Post Incident Response Disk
From Jonsdocswiki
Below is a list of tools I keep on my Post Incident Response disk.
What is an incident?
An incident can be classed as:
- Viral outbreak on a machine.
- Malware outbreak on a machine.
- Forensic incident (in which case you'll likely need Trinity too).
Basically, anything that causes the workstation to act unexpectedly can be classed as an incident and it is important the rest of the network is not put at risk. As such, optical media is used to investigate as this is read only to the infected system.
| Memory Stick Warning |
|
Never plug a memory stick, or other writeable media, into a compromised device.
|
Disk Contents
- Microsoft Updates
- Windows XP Sp3
- Various Office Service Packs
- KB958644 (conficker protection) for XP
- .Net installs
- Microsoft Installer Cleanup Utility
- Microsoft Security Essentials
- May not scan without an Internet connection so act with extreme caution.
- Spybot Search and Destroy
- Sequoiaview
- JDisk Report
- Sysinternals tools
- Process Explorer (procexp.exe) - used to examine processes running on a machine, the files the processes are accessing etc.
- Process Monitor (procmon.exe) - monitor system processes.
- Filemon (filemon.exe) - monitors access to files.
- PS GetSid (psgetsid.exe) - gets the SID of the machine or users.
- PS Info (psinfo.exe) - Obtains information on the machine.
- PS List (pslist.exe) - gets a list of running processes.
- PS Loggedon (psloggedon.exe) - shows list of users that have logged on.
- PS Log List (psloglist.exe) - lists the various Windows logs (recommend this be piped to a file).
- Pagedefrag (pagedfrg.exe) - Defragments the page file and/or registry at next boot.
- Various others.
