No subject
Sat Oct 14 20:46:50 EDT 2006
Paul,

I work on and contribute to the ftimes project
which does very well to collect all file system
information. It can also search for a unique
pattern (pcre) across a file system, which I've
used to identify trojan files. It can be found
here:

http://ftimes.sourceforge.net/FTimes/index.shtml

If you're trying to do incident response, I would
recommend webjob. I presented it at the gnhlug
last week ... not sure if you were there, but
webjob was designed to perform incident response
on a large number of systems. I've used it quite
effectively to harvest information from a bunch of
windows machines. WebJob has many advantages
including aggregating the data at a central
server. It can be found here:

http://webjob.sourceforge.net/WebJob/index.shtml

If you're looking for a quick list of forensic
tools, this is a good spot:

http://www.opensourceforensics.org/

computer forensics course, I'd be glad to talk
more about forensics if you would like.

Andy

-----Original Message-----
From: gnhlug-discuss-admin at mail.gnhlug.org on behalf of Paul Lussier
Sent: Thu 2/23/2006 2:30 PM
To: gnhlug-discuss at mail.gnhlug.org
Subject: forensic evidence collection tools?

Hi all,
I'm trying to debug a problem on a set of systems. Is there something
I run, say from a usb key or a Knoppix CD which will collect "all
interesting information" and deposit it somewhere else?
-- 
Seeya,
Paul
_______________________________________________
gnhlug-discuss mailing list
gnhlug-discuss at mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss
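The kind of collection Paul asks for and the file system "map" plus pattern "dig" that Andy attributes to ftimes, as an added shell example that is not from the thread or from the ftimes or webjob projects: it records metadata and a hash for every file, searches file contents for a regex, and writes only to a separate evidence directory (say, a mounted USB key). It assumes GNU coreutils and GNU grep; the function names map_fs, dig_fs and verify_map are the example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from the ftimes/webjob projects.
# It approximates what the reply describes ftimes doing: "map" a file system
# (metadata plus a hash per file) and "dig" for a pattern, writing everything
# to a separate evidence directory such as a mounted USB key, so nothing is
# written to the disk being examined. Assumes GNU coreutils (stat -c,
# sha256sum) and GNU grep; file names containing newlines are not handled.

# map_fs SRC OUT: one TSV row per regular file under SRC with path, size,
# mtime (epoch), uid, gid, octal mode and sha256. Prints the number of files.
map_fs() {
    src=$1; out=$2
    mkdir -p "$out"
    printf 'path\tsize\tmtime\tuid\tgid\tmode\tsha256\n' > "$out/map.tsv"
    find "$src" -type f -print | LC_ALL=C sort | while IFS= read -r f; do
        meta=$(stat -c '%s %Y %u %g %a' "$f" | tr ' ' '\t')
        sum=$(sha256sum -- "$f" | cut -d' ' -f1)
        printf '%s\t%s\t%s\n' "$f" "$meta" "$sum"
    done >> "$out/map.tsv"
    # hash the map itself so the collector can later show it was not altered
    (cd "$out" && sha256sum map.tsv > map.tsv.sha256)
    echo $(( $(wc -l < "$out/map.tsv") - 1 ))
}

# dig_fs SRC PATTERN OUT: list files whose contents match an extended regex
# (ftimes uses pcre; grep -E is the portable stand-in). Prints the match count.
dig_fs() {
    src=$1; pat=$2; out=$3
    mkdir -p "$out"
    # -r recurse, -l names only, -a scan binaries as text, -E extended regex;
    # grep exits 1 when nothing matches, which is not an error here
    grep -rlaE -- "$pat" "$src" 2>/dev/null | LC_ALL=C sort > "$out/dig.txt"
    wc -l < "$out/dig.txt" | tr -d ' '
}

# verify_map OUT: re-check the map's own hash (exit status 0 when intact)
verify_map() {
    (cd "$1" && sha256sum -c --status map.tsv.sha256)
}

# Usage: sh collect.sh /mnt/suspect /mnt/usb/evidence ['pattern']
if [ $# -ge 2 ]; then
    echo "mapped $(map_fs "$1" "$2") files into $2"
    if [ $# -ge 3 ]; then echo "pattern hits: $(dig_fs "$1" "$3" "$2")"; fi
    verify_map "$2" && echo "map hash verified"
fi
```

Run it from a live CD with the suspect disk mounted read-only as the first argument and the USB key as the second; a later map of the same tree can be diffed against map.tsv to find files that changed.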