Re: Why using fport if netstat -b does much more ?

Hello,

Recall that Service Pack 2 was released mid 2004 (or so..) That  
particular flag is unavailable in pre-SP2 installations. Both of  
those books that you mentioned were published before that date. Given  
that new binary, I would use 'netstat -anvb' ( especially -n if you  
do not want to generate DNS traffic).  Once systems are deployed with  
the new monad shell, the scripting will become easier.

There are a number of tools that we use in place of what was  
originally published. I would suggest using the books as a guide for  
the less ephemeral topics, focusing on the principles behind tool  
choice and validation. When a newer application is written that  
replaces or improves upon the functionality of a particular tool  
check it's validity, know its limits and use it.  By all means, share  
what you find as well.

-- Matt

On Dec 1, 2005, at 1:27 PM, contrera@eig.unige.ech wrote:

> hi,
>
> i've just noticed that netstat as an option (-b) that allow to list  
> port and the processes which are binded to.
> fport  (-foundstone free utility-) allow just to see processes and  
> local ports.
>
> Netstat -b allow to see processes (and dlls involved in the TCP/IP  
> connection), local ports and remote ports and remote IP address !
> Remote IP address and remote ports could be useful  when  
> investigating.
>
> Why any of the famous books related to windows forensics (Incident  
> responsw & computer forensics -FOundstone-, Windows Forensics - 
> Carvey-, ...) doesn't talk about the -b option ?
>
> i'm going to update my Automated response script with netstat -b !
>
> Greetings.

smime.p7s
Description: S/MIME cryptographic signature