Monday, March 29, 2004

New Utilities for Investigating Systems

I've come across a few interesting utilities that deserve a look. PyFlag is a Web-based forensic analysis suite written in Python. It's a complete rewrite of the original FLAG tool.

Microsoft released portrptr.exe recently. Port Reporter runs as a service on Windows 2000/XP/2003 systems and logs the sockets in use to the c:\winnt\system32\logfiles\portreporter directory. Here are sample records:

04/3/29,9:38:18,TCP,21,10.10.10.3,24898,192.168.50.2
04/3/29,9:38:25,TCP,1163,10.10.10.3,,0.0.0.0
04/3/29,9:38:25,TCP,1163,10.10.10.3,24899,192.168.50.2
04/3/29,9:38:50,TCP,1166,10.10.10.3,24900,192.168.50.2
04/3/29,9:38:55,TCP,1167,10.10.10.3,24901,192.168.50.2

The first is an FTP control channel. The last three are FTP data channels. I am not sure about the second entry, but its source port is the same as the one used for the first FTP data channel.
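As an added illustration (my own code, not from the post or from Port Reporter), here is a small Python parser for records in the format shown above that labels each entry relative to the FTP control channel. The field order (date, time, protocol, local port, local IP, remote port, remote IP) is inferred from the sample, and treating an entry with an empty remote port and a 0.0.0.0 peer as a socket with no peer yet is an assumption, not something the post settles.

```python
from collections import namedtuple
from datetime import datetime

# Constructed copy of the five records quoted in the post, used as sample input.
SAMPLE_LOG = """\
04/3/29,9:38:18,TCP,21,10.10.10.3,24898,192.168.50.2
04/3/29,9:38:25,TCP,1163,10.10.10.3,,0.0.0.0
04/3/29,9:38:25,TCP,1163,10.10.10.3,24899,192.168.50.2
04/3/29,9:38:50,TCP,1166,10.10.10.3,24900,192.168.50.2
04/3/29,9:38:55,TCP,1167,10.10.10.3,24901,192.168.50.2
"""

Record = namedtuple("Record", "when proto lport lip rport rip")

def parse_records(text):
    """Parse Port Reporter style lines into Record tuples. The field order
    (date, time, protocol, local port, local IP, remote port, remote IP) is
    inferred from the sample; extra fields are ignored, blank or truncated
    lines are skipped, and an empty remote port becomes None."""
    records = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) < 7:
            continue
        date, time, proto, lport, lip, rport, rip = parts[:7]
        when = datetime.strptime(f"{date} {time}", "%y/%m/%d %H:%M:%S")
        records.append(Record(when, proto, int(lport), lip,
                              int(rport) if rport else None, rip))
    return records

def classify(records, control_port=21):
    """Label each record: 'control' for a TCP record on the FTP control port,
    'unconnected' for an empty remote port with a 0.0.0.0 peer (assumption:
    a socket with no peer yet), 'data' for a later TCP record between the
    same two hosts as a control channel, 'other' for anything else."""
    control_seen = {}  # {frozenset({local IP, remote IP}): time of control record}
    labelled = []
    for r in records:
        hosts = frozenset((r.lip, r.rip))
        if r.rport is None and r.rip == "0.0.0.0":
            label = "unconnected"
        elif r.proto == "TCP" and control_port in (r.lport, r.rport):
            control_seen[hosts] = r.when
            label = "control"
        elif r.proto == "TCP" and r.when >= control_seen.get(hosts, datetime.max):
            label = "data"
        else:
            label = "other"
        labelled.append((r, label))
    return labelled
```

Running classify(parse_records(SAMPLE_LOG)) labels the sample as control, unconnected, data, data, data; in a full log, the same pairing of control and later same-host records is what you would check before calling a burst of ephemeral-port connections an FTP transfer.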