Command line tools for win32

Disclaimer: all of these tools were collected from the Internet and copyright stays with their original authors; scan them for malware yourself before use. The MD5 column identifies the exact build the compiler had: use it to detect a corrupted or substituted download, not as proof of origin, since MD5 collisions are practical and these hashes are not the vendors' own. Several of the programs (nc, dialupass and the PsTools suite among them) are routinely flagged by anti-virus as hacking tools, so expect them to be quarantined on a managed workstation.


Name | Version | Type | Size (bytes) | Description | MD5
→→ Networking
ab.exe | 2.0.55.0 | | 32,504 | ab is the Apache HTTP server performance (load) testing tool | 73660367CAABA4E3FFFF73DF7D437391
blat.exe | 2.6.1 | mail sending | 103,970 | blat is a small, free command-line mail sender | 5EF4F25697B0E0FA715EB7CC18652B3B
curl.exe | 7.12.2 | file transfer | 642,815 | curl is a command-line file transfer tool driven by URL syntax | 15D274B1F2B2704DA626FF8DE2978464
dialupass.exe | 2.43 | passwords | 36,632 | dialupass reads the stored ADSL dial-up user name and password | 87C734F1CA43105881214045F9F16644
Downloader.exe | 3.01 | download | 137,834 | Downloader is a command-line downloader | 147005E9AA96F5FF29EE543982B97B2D
febootimail.exe | 1.3 | mail | 457,692 | febootimail is a powerful DOS/command-line mail sender | B58AE7B79491F087BF44E56DF611F37E
hunt.exe | 1.2 | | 13,562 | hunt is a command-line tool for viewing information about a remote host | 0239A7D82797598CDC6A85E920CF1E91
idman.exe | 5.08 | download | 1,905,841 | IDMan is a fast command-line downloader | C52C0A5DD2D7843B975156F53FE4D58E
mt.exe | unknown | | 98,449 | mt is a network management utility | AE5C235BA7DC13628364086CBD92B71E
NBTscanIpanto.exe | 1.0.3 | | 32,955 | NBTscan is a NetBIOS name scanner (the source repeats the mt description here) | AE1ABD0FA24E3A3EAE292F555FEF63D6
ncftp.exe | 3.2.0 | FTP client | 332,209 | ncftp is an FTP client, far better than the stock ftp command | 8891561116992DE9A76DF6D7AA88C638
nc.exe | 1.10 | scanning | 28,865 | nc, the network Swiss army knife | 65F49922D5D0B40AA13EF4B2C406B632
nmap.exe | 4.11 | port scanning | 619,690 | nmap is a port scanner designed for large networks | 4658640A2846AC2BF9CE274453027440
PortQry.exe | 2.0 | | 80,658 | PortQry is a TCP/IP connectivity testing utility | C31747B461B3198C9E25C247B62B4A06
PortReporter.exe | unknown | | 84,186 | Port Reporter logs TCP and UDP port activity | 5AB2000F88455B87EE0B96DEEE0C3233
pstools.exe | 2.2 | remote administration | 485,162 | PsTools is a suite of remote administration utilities | 20A858703F35ECFAE8BB8DDDF754F1F4
smac.exe | 1.0 | | 5,006 | smac is a small command-line utility for changing a MAC address | 5A3FE78C6508D9D75E15F3A7438EBB61
sssyg.exe | unknown | proxy | 34,499 | sssyg is a command-line SOCKS proxy tool | F27F3CE9EE004ACF3DF2046A8D53107F
t4etools.exe | unknown | | 647,737 | t4etools is a set of command-line tools for SSH, SQL and more | ABF9099ECBF200441A38650839FDD9A9
wget.exe | 1.10.2 | file download | 328,740 | wget is a free tool for non-interactive download of files from the network | 62E5E4C4030F117F4FE7DE9CCB011FDD
wget.exe | 1.82 | file download | 278,802 | wget is a free tool for non-interactive download of files from the network | 7EF6EE62B7D2CE096277BA9051DD1E15
wol.exe | 1.2 | Wake-on-LAN | 17,532 | wol powers on a machine remotely (Wake-on-LAN) | 1D1FAA4A20EC10435EC728BF2584B35C
XmlSendmail.exe | 1.4.1 | mail sending | 113,082 | XmlSendmail sends mail described by an XML configuration file | 95C6370706A59875C31C4737548F31E0
→→ Work with files
CCase.exe | 2.5 | case conversion | 18,474 | CCase changes the case of a string of English characters | 7C38F222F48ACB1B10AE66926286F187
ConCmd.exe | 1.5 | Chinese encoding conversion | 179,444 | ConCmd converts the Chinese character encoding of files | 0C78B9BB810C67DAA10E4F5F10443BD8
gawk.exe | 3.1.3 | | 80,922 | gawk edits, matches and extracts data in text files | C722EE089A207D93BD83F679954D7135
gawk.exe | 3.1.5 | | 308,465 | gawk edits, matches and extracts data in text files | 2588AF03399B96E5654DF1C59AB85C32
grep.exe | 2.5.1 | text search | 72,567 | grep searches for and extracts text | 966D140762B88FF0A50B2B2EC5FC159C
HtoX32c.exe | 1.73 | htm2txt | 57,981 | HtoX32c converts HTM to TXT; Chinese localization by 無奈何@bbs.cn-dos.net | E8B328599E68A33E2C9FC2CCB03232FE
LineX.exe | 2.5 | line filtering | 21,770 | LineX filters screen output and specified files line by line | 263F1727B7710DFCA87CD35704A9B1C5
mtee.exe | 2.0 | | 7,282 | mtee saves output text in ANSI or Unicode format | 5AB9876CD6AF95C60E2B60B60A746EBF
sed.exe | 4.0.7x | text processing | 92,226 | sed is a line-oriented stream text editor | 57C2BEBDB0B8C817CFA1AB27CDD9D531
sed.exe | 4.1.4b | text processing | 106,858 | sed is a line-oriented stream text editor | 11E64125772D24AF1EBFACD50234432A
sed.exe | 4.1.5 | text processing | 1,213,116 | sed is a line-oriented stream text editor | ADB7931015172A3027F65E532F2DB045
split.exe | unknown | file splitting | 8,777 | split is a command-line file splitter | 22360BBFAA09C78DB8A18D2D1734BCD0
ssed.exe | 3.6.2 | text processing | 45,046 | ssed (super-sed) is a customized version of GNU sed which supports ... | 4A7EBF085B752A242BE27F7A2C4E154E
Str.exe | 2.5 | | 18,689 | Str is a small string-processing tool | 640AC1D620517787E2655B2DE5E4B4AF
Tee.exe | 2.5 | | 18,891 | Tee writes keyboard (standard input) content to a specified file | 010C2BA51EA23665DD1FEA8AEF5B684B
wfr.exe | 2.3.1.120 | encoding conversion | 618,918 | wfr does batch character-set conversion and multilingual batch string search and replace | A974564CB0CD779A2A50FDAF5CB63870
xmlstarlet.exe | 1.0.1 | XML | 1,154,260 | XMLStarlet formats, transforms, validates and edits XML | 87668076EF1F9231DFBC2A0BE2957151
→→ System
7za.exe | 4.42 | compression | 272,867 | 7za.exe is the command-line version of 7-Zip | 0AD553F60CBF0F8C683FE76D822FE8E5
aefdisk32.exe | 1.2 | partitioning | 86,642 | aefdisk32 is a pure command-line partitioning tool | 175E25C8171DDD0EB7046B08306380BF
aio.exe | 1.0 | | 393,811 | aio bundles the functions of many small tools into one "tool" | 9B13194DEF7CECCE9BFADAA0DF4FBD49
autorunsc.exe | 8.61 | autostart entries | 164,241 | autorunsc lists autostart entries | 4546BE1CC6D9E91B5296B42F1FE4948C
BalloonTip.exe | unknown | balloon tips | 2,738 | | D6DFEE0FB4DDCAFD03391DCAB57AB463
base64.exe | 1.0 | encoding | 15,232 | | 3896485C901123D200853F85AEA71B7B
beyondexecv.exe | 2.05 | remote administration | 34,117 | beyondexecv is a psexec-like tool | A9F31445405ED57850ADDF38466D2CBA
cdr.exe | unknown | optical drives | 25,486 | cdr ejects or closes one or more optical drives | 20C865630860E4B099DAFDBFF57B3289
chknic.exe | unknown | NIC information | 15,836 | chknic shows the MAC address, model and usage of network adapters | 7CDE8C5DE2CD4487D0AA9A11BB968CD8
cmdow.exe | 1.4.3 | windows | 14,048 | cmdow can hide the command-prompt window | D6941074C7E5AD437D4DEE0FB08EABA2
ColorX.exe | 2.5 | console colors | 19,117 | enhanced version of the color command | D9615E4439BD30D4BD7B6D47F9D93EDD
CompInfo.exe | 1.01 | information query | 22,678 | CompInfo queries a customizable set of system information | C9CB705271831CC77AF5B76EECC277EE
contig.exe | 1.53 | defragmentation | 30,901 | | 73DEBB083AF4BE9F440446EB0B133DA3
ctext.exe | 2K.232 | | 17,632 | ctext, like echox, is an enhanced echo | BAEA2DAB9F3EA04AE9793A1079F58816
datapipe.exe | unknown | port mapping | 2,663 | datapipe is the smallest port-forwarding program around | FC4F8B7CF6F9B430D5D8A784B6FADFFE
DateX.exe | 2.5 | time | 36,276 | enhanced version of the date and time commands | 3DBEFE421E4A0C2BC2387F34F36D30D1
dd.exe | 0.3 | partitions | 158,152 | | 0821E21470A1D88D554CCD6E2E067E07
dd.exe | 0.4beta5 | partitions | 150,134 | | CDB83F37633626D8934DBB5D5B95DA20
DevCon.exe | unknown | device manager | 85,003 | DevCon enables, disables, restarts, updates, removes and queries individual devices or groups of devices | E5ABAF6FEF3D64104B7282234C72202E
dirsize.exe | 4.8 | disks | 218,025 | DirSize shows disk usage information | 4ECF722042A8DA139EBDB50739A492C4
DriveX.exe | 2.5 | drives | 19,218 | DriveX determines the type of a drive | FBC9BD60AA8D5BD54244410F8370D2E2
EchoX.exe | 2.5 | | 20,683 | enhanced version of the echo command | E4103664DDAF0B4F4698010D4BF206F5
EmptyRecycleBin.exe | 1.0 | recycle bin | 28,575 | EmptyRecycleBin empties the Recycle Bin from the command line | 0468D3F42A9AAE2FADEB4436D0D0118C
filever.exe | 5.1.2600.0 | files | 7,485 | filever.exe shows the version of EXE, DLL and similar files | E5E5E8DADC1E38219AB65656397FA0F8
FInfo.exe | 2.5 | file statistics | 37,746 | FInfo reports basic file information (creation date, size, path, etc.) | 1F32BFAF7B05BBD6840D69D01823CF31
forfiles.exe | unknown | | 22,776 | forfiles runs a command on, or passes arguments to, multiple files | 3F31AAAD84486E279010102CB2F855D5
FPipe.exe | 2.1 | port redirection | 7,346 | FPipe is a command-line port redirector | C84C7FED1810E9775813955EAF1B330F
fsum.exe | 2.51 | file checksums | 80,897 | fsum is a command-line file checksum tool supporting several algorithms | 8C6293063EB1AD1B0FF8AEEEE4FA9F40
hide1.exe | unknown | GUI hiding | 12,456 | hide1 hides or shows a program's GUI by PID | C4F7A6CA2DEA49B4F824F23883B6EDE5
instsrv.exe | unknown | services | 23,256 | instsrv is a small command-line tool for adding services | BDBBD1735599D0AB8A833E79C75B9D78
inuse.exe | 1.4 | file replacement | 20,235 | inuse replaces files in use by the operating system at the next reboot | F362C49A152A9CE57073248B71655A76
ipsec.exe | unknown | port blocking | 81,234 | ipsec can block insecure ports | D89501FA90010201E0430B713DD50576
knlsc.exe | 1.3 | hidden-service detection | 11,262 | knlsc shows services hidden by rootkits such as hxdef100 and ntrootkit122 | 19FAA29BA574C3A853765C77B9C71164
lads.exe | 4.00 | NTFS stream detection | 30,985 | lads is a command-line tool for finding NTFS alternate data streams | 342F02805ACCA0E425032CA09D982C7B
logname.exe | unknown | | 3,814 | logname shows the currently logged-on user name | FD794E0E2D152BC29EB7FC1CBD29B890
md5.exe | 2.0 | hashing | 23,534 | | 3C3B20F48A607DBD77F620DFDE73EBBA
md5+.exe | unknown | hashing | 21,051 | md5+.exe hashes the string given directly as its argument | 808067DF17F5C169F9A794398AF07BCD
MessageBox.exe | unknown | messages | 16,801 | MessageBox pops up a message to the current user | 4AA6454CBEE01210B0AD93C970065931
mirror.exe | 1.42 | data recovery | 84,982 | MIRROR is a disaster-recovery backup tool | 65D2D1ADC8ABDCEBEF862DEB41AF35D7
mport.exe | 1.3 | ports | 5,285 | mport lists each process's ports and path from the command line, roughly pk -l and netstat -ano combined | F497D21ED68C2C570BB70FADEF492D18
mstsc.exe | Vista 5744 | remote desktop | 939,862 | mstsc extracted from Vista build 5744; Chinese and English versions | 7E98FDBCC2A939E5221E187802308D31
nircmd.exe | 1.83 | | 44,614 | nircmd offers many parameters for controlling Windows | 8685B317A5D88798ACE734FBE81E7866
openports.exe | 1.0 | port listing | 22,601 | Powerful TCP/UDP port-to-process mapper for Win32 | 90F1DE55F865DFCCBF30C51D442E9B75
physdiskwrite.exe | 0.5 | | 37,085 | physdiskwrite writes directly to a physical disk | D055EE6ED46AC3A9099BEACEC971868E
pk.exe | 1.04 | processes | 11,119 | pk.exe shows process PIDs and full names | D21C76E897630ABA41CC7DB10643C251
pmon.exe | unknown | | 5,229 | pmon shows process information in the console | B5B97D5A99282905350AFBE825CAB6E7
procmon.exe | 1.12 | process monitoring | 671,828 | a system process monitor, roughly Filemon + Regmon | 43B1963EE19D281376A96B836B052428
pv.exe | 3.11.1.1 | processes | 324,357 | pv kills processes and shows process paths | 2AF60BC541A538D1E82F86C933EA7CDD
qres.exe | 1.1 | resolution | 3,994 | | 634F34947D0C3D7F2ADB32B0898B3E3C
QueryAutoRun.exe | 1.0 | autostart entries | 4,056 | QueryAutoRun lists autostart entries | B5A71F825E974BA1D0BBE8150A1257FD
Rar.exe | 3.70beta4 | compression | 157,582 | command-line version of WinRAR | 1756281AAA517C5FAD34B4589B732248
reg2inf.exe | unknown | reg2inf | 4,774 | | D8B2072933FF76C0698906CD6B368E68
REGFONT.exe | 1.1 | font installation | 47,599 | REGFONT installs fonts from the command line | C93398F9D0431EFA0AB31C9414CF2C71
regini.exe | unknown | registry permissions | 18,573 | regini modifies registry permissions | EF84EDDECBBF10259FFA2B5C84D93DD6
regjump.exe | 1.01 | registry | 35,821 | regjump opens Registry Editor and jumps to the given key | A09A82A2E10598E13E920C15F7CAA617
rinetd.exe | 0.61 | port redirection | 72,430 | rinetd is a command-line port redirector driven by a configuration file | 5DE0862FBCFA479BBDCB7E40441E57AD
runassrv.exe | 1.0.0.3 | services | 32,362 | runassrv runs any executable (including batch files and scripts) as a system service | 7377AE947AAC1A7274A8BF093042D140
runassrv.exe | 1.1.0.628 | services | 119,225 | runassrv runs any executable (including batch files and scripts) as a system service | AACF027DE7E0FA15BE54A37013E370DE
scanreg.exe | 1.05 | registry | 23,831 | scanreg searches the registry for a string, optionally under a given root key... | 15DAA1EE92F638CD8F70B7A1EFA60D61
setacl.exe | 0.87 | registry | 5,416 | setacl.exe modifies permissions on registry keys and values | 72C17914D50062458E68A39F616FC27D
setacl.exe | 2.0.2.0 | registry | 113,316 | setacl.exe modifies permissions on registry keys and values | 3C181EB1CB38665FEF9FD6928B036D47
setres.exe | 1.0 | resolution | 17,141 | | 6261E0347591DF9514651AE6E2139D07
sha1.exe | 1.0 | SHA-1 file checksum | 16,713 | | 9725956D869A608C3D71BFFEA6C36BA3
shortcut.exe | 1.11 | shortcuts | 21,373 | shortcut creates file shortcuts | 9B0DFFB96A88031F6E991287CBC0C2D8
showacls.exe | unknown | | 8,263 | showacls displays a file's access control list (ACL); cacls can do this too | 8BC1EB355AC1E3B6EF3851C67E1D3EB5
SleepX.exe | 2.5 | delay | 20,717 | enhanced version of the sleep command | 656797AAA1B640525578C820E4BC68D7
sox.exe | 12.18.1 | audio conversion | 230,304 | sox is a command-line audio converter | 0658106D63DEBDF1C7EEF951A4C1B887
srvinfo.exe | 3.00.10 | services | 18,854 | srvinfo shows service status and some system information | DB3B01C1983B438EAA9BF76CA427CCC6
TrayBalloon.exe | unknown | balloon tips | 37,071 | | 5D69D1D93D2F4121078BB03CBA3EECCD
unplug.exe | 0.098 | | 17,878 | unplug is a small command-line tool for stopping removable media devices | 7F4A701E67922A8009F817D81A3369E8
upx.exe | 2.03w | executable compression | 210,035 | upx is the ultimate command-line executable packer | B5B534FDA73B7E29AAA026C35881F058
VidChng.exe | 1.0 | display settings | 16,868 | VidChng runs from the [GuiRunOnce] section and adjusts display settings | 5A4385A5049ED3DD20DE35A3D0839D6D
vidc.exe | 2.0 | port mapping | 68,469 | vidc is a port-mapping tool | C9F1BA21CDBF3E9E4F51F68068FC60D1
wait.exe | 1.4 | delay | 1,067 | wait, like sleepx, is a delay tool with precise timing | 7FED0863F4E52173BB5B23FFD199CF21
winclip.exe | unknown | clipboard | 22,875 | WinClip is a powerful clipboard viewer, editor and screen-capture tool | 9AB2D1F0F53C2D7FC17DE596C1B8278F
XXCopy.exe | 2.93.1 | | 226,495 | | E31C17C6A07ADB211444817D810F04A1
→→ Server
httpsv.exe | 1.6.2 | HTTP server | 150,410 | httpsv supports both a GUI and the command line | 62745684EE9670BE2FE8497E2BCE4184
http.exe | 1.1 | HTTP server | 29,837 | http is a command-line HTTP server | F897FBF5C09A200CA01658555A85909B
shttpd.exe | 1.26 | HTTP server | 15,624 | shttpd is a tiny Windows httpd supporting multi-threaded download | 4C42610105D2873D1574D5B50FDBB42B
SlimFTPd.exe | 3.17 | FTP server | 43,724 | SlimFTPd is a command-line FTP server | A2C758080B66103EF293B5CE92760726
SlimFTPd.exe | 3.181 | FTP server | 66,309 | SlimFTPd is a command-line FTP server | 19F9AD7EA6CC8B4F989D57646352EF10
TinyFTPD.exe | 1.4 | FTP server | 15,881 | | DDABCBA90C9037E22DBA2A86C8E8AB87
zxftpd.exe | unknown | FTP server | 27,465 | zxftpd is a command-line FTP server | 37EBCE1235C2F0843ACC09A44D6005DD
→→ Multimedia
mpg123.exe | 0.59r | music playback | 68,819 | mpg123 is a Windows port of the Unix player | CBD49CBD9CA777F5B1F1E88AC95ECE2A
mplayerc.exe | 6.4.9.0 | audio/video playback | 1,812,218 | single-file version of 暴風影音 (a Media Player Classic build), with command-line support | D61AC244797C37E139125D3971FFF473
mplayer.exe | 1.0pre8 | audio/video playback | 3,151,593 | MPlayer is a local and network audio/video player | B197DC1CFDBD09C2D47322F3239589AD
→→ Other
CmdBurn.exe | 3.3.1 | CD/DVD burning | 3,049,694 | CmdBurn is a command-line batch CD/DVD burning utility | F09F43CF2C78768C76EC87E6104375A2
csv2xml.exe | 1.02 | | 15,350 | | 98D6A75BCF648C42E29A3C461F3EA3B9
epsnap.exe | 2.1.0.1550 | | 292,660 | epsnap is a command-line screen capture tool | BBD68E75FEC180064F7B6A12DAEC94B4
Image2PDF.exe | 1.83a | Image2PDF | 397,800 | | A973950454234D2C1C78BE95737B1D3D
ImageConsole.exe | unknown | image conversion | 514,343 | ImageConsole is a command-line image converter | FCC6BA4CD1BB5BA2046B861D89112E26
ImageMagick.exe | 6.3.3-3 | image processing | 7,041,478 | ImageMagick(TM) is free software for creating, editing and composing images | 58F53C4905AA2E3F19F570D1A3E3B797
Notify.exe | 1.0 | folder monitoring | 15,648 | | DAF97D2B71D8EDC9536B6B8F2DFFA55E
p2wagent.exe | 2.1 | pdf2word | 246,094 | | 0A1A73BF8137386E22C7FA2D029D04CE
playRTPMPEG.exe | unknown | | 185,047 | playRTPMPEG receives multicast MP3 broadcasts | F5057DFA14338B55F4A69D7E732595E2
PngMate.exe | 2.0 | image conversion | 133,158 | PngMate is a very practical command-line image converter | E4C841B4B0481F5DC23FD425376F23DE
webshot.exe | 1.36 | | 209,295 | webshot saves a web page as an image | E6F0B89D0A104CB74DD7C2ACB3515702
xml2csv.exe | 1.31 | | 277,432 | | 63C6FA9EE67304782732478E4BE07465

Reposted from http://oneyicn.gobaiyi.com/cmdtools/
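To make the MD5 column above useful in practice, here is an added example (not from the original list or its compiler) that checks a directory of downloaded tools against a manifest of expected MD5 values and records a SHA-256 for each file at the same time. The manifest entries and the file contents are constructed for the demo; with real downloads you would paste the MD5 column into MANIFEST.

```python
"""Verify downloaded tool binaries against a manifest of expected MD5 hashes.

Added illustrative example, not code from the original page. The manifest
entries and the file contents written below are constructed for the demo,
not the real tools from the list."""
import hashlib
import os
import tempfile

# Constructed manifest: filename -> expected MD5 (hex, case-insensitive).
# For real use, paste the MD5 column of the tool table here.
MANIFEST = {
    "nc.exe": hashlib.md5(b"fake netcat build").hexdigest(),
    "wget.exe": hashlib.md5(b"fake wget build").hexdigest(),
}

def file_digests(path, chunk=1 << 16):
    """Return (md5, sha256) hex digests of a file, hashing it in chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()

def verify_tree(directory, manifest):
    """Compare every manifest entry with the file of that name in `directory`.

    Returns (report, digests): report maps filename -> "ok", "mismatch" or
    "missing"; digests maps filename -> SHA-256, so a stronger hash can be
    recorded once the MD5 check has passed. MD5 collisions are practical, so
    an MD5 match guards against corruption or substitution, not authorship."""
    report, digests = {}, {}
    for name, expected in manifest.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            report[name] = "missing"
            continue
        md5, sha256 = file_digests(path)
        digests[name] = sha256
        report[name] = "ok" if md5.lower() == expected.lower() else "mismatch"
    return report, digests

def demo():
    """Scratch directory with one good, one tampered and one absent file."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "nc.exe"), "wb") as f:
            f.write(b"fake netcat build")             # matches the manifest
        with open(os.path.join(d, "wget.exe"), "wb") as f:
            f.write(b"fake wget build, trojaned")     # does not match
        report, _ = verify_tree(d, {**MANIFEST, "curl.exe": "0" * 32})
    return report

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

A mismatch means the file is not the build the list describes; it does not tell you which one is trustworthy, so compare against the vendor's own published hash before running it.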

Universal Viewer - a universal file viewer

Universal Viewer (also known as ATViewer) is a universal file viewer that handles a large number of file formats, including plain text, images, video, web pages and RTF.

A program like this lets us inspect and preview many kinds of files, whether text files, help files, video, MP3 or images, and it can also do some basic editing of them, which is convenient when examining files during a forensic investigation. Note, though, that several view modes hand the file to Internet Explorer or Windows Media Player (see the official description below), so active content in an HTML, PDF or media file is rendered when it is opened; view untrusted evidence on an isolated examination machine, or stay in the Text and Hex modes.

The program can also download add-ons that provide more features, such as support for Microsoft Office and OpenOffice.org documents, PDF, icons, Flash/SWF, CAD, font files and a long list of others; the breadth and depth of support is considerable. It can also be configured to call external programs, which makes viewing file contents even more flexible.

The software supports multiple languages, including an official Traditional Chinese version. Usage is simple: download and unpack the main program, download the language archive and unpack it into the Language folder under Universal Viewer, then start the program, choose Options -> Configure -> General -> Language and switch to Chinese Traditional to get a Traditional Chinese interface.

The official description follows:

Universal Viewer is an advanced file viewer with wide range of formats supported. Implemented view modes and corresponding file formats are:

  • Text, Binary, Hex, Unicode: any files, of unlimited size (even 4 GB+ files are allowed)
  • RTF, UTF-8: RTF and UTF-8 encoded texts
  • Image: all general graphics formats: BMP JPG GIF PNG TGA TIFF... plus all formats supported by IrfanView/XnView external viewers
  • Multimedia: all formats supported by MS Windows Media Player: AVI MPG WMV MP3...
  • Internet: all formats supported by MS Internet Explorer: HTML PDF XML MHT...
  • Plugins: all formats supported by Total Commander Lister plugins
  • MS Office: all file types of MS Office (if installed): DOC DOCX XLS PPT...
  • Converters: some types can be viewed as plain text: DOC DOCX PDF PPT ODT...


Application is fully Unicode-compatible and can be integrated into Windows Explorer's context menu, so there is no problem to call it from anywhere in Explorer: right-click a file and select the "Universal Viewer" item. It can also be integrated into other popular file managers.
Generally, Universal Viewer is an application similar to Total Commander Lister. But compared to Lister, it has the following highlights:
  • Built-in functions of several plugins: images, multimedia, webpages view
  • Support for multiple codepages: ANSI, OEM, EBCDIC, ISO etc.
  • Support for text converters for DOC, DOCX, ODT, PDF etc.
  • Support for user tools
  • Toolbar, status bar, other interface improvements
  • Auto-reloading of file on changing, "Follow tail" option
  • Displaying of line numbers
  • Displaying of non-printable characters
  • Combined Unicode/Hex mode (call Unicode mode twice)
  • Modern RegEx search library
  • Print preview
  • EXIF viewer
In the Lister plugins section you will find a list of rather good Lister plugins to use in conjunction with UV. These plugins are developed by third parties and are not included in the UV installation.

Plugin downloads:


Office files viewers




Graphic viewers


  • Imagine - All major graphic formats (JPG GIF BMP PNG TGA ...)
  • SGViewer - All major graphic formats (JPG GIF BMP PNG TGA ...)
  • ICLView - Icon files (ICO ICL EXE DLL ...)
  • FlashView - Flash clips (SWF)
  • SWF Lister - Flash clips (SWF FLV)
  • 2D CAD View - Vector graphics: AutoCAD etc (DXF DWG HPGL SVG CGM ...)

Text editors with syntax highlighting



Font viewers


  • TTFViewer - TrueType fonts (TTF)
  • Font - All major font formats (TTF TTC OTF FON PFM)


Miscellaneous viewers


  • xBaseView - All major database formats (DBF DB MDB MDF XLS CSV ...)
  • Wise Tracker - Mod music formats (MOD S3M IT XM ...)
  • LinkInfo - Windows link files (LNK)
  • FileInfo - Applications and DLLs (EXE DLL SCR ...)
  • PE Viewer - Applications and DLLs (EXE DLL SCR ...)
  • AnyTag - Audio clips (AAC APE FLAC MP3 MP4 MPC OFR OGG WMA ...)
  • TxQuickView - Multi-purpose: images, media, internet, executables, fonts (AVI MPG MP3 RA RM MOV HTML EXE DLL TTF ...)
  • NFO Viewer - Small text files (NFO DIZ)



The latest release is 5.2.1 (March 2010).



References:
http://portable.easylife.tw/
http://www.uvviewsoft.com/


A short tcpdump tutorial

tcpdump is portable, fast and small; if you want to try capturing packets from the command line, give it a go......

Quick usage (to catch the statements hidden in the code, look directly at what is being sent to the port):

  • sudo tcpdump -nnnX -s 1500 port 3306
  • sudo tcpdump -aXXX port 3306 | grep denied

-s : capture more bytes of each packet (the snapshot length). Older tcpdump releases keep only the first 68 bytes of each packet by default, which cuts off the payload you are grepping for; current releases default to the whole packet, so there -s 0, or no -s at all, is enough.

tcpdump is driven from the command line; its syntax is:
tcpdump [ -adeflnNOpqStvx ] [ -c count ] [ -F file ]
[ -i interface ] [ -r file ] [ -s snaplen ]
[ -T type ] [ -w file ] [ expression ]


1. tcpdump options
  • -a  convert network and broadcast addresses to names;
  • -d  dump the compiled packet-matching code in a human-readable assembler-like form;
  • -dd dump the packet-matching code as a C program fragment;
  • -ddd dump the packet-matching code as decimal numbers;
  • -e  print the link-level header on each output line;
  • -f  print "foreign" Internet addresses numerically rather than as names;
  • -l  make standard output line-buffered;
  • -n  do not convert addresses to names;
  • -t  do not print a timestamp on each line;
  • -v  slightly more verbose output, for example the TTL and type of service of IP packets;
  • -vv even more verbose output;
  • -c  stop after receiving the given number of packets;
  • -F  read the filter expression from the given file and ignore any expression on the command line;
  • -i  listen on the given interface;
  • -r  read packets from the given file (normally produced with -w);
  • -w  write the raw packets to the given file instead of parsing and printing them;
  • -T  interpret the captured packets as the given type; common types are rpc (remote procedure call) and snmp (Simple Network Management Protocol).

For incident response, prefer -w (raw packets to a capture file, readable later with -r or Wireshark) over piping the printed summary through grep: the text output discards the packet bytes, so anything you did not print at the time is lost.

2. tcpdump expressions
The expression is a packet filter expression (compiled to BPF), not a regular expression: tcpdump uses it as the condition for selecting packets, and a packet that satisfies it is captured. If no expression is given, every packet on the network is captured.

An expression is built from several kinds of keywords. The first kind are type qualifiers: host, net and port. For example host 210.27.48.2 says that 210.27.48.2 is a host, net 202.0.0.0 says that 202.0.0.0 is a network address, and port 23 says the port number is 23. If no type is given, the default is host.

The second kind are direction qualifiers: src, dst, dst or src and dst and src, which state the direction of transfer. For example src 210.27.48.2 means the source address of the IP packet is 210.27.48.2, and dst net 202.0.0.0 means the destination network is 202.0.0.0. If no direction is given, the default is src or dst.

The third kind are protocol qualifiers: fddi, ip, arp, rarp, tcp, udp and so on. fddi selects a particular protocol on FDDI (Fiber Distributed Data Interface) networks; it is actually an alias for "ether", and since fddi and ether frames have similar source and destination addresses, fddi packets can be handled and analysed like ether packets. The other keywords select the protocol of the packets to capture. If no protocol is given, tcpdump captures packets of every protocol.

Besides these three kinds, the other important keywords are gateway, broadcast, less and greater, and there are three logical operators: negation is 'not' or '!', conjunction is 'and' or '&&', and disjunction is 'or' or '||'.
These keywords can be combined into powerful conditions; a few examples follow.

(1) To capture every packet received or sent by host 210.27.48.1:
#tcpdump host 210.27.48.1
(2) To capture traffic between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3 (when using parentheses on the command line, be sure to ...):
#tcpdump host 210.27.48.1 and (210.27.48.2 or 210.27.48.3)
(3) To capture IP packets between host 210.27.48.1 and every host except 210.27.48.2:
#tcpdump ip host 210.27.48.1 and ! 210.27.48.2
(4) To capture telnet packets received or sent by host 210.27.48.1:
#tcpdump tcp port 23 and host 210.27.48.1
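To make the qualifier rules above concrete (default type host, default direction src or dst, a bare value inheriting the previous term's qualifiers, and and/or/not with parentheses), here is an added example that is not tcpdump or libpcap code: a small evaluator for that subset of the filter language, run over packets constructed in-line as dicts. It models the semantics rather than compiling to BPF, it reads "net 202.0.0.0" classfully as the tutorial does, and the packets and their addresses are assumptions made for the demo.

```python
"""Model of the tcpdump filter subset described in the text; added example,
not tcpdump/libpcap code. Packets are constructed dicts, not real captures."""
import ipaddress
import re

PROTOS, IP_PROTOS, DIRS = {"ip", "arp", "tcp", "udp", "icmp"}, {"tcp", "udp", "icmp"}, {"src", "dst"}
DEFAULTS = (None, "dst or src", "host")                 # (proto, direction, type)

def tokenize(expr):
    return re.findall(r"\(|\)|&&|\|\||!|[^\s()!]+", expr)

class Parser:                                           # recursive descent: or < and < not
    def __init__(self, expr):
        self.toks, self.last = tokenize(expr), DEFAULTS
        self.take = lambda: self.toks.pop(0)
        self.peek = lambda k=0: self.toks[k] if k < len(self.toks) else None

    def expr(self, level=0):                            # level 0: or, 1: and, 2: unary
        if level == 2:
            return self.unary()
        node = self.expr(level + 1)
        while self.peek() in (("or", "||"), ("and", "&&"))[level]:
            self.take()
            node = (("or", "and")[level], node, self.expr(level + 1))
        return node

    def unary(self):
        t = self.peek()
        if t in ("not", "!"):
            self.take()
            return ("not", self.unary())
        if t == "(":
            self.take()
            node = self.expr()
            assert self.take() == ")", "missing )"
            return node
        return self.primary()

    def primary(self):
        proto = direction = typ = None
        while True:                                     # collect the qualifiers
            t = self.peek()
            if t in PROTOS:
                proto = self.take()
            elif t in DIRS and self.peek(1) in ("or", "and") and self.peek(2) in DIRS:
                a, op, b = (self.take() for _ in range(3))
                direction = f"{min(a, b)} {op} {max(a, b)}"   # normalise to "dst or src"
            elif t in DIRS:
                direction = self.take()
            elif t in ("host", "net", "port"):
                typ = self.take()
            else:
                break
        if self.peek() in (None, ")", "and", "or", "&&", "||"):  # bare protocol, e.g. "arp"
            assert proto and not direction and not typ, "qualifier without a value"
            return ("proto", proto)
        value = self.take()
        if (proto, direction, typ) == (None, None, None):        # bare value: inherit
            proto, direction, typ = self.last
        else:
            direction, typ = direction or DEFAULTS[1], typ or DEFAULTS[2]
            self.last = (proto, direction, typ)
        return ("match", proto, direction, typ, value)

def term_ok(pkt, direction, typ, value):
    if typ == "port":
        if pkt["proto"] not in ("tcp", "udp"):
            return False
        s, d = pkt["sport"] == int(value), pkt["dport"] == int(value)
    elif typ == "host":
        s, d = pkt["src"] == value, pkt["dst"] == value
    else:                                               # net: "202.0.0.0" -> 202.0.0.0/8
        octets = value.split(".")
        while len(octets) > 1 and octets[-1] == "0":
            octets.pop()
        net = ipaddress.ip_network(f"{value}/{8 * len(octets)}", strict=False)
        s, d = ipaddress.ip_address(pkt["src"]) in net, ipaddress.ip_address(pkt["dst"]) in net
    return {"src": s, "dst": d, "dst or src": s or d, "dst and src": s and d}[direction]

def matches(node, pkt):
    op = node[0]
    if op == "not":
        return not matches(node[1], pkt)
    if op in ("and", "or"):
        a, b = matches(node[1], pkt), matches(node[2], pkt)
        return (a and b) if op == "and" else (a or b)
    proto = node[1]
    ok = proto is None or (pkt["proto"] in IP_PROTOS if proto == "ip" else pkt["proto"] == proto)
    return ok if op == "proto" else ok and term_ok(pkt, *node[2:])

# Constructed packets: the tutorial's hosts plus an unrelated pair (assumed addresses).
PACKETS = [
    {"id": 1, "proto": "tcp", "src": "210.27.48.1", "dst": "210.27.48.2", "sport": 33357, "dport": 23},
    {"id": 2, "proto": "tcp", "src": "210.27.48.3", "dst": "210.27.48.1", "sport": 1024, "dport": 80},
    {"id": 3, "proto": "udp", "src": "210.27.48.1", "dst": "202.5.6.7", "sport": 5353, "dport": 53},
    {"id": 4, "proto": "arp", "src": "210.27.48.1", "dst": "210.27.48.254"},
    {"id": 5, "proto": "tcp", "src": "10.0.0.5", "dst": "10.0.0.6", "sport": 40000, "dport": 23},
]

def capture(expr, packets=PACKETS):                     # ids of the packets the filter keeps
    p = Parser(expr)
    tree = p.expr()
    assert not p.toks, "unexpected token " + str(p.peek())
    return [pkt["id"] for pkt in packets if matches(tree, pkt)]
```

Note how "not port 23" keeps the ARP packet: a qualifier that does not apply to a packet simply fails, and the negation then succeeds, which is the same behaviour real tcpdump shows and a common surprise when filtering out noise.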

3. tcpdump output
Below are a few typical kinds of tcpdump output.

(1) Link-layer header information
Command: #tcpdump -e host ice
ice is a Linux host with MAC address 0:90:27:58:AF:1A; H219 is a Sun workstation running Solaris with MAC address 8:0:20:79:5B:46. The command prints:
21:50:12.847509 eth0 < 8:0:20:79:5b:46 0:90:27:58:af:1a ip 60: h219.33357 > ice.
telnet 0:0(0) ack 22535 win 8760 (DF)
Analysis: 21:50:12.847509 is the timestamp, seconds plus microseconds (the .847509 is part of the time, not an ID). eth0 < means the packet was received on interface eth0; eth0 > would mean it was sent out. 8:0:20:79:5b:46 is H219's MAC address, so the frame came from H219; 0:90:27:58:af:1a is ice's MAC address, the destination. ip says the frame carries an IP packet and 60 is its length in bytes. h219.33357 > ice.telnet means the segment goes from port 33357 on H219 to the telnet port (23) on ice. ack 22535 means H219 has received everything before sequence number 22535 and expects that byte next. win 8760 is the receive window H219 advertises, 8760 bytes, and (DF) is the IP Don't Fragment flag.

(2) ARP packets
Command: #tcpdump arp
Output:
22:32:42.802509 eth0 > arp who-has route tell ice (0:90:27:58:af:1a)
22:32:42.802902 eth0 < arp reply route is-at 0:90:27:12:10:66 (0:90:27:58:af:1a)
Analysis: 22:32:42.802509 is the timestamp; eth0 > means the packet was sent by this host; arp who-has route tell ice is an ARP request in which ice asks for route's MAC address; 0:90:27:58:af:1a is ice's MAC address. The second line is the reply, route is-at 0:90:27:12:10:66, giving route's MAC address. Nothing in that reply authenticates route: any host on the segment can send a forged is-at, which is the basis of ARP spoofing.

(3) TCP packets
The general form of a TCP line captured by tcpdump is:
src > dst: flags data-seqno ack window urgent options
src > dst: source and destination address and port;
flags: the TCP flags set in the segment,
S (SYN),
F (FIN),
P (PUSH),
R (RST), "." (no flags set);
data-seqno: the sequence-number range of the data in the segment, as first:last(bytes);
ack: the next sequence number expected from the other side;
window: the receive window size in bytes;
urgent: whether the segment carries an urgent pointer;
options: TCP options.

(4) UDP packets
The general form of a UDP line captured by tcpdump is:
route.port1 > ice.port2: udp length
UDP is simple: the line says a UDP datagram went from port1 on host route to port2 on host ice, its type is UDP, and its length is length.
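Added example (not part of the tutorial or of tcpdump): a parser for the line formats described above, the -e link-layer line, the ARP request and reply lines and the TCP and UDP summaries, fed with lines constructed to match the tutorial's output plus one constructed UDP line. Current tcpdump releases lay the fields out differently (no interface or direction marker, flags in brackets), so the patterns are tied to the old Linux format shown here and would need adapting for modern captures.

```python
"""Parse the classic tcpdump line formats shown above into dicts.

Added example, not from the tutorial or from tcpdump. The sample lines are
constructed in the old Linux tcpdump layout used in the text; current tcpdump
prints the fields differently, so the patterns would need adapting."""
import re

MAC = r"[0-9a-f]{1,2}(?::[0-9a-f]{1,2}){5}"
HDR = r"(?P<ts>\d\d:\d\d:\d\d\.\d{6}) (?P<iface>\S+) (?P<dir>[<>]) "
LINK = re.compile(HDR + rf"(?P<smac>{MAC}) (?P<dmac>{MAC}) (?P<ethertype>\S+) (?P<len>\d+): (?P<rest>.*)")
PLAIN = re.compile(HDR + r"(?P<rest>.*)")
ARP = re.compile(rf"arp (?:who-has (?P<target>\S+) tell (?P<asker>\S+)|reply (?P<owner>\S+) is-at (?P<owner_mac>{MAC}))")
HOSTPORT = r"(?P<src>[\w.-]+)\.(?P<sport>\w+) > (?P<dst>[\w.-]+)\.(?P<dport>\w+)"
UDP = re.compile(HOSTPORT + r": udp (?P<udp_len>\d+)")
TCP = re.compile(HOSTPORT + r":? (?:(?P<flags>[SFPR.]+) )?(?:(?P<seq0>\d+):(?P<seq1>\d+)\((?P<dlen>\d+)\) )?"
                 r"(?:ack (?P<ack>\d+) )?(?:win (?P<win>\d+))?(?: urg (?P<urg>\d+))?")

# Constructed lines mirroring the tutorial's examples (the UDP line is invented).
LINES = [
    "21:50:12.847509 eth0 < 8:0:20:79:5b:46 0:90:27:58:af:1a ip 60: h219.33357 > ice.telnet 0:0(0) ack 22535 win 8760 (DF)",
    "22:32:42.802509 eth0 > arp who-has route tell ice (0:90:27:58:af:1a)",
    "22:32:42.802902 eth0 < arp reply route is-at 0:90:27:12:10:66 (0:90:27:58:af:1a)",
    "22:40:01.000100 eth0 > route.53 > ice.1025: udp 64",
]

def parse_line(line):
    """Return a dict of the fields tcpdump printed, or None if the line is not recognised."""
    m = LINK.match(line) or PLAIN.match(line)
    if not m:
        return None
    rec = {k: v for k, v in m.groupdict().items() if v is not None and k != "rest"}
    rec["dir"] = "in" if rec["dir"] == "<" else "out"          # eth0 < received, eth0 > sent
    for proto, rx in (("arp", ARP), ("udp", UDP), ("tcp", TCP)):  # UDP before TCP: TCP pattern is looser
        pm = rx.match(m.group("rest"))
        if pm:
            rec["proto"] = proto
            rec.update({k: v for k, v in pm.groupdict().items() if v is not None})
            if proto == "tcp":
                rec.setdefault("flags", ".")                    # no flag letters printed = none set
            break
    else:
        rec["proto"] = "other"
    return rec

def parse_all(lines=LINES):
    """Parse a list of lines, dropping the ones that do not match."""
    return [r for r in map(parse_line, lines) if r]

if __name__ == "__main__":
    for rec in parse_all():
        print(rec)
```

Once the lines are dicts, the ARP records are the input a binding monitor needs (who answered for which address), and the TCP records give you the flags and sequence numbers to spot scans or resets without re-reading the raw text.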





References:
http://www.xfocus.net/articles/200105/172.html
http://plog.longwin.com.tw/post/1/374


Man-in-the-middle

Put simply, the attacker plays the go-between: posing as the server to receive what you send, then posing as you to pass it on to the real server, so that messages can be read or altered without either end noticing. The program Cain & Abel, for example, exploits a weakness in the ARP protocol and uses a technique called ARP spoofing to trick specific machines into accepting it as the middleman.

When people hear "network eavesdropping", many still do not know how it actually works. The picture that comes to mind is probably the detective from an action film planting a bug in a room. Some network eavesdropping does follow that model: the attacker installs a Trojan on your computer, which quietly sends every keystroke out over the network. The weakness of that approach is that it leaves evidence, because the bug (the Trojan) stays on the victim's machine. The attack introduced here is entirely different: it installs no virus or Trojan and leaves no record on your computer, yet it can log everything you do on the network and vanish without a trace. Its name is the man-in-the-middle attack, MITM for short.

Network transmission can be modelled roughly on ordinary mail: you write the destination address on the letter (the packet) and hand it to the nearest post office (the network gateway), which forwards it to the nearest post office it knows of in the direction of the destination. There is one fundamental difference between real mail and network transmission, though: who are the people in the middle doing the forwarding? Post offices are all run by a central government authority, but the gateways that forward packets on the Internet are under no unified management. The difficulty of verifying the identity of each network element is an original sin of the Internet's early design, and as a result most network protocols are built directly on the assumption "I trust what the other side tells me": someone says his IP is 10.0.0.1, I believe him; someone tells me this route is shorter, I believe him. Anyone familiar with network architecture will recognise the pattern. A design that trusts others so readily, however, introduces an uncertain variable into security.

What variable? The man-in-the-middle attack exploits precisely this blind spot of the Internet. The "man in the middle" is a network element that helps forward packets along the way. An attacker who wants to eavesdrop takes advantage of the protocols' readiness to trust others, disguises himself as one of those forwarding elements, and records all of the traffic. Not clear? Look at the diagrams below.
The normal path:

[Figure mitm1: normal transmission]

With an attacker in the middle the path looks like this:
[Figure mitm2: transmission under a man-in-the-middle attack]

Strictly speaking, the man-in-the-middle attack is a "concept", and it has many implementations. The attacker first finds a flaw in a network protocol, uses it to substitute himself for a device on the path, unnoticed, so that traffic must pass through him, and then records everything that happens on the target segment.
The man-in-the-middle attack is hard to defend against because:

1. While the attacker is listening, normal network activity continues without interruption, so hardly anyone notices on their own.
2. No Trojan or malware is installed on the user's computer, so anti-virus software has nothing to find.
3. Although deceiving a network protocol may leave some traces, network devices usually keep few logs for performance and disk-space reasons, which makes tracing the attack afterwards extremely difficult.
4. The vast majority of network protocols still operate on the assumption "I trust what the other side tells me", which gives the attacker far too many holes through which to deceive network devices and pose as the middleman.
Point four is without doubt why MITM attacks keep happening today. The Internet works because many TCP/IP protocols cooperate, but as soon as one of them has an exploitable flaw an attacker can slip in, and at present almost every protocol has some flaw, which makes MITM attacks almost impossible to prevent completely! Next, let us look at a concrete example: Cain & Abel.

Cain & Abel is published by the site oxid.it. The name comes from the sons of Adam and Eve in the Bible, although the biblical story clearly has nothing to do with what the software does...
[Figure mitm3: Cain & Abel]

From the description on the site, Cain & Abel is a password-stealing tool designed for Microsoft operating systems (they call it password "recovery" software). How is it used? YouTube has complete video tutorials:
Another video does not allow embedding, so you will have to click through to it yourself:
For reasons of space this article does not go through the program's operation in detail; how it works is the point. Cain & Abel exploits a flaw in the ARP protocol, using a technique called ARP spoofing to deceive specific computers and pose as the middleman.
ARP's job is to resolve the mapping between IP addresses and the physical addresses of network cards, a function the network cannot run without. In short, a host broadcasts "who has IP X?", the owner of X answers "X is at MAC Y", and every host that hears the answer caches it without any check that the sender really owns X. The diagrams below illustrate how ARP works:

The genuine gateway
[Figure mitm4: ARP request for the gateway's address]
[Figure mitm5: ARP reply from the genuine gateway]

At first glance nothing seems wrong with this. In fact the problem is serious. ARP spoofing works like this: the attacker sends ARP replies of his own, telling the victim that the gateway's IP address is at the attacker's MAC address and telling the gateway that the victim's IP address is at the attacker's MAC address, so that both sides send their traffic to the attacker, who forwards it on:
[Figure mitm6: forged ARP reply from the attacker]
[Figure mitm7: traffic flowing through the attacker]

See it now? That is ARP spoofing: using a weakness of the ARP protocol to impersonate the gateway without anyone noticing. Cain & Abel is a MITM tool built on ARP spoofing; it deceives both ends of a conversation at once and inserts itself as the middleman. For an ordinary user Cain & Abel is a very convenient tool: it has a GUI, and you only need to specify the target to eavesdrop on and it does the rest. Its log files show that it records the target's network activity, and if the target is a Windows machine it can extract account names and passwords automatically; no wonder it calls itself "password recovery software"!

MITM tools like Cain & Abel do have their limits, though. Because ARP is a protocol used within a local network, the attacker must be on the same segment as the victim, which restricts the reach of ARP spoofing; and since ARP spoofing is comparatively well known, the major network equipment vendors have gradually added features to block it. Beyond ARP spoofing, however, the network still has plenty of other flaws that give attackers an opening.
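Because ARP replies are accepted without any check, the practical defence on a host or on a switch span port is to watch the IP-to-MAC bindings and alert when an address changes its MAC or when one MAC starts answering for several addresses, which is exactly the "poison both ends" pattern Cain & Abel uses. The following added example (not from the original article, and unrelated to Cain & Abel's own code) does that over a constructed sequence of observed ARP replies; the gateway address and all MAC addresses are assumptions made for the demo.

```python
"""Detect ARP cache poisoning from a stream of observed ARP replies.

Added example; not from the original article and unrelated to Cain & Abel.
Observations are constructed: an attacker (00:0c:29:aa:bb:cc) answers for
both the gateway and a victim, poisoning both ends as the article describes,
and the real gateway later reasserts its binding."""
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"                  # assumed for the demo

# (time, sender_ip, sender_mac) taken from ARP replies / gratuitous ARPs.
OBSERVED = [
    (0.0, "192.168.1.1",  "00:50:56:01:02:03"),   # real gateway
    (0.5, "192.168.1.10", "00:1a:2b:3c:4d:5e"),   # victim
    (1.0, "192.168.1.20", "00:1a:2b:3c:4d:5f"),   # bystander
    (5.0, "192.168.1.1",  "00:0c:29:aa:bb:cc"),   # attacker claims the gateway
    (5.1, "192.168.1.10", "00:0c:29:aa:bb:cc"),   # attacker claims the victim too
    (6.0, "192.168.1.1",  "00:50:56:01:02:03"),   # real gateway answers again: flapping
]

def detect(observations, gateway_ip, known=None):
    """Return [(time, severity, message)] alerts.

    known: optional static {ip: mac} table of fixed hosts. A reply that
    contradicts it is reported as critical; other binding changes are rated
    high for the gateway and medium otherwise; one MAC answering for several
    IPs is always high, since that is the two-sided poisoning pattern."""
    table = dict(known or {})               # ip -> mac currently believed
    claims = defaultdict(set)               # mac -> ips it has answered for
    alerts = []
    for ts, ip, mac in observations:
        mac = mac.lower()
        prev = table.get(ip)
        if prev is not None and prev != mac:
            if known and ip in known:
                sev = "critical"
            else:
                sev = "high" if ip == gateway_ip else "medium"
            alerts.append((ts, sev, f"{ip} moved from {prev} to {mac}"))
        table[ip] = mac
        claims[mac].add(ip)
        if len(claims[mac]) > 1:
            alerts.append((ts, "high", f"{mac} answers for {sorted(claims[mac])}"))
    return alerts

if __name__ == "__main__":
    for ts, sev, msg in detect(OBSERVED, GATEWAY_IP):
        print(f"t={ts:4.1f} {sev:8} {msg}")
```

Legitimate events (a replaced network card, a VRRP or HSRP failover, DHCP handing an address to another machine) also produce "moved" alerts, so feed a static `known` table for the gateway and other fixed hosts and treat contradictions of that table as the signal to act on.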

About three months ago in Las Vegas, in the very last slot on the last day of the hacker conference DefCon, a talk was squeezed into the schedule. The speakers were Anton Kapela and Alex Pilosov, and what they said stunned the room: they had broken BGP (Border Gateway Protocol), and through a BGP security flaw they could eavesdrop on any network activity on the Internet. While they were speaking, 94% of the conference's network traffic was already being routed through a monitoring point they had set up in New York, and at the time nobody had been able to detect it.

Kapela and Pilosov's method has not yet been analysed in detail, but the principle is the same: a man-in-the-middle attack through a protocol flaw, except that this time the flaw is in BGP. BGP is the most widely used routing protocol on the Internet, so a flaw in it affects far more than a local network. BGP, too, was built on the premise of trusting others; plenty of research abroad has pointed out that this design is unsafe, going back at least to the 1980s, and this is not the first time a BGP flaw has been found.

To defend effectively against man-in-the-middle attacks, some large companies and institutions (banks in particular) have started using encrypted connections on their internal networks, such as HTTPS, SSH and SFTP (the S stands for Secure), encrypting everything in transit so that even if an attacker can eavesdrop through a MITM attack, all he sees is meaningless gibberish. So is that safe? These programs are not necessarily free of weaknesses themselves, but against man-in-the-middle attacks specifically they do provide a degree of protection. That protection rests on authentication as much as on encryption: the client must verify the server's certificate or host key, and a middleman who presents his own certificate succeeds the moment the user clicks through the warning.

As the saying goes, "as virtue rises one foot, vice rises ten". When the Internet was invented, everyone was perhaps too focused on the function and performance of the protocols and neglected security, which is why network flaws keep surfacing today and give attackers their chance. Two years ago a team at Stanford University therefore proposed the Clean Slate Design for the Internet project, to "reinvent the Internet". The present Internet is so pervasive, however, that replacing it will probably take more than a decade.

MITM is a very common eavesdropping technique on the network, yet most users know far too little about it. Some may feel this article explains too much, tutorial videos included, and could lead to more attacks. I believe a clear explanation is necessary: everyone uses the Internet, but basic awareness of network security and its defences is sorely lacking; after being eavesdropped on, trojaned or knocked offline, people only know to reinstall the system, and once it is reinstalled they still do not know how to protect themselves. I hope this article not only introduces the attackers' eavesdropping methods but also gives everyone a deeper understanding of network security and how to defend it.

Reference:
Original article:
http://mmdays.com/2008/11/10/mitm/

FixEvt repairs corrupted Windows event logs


FixEvt is a tool for automating the recovery and analysis of Windows NT5 (XP and 2003) event logs, primarily for computer forensics. It is described in the Journal of Digital Investigation article "Automated Windows event log forensics", presented at the Digital Forensics Research Workshop in August 2007. It is based in part on a manual method described by Stephen Bunting. The article covers forensic procedures and log analysis methods in the context of a case study that illustrates the motivation for the tool.

This tool was initially developed to meet immediate needs of computer forensic engagements. It was developed to fill a gap between capabilities of other freely available tools that can be used to recover and correlate large volumes of log events, and thus be used to enhance the search for correlations with various other kinds of Windows artifacts.

Automating recovery, repair, and correlation of multiple logs is intended to make these methods more feasible for consideration in both a wider range of cases and earlier phases of cases, and hopefully, in turn, standard procedures.
The paper examines issues that may be relevant to determinations regarding admissibility of the methods, including accuracy, error rates and scientific basis. In addition, the author is available for consultation and testimony regarding such issues.


Download FixEvt Version 1.09

Fixevt.exe is a native Windows console (command line) application for Windows 98, NT, 2K, XP, 2003, and Vista that repairs a common form of corruption of Windows event logs that occurs when the event logging service stops without properly closing the log file.


Fixevt.exe requires no other files and no installation. Simply download the executable and run it from the command line as shown below. To see this documentation, invoke it with no command line arguments.

How FixEvt Works

Note that this utility directly modifies the log file. It does so for performance. If a corrupt log file must also be preserved unmodified, make a copy of the log and repair the copy. For evidence, hash the original before copying and work only on the copy, so the repaired file can be tied back to the acquired one.

FixEvt does not modify the log file except when the log's flag indicates that the log is 'dirty', in which case it searches for the duplicate copy of the header information that the logging service keeps at the end of the log (the trailer), and if it is found, repairs the header.

This utility will repair multiple log files. The event log filenames are the only arguments.
FixEvt returns a numerical status code to the shell that indicates whether the resulting log is 'clean'.
• zero (0) indicates either that the log file was already 'clean' and did not need repair, or that FixEvt successfully repaired the log file.
• non-zero indicates FixEvt failed. FixEvt can fail when the specified log file does not exist, or the file needs repair but the up-to-date copy of the offsets cannot be found.
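For readers who want to see what "searches for the duplicate information and repairs the header" means on disk, here is an added example that is not FixEvt's code. It follows the documented NT5 event log layout: a 48-byte header (EVENTLOGHEADER) whose offsets and record counters go stale when the service dies without closing the log, and a 40-byte end-of-file record (EVENTLOGEOF, the trailer) that the service rewrites after every event and that carries the current values. The sample log is constructed in memory with no event records between header and trailer, which is enough to exercise the repair logic; a real log has records in between, and as the FixEvt notes say, you repair a copy.

```python
"""Repair the header of a 'dirty' NT5 (.evt) event log from its EOF record.

Added illustration of the repair FixEvt describes; not FixEvt's own code.
Layout: EVENTLOGHEADER (12 x ULONG, 48 bytes) and EVENTLOGEOF (10 x ULONG,
40 bytes). The sample log built below is constructed: a header with stale
values and the dirty flag set, and a trailer holding the up-to-date values."""
import struct

HEADER_FMT, EOF_FMT = "<12I", "<10I"
HEADER_SIZE, EOF_SIZE = struct.calcsize(HEADER_FMT), struct.calcsize(EOF_FMT)   # 0x30, 0x28
SIGNATURE = 0x654C664C                      # "LfLe"
EOF_MAGIC = (0x11111111, 0x22222222, 0x33333333, 0x44444444)
FLAG_DIRTY = 0x0001                         # ELF_LOGFILE_HEADER_DIRTY
FIELDS = ("header_size", "signature", "major", "minor", "start_offset", "end_offset",
          "current_record", "oldest_record", "max_size", "flags", "retention", "end_header_size")

def parse_header(data):
    vals = struct.unpack_from(HEADER_FMT, data, 0)
    if vals[0] != HEADER_SIZE or vals[1] != SIGNATURE:
        raise ValueError("not an NT5 event log (bad header size or signature)")
    return dict(zip(FIELDS, vals))

def find_eof_record(data):
    """Find the EVENTLOGEOF trailer by its 0x11111111..0x44444444 pattern.

    It is searched for rather than read via the header's EndOffset, because
    the header offsets are exactly what a dirty log can no longer be trusted on."""
    magic = struct.pack("<4I", *EOF_MAGIC)
    pos = data.find(magic)
    while pos != -1:
        start = pos - 4                          # RecordSizeBeginning sits before the pattern
        if start >= 0 and start + EOF_SIZE <= len(data):
            rec = struct.unpack_from(EOF_FMT, data, start)
            if rec[0] == EOF_SIZE and rec[9] == EOF_SIZE:
                return dict(zip(("begin_record", "end_record", "current_record", "oldest_record"), rec[5:9]))
        pos = data.find(magic, pos + 1)
    return None

def repair(data):
    """Return (bytes, status); the status strings mirror FixEvt's messages."""
    hdr = parse_header(data)
    if not (hdr["flags"] & FLAG_DIRTY):
        return data, "Repair not needed"
    eof = find_eof_record(data)
    if eof is None:
        return data, "No trailer found"
    out = bytearray(data)
    # StartOffset, EndOffset, CurrentRecordNumber, OldestRecordNumber occupy bytes 16..31.
    struct.pack_into("<4I", out, 16, eof["begin_record"], eof["end_record"],
                     eof["current_record"], eof["oldest_record"])
    struct.pack_into("<I", out, 36, hdr["flags"] & ~FLAG_DIRTY)   # Flags is at byte 36
    return bytes(out), "Repaired"

def build_sample(dirty=True, with_trailer=True):
    """Constructed log: stale header (records 1..1), trailer saying records 7..42."""
    header = struct.pack(HEADER_FMT, HEADER_SIZE, SIGNATURE, 1, 1, HEADER_SIZE, HEADER_SIZE,
                         1, 1, 0x80000, FLAG_DIRTY if dirty else 0, 0, HEADER_SIZE)
    trailer = struct.pack(EOF_FMT, EOF_SIZE, *EOF_MAGIC, HEADER_SIZE, HEADER_SIZE, 42, 7, EOF_SIZE)
    return header + (trailer if with_trailer else b"")

if __name__ == "__main__":
    for kwargs in ({}, {"dirty": False}, {"with_trailer": False}):
        fixed, status = repair(build_sample(**kwargs))
        print(f"{status:18} current_record={parse_header(fixed)['current_record']}")
```

The trailer is the only place the current offsets survive an unclean shutdown, which is why a log without it ("No trailer found") cannot be repaired this way and has to be carved record by record instead.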

     

Using FixEvt

To repair all of the log files in a given directory, they may be specified by a wild-card argument on the command line:
% fixevt *.evt
To see a copy of this documentation, run FixEvt with no arguments:
% fixevt

Error Messages

FixEvt writes error and status messages to standard output as follows.

usage: fixevt SysEvent.evt
...all of this documentation....
The message above means that there was more or less than one argument on the command line.

Repair not needed: SysEvent.evt
The message above means that the flag in the header showed that the log was already 'clean' and did not need repair.

No trailer found in: SysEvent.evt
The message above means that the search for the up-to-date copy of the offsets failed, so the header could not be repaired.

Repaired: SysEvent.evt
The message above means that the header was successfully repaired.




Reference:
http://murphey.org/fixevt.html

CEH (Certified Ethical Hacker)

"The US Department of Defense has adopted EC-Council's CEH course as its benchmark for anti-hacking training"

CEH (Certified Ethical Hacker) is a vendor-neutral information security certification that grew out of a course the US Federal Bureau of Investigation (FBI) used to train personnel. In Taiwan, most CEH trainees come from three sectors: SOCs (security operations centers), government agencies and banks. Passing the CEH indicates an integrated understanding of application security, auditing and network administration.

"Both the CEH training course and the exam require signing a non-disclosure agreement (NDA) first." This is mainly to stop trainees from using the intrusion techniques they learn for illegal purposes. The NDA is a reminder: a trainee who breaks the law bears the responsibility.
The exam consists of 150 single- and multiple-choice questions over 4 hours; the maximum score is 100 and 70 or more is a pass. Many of the questions are scenario-based, for example the security problems an MIS staff member meets in daily work, their causes and how to resolve them.

CEH certification never expires. To upgrade from an older exam version, a holder of a pre-5.0 CEH can study the new material online and sit the new exam without attending the course again; alternatively, existing holders can accumulate enough CECs by attending security conferences and be upgraded to the latest CEH version automatically.

Comparison of the CISSP and CEH certifications
Aspect | CISSP | CEH
Emphasis | security theory and frameworks | hands-on attack and defence techniques
Revisions | rarely revised | a new training version whenever an operating system is revised or new attack techniques appear
Passed in Taiwan | fewer than 300 people | fewer than 300 people
Source: compiled by iThome, March 2008



SANS Papers

Some forensics white papers from SANS.....

Featured Papers

Paper | Author
Techniques and Tools for Recovering and Analyzing Data from Volatile Memory | Amari, Kristine
Mobile Device Forensics | Martin, Andrew
A Forensic Primer for Usenet Evidence | Lachniet, Mark
Mac OS X Malware Analysis | Yonts, Joel
Data Carving Concepts | Merola, Antonio
Ex-Tip: An Extensible Timeline Analysis Framework in Perl | Cloppert, Michael
Reverse Engineering the Microsoft exFAT File System | Shullich, Robert
Logic Models for Computer Forensics | Garrett, Jim
Google Desktop Search as an Analysis Tool | Poldervaart, Chris
Taking advantage of Ext3 journaling file system in a forensic investigation | Narvaez, Gregorio
A Forensic Investigation Plan and Cookbook | King, Gerald
Analysis of a serial based digital voice recorder | Wright, Craig
Analysis of a seized USB Flashdrive | Yuen, Cheuk Wai
Unspoken Truths - Forensic Analysis of an Unknown Binary | Velocci, Louie
Forensic Analysis of a SQL Server 2005 Database Server | Fowler, Kevvie
Forensic Analysis of a Compromised Intranet Server | Obialero, Roberto
Discovery Of A Rootkit: A simple scan leads to a complex solution | Melvin, John
Lessons from a Linux Compromise | Ritchie, John
CC Terminals, Inc. Forensic Examination Report: Examination of a USB Hard Drive | Duckworth, Brent
Forensic Analysis of a Compromised NT Server (Phishing) | Velazquez, Andres
CC Terminals Computer Forensics Analysis Report | Do, George
Analysis of a USB Flashdrive | Chablais, Christian
Forensic Analysis of a USB Flash Drive | Bennie, Norrie
Examining an Unknown Image & Analysis of a compromised Honeypot | Ramli, Farina
Forensic Examination of USB Data storage artifact | Reardon, Ben
Forensic analysis of a provided image | Pereira, Rudolph
Analysis of an unknown USB JumpDrive image | Hiew, Roger
Forensic Analysis on a compromised Windows 2000 system | Ng, George
Forensic Analysis: Leila Conlay versus Robert Lawrence, Harassment Case | Carpenter, Matthew
Forensic Investigation of USB Flashdrive Image for CC Terminals | Diggs, Rhonda
Forensic Analysis of a Misused System | Shettler, David
Forensic analysis of a Fedora Core 3 Notebook | Halm, Michael
Steganography for spies and spybots for hackers | Christensen, Andrew
ANALYSIS OF AN IMAGE PROVIDED FROM THE GIAC WEBSITE | Reyes Muñoz, Juan Carlos
Forensic with Open-Source Tools and Platform: USB Flash Drive Image Forensic Analysis | Ong, Leonard
CC Terminals Harassment Case | Farrington, Dean
Computer forensics investigation - Image file analysis | Spellane, Michael
Careless Crackers kill Computers | O'Brien, Conall
Camouflaged and Attacked? | Marasky, Bertha
Analysis of WinHex | Dillinger, Jessica
Analyze an Unknown Image and Perform Forensic Tool Validation | Watson, Patricia
Forensic Analysis of Camouflage and Validation of X-Ways Forensics Tool | Aylor, Michael
Forensic Image Analysis of a USB Flashdrive | Heerwagen, Howard
Forensic analysis of a seized USB Flashdrive image | Doyle, Ben
Analysis of an unknown disk | Simsic, Jure
Report on the Forensic Analysis of a recovered Floppy Disk | Armstrong, Steve
Analysis of a FAT16 formatted image using Linux, TSK and Autopsy | Hansen, Ove
Oracle Database Forensics using LogMiner | Wright, Paul
Infected or Owned? | Chuvakin, Anton
Analysis of a 64MB Lexar Media USB JumpDrive | Chen, Joseph
Spanish - Forensic Analysis of a Windows 98b system | Ruiz, Oscar
Forensic Analysis on a Windows 2000 Server | Cassidy, Regis
Forensic Analysis of an Apple iBook G4 | Partida, Alberto
NTLast as a Forensic Tool | Grime, Richard
Analyze an image and Perform Forensic | Pecorella, Francisco
Evaluation of a Zero-Day Worm Variant at a Health Clinic | Taylor, Jonathan
Analyze an Unknown Image and Forensic Tool Validation: Sterilize | Becker, Steven
Analysis of a Windows XP Professional compromised system | Santander, Manuel
Analysis of a Commercial Keylogger installed on multiple systems | Namuth, Merlin
HONORS - Analysis of a USB Flashdrive Image | Siles, Raul
Analysis of a USB Flashdrive Image | Wenchel, Kevin
A Touch of Superiority in Linux | Griffin, Slade
Forensic Analysis of a Windows 2000 Server | Ghavalas, Byrne
Forensic analysis of a Windows XP SP1 | Ferrill, Rob
Forensic analysis of a honeypot RedHat Linux 6.2 | Read, Mark
Compromise analysis of a University SGI Indy workstation running IRIX | Russel, Chris
Forensic analysis of a compromised Solaris server | Shepherd, Russell
Analysis on a compromised RedHat 8.0 machine | Deline, Jessica
Analysis on a compromised Linux RedHat 8.0 Honeypot | Bryner, Jeff
Forensic analysis of a Windows 98 system | Shenk, Jerry
Forensic Analysis on a Windows 2000 system | Hayday, John
Forensic Investigation of a Hacked Redhat 7.1 System | Khedekar, Nihar
Perform Forensic Analysis on a Red Hat Linux release 7.1.2 Server | Pawar, Pramod
Forensic Analysis of a Red Hat Linux release 7.1 Server | VK, Vijaykumar
Use of SSH as a forensic tool | Bro, Layne
Forensic Analysis on a compromised Windows 2000 Honeypot | Hewitt, Peter
Forensic Tool Validation of Compromised Computer Inventory System | Perry, James
How not to use a rootkit | Wilson, Michael
Analysis of a Red Hat Honeypot | Shewmaker, James
Forensic Analysis on a compromised Linux Web Server | Malone, Jeri
Forensic Analysis of a Sun Ultra System | Chmielarski, Tom
Forensic Validity of Netcat | Worman, Michael
Forensic Analysis on a Windows 2000 Pro Workstation | Cragg, David
Forensic Analysis on acquired EBay Hard Drives | Bunnell, Richard
Forensic Analysis on a Linux IPNET challenge system | Rinaldi, Alfredo
Forensic Analysis of a Windows 2000 Web Server | Liu, Yi-Chung
Evaluation of The Forensic Toolkit | Kamoshida, Akiteru
Forensic Analysis of an EBay acquired Drive | Wesemann, Daniel
Analysis of a Compromised Honeypot - VMware/Linux 7.3 | Hall, Stephen
Becoming a Forensic Investigator / Use of Forensic Toolkit | Maher, Mark
Forensic analysis of a Windows 2000 computer literacy training and software development device | Richard, Golden
Sys Admins and Hackers / Analysis of a hacked system | Fresen, Lars
Forensic Analysis of a Windows 2000 server with IIS and Oracle | Binde, Beth
Romanian Winter - Forensic Analysis of a Linux system | Ladstaetter, Garnot
Forensic Analysis of a compromised Sun Ultra 5 workstation | Madzelan, Carl
Forensic analysis of a compromised Linux RedHat 7.3 system | Miller, Kevin
Analysis of a Linux Honeypot | Hudak, Tyler
Forensic Analysis Procedures of a Compromised system using Encase | McGurk, Jeffrey
Analysis of tar2d2 as a Forensic Tool | Adelstein, Frank
Forensic analysis of a Compromised Red Hat 7.2 Web Server | Walker, Martin
Forensic analysis of a Compromised Windows 2000 workstation | Fraser, Charles
Forensic Examination of a home firewall and network services system | Carlson, Brian
Evaluation of Crocware's Mount Image Pro as a Forensic Tool | Tower-Pierce, Hugh
Forensic Tool Evaluation - Pasco | Larabee, Rick
Forensic Tool Evaluation - MiTeC Registry File Viewer | Fiscus, Kevin
Hidden Data Is Evidence Too / Metadata Assistant tool Evaluation | Pelcher, Bob
Compromised Redhat Linux 7.2 Honeypot Analysis | Anderson, Jason
Forensic analysis/process for a Windows 2000 SP2 Pro with IIS installed | Callahan, Jennie
Trash and Treasure - Computer Forensics and Public Domain Data (Bmap Tool Analysis) | Scott, Michael
    Evaluation of Forensics SF-5000u as forensic HardwareHickey, Steven
    Hackers and Trackers(Linux Forensic Analysis)Scott, Andy
    Review of Foundstone Vision as a forensic toolBingham, Bil
    Forensic Analysis of a RedHat 7.1 Server with Apache Web ServerSierra, Aaron
    Analysis of a Suspect Red Hat 6.2 Linux ServerVenere, Guilherme
    Forensics under Brazilian Legislation(HoneyPot evaluation)Piccolini, Jacomo
    Piping a Shell in a ICMP Tunnel-A Forensic Study of Malicious CodeNoakes, Robert
    Analysis of an IRC-bot compromised Microsoft Windows systemKolde, Jennifer
    Eavaluation of Linux ext2 file system debugger/debugfs for forensic useHarvey, Michael
    Evaluation of Windows Forensic ToolchestMcDougal, Monty
    An Endeavor Down the Forensic Highway(Windows 2000 Professional)Westphal, Kristy
    Forensic Analysis of a Honeypot Redhat 6.2 systemOlensky, Sven
    Forensic Analysis of a Compromised Windows NT4 workstationHammill, Adrian
    Analysis of a Windows 2000 corporate web serverCordeschi, Carlo
    Forensic event with a Microsoft Windows 2000 ServerNolin, Norbert
    Validaton of icat and ils for Forensic UseGabler, David
    Safe at Home?Perez, David
    Evaluation of a Honeypot Windows 2000 Server with an IIS Web/FTP ServerPearlstein, Kenneth
    Forensic Tool Validation, and Legal Issues of Incident HandlingVera, Christopher
    Forensic Analysis and process of a Mandrake Linux 9.1 systemDa Cruz, Dennis
    Binary Analysis, Forensics and Legal IssuesWyman, Michael
    Analyses of Italian Malware, Romanian Rootkits, and United States Computer LawFord, Michael
    Forensic Analysis of a Compromised SystemLee, Richard
    Analysis of a compromised RedHat 6.2 web server running ApacheFilmer, Bradley
    If it quacks like a duck, is it really a duck?Hall, Andrew
    Forensic Analysis of Shared WorkstationKerr, Michael
    Ironically , Some Targets Are Harder Than OthersClarkson, Michael
    Legal Issues of Computer Incident HandlingPsaila, Helen
    Forensics and Incident Response : Three InvestigationsHutson, Brian
    Digging covert tunnels Analysis of an unknown binaryMurr, Michael
    Computer Forensic Analysis of an Unknown Binary and The Complete Computer Forensic Investigation of a Hard DriveCapellini, Brian
    An Exercise In Practical Computer Forensic AnalysisCampaign, Adam
    Forensic Analysis of a MUD Gaming/Development ServerBanghart, John
    Forensic Investigation, Analysis, Documentation, and LawPrentner, Karl
    Forensic Analysis of Suplused system hard drivesBellamy, Jr., William
    Analyzing a Binary File and File Partitions for Forensic EvidenceButler, James
    Open Source Forensic Analysis - Windows 2000 Server -Arnes, Andre
    Forensic Analysis of Another HoneypotLisman, Jarrad
    Forensic Analysis Think pad 600 laptop running Windows 2000 serverBowers, Brad
    Analysis of a Suspect Red Hat Linux 7.2 System Running Apache v1.3.22Lee, Christopher
    EasyRecovery Professional (ER Pro)Khalid, Kamarul Baharin
    A Proposal for a Binary Comparison TechniqueLamastra, Gerardo
    Forensic Analysis of dual bootable Operating System (OS) running a default Red Hat 6.2 Linux server installation and Windows 98Othman, Mohd Shukri
    Analysis of a Software Write Blocker - That Works?Chevalier, Suzanne
    Forensic Analysis of an unfamiliar Windows 2000 systemKurasiewicz, Jeff
    An Examination of a Compromised Solaris Honeypot, an Unknown Binary, and the Legal Issues Surrounding Incident InvestigationsMccauley, Robert
    Analysis of LOKI2, Using mtree as a Forensic Tool, and Sharing Data with Law EnforcementKorty, Andrew
    Forensic Studies in the Digital Worldde Jong, Mark
    System Analysis of a Compromised Windows 2000 Professional SystemStuart, Robin
    Loki & the Honeypot: Forensic AnalysesGeiger, Matthew
    Use of sg_dd for Computer ForensicsStone, Michael
    Forensic Analysis of a Discarded University Computer SystemCraiger, Philip
    Analysis of a Suspect Windows 2000 Server SP3 Running IISFaber, Sid
    Forensic analysis of a compromised RedHat Linux 7.0 systemCunningham, Jacob
    Analysis of a Compromised Honeypot on a Cable ModemSchlereth, Matthew
    Validation of Norton Ghost 2003Brozycki, John
    Validation of NTLast v3.0Dolak, John
    Analysis of a Suspect Red Hat Linux 6.2 SystemStrubinger, Ray
    Analysis of a Suspect Windows 95 SR2 SystemFiliberto, James
    Validation of TASK v1.50 fsstat and dstatGinski, Richard
    A Search for the Origin of a September 2001 Bomb ThreatCurd, Bill
    Validation of The Coroner's Toolkit v1.11 mactimeDalton, Matthew
    Validation of GNU tar v1.13.19 & v1.13.25 and GNU cpio v2.4.2 & v2.5Calabrese, Chris
    Analysis of a Compromised Windows NT 4.0 Server Running MS SQL Server 7.0Lukacs, Steven
    Validation of GNU strings v2.11.90.0.8Desai, Neil
    Validation of Process Accounting RecordsClausing, Jim
    Analysis of a Honeypot running Red Hat Linux 6.2Murphy, Keven
    Analysis and Comparison of Red Hat Linux 6.2 Honeypots With & Without LIDS-enabled KernelsOwen, Greg
    Analysis of a Suspect Red Hat Linux 6.2 SystemVan Riper, Ryan
    Analysis of a Compromised Red Hat Linux 7.2 SystemPierce, Jerry
    Analysis of an Unknown Red Hat Linux 7.3 SystemPedersen, Stephen
    Analysis of an Unknown Mac OS X Public Beta System Using Mac OS X 10.2Miller, Roland
    Validation of ISObuster v1.0Dietz, Steven
    Analysis of a Suspect Windows XP Professional SystemWagner, Dave
    Analysis of a Potentially Misused Windows 95 SystemLeibolt, Gregory
    Validation of Restorer 2000 Pro v1.1 (Build 110621)Brooker, Denis
    Validation of a Modified UNIX "script" Command to Monitor Shell SessionsBarnett, Ryan
    Analysis of a Suspect Red Hat Linux 6.1 SystemFung, James
    Analysis of a Virus Infected Windows 98 SE SystemHayler, Richard

    Source: SANS