
C842 Cyber Defense and Countermeasures EC Council Certified Incident Handler CIH Tools and Commands

PILAR

Risk analysis and Management tool

Pilar

Assess risk against critical assets. Qualitative and quantitative. Generate risk assessment reports

Group Policy Management console

Security policy Tools

Manageengine ... plus

Ticketing system Tools

Alien vault

Ticketing system Tools

Buck-security

Incident analysis and validation Tools

Buck-security

Collection of security checks for Linux. Identify security status.

kiwi syslog

Incident analysis and validation Tools

Splunk light

Incident analysis and validation Tools

kiwi syslog

Message management tool for servers and network devices. Handles syslog messages, SNMP traps, and
event log entries in real time

Splunk light

Collects, monitors, and analyzes logs from servers, applications, and other sources.

Microsoft Baseline Security Analyzer (MBSA)

Tools for detecting missing security patches

Microsoft Baseline Security Analyzer (MBSA)

Determines the security state of a system. Scans for missing patches and misconfigurations.

Magic tree

Report writing tools

Keepnote

Report writing tools

FTK...

Data Imaging Tools

FTK Imager

data preview and imaging tool that enables analysis of files and folders on local hard drives,
CDs/DVDs, network drives, and examination of the content of forensic images or memory dumps

R-Drive...

Data Imaging Tools

R-Drive...

Provides creation of disk image files for backup or duplication purposes. It restores the images on the
original disks, on any other partitions, or even on a hard drive's free space. One can restore the
system after heavy data loss caused by an operating system crash, virus attack, or hardware failure

· EnCase Forensic
· Data Acquisition Toolbox
· RAID Recovery for Windows
· R-Tools R-Studio
· F-Response Imager

Data Imaging Tools

HashCalc

Image Integrity Tools

HashCalc

compute multiple hashes, checksums, and HMACs for files, text, and hex strings.

MD5 Calculator

Image Integrity Tools

MD5 Calculator

calculating the MD5 hash value of the selected file

HashMyFiles

Image Integrity Tools

HashMyFiles

small utility that allows you to calculate the MD5 and SHA1 hashes of one or more files on the system. It
allows copying the MD5/SHA1 hash list to the clipboard or saving it to a text/HTML/XML file

PsUptime (Windows)

· Shows system uptime

Net Statistics (Windows)


· Shows system uptime

Uptime and W (Linux)

· Shows system uptime

Netstat -ab (Windows)

determine all the executable files for running processes

ListDLLs (Windows)

reports the DLLs loaded into processes

Pslist.exe (Windows)

display basic information about the already running processes on a system, including the amount of
time each process has been running (in both kernel and user modes).

Top (Linux)

displays system summary information as well as a list of the processes or threads the Linux kernel is
currently managing

w (Linux)

display the current processes for each shell of each user

ps (Linux)

displays information about the root user's currently running processes

pstree (Linux)

display the processes on a system in the form of a tree

Psloggedon (Windows)

· applet that displays both the locally logged on users and users logged on via resources for either the
local computer, or a remote one. If you specify a user name instead of a computer, it searches the
computers in the network neighborhood and tells you if the user is currently logged on.

net session (Windows)

helps to manage server connections. Used without parameters, it displays information about all
logged-in sessions on the local computer

Logonsessions (Windows)

lists the currently active logged-on sessions and, if you specify the -p option, it can also provide
information about the processes running in each session.

Who (Linux)

· displays the users currently logged on locally.

Who -all/-a (Linux)

displays all currently logged on users, local and remote


Last (Linux)

displays a history of logged on users, local and remote.

Lastlog (Linux)

· displays the last login times for system accounts.

W (Linux)

· displays summaries of system usage, currently logged on users, and logged on user activities.

Passwd (Linux)

contains user account information, including one-way encrypted passwords

Nbtstat

troubleshoot NetBIOS name resolution problems. When a network is functioning normally, NetBIOS
over TCP/IP (NetBT) resolves NetBIOS names to IP addresses

nbtstat -c

· displays the contents of the NetBIOS name cache, which holds NetBIOS name-to-IP address mappings.

nbtstat -n

displays the names that have been registered locally on the system by NetBIOS applications such as
the server and redirector

nbtstat -r

displays the count of all NetBIOS names resolved by broadcast and by querying a WINS server

nbtstat -S

· list the current NetBIOS sessions and their statuses.

Netstat

collecting information about network connections operative in a Windows system.

Netstat -a

Displays all active TCP connections as well as the TCP and UDP ports on which the computer is
listening

Netstat -e

· Displays Ethernet statistics, such as the number of bytes and packets sent and received.

Netstat -n

Displays active TCP connections; however, the addresses and port numbers are expressed
numerically, with no names resolved

Netstat -o

Displays active TCP connections and includes the process ID (PID) for each connection. You can find
the application based on the PID on the Processes tab in Windows Task Manager.

Netstat -r

Displays the contents of the IP routing table. This is equivalent to the route print command

Netstat interval

Redisplays the selected information every interval seconds. Press CTRL+C to stop the redisplay. If
this parameter is omitted, Netstat prints the selected information once

Cyber Triage

incident response software

Cyber Triage

helps incident responders and forensic investigators to determine if a host is compromised through
simplified collection and analysis of endpoint data. It can perform a comprehensive analysis on a
system image, a memory image or over a network on a live system. This enables the incident
response teams to gather data about a system remotely without having to install an agent on the
remote system

Process Explorer

shows the information about the handles and DLLs of the processes, which have been opened or
loaded.

Forensic Explorer

Forensic Analysis Tools

Forensic Explorer

recovers and analyzes hidden and system files, deleted files, file and disk slack and unallocated
clusters

Forensic Toolkit (FTK)

Forensic Analysis Tools

Forensic Toolkit (FTK)

delivers cutting-edge analysis, decryption, and password cracking. It has an intuitive, customizable and
user-friendly interface. It also enables use of a back-end database to handle large data sets

Event Log Explorer

Forensic Analysis Tools

Event Log Explorer

software solution for viewing, monitoring, and analyzing events recorded in security, system,
application, and other logs of Microsoft Windows operating systems. It helps to quickly browse, find,
and report on problems, security warnings, and all other events that are generated within Windows

OSForensics

Forensic Analysis Tools

OSForensics

helps discover relevant forensic data faster with high performance file searches and indexing as well
as restores deleted files. It identifies suspicious files and activity with hash matching, drive signature
comparisons and looks into e-mails, memory and binary data. It also manages digital investigation,
organizes information and creates reports about collected forensic data

Helix3

Forensic Analysis Tools

Helix3

· giving you visibility across your entire infrastructure revealing malicious activities such as internet
abuse, data sharing and harassment. It also allows you to isolate and respond to incidents or threats
quickly and without user detection through a central administration tool. It allows you to quickly
detect, identify, analyze, preserve and report giving you the evidence to reveal the truth and protect
your business.

Autopsy

Forensic Analysis Tools

Autopsy

digital forensics platform and graphical interface to The Sleuth Kit and other digital forensics tools.
This tool helps incident handlers to view the file system, retrieve deleted data, perform timeline
analysis, and examine web artifacts during an incident response

EnCase Forensic

Forensic Analysis Tools

EnCase Forensic

collects a lot of data from many devices and extracts potential evidence. It also generates an evidence
report. It can help incident responders acquire large amounts of evidence as fast as possible, from
laptops and desktop computers to mobile devices

Foremost

Forensic Analysis Tools

Foremost

recover files based on their headers, footers, and internal data structures. This process is commonly
referred to as data carving

TCPView

Live System Analysis: Port Monitoring Tools

TCPView

shows detailed listings of all TCP and UDP endpoints on the system, including the local and remote
addresses, and the state of TCP connections

Process Monitor

Live System Analysis: Process Monitoring Tools


Process Monitor

shows real-time file system, registry, and process/thread activity. It combines the features of two
legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements
including rich and non-destructive filtering, comprehensive event properties such as session IDs and
user names, reliable process information, full thread stacks with integrated symbol support for each
operation, simultaneous logging to a file, and so on

jv16 Power Tools 2017

Live System Analysis: Registry Monitoring Tools

jv16 Power Tools 2017

PC system utility software that works by cleaning out unneeded files and data, cleaning the Windows
registry, automatically fixing system errors, and applying optimization to your system

Windows Service Manager (SrvMan)

Live System Analysis: Windows Services Monitoring Tools

Windows Service Manager (SrvMan)

Create services
Delete services
Start/stop/restart services
Install and start a legacy driver with a single call

Startup Program Monitoring Tool: Autoruns for Windows

Live System Analysis: Startup Programs Monitoring Tools

Startup Program Monitoring Tool: Autoruns for Windows

knows the autostart locations of any startup monitor, displays what programs are configured to run during
system bootup or login, and shows the entries in the order Windows processes them

Loggly

Live System Analysis: Event Logs Monitoring Tools

Loggly

automatically recognizes common log formats and gives a structured summary of all your parsed
logs. It provides real-time log monitoring, system behavior, and unusual activity. It brings logs from
the depths of an organization's infrastructure to track activity and analyze trends

Mirekusoft Install Monitor

Live System Analysis: Installation Monitoring Tools

Mirekusoft Install Monitor

automatically monitors what gets placed on your system and allows you to uninstall it completely. It works
by monitoring what resources, such as files and registry keys, are created when a program is installed

SIGVERIF

Live System Analysis: Files and Folder Monitoring Tools

SIGVERIF

searches for unsigned drivers on a system

DriverView

Live System Analysis: Device Drivers Monitoring Tools

DriverView

displays the list of all device drivers currently loaded on the system

Capsa Network Analyzer

Live System Analysis: Device Drivers Monitoring Tools

Capsa Network Analyzer

portable network analyzer application for both LANs and WLANs, which performs real-time packet
capturing, 24/7 network monitoring, advanced protocol analysis, in-depth packet decoding, and
automatic expert diagnosis

DNSQuerySniffer

Live System Analysis: DNS Monitoring/Resolution Tools

DNSQuerySniffer

shows the DNS queries sent on your system. For every DNS query, the following information is
displayed: Host Name, Port Number, Query ID, Request Type (A, AAAA, NS, MX, and so on), Request
Time, Response Time, Duration, Response Code, Number of records, and the content of the returned
DNS records

API Monitor

Live System Analysis: API Calls Monitoring Tools

API Monitor

allows you to monitor and display Win32 API calls made by applications. It can trace any exported
APIs and display a wide range of information, including function name, call sequence, input and
output parameters, function return value, and more

schtasks

Live System Analysis: Scheduled Task Monitoring Tools

schtasks

display a list of all the scheduled tasks on the system

Wireshark

Live System Analysis: Browser Activity Monitoring Tools

Wireshark

network protocol analyzer. It captures and intelligently browses the traffic passing through a network

HashMyFiles

Malware Detection Techniques: File Fingerprinting Tools

HashMyFiles

produces a hash value of a file using MD5, SHA1, CRC32, SHA-256, SHA-512, and SHA-384 algorithms

VirusTotal

Memory Dump Analysis: Local and Online Malware Scanning Tools

VirusTotal

free service that analyzes suspicious files and URLs and facilitates the detection of viruses, worms,
Trojans, and so on

BinText

Memory Dump Analysis: Performing Strings Search Tools

BinText

· text extractor that can extract text from any kind of file and includes the ability to find plain ASCII
text, Unicode text, and Resource strings, providing useful information for each item.

PEiD

Memory Dump Analysis: Identifying Packing/Obfuscation Tools

PEiD

provides details about Windows executable files. It can identify signatures associated with over 600
different packers and compilers

PE Explorer

Memory Dump Analysis: Finding the Portable Executables (PE) Information Tools

PE Explorer

open, view, and edit a variety of different 32-bit Windows executable file types ranging from the
common, such as EXE, DLL, and ActiveX Controls, to the less familiar types, such as SCR
(Screensavers), CPL (Control Panel Applets), SYS, MSSTYLES, BPL, DPL, and more (including
executable files that run on the MS Windows Mobile platform)

Dependency Walker

Memory Dump Analysis: Identifying File Dependencies Tools

Dependency Walker

lists all the dependent modules of an executable file and builds hierarchical tree diagrams

IDA Pro

Memory Dump Analysis: Malware Disassembly Tools

IDA Pro

multiplatform disassembler and debugger that explores binary programs, for which source code is
not always available, to create maps of their execution

Volatility Framework

Memory Dump Analysis Using Volatility Framework

Volatility Framework

used for collecting various malware artifacts from a system that has no power supply. It helps incident
responders to conduct a deeper analysis to assess the impact, location, and propagation methods of
the malware.

SSDT View

Intrusion Analysis: Detecting Malware by Its Covert Storage/Hiding Techniques

SSDT View

list the most significant aspects of the System Service Descriptor Table (SSDT) including service
indexes, service addresses, service names, and the module name which corresponds to the service
address

RogueKiller

Intrusion Analysis: Detecting Malware by Its Covert Storage/Hiding Techniques

RogueKiller

antimalware that is able to detect and remove generic malware and advanced threats like rootkits,
rogues, and worms. It also detects controversial programs (PUPs) as well as possible bad system
modifications/corruptions (PUMs)

CapLoader

Intrusion Analysis: Detecting Malware by Its Covert Communication Techniques

CapLoader

designed to handle large amounts of captured network traffic. It performs indexing of PCAP/PcapNG
files and visualizes their contents as a list of TCP and UDP flows

PRTG Network Monitor

Intrusion Analysis: Detecting Malware by Its Covert Communication Techniques

PRTG Network Monitor

network monitoring tool effectively used to monitor entire network infrastructure

ClamWin

Antivirus Tools

ClamWin

free, open-source antivirus program for Windows systems. It comes with a super-fast installer and an
easy-to-use interface, which makes it convenient to detect and clean infections from a computer
system. It provides high detection rates for viruses and spyware and a scanning scheduler.

Netcraft

Tools for Detecting Phishing/Spam Mails

Netcraft

provides updated information about the sites users visit regularly and blocks dangerous sites

PhishTank

Tools for Detecting Phishing/Spam Mails

PhishTank

collaborative clearinghouse for data and information about phishing on the internet.

MxToolbox

Tools for Analyzing Email Headers

MxToolbox

make email headers human readable by parsing them according to RFC 822. Email headers are
present on every email you receive via the internet and can provide valuable diagnostic information
like hop delays, antispam results, and so on. Incident handlers can use this tool to analyze email
headers and detect spam emails.

G Suite Toolbox

Tools for Analyzing Email Headers

Email Dossier

Tools for Checking the Email Validity

Email Dossier

· is a part of the CentralOps.net suite of online network utilities. It is a scanning tool that the incident
handler can use to check the validity of an email address. It provides information about email
address, including the mail exchange records. This tool initiates SMTP sessions to check address
acceptance, but it never actually sends email.

eMailTrackerPro

Email Tracking Tools

eMailTrackerPro

· analyzes email headers and reveals information such as sender's geographical location, IP address,
and so on. It allows an attacker to review the traces later by saving past traces.

PoliteMail

Email Tracking Tools

G-Lock Analytics

Email Tracking Tools

EventLog Analyzer

Tools for Email Log Analysis

EventLog Analyzer

provides log management with agent and agentless methods of log collection, custom log parsing,
and complete log analysis with reports and alerts

Recover My Email

Email Recovery Tools

Recover My Email

mail recovery software that can recover deleted email messages from either Microsoft Outlook PST
files or Microsoft Outlook Express DBX files

Gophish

Antiphishing Tools

Gophish

open-source phishing toolkit meant to help incident responders and businesses conduct real-world
phishing simulations

SPAMfighter

Antispamming Tools

SPAMfighter

· automatically removing the spam and phishing emails from your inbox.

Gpg4win

Email Security Tools

Gpg4win

enables users to securely transport emails and files with the help of encryption and digital signatures.

jv16 Power Tools 2017

Registry Analysis Tools

regshot

Registry Analysis Tools

Reg Organizer

Registry Analysis Tools

Registry Viewer

Registry Analysis Tools

RegScanner

Registry Analysis Tools


Nmap

Network Analysis Tools

Wireshark

Network Analysis Tools

TCPView

Network Analysis Tools

Netstat

Network Analysis Tools

Nbtstat

Network Analysis Tools

Tracert

Network Analysis Tools

Packet Capture

Network Analysis Tools

Real-Time NetFlow Analyzer

Network Analysis Tools

ManageEngine NetFlow Analyzer

Network Analysis Tools

PE Explorer

File System Analysis Tools

Pescan

File System Analysis Tools

PEView

File System Analysis Tools

Resource Hacker

File System Analysis Tools

WinDirStat

File System Analysis Tools

DiskSavvy

File System Analysis Tools

MD5sums
File System Analysis Tools

md5deep

File System Analysis Tools

Hashtab

File System Analysis Tools

IDA Pro

Malware Analysis Tools

VirusTotal

Malware Analysis Tools

Process Monitor

Process Analysis Tools

Process Explorer

Process Analysis Tools

nmap

Network Analysis Tools

netstat

Network Analysis Tools

wireshark

Network Analysis Tools

VirusTotal

Malware Analysis Tools

IDA Pro

Malware Analysis Tools

Suricata

Tools for Detection and Validation of Suspicious Network Events

Suricata

real-time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring
(NSM), and offline pcap processing. It inspects network traffic using a powerful and extensive rules
and signature language, and has powerful Lua scripting support for detection of complex threats

Ntopng

Tools for Detection and Validation of Suspicious Network Events

Ntopng

web-based network traffic monitoring application released under GPLv3

Wireshark

Tools for Detection and Validation of Suspicious Network Events

Wireshark

· captures and intelligently browses the traffic passing through a network.

PromqryUI

Promiscuous Detection Tools

PromqryUI

detects which network interface card is running in promiscuous mode. It can determine accurately if
a Windows system has network interfaces in promiscuous mode

Nmap

Promiscuous Detection Tools

Nmap

allows you to check if a target on a local Ethernet has its network card in promiscuous mode

Nmap

nmap --script=sniffer-detect [Target IP Address/Range of IP addresses]

Snort

Detecting the Inappropriate Usage Incidents: Firewall and IDS Evasion Detection Tools

Snort

open source network intrusion detection system, capable of performing real-time traffic analysis and
packet logging on IP networks. It can perform protocol analysis and content searching/matching, and
is used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, and OS
fingerprinting attempts. It has a flexible rules language

AIDA64 Extreme

Detecting the Inappropriate Usage Incidents: Tools for Detecting High Resource Utilization

AIDA64 Extreme

monitors the sensors within the server in real-time and helps in analyzing the performance of the
server

Kiwi Log Viewer

Detecting the Inappropriate Usage Incidents: Accessing Malware in the Network

Kiwi Log Viewer

monitor log files for changes. It can display changes in real-time and lets you automatically monitor
for specific keywords, phrases, or patterns

High Orbit Ion Cannon (HOIC)

DoS/DDos Attack Tools

High Orbit Ion Cannon (HOIC)

network stress testing tool, designed to attack up to 256 target URLs simultaneously. It sends HTTP POST
and GET requests to a target computer and uses lulz-inspired GUIs

Low Orbit Ion Cannon (LOIC)

DoS/DDos Attack Tools

Low Orbit Ion Cannon (LOIC)

network stress testing tool that mostly targets web applications. It floods the server with TCP packets,
UDP packets, or HTTP requests with the intention of disrupting the service of a particular host

Metasploit

DoS/DDos Attack Tools

Nmap

DoS/DDos Attack Tools

KFSensor

Tools for Detecting DoS/DDoS Incidents

KFSensor

acts as a honeypot, designed to attract and detect hackers and worms by simulating vulnerable
system services and Trojans

Anti ... Guardian

DoS/DDoS Protection Tools

D-Guard Anti-...Firewall

DoS/DDoS Protection Tools

D-Guard Anti-...Firewall

provides DDoS protection for online enterprises, public and media services, essential infrastructure,
and internet service providers

Incapsula ... Protection

DoS/DDoS Protection Tools

Incapsula ... Protection

quickly mitigates any size attack without getting in the way of legitimate traffic or increasing latency.
It is designed to provide multiple DDoS protection options

dotDefender

Web Application Firewalls
dotDefender

Web Application Firewall that protects your website from malicious attacks such as SQL injection,
path traversal, cross-site scripting, and others that result in web site defacement

AlienVault OSSIM

SIEM Solutions

AlienVault OSSIM

feature-rich open source SIEM complete with event collection, normalization, and correlation. It
provides one unified platform with many of the essential security capabilities

ClamAV

Web Server Anti-Virus Tools

ClamAV

anti-virus engine used in a variety of situations including email scanning, web scanning, and endpoint
security

OSSEC

Log Analysis Tools

OSSEC

centrally collect and examine security logs from systems, network devices, and applications. It
performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, real-time
alerting, and active response

Apache Logs Viewer (ALV)

Log Analysis Tools

Apache Logs Viewer (ALV)

monitor, view, and analyze Apache/IIS/nginx logs with more ease

Apility.io

Containment Tools - Whitelisting/Blacklisting Tools

Apility.io

anti-abuse API that helps incident responders or security personnel to know if the IP address,
domain, or email of a user is blacklisted

OpenDNS

Web Content Filtering Tools

OpenDNS

manage the internet experience on and off your network with the acceptable use or compliance
policies, putting you in control. It aims at making your internet faster, safer, and more reliable

Proxy Switcher

Web Proxy Tools

Proxy Switcher

allows you to surf the internet anonymously without disclosing your IP address

ApexSQL

Tools to Recover from Web Application Incidents

ApexSQL

auditing and recovery tool for SQL Server databases which reads transaction logs, transaction log
backups, detached transaction logs and database backups, and audits, reverts or replays data and
object changes that have affected the database, including the ones that have occurred before the
product was installed

CrowdStrike Falcon Orchestrator

Tools to Recover from Web Application Incidents

CrowdStrike Falcon Orchestrator

includes powerful workflow automation and case management capabilities, as well as extendable
wide range of security forensics and remediation actions

Loggly

Cloud-based Log Analysis Tools

Loggly

Cloud based. automatically recognizes common log formats and gives a structured summary of all
your parsed logs. It provides real-time log monitoring, system behavior, and unusual activity

Tripwire

MITC Attack Detection Tools

Tripwire

used in the monitoring of user and network activities, change in files, registry entries, and so on. This
real time monitoring of the network can assist incident responders in the detection of attacks such as
Man-in-the-Cloud attack

CloudPassage Halo

Cloud Security Tools

CloudPassage Halo

software-defined security (SDSec) platform purpose-built to protect private clouds, public IaaS,
and hybrid/multi-cloud infrastructure

Wireshark

Tools for Detecting Malicious Telnet and FTP Connections

Nuix Adaptive Security

Tools for Detecting Data Exfiltration

Nuix Adaptive Security

sets up certain rules to monitor the network and the number of events and activities associated with
user accounts within the organization. These rules give responders the ability to detect malicious
events and to intervene automatically in order to protect the network against threats

Database Consistency Checker (DBCC)

Database Analysis

Database Consistency Checker (DBCC)

may give the incident responder valuable insight into what is happening within the server system. It
allows the incident handler to view and retrieve the active transaction log files for a specific database

ObserveIT

Insider Threat Detection Tools

ObserveIT

quickly identify and eliminate insider threats. insider threat management solution that provides
organizations with "eyes on the endpoint" and the ability to continuously monitor user behavior

DataRobot

Insider Threat Detection Tools

DataRobot

automated machine learning platform for detecting insider threats that combines predictive
modeling expertise, best practices of data science, and experience to deliver accurate, actionable
predictions with full transparency and rapid deployment

Ekran System

Insider Threat Detection Tools

Ekran System

allows incident handlers to monitor, detect, and analyze user-based insider threats. It is a specialized
enterprise insider threat detection software that meets the security needs of enterprises of any size

SIEM

Insider Threat Prevention Tools

SIEM

provide the ability to build custom queries, generate alerts, retrieve data from multiple data sources,
and enhance the potential analytical capability to prevent, detect, and respond to various insider
threats

Data Loss Prevention (DLP) Tools

scan the network traffic to find exfiltration of sensitive data and alert the administrators

UBA/UEBA Tools

collect user activity details from multiple sources and use artificial intelligence and machine learning
algorithms to perform user behavior analysis to prevent and detect insider threats before the fraud is
perpetrated

Activity Monitoring Tools

record all the user activity on the organizational networks, systems, and other IT resources
