Tools

The SOC does not endorse any particular product. Responsibility for the consequences of using these products, and for the manner in which they are used, rests solely with the agency deploying them. Any product used must comply with the vendor's licensing and/or purchasing agreements. Please review the individual licensing agreements to make sure they meet your agency's needs.

Preparation

Microsoft’s Enhanced Mitigation Experience Toolkit (EMET)

EMET is a utility that helps prevent vulnerabilities in software from being successfully exploited. EMET achieves this by applying security mitigation technologies (for example DEP, ASLR, SEHOP and ROP checks) to selected processes. These mitigations act as protections and obstacles that an exploit author must defeat to exploit a software vulnerability. They do not guarantee that vulnerabilities cannot be exploited, but they make exploitation as difficult as possible. Note that Microsoft retired EMET in July 2018; on Windows 10 and later the same mitigations are built in as Exploit Protection (part of Windows Defender Exploit Guard), which should be configured instead of EMET on current systems.

Various Antivirus Utilities

Detection & Analysis

Wireshark

Wireshark is a network protocol analyzer and packet capture utility. Wireshark has a rich feature set which includes the following:

  • Deep inspection of hundreds of protocols
  • Live capture and offline analysis
  • Coloring rules can be applied to the packet list for quick, intuitive analysis
  • Output can be exported to XML, PostScript®, CSV, or plain text

FTK Imager

FTK Imager is forensic imaging software for acquiring hard drives and capturing live memory. Installed and portable versions are available. FTK Imager can export an image in several formats, including raw (dd), EnCase (E01), or SMART, and records MD5/SHA1 verification hashes for the acquired image so the copy can be validated against the source.

Microsoft Sysinternals

Sysinternals utilities are made to help you manage, troubleshoot and diagnose your Windows systems and applications. These tools are broken down into several categories:

  • File and Disk utilities
  • Networking Utilities
  • Process Utilities
  • Security Utilities
  • System Information Utilities
  • Miscellaneous Utilities

The most popular Sysinternals utilities include Process Explorer, Autoruns, Process Monitor, PsTools, PageDefrag, RootkitRevealer, and TCPView. (PageDefrag and RootkitRevealer have since been retired by Microsoft and are no longer distributed with the suite.)

Microsoft Log Parser

Microsoft's Log Parser is a powerful, versatile tool that provides universal SQL-style query access to text-based data such as log files, XML files and CSV files, as well as key data sources on the Windows® operating system such as the Event Log, the Registry, the file system, and Active Directory®.
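As an added example (not from the original page or from Microsoft's documentation), the following PowerShell session shows the kind of Event Log query Log Parser enables: it summarizes failed logons (Event ID 4625) by target account and source address, which is a common first triage step during detection and analysis. It assumes Log Parser 2.2 is installed with LogParser.exe on the PATH, that the shell is elevated (reading the Security log requires administrator rights), and that the 4625 replacement-string layout places TargetUserName at index 5 and IpAddress at index 19; that index layout is an assumption about the event schema and should be confirmed against a single record before relying on the output.

```powershell
# Added example: summarize failed logons with Log Parser's EVT input format.
# Assumptions: LogParser.exe is on PATH, the session is elevated, and the
# 4625 Strings layout (TargetUserName at index 5, IpAddress at index 19)
# matches this system. Verify the indexes on one record first.
$query = @"
SELECT
    EXTRACT_TOKEN(Strings, 5, '|')  AS TargetUser,
    EXTRACT_TOKEN(Strings, 19, '|') AS SourceIP,
    COUNT(*)                        AS Failures,
    MIN(TimeGenerated)              AS FirstSeen,
    MAX(TimeGenerated)              AS LastSeen
INTO failed_logons.csv
FROM Security
WHERE EventID = 4625
GROUP BY TargetUser, SourceIP
HAVING COUNT(*) >= 10
ORDER BY Failures DESC
"@

# -i:EVT reads the live Windows event log; -o:CSV writes to the INTO target.
# -stats:OFF suppresses the trailing statistics block so the CSV stays clean.
LogParser.exe -i:EVT -o:CSV -stats:OFF $query

# Review the top results in the same session.
Import-Csv .\failed_logons.csv | Select-Object -First 10 | Format-Table -AutoSize
```

The same query runs unchanged against a saved copy of the log by replacing `FROM Security` with the path to an exported .evt/.evtx file, which is the usual approach when analyzing logs collected from another host. The HAVING threshold of 10 is a starting point for spotting password spraying or brute-force attempts and should be tuned to the environment's normal failure rate.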

Post-Incident Activity

Computer Aided INvestigative Environment (CAINE)

CAINE is a live Linux distribution which includes several tools to assist the digital investigator. The main design objectives that CAINE aims to guarantee are the following:

  • An interoperable environment that supports the digital investigator during the four phases of the digital investigation
  • A user friendly graphical interface
  • User friendly tools

CAINE has partnered with several groups that provide Microsoft Windows based tool collections. See the “Windows Side” portion of their website for further details.

Containment, Eradication, & Recovery

Darik's Boot and Nuke (DBAN)

DBAN is a self-contained boot disk that automatically overwrites the contents of any hard disk it can detect. This can be used to remove viruses and spyware by completely erasing all data on the disk before rebuilding the system. It does not provide users with proof of erasure, such as an audit-ready erasure report, and because it works by overwriting logical sectors it does not reliably sanitize SSDs, whose wear-leveling and over-provisioned areas are not reachable that way; for SSDs use the drive's built-in secure erase instead.

Windows Assessment and Deployment Kit

Windows ADK is a collection of tools that you can use to customize, assess, and deploy Windows operating systems. This tool allows you to customize and automate the large-scale installation of Windows.