Cyber forensics wiki
Monday, April 1, 2013
This is my wiki for cyber forensics. It is separated into two main sections: Windows and Linux. I have dumped as much information as possible here to act as a quick forensics reference. There are many free tools available that have many different kinds of uses. Each tool is listed along with a description of what it does and how to use it. Words shown in italics are the commands to type.
Windows
PSTools
http://technet.microsoft.com/en-us/sysinternals/bb896682
psfile
Shows remotely opened files on the host machine.
psgetsid
Translates SIDs to names and vice versa.
psinfo
Detailed system information.
pslist
Detailed process information.
psloggedon
See everyone who is logged in.
psloglist -m 2
Local and remote event log viewer.
-m Display only log entries from the last m minutes.
Process Explorer
http://technet.microsoft.com/en-us/sysinternals/bb896653
Shows detailed active process information.
Process Monitor
http://technet.microsoft.com/en-us/sysinternals/bb896645
Shows real-time file system, registry, and process/thread activity.
netstat -b -v
-b Displays the program's name involved in creating each connection or listening port.
-v When used with -b it displays the sequence of components involved in creating each connection or listening port.
qwinsta
Displays information about active sessions.
tasklist /svc
Displays active process name, PID, and related services.
Linux
netcat
A quick and easy way to set up a pipe to push information to a remote machine.
nc -l port >> dumpfile.txt
Set up a simple socket server that receives incoming data on the specified port and appends it to a file.
nc ip.address port
Connect to a netcat listener at the specified ip address and port.
Mac script to create a continuous netcat listener:
nohup ./t_nc.sh
#!/bin/bash
# Continuous netcat listener: each connection's data is appended to $file,
# followed by a marker line, and the listener is restarted after every disconnect.
file="filename"
ipaddress="ip address"
while true
do
    echo "Started"
    nc -v -l "$ipaddress" 10000 >> "$file"
    echo "" >> "$file"
    echo "************** capture**************" >> "$file"
    echo "" >> "$file"
done
md5 filename.txt > filename.md5
A quick and easy way to record a file's hash so its integrity can be verified later.
date
Find current date and time.
netstat -anp (as root)
List all current network connections, including which process owns each listening port.
lsof -i -n
List all processes that have TCP or UDP sockets open (-i restricts lsof to network files, -n skips host name lookups).
ps aux
List all running processes.
service --status-all
List running services.
crontab -l
List scheduled jobs.
netstat -rn
Show internal routing table.
lsmod
Check loaded kernel modules.
mount or df
Show mounted file systems.
uname -a
Show system version and patch level.
find / -printf "%m;%Ax;%AT;%Tx;%TT;%Cx;%CT;%U;%G;%s;%p\n" >> output.csv (as root)
Find all file system time and date stamps (mode, access, modify and change times, owner, group, size, path). The output is a semicolon-separated csv file for easy viewing in a spreadsheet editor.
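As an added example (not part of the wiki), the script below builds the timestamp CSV described above and then lists the files modified within the last N hours; it swaps the locale-formatted %Ax/%AT fields for %A@/%T@/%C@ epoch seconds so the rows sort numerically, and assumes GNU find, awk, sort and touch -d.

```shell
#!/bin/bash
# Added example: collect file timestamps into a CSV and list recently modified
# files. Uses GNU find's %A@/%T@/%C@ (epoch seconds) rather than %Ax/%AT so the
# rows sort numerically. Assumes GNU find, awk, sort, cut, date and touch.

# collect_timestamps DIR OUTFILE
# Rows: mode;atime;mtime;ctime;uid;gid;size;path (times in epoch seconds).
collect_timestamps() {
    local dir="$1" out="$2"
    printf 'mode;atime;mtime;ctime;uid;gid;size;path\n' > "$out"
    find "$dir" -type f -printf '%m;%A@;%T@;%C@;%U;%G;%s;%p\n' >> "$out"
}

# recent_files CSV HOURS
# Prints the paths whose mtime falls within the last HOURS hours, newest first.
recent_files() {
    local csv="$1" hours="$2" now
    now=$(date +%s)
    awk -F';' -v now="$now" -v win=$((hours * 3600)) \
        'NR > 1 && (now - $3) <= win { print $3 ";" $8 }' "$csv" \
        | sort -t';' -k1,1nr | cut -d';' -f2-
}

# demo: constructed tree with one backdated file and one fresh file.
demo() {
    local tmp
    tmp=$(mktemp -d)
    mkdir -p "$tmp/tree"
    echo old > "$tmp/tree/old.txt"
    touch -d '2010-01-01 00:00:00' "$tmp/tree/old.txt"   # backdated mtime
    echo new > "$tmp/tree/new.txt"                        # mtime is now
    collect_timestamps "$tmp/tree" "$tmp/timestamps.csv"
    echo "Modified in the last 24 hours:"
    recent_files "$tmp/timestamps.csv" 24                 # prints only new.txt
    rm -rf "$tmp"
}

# Usage: script.sh DIR OUT.csv [HOURS]; with no arguments the demo runs.
if [ $# -ge 2 ]; then
    collect_timestamps "$1" "$2"
    recent_files "$2" "${3:-24}"
else
    demo
fi
```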
w
Show what users are logged on.
last
Retrieve the history of logins.
cat /etc/syslog.conf
Review the syslog configuration to see where the system logs are written, then read those log files.
cat /etc/passwd
Review user accounts.
cat ~/.bash_history
Review user history.
ulimit -a
ulimit -c unlimited
ps aux | egrep 'suspicious process name'
gdb --pid=PID
gcore
quit
file core.PID
Dump the memory of a suspicious process: check the current limits, lift the core file size limit, find the process's PID, attach gdb to it, write the core file with gcore, then confirm the resulting core.PID with file.
Other forensics Tools
tcpdump -w outfile.pcap -i eth1
Output tcpdump to a pcap file from a specified ethernet interface.
tcpdstat capture_file.lpc > capture_file.tcpdstat.txt
Gather statistical data about the packet capture.
snort -c /etc/snort/snort.conf -r capture_file.lpc -b -l capture_file > snort.stats 2>&1
Use snort to find patterns of malicious activity in a packet capture, including rules keyed to MITRE CVE identifiers.
-c Use configuration file.
-r Read packets from pcap formatted file.
-b Binary mode. Log packets in tcpdump format.
-l Log packets to directory.
> snort.stats 2>&1 Send both stdout and stderr to snort.stats (the redirections must be in this order).
argus -d -r capture_file.lpc -w capture_file.argus
Use argus to reconstruct session data and analyze established connections.
tcpflow -r capture_file.lpc port 21 or port 60906 or port 1465
Use tcpflow to reassemble the TCP streams on the listed ports into one file per flow for inspection.
tcptrace -n -r s3.lpc > s3.tcptrace.txt
Use tcptrace to reconstruct and examine session data.
dd if=/dev/sda1 conv=sync,noerror bs=64K > disk_image.dd
Use dd to create a disk image.
autopsy
Once running, visit http://localhost:9999 in a browser.
bulk_extractor image_file -o output_directory
Quickly scan a disk image, directory, or file and extract features such as e-mail addresses, URLs, and other strings of interest into text reports in the output directory.
fsstat disk_image
List detailed information about a disk image's file system. Far more comprehensive than the file command.
foremost -t jpeg -T -i /dev/sdb1
Easy file carving and recovery utility for Linux.
-t File type to recover.
-T Timestamp the output directory.
-i Drive or image to analyze.
These are some tools that can be used for a variety of forensic purposes. I will update this reference as I learn more tools in the future.