<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Talk Tech To Me - GFI Blog &#187; Andrew Zammit Tabona</title>
	<atom:link href="http://www.gfi.com/blog/author/andrew-zammit-tabona/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.gfi.com/blog</link>
	<description>Brought to you by GFI Software</description>
	<lastBuildDate>Fri, 13 Sep 2013 16:51:58 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
		<item>
		<title>Top 20 Free Digital Forensic Investigation Tools for SysAdmins</title>
		<link>http://www.gfi.com/blog/top-20-free-digital-forensic-investigation-tools-for-sysadmins/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=top-20-free-digital-forensic-investigation-tools-for-sysadmins</link>
		<comments>http://www.gfi.com/blog/top-20-free-digital-forensic-investigation-tools-for-sysadmins/#comments</comments>
		<pubDate>Mon, 02 Sep 2013 16:27:46 +0000</pubDate>
		<dc:creator>Andrew Zammit Tabona</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[TTTM]]></category>
		<category><![CDATA[bulk_extractor]]></category>
		<category><![CDATA[CAINE]]></category>
		<category><![CDATA[DEFT]]></category>
		<category><![CDATA[Digital Forensic Investigation]]></category>
		<category><![CDATA[Digital Forensic Investigation Tools]]></category>
		<category><![CDATA[Digital Forensics Framework]]></category>
		<category><![CDATA[forensic analysis]]></category>
		<category><![CDATA[forensic image exploration]]></category>
		<category><![CDATA[forensic imaging]]></category>
		<category><![CDATA[Free Hex Editor Neo]]></category>
		<category><![CDATA[FTK Imager]]></category>
		<category><![CDATA[hard drive forensic analysis]]></category>
		<category><![CDATA[HELIX3]]></category>
		<category><![CDATA[HxD]]></category>
		<category><![CDATA[LastActivityView]]></category>
		<category><![CDATA[Linux ‘dd’]]></category>
		<category><![CDATA[mobile forensics]]></category>
		<category><![CDATA[NetSleuth]]></category>
		<category><![CDATA[Oxygen Forensics Suite]]></category>
		<category><![CDATA[P2 eXplorer]]></category>
		<category><![CDATA[PlainSight]]></category>
		<category><![CDATA[ProDiscover Basic]]></category>
		<category><![CDATA[RedLine]]></category>
		<category><![CDATA[SANS Investigative Forensic Toolkit]]></category>
		<category><![CDATA[The Sleuth Kit]]></category>
		<category><![CDATA[Volatility]]></category>
		<category><![CDATA[Xplico]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=10821</guid>
		<description><![CDATA[Here are 20 of the best free tools that will help you conduct a digital forensic investigation. Whether it’s for an internal human resources case, an investigation into unauthorized access to a server, or if you just want to learn &#8230;]]></description>
				<content:encoded><![CDATA[<p>Here are 20 of the best free tools that will help you conduct a digital forensic investigation. Whether it’s for an internal human resources case, an investigation into unauthorized access to a server, or if you just want to learn a new skill, these suites and utilities will help you conduct memory forensic analysis, hard drive forensic analysis, forensic image exploration, forensic imaging and mobile forensics. As such, they all provide the ability to bring back in-depth information about what’s “under the hood” of a system.</p>
<p>This is by no means an exhaustive list and may not cover everything you need for your investigation. You might also need additional utilities such as file viewers, hash generators, and text editors – check out <b><a href="http://www.gfi.com/blog/101-free-admin-tools/">101 Free Admin Tools</a></b> for some of these. My articles on <b><a href="http://www.gfi.com/blog/top-10-free-system-troubleshooting-tools-for-sysadmins/">Top 10 Free Troubleshooting Tools for SysAdmins</a></b>, <b><a href="http://www.gfi.com/blog/the-top-20-free-network-monitoring-and-analysis-tools-for-sys-admins/">Top 20 Free Network Monitoring and Analysis Tools for Sys Admins</a></b> and <b><a href="http://www.gfi.com/blog/the-top-20-free-file-management-tools-for-sys-admins/">Top 20 Free File Management Tools for Sys Admins</a></b> might also come in handy since they contain a bunch of tools that can be used for digital forensic investigations (e.g. BackTrack and the SysInternals Suite or the NirSoft Suite of tools).</p>
<p>Even if you have heard of some of these tools before, I’m confident that you’ll find a gem or two amongst this list.</p>
<h2><b><a href="http://computer-forensics.sans.org/community/downloads">01 SANS SIFT</a></b></h2>
<p>The SANS Investigative Forensic Toolkit (SIFT) is an Ubuntu based Live CD which includes all the tools you need to conduct an in-depth forensic or incident response investigation. It supports analysis of Expert Witness Format (E01), Advanced Forensic Format (AFF), and RAW (dd) evidence formats. SIFT includes tools such as log2timeline for generating a timeline from system logs, Scalpel for data file carving, Rifiuti for examining the recycle bin, and lots more.</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/09/01-SANS-SIFT.jpg"><img class="aligncenter  wp-image-10822" alt="01 SANS SIFT" src="http://www.gfi.com/blog/wp-content/uploads/2013/09/01-SANS-SIFT.jpg" width="402" height="221" /></a></p>
<p>When you first boot into the SIFT environment, I suggest you explore the documentation on the desktop to help you become accustomed to what tools are available and how to use them. There is also a good explanation of where to find evidence on a system. Use the top menu bar to open a tool, or launch it manually from a terminal window.</p>
<h2><b><a href="http://www.techpathways.com/desktopdefault.aspx?tabindex=8&amp;tabid=14">02 ProDiscover Basic</a></b></h2>
<p>ProDiscover Basic is a simple digital forensic investigation tool that allows you to image, analyse and report on evidence found on a drive. Once you add a forensic image you can view the data by content or by looking at the clusters that hold the data. You can also search for data using the Search node based on the criteria you specify.</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/09/02-ProDiscover-Basic.jpg"><img class="aligncenter  wp-image-10823" alt="02 ProDiscover Basic" src="http://www.gfi.com/blog/wp-content/uploads/2013/09/02-ProDiscover-Basic.jpg" width="472" height="251" /></a></p>
<p>When you launch ProDiscover Basic you first need to create or load a project and add evidence from the ‘Add’ node. You can then use the ‘Content View’ or ‘Cluster View’ nodes to analyse the data and the Tools menu to perform actions against the data. Click the ‘Report’ node to view important information about the project.</p>
<h2><b><a href="https://www.volatilesystems.com/default/volatility">03 Volatility</a></b></h2>
<p>Volatility is a memory forensics framework for incident response and malware analysis that allows you to extract digital artefacts from volatile memory (RAM) dumps. Using Volatility you can extract information about running processes, open network sockets and network connections, DLLs loaded for each process, cached registry hives, process IDs, and more.</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/09/03-Volatility.jpg"><img class="aligncenter  wp-image-10824" alt="03 Volatility" src="http://www.gfi.com/blog/wp-content/uploads/2013/09/03-Volatility.jpg" width="473" height="113" /></a></p>
<p>If you are using the standalone Windows executable version of Volatility, simply place volatility-2.1.standalone.exe into a folder and open a command prompt window. From the command prompt, navigate to the location of the executable file and type “volatility-2.1.standalone.exe -f &lt;FILENAME&gt; --profile=&lt;PROFILENAME&gt; &lt;PLUGINNAME&gt;” without quotes (note the single dash before f and the double dash before profile). FILENAME is the name of the memory dump file you wish to analyse, PROFILENAME is the Volatility profile matching the operating system version and architecture the dump was taken from (e.g. Win7SP1x86), and PLUGINNAME is the name of the plugin you wish to use to extract information. If you don’t know which profile to use, run the ‘imageinfo’ plugin first: it lists the suggested profiles for the dump.</p>
<p><b>Note:</b> In the example above I am using the ‘connscan’ plugin to search the physical memory dump for TCP connection information. connscan looks for the connection structures used by Windows XP and Server 2003; for memory dumps from Vista and later, use the ‘netscan’ plugin instead.</p>
<h2><b><a href="http://www.sleuthkit.org/">04 The Sleuth Kit (+Autopsy)</a></b></h2>
<p>The Sleuth Kit is an open source digital forensics toolkit that can be used to perform in-depth analysis of various file systems. Autopsy is essentially a GUI that sits on top of The Sleuth Kit. It comes with features like Timeline Analysis, Hash Filtering, File System Analysis and Keyword Searching out of the box, with the ability to add other modules for extended functionality.</p>
<p><b>Note: </b>The Sleuth Kit’s command-line tools (mmls, fls, icat and friends) run on Linux, Mac OS X and Windows; the Autopsy 3 GUI is a Windows application, so on a Linux box you will typically drive The Sleuth Kit from the terminal.</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/09/1.jpg"><img class="aligncenter  wp-image-10827" alt="1" src="http://www.gfi.com/blog/wp-content/uploads/2013/09/1.jpg" width="506" height="311" /></a></p>
<p>When you launch Autopsy, you can choose to create a new case or load an existing one. If you choose to create a new case you will need to load a forensic image or a local disk to start your analysis. Once the analysis process is complete, use the nodes on the left hand pane to choose which results to view.</p>
<h2><b><a href="http://www.accessdata.com/support/product-downloads">05 FTK Imager</a></b></h2>
<p>FTK Imager is a data preview and imaging tool that allows you to examine files and folders on local hard drives, network drives, CDs/DVDs, and review the content of forensic images or memory dumps. Using FTK Imager you can also create SHA-1 or MD5 hashes of files, export files and folders from forensic images to disk, review and recover files that were deleted from the Recycle Bin (provided that their data blocks haven’t been overwritten), and mount a forensic image to view its contents in Windows Explorer.</p>
<p><b>Note:</b> There is a portable version of FTK Imager that will allow you to run it from a USB disk.</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/09/2.jpg"><img class="aligncenter  wp-image-10829" alt="2" src="http://www.gfi.com/blog/wp-content/uploads/2013/09/2.jpg" width="507" height="460" /></a></p>
<p>When you launch FTK Imager, go to ‘File &gt; Add Evidence Item…’ to load a piece of evidence for review. To create a forensic image, go to ‘File &gt; Create Disk Image…’ and choose which source you wish to forensically image.</p>
<h2><b>06 Linux ‘dd’</b></h2>
<p>dd comes by default on the majority of Linux distributions available today (e.g. Ubuntu, Fedora). This tool can be used for various digital forensic tasks such as forensically wiping a drive (zeroing it out, for example before reusing it as evidence storage) and creating a raw, bit-for-bit image of a drive.</p>
<p><b>Note:</b> dd is a very powerful tool that can have devastating effects if not used with care: swapping if= and of= writes over the evidence drive instead of imaging it. Double-check the device name with lsblk or fdisk -l before you press Enter, and experiment in a safe environment (e.g. a virtual machine with a spare disk) before using this tool in the real world.</p>
<p><b>Tip:</b> A modified version of dd is available from <a href="http://sourceforge.net/projects/dc3dd/">http://sourceforge.net/projects/dc3dd/</a> &#8211; dc3dd includes additional features that were added specifically for digital forensic acquisition tasks.</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/09/3.jpg"><img class="aligncenter  wp-image-10831" alt="3" src="http://www.gfi.com/blog/wp-content/uploads/2013/09/3.jpg" width="490" height="313" /></a></p>
<p>To use dd, simply open a terminal window and type dd followed by a set of command parameters (which parameters you need will obviously depend on what you want to do). The basic dd syntax for forensically wiping a drive is:</p>
<p>dd if=/dev/zero of=/dev/sdb1 bs=1024</p>
<p>where if = input file, of = output file, bs = block size (how many bytes dd reads and writes per operation)</p>
<p><b>Note:</b> Replace /dev/sdb1 with the device name of the drive you want to forensically wipe and 1024 with the block size you want to write out. Bear in mind that /dev/sdb1 is the first partition of the second disk; to clear the partition table and unallocated space as well, wipe the whole device (/dev/sdb).</p>
<p>The basic dd syntax for creating a forensic image of a drive is:</p>
<p>dd if=/dev/sdb1 of=/home/andrew/newimage.dd bs=512 conv=noerror,sync</p>
<p>where if = input file (or in this case the source drive), of = output file, bs = block size, conv = conversion options. ‘noerror’ tells dd to carry on when a sector cannot be read and ‘sync’ pads that block with zeros, so the offsets in the image still line up with the source. As with wiping, use /dev/sdb rather than /dev/sdb1 if you want the whole disk rather than one partition. Connect the source drive through a write blocker (or at least never mount it read-write), and hash both the drive and the image (e.g. with md5sum or sha256sum) so you can demonstrate that the image is a faithful copy.</p>
<p><b>Tip:</b> For additional usage info, from a terminal window, type “man dd” without quotes to bring up the help manual for the dd command.</p>
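<p>The acquisition described above, carried through as a script with the hash verification step that makes the image defensible. This is an added example and not part of the original article: to keep it runnable offline it images a constructed 64 KiB file instead of a real device, and it assumes dd, sha256sum and cut from coreutils; for a real case point SRC at the evidence device (e.g. /dev/sdb) attached behind a write blocker.</p>
```shell
#!/bin/sh
# Added example (not from the original article): acquire a raw image with
# dd and prove it is a faithful copy by hashing source and image. The
# "drive" here is a constructed 64 KiB file so the script runs offline;
# for a real case set SRC to the device (e.g. /dev/sdb) behind a write
# blocker. Assumes dd, sha256sum and cut (coreutils) are on the PATH.

WORK="${TMPDIR:-/tmp}/dd_acquire_example.$$"

# Constructed evidence: 128 zero-filled 512-byte sectors with a text marker
# written over the start of sector 0 so there is something to find later.
make_sample_evidence() {
    mkdir -p "$WORK"
    SRC="$WORK/evidence.bin"
    dd if=/dev/zero of="$SRC" bs=512 count=128 2>/dev/null
    printf 'CONSTRUCTED-EVIDENCE-MARKER-0001' | dd of="$SRC" conv=notrunc 2>/dev/null
}

# acquire_image SRC IMG: the raw copy. noerror keeps going past unreadable
# sectors and sync pads them with zeros, so offsets in the image still match
# the source. dd's record counts are kept in a log next to the image.
acquire_image() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>"$2.dd.log"
}

# verify_image SRC IMG: prints "match" when the SHA-256 of the source equals
# that of the image, "MISMATCH" otherwise. On a real case also hash the
# source before and after acquisition: a changed source hash means something
# wrote to the evidence drive while you were imaging it.
verify_image() {
    src_hash=$(sha256sum "$1" | cut -d' ' -f1)
    img_hash=$(sha256sum "$2" | cut -d' ' -f1)
    printf '%s  %s\n' "$img_hash" "$2" > "$2.sha256"   # for later sha256sum -c
    if [ "$src_hash" = "$img_hash" ]; then echo match; else echo MISMATCH; fi
}

# Whole procedure: prints match/MISMATCH and leaves the image, the dd log
# and the hash file under $WORK.
acquire_and_verify() {
    make_sample_evidence
    IMG="$WORK/newimage.dd"
    acquire_image "$SRC" "$IMG"
    verify_image "$SRC" "$IMG"
}

acquire_and_verify
```
<p>The .sha256 file written next to the image is what you hand over with it: anyone can later run sha256sum -c on it to confirm the image has not changed since acquisition.</p>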
<h2><b><a href="http://www.caine-live.net/page5/page5.html">07 CAINE</a></b></h2>
<p>CAINE (Computer Aided INvestigative Environment) is a Linux Live CD that contains a wealth of digital forensic tools. Features include a user-friendly GUI, semi-automated report creation and tools for Mobile Forensics, Network Forensics, Data Recovery and more.</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/09/4.jpg"><img class="aligncenter  wp-image-10832" alt="4" src="http://www.gfi.com/blog/wp-content/uploads/2013/09/4.jpg" width="508" height="382" /></a></p>
<p>When you boot into the CAINE Linux environment, you can launch the digital forensic tools from the CAINE interface (shortcut on the desktop) or from each tool’s shortcut in the ‘Forensic Tools’ folder on the applications menu bar.</p>
<h2><b><a href="http://www.oxygen-forensic.com/en/download/freeware">08 Oxygen Forensic Suite 2013 Standard</a></b></h2>
<p>If you are investigating a case that requires you to gather evidence from a mobile phone, Oxygen Forensics Suite (Standard Edition) is a tool that will help you achieve this. Features include the ability to gather Device Information (Manufacturer, OS Platform, IMEI, Serial Number, etc.), Contacts, Messages (Emails, SMS, MMS, etc.) and recovery of deleted messages, Call Logs, and Calendar and Task information. It also comes with a file browser which allows you to access and analyse user photos, videos, documents and device databases.</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/09/5.jpg"><img class="aligncenter  wp-image-10833" alt="5" src="http://www.gfi.com/blog/wp-content/uploads/2013/09/5.jpg" width="507" height="354" /></a></p>
<p>When you launch Oxygen Forensic Suite, hit the ‘Connect new device’ button on the top menu bar to launch the Oxygen Forensic Extractor wizard that guides you through selecting the device and type of information you wish to extract.</p>
<h2><b><a href="http://www.hhdsoftware.com/free-hex-editor">09 Free Hex Editor Neo</a></b></h2>
<p>Free Hex Editor Neo is a basic hex editor that was designed to handle very large files. While a lot of the additional features are found in the commercial versions of Hex Editor Neo, I find this tool useful for loading large files (e.g. database files or forensic images) and performing actions such as manual data carving, low-level file editing, information gathering, or searching for hidden data.</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/09/9.jpg"><img class="aligncenter  wp-image-10834" alt="9" src="http://www.gfi.com/blog/wp-content/uploads/2013/09/9.jpg" width="508" height="393" /></a></p>
<p>Use ‘File &gt; Open’ to load a file into Hex Editor Neo. The data will appear in the middle window where you can begin to navigate through the hex manually or press CTRL + F to run a search.</p>
<h2><b><a href="http://www.forensicswiki.org/wiki/Bulk_extractor">10 Bulk Extractor</a></b></h2>
<p>bulk_extractor is a computer forensics tool that scans a disk image, file, or directory of files and extracts information such as credit card numbers, domains, e-mail addresses, URLs, and ZIP files. The extracted information is output to a series of text files (which can be reviewed manually or analysed using other forensics tools or scripts).</p>
<p><b>Tip:</b> Within the output text files you will find one entry per hit for data that resembles a credit card number, e-mail address, domain name, etc. Each line is tab-separated: the first column is the decimal byte offset in the image where the entry was found, the second is the feature itself and the third is the surrounding context. Convert the offset to hex and you can jump straight to it in a hex editor (most hex editors take a hex offset in their ‘go to’ dialog) to view the raw data in place. Offsets written as a path (for example 1234-GZIP-56) refer to data inside a decompressed stream that starts at the first number, so they cannot be reached with a plain jump to that offset.</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/09/10.jpg"><img class="aligncenter  wp-image-10835" alt="10" src="http://www.gfi.com/blog/wp-content/uploads/2013/09/10.jpg" width="508" height="401" /></a></p>
<p>Bulk_extractor comes as a command-line tool or a GUI tool. In the example above I set the bulk extractor tool to extract information from a forensics image I took earlier and output the results to a folder called “BE_Output”. The results can then be viewed in the Bulk Extractor Viewer and the output text files mentioned above.</p>
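<p>The offset handling from the tip above, turned into a small post-processing script. This is an added example and not part of the original article or of bulk_extractor itself: it writes a constructed image and a constructed feature file in bulk_extractor’s tab-separated layout, prints the hex offset for each hit, and uses dd to read the bytes at that offset back out of the image to confirm the hit is really there. It assumes dd, awk and sed are available; the sample data lives under $WORK.</p>
```shell
#!/bin/sh
# Added example (not from the original article): post-process a
# bulk_extractor feature file. Feature files are tab-separated lines of
# "offset<TAB>feature<TAB>context", the offset being the decimal byte
# offset into the image. This prints the hex offset a hex editor's "go to"
# box wants and uses dd to read the bytes at that offset back out of the
# image, confirming the hit is really there. The image and the feature file
# are constructed samples written under $WORK; assumes dd, awk and printf.

WORK="${TMPDIR:-/tmp}/be_example.$$"
IMG="$WORK/image.dd"
FEAT="$WORK/email.txt"

make_samples() {
    mkdir -p "$WORK"
    # Constructed image: 32 zero bytes, some text, 64 zero bytes, a URL.
    {
        dd if=/dev/zero bs=32 count=1 2>/dev/null
        printf 'Contact: alice@example.com for details'
        dd if=/dev/zero bs=64 count=1 2>/dev/null
        printf 'http://example.org/login'
    } > "$IMG"
    # Constructed feature file in bulk_extractor's layout: '#' header lines,
    # then offset/feature/context. The last entry uses a compound "forensic
    # path" (offset-GZIP-offset), meaning the hit was found inside a
    # decompressed stream that begins at the first number.
    {
        echo '# BULK_EXTRACTOR-Version: 1.4.0 (constructed sample header)'
        echo '# Feature-Recorder: email'
        printf '%s\t%s\t%s\n' 41 'alice@example.com' 'Contact: alice@example.com for details'
        printf '%s\t%s\t%s\n' 134 'http://example.org/login' 'http://example.org/login'
        printf '%s\t%s\t%s\n' '900-GZIP-12' 'bob@example.net' '(inside a gzip stream)'
    } > "$FEAT"
}

# bytes_at IMG OFFSET LEN: read LEN bytes at byte OFFSET (bs=1 makes skip a
# byte count, which is slow on a large image but exact).
bytes_at() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null
}

# check_features IMG FEAT: one line per hit, "<hex offset> <feature> <status>"
# where status is ok (bytes at the offset equal the feature), MISMATCH, or
# nested (compound path; only its leading number is a raw disk offset).
check_features() {
    img="$1"
    awk 'BEGIN { FS = "\t" } !/^#/ && NF >= 2 { print $1 "\t" $2 }' "$2" |
    while IFS="$(printf '\t')" read -r off feat; do
        case "$off" in
            *[!0-9]*)
                printf '0x%X %s nested\n' "${off%%-*}" "$feat" ;;
            *)
                got=$(bytes_at "$img" "$off" "${#feat}")
                if [ "$got" = "$feat" ]; then status=ok; else status=MISMATCH; fi
                printf '0x%X %s %s\n' "$off" "$feat" "$status" ;;
        esac
    done
}

run_example() {
    make_samples
    check_features "$IMG" "$FEAT"
}

run_example
```
<p>A MISMATCH line is worth chasing: it usually means the feature file belongs to a different image (or a different build of the same image) than the one you are looking at, which is exactly the kind of mix-up a hash check on the image would catch.</p>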
<h2><b><a href="http://www.deftlinux.net/download/">11 DEFT</a></b></h2>
<p>DEFT is another Linux Live CD which bundles some of the most popular free and open source computer forensic tools available. It aims to help with Incident Response, Cyber Intelligence and Computer Forensics scenarios. Amongst others, it contains tools for Mobile Forensics, Network Forensics, Data Recovery, and Hashing.</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/09/11.jpg"><img class="aligncenter  wp-image-10836" alt="11" src="http://www.gfi.com/blog/wp-content/uploads/2013/09/11.jpg" width="508" height="384" /></a></p>
<p>When you boot using DEFT, you are asked whether you wish to load the live environment or install DEFT to disk. If you load the live environment you can use the shortcuts on the application menu bar to launch the required tools.</p>
<h2><b><a href="http://www.xplico.org/download">12 Xplico</a></b></h2>
<p>Xplico is an open source Network Forensic Analysis Tool (NFAT) that aims to extract application data from internet traffic (e.g. Xplico can extract an e-mail message from POP, IMAP or SMTP traffic). Features include support for a multitude of protocols (e.g. HTTP, SIP, IMAP, TCP, UDP), TCP reassembly, and the ability to output data to a MySQL or SQLite database, amongst others.</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/09/12.jpg"><img class="aligncenter  wp-image-10837" alt="12" src="http://www.gfi.com/blog/wp-content/uploads/2013/09/12.jpg" width="508" height="259" /></a></p>
<p>Once you’ve installed Xplico, access the web interface by navigating to http://&lt;IPADDRESS&gt;:9876 and logging in with a normal user account. The first thing you need to do is create a case and add a new session. When you create a new session you can either load a PCAP file (acquired from Wireshark for example) or start a live capture. Once the session has finished decoding, use the navigation menu on the left hand side to view the results.</p>
<h2><b><a href="http://www.nirsoft.net/utils/computer_activity_view.html">13 LastActivityView</a></b></h2>
<p>I briefly touched on LastActivityView when pointing out the NirSoft suite of tools in my <a href="http://www.gfi.com/blog/top-10-free-system-troubleshooting-tools-for-sysadmins/" target="_blank"><b>Top 10 Free System Troubleshooting Tools for SysAdmins </b></a>article. LastActivityView allows you to view what actions were taken by a user and what events occurred on the machine. Any activities such as running an executable file, opening a file/folder from Explorer, an application or system crash or a user performing a software installation will be logged. The information can be exported to a CSV / XML / HTML file. This tool is useful when you need to prove that a user (or account) performed an action he or she said they didn’t.</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/09/13.jpg"><img class="aligncenter  wp-image-10838" alt="13" src="http://www.gfi.com/blog/wp-content/uploads/2013/09/13.jpg" width="507" height="293" /></a></p>
<p>When you launch LastActivityView, it will immediately start displaying a list of actions taken on the machine it is being run on. Sort by action time or use the search button to start investigating what actions were taken on the machine. Bear in mind that running it (or any other tool) on the suspect machine creates artefacts of its own, such as a Prefetch entry and a new row in its own listing, so note down exactly what you ran and when, and run it from removable media rather than copying it onto the machine where possible.</p>
<h2><b><a href="http://www.digital-forensic.org/">14 Digital Forensic Framework</a></b></h2>
<p>The Digital Forensics Framework (DFF) is a digital forensic investigation tool and a development platform that allows you to collect, preserve and reveal digital evidence. Amongst others, DFF&#8217;s features include the ability to read RAW, EWF and AFF forensic file formats, access local and remote devices, analyse registry, mailbox and file system data and recover hidden and deleted files.</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/09/14.jpg"><img class="aligncenter  wp-image-10839" alt="14" src="http://www.gfi.com/blog/wp-content/uploads/2013/09/14.jpg" width="507" height="282" /></a></p>
<p>When you launch DFF, you first need to load an evidence file (i.e. a forensic image you acquired previously) or open a device ready for analysis. You can then process the evidence file or device against one of the in-built modules to begin analysing data.</p>
<h2><b><a href="https://www.mandiant.com/resources/download/redline">15 Mandiant RedLine</a></b></h2>
<p>RedLine offers the ability to perform memory and file analysis of a specific host. It collects information about running processes and drivers from memory, and gathers file system metadata, registry data, event logs, network information, services, tasks, and Internet history to help build an overall threat assessment profile.</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/09/15.jpg"><img class="aligncenter  wp-image-10840" alt="15" src="http://www.gfi.com/blog/wp-content/uploads/2013/09/15.jpg" width="508" height="312" /></a></p>
<p>When you launch RedLine, you will be given a choice to Collect Data or Analyze Data. Unless you already have a memory dump file available, you’ll need to create a collector to gather data from the machine and let that process run through to completion. Once you have a memory dump file to hand you can begin your analysis.</p>
<h2><b><a href="http://www.plainsight.info/index.html">16 PlainSight</a></b></h2>
<p>PlainSight is a Live CD based on Knoppix (a Linux distribution) that allows you to perform digital forensic tasks such as viewing internet histories, data carving, USB device usage information gathering, examining physical memory dumps, extracting password hashes, and more.</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/09/16.jpg"><img class="aligncenter  wp-image-10841" alt="16" src="http://www.gfi.com/blog/wp-content/uploads/2013/09/16.jpg" width="509" height="383" /></a></p>
<p>When you boot into PlainSight, a window pops up asking you to select whether you want to perform a scan, load a file or run the wizard. Enter a selection to begin the data extraction and analysis process.</p>
<h2><b><a href="http://mh-nexus.de/en/hxd/">17 HxD</a></b></h2>
<p>HxD is one of my personal favourites. It is a user-friendly hex editor that allows you to perform low-level editing and modifying of a raw disk or main memory (RAM). HxD was designed with ease of use and performance in mind and can handle large files without issue. Features include searching and replacing, exporting, checksums/digests, an in-built file shredder, concatenation or splitting of files, generation of statistics and more.</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/09/17.jpg"><img class="aligncenter  wp-image-10842" alt="17" src="http://www.gfi.com/blog/wp-content/uploads/2013/09/17.jpg" width="473" height="451" /></a></p>
<p>From the HxD interface start your analysis by opening a file from ‘File &gt; Open’, loading a disk from ‘Extras &gt; Open disk…’ or loading a RAM process from ‘Extras &gt; Open RAM&#8230;’.</p>
<h2><b><a href="http://www.e-fense.com/products.php">18 HELIX3 Free</a></b></h2>
<p>HELIX3 is a Live CD based on Linux that was built to be used in Incident Response, Computer Forensics and E-Discovery scenarios. It is packed with a bunch of open source tools ranging from hex editors to data carving software to password cracking utilities, and more.</p>
<p><b>Note:</b> The HELIX3 version you need is 2009R1. This version was the last free version available before HELIX was taken over by a commercial vendor. HELIX3 2009R1 is still valid today and makes for a useful addition to your digital forensics toolkit.</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/09/18.jpg"><img class="aligncenter  wp-image-10843" alt="18" src="http://www.gfi.com/blog/wp-content/uploads/2013/09/18.jpg" width="475" height="359" /></a></p>
<p>When you boot using HELIX3, you are asked whether you want to load the GUI environment or install HELIX3 to disk. If you choose to load the GUI environment directly (recommended), a Linux-based screen will appear giving you the option to run the graphical version of the bundled tools.</p>
<h2><b><a href="http://netgrab.co.uk/netsleuth/download-netsleuth/">19 NetSleuth</a></b></h2>
<p>NetSleuth is a network forensics analysis tool that identifies devices on your network. It operates in &#8216;live&#8217; mode (where it will actively capture network packets and interpret device information) or in &#8216;offline&#8217; mode where it will process a PCAP file that you import.</p>
<p><b>Note: </b>At the time of writing, NetSleuth is in BETA. It is not recommended that you run this in a production environment. It made this list because it promises to be a handy addition to your forensic toolkit. The author of this tool is currently asking for feedback from the community so now is your chance to contribute!</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/09/19.jpg"><img class="aligncenter  wp-image-10844" alt="19" src="http://www.gfi.com/blog/wp-content/uploads/2013/09/19.jpg" width="475" height="295" /></a></p>
<p>When you launch NetSleuth, you can either initiate a ‘live’ analysis from the Live Capture tab, or load a PCAP file from the Offline Analysis tab. Once NetSleuth has identified at least one device, you can double click on it to open the Device Information window.</p>
<h2><strong><b><a href="http://www.paraben.com/p2-explorer.html">20 P2 eXplorer Free</a></b></strong></h2>
<p>P2 eXplorer is a forensic image mounting tool that allows you to mount a forensic image as a physical disk and view the contents of that image in Windows Explorer or load it into an external forensic analysis tool. P2 eXplorer supports images in RAW, DD, IMG, EX01, SMART and SafeBack format, amongst others.</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/09/20.jpg"><img class="aligncenter  wp-image-10845" alt="20" src="http://www.gfi.com/blog/wp-content/uploads/2013/09/20.jpg" width="475" height="295" /></a></p>
<p>When you launch P2 eXplorer, choose an available drive letter to mount the image to and click ‘File &gt; Mount Image…’ to choose the image to mount. Once the image has been mounted, double click on the associated drive letter to view the contents of that image in Windows Explorer.</p>
<p><b>Tip:</b> In <b><a href="http://www.gfi.com/blog/top-20-free-disk-tools-for-sysadmins/">Top 20 Free Disk Tools for SysAdmins</a></b> I mentioned another image mounting tool called OSFMount. OSFMount is very similar to P2 eXplorer but also supports the mounting of VMware files and the creation of RAM disks. Part of the OSFMount family is a digital forensics suite called OSForensics – the freeware version of this application is available for personal, educational or home use to allow you to experiment and become acquainted with digital forensics concepts.</p>
<p><strong><em>Like our posts? Subscribe to our <a href="http://feeds.feedburner.com/TalkTechToMe-All">RSS feed</a> or email feed (on the right hand side) now, and be the first to get them!</em></strong></p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/top-20-free-digital-forensic-investigation-tools-for-sysadmins/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Top 10 Free System Troubleshooting Tools for SysAdmins</title>
		<link>http://www.gfi.com/blog/top-10-free-system-troubleshooting-tools-for-sysadmins/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=top-10-free-system-troubleshooting-tools-for-sysadmins</link>
		<comments>http://www.gfi.com/blog/top-10-free-system-troubleshooting-tools-for-sysadmins/#comments</comments>
		<pubDate>Sun, 28 Jul 2013 13:00:45 +0000</pubDate>
		<dc:creator>Andrew Zammit Tabona</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[TTTM]]></category>
		<category><![CDATA[AccExp]]></category>
		<category><![CDATA[CurrPorts]]></category>
		<category><![CDATA[Joeware Utilities]]></category>
		<category><![CDATA[LastActivityView]]></category>
		<category><![CDATA[Microsoft Fix It Solution Center]]></category>
		<category><![CDATA[Microsoft SysInternals Suite]]></category>
		<category><![CDATA[NirLauncher]]></category>
		<category><![CDATA[PowerShell Troubleshooting Packs]]></category>
		<category><![CDATA[Problem Steps Recorder]]></category>
		<category><![CDATA[psr.exe]]></category>
		<category><![CDATA[Reliability Monitor]]></category>
		<category><![CDATA[SidToName]]></category>
		<category><![CDATA[SysAdmins]]></category>
		<category><![CDATA[system troubleshooting]]></category>
		<category><![CDATA[system troubleshooting tools]]></category>
		<category><![CDATA[troubleshooting tools]]></category>
		<category><![CDATA[USBDeview]]></category>
		<category><![CDATA[WELT]]></category>
		<category><![CDATA[WinAudit]]></category>
		<category><![CDATA[WSCC]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=10733</guid>
		<description><![CDATA[To conclude our SysAdmin Week series, we thought of sharing 10 of the best free tools / packages for troubleshooting system issues – one of the biggest headaches for sys admins! These tools should help you, as an admin, to &#8230;]]></description>
				<content:encoded><![CDATA[<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/FBSysAdminWeekday7.jpg"><img class=" wp-image-10751 alignright" style="border: 0px solid black; margin: 10px;" alt="FBSysAdminWeekday7" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/FBSysAdminWeekday7-300x300.jpg" width="240" height="240" /></a>To conclude our SysAdmin Week series, we thought of sharing 10 of the best free tools / packages for troubleshooting system issues – one of the biggest headaches for sys admins! These tools should help you, as an admin, to fix the problem or identify the root cause more quickly. You can either use these tools yourself, or provide them to a user who is experiencing the issue, for them to gather the information needed. Even if you may have heard of some of these tools before, I’m confident that you’ll find a gem or two on this list.<span id="more-10733"></span></p>
<h2>1. <a href="http://support.microsoft.com/fixit/">Microsoft Fix It Solution Center</a></h2>
<p>The Microsoft Fix It Solution Center is an online tool that helps you to quickly find and fix common system issues. Once you’ve entered the symptoms, you can either download an executable to automatically fix the issue or be directed to a relevant Microsoft Knowledge Base article that explains what the cause is and the recommended workaround.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/MicrosoftFixIt1.png"><img class="aligncenter size-medium wp-image-10735" alt="MicrosoftFixIt" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/MicrosoftFixIt1-300x269.png" width="300" height="269" /></a></p>
<p>To use the Microsoft Fix It Solution Center, simply open <a href="http://support.microsoft.com/fixit/">http://support.microsoft.com/fixit/</a> in a web browser, select a problem area from “Step 1”, choose what type of problem you are trying to fix from the list in “Step 2” and then choose which solution you’d like to execute or learn more about from “Step 3”.</p>
<h2>2. Problem Steps Recorder</h2>
<p>Hidden away in Windows 7 / Windows 2008 and above is a neat little utility called Problem Steps Recorder (psr.exe). The Problem Steps Recorder will record the step-by-step interactions that occur while the user replicates the problem, taking screenshots of every action. It then bundles all this into a report with detailed information and any relevant error logs.</p>
<p>This tool is great if you have a user in your environment who is experiencing an issue that you want to gain more information about and the steps they took to reproduce the problem, or if you want to create a report to send to a third party vendor as part of a support case.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/ProblemStepsRecorder.png"><img class="aligncenter size-medium wp-image-10736" alt="ProblemStepsRecorder" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/ProblemStepsRecorder-300x46.png" width="300" height="46" /></a></p>
<p>To launch the Problem Steps Recorder, go to the Start menu and type “psr.exe”. Click “Start Record” and the tool will record every interaction from then on. You can add comments during the recording process and then click “Stop Record” to save the report as an *.mht file within a zip archive.</p>
<h2>3. Reliability Monitor</h2>
<p>Windows Vista / 2008 and above include a tool called Reliability Monitor. This tool provides an overview of overall system stability and details about events that can impact reliability. The idea is to pinpoint any troublesome areas and take steps to improve system reliability based on what you learn (e.g. you might identify a trend in a certain application crashing when opening a certain file type).</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/MicrosoftReliabilityMonitor.png"><img class="aligncenter size-medium wp-image-10737" alt="MicrosoftReliabilityMonitor" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/MicrosoftReliabilityMonitor-300x175.png" width="300" height="175" /></a></p>
<p>To run the Microsoft Reliability Monitor, go to the Start menu and type ‘Reliability’. This will bring up a “View reliability history” shortcut. Clicking on this shortcut will launch the Reliability Monitor directly. You can also launch this tool from the Performance Monitor tool by right-clicking on Monitoring Tools and selecting “View system reliability”.</p>
<p>Start by selecting whether you want to view information by Days or Weeks, and then click on a specific area within the graph to view information in the bottom pane. Once you’ve viewed the reliability history for a specified period, you can choose to save the information to a file, view a list of all problem reports and check for solutions to problems.</p>
<h2>4. <a href="http://www.gunnerinc.com/welt.htm">WELT (Windows Error Lookup Tool)</a></h2>
<p>When troubleshooting issues, you may come across Win32, HRESULT, NTSTATUS or STOP error codes which are likely to mean nothing to you or me. Using WELT you can find out what the error code means in plain English and what it relates to.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/WELT.png"><img class="aligncenter size-medium wp-image-10738" alt="WELT" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/WELT-300x163.png" width="300" height="163" /></a></p>
<p>To launch WELT, simply execute Windows Error Lookup Tool.exe from the folder where you extracted welt.zip to. Enter the error code in the textbox and the error details will appear automatically.</p>
<h2>5. PowerShell Troubleshooting Packs</h2>
<p>As I mentioned in my article entitled <a href="http://www.gfi.com/blog/windows-powershell-essential-admin-scripts-part-1/">Windows PowerShell™: Essential Admin Scripts (Part 1)</a>, the PowerShell Troubleshooting Packs (bundled with Windows 7/2008 and above) can be really handy when troubleshooting system issues. These packs are a collection of PowerShell scripts that you can use to diagnose different aspects of your servers, clients or network. Different packages are available to troubleshoot printers, networks, performance, power, Windows Update, etc.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/TroubleshootingPacks.png"><img class="aligncenter size-medium wp-image-10739" alt="TroubleshootingPacks" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/TroubleshootingPacks-300x137.png" width="300" height="137" /></a></p>
<p>To run a PowerShell Troubleshooting Pack, open a PowerShell command prompt and import the modules associated with the pack by running the “Import-Module TroubleshootingPack” command. Then, run the following command to start the desired Troubleshooting Pack:</p>
<p>Get-TroubleshootingPack &lt;TroubleshootingPackLocation&gt; | Invoke-TroubleshootingPack</p>
<h2>6. <a href="http://www.pxserver.com/WinAudit.htm">WinAudit</a></h2>
<p>As part of the troubleshooting process, it is helpful to know as much information as you can about the machine where the problem resides to assist in finding a solution more quickly. WinAudit scans your computer and gathers a whole raft of information about Installed Software, TCP/IP settings, Drives, Error Logs, etc.</p>
<p><b>Note:</b> At the time of writing, the download link available from the developer’s website was broken. You can download the latest version of this software from a popular application download site like CNET.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/WinAudit.png"><img class="aligncenter size-medium wp-image-10740" alt="WinAudit" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/WinAudit-300x174.png" width="300" height="174" /></a></p>
<p>To start an audit of your local machine, simply execute WinAudit.exe to start the application and then click the “Audit” icon in the top left-hand corner. Once the audit is complete, you can start to review the information from the different categories in the left-hand pane, or save the information as a PDF / CSV / TXT / HTML file.</p>
<h2>7. <a href="http://www.joeware.net/freetools/index.htm">Joeware Utilities</a></h2>
<p>Joeware Utilities are a collection of free troubleshooting and system information utilities aimed at making the life of an administrator easier. These tools were built by a system administrator out of his own experience of not finding a tool that did the job he needed for whatever he was trying to solve. The tools available range from dumping user information from Active Directory to modifying a user account’s expiration flag or performing TCP/IP port connection testing.</p>
<p><b>Note:</b> Unfortunately Joeware Utilities do not come as a bundled package and will have to be downloaded individually from the website. However, using a small add-on for the NirLauncher application mentioned below, you can download and categorize the tools ready to be launched from the NirLauncher application itself.</p>
<p>Some of the tools available from Joeware Utilities include:</p>
<p><b><i>SidToName</i></b></p>
<p>SidToName is a command line tool that resolves SIDs (Security Identifiers) to friendly display names. You provide it with a valid SID and it returns the object name associated with that SID.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/SidToName.png"><img class="aligncenter size-medium wp-image-10741" alt="SidToName" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/SidToName-300x148.png" width="300" height="148" /></a></p>
<p><b><i>AccExp</i></b></p>
<p>AccExp is a command line tool that you can use to modify or read the expiration date of local user accounts.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/AccExp.png"><img class="aligncenter size-medium wp-image-10742" alt="AccExp" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/AccExp-300x148.png" width="300" height="148" /></a></p>
<h2>8. <a href="http://launcher.nirsoft.net/download.html">Nirsoft NirLauncher</a></h2>
<p>NirLauncher is an application that bundles more than 170 portable freeware utilities. The tools available include password recovery tools, Internet tools, programming tools, and system tools – all of which can be used for troubleshooting and information gathering.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/NirLauncher.png"><img class="aligncenter size-medium wp-image-10743" alt="NirLauncher" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/NirLauncher-300x229.png" width="300" height="229" /></a></p>
<p>Some of the most popular tools bundled with NirSoft NirLauncher include:</p>
<p><b><i>USBDeview</i></b></p>
<p>USBDeview is a small application that lists all current and previously connected USB devices on a local or remote machine. USB device information includes device name/description, device type, serial number, the date/time that the device was added or last used, VendorID, etc.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/USBDeview.png"><img class="aligncenter size-medium wp-image-10744" alt="USBDeview" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/USBDeview-300x135.png" width="300" height="135" /></a></p>
<p><b><i>CurrPorts</i></b></p>
<p>CurrPorts displays a list of all currently open TCP/UDP ports on the local machine. Information about which process opened the port, the time the process was created and the user that created it is displayed. Using CurrPorts you can also close open connections and export the information to a file.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/CurrPorts.png"><img class="aligncenter size-medium wp-image-10745" alt="CurrPorts" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/CurrPorts-300x200.png" width="300" height="200" /></a></p>
<p><b><i>LastActivityView</i></b></p>
<p>Using LastActivityView you can see what actions were taken by a user and what events occurred on the machine. Any activities such as running an executable file, opening a file/folder from Explorer or performing a software installation will be logged. The information can be exported to a CSV / XML / HTML file.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/LastActivityView.png"><img class="aligncenter size-medium wp-image-10746" alt="LastActivityView" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/LastActivityView-300x257.png" width="300" height="257" /></a></p>
<h2>9. <a href="http://technet.microsoft.com/en-gb/sysinternals/bb842062.aspx">Microsoft SysInternals Suite</a></h2>
<p>Microsoft SysInternals Suite is a collection of over 60 lightweight troubleshooting tools all bundled into a single download package. Whatever issue you’re trying to tackle, you are sure to find a tool in this package to help you manage, troubleshoot and diagnose your systems and applications.</p>
<p>Some of the most popular tools bundled in the SysInternals Suite include:</p>
<p><b><i>Autoruns</i></b></p>
<p>Autoruns allows you to view which programs and services are configured to run at system boot up or login, in the order in which Windows processes them.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/Autoruns.png"><img class="aligncenter size-medium wp-image-10747" alt="Autoruns" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/Autoruns-300x213.png" width="300" height="213" /></a></p>
<p><b><i>Process Monitor</i></b></p>
<p>Using Process Monitor you can troubleshoot application and system related issues by monitoring activity related to processes, threads, DLLs, the registry and file system in real-time.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/ProcessMonitor.png"><img class="aligncenter size-medium wp-image-10748" alt="ProcessMonitor" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/ProcessMonitor-300x214.png" width="300" height="214" /></a></p>
<p><b><i>AccessEnum</i></b></p>
<p>Using AccessEnum you can quickly view permissions of file system directories or registry keys and then save the results to a text file and compare results with a previously saved log.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/AccessEnum.png"><img class="aligncenter size-medium wp-image-10749" alt="AccessEnum" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/AccessEnum-300x154.png" width="300" height="154" /></a></p>
<h2>10. <a href="http://www.kls-soft.com/wscc/downloads.php">WSCC (Windows System Control Center)</a></h2>
<p>WSCC is not a troubleshooting tool per se, but it does facilitate issue troubleshooting by acting as an inventory for various system troubleshooting tool suites (such as those from Microsoft SysInternals and NirSoft). It allows you to install, update, execute and categorize the entire collection of tools in a single location.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/WSCC.png"><img class="aligncenter size-medium wp-image-10750" alt="WSCC" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/WSCC-300x294.png" width="300" height="294" /></a></p>
<p>When you launch WSCC for the first time, you are given the option to download and install the latest versions of the entire set of over 270 tools. If you choose not to install them locally, WSCC will download each application when you first click on it and store the file in a temp folder within the WSCC directory. To launch a troubleshooting tool, choose a tool from the category within the navigation pane on the left hand side. You can also add favourite tools to the Favourites folder or search for a utility by name.</p>
<p>Are there any free tools not on this list that you’ve found useful and would like to share with the community?</p>
<p><em><strong>Like our posts? Subscribe to our <a href="http://feeds.feedburner.com/TalkTechToMe-All">RSS feed</a> or email feed (on the right hand side) now, and be the first to get them!</strong></em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/top-10-free-system-troubleshooting-tools-for-sysadmins/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>The Top 20 Free File Management Tools for Sys Admins</title>
		<link>http://www.gfi.com/blog/the-top-20-free-file-management-tools-for-sys-admins/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=the-top-20-free-file-management-tools-for-sys-admins</link>
		<comments>http://www.gfi.com/blog/the-top-20-free-file-management-tools-for-sys-admins/#comments</comments>
		<pubDate>Wed, 24 Jul 2013 14:45:33 +0000</pubDate>
		<dc:creator>Andrew Zammit Tabona</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[TTTM]]></category>
		<category><![CDATA[7-Zip]]></category>
		<category><![CDATA[Advanced Renamer Portable]]></category>
		<category><![CDATA[archiving]]></category>
		<category><![CDATA[AxCrypt]]></category>
		<category><![CDATA[Better Explorer]]></category>
		<category><![CDATA[Bulk Rename Utility]]></category>
		<category><![CDATA[copying]]></category>
		<category><![CDATA[de-duplication]]></category>
		<category><![CDATA[Duplicate Cleaner]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[ExamDiff]]></category>
		<category><![CDATA[file comparison]]></category>
		<category><![CDATA[File Management Tools]]></category>
		<category><![CDATA[File Splitter]]></category>
		<category><![CDATA[Free Opener]]></category>
		<category><![CDATA[FreeFileSync]]></category>
		<category><![CDATA[Hash Tool]]></category>
		<category><![CDATA[Locate32]]></category>
		<category><![CDATA[merging]]></category>
		<category><![CDATA[My Lockbox]]></category>
		<category><![CDATA[PeaZip]]></category>
		<category><![CDATA[renaming]]></category>
		<category><![CDATA[search]]></category>
		<category><![CDATA[SearchMyFiles]]></category>
		<category><![CDATA[Steganos LockNote]]></category>
		<category><![CDATA[syncing]]></category>
		<category><![CDATA[SyncToy]]></category>
		<category><![CDATA[Sys Admins]]></category>
		<category><![CDATA[TeraCopy]]></category>
		<category><![CDATA[Universal Extractor]]></category>
		<category><![CDATA[WinMerge]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=10701</guid>
		<description><![CDATA[Following yesterday’s post, we have compiled another list of free tools for sys admins. Today’s list presents 20 of the best free tools for file comparison, archiving, encryption, renaming, de-duplication, merging, copying, syncing and search. Even if you may have &#8230;]]></description>
				<content:encoded><![CDATA[<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/FBSysAdminWeekday3a.jpg"><img class=" wp-image-10723 alignright" style="border: 0px solid black; margin: 10px;" alt="FBSysAdminWeekday3a" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/FBSysAdminWeekday3a-300x300.jpg" width="180" height="180" /></a>Following <a href="http://www.gfi.com/blog/the-top-20-free-network-monitoring-and-analysis-tools-for-sys-admins/">yesterday’s post</a>, we have compiled another list of free tools for sys admins. Today’s list presents 20 of the best free tools for file comparison, archiving, encryption, renaming, de-duplication, merging, copying, syncing and search. Even if you have heard of some of these tools before, we’re confident that you’ll find a gem or two amongst this list – and if you know of any others, leave us a comment below!<span id="more-10701"></span></p>
<p><b>1. <a href="http://codesector.com/teracopy">TeraCopy</a></b></p>
<p>TeraCopy acts as an alternative to the built-in copy and move process in Windows. It is designed to copy and move files either locally or over the network at a faster rate. It allows you to pause and resume file transfer activities, it integrates into the Windows shell and has an automatic error recovery mechanism in case something goes wrong during the transfer process.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/TeraCopy.png"><img class="aligncenter size-medium wp-image-10702" alt="TeraCopy" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/TeraCopy-300x185.png" width="300" height="185" /></a></p>
<p>Once you’ve installed TeraCopy, you can launch the application from the Start Menu or by right-clicking on a file or folder and selecting “TeraCopy…” from the context menu. When you’ve selected which files to transfer and where to transfer them to, you can then select which action to take after the process is complete (e.g. shut down the machine or close the window). Finally, you kick the process off by clicking the “Copy” or “Move” buttons. TeraCopy keeps a log of all actions taken in the drop-down box at the bottom of the window.</p>
<p><b>2. <a href="http://www.steganos.com/us/products/for-free/locknote/overview/">Steganos LockNote</a></b></p>
<p>Steganos LockNote allows you to securely store confidential notes such as license keys, passwords, phone numbers, etc. It uses AES-256 encryption to store your text in a self-executable container that requires a password to open it.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/LockNote.png"><img class="aligncenter size-medium wp-image-10703" alt="LockNote" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/LockNote-300x209.png" width="300" height="209" /></a></p>
<p>Steganos LockNote comes as a standalone application which does not require installation. When you launch LockNote.exe you are presented with a text editor similar to notepad.exe. Type whatever text you wish to be kept secret and go to File &gt; Save As… to save the note as an encrypted container. You will be prompted for a password and the resulting output file will be in *.exe format.</p>
<p><b>3. <a href="http://www.digitalvolcano.co.uk/duplicatecleaner.html">Duplicate Cleaner</a></b></p>
<p>Duplicate Cleaner is a file de-duplication tool that removes redundant copies of files from a specified hard drive or network location. It works by generating an MD5 hash of each file and then comparing hashes to find duplicates. It also gives you the option to search for files using a byte-by-byte comparison. Once the duplicate files have been found, you can choose to delete them or move them to an archive location.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/DuplicateCleaner.png"><img class="aligncenter size-medium wp-image-10704" alt="DuplicateCleaner" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/DuplicateCleaner-300x169.png" width="300" height="169" /></a></p>
<p>When you launch Duplicate Cleaner, you first specify the search criteria from the first available tab, then you tell it where to look from the “Scan Location” tab before hitting “Scan Now”. A summary window will appear showing how many files were scanned and how many duplicates were found. The “Duplicate Files” tab highlights which files need attention.</p>
<p><b>4. <a href="http://www.bulkrenameutility.co.uk/">Bulk Rename Utility</a></b></p>
<p>Bulk Rename Utility is a lightweight yet powerful application for renaming files and folders using an extensive array of criteria. Using this tool you can remove, add or change text and numbers within the file name, add date/time stamps, change case, modify file and folder attributes and preview what the changes will look like before you go ahead with them. The Bulk Rename Utility also supports regular expressions for additional flexibility.</p>
<p><b>Note: </b>The Bulk Rename Utility comes in a command line version too. Using the command line version of the utility you can create scheduled jobs to perform a repetitive action at a specified time (e.g. rename a set of log files or backup files every day at midnight).</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/BulkRenameUtility.png"><img class="aligncenter size-medium wp-image-10705" alt="BulkRenameUtility" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/BulkRenameUtility-300x198.png" width="300" height="198" /></a></p>
<p>When you launch the Bulk Rename Utility you are presented with the navigation pane on the left hand side, the preview pane on the right hand side and a multitude of rename options at the bottom. Start by navigating to a folder that contains the files you wish to rename from the navigation pane or find the folder in Windows Explorer, right click on it and choose “Bulk Rename Here”.</p>
<p><b>5. <a href="http://www.freeopener.com/">Free Opener</a></b></p>
<p>Free Opener allows you to open over 80 different file formats from a single interface. Even if you don’t have the native application installed, you can quickly fire up Free Opener to open that file format. Free Opener supports Microsoft Office files, Archive files, Image files, Code files, Video files and Audio files, amongst others. Essentially it is just like having a Document Viewer, Image Viewer, Media Player and Archive Viewer all rolled into one!</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/FreeOpener.png"><img class="aligncenter size-medium wp-image-10706" alt="FreeOpener" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/FreeOpener-300x237.png" width="300" height="237" /></a></p>
<p>When you launch Free Opener, the first thing you should do is go to File &gt; File Associations to choose which file types you want to be associated with the Free Opener application. This means that any file of those types that you double-click will be opened automatically in Free Opener (if the file type is supported). Alternatively, click on the “Open” icon or go to File &gt; Open to choose a file to open in Free Opener. When you open a file, a menu bar appears at the bottom of the window containing some edit options (which change depending on the file type you have opened).</p>
<p><b>6. <a href="http://sourceforge.net/projects/freefilesync/">FreeFileSync</a></b></p>
<p>FreeFileSync is a folder comparison and synchronization tool designed with usability and performance in mind. FreeFileSync allows you to save the configuration as a “.batch” file which you can then use to schedule a task for automatic folder synchronization.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/FreeFileSync1.png"><img class="aligncenter size-medium wp-image-10708" alt="FreeFileSync" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/FreeFileSync1-300x202.png" width="300" height="202" /></a></p>
<p>When you launch FreeFileSync, add a path to the left and right hand side of the window and hit the “Compare” button to compare both locations side-by-side. FreeFileSync will use a series of icons to highlight what’s different between both folders. You can then hit the “Synchronize” button to sync both folders. Go to Program &gt; Save as batch job… to save the configuration as a batch job for use later when scheduling a task.</p>
<p><b>7. <a href="http://peazip.sourceforge.net/">PeaZip</a></b></p>
<p>PeaZip is a cross-platform file and archive manager that supports volume spanning, high levels of compression and encryption, and a wide range of archiving formats. Using PeaZip you can create archive formats such as 7Z, ARC, BZ2, GZ, PAQ, PEA, QUAD/BALZ, TAR, UPX, WIM, XZ, and ZIP, and extract over 150 archive formats, including ACE, CAB, ISO, RAR, UDF, ZIPX and many more. PeaZip features include creating, converting and extracting multiple archives at once, creating self-extracting archives, secure data deletion, checksum creation and hashing.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/PeaZip.png"><img class="aligncenter size-medium wp-image-10709" alt="PeaZip" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/PeaZip-300x191.png" width="300" height="191" /></a></p>
<p>Once PeaZip is installed, you can either open or create an archive using the “Open as archive” or “Add to archive” context menu options respectively, or launch the application and take the required action from there. Once in the PeaZip UI, simply navigate to the required file or folder from the left hand pane and then click one of the icons in the top menu to take an action.</p>
<p><b>8. <a href="http://sourceforge.net/projects/winmerge/?source=directory">WinMerge</a></b></p>
<p>WinMerge is a file comparison and merging tool that visually displays the differences side-by-side. This tool is useful for determining what has changed between two file versions and then merging those changes. WinMerge supports Unicode and regular expressions and includes Visual SourceSafe and Windows Shell integration.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/WinMerge.png"><img class="aligncenter size-medium wp-image-10710" alt="WinMerge" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/WinMerge-300x182.png" width="300" height="182" /></a></p>
<p>When you launch WinMerge and choose to open files to compare, you are asked to select a file for the left hand side and a file for the right hand side. Differences between these files are shown in the Location Pane and highlighted throughout both documents.</p>
<p><b>9. <a href="http://www.nirsoft.net/utils/search_my_files.html">SearchMyFiles</a></b></p>
<p>SearchMyFiles aims to be an alternative to the Windows &#8220;Search For Files And Folders&#8221; process, allowing more flexible and accurate searches to be performed. You can search using wildcards, last modified/created/accessed time, file attributes, file content (text or binary search) and by file size. Search results can be saved as a text, html, csv or xml file. SearchMyFiles comes as a standalone portable application that doesn&#8217;t require installation &#8211; it can therefore be run straight off a USB drive.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/SearchMyFiles.png"><img class="aligncenter size-medium wp-image-10711" alt="SearchMyFiles" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/SearchMyFiles-300x215.png" width="300" height="215" /></a></p>
<p>Executing the SearchMyFiles.exe application brings up the Search Options window which allows you to specify where to search and the search criteria to use to bring back results. Simply choose the desired options and hit “Start Search” to have the application perform the search operation.</p>
<p><b>10. <a href="http://sourceforge.net/projects/axcrypt/">AxCrypt</a></b></p>
<p>AxCrypt is a file-level encryption tool that integrates with the Windows shell and allows you to right-click on a file to encrypt or decrypt it using AES-256 encryption. AxCrypt also offers the ability to create a self-extracting archive to securely transfer files to another location (with AxCrypt not being required for decryption on the other end).</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/AxCrypt.png"><img class="aligncenter size-medium wp-image-10712" alt="AxCrypt" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/AxCrypt-288x300.png" width="288" height="300" /></a></p>
<p>Once installed, everything happens from the context menu when you right click on a file. You are given the option to Encrypt or Decrypt the file, manage passphrases or permanently delete the file.</p>
<p><b>11. <a href="http://www.filesplitter.org/">File Splitter</a></b></p>
<p>File Splitter does what it says in the name. It is a super lightweight standalone application that splits files into multiple chunks and merges chunks back into a whole file.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/Splitter.png"><img class="aligncenter size-medium wp-image-10713" alt="Splitter" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/Splitter-300x224.png" width="300" height="224" /></a></p>
<p>When you launch File Splitter, use the “Split file” tab to specify the source file to split and the destination of the file chunks as well as the size of each chunk. Similarly, use the “Join files” tab to specify the chunks to merge into a whole file again and the destination where you want the joined file to be placed.</p>
<p><b>12. <a href="http://www.digitalvolcano.co.uk/hash.html">Hash Tool</a></b></p>
<p>Hash Tool allows you to quickly and easily calculate the hash of multiple files to verify file integrity. The tool supports Unicode file names and MD5, SHA-1, SHA-256, SHA-384, SHA-512, CRC32 hash types.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/HashTool.png"><img class="aligncenter size-medium wp-image-10714" alt="HashTool" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/HashTool-300x202.png" width="300" height="202" /></a></p>
<p>Start by selecting the hash type from the drop down list and then selecting the files to hash from the “Select File(s)” button. Alternatively, drag and drop the files into the “Results” window for the hash to be automatically calculated. You can then save the results to a txt or csv file or copy them to the clipboard.</p>
<p><b>13. <a href="http://www.prestosoft.com/edp_examdiff.asp#download">ExamDiff</a></b></p>
<p>Similar to the functionality offered in WinMerge, ExamDiff offers a visual side-by-side comparison of two files, highlighting the differences in different colours and giving you the option to navigate through the changes in a number of ways (e.g. using a drop-down list). ExamDiff also comes with command line options allowing you to create a batch file to automate the process.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/ExamDiff.png"><img class="aligncenter size-medium wp-image-10715" alt="ExamDiff" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/ExamDiff-300x172.png" width="300" height="172" /></a></p>
<p>When you launch ExamDiff, you are presented with a dialog box asking you to specify the location of the two files to compare. Once you do this and hit “OK”, the application opens displaying a side-by-side comparison of the files and highlighting lines that have been added, deleted or changed in different colours.</p>
<p><b>14. <a href="http://www.7-zip.org/">7-Zip</a></b></p>
<p>7-Zip is a powerful file archiving utility with a high compression ratio that supports a multitude of compression formats, including 7z, GZIP, TAR, ZIP, CAB, MSI, etc. Features include the ability to create self-extracting archives, adjust the compression level and add password protection. 7-Zip&#8217;s power lies in its compression ratio; it claims to provide a ZIP format compression ratio that is 2-10% better than its competitors and a 7z format compression ratio that is 30-70% better than ZIP format.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/7-Zip.png"><img class="aligncenter size-medium wp-image-10716" alt="7-Zip" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/7-Zip-300x233.png" width="300" height="233" /></a></p>
<p>When you launch the application, navigate to the folder containing the files you wish to archive and hit the “Add” button to create an archive. Alternatively, you can create an archive directly from the context menu by right clicking on a file or folder.</p>
<p><b>15. <a href="http://www.microsoft.com/downloads/en/details.aspx?FamilyID=c26efa36-98e0-4ee9-a7c5-98d0592d8c52">Microsoft SyncToy</a></b></p>
<p>SyncToy is an application that can be used as a mini backup utility to synchronize files and folders between two locations. SyncToy allows you to ‘Synchronize’ FolderA with FolderB where the changes are replicated on both ends, ‘Echo’ FolderA to FolderB where the changes in FolderA are replicated to FolderB, and ‘Contribute’ FolderA to FolderB where the changes in FolderA (except deletions) are replicated to FolderB.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/SyncToy.png"><img class="aligncenter size-medium wp-image-10717" alt="SyncToy" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/SyncToy-300x244.png" width="300" height="244" /></a></p>
<p>When you launch SyncToy, the first thing you need to do is create a New Folder Pair, specifying the left and right folders you wish to synchronize. You can then choose the Synchronization action (i.e. Synchronize, Echo, and Contribute) and which options you wish to use before running the synchronization session.</p>
<p><b>16. <a href="http://fspro.net/my-lockbox/">My LockBox</a></b></p>
<p>My Lockbox is an easy to use application that allows you to hide, lock and password protect a Windows folder on a FAT, FAT32 or NTFS volume so that it&#8217;s only accessible to you.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/MyLockbox.png"><img class="aligncenter size-medium wp-image-10718" alt="MyLockbox" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/MyLockbox-300x149.png" width="300" height="149" /></a></p>
<p>When you launch My Lockbox and choose which folder to protect, it automatically disappears from view within Windows Explorer or from the command line. The only way to access the folder is to launch My Lockbox, enter the password and Unlock the folder.</p>
<p><b>17. <a href="http://www.advancedrenamer.com/download">Advanced Renamer Portable</a></b></p>
<p>Advanced Renamer Portable is a standalone, lightweight and easy to use application that can be used to quickly add, remove, replace, or append file or folder names in bulk.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/AdvancedRenamerPortable.png"><img class="aligncenter size-medium wp-image-10719" alt="AdvancedRenamerPortable" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/AdvancedRenamerPortable-300x214.png" width="300" height="214" /></a></p>
<p>Select the “Rename Files” or “Rename Folders” tab to rename files or folders respectively. Add files or folders to the list and create a new method from the left hand pane – here you create the renaming rules you want to apply to the list of files or folders. When you’re ready, hit “START BATCH” to initiate the process.</p>
<p><b>18. <a href="http://locate32.cogit.net/">Locate32</a></b></p>
<p>Locate32 is a search utility that finds files or folders based on their names. Locate32 works by indexing file and folder names in a database and then using the database to quickly return results. Locate32 comes packaged with a command line version that can be used to update and access the databases without any user interaction.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/Locate32.png"><img class="aligncenter size-medium wp-image-10720" alt="Locate32" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/Locate32-300x202.png" width="300" height="202" /></a></p>
<p>When you first launch Locate32, go Tools &gt; Settings &gt; Databases tab to set up your databases. Databases are essentially index locations – any files contained within a location specified in the database will be searchable more quickly. Once you’ve set your databases, use the “Name &amp; Location”, “Size and Date” and “Advanced” tabs to perform your search.</p>
<p><b>19. <a href="http://legroom.net/software/uniextract">Universal Extractor</a></b></p>
<p>Universal Extractor is designed to decompress and extract files from virtually any type of archive, regardless of source, file format or compression method. It supports anything from EXE format to ZIP, CAB, ACE, TAR.GZ, ISO, MSI, RAR, PEA and RPM format, amongst many others. It is handy because it saves you from needing different applications to open different archive formats.</p>
<p><b>Note:</b> Universal Extractor does not create archives; it is used only to extract data.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/UniversalExtractor.png"><img class="aligncenter size-medium wp-image-10721" alt="UniversalExtractor" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/UniversalExtractor-300x156.png" width="300" height="156" /></a></p>
<p>Once you open Universal Extractor, specify the location of the archive file and a destination folder where the contents will be extracted to. Press “OK” to start the extraction process. Once installed, Universal Extractor will also be available via the context menu, allowing you to easily right click on an archive and select “UnExtract”.</p>
<p><b>20. <a href="http://better-explorer.com/">Better Explorer</a></b></p>
<p>Better Explorer aims to be a replacement for Windows Explorer. It offers greater functionality and a streamlined UI with Ribbons (much like Microsoft Office) and Tabs. It includes the ability to manage favourites, conditional select, sizing charts (giving a visual representation of the size of a folder), in-built image editing tools, an enhanced search feature, and archive support.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/BetterExplorer.png"><img class="aligncenter size-medium wp-image-10722" alt="BetterExplorer" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/BetterExplorer-300x213.png" width="300" height="213" /></a></p>
<p><b>Note:</b> At the time of writing, this application is still in BETA. It is not recommended that this be installed on a production machine but rather that you use it in a testing environment or on a personal machine at home to try it out before the full version is launched. It made this list because of its potential; if the BETA is anything to go by, Better Explorer certainly looks like one to watch!</p>
<p>Are there any free tools not on this list that you’ve found useful and would like to share with the community? Then leave us a comment below and let us know!</p>
<p><strong><em>Like our posts? Subscribe to our <a href="http://feeds.feedburner.com/TalkTechToMe-All">RSS feed</a> or email feed (on the right hand side) now, and be the first to get them!</em></strong></p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/the-top-20-free-file-management-tools-for-sys-admins/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>The Top 20 Free Network Monitoring and Analysis Tools for Sys Admins</title>
		<link>http://www.gfi.com/blog/the-top-20-free-network-monitoring-and-analysis-tools-for-sys-admins/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=the-top-20-free-network-monitoring-and-analysis-tools-for-sys-admins</link>
		<comments>http://www.gfi.com/blog/the-top-20-free-network-monitoring-and-analysis-tools-for-sys-admins/#comments</comments>
		<pubDate>Tue, 23 Jul 2013 14:39:55 +0000</pubDate>
		<dc:creator>Andrew Zammit Tabona</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[TTTM]]></category>
		<category><![CDATA[Angry IP Scanner]]></category>
		<category><![CDATA[BandwidthD]]></category>
		<category><![CDATA[Capsa Free]]></category>
		<category><![CDATA[EasyNetMonitor]]></category>
		<category><![CDATA[Fiddler]]></category>
		<category><![CDATA[free tools]]></category>
		<category><![CDATA[Microsoft Network Monitor]]></category>
		<category><![CDATA[Nagios]]></category>
		<category><![CDATA[Network Analysis Tools]]></category>
		<category><![CDATA[network monitoring]]></category>
		<category><![CDATA[NetworkMiner]]></category>
		<category><![CDATA[NetXMS]]></category>
		<category><![CDATA[ntopng]]></category>
		<category><![CDATA[Pandora FMS]]></category>
		<category><![CDATA[PRTG Network Monitor Freeware]]></category>
		<category><![CDATA[Splunk]]></category>
		<category><![CDATA[SysAdmin]]></category>
		<category><![CDATA[The Dude]]></category>
		<category><![CDATA[Total Network Monitor]]></category>
		<category><![CDATA[Wireless Network Watcher]]></category>
		<category><![CDATA[WirelessNetView]]></category>
		<category><![CDATA[Xirrus Wi-Fi Inspector]]></category>
		<category><![CDATA[Xymon]]></category>
		<category><![CDATA[Zenoss Core]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=10677</guid>
		<description><![CDATA[We know how administrators love free tools that make their life easier and, to supplement the list provided on 101 Free Admin Tools, here are 20 of the best free tools for monitoring devices, services, ports or protocols and analysing &#8230;]]></description>
				<content:encoded><![CDATA[<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/FBSysAdminWeekday2-3.jpg"><img class="wp-image-10700 alignright" style="margin: 10px; border: 0px solid black;" alt="FBSysAdminWeekday2 (3)" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/FBSysAdminWeekday2-3-300x300.jpg" width="192" height="192" /></a>We know how administrators love free tools that make their life easier and, to supplement the list provided on <b><a href="http://www.gfi.com/blog/101-free-admin-tools/">101 Free Admin Tools</a></b>, here are 20 of the best free tools for monitoring devices, services, ports or protocols and analysing traffic on your network. Even if you may have heard of some of these tools before, we’re sure you’ll find a gem or two amongst this list – and if you know of any others, leave us a comment below!<span id="more-10677"></span></p>
<h2>1. <a href="http://www.microsoft.com/en-us/download/details.aspx?id=4865">Microsoft Network Monitor</a></h2>
<p>Microsoft Network Monitor is a packet analyser that allows you to capture, view and analyse network traffic. This tool is handy for troubleshooting network problems and applications on the network. Main features include support for over 300 public and Microsoft proprietary protocols, simultaneous capture sessions, a Wireless Monitor Mode and sniffing of promiscuous mode traffic, amongst others.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/MicrosoftNetworkMonitor.png"><img class="aligncenter size-medium wp-image-10678" alt="MicrosoftNetworkMonitor" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/MicrosoftNetworkMonitor-300x141.png" width="300" height="141" /></a></p>
<p>When you launch Microsoft Network Monitor, choose which adapter to bind to from the main window and then click “New Capture” to initiate a new capture tab. Within the Capture tab, click “Capture Settings” to change filter options, adapter options, or global settings accordingly and then hit “Start” to initiate the packet capture process.</p>
<h2>2. <a href="http://www.nagios.org/download">Nagios</a></h2>
<p>Nagios is a powerful network monitoring tool that helps you to ensure that your critical systems, applications and services are always up and running. It provides features such as alerting, event handling and reporting. The Nagios Core is the heart of the application that contains the core monitoring engine and a basic web UI. On top of the Nagios Core, you are able to implement plugins that will allow you to monitor services, applications, and metrics, a chosen frontend as well as add-ons for data visualisation, graphs, load distribution, and MySQL database support, amongst others.</p>
<p><b>Tip:</b> If you want to try out Nagios without needing to install and configure it from scratch, download Nagios XI and enable the free version. Nagios XI is the pre-configured enterprise class version built upon Nagios Core and is backed by a commercial company that offers support and additional features such as more plugins and advanced reporting.</p>
<p><b>Note:</b> The free version of Nagios XI is ideal for smaller environments and will monitor up to seven nodes.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/NagiosXI.png"><img class="aligncenter size-medium wp-image-10679" alt="NagiosXI" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/NagiosXI-300x274.png" width="300" height="274" /></a></p>
<p>Once you’ve installed and configured Nagios, launch the Web UI and begin to configure host groups and service groups. Once Nagios has had some time to monitor the status of the specified hosts and services, it can start to paint a picture of what the health of your systems looks like.</p>
<h2>3. <a href="http://sourceforge.net/projects/bandwidthd/">BandwidthD</a></h2>
<p>BandwidthD monitors TCP/IP network usage and displays the data it has gathered in the form of graphs and tables over different time periods. Each protocol (HTTP, UDP, ICMP, etc.) is color-coded for easier reading. BandwidthD runs discreetly as a background service.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/bandwidthD.png"><img class="aligncenter size-medium wp-image-10680" alt="bandwidthD" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/bandwidthD-300x280.png" width="300" height="280" /></a></p>
<p>Installation is easy. Download and install Winpcap version 3.0 or above (you’ll already have this installed if you have Wireshark on the same box), unzip BandwidthD to a specified folder, edit the ../etc/bandwidthd.conf file accordingly, double click on the &#8220;Install Service&#8221; batch file and then start the BandwidthD services from the services.msc console. Once the service is running, give it some time to monitor network traffic and load the index.html page to start viewing bandwidth statistics.</p>
<h2>4. <a href="http://nicekit.com/net-monitor/best-free-net-monitor.htm">EasyNetMonitor</a></h2>
<p>EasyNetMonitor is a super lightweight tool for monitoring local and remote hosts to determine if they are alive or not. It is useful for monitoring critical servers from your desktop, allowing you to get immediate notification (via a balloon popup and/or log file) if a host does not respond to a periodic ping.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/EasyNetMonitor1.png"><img class="aligncenter size-full wp-image-10682" alt="EasyNetMonitor" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/EasyNetMonitor1.png" width="282" height="254" /></a></p>
<p>Once you launch EasyNetMonitor, it will appear as an icon in the notification area on your desktop, where the IP addresses / host names of the machines you want to monitor can be added. Once you’ve added the machines you wish to monitor, be sure to configure the ping delay time and notification settings.</p>
<h2>5. <a href="http://www.colasoft.com/capsa-free">Capsa Free</a></h2>
<p>Capsa Free is a network analyzer that allows you to monitor network traffic, troubleshoot network issues and analyze packets. Features include support for over 300 network protocols (including the ability to create and customize protocols), MSN and Yahoo Messenger filters, email monitor and auto-save, and customizable reports and dashboards.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/Capsa.png"><img class="aligncenter size-medium wp-image-10683" alt="Capsa" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/Capsa-300x197.png" width="300" height="197" /></a></p>
<p>When you launch Capsa, choose the adapter you want it to bind to and click “Start” to initiate the capture process. Use the tabs in the main window to view the dashboard, a summary of the traffic statistics, the TCP/UDP conversations, as well as packet analysis.</p>
<h2>6. <a href="http://fiddler2.com/home">Fiddler</a></h2>
<p>Fiddler is a web debugging tool that captures HTTP traffic between chosen computers and the Internet. It allows you to analyze incoming and outgoing data to monitor and modify requests and responses before they hit the browser. Fiddler gives you extremely detailed information about HTTP traffic and can be used for testing the performance of your websites or security testing of your web applications (e.g. Fiddler can decrypt HTTPS traffic).</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/Fiddler.png"><img class="aligncenter size-medium wp-image-10684" alt="Fiddler" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/Fiddler-300x169.png" width="300" height="169" /></a></p>
<p>When you launch Fiddler, HTTP traffic will start to be captured automatically. To toggle traffic capturing, hit F12. You can choose which processes you wish to capture HTTP traffic for by clicking on “All Processes” in the bottom status bar, or by dragging the “Any Process” icon from the top menu bar onto an open application.</p>
<h2>7. <a href="http://sourceforge.net/projects/networkminer/">NetworkMiner</a></h2>
<p>NetworkMiner captures network packets and then parses the data to extract files and images, helping you to reconstruct the actions a user has taken on the network &#8211; it can also do this by parsing a pre-captured PCAP file. You can enter keywords which will be highlighted as network packets are being captured. NetworkMiner is classed as a Network Forensic Analysis Tool (NFAT) that can obtain information such as hostname, operating system and open ports from hosts.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/NetworkMiner.png"><img class="aligncenter size-medium wp-image-10685" alt="NetworkMiner" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/NetworkMiner-300x153.png" width="300" height="153" /></a></p>
<p>In the example above, I set NetworkMiner to capture packets, opened a web browser and searched for “soccer” as a keyword on Google Images. The images displayed in the Images tab are what I saw during my browser session.</p>
<p>When you load NetworkMiner, choose a network adapter to bind to and hit the “Start” button to initiate the packet capture process.</p>
<h2>8. <a href="http://sourceforge.net/projects/pandora/?source=directory">Pandora FMS</a></h2>
<p>Pandora FMS is a performance monitoring, network monitoring and availability management tool that keeps an eye on servers, applications and communications. It has an advanced event correlation system that allows you to create alerts based on events from different sources and notify administrators before an issue escalates.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/pandorafms.png"><img class="aligncenter size-medium wp-image-10686" alt="pandorafms" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/pandorafms-300x226.png" width="300" height="226" /></a></p>
<p>When you log in to the Pandora FMS Web UI, start by going to the ‘Agent detail’ and ‘Services’ node from the left hand navigation pane. From here, you can configure monitoring agents and services.</p>
<h2>9. <a href="http://sourceforge.net/projects/zenoss/">Zenoss Core</a></h2>
<p>Zenoss Core is a powerful open source IT monitoring platform that monitors applications, servers, storage, networking and virtualization to provide availability and performance statistics. It also has a high performance event handling system and an advanced notification system.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/ZenossCore.png"><img class="aligncenter size-medium wp-image-10687" alt="ZenossCore" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/ZenossCore-300x185.png" width="300" height="185" /></a></p>
<p>Once you log in to the Zenoss Core Web UI for the first time, you are presented with a two-step wizard that asks you to create user accounts and add your first few devices / hosts to monitor. You are then taken directly to the Dashboard tab. Use the Dashboard, Events, Infrastructure, Reports and Advanced tabs to configure Zenoss Core and review reports and events that need attention.</p>
<h2>10. <a href="http://www.paessler.com/prtg">PRTG Network Monitor Freeware</a></h2>
<p>PRTG Network Monitor monitors network availability and network usage using a variety of protocols including SNMP, Netflow and WMI. It is a powerful tool that offers an easy to use web-based interface and apps for iOS and Android. Amongst others, PRTG Network Monitor&#8217;s key features include:</p>
<p>(1) Comprehensive Network Monitoring, which offers more than 170 sensor types for application monitoring, virtual server monitoring, SLA monitoring and QoS monitoring.</p>
<p>(2) Flexible Alerting, including 9 different notification methods, status alerts, limit alerts, threshold alerts, conditional alerts, and alert scheduling.</p>
<p>(3) In-Depth Reporting, including the ability to create reports in HTML/PDF format, scheduled reports, as well as pre-defined reports (e.g. Top 100 Ping Times) and report templates.</p>
<p><b>Note:</b> The Freeware version of PRTG Network Monitor is limited to 10 sensors.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/PRTGNetworkMonitor.png"><img class="aligncenter size-medium wp-image-10688" alt="PRTGNetworkMonitor" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/PRTGNetworkMonitor-300x262.png" width="300" height="262" /></a></p>
<p>When you launch PRTG Network Monitor, head straight to the configuration wizard to get started. This wizard will run you through the main configuration settings required to get the application up and running, including adding the servers to monitor and choosing which sensors to use.</p>
<h2>11. <a href="http://www.mikrotik.com/thedude">The Dude</a></h2>
<p>The Dude is a network monitoring tool that monitors devices and alerts you when there is a problem. It can also automatically scan all devices on a given subnet and then draw and layout a map of your network.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/TheDude.png"><img class="aligncenter size-medium wp-image-10689" alt="TheDude" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/TheDude-300x174.png" width="300" height="174" /></a></p>
<p>When you launch The Dude, you first choose to connect to a local or remote network and specify credentials accordingly. Click ‘Settings’ to configure options for SNMP, Polling, Syslog and Reports.</p>
<h2>12. <a href="http://www.splunk.com/download">Splunk</a></h2>
<p>Splunk is a data collection and analysis platform that allows you to monitor, gather and analyze data from different sources on your network (e.g. event logs, devices, services, TCP/UDP traffic, etc). You can set up alerts to notify you when something is wrong or use Splunk’s extensive search, reporting and dashboard features to make the most of the collected data. Splunk also allows you to install &#8216;Apps&#8217; to extend system functionality.</p>
<p><b>Note: </b>When you first download and install Splunk, it automatically installs the Enterprise version for you to trial for 60 days before switching to the Free version. To switch to the Free version straight away, go to Manager &gt; Licensing.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/Splunk.png"><img class="aligncenter size-medium wp-image-10690" alt="Splunk" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/Splunk-300x262.png" width="300" height="262" /></a></p>
<p>When you log in to the Splunk web UI for the first time, add a data source and configure your indexes to get started. Once you do this you can then create reports, build dashboards, and search and analyze data.</p>
<h2>13. <a href="http://www.angryip.org/w/Download">Angry IP Scanner</a></h2>
<p>Angry IP Scanner is a standalone application that facilitates IP address and port scanning. It is used to scan a range of IP addresses to find hosts that are alive and obtain information about them (including MAC address, open ports, hostname, ping time, NetBIOS information, etc.).</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/AngryIpScanner.png"><img class="aligncenter size-medium wp-image-10691" alt="AngryIpScanner" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/AngryIpScanner-300x179.png" width="300" height="179" /></a></p>
<p>When you execute the application, go to Tools &gt; Preferences to configure Scanning and Port options, then go to Tools &gt; Fetchers to choose what information to gather from each scanned IP address.</p>
<h2>14. <a href="http://www.ntop.org/ntop/ntop-is-back-ntopng-1-0-just-released/">ntopng</a></h2>
<p>ntopng (‘ng’ meaning ‘next generation’) is the latest version of the popular network traffic analyzer called ntop. ntopng will sit in the background and gather network traffic, then display network usage information and statistics within a Web UI.</p>
<p><b>Note:</b> Although originally aimed for use on Unix-based systems, there is a Windows version available for a small fee, or a demo version limited to 2000 packets. If you are comfortable running ntopng on a Unix-based box then you can get the full version for free.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/ntopng.png"><img class="aligncenter size-medium wp-image-10692" alt="ntopng" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/ntopng-300x282.png" width="300" height="282" /></a></p>
<p>The image above shows the ntopng dashboard after a few minutes of network traffic collection. In this example, I am using the Windows version. After installation, I simply executed the redis-server.exe file from ..\Program Files (x86)\Redis and fired up the Web UI (http://127.0.0.1:3000).</p>
<h2>15. <a href="http://www.softinventive.com/products/total-network-monitor/">Total Network Monitor</a></h2>
<p>Total Network Monitor continuously monitors hosts and services on the local network, notifying you of any issues that require attention via a detailed report of the problem. The result of each probe is classified using green, red, or black colors to quickly show whether the probe was successful, had a negative result or wasn’t able to complete.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/TotalNetworkMonitor.png"><img class="aligncenter size-medium wp-image-10693" alt="TotalNetworkMonitor" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/TotalNetworkMonitor-300x191.png" width="300" height="191" /></a></p>
<p>When you launch Total Network Monitor, go to Tools &gt; Scan Wizard to have the wizard scan a specified network range automatically and assign the discovered hosts to a group. Alternatively, create a new group manually to start adding devices/hosts individually.</p>
<h2>16. <a href="http://www.netxms.org/download/">NetXMS</a></h2>
<p>NetXMS is a multi-platform network management and monitoring system that offers event management, performance monitoring, alerting, reporting and graphing for the entire IT infrastructure model. NetXMS&#8217;s main features include support for multiple operating systems and database engines, distributed network monitoring, auto-discovery, and business impact analysis tools, amongst others. NetXMS gives you the option to run a web-based interface or a management console.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/NetXMS.png"><img class="aligncenter size-medium wp-image-10694" alt="NetXMS" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/NetXMS-300x185.png" width="300" height="185" /></a></p>
<p>Once you log in to NetXMS, you need to first go to the “Server Configuration” window to change a few settings that are dependent on your network requirements (e.g. changing the number of data collection handlers or enabling network discovery). You can then run the Network Discovery option for NetXMS to automatically discover devices on your network, or add new nodes by right clicking on “Infrastructure Services” and selecting Tools &gt; Create Node.</p>
<h2>17. <a href="http://sourceforge.net/projects/xymon/">Xymon</a></h2>
<p>Xymon is a web-based system &#8211; designed to run on Unix-based systems &#8211; that allows you to dive deep into the configuration, performance and real-time statistics of your networking environment. It offers monitoring capabilities with historical data, reporting and performance graphs.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/Xymon.png"><img class="aligncenter size-medium wp-image-10695" alt="Xymon" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/Xymon-300x206.png" width="300" height="206" /></a></p>
<p>Once you&#8217;ve installed Xymon, the first place you need to go is the hosts.cfg file to add the hosts that you are going to monitor. Here, you add information such as the host IP address, the network services to be monitored, what URLs to check, and so on.</p>
<p>When you launch the Xymon Web UI, the main page lists the systems and services being monitored by Xymon. Clicking on each system or service allows you to bring up status information about a particular host and then drill down to view specific information such as CPU utilization, memory consumption, RAID status, etc.</p>
<h2>18. <a href="http://www.nirsoft.net/utils/wireless_network_view.html">WirelessNetView</a></h2>
<p>WirelessNetView is a lightweight utility (available as a standalone executable or installation package) that monitors the activity of reachable wireless networks and displays information related to them, such as SSID, Signal Quality, MAC Address, Channel Number, Cipher Algorithm, etc.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/WirelessNetView.png"><img class="aligncenter size-medium wp-image-10696" alt="WirelessNetView" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/WirelessNetView-300x90.png" width="300" height="90" /></a></p>
<p>As soon as you execute WirelessNetView, it automatically populates a list of all reachable Wi-Fi networks in the area and displays information relevant to them (all columns are enabled by default).</p>
<p><b>Note: </b><a href="http://www.nirsoft.net/utils/wireless_network_watcher.html">Wireless Network Watcher</a> is a small utility that goes hand in hand with WirelessNetView. It scans your wireless network and displays a list of all computers and devices that are currently connected, showing information such as IP address, MAC address, computer name and NIC manufacturer – all of which can be exported to an html/xml/csv/txt file.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/WirelessNetworkWatcher.png"><img class="aligncenter size-medium wp-image-10697" alt="WirelessNetworkWatcher" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/WirelessNetworkWatcher-300x134.png" width="300" height="134" /></a></p>
<h2>19. <a href="http://www.xirrus.com/Products/Wi-Fi-Inspector">Xirrus Wi-Fi Inspector</a></h2>
<p>Xirrus Wi-Fi Inspector can be used to search for Wi-Fi networks, manage and troubleshoot connections, verify Wi-Fi coverage, locate Wi-Fi devices and detect rogue Access Points. Xirrus Wi-Fi Inspector comes with built-in connection, quality and speed tests.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/XirrusWiFiInspector.png"><img class="aligncenter size-medium wp-image-10698" alt="XirrusWiFiInspector" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/XirrusWiFiInspector-300x247.png" width="300" height="247" /></a></p>
<p>Once you launch Wi-Fi Inspector and choose an adapter, a list of available Wi-Fi connections is displayed in the “Networks” pane. Details related to your current Wi-Fi connection are displayed in the top right hand corner. Everything pretty much happens from the top ribbon bar – you can run a test, change the layout, edit settings, refresh connections, etc.</p>
<h2>20. <a href="http://www.wireshark.org/download.html">Wireshark</a></h2>
<p>This list wouldn’t be complete without the ever popular Wireshark. Wireshark is an interactive network protocol analyzer and capture utility. It provides in-depth inspection of hundreds of protocols and runs on multiple platforms.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/WireShark.png"><img class="aligncenter size-medium wp-image-10699" alt="WireShark" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/WireShark-300x182.png" width="300" height="182" /></a></p>
<p>When you launch Wireshark, choose the interface you want to capture on and click the green shark-fin icon; capture starts immediately (capturing needs administrator or root privileges, or on Linux a user in the group that the dumpcap helper is restricted to). Once you’ve collected what you need, you can save the capture to a file for analysis in another application, or use the built-in display filters to drill down and analyze the captured packets at a deeper level from within Wireshark itself.</p>
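<p>To make the capture-then-filter step concrete, here is an added example (not part of the original post, and not Wireshark’s own code) that parses a classic libpcap file and applies a handful of Wireshark-style display-filter clauses to it in plain Python. The capture it works on is constructed in memory from four hand-built Ethernet/IPv4 frames on private and TEST-NET addresses; the field names (<code>ip.addr</code>, <code>tcp.port</code>, ...) follow Wireshark’s syntax, but the filter language implemented here is only the <code>field == value</code> and <code>&amp;&amp;</code> subset.</p>

```python
import csv
import io
import socket
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4   # magic as read little-endian from a little-endian file
PCAP_MAGIC_BE = 0xD4C3B2A1   # the same magic read little-endian from a big-endian file
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def build_frame(src_ip, dst_ip, proto, sport, dport, payload=b""):
    """Build a minimal Ethernet/IPv4/TCP-or-UDP frame (checksums left at zero)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    if proto == PROTO_TCP:
        # seq, ack, data offset (5 words), flags (SYN), window, checksum, urgent pointer
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total_len = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + l4 + payload


def build_pcap(frames):
    """Wrap frames in a classic libpcap file: 24-byte global header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_378_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def decode_frame(frame):
    """Return the IPv4/TCP/UDP fields of one Ethernet frame, or None if it is something else."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[14 + 9]
    src = socket.inet_ntoa(frame[14 + 12:14 + 16])
    dst = socket.inet_ntoa(frame[14 + 16:14 + 20])
    pkt = {"src": src, "dst": dst, "proto": proto, "sport": None, "dport": None}
    l4 = 14 + ihl
    if proto in (PROTO_TCP, PROTO_UDP) and len(frame) >= l4 + 4:
        pkt["sport"], pkt["dport"] = struct.unpack_from("!HH", frame, l4)
    return pkt


def parse_pcap(data):
    """Parse a pcap byte string into a list of decoded packet dicts."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC_LE:
        e = "<"
    elif magic == PCAP_MAGIC_BE:
        e = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack_from(e + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is handled")
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(e + "IIII", data, off)
        off += 16
        pkt = decode_frame(data[off:off + incl_len])
        off += incl_len
        if pkt:
            pkt["time"] = ts_sec + ts_usec / 1e6
            packets.append(pkt)
    return packets


# A few Wireshark display-filter fields, each mapped to the packet values it can match.
FIELDS = {
    "ip.src": lambda p: [p["src"]],
    "ip.dst": lambda p: [p["dst"]],
    "ip.addr": lambda p: [p["src"], p["dst"]],
    "tcp.srcport": lambda p: [p["sport"]] if p["proto"] == PROTO_TCP else [],
    "tcp.dstport": lambda p: [p["dport"]] if p["proto"] == PROTO_TCP else [],
    "tcp.port": lambda p: [p["sport"], p["dport"]] if p["proto"] == PROTO_TCP else [],
    "udp.port": lambda p: [p["sport"], p["dport"]] if p["proto"] == PROTO_UDP else [],
}


def apply_filter(packets, expression):
    """Keep packets matching 'field == value' clauses joined by '&&' (a tiny display-filter subset)."""
    clauses = [c.strip() for c in expression.split("&&")]

    def matches(pkt):
        for clause in clauses:
            field, sep, value = clause.partition("==")
            field, value = field.strip(), value.strip()
            if not sep or field not in FIELDS:
                raise ValueError(f"unsupported clause: {clause!r}")
            wanted = int(value) if value.isdigit() else value
            if wanted not in FIELDS[field](pkt):
                return False
        return True
    return [p for p in packets if matches(p)]


def to_csv(packets):
    """Export decoded packets as CSV text, the way File > Export Packet Dissections would."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["time", "src", "dst", "proto", "sport", "dport"])
    for p in packets:
        w.writerow([f"{p['time']:.6f}", p["src"], p["dst"], p["proto"], p["sport"], p["dport"]])
    return buf.getvalue()


# Constructed sample capture: four frames on RFC 1918 / TEST-NET addresses, not real traffic.
SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.5", "192.0.2.10", PROTO_TCP, 51000, 80),
    build_frame("10.0.0.5", "10.0.0.9", PROTO_TCP, 51001, 443),
    build_frame("10.0.0.5", "10.0.0.1", PROTO_UDP, 40000, 53, b"\x12\x34"),
    build_frame("10.0.0.9", "10.0.0.5", PROTO_TCP, 22, 51002),
])

if __name__ == "__main__":
    pkts = parse_pcap(SAMPLE_PCAP)
    print(to_csv(apply_filter(pkts, "ip.addr == 10.0.0.9")))
```

<p>Running the file prints the two packets involving 10.0.0.9 as CSV. <code>parse_pcap</code> deliberately rejects pcapng, which has been Wireshark’s default save format since 1.8; save as classic pcap or convert with <code>editcap -F pcap</code> first.</p>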
<p>Are there any free tools not on this list that you’ve found useful and would like to share with the community? Then leave us a comment below and let us know!</p>
<p><strong><em>Like our posts? Subscribe to our <a href="http://feeds.feedburner.com/TalkTechToMe-All">RSS feed</a> or email feed (on the right hand side) now, and be the first to get them!</em></strong></p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/the-top-20-free-network-monitoring-and-analysis-tools-for-sys-admins/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Top 5 Free Rescue Discs for Your Sys Admin Toolkit</title>
		<link>http://www.gfi.com/blog/top-5-free-rescue-discs-for-your-sys-admin-toolkit/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=top-5-free-rescue-discs-for-your-sys-admin-toolkit</link>
		<comments>http://www.gfi.com/blog/top-5-free-rescue-discs-for-your-sys-admin-toolkit/#comments</comments>
		<pubDate>Fri, 12 Jul 2013 15:00:08 +0000</pubDate>
		<dc:creator>Andrew Zammit Tabona</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[TTTM]]></category>
		<category><![CDATA[AVG Rescue CD]]></category>
		<category><![CDATA[Avira AntiVir Rescue System]]></category>
		<category><![CDATA[Boot-Repair-Disk]]></category>
		<category><![CDATA[F-Secure Rescue CD]]></category>
		<category><![CDATA[FalconFour’s Ultimate Boot CD]]></category>
		<category><![CDATA[Hiren Boot CD]]></category>
		<category><![CDATA[Knoppix]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[Linux distribution]]></category>
		<category><![CDATA[Live USB]]></category>
		<category><![CDATA[Master Boot Record]]></category>
		<category><![CDATA[MiniXP]]></category>
		<category><![CDATA[Parted Magic]]></category>
		<category><![CDATA[PuppyLinux]]></category>
		<category><![CDATA[repair tools]]></category>
		<category><![CDATA[Rescue CDs]]></category>
		<category><![CDATA[Rescue Disc]]></category>
		<category><![CDATA[SystemRescueCD]]></category>
		<category><![CDATA[Trinity Rescue Kit]]></category>
		<category><![CDATA[troubleshoot]]></category>
		<category><![CDATA[Ubuntu LiveCD]]></category>
		<category><![CDATA[Ultimate Boot CD]]></category>
		<category><![CDATA[Windows]]></category>
		<category><![CDATA[Windows System Repair Disc]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=10653</guid>
		<description><![CDATA[A Rescue Disc can be a life saver for a Sys Admin. Packed with various diagnostic and repair tools they can do things like fix a Master Boot Record (MBR), recover a password, detect and clean a rootkit or simply &#8230;]]></description>
				<content:encoded><![CDATA[<p>A rescue disc can be a life saver for a sysadmin. Packed with diagnostic and repair tools, rescue discs can fix a Master Boot Record (MBR), recover a password, detect and clean a rootkit, or simply let you salvage data by copying it from a damaged drive to another location. Here are the best all-in-one bootable CD/USB images that admins can use to troubleshoot and repair a Linux or Windows system – all handy additions to your toolkit. Bear in mind that the same discs bypass the installed operating system entirely, password resets included, so anyone with physical access and a USB port can use them against you: lock the firmware boot order and encrypt the disks on machines you care about.</p>
<p><b>1. <a href="http://www.hirensbootcd.org/download/">Hiren Boot CD</a></b></p>
<p>The tagline for Hiren Boot CD reads “a first aid kit for your computer” &#8211; and that it is! Hiren Boot CD is one of the more popular Rescue CDs out there and contains a wealth of tools including defrag tools, driver tools, backup tools, anti-virus and anti-malware tools, rootkit detection tools, secure data wiping tools, and partitioning tools, amongst others.</p>
<p>Hiren Boot CD is available to download as an ISO for easy installation to a USB or burning to a CD.</p>
<p>The boot menu allows you to boot into the MiniXP environment, the Linux-based rescue environment, run a series of tools or boot directly from a specified partition.</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/Hiren_PreBoot.png"><img class="aligncenter  wp-image-10654" alt="Hiren_PreBoot" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/Hiren_PreBoot.png" width="464" height="243" /></a></p>
<p>The MiniXP environment, as shown in the image below, is much like a Windows XP desktop. Everything pretty much happens from the HBCD Launcher (a standalone application with a drop down menu containing shortcuts to the packaged applications).</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/Hiren_MiniXPBooted.png"><img class="aligncenter  wp-image-10655" alt="Hiren_MiniXPBooted" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/Hiren_MiniXPBooted.png" width="432" height="325" /></a></p>
<p>&nbsp;</p>
<p><b>2. <a href="http://falconfour.wordpress.com/tag/f4ubcd/">FalconFour’s Ultimate Boot CD</a></b></p>
<p>FalconFour’s Ultimate Boot CD is based upon the Hiren Boot CD with a customized boot menu and a whole bunch of updated tools thrown in. F4’s UBCD contains tools that provide system information, tools that recover/repair broken partitions, tools that recover data, as well as file utilities, password recovery tools, network tools, malware removal tools and much more.</p>
<p>F4’s UBCD is available for download as an ISO file so you can burn it to a CD or use it to create a bootable USB drive.</p>
<p>Similar to Hiren Boot CD, when you boot F4’s UBCD you are presented with a menu giving you the option to boot into a Linux environment, the MiniXP environment or run a series of standalone tools. As you scroll through the menu, a description of each item is given at the bottom of the screen.</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/F4UBCD1_PreBoot.png"><img class="aligncenter  wp-image-10656" alt="F4UBCD1_PreBoot" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/F4UBCD1_PreBoot.png" width="406" height="318" /></a></p>
<p>As with Hiren Boot CD, the MiniXP environment is much like a Windows XP desktop, only it is really lightweight and comes pre-packed with a host of diagnostic and repair tools.</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/F4UBCD2_MiniXPBooted.png"><img class="aligncenter  wp-image-10657" alt="F4UBCD2_MiniXPBooted" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/F4UBCD2_MiniXPBooted.png" width="443" height="332" /></a></p>
<p>Once the desktop has loaded up, choose from one of the available application shortcuts, launch the HBCD Menu or go to the Start menu to get going.</p>
<p>&nbsp;</p>
<p><b>3. <a href="http://www.sysresccd.org/Download">SystemRescueCD</a> </b></p>
<p>SystemRescueCD is a Linux-based package for troubleshooting Linux and Windows systems. The disc contains antivirus, malware removal, and rootkit removal tools as well as tools to help manage or repair partitions, recover your data, back up your data or clone your drives. SystemRescueCD supports ext2/ext3/ext4, reiserfs, btrfs, xfs, jfs, vfat, and ntfs file systems, as well as network file systems like samba and nfs. It also comes with network troubleshooting, file editing, and bootloader restoration tools.</p>
<p>SystemRescueCD is available for download as an ISO file so you can burn it to a CD or use it to create a bootable USB drive.</p>
<p>When you boot the SystemRescueCD, the pre-boot menu gives you a multitude of options, allowing you to boot directly into the graphical environment or the command line.</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/SystemRescueCD1_PreBoot1.png"><img class="aligncenter  wp-image-10659" alt="SystemRescueCD1_PreBoot" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/SystemRescueCD1_PreBoot1.png" width="383" height="287" /></a></p>
<p>In the image below, I have booted into the graphical environment and started the chkrootkit application from the Terminal window which searches for rootkits installed on the system. Other applications can be run directly from the terminal in a similar fashion, using arguments and parameters as necessary.</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/SystemRescueCD1_xstart.png"><img class="aligncenter  wp-image-10660" alt="SystemRescueCD1_xstart" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/SystemRescueCD1_xstart.png" width="433" height="324" /></a></p>
<p>&nbsp;</p>
<p><b>4. <a href="http://www.ultimatebootcd.com/download.html">Ultimate Boot CD</a></b></p>
<p>Ultimate Boot CD is designed to help you troubleshoot Windows and Linux systems using a series of diagnostic and repair tools. It contains anything from data recovery and drive cloning tools to BIOS management, memory and CPU testing tools.</p>
<p>UBCD is downloadable in ISO format for easy installation to a USB or burning to a CD.</p>
<p><b>Note:</b> UBCD4Win (<a href="http://www.ubcd4win.com/">http://www.ubcd4win.com/</a>) is UBCD’s brother built specifically for Windows systems.</p>
<p>When you boot UBCD you are presented with a text-mode menu that you navigate depending on which system component you wish to troubleshoot.</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/UBCD_PreBoot.png"><img class="aligncenter  wp-image-10661" alt="UBCD_PreBoot" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/UBCD_PreBoot.png" width="474" height="265" /></a></p>
<p>&nbsp;</p>
<p><b>5. <a href="http://trinityhome.org/Home/index.php?content=TRINITY_RESCUE_KIT_DOWNLOAD">Trinity Rescue Kit</a></b></p>
<p>The Trinity Rescue Kit is a Linux-based Rescue CD aimed specifically at recovery and repair of Windows or Linux machines. It contains a range of tools allowing you to run AV scans, reset lost Windows passwords, backup data, recover data, clone drives, modify partitions and run rootkit detection tools.</p>
<p>The Trinity Rescue Kit is downloadable in ISO format for easy installation to a USB or burning to a CD.</p>
<p>The boot menu gives you the option to start TRK in different modes (useful if you’re having trouble loading in default mode).</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/Trinity_PreBoot.png"><img class="aligncenter  wp-image-10662" alt="Trinity_PreBoot" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/Trinity_PreBoot.png" width="361" height="295" /></a></p>
<p>Once you get to the Trinity Rescue Kit ‘easy menu’, simply navigate through the list to choose which tool to execute. You can also switch to the command line if you want more flexibility and feel comfortable with Linux-based commands.</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/Trinity_EasyBootMenu.png"><img class="aligncenter  wp-image-10663" alt="Trinity_EasyBootMenu" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/Trinity_EasyBootMenu.png" width="435" height="309" /></a></p>
<p>&nbsp;</p>
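<p>All five of the discs above are distributed as ISO images, and a rescue disc runs with full access to every disk in the machine, so it is worth checking that the image you burn is the one the project published. The added example below (not part of the original post, and not any project’s own tooling) streams a file through SHA-256 and compares the result with a <code>sha256sum</code>-style checksum list; the image and checksum list it uses are constructed inline. A checksum only proves the download was not corrupted or altered in transit if the checksum itself came from somewhere you trust (the project’s HTTPS site or a PGP-signed file), not from the same mirror as the image.</p>

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so multi-gigabyte ISOs do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_checksum_list(text):
    """Parse sha256sum-style lines ('<hex>  <name>' or '<hex> *<name>') into {name: hex}."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")   # sha256sum marks binary mode with a leading '*'
        if len(digest) != 64 or any(c not in "0123456789abcdefABCDEF" for c in digest):
            raise ValueError(f"not a SHA-256 hex digest: {digest!r}")
        expected[name] = digest.lower()
    return expected


def verify_image(path, checksum_text):
    """Return (ok, detail): ok is True only when the file hashes to its published SHA-256."""
    expected = parse_checksum_list(checksum_text)
    name = os.path.basename(path)
    if name not in expected:
        return False, f"no checksum entry for {name}"
    actual = sha256_file(path)
    if actual != expected[name]:
        return False, f"mismatch: expected {expected[name]}, got {actual}"
    return True, actual


def demo(tmpdir=None):
    """Construct a fake ISO and checksum file, then verify it intact and after a one-byte change."""
    tmpdir = tmpdir or tempfile.mkdtemp()
    image = os.path.join(tmpdir, "rescue.iso")
    payload = b"CD001" * 2048            # constructed stand-in for ISO 9660 content
    with open(image, "wb") as f:
        f.write(payload)
    checksums = f"{hashlib.sha256(payload).hexdigest()} *rescue.iso\n"
    intact = verify_image(image, checksums)
    with open(image, "r+b") as f:        # flip one byte, as a corrupt or tampered download would
        f.seek(100)
        f.write(b"X")
    tampered = verify_image(image, checksums)
    return intact[0], tampered[0]


if __name__ == "__main__":
    print(demo())   # (True, False)
```

<p>In practice you would call <code>verify_image("/path/to/rescue.iso", open("SHA256SUMS").read())</code> before writing the image to a USB stick; the same function works for any download published with a checksum list.</p>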
<h2><b>You may also wish to consider…</b></h2>
<p><a href="http://sourceforge.net/projects/boot-repair-cd/"><b>Boot-Repair-Disk</b></a></p>
<p>Boot-Repair-Disk is a Rescue CD primarily designed for repairing Linux distributions but can also be used to fix some Windows systems. It automatically launches the Boot-Repair application (a one-click repair system) which is used to repair access to operating systems; providing GRUB reinstallation, MBR restoration, file system repair and UEFI, SecureBoot, RAID, LVM, and Wubi support.</p>
<p><a href="http://partedmagic.com/doku.php?id=downloads"><b>Parted Magic</b></a></p>
<p>Parted Magic is a Linux-based bootable disc whose main focus is helping to repair/diagnose drive specific issues. It contains a series of drive management tools such as GParted, GSmartControl, CloneZilla and ms-sys for creating/editing partitions, retrieving drive status information, cloning a drive or managing bootloaders.</p>
<p><a href="http://windows.microsoft.com/en-gb/windows7/create-a-system-repair-disc"><b>Windows System Repair Disc</b></a></p>
<p>The Windows System Repair Disc lets you boot into the Windows Recovery Environment, giving you the option to detect and fix startup and booting issues, restore to a workable restore point (if you had System Restore enabled), restore the entire machine from a backup image, conduct a memory diagnostics test and use the command line to run utilities like chkdsk.</p>
<p>Additionally, Linux distributions such as <a href="http://puppylinux.org/main/Overview%20and%20Getting%20Started.htm"><b>PuppyLinux</b></a>, <a href="https://help.ubuntu.com/community/LiveCD"><b>Ubuntu LiveCD</b></a> or <a href="http://knoppix.net/"><b>Knoppix</b></a> are lightweight bootable versions of Linux that contain a host of handy tools to fix common problems, recover data, transfer data, scan for viruses, manage partitions, etc.</p>
<p>Finally, you could also try a rescue disc from a popular anti-virus vendor, such as <a href="http://www.avg.com/gb-en/avg-rescue-cd"><b>AVG Rescue CD</b></a>, <a href="http://www.f-secure.com/en/web/labs_global/removal-tools/-/carousel/view/142"><b>F-Secure Rescue CD</b></a>, or <a href="http://www.avira.com/en/download/product/avira-antivir-rescue-system"><b>Avira AntiVir Rescue System</b></a>. Although primarily intended for systems that are infected with malware, they are worth adding to your arsenal.</p>
<h2><b>Create your own!</b></h2>
<p>If you want more flexibility, why not create or customize your own bootable rescue disc?</p>
<p>You have a couple of options here:</p>
<p><b>1) Create your own bootable Live USB</b></p>
<p>Using applications such as YUMI (Your Universal Multiboot Installer) or UNetBootin, you can create a multi-boot USB drive containing several operating systems, antivirus utilities, disc cloning, diagnostic tools, and more.</p>
<p><b>2) Modify a Linux distribution</b></p>
<p>If you are using a Linux-based Rescue CD / Live CD, you can use an application like Live-Magic (for Debian-based Linux distributions) or Remastersys to create a bootable ISO of an already installed Linux OS. The idea would be to install a clean build of Linux, add or remove applications and make any customizations as necessary and then run the above mentioned applications to capture the build into an ISO.</p>
<p>Alternatively, instead of using an application, you can use a series of shell scripts to do the same thing. Check out <a href="http://www.linux-live.org/">http://www.linux-live.org/</a> for more information.</p>
<p>So which is your favourite? Have you come across any Rescue CDs not on this list that you’ve found useful and would like to share with the rest of the community?</p>
<p><strong><em>Like our posts? Subscribe to our <a href="http://feeds.feedburner.com/TalkTechToMe-All">RSS feed</a> or email feed (on the right hand side) now, and be the first to get them!</em></strong></p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/top-5-free-rescue-discs-for-your-sys-admin-toolkit/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Top 20 Free Disk Tools for SysAdmins</title>
		<link>http://www.gfi.com/blog/top-20-free-disk-tools-for-sysadmins/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=top-20-free-disk-tools-for-sysadmins</link>
		<comments>http://www.gfi.com/blog/top-20-free-disk-tools-for-sysadmins/#comments</comments>
		<pubDate>Wed, 12 Jun 2013 16:00:22 +0000</pubDate>
		<dc:creator>Andrew Zammit Tabona</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[TTTM]]></category>
		<category><![CDATA[CloneZilla]]></category>
		<category><![CDATA[CrystalDiskInfo]]></category>
		<category><![CDATA[Darik’s Boot And Nuke]]></category>
		<category><![CDATA[DBAN]]></category>
		<category><![CDATA[Defraggler]]></category>
		<category><![CDATA[Disk2vhd]]></category>
		<category><![CDATA[DiskCryptor]]></category>
		<category><![CDATA[GParted]]></category>
		<category><![CDATA[HD Tune]]></category>
		<category><![CDATA[HDDScan]]></category>
		<category><![CDATA[MyDefrag]]></category>
		<category><![CDATA[NTFSWalker]]></category>
		<category><![CDATA[OSFMount]]></category>
		<category><![CDATA[Parted Magic]]></category>
		<category><![CDATA[Recuva]]></category>
		<category><![CDATA[SpeedFan]]></category>
		<category><![CDATA[SSDLife]]></category>
		<category><![CDATA[TestDisk]]></category>
		<category><![CDATA[TreeSize]]></category>
		<category><![CDATA[TrueCrypt]]></category>
		<category><![CDATA[WinDirStat]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=10560</guid>
		<description><![CDATA[Here are 20 of the best free tools for partitioning, cloning, diagnostics, repair, recovery, encryption, wiping or drive information. This list is intended to supplement the list provided on 101 Free SysAdmin Tools. Even if you may have heard of some &#8230;]]></description>
				<content:encoded><![CDATA[<p>Here are 20 of the best free tools for partitioning, cloning, diagnostics, repair, recovery, encryption, wiping or drive information. This list is intended to supplement the list provided on <a href="http://www.gfi.com/blog/101-free-admin-tools/"><i>101 Free SysAdmin Tools</i></a>. Even if you may have heard of some of these tools before, I’m confident that you’ll find a gem or two amongst this list.<span id="more-10560"></span></p>
<h2>1. TestDisk</h2>
<p><a href="http://www.cgsecurity.org/wiki/TestDisk">TestDisk</a> allows you to repair boot sectors, recover deleted partitions, fix damaged partition tables, and recover deleted data, as well as copy files from deleted/inaccessible partitions. It works on a number of different file systems including FAT/NTFS/exFAT/ext2.</p>
<p><b>Note:</b> Bundled with TestDisk is a companion application called PhotoRec. PhotoRec recovers photos, videos and documents from different storage media by going beyond the file system and looking for specific data blocks (i.e. clusters) belonging to the missing file(s).</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/06/TestDisk.png"><img class="size-medium wp-image-10561 aligncenter" alt="TestDisk" src="http://www.gfi.com/blog/wp-content/uploads/2013/06/TestDisk-300x195.png" width="300" height="195" /></a></p>
<p>When you first run TestDisk you are asked to choose whether you want a log file to be created. You are then given a list of partition table types to choose from (this will allow the application to use the correct signature when reading the partitions on all available disks), before being presented with a list of available hard drive partitions to perform a selected action on. The choice of actions you can perform on each partition include:</p>
<ol>
<li>analysing the partition for the correct structure (and repairing it accordingly if a problem is found)</li>
<li>changing the disk geometry</li>
<li>deleting all data in the partition table</li>
<li>recovering the boot sector</li>
<li>listing and copying files</li>
<li>recovering deleted files</li>
<li>creating an image of the partition</li>
</ol>
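<p>TestDisk’s first action, checking the partition table for a consistent structure, is worth understanding before you let any tool rewrite it (the rescue discs above that “fix the MBR” are editing the same 64 bytes). The following added example (not from the original post or from TestDisk) decodes the four 16-byte entries of a classic MBR and reports the inconsistencies a damaged table typically shows: a missing 0x55AA signature, two partitions flagged active, overlapping extents, or a partition running past the end of the disk. The sector images it checks are constructed with the included <code>build_mbr</code> helper rather than read from a real drive; on a GPT disk the same parser will only show the single protective 0xEE entry, since the real table lives in the GPT header. Applied to a real disk, <code>parse_mbr</code> would take the first 512 bytes of the raw device, which requires administrator/root rights.</p>

```python
import struct

MBR_SIZE = 512
TABLE_OFFSET = 446             # a 446-byte bootstrap area precedes the partition table
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510 and 511

# Partition type IDs you are likely to meet; anything else is reported as hex.
TYPE_NAMES = {
    0x05: "Extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)",
    0x0F: "Extended (LBA)", 0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective",
}


def build_entry(status, ptype, lba_start, sectors):
    """Pack one 16-byte entry; CHS fields hold the 'use LBA' placeholder (0xFE 0xFF 0xFF)."""
    chs_max = b"\xfe\xff\xff"
    return struct.pack("<B3sB3sII", status, chs_max, ptype, chs_max, lba_start, sectors)


def build_mbr(entries, bootstrap=b""):
    """Assemble a 512-byte MBR from up to four packed entries (for constructing test data)."""
    table = b"".join(entries).ljust(4 * ENTRY_SIZE, b"\x00")
    return bootstrap.ljust(TABLE_OFFSET, b"\x00") + table + BOOT_SIGNATURE


def parse_mbr(sector, disk_sectors=None):
    """Decode the four partition entries and return (entries, problems).

    problems is a list of human-readable inconsistencies; an empty list means the
    table passed every structural check this function knows about.
    """
    if len(sector) < MBR_SIZE:
        raise ValueError("an MBR is the first 512 bytes of the disk")
    problems = []
    if sector[510:512] != BOOT_SIGNATURE:
        problems.append("boot signature 0x55AA missing: sector is not a valid MBR")
    entries = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(
            "<B3sB3sII", sector, TABLE_OFFSET + i * ENTRY_SIZE)
        if ptype == 0x00:
            continue  # empty slot
        entries.append({
            "index": i, "bootable": status == 0x80, "type": ptype,
            "type_name": TYPE_NAMES.get(ptype, f"0x{ptype:02X}"),
            "lba_start": lba, "sectors": count,
        })
        if status not in (0x00, 0x80):
            problems.append(f"entry {i}: status byte 0x{status:02X} is neither 0x00 nor 0x80")
        if count == 0:
            problems.append(f"entry {i}: zero-length partition")
        if lba == 0:
            problems.append(f"entry {i}: starts at LBA 0, on top of the MBR itself")
        if disk_sectors is not None and lba + count > disk_sectors:
            problems.append(f"entry {i}: ends at sector {lba + count}, past the end of the disk ({disk_sectors})")
    if sum(e["bootable"] for e in entries) > 1:
        problems.append("more than one partition flagged active (bootable)")
    ordered = sorted(entries, key=lambda e: e["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            problems.append(f"entries {a['index']} and {b['index']} overlap")
    return entries, problems


# Constructed MBRs (not from a real disk): a consistent two-partition table and a damaged one.
GOOD_MBR = build_mbr([
    build_entry(0x80, 0x07, 2048, 204800),     # 100 MiB NTFS, active
    build_entry(0x00, 0x83, 206848, 409600),   # 200 MiB Linux, starts where the first ends
])
BAD_MBR = build_mbr([
    build_entry(0x80, 0x07, 2048, 204800),
    build_entry(0x80, 0x83, 100000, 409600),   # second active flag, and overlaps entry 0
])
NO_SIGNATURE_MBR = GOOD_MBR[:510] + b"\x00\x00"

if __name__ == "__main__":
    for name, img in (("good", GOOD_MBR), ("bad", BAD_MBR), ("no-signature", NO_SIGNATURE_MBR)):
        entries, problems = parse_mbr(img, disk_sectors=1_000_000)
        print(name, [(e["index"], e["type_name"], e["lba_start"], e["sectors"]) for e in entries], problems)
```

<p>Passing <code>disk_sectors</code> (the device size divided by 512) turns on the end-of-disk check, which is the one that catches a table copied from a larger drive; the other checks need nothing but the sector itself.</p>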
<h2>2. Parted Magic</h2>
<p><a href="http://partedmagic.com/">Parted Magic</a> is a Linux-based bootable CD/USB that contains a series of HDD/SSD disk management tools such as GParted, GSmartControl, Disk Eraser and CloneZilla.</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/06/PartedMagic.png"><img class="size-medium wp-image-10562 aligncenter" alt="PartedMagic" src="http://www.gfi.com/blog/wp-content/uploads/2013/06/PartedMagic-300x179.png" width="300" height="179" /></a></p>
<p>When you boot the machine using Parted Magic you are presented with a menu asking which GUI version you’d like to load (xvesa or xorg), as well as whether you want to load Parted Magic directly from RAM. Once Parted Magic has loaded, the UI is much like a Linux operating system – all you need to do is select which tool to run and go from there.</p>
<h2><b>3. WinDirStat</b></h2>
<p><a href="http://windirstat.info/">WinDirStat</a> is a disk usage and clean-up utility that allows you to visualize how data is distributed across a disk and what types of data or which locations are hogging up most space.</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/06/WinDirStat.png"><img class="size-medium wp-image-10563 aligncenter" alt="WinDirStat" src="http://www.gfi.com/blog/wp-content/uploads/2013/06/WinDirStat-300x179.png" width="300" height="179" /></a></p>
<p style="text-align: left;">Once you’ve loaded WinDirStat and chosen which drives you’d like to analyse, you are presented with a tree view of the files and folders contained on each drive as well as a graphical representation showing which files are taking up most space. Clicking on a box within the graphic will display the file in question within the tree view on the left hand pane of the window.</p>
<h2 style="text-align: left;"><b>4. CloneZilla</b></h2>
<p style="text-align: left;"><a href="http://clonezilla.org/">CloneZilla</a> is a disk imaging and cloning tool that is packaged with Parted Magic but is also available as a standalone tool in two versions: CloneZilla Live and CloneZilla SE (Server Edition). CloneZilla Live is a bootable Linux distribution that allows you to clone individual machines, and CloneZilla SE is a package that you install and configure on a Linux distribution that allows you to push images to multiple clients simultaneously over the network.</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/06/CloneZilla-Live.png"><img class="size-medium wp-image-10564 aligncenter" alt="CloneZilla-Live" src="http://www.gfi.com/blog/wp-content/uploads/2013/06/CloneZilla-Live-300x224.png" width="300" height="224" /></a></p>
<h2 style="text-align: left;"><b>5. OSFMount</b></h2>
<p style="text-align: left;">Using this utility you can mount image files as drive letters and then browse the data directly. <a href="http://www.osforensics.com/tools/mount-disk-images.html">OSFMount</a> supports image files such as DD, ISO and BIN, as well as VMware images (*.VMDK) and Nero Burning ROM images (*.NRG). A neat additional feature of OSFMount is its ability to create RAM disks, useful if you want data to disappear when the machine is powered off (bear in mind that a page file or hibernation file can still carry copies of it to disk) or need to store data that requires fast access times (such as browser cache, database files, etc.).</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/06/OSFMount.png"><img class="size-medium wp-image-10565 aligncenter" alt="OSFMount" src="http://www.gfi.com/blog/wp-content/uploads/2013/06/OSFMount-300x207.png" width="300" height="207" /></a></p>
<p>After you run OSFMount, go to File &gt; Mount new virtual disk… to get started. Remember to leave “Read-only drive” checked, otherwise you risk overwriting data within the image you’ve just mounted.</p>
<h2 style="text-align: left;"><b>6. Defraggler</b></h2>
<p style="text-align: left;"><a href="http://www.piriform.com/defraggler">Defraggler</a> is a lightweight yet powerful defragmentation tool that allows you to defrag whole drives or selected files/folders. It has an intuitive interface that helps you to quickly visualize how much of the drive is fragmented and which files are causing most fragmentation.</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/06/Defraggler.png"><img class="size-medium wp-image-10566 aligncenter" alt="Defraggler" src="http://www.gfi.com/blog/wp-content/uploads/2013/06/Defraggler-300x258.png" width="300" height="258" /></a></p>
<p>Once you’ve performed an Analysis of the drive, you can use the Drive map to see which files are fragmented. Hover your mouse over a particular square on the map and click on it to display the files associated with that particular colour (e.g. fragmented, not fragmented, etc.).</p>
<h2 style="text-align: left;"><b>7. SSDLife</b></h2>
<p style="text-align: left;"><a href="http://ssd-life.com/eng/download-ssdlife.html">SSDLife</a> displays information about your SSD drive, its health status and estimated lifetime – all useful for helping you to plan ahead and take action accordingly.</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/06/SSDLife.png"><img class="size-medium wp-image-10567 aligncenter" alt="SSDLife" src="http://www.gfi.com/blog/wp-content/uploads/2013/06/SSDLife-217x300.png" width="217" height="300" /></a></p>
<p>SSDLife automatically detects the model of your SSD drive and displays information about it instantly upon loading the application.</p>
<p><b>Tip: </b>Each SSD manufacturer should have their own SSD drive management software which gives information similar to SSDLife Free. For example, the “Intel SSD Toolbox” can be used with the SSD shown in the screenshot above to display health status, detailed device information, and estimated life remaining.</p>
<h2 style="text-align: left;"><b>8. Darik’s Boot And Nuke (DBAN)</b></h2>
<p style="text-align: left;"><a href="http://www.dban.org/">DBAN</a> is a bootable application that overwrites every sector of a hard drive so that its contents cannot be recovered. This tool is useful when you are recycling or decommissioning a server/workstation.</p>
<p style="text-align: left;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/06/DBAN.png"><img class="aligncenter size-medium wp-image-10568" alt="DBAN" src="http://www.gfi.com/blog/wp-content/uploads/2013/06/DBAN-300x167.png" width="300" height="167" /></a></p>
<p>The two main options in DBAN are Interactive mode and Automatic mode. Interactive mode allows you to select which drives to wipe and which options to use when wiping them. Automatic mode wipes every drive it discovers, no questions asked, so disconnect any disk you intend to keep before booting it. Note also that DBAN works by overwriting sectors, which is the right approach for spinning disks but not for SSDs: wear-levelling means overwritten data can survive in spare blocks, so use the drive’s built-in ATA Secure Erase command for those instead.</p>
<h2 style="text-align: left;"><b>9. HD Tune</b></h2>
<p style="text-align: left;"><a href="http://www.hdtune.com/index.html">HD Tune</a> can measure the read/write performance of your HDD/SSD, scan for errors, check the health status and display drive information.</p>
<p style="text-align: left;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/06/HDTune.png"><img class="aligncenter size-medium wp-image-10569" alt="HDTune" src="http://www.gfi.com/blog/wp-content/uploads/2013/06/HDTune-300x240.png" width="300" height="240" /></a></p>
<p>Once you start the application, select the drive from the drop down list and navigate to the appropriate tab to view the information you need or start a scan accordingly.</p>
<h2><b>10. TrueCrypt</b></h2>
<p><a href="http://www.truecrypt.org/">TrueCrypt</a> is an open-source encryption application that can encrypt entire drives/partitions. It can also create an encrypted volume that appears as a normal file but is only accessible when mounted via TrueCrypt using the provided password. TrueCrypt allows you to select from a list of encryption algorithms (AES, Serpent, Twofish and cascades of them) that each use a 256-bit key. (TrueCrypt development was discontinued in 2014; VeraCrypt, a fork that can open TrueCrypt volumes, is the maintained successor.)</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/06/TrueCrypt.png"><img class="aligncenter size-medium wp-image-10570" alt="TrueCrypt" src="http://www.gfi.com/blog/wp-content/uploads/2013/06/TrueCrypt-300x255.png" width="300" height="255" /></a></p>
<p>When you open the TrueCrypt application, select a drive letter and click the “Create Volume” button to get started. This will launch the TrueCrypt Volume Creation Wizard which walks you through the process of encrypting a partition or creating an encrypted container file.</p>
<h2><b>11. CrystalDiskInfo</b></h2>
<p><a href="http://crystalmark.info/software/CrystalDiskInfo/index-e.html">CrystalDiskInfo</a> is a hard drive health monitoring tool that displays drive information and disk temperature and monitors S.M.A.R.T. attributes. CrystalDiskInfo can be configured to trigger an alert (e.g. write to the event log, send an e-mail or play a sound) when a certain threshold is reached, so it can be left to actively monitor the HDD and notify you automatically.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/06/CrystalDiskInfo.png"><img class="aligncenter size-medium wp-image-10571" alt="CrystalDiskInfo" src="http://www.gfi.com/blog/wp-content/uploads/2013/06/CrystalDiskInfo-300x297.png" width="300" height="297" /></a></p>
<p>The bar at the top displays all active hard drives. Clicking on each one will display the information for that drive. The Health Status and Temperature icons change colour depending on their value.</p>
<h2><b>12. Recuva</b></h2>
<p>In a few simple clicks, <a href="http://www.piriform.com/recuva">Recuva</a> allows you to recover files from your computer that were accidentally deleted or that have become damaged or corrupt. The Quick-Start Wizard walks you through the recovery process by asking a couple of simple questions about what you want to recover and where you want to recover it from and then initiating a quick scan. You can skip the wizard and go straight to the application if you wish.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/06/Recuva.png"><img class="aligncenter size-medium wp-image-10572" alt="Recuva" src="http://www.gfi.com/blog/wp-content/uploads/2013/06/Recuva-300x260.png" width="300" height="260" /></a></p>
<p>From the Recuva interface, select the drive to scan from the drop down box on the left hand side, choose a pre-defined file type filter from the drop down box on the right hand side and then click “Scan” to get started. The filters can be edited to add or remove file types by extension. The Options button allows you to modify options such as enabling a Deep Scan (instead of a Quick Scan), changing the viewing mode, as well as selecting a more thorough secure-overwrite method (how many passes are used when Recuva securely deletes a file).</p>
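<p>Both DBAN (8) and Recuva’s secure-overwrite option (12) work the same way underneath: write over the data one or more times and make sure the writes actually reach the disk. The added example below (not from the original post or from either tool) does this for a single file: random data on every pass but the last, zeros on the last so the result can be verified, with <code>fsync</code> after each pass so that the operating system’s write cache is not what you end up “wiping”. The sample file is constructed in a temporary directory. Two caveats a practitioner should know: overwriting a file only touches the blocks it currently occupies, so journaling, copy-on-write filesystems, snapshots and earlier copies are untouched (which is why DBAN wipes the whole device instead), and on SSDs wear-levelling can leave old copies in spare blocks regardless, so use the drive’s built-in ATA Secure Erase there.</p>

```python
import os
import tempfile


def overwrite_in_place(path, passes=3, chunk_size=1 << 20):
    """Overwrite every byte of the file: random data on all but the last pass, zeros on the last.

    Each pass is flushed and fsync'd so the data reaches the device rather than sitting in
    the page cache. Returns the number of bytes written per pass.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for p in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                n = min(chunk_size, remaining)
                f.write(os.urandom(n) if p < passes - 1 else bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return size


def verify_zeroed(path, chunk_size=1 << 20):
    """True if the file reads back as all zero bytes (the pattern of the final pass)."""
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            if any(chunk):
                return False
    return True


def wipe_file(path, passes=3):
    """Overwrite, verify, then unlink. Returns (bytes_overwritten, verified)."""
    written = overwrite_in_place(path, passes)
    ok = verify_zeroed(path)
    os.remove(path)
    return written, ok


def demo():
    """Constructed example: wipe a temporary file holding a fake credential dump."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "wb") as f:
        f.write(b"admin:P@ssw0rd\n" * 4096)   # 61440 bytes of made-up content
    written, ok = wipe_file(path)
    return written, ok, os.path.exists(path)


if __name__ == "__main__":
    print(demo())   # (61440, True, False)
```

<p>Three passes is plenty for a magnetic disk; what matters more than the pass count is the <code>fsync</code> and the verification read, since a write that never left the cache wipes nothing.</p>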
<h2><b>13. TreeSize</b></h2>
<p>An alternative to WinDirStat is a lightweight application called <a href="http://www.jam-software.com/treesize_free/screenshots.shtml">TreeSize</a>. TreeSize quickly scans drives or folders and displays the folder sizes in descending order (by default) to help you pinpoint which folders are taking up most space. The NTFS Compression flag can be enabled directly from within the application.</p>
<p>Once installed, TreeSize can also be started from the context menu by right clicking on a drive or folder and selecting “TreeSize Free” which will automatically open an instance of the application and display the details for that drive or folder.</p>
<p><b>Note: </b>When you have Defraggler, Recuva and TreeSize installed at the same time, you can initiate the Defraggler and Recuva features directly from within TreeSize for a given folder – all three applications integrate seamlessly.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/06/TreeSize.png"><img class="aligncenter size-medium wp-image-10573" alt="TreeSize" src="http://www.gfi.com/blog/wp-content/uploads/2013/06/TreeSize-300x228.png" width="300" height="228" /></a></p>
<p>Using the menu bar or the icons across the taskbar you can select options such as sorting by size or name, showing values in GB/MB/KB, displaying the percentage/file size/file count of the listed folders, and choosing which drives you wish to display details for.</p>
<h2><b>14. HDDScan</b></h2>
<p><a href="http://www.hddscan.com/">HDDScan</a> is a hard drive diagnostic utility used to test for disk errors, show S.M.A.R.T attributes, monitor disk temperature and perform a read/write benchmark.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/06/HDDSCan.png"><img class="aligncenter size-medium wp-image-10574" alt="HDDSCan" src="http://www.gfi.com/blog/wp-content/uploads/2013/06/HDDSCan-300x180.png" width="300" height="180" /></a></p>
<p>When you launch HDDScan, select the drive you wish to perform an action on from the drop down box on the left. Once selected, click the icon in the middle to get started.</p>
<h2><b>15. Disk2vhd</b></h2>
<p><a href="http://technet.microsoft.com/en-gb/sysinternals/ee656415">Disk2vhd</a> allows you to create a Virtual Hard Disk (VHD) of a live machine for use with Microsoft Virtual PC or Microsoft Hyper-V. This is a great tool for simulating your live environment within a virtual environment for testing purposes, or if you wish to have a virtualized backup of your live environment for redundancy purposes.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/06/Disk2VHD.png"><img class="aligncenter size-medium wp-image-10575" alt="Disk2VHD" src="http://www.gfi.com/blog/wp-content/uploads/2013/06/Disk2VHD-300x237.png" width="300" height="237" /></a></p>
<p>Use of this tool is simple. Choose a name and location for the VHD file to be stored, select which volumes to include and click “Create”. Disk2vhd also has some command line options, allowing you to script the creation of VHD files.</p>
<h2><b>16. NTFSWalker</b></h2>
<p><a href="http://dmitrybrant.com/ntfswalker">NTFSWalker</a> allows you to perform a low-level analysis of all records (including deleted data) within the Master File Table (MFT) of an NTFS drive. You can examine the properties of each record and extract its contents out to a file.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/06/NTFSWalker.png"><img class="aligncenter size-medium wp-image-10576" alt="NTFSWalker" src="http://www.gfi.com/blog/wp-content/uploads/2013/06/NTFSWalker-300x189.png" width="300" height="189" /></a></p>
<p>When you load NTFSWalker, you are first asked to select a disk to scan. Once you select the disk and confirm which partition you wish to view, the MFT records are displayed on the left hand pane and the details are displayed on the right hand pane. From the right hand pane, you can view the record properties, preview the file or review the contents in raw format (Hex Data).</p>
<h2><b>17. GParted</b></h2>
<p><a href="http://gparted.sourceforge.net/">GParted</a> is an open-source application for managing partitions. Using GParted you can manipulate partitions (i.e. create, delete, resize, move, copy) and attempt to recover data from lost partitions on a wide range of file systems.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/06/GParted.png"><img class="aligncenter size-medium wp-image-10577" alt="GParted" src="http://www.gfi.com/blog/wp-content/uploads/2013/06/GParted-300x224.png" width="300" height="224" /></a></p>
<p>GParted comes as a bootable CD which loads a Linux distribution containing the GParted application. When you download the ISO file you will need to burn the image onto a CD or follow the instructions to install it onto a bootable USB drive. When you launch GParted, you are presented with a list of partitions to choose from. Select the desired partition and choose an option to perform by right clicking on it, pressing an icon on the taskbar or navigating to an option on the menu bar.</p>
<h2><b>18. SpeedFan</b></h2>
<p><a href="http://www.almico.com/speedfan.php">SpeedFan</a> is a useful diagnostic utility that allows you to view details about the health of your machine, including hard disk temperatures and S.M.A.R.T (Self-Monitoring, Analysis and Reporting Technology) attributes.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/06/SpeedFan.png"><img class="aligncenter size-medium wp-image-10578" alt="SpeedFan" src="http://www.gfi.com/blog/wp-content/uploads/2013/06/SpeedFan-260x300.png" width="260" height="300" /></a></p>
<p>When you launch SpeedFan, the main tabs you will use for hard drive information are the Readings tab and the S.M.A.R.T tab. The Clocks tab can be used to compare temperature, voltage or fan speeds between two or more objects.</p>
<h2><b>19. MyDefrag</b></h2>
<p><a href="http://www.mydefrag.com/">MyDefrag</a> is a disk defragmentation and optimization utility that offers fast performance with little overhead and a number of actions tailored towards different disk uses (e.g. an action specifically for defragging the system disk, an action specifically for defragging flash memory drives, or the ability to only analyse the disk). MyDefrag also allows you to create or customize your own scripts and has a command line version so you can schedule the running of the application at given times.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/06/MyDefrag.png"><img class="aligncenter size-medium wp-image-10579" alt="MyDefrag" src="http://www.gfi.com/blog/wp-content/uploads/2013/06/MyDefrag-300x250.png" width="300" height="250" /></a></p>
<p>When you launch MyDefrag, you are presented with a series of scripts to choose from. Each script performs a given action against the disk(s) chosen from the bottom pane. Once you’ve selected a script and checked the desired disk(s), hit “Run” to initiate the action.</p>
<h2><b>20. DiskCryptor</b></h2>
<p>An alternative to TrueCrypt is <a href="http://diskcryptor.net/wiki/Main_Page/en">DiskCryptor</a>. DiskCryptor is an easy-to-use open-source application that allows you to encrypt whole partitions using the Twofish / AES / Serpent algorithms, or a combination of any of the three. DiskCryptor supports FAT12, FAT16, FAT32, NTFS and exFAT file systems, allowing encryption of internal or external drives.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/06/DiskCryptor.png"><img class="aligncenter size-medium wp-image-10580" alt="DiskCryptor" src="http://www.gfi.com/blog/wp-content/uploads/2013/06/DiskCryptor-289x300.png" width="289" height="300" /></a></p>
<p>When you launch DiskCryptor, select a partition and click “Encrypt” to get started. You will then need to select which encryption algorithm to use and will be asked to enter a password. The encryption process will begin as soon as you press “OK”.</p>
<p>Any free tools you know of that are missing from this list? Leave us a comment!</p>
<p><strong><em>Like our posts? Subscribe to our <a href="http://feeds.feedburner.com/TalkTechToMe-All">RSS feed</a> or email feed (on the right hand side) now, and be the first to get them!</em></strong></p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/top-20-free-disk-tools-for-sysadmins/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Advanced Persistent Threat (APT) – A Hyped up Marketing Term or a Security Concern?</title>
		<link>http://www.gfi.com/blog/advanced-persistent-threat-apt-a-hyped-up-marketing-term-or-a-security-concern/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=advanced-persistent-threat-apt-a-hyped-up-marketing-term-or-a-security-concern</link>
		<comments>http://www.gfi.com/blog/advanced-persistent-threat-apt-a-hyped-up-marketing-term-or-a-security-concern/#comments</comments>
		<pubDate>Mon, 13 May 2013 14:00:55 +0000</pubDate>
		<dc:creator>Andrew Zammit Tabona</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[TTTM]]></category>
		<category><![CDATA[Advanced Persistent Threat]]></category>
		<category><![CDATA[apt]]></category>
		<category><![CDATA[APT attack]]></category>
		<category><![CDATA[APT Examples]]></category>
		<category><![CDATA[APT Risk]]></category>
		<category><![CDATA[attack]]></category>
		<category><![CDATA[cyber attacks]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[exploit vulnerability]]></category>
		<category><![CDATA[network access]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[threat]]></category>
		<category><![CDATA[vulnerability exploit]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=10520</guid>
		<description><![CDATA[It is not uncommon for marketing teams or advertising agencies to take a current IT ‘buzzword’ and use it as part of their campaign to promote a new product or service. Advanced Persistent Threat (APT) is one of those buzzwords. &#8230;]]></description>
				<content:encoded><![CDATA[<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/05/Advanced-Persistent-Threat.jpg"><img class="alignright  wp-image-10521" style="border: 0px solid black; margin: 10px;" title="Advanced Persistent Threat" alt="Advanced Persistent Threat" src="http://www.gfi.com/blog/wp-content/uploads/2013/05/Advanced-Persistent-Threat-300x200.jpg" width="240" height="160" /></a>It is not uncommon for marketing teams or advertising agencies to take a current IT ‘buzzword’ and use it as part of their campaign to promote a new product or service. Advanced Persistent Threat (APT) is one of those buzzwords. Should we consider this term to be another form of scaremongering or is there a real threat behind it? This blog post will briefly outline what APT is and whether or not organizations should take what we are told by the advertising gurus with a pinch of salt.<span id="more-10520"></span><!--more--></p>
<p>It is thought that the term Advanced Persistent Threat (APT) was first coined by the US Air Force in 2006 to describe complex (i.e. Advanced) cyber-attacks against specific targets over a long period of time (i.e. Persistent).</p>
<p>An APT is a highly organized, well-funded attack against a specific target usually involving a large group of people working together and each bringing their own specialized skills to the table. The word ‘specific’ is important here because the people behind an APT have an intended purpose for wanting to target a particular entity. Using different methods (either internal or external), the attacker will relentlessly attempt to gain access to the network and stay there until they have achieved their objective.</p>
<p>The main targets of an APT attack are commonly those organizations with a large amount of sensitive information (e.g. source code, trade secrets, personally identifiable information (PII), etc.) that will usually help the attacker gain a competitive advantage, identify a weakness or somehow gain an upper hand over the victim of the attack. Such organizations include the following:</p>
<ol>
<li>Healthcare firms</li>
<li>Universities</li>
<li>Financial institutions</li>
<li>Government entities.</li>
</ol>
<h2>The APT Lifecycle</h2>
<p>Whilst each APT attack is tailored by the attacker depending on the intended target, the lifecycle of every APT attack typically consists of at least the following phases:</p>
<ol>
<li><strong>Investigate</strong> – research the organization, its employees, its policies, the applications and systems it uses, and so on</li>
<li><strong>Infiltrate</strong> – exploit a vulnerability, use an insider, etc. to gain access to the network and escalate privileges</li>
<li><strong>Explore</strong> – once inside, collect information about the infrastructure, domain hierarchy, trust relationships, security structure, etc. that will allow you to exploit the system even further</li>
<li><strong>Retrieve</strong> – move across the network to harvest data from the organization over a sustained period of time</li>
<li><strong>Clean up</strong> – cover your tracks to ensure minimal attention and maintained presence within the network.</li>
</ol>
<p>The attacker will normally use a variety of attack vectors as part of the APT lifecycle. The tools and techniques they use are those commonly associated with everyday cyber-attacks, such as social engineering (spear phishing or targeted phone calls), infected media, zero-day exploits, as well as a rogue employee or contractor inside the organization.</p>
<h2>APT Examples</h2>
<p>Probably one of the most widely publicized APTs was a highly sophisticated piece of malware called Stuxnet that was first discovered in June 2010 and has been intensely scrutinized by security researchers worldwide ever since. Stuxnet exploited four zero-day vulnerabilities and spread via USB devices. Its intention was to search for industrial control systems and siphon off source code and project data over time. With the majority of Stuxnet activity coming from Iran, it is believed that one of Iran’s nuclear power plants was the main target.</p>
<p>Other examples of APTs include:</p>
<p>(1) Operation Aurora in 2010 where a zero-day vulnerability in IE 6.0 was used in an attempt to steal intellectual property and gain access to user accounts in Google, Adobe, Symantec and many other high profile organizations.</p>
<p>(2) An attack on RSA in 2011 where the APT started from a spear phishing email that was sent to a small group of employees at the well-respected security firm. The email contained an Excel file with an attachment that installed a backdoor via an Adobe Flash vulnerability (which Adobe has since patched).</p>
<p>In all of these cases, it is clear that the attackers had substantial financial backing, did a fair amount of reconnaissance and had specific targets in mind.</p>
<h2>Reducing the APT Risk</h2>
<p>Assuming you have a sound information security strategy in place that caters for areas like IDS/IPS, strong passwords, user awareness and training, an email and social networking usage policy, change management process, end point security solutions, gateway and host-based AV, and incident response plans to name but a few, there are specific methods you can take to reduce the APT risk. These include:</p>
<ol>
<li>A Security Information and Event Management (SIEM) system for the collection, review and notification of security alerts, as well as the collection and review of audit information pertinent to sensitive data access.</li>
<li>Scanning for security vulnerabilities on a regular basis.</li>
<li>Maintaining a solid patch management process.</li>
<li>Implementing Data Leakage Prevention (DLP) technologies to:
<ul>
<li>Increase traffic monitoring for malicious outbound activity such as requests to malicious websites, dynamic DNS servers and sensitive file transfer.</li>
<li>Scan outbound email and web traffic against a dynamic set of rules to prevent data leaving the organization.</li>
</ul>
</li>
<li>Using behavioural threat analytics to flag subtle yet suspicious outbound traffic that might be indicative of APT activity. Such a system would take a baseline of typical activity and then look for anomalies that are not true to everyday “normal” behaviour (e.g. FTP traffic from a department that never uses FTP, or network traffic being sent to servers in a country where the organization has absolutely no affiliation).</li>
</ol>
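<p>Point 5 above describes comparing outbound traffic against a baseline of what each department normally does. As an added example (it is not part of the original post), the PowerShell below builds such a baseline from a handful of historical flow records and flags today's records whose protocol or destination country the department has never used before, which covers both of the cases the post names (FTP from a department that never uses FTP, and traffic to a country the organization has no dealings with). Every record, department name, protocol, country code and byte count is constructed for illustration; the script assumes PowerShell 3.0 or later.</p>

```powershell
# Added example (not from the original post): a minimal baseline-and-anomaly
# check over constructed flow records. In practice the two CSV blocks would be
# exported from a firewall, proxy or NetFlow collector.

# Constructed sample: historical records that define "normal" per department.
$baselineCsv = @"
Department,Protocol,DestCountry
Finance,HTTPS,US
Finance,SMTP,US
Finance,HTTPS,GB
Engineering,HTTPS,US
Engineering,SSH,US
Engineering,FTP,US
HR,HTTPS,US
HR,HTTPS,GB
"@

# Constructed sample: today's records to score against the baseline.
$todayCsv = @"
Time,Department,Protocol,DestCountry,Bytes
08:01,Finance,HTTPS,US,12000
08:05,Finance,FTP,US,45000000
08:07,Engineering,SSH,US,3000
08:09,HR,HTTPS,KP,900000
08:11,Engineering,FTP,US,20000
"@

function New-Baseline {
    # Records every (Department, Protocol) and (Department, DestCountry) pair
    # seen in the historical data. Hashtables give constant-time lookups.
    param([string] $Csv)
    $b = @{ Protocols = @{}; Countries = @{} }
    foreach ($r in ($Csv | ConvertFrom-Csv)) {
        $b.Protocols["$($r.Department)|$($r.Protocol)"]    = $true
        $b.Countries["$($r.Department)|$($r.DestCountry)"] = $true
    }
    return $b
}

function Find-Anomalies {
    # Emits one object per record that uses a protocol, or talks to a country,
    # that its department has never used in the baseline period.
    param([string] $Csv, [hashtable] $Baseline)
    foreach ($r in ($Csv | ConvertFrom-Csv)) {
        $reasons = @()
        if (-not $Baseline.Protocols.ContainsKey("$($r.Department)|$($r.Protocol)")) {
            $reasons += "protocol $($r.Protocol) never seen from $($r.Department)"
        }
        if (-not $Baseline.Countries.ContainsKey("$($r.Department)|$($r.DestCountry)")) {
            $reasons += "destination country $($r.DestCountry) never seen from $($r.Department)"
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time       = $r.Time
                Department = $r.Department
                Bytes      = [long] $r.Bytes
                Reason     = ($reasons -join "; ")
            }
        }
    }
}

$baseline  = New-Baseline -Csv $baselineCsv
$anomalies = Find-Anomalies -Csv $todayCsv -Baseline $baseline

# Largest transfers first, since volume is what distinguishes a harvest from a one-off.
$anomalies | Sort-Object Bytes -Descending | Format-Table -AutoSize
```

<p>With the constructed data, the Finance FTP transfer and the HR connection to a country outside the baseline are the only records reported; everything else matches a pair the department has used before. A baseline this simple has no notion of frequency or volume, so a real deployment would keep per-department byte counts and time-of-day profiles as well, but the structure (learn the normal pairs, then report what falls outside them) is the same.</p>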
<p>According to Gartner research, going forward, we will begin to see more content and context aware security solutions to help with the fight against the Advanced Persistent Threat. Such solutions will be able to make more accurate decisions, automatically fine-tune configurations, provide recommendations on what areas of the network should be given attention, as well as perform proactive checks against suspicious content before it becomes a threat.</p>
<h2>Conclusion</h2>
<p>Going back to the original question I asked at the beginning, should we be concerned? Yes! It is better to be cautious rather than be naive and think you are unlikely to be targeted. Although victims of an APT attack typically belong to a handful of industries, even if you are not the specific target, your organization might be one piece of the attacker’s puzzle because of information you have that is deemed valuable to them.</p>
<p>As we saw above, there is no such thing as an all-in-one solution to APT attacks. Because different attack vectors are used, a multi-layered approach to preventing (or at least minimizing the impact of an APT) is required. Marketing or advertising agencies that state APT is a big problem and action is needed are right, but I would question those that claim to be a one-stop shop for APT prevention.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/advanced-persistent-threat-apt-a-hyped-up-marketing-term-or-a-security-concern/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Windows PowerShell: Essential Admin Scripts (Part 2)</title>
		<link>http://www.gfi.com/blog/windows-powershell-essential-admin-scripts-part-2/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=windows-powershell-essential-admin-scripts-part-2</link>
		<comments>http://www.gfi.com/blog/windows-powershell-essential-admin-scripts-part-2/#comments</comments>
		<pubDate>Wed, 26 Dec 2012 13:03:52 +0000</pubDate>
		<dc:creator>Andrew Zammit Tabona</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[TTTM]]></category>
		<category><![CDATA[ACL]]></category>
		<category><![CDATA[ACL permission checks]]></category>
		<category><![CDATA[check disk space]]></category>
		<category><![CDATA[delete data]]></category>
		<category><![CDATA[Disk Space Checker]]></category>
		<category><![CDATA[Microsoft Troubleshooting Packs]]></category>
		<category><![CDATA[notification email]]></category>
		<category><![CDATA[Ping and Notify]]></category>
		<category><![CDATA[PowerShell]]></category>
		<category><![CDATA[PowerShell scripting]]></category>
		<category><![CDATA[script]]></category>
		<category><![CDATA[SMTP]]></category>
		<category><![CDATA[Windows PowerShell]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=10074</guid>
		<description><![CDATA[In Part 1 of this two-part series, I covered the ‘Microsoft Troubleshooting Packs’ and ACL permission checks using PowerShell scripting. This article will focus on two more scripts, one to check if a host is alive and, if it is &#8230;]]></description>
				<content:encoded><![CDATA[<p>In <a href="http://www.gfi.com/blog/windows-powershell-essential-admin-scripts-part-1/">Part 1</a> of this two-part series, I covered the ‘Microsoft Troubleshooting Packs’ and ACL permission checks using PowerShell scripting. This article will focus on two more scripts, one to check if a host is alive and, if it is not, send a notification email, and another to check disk space, delete data from a given folder if a certain threshold is met and then notify a user by email.<span id="more-10074"></span></p>
<h2><strong>Ping and Notify</strong></h2>
<p>Of primary importance to any network admin is server availability. Being able to regularly monitor whether a group of hosts is alive, and to get a ‘heads up’ when they aren’t, is a useful tool to have. The idea behind this script is to use the ping command to verify the availability of the destination host(s) at specified intervals and take action based on the response that is received: if the response is positive, do nothing; if the response is negative, send a notification email.</p>
<p>To construct this script, we need the following main elements:</p>
<ol>
<li>The SMTP details for sending the email</li>
<li>An Array to store the hosts to ping</li>
<li>The Get-WmiObject cmdlet that uses the Win32_PingStatus class</li>
<li>A ForEach loop to perform an operation on each element in the Array</li>
<li>An If statement to perform a conditional action based on the result.</li>
</ol>
<p>The first part of the script sets the email properties and stores each of them in a variable; $smtpServer holds the SMTP Server Name/IP Address, $smtpFrom stores the FROM address and $smtpTo stores the TO address.</p>
<p>An Array called $PingHosts is used to store the destination hosts to ping. The ForEach-Object cmdlet is used to execute the Get-WmiObject Win32_PingStatus command stored in $WmiPingStatus against the hosts stored in $PingHosts to the left of the pipe. The Select-Object cmdlet is used to obtain the Address and StatusCode property of each ping result.</p>
<p>A ForEach loop and If statement are then used to cycle through each ping result and check whether the status code is equal to 0. If it is equal to 0, no action is taken. If it is not equal to 0, the email subject and body are set using the details of the non-responsive host and a message is sent using the Net.Mail.SmtpClient class. The image below shows a sample of the notification email that will be sent out to the address stored in $smtpTo.</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2012/12/PingerNotifyEmail.png"><img class="size-medium wp-image-10075 aligncenter" title="PingerNotifyEmail" src="http://www.gfi.com/blog/wp-content/uploads/2012/12/PingerNotifyEmail-300x170.png" alt="" width="300" height="170" /></a></p>
<h3 style="text-align: left;"><strong>Script:</strong></h3>
<pre>
# Set e-mail properties
$smtpServer = "192.168.0.5";
$smtpFrom   = "pinger@yourdomain.com";
$smtpTo     = "admin@domain.local";

# Create an Array to store the destination hosts to ping
[Array] $PingHosts = "192.168.0.105", "mailsrv01", "www.google.com"

# Run Get-WmiObject using the Win32_PingStatus class against every host in the Array
$WmiPingStatus = { Get-WmiObject -Class Win32_PingStatus -Filter ("Address='" + $_ + "'") -ComputerName . }
$PingHosts | ForEach-Object -Process $WmiPingStatus | Select-Object -Property Address,StatusCode |
foreach {
    # If StatusCode is equal to 0 then do nothing (since 0 = success)
    If ($_.StatusCode -eq 0)
    {
        # Write-Host "Do nothing for:" $_.Address
    }
    # Else, if StatusCode is NOT equal to 0 then do something
    Else
    {
        # Set e-mail subject and body using details of non-responsive host
        $subject = "Attention: " + $_.Address + " is down!";
        $body    = $_.Address + " is not responding to a ping request. Please take action.`n"

        # Set e-mail objects and send e-mail
        # (SmtpClient sends unauthenticated and without TLS unless its Credentials
        #  and EnableSsl properties are set; adjust these for a production mail server)
        $smtpClient = New-Object Net.Mail.SmtpClient($smtpServer);
        $emailFrom  = New-Object Net.Mail.MailAddress $smtpFrom, $smtpFrom;
        $emailTo    = New-Object Net.Mail.MailAddress $smtpTo, $smtpTo;
        $mailMsg    = New-Object Net.Mail.MailMessage($emailFrom, $emailTo, $subject, $body);
        $smtpClient.Send($mailMsg)
    }
}
</pre>
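<p>Two things are worth tightening in the script above before it is left running unattended: it raises an alert on the first lost packet, and it hands the alert to an SMTP server without authentication or TLS. The following is an added example (it is not the article's script) that keeps the same ping-and-notify idea but retries each host a few times, uses Test-Connection -Quiet (a plain boolean, so a name that fails to resolve simply counts as a failure) and sends the notification with Send-MailMessage over an authenticated STARTTLS submission port, reading the SMTP credential from a DPAPI-protected file. The SMTP server, port, addresses and credential file path are assumed placeholders to replace.</p>

```powershell
# Added example (not the article's script). Pings each host several times
# before alerting, then sends the alert over an authenticated, TLS-protected
# SMTP submission port. All server names, addresses and paths are placeholders.
$smtpServer = "smtp.example.local"         # placeholder
$smtpPort   = 587                          # submission port (STARTTLS)
$smtpFrom   = "pinger@example.local"       # placeholder
$smtpTo     = "admin@example.local"        # placeholder
# Credential saved once, interactively, with:
#   Get-Credential | Export-Clixml -Path C:\Scripts\smtp.cred
# Export-Clixml protects the password with DPAPI, so the file can only be
# read back by the same Windows account on the same machine that wrote it.
$credPath   = "C:\Scripts\smtp.cred"       # placeholder

[Array] $PingHosts = "192.168.0.105", "mailsrv01", "www.google.com"

function Test-HostAlive {
    # Returns $true as soon as one of $Attempts pings succeeds. Test-Connection
    # -Quiet yields a boolean, so an unresolvable name is a plain failure rather
    # than the empty StatusCode that Win32_PingStatus reports.
    param(
        [Parameter(Mandatory=$true)] [string] $ComputerName,
        [int] $Attempts = 3,
        [int] $DelaySeconds = 5
    )
    for ($i = 1; $i -le $Attempts; $i++) {
        if (Test-Connection -ComputerName $ComputerName -Count 1 -Quiet -ErrorAction SilentlyContinue) {
            return $true
        }
        if ($i -lt $Attempts) { Start-Sleep -Seconds $DelaySeconds }
    }
    return $false
}

function Get-DownHosts {
    # Returns the names of the hosts that failed every attempt.
    param([string[]] $Hosts, [int] $Attempts = 3)
    $Hosts | Where-Object { -not (Test-HostAlive -ComputerName $_ -Attempts $Attempts) }
}

$down = @(Get-DownHosts -Hosts $PingHosts -Attempts 3)
if ($down.Count -gt 0) {
    $cred    = Import-Clixml -Path $credPath
    $subject = "Attention: " + ($down -join ", ") + " down!"
    $body    = "The following hosts did not respond to 3 consecutive ping attempts:`n" +
               ($down -join "`n") + "`nPlease take action.`n"
    # -UseSsl negotiates STARTTLS on port 587; -Credential authenticates to the
    # server, so the relay is not left usable by anyone who can reach it.
    Send-MailMessage -From $smtpFrom -To $smtpTo -Subject $subject -Body $body `
        -SmtpServer $smtpServer -Port $smtpPort -UseSsl -Credential $cred
}
```

<p>Because the credential file is bound to the account that created it, the Export-Clixml step has to be run as the same account the scheduled task will later run under. One message is sent listing every host that is down, rather than one message per host, which keeps a network-wide outage from flooding the mailbox.</p>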
<h2><strong>Disk Space Checker</strong></h2>
<p>Hand in hand with my previous script to check whether a host is alive or not, it is important to keep an eye on disk space, as low storage could result in performance issues or, at its worst, the system grinding to a halt. The idea behind this script is to use a WMI object to check, at specified intervals, whether the free space on each drive of a given machine is less than xGB (5GB in this example) and take action based on this condition: if free space is less than the threshold, perform an action (e.g. delete all files in a given folder – an application log folder, for example) and send a notification email; if free space is greater than the threshold, do nothing.</p>
<p>To construct this script, we need the following main elements:</p>
<ol>
<li>The SMTP details for sending the email</li>
<li>An Array to store machines to check</li>
<li>The Get-WmiObject cmdlet that uses the Win32_LogicalDisk class</li>
<li>A ForEach loop to perform an operation on each element in the Array</li>
<li>An If statement to perform a conditional action based on the result.</li>
</ol>
<p>The first part of the script sets the email properties and stores them in a variable; $smtpServer holds the SMTP Server Name/IP Address, $smtpFrom stores the FROM address and $smtpTo stores the TO address.</p>
<p>An Array called $machines is used to store the machines we want to check disk space on. The Win32_LogicalDisk class in the Get-WmiObject cmdlet is used to obtain the drive information for each machine in the $machines variable. The ‘-Authentication PacketPrivacy’ parameter sets the DCOM authentication level so that every packet exchanged with the remote WMI service is authenticated, integrity-checked and encrypted rather than sent in the clear. The ‘-Impersonation Impersonate’ parameter sets the impersonation level, which allows the remote WMI service to act with the credentials of the caller when it queries the drives. The Where-Object cmdlet is used to retrieve local disk drives only (i.e. DriveType -eq 3), and Select-Object specifies to pull back the SystemName, VolumeName, FreeSpace, and Size information related to each drive.</p>
<p>A ForEach loop and If statement are used to cycle through the FreeSpace information of each drive and check whether it is greater than 5GB. If it is greater than 5GB then no action is taken. If it is not (i.e. 5GB or less), the Remove-Item cmdlet deletes all data in the folder specified within the $cleanDir variable, and the email subject and body are set using the details of each machine and drive being checked. Finally, an email message is sent using the Net.Mail.SmtpClient class. The image below shows a sample of the notification email that will be sent out to the address stored in $smtpTo.</p>
<p><strong>Note:</strong> The Remove-Item cmdlet can be removed from the script altogether, if you wish for no action to be taken and only an email notification sent out. Alternatively, edit the folder location to be a directory from where you wish files to be removed (e.g. a log files folder).</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2012/12/SpaceNotifyEmail.png"><img class="aligncenter size-medium wp-image-10076" title="SpaceNotifyEmail" src="http://www.gfi.com/blog/wp-content/uploads/2012/12/SpaceNotifyEmail-300x142.png" alt="" width="300" height="142" /></a></p>
<h3><strong>Script:</strong></h3>
<pre>
# Set e-mail properties
$smtpServer = "192.168.0.5";
$smtpFrom   = "notify@yourdomain.com";
$smtpTo     = "admin@domain.local";

# Create an Array to store the machines to check
[Array] $machines = "192.168.0.5", "localhost"

# Execute Get-WmiObject with the Win32_LogicalDisk class against the array of machines
Get-WmiObject Win32_LogicalDisk -ComputerName $machines -Authentication PacketPrivacy -Impersonation Impersonate |
Where-Object { $_.DriveType -eq 3 } |
Select-Object SystemName,VolumeName,FreeSpace,Size |
foreach {
    # If FreeSpace is greater than 5GB then do nothing
    If ($_.FreeSpace -gt 5GB)
    {
        # do nothing
    }
    # Else, if FreeSpace is 5GB or less then do something
    Else
    {
        # Delete all items from the C:\Temp folder
        # (Remove-Item runs on the machine executing this script, not on the
        #  remote machine in $machines that reported the low disk space)
        $cleanDir = "C:\Temp\*"
        Remove-Item $cleanDir -Recurse -ea SilentlyContinue

        # Set e-mail subject and body using disk volume and machine name info
        $subject = "Attention: Disk space is running low on " + $_.SystemName;
        $body    = $_.VolumeName + " drive has less than 5GB. Files from the " + $cleanDir + " folder have been deleted.`n"

        # Send e-mail
        $smtpClient = New-Object Net.Mail.SmtpClient($smtpServer);
        $emailFrom  = New-Object Net.Mail.MailAddress $smtpFrom, $smtpFrom;
        $emailTo    = New-Object Net.Mail.MailAddress $smtpTo, $smtpTo;
        $mailMsg    = New-Object Net.Mail.MailMessage($emailFrom, $emailTo, $subject, $body);
        $smtpClient.Send($mailMsg)
    }
}
</pre>
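<p>Two points about the script above deserve attention before it is scheduled to run unattended: Remove-Item has no -ComputerName parameter, so when a remote server in $machines is low on space the script empties C:\Temp on the machine running the script, and VolumeName is frequently blank, which leaves the alert without a drive letter. The following is an added example (it is not the article's script) that reports DeviceID instead of VolumeName, runs the cleanup on the machine that actually reported low space by way of Invoke-Command, deletes only files older than a set age, and supports -WhatIf so the deletion can be rehearsed first. It assumes PowerShell 3.0 or later, WinRM enabled on the target machines, and that the machine names, log folder, SMTP server and addresses are placeholders to replace.</p>

```powershell
# Added example (not the article's script). Finds drives below a free-space
# threshold, removes stale files from a log folder ON THAT MACHINE, and mails
# a summary. Machine names, folder, SMTP server and addresses are placeholders.
[Array] $machines = "srv01", "localhost"        # placeholders
$threshold        = 5GB
$cleanDir         = "C:\AppLogs"                # placeholder log folder
$olderThanDays    = 14
$smtpServer       = "smtp.example.local"        # placeholder
$smtpFrom         = "notify@example.local"      # placeholder
$smtpTo           = "admin@example.local"       # placeholder

function Get-LowDisk {
    # One object per local fixed drive (DriveType 3) with less than $MinFree
    # bytes free. DeviceID ("C:") is reported because VolumeName is often empty.
    param([string[]] $ComputerName, [long] $MinFree)
    Get-WmiObject Win32_LogicalDisk -ComputerName $ComputerName `
        -Authentication PacketPrivacy -Impersonation Impersonate |
        Where-Object { $_.DriveType -eq 3 -and $_.FreeSpace -lt $MinFree } |
        Select-Object SystemName, DeviceID, FreeSpace, Size
}

function Clear-StaleFiles {
    # Deletes files older than $Days from $Path on $ComputerName and returns the
    # paths removed. SupportsShouldProcess gives the function -WhatIf and -Confirm.
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [Parameter(Mandatory=$true)] [string] $ComputerName,
        [Parameter(Mandatory=$true)] [string] $Path,
        [int] $Days = 14
    )
    if (-not $PSCmdlet.ShouldProcess("${ComputerName}:$Path", "Delete files older than $Days days")) {
        return @()
    }
    # The script block executes on the remote host, so the deletion is scoped to
    # the machine that is actually short of space.
    Invoke-Command -ComputerName $ComputerName -ArgumentList $Path, $Days -ScriptBlock {
        param($Path, $Days)
        $cutoff = (Get-Date).AddDays(-$Days)
        Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -lt $cutoff } |
            ForEach-Object {
                Remove-Item -LiteralPath $_.FullName -ErrorAction SilentlyContinue
                $_.FullName     # returned to the caller for the report
            }
    }
}

$report = foreach ($disk in (Get-LowDisk -ComputerName $machines -MinFree $threshold)) {
    $removed = @(Clear-StaleFiles -ComputerName $disk.SystemName -Path $cleanDir -Days $olderThanDays)
    $values  = @($disk.SystemName, $disk.DeviceID, ($disk.FreeSpace / 1GB), ($disk.Size / 1GB), $removed.Count, $cleanDir)
    "{0} {1} has {2:N1} GB free of {3:N1} GB; removed {4} stale file(s) from {5}" -f $values
}

if ($report) {
    Send-MailMessage -From $smtpFrom -To $smtpTo -SmtpServer $smtpServer `
        -Subject "Attention: disk space is running low" -Body ($report -join "`n")
}
```

<p>Running the cleanup as <code>Clear-StaleFiles -ComputerName srv01 -Path C:\AppLogs -WhatIf</code> lists what would be deleted without touching anything, which is the check to do before the task is scheduled. The age filter matters as much as the scoping: wiping every file in a live log folder, as the original C:\Temp\* wildcard does, also destroys the most recent logs, which are exactly the ones an incident investigation needs.</p>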
<p>When discussing both scripts, I mentioned automating them by having them run at scheduled intervals. To do this, you need to make use of the Windows Task Scheduler. Open the Task Scheduler from Start &gt; All Programs &gt; Accessories &gt; System Tools (or type taskschd.msc in the Run box). Right click on Task Scheduler (Local) and choose “Create Basic Task…”. Follow the wizard and at the ‘Action’ page, choose “Start a Program” and type “PowerShell” as the Program/Script and specify the full path to the .ps1 script as an argument (see screenshot below). Press Next and Finish to close the wizard.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2012/12/TaskAction.png"><img class="aligncenter size-medium wp-image-10077" title="TaskAction" src="http://www.gfi.com/blog/wp-content/uploads/2012/12/TaskAction-300x208.png" alt="" width="300" height="208" /></a></p>
<p>Now, from the Task Scheduler Library, choose the task you just created and right click &gt; Properties to bring up the properties window. Go to the “Triggers” tab, select the Daily trigger and click Edit. In Advanced Settings, select “Repeat task every:” and choose the number of minutes you wish to have the task run. Click OK and OK again to close the task window. The Ping &amp; Notify or Disk Space Checker PowerShell script should now automatically run every X minutes.</p>
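<p>The same repeating task can be registered without the wizard. The following is an added example (not from the article) that uses schtasks.exe, which is present on Windows 7 and Windows Server 2008, to create it from a PowerShell prompt; the script path, task name and service account are placeholders. It also passes the switches a scheduled PowerShell script should carry (-NoProfile, -NonInteractive and an explicit -ExecutionPolicy) and runs the task under a dedicated account rather than the administrator who created it.</p>

```powershell
# Added example (not from the article): register the repeating task from the
# command line with schtasks.exe instead of the Task Scheduler wizard.
# Script path, task name and account are placeholders.
$scriptPath = "C:\Scripts\PingNotify.ps1"   # placeholder; keep the path free of spaces
$taskName   = "PingAndNotify"               # placeholder
$runAs      = "DOMAIN\svc_monitor"          # placeholder: a dedicated, low-privilege account

# Switches a scheduled script should always carry:
#   -NoProfile        no profile scripts are loaded, so nothing dropped into a
#                     profile file runs under the service account
#   -NonInteractive   an unexpected prompt fails the run instead of hanging it
#   -ExecutionPolicy  stated explicitly so the task does not depend on the
#                     machine-wide setting
$action = "powershell.exe -NoProfile -NonInteractive -ExecutionPolicy RemoteSigned -File $scriptPath"

# /SC MINUTE /MO 5 : run every 5 minutes
# /RU              : run as the service account
# /RP *            : prompt for that account's password instead of embedding it here
# /F               : overwrite an existing task of the same name
schtasks.exe /Create /TN $taskName /TR $action /SC MINUTE /MO 5 /RU $runAs /RP "*" /F

# Confirm what was registered before relying on it
schtasks.exe /Query /TN $taskName /V /FO LIST
```

<p>The account named in /RU needs only what the script itself does: read access to the script folder, the right to query WMI on the monitored machines, and permission to send through the mail server. Keeping the task off a domain administrator account means a compromised or tampered script file cannot be used to run arbitrary commands with those rights every five minutes.</p>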
<p>These two articles have covered some of the most common Network Admin responsibilities: storage, network availability, permissions and troubleshooting. As I alluded to earlier, the beauty of PowerShell scripts is their intuitive and customizable nature. I’m sure you will find a use for the scripts covered in these two articles – you can also tweak them even further and incorporate them into your own scripting toolkit.</p>
<p><em>Like our posts? Subscribe to our <a href="http://feeds.feedburner.com/TalkTechToMe-All">RSS feed</a> or email feed (on the right hand side) now, and be the first to get them!</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/windows-powershell-essential-admin-scripts-part-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Windows PowerShell™: Essential Admin Scripts (Part 1)</title>
		<link>http://www.gfi.com/blog/windows-powershell-essential-admin-scripts-part-1/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=windows-powershell-essential-admin-scripts-part-1</link>
		<comments>http://www.gfi.com/blog/windows-powershell-essential-admin-scripts-part-1/#comments</comments>
		<pubDate>Fri, 07 Dec 2012 14:52:20 +0000</pubDate>
		<dc:creator>Andrew Zammit Tabona</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[Microsoft Troubleshooting Packs]]></category>
		<category><![CDATA[PowerShell]]></category>
		<category><![CDATA[PowerShell script]]></category>
		<category><![CDATA[Troubleshooting Pack]]></category>
		<category><![CDATA[Windows 7]]></category>
		<category><![CDATA[Windows PowerShell]]></category>
		<category><![CDATA[Windows Server 2008]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=9975</guid>
		<description><![CDATA[In Windows PowerShell: Extracting Strings Using Regular Expressions, I introduced the Windows PowerShell and discussed the concept of regular expressions, giving an example of how to build a Windows PowerShell script to extract strings from a file using a given &#8230;]]></description>
				<content:encoded><![CDATA[<p><a href="http://www.gfi.com/blog/wp-content/uploads/2012/08/powershell.png"><img class="alignright  wp-image-9173" style="margin: 6px 10px; border: 0px solid black;" title="PowerShell" src="http://www.gfi.com/blog/wp-content/uploads/2012/08/powershell-300x202.png" alt="" width="240" height="162" /></a>In <a href="http://www.gfi.com/blog/windows-powershell-extracting-strings-using-regular-expressions/"><em>Windows PowerShell: Extracting Strings Using Regular Expressions</em></a>, I introduced Windows PowerShell and discussed the concept of regular expressions, giving an example of how to build a Windows PowerShell script to extract strings from a file using a given regular expression. In this two-part series, I will discuss a number of PowerShell scripts to assist with some of the fundamental administration and troubleshooting tasks. We will touch on the Microsoft Troubleshooting Packs, discuss a script for checking file and folder permissions, a script for monitoring storage space, as well as one for determining if a host is alive and notifying a given user.<span id="more-9975"></span></p>
<p><strong>Microsoft Troubleshooting Packs</strong></p>
<p>I thought it would be worth starting off by mentioning the Microsoft Troubleshooting Packs that are bundled with Windows 7, Windows Server 2008 and above. The Microsoft Troubleshooting Packs are a series of detection, resolution and verification PowerShell scripts that you can use to diagnose different aspects of your servers, clients or network. Different packages are available to troubleshoot printers, networks, performance, power, Windows Update, etc.</p>
<p>To see which components are available for troubleshooting, simply run the <em>dir</em> command against the directory that holds the scripts. You will get a list like the one shown in the image below:</p>
<p>dir C:\Windows\diagnostics\system</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2012/12/Windows-diagnostics-system.png"><img class="size-medium wp-image-9976 aligncenter" style="border: 0px solid black; margin-top: 10px; margin-bottom: 10px;" title="Windows diagnostics system" src="http://www.gfi.com/blog/wp-content/uploads/2012/12/Windows-diagnostics-system-300x166.png" alt="" width="300" height="166" /></a></p>
<p>To run a Troubleshooting Pack, you will first need to import the modules associated with the pack by running the following command from the Windows PowerShell command window:</p>
<p><strong>Import-Module TroubleshootingPack</strong></p>
<p>You then specify the <a href="http://msdn.microsoft.com/en-gb/library/windows/desktop/dd323716(v=vs.85).aspx">Get-TroubleshootingPack</a> cmdlet along with the desired pack location and pipe it to the <a href="http://msdn.microsoft.com/en-gb/library/windows/desktop/dd323718(v=vs.85).aspx">Invoke-TroubleshootingPack</a> cmdlet as follows:</p>
<p>Get-TroubleshootingPack &lt;TroubleshootingPackLocation&gt; | Invoke-TroubleshootingPack</p>
<p>The image below shows the options available when the Network Troubleshooting Pack is invoked:</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2012/12/when-the-Network-Troubleshooting-Pack-is-invoked.png"><img class="size-medium wp-image-9977 aligncenter" title="when the Network Troubleshooting Pack is invoked" src="http://www.gfi.com/blog/wp-content/uploads/2012/12/when-the-Network-Troubleshooting-Pack-is-invoked-300x104.png" alt="" width="300" height="104" /></a></p>
<p>It is likely that you will want to run these scripts on a remote machine (e.g. a Windows 7 client). To do so, you will first need to connect to the remote machine from PowerShell using the “Enter-PSSession” cmdlet, as shown below:</p>
<p>Enter-PSSession -ComputerName remotehost -Credential domain\adminaccount</p>
<p>Replace ‘remotehost’ with the name or IP address of the remote machine and ‘domain\adminaccount’ with an admin level account on the domain. A dialog box will appear asking you to enter the password for the ‘domain\adminaccount’, following which you will have initiated a remote management session within PowerShell to execute commands on the remote machine.</p>
<p><strong>Note:</strong> Ensure that the Windows Remote Management service is running and that you have configured the remote machine to allow Remote Management connections (using the <em>winrm quickconfig</em> command).</p>
<p><strong>Checking ACL Permissions on Files and Folders</strong></p>
<p>Whether for troubleshooting or simply for verification purposes, you will often find the need to check ACL permissions on files or folders. In larger environments where permissions are granted on files and folders on a regular basis, a permissions review may take place every quarter for example, and having an ACL report to compare with would come in handy.</p>
<p>To construct this script, you need the following main elements:</p>
<p>1) The path to check permissions on</p>
<p>2) The output path to create the report file</p>
<p>3) An Array to store each enumerated path</p>
<p>4) A ForEach loop to perform an operation on each object in the Array</p>
<p>5) The Get-Acl cmdlet.</p>
<p>The first part of the script asks the user for the path to check permissions on, as well as the path for the output file, and stores the answers in the variables <em>$Path</em> and <em>$OutFilePath</em> respectively. The Get-Date cmdlet is used twice: once to hold the current date and time in the <em>$ReportDate</em> variable and again to store the current date and time in a custom format within the <em>$FileTS</em> variable (which is used to create a timestamp for the output filename). The <em>$ReportUser</em> variable holds the name of the currently logged on user in the domain\username format.</p>
<p>An <em>if</em> statement is used to check whether the path stored in the <em>$OutFilePath</em> variable exists. If it doesn’t exist, it is created automatically using the New-Item (abbreviated to <em>ni</em>) cmdlet. The filename of the report is then appended to the output path and stored in the <em>$FullOutFile</em> variable.</p>
<p>Various variables, such as <em>$RptNameInfo</em>, <em>$DateInfo</em> and <em>$PathInfo</em>, are used to add the main pieces of information to the report. The <em>$NumFolders</em> and <em>$NumFiles</em> variables store the count of folders and files respectively, and use the Get-ChildItem (or <em>gci</em> for short) cmdlet to pull back all the files and folders that fall under the location stored in <em>$Path</em>.</p>
<p>An Array is then created to store each of the enumerated file and folder paths, and a ForEach loop handles the processing of the data within the Array. For each object in the Array, the path is converted from the PowerShell path to a standard system path. The size of each folder and file is obtained using the Measure-Object cmdlet and stored in a variable called <em>$PathSizeCount</em>; <em>$PathSizeCountKB</em> and <em>$PathSizeCountMB</em> store the size in KB and MB respectively. The path and size information for each folder or file is then added to the report.</p>
<p>Finally, the Get-Acl cmdlet is run against each enumerated path held in <em>$PSPath</em> and the result is formatted using the Format-List (or <em>fl</em> for short) cmdlet. All of this is appended to the file specified in the <em>$FullOutFile</em> variable.</p>
<p><strong>Script:</strong></p>
<p style="padding-left: 30px;"># set variables</p>
<p style="padding-left: 30px;">$Path = Read-Host "Enter path to check permissions on"</p>
<p style="padding-left: 30px;">$OutFilePath = Read-Host "Enter path to store output file"</p>
<p style="padding-left: 30px;">$ReportDate = Get-Date -format F</p>
<p style="padding-left: 30px;">$ReportUser = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name</p>
<p style="padding-left: 30px;"># 24-hour clock (HH) and two-digit month (MM) keep the timestamps unambiguous and sortable</p>
<p style="padding-left: 30px;">$FileTS = Get-Date -format "yyyy.MM.dd.HH.mm.ss"</p>
<p style="padding-left: 30px;">$ReportFileTS = $FileTS.replace('.','')</p>
<p style="padding-left: 30px;"># check if path to output file exists, if not create it</p>
<p style="padding-left: 30px;">if(!(Test-Path -Path $OutFilePath))</p>
<p style="padding-left: 30px;">{</p>
<p style="padding-left: 30px;">    ni -Path $OutFilePath -ItemType Directory -Force</p>
<p style="padding-left: 30px;">}</p>
<p style="padding-left: 30px;"># construct full path to output file</p>
<p style="padding-left: 30px;">$FullOutFile = "$OutFilePath\ACLCheckReport.$ReportFileTS.txt"</p>
<p style="padding-left: 30px;"># add main report info</p>
<p style="padding-left: 30px;">$RptNameInfo = "==============================`r`n    ACL Permissions Report    `r`n=============================="</p>
<p style="padding-left: 30px;">$RptNameInfo | ft | Out-File $FullOutFile</p>
<p style="padding-left: 30px;">$DateInfo = "Created on: $ReportDate `r`nCreated by: $ReportUser`r`n==============================`r`n"</p>
<p style="padding-left: 30px;">$DateInfo | ft | Out-File -append $FullOutFile</p>
<p style="padding-left: 30px;">$NumFolders = (gci $Path -recurse | where {$_.PSIsContainer}).Count</p>
<p style="padding-left: 30px;">$NumFiles = (gci $Path -recurse | where {$_.GetType() -match "FileInfo"} | Measure-Object).Count</p>
<p style="padding-left: 30px;">$PathInfo = "Listing permissions for: $Path ( Folders: $NumFolders | Files: $NumFiles )`r`n"</p>
<p style="padding-left: 30px;">$PathInfo | ft | Out-File -append $FullOutFile</p>
<p style="padding-left: 30px;"># fill array with folders and files</p>
<p style="padding-left: 30px;">[Array] $Objects = gci -path $Path -force -recurse</p>
<p style="padding-left: 30px;"># fill array with folders only</p>
<p style="padding-left: 30px;">#[Array] $Objects = gci -path $Path -force -recurse | Where {$_.PSIsContainer}</p>
<p style="padding-left: 30px;"># process data in array</p>
<p style="padding-left: 30px;">ForEach ($Object in [Array] $Objects)</p>
<p style="padding-left: 30px;">{</p>
<p style="padding-left: 30px;">    # convert pspath to full system path</p>
<p style="padding-left: 30px;">    $PSPath = (Convert-Path $Object.PSPath)</p>
<p style="padding-left: 30px;">    # get the size of each folder/file (Sum is empty for an empty folder, which formats as 0)</p>
<p style="padding-left: 30px;">    $PathSizeCount = (gci $PSPath -recurse | Measure-Object -property length -sum).Sum</p>
<p style="padding-left: 30px;">    $PathSizeCountKB = "{0:N2}" -f ($PathSizeCount / 1KB)</p>
<p style="padding-left: 30px;">    $PathSizeCountMB = "{0:N2}" -f ($PathSizeCount / 1MB)</p>
<p style="padding-left: 30px;">    # add path and size info for each folder/file to the report</p>
<p style="padding-left: 30px;">    $PathSizeInfo = ("Path: $PSPath `r`nSize (KBytes): $PathSizeCountKB | Size (MBytes): $PathSizeCountMB")</p>
<p style="padding-left: 30px;">    $PathSizeInfo | ft | Out-File -append $FullOutFile</p>
<p style="padding-left: 30px;">    # run the get-acl command against the enumerated path and format accordingly</p>
<p style="padding-left: 30px;">    Get-Acl -path $PSPath | fl -property Owner,AccessToString | Out-File -append $FullOutFile</p>
<p style="padding-left: 30px;">}</p>
<p>Uncomment the following line in the script so that only folders and sub-folders are enumerated as part of the permissions list:</p>
<p>#[Array] $Objects = gci -path $Path -force -recurse | Where {$_.PSIsContainer}</p>
<p>Then, comment out the following line in the script to stop files from being enumerated as part of the permissions list:</p>
<p>[Array] $Objects = gci -path $Path -force -recurse</p>
<p>The following shows a sample ACL Permissions Report.</p>
<p><strong>Note:</strong> The format of the report can be modified by changing the “ft” and “fl” portions of the script accordingly.</p>
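<p>A reviewer working through a quarterly report usually wants the risky entries surfaced rather than a flat listing to read end to end. The following is an added example, not the article’s script, that reimplements the review as a function: it writes every ACE to a CSV and flags three things a permissions review looks for: broad principals (Everyone, Authenticated Users, Users) holding write-class rights, explicit ACEs below the root that mean inheritance was broken or extended by hand, and rights that render as a bare number (generic rights), which hide what was actually granted. An ACL the script cannot read is recorded as a finding instead of stopping the run. The function and parameter names, the principal list and the flag rules are this example’s own assumptions.</p>

```powershell
# Added example (not the article's script): ACL review as a function that flags
# the entries a permissions review should look at first. Parameter names, the
# principal list and the flag rules are assumptions made for this example.

function Get-AclReviewReport {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][string]$OutCsv,
        [switch]$FoldersOnly
    )
    # principals broad enough that write-class rights for them are almost always a finding
    $broad = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
    $root  = (Resolve-Path -LiteralPath $Path).Path

    $items = @(Get-Item -LiteralPath $root -Force) +
             @(Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue)
    if ($FoldersOnly) { $items = @($items | Where-Object { $_.PSIsContainer }) }

    $rows = foreach ($item in $items) {
        try {
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
        } catch {
            # an ACL the reviewer cannot read is itself a finding; keep going
            New-Object PSObject -Property @{
                Path = $item.FullName; Owner = ''; Identity = ''; Rights = ''
                Type = ''; Inherited = ''; Finding = "ReadError: $($_.Exception.Message)"
            }
            continue
        }
        foreach ($ace in $acl.Access) {
            $rights  = $ace.FileSystemRights.ToString()
            $finding = @()
            # generic rights (GENERIC_ALL etc.) render as a bare number; they hide what was granted
            if ($rights -match '^-?\d+$') { $finding += 'GenericRights' }
            if ($ace.AccessControlType -eq 'Allow' -and $broad -contains $ace.IdentityReference.Value -and
                $rights -match 'Write|Modify|FullControl|ChangePermissions|TakeOwnership') {
                $finding += 'BroadWrite'
            }
            # explicit ACEs below the root mean inheritance was broken or extended by hand
            if (-not $ace.IsInherited -and $item.FullName -ne $root) { $finding += 'ExplicitACE' }
            New-Object PSObject -Property @{
                Path = $item.FullName; Owner = $acl.Owner
                Identity = $ace.IdentityReference.Value; Rights = $rights
                Type = $ace.AccessControlType.ToString(); Inherited = $ace.IsInherited
                Finding = ($finding -join ';')
            }
        }
    }
    $rows | Select-Object Path, Owner, Identity, Rights, Type, Inherited, Finding |
        Export-Csv -Path $OutCsv -NoTypeInformation -Encoding UTF8
    # hand back only the flagged rows so the caller can act on them
    return @($rows | Where-Object { $_.Finding })
}

# usage (assumed paths):
# Get-AclReviewReport -Path 'D:\Shares\Finance' -OutCsv 'C:\Reports\acl-finance.csv' -FoldersOnly
```

<p>The CSV is what you keep from quarter to quarter: diffing two runs shows exactly which ACEs were added or removed, which the free-text report above cannot do reliably. The rights pattern is deliberately coarse (it also catches WriteAttributes, for instance); tighten it to the rights your environment treats as sensitive.</p>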
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2012/12/notepad.png"><img class="size-medium wp-image-9979 aligncenter" title="notepad" src="http://www.gfi.com/blog/wp-content/uploads/2012/12/notepad-300x183.png" alt="" width="300" height="183" /></a></p>
<p>In Part 2, we will look at two more scripts, one to check if a host is alive and trigger a notification event, and another to check for storage space and take action accordingly if a certain threshold is reached.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/windows-powershell-essential-admin-scripts-part-1/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>BYOD &#8211; The Good, the Bad and the Ugly</title>
		<link>http://www.gfi.com/blog/byod-the-good-the-bad-and-the-ugly/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=byod-the-good-the-bad-and-the-ugly</link>
		<comments>http://www.gfi.com/blog/byod-the-good-the-bad-and-the-ugly/#comments</comments>
		<pubDate>Wed, 22 Aug 2012 15:46:34 +0000</pubDate>
		<dc:creator>Andrew Zammit Tabona</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[TTTM]]></category>
		<category><![CDATA[Bring your own device]]></category>
		<category><![CDATA[BYOD]]></category>
		<category><![CDATA[device]]></category>
		<category><![CDATA[risk assessment]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=9271</guid>
		<description><![CDATA[BYOD (Bring Your Own Device) is a term used to describe employees who take their own portable device (e.g. iPhones, iPads and laptops) to the workplace with the intention of accessing firm resources to carry out their everyday jobs. The &#8230;]]></description>
				<content:encoded><![CDATA[<p><a href="http://www.gfi.com/blog/wp-content/uploads/2012/08/BYOD.jpg"><img class="size-medium wp-image-9277 alignright" style="border: 0px solid black; margin: 10px;" title="BYOD" src="http://www.gfi.com/blog/wp-content/uploads/2012/08/BYOD-300x256.jpg" alt="" width="300" height="256" /></a>BYOD (Bring Your Own Device) is a term used to describe employees who take their own portable device (e.g. iPhones, iPads and laptops) to the workplace with the intention of accessing firm resources to carry out their everyday jobs. The concept also extends to users who use their own devices for work purposes while out and about.</p>
<p>BYOD is a growing trend. It is being talked about at all levels inside and out of the organization, including up to board level. It’s a hot topic, one which many organizations are embracing and others are not. If you’re sitting on the fence and not sure which direction to take, you should be aware that there are many aspects to consider.</p>
<p>This article will highlight some of the pros and cons from a business perspective, as well as the security considerations that this trend brings.<span id="more-9271"></span></p>
<p>First, let’s look at some of the benefits of BYOD. These include:</p>
<h3>Productivity:</h3>
<p>The idea behind BYOD is that employees can access organizational data anytime, anywhere, from their own personal device, which naturally encourages increased productivity. If you have access to work e-mails for example, there is always going to be that temptation to “see what’s new” or “just answer this one e-mail” every now and then.</p>
<h3>Convenience:</h3>
<p>Rather than having to carry around two devices (the employee’s own personal device and a firm owned device) employees are able to use their own device to carry out both functions.</p>
<h3>Organization Appeal:</h3>
<p>In such a competitive market, it’s sometimes not only the pay packet that counts, but the little perks and privileges that attract the best talent and make them want to stay. Promoting the fact that your organization has embraced BYOD only adds to its appeal for prospective employees.</p>
<h3>Cost Savings:</h3>
<p>Rather than the organization paying for an additional device and a service contract, they can shift the cost to the user. Organizations might choose to pay nothing, only pay for the service contract, or perhaps provide an allowance to employees who wish to use their personal device for work purposes. Whatever you choose, aim for a simplified cost model. Trying to differentiate between personal and business usage for costing purposes can be a nightmare.</p>
<p>Despite the benefits, there are some things to consider, as emphasized below.</p>
<p>Firstly, nothing new should be introduced into the organization without a formal risk assessment. A risk assessment should be carried out to:</p>
<h3>1. Identify the associated BYOD risks that are applicable to your organization</h3>
<h3>2. Help you to draw up a mitigation strategy for any identified risks</h3>
<h3>3. Decide if the identified risks are something you are willing to accept</h3>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2012/08/BOYD-the-risk1.jpg"><img class="size-medium wp-image-9275 aligncenter" style="border: 0px solid black; margin-top: 10px; margin-bottom: 10px;" title="Risk assessment when adopting BYOD" src="http://www.gfi.com/blog/wp-content/uploads/2012/08/BOYD-the-risk1-300x197.jpg" alt="" width="300" height="197" /></a></p>
<p style="text-align: left;">A risk assessment should pinpoint areas within the environment that need to be looked at when adopting BYOD. Some things to consider are:</p>
<h3>1. Which software are you going to use?</h3>
<p>From a security perspective, implementation of the right software at both the server level and end user device level are highly important.</p>
<h3>2. Which resources are you going to allow access to?</h3>
<p>Are you only going to allow calendar, contacts and e-mail access? Will employees be able to access the client database?</p>
<h3>3. Will you segregate ‘mobile access’ data?</h3>
<p>Ideally, once you have classified the types of data you are going to allow mobile access to, you will then segregate that data from the rest of the firm’s resources, limiting unnecessary exposure. Hand in hand with this is the need to decide how to serve that data. Will it be available only via a secure page? Do you have an in-house or third party application that will allow access?</p>
<h3>4. How will you deliver ‘mobile access’ data?</h3>
<p>As I alluded to earlier, choosing the right data delivery method is critical. Whichever solution you choose, you will want it to contain encryption at the device, server and data transport level. Some solutions allow you to install an application on the iPhone or iPad which acts as a secure, encrypted, container for accessing firm data. Users would authenticate, and data would be transferred to and from the firm’s resources and viewed within the secure container.</p>
<h3>5. Who does liability fall with?</h3>
<p>Another, often forgotten, aspect to consider is liability. If users are using their own device for work purposes and something happens to that device, who is liable for the cost of repairing or replacing it?</p>
<h3>6. If a device is lost, how do you ensure the protection of company data on the device?</h3>
<p>Some organizations have a mitigation strategy in place that allows them to trigger a remote wipe of the device as soon as they receive word of it being lost. However, remote wipe functionality is only good if the device still has battery power and signal. If someone were to obtain the device and remove the SIM card or put the device into “Aeroplane Mode”, then this feature is pretty much useless.</p>
<h3>7. Which devices will you support?</h3>
<p>One of the biggest BYOD security problems is that it is impossible for IT to have an understanding of each and every mobile device and mobile platform available on the market today. This means managing the installation and updating of AV on the mobile devices becomes difficult, as does support for all these devices.</p>
<h3>8. Employee acceptance of data ownership and usage policy</h3>
<p>Even if, as an organization, you decide to embrace BYOD, your users may not. Because the organization owns the data that resides on the device, it will want to enforce some control over its use and protection. A lot of users will not feel comfortable with the organization analyzing their phone if they leave the firm, or performing a remote wipe of the device if it is lost or stolen. It is important to have clearly defined security policies and usage guidelines that outline the firm’s expectations. Cover yourself legally by ensuring that employees read, understand and sign these documents.</p>
<h3>9. Are we going to control which devices can connect to the network?</h3>
<p>BYOD shouldn’t just be a “free for all”. There needs to be a device specific control in place that ensures only known devices are allowed to connect to the network.</p>
<p>As such, there really isn’t an all-in-one BYOD security strategy. The best approach would be to use a combination of several security factors to help reduce risk.</p>
<p><img class="alignright  wp-image-9278" style="border: 0px solid black; margin: 10px;" title="Question before deciding whether to jump on the BYOD bandwagon" src="http://www.gfi.com/blog/wp-content/uploads/2012/08/Question-before-deciding-whether-to-jump-on-the-BYOD-bandwagon1-275x300.jpg" alt="" width="248" height="270" /><br />
All things considered, it will come down to trying to balance productivity and security. Are you comfortable with the security risks involved when adopting the BYOD model versus the potential increase in productivity across the firm? Do the productivity gains outweigh the security risks? Are you going to get a return on investment (ROI) if you implement BYOD across the firm, or will the cost of dealing with a security incident offset the benefits? What controls do you have in place if a security leakage or data loss incident had to occur? What data are you allowing access to, and who are you allowing to access it? Will your BYOD model comply with existing industry regulations for data protection?</p>
<p>These are all questions you need to think about when deciding whether to jump on the BYOD bandwagon. With the right security measures in place, it is only a case of questioning whether you are willing to accept the additional risk, and then getting sign off from the right people!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/byod-the-good-the-bad-and-the-ugly/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
	</channel>
</rss>
