Friday, March 22, 2013

Tool Kit Essentials

Every intrusion analyst has to have a toolkit. It isn't just the essential Linux programs you need to install on each machine you do analysis from; it also includes all those web sites you use to check suspicious sites, deobfuscate malicious code, research exploits and the like, not to mention some of the good Windows-only tools you might be using (like NetWitness Investigator or Malzilla). I used to keep a flat file of all the tools I needed, but it quickly gets out of date. How do you determine what should be on that list?

I've received a flurry of emails lately from recruiters for IDS-related posts they need to fill. As I was reading one, it struck me: if I took this job and needed to get up and running doing intrusion analysis on Day One, what would I need to make that happen? I realized that scenario defines what should be in my essential toolkit. Not those rarely used apps, or sites that duplicate things I can do from the command line on the packet boxes, but what I HAVE to have.

So rather than create another list, I've decided I need (yet another) flash drive to keep with me at all times (at least when I'm working) that has current copies of essential tools, Windows and Linux, exported bookmarks, copies of notes I've taken and such so that I'm fairly comfortable that I could walk in the door of a new job and within a couple of hours be ready to start looking at alerts.

If you have a better method, please share. I don't have any plans to change jobs, but keeping this info close by and updated is also a way to keep up with version checking and making sure I always have the latest improvements in my tools.


Glen Kurtz said...

I don't have any advice on my methodology (as a novice analyst), but I would like to know what you have in your "Barebones" toolkit.

JeffSoh said...

I use Spondulas for site investigation, hexedit for examining binaries, ngrep, dsniff, and built-ins like grep, base64 (to decode) and awk. On Windows I use Wireshark a lot (my IDS allows sending packets it captures to another program), Malzilla a lot, but not as much since I found Spondulas. I also use Network Miner sometimes. But a lot of what I do now just involves using scripts to iterate through captures and pull out time ranges or specific IPs into new captures and look at them through tcpdump or push to my Windows box for Wireshark. Using the Find Packets function in Wireshark, as opposed to how I used to do it with ngrep, is really powerful, as I can see the packets that preceded or followed it and do TCP stream assembly and look at the session. Since so much of what I look at (like everyone else) is client-side, I also have some sites like jsunpack and Wepawet that help with the deobfuscation. I'd found a great new site called that did a really nice job, but it's unfortunately no longer around. Speaking of web sites as part of your toolbox, the xlate site at does a great job with base64, hex and other encodings.
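The comment above describes scripting over captures to carve out a time range or a specific host into a new capture before looking at it in tcpdump or Wireshark. The following is an added example of that kind of carving script, written for this page; it is not JeffSoh's own script. It is pure standard-library Python so it runs where tcpdump is not installed, reads and writes the classic little-endian libpcap format with Ethernet framing only (pcapng and other link types are assumed out of scope and rejected), and the five-packet sample capture, the addresses and the timestamps are constructed for the demonstration.

```python
"""Carve a libpcap capture down to one host and/or one time window (stdlib only).

Added example for this page: handles classic little-endian, microsecond-resolution
pcap with Ethernet (linktype 1) frames; anything else is rejected rather than guessed.
"""
import io
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4                       # little-endian, microsecond timestamps
GLOBAL_HDR = struct.Struct("<IHHiIII")        # magic, major, minor, tz, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")           # ts_sec, ts_usec, incl_len, orig_len
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800


def build_ipv4_frame(src, dst, payload=b""):
    """Constructed minimal Ethernet/IPv4 frame (zero MACs, no checksum) for the sample capture."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + payload


def write_pcap(records):
    """records: iterable of (ts_sec, ts_usec, frame). Returns the bytes of a pcap file."""
    out = io.BytesIO()
    out.write(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for sec, usec, frame in records:
        out.write(RECORD_HDR.pack(sec, usec, len(frame), len(frame)))
        out.write(frame)
    return out.getvalue()


def read_pcap(data):
    """Yield (ts_sec, ts_usec, frame) per record; fail loudly on unsupported or truncated input."""
    magic, _, _, _, _, _, linktype = GLOBAL_HDR.unpack_from(data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic %#x (only little-endian usec pcap handled)" % magic)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type handled, got %d" % linktype)
    off = GLOBAL_HDR.size
    while off + RECORD_HDR.size <= len(data):
        sec, usec, incl, _orig = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        frame = data[off:off + incl]
        if len(frame) != incl:                 # capture cut short mid-record (common with killed tcpdump)
            raise ValueError("truncated record at offset %d" % off)
        off += incl
        yield sec, usec, frame


def ipv4_addrs(frame):
    """Return (src, dst) dotted quads for an Ethernet/IPv4 frame, or None for anything else."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    if frame[14] >> 4 != 4:
        return None
    return socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])


def carve(data, host=None, start=None, end=None):
    """Return a new pcap holding only records that involve `host` (as src or dst, if given)
    and whose timestamp lies within [start, end] epoch seconds (inclusive, if given)."""
    kept = []
    for sec, usec, frame in read_pcap(data):
        ts = sec + usec / 1e6
        if start is not None and ts < start:
            continue
        if end is not None and ts > end:
            continue
        if host is not None:
            addrs = ipv4_addrs(frame)
            if addrs is None or host not in addrs:   # non-IPv4 frames never match a host filter
                continue
        kept.append((sec, usec, frame))
    return write_pcap(kept)


def count_records(data):
    return sum(1 for _ in read_pcap(data))


# Constructed sample capture: five frames spread over a ten-second window (RFC 5737 addresses).
SAMPLE = write_pcap([
    (1363910400, 0,      build_ipv4_frame("10.0.0.5", "192.0.2.10", b"GET")),
    (1363910401, 500000, build_ipv4_frame("192.0.2.10", "10.0.0.5", b"200")),
    (1363910403, 0,      build_ipv4_frame("10.0.0.7", "192.0.2.10", b"GET")),
    (1363910405, 0,      build_ipv4_frame("10.0.0.5", "198.51.100.2", b"DNS")),
    (1363910409, 0,      build_ipv4_frame("10.0.0.7", "198.51.100.2", b"DNS")),
])

if __name__ == "__main__":
    carved = carve(SAMPLE, host="10.0.0.5", start=1363910400, end=1363910404)
    with open("carved.pcap", "wb") as fh:      # hand the result to tcpdump -r or Wireshark
        fh.write(carved)
    print("kept %d of %d records" % (count_records(carved), count_records(SAMPLE)))
```

The host filter matches either direction so the carved file still reassembles cleanly as TCP streams in Wireshark; a filter on destination only would drop the replies. The reader refuses byte-swapped, nanosecond or pcapng captures instead of silently misparsing timestamps, which is the failure you least want when the whole point of the carve is a time window.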
