Evidence Collector Beta released

Evidence Collector is a free forensics program used to manage other utilities to collect useful information you may need to investigate on some IT Incidents.

Features :

  • System information : Get owner, IP, MAC address before going through forensics.
  • Shares and policies applied on shares : very handy to detect if someone gets into computer from opened shares.
  • Started and stopped services : Some services could be a wide opened doors to get unauthorized accesses.
  • Installed softwares : Unwanted softwares could be installed without your knowledge. See what inside your computer
  • Installed Hotfixes : Enumerating installed hotfixes. Note that a missed critical patch is a potential exploitable vulnerability.
  • Enumerated Processes : List whole processes starting on system.
  • Events logs : Application, system and security events logs are collected. Events logs keep traces of what happened to system.
  • TCP / UDP mapping endpoints : See what hidden behind TCP / UDP ports. Generally, most of remote administration tools and trojans don’t hide their activities.
  • Process handles tracking: See what processes did when started. From accessing Registry keys to writing into files. Useful to see if evil activities are not disguised behind some processes.
  • List start-up programs : When rebooting computers, many evil programs stick into registry keys in order to be reloaded again.
  • Suspected modules : Scanning modules to see if they are rootkitted.
  • USB history : Reveals if any USB key has been plugged into system.
  • Users policies : Collecting users and their policy. You can easily identify any unknown user.
  • And more...

In-progress features integration :

  • Files MD5 hashes generating
  • Essential files and registry keys permissions enumeration
  • More rootkit revealers support
  • Windows Events ID scanner and tracker
  • Advanced Log Viewer

How to use ?

Unzip into a temporary folder and run executable. It is a standalone version.
After collecting data, switch to Logs directory and start digging into traces files by yourself.
We are working to produce a little utility called "Windows Events ID scanner" to help you out to track some known ID events.

But keep into mind that forensics success is more related to human factor (the ability to understand and resolve incidents) than to the use of automated tools.

Post scriptum

Compliance Mandates

  • Forensics :

    PCI DSS 10.2, 12.9, A.1.4*, SOX DS7, HIPAA 164.308(a)(1) and (a)(6), FISMA IR-7, ISO 27001/27002 13.2.1, 13.2.3
    *Shared Hosting Providers Only


Related Articles

EvidenceCollector
Forensics
Local auditing