriate Usage Incidents: Firewall and IDS Evasion Detection Tools
Snort
Open-source network intrusion detection system capable of real-time traffic analysis and packet logging on IP networks. It performs protocol analysis and content searching/matching and is used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans and OS fingerprinting attempts, using a flexible rules language.
Detecting the Inappropriate Usage Incidents: Tools for Detecting High Resource Utilization
AIDA64 Extreme
Monitors the sensors within the server in real time and helps analyze the server's performance.
Monitors log files for changes, displays the changes in real time, and can automatically watch for specific keywords, phrases or patterns.
High Orbit Ion Cannon (HOIC)
Network stress-testing tool designed to attack up to 256 target URLs simultaneously. It sends HTTP POST and GET requests at the target from a "lulz"-inspired GUI.
Network stress-testing tool that mostly targets web applications. It floods the server with TCP packets, UDP packets or HTTP requests with the intention of disrupting the service of a particular host.
Metasploit
Nmap
KFSensor
Acts as a honeypot, designed to attract and detect hackers and worms by simulating vulnerable system services and Trojans.
D-Guard Anti-...Firewall
Provides DDoS protection for online enterprises, public and media services, essential infrastructure and internet service providers.
Quickly mitigates an attack of any size without getting in the way of legitimate traffic or increasing latency. It is designed to provide multiple DDoS protection options.
dotDefender
Web application firewall that protects a website from malicious attacks such as SQL injection, path traversal and cross-site scripting, and others that result in website defacement.
SIEM Solutions
AlienVault OSSIM
Feature-rich open-source SIEM with event collection, normalization and correlation. It provides one unified platform with many of the essential security capabilities.
ClamAV
Antivirus engine used in a variety of situations, including email scanning, web scanning and endpoint security.
OSSEC
Centrally collects and examines security logs from systems, network devices and applications. It performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, real-time alerting and active response.
Apility.io
Anti-abuse API that lets incident responders and security personnel check whether a user's IP address, domain or email address is blacklisted.
OpenDNS
Manages the internet experience on and off the network according to acceptable-use or compliance policies, putting the organization in control. It aims to make internet access faster, safer and more reliable.
Proxy Switcher
Allows surfing the internet anonymously without disclosing your IP address.
ApexSQL
Auditing and recovery tool for SQL Server databases. It reads transaction logs, transaction log backups, detached transaction logs and database backups, and audits, reverts or replays data and object changes that have affected the database, including changes that occurred before the product was installed.
Includes workflow automation and case management capabilities, as well as an extendable range of security forensics and remediation actions.
Loggly
Cloud-based. Automatically recognizes common log formats and gives a structured summary of all parsed logs. It provides real-time log monitoring and views of system behavior and unusual activity.
Tripwire
Monitors user and network activity and changes to files, registry entries and so on. This real-time monitoring can help incident responders detect attacks such as the Man-in-the-Cloud attack.
CloudPassage Halo
Software-defined security (SDSec) platform purpose-built to protect private clouds, public IaaS and hybrid/multi-cloud infrastructure.
Wireshark
Lets you set up rules to monitor the network and the number of events and activities associated with user accounts within the organization. These rules give responders the ability to detect malicious events and intervene automatically to protect the network against threats.
Database Analysis
Can give the incident responder valuable insight into what is happening within the server system.
Allows the incident handler to view and retrieve the active transaction log files for a specific database.
ObserveIT
Insider threat management solution that quickly identifies and eliminates insider threats by giving organizations "eyes on the endpoint" and the ability to continuously monitor user behavior.
DataRobot
Automated machine learning platform for detecting insider threats. It combines predictive modeling expertise, data science best practices and experience to deliver accurate, actionable predictions with full transparency and rapid deployment.
Ekran System
Lets incident handlers monitor, detect and analyze user-based insider threats. It is specialized enterprise insider threat detection software that meets the security needs of enterprises of any size.
SIEM
Provides the ability to build custom queries, generate alerts, retrieve data from multiple sources and enhance analytical capability in order to prevent, detect and respond to insider threats.
Scans network traffic to find exfiltration of sensitive data and alerts the administrators.
UBA/UEBA Tools
Collect user activity details from multiple sources and use artificial intelligence and machine learning algorithms to analyze user behavior, so insider threats can be prevented and detected before the fraud is perpetrated.
Record all user activity on the organization's networks, systems and other IT resources.