Farmer, Dan, 698
Fast Block utility, 626
file command, 744–746, 774
file streaming, 594
file systems, 576, 664, 684, 763
File Transfer Protocol. See FTP
file transfers, 21
files. See also specific files
    ASCII, 758
    associated with browsers, 730–733
    batch, 150, 164, 258–259
    binary, 58
    criminal, 773–776
    Cygwin, 55–56
    .dat, 319–320, 539–542, 547–549
    data, 730–733
    evidence, 623, 654–655, 773–776
    executable, 285
    hiding, 284
    .htaccess, 219
    local evidence, 655–658
    log. See log files
    perm.n, 248–249
    public, 121
    redirecting, 285
    remote evidence, 658–659
    run, 774
    SAM, 229–230
    securing with Tripwire, 357–358
    streaming, 594
    SUID, 702
    transforming into devices, 660–661, 664–665
filesnarf tool, 493
filtered ports, 68
filters
    BUTTSniffer, 460, 464
    directional, 467–468
    egress, 451
    Ethereal, 479–483
    ingress, 451
    IP, 465
    ipfilter, 403
    packet. See packet filters
    port, 20, 465
    tcpdump, 467–470
FIN flags, 477–478
FIN packet, 65, 68
FIN scans, 68
finger daemons, 121
finger utility, 120–121
fingerprinting
    operating systems, 75, 109–110, 437
    Winfingerprint utility, 138–140, 161
F.I.R.E. (Forensic and Incident Response Environment), 652–653
Firewall Builder, 403
firewalls, 363–410
    basics, 364–373
    bypassing, 20
    Checkpoint, 410
    Cisco PIX, 408–410
    commercial, 403–410
    described, 364–365
    DMZ and, 371–373
    Firewall Builder, 403
    freeware, 373–403
    Guardian, 403
    hping utility, 431–435
    Internet Connection Firewall, 410
    ipchains, 374–383
    ipfilter, 403
    IPFW, 393–403
    iptables, 383–393
    ISIC suite and, 557–558
    Linksys SOHO, 404–405
    NAT and, 368–371, 409
    NetScreen, 410
    packet-filtering, 366–367
    parental control, 365
    performance, 560
    personal, 364–365
    SonicWALL, 405–408
    stateless vs. stateful, 367–368
    UDP and, 69–70
    VPNs and, 371
    vs. packet filters, 365
    ZoneAlarm, 410
flags
    -A, 134–136
    -a, 134–135
    ACK, 477
    command-line, 470–472, 492
    FIN, 477–478
    SYN, 65, 69, 433, 474–478
    TCP, 65, 67, 433
Flawfinder, 290–295
FlexChecks, 338–339
Flood Pings, 421
floppy disks. See also boot disks; CD-ROMs
    boot disks. See boot disks
    evidence files on, 655
    live response tool kit, 599
    Trinux tool, 572–573
forensic analysis
    The Coroner’s Toolkit (TCT), 698–710
    EnCase tool, 684–698, 710
    Forensic Toolkit (FTK), 672–684, 710
    toolkits for, 651–698
    web activity, 711–742
Forensic and Incident Response Environment (F.I.R.E.), 652–653
forensic duplication, 615–669
    dd tool, 653–659
    EnCase tool, 616–624, 649, 684–698, 710
    format command, 625–626
    Ghost utility, 641–649
    hard drive duplication, 655
    local evidence files, 655–658
    logging and, 629–630, 654–655
    losetup tool, 660–661
    noncommercial toolkit, 651–669
    PDBLOCK utility, 626–627
    remote evidence files, 658–659
    Safeback utility, 627–637, 649
    SnapBack DatArrest utility, 637–641, 649
Forensic Toolkit (FTK), 672–684, 710
forensic workstation, 658
format command, 625–626
fping tool, 423–426
FPipe, 444–449, 451
fport command, 11, 578–580, 598
fragmentation, 72, 422
FreeBSD systems
    cleansing evidence drives, 659
    hijacked services and, 20
    transforming files into devices, 664–665
    vnode, 664–665
FreeBSD To Go, 652
frhed tool, 757–760
FScan tool, 160, 162. See also ScanLine tool
FTK (Forensic Toolkit), 672–684, 710
FTP (File Transfer Protocol)
    datapipes, 21–23
    Netcat and, 21–23
    port filters and, 20
    running as root, 74
    wu-ftpd 2.6.0, 292–293
FTP bounce attacks, 70–72
FTP bounce scanning, 70–71
FTP clients, 70–71
FTP servers, 70–72, 105, 292–293
fwhois command, 412–416