Volatile Data Acquisition
Volatile data should be collected as soon as the incident has been detected and before the system is rebooted, since a reboot or shutdown destroys it. Because many attackers replace system binaries (ps, netstat, ls, lsof, ...) with versions that hide their activity, trusted copies must be used instead. An Incident Response Toolkit should therefore contain a CD with the required binaries, statically linked so that they do not load (possibly trojaned) shared libraries from the suspect system.

Use the -n style flags so that hostnames are not resolved: DNS lookups both modify the state of the system and generate network traffic that may alert the attacker.

The easiest method of getting the data off the system is to use netcat to send it to a trusted evidence server, rather than writing it to the suspect system's own disk:

on server:  # nc -l -p 4567 > ps.aux.out
on system:  # ps -aux | nc 10.0.0.1 4567

Start one listener per artifact on the evidence server before running the command on the suspect system, and hash the received files on the server.
Windows Volatile

fport.exe: list open ports and the process that opened each one (http://www.foundstone.com)
netstatp.exe: list open sockets
handle.exe -a: list all open handles (files, tokens, registry keys, ...) by process
pslist.exe -x: detailed listing of processes and their threads
psservice.exe: list running services
listdlls.exe: list the loaded DLLs, with full path, by process
psloggedon.exe: list users that are currently logged on
(netstatp, handle, pslist, psservice, listdlls and psloggedon: http://www.sysinternals.com)
date /T: get the system date
time /T: get the system time
(date and time are internal commands of cmd.exe, not separate executables, so run them from a trusted copy of cmd.exe on the toolkit CD; note the values against the evidence server's clock to determine the skew)
UNIX Volatile

lsof -n -D i: list open files and sockets by process (-n: do not resolve hostnames; -D i: ignore the device cache file, so lsof neither reads nor creates one on the suspect system)
netstat -nr: routing table (numeric, no DNS)
netstat -nva: open sockets (numeric, no DNS)
ps -el (or ps -aux): running processes
who -Thu: list of logged-in users (-T terminal message status, -H column headings, -u idle time)
List partitions:
  fdisk -l (Linux)
  prtvtoc /dev/rdsk/c?t?d?s2 (Solaris)
date: get the system time, to determine the clock skew between the suspect system and the evidence server
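The netcat procedure from the acquisition slide, carried through for the UNIX command list above, as an added example that is not code from the original slides. The CD mount point, the evidence server address, the port-per-artifact numbering and the RUN_COLLECTION / EVIDENCE_DIR switches are assumptions of this example; the commands themselves are the ones listed on the slide.

```shell
#!/bin/sh
# Added example, not from the original slides: collect the UNIX volatile-data
# artifacts listed above with trusted, statically linked binaries from the IR
# toolkit CD and ship each one to the evidence server over netcat.
# Assumptions (hypothetical defaults, override via the environment):
#   TRUSTED_BIN    bin directory of the mounted toolkit CD (needs at least
#                  ps, netstat, lsof, who, fdisk, date, uname, cat and nc)
#   EVIDENCE_HOST  IP address (not a name: no DNS lookup) of the evidence server
#   BASE_PORT      first listener port; artifact N uses BASE_PORT+N-1
#   EVIDENCE_DIR   if set, write to this directory (e.g. a clean USB stick)
#                  instead of using the network
# On the evidence server start one listener per artifact beforehand and hash
# what arrives there, never on the suspect host:
#   nc -l -p 4567 > date_start.out; sha256sum date_start.out >> hashes.txt
#   nc -l -p 4568 > netstat_nr.out; ...
TRUSTED_BIN="${TRUSTED_BIN:-/mnt/cdrom/bin}"
EVIDENCE_HOST="${EVIDENCE_HOST:-10.0.0.1}"
BASE_PORT="${BASE_PORT:-4567}"
EVIDENCE_DIR="${EVIDENCE_DIR:-}"

# Artifacts in collection order: the clock first, so every later timestamp can
# be corrected for skew; then process, socket and open-file state; then logged
# in users; then partition layout; the clock again to bracket the collection.
# All network-related commands carry -n so no hostname is resolved.
ARTIFACTS='date_start|date
netstat_nr|netstat -nr
netstat_nva|netstat -nva
ps_el|ps -el
lsof_nDi|lsof -n -D i
who_Thu|who -Thu
fdisk_l|fdisk -l
date_end|date'

# Make the CD the only place binaries are looked up, so a replaced /bin/ps or
# /usr/bin/netstat on the suspect system is never executed.
use_trusted_binaries() {
    if [ ! -x "$TRUSTED_BIN/ps" ] || [ ! -x "$TRUSTED_BIN/nc" ]; then
        echo "trusted binaries not found under $TRUSTED_BIN, refusing to run" >&2
        return 1
    fi
    PATH="$TRUSTED_BIN"
    export PATH
}

# Listener port for the Nth artifact (1-based).
artifact_port() {
    echo $((BASE_PORT + $1 - 1))
}

# Deliver stdin for artifact $1 to the evidence server on port $2 (nc -n: do
# not resolve), or to EVIDENCE_DIR when no network channel is available.
ship() {
    if [ -n "$EVIDENCE_DIR" ]; then
        cat > "$EVIDENCE_DIR/$1.out"
    else
        nc -n "$EVIDENCE_HOST" "$2"
    fi
}

# Run one command ($2) for artifact $1 and ship it to port $3.  A header line
# records host, command and UTC time so the evidence file documents itself;
# stderr is captured too, because an error message is evidence as well.
collect_artifact() {
    {
        echo "# host=$(uname -n) artifact=$1 cmd=\"$2\" collected=$(date -u '+%Y-%m-%dT%H:%M:%SZ')"
        eval "$2" 2>&1
    } | ship "$1" "$3"
}

# Collect every artifact in ARTIFACTS order.
collect_all() {
    use_trusted_binaries || return 1
    n=0
    printf '%s\n' "$ARTIFACTS" | while IFS='|' read -r name cmd; do
        n=$((n + 1))
        collect_artifact "$name" "$cmd" "$(artifact_port "$n")"
    done
}

# Only run the collection when explicitly asked, so the functions can be
# sourced and checked without touching a live system:
#   RUN_COLLECTION=1 sh collect_volatile.sh
if [ "${RUN_COLLECTION:-0}" = 1 ]; then
    collect_all
fi
```

Run it as root from the trusted shell on the CD with RUN_COLLECTION=1, after the listeners on the evidence server are up. Depending on the netcat version, the client side may need -q 1 (netcat-traditional) or -N (netcat-openbsd) so that it closes the connection after the last byte; otherwise the listener for that artifact never sees EOF. The header line and the leading/trailing date artifacts are what let you later correlate the evidence files with the server's clock and with each other.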