Monday, March 29, 2004

New Utilities for Investigating Systems

I've come across a few interesting utilities that deserve a look. PyFlag is a Web-based forensic analysis suite written in Python. It's a complete rewrite of the original FLAG tool.

Microsoft released portrptr.exe recently. Port Reporter runs as a service on Windows 2000/XP/2003 systems, logging sockets used to the c:\winnt\system32\logfiles\portreporter directory. Here are sample records:


The first is an FTP control channel. The last three are FTP data channels. I am not sure about the second entry but the source port is the same as that used for the first FTP data channel.