Executive Summary:

Our latest collection of great free/open-source tools includes Active Directory Change Reporter, BotHunter, Eraser, KeyFinder, NMap, NTFS Undelete, PhotoRec, and WinAudit.

As I started researching this fourth article in my "Free Utilities" series, I knew this installment would be the most challenging yet. Finding good, reliable, useful free utilities is always a daunting task, but unearthing the tools that are relevant to IT pros' day-to-day responsibilities is even more difficult. However, the challenge can be quite rewarding. When you find a powerful, useful utility, the payoff comes in time saved, headaches reduced, and end users satisfied—always worth the effort. So, without further delay, here's a brand-new collection of 8 utilities that will help make your life easier.

Parmavex Services' WinAudit isn't the only tool on the market that provides auditing capabilities for Windows systems, but it does its job in a compact, standalone 830KB executable file and runs on every version of Windows (desktop and server) back to Windows 95. (Windows Server 2008 support isn't officially listed, but I've tested it and found that it works fine). You can easily keep WinAudit on a USB drive and use it on any system from which you need to quickly collect configuration data. The data that WinAudit pulls together is comprehensive, as you see in Figure 1, and you can save all this data to a file (text, .xml, .csv, .pdf), email it to someone, or even export it to a centralized database.

As a bonus, WinAudit also supports command-line execution, with all the output options available except email. (WinAudit doesn't include its own email client, so it relies on Microsoft Outlook.) In less than an hour, you can easily edit the logon scripts within your entire Windows network, add in WinAudit with configuration parameters to output the collected audit data to files or a database, and display an informational message to users while the audit is running. WinAudit is generally pretty quick: Execution on my Windows XP test system took a little less than 60 seconds.

With WinAudit, over the course of a single lunch hour you can have a comprehensive auditing solution deployed to your network for no cost, storing data in a file or writing it all to a central database. But one thing WinAudit doesn't capture is the license keys for the OSs and applications installed on those systems.

Enter Magical Jellybean Software's KeyFinder, whose sole purpose is to capture all this data where possible and display it or store it for you. Again, acting as a standalone package (no installation required) and weighing in at just over 600KB, it's storable on a USB drive for quick auditing use whenever you need it. Keyfinder works on every version of Windows (desktop and server) back to Win95 (including Server 2008).

As you can see in Figure 2, Keyfinder found the license keys for all the Microsoft products on my test system, as well as license keys for installed third-party software. Keyfinder does this by searching a configuration file (keyfinder.cfg) for clues about where it should look in the registry for license keys for various applications. The default keyfinder.cfg file that Magical Jellybean Software provides contains the known locations of license keys for more than 160 commercial applications, and the text file is a simple delimited format, which you can easily modify for your purposes. Unfortunately, of the 160-plus applications that are preconfigured in Keyfinder's configuration file, many of them appear to be consumer applications (e.g., games, CD burners, media players), so you might need to do a little homework before Keyfinder reaches its maximum usefulness in your environment.

Like WinAudit, Keyfinder executes in command-line mode and writes its data out to a custom CSV file for each system you run it on. So once again, over the course of a lunch hour, you can configure Keyfinder to execute via logon scripts for your users and write the license key data for various applications to a central repository for compliance-auditing or backup purposes. As you add new applications to your enterprise over time, you can simply edit the main keyfinder.cfg file on your network to define where the license keys are stored in the Windows registry, and each system on your network will begin to log this data the next time its logon script executes Keyfinder.

Heidi Computers' Eraser is a freeware utility that you can use to securely wipe out data on your drive so that it can never be recovered—even with advanced forensic and data-recovery utilities. With various erasing strategies available (from multiple wipes with pseudo-random data to the United States Department of Defense 5220.22-M specification), Eraser will make sure that no one can recover data from your organization's drives after it's deleted.

Eraser's interface is simple. You can use it for On Demand deletion of various areas on the disk, or you can run a scheduled purge of certain locations of the drive. Eraser can run its data destruction on the “unused” space of a drive (which would include any deleted files), a specific set of folders, or on one specific file. By default, Eraser comes with a number of data-overwriting strategies—from one to 35 writes—or you can build custom overwriting profiles as necessary. Eraser also integrates itself into the Windows Explorer shell so that if you right-click a file or folder, you have a new Erase option with which to securely wipe data immediately.

In my testing with the data-recovery utilities later in this article (i.e., NTFSUndelete, PhotoRec), I found that after I used Eraser to securely wipe out files, I wasn't able to retrieve them at all—not even parts of the data—no matter what I tried.

In keeping with the data-recovery theme, A-FF Data Recovery's NTFSUndelete is an easy-to-use, freeware data-recovery utility that recovers deleted files from NTFS file systems. Available as an installable Windows application or a bootable ISO image, NTFSUndelete might be able to help you retrieve data that's been deleted from an NTFS volume.

When you delete a file from NTFS—whether you completely delete it or put it in the Recycle Bin and empty it—the file hasn't actually been deleted. All that has taken place, as far as the file system is concerned, is that the directory entry for the file is marked as deleted, thereby making that space available to the system to write something else on top of it. Therefore, recovering a file moments after it has been deleted is often a trivial exercise. As long as no other write requests from the system have taken up the same space, the original file is still intact.

The Windows interface for NTFSUndelete is straightforward: Simply launch the application, select the drive you're trying to recover files from, and NTFSUndelete begins searching the drive for deleted files to recover. When the scanning process is complete, a directory tree listing appears on the left side of the NTFSUndelete window. Some of the directory names in this window are grayed out, and others aren't; the folders that aren't grayed out are the ones that NTFSUndelete sees as having files that it might be able to recover. The Recycle Bin is typically stored in the C:\RECYCLER directory, and in Figure 4 you can see that it was able to find 10 picture files that I had deleted from my Recycle Bin moments beforehand. Simply selecting the files and clicking the Recover Marked Files tab begins the recovery process and lets you select a target directory to which to write the restored files. NTFSUndelete successfully retrieved all 10 files that I had deleted, with no trouble whatsoever.

There are times when NTFSUndelete might not work for you. What if the data is still on the drive, yet no directory entries remain to use as a starting point for NTFSUndelete's recovery approach? If a portion of the data is still present on the drive, a technique called “data carving” might be able to recover it. PhotoRec is the leading freeware utility for attempting a data-carving recovery on a drive.

Data carving is a method of data recovery that can retrieve data for which no reliable file system allocation information can be detected. Data carving requires searching through the raw sectors on a drive, looking for specific file signatures to identify sectors and clusters that make up a known file type. Think of it as a recovery method that completely ignores the entire directory/file structure on the drive and looks for fingerprints of common file types—for example, pictures, documents—to reassemble what it can.

PhotoRec (created by Christophe Grenier at CGSecurity) performs data-carving recovery from EXT2/EXT3/FAT, NTFS, and HFS+ file systems, and can recover data from more than 180 known file types, including various multimedia files, archives, Microsoft Office documents (including .doc, .ppt, .xls, and their Office 2007 counterparts), .pst files, and all sorts of other interesting file types, such as Microsoft Money, QuickBooks, Quicken, and TurboTax. Just launch the utility and walk through the menus to begin data-carving recovery on your hard disk. PhotoRec's DOS-like UI is somewhat basic, so you'll probably want to refer to CGSecurity's website for details about how to use the utility. But once you start the tool, it will look through the drive and recover the files that it can. The process can take a while—as you see in Figure 5, a scan of my test system's 30GB drive would take several hours—but considering that the data is otherwise unrecoverable, the time PhotoRec needs is often worth the effort.

Data carving usually requires that the files to be recovered be located in sequential sectors (rather than fragmented across the drive) because there's often no reliable mechanism to map a way through the fragmented file portions. PhotoRec claims that it can deal with some situations of “low data fragmentation,” but sometimes it just won't be able to recover a fragmented file. However, when it can recover a file, PhotoRec works extremely well.
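To make the carving technique concrete, here is a minimal signature-based carver added for this article (it is not PhotoRec's or Eraser's code). It scans a constructed raw "disk image" for JPEG and PNG signatures without consulting any file-system metadata, only accepts headers at sector boundaries, recovers only contiguous files (the fragmentation limit described above), and shows that after a multi-pass overwrite like Eraser's the signatures are gone and nothing is carved (the result I saw in the Eraser tests). The sector size, the sample image and the wipe routine are assumptions for the demonstration.

```python
"""Added example: signature-based file carving over a raw image (not PhotoRec code)."""
import os

SECTOR = 512  # assumed sector size; files start on sector boundaries

# Real header/footer magic bytes for two common picture formats.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
}

def carve(image):
    """Return (type, offset, data) for each contiguous file whose header sits on
    a sector boundary and whose footer follows it. No directory structure is
    consulted. A file fragmented across non-adjacent sectors would either be
    missed or come back with foreign data spliced into it."""
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        for off in range(0, len(image), SECTOR):
            if image.startswith(head, off):
                end = image.find(tail, off + len(head))
                if end != -1:
                    found.append((kind, off, bytes(image[off:end + len(tail)])))
    return sorted(found, key=lambda f: f[1])

def wipe(image, offset, length, passes=3):
    """Overwrite a region with pseudo-random data `passes` times, then zeros,
    in the style of a multi-pass erase (constructed; not Eraser's algorithm).
    Afterwards no header or footer remains for a carver to find."""
    for _ in range(passes):
        image[offset:offset + length] = os.urandom(length)
    image[offset:offset + length] = bytes(length)

def build_demo_image():
    """Constructed sample: 8 sectors of deterministic filler (which contains
    none of the signatures) with a tiny JPEG at sector 2 and a tiny PNG at
    sector 5. No directory entries exist for either file, so only carving
    can locate them."""
    img = bytearray(bytes(range(256)) * (8 * SECTOR // 256))
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 100 + b"\xff\xd9"            # 106 bytes
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 60 + b"IEND\xae\x42\x60\x82"  # 76 bytes
    img[2 * SECTOR:2 * SECTOR + len(jpg)] = jpg
    img[5 * SECTOR:5 * SECTOR + len(png)] = png
    return img

if __name__ == "__main__":
    img = build_demo_image()
    print([(k, off, len(d)) for k, off, d in carve(img)])  # both files found
    wipe(img, 2 * SECTOR, 106)
    print([k for k, _, _ in carve(img)])                    # only the PNG remains
```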

Active Directory Change Reporter
As AD becomes an increasingly critical component of enterprise networks, keeping tabs on what's going on inside AD is an important task for any network administrator trying to keep his or her network healthy. Unfortunately, Microsoft doesn't include many ready-to-use tools for this purpose. Sure, you can use tools such as the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in and search for things manually, but a way to track changes over time would have been a nice addition. The folks at NetWrix have written the Active Directory Change Reporter utility for just this reason, and they've offered a free version to anyone who wants it.

Active Directory Change Reporter is a simple utility that you can download and install on any system in your network. Essentially, it takes a snapshot of your AD environment every day and compares it with the previous day's snapshot, making note of differences. In its most basic mode, you can simply have it email you a daily HTML report of the changes, but the freeware version of Active Directory Change Reporter can also perform some more advanced operations such as “rolling back” unwanted changes.

There are a few limitations to the freeware version of Active Directory Change Reporter. You can't store a long-term archive of changes made to AD, and the utility won't log who (or what) made the change in your environment. Given these two limitations, the freeware version probably isn't going to meet stringent compliance-reporting requirements that many organizations now face. However, it's still a useful utility to have in your environment, and it maintains a small footprint. Just install it, run the configuration utility (which sets up a scheduled task in your environment) and you're done.

My best suggestion is that if you stick with the free version, make a special email account (e.g., adchanges@mycompany.com) in your environment to receive the daily reports and store them there over time. Reading through change reports every day might get boring after a while, but if you have a log of all your changes over time, you can always search that account for the reports you want if you ever need to track down a change.

I've written three previous articles about free utilities for Windows IT Pro magazine, and I can't believe I've overlooked NMap until now. NMap is a network security scanner that originally came from the UNIX world over a decade ago, but to describe NMap as “just a port scanner” would be like describing the Hummer as “just a truck.” NMap is, by far, one of the most in-depth network security scanning tools available on any platform, at any price.

Available as a Windows executable, NMap scans the IP addresses and subnets you instruct it to and gives you a wealth of information about any hosts it finds: running services, responses received on various TCP ports, versions of applications that are listening on those ports, and more. Through a series of advanced TCP/IP fingerprinting techniques, it will even try to guess the target host's OS. As you see in Figure 7, in which I've run a test against Wikipedia, NMap has guessed that there's a 93 percent chance that the OS in use is Ubuntu Linux. A quick look at Wikipedia's own technical FAQ confirms that it is, in fact, running Linux—although the FAQ claims that the site is running Fedora's distribution.

For your IP network security needs, NMap is a must-have tool. The GUI is a great way to get familiar with the tool at first, but once you've learned the various command-line switches to run NMap, you can simply run the nmap.exe application directly and skip the GUI. The command-line flexibility provides many possibilities for batching and scripting NMap's operation.

Five years ago, in "Sniff with Snort" (InstantDoc ID 42606), I wrote an article about implementing Snort—the world's leading open-source intrusion-detection suite—in a Windows environment. Snort is a terrific utility, and to this day I still recommend it to anyone who needs a good, reliable intrusion-detection tool to protect their networks. But Snort takes some time to get working just right, and it still relies solely on a “signature matching” algorithm within single data packets to detect intrusion attempts.

That's still an effective (and necessary) approach for intrusion detection in an enterprise network, but SRI International's BotHunter takes matters a step further, adding a higher level of intelligence to the process. By correlating a number of packets over time and watching for the signature communication sequences that bot software typically utilizes—exploit usage, payload downloading, outbound bot coordination dialogs, outbound attack propagations, and so on—BotHunter can detect problems that simple intrusion detection can't. Although any individual packet might or might not be picked up by an intrusion-detection engine such as Snort, BotHunter's intelligent correlation engine can watch a system's communications over time and try to tie all the individual events together to determine whether a bot is operating in your network.
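The correlation idea is easier to see in code. The following is an added illustration, not BotHunter's engine: it groups the alerts a sensor has raised for each host, and flags a host only when the distinct infection-dialog stages seen within one time window add up to a score that includes outbound behaviour. The stage names follow the sequence named above; the weights, threshold, window and sample alert lines are constructed for the example.

```python
"""Added example: a toy dialog-correlation pass over per-host alerts (not BotHunter code)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Stages from the article with constructed weights. Inbound evidence is weak
# (scans and exploit attempts hit every host); outbound evidence means the
# host itself has started acting like a bot.
WEIGHTS = {"inbound_exploit": 1, "egg_download": 2,
           "cnc_dialog": 2, "outbound_scan": 2}
OUTBOUND = {"cnc_dialog", "outbound_scan"}
THRESHOLD = 3                 # constructed: roughly two stages, one outbound
WINDOW = timedelta(hours=1)   # constructed correlation window

# Constructed sample alerts in the form "timestamp host stage".
SAMPLE_ALERTS = """\
2009-03-02T10:00:00 10.0.0.5 inbound_exploit
2009-03-02T10:00:04 10.0.0.5 egg_download
2009-03-02T10:02:30 10.0.0.5 cnc_dialog
2009-03-02T10:00:01 10.0.0.9 inbound_exploit
2009-03-02T14:30:00 10.0.0.9 outbound_scan
2009-03-02T10:05:00 10.0.0.12 inbound_exploit
"""

def parse_alerts(text):
    """Yield (timestamp, host, stage) tuples from the alert lines."""
    for line in text.splitlines():
        ts, host, stage = line.split()
        yield datetime.fromisoformat(ts), host, stage

def correlate(alerts):
    """Return {host: sorted stages} for hosts whose distinct stages within one
    WINDOW score >= THRESHOLD and include at least one outbound stage.
    Counting distinct stages keeps ten repeats of the same single-packet
    alert from looking like an infection dialog."""
    per_host = defaultdict(list)
    for ts, host, stage in alerts:
        per_host[host].append((ts, stage))
    infected = {}
    for host, events in per_host.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            stages = {s for t, s in events[i:] if t - start <= WINDOW}
            if sum(WEIGHTS[s] for s in stages) >= THRESHOLD and stages & OUTBOUND:
                infected[host] = sorted(stages)
                break
    return infected

if __name__ == "__main__":
    print(correlate(parse_alerts(SAMPLE_ALERTS)))  # only 10.0.0.5 is flagged
```

In the sample, 10.0.0.9 shows an exploit attempt and, hours later, an outbound scan; because the two fall outside one window they are not tied together, which is exactly the kind of decision a real correlation engine has to tune.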

The most impressive aspect of BotHunter isn't just its advanced approaches to solving this type of security problem but the flexibility that SRI International provides—freely—to individual users and corporate users alike. If you're a freelance professional who wants to make sure your individual workstation isn't infected by a bot the next time you use free WiFi at your favorite coffee shop, BotHunter can help. If you're an enterprise network administrator who wants to keep track of traffic going throughout your entire network and have access to a Switched Port Analyzer (SPAN) port or some similar means of watching all your traffic, BotHunter can help you out, too.

BotHunter's installation is relatively straightforward: Simply launch the installer executable and follow through the prompts. To operate properly, BotHunter requires the Java SE Runtime Environment (JRE) and WinPcap—a promiscuous-mode packet capture driver. The installer determines whether you already have these installed, and it downloads and installs them for you if you don't. The only other thing BotHunter asks you to provide is your network's IP address particulars—what subnets you have, where your DNS servers are, where your mail servers are, and so on. After that, BotHunter is ready to run.

If you see an alert come up in the GUI, which Figure 8 shows, you can then investigate it within your network and determine the problem. There aren't any alerts that BotHunter can send out right now, so you'll have to check the GUI from time to time, but posts in SRI International's user forums indicate that email notifications are coming in a future release.

We're Up to 32
So, now you have eight more free utilities to add to your toolbelt. This batch will help you inventory your systems, recover lost data, and keep your network secure. Of all the tools here, my favorite is PhotoRec, but I hope that you find all of them useful and that they can make your job a little bit easier.