Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

First Responder Course - Session 9 - Volatile Evidence Collection [2004]


Published on

The ninth session from a two day course I ran for potential first responders in a large financial services client.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

First Responder Course - Session 9 - Volatile Evidence Collection [2004]

  1. 1. Phil HugginsFebruary 2004
  2. 2.  Volatile Data Acquisition Windows Volatile UNIX Volatile
  3. 3.  Volatile data should be taken as soon as the incident has been detected and before the system is rebooted. As many attackers will replace the system binaries with malicious versions, trusted ones must be used. An Incident Response Toolkit should contain a CD with the required binaries, statically linked Use flags so that hostnames are not resolved The easiest method of getting the data off of the system is using netcat to send the data to a trusted evidence server.  on server: # nc –l –p 4567 > ps.aux.out  on system: # ps –aux | nc 4567
  4. 4.  fport.exe List open ports and which process opened them - fport  ( netstatp.exe: To list open sockets handle.exe –a: To list all open files, tokens, and Keys by process pslist.exe -x: Show detailed listing of processes and threads psservice.exe: List running services listdlls.exe: List the loaded dll paths, by process psloggedon.exe: List users that are currently logged on  ( date.exe /T: Get the system date time.exe /T: Get the system time
  5. 5.  lsof -n -D i: List open files and sockets by process (do not resolve host and do not create device file) netstat -nr: Routing Table netstat -nva: Open Sockets ps -el (ps -aux): Running Processes who -Thu: List of logged in users List Partitions:  fdisk -l: (Linux)  prtvtoc /dev/rdsk/c?t?d?s2: (Solaris) date: Get system time to determine clock skew