Last week, I learned about four security tools that I hadn't come across previously. The tools, available for free from MANDIANT and Immunity, each make a worthwhile new addition to your security toolkit.

The first tool, Web Historian, developed by MANDIANT (formerly Red Cliff Consulting), analyzes Web browsing history files from major browsers including Microsoft Internet Explorer, Mozilla Firefox, Netscape Navigator, Opera, and Apple Safari. You might already have such a tool that analyzes browser history files (there are a few available); however this is the only tool I know of that can analyze the history files of such a wide range of browsers.

The second tool, First Response, also from MANDIANT, is an incident-handling tool. The software includes an agent that can be loaded on Windows 2000, Windows XP, and Windows Server 2003 systems to collect information from a variety of sources, such as the registry, event logs, file systems, and active processes. The tool uses a centralized console to collect information from its agents, analyze the data, build reports, and coordinate incident-response activity. In addition to working over a network, the tool can collect information directly from a local system that you have physical access to.

The third tool is MANDIANT's Red Curtain. It's a new malware analysis tool that can inspect executables (including DLLs) to look for signs that the code might be dangerous. Information gathered by the tool includes signatures from development tools (commonly inserted by compilers and packagers), packaging type information, whether the code includes randomization, and more. The data is used to provide a possible threat level score. Depending on the overall score, you might decide to take a closer look at the file or quarantine it and move on to other tasks.

All three of MANDIANT's tools are available at

http://www.mandiant.com/software.htm

Red Curtain leads me to the fourth tool, Immunity Debugger. If you happen to find a suspicious executable and want to take a deeper look at what it does, then a debugger can be an essential tool.

Numerous debuggers are available today; however, unlike many other debuggers, a key feature of Immunity Debugger is that it's written specifically for security researchers. The tool includes both a GUI and a command line interface and supports Python scripting. A lot of the functionality of the debugger revolves around the Python subsystem, which lets you extend the debugger to conduct a variety of activities and lets you design custom routines that display data, accept user input, and more. Several sample scripts come with the tool to get you started. Another great feature of the tool is that it can latch onto a process via its filename, window name, process identifier (PID), process name, services, or TCP or UDP port. Overall, it's a powerful tool.

You can learn more about Immunity Debugger and download a copy at the URL below.

http://www.immunitysec.com/products-immdbg.shtml