Anyone who reads an information security magazine or spends time on the Internet quickly realizes that there are a myriad of security tools available. These tools range from small, simple freeware security utilities to comprehensive professional security suites of tools designed to solve all your security problems. Because there are a vast number of tools, it can be difficult for the incident response professional to select the right tools for the job. But, contrary to vendor claims, no panacea or silver bullet exists that can solve all your problems. More importantly, very few, if any, security tools are designed from the ground up to be incident response tools. There are tools for encryption, authentication, intrusion detection, and so on, but there are (arguably) no tools designed specifically for incident response. Many of the available tools are useful for incident response activities, but were not designed for that purpose. Thus, it is up to the incident response practitioner to study the available tools and their applicability to incident response operations, and then to adapt to the tools they deem appropriate for the task at hand.

This chapter describes a large percentage -- though certainly not all -- of the currently available tools and discusses each tool’s strengths and weaknesses specifically with regards to its utility and applicability as an incident response tool. The discussions about the tools are based, in almost every case, on our ...