First Responder Course - Session 9 - Volatile Evidence Collection [2004]

The ninth session from a two day course I ran for potential first responders in a large financial services client.

  1. Phil Huggins, February 2004

  2. Volatile Data Acquisition
     - Windows Volatile
     - UNIX Volatile

  3. Volatile data should be taken as soon as the incident has been detected and before the system is rebooted.
     - As many attackers will replace the system binaries with malicious versions, trusted ones must be used. An Incident Response Toolkit should contain a CD with the required binaries, statically linked.
     - Use flags so that hostnames are not resolved.
     - The easiest method of getting the data off of the system is using netcat to send the data to a trusted evidence server.
       on server: # nc -l -p 4567 > ps.aux.out
       on system: # ps -aux | nc 10.0.0.1 4567

  4. - fport.exe: List open ports and which process opened them (fport, http://www.foundstone.com)
     - netstatp.exe: List open sockets
     - handle.exe -a: List all open files, tokens, and keys by process
     - pslist.exe -x: Show a detailed listing of processes and threads
     - psservice.exe: List running services
     - listdlls.exe: List the loaded DLL paths, by process
     - psloggedon.exe: List users that are currently logged on (http://www.sysinternals.com)
     - date.exe /T: Get the system date
     - time.exe /T: Get the system time

  5. - lsof -n -D i: List open files and sockets by process (do not resolve hostnames and do not create a device cache file)
     - netstat -nr: Routing table
     - netstat -nva: Open sockets
     - ps -el (ps -aux): Running processes
     - who -Thu: List of logged-in users
     - List partitions:
       fdisk -l (Linux)
       prtvtoc /dev/rdsk/c?t?d?s2 (Solaris)
     - date: Get system time to determine clock skew
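The following script ties slides 3 and 5 together as an added example (it is not part of the course material): it runs the UNIX volatile-data commands only from the trusted toolkit CD, streams each result to the evidence server with netcat as slide 3 shows, and keeps a local SHA-256 manifest so the server-side copies can be verified later. The toolkit mount point, manifest path and the `send`/`collect` helper names are assumptions; 10.0.0.1:4567 is the address from the slide.

```shell
#!/bin/sh
# Added example (not from the slides): run the UNIX volatile-data commands above
# from the trusted toolkit CD only, stream each result to the evidence server
# with netcat (slide 3), and keep a SHA-256 manifest so the copies can be verified.
# Assumed: TOOLKIT mount point and MANIFEST path; 10.0.0.1:4567 is from the slide.
TOOLKIT=${TOOLKIT:-/mnt/cdrom/bin}
SERVER=${SERVER:-10.0.0.1}
PORT=${PORT:-4567}
MANIFEST=${MANIFEST:-/tmp/volatile.manifest}

# sha256_of FILE: hex digest of FILE, preferring the toolkit's own sha256sum.
sha256_of() {
    if [ -x "$TOOLKIT/sha256sum" ]; then h=$("$TOOLKIT/sha256sum" "$1")
    elif command -v sha256sum >/dev/null 2>&1; then h=$(sha256sum "$1")
    else h=$(shasum -a 256 "$1"); fi
    echo "${h%% *}"
}

# record NAME FILE: append "<utc time> <sha256> <name>" to the manifest.
record() {
    printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(sha256_of "$2")" "$1" >> "$MANIFEST"
}

# send: stdin to the evidence server, which runs  nc -l -p $PORT > <name>.out  per artifact.
send() { "$TOOLKIT/nc" "$SERVER" "$PORT"; }

# collect NAME TOOL ARGS...: run TOOL from the toolkit only; a missing trusted
# copy is an error, never a reason to fall back to a possibly replaced system binary.
collect() {
    name=$1; tool=$2; shift 2
    if [ ! -x "$TOOLKIT/$tool" ]; then
        echo "SKIP $name: $TOOLKIT/$tool missing; refusing to run system $tool" >&2
        return 1
    fi
    tmp=$(mktemp) || return 1
    "$TOOLKIT/$tool" "$@" > "$tmp" 2>&1
    record "$name" "$tmp"
    send < "$tmp"
    rm -f "$tmp"
}

# Most volatile first: clock, open files/sockets, processes, then routes and users.
collect_all() {
    collect date    date
    collect lsof    lsof -n -D i
    collect sockets netstat -nva
    collect routes  netstat -nr
    collect ps      ps -el
    collect who     who -Thu
}
```

Source the script from the trusted shell and call `collect_all` once the listener is running on the evidence server; the manifest stays on the responder's notes, not on the compromised host's disk, if `MANIFEST` points at removable media.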