RESOURCES
All of the following resources are available free of charge to the general public unless noted otherwise.
Tools - Forensics & Analysis
The Sleuth Kit: One of the better-known open source forensics tools, The Sleuth Kit is a collection of UNIX-based command line file and volume system forensic analysis tools. You may want to use it with Autopsy, which is its GUI front-end. Those interested in these products should consult The Sleuth Kit Informer newsletter. We discuss Sleuth Kit commands for computer forensics here.
Foremost: A Linux data-carving tool used in computer forensics. We provide some basic data carving instructions within our paper "Examination of overwritten files with The Sleuth Kit" here.
dcfldd: A computer forensics oriented version of dd developed by the U.S. Department of Defense Computer Forensics Lab. Enhancements over regular dd include progress output, built-in hashing of transmitted data, and simultaneous output to multiple files or disks. For those curious we show how you can use dd as a hex editor here.
SystemRescueCd: Linux-based bootable CD image for mounting and recovering data from a disk, including support for ext2/ext3/ext4, reiserfs, reiser4, btrfs, xfs, jfs, vfat, ntfs, iso9660 filesystems, and Windows registry editing.
The Volatility Framework: An open collection of tools for the extraction of digital artifacts from RAM.
Memoryze: Memory forensic software for Windows that can be used on live system memory or memory image files. Memory DD is another Windows tool for capturing memory images.
md5deep: A collection of programs used to compute MD5, SHA-1, SHA-256, Tiger, and Whirlpool message digests, with the ability to work recursively into directories and compare the results to a list of known hashes. Useful for computer forensics.
ssdeep: A program to compute Context Triggered Piecewise Hashes that can be used to identify files that are almost identical to one another.
National Software Reference Library Reference Data Set: Used alongside forensic tools, this is a collection of hashed signatures of known software applications. This is used to filter out "known" files (such as all the standard files that are part of MS Windows or Microsoft Office) when conducting an investigation, so that you can concentrate on what is hopefully the "user-made" content.
Microsoft Attack Surface Analyzer: Catalogues the changes made to the operating system attack surface by the installation of new software. Helps evaluate the risk/impact of installing a particular piece of software. Supports Windows Vista, 2008, and 7 only.
Regshot: Utility used to take snapshots and compare changes made to a Windows registry.
Wireshark: Arguably the best network protocol analyzer. Formerly known as Ethereal.
NetworkMiner: Network forensics analysis tool that can also re-assemble files by sniffing packets or reading pcap files.
Tools - Malware & Detection of Malicious Activity
chkrootkit: A rootkit detector for Unix-based systems. Another popular alternative is Rootkit Hunter.
McAfee FileInsight: Tool to analyze web sites and files for malicious code. Windows only.
Avast Free: Arguably the best free antivirus suite when compared to similar free antivirus products from AVG, Avira, and Microsoft.
Microsoft Safety Scanner: Free on-demand scanner from Microsoft to help find and remove malware on an infected Windows computer. It expires 10 days after being downloaded, at which point you'll need to download the latest version again.
Norton Power Eraser: Aggressive detection for difficult-to-remove scareware infections.
BotHunter: A network traffic monitoring system that can locate bot (botnet) activity. More suitable for corporate settings than personal home use.
Honeyd: Open source honeypot that can simulate multiple virtual hosts on a single computer with the goal of fooling attackers into attempting to compromise the virtual machines, either for research or defensive purposes.
Dionaea: A "low interaction honeypot" that is used for collecting malware.
psad: A collection of three lightweight system daemons that run on Linux machines and analyze iptables log messages to detect probes for various backdoor programs, DDoS tools, and advanced port scans.
EtherApe: A network monitoring program in a graphical interface. Simply letting it run in the background may reveal network activity originating from your computer that you were unaware of. Currently available for Linux only.
AIDE: An intrusion detection system meant to replace Tripwire. It can store various file attributes including: permissions, inode number, user, group, file size, mtime and ctime, atime, growing size, number of links and link name, and also creates a cryptographic checksum or hash of each file using one or a combination of its many supported message digest algorithms. Be sure to check out OSSEC (Open Source Host-based Intrusion Detection System) as well.
Tools - System Hardening
Microsoft Enhanced Mitigation Experience Toolkit: EMET is a free toolkit by Microsoft designed to make your Windows systems more resilient to exploits. It allows for enabling security measures such as Data Execution Prevention (DEP), Structured Exception Handler Overwrite Protection (SEHOP), Heap Spray & Null Page Allocation, Export Address Table Access Filtering, Address Space Layout Randomization (ASLR), and Bottom-up Randomization. We provide instructions for protecting your Windows PC through Microsoft EMET here.
Microsoft Office File Validation: Already built into MS Office 2010; you can download this add-on for Office 2003 and 2007 to help detect exploits that are delivered through maliciously crafted MS Office files.
RHEL6 Security-Enhanced Linux: Rather than provide a link to a new tool, this is a link to a user guide for properly managing SELinux which comes bundled with various Linux distributions including Red Hat.
Tools - Vulnerability Assessment & Penetration Testing
Nessus: Excellent, comprehensive vulnerability scanner. Although there is a free version, the commercial version offers updates for the latest security vulnerabilities. However, this program ultimately needs to be registered in order to get the most benefits. OpenVAS is its free counterpart.
Microsoft Web Application Configuration Analyzer: This tool, which was updated in May 2011, is used to analyze Microsoft server configurations and compare them to security best practices for Windows, IIS, ASP.NET and SQL Server.
w3af: Web Application Attack and Audit Framework (w3af). A web application scanner that can discover and exploit web application vulnerabilities.
ratproxy: Google's passive web application security audit tool, used to detect problems such as cross-site scripting, information leakage, caching issues, and other security flaws.
Burp Proxy: An intercepting proxy used for testing web application vulnerabilities by manipulating transmitted parameters.
Nmap: Network security scanner that provides network exploration and security auditing. Unicornscan is also a similar port scanner used for its speed.
Hping: Often considered a complementary tool to Nmap, hping is used for network scanning, as well as crafting TCP/IP packets. We provide some hping usage examples here.
cURL: A command-line scriptable web browser, supporting FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS and FILE. Also provides upload capabilities (HTTP PUT, POST), authentication, and cookie handling. Click here to see the differences between cURL and Wget (also an excellent tool). We discuss how cURL helps overcome certain limitations of spoofing user-agent strings to download malware here, and provide Wget usage examples here.
Master Reconnaissance Tool: Online script that shows just how much information your browser may be leaking: browser plugins (and version) that can be exploited for existing vulnerabilities, your public and NAT'd (if applicable) IP address, previous pages you visited (not just the referrer), whether you have a web server running locally, etc.
Firefox Plugin Check: A quick way to verify whether your Firefox web browser has any vulnerable versions of plugins enabled.
Microsoft Threat Analysis & Modeling Tool: Modeling tool used in application development to assess possible vulnerable points within your application and the appropriate controls to mitigate the risk.
Tools - Encryption & Confidentiality / Privacy
TrueCrypt: Excellent open-source disk encryption software for Windows and Linux. Easy to use, and offers ridiculously powerful encryption algorithms.
KeePass Password Safe: An open-source AES encrypted password manager for storing passwords.
CryptCat: A Twofish encryption enabled version of Netcat, also known as the "Swiss army knife" for network administrators. CryptCat uses all of the same command-line switches as Netcat. Can be used as a "Poor man's FTP". Also examine Socat for another netcat implementation that supports various other data channels. Netcat usage examples are shown here.
Stunnel: Creates an SSL tunnel to secure non-encrypted TCP protocols and applications.
Passware Kit Enterprise: This is actually a non-free commercial product but is included here as the password recovery page serves as a quick acid test for gauging the strength of password protection and encryption schemes for various file types. The words "Brute-force Recovery - Slow" within the recovery option column imply strong encryption for that file type.
Tor: Tor provides anonymous Internet usage. Note however that like for any web anonymizer service, people using it from a workplace environment should ask their organizations what is their usage policy towards this type of tool. Furthermore, Tor exit nodes can eavesdrop on the communications given that the last node through which traffic passes in the network has to decrypt the communication before delivering it to its final destination, so it should NOT be used for transferring any confidential information unless you use end-to-end encryption such as SSL.
DBAN: Darik's Boot And Nuke CD. A live CD for wiping data on hard drives.
Tools - Browser Plugins
Adblock Plus: Block web advertisements including the phenomenon known as "malvertising."
Ghostery: Detect and disable third party web bugs and trackers that are used to track you online.
HTTPS-Everywhere: Force web sites that support HTTPS to not revert back to HTTP.
Refcontrol: Control what gets sent as the HTTP referer when you click on a link.
Tools - Educational
Damn Vulnerable Linux: A Linux distribution designed to be as insecure as possible. It has a strong focus on buffer overflow attacks.
OWASP WebGoat Project: A deliberately insecure web application designed to teach security issues by allowing users to exploit vulnerabilities in the web application.
Tools - Other
SmoothWall Express: An easy to use Linux-based open source network firewall that also includes a web proxy, intrusion detection system, e-mail antivirus, and bandwidth management. If looking for a Linux-based firewall, you may also wish to examine IPCop which was a code fork of SmoothWall.
PacketFence: An open source Network Access Control (NAC) solution for enterprise and academic environments. Commercial support is also available.
Maltego: A data mining tool that helps identify relationships between different objects within a very easy-to-use GUI. The Community Edition is free although it has limitations imposed.
OSSIM: Open Source Security Information Management - a security information and event management system used to provide a security overview of a system environment.
VirtualBox: A GPL-licensed virtualization system that is currently developed by Oracle and is comparable to products by VMware. Supports Windows, Linux, Macintosh, and Solaris hosts. Excellent for security research purposes.
VMware Player: Allows you to run virtual machines on your computer. You'll want to download Virtual Appliances for it over here.
Courses & Training
Ethical Hacking and Network Defense (CNIT 123): This course is taught at the City College of San Francisco by Sam Bowne. He has also put the course online for anybody to download. An excellent introduction to the basics of ethical hacking, network, and computer security.
Advanced Ethical Hacking (CNIT 124): Same as above but this is the advanced class (CNIT 123 is the prerequisite).
Metasploit Unleashed - Mastering the Framework: Offensive Security's online course for using the Metasploit Framework.
Google Code University - Web Security: Course material related to designing secure web applications.
Cryptography: Course on cryptography taught by Dan Boneh of the applied cryptography group at the Computer Science department at Stanford University.
Introduction to Incident Command System (IS-100): Geared for the Business Continuity Planning and Disaster Recovery people, this course by FEMA is designed to provide incident management skills. Describes the history, features and principles, and organizational structure of the Incident Command System.
Reference
2011 CWE/SANS Top 25 Most Dangerous Programming Errors: CWE/SANS. The top 25 most common errors made by programmers and developers that have security implications. Includes prevention and mitigation strategies.
20 Critical Security Controls: Consensus Audit Guide. The most important baseline security controls for due care of cybersecurity.
List of TCP and UDP port numbers: Comprehensive list provided by the Internet Assigned Numbers Authority. Useful to reference when detecting unexpected network activity. Updated frequently.
Protocol Numbers: List of protocol numbers.
TCP/IP and tcpdump Pocket Reference Guide: SANS Institute. Great reference guide for TCP / UDP / ICMP headers, as well as tcpdump switches. There is also an IPv6 TCP/IP and tcpdump pocket reference guide. We provide further examples for using tcpdump here.
List of USB IDs: List of USB IDs by vendor and product.
Books
TCP/IP Tutorial and Technical Overview: IBM. Extensive, up-to-date guide and reference book on the TCP/IP protocol. IBM also offers a hardcopy version of the book for about $100 (USD), so it is a good bargain to be able to get the PDF version for free. 1004 pages.
Cisco SAFE Reference Guide: Cisco Systems. Design and implementation guidelines for building secure and reliable networks. 342 pages.
The Second Internet: InfoWeapons. A book about IPv6. 314 pages.
Handbook of Applied Cryptography: CRC Press. Intended as a reference for novice and professional cryptographers. 816 pages.
Documents
Investigations Involving the Internet and Computer Network: US Department of Justice. Guide which discusses the investigative process for Internet related crimes, starting from the first responder, to the laboratory, to the courtroom. 137 pages.
An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants: Jason Franklin, Carnegie Mellon University. Paper which studies the underground economy that specializes in the commoditization of activities such as credit card fraud, identity theft, etc. Provides insight into how these transactions take place, and proposes a method of offensive attacks on the reputation of buyers and sellers in order to disrupt these underground activities. 14 pages.
Studying Malicious Websites and the Underground Economy on the Chinese Web: Peking University & University of Mannheim. A detailed overview of the underground black market in China as well as the interaction between the different actors within this underground economy. 18 pages.
Characterizing the IRC-based Botnet Phenomenon: Peking University & University of Mannheim. A 12 month study of 3,290 unique IRC-based botnets (with uniqueness defined as a unique combination of DNS name, port number and channel name). The paper examines botnet lifetime, botnet discovery trends and distributions, command and control channel distributions, botnet size, commands issued by botherders, and location of victims. 16 pages.
An Analysis of Conficker C: SRI International. Excellent analysis of the behavior and mechanisms of the Conficker C malware. 17 pages.
W32.Stuxnet Dossier: Symantec. Symantec's lengthy analysis of the Stuxnet threat, which at the time of its discovery was widely touted as the most sophisticated malware to date. 69 pages.
Tracking GhostNet: Information Warfare Monitor. A paper that hints at the possibility of Chinese government involvement in a botnet used for cyber espionage. 53 pages.
Shadows in the Cloud: Information Warfare Monitor & Shadowserver Foundation. A continuation of Tracking GhostNet, this report uncovers a system of espionage that compromised and exfiltrated sensitive data from government, business, and academic targets, often by using free online services such as Yahoo Mail, Twitter, Google Groups, Blogspot, etc. as command and control channels. 58 pages.
Capability of the People's Republic of China to Conduct Cyber Warfare and Computer Network Exploitation: Northrop Grumman. Self-explanatory title. 88 pages.
The Command Structure of the Aurora Botnet: Damballa. Analysis of the Aurora botnet operators behind the high-profile attack against Google in 2009. 31 pages.
An Analysis of the iKee.B (Duh) iPhone Botnet: SRI International. Analysis of the iKee.B botnet which targeted jailbroken iPhones. iKee.B was based on the nearly identical iKee.A worm, but included command and control logic to place infected iPhones under the control of a bot master. 9 pages.
Analyzing the SS8 Interceptor Application for the BlackBerry Handheld: Chirashi Security. An analysis of the spyware software that was rolled out as an update to BlackBerry subscribers of the UAE telecommunications operator, Etisalat. 4 pages.
The Anatomy of Clickbot.A: Google. Analyzes the anatomy and architecture of the "Clickbot.A" botnet that was used to perform click fraud. 11 pages.
A Picture's Worth - Digital Image Analysis and Forensics: Dr. Neal Krawetz. Describes common and uncommon forensic methods used to distinguish real images from computer generated ones, and to identify pictures that have been digitally manipulated. 31 pages.
Thwarting Virtual Machine Detection: Tom Liston, Ed Skoudis. Discusses methods used by malware to detect whether they are running inside a virtual machine, and how to make this detection more difficult. 27 pages.
The TCP Split Handshake: Practical Effects on Modern Network Equipment: Macrothink Institute. An examination of the behaviour of systems in which a TCP connection is established via a method that blends the "traditional" three-way handshake and simultaneous-open methods. 21 pages.
Side-Channel Leaks in Web Applications: Indiana University. Researchers reveal how an attacker can determine the input/output being submitted/retrieved through an encrypted web application simply by examining the packet sizes and flow. 16 pages.
Peter Gutmann's Godzilla Crypto Tutorial: University of Auckland. Covers a large list of subjects related to encryption. 900+ slides saved in PDF format.
Harmonized TRA: Royal Canadian Mounted Police. The Harmonized Threat and Risk Assessment Methodology is a set of instructions for conducting security assessments. 290 pages.
Radio Spectrum Allocations: Industry Canada. Excellent chart showing radio frequency allocations between 9 Hz and 275 GHz.