Plain-text Search Tools

Searching through tens of thousands of lines in CSV files is fun, right? Finding new malware or any malicious activity in live data is a chore, but trying to find data from older events is even harder. The right tools can help with that. I have put together a list of some of the tools I use to search through many text files.
  • grepWin - It's grep, for Windows! It can perform regex and text-based queries on thousands of files and return a list of the results showing the file name and line of each hit. A built-in regex tester keeps you from going insane because of a typo.
  • Log Parser Studio - Use SQL to find data in text files (or other event log file types). It comes with many SQL queries already included, and you can also export your queries as a PowerShell script.
  • PowerShell Select-String - The Select-String cmdlet will match values in any text-based file. Point the command at a directory that contains the files, enter the pattern value, and hit enter. Let's say that you want to find a specific SID in your Snort rules folder; the following command will return the results you are looking for:
    • Select-String -Path c:\snort\rules\*.rules -Pattern sid:23910
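As an added example (not part of the original post, and not the author's command), the script below builds a small constructed set of Snort-style rule files in a temp folder, looks up one SID with Select-String the way the command above does, and then goes one step further: it pulls every SID and its msg out of all rule files into objects and exports them to CSV so the index can be searched again later. The directory name, file names, rule text and SIDs are all made up for the demo.

```powershell
# Added example, not from the original post. Builds constructed Snort-style rule
# files in a temp folder, then searches them with Select-String.
# The rules and SIDs below are constructed for illustration only.

$ruleDir = Join-Path ([System.IO.Path]::GetTempPath()) 'snort-rules-demo'
New-Item -ItemType Directory -Path $ruleDir -Force | Out-Null

# Single-quoted here-strings keep $HOME_NET etc. literal (no PowerShell expansion).
@'
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"DEMO web probe"; content:"/probe"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"DEMO second rule"; content:"/other"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"DEMO prefix trap"; content:"/trap"; sid:10000010; rev:1;)
'@ | Set-Content -Path (Join-Path $ruleDir 'web.rules')

@'
alert udp any any -> $HOME_NET 53 (msg:"DEMO dns rule"; content:"|00 01|"; sid:1000003; rev:2;)
'@ | Set-Content -Path (Join-Path $ruleDir 'dns.rules')

# 1) Look up one SID. -Pattern is a regex; the trailing ';' anchors the match so
#    sid:1000001 does not also return the sid:10000010 rule.
Select-String -Path (Join-Path $ruleDir '*.rules') -Pattern 'sid:1000001;' |
    Select-Object Filename, LineNumber, Line

# 2) Generalised: extract every SID and its msg from all rule files. The capture
#    groups are read back from the MatchInfo object's Matches property.
$sidIndex = Select-String -Path (Join-Path $ruleDir '*.rules') -Pattern 'msg:"([^"]*)".*sid:(\d+);' |
    ForEach-Object {
        [pscustomobject]@{
            File       = $_.Filename
            LineNumber = $_.LineNumber
            Sid        = [int]$_.Matches[0].Groups[2].Value
            Message    = $_.Matches[0].Groups[1].Value
        }
    }

# Export so the index can be searched later with grep-style tools or Log Parser.
$sidIndex | Export-Csv -Path (Join-Path $ruleDir 'sid-index.csv') -NoTypeInformation
$sidIndex | Sort-Object Sid | Format-Table -AutoSize
```

Two things worth keeping in mind when using the one-liner from the post: -Pattern is treated as a regular expression unless you add -SimpleMatch, and a bare sid:23910 is a prefix match, so it also hits sid:239101 and similar; ending the pattern with the ';' that terminates the option in a Snort rule avoids that.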

PCAP Analysis

Digging through PCAP files is a blast, in my opinion, especially when you find that display filter that will return the right results.
  • Wireshark - The de facto tool, no need to get into too many details. Make sure you brush up on its display filters. The HTTP filters will help you locate web-based traffic, and the frame filters will help you find packets by length and number.
  • Network Miner - A great tool to parse PCAP file data. The site also has some other great forensic tools that you may find invaluable.

Malware Analysis

Although I am not a full-blown malware analyst, I do use a few tools to help me determine whether there are any useful indicators that I can use.
  • VirusTotal - An invaluable resource to help you determine if a file is malicious. There is also a great community that will comment on submissions. Download their uploader application, and feel free to say hello to me!
  • PEStudio - A tool that will analyze 32- and 64-bit executable files. It flags and ranks any suspicious indicators that its analysis of the file turns up.

Other Research Tools

Miscellaneous tools that I find very useful.
  • DNS Data View - A great tool to use if you have many IP addresses or host names that you wish to query. It will also export all of the search results into a CSV file.
  • IP Net View - Find the owner of an IP address.
