New Utilities for Investigating Systems

I've come across a few interesting utilities that deserve a look. PyFlag is a Web-based forensic analysis suite written in Python. It's a complete rewrite of the original FLAG tool.

Microsoft recently released portrptr.exe. Port Reporter runs as a service on Windows 2000/XP/2003 systems and logs the sockets in use to the c:\winnt\system32\logfiles\portreporter directory. Here are sample records:

04/3/29,9:38:18,TCP,21,10.10.10.3,24898,192.168.50.2
04/3/29,9:38:25,TCP,1163,10.10.10.3,,0.0.0.0
04/3/29,9:38:25,TCP,1163,10.10.10.3,24899,192.168.50.2
04/3/29,9:38:50,TCP,1166,10.10.10.3,24900,192.168.50.2
04/3/29,9:38:55,TCP,1167,10.10.10.3,24901,192.168.50.2

The first is an FTP control channel. The last three are FTP data channels. I am not sure about the second entry, but the source port is the same as that used for the first FTP data channel.
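To make records like these easier to review in bulk, here is a small parser and correlator written as an added example for this post; it is not part of Port Reporter and not code from the original entry. It assumes the comma-separated field order visible in the sample (date, time, protocol, local port, local IP, remote port, remote IP) and treats a record with an empty remote port as having no peer recorded. The sample log is constructed from the five records above.

```python
import csv
from dataclasses import dataclass
from io import StringIO
from typing import Dict, List, Optional

# Constructed sample input: the five records shown in the post.
SAMPLE_LOG = """\
04/3/29,9:38:18,TCP,21,10.10.10.3,24898,192.168.50.2
04/3/29,9:38:25,TCP,1163,10.10.10.3,,0.0.0.0
04/3/29,9:38:25,TCP,1163,10.10.10.3,24899,192.168.50.2
04/3/29,9:38:50,TCP,1166,10.10.10.3,24900,192.168.50.2
04/3/29,9:38:55,TCP,1167,10.10.10.3,24901,192.168.50.2
"""

# Assumed field layout, inferred from the sample rather than from a spec.
@dataclass
class PortRecord:
    date: str
    time: str
    proto: str
    local_port: int
    local_ip: str
    remote_port: Optional[int]   # None when the field is empty
    remote_ip: str


def parse_records(text: str) -> List[PortRecord]:
    """Parse Port Reporter style CSV lines; skips blank and short rows."""
    records = []
    for row in csv.reader(StringIO(text)):
        if len(row) < 7:
            continue
        date, time, proto, lport, lip, rport, rip = (f.strip() for f in row[:7])
        records.append(PortRecord(
            date, time, proto.upper(), int(lport), lip,
            int(rport) if rport else None, rip,
        ))
    return records


# Hypothetical service table used only for labelling well-known local ports.
KNOWN_SERVICES = {21: "ftp-control"}


def classify(rec: PortRecord) -> str:
    """Label a record: known service, no peer recorded, or an ephemeral port."""
    if rec.remote_port is None:
        return "no-peer"
    return KNOWN_SERVICES.get(rec.local_port, "ephemeral")


def data_channels_after_control(records: List[PortRecord],
                                control_port: int = 21) -> Dict[str, List[int]]:
    """For each remote host seen on the control port, collect the local
    ports of later records with that host that carry a remote port.
    Returns {remote_ip: [local_port, ...]} in log order."""
    sessions: Dict[str, List[int]] = {}
    for rec in records:
        if rec.local_port == control_port and rec.remote_port is not None:
            sessions.setdefault(rec.remote_ip, [])
        elif rec.remote_ip in sessions and rec.remote_port is not None:
            sessions[rec.remote_ip].append(rec.local_port)
    return sessions


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for r in recs:
        print(f"{r.date} {r.time} {r.proto} {r.local_ip}:{r.local_port} "
              f"<- {r.remote_ip}:{r.remote_port} [{classify(r)}]")
    print(data_channels_after_control(recs))
```

Running it prints one labelled line per record and then the control-to-data correlation, which for the sample ties the three ephemeral local ports 1163, 1166 and 1167 back to the host that opened the port 21 connection.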
