1. HDD: Data stored on a hard disk drive (HDD) is permanent in nature. It remains on the hard drive even after the system is powered down and rebooted. However, a normal hard disk drive is prone to errors and may crash because of non-availability of redundancy.
2. Logs stored on remote systems: Any data stored on a remote system is less vulnerable than data stored on the target system. For this reason, many servers send log data to a remote system for centralized collection. Even if the server is completely destroyed, the centralized logs still have valuable data for problem analysis.
3. Archive media: This includes any types of backups or copies of data captured for either recovery or archive purposes. They are generally offline and less likely to be destroyed or corrupted. Examples of archive media include backup tapes and DVDs.
Honeypot: Honeypots are designed such that they appear to be real targets to hackers. That is a hacker can not distinguish between a real system and a decoy. This enables lawful action to be taken against the hacker, and securing the systems at the same time.
Netstumbler: Netstumbler can be used to sniff wireless networks during wardriving. The software tool provides several details of a wireless network such as SSID.
To reduce vulnerabilities on a web server , you need to apply the latest service packs and patches to a web server or any operating system as a preventive measure. Audit logs may help detect any attempts to hack the web server, and not a preventive measure.
Network Mapper: A network mapper is a tool that identifies what the devices connected to the network and the operating systems being used, if any. Firewall, proxy server, and web security gateway are used for network/host security. System mapper is given to divert the attention from the basic question.
Sniffer: A sniffer is a piece of software that grabs all of the traffic flowing into and out of a computer attached to a network. A sniffer may be used in an IDS, and a sniffer by itself doesn't identify any suspicious traffic.
Proxy Server: A proxy server is a server that acts as an intermediary for requests from clients seeking resources from other servers.
Command line tools:
NBTSTAT: This utility displays current NetBIOS over TCP/IP connections, and display NetBIOS name cache.
NETSTAT: Displays current TCP/IP connections since the server was last booted.
Data Dump (dd): is a Linux command-line utility used to convert and copy files. As a result, dd can be used for tasks such as backing up the boot sector of a hard drive, obtaining a fixed amount of random data, or copying (backing up) entire disks
Memdump:Linux has a utility program called memory dumper, or memdump. This program dumps system memory to the standard output stream, skipping over any holes in memory maps. By default, the program dumps the contents of physical memory (/dev/mem). The output from memdump is in the form of a raw dump.
TRACERT: Used to determine which route a packet takes to reach its destination from source.
IPCONFIG: Used to display Windows IP configuration information.
NSLOOKUP : This utility enables users to interact with a DNS server and display resource records.
ROUTE: Used to display and edit static routing tables.
WinHex:WinHex is a hexadecimal file editor. This tool is very useful in forensically investigating files, and it provides a whole host of forensic functions such as the ability to read almost any file, display contents of the file, convert between character sets and encoding, perform hash verification functions,and compare files
FTK imager:FTK imager is designed to capture an image of a hard drive (or other device) in a forensic fashion. FTK Imager retains the file system metadata (and the file path) and creates a log of the files copied.
Autopsy: Autopsy is the open source answer for digital forensic tool suites. Can perform virtually all digital forensic functions. It runs on Windows and offers a comprehensive set of tools that can enable network-based collaboration and automated,intuitive workflows. It has tools to support hard drives, removable devices,and smartphones.
Packet capture and replay
TCPreplay: Open source utilities for editing and replaying previously captured network traffic. As a tool, it specifically replays a packet captures, called PCAP files on a network.
TCPdump: The tcpdump utility is designed to analyze network packets either from a network connection or a recorded file. You can use tcpdump to create files of packet captures, called PCAP files, and perform filtering between input and output.
Wireshark: Wireshark is a network protocol analyzer, or an application that captures packets from a network connection, such as from your computer to your home office or the internet.
Arp: The arp command is designed to view and modify the ARP table entries on the local computer
Head: Head is a utility designed to return the first lines of a file. A common option is the number of lines one wishes to return. For example, head -5 returns the first five lines of a file.
Tail: Tail is a utility designed to return the last lines of a file. A common option is the number of lines one wishes to return. For example, tail - 5 returns the last five lines of a file.
Cat:Cat is a Linux command, short for concatenate, that can be used to create and manipulate files. It can display the contents of a file, handle multiple files,and can be used to input data from stdin, which is a stream of input, to a file if the file does not exist. Here is an example:# cat textfile.txt
The cat command can be piped through more or less to limit scrolling of long files: # cat textfile.txt | more
Grep: Grep is a Linux utility that can perform pattern-matching searches on file contents. The name grep comes from "Globally search for Regular Expression and Print the matching lines."
Chmod: Chmod is the Linux command used to change access permissions of a file. The general form of the command is chmod <options> <permissions> <filename>
Permissions can be entered either in symbols or octal numbers
logger: The Linux command logger is how you can add log file information to /var/log/syslog. The logger command works from the command line, from scripts, or from other files, thus providing a versatile means of making log entries. The syntax is simple:
logger <message to put in the log>
This command will put the text in the option into the syslog file.