CaveMan Rootkit Detector v0.1

CaveMan performs rootkit detection on Windows XP by correlating results from several incident response tools. CaveMan is released under the Educational Community License version 1.0 (see license.txt).

NOTE: WE DO NOT PROVIDE SUPPORT FOR THIS SOFTWARE.

Details on the tool can be found in the article:

Molina, D., Zimmermann, M.A., Roberts, G.R., Eaddie, M.T., and Peterson, G.L., Timely Rootkit Detection During Live Response, Advances in Digital Forensics IV, S. Shenoi and I. Ray, Eds., New York, NY: Springer Science+Business Media, 2008, pp. 139-150.



Execution:
   Requires Java JRE 5.0 or higher

1) Double-click the JAR file.
2) Select Scan -> Poke around for rootkits.
3) If you want to rerun the data collection, click 'No'.
4) Wait several hours; output will appear at the bottom of the window and a report is written to the reports directory.

   To use CaveMan to perform the incident response collection and analysis, or to use the included bat file for incident response collection, the folder structure and tools need to be as follows:

.\
| reports
| results
| scans
| tools >
          | APIHookCheck
          | Cygwin
          | Foundstone
          | NTResKit
          | Sysinternals
          | WinMisc
          | WinNative

APIHookCheck
   ApiHookCheck.exe
   http://www.security.org.sg/code/apihookcheck.html

Cygwin
    ls.exe
    ps.exe
    http://cygwin.org
    (also needs all DLLs required to execute:
     cygiconv-2.dll, cygintl-1.dll, cygintl-2.dll, cygintl-3.dll, cygmagic-1.dll,
     cygncurses-8.dll, cygpcre-0.dll, cygpng12.dll, cygpopt-0.dll, cygwin1.dll)

Foundstone
    fport.exe
    hfind.exe
    sfind.exe
    sl.exe
    http://www.foundstone.com/us/resources-free-tools.asp

NTResKit
    auditpol.exe
    dumpel.exe
    pulist.exe

Sysinternals
    handle.exe
    listdlls.exe
    psfile.exe
    Psinfo.exe
    pslist.exe
    psloggedon.exe
    psservice.exe
    streams.exe
    tcpvcon.exe
    http://technet.microsoft.com/en-us/sysinternals/bb545027.aspx

WinMisc
    procinterrogate.exe
    promiscdetect.exe

WinNative
    arp.exe
    ipconfig.exe
    mem.exe
    nbtstat.exe
    netstat.exe
    route.exe
    tasklist.exe
    (Windows distribution)


The script j_CaveMan_v0.1.bat provides an example batch file that only runs these tools. However, it is recommended to write your own script for the data collection; name the output files as follows and place them in the results directory:

ipconfig.exe /all          > ipconfig_OUT.txt
MEM.exe /d                 > mem_OUT.txt
netstat -an                > netstat_an_out.txt
netstat -anp               > netstat_anp_out.txt
netstat -anr               > netstat_anr_out.txt
route print                > route_out.txt
apihookcheck.exe           > APIHookCheck.txt
arp -a                     > arp.txt
auditpol.exe               > auditpol.txt
dir /s /t:a c:             > dirHiddenFiles.txt
hfind.exe systemroot       > hfind.txt
fport.exe /p               > fport.txt
handle -a                  > handle.txt
listdlls.exe               > listdlls.txt
nbtstat -c                 > nbtstat.txt
procinterrogate -list      > procinterrogate.txt
PS.exe -ealW               > ps.txt
PSFILE.exe /accepteula     > psfile.txt
psinfo /accepteula         > psinfo.txt
pslist.exe -x /accepteula  > pslist.txt
psloggedon /accepteula     > psloggedon.txt
psservice /accepteula      > psservice.txt
pulist                     > pulist.txt
dir "c:\WINDOWS\Prefetch"  > prefetch.txt
streams.exe -s /accepteula Systemroot > streams.txt
sfind.exe systemdrive/     > sfind.txt
tasklist.exe               > Tasklist.txt
tcpvcon -an /accepteula    > tcpvcon.txt
dumpel -t -l application   > dumpelAppLog.txt
dumpel -t -l security      > dumpelSecLog.txt
dumpel -t -l system        > dumpelSysLog.txt
promiscdetect.exe          > promiscDetect.txt
sl 127.0.0.1               > sl.txt
ls -R c:\                  > ls.txt
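The following is an added illustration of the cross-view correlation a detector performs over two of the collected files (Tasklist.txt and pslist.txt); it is not CaveMan's own code. The sample outputs are constructed and simplified, and the column layouts are assumed from typical tasklist.exe and pslist.exe output.

```python
import re
# Constructed, simplified sample in the style of tasklist.exe output (not a real capture).
TASKLIST_OUT = """\
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System                         4 Console                 0        236 K
smss.exe                     532 Console                 0        388 K
csrss.exe                    596 Console                 0      3,664 K
explorer.exe                1488 Console                 0     18,120 K
"""

# Constructed, simplified sample in the style of pslist.exe output (not a real capture).
PSLIST_OUT = """\
Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time
System                4   8  52  312      0     0:00:03.234     0:00:00.000
smss                532  11   3   21    164     0:00:00.030     0:13:44.171
csrss               596  13  11  388   1740     0:00:00.781     0:13:43.859
explorer           1488   8  14  452  10200     0:00:02.187     0:13:32.093
svchost            1704   8   9  190   1500     0:00:00.046     0:02:10.421
"""

# tasklist rows: image name, PID, session name, session number, memory "N K"
TASKLIST_RE = re.compile(r"^(?P<name>.+?)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")
# pslist rows: name, PID, then at least four numeric columns (Pri Thd Hnd Priv)
PSLIST_RE = re.compile(r"^(?P<name>\S.*?)\s+(?P<pid>\d+)(\s+\d+){4}\s")

def parse_process_table(text, pattern):
    """Return {pid: name} for every line of text that matches pattern."""
    procs = {}
    for line in text.splitlines():
        m = pattern.match(line)
        if m:
            procs[int(m.group("pid"))] = m.group("name").strip()
    return procs

def cross_view(views):
    """Return {pid: (name, [tools that did not report it])} for every PID on which
    the tools disagree. Keyed by PID because tasklist keeps '.exe' and pslist drops it."""
    all_pids = set().union(*views.values())
    findings = {}
    for pid in sorted(all_pids):
        missing = sorted(t for t, procs in views.items() if pid not in procs)
        if missing:
            name = next(p[pid] for p in views.values() if pid in p)
            findings[pid] = (name, missing)
    return findings

if __name__ == "__main__":
    views = {"tasklist": parse_process_table(TASKLIST_OUT, TASKLIST_RE),
             "pslist": parse_process_table(PSLIST_OUT, PSLIST_RE)}
    for pid, (name, missing) in cross_view(views).items():
        print(f"PID {pid} ({name}) not reported by: {', '.join(missing)}")
```

A PID that one tool lists and another omits is the kind of disagreement a process-hiding rootkit produces, but it is only a lead: a process that started or exited between the two collection commands produces the same disagreement, so the order and timing of the commands in the collection script matters when reading such findings.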


Notes:
route.exe output differs between WinXP and Win7 (the output parser may not be able to parse the Win7 route.exe output).
dumpel will throw errors if logging is not enabled (and seems to always throw an error on the security log in Win7).
