Orion Incident Response Live CD
following and more: argus, chaosreader, dnstop, dsniff, ettercap, snort, tcpflow, tcpick, tshark. These tools were chosen from a combination of personal analyst experience and tips from other researchers gleaned from the web (“Tshark examples”, 2010). The output of those tools quickly provides the analyst with TCP session information, DNS lookup statistics, HTTP headers, extracted files, and other valuable information. Since this is done by a script, the same commands are run against every capture, so the results are consistent and repeatable, and junior members can do the work without a lot of guidance from more senior team members.
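As an added example, not the paper's own text and not the Orion CD's actual script, the following POSIX shell wrapper shows what such a fixed tool sequence looks like against one pcap: tshark for TCP conversations, DNS statistics, HTTP request headers and exported HTTP objects, tcpflow for stream reassembly, argus/ra for flow records, and snort for an IDS pass. The command-line flags are the tools' documented ones; the output directory layout, file names and the manifest are this example's own choices, the snort configuration path is an assumed default, and a tool that is not installed is recorded as skipped rather than aborting the run.

```shell
#!/bin/sh
# Added example (not the Orion CD's own script): run a fixed, repeatable set of
# network-forensics commands against one pcap and record what ran in a manifest.
# Tool flags follow the respective man pages; output layout and file names are
# this example's own choices. SNORT_CONF is an assumed default path.

SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}

# run_tool LABEL CMD [ARGS...]
# Runs CMD with stdout/stderr captured to $OUTDIR/LABEL.txt. A tool that is not
# installed is noted as skipped rather than aborting the whole triage, so the
# manifest always documents exactly which steps produced output.
run_tool() {
    label=$1; shift
    if ! command -v "$1" >/dev/null 2>&1; then
        printf '%s\tskipped\t%s not installed\n' "$label" "$1" >>"$OUTDIR/manifest.txt"
        return 0
    fi
    if "$@" >"$OUTDIR/$label.txt" 2>&1; then
        printf '%s\tok\t%s\n' "$label" "$*" >>"$OUTDIR/manifest.txt"
    else
        printf '%s\tfailed(rc=%s)\t%s\n' "$label" "$?" "$*" >>"$OUTDIR/manifest.txt"
    fi
}

# triage_pcap PCAP [OUTDIR]
# Same commands, same order, every time: the analyst only supplies the capture.
triage_pcap() {
    PCAP=$1
    OUTDIR=${2:-triage-$(basename "$PCAP" .pcap)}
    [ -r "$PCAP" ] || { echo "cannot read $PCAP" >&2; return 1; }
    mkdir -p "$OUTDIR/http_objects" "$OUTDIR/tcpflow" "$OUTDIR/snort"
    : >"$OUTDIR/manifest.txt"

    # TCP session summary: one line per conversation with packet and byte counts
    run_tool tcp_conversations tshark -r "$PCAP" -q -z conv,tcp
    # DNS lookup statistics (query types, response codes, queried names)
    run_tool dns_stats tshark -r "$PCAP" -q -z dns,tree
    # Request headers of interest, one row per HTTP request
    run_tool http_requests tshark -r "$PCAP" -Y http.request -T fields \
        -e frame.number -e ip.src -e ip.dst -e http.host \
        -e http.request.method -e http.request.uri -e http.user_agent
    # Files carried over HTTP, reassembled and written to disk
    run_tool http_objects tshark -r "$PCAP" -q --export-objects "http,$OUTDIR/http_objects"
    # Every TCP stream reassembled into its own file for manual review
    run_tool tcpflow tcpflow -r "$PCAP" -o "$OUTDIR/tcpflow"
    # Flow records via argus, then printed with ra from the argus-clients package
    run_tool argus argus -r "$PCAP" -w "$OUTDIR/flows.argus"
    run_tool argus_flows ra -r "$OUTDIR/flows.argus"
    # IDS pass over the capture with fast (one line per alert) output
    run_tool snort snort -q -r "$PCAP" -c "$SNORT_CONF" -l "$OUTDIR/snort" -A fast

    echo "triage written to $OUTDIR (see manifest.txt)"
}

# make_empty_pcap PATH: writes a constructed, valid libpcap file consisting of
# the 24-byte global header only (magic 0xa1b2c3d4, version 2.4, snaplen 65535,
# linktype 1 = Ethernet) and no packets, so the wrapper can be exercised where
# no real capture is at hand.
make_empty_pcap() {
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' >"$1"
}

# Usage: sh triage.sh capture.pcap [outdir]
if [ -n "${1:-}" ]; then
    triage_pcap "$1" "${2:-}"
fi
```

The manifest is the part a junior analyst benefits from most: it lists, in a fixed order, which steps ran, which failed with what exit code, and which were skipped on a box that lacks a tool, so a reviewer can tell at a glance whether an absent result means "nothing found" or "never looked".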