<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Talk Tech To Me - GFI Blog &#187; Tech Zone</title>
	<atom:link href="http://www.gfi.com/blog/category/tttm/tech-zone/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.gfi.com/blog</link>
	<description>Brought to you by GFI Software</description>
	<lastBuildDate>Fri, 13 Sep 2013 16:51:58 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
		<item>
		<title>Top 20 Free Digital Forensic Investigation Tools for SysAdmins</title>
		<link>http://www.gfi.com/blog/top-20-free-digital-forensic-investigation-tools-for-sysadmins/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=top-20-free-digital-forensic-investigation-tools-for-sysadmins</link>
		<comments>http://www.gfi.com/blog/top-20-free-digital-forensic-investigation-tools-for-sysadmins/#comments</comments>
		<pubDate>Mon, 02 Sep 2013 16:27:46 +0000</pubDate>
		<dc:creator>Andrew Zammit Tabona</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[TTTM]]></category>
		<category><![CDATA[bulk_extractor]]></category>
		<category><![CDATA[CAINE]]></category>
		<category><![CDATA[DEFT]]></category>
		<category><![CDATA[Digital Forensic Investigation]]></category>
		<category><![CDATA[Digital Forensic Investigation Tools]]></category>
		<category><![CDATA[Digital Forensics Framework]]></category>
		<category><![CDATA[forensic analysis]]></category>
		<category><![CDATA[forensic image exploration]]></category>
		<category><![CDATA[forensic imaging]]></category>
		<category><![CDATA[Free Hex Editor Neo]]></category>
		<category><![CDATA[FTK Imager]]></category>
		<category><![CDATA[hard drive forensic analysis]]></category>
		<category><![CDATA[HELIX3]]></category>
		<category><![CDATA[HxD]]></category>
		<category><![CDATA[LastActivityView]]></category>
		<category><![CDATA[Linux ‘dd’]]></category>
		<category><![CDATA[mobile forensics]]></category>
		<category><![CDATA[NetSleuth]]></category>
		<category><![CDATA[Oxygen Forensics Suite]]></category>
		<category><![CDATA[P2 eXplorer]]></category>
		<category><![CDATA[PlainSight]]></category>
		<category><![CDATA[ProDiscover Basic]]></category>
		<category><![CDATA[RedLine]]></category>
		<category><![CDATA[SANS Investigative Forensic Toolkit]]></category>
		<category><![CDATA[The Sleuth Kit]]></category>
		<category><![CDATA[Volatility]]></category>
		<category><![CDATA[Xplico]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=10821</guid>
		<description><![CDATA[Here are 20 of the best free tools that will help you conduct a digital forensic investigation. Whether it’s for an internal human resources case, an investigation into unauthorized access to a server, or if you just want to learn &#8230;]]></description>
				<content:encoded><![CDATA[<p>Here are 20 of the best free tools that will help you conduct a digital forensic investigation. Whether it’s for an internal human resources case, an investigation into unauthorized access to a server, or if you just want to learn a new skill, these suites and utilities will help you conduct memory forensic analysis, hard drive forensic analysis, forensic image exploration, forensic imaging and mobile forensics. As such, they all provide the ability to bring back in-depth information about what’s “under the hood” of a system.</p>
<p>This is by no means an exhaustive list and may not cover everything you need for your investigation. You might also need additional utilities such as file viewers, hash generators, and text editors – check out <b><a href="http://www.gfi.com/blog/101-free-admin-tools/">101 Free Admin Tools</a></b> for some of these. My articles on <b><a href="http://www.gfi.com/blog/top-10-free-system-troubleshooting-tools-for-sysadmins/">Top 10 Free Troubleshooting Tools for SysAdmins</a></b>, <b><a href="http://www.gfi.com/blog/the-top-20-free-network-monitoring-and-analysis-tools-for-sys-admins/">Top 20 Free Network Monitoring and Analysis Tools for Sys Admins</a> </b>and <b><a href="http://www.gfi.com/blog/the-top-20-free-file-management-tools-for-sys-admins/">Top 20 Free File Management Tools for Sys Admins</a> </b>might also come in handy, since they contain a bunch of tools that can be used for digital forensic investigations (e.g. BackTrack and the SysInternals Suite or the NirSoft Suite of tools).</p>
<p>Even if you have heard of some of these tools before, I’m confident that you’ll find a gem or two amongst this list.</p>
<h2><b><a href="http://computer-forensics.sans.org/community/downloads">01 SANS SIFT</a></b></h2>
<p>The SANS Investigative Forensic Toolkit (SIFT) is an Ubuntu based Live CD which includes all the tools you need to conduct an in-depth forensic or incident response investigation. It supports analysis of Expert Witness Format (E01), Advanced Forensic Format (AFF), and RAW (dd) evidence formats. SIFT includes tools such as log2timeline for generating a timeline from system logs, Scalpel for data file carving, Rifiuti for examining the recycle bin, and lots more.</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/09/01-SANS-SIFT.jpg"><img class="aligncenter  wp-image-10822" alt="01 SANS SIFT" src="http://www.gfi.com/blog/wp-content/uploads/2013/09/01-SANS-SIFT.jpg" width="402" height="221" /></a></p>
<p>When you first boot into the SIFT environment, I suggest you explore the documentation on the desktop to help you become accustomed to what tools are available and how to use them. There is also a good explanation of where to find evidence on a system. Use the top menu bar to open a tool, or launch it manually from a terminal window.</p>
<h2><b><a href="http://www.techpathways.com/desktopdefault.aspx?tabindex=8&amp;tabid=14">02 ProDiscover Basic</a></b></h2>
<p>ProDiscover Basic is a simple digital forensic investigation tool that allows you to image, analyse and report on evidence found on a drive. Once you add a forensic image you can view the data by content or by looking at the clusters that hold the data. You can also search for data using the Search node based on the criteria you specify.</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/09/02-ProDiscover-Basic.jpg"><img class="aligncenter  wp-image-10823" alt="02 ProDiscover Basic" src="http://www.gfi.com/blog/wp-content/uploads/2013/09/02-ProDiscover-Basic.jpg" width="472" height="251" /></a></p>
<p>When you launch ProDiscover Basic you first need to create or load a project and add evidence from the ‘Add’ node. You can then use the ‘Content View’ or ‘Cluster View’ nodes to analyse the data and the Tools menu to perform actions against the data. Click the ‘Report’ node to view important information about the project.</p>
<h2><b><a href="https://www.volatilesystems.com/default/volatility">03 Volatility</a></b></h2>
<p>Volatility is a memory forensics framework for incident response and malware analysis that allows you to extract digital artefacts from volatile memory (RAM) dumps. Using Volatility you can extract information about running processes, open network sockets and network connections, DLLs loaded for each process, cached registry hives, process IDs, and more.</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/09/03-Volatility.jpg"><img class="aligncenter  wp-image-10824" alt="03 Volatility" src="http://www.gfi.com/blog/wp-content/uploads/2013/09/03-Volatility.jpg" width="473" height="113" /></a></p>
<p>If you are using the standalone Windows executable version of Volatility, simply place volatility-2.1.standalone.exe into a folder and open a command prompt window. From the command prompt, navigate to the location of the executable file and type “volatility-2.1.standalone.exe -f &lt;FILENAME&gt; --profile=&lt;PROFILENAME&gt; &lt;PLUGINNAME&gt;” without quotes (note the single dash before f and the double dash before profile) – FILENAME is the name of the memory dump file you wish to analyse, PROFILENAME is the Volatility profile matching the operating system version and architecture of the machine the dump was taken from (e.g. Win7SP1x86), and PLUGINNAME is the name of the plugin you wish to use to extract information. If you don’t know which profile to use, run the imageinfo plugin against the dump first; it lists the profiles that appear to match.</p>
<p><b>Note:</b> In the example above I am using the ‘connscan’ plugin to search the physical memory dump for TCP connection information.</p>
<h2><b><a href="http://www.sleuthkit.org/">04 The Sleuth Kit (+Autopsy)</a></b></h2>
<p>The Sleuth Kit is an open source digital forensics toolkit that can be used to perform in-depth analysis of various file systems. Autopsy is essentially a GUI that sits on top of The Sleuth Kit. It comes with features like Timeline Analysis, Hash Filtering, File System Analysis and Keyword Searching out of the box, with the ability to add other modules for extended functionality.</p>
<p><b>Note: </b>The Sleuth Kit’s command-line tools run on Linux (and other platforms), while at the time of writing the Autopsy 3 GUI is a Windows application, so pick whichever suits the box you are analysing from.</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/09/1.jpg"><img class="aligncenter  wp-image-10827" alt="1" src="http://www.gfi.com/blog/wp-content/uploads/2013/09/1.jpg" width="506" height="311" /></a></p>
<p>When you launch Autopsy, you can choose to create a new case or load an existing one. If you choose to create a new case you will need to load a forensic image or a local disk to start your analysis. Once the analysis process is complete, use the nodes on the left hand pane to choose which results to view.</p>
<h2><b><a href="http://www.accessdata.com/support/product-downloads">05 FTK Imager</a></b></h2>
<p>FTK Imager is a data preview and imaging tool that allows you to examine files and folders on local hard drives, network drives, CDs/DVDs, and review the content of forensic images or memory dumps. Using FTK Imager you can also create SHA1 or MD5 hashes of files, export files and folders from forensic images to disk, review and recover files that were deleted from the Recycle Bin (providing that their data blocks haven’t been overwritten), and mount a forensic image to view its contents in Windows Explorer.</p>
<p><b>Note:</b> There is a portable version of FTK Imager that will allow you to run it from a USB disk.</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/09/2.jpg"><img class="aligncenter  wp-image-10829" alt="2" src="http://www.gfi.com/blog/wp-content/uploads/2013/09/2.jpg" width="507" height="460" /></a></p>
<p>When you launch FTK Imager, go to ‘File &gt; Add Evidence Item…’ to load a piece of evidence for review. To create a forensic image, go to ‘File &gt; Create Disk Image…’ and choose which source you wish to forensically image.</p>
<h2><b>06 Linux ‘dd’</b></h2>
<p>dd comes by default on the majority of Linux distributions available today (e.g. Ubuntu, Fedora). This tool can be used for various digital forensic tasks such as forensically wiping a drive (zero-ing out a drive) and creating a raw image of a drive.</p>
<p><b>Note:</b> dd is a very powerful tool that can have devastating effects if not used with care. It is recommended that you experiment in a safe environment before using this tool in the real world.</p>
<p><b>Tip:</b> A modified version of dd is available from <a href="http://sourceforge.net/projects/dc3dd/">http://sourceforge.net/projects/dc3dd/</a> &#8211; dc3dd includes additional features that were added specifically for digital forensic acquisition tasks.</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/09/3.jpg"><img class="aligncenter  wp-image-10831" alt="3" src="http://www.gfi.com/blog/wp-content/uploads/2013/09/3.jpg" width="490" height="313" /></a></p>
<p>To use dd, open a terminal window and type dd followed by a set of parameters (which parameters you need obviously depends on what you want to do). The basic dd syntax for forensically wiping a drive is:</p>
<p>dd if=/dev/zero of=/dev/sdb1 bs=1024</p>
<p>where if = input file, of = output file, bs = block size (the number of bytes read and written per operation)</p>
<p><b>Note:</b> Replace /dev/sdb1 with the device you want to forensically wipe and 1024 with the block size you want to write out. Be aware that /dev/sdb1 is the first partition on the second disk; to wipe or image an entire disk, including the partition table and any unallocated space between partitions, use the whole-disk device (/dev/sdb). Double-check the device name (for example with lsblk or fdisk -l) before pressing Enter, because dd will happily overwrite the wrong disk.</p>
<p>The basic dd syntax for creating a forensic image of a drive is:</p>
<p>dd if=/dev/sdb1 of=/home/andrew/newimage.dd bs=512 conv=noerror,sync</p>
<p>where if = input file (or in this case drive), of = output file, bs = block size, conv = conversion options. conv=noerror tells dd to continue past read errors instead of aborting, and conv=sync pads any block that could not be read with zeros so that every byte in the image stays at the same offset as on the source drive. When acquiring evidence, attach the source drive through a hardware write blocker (or at the very least make sure it is never mounted read-write), and record a hash of both the source and the image so that you can show the copy is complete and unaltered.</p>
<p><b>Tip:</b> For additional usage info, from a terminal window, type “man dd” without quotes to bring up the help manual for the dd command.</p>
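<p>As an added example (not part of the original post), the following POSIX shell functions wrap the imaging command above and add the hash verification step. They assume GNU coreutils (dd, sha256sum, cut) and that the source has already been attached read-only; the device and case paths in the comments are placeholders. Because conv=sync pads the last partial block with zeros, the image hash only equals the source hash when the source length is a multiple of the block size, which is always the case for a whole disk or partition but not necessarily for an arbitrary file.</p>

```shell
# Added example: raw acquisition with dd plus hash verification.
# Assumes GNU coreutils (dd, sha256sum, cut). Device names are placeholders.

# hash_of FILE -> SHA-256 of FILE as a hex string
hash_of() {
  sha256sum "$1" | cut -d' ' -f1
}

# acquire_image SOURCE IMAGE [BLOCKSIZE]
# Copies SOURCE (e.g. /dev/sdb, a whole disk) to IMAGE. conv=noerror keeps
# going past read errors and conv=sync zero-pads unreadable blocks, so every
# byte in IMAGE sits at the same offset as on SOURCE. dd's own statistics and
# any read-error messages stay on stderr so the examiner sees them. The image
# hash is stored beside the image and printed.
acquire_image() {
  src="$1"; img="$2"; bs="${3:-512}"
  dd if="$src" of="$img" bs="$bs" conv=noerror,sync || return 1
  hash_of "$img" > "$img.sha256"
  cat "$img.sha256"
}

# verify_image SOURCE IMAGE -> exit 0 only if SOURCE, IMAGE and the stored
# hash all agree; any mismatch means the copy is incomplete or was altered.
verify_image() {
  src="$1"; img="$2"
  stored=$(cat "$img.sha256") || return 1
  [ "$(hash_of "$src")" = "$stored" ] && [ "$(hash_of "$img")" = "$stored" ]
}

# Usage on a real drive (placeholder paths; make sure the device is right):
#   acquire_image /dev/sdb /cases/case01/sdb.dd 4096
#   verify_image  /dev/sdb /cases/case01/sdb.dd && echo "image verified"
```

<p>Re-running verify_image later against the stored .sha256 file is how you show in a report that the image you analysed is the one you acquired; a single flipped byte makes it fail.</p>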
<h2><b><a href="http://www.caine-live.net/page5/page5.html">07 CAINE</a></b></h2>
<p>CAINE (Computer Aided INvestigative Environment) is a Linux Live CD that contains a wealth of digital forensic tools. Features include a user-friendly GUI, semi-automated report creation and tools for Mobile Forensics, Network Forensics, Data Recovery and more.</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/09/4.jpg"><img class="aligncenter  wp-image-10832" alt="4" src="http://www.gfi.com/blog/wp-content/uploads/2013/09/4.jpg" width="508" height="382" /></a></p>
<p>When you boot into the CAINE Linux environment, you can launch the digital forensic tools from the CAINE interface (shortcut on the desktop) or from each tool’s shortcut in the ‘Forensic Tools’ folder on the applications menu bar.</p>
<h2><b><a href="http://www.oxygen-forensic.com/en/download/freeware">08 Oxygen Forensic Suite 2013 Standard</a></b></h2>
<p>If you are investigating a case that requires you to gather evidence from a mobile phone to support your case, Oxygen Forensics Suite (Standard Edition) is a tool that will help you achieve this. Features include the ability to gather Device Information (Manufacturer, OS Platform, IMEI, Serial Number, etc.), Contacts, Messages (Emails, SMS, MMS, etc.) and recovery of deleted messages, Call Logs, and Calendar and Task information. It also comes with a file browser which allows you to access and analyse user photos, videos, documents and device databases.</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/09/5.jpg"><img class="aligncenter  wp-image-10833" alt="5" src="http://www.gfi.com/blog/wp-content/uploads/2013/09/5.jpg" width="507" height="354" /></a></p>
<p>When you launch Oxygen Forensic Suite, hit the ‘Connect new device’ button on the top menu bar to launch the Oxygen Forensic Extractor wizard that guides you through selecting the device and type of information you wish to extract.</p>
<h2><b><a href="http://www.hhdsoftware.com/free-hex-editor">09 Free Hex Editor Neo</a></b></h2>
<p>Free Hex Editor Neo is a basic hex editor that was designed to handle very large files. While a lot of the additional features are found in the commercial versions of Hex Editor Neo, I find this tool useful for loading large files (e.g. database files or forensic images) and performing actions such as manual data carving, low-level file editing, information gathering, or searching for hidden data.</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/09/9.jpg"><img class="aligncenter  wp-image-10834" alt="9" src="http://www.gfi.com/blog/wp-content/uploads/2013/09/9.jpg" width="508" height="393" /></a></p>
<p>Use ‘File &gt; Open’ to load a file into Hex Editor Neo. The data will appear in the middle window where you can begin to navigate through the hex manually or press CTRL + F to run a search.</p>
<h2><b><a href="http://www.forensicswiki.org/wiki/Bulk_extractor">10 Bulk Extractor</a></b></h2>
<p>bulk_extractor is a computer forensics tool that scans a disk image, file, or directory of files and extracts information such as credit card numbers, domains, e-mail addresses, URLs, and ZIP files. The extracted information is output to a series of text files (which can be reviewed manually or analysed using other forensics tools or scripts).</p>
<p><b>Tip:</b> Within the output text files you will find entries for data that resemble a credit card number, e-mail address, domain name, etc. You will also see a decimal value in the first column of each line: this is the byte offset within the image at which the entry was found. Hex editors normally take offsets in hexadecimal, so convert it (for example, 1005 becomes 0x3ED) and jump to that address to view the data in context. Entries found inside compressed or encoded objects carry a longer forensic path (e.g. an offset followed by -ZIP-0) rather than a plain byte offset.</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/09/10.jpg"><img class="aligncenter  wp-image-10835" alt="10" src="http://www.gfi.com/blog/wp-content/uploads/2013/09/10.jpg" width="508" height="401" /></a></p>
<p>Bulk_extractor comes as a command-line tool or a GUI tool. In the example above I set bulk_extractor to extract information from a forensic image I took earlier and output the results to a folder called “BE_Output”. The results can then be viewed in the Bulk Extractor Viewer or in the output text files mentioned above.</p>
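<p>As an added example (not code from the original post or from the bulk_extractor project), the shell function below reads a bulk_extractor feature file and, for each plain decimal offset, prints the hexadecimal form you would jump to in a hex editor together with the raw bytes found at that position in the image, so you can confirm the hit against the evidence itself. It assumes GNU coreutils (dd, tr) and the tab-separated feature file layout bulk_extractor writes (offset, feature, context); lines whose first column is a forensic path such as 12-ZIP-0 are skipped, because those are positions inside a decompressed object rather than byte offsets in the raw image. The image and feature file named in the usage comment are placeholders.</p>

```shell
# Added example: turn bulk_extractor feature offsets into hex addresses and
# pull the bytes at those offsets out of the image for confirmation.
# Assumes GNU coreutils (dd, tr) and the tab-separated feature file layout
# written by bulk_extractor: offset, feature, context.

# carve_features IMAGE FEATUREFILE [WIDTH]
# Prints one line per feature: decimal offset, hex offset, feature text and
# WIDTH bytes read from IMAGE at that offset (non-printable bytes shown as '.').
carve_features() {
  img="$1"; feats="$2"; width="${3:-32}"
  tab=$(printf '\t')
  while IFS="$tab" read -r off feature ctx; do
    case "$off" in ''|\#*) continue ;; esac     # blank lines and banner comments
    case "$off" in *[!0-9]*) continue ;; esac   # forensic paths (e.g. 12-ZIP-0) are not raw offsets
    hex=$(printf '0x%X' "$off")
    bytes=$(dd if="$img" bs=1 skip="$off" count="$width" 2>/dev/null | tr -c '[:print:]' '.')
    printf '%s\t%s\t%s\t%s\n' "$off" "$hex" "$feature" "$bytes"
  done < "$feats"
}

# Usage (placeholder paths; feature files live in the bulk_extractor output
# directory, e.g. BE_Output/email.txt):
#   carve_features /cases/case01/sdb.dd BE_Output/email.txt 32
```

<p>Reading with bs=1 and skip=OFFSET is slow for thousands of hits, but it is exact and needs nothing beyond coreutils; for bulk review, the Bulk Extractor Viewer does the same lookup interactively.</p>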
<h2><b><a href="http://www.deftlinux.net/download/">11 DEFT</a></b></h2>
<p>DEFT is another Linux Live CD which bundles some of the most popular free and open source computer forensic tools available. It aims to help with Incident Response, Cyber Intelligence and Computer Forensics scenarios. Amongst others, it contains tools for Mobile Forensics, Network Forensics, Data Recovery, and Hashing.</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/09/11.jpg"><img class="aligncenter  wp-image-10836" alt="11" src="http://www.gfi.com/blog/wp-content/uploads/2013/09/11.jpg" width="508" height="384" /></a></p>
<p>When you boot using DEFT, you are asked whether you wish to load the live environment or install DEFT to disk. If you load the live environment you can use the shortcuts on the application menu bar to launch the required tools.</p>
<h2><b><a href="http://www.xplico.org/download">12 Xplico</a></b></h2>
<p>Xplico is an open source Network Forensic Analysis Tool (NFAT) that aims to extract applications data from internet traffic (e.g. Xplico can extract an e-mail message from POP, IMAP or SMTP traffic). Features include support for a multitude of protocols (e.g. HTTP, SIP, IMAP, TCP, UDP), TCP reassembly, and the ability to output data to a MySQL or SQLite database, amongst others.</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/09/12.jpg"><img class="aligncenter  wp-image-10837" alt="12" src="http://www.gfi.com/blog/wp-content/uploads/2013/09/12.jpg" width="508" height="259" /></a></p>
<p>Once you’ve installed Xplico, access the web interface by navigating to http://&lt;IPADDRESS&gt;:9876 and logging in with a normal user account. The first thing you need to do is create a case and add a new session. When you create a new session you can either load a PCAP file (acquired from Wireshark for example) or start a live capture. Once the session has finished decoding, use the navigation menu on the left hand side to view the results.</p>
<h2><b><a href="http://www.nirsoft.net/utils/computer_activity_view.html">13 LastActivityView</a></b></h2>
<p>I briefly touched on LastActivityView when pointing out the NirSoft suite of tools in my <a href="http://www.gfi.com/blog/top-10-free-system-troubleshooting-tools-for-sysadmins/" target="_blank"><b>Top 10 Free System Troubleshooting Tools for SysAdmins </b></a>article. LastActivityView allows you to view what actions were taken by a user and what events occurred on the machine. Any activities such as running an executable file, opening a file/folder from Explorer, an application or system crash or a user performing a software installation will be logged. The information can be exported to a CSV / XML / HTML file. This tool is useful when you need to prove that a user (or account) performed an action he or she said they didn’t.</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/09/13.jpg"><img class="aligncenter  wp-image-10838" alt="13" src="http://www.gfi.com/blog/wp-content/uploads/2013/09/13.jpg" width="507" height="293" /></a></p>
<p>When you launch LastActivityView, it will immediately start displaying a list of actions taken on the machine it is being run on. Sort by action time or use the search button to start investigating what actions were taken on the machine.</p>
<h2><b><a href="http://www.digital-forensic.org/">14 Digital Forensic Framework</a></b></h2>
<p>The Digital Forensics Framework (DFF) is a digital forensic investigation tool and a development platform that allows you to collect, preserve and reveal digital evidence. Amongst others, DFF&#8217;s features include the ability to read RAW, EWF and AFF forensic file formats, access local and remote devices, analyse registry, mailbox and file system data and recover hidden and deleted files.</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/09/14.jpg"><img class="aligncenter  wp-image-10839" alt="14" src="http://www.gfi.com/blog/wp-content/uploads/2013/09/14.jpg" width="507" height="282" /></a></p>
<p>When you launch DFF, you first need to load an evidence file (i.e. a forensic image you acquired previously) or open a device ready for analysis. You can then process the evidence file or device against one of the in-built modules to begin analysing data.</p>
<h2><b><a href="https://www.mandiant.com/resources/download/redline">15 Mandiant RedLine</a></b></h2>
<p>RedLine offers the ability to perform memory and file analysis of a specific host. It collects information about running processes and drivers from memory, and gathers file system metadata, registry data, event logs, network information, services, tasks, and Internet history to help build an overall threat assessment profile.</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/09/15.jpg"><img class="aligncenter  wp-image-10840" alt="15" src="http://www.gfi.com/blog/wp-content/uploads/2013/09/15.jpg" width="508" height="312" /></a></p>
<p>When you launch RedLine, you will be given a choice to Collect Data or Analyze Data. Unless you already have a memory dump file available, you’ll need to create a collector to gather data from the machine and let that process run through to completion. Once you have a memory dump file to hand you can begin your analysis.</p>
<h2><b><a href="http://www.plainsight.info/index.html">16 PlainSight</a></b></h2>
<p>PlainSight is a Live CD based on Knoppix (a Linux distribution) that allows you to perform digital forensic tasks such as viewing internet histories, data carving, USB device usage information gathering, examining physical memory dumps, extracting password hashes, and more.</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/09/16.jpg"><img class="aligncenter  wp-image-10841" alt="16" src="http://www.gfi.com/blog/wp-content/uploads/2013/09/16.jpg" width="509" height="383" /></a></p>
<p>When you boot into PlainSight, a window pops up asking you to select whether you want to perform a scan, load a file or run the wizard. Enter a selection to begin the data extraction and analysis process.</p>
<h2><b><a href="http://mh-nexus.de/en/hxd/">17 HxD</a></b></h2>
<p>HxD is one of my personal favourites. It is a user-friendly hex editor that allows you to perform low-level editing and modifying of a raw disk or main memory (RAM). HxD was designed with ease of use and performance in mind and can handle large files without issue. Features include searching and replacing, exporting, checksums/digests, an in-built file shredder, concatenation or splitting of files, generation of statistics and more.</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/09/17.jpg"><img class="aligncenter  wp-image-10842" alt="17" src="http://www.gfi.com/blog/wp-content/uploads/2013/09/17.jpg" width="473" height="451" /></a></p>
<p>From the HxD interface start your analysis by opening a file from ‘File &gt; Open’, loading a disk from ‘Extras &gt; Open disk…’ or loading a RAM process from ‘Extras &gt; Open RAM&#8230;’.</p>
<h2><b><a href="http://www.e-fense.com/products.php">18 HELIX3 Free</a></b></h2>
<p>HELIX3 is a Live CD based on Linux that was built to be used in Incident Response, Computer Forensics and E-Discovery scenarios. It is packed with a bunch of open source tools ranging from hex editors to data carving software to password cracking utilities, and more.</p>
<p><b>Note:</b> The HELIX3 version you need is 2009R1. This version was the last free version available before HELIX was taken over by a commercial vendor. HELIX3 2009R1 is still valid today and makes for a useful addition to your digital forensics toolkit.</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/09/18.jpg"><img class="aligncenter  wp-image-10843" alt="18" src="http://www.gfi.com/blog/wp-content/uploads/2013/09/18.jpg" width="475" height="359" /></a></p>
<p>When you boot using HELIX3, you are asked whether you want to load the GUI environment or install HELIX3 to disk. If you choose to load the GUI environment directly (recommended), a Linux-based screen will appear giving you the option to run the graphical version of the bundled tools.</p>
<h2><b><a href="http://netgrab.co.uk/netsleuth/download-netsleuth/">19 NetSleuth</a></b></h2>
<p>NetSleuth is a network forensics analysis tool that identifies devices on your network. It operates in &#8216;live&#8217; mode (where it will actively capture network packets and interpret device information) or in &#8216;offline&#8217; mode where it will process a PCAP file that you import.</p>
<p><b>Note: </b>At the time of writing, NetSleuth is in BETA. It is not recommended that you run this in a production environment. It made this list because it promises to be a handy addition to your forensic toolkit. The author of this tool is currently asking for feedback from the community so now is your chance to contribute!</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/09/19.jpg"><img class="aligncenter  wp-image-10844" alt="19" src="http://www.gfi.com/blog/wp-content/uploads/2013/09/19.jpg" width="475" height="295" /></a></p>
<p>When you launch NetSleuth, you can either initiate a ‘live’ analysis from the Live Capture tab, or load a PCAP file from the Offline Analysis tab. Once NetSleuth has identified at least one device, you can double click on it to open the Device Information window.</p>
<h2><strong><b><a href="http://www.paraben.com/p2-explorer.html">20 P2 eXplorer Free</a></b></strong></h2>
<p>P2 eXplorer is a forensic image mounting tool that allows you to mount a forensic image as a physical disk and view the contents of that image in Windows Explorer or load it into an external forensic analysis tool. P2 eXplorer supports images in RAW, DD, IMG, EX01, SMART and SafeBack format, amongst others.</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/09/20.jpg"><img class="aligncenter  wp-image-10845" alt="20" src="http://www.gfi.com/blog/wp-content/uploads/2013/09/20.jpg" width="475" height="295" /></a></p>
<p>When you launch P2 eXplorer, choose an available drive letter to mount the image to and click ‘File &gt; Mount Image…’ to choose the image to mount. Once the image has been mounted, double click on the associated drive letter to view the contents of that image in Windows Explorer.</p>
<p><b>Tip:</b> In <b><a href="http://www.gfi.com/blog/top-20-free-disk-tools-for-sysadmins/">Top 20 Free Disk Tools for SysAdmins</a></b> I mentioned another image mounting tool called OSFMount. OSFMount is very similar to P2 eXplorer but also supports the mounting of VMware disk files and the creation of RAM disks. Part of the OSFMount family is a digital forensics suite called OSForensics – the freeware version of this application is available for personal, educational or home use to allow you to experiment and become acquainted with digital forensics concepts.</p>
<p><strong><em>Like our posts? Subscribe to our <a href="http://feeds.feedburner.com/TalkTechToMe-All">RSS feed</a> or email feed (on the right hand side) now, and be the first to get them!</em></strong></p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/top-20-free-digital-forensic-investigation-tools-for-sysadmins/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Hackers Find the Internet a Target-Rich Environment Thanks to Poor Patch Management</title>
		<link>http://www.gfi.com/blog/hackers-find-the-internet-a-target-rich-environment-thanks-to-poor-patch-management/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=hackers-find-the-internet-a-target-rich-environment-thanks-to-poor-patch-management</link>
		<comments>http://www.gfi.com/blog/hackers-find-the-internet-a-target-rich-environment-thanks-to-poor-patch-management/#comments</comments>
		<pubDate>Fri, 23 Aug 2013 15:38:58 +0000</pubDate>
		<dc:creator>Christina Goggi</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[TTTM]]></category>
		<category><![CDATA[BYOD]]></category>
		<category><![CDATA[CMS]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[Legacy Systems]]></category>
		<category><![CDATA[Mobile Devices]]></category>
		<category><![CDATA[patch management]]></category>
		<category><![CDATA[patch management software]]></category>
		<category><![CDATA[Remote workstations]]></category>
		<category><![CDATA[vulnerability scanners]]></category>
		<category><![CDATA[vulnerability scanning]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=10793</guid>
		<description><![CDATA[You would think that with things like automatic updates, applications that can automatically patch themselves, and the constant media attention towards security, hackers would be a dying breed, bereft of targets which they can exploit. Unfortunately, poor patch management practices &#8230;]]></description>
				<content:encoded><![CDATA[<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/08/hackers-poor-patch-management.jpg"><img class="alignright  wp-image-10794" style="border: 0px solid black; margin: 10px;" alt="hackers-poor-patch-management" src="http://www.gfi.com/blog/wp-content/uploads/2013/08/hackers-poor-patch-management.jpg" width="140" height="140" /></a>You would think that with things like automatic updates, applications that can patch themselves, and the constant media attention on security, hackers would be a dying breed, bereft of targets to exploit. Unfortunately, poor patch management practices across the board mean that the ever-growing number of connected devices provides hackers with an endless supply of fresh victims.<span id="more-10793"></span></p>
<h2>Mobile Devices</h2>
<p>The rampant growth of smartphones provides hackers plenty of opportunity to find victims. Whether a system is running Android, iOS, Windows Phone, or BlackBerry, updating the operating systems is typically handled by the carrier, with little to no capability for the device owner to manage updates themselves, whether the owner is a consumer or an enterprise. And while the mobile platforms all do a good job of checking for updates to installed applications, it is often up to the user to actually deploy those updates, so it is not unusual to find a mobile device in need of multiple updates at any point in time. MDM (Mobile Device Management) products can help with this, but they can also be costly to implement and maintain, and challenging to use when you also want to support BYOD (Bring Your Own Device) or multiple devices and platforms. Vulnerability scanning of mobile devices connecting to your network, whether on the internal Wi-Fi or to applications over the Internet, can help sys admins identify systems requiring remediation – reducing the risk to corporate data.</p>
<h2>CMS</h2>
<p>Almost everyone these days has a blog, and almost no one these days manages the underlying platform that hosts their blog. WordPress and Joomla together account for the Content Management System (CMS) running on thousands of systems hosting over a million websites. Typically, blog hosts will maintain the underlying operating system, but leave updating the CMS and plugins to the customer. And since both WordPress and Joomla make it very easy to ignore that your blog hasn’t been backed up for weeks while you’re still publishing content daily, it’s very easy for a CMS to quickly fall out of spec. Since many vulnerabilities can be identified by certain basic strings, an attacker can find a new victim to exploit faster than they can order a pizza online. These CMS platforms can end up hosting spam links or malware that can then spread to site visitors. Vulnerability scanning and patching plugins should be a default addition to all sites, and CMS vendors should offer an option to automatically update for users who have “more important” things to do than check their blogs for updates.</p>
<h2>BYOD</h2>
<p>Bring Your Own Device initiatives are cropping up in every industry and market segment. As users want to use their platform of choice, enterprises are looking at ways to secure their infrastructure and data, while leaving BYOD device patching to the Y’s in the acronym. Unfortunately that is a short-sighted approach, since compromised devices can be used to steal credentials that can then be used to access more traditional systems, or to intercept data as it is accessed by the BYOD device. As with mobile devices, vulnerability scanners should be used regularly by enterprises, and IT should take a proactive role in helping users to secure and maintain their own devices. You can spend time helping a user update their tablet, or you can spend time recovering from a data breach caused by a device that has not been updated for some time. The choice is yours.</p>
<h2>Remote Workstations</h2>
<p>As good as most enterprises are at securing and updating their workstations and servers that are on the corporate network, most are abysmally bad at addressing machines belonging to remote users. It’s not uncommon to hear about <i>annual</i> meetings where everyone is required to bring in their laptop so IT can update and patch it. <i>ANNUALLY???</i> With new vulnerabilities being discovered daily, I would rather just start with formatting a drive on a machine that hasn’t been cared for in almost a year, as it would be faster and more reliable to just flatten it than to try and clean it. Remote devices need attention too, and companies must leverage distributed systems, agents, or automatic updates to help ensure these devices stay secure. Rather than leaving things to chance, deploy a patch management system that can handle remote devices, or <i>require</i> that remote users connect to VPN regularly in order for their devices to receive updates and be scanned for vulnerabilities.</p>
<h2>Legacy Systems</h2>
<p>Legacy systems are the worst of the lot, as vendors have probably declared these systems to be end of life, and no longer offer updates to fix vulnerabilities. Many have vulnerabilities for which patches were released, but because they date from an earlier time they were never updated as they should have been, and those patches are no longer readily available. Attackers regularly find ways to compromise networks and systems by first gaining a foothold on a legacy system. Companies must plan for replacing systems before they become obsolete, or sandbox them to restrict access and reduce the chance of compromise.</p>
<h2>Call to action</h2>
<p>There are several things that must be done to reduce the threat to users, data and systems. The responsibilities must be shared by enterprises, vendors, and end users alike. Securing data is not enough; platforms and devices must be secured as well. Companies should ensure that all devices within their reach are secure, whether owned by the company or by the end user. Vendors of mobile devices need to be sure they deploy security updates immediately, rather than waiting until they are ready to push out a major refresh to phones on their network. Apps should either automatically update, or reduce functionality until the user updates them, and systems that are not well managed, like CMS platforms and remote users’ workstations, should by default automatically update.</p>
<p>To better ensure administrators are aware of their exposure, they should regularly run security vulnerability scans against anything on their network. <a href="http://www.gfi.com/land/Home/adv/lanss/Scan-your-network-effortlessly?adv=13558&amp;loc=49 " target="_blank">Patch management software</a> can update and report on all systems within their administrative control, and should be a mandatory part of any infrastructure.</p>
<p>And non-technical end users must take active roles in securing their own devices. If they can buy them, power them on, and connect them to the Internet, then they can check for and install updates as long as vendors build in obvious and easy to use tools. Call it security’s easy button.</p>
<p>Securing systems is in everyone’s best interest. Do your part, and encourage others to do theirs.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/hackers-find-the-internet-a-target-rich-environment-thanks-to-poor-patch-management/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Windows® 8.1: Is it Enough to Drive Enterprise Adoption?</title>
		<link>http://www.gfi.com/blog/windows-8-1-is-it-enough-to-drive-enterprise-adoption/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=windows-8-1-is-it-enough-to-drive-enterprise-adoption</link>
		<comments>http://www.gfi.com/blog/windows-8-1-is-it-enough-to-drive-enterprise-adoption/#comments</comments>
		<pubDate>Tue, 13 Aug 2013 15:32:30 +0000</pubDate>
		<dc:creator>Debra Littlejohn Shinder</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[TTTM]]></category>
		<category><![CDATA[BYOD]]></category>
		<category><![CDATA[Enterprise]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Windows 8]]></category>
		<category><![CDATA[Windows 8.1]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=10772</guid>
		<description><![CDATA[Some of my fellow “oldies but goodies” may remember a family sitcom from the late 1970s called “Eight is Enough.” Unfortunately for Microsoft™, that adage hasn’t proven true in regard to their latest operating system. After a wave of enthusiasm &#8230;]]></description>
				<content:encoded><![CDATA[<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/08/Windows-8.1.jpg"><img class="wp-image-10773 alignright" style="border: 0px solid black; margin: 10px;" alt="Windows-8.1" src="http://www.gfi.com/blog/wp-content/uploads/2013/08/Windows-8.1.jpg" width="288" height="198" /></a>Some of my fellow “oldies but goodies” may remember a family sitcom from the late 1970s called “Eight is Enough.” Unfortunately for Microsoft™, that adage hasn’t proven true in regard to their latest operating system. After a wave of enthusiasm from testers and some rave reviews from pundits during the beta period, Windows 8 more or less fizzled. Sales have been less than spectacular on the consumer front, and according to a recent article on the Betanews.com web site, six months after the official launch only slightly more than one-half of one percent of enterprise computers were running Windows 8.<span id="more-10772"></span></p>
<p>I’ve been using Windows 8 since early betas and overall, I like it. It’s faster and smoother and I appreciate tools like the new Task Manager as well as its enhanced support for multiple monitors. But I know I’m not the typical user. And although I like the touch-friendly UI on my Surface tablet, I sometimes find it frustrating when I’m working with my desktop system that has three large monitors that aren’t touch-enabled. The vast majority of business computers are still desktops without touch, so I can understand why they’re hesitant to upgrade.</p>
<p>Now Microsoft is heavily marketing the first major update, Windows 8.1, to businesses. Many of the new features seem designed to appeal to enterprise customers. Will it be enough to win companies over?  Or will Windows 7 turn into the new XP, with companies hanging onto it for a decade?</p>
<p>At TechEd 2013 in New Orleans, Microsoft revealed the details about new and improved features that will come with the Windows 8.1 update (formerly known by its code name “Blue”). Some of those features are more focused on consumers while others will appeal to business users, making them more productive in the office and on the road.</p>
<p>By now, everyone knows that Windows 8.1 brings back the Start button on the desktop – but not the Start menu. The button will take you back to the Windows 8 Start screen, which can be configured to display the All Apps screen instead of the live tiles for those who prefer it. While this falls short of what many “8 haters” were hoping for, it should make the learning curve slightly less steep for users who are encountering the new operating system for the first time – and in the business world, that means fewer help desk calls.</p>
<p>Another much-asked-for addition to Windows 8.1 is the ability to configure settings so that the computer will boot directly to the desktop, without installing a third party application. Business users, especially, may prefer to bypass the Windows 8 tiled Start screen and spend most of their computing time in the more familiar Windows desktop environment, and this makes it easier to do that.</p>
<p>The improvements to VPN functionality will benefit business users, as now Windows 8.1 will automatically prompt them to log into the VPN if an app needs to access resources that are accessed through the VPN. That applies to third party VPNs, too.  And users who are traveling on business will appreciate the ability to easily turn their Windows 8.1 laptops/tablets into wi-fi hotspots to which they can tether their phones or additional tablets and laptops to share a single Internet connection.</p>
<p>IT admins will appreciate the new “workplace join” feature that gives them more fine-tuned control over resources on the company network and users will like that it allows them to work from more of their devices. It works by providing a way to register devices that aren’t full-fledged domain members so that they get access to needed resources without compromising IT’s control. In addition, devices that aren’t domain members can now sync with file shares located on the corporate network through the Work Folders feature and IT can enforce Dynamic Access Control policies and Rights Management.</p>
<p>For those companies deploying a Virtual Desktop Infrastructure (VDI), Windows 8.1 has made improvements to the VDI user experience. It’s now faster, RemoteApps behave more like local apps, and multiple monitor support has been improved.</p>
<p>Perhaps most important of all for businesses, there are a number of improvements to security features baked into Windows 8.1. The new version of IE (11) has a new antimalware scanning capability of binary extensions such as ActiveX before executing the code and Windows Defender gets network behavior monitoring to help better detect malware.</p>
<p>Businesses will be able to wipe corporate data from a user’s device without wiping personal data, which is important in this BYOD era. Assigned Access allows you to set up particular devices for a specific purpose and lock them down to run a single app, which can be useful in a kiosk environment and other situations. Biometric (fingerprint) support has been improved, too, to work with Windows logon, remote access, UAC and so forth.</p>
<p>That’s a hefty basket of goodies to attempt to lure companies into upgrading (and there are more, such as NFC printing and Wi-Fi direct printing and wireless projection). What Microsoft didn’t include, despite user pleas (the old-style Start menu) can be added with third party solutions such as Start 8 to make the upgrade transition easier for users. However, many companies have fallen into an “every other new OS” pattern of upgrading after skipping Windows Vista and going directly from XP to Windows 7.  Will they see Windows 8.1 as enough of a “new” OS to fit into that pattern?  When Windows 8.1 is released this fall, we’ll begin to find out.</p>
<p><em><strong>Like our posts? Subscribe to our <a href="http://feeds.feedburner.com/TalkTechToMe-All">RSS feed</a> or email feed (on the right hand side) now, and be the first to get them! </strong></em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/windows-8-1-is-it-enough-to-drive-enterprise-adoption/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Top 10 Free System Troubleshooting Tools for SysAdmins</title>
		<link>http://www.gfi.com/blog/top-10-free-system-troubleshooting-tools-for-sysadmins/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=top-10-free-system-troubleshooting-tools-for-sysadmins</link>
		<comments>http://www.gfi.com/blog/top-10-free-system-troubleshooting-tools-for-sysadmins/#comments</comments>
		<pubDate>Sun, 28 Jul 2013 13:00:45 +0000</pubDate>
		<dc:creator>Andrew Zammit Tabona</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[TTTM]]></category>
		<category><![CDATA[AccExp]]></category>
		<category><![CDATA[CurrPorts]]></category>
		<category><![CDATA[Joeware Utilities]]></category>
		<category><![CDATA[LastActivityView]]></category>
		<category><![CDATA[Microsoft Fix It Solution Center]]></category>
		<category><![CDATA[Microsoft SysInternals Suite]]></category>
		<category><![CDATA[NirLauncher]]></category>
		<category><![CDATA[PowerShell Troubleshooting Packs]]></category>
		<category><![CDATA[Problem Steps Recorder]]></category>
		<category><![CDATA[psr.exe]]></category>
		<category><![CDATA[Reliability Monitor]]></category>
		<category><![CDATA[SidToName]]></category>
		<category><![CDATA[SysAdmins]]></category>
		<category><![CDATA[system troubleshooting]]></category>
		<category><![CDATA[system troubleshooting tools]]></category>
		<category><![CDATA[troubleshooting tools]]></category>
		<category><![CDATA[USBDeview]]></category>
		<category><![CDATA[WELT]]></category>
		<category><![CDATA[WinAudit]]></category>
		<category><![CDATA[WSCC]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=10733</guid>
		<description><![CDATA[To conclude our SysAdmin Week series, we thought of sharing 10 of the best free tools / packages for troubleshooting system issues – one of the biggest headaches for sys admins! These tools should help you, as an admin, to &#8230;]]></description>
				<content:encoded><![CDATA[<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/FBSysAdminWeekday7.jpg"><img class=" wp-image-10751 alignright" style="border: 0px solid black; margin: 10px;" alt="FBSysAdminWeekday7" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/FBSysAdminWeekday7-300x300.jpg" width="240" height="240" /></a>To conclude our SysAdmin Week series, we thought we would share 10 of the best free tools / packages for troubleshooting system issues – one of the biggest headaches for sys admins! These tools should help you, as an admin, to fix the problem or identify the root cause more quickly. You can either use these tools yourself, or provide them to a user who is experiencing the issue, for them to gather the information needed. Even if you have heard of some of these tools before, I’m confident that you’ll find a gem or two on this list.<span id="more-10733"></span></p>
<h2>1. <a href="http://support.microsoft.com/fixit/">Microsoft Fix It Solution Center</a></h2>
<p>The Microsoft Fix It Solution Center is an online tool that helps you to quickly find and fix common system issues. Once you’ve entered the symptoms, you can either download an executable to automatically fix the issue or be directed to a relevant Microsoft Knowledge Base article that explains the cause and the recommended workaround.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/MicrosoftFixIt1.png"><img class="aligncenter size-medium wp-image-10735" alt="MicrosoftFixIt" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/MicrosoftFixIt1-300x269.png" width="300" height="269" /></a></p>
<p>To use the Microsoft Fix It Solution Center, simply open <a href="http://support.microsoft.com/fixit/">http://support.microsoft.com/fixit/</a> in a web browser, select a problem area from “Step 1”, choose what type of problem you are trying to fix from the list in “Step 2” and then choose which solution you’d like to execute or learn more about from “Step 3”.</p>
<h2>2. Problem Steps Recorder</h2>
<p>Hidden away in Windows 7 / Windows 2008 and above is a neat little utility called Problem Steps Recorder (psr.exe). The Problem Steps Recorder will record the step-by-step interactions that occur while the user replicates the problem, taking screenshots of every action. It then bundles all this into a report with detailed information and any relevant error logs.</p>
<p>This tool is great if you have a user in your environment who is experiencing an issue that you want to gain more information about and the steps they took to reproduce the problem, or if you want to create a report to send to a third party vendor as part of a support case.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/ProblemStepsRecorder.png"><img class="aligncenter size-medium wp-image-10736" alt="ProblemStepsRecorder" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/ProblemStepsRecorder-300x46.png" width="300" height="46" /></a></p>
<p>To launch the Problem Steps Recorder, go to the Start menu and type “psr.exe”. Click “Start Record” and the tool will record every interaction from then on. You can add comments during the recording process and then click “Stop Record” to save the report as an *.mht file within a zip archive.</p>
<h2>3. Reliability Monitor</h2>
<p>Windows Vista / 2008 and above include a tool called Reliability Monitor. This tool provides an overview of overall system stability and details about events that can impact reliability. The idea is to pinpoint any troublesome areas and take steps to improve system reliability based on what you learn (e.g. you might identify a trend in a certain application crashing when opening a certain file type).</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/MicrosoftReliabilityMonitor.png"><img class="aligncenter size-medium wp-image-10737" alt="MicrosoftReliabilityMonitor" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/MicrosoftReliabilityMonitor-300x175.png" width="300" height="175" /></a></p>
<p>To run the Microsoft Reliability Monitor, go to the Start menu and type ‘Reliability’. This will bring up a “View reliability history” shortcut. Clicking on this shortcut will launch the Reliability Monitor directly. You can also launch this tool from the Performance Monitor tool by right clicking on Monitoring Tools and selecting “View system reliability”.</p>
<p>Start by selecting whether you want to view information by Days or Weeks, and then click on a specific area within the graph to view information in the bottom pane. Once you’ve viewed reliability history for a specified period, you can choose to save the information to a file, view a list of all problem reports and check for solutions to problems.</p>
<h2>4. <a href="http://www.gunnerinc.com/welt.htm">WELT (Windows Error Lookup Tool)</a></h2>
<p>When troubleshooting issues, you may come across Win32, HRESULT, NTSTATUS or STOP error codes which are likely to mean nothing to you or me. Using WELT you can find out what the error code means in plain English and what it relates to.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/WELT.png"><img class="aligncenter size-medium wp-image-10738" alt="WELT" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/WELT-300x163.png" width="300" height="163" /></a></p>
<p>To launch WELT, simply execute Windows Error Lookup Tool.exe from the folder where you extracted welt.zip to. Enter the error code in the textbox and the error details will appear automatically.</p>
<h2>5. PowerShell Troubleshooting Packs</h2>
<p>As I mentioned in my article entitled <a href="http://www.gfi.com/blog/windows-powershell-essential-admin-scripts-part-1/">Windows PowerShell™: Essential Admin Scripts (Part 1)</a>, the PowerShell Troubleshooting Packs (bundled with Windows 7/2008 and above) can be really handy when troubleshooting system issues. They are a collection of PowerShell scripts that you can use to diagnose different aspects of your servers, clients or network. Different packages are available to troubleshoot printers, networks, performance, power, Windows Update, etc.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/TroubleshootingPacks.png"><img class="aligncenter size-medium wp-image-10739" alt="TroubleshootingPacks" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/TroubleshootingPacks-300x137.png" width="300" height="137" /></a></p>
<p>To run a PowerShell Troubleshooting Pack, open a PowerShell command prompt and import the modules associated with the pack by running the “Import-Module TroubleshootingPack” command. Then, run the following command to start the desired Troubleshooting Pack:</p>
<p><code>Get-TroubleshootingPack &lt;TroubleshootingPackLocation&gt; | Invoke-TroubleshootingPack</code></p>
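<p>As an added example (not from the original post), the following PowerShell session lists the built-in packs and runs one of them unattended so the report can be kept for a support case. It assumes the packs live under <code>$env:SystemRoot\diagnostics\system</code> (their default location) and that a <code>Networking</code> pack exists there; the result folder name is made up for the example.</p>

```powershell
# Added example, not part of the original post. Assumes the built-in packs
# are under $env:SystemRoot\diagnostics\system, which is their default home
# on Windows 7 / Server 2008 R2 and later.
Import-Module TroubleshootingPack

$packRoot = Join-Path $env:SystemRoot 'diagnostics\system'

# Every sub-folder is one Troubleshooting Pack; load each so we can read
# its metadata instead of guessing from the folder name.
$packs = Get-ChildItem -Path $packRoot -Directory | ForEach-Object {
    Get-TroubleshootingPack -Path $_.FullName
}
$packs | Format-List Id, Description

# Run the Networking pack without interactive prompts (-Unattended) and
# write its report to a timestamped folder (-Result) for later review.
# The folder name is an arbitrary choice for this example.
$resultDir = Join-Path $env:TEMP ('TSP-Networking-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
$pack = Get-TroubleshootingPack -Path (Join-Path $packRoot 'Networking')
Invoke-TroubleshootingPack -Pack $pack -Unattended -Result $resultDir

# The result folder holds the XML reports (for example ResultReport.xml),
# which are what you attach to a vendor case instead of screenshots.
Get-ChildItem -Path $resultDir
```

<p>Drop <code>-Unattended</code> if you want the pack to ask its usual questions interactively, or pass <code>-AnswerFile</code> to supply pre-recorded answers.</p>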
<h2>6. <a href="http://www.pxserver.com/WinAudit.htm">WinAudit</a></h2>
<p>As part of the troubleshooting process, it is helpful to know as much information as you can about the machine where the problem resides to assist in finding a solution more quickly. WinAudit scans your computer and gathers a whole raft of information about Installed Software, TCP/IP settings, Drives, Error Logs, etc.</p>
<p><b>Note:</b> At the time of writing, the download link available from the developer’s website was broken. You can download the latest version of this software from a popular application download site like CNET.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/WinAudit.png"><img class="aligncenter size-medium wp-image-10740" alt="WinAudit" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/WinAudit-300x174.png" width="300" height="174" /></a></p>
<p>To start an audit of your local machine, simply execute WinAudit.exe to start the application and then click the “Audit” icon in the top left hand corner.  Once the audit is complete, you can start to review the information from the different categories in the left hand pane, or save the information as a PDF / CSV / TXT / HTML file.</p>
<h2>7. <a href="http://www.joeware.net/freetools/index.htm">Joeware Utilities</a></h2>
<p>Joeware Utilities are a collection of free troubleshooting and system information utilities aimed at making the life of an administrator easier. These tools are built by a system administrator from his own experience of not finding a tool out there that did the job he needed for whatever he was trying to solve. The tools available range from tools that dump user information from Active Directory, to tools that modify a user account’s expiration flag or perform TCP/IP port connection testing.</p>
<p><b>Note:</b> Unfortunately Joeware Utilities do not come as a bundled package and will have to be downloaded individually from the website. However, using a small add-on for the NirLauncher application mentioned below, you can download and categorize the tools ready to be launched from the NirLauncher application itself.</p>
<p>Some of the tools available from Joeware Utilities include:</p>
<p><b><i>SidToName</i></b></p>
<p>SidToName is a command line tool that resolves SIDs (Security Identifiers) to friendly display names. You provide it with a valid SID and it returns the object name associated with that SID.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/SidToName.png"><img class="aligncenter size-medium wp-image-10741" alt="SidToName" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/SidToName-300x148.png" width="300" height="148" /></a></p>
<p><b><i>AccExp</i></b></p>
<p>AccExp is a command line tool that you can use to modify or read the expiration date of local user accounts.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/AccExp.png"><img class="aligncenter size-medium wp-image-10742" alt="AccExp" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/AccExp-300x148.png" width="300" height="148" /></a></p>
<h2>8. <a href="http://launcher.nirsoft.net/download.html">Nirsoft NirLauncher</a></h2>
<p>NirLauncher is an application that bundles more than 170 portable freeware utilities. The tools available include password recovery tools, Internet tools, programming tools, and system tools – all of which can be used for troubleshooting and information gathering.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/NirLauncher.png"><img class="aligncenter size-medium wp-image-10743" alt="NirLauncher" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/NirLauncher-300x229.png" width="300" height="229" /></a></p>
<p>Some of the most popular tools bundled with NirSoft NirLauncher include:</p>
<p><b><i>USBDeview</i></b></p>
<p>USBDeview is a small application that lists all current and previously connected USB devices on a local or remote machine. USB device information includes device name/description, device type, serial number, the date/time that the device was added or last used, VendorID, etc.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/USBDeview.png"><img class="aligncenter size-medium wp-image-10744" alt="USBDeview" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/USBDeview-300x135.png" width="300" height="135" /></a></p>
<p><b><i>CurrPorts</i></b></p>
<p>CurrPorts displays a list of all currently open TCP/UDP ports on the local machine. Information about which process opened the port, the time the process was created and the user that created it is displayed. Using CurrPorts you can also close open connections and export the information to a file.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/CurrPorts.png"><img class="aligncenter size-medium wp-image-10745" alt="CurrPorts" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/CurrPorts-300x200.png" width="300" height="200" /></a></p>
<p><b><i>LastActivityView</i></b></p>
<p>Using LastActivityView you can see what actions were taken by a user and what events occurred on the machine. Any activities such as running an executable file, opening a file/folder from Explorer or performing a software installation will be logged. The information can be exported to a CSV / XML / HTML file.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/LastActivityView.png"><img class="aligncenter size-medium wp-image-10746" alt="LastActivityView" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/LastActivityView-300x257.png" width="300" height="257" /></a></p>
<h2>9. <a href="http://technet.microsoft.com/en-gb/sysinternals/bb842062.aspx">Microsoft SysInternals Suite</a></h2>
<p>Microsoft SysInternals Suite is a collection of over 60 lightweight troubleshooting tools all bundled into a single download package. Whatever issue you’re trying to tackle, you are sure to find a tool in this package to help you manage, troubleshoot and diagnose your systems and applications.</p>
<p>Some of the most popular tools bundled in the SysInternals Suite include:</p>
<p><b><i>Autoruns</i></b></p>
<p>Autoruns allows you to view which programs and services are configured to run at system boot up or login, in the order in which Windows processes them.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/Autoruns.png"><img class="aligncenter size-medium wp-image-10747" alt="Autoruns" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/Autoruns-300x213.png" width="300" height="213" /></a></p>
<p><b><i>Process Monitor</i></b></p>
<p>Using Process Monitor you can troubleshoot application and system related issues by monitoring activity related to processes, threads, DLLs, the registry and file system in real-time.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/ProcessMonitor.png"><img class="aligncenter size-medium wp-image-10748" alt="ProcessMonitor" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/ProcessMonitor-300x214.png" width="300" height="214" /></a></p>
<p><b><i>AccessEnum</i></b></p>
<p>Using AccessEnum you can quickly view permissions of file system directories or registry keys and then save the results to a text file and compare results with a previously saved log.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/AccessEnum.png"><img class="aligncenter size-medium wp-image-10749" alt="AccessEnum" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/AccessEnum-300x154.png" width="300" height="154" /></a></p>
<h2>10. <a href="http://www.kls-soft.com/wscc/downloads.php">WSCC (Windows System Control Center)</a></h2>
<p>WSCC is not a troubleshooting tool per se, but it does facilitate issue troubleshooting by acting as an inventory for various system troubleshooting tool suites (such as those from Microsoft SysInternals and NirSoft). It allows you to install, update, execute and categorize the entire collection of tools in a single location.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/WSCC.png"><img class="aligncenter size-medium wp-image-10750" alt="WSCC" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/WSCC-300x294.png" width="300" height="294" /></a></p>
<p>When you launch WSCC for the first time, you are given the option to download and install the latest versions of the entire set of over 270 tools. If you choose not to install them locally, WSCC will download each application when you first click on it and store the file in a temp folder within the WSCC directory. To launch a troubleshooting tool, choose a tool from the category within the navigation pane on the left hand side. You can also add favourite tools to the Favourites folder or search for a utility by name.</p>
<p>Are there any free tools not on this list that you’ve found useful and would like to share with the community?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/top-10-free-system-troubleshooting-tools-for-sysadmins/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>26 Ways to Say &#8216;Happy SysAdmin Day!&#8217;</title>
		<link>http://www.gfi.com/blog/26-ways-to-say-happy-sysadmin-day/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=26-ways-to-say-happy-sysadmin-day</link>
		<comments>http://www.gfi.com/blog/26-ways-to-say-happy-sysadmin-day/#comments</comments>
		<pubDate>Thu, 25 Jul 2013 12:37:53 +0000</pubDate>
		<dc:creator>Christina Goggi</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[TTTM]]></category>
		<category><![CDATA[July 26]]></category>
		<category><![CDATA[Sys admin]]></category>
		<category><![CDATA[sys admin gift]]></category>
		<category><![CDATA[SysAdmin Day]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=10725</guid>
		<description><![CDATA[Around the world and across the Internet, July 26 is known as SysAdmin Day. For 14 years, the last Friday in July has been set aside as a way for users to show a little appreciation for the SysAdmins that &#8230;]]></description>
				<content:encoded><![CDATA[<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/FBSysAdminWeekday4.jpg"><img class=" wp-image-10726 alignright" style="border: 0px solid black; margin: 10px;" alt="FBSysAdminWeekday4" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/FBSysAdminWeekday4-300x300.jpg" width="240" height="240" /></a>Around the world and across the Internet, July 26 is known as SysAdmin Day. For 14 years, the last Friday in July has been set aside as a way for users to show a little appreciation for the SysAdmins that keep their systems running, their email free of spam, and their ability to Like comments intact. Consider that your own SysAdmins deserve a little show of appreciation.</p>
<p>To say “thank you”, here’s a list of 26 simple ways you can show your appreciation for those unsung heroes that toil away to keep the servers humming and the tubes unclogged. Some of these are low cost gestures; others might be something the boss should cover or the office should take up a collection, but all are guaranteed to put a smile on the face of that favourite SysAdmin of yours, on the one day a year where you know better than to drop a broken machine off or open a last minute helpdesk ticket.<span id="more-10725"></span></p>
<h2>1.      A card</h2>
<p>When you care enough to send the very best, but you don’t have a lot of money to invest, a nice card at least shows some thought. Just make sure it is a card themed around IT, general geekiness, or otherwise shows that you didn’t pull one out of a card drawer because you forgot about it.</p>
<h2>2.      Coffee shop gift cards</h2>
<p>Whether your SysAdmin’s favourite brew comes from Starbucks or the local shop down the street, a gift card is the gift that keeps on giving, or at least for a couple of cups of really good Joe.</p>
<h2>3.      Mobile store gift cards</h2>
<p>If coffee isn’t their thing, you can bet a gift card to the iTunes Store, Google Marketplace, or Windows Store will be appreciated. Find out what kind of phone they have and get the card for the right shop, and you can bet that by the end of the day they will have a couple of new apps to try out.</p>
<h2>4.      Amazon gift cards</h2>
<p>While this may be the fallback of last resort, even people ten years in the grave can find <i>something</i> at Amazon that they want.</p>
<h2>5.      Lunch</h2>
<p>You’d be amazed at how far a nice lunch can go towards saying thank you, especially since that SysAdmin usually eats lunch at their desk because there is so much work to do. Whether it’s a one on one affair, or you make it a team event, just providing them the opportunity and excuse to see the sun at least for one day a year is a great gesture to make.</p>
<h2>6.      Dinner</h2>
<p>Better still, buy your SysAdmin dinner, by getting him or her a gift card at a nice restaurant so they can take their significant other out for a nice meal. Remember, every time you call your SysAdmin after hours to fix something, you are impacting their family too. <i>Thank You</i>s should extend to them as well.</p>
<h2>7.      A red Swingline stapler</h2>
<p>The icon of geek and snarkiness, the <a href="http://www.thinkgeek.com/product/61b7/?srp=6">Red Swingline Stapler</a> is something every SysAdmin will love.</p>
<h2>8.      TV Show or movie-themed swag</h2>
<p>With a simple conversation, you can quickly find out what your SysAdmin’s favourite sci-fi TV show or movie is, and then a quick visit to ThinkGeek will provide you with tons of options for low cost, but very cool, thank you gifts. Very few adults will ever buy themselves a Sonic Screwdriver, but secretly, we <i>all</i> want one!</p>
<h2>9.      Poster</h2>
<p>Use the same recon skills as above, but this time visit Amazon for cool movie posters or other theme art so your SysAdmin can pimp their cube in style.</p>
<h2>10. A Pizza party</h2>
<p>Here’s one the whole office can enjoy, and EVERYONE loves pizza. And since SysAdmin’s day is on a Friday, it’s a perfect fit for the day.</p>
<h2>11. Light Dims LED Light Blocker</h2>
<p>These cool little stickers dim otherwise overly bright lights, and can be applied to TVs, monitors, UPS systems, alarm clocks, or any other status light that needs to be seen, but is just a bit too blinding for most. Check them out at: <a href="http://www.thinkgeek.com/product/eeb6/?srp=1">http://www.thinkgeek.com/product/eeb6/?srp=1</a></p>
<h2>12. Hacking putty</h2>
<p>Part silly putty, part play-dough, part caulk, and completely awesome &#8211; <a href="http://www.thinkgeek.com/product/e976/?pfm=Search&amp;t=hacking%20putty">Hacking Putty</a> can be used to fix or enhance almost anything.</p>
<h2>13. Star Trek TOS Phaser Laser Pointer</h2>
<p>Anyone who needs to demonstrate or point out anything needs a laser pointer, and every SysAdmin has pretended that they had a phaser when they were using one. Here’s a gift that says thank you with a nod to having fun: http://www.thinkgeek.com/product/1124/?srp=2</p>
<h2>14. Zombies are in</h2>
<p>Did you know that Zombies are “in” right now? Anything from the Walking Dead to World War Z to remakes of George Romero movies are selling like mad right now, and thank you gifts that play into this will bring a smile and a chuckle to any SysAdmin’s face.</p>
<h2>15. Powerstrip with USB</h2>
<p>Every single person that sees one of these in action wants one. Get on your SysAdmin’s special list with this as a thank you: http://www.amazon.com/Outlets-To-Power-Strip-USB/dp/B0018MEBNG/ref=sr_1_4?ie=UTF8&amp;qid=1374538925&amp;sr=8-4&amp;keywords=power+strip+usb</p>
<h2>16. Bawls</h2>
<p>Long hours mean a need for caffeine and sometimes coffee just won’t cut it. A case of <a href="http://www.amazon.com/Bawls-Guarana-Case-24-Bottles/dp/B001KJK2PI/ref=sr_1_cc_2?s=aps&amp;ie=UTF8&amp;qid=1374538955&amp;sr=1-2-catcorr&amp;keywords=bawls">Bawls</a> is a delicious and refreshing way to hold off sleepiness during those late night changes.</p>
<h2>17. Caffeinated mints</h2>
<p>And these can not only fight off fatigue, but bad breath as well. It’s a multitasker, and any SysAdmin will appreciate that!</p>
<h2>18. Herbal Tea collection</h2>
<p>Of course, too much caffeine can be a bad thing. Many SysAdmins have discovered the benefits and the deliciousness of a good cuppa, and herbal teas can help you relax without hyping you up. Show your SysAdmin you care without feeding their addiction.</p>
<h2>19. Emergency battery</h2>
<p>Everyone needs more power, and when your cell phone is dying, nothing is more helpful than some emergency power. USB batteries come in a variety of sizes and capacities, and can save the day time and again.</p>
<h2>20. A really cool coffee mug</h2>
<p>Can you tell coffee is a big deal to SysAdmins? A cool coffee mug makes a statement, and can also handle those herbal teas. Look for one that plays to the TV or movie tie-in for bonus points.</p>
<h2>21. Anything by Neal Stephenson</h2>
<p>A SysAdmin’s folk hero, anything that Neal Stephenson was involved in creating will be a greatly appreciated gesture, and you will go up at least five points in the recipient’s opinion.</p>
<h2>22. Like/Dislike stamp set</h2>
<p>Even SysAdmins who aren’t on Facebook will love these. I bet they will even use them on their TPS reports: http://www.thinkgeek.com/product/e5f5/</p>
<h2>23. Cable organizers set</h2>
<p>Velcro is so over. The new hotness is cable organization using silicone polymers and oddly-shaped, brightly colored widgets to keep cables in place, bound together, or otherwise organized.</p>
<h2>24. Paracord survival bracelet</h2>
<p>Everyone wants one… but many people think they will look silly if they buy one for themselves. Help your SysAdmin get past that mental block. If disaster ever strikes, you know they will know how to MacGyver something out of the bracelet to save you all – or at least, your email.</p>
<h2>25. Beer</h2>
<p>Free speech, free beer, it’s all good. Find out their favorite and get them a case. It’s the kind of gift that says…you work your #$(&amp; off, thanks, now have a cold one!</p>
<h2>26. Programmable LED light</h2>
<p>The last on our list has no practical value, which is one reason no SysAdmin will ever buy it for themselves… but they are so cool! Replacing their desk lamp with this bulb will add new factors to coolness, and help them stay awake during those interminable conference calls: <a href="http://www.amazon.com/HitLights-BlueLux-Changing-Quality-Feature/dp/B005SHR2C4/ref=cm_cr_dp_asin_lnk">http://www.amazon.com/HitLights-BlueLux-Changing-Quality-Feature/dp/B005SHR2C4/ref=cm_cr_dp_asin_lnk</a></p>
<p>Twenty-six ways to say thank you to a SysAdmin that toils indefatigably for you 24/7/365. It’s one day a year that you get to really show your gratitude to them, so pick one from the list above, and remember your SysAdmin this Friday!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/26-ways-to-say-happy-sysadmin-day/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>The Top 20 Free File Management Tools for Sys Admins</title>
		<link>http://www.gfi.com/blog/the-top-20-free-file-management-tools-for-sys-admins/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=the-top-20-free-file-management-tools-for-sys-admins</link>
		<comments>http://www.gfi.com/blog/the-top-20-free-file-management-tools-for-sys-admins/#comments</comments>
		<pubDate>Wed, 24 Jul 2013 14:45:33 +0000</pubDate>
		<dc:creator>Andrew Zammit Tabona</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[TTTM]]></category>
		<category><![CDATA[7-Zip]]></category>
		<category><![CDATA[Advanced Remaner Portable]]></category>
		<category><![CDATA[archiving]]></category>
		<category><![CDATA[AxCrypt]]></category>
		<category><![CDATA[Better Explorer]]></category>
		<category><![CDATA[Bulk Rename Utility]]></category>
		<category><![CDATA[copying]]></category>
		<category><![CDATA[de-duplication]]></category>
		<category><![CDATA[Duplicate Cleaner]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[ExamDiff]]></category>
		<category><![CDATA[file comparison]]></category>
		<category><![CDATA[File Management Tools]]></category>
		<category><![CDATA[File Splitter]]></category>
		<category><![CDATA[Free Opener]]></category>
		<category><![CDATA[FreeFileSync]]></category>
		<category><![CDATA[Hash Tool]]></category>
		<category><![CDATA[Locate32]]></category>
		<category><![CDATA[merging]]></category>
		<category><![CDATA[My Lockbox]]></category>
		<category><![CDATA[PeaZip]]></category>
		<category><![CDATA[renaming]]></category>
		<category><![CDATA[search]]></category>
		<category><![CDATA[SearchMyFiles]]></category>
		<category><![CDATA[Steganos LockNote]]></category>
		<category><![CDATA[syncing]]></category>
		<category><![CDATA[SyncToy]]></category>
		<category><![CDATA[Sys Admins]]></category>
		<category><![CDATA[TeraCopy]]></category>
		<category><![CDATA[Universal Extractor]]></category>
		<category><![CDATA[WinMerge]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=10701</guid>
		<description><![CDATA[Following yesterday’s post, we have compiled another list of free tools for sys admins. Today’s list presents 20 of the best free tools for file comparison, archiving, encryption, renaming, de-duplication, merging, copying, syncing and search. Even if you may have &#8230;]]></description>
				<content:encoded><![CDATA[<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/FBSysAdminWeekday3a.jpg"><img class=" wp-image-10723 alignright" style="border: 0px solid black; margin: 10px;" alt="FBSysAdminWeekday3a" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/FBSysAdminWeekday3a-300x300.jpg" width="180" height="180" /></a>Following <a href="http://www.gfi.com/blog/the-top-20-free-network-monitoring-and-analysis-tools-for-sys-admins/">yesterday’s post</a>, we have compiled another list of free tools for sys admins. Today’s list presents 20 of the best free tools for file comparison, archiving, encryption, renaming, de-duplication, merging, copying, syncing and search. Even if you have heard of some of these tools before, we’re confident that you’ll find a gem or two amongst this list – and if you know of any others, leave us a comment below!<span id="more-10701"></span></p>
<p><b>1. <a href="http://codesector.com/teracopy">TeraCopy</a></b></p>
<p>TeraCopy acts as an alternative to the built-in copy and move process in Windows. It is designed to copy and move files either locally or over the network at a faster rate. It allows you to pause and resume file transfer activities, it integrates into the Windows shell and has an automatic error recovery mechanism in case something goes wrong during the transfer process.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/TeraCopy.png"><img class="aligncenter size-medium wp-image-10702" alt="TeraCopy" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/TeraCopy-300x185.png" width="300" height="185" /></a></p>
<p>Once you’ve installed TeraCopy, you can launch the application from the Start Menu or by right clicking on a file or folder and selecting “TeraCopy…” from the context menu. When you’ve selected which files to transfer and where to transfer them to, you can then select which action to take after the process is complete (e.g. shutdown machine or close window). Finally, you kick the process off by clicking the “Copy” or “Move” buttons. TeraCopy keeps a log of all actions taken in the drop down box at the bottom of the window.</p>
<p><b>2. <a href="http://www.steganos.com/us/products/for-free/locknote/overview/">Steganos LockNote</a></b></p>
<p>Steganos LockNote allows you to securely store confidential notes such as license keys, passwords, phone numbers, etc. It uses AES-256 encryption to store your text in a self-executable container that requires a password to open it.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/LockNote.png"><img class="aligncenter size-medium wp-image-10703" alt="LockNote" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/LockNote-300x209.png" width="300" height="209" /></a></p>
<p>Steganos LockNote comes as a standalone application which does not require installation. When you launch LockNote.exe you are presented with a text editor similar to notepad.exe. Type whatever text you wish to be kept secret and go to File &gt; Save As… to save the note as an encrypted container. You will be prompted for a password and the resulting output file will be in *.exe format.</p>
<p><b>3. <a href="http://www.digitalvolcano.co.uk/duplicatecleaner.html">Duplicate Cleaner</a></b></p>
<p>Duplicate Cleaner is a file de-duplication tool that removes redundant copies of files from a specified hard drive or network location. It works by generating an MD5 hash of each file and then comparing hashes for duplicates. It also gives you the option to search for files using a byte-to-byte comparison. Once the duplicate files have been found, you can choose to delete them or move them to an archive location.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/DuplicateCleaner.png"><img class="aligncenter size-medium wp-image-10704" alt="DuplicateCleaner" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/DuplicateCleaner-300x169.png" width="300" height="169" /></a></p>
<p>When you launch Duplicate Cleaner, you first specify the search criteria from the first available tab, then you tell it where to look from the “Scan Location” tab before hitting “Scan Now”. A summary window will appear showing how many files were scanned and how many duplicates were found. The “Duplicate Files” tab highlights which files need attention.</p>
<p><b>4. <a href="http://www.bulkrenameutility.co.uk/">Bulk Rename Utility</a></b></p>
<p>Bulk Rename Utility is a lightweight yet powerful application for renaming files and folders using an extensive array of criteria. Using this tool you can remove, add or change text and numbers within the file name, add date/time stamps, change case, modify file and folder attributes and preview what the changes will look like before you go ahead with them. The Bulk Rename Utility also supports regular expressions for additional flexibility.</p>
<p><b>Note: </b>The Bulk Rename Utility comes in a command line version too. Using the command line version of the utility you can create scheduled jobs to perform a repetitive action at a specified time (e.g. rename a set of log files or backup files every day at midnight).</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/BulkRenameUtility.png"><img class="aligncenter size-medium wp-image-10705" alt="BulkRenameUtility" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/BulkRenameUtility-300x198.png" width="300" height="198" /></a></p>
<p>When you launch the Bulk Rename Utility you are presented with the navigation pane on the left hand side, the preview pane on the right hand side and a multitude of rename options at the bottom. Start by navigating to a folder that contains the files you wish to rename from the navigation pane or find the folder in Windows Explorer, right click on it and choose “Bulk Rename Here”.</p>
<p><b>5. <a href="http://www.freeopener.com/">Free Opener</a></b></p>
<p>Free Opener allows you to open over 80 different file formats from a single interface. Even if you don’t have the native application installed, you can quickly fire up Free Opener to open that file format. Free Opener supports Microsoft Office files, Archive files, Image files, Code files, Video files and Audio files, amongst others. Essentially it is just like having a Document Viewer, Image Viewer, Media Player and Archive Viewer all rolled into one!</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/FreeOpener.png"><img class="aligncenter size-medium wp-image-10706" alt="FreeOpener" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/FreeOpener-300x237.png" width="300" height="237" /></a></p>
<p>When you launch Free Opener, the first thing you should do is go to File &gt; File Associations to enable which file types you want to be associated with the Free Opener application. This will mean that any file that you double click to open will be opened automatically in Free Opener (if the file type is supported). Alternatively, click on the “Open” icon or go to File &gt; Open to choose a file to open in Free Opener. When you open a file, at the bottom of the window a menu bar will appear containing some edit options (which change depending on the file type you have opened).</p>
<p><b>6. <a href="http://sourceforge.net/projects/freefilesync/">FreeFileSync</a></b></p>
<p>FreeFileSync is a folder comparison and synchronization tool designed with usability and performance in mind. FreeFileSync allows you to save the configuration as a “.batch” file which you can then use to schedule a task for automatic folder synchronization.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/FreeFileSync1.png"><img class="aligncenter size-medium wp-image-10708" alt="FreeFileSync" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/FreeFileSync1-300x202.png" width="300" height="202" /></a></p>
<p>When you launch FreeFileSync, add a path to the left and right hand side of the window and hit the “Compare” button to compare both locations side-by-side. FreeFileSync will use a series of icons to highlight what’s different between both folders. You can then hit the “Synchronize” button to sync both folders. Go to Program &gt; Save as batch job… to save the configuration as a batch job for use later when scheduling a task.</p>
<p><b>7. <a href="http://peazip.sourceforge.net/">PeaZip</a></b></p>
<p>PeaZip is a cross-platform file and archive manager that supports volume spanning, high levels of compression and encryption, and a wide range of archiving formats. Using PeaZip you can create archive formats such as 7Z, ARC, BZ2, GZ, PAQ, PEA, QUAD/BALZ, TAR, UPX, WIM, XZ, and ZIP, and extract over 150 archive formats, including ACE, CAB, ISO, RAR, UDF, ZIPX and many more. PeaZip features include creating, converting and extracting multiple archives at once, creating self-extracting archives, secure data deletion, checksum creation and hashing.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/PeaZip.png"><img class="aligncenter size-medium wp-image-10709" alt="PeaZip" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/PeaZip-300x191.png" width="300" height="191" /></a></p>
<p>Once PeaZip is installed, you can either open or create an archive using the “Open as archive” or “Add to archive” context menu options respectively, or launch the application and take the required action from there. Once in the PeaZip UI, simply navigate to the required file or folder from the left hand pane and then click one of the icons in the top menu to take an action.</p>
<p><b>8. <a href="http://sourceforge.net/projects/winmerge/?source=directory">WinMerge</a></b></p>
<p>WinMerge is a file comparison and merging tool that visually displays the differences side-by-side. This tool is useful for helping to determine what has changed between two file versions and then merging those changes. WinMerge supports Unicode and regular expressions and includes Visual SourceSafe and Windows Shell integration.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/WinMerge.png"><img class="aligncenter size-medium wp-image-10710" alt="WinMerge" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/WinMerge-300x182.png" width="300" height="182" /></a></p>
<p>When you launch WinMerge and choose to open files to compare, you are asked to select a file for the left hand side and a file for the right hand side. Differences between these files are shown in the Location Pane and highlighted throughout both documents.</p>
<p><b>9. <a href="http://www.nirsoft.net/utils/search_my_files.html">SearchMyFiles</a></b></p>
<p>SearchMyFiles aims to be an alternative to the Windows &#8220;Search For Files And Folders&#8221; process, allowing more flexible and accurate searches to be performed. You can search using wildcards, last modified/created/accessed time, file attributes, file content (text or binary search) and by file size. Search results can be saved as a text, html, csv or xml file. SearchMyFiles comes as a standalone portable application that doesn&#8217;t require installation &#8211; it can therefore be run straight off a USB drive.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/SearchMyFiles.png"><img class="aligncenter size-medium wp-image-10711" alt="SearchMyFiles" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/SearchMyFiles-300x215.png" width="300" height="215" /></a></p>
<p>Executing the SearchMyFiles.exe application brings up the Search Options window which allows you to specify where to search and the search criteria to use to bring back results. Simply choose the desired options and hit “Start Search” to have the application perform the search operation.</p>
<p><b>10. <a href="http://sourceforge.net/projects/axcrypt/">AxCrypt</a></b></p>
<p>AxCrypt is a file-level encryption tool that integrates with the Windows shell and allows you to right-click on a file to encrypt or decrypt it using AES-256 encryption. AxCrypt also offers the ability to create a self-extracting archive to securely transfer files to another location (with AxCrypt not being required for decryption on the other end).</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/AxCrypt.png"><img class="aligncenter size-medium wp-image-10712" alt="AxCrypt" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/AxCrypt-288x300.png" width="288" height="300" /></a></p>
<p>Once installed, everything happens from the context menu when you right click on a file. You are given the option to Encrypt or Decrypt the file, manage passphrases or permanently delete the file.</p>
<p><b>11. <a href="http://www.filesplitter.org/">File Splitter</a></b></p>
<p>File Splitter does what it says in the name. It is a super lightweight standalone application that splits files into multiple chunks and merges chunks back into a whole file.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/Splitter.png"><img class="aligncenter size-medium wp-image-10713" alt="Splitter" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/Splitter-300x224.png" width="300" height="224" /></a></p>
<p>When you launch File Splitter, use the “Split file” tab to specify the source file to split and the destination of the file chunks as well as the size of each chunk. Similarly, use the “Join files” tab to specify the chunks to merge into a whole file again and the destination where you want the joined file to be placed.</p>
<p><b>12. <a href="http://www.digitalvolcano.co.uk/hash.html">Hash Tool</a></b></p>
<p>Hash Tool allows you to quickly and easily calculate the hash of multiple files to verify file integrity. The tool supports Unicode file names and MD5, SHA-1, SHA-256, SHA-384, SHA-512, CRC32 hash types.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/HashTool.png"><img class="aligncenter size-medium wp-image-10714" alt="HashTool" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/HashTool-300x202.png" width="300" height="202" /></a></p>
<p>Start by selecting the hash type from the drop down list and then selecting the files to hash from the “Select File(s)” button. Alternatively, drag and drop the files into the “Results” window for the hash to be automatically calculated. You can then save the results to a txt or csv file or copy them to the clipboard.</p>
<p><b>13. <a href="http://www.prestosoft.com/edp_examdiff.asp#download">ExamDiff</a></b></p>
<p>Similar to the functionality offered in WinMerge, ExamDiff offers a visual side-by-side comparison of two files, highlighting the differences in different colours and giving you the option to navigate through the changes in a number of ways (e.g. using a drop down list). ExamDiff also comes with command line options allowing you to create a batch file to automate the process.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/ExamDiff.png"><img class="aligncenter size-medium wp-image-10715" alt="ExamDiff" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/ExamDiff-300x172.png" width="300" height="172" /></a></p>
<p>When you launch ExamDiff, you are presented with a dialog box asking you to specify the location of the two files to compare. Once you do this and hit “OK”, the application opens displaying a side-by-side comparison of the files and highlighting lines that have been added, deleted or changed in different colours.</p>
<p><b>14. <a href="http://www.7-zip.org/">7-Zip</a></b></p>
<p>7-Zip is a powerful file archiving utility with a high compression ratio that supports a multitude of compression formats, including 7z, GZIP, TAR, ZIP, CAB, MSI, etc. Features include the ability to create self-extracting archives, adjust the compression level and add password protection. 7-Zip&#8217;s power lies in its compression ratio; it claims to provide a ZIP format compression ratio that is 2-10% better than its competitors and a 7z format compression ratio that is 30-70% better than ZIP format.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/7-Zip.png"><img class="aligncenter size-medium wp-image-10716" alt="7-Zip" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/7-Zip-300x233.png" width="300" height="233" /></a></p>
<p>When you launch the application, navigate to the folder containing the files you wish to archive and hit the “Add” button to create an archive. Alternatively, you can create an archive directly from the context menu by right clicking on a file or folder.</p>
<p><b>15. <a href="http://www.microsoft.com/downloads/en/details.aspx?FamilyID=c26efa36-98e0-4ee9-a7c5-98d0592d8c52">Microsoft SyncToy</a></b></p>
<p>SyncToy is an application that can be used as a mini backup utility to synchronize files and folders between two locations. SyncToy allows you to ‘Synchronize’ FolderA with FolderB where the changes are replicated on both ends, ‘Echo’ FolderA to FolderB where the changes in FolderA are replicated to FolderB, and ‘Contribute’ FolderA to FolderB where the changes in FolderA (except deletions) are replicated to FolderB.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/SyncToy.png"><img class="aligncenter size-medium wp-image-10717" alt="SyncToy" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/SyncToy-300x244.png" width="300" height="244" /></a></p>
<p>When you launch SyncToy, the first thing you need to do is create a New Folder Pair, specifying the left and right folders you wish to synchronize. You can then choose the Synchronization action (i.e. Synchronize, Echo, and Contribute) and which options you wish to use before running the synchronization session.</p>
<p><b>16. <a href="http://fspro.net/my-lockbox/">My LockBox</a></b></p>
<p>My Lockbox is an easy to use application that allows you to hide, lock and password protect a Windows folder on a FAT, FAT32 or NTFS volume so that it&#8217;s only accessible to you.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/MyLockbox.png"><img class="aligncenter size-medium wp-image-10718" alt="MyLockbox" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/MyLockbox-300x149.png" width="300" height="149" /></a></p>
<p>When you launch My Lockbox and choose which folder to protect, it automatically disappears from view within Windows Explorer or from the command line. The only way to access the folder is to launch My Lockbox, enter the password and Unlock the folder.</p>
<p><b>17. <a href="http://www.advancedrenamer.com/download">Advanced Renamer Portable</a></b></p>
<p>Advanced Renamer Portable is a standalone, lightweight and easy to use application that can be used to quickly add, remove, replace, or append file or folder names in bulk.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/AdvancedRenamerPortable.png"><img class="aligncenter size-medium wp-image-10719" alt="AdvancedRenamerPortable" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/AdvancedRenamerPortable-300x214.png" width="300" height="214" /></a></p>
<p>Select the “Rename Files” or “Rename Folders” tab to rename files or folders respectively. Add files or folders to the list and create a new method from the left hand pane – here you create the renaming rules you want to apply to the list of files or folders. When you’re ready, hit “START BATCH” to initiate the process.</p>
<p><b>18. <a href="http://locate32.cogit.net/">Locate32</a></b></p>
<p>Locate32 is a search utility that finds files or folders based on their names. Locate32 works by indexing file and folder names in a database and then using the database to quickly return results. Locate32 comes packaged with a command line version that can be used to update and access the databases without any user interaction.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/Locate32.png"><img class="aligncenter size-medium wp-image-10720" alt="Locate32" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/Locate32-300x202.png" width="300" height="202" /></a></p>
<p>When you first launch Locate32, go Tools &gt; Settings &gt; Databases tab to set up your databases. Databases are essentially index locations – any files contained within a location specified in the database will be searchable more quickly. Once you’ve set your databases, use the “Name &amp; Location”, “Size and Date” and “Advanced” tabs to perform your search.</p>
<p><b>19. <a href="http://legroom.net/software/uniextract">Universal Extractor</a></b></p>
<p>Universal Extractor is designed to decompress and extract files from virtually any type of archive, regardless of source, file format or compression method. It supports anything from EXE format to ZIP, CAB, ACE, TAR.GZ, ISO, MSI, RAR, PEA and RPM format, amongst many others. It is handy because it saves you from needing different applications to open different archive formats.</p>
<p><b>Note:</b> Universal Extractor does not create archives; it is used only to extract data.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/UniversalExtractor.png"><img class="aligncenter size-medium wp-image-10721" alt="UniversalExtractor" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/UniversalExtractor-300x156.png" width="300" height="156" /></a></p>
<p>Once you open Universal Extractor, specify the location of the archive file and a destination folder where the contents will be extracted to. Press “OK” to start the extraction process. Once installed, Universal Extractor will also be available via the context menu, allowing you to easily right click on an archive and select “UnExtract”.</p>
<p><b>20. <a href="http://better-explorer.com/">Better Explorer</a></b></p>
<p>Better Explorer aims to be a replacement for Windows Explorer. It offers greater functionality and a streamlined UI with Ribbons (much like Microsoft Office) and Tabs. It includes the ability to manage favourites, conditional select, sizing charts (giving a visual representation of the size of a folder), in-built image editing tools, an enhanced search feature, and archive support.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/BetterExplorer.png"><img class="aligncenter size-medium wp-image-10722" alt="BetterExplorer" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/BetterExplorer-300x213.png" width="300" height="213" /></a></p>
<p><b>Note:</b> At the time of writing, this application is still in BETA. It is not recommended that this be installed on a production machine but rather that you use it in a testing environment or on a personal machine at home to try it out before the full version is launched. It made this list because of its potential; if the BETA is anything to go by, Better Explorer certainly looks like one to watch!</p>
<p>Are there any free tools not on this list that you’ve found useful and would like to share with the community? Then leave us a comment below and let us know!</p>
<p><strong><em>Like our posts? Subscribe to our <a href="http://feeds.feedburner.com/TalkTechToMe-All">RSS feed</a> or email feed (on the right hand side) now, and be the first to get them!</em></strong></p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/the-top-20-free-file-management-tools-for-sys-admins/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>The Top 20 Free Network Monitoring and Analysis Tools for Sys Admins</title>
		<link>http://www.gfi.com/blog/the-top-20-free-network-monitoring-and-analysis-tools-for-sys-admins/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=the-top-20-free-network-monitoring-and-analysis-tools-for-sys-admins</link>
		<comments>http://www.gfi.com/blog/the-top-20-free-network-monitoring-and-analysis-tools-for-sys-admins/#comments</comments>
		<pubDate>Tue, 23 Jul 2013 14:39:55 +0000</pubDate>
		<dc:creator>Andrew Zammit Tabona</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[TTTM]]></category>
		<category><![CDATA[Angry IP Scanner]]></category>
		<category><![CDATA[BandwidthD]]></category>
		<category><![CDATA[Capsa Free]]></category>
		<category><![CDATA[EasyNetMonitor]]></category>
		<category><![CDATA[Fiddler]]></category>
		<category><![CDATA[free tools]]></category>
		<category><![CDATA[Microsoft Network Monitor]]></category>
		<category><![CDATA[Nagios]]></category>
		<category><![CDATA[Network Analysis Tools]]></category>
		<category><![CDATA[network monitoring]]></category>
		<category><![CDATA[NetworkMiner]]></category>
		<category><![CDATA[NetXMS]]></category>
		<category><![CDATA[ntopng]]></category>
		<category><![CDATA[Pandora FMS]]></category>
		<category><![CDATA[PRTG Network Monitor Freeware]]></category>
		<category><![CDATA[Splunk]]></category>
		<category><![CDATA[SysAdmin]]></category>
		<category><![CDATA[The Dude]]></category>
		<category><![CDATA[Total Network Monitor]]></category>
		<category><![CDATA[Wireless Network Watcher]]></category>
		<category><![CDATA[WirelessNetView]]></category>
		<category><![CDATA[Xirrus Wi-Fi Inspector]]></category>
		<category><![CDATA[Xymon]]></category>
		<category><![CDATA[Zenoss Core]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=10677</guid>
		<description><![CDATA[We know how administrators love free tools that make their life easier and, to supplement the list provided on 101 Free Admin Tools, here are 20 of the best free tools for monitoring devices, services, ports or protocols and analysing &#8230;]]></description>
				<content:encoded><![CDATA[<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/FBSysAdminWeekday2-3.jpg"><img class="wp-image-10700 alignright" style="margin: 10px; border: 0px solid black;" alt="FBSysAdminWeekday2 (3)" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/FBSysAdminWeekday2-3-300x300.jpg" width="192" height="192" /></a>We know how administrators love free tools that make their life easier and, to supplement the list provided on <b><a href="http://www.gfi.com/blog/101-free-admin-tools/">101 Free Admin Tools</a>, </b>here are 20 of the best free tools for monitoring devices, services, ports or protocols and analysing traffic on your network. Even if you have heard of some of these tools before, we’re sure you’ll find a gem or two amongst this list – and if you know of any others, leave us a comment below!<span id="more-10677"></span></p>
<h2>1. <a href="http://www.microsoft.com/en-us/download/details.aspx?id=4865">Microsoft Network Monitor</a></h2>
<p>Microsoft Network Monitor is a packet analyser that allows you to capture, view and analyse network traffic. This tool is handy for troubleshooting network problems and applications on the network. Main features include support for over 300 public and Microsoft proprietary protocols, simultaneous capture sessions, a Wireless Monitor Mode and sniffing of promiscuous mode traffic, amongst others.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/MicrosoftNetworkMonitor.png"><img class="aligncenter size-medium wp-image-10678" alt="MicrosoftNetworkMonitor" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/MicrosoftNetworkMonitor-300x141.png" width="300" height="141" /></a></p>
<p>When you launch Microsoft Network Monitor, choose which adapter to bind to from the main window and then click “New Capture” to initiate a new capture tab. Within the Capture tab, click “Capture Settings” to change filter options, adapter options, or global settings accordingly and then hit “Start” to initiate the packet capture process.</p>
<h2>2. <a href="http://www.nagios.org/download">Nagios</a></h2>
<p>Nagios is a powerful network monitoring tool that helps you to ensure that your critical systems, applications and services are always up and running. It provides features such as alerting, event handling and reporting. The Nagios Core is the heart of the application that contains the core monitoring engine and a basic web UI. On top of the Nagios Core, you are able to implement plugins that will allow you to monitor services, applications, and metrics, a chosen frontend as well as add-ons for data visualisation, graphs, load distribution, and MySQL database support, amongst others.</p>
<p><b>Tip:</b> If you want to try out Nagios without needing to install and configure it from scratch, download Nagios XI and enable the free version. Nagios XI is the pre-configured enterprise class version built upon Nagios Core and is backed by a commercial company that offers support and additional features such as more plugins and advanced reporting.</p>
<p><b>Note:</b> The free version of Nagios XI is ideal for smaller environments and will monitor up to seven nodes.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/NagiosXI.png"><img class="aligncenter size-medium wp-image-10679" alt="NagiosXI" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/NagiosXI-300x274.png" width="300" height="274" /></a></p>
<p>Once you’ve installed and configured Nagios, launch the Web UI and begin to configure host groups and service groups. Once Nagios has had some time to monitor the status of the specified hosts and services, it can start to paint a picture of what the health of your systems looks like.</p>
<h2>3. <a href="http://sourceforge.net/projects/bandwidthd/">BandwidthD</a></h2>
<p>BandwidthD monitors TCP/IP network usage and displays the data it has gathered in the form of graphs and tables over different time periods. Each protocol (HTTP, UDP, ICMP, etc.) is color-coded for easier reading. BandwidthD runs discreetly as a background service.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/bandwidthD.png"><img class="aligncenter size-medium wp-image-10680" alt="bandwidthD" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/bandwidthD-300x280.png" width="300" height="280" /></a></p>
<p>Installation is easy. Download and install Winpcap version 3.0 or above (you’ll already have this installed if you have Wireshark on the same box), unzip BandwidthD to a specified folder, edit the ../etc/bandwidthd.conf file accordingly, double click on the &#8220;Install Service&#8221; batch file and then start the BandwidthD services from the services.msc console. Once the service is running, give it some time to monitor network traffic and load the index.html page to start viewing bandwidth statistics.</p>
<h2>4. <a href="http://nicekit.com/net-monitor/best-free-net-monitor.htm">EasyNetMonitor</a></h2>
<p>EasyNetMonitor is a super lightweight tool for monitoring local and remote hosts to determine if they are alive or not. It is useful for monitoring critical servers from your desktop, allowing you to get immediate notification (via a balloon popup and/or log file) if a host does not respond to a periodic ping.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/EasyNetMonitor1.png"><img class="aligncenter size-full wp-image-10682" alt="EasyNetMonitor" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/EasyNetMonitor1.png" width="282" height="254" /></a></p>
<p>Once you launch EasyNetMonitor, it will appear as an icon in the notification area on your desktop where the IP addresses / host names of the machines you want to monitor can be added. Once you’ve added the machines you wish to monitor, be sure to configure the ping delay time and notification setting.</p>
<h2>5. <a href="http://www.colasoft.com/capsa-free">Capsa Free</a></h2>
<p>Capsa Free is a network analyzer that allows you to monitor network traffic, troubleshoot network issues and analyze packets. Features include support for over 300 network protocols (including the ability to create and customize protocols), MSN and Yahoo Messenger filters, email monitor and auto-save, and customizable reports and dashboards.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/Capsa.png"><img class="aligncenter size-medium wp-image-10683" alt="Capsa" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/Capsa-300x197.png" width="300" height="197" /></a></p>
<p>When you launch Capsa, choose the adapter you want it to bind to and click “Start” to initiate the capture process. Use the tabs in the main window to view the dashboard, a summary of the traffic statistics, the TCP/UDP conversations, as well as packet analysis.</p>
<h2>6. <a href="http://fiddler2.com/home">Fiddler</a></h2>
<p>Fiddler is a web debugging tool that captures HTTP traffic between chosen computers and the Internet. It allows you to analyze incoming and outgoing data to monitor and modify requests and responses before they hit the browser. Fiddler gives you extremely detailed information about HTTP traffic and can be used for testing the performance of your websites or security testing of your web applications (e.g. Fiddler can decrypt HTTPS traffic).</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/Fiddler.png"><img class="aligncenter size-medium wp-image-10684" alt="Fiddler" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/Fiddler-300x169.png" width="300" height="169" /></a></p>
<p>When you launch Fiddler, HTTP traffic will start to be captured automatically. To toggle traffic capturing, hit F12. You can choose which processes you wish to capture HTTP traffic for by clicking on “All Processes” in the bottom status bar, or by dragging the “Any Process” icon from the top menu bar onto an open application.</p>
<h2>7. <a href="http://sourceforge.net/projects/networkminer/">NetworkMiner</a></h2>
<p>NetworkMiner captures network packets and then parses the data to extract files and images, helping you to reconstruct the actions a user has taken on the network &#8211; it can also do this by parsing a pre-captured PCAP file. You can enter keywords which will be highlighted as network packets are being captured. NetworkMiner is classed as a Network Forensic Analysis Tool (NFAT) that can obtain information such as hostname, operating system and open ports from hosts.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/NetworkMiner.png"><img class="aligncenter size-medium wp-image-10685" alt="NetworkMiner" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/NetworkMiner-300x153.png" width="300" height="153" /></a></p>
<p>In the example above, I set NetworkMiner to capture packets, opened a web browser and searched for “soccer” as a keyword on Google Images. The images displayed in the Images tab are what I saw during my browser session.</p>
<p>When you load NetworkMiner, choose a network adapter to bind to and hit the “Start” button to initiate the packet capture process.</p>
<h2>8. <a href="http://sourceforge.net/projects/pandora/?source=directory">Pandora FMS</a></h2>
<p>Pandora FMS is a performance monitoring, network monitoring and availability management tool that keeps an eye on servers, applications and communications. It has an advanced event correlation system that allows you to create alerts based on events from different sources and notify administrators before an issue escalates.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/pandorafms.png"><img class="aligncenter size-medium wp-image-10686" alt="pandorafms" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/pandorafms-300x226.png" width="300" height="226" /></a></p>
<p>When you log in to the Pandora FMS Web UI, start by going to the ‘Agent detail’ and ‘Services’ nodes in the left hand navigation pane. From here, you can configure monitoring agents and services.</p>
<h2>9. <a href="http://sourceforge.net/projects/zenoss/">Zenoss Core</a></h2>
<p>Zenoss Core is a powerful open source IT monitoring platform that monitors applications, servers, storage, networking and virtualization to provide availability and performance statistics. It also has a high performance event handling system and an advanced notification system.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/ZenossCore.png"><img class="aligncenter size-medium wp-image-10687" alt="ZenossCore" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/ZenossCore-300x185.png" width="300" height="185" /></a></p>
<p>Once you log in to the Zenoss Core Web UI for the first time, you are presented with a two-step wizard that asks you to create user accounts and add your first few devices / hosts to monitor. You are then taken directly to the Dashboard tab. Use the Dashboard, Events, Infrastructure, Reports and Advanced tabs to configure Zenoss Core and review reports and events that need attention.</p>
<h2>10. <a href="http://www.paessler.com/prtg">PRTG Network Monitor Freeware</a></h2>
<p>PRTG Network Monitor monitors network availability and network usage using a variety of protocols including SNMP, Netflow and WMI. It is a powerful tool that offers an easy to use web-based interface and apps for iOS and Android. Amongst others, PRTG Network Monitor&#8217;s key features include:</p>
<p>(1) Comprehensive Network Monitoring which offers more than 170 sensor types for application monitoring, virtual server monitoring, SLA monitoring, QoS monitoring</p>
<p>(2) Flexible Alerting, including 9 different notification methods, status alerts, limit alerts, threshold alerts, conditional alerts, and alert scheduling</p>
<p>(3) In-Depth Reporting, including the ability to create reports in HTML/PDF format, scheduled reports, as well as pre-defined reports (e.g. Top 100 Ping Times) and report templates.</p>
<p><b>Note:</b> The Freeware version of PRTG Network Monitor is limited to 10 sensors.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/PRTGNetworkMonitor.png"><img class="aligncenter size-medium wp-image-10688" alt="PRTGNetworkMonitor" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/PRTGNetworkMonitor-300x262.png" width="300" height="262" /></a></p>
<p>When you launch PRTG Network Monitor, head straight to the configuration wizard to get started. This wizard will run you through the main configuration settings required to get the application up and running, including adding the servers to monitor and choosing which sensors to use.</p>
<h2>11. <a href="http://www.mikrotik.com/thedude">The Dude</a></h2>
<p>The Dude is a network monitoring tool that monitors devices and alerts you when there is a problem. It can also automatically scan all devices on a given subnet and then draw and layout a map of your network.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/TheDude.png"><img class="aligncenter size-medium wp-image-10689" alt="TheDude" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/TheDude-300x174.png" width="300" height="174" /></a></p>
<p>When you launch The Dude, you first choose to connect to a local or remote network and specify credentials accordingly. Click ‘Settings’ to configure options for SNMP, Polling, Syslog and Reports.</p>
<h2>12. <a href="http://www.splunk.com/download">Splunk</a></h2>
<p>Splunk is a data collection and analysis platform that allows you to monitor, gather and analyze data from different sources on your network (e.g. event logs, devices, services, TCP/UDP traffic, etc). You can set up alerts to notify you when something is wrong or use Splunk’s extensive search, reporting and dashboard features to make the most of the collected data. Splunk also allows you to install &#8216;Apps&#8217; to extend system functionality.</p>
<p><b>Note: </b>When you first download and install Splunk, it automatically installs the Enterprise version for you to trial for 60 days before switching to the Free version. To switch to the Free version straight away, go to Manager &gt; Licensing.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/Splunk.png"><img class="aligncenter size-medium wp-image-10690" alt="Splunk" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/Splunk-300x262.png" width="300" height="262" /></a></p>
<p>When you log in to the Splunk web UI for the first time, add a data source and configure your indexes to get started. Once you have done this, you can create reports, build dashboards, and search and analyze data.</p>
<h2>13. <a href="http://www.angryip.org/w/Download">Angry IP Scanner</a></h2>
<p>Angry IP Scanner is a standalone application that facilitates IP address and port scanning. It is used to scan a range of IP addresses to find hosts that are alive and obtain information about them (including MAC address, open ports, hostname, ping time, NetBios information, etc).</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/AngryIpScanner.png"><img class="aligncenter size-medium wp-image-10691" alt="AngryIpScanner" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/AngryIpScanner-300x179.png" width="300" height="179" /></a></p>
<p>When you execute the application, go to Tools &gt; Preferences to configure Scanning and Port options, then go to Tools &gt; Fetchers to choose what information to gather from each scanned IP address.</p>
<h2>14. <a href="http://www.ntop.org/ntop/ntop-is-back-ntopng-1-0-just-released/">ntopng</a></h2>
<p>ntopng (‘ng’ meaning ‘next generation’) is the latest version of the popular network traffic analyzer called ntop. ntopng will sit in the background and gather network traffic, then display network usage information and statistics within a Web UI.</p>
<p><b>Note:</b> Although originally aimed at Unix-based systems, there is a Windows version available for a small fee, or a demo version limited to 2000 packets. If you are comfortable running ntopng on a Unix-based box, you can get the full version for free.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/ntopng.png"><img class="aligncenter size-medium wp-image-10692" alt="ntopng" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/ntopng-300x282.png" width="300" height="282" /></a></p>
<p>The image above shows the ntopng dashboard after a few minutes of network traffic collection. In this example, I am using the Windows version. After installation, I simply executed the redis-server.exe file from ..\Program Files (x86)\Redis and fired up the Web UI (http://127.0.0.1:3000).</p>
<h2>15. <a href="http://www.softinventive.com/products/total-network-monitor/">Total Network Monitor</a></h2>
<p>Total Network Monitor continuously monitors hosts and services on the local network, notifying you of any issues that require attention via a detailed report of the problem. The result of each probe is classified using green, red, or black colors to quickly show whether the probe was successful, had a negative result or wasn’t able to complete.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/TotalNetworkMonitor.png"><img class="aligncenter size-medium wp-image-10693" alt="TotalNetworkMonitor" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/TotalNetworkMonitor-300x191.png" width="300" height="191" /></a></p>
<p>When you launch Total Network Monitor, go to Tools &gt; Scan Wizard to have the wizard scan a specified network range automatically and assign the discovered hosts to a group. Alternatively, create a new group manually to start adding devices/hosts individually.</p>
<h2>16. <a href="http://www.netxms.org/download/">NetXMS</a></h2>
<p>NetXMS is a multi-platform network management and monitoring system that offers event management, performance monitoring, alerting, reporting and graphing for the entire IT infrastructure model. NetXMS&#8217;s main features include support for multiple operating systems and database engines, distributed network monitoring, auto-discovery, and business impact analysis tools, amongst others. NetXMS gives you the option to run a web-based interface or a management console.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/NetXMS.png"><img class="aligncenter size-medium wp-image-10694" alt="NetXMS" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/NetXMS-300x185.png" width="300" height="185" /></a></p>
<p>Once you log in to NetXMS, you first need to go to the “Server Configuration” window to change a few settings that depend on your network requirements (e.g. changing the number of data collection handlers or enabling network discovery). You can then run the Network Discovery option for NetXMS to automatically discover devices on your network, or add new nodes by right clicking on “Infrastructure Services” and selecting Tools &gt; Create Node.</p>
<h2>17. <a href="http://sourceforge.net/projects/xymon/">Xymon</a></h2>
<p>Xymon is a web-based system &#8211; designed to run on Unix-based systems &#8211; that allows you to dive deep into the configuration, performance and real-time statistics of your networking environment. It offers monitoring capabilities with historical data, reporting and performance graphs.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/Xymon.png"><img class="aligncenter size-medium wp-image-10695" alt="Xymon" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/Xymon-300x206.png" width="300" height="206" /></a></p>
<p>Once you&#8217;ve installed Xymon, the first place you need to go is the hosts.cfg file to add the hosts that you are going to monitor. Here, you add information such as the host IP address, the network services to be monitored, what URLs to check, and so on.</p>
<p>When you launch the Xymon Web UI, the main page lists the systems and services being monitored by Xymon. Clicking on each system or service allows you to bring up status information about a particular host and then drill down to view specific information such as CPU utilization, memory consumption, RAID status, etc.</p>
<h2>18. <a href="http://www.nirsoft.net/utils/wireless_network_view.html">WirelessNetView</a></h2>
<p>WirelessNetView is a lightweight utility (available as a standalone executable or installation package) that monitors the activity of reachable wireless networks and displays information related to them, such as SSID, Signal Quality, MAC Address, Channel Number, Cipher Algorithm, etc.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/WirelessNetView.png"><img class="aligncenter size-medium wp-image-10696" alt="WirelessNetView" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/WirelessNetView-300x90.png" width="300" height="90" /></a></p>
<p>As soon as you execute WirelessNetView, it automatically populates a list of all reachable Wi-Fi networks in the area and displays information relevant to them (all columns are enabled by default).</p>
<p><b>Note: </b><a href="http://www.nirsoft.net/utils/wireless_network_watcher.html">Wireless Network Watcher</a> is a small utility that goes hand in hand with WirelessNetView. It scans your wireless network and displays a list of all computers and devices that are currently connected, showing information such as IP address, MAC address, computer name and NIC manufacturer – all of which can be exported to a html/xml/csv/txt file.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/WirelessNetworkWatcher.png"><img class="aligncenter size-medium wp-image-10697" alt="WirelessNetworkWatcher" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/WirelessNetworkWatcher-300x134.png" width="300" height="134" /></a></p>
<h2>19. <a href="http://www.xirrus.com/Products/Wi-Fi-Inspector">Xirrus Wi-Fi Inspector</a></h2>
<p>Xirrus Wi-Fi Inspector can be used to search for Wi-Fi networks, manage and troubleshoot connections, verify Wi-Fi coverage, locate Wi-Fi devices and detect rogue Access Points. Xirrus Wi-Fi Inspector comes with built-in connection, quality and speed tests.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/XirrusWiFiInspector.png"><img class="aligncenter size-medium wp-image-10698" alt="XirrusWiFiInspector" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/XirrusWiFiInspector-300x247.png" width="300" height="247" /></a></p>
<p>Once you launch Wi-Fi Inspector and choose an adapter, a list of available Wi-Fi connections is displayed in the “Networks” pane. Details related to your current Wi-Fi connection are displayed in the top right hand corner. Everything pretty much happens from the top ribbon bar – you can run a test, change the layout, edit settings, refresh connections, etc.</p>
<h2>20. <a href="http://www.wireshark.org/download.html">Wireshark</a></h2>
<p>This list wouldn’t be complete without the ever popular Wireshark. Wireshark is an interactive network protocol analyzer and capture utility. It provides for in-depth inspection of hundreds of protocols and runs on multiple platforms.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/WireShark.png"><img class="aligncenter size-medium wp-image-10699" alt="WireShark" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/WireShark-300x182.png" width="300" height="182" /></a></p>
<p>When you launch Wireshark, choose which interface you want to bind to and click the green shark fin icon to get going. Packets will immediately start to be captured. Once you’ve collected what you need, you can export the data to a file for analysis in another application or use the in-built filter to drill down and analyze the captured packets at a deeper level from within Wireshark itself.</p>
<p>Are there any free tools not on this list that you’ve found useful and would like to share with the community? Then leave us a comment below and let us know!</p>
<p><strong><em>Like our posts? Subscribe to our <a href="http://feeds.feedburner.com/TalkTechToMe-All">RSS feed</a> or email feed (on the right hand side) now, and be the first to get them!</em></strong></p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/the-top-20-free-network-monitoring-and-analysis-tools-for-sys-admins/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>SysAdmin Day: We’re Taking it to Another Level!</title>
		<link>http://www.gfi.com/blog/sysadmin-day-were-taking-it-to-another-level/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=sysadmin-day-were-taking-it-to-another-level</link>
		<comments>http://www.gfi.com/blog/sysadmin-day-were-taking-it-to-another-level/#comments</comments>
		<pubDate>Mon, 22 Jul 2013 13:56:42 +0000</pubDate>
		<dc:creator>Christina Goggi</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[TTTM]]></category>
		<category><![CDATA[free tools]]></category>
		<category><![CDATA[Sys admin]]></category>
		<category><![CDATA[SysAdmin Day]]></category>
		<category><![CDATA[SysAdmin Week]]></category>
		<category><![CDATA[TalkTechToMe]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=10673</guid>
		<description><![CDATA[In case it wasn’t clear enough last year, we love sys admins and SysAdmin Day is very important to us. So we decided to turn SysAdmin Day into SysAdmin Week – because one day is really not enough! Throughout this week, &#8230;]]></description>
				<content:encoded><![CDATA[<p><a style="color: #ff4b33; line-height: 24px; font-size: 16px;" href="http://www.gfi.com/blog/wp-content/uploads/2013/07/FBSysAdminWeekday1.jpg"><img class=" wp-image-10674 alignright" style="margin: 10px; border: 0px solid black;" alt="SysAdminWeekday1" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/FBSysAdminWeekday1-300x300.jpg" width="240" height="240" /></a></p>
<p>In case it wasn’t clear enough <a href="http://www.gfi.com/blog/47-reasons-to-thank-a-sysadmin/">last year</a>, we love sys admins and SysAdmin Day is very important to us.</p>
<p>So we decided to turn SysAdmin Day into SysAdmin Week – because one day is really not enough! Throughout this week, we’ll be publishing a daily post designed specifically for you – from free tools, to tips, tricks of the trade and more (but we can’t divulge any secrets yet).</p>
<p>Stay tuned on our social media pages and TalkTechToMe!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/sysadmin-day-were-taking-it-to-another-level/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Top 5 Free Rescue Discs for Your Sys Admin Toolkit</title>
		<link>http://www.gfi.com/blog/top-5-free-rescue-discs-for-your-sys-admin-toolkit/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=top-5-free-rescue-discs-for-your-sys-admin-toolkit</link>
		<comments>http://www.gfi.com/blog/top-5-free-rescue-discs-for-your-sys-admin-toolkit/#comments</comments>
		<pubDate>Fri, 12 Jul 2013 15:00:08 +0000</pubDate>
		<dc:creator>Andrew Zammit Tabona</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[TTTM]]></category>
		<category><![CDATA[AVG Rescue CD]]></category>
		<category><![CDATA[Avira AntiVir Rescue System]]></category>
		<category><![CDATA[Boot-Repair-Disk]]></category>
		<category><![CDATA[F-Secure Rescue CD]]></category>
		<category><![CDATA[FalconFour’s Ultimate Boot CD]]></category>
		<category><![CDATA[Hiren Boot CD]]></category>
		<category><![CDATA[Knoppix]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[Linux distribution]]></category>
		<category><![CDATA[Live USB]]></category>
		<category><![CDATA[Master Boot Record]]></category>
		<category><![CDATA[MiniXP]]></category>
		<category><![CDATA[Parted Magic]]></category>
		<category><![CDATA[PuppyLinux]]></category>
		<category><![CDATA[repair tools]]></category>
		<category><![CDATA[Rescue CDs]]></category>
		<category><![CDATA[Rescue Disc]]></category>
		<category><![CDATA[SystemRescueCD]]></category>
		<category><![CDATA[Trinity Rescue Kit]]></category>
		<category><![CDATA[troubleshoot]]></category>
		<category><![CDATA[Ubuntu LiveCD]]></category>
		<category><![CDATA[Ultimate Boot CD]]></category>
		<category><![CDATA[Windows]]></category>
		<category><![CDATA[Windows System Repair Disc]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=10653</guid>
		<description><![CDATA[A Rescue Disc can be a life saver for a Sys Admin. Packed with various diagnostic and repair tools they can do things like fix a Master Boot Record (MBR), recover a password, detect and clean a rootkit or simply &#8230;]]></description>
				<content:encoded><![CDATA[<p>A Rescue Disc can be a life saver for a Sys Admin. Packed with various diagnostic and repair tools, they can do things like fix a Master Boot Record (MBR), recover a password, detect and clean a rootkit, or simply allow you to salvage data by transferring it from a damaged drive to another location. Here are the best all-in-one bootable CD/USBs that admins can use to troubleshoot and repair a Linux or Windows system – all handy additions to your toolkit.</p>
<p><b>1. <a href="http://www.hirensbootcd.org/download/">Hiren Boot CD</a></b></p>
<p>The tagline for Hiren Boot CD reads “a first aid kit for your computer” &#8211; and that it is! Hiren Boot CD is one of the more popular Rescue CDs out there and contains a wealth of tools including defrag tools, driver tools, backup tools, anti-virus and anti-malware tools, rootkit detection tools, secure data wiping tools, and partitioning tools, amongst others.</p>
<p>Hiren Boot CD is available to download as an ISO for easy installation to a USB or burning to a CD.</p>
<p>The boot menu allows you to boot into the MiniXP environment, the Linux-based rescue environment, run a series of tools or boot directly from a specified partition.</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/Hiren_PreBoot.png"><img class="aligncenter  wp-image-10654" alt="Hiren_PreBoot" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/Hiren_PreBoot.png" width="464" height="243" /></a></p>
<p>The MiniXP environment, as shown in the image below, is much like a Windows XP desktop. Everything pretty much happens from the HBCD Launcher (a standalone application with a drop-down menu containing shortcuts to the packaged applications).</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/Hiren_MiniXPBooted.png"><img class="aligncenter  wp-image-10655" alt="Hiren_MiniXPBooted" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/Hiren_MiniXPBooted.png" width="432" height="325" /></a></p>
<p>&nbsp;</p>
<p><b>2. <a href="http://falconfour.wordpress.com/tag/f4ubcd/">FalconFour’s Ultimate Boot CD</a></b></p>
<p>FalconFour’s Ultimate Boot CD is based upon the Hiren Boot CD with a customized boot menu and a whole bunch of updated tools thrown in. F4’s UBCD contains tools that provide system information, tools that recover/repair broken partitions, tools that recover data, as well as file utilities, password recovery tools, network tools, malware removal tools and much more.</p>
<p>F4’s UBCD is available for download as an ISO file so you can burn it to a CD or use it to create a bootable USB drive.</p>
<p>Similar to Hiren Boot CD, when you boot F4’s UBCD you are presented with a menu giving you the option to boot into a Linux environment, the MiniXP environment or run a series of standalone tools. As you scroll through the menu, a description of each item is given at the bottom of the screen.</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/F4UBCD1_PreBoot.png"><img class="aligncenter  wp-image-10656" alt="F4UBCD1_PreBoot" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/F4UBCD1_PreBoot.png" width="406" height="318" /></a></p>
<p>Similar to that of Hiren Boot CD, the MiniXP environment is much like a Windows XP desktop environment, only it’s really lightweight and is pre-packed with a host of diagnostic and repair tools.</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/F4UBCD2_MiniXPBooted.png"><img class="aligncenter  wp-image-10657" alt="F4UBCD2_MiniXPBooted" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/F4UBCD2_MiniXPBooted.png" width="443" height="332" /></a></p>
<p>Once the desktop has loaded up, choose from one of the available application shortcuts, launch the HBCD Menu or go to the Start menu to get going.</p>
<p>&nbsp;</p>
<p><b>3. <a href="http://www.sysresccd.org/Download">SystemRescueCD</a> </b></p>
<p>SystemRescueCD is a Linux-based package for troubleshooting Linux and Windows systems. The disc contains antivirus, malware removal, and rootkit removal tools as well as tools to help manage or repair partitions, recover your data, back up your data or clone your drives. SystemRescueCD supports ext2/ext3/ext4, reiserfs, btrfs, xfs, jfs, vfat, and ntfs file systems, as well as network file systems like samba and nfs. It also comes with network troubleshooting, file editing, and bootloader restoration tools.</p>
<p>SystemRescueCD is available for download as an ISO file so you can burn it to a CD or use it to create a bootable USB drive.</p>
<p>When you boot the SystemRescueCD, the pre-boot menu gives you a multitude of options, allowing you to boot directly into the graphical environment or the command line.</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/SystemRescueCD1_PreBoot1.png"><img class="aligncenter  wp-image-10659" alt="SystemRescueCD1_PreBoot" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/SystemRescueCD1_PreBoot1.png" width="383" height="287" /></a></p>
<p>In the image below, I have booted into the graphical environment and started the chkrootkit application from the Terminal window which searches for rootkits installed on the system. Other applications can be run directly from the terminal in a similar fashion, using arguments and parameters as necessary.</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/SystemRescueCD1_xstart.png"><img class="aligncenter  wp-image-10660" alt="SystemRescueCD1_xstart" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/SystemRescueCD1_xstart.png" width="433" height="324" /></a></p>
<p>&nbsp;</p>
<p><b>4. <a href="http://www.ultimatebootcd.com/download.html">Ultimate Boot CD</a></b></p>
<p>Ultimate Boot CD is designed to help you troubleshoot Windows and Linux systems using a series of diagnostic and repair tools. It contains anything from data recovery and drive cloning tools to BIOS management, memory and CPU testing tools.</p>
<p>UBCD is downloadable in ISO format for easy installation to a USB or burning to a CD.</p>
<p><b>Note:</b> UBCD4Win (<a href="http://www.ubcd4win.com/">http://www.ubcd4win.com/</a>) is UBCD’s brother built specifically for Windows systems.</p>
<p>When you boot with UBCD you are presented with a DOS-based interface that you navigate depending on which system component you wish to troubleshoot.</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/UBCD_PreBoot.png"><img class="aligncenter  wp-image-10661" alt="UBCD_PreBoot" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/UBCD_PreBoot.png" width="474" height="265" /></a></p>
<p>&nbsp;</p>
<p><b>5. <a href="http://trinityhome.org/Home/index.php?content=TRINITY_RESCUE_KIT_DOWNLOAD">Trinity Rescue Kit</a></b></p>
<p>The Trinity Rescue Kit is a Linux-based Rescue CD aimed specifically at recovery and repair of Windows or Linux machines. It contains a range of tools allowing you to run AV scans, reset lost Windows passwords, backup data, recover data, clone drives, modify partitions and run rootkit detection tools.</p>
<p>The Trinity Rescue Kit is downloadable in ISO format for easy installation to a USB or burning to a CD.</p>
<p>The boot menu gives you the option to start TRK in different modes (useful if you’re having trouble loading in default mode).</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/Trinity_PreBoot.png"><img class="aligncenter  wp-image-10662" alt="Trinity_PreBoot" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/Trinity_PreBoot.png" width="361" height="295" /></a></p>
<p>Once you get to the Trinity Rescue Kit ‘easy menu’, simply navigate through the list to choose which tool to execute. You can also switch to the command line if you want more flexibility and feel comfortable with Linux-based commands.</p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/07/Trinity_EasyBootMenu.png"><img class="aligncenter  wp-image-10663" alt="Trinity_EasyBootMenu" src="http://www.gfi.com/blog/wp-content/uploads/2013/07/Trinity_EasyBootMenu.png" width="435" height="309" /></a></p>
<p>&nbsp;</p>
<h2><b>You may also wish to consider…</b></h2>
<p><a href="http://sourceforge.net/projects/boot-repair-cd/"><b>Boot-Repair-Disk</b></a></p>
<p>Boot-Repair-Disk is a Rescue CD primarily designed for repairing Linux distributions but can also be used to fix some Windows systems. It automatically launches the Boot-Repair application (a one-click repair system) which is used to repair access to operating systems, providing GRUB reinstallation, MBR restoration, file system repair and UEFI, SecureBoot, RAID, LVM, and Wubi support.</p>
<p><a href="http://partedmagic.com/doku.php?id=downloads"><b>Parted Magic</b></a></p>
<p>Parted Magic is a Linux-based bootable disc whose main focus is helping to repair/diagnose drive specific issues. It contains a series of drive management tools such as GParted, GSmartControl, CloneZilla and ms-sys for creating/editing partitions, retrieving drive status information, cloning a drive or managing bootloaders.</p>
<p><a href="http://windows.microsoft.com/en-gb/windows7/create-a-system-repair-disc"><b>Windows System Repair Disc</b></a></p>
<p>The Windows System Repair Disc lets you boot into the Windows Recovery Environment, giving you the option to detect and fix startup and booting issues, restore to a workable restore point (if you had System Restore enabled), restore the entire machine from a backup image, conduct a memory diagnostics test and use the command line to run utilities like chkdsk.</p>
<p>Additionally, Linux distributions such as <a href="http://puppylinux.org/main/Overview%20and%20Getting%20Started.htm"><b>PuppyLinux</b></a>, <a href="https://help.ubuntu.com/community/LiveCD"><b>Ubuntu LiveCD</b></a> or <a href="http://knoppix.net/"><b>Knoppix</b></a> are lightweight bootable versions of Linux that contain a host of handy tools to fix common problems, recover data, transfer data, scan for viruses, manage partitions, etc.</p>
<p>Finally, you could also try a Rescue Disc from a popular anti-virus vendor, such as <a href="http://www.avg.com/gb-en/avg-rescue-cd"><b>AVG Rescue CD</b></a>, <a href="http://www.f-secure.com/en/web/labs_global/removal-tools/-/carousel/view/142"><b>F-Secure Rescue CD</b></a>, or <a href="http://www.avira.com/en/download/product/avira-antivir-rescue-system"><b>Avira AntiVir Rescue System</b></a>. Although primarily targeted at systems that are infected with malware, they are worth adding to your arsenal.</p>
<h2><b>Create your own!</b></h2>
<p>If you want more flexibility, why not create or customize your own bootable rescue disc?</p>
<p>You have a couple of options here:</p>
<p><b>1) Create your own bootable Live USB</b></p>
<p>Using applications such as YUMI (Your Universal Multiboot Installer) or UNetBootin, you can create a multi-boot USB drive containing several operating systems, antivirus utilities, disc cloning, diagnostic tools, and more.</p>
<p><b>2) Modify a Linux distribution</b></p>
<p>If you are using a Linux-based Rescue CD / Live CD, you can use an application like Live-Magic (for Debian-based Linux distributions) or Remastersys to create a bootable ISO of an already installed Linux OS. The idea would be to install a clean build of Linux, add or remove applications and make any customizations as necessary, and then run the above-mentioned applications to capture the build into an ISO.</p>
<p>Alternatively, instead of using an application, you can use a series of shell scripts to do the same thing. Check out <a href="http://www.linux-live.org/">http://www.linux-live.org/</a> for more information.</p>
<p>So which is your favourite? Have you come across any Rescue CDs not on this list that you’ve found useful and would like to share with the rest of the community?</p>
<p><strong><em>Like our posts? Subscribe to our <a href="http://feeds.feedburner.com/TalkTechToMe-All">RSS feed</a> or email feed (on the right hand side) now, and be the first to get them!</em></strong></p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/top-5-free-rescue-discs-for-your-sys-admin-toolkit/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>How to Avoid Becoming the Villain (Part 2)</title>
		<link>http://www.gfi.com/blog/how-to-avoid-becoming-the-villain-part-2/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=how-to-avoid-becoming-the-villain-part-2</link>
		<comments>http://www.gfi.com/blog/how-to-avoid-becoming-the-villain-part-2/#comments</comments>
		<pubDate>Tue, 09 Jul 2013 16:37:25 +0000</pubDate>
		<dc:creator>Emmanuel Carabott</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[TTTM]]></category>
		<category><![CDATA[illicit websites]]></category>
		<category><![CDATA[Search Engine Poisoning]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=10640</guid>
		<description><![CDATA[Life is full of surprises. I recently wrote an article titled How to Avoid Becoming the Villain on why it is so important to configure your servers correctly so that people cannot exploit them for illegal purposes. A few days &#8230;]]></description>
				<content:encoded><![CDATA[<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/04/Becoming-the-Villain.jpg"><img class="alignright size-medium wp-image-10454" style="border: 0px solid black; margin: 10px;" alt="Becoming the Villain" src="http://www.gfi.com/blog/wp-content/uploads/2013/04/Becoming-the-Villain-300x200.jpg" width="300" height="200" /></a>Life is full of surprises. I recently wrote an article titled <i><a href="http://www.gfi.com/blog/how-to-avoid-becoming-the-villain/">How to Avoid Becoming the Villain</a></i> on why it is so important to configure your servers correctly so that people cannot exploit them for illegal purposes. A few days ago, I came across a case that adds weight to the points I made then.<span id="more-10640"></span></p>
<p>I was searching for the website of a particular restaurant that provides a delivery service in my area and Google gave me a list including the one that I was looking for. However, the search engine warned me that the website may have been compromised or infected with malware. Now, what would a hungry person working in IT security do in such a situation? Exactly! Forget about food for a little while and look into the matter.</p>
<p>Checking out the webpage source, it was easy to find out what had triggered the alert on Google – this piece of JavaScript:</p>
<pre style="padding-left: 30px;">function xViewState()
{
  var a=0,m,v,t,z,x=new Array('9091968376','8887918192818786347374918784939277359287883421333333338896',
      '877886888787','949990793917947998942577939317'),l=x.length;
  // decode each string in place: every two-digit chunk, shifted by (25-l+a), becomes one character
  while(++a&lt;=l){
    m=x[l-a]; t=z='';
    for(v=0;v&lt;m.length;){
      t+=m.charAt(v++);
      if(t.length==2){z+=String.fromCharCode(parseInt(t)+25-l+a);t='';}
    }
    x[l-a]=z;
  }
  // assemble the decoded pieces into a &lt;style&gt; block and write it into the page
  document.write('&lt;'+x[0]+' '+x[4]+'&gt;.'+x[2]+'{'+x[1]+'}&lt;/'+x[0]+'&gt;');
}
xViewState();
&lt;/script&gt;
</pre>
<p>&nbsp;</p>
<p>For those with a background in Java, at a first glance you can see that this function is meant to obfuscate some HTML: the author of that code didn’t want us, or whoever else was checking the code, to know exactly what that HTML is. Digging a bit deeper, I found that its purpose is to generate the following HTML: <b><i>&lt;undefined style&gt;.nemonn{position:absolute;top:-9999px}&lt;/style&gt;</i></b></p>
<p>The purpose of that HTML is to position any element with the class .nemonn outside of the screen, making it invisible to anyone visiting the webpage. What did class nemonn contain? Class nemonn contained adverts and links to sites that sell stuff like medicines, low cost loans and other suspicious offers and deals.</p>
<h2>But why?</h2>
<p>The reason for this attack, which is called Search Engine Poisoning, is so that the attacker can improve the ranking of his malicious sites. Anyone visiting the website will not notice anything out of place, while search engines going through the victim’s website will find all the links that class nemonn is linking to. The search engine will then raise the ranking of those links based on the fact they seem quite popular since other sites are linking back to them.</p>
<p>In a nutshell, attackers are using the popularity of the victim’s site to increase the ranking of their own illicit websites.</p>
<p>This episode highlighted another issue. The attackers were able to gain access to and modify the HTML. The modifications were harmless to people legitimately visiting the webpage, but they could also have been used for drive-by malware downloads, to use the website as a platform to launch phishing attacks, or to include exploits that compromise the user’s machine when visiting the website.</p>
<p>If you work for an organization that hosts any kind of content, be it a website or even files for download, you need to have a process to ensure that none of the content has been modified without authorization. It’s easy to upload data to your website and then forget about it so long as it’s working fine. However, you are taking a number of risks if that data is not protected.</p>
<p>Here’s an example: You have a restaurant’s website that has been compromised by attackers who proceed to manipulate the content. Let’s say that the restaurant had an online shopping cart and facilitated the use of credit cards. All an attacker has to do to steal the credit card details is to write a script that takes the same input as the legitimate form.</p>
<p>This script will save the details, including the credit card information, and resubmit it to the original script the restaurant is hosting. This might trigger a warning if the site is hosted on HTTP Secure, but unless the user is tech savvy they are very likely to dismiss the warning, especially since everything else will work as expected. Even tech savvy and security conscious users might dismiss the warning as nothing more than a redirect to an insecure site after the order has been completed, which is something that we often see happen legitimately.</p>
<p>If you don’t want others to turn you into a villain, make sure that no one can make any changes to your site or content. Also, ensure the software products you are using are patched, up-to-date and secure. I was curious to know how the website I was looking for was compromised in the first place. It turned out that they were using an old version of a popular content management system with known vulnerabilities. This is the most likely route the attackers took. The moral of the story is that you should never set up a website and forget about it.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/how-to-avoid-becoming-the-villain-part-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
