I'm trying to gather a set of tools for internet forensics (not LAN).
I've got ht-track website recover, tcpdump, netscan tools pro, Cain and Abel, ethereal, so I pretty much cover most areas.
Could someone who works in this area specifically, give me a list of other tools they use on a regular basis? I'm specifically looking for the forensic capture of websites online. I can do it ok-ish with HT-track, but not excellently.
Careful when using such tools on websites. I am not sure how much experience you have in this area (so I may be teaching granny to suck eggs), but using such tools means you are active in your analysis. Hence, you are going to have to use techniques to conceal your IP as well as using HT-Track etc. There are also simple tools such as wget, which is a Unix-based tool.
If the live info isn't fully required then perhaps look at using something like a search engine cache or an archive site.
The number of times people just access the website directly... and if the person has monitoring tools on there, they know you've been (X Police visited my website...).
wget, very useful I wasn't aware of that command.
Thanks samr.
I've sent you a PM.
Any other comments/additions welcomed.
Check out WebCase - Ovie interviewed the principal of the firm that developed it on CyberSpeak not too long ago. Also, check out some of the episodes from last year that had the websites of the week that mentioned tools and sites to use.
We actually still do a lot of "manual" investigations with domaintools.com, robtex.com, archive.org, screen caps, IP tracing, etc.
Yep, same here. I find that there is no substitute for a human operator trying to link all that data together. Archive.org can be a goldmine, since a lot of people don't take them into account when cleaning their online evidence.
I also highly recommend getting a paid subscription to domaintools; their domain history feature has been really helpful on several occasions.
Having said that, I can imagine Maltego being a helpful tool, if you work a lot with online evidence.
One problem I've run into in the past is saving evidence correctly. Is a hashed screenshot of domaintools.com evidence? If not, then what is?
Roland
Good tip, and very true. I've seen a couple of investigations compromised because of that.
Also be aware that when you're using the cache function of search engines, most of the time your browser will still fetch the graphics directly from the target website.
And for the people who say "oh, I'll just disable graphics in my browser": the same goes for video, flash, and audio content.
Good luck,
Roland
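Roland's point about cached pages still pulling graphics, video, flash and audio from the live site can be checked before a cached copy is opened in a browser. The script below is an added example, not code from anyone in this thread; the example.invalid URL and the HTML snippet are constructed, and it only covers the tag/attribute pairs listed in RESOURCE_ATTRS.

```python
import json
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags and attributes through which a browser fetches sub-resources even when
# the page HTML itself came from a search-engine cache. Disabling images alone
# does not cover video, audio, flash (object/embed), iframes or scripts.
RESOURCE_ATTRS = {
    "img": ("src",), "script": ("src",), "link": ("href",),
    "video": ("src", "poster"), "audio": ("src",), "source": ("src",),
    "iframe": ("src",), "embed": ("src",), "object": ("data",),
}


class LiveFetchAuditor(HTMLParser):
    """Collect the absolute URL of every sub-resource the browser would request."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url   # base for resolving relative references
        self.found = []            # list of (tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        for attr in RESOURCE_ATTRS.get(tag, ()):
            for name, value in attrs:
                if name == attr and value:
                    self.found.append((tag, urljoin(self.page_url, value)))


def audit_cached_page(html, original_url):
    """Group sub-resource URLs by whether they would contact the original host.

    Only an exact hostname match counts as the target; subdomains and CDNs
    of the same organisation end up under "other" and need manual review.
    """
    parser = LiveFetchAuditor(original_url)
    parser.feed(html)
    target_host = urlparse(original_url).hostname
    report = {"hits_target": [], "other": []}
    for tag, url in parser.found:
        key = "hits_target" if urlparse(url).hostname == target_host else "other"
        report[key].append({"tag": tag, "url": url})
    return report


# Constructed sample: a cached copy of a page originally served from example.invalid.
PAGE_URL = "http://example.invalid/news/page.html"
SAMPLE_HTML = """<html><body>
<img src="/images/logo.png">
<video poster="http://example.invalid/v.jpg"><source src="clip.mp4"></video>
<script src="https://cdn.example.net/a.js"></script>
<embed src="/flash/intro.swf">
</body></html>"""

if __name__ == "__main__":
    print(json.dumps(audit_cached_page(SAMPLE_HTML, PAGE_URL), indent=2))
```

Running it on the sample shows four requests that would still reach example.invalid (the logo, the video poster, the clip and the flash file) and one that goes to a third-party CDN.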