Online Forensics of Win/32 System  

 
Contents
Overview
Initial Response
Forensics Steps
Appendix A - Tools
Appendix B - Normal TCP View
Appendix C - TCP with trojan
Appendix D - PSLIST Output
Appendix E - MD5 Hashes
Definitions
Revision History

Overview

You may need to check a live system as the initial response to a security incident. The result is used to determine whether a policy, a law or some other acceptable-use rule has been violated, and the information found during this process could lead to human resource or legal actions. This document outlines how to capture volatile data from a live system before that evidence is lost. Many software programs are used in this evaluation; they should not be installed on the system under examination, but run from a "trusted file" source on the network, a CD-ROM or a USB drive. All the files mentioned below can be downloaded from win32forensic.zip. It is important to limit alteration of the system as much as possible. If the evidence or case warrants further investigation, an in-depth forensic image may be taken for further evaluation.

Likely scenarios where this process should be followed include but are not limited to:

  • Host is infected
  • Host is compromised
  • Host has Trojan
  • Host is being maliciously used by owner or another user

Initial Response

  1. Get as much information about the incident as possible before starting any forensic work, in particular which ports were involved or any other detail that will help focus the investigation. This may come from sources such as NetFlow and network captures. Try to formulate a working theory before the examination; without an understanding of the events leading up to it, the forensic evaluation will be hampered.
  2. Open a case in your incident tracking system

    As you gather information, put all data in the incident tracking system case notes regardless of whether the Incident Manager decides the data is valuable or not. These entries should follow your incident reporting standards but at a minimum should include information like the following:

    I ran nmap against 64.x.x.x and got the following output:

    C:\>nmap -sS -O 64.x.x.x

    Starting nmap V. 3.00 ( www.insecure.org/nmap )
    Interesting ports on AJAX (64.x.x.x):
    (The 1594 ports scanned but not shown below are in state: closed)
    Port       State       Service
    113/tcp    open        auth
    135/tcp    open        loc-srv
    139/tcp    open        netbios-ssn
    445/tcp    open        microsoft-ds
    1025/tcp   open        NFS-or-IIS
    3000/tcp   open        ppp
    3389/tcp   open        ms-term-serv
    Remote operating system guess: Microsoft Windows.NET Enterprise Server (build 3604-3615 beta)

    Nmap run completed -- 1 IP address (1 host up) scanned in 20 seconds

    If the timestamp in the incident tracking system does not reflect the date of the action, note that in the preface.

 

Forensics Steps

*Unless otherwise noted, all executables mentioned below are available in the file win32forensic.zip. Download them and run them from a trusted file source so that you can view and save the output of each command.

  1. Get as much remote information from the machine as possible
    • Create an authenticated named-pipe connection to the machine if possible (net use U: \\machinename\c$ /user:Administrator)
    • Run nbtstat -a address
    • Get the timestamp of the machine: net time \\machinename
    • Run srvinfo \\machinename (srvinfo is a Resource Kit utility)
    • Run winfingerprint http://winfingerprint.sourceforge.net/
    • Run nmap (nmap -sT -O <ip address>)
    • Run pslist \\machinename (see Appendix D for an example of pslist output)
    • Put all information into the incident tracking system case and keep updating it as new information comes up
  2. Determine the host location and owner
  3. Call the owner and verify he will be present if you don't have remote access to the host
  4. If the owner is available and local to the IM, go over and do these steps in person. If the owner is remote, you may be forced to go through these steps over the phone with the owner; if so, the chances of discovering possible malicious intent are very limited.
  5. Verify the anti-virus product and version, and verify that it is current

  6. Download tcpview and run it <http://www.sysinternals.com/ntw2k/source/tcpview.shtml>

    Or from remote:

    • Make an administrative connection to the remote machine: Net use \\machine\ipc$ /user:machine\administrator
    • Then copy fport to the remote machine: xcopy /v fport.exe \\machine\c$
    • psexec \\machine cmd
    • While in the shell on the box type: C:\fport.exe
    • Note and save the results by saving as <filename>
  7. Look for any process bound to the port used in the incident (see Appendix B for normal TCPView output and Appendix C for one with a Trojan). For most command-and-control cases it is a simple matter of linking the port used in the communications with a process on the machine.

  8. Look for unlikely or anomalous processes. In the case of the mumu virus you will see an entry for it; with other Trojans you will see mirc32 or real-sounding file names running. This could be a false positive, and more investigation will be needed.

  9. If malware is found, examine the file properties.

  10. Run strings on the file (in Windows use bintext.exe, http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/freetools.htm) for further verification.

  11. Check the registry keys that Trojans commonly use to establish persistence. To make a remote connection, launch regedit on your local station and go to File -> Connect Network Registry, enter \\workstation, then go to the run keys (Run, RunOnce and RunOnceEx) and check for any unusual apps being started.

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    Examples are: Explorer .exe (note the space; it should not even be here), mumu, musirc, psexec etc.

    The keys to check are:

    HKLM\Software\Microsoft\Windows\CurrentVersion\
      Run
      RunOnce
      RunServices
      RunServicesOnce

    HKCU\Software\Microsoft\Windows\CurrentVersion\
      Run
      RunOnce
      RunServices
      RunServicesOnce
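The Run-key review of step 11, as an added example that is not part of the original document: a Python parser for the text that reg query prints for these keys, applying the checks the step describes (the names it lists, the space before .exe) plus one assumed heuristic, an executable starting from outside the Windows and Program Files trees. The sample listing is constructed, and the trusted-directory prefixes assume the system drive is C:.

```python
"""Check the Run/RunOnce autostart keys of step 11 from 'reg query' output.

Parses the text 'reg query <key>' prints on Windows 2000/XP/2003 and applies
the checks step 11 describes by hand: known Trojan entry names, a space in
front of the extension ('Explorer .exe') and, as an extra heuristic, an
executable that starts from outside the Windows and Program Files trees.
"""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "key name type value")

# Names step 11 calls out as entries that should not be there.
KNOWN_BAD = ("mumu", "musirc", "psexec")

# Assumption: the system drive is C: and legitimate autostarts live under these.
TRUSTED_PREFIXES = ("c:\\winnt\\", "c:\\windows\\", "c:\\program files\\")

# '    <name>    REG_SZ    <value>' as printed by reg query
_VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s*(?P<value>.*)$")
# Leading program path of a command line, quoted or not
_EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|com|bat|scr|pif))"?', re.IGNORECASE)
# Whitespace right before the extension: 'Explorer .exe'
_SPACE_EXT_RE = re.compile(r"\s\.(?:exe|com|bat|scr|pif)\b", re.IGNORECASE)


def parse_reg_query(text):
    """Return an Entry for every value line, tagged with the key it sits under."""
    entries, key = [], None
    for line in text.splitlines():
        if line.startswith("HK"):
            key = line.strip()
            continue
        m = _VALUE_RE.match(line)
        if m and key:
            entries.append(Entry(key, m["name"], m["type"], m["value"].strip()))
    return entries


def check_entry(entry, known_bad=KNOWN_BAD, trusted=TRUSTED_PREFIXES):
    """List of reason codes for an entry; empty means nothing stood out."""
    reasons = []
    haystack = (entry.name + " " + entry.value).lower()
    reasons += ["known-bad-name:" + bad for bad in known_bad if bad in haystack]
    if _SPACE_EXT_RE.search(entry.name) or _SPACE_EXT_RE.search(entry.value):
        reasons.append("space-before-extension")
    m = _EXE_RE.match(entry.value)
    if m and not m["path"].lower().startswith(trusted):
        reasons.append("untrusted-location")
    return reasons


def suspicious_entries(entries, **kwargs):
    """(entry, reasons) for every entry that trips at least one check."""
    flagged = []
    for entry in entries:
        reasons = check_entry(entry, **kwargs)
        if reasons:
            flagged.append((entry, reasons))
    return flagged


# Constructed sample in the format of 'reg query' on Windows XP/2003; the
# suspicious names come from the examples step 11 gives, the paths are made up.
SAMPLE_REG_QUERY = r"""
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ShStatEXE    REG_SZ    "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    AeXNSClient    REG_SZ    C:\Program Files\Altiris\AeXNSClient.exe
    Explorer .exe    REG_SZ    C:\WINNT\system32\Explorer .exe
    musirc    REG_SZ    C:\WINNT\system32\musirc.exe
    svc    REG_SZ    C:\Documents and Settings\user\Local Settings\Temp\svc.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    MSMSGS    REG_EXPAND_SZ    "C:\Program Files\Messenger\msmsgs.exe" /background
"""

if __name__ == "__main__":
    for entry, reasons in suspicious_entries(parse_reg_query(SAMPLE_REG_QUERY)):
        print(entry.key.rsplit("\\", 1)[-1], entry.name, entry.value, reasons)
```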

 

  12. If the file is found to be a Trojan or other malware, check the file creation date.

  13. Do a search for files created at the same time. This will often discover other parts of the rootkit.

  14. If no malware is found, go to the Windows system directory (c:\winnt\system32 or c:\windows\system32) and sort the file names by age. Look at the *.exe files with the latest date stamps: the real Windows system files that are executable will be much older than the malware. If you don't find anything in that directory, use the Microsoft search feature in Explorer to find all *.exe files that are newer than one month old.

  15. From a command prompt (Run cmd.exe), type net session to output open sessions (who has connected in). The output below shows user UID connecting to the machine from localhost.

C:\utils>net session

Computer               User name            Client Type       Opens Idle time
-------------------------------------------------------------------------------
\\127.0.0.1            UID             Windows Server 20     0 00:00:02
\\127.0.0.1                                 Windows Server 20     0 00:00:04
The command completed successfully.
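Steps 13 and 14 (files created at the same time as the malware, and the newest *.exe files in the system directory) worked from dir /tc output, which Appendix A lists under new and changed files, as an added example that is not part of the original document. The listing embedded below is a constructed sample in Windows XP/2003 format that reuses file names from the page's appendices; the five-minute window and the thirty-day cut-off are assumptions.

```python
"""Creation-time view of a system directory from 'dir /tc' output (steps 13-14).

'dir /tc /a-d /o:d' lists files with their creation time; this parses that
text, lists the newest executables, finds files created in the same window
as a known-bad file, and finds executables newer than a given cut-off.
"""
import re
from collections import namedtuple
from datetime import datetime, timedelta

FileRec = namedtuple("FileRec", "name size created")

# One listing line: date, time, AM/PM (XP/2003) or a/p (Windows 2000),
# size with thousands separators or <DIR>, then the name.
_DIR_LINE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2})\s*(?P<ampm>AM|PM|a|p)"
    r"\s+(?P<size><DIR>|[\d,]+)\s+(?P<name>.+?)\s*$")


def parse_dir_listing(text):
    """Return a FileRec per file; directory rows and summary rows are skipped."""
    recs = []
    for line in text.splitlines():
        m = _DIR_LINE.match(line)
        if not m or m["size"] == "<DIR>":
            continue
        ampm = {"a": "AM", "p": "PM"}.get(m["ampm"], m["ampm"])
        created = datetime.strptime(f"{m['date']} {m['time']} {ampm}", "%m/%d/%Y %I:%M %p")
        recs.append(FileRec(m["name"], int(m["size"].replace(",", "")), created))
    return recs


def newest_executables(recs, limit=5, exts=(".exe",)):
    """Newest `limit` files with one of `exts`, newest first (step 14)."""
    exes = [r for r in recs if r.name.lower().endswith(exts)]
    return sorted(exes, key=lambda r: (r.created, r.name.lower()), reverse=True)[:limit]


def created_near(recs, reference_name, minutes=5):
    """Files created within +/- `minutes` of the reference file (step 13)."""
    ref = next(r for r in recs if r.name.lower() == reference_name.lower())
    window = timedelta(minutes=minutes)
    return [r for r in recs if r is not ref and abs(r.created - ref.created) <= window]


def newer_than(recs, now, days=30, exts=(".exe",)):
    """Executables created in the last `days` days (the one-month search)."""
    cutoff = now - timedelta(days=days)
    return [r for r in recs if r.name.lower().endswith(exts) and r.created >= cutoff]


# Constructed sample of 'dir /tc /a-d /o:d C:\WINNT\system32' output.
SAMPLE_DIR = r"""
 Volume in drive C has no label.
 Volume Serial Number is 0000-0000

 Directory of C:\WINNT\system32

08/29/2002  05:00 AM           134,656 regedit.exe
06/19/2003  12:05 PM            49,680 cmd.exe
06/19/2003  12:05 PM            50,960 notepad.exe
11/12/2003  07:36 AM           402,432 mirc32.exe
11/12/2003  07:36 AM            61,440 spread.exe
11/12/2003  07:38 AM             1,024 infwin.dll
11/12/2003  08:30 AM            13,312 update.exe
               7 File(s)        713,504 bytes
               0 Dir(s)   1,234,567,890 bytes free
"""

if __name__ == "__main__":
    recs = parse_dir_listing(SAMPLE_DIR)
    print("newest:", [r.name for r in newest_executables(recs, 3)])
    print("near spread.exe:", [r.name for r in created_near(recs, "spread.exe")])
```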

 

  16. Type netstat to list open connections

C:\>netstat

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    moo:3389              rtp-x-x.cisco.com:1071  ESTABLISHED
  TCP    moo:24029             sjc-x.cisco.com:netbios-ssn  ESTABLISHED
  TCP    moo:24959             204.x.x.x:http    CLOSE_WAIT
  TCP    moo:29987             xx.windows.com:http    ESTABLISHED
  TCP    moo:29988             xx.windows.com:http    ESTABLISHED
  TCP    moo:54616             2x.x.x.x:5190    ESTABLISHED
  TCP    moo:57334             xxx.cisco.com:1026  ESTABLISHED
  TCP    moo:57344             xxx.cisco.com:1026  ESTABLISHED
  TCP    moo:57362             xxx.cisco.com:1533  ESTABLISHED
  TCP    moo:57387             xxx.cisco.com:1394  ESTABLISHED
  TCP    moo:60034             xxx.cisco.com:1376  ESTABLISHED
  TCP    moo:60473             xxx.cisco.com:http  CLOSE_WAIT
  TCP    moo:61663             xxx.cisco.com:4023  ESTABLISHED
  TCP    moo:62258             xxx.cisco.com:1026  ESTABLISHED
  TCP    moo:62260             xxx.cisco.com:1388  ESTABLISHED
  TCP    moo:62447             xxx.cisco.com:1029  CLOSE_WAIT
  TCP    moo:62513             xxx.cisco.com:1388  ESTABLISHED
  TCP    moo:62535             xxx.cisco.com:netbios-ssn  ESTABLISHED
  TCP    moo:62543             xxx.cisco.com:netbios-ssn  TIME_WAIT
  TCP    moo:62544             xxx.cisco.com:netbios-ssn  TIME_WAIT

  17. Execute eventvwr. After the Event Viewer starts, save the three log files (Security, System, Application) to text files (right-click the log name and choose to save it to a remote share).

  18. List the members of the Administrators group using the NTRESKIT showmbrs tool and check for anything unusual

C:\ntreskit>showmbrs administrators

Members of local group [\administrators]:

   MOOO\Administrator
   XXX\gavreid

  19. List services using the NTRESKIT sclist tool; rootkits or other remote access programs are often executed from a service

C:\ntreskit>sclist

--------------------------------------------
- Service list for Local Machine
--------------------------------------------
running          AeXNSClient                      Altiris eXpress NS Client
running          AeXNSClientTransport             Altiris eXpress NS Client Transport
stopped          Alerter                          Alerter
stopped          ALG                              Application Layer Gateway Service
running          AppMgmt                          Application Management
running          AudioSrv                         Windows Audio
running          BITS                             Background Intelligent Transfer Service
running          Browser                          Computer Browser
running          CEPS Watch                       CEPS Watch
stopped          CiSvc                            Indexing Service
stopped          ClipSrv                          ClipBook
stopped          COMSysApp                        COM+ System Application

  20. Run srvcheck (from NTRESKIT) to list open shares and who has access to them

C:\utils>SRVCHECK \\hostname

\\hostname\patch
                Everyone                Full Control

\\hostname\5
                Everyone                Read

  21. Run PsLoggedOn.exe (Sysinternals, http://www.sysinternals.com/ntw2k/freeware/psloglist.shtml) to see who is logged on currently

C:\utils>psloggedon

PsLoggedOn v1.21 - Logon Session Displayer
Copyright (C) 1999-2000 Mark Russinovich
SysInternals - www.sysinternals.com

Users logged on locally:
<Unknown> NT AUTHORITY\LOCAL SERVICE
<Unknown> NT AUTHORITY\NETWORK SERVICE
11/18/2003 4:47:35 PM XXX\username
<Unknown> NT AUTHORITY\SYSTEM

No one is logged on via resource shares.

  22. Then run NTLast.exe (http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/ntlast.htm) to find the login history

C:\utils>ntlast -m \\hostname
username hostname XXX Wed Nov 12 01:06:09pm 2003
username hostname XXX Wed Nov 12 11:14:44am 2003
username hostname XXX Wed Nov 12 09:42:54am 2003
NETWORK SERVICE NT AUTHORITY Wed Nov 12 09:00:14am 2003
LOCAL SERVICE NT AUTHORITY Wed Nov 12 08:00:07am 2003
NETWORK SERVICE NT AUTHORITY Wed Nov 12 08:00:06am 2003
NETWORK SERVICE NT AUTHORITY Wed Nov 12 08:00:06am 2003
LOCAL SERVICE NT AUTHORITY Wed Nov 12 07:48:44am 2003
gavreid MOOO XXX Wed Nov 12 07:38:39am 2003
LOCAL SERVICE NT AUTHORITY Wed Nov 12 07:36:33am 2003

The data gathering above should be enough to capture most of the volatile data needed to make an educated decision about the next steps for the device, for example following up with a full forensic evaluation or a reload of the system. There are many other tools used in live Windows forensics that may be needed; Appendix A covers some of the more common ones.

Appendix A Tools

Here is a list of other tools used in live forensics.

  • The Resource Kit is the single most important tool

Windows 2003 Resource Kit
<http://www.microsoft.com/windowsserver2003/techinfo/reskit/resourcekit.mspx>

If you want to find out more about the tools, I highly recommend that you order the Resource Kit manuals. For a real understanding of the tools you should both read about them in the manuals and spend some time manipulating them and seeing what they can do. Full details on the tools below can be found in the help files for the Resource Kits (rktools.hlp).

The old NT 4.0 Resource Kit has many utilities the newer ones no longer contain. It is highly recommended too.

 

For listing Processes

  • TLIST.exe (Microsoft Tool)

Open Handles

Profilers

  

  • Kernrate.exe (Win2003 Reskit)

  • Pmon.exe (like unix TOP - Win2003 Reskit)

 

 

Installed Services

 

  • sc.exe (built-in)

  • net start (built-in)

  • sclist.exe (NTRESKIT)

 

 

File System

  • New / Changed / Modified Files
    Dir.exe (built-in)
    Afind.exe (Foundstone)
    Filestat.exe (used to analyze individual files, from NIST)
    Wininterrogate http://winfingerprint.sourceforge.net/wininterrogate.php

  • Open Files
    handle.exe (http://www.sysinternals.com/ntw2k/freeware/handle.shtml)

  • Hard Links (Windows 2000 and later)
    HLScan.exe (Win2k3 Reskit)

  • Streams (for finding alternate data streams hidden in files)
    Lads.exe http://www.heysoft.de/Frames/f_sw_la_en.htm

 

C:\>c:\utils\lads /s /a

LADS - Freeware version 3.21
(C) Copyright 1998-2003 Frank Heyne Software (http://www.heysoft.de)
This program lists files with alternate data streams (ADS)
Use LADS on your own risk!

Scanning directory C:\ with subdirectories

      size  ADS in file
----------  ---------------------------------
        88  C:\1\emig1.exe:♣SummaryInformation
         0  C:\1\emig1.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}

 

streams.exe (SysInternals)
<http://www.sysinternals.com/ntw2k/source/misc.shtml#Streams>

C:\>c:\utils\streams -s c:\1

Streams v1.3 - Enumerate alternate NTFS data streams
Copyright (C) 1999-2001 Mark Russinovich
Sysinternals - www.sysinternals.com

c:\1\emig1.exe:
   :♣SummaryInformation:$DATA   88
   :{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA        0

 

 

sfind.exe (Foundstone)

Part of the Foundstone free forensic toolkit
<http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/forensic-toolkit.htm>

C:\>c:\utils\sfind c:\1
Searching...
c:\1
  emig1.exe:♣SummaryInformation Size: 88
  emig1.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} Size: 0
Finished

 

 

  • Permissions

Showacls.exe (Win2k3 Reskit)

Cacls.exe  

 

  • Checksums

Md5deep.exe (http://md5deep.sourceforge.net/)

 

C:\utils>MD5DEEP ZCAT.EXE
8777d336131bf8b4ec1c3dd38f6b6de2 C:\utils\ZCAT.EXE

 

Fsum.exe (http://www.slavasoft.com/fsum/)

 

C:\utils>FSUM ZCAT.EXE

SlavaSoft Optimizing Checksum Utility - fsum 2.5
Implemented using SlavaSoft QuickHash Library <www.slavasoft.com>
Copyright (C) SlavaSoft Inc. 1999-2003. All rights reserved.

; SlavaSoft Optimizing Checksum Utility - fsum 2.5 <www.slavasoft.com>
;
; Generated on 12/02/03 at 14:47:35
;
8777d336131bf8b4ec1c3dd38f6b6de2 *zcat.exe

  • Registry

Reg.exe  (built-in)

Reglast.exe (http://www.heysoft.de/Frames/f_sw_rt_en.htm )

RegDACL.exe (http://www.heysoft.de/Frames/f_sw_rt_en.htm)

Registrar Lite (http://www.resplendence.com/download)

 

 

Users / Groups

  • Net User (built-in)
  • Net localgroup
  • Net Globalgroup
  • IFMember.exe (Win2003 Reskit)
  • DumpSec.exe (http://www.systemtools.com/cgi-bin/download.pl?DumpAcl)

 

Rights Assignment

  • showpriv.exe (Windows 2000 Resource kit )

 

Shares

  • Srvcheck.exe (Windows 2000 Resource kit)

Dumpsec.exe  (http://www.systemtools.com/cgi-bin/download.pl?DumpAcl)

 

Effective Security Policy

  • Auditpol.exe

  • Dumpsec.exe

  • secedit.exe

 

Networking

  • Current Connections
    netstat -an
    fport.exe
    arp -a

  • Routes
    route print

 

 

Network settings

  • IPconfig

 

  • Chknic.exe

 

 

RPC

  •  Rpcdump.exe

 

 

Event Log Data

  • Dumpel.exe (Windows 2000 Resource kit)

 

        

 

 

Logged On Users

  • PsLoggedOn.exe (SysInternals)

C:\utils>PSLoggedOn

PsLoggedOn v1.21 - Logon Session Displayer
Copyright (C) 1999-2000 Mark Russinovich
SysInternals - www.sysinternals.com

Users logged on locally:
<Unknown> NT AUTHORITY\LOCAL SERVICE
<Unknown> NT AUTHORITY\NETWORK SERVICE
11/12/2003 7:38:43 AM XXX\gavreid
<Unknown> NT AUTHORITY\SYSTEM

  • NTLast.exe (Foundstone)

 

 

 

Scheduled Tasks

  • AT

Active Directory / Domain / Group Policy Information

  • Domain Users
    LDP.exe (installed from the Support Tools for Windows 2000) for making queries to AD
    http://support.microsoft.com/support/kb/articles/Q224/5/43.asp&NoWebContent=1
    GPEdit.exe
    GPOTool.exe (Windows 2000 Resource kit)
    GPResult.exe (Windows 2000 Resource kit)
    Secedit.exe

  • Shares
    Net share
    Srvcheck.exe (Windows 2000 Resource kit)
    Enum (http://razor.bindview.com/tools/desc/enum_readme.html)

 

 

 

Windows Version

 

Time

  • Local Time

Now.exe (Windows 2000 Resource kit)

  • Network Time

Net Time

 

CMDTime3.exe

 

  • Log Timing

Logtime.exe (Windows 2000 Resource kit)

 

 

 

General Enumeration

  • Srvinfo.exe (Windows 2000 Resource kit)

 

Appendix B Normal Windows 2000 Standard Load TCP View

 

AeXNSAgent.exe:2392 TCP xxx12:2888 xxx12:0 LISTENING
AeXNSAgent.exe:2392 TCP xxx12.xxx.cisco.com:2888 nsa-rtp-003-s.cisco.com:http ESTABLISHED
AeXNSAgent.exe:2392 UDP xxx12:2884 *:*
conf.exe:2476 TCP xxx12:1503 xxx12:0 LISTENING
conf.exe:2476 TCP xxx12:1720 xxx12:0 LISTENING
conf.exe:2476 TCP xxx12:2541 xxx12:0 LISTENING
conf.exe:2476 TCP xxx12:2547 xxx12:0 LISTENING
conf.exe:2476 TCP xxx12:2548 xxx12:0 LISTENING
conf.exe:2476 TCP xxx12:2551 xxx12:0 LISTENING
conf.exe:2476 TCP xxx12:2552 xxx12:0 LISTENING
conf.exe:2476 TCP xxx12:2553 xxx12:0 LISTENING
conf.exe:2476 TCP xxx12.xxx.cisco.com:2541 xxx.001.cisco.com:1002 ESTABLISHED
conf.exe:2476 TCP xxx12.xxx.cisco.com:2547 xxxcisco.com:1720 ESTABLISHED
conf.exe:2476 TCP xxx12.xxx.cisco.com:2548 xxxcisco.com:3363 ESTABLISHED
conf.exe:2476 TCP xxx12.xxx.cisco.com:2551 xxxcisco.com:1503 ESTABLISHED
conf.exe:2476 TCP xxx12.xxx.cisco.com:2552 xxxcisco.com:1503 ESTABLISHED
conf.exe:2476 TCP xxx12.xxx.cisco.com:2553 xxxcisco.com:1503 ESTABLISHED
conf.exe:2476 UDP xxx12:2535 *:*
conf.exe:2476 UDP xxx12:2540 *:*
Connect.exe:1560 TCP xxx12:1260 xxx12:0 LISTENING
Connect.exe:1560 TCP xxx12.xxx.cisco.com:1260 sametime-im.cisco.com:1533 ESTABLISHED
cvpnd.exe:784 UDP xxx12:isakmp *:*
cvpnd.exe:784 UDP xxx12:4500 *:*
cvpnd.exe:784 UDP xxx12:62515 *:*
cvpnd.exe:784 UDP xxx12:62517 *:*
cvpnd.exe:784 UDP xxx12:62519 *:*
cvpnd.exe:784 UDP xxx12:62521 *:*
cvpnd.exe:784 UDP xxx12:62523 *:*
cvpnd.exe:784 UDP xxx12:62524 *:*
IEXPLORE.EXE:2032 UDP xxx12:1589 *:*
IEXPLORE.EXE:2344 TCP xxx12:2630 xxx12:0 LISTENING
IEXPLORE.EXE:2344 TCP xxx12:2632 xxx12:0 LISTENING
IEXPLORE.EXE:2344 TCP xxx12.xxx.cisco.com:2630 216.142.16.242:http ESTABLISHED
IEXPLORE.EXE:2344 TCP xxx12.xxx.cisco.com:2632 216.142.16.242:http ESTABLISHED
IEXPLORE.EXE:2344 UDP xxx12:2608 *:*
LSASS.EXE:268 UDP xxx12:1031 *:*
MM.EXE:1108 TCP xxx12:2125 xxx12:0 LISTENING
MM.EXE:1108 TCP xxx12.xxx.cisco.com:2125 scoobydoo.cisco.com:4011 ESTABLISHED
MM.EXE:1108 UDP xxx12:1634 *:*
msnmsgr.exe:1852 TCP xxx12:1221 xxx12:0 LISTENING
msnmsgr.exe:1852 TCP xxx12:1229 xxx12:0 LISTENING
msnmsgr.exe:1852 TCP xxx12:1234 xxx12:0 LISTENING
msnmsgr.exe:1852 TCP xxx12:1242 xxx12:0 LISTENING
msnmsgr.exe:1852 TCP xxx12:1243 xxx12:0 LISTENING
msnmsgr.exe:1852 TCP xxx12:1244 xxx12:0 LISTENING
msnmsgr.exe:1852 TCP xxx12:1245 xxx12:0 LISTENING
msnmsgr.exe:1852 TCP xxx12:1248 xxx12:0 LISTENING
msnmsgr.exe:1852 TCP xxx12.xxx.cisco.com:1221 messenger.latam.msn.com:http ESTABLISHED
msnmsgr.exe:1852 TCP xxx12.xxx.cisco.com:1229 msntoday.msn.com:http ESTABLISHED
msnmsgr.exe:1852 TCP xxx12.xxx.cisco.com:1234 c.msn.com:http ESTABLISHED
msnmsgr.exe:1852 TCP xxx12.xxx.cisco.com:1242 206.24.222.190:http ESTABLISHED
msnmsgr.exe:1852 TCP xxx12.xxx.cisco.com:1243 65.200.201.55:http ESTABLISHED
msnmsgr.exe:1852 TCP xxx12.xxx.cisco.com:1244 65.200.201.55:http ESTABLISHED
msnmsgr.exe:1852 TCP xxx12.xxx.cisco.com:1245 206.24.222.190:http ESTABLISHED
msnmsgr.exe:1852 TCP xxx12.xxx.cisco.com:1248 81.2.174.2:http ESTABLISHED
msnmsgr.exe:1852 UDP xxx12:1217 *:*
mstask.exe:976 TCP xxx12:1167 xxx12:0 LISTENING
Netscp.exe:1732 TCP xxx12:1283 xxx12:0 LISTENING
Netscp.exe:1732 TCP xxx12:1282 xxx12:0 LISTENING
Netscp.exe:1732 TCP xxx12:1282 localhost:1283 ESTABLISHED
Netscp.exe:1732 TCP xxx12:1283 localhost:1282 ESTABLISHED
Netscp.exe:1732 TCP xxx12:5180 xxx12:0 LISTENING
OUTLOOK.EXE:1888 UDP xxx12:1330 *:*
OUTLOOK.EXE:1888 UDP xxx12:1331 *:*
OUTLOOK.EXE:1888 UDP xxx12:1305 *:*
svchost.exe:452 TCP xxx12:epmap xxx12:0 LISTENING
System:8 TCP xxx12:microsoft-ds xxx12:0 LISTENING
System:8 TCP xxx12:1177 xxx12:0 LISTENING
System:8 TCP xxx12:1255 xxx12:0 LISTENING
System:8 TCP xxx12:1312 xxx12:0 LISTENING
System:8 TCP xxx12:2527 xxx12:0 LISTENING
System:8 TCP xxx12:2871 xxx12:0 LISTENING
System:8 TCP xxx12.xxx.cisco.com:netbios-ssn xxx12:0 LISTENING
System:8 TCP xxx12.xxx.cisco.com:2527 xxx.cisco.com:microsoft-ds ESTABLISHED
System:8 TCP xxx12.xxx.cisco.com:2846 xxx.001.cisco.com:http TIME_WAIT
System:8 TCP xxx12.xxx.cisco.com:2847 xxx.cisco.com:http TIME_WAIT
System:8 TCP xxx12.xxx.cisco.com:2850 xxx.cisco.com:http TIME_WAIT
System:8 TCP xxx12.xxx.cisco.com:2853 xxx.cisco.com:http TIME_WAIT
System:8 TCP xxx12.xxx.cisco.com:2855 xxx.cisco.com:http TIME_WAIT
System:8 TCP xxx12.xxx.cisco.com:2856 xxx.cisco.com:http TIME_WAIT
System:8 TCP xxx12.xxx.cisco.com:2858 xxx-201.cisco.com:epmap TIME_WAIT
System:8 TCP xxx12.xxx.cisco.com:2859 xxx-201.cisco.com:1026 TIME_WAIT
System:8 TCP xxx12.xxx.cisco.com:2860 xxx.cisco.com:http TIME_WAIT
System:8 TCP xxx12.xxx.cisco.com:2861 xxx.cisco.com:http TIME_WAIT
System:8 TCP xxx12.xxx.cisco.com:2867 xxx-001.cisco.com:1002 TIME_WAIT
System:8 TCP xxx12.xxx.cisco.com:2871 xxx-201.cisco.com:microsoft-ds ESTABLISHED
System:8 TCP xxx12.xxx.cisco.com:2881 xxx-003-s.cisco.com:http TIME_WAIT
System:8 TCP xxx12.xxx.cisco.com:2885 xxx.2-203.cisco.com:ldap TIME_WAIT
System:8 TCP xxx12.xxx.cisco.com:2886 xxx.2-203.cisco.com:kerberos TIME_WAIT
System:8 TCP xxx12.xxx.cisco.com:2890 xxx.003-s.cisco.com:http TIME_WAIT
System:8 TCP xxx12.xxx.cisco.com:2891 xxx.cisco.com:http TIME_WAIT
System:8 TCP xxx12.xxx.cisco.com:2896 xxx.cisco.com:kerberos TIME_WAIT
System:8 UDP xxx12:microsoft-ds *:*
System:8 UDP xxx12.xxx.cisco.com:netbios-ns *:*
System:8 UDP xxx12.xxx.cisco.com:netbios-dgm *:*
tgcmd.exe:1736 TCP xxx12:641 xxx12:0 LISTENING
tgshell.exe:2056 TCP xxx12:2678 xxx12:0 LISTENING
tgshell.exe:2056 TCP xxx12:2893 xxx12:0 LISTENING
tgshell.exe:2056 TCP xxx12.xxx.cisco.com:2893 xxx.cisco.com:http ESTABLISHED
WINLOGON.EXE:204 UDP xxx12:1172 *:*
Appendix C TCP View with trojan (Spread.exe)

3CTftpSvc.exe:740	UDP	xxx1-1:tftp	*:*		
Apache.exe:2920	TCP	xxx1-1:http	xxx1-1:0	LISTENING	
Apache.exe:2920	TCP	xxx1-1:http	xxx1-1:0	LISTENING	
Apache.exe:2920	TCP	xxx1-1:https	xxx1-1:0	LISTENING	
Apache.exe:2920	TCP	xxx1-1:https	xxx1-1:0	LISTENING	
certsrv.exe:2072	TCP	xxx1-1:1049	xxx1-1:0	LISTENING	
CSAdmin.exe:816	TCP	xxx1-1:1038	xxx1-1:0	LISTENING	
CSAdmin.exe:816	TCP	xxx1-1:2002	xxx1-1:0	LISTENING	
CSAdmin.exe:816	TCP	xxx1-1:1038	localhost:2000	CLOSE_WAIT	
CSAuth.exe:832	TCP	xxx1-1:2000	xxx1-1:0	LISTENING	
CSAuth.exe:832	TCP	xxx1-1:2000	localhost:1054	ESTABLISHED	
CSAuth.exe:832	TCP	xxx1-1:2000	localhost:2399	ESTABLISHED	
CSAuth.exe:832	TCP	xxx1-1:2000	localhost:2211	FIN_WAIT2	
CSAuth.exe:832	TCP	xxx1-1:2000	localhost:2209	FIN_WAIT2	
CSAuth.exe:832	TCP	xxx1-1:2000	localhost:2396	ESTABLISHED	
CSLog.exe:880	TCP	xxx1-1:2001	xxx1-1:0	LISTENING	
CSMon.exe:928	TCP	xxx1-1:1054	xxx1-1:0	LISTENING	
CSMon.exe:928	TCP	xxx1-1:4589	xxx1-1:0	LISTENING	
CSMon.exe:928	TCP	xxx1-1:1054	localhost:2000	ESTABLISHED	
CSRadius.exe:1084	TCP	xxx1-1:2209	xxx1-1:0	LISTENING	
CSRadius.exe:1084	TCP	xxx1-1:2211	xxx1-1:0	LISTENING	
CSRadius.exe:1084	TCP	xxx1-1:2209	localhost:2000	CLOSE_WAIT	
CSRadius.exe:1084	TCP	xxx1-1:2211	localhost:2000	CLOSE_WAIT	
CSRadius.exe:1084	UDP	xxx1-1:1030	*:*		
CSRadius.exe:1084	UDP	xxx1-1:1645	*:*		
CSRadius.exe:1084	UDP	xxx1-1:1646	*:*		
CSRadius.exe:1084	UDP	xxx1-1:radius	*:*		
CSRadius.exe:1084	UDP	xxx1-1:radacct	*:*		
CSRadius.exe:1084	TCP	xxx1-1:2396	xxx1-1:0	LISTENING	
CSRadius.exe:1084	TCP	xxx1-1:2396	localhost:2000	ESTABLISHED	
CSTacacs.exe:1104	TCP	xxx1-1:49	xxx1-1:0	LISTENING	
CSTacacs.exe:1104	UDP	xxx1-1:1031	*:*		
CSTacacs.exe:1104	TCP	xxx1-1:2399	xxx1-1:0	LISTENING	
CSTacacs.exe:1104	TCP	xxx1-1:2399	localhost:2000	ESTABLISHED	
IEXPLORE.EXE:8424	UDP	xxx1-1:2068	*:*		
inetinfo.exe:2172	TCP	xxx1-1:ftp	xxx1-1:0	LISTENING	
inetinfo.exe:2172	TCP	xxx1-1:smtp	xxx1-1:0	LISTENING	
inetinfo.exe:2172	TCP	xxx1-1:nntp	xxx1-1:0	LISTENING	
inetinfo.exe:2172	TCP	xxx1-1:563	xxx1-1:0	LISTENING	
inetinfo.exe:2172	TCP	xxx1-1:1052	xxx1-1:0	LISTENING	
inetinfo.exe:2172	TCP	xxx1-1:6891	xxx1-1:0	LISTENING	
inetinfo.exe:2172	UDP	xxx1-1:1053	*:*		
inetinfo.exe:2172	UDP	xxx1-1:3456	*:*		
LSASS.EXE:296	UDP	xxx-68.cisco.com:isakmp	*:*		
msdtc.exe:332	TCP	xxx1-1:1025	xxx1-1:0	LISTENING	
msdtc.exe:332	TCP	xxx1-1:3372	xxx1-1:0	LISTENING	
mstask.exe:1648	TCP	xxx1-1:1039	xxx1-1:0	LISTENING	
pageserver.exe:1492	TCP	xxx1-1:1035	xxx1-1:0	LISTENING	
pageserver.exe:1492	TCP	xxx1-1:6403	xxx1-1:0	LISTENING	
pageserver.exe:1492	TCP	xxx1-1:6405	xxx1-1:0	LISTENING	
perl.exe:1436	UDP	xxx1-1:1034	*:*		
spread.exe:3500	TCP	xxx1-1:auth	xxx1-1:0	LISTENING	
spread.exe:3500	TCP	xxx1-1:3573	xxx1-1:0	LISTENING	
spread.exe:3500	TCP	xxx-68.cisco.com:3573	unknown.sagonet.net:6667	ESTABLISHED	
spread.exe:3500	UDP	xxx1-1:1859	*:*		
spread.exe:3500	UDP	xxx1-1:1860	*:*		
spread.exe:3500	UDP	xxx1-1:1872	*:*		
spread.exe:3500	UDP	xxx1-1:1890	*:*		
spread.exe:3500	UDP	xxx1-1:1897	*:*		
spread.exe:3500	UDP	xxx1-1:2346	*:*		
spread.exe:3500	UDP	xxx1-1:2363	*:*		
spread.exe:3500	UDP	xxx1-1:2364	*:*		
spread.exe:3500	UDP	xxx1-1:2365	*:*		
spread.exe:3500	UDP	xxx1-1:2366	*:*		
spread.exe:3500	UDP	xxx1-1:2373	*:*		
spread.exe:3500	UDP	xxx1-1:2374	*:*		
spread.exe:3500	UDP	xxx1-1:2375	*:*		
spread.exe:3500	UDP	xxx1-1:2376	*:*		
spread.exe:3500	UDP	xxx1-1:2377	*:*		
spread.exe:3500	UDP	xxx1-1:2378	*:*		
spread.exe:3500	UDP	xxx1-1:2379	*:*		
spread.exe:3500	UDP	xxx1-1:2380	*:*		
spread.exe:3500	UDP	xxx1-1:2392	*:*		
spread.exe:3500	UDP	xxx1-1:2411	*:*		
spread.exe:3500	UDP	xxx1-1:2431	*:*		
spread.exe:3500	TCP	xxx1-1:2489	xxx1-1:0	LISTENING	
spread.exe:3500	TCP	xxx1-1:2493	xxx1-1:0	LISTENING	
spread.exe:3500	TCP	xxx1-1:2494	xxx1-1:0	LISTENING	
spread.exe:3500	TCP	xxx1-1:2495	xxx1-1:0	LISTENING	
spread.exe:3500	TCP	xxx1-1:2497	xxx1-1:0	LISTENING	
spread.exe:3500	TCP	xxx1-1:2498	xxx1-1:0	LISTENING	
spread.exe:3500	TCP	xxx1-1:2499	xxx1-1:0	LISTENING	
spread.exe:3500	TCP	xxx1-1:2500	xxx1-1:0	LISTENING	
spread.exe:3500	TCP	xxx1-1:2503	xxx1-1:0	LISTENING	
sqlservr.exe:1392	TCP	xxx1-1:ms-sql-s	xxx1-1:0	LISTENING	
sqlservr.exe:1392	UDP	xxx1-1:ms-sql-m	*:*		
svchost.exe:2052	TCP	xxx1-1:4240	xxx1-1:0	LISTENING	
svchost.exe:2052	TCP	xxx-68.cisco.com:4240	208.254.0.80:https	CLOSE_WAIT	
svchost.exe:536	TCP	xxx1-1:epmap	xxx1-1:0	LISTENING	
svchost.exe:536	UDP	xxx1-1:epmap	*:*		
System:8	TCP	xxx1-1:2490	xxx1-1:0	LISTENING	
System:8	TCP	xxx1-1:2488	xxx1-1:0	LISTENING	
System:8	TCP	xxx1-1:2487	xxx1-1:0	LISTENING	
System:8	TCP	xxx1-1:2486	xxx1-1:0	LISTENING	
System:8	TCP	xxx1-1:2485	xxx1-1:0	LISTENING	
System:8	TCP	xxx1-1:828	xxx1-1:0	LISTENING	
System:8	TCP	xxx1-1:2480	xxx1-1:0	LISTENING	
System:8	TCP	xxx1-1:sunrpc	xxx1-1:0	LISTENING	
System:8	TCP	xxx1-1:microsoft-ds	xxx1-1:0	LISTENING	
System:8	TCP	xxx1-1:1047	xxx1-1:0	LISTENING	
System:8	TCP	xxx1-1:1048	xxx1-1:0	LISTENING	
System:8	TCP	xxx1-1:1059	xxx1-1:0	LISTENING	
System:8	TCP	xxx1-1:1064	xxx1-1:0	LISTENING	
System:8	TCP	xxx1-1:1298	xxx1-1:0	LISTENING	
System:8	TCP	xxx1-1:2049	xxx1-1:0	LISTENING	
System:8	TCP	xxx1-1:4877	xxx1-1:0	LISTENING	
System:8	TCP	xxx-68.cisco.com:netbios-ssn	xxx1-1:0	LISTENING	
System:8	TCP	xxx-68.cisco.com:microsoft-ds	dhcp-10-24-4-4.cisco.com:16781	ESTABLISHED	
System:8	TCP	xxx-68.cisco.com:1298	dxxx.cisco.com:microsoft-ds	ESTABLISHED	
System:8	TCP	xxx-68.cisco.com:4877	dxxx.cisco.com:microsoft-ds	ESTABLISHED	
System:8	TCP	xxx1-1:2004	localhost:49	TIME_WAIT	
System:8	TCP	xxx1-1:2214	localhost:49	TIME_WAIT	
System:8	TCP	xxx1-1:2219	localhost:49	TIME_WAIT	
System:8	TCP	xxx1-1:2221	localhost:49	TIME_WAIT	
System:8	UDP	xxx1-1:sunrpc	*:*		
System:8	UDP	xxx1-1:microsoft-ds	*:*		
System:8	UDP	xxx1-1:943	*:*		
System:8	UDP	xxx1-1:1047	*:*		
System:8	UDP	xxx1-1:1048	*:*		
System:8	UDP	xxx1-1:1059	*:*		
System:8	UDP	xxx1-1:nfsd	*:*		
System:8	UDP	xxx-68.cisco.com:netbios-ns	*:*		
System:8	UDP	xxx-68.cisco.com:netbios-dgm	*:*		
System:8	TCP	xxx-68.cisco.com:2346	xxx1-1:0	LISTENING	
System:8	TCP	xxx-68.cisco.com:2346	64.100.130.17:netbios-ssn	ESTABLISHED	
System:8	TCP	xxx1-1:2398	localhost:49	TIME_WAIT	
System:8	TCP	xxx-68.cisco.com:2460	64.100.226.169:microsoft-ds	TIME_WAIT	
System:8	TCP	xxx-68.cisco.com:2461	64.100.226.169:microsoft-ds	TIME_WAIT	
System:8	TCP	xxx-68.cisco.com:2464	64.100.226.169:microsoft-ds	TIME_WAIT	
System:8	TCP	xxx-68.cisco.com:2480	64.100.175.205:microsoft-ds	SYN_SENT	
System:8	TCP	xxx-68.cisco.com:2481	64.100.226.169:microsoft-ds	TIME_WAIT	
System:8	TCP	xxx-68.cisco.com:2485	64.100.136.107:microsoft-ds	SYN_SENT	
System:8	TCP	xxx-68.cisco.com:2486	64.100.111.136:microsoft-ds	SYN_SENT	
System:8	TCP	xxx-68.cisco.com:2487	64.100.75.117:microsoft-ds	SYN_SENT	
System:8	TCP	xxx-68.cisco.com:2488	64.100.79.120:microsoft-ds	SYN_SENT	
System:8	TCP	xxx-68.cisco.com:2489	64.100.93.233:microsoft-ds	SYN_SENT	
System:8	TCP	xxx1-1:2491	xxx1-1:0	LISTENING	
System:8	TCP	xxx-68.cisco.com:2490	64.100.185.93:microsoft-ds	SYN_SENT	
System:8	TCP	xxx-68.cisco.com:2491	64.100.226.169:microsoft-ds	TIME_WAIT	
System:8	TCP	xxx-68.cisco.com:2493	64.100.31.1:microsoft-ds	SYN_SENT	
System:8	TCP	xxx-68.cisco.com:2494	64.100.182.45:microsoft-ds	SYN_SENT	
System:8	TCP	xxx-68.cisco.com:828	64.100.226.169:sunrpc	SYN_SENT	
System:8	TCP	xxx-68.cisco.com:2495	64.100.122.33:microsoft-ds	SYN_SENT	
System:8	TCP	xxx1-1:2501	xxx1-1:0	LISTENING	
System:8	TCP	xxx-68.cisco.com:2497	64.100.15.88:microsoft-ds	SYN_SENT	
System:8	TCP	xxx-68.cisco.com:2498	64.100.32.14:microsoft-ds	SYN_SENT	
System:8	TCP	xxx-68.cisco.com:2500	64.100.20.145:microsoft-ds	SYN_SENT	
System:8	TCP	xxx-68.cisco.com:2501	64.100.226.169:microsoft-ds	ESTABLISHED	
System:8	TCP	xxx-68.cisco.com:2503	64.100.86.96:microsoft-ds	SYN_SENT	
termsrv.exe:412	TCP	xxx1-1:3389	xxx1-1:0	LISTENING	
termsrv.exe:412	TCP	xxx-68.cisco.com:3389	xxx4.cisco.com:17033	ESTABLISHED	
tlntsvr.exe:1912	TCP	xxx1-1:telnet	xxx1-1:0	LISTENING	
WebCompServer.e:1960	TCP	xxx1-1:1041	xxx1-1:0	LISTENING	
WebCompServer.e:1960	TCP	xxx1-1:6401	xxx1-1:0	LISTENING	
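The port-to-process linking of step 7 and the worm-style fan-out visible in the listing above, as an added example that is not part of the original document: a Python parser for the TCPView column format of Appendices B and C, run over a subset of the Appendix C lines embedded below. The service-name table and the five-host threshold are assumptions.

```python
"""Link incident ports to processes in TCPView-style output (steps 7 and 8).

Parses the columns TCPView prints (process:pid, proto, local, remote,
state) and answers two questions: which process owns the port seen in the
incident, and which process is fanning out half-open connections the way
a scanning worm does.
"""
from collections import defaultdict, namedtuple

# Service names TCPView substitutes for well-known ports on this page.
# Assumption: standard IANA assignments.
SERVICE_PORTS = {
    "ftp": 21, "telnet": 23, "smtp": 25, "tftp": 69, "http": 80, "sunrpc": 111,
    "auth": 113, "epmap": 135, "netbios-ssn": 139, "https": 443,
    "microsoft-ds": 445, "ms-sql-s": 1433, "radius": 1812,
}

Conn = namedtuple("Conn", "process pid proto lhost lport rhost rport state")


def _endpoint(text):
    """Split 'host:port' into (host, port); port becomes an int or None for '*'."""
    host, _, port = text.rpartition(":")
    if port == "*":
        return host, None
    if port.isdigit():
        return host, int(port)
    return host, SERVICE_PORTS.get(port, port)  # unknown names are kept as text


def parse_tcpview(text):
    """Return one Conn per TCPView row; blank and header rows are skipped."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        proc, _, pid = fields[0].rpartition(":")
        if not pid.isdigit():
            continue
        lhost, lport = _endpoint(fields[2])
        rhost, rport = _endpoint(fields[3])
        state = fields[4] if len(fields) > 4 else ""  # UDP rows carry no state
        conns.append(Conn(proc, int(pid), fields[1], lhost, lport, rhost, rport, state))
    return conns


def processes_on_port(conns, port):
    """Set of (process, pid) bound to or talking to `port` (number or service name)."""
    port = SERVICE_PORTS.get(port, port)
    return {(c.process, c.pid) for c in conns if port in (c.lport, c.rport)}


def fanout_processes(conns, min_targets=5):
    """Processes with SYN_SENT to the same remote port on >= min_targets hosts.

    In Appendix C this is System:8, because SMB connections are made by the
    kernel redirector, so a worm spreading over microsoft-ds shows up there.
    """
    targets = defaultdict(set)
    for c in conns:
        if c.state == "SYN_SENT":
            targets[(c.process, c.pid, c.rport)].add(c.rhost)
    return {(proc, pid): (rport, len(hosts))
            for (proc, pid, rport), hosts in targets.items()
            if len(hosts) >= min_targets}


# Subset of the Appendix C listing (spread.exe infection).
SAMPLE = """\
Apache.exe:2920\tTCP\txxx1-1:http\txxx1-1:0\tLISTENING
spread.exe:3500\tTCP\txxx1-1:auth\txxx1-1:0\tLISTENING
spread.exe:3500\tTCP\txxx-68.cisco.com:3573\tunknown.sagonet.net:6667\tESTABLISHED
spread.exe:3500\tUDP\txxx1-1:1859\t*:*
System:8\tTCP\txxx-68.cisco.com:2485\t64.100.136.107:microsoft-ds\tSYN_SENT
System:8\tTCP\txxx-68.cisco.com:2486\t64.100.111.136:microsoft-ds\tSYN_SENT
System:8\tTCP\txxx-68.cisco.com:2487\t64.100.75.117:microsoft-ds\tSYN_SENT
System:8\tTCP\txxx-68.cisco.com:2488\t64.100.79.120:microsoft-ds\tSYN_SENT
System:8\tTCP\txxx-68.cisco.com:2489\t64.100.93.233:microsoft-ds\tSYN_SENT
System:8\tTCP\txxx-68.cisco.com:2501\t64.100.226.169:microsoft-ds\tESTABLISHED
termsrv.exe:412\tTCP\txxx-68.cisco.com:3389\txxx4.cisco.com:17033\tESTABLISHED
"""

if __name__ == "__main__":
    conns = parse_tcpview(SAMPLE)
    print("port 6667 ->", processes_on_port(conns, 6667))
    print("scanners  ->", fanout_processes(conns))
```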

Appendix D PSLIST output with trojan infwin

PsList 1.23 - Process Information Lister
Copyright (C) 1999-2002 Mark Russinovich
Sysinternals - www.sysinternals.com

Process information for hfarsi-w2k:

Name          Pid Pri Thd  Hnd    Mem    User Time   Kernel Time   Elapsed Time
Idle            0   0   1    0     16  0:00:00.000   2:57:13.820    4:15:50.162
System          8   8  39  158    212  0:00:00.000   0:00:51.273    4:15:50.162
SMSS          160  11   6   33    376  0:00:00.010   0:00:01.502    4:15:50.162
CSRSS         184  13  13  463   2584  0:00:01.932   0:00:44.233    4:15:26.578
WINLOGON      204  13  21  431   6484  0:00:00.761   0:00:04.856    4:15:24.104
SERVICES      232   9  33  662  14084  0:00:08.311   0:00:15.291    4:15:21.991
LSASS         244   9  14  268   2084  0:00:00.530   0:00:01.572    4:15:21.961
cvpnd         380   8   4  100   3636  0:00:00.090   0:00:00.811    4:15:15.582
svchost       424   8  11  306   5120  0:00:00.831   0:00:02.433    4:15:12.468
svchost       468   8  39  542   8184  0:00:01.161   0:00:03.364    4:15:11.526
spoolsv       516   8  11  152   1768  0:00:00.110   0:00:00.721    4:15:11.266
AeXNSClient   560   8  29  486   3592  0:01:28.276   0:00:16.954    4:15:09.383
AeXNSClient   576   8   5  198   2316  0:00:00.320   0:00:01.311    4:15:08.282
avsynmgr      612   8   4   99   2768  0:00:03.464   0:00:00.811    4:15:07.000
CBRegCap      640   8   3   76    936  0:00:00.010   0:00:00.190    4:15:05.698
CEPSWatch     672   8   2   49   1680  0:00:00.030   0:00:00.150    4:15:04.957
mcshield      744  13  12   99   6948  0:00:48.009   0:00:09.293    4:15:00.080
regsvc        800   8   2   29   1016  0:00:00.020   0:00:00.190    4:14:56.665
mstask        816   8   6  115   3152  0:00:00.060   0:00:00.901    4:14:55.573
thotkey       896   8   3   33   1404  0:00:00.020   0:00:00.220    4:14:51.508
TMESRV        936   8   3   88   2492  0:00:00.030   0:00:00.360    4:14:50.406
WinMgmt       960   8   5  128    724  0:00:07.681   0:00:01.972    4:14:48.563
mspmspsv      976   8   2   53   1708  0:00:00.030   0:00:00.260    4:14:45.469
vsstat       1040   8   2   69   2812  0:00:01.201   0:00:02.223    4:14:38.769
vshwin32     1108   8   7  144   5316  0:00:02.453   0:00:00.961    4:14:34.884
explorer     1136   8  20  510   7256  0:00:28.841   0:00:58.534    4:14:33.151
avconsol     1148   8   2  101   3296  0:00:01.091   0:00:03.615    4:14:33.041
progman       664  13   2   43   1928  0:00:00.060   0:00:00.060    4:12:26.179
TPWRTRAY      860   8   1   41   1568  0:00:00.140   0:00:00.590    4:12:04.457
S3TRAY       1336   8   1   22   1224  0:00:00.030   0:00:00.060    4:12:02.575
AeXSWDUsr    1116   8   6  114   1124  0:00:00.801   0:00:01.772    4:12:01.653
TDEVDETECT   1380   8   2   40   1444  0:00:00.040   0:00:00.100    4:12:00.962
infwin       1428   8   5  131   4480  0:42:53.200   0:00:46.396    4:11:59.831
wcmdmgr      1436   4   5  118   4848  0:00:00.160   0:00:00.941    4:11:59.791
TFUNCKEY     1448   8   1   24   1692  0:00:00.010   0:00:00.020    4:11:56.296
TPWRICON     1468   8   1   21   1176  0:00:00.060   0:00:00.100    4:11:56.085
TSPDICON     1476   8   1   22   1236  0:00:00.030   0:00:00.090    4:11:55.985
explorer      600   8   9  339   5592  0:00:16.163   0:01:04.693    4:09:46.679
Tcpview      1568   8   5  113   5720  0:01:09.079   0:16:55.730    4:09:33.190
msiexec      1216   8   6  168  13380  0:00:04.476   0:00:03.705    4:07:16.734
CMD          1616   8   1   23   1140  0:00:00.050   0:00:00.180    4:04:02.324
msiexec      1772   8   2  103   2868  0:00:00.350   0:00:00.340    3:10:55.842
msiexec      2016   8   2   84   2804  0:00:00.030   0:00:00.150    3:10:33.430
rundll32     1988   8   1   43   1908  0:00:00.060   0:00:00.150    2:27:27.201
scan32       1604   8   8  242  13168  0:00:35.571   0:00:11.917    2:00:30.807
rundll32     1752   8   1   55   2856  0:00:00.610   0:00:00.931    1:06:59.269
pslist       1744  13   2   76   1452  0:00:00.020   0:00:00.020    0:00:00.150
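In the listing above, the trojan process infwin stands out by its user time (0:42:53, more than anything else on the box) rather than by its name. The following Python is an added example, not code from the original document or from the Sysinternals tools: it parses PSLIST output and ranks processes by the share of their elapsed time spent on the CPU. The sample is a constructed subset of the rows above; the 10% ratio and the 60-second minimum elapsed time are assumed starting values.

```python
# Constructed subset of the Appendix D PSLIST output (header line included).
SAMPLE_PSLIST = """\
Process information for hfarsi-w2k:

Name          Pid Pri Thd  Hnd    Mem    User Time   Kernel Time   Elapsed Time
Idle            0   0   1    0     16  0:00:00.000   2:57:13.820    4:15:50.162
System          8   8  39  158    212  0:00:00.000   0:00:51.273    4:15:50.162
mcshield      744  13  12   99   6948  0:00:48.009   0:00:09.293    4:15:00.080
explorer     1136   8  20  510   7256  0:00:28.841   0:00:58.534    4:14:33.151
infwin       1428   8   5  131   4480  0:42:53.200   0:00:46.396    4:11:59.831
Tcpview      1568   8   5  113   5720  0:01:09.079   0:16:55.730    4:09:33.190
pslist       1744  13   2   76   1452  0:00:00.020   0:00:00.020    0:00:00.150
"""


def parse_time(value):
    """Convert PSLIST's h:mm:ss.mmm into seconds."""
    hours, minutes, seconds = value.split(":")
    return int(hours) * 3600 + int(minutes) * 60 + float(seconds)


def parse_pslist(text):
    """Parse the nine whitespace-separated columns of a PSLIST row.

    Header and banner lines are skipped because their second token is not a PID.
    """
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) != 9 or not tokens[1].isdigit():
            continue
        name, pid, pri, thd, hnd, mem, user, kernel, elapsed = tokens
        rows.append({
            "name": name, "pid": int(pid), "priority": int(pri),
            "threads": int(thd), "handles": int(hnd), "mem_kb": int(mem),
            "user_s": parse_time(user), "kernel_s": parse_time(kernel),
            "elapsed_s": parse_time(elapsed),
        })
    return rows


def flag_cpu_hogs(rows, ratio_threshold=0.10, min_elapsed=60.0):
    """Return processes whose (user + kernel) / elapsed exceeds the threshold.

    PID 0 (Idle) is skipped because it is credited with all unused CPU time.
    Processes younger than min_elapsed seconds are skipped: a tool started a
    moment ago (pslist itself in the sample) has a meaningless ratio.
    """
    flagged = []
    for r in rows:
        if r["pid"] == 0 or r["elapsed_s"] < min_elapsed or r["elapsed_s"] == 0:
            continue
        ratio = (r["user_s"] + r["kernel_s"]) / r["elapsed_s"]
        if ratio > ratio_threshold:
            flagged.append({"name": r["name"], "pid": r["pid"], "cpu_ratio": ratio})
    return sorted(flagged, key=lambda f: f["cpu_ratio"], reverse=True)


if __name__ == "__main__":
    for f in flag_cpu_hogs(parse_pslist(SAMPLE_PSLIST)):
        print(f"{f['name']} (pid {f['pid']}): {f['cpu_ratio']:.1%} of its lifetime on CPU")
```

Treat the output as a triage aid, not a verdict: a legitimate scanner (scan32 in the full listing) or an interactive tool can also accumulate CPU time, so confirm a flagged process against the TCPView and handle output before drawing a conclusion.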

Appendix E MD5 Hashes of forensics toolkit

d0efc042ba4a6b207cf8f5b6760799d8 *SRVINFO.EXE
f9a0eef6e9b67d91284032df81a68c1c *cmd.exe
a17f7cb1c85ef86c0acf3cea7bf6b9e7 *nbtstat.exe
8d1a5309ecc25e78bbd3411684b6012e *psfile.exe
548e950b4fa240c8b173cec429d35854 *psgetsid.exe
91e7e1eb47698ccd1874698f59345e28 *Psinfo.exe
2b9b2b540caad8b5db64eadb058904e1 *pslist.exe
c8bf5dbe8be1e9100ad937e1f525edfb *psloggedon.exe
814732ddffc0a6ca28302cf9f8f55e8c *psloglist.exe
1ec63eb8fea65fa08ed7f019566a246a *pspasswd.exe
9c6d6542908a8fec64063489344722c5 *psservice.exe
211d2bc81511b13a5d11afdebf97161a *psshutdown.exe
1a4843ea8cc6ef7406836f3be5be2303 *pssuspend.exe
d431832de90cb994b41fe30b0543910f *psuptime.exe
ac36011ae0b06250f58fba89711b58c7 *tcpview.GID
c64c70ba2725788394cca1e10738577b *tcpview.exe
e2d152b18786cdd19119f585a407a8b7 *bintext.exe
6e9303ccbc3a6a3b955d43c34b1875fe *net.exe
1128a558328023f6006327570c4d201f *NTLast.exe
51b0e420ba57d4fc0542642787f48385 *netstat.exe
e0fb946c00b140693e3cf5de258c22a1 *nc.exe
7d4272cd1660ba23033c0f385ba37005 *eventvwr.exe
0b06f79c2004ef3a06da6842e22b50f3 *SHOWMBRS.EXE
8710db4dc58928363e5b43ea264ab4ed *SHOWGRPS.EXE
d7421a15d8922b369bab69cd10291713 *SCLIST.EXE
d8a3b54d10be532c329194c54438687d *SRVCHECK.EXE
54aabc8779f91fead56e8a4df7311c23 *TLIST.EXE
544e746b267808ec0f76d904c739bd0d *fport.exe
6303df5299400c4c3acba5b044a81a15 *handle.exe
dc608f2519491b7f7caece0ae052c41c *winfingerprint.exe
54b5158b5a841cbc92d007eadde47a23 *AFind.exe
5f107b4c67152032bbe61668f99191f0 *hlscan.exe
766f390446d65251e5b5d2dde4f60276 *kernrate.exe
4844fd851088a11e240cfe5b54096209 *lads.exe
b256ffa6286ef598bf204d9bdf3fb8e4 *streams.exe
c16ea9cadc953125b86fff45505dbaa6 *SFind.exe
380e73aabc3f9147c5115a49083e7dd1 *showacls.exe
f6f875a036f500370e485b1ea965377f *md5deep.exe
41f2f00fb132003607bdb1ad18e892a0 *fsum.exe
e0c1e9864509555b0d58acbe5a6fd485 *ifmember.exe
682cf8ddf2124fc2024c77157e289677 *RegDACL.exe
8321580ed4db9490e6a9adba0beb71f6 *DUMPSEC.exe
2e20f00c37d102ccfa3772a4855234d2 *showpriv.exe
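The list above is only useful if the toolkit on the CDROM or USB drive is actually checked against it before the tools are run on the suspect host; a tool that has been swapped for a trojaned copy would otherwise report whatever the attacker wants. The following Python is an added example, not part of the original document or of any of the tools listed: it parses the `hash *filename` manifest format shown above (the binary-mode form that md5sum, md5deep and fsum emit) and reports each tool as OK, MISMATCH or MISSING. Because the real binaries are not on this page, the demo builds its own constructed stand-in files and manifest in a temporary directory; the `algo` parameter is an assumption added so the same check can be done with SHA-256, which should be used alongside MD5 on any toolkit hashed today.

```python
import hashlib
import os
import shutil
import string
import tempfile


def parse_manifest(text):
    """Parse md5sum-style lines: hex digest, whitespace, optional '*' (binary mode), filename."""
    expected = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue                      # blank or malformed line
        digest, name = parts[0].lower(), parts[1].strip().lstrip("*")
        if not digest or any(c not in string.hexdigits for c in digest):
            raise ValueError(f"bad digest on line: {line!r}")
        expected[name] = digest
    return expected


def hash_file(path, algo="md5"):
    """Hash a file in chunks so large binaries do not have to be read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_toolkit(manifest_text, toolkit_dir, algo="md5"):
    """Return {filename: "OK" | "MISMATCH" | "MISSING"} for every manifest entry."""
    results = {}
    for name, digest in parse_manifest(manifest_text).items():
        path = os.path.join(toolkit_dir, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif hash_file(path, algo) != digest:
            results[name] = "MISMATCH"
        else:
            results[name] = "OK"
    return results


def demo():
    """Constructed toolkit: three stand-in files hashed into a manifest, then
    one file tampered with and one deleted before verification."""
    workdir = tempfile.mkdtemp()
    try:
        contents = {                      # constructed stand-ins, not the real binaries
            "pslist.exe": b"stand-in for pslist",
            "tcpview.exe": b"stand-in for tcpview",
            "fport.exe": b"stand-in for fport",
        }
        for name, data in contents.items():
            with open(os.path.join(workdir, name), "wb") as f:
                f.write(data)
        manifest = "".join(f"{hashlib.md5(data).hexdigest()} *{name}\n"
                           for name, data in contents.items())
        with open(os.path.join(workdir, "tcpview.exe"), "ab") as f:
            f.write(b"!")                 # simulate a modified tool
        os.remove(os.path.join(workdir, "fport.exe"))   # simulate a missing tool
        return verify_toolkit(manifest, workdir)
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:8} {name}")
```

Keep the manifest itself somewhere the suspect host cannot alter (printed in the case file, or on the read-only media next to the tools) and run the check from the trusted media, not from a copy made on the host; a manifest that lives beside the binaries on a writable drive can be rewritten along with them.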