Tool Names: 1. VISION 2. PASCO 3. GALLETA. Tool 1 VISION.


Tool Names: 1. VISION 2. PASCO 3. GALLETA

Tool 1 VISION

UTSA IS 6353 Incident Response
Overview
– Tool Description
– Where You Can Find It
– Applicability to Forensics
– Tool Use/Screen Views
– Observations
– Lessons Learned

Technical Description: VISION
This tool provides the following:
– Shows all of the open TCP and UDP ports on a machine.
– Displays the service that is active on each port.
– Maps the ports to their respective applications.
– A large amount of supplementary information that is useful for determining host status: detailed system information, running applications, and the processes and ports in use.

Where to Find the Tools
Featured in the free tools. Information about Vision is provided at /vision.htm

How the Tool Supports Forensics
– Vision supports live analysis on a host.
– Vision is a host-based forensic utility that allows a forensic investigator to interrogate ports and identify potential "Trojan" services.
– This tool supports "Incident Response" more than "Forensic Analysis".

Tool Use
– Vision is a Windows GUI-based application.
– After launching, the application runs in the background and sits in the system tray.
– The "Auto-Refresh" interval can be specified in the options.
– Vision can log all of the entries to a CSV file.

Basic Menu Screen View

Observations
– Easy to download
– Easy to install (Windows Installer and easy configuration)
– Free tool
– Easy-to-use navigation menus; sub-menus can collapse and expand.
– A single view can represent a LOT of information.

Lessons Learned
– Doesn't work on Windows 98 or Me
– Requires 'psapi.dll' on Windows NT
– Single comprehensive tool that performs the functions of tools like 'fport' and 'pstools'
– The CSV log file can be a good resource for future reference

Tool 2 PASCO

Technical Description of Pasco
This tool provides the following:
– Command-line utility that parses the information in the IE activity files (index.dat).
– index.dat files are in binary form, and special tools like Pasco are required to view them.
– Pasco is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD.

Technical Description of Pasco
Relevant fields in the index.dat header:
– Length: contains the length of the index.dat file
– Hash Table Offset: contains the offset (in bytes) of the beginning of the HASH table
– Cache Directories: contains the directories where the files that make up the content of the cache are stored
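As an added example (not part of the slides or of Pasco itself), a small reader for the three header fields listed above, with the sanity checks an examiner wants before trusting a copied index.dat: the Length field must match the size of the file on disk and the hash table offset must fall inside it. The byte offsets and the "Client UrlCache MMF Ver 5.2" signature are taken from the published index.dat layout, not from the slide, and the sample header is constructed here.

```python
import struct

# Layout of an IE5-style index.dat header (assumed from the published format;
# the slide names the fields but gives no offsets):
#   0x00  signature "Client UrlCache MMF Ver 5.2\0"
#   0x1C  file length (uint32, little-endian)
#   0x20  hash table offset (uint32, little-endian)
#   0x50  cache directory table: 12-byte entries, uint32 file count + 8-char name,
#         read here until an all-zero entry (assumption: table is zero-terminated)
SIGNATURE = b"Client UrlCache MMF Ver 5.2\x00"
CACHE_DIR_TABLE = 0x50
CACHE_DIR_ENTRY = 12


def parse_index_dat_header(data: bytes) -> dict:
    """Return Length, Hash Table Offset and Cache Directories plus consistency checks."""
    if len(data) < CACHE_DIR_TABLE or not data.startswith(SIGNATURE):
        raise ValueError("not an IE5 index.dat header")
    file_length, hash_offset = struct.unpack_from("<II", data, 0x1C)
    dirs = []
    pos = CACHE_DIR_TABLE
    while pos + CACHE_DIR_ENTRY <= len(data):
        count, raw_name = struct.unpack_from("<I8s", data, pos)
        name = raw_name.rstrip(b"\x00").decode("ascii", "replace")
        if not name:
            break
        dirs.append((name, count))
        pos += CACHE_DIR_ENTRY
    return {
        "length": file_length,
        "hash_table_offset": hash_offset,
        "cache_dirs": dirs,
        # A mismatch means the copy was truncated or the file was still being
        # written when it was collected; parse results should then be treated as partial.
        "length_matches_file": file_length == len(data),
        "hash_table_in_file": hash_offset < len(data),
    }


def build_sample(length=0x4000, hash_offset=0x1000,
                 dirs=(("ABCD1234", 17), ("WXYZ5678", 3))) -> bytes:
    """Constructed header for the demo, not a real browser file."""
    buf = bytearray(length)
    buf[:len(SIGNATURE)] = SIGNATURE
    struct.pack_into("<II", buf, 0x1C, length, hash_offset)
    for i, (name, count) in enumerate(dirs):
        struct.pack_into("<I8s", buf, CACHE_DIR_TABLE + i * CACHE_DIR_ENTRY,
                         count, name.encode("ascii"))
    return bytes(buf)


if __name__ == "__main__":
    print(parse_index_dat_header(build_sample()))
```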

How Pasco Supports Forensics
– This tool supports off-line analysis.
– Allows a forensic investigator to reconstruct a subject's web browsing habits.
– Provides evidentiary material for abuse of corporate internet usage policies, pornographic content, and other illegal activities.

Where to Find Pasco
– On the web – free utility
– Loaded in my directory – D:\Pasco

Tool Use
– For Windows, must first install CYGWIN, a Linux-like environment for Windows.
– Cygwin can be found at
– Download and install Pasco from the Foundstone site.
– Search for index.dat files on the system and copy them into D:\pasco\bin.

Tool Use
For Windows XP, the index.dat files can be found at these locations (or do a search):
– TIF Index: \Documents and Settings\ \Local Settings\Temporary Internet Files\Content.IE5\
– Cookies Index: \Documents and Settings\ \Cookies\
– History Index: \Documents and Settings\ \Local Settings\History\History.IE5\

Tool Use
Pasco usage:
  pasco [options] <index.dat file to be parsed> > <output file.txt>
Options:
  -d  Undelete Activity Records
  -t  Field Delimiter (TAB by default)

Tool Use
Command line
– Execute the default mode of Pasco:
  $ ./pasco tif.dat > tif.txt
  (parses the index.dat file and writes the result to tif.txt)
– Execute the undeletion mode of Pasco, with a comma as the field delimiter:
  $ ./pasco -d -t, tif.dat > tifdtoptions.txt

Typical command-line usage of Pasco.

Text file output from Pasco.

Text file output from Pasco exported into a spreadsheet for further analysis.

Observations
– Easy to download – small download (460 KB zipped file)
– Easy to install – for Windows, must first install CYGWIN
– Simple command-line use – only two options available
– Can be used to parse the cookies and history index.dat files as well
– A white paper is available for an in-depth technical approach to Pasco's development

Lessons Learned
– Works better when the index.dat file is copied into the directory where Pasco is located.
– Run both the default and the undeletion mode to make sure no entries are missed.

Tool 3 GALLETA

Technical Description: Galleta
Galleta provides the following:
– Internet cookie analysis utility: parses the contents of a Windows cookie file and outputs the result to a tab-delimited file
– Small download (<500 KB)
– Requires CYGWIN to run (UNIX Bash shell)
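As an added example (my own code, not Galleta's), the same job Galleta does on one cookie file: split the text into records, convert the two 32-bit halves of each FILETIME into a UTC timestamp, and emit tab-delimited rows that can be sorted in a spreadsheet. The 8-lines-plus-"*" record layout and the order of the fields are assumed from the published IE cookie file format, not from the slide, and the sample file is constructed.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample in the layout of an IE cookie text file (not a real capture).
# Assumed record layout: name, value, site/path, flags, expiry low, expiry high,
# creation low, creation high, then a "*" line. Creation here is 2004-06-15 12:00 UTC.
SAMPLE_COOKIE_FILE = (
    "sessionid\nabc123\nwww.example.com/\n1536\n"
    "1092476928\n29649507\n1220108288\n29643472\n*\n"
    "tracker\nxyz\nads.example.net/\n1024\n"
    "1092476928\n29649507\n1220108288\n29643472\n*\n"
)


def filetime_to_utc(low: int, high: int) -> datetime:
    """Join the two halves of a FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    ticks = (high << 32) | low
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_ie_cookie_file(text: str) -> list:
    records, fields = [], []
    for line in text.splitlines():
        if line.strip() != "*":
            fields.append(line)
            continue
        if len(fields) != 8:  # a damaged record: stop rather than misalign columns
            raise ValueError("malformed record with %d fields" % len(fields))
        name, value, site, flags, exp_lo, exp_hi, cr_lo, cr_hi = fields
        records.append({
            "site": site, "variable": name, "value": value,
            "created": filetime_to_utc(int(cr_lo), int(cr_hi)),
            "expires": filetime_to_utc(int(exp_lo), int(exp_hi)),
            "flags": int(flags),
        })
        fields = []
    if fields:  # data after the last "*": the file was cut off mid-record
        raise ValueError("truncated final record")
    return records


def to_tab_delimited(records) -> str:
    lines = ["SITE\tVARIABLE\tVALUE\tCREATED\tEXPIRES\tFLAGS"]
    for r in records:
        lines.append("\t".join([r["site"], r["variable"], r["value"],
                                r["created"].isoformat(),
                                r["expires"].isoformat(), str(r["flags"])]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_tab_delimited(parse_ie_cookie_file(SAMPLE_COOKIE_FILE)))
```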

Where to Find the Tools
CYGWIN installs to the root directory
– Large download (6.5 MB)
– Install from the Internet
Galleta installs in the Program Files directory, or wherever you put it
– www.foundstone.com/resources/proddesc/galleta.html

How the Tool Supports Forensics
Galleta supports off-line analysis
– Tedious, cumbersome
– Recovers the contents of a single Internet cookie file
– Allows the investigator to categorize and/or sort cookies within Excel

Tool Use
Start CYGWIN
– START → All Programs → CYGWIN → CYGWIN Bash Shell
Change directories to the location where the Internet cookies are
– Put the Galleta executable file in this same directory
From the UNIX prompt in CYGWIN type:
– ./galleta cookiename.txt > newname.txt

Observations
– Easy to download
– Easy to install
– Command-line use was cryptic, depending on level of experience
– No help support
– Don't forget to download CYGWIN
– Very labor intensive

Lessons Learned
– Watch out for the location of the Galleta executable
– UNIX tool that works in Windows via CYGWIN
– Best used in conjunction with a string search utility (Pasco) to isolate questionable cookies