June 5, 2008

Evidence Collector - free forensics program

Evidence Collector is a small program that drives other utilities to collect the data and information you may need when investigating an IT incident. Currently it targets Windows environments. Evidence Collector relies on utilities from Sysinternals, NirSoft and others to gather the information; all of these tools are stored in the Utilities repository.

What does it actually collect?
1. System information: owner, IP address and MAC address, which you should record before starting the forensic work.
2. Installed software: unwanted software may have been installed without your knowledge; see what is on the computer.
3. Installed hot fixes: enumerates the installed hot fixes. Note that a missing critical patch is a potentially exploitable vulnerability.
4. Enumerated processes: lists all processes running on the system.
5. Event logs: the Application, System and Security event logs are collected. Event logs keep traces of what happened to your system.
6. TCP/UDP endpoint mapping: see what is listening behind TCP and UDP ports. Most remote administration tools and Trojans do not hide their network activity.
7. Start-up programs: many malicious programs write themselves into certain registry keys so that they are reloaded at the next reboot.
8. Suspected modules: scans loaded modules to see whether they have been tampered with by a rootkit.
9. USB history: reveals whether any USB key has been plugged into the system.
The application is still in beta. If you like it, you can get more information and download it from here. After downloading, just unzip it and start Evidence Collector; no installation is required. It checks whether you have administrative privileges and, if so, clicking the "Start collecting data" button performs all the checks. You only need to wait until the program has finished scanning the computer. All logs are stored in the LOGS repository. [source]
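The collection described above, written out as an added PowerShell example (not Evidence Collector's own code): it performs the same administrative-rights check, gathers items 1 to 7 and 9 with built-in cmdlets in place of the Sysinternals and NirSoft tools, writes everything to a LOGS folder, and hashes the output so the collection can be verified later. It assumes Windows 8 / Server 2012 or later and an elevated PowerShell 5.1 session; item 8 (module scanning) is omitted because it needs a dedicated rootkit detector.

```powershell
# Added example, not Evidence Collector's own code: a PowerShell triage collector
# for the artifact classes listed in the post. Assumes Windows 8 / Server 2012
# or later (NetTCPIP and CimCmdlets modules) and an elevated PowerShell 5.1 session.
$ErrorActionPreference = 'Continue'   # one failing collector must not abort the rest
$Logs = Join-Path (Get-Location) 'LOGS'
New-Item -ItemType Directory -Path $Logs -Force | Out-Null

# Same gate as the original tool: the Security log and the USBSTOR hive need admin rights
$me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session.'
}

function Save($Name, $Data) {
    $Data | Format-List * | Out-File (Join-Path $Logs "$Name.txt") -Width 300
}

# 1. System information: hostname, owner, MAC and IP addresses
Save 'system'  (Get-CimInstance Win32_ComputerSystem | Select-Object Name, Domain, PrimaryOwnerName, Model)
Save 'network' (Get-NetAdapter | Select-Object Name, MacAddress, Status)
Save 'ipaddr'  (Get-NetIPAddress | Select-Object InterfaceAlias, IPAddress, AddressFamily)
# 2. Installed software, from both the 64-bit and the 32-bit Uninstall hives
$uninst = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
          'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Save 'software' (Get-ItemProperty $uninst -ErrorAction SilentlyContinue | Where-Object DisplayName |
                 Select-Object DisplayName, DisplayVersion, Publisher, InstallDate)
# 3. Installed hotfixes
Save 'hotfixes' (Get-HotFix | Select-Object HotFixID, Description, InstalledOn)
# 4. Running processes with parent, image path and full command line
Save 'processes' (Get-CimInstance Win32_Process | Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine)
# 5. Event logs: export the raw .evtx files so nothing is lost to filtering
foreach ($log in 'Application', 'System', 'Security') { wevtutil epl $log (Join-Path $Logs "$log.evtx") /ow:true }
# 6. TCP/UDP endpoints mapped to the owning process ID
Save 'tcp' (Get-NetTCPConnection | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess)
Save 'udp' (Get-NetUDPEndpoint   | Select-Object LocalAddress, LocalPort, OwningProcess)
# 7. Start-up programs: the Run/RunOnce keys for the machine and the current user
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
Save 'startup' (Get-ItemProperty $runKeys -ErrorAction SilentlyContinue)
# 9. USB history: every mass-storage device Windows has enumerated (item 8 needs a dedicated rootkit scanner)
Save 'usb' (Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR' -Recurse |
            Get-ItemProperty | Select-Object PSChildName, FriendlyName)

# Hash every artifact so the LOGS folder can be verified later in the investigation
$manifest = Get-ChildItem $Logs -File | Get-FileHash -Algorithm SHA256 | Select-Object Hash, Path
$manifest | Out-File (Join-Path $Logs 'MANIFEST.sha256') -Width 300
```

Run it from the folder where the LOGS directory should be created; the .evtx exports can be opened in Event Viewer or parsed with Get-WinEvent -Path on an analysis machine.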
