Index
Honeypots for Windows
by Roger A. Grimes
Apress 2005

F

Faketelnet.pl script

website address, 179

false-negatives

as number one reason for using honeypots, 5–7

false-positives

as number one reason for using honeypots, 5–7

Fc.exe

using to compare two sets of files on command line, 272

feature packs

for specific applications, 101

Febotti Command Line utility

website address, 299

File and Printing Service

NetBIOS services as the heart of, 73–74

file extensions

learning which are associated with which programs, 314

file handle

defined, 344

file hashing programs

website addresses for, 312

File Investigator

for determining a file's real content, 314

File menu options

using in Ethereal protocol analyzer utility, 244

file properties analyzer

Forensic Toolkit as, 281

file system

analyzing for malicious activity, 311–317

looking for hidden files and alternate data streams in, 313

file types

confirming in network traffic analysis, 314

FileCheckMD5

website address, 312

Filemon monitoring utility

function of, 279

FileStat

analyzing file systems with, 312

filters

needed by network analysis tools, 238

FIN (Finish) flag

in TCP, 234

FIN port scans

keywords for allowing and disallowing, 156–157

FIN scan

use of by hackers, 236

FINALeMail tool

for recovering Outlook Express and Eudora e-mail, 315

fingerprinting

active, 27–28

as part of manual hacking attacks, 26–30

passive, 29

firewalls

as honeypot network system devices, 51

importance of in stopping hackers, 8

forensic analysis

in action, 325–332

beginning by taking the honeypot offline, 305

of honeypot data, 301–336

making copies of the hard drive, 306–309

recovering RAM data in Windows honeypots, 305–306

reviewing log files for logon/logoff activity, 319–322

steps for a structured approach, 304–305

a structured approach, 304–325

forensic analysis toolkits

website address for overview of all major, 324

forensic analysis tools

bootable forensic distributions, 324

for documenting and analyzing honeypot systems, 280

needed for operating a honeypot, 12

websites for, 335

Forensic and Incident Response Environment

website address for bootable forensic distribution, 324

Forensic Toolkit

file properties analyzer, 281

Foundstone utilities

website address, 276, 280, 335

Foundstone’s Bin Text utility

for finding text and Unicode strings in a file, 318

Foundstone’s Galleta tool

for examining contents of Internet Explorer cookies, 316

Foundstone’s NTLast utility

for keeping track of logon information, 321

Foundstone’s Pasco tool

for tracking Internet Explorer hacker activity, 316

Foundstone’s Rifiuti utility

for examining Recycle Bin activity, 315

Fport and Vision utilities

for collecting network traffic baseline data, 276

looking for new network ports and services with, 319

frag attack

defined, 124

reasons for using, 233

Frag2 preprocessor

in Snort, 259

FRAGMENT instruction

in Honeyd templates, 157

Fragment Offset field

in IP packet, 232

fragmentation attack. See frag attack

freeware

defined, 122

FTP login session

Windows event log message generated by, 211

FTP server daemon

most popular used on the Internet, 168

FTP sim standard server

behavior, 202–203

for KFSensor honeypot, 202–203

FTP Windows service

ports used by, 79–80

ftp.sh script

website address, 180

Honeypots for Windows (Books for Professionals by Professionals)
ISBN: 1590593359
Year: 2006
Pages: 119