Chapter 1
Live Incident Response Process
Start a netcat listener on the forensic workstation with the following
command:
nc -v -l -p 2222 > command.txt
On the victim computer you will want to run a command to collect live
response data.
The data can be sent from the victim computer with the following
command, where forensic_workstation_ip_address is the IP address of
the forensic workstation:
command | nc forensic_workstation_ip_address 2222
A simple MD5 checksum of command.txt can be calculated so that you
may prove its integrity at a later date:
md5sum -b command.txt > command.md5
You will always want to use the -b (binary mode) command-line switch.
md5sum is available in the Cygwin utilities from www.cygwin.com.
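As an added example that is not part of these notes, the forensic-workstation side of the collection step above in Python: it stands in for `nc -v -l -p 2222 > command.txt`, hashes the bytes as they arrive, and writes `command.md5` in the `hex *file` line format that `md5sum -b` produces, so `md5sum -c command.md5` can check it later. The function names and the sample pslist text are assumptions constructed for this example.

```python
import hashlib
import io
import socket
from pathlib import Path

# Constructed stand-in for what `pslist | nc ... 2222` would send.
SAMPLE_PSLIST_OUTPUT = b"Name  Pid Pri Thd Hnd  Priv\r\nnc   1104   8   1  28   236\r\n"


def collect_stream(reader, dest):
    """Copy the incoming byte stream to `dest` exactly as received (no newline
    translation, which is what `md5sum -b` also assumes) and hash the same bytes
    in the same pass. Writes the sidecar `<stem>.md5` as '<hex> *<name>'."""
    dest = Path(dest)
    md5 = hashlib.md5()
    with dest.open("wb") as out:
        while True:
            chunk = reader.read(65536)
            if not chunk:
                break
            out.write(chunk)
            md5.update(chunk)
    digest = md5.hexdigest()
    dest.with_suffix(".md5").write_text(f"{digest} *{dest.name}\n")
    return digest


def collect_bytes(data, dest):
    """Same as collect_stream, but from an in-memory byte string (for testing)."""
    return collect_stream(io.BytesIO(data), dest)


def verify_evidence(dest):
    """Recompute the MD5 of `dest` and compare it with the stored sidecar value."""
    dest = Path(dest)
    stored = dest.with_suffix(".md5").read_text().split()[0]
    return hashlib.md5(dest.read_bytes()).hexdigest() == stored


def listen_once(port, dest, bind="0.0.0.0"):
    """Accept a single connection from the victim host and collect what it sends."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind, port))
        srv.listen(1)
        conn, _peer = srv.accept()
        with conn, conn.makefile("rb") as reader:
            return collect_stream(reader, dest)


if __name__ == "__main__":
    print(listen_once(2222, "command.txt"))
```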
A variant of netcat named cryptcat
(http://sourceforge.net/projects/cryptcat) should be used instead
because it encrypts all of the data across the TCP channel. Because the
data is encrypted, intruders sniffing the network will not be able to
see what you are collecting.
To learn the processes the attacker executed use the pslist tool from
the PsTools suite distributed from www.sysinternals.com.
Sample output:
CommandLine: nc -d -L -n -p 60906 -e cmd.exe
This output indicates that netcat was configured to detach from the
console, listen on port 60906 and execute a command shell whenever
a connection occurred.
To obtain an image of physical memory from the live system, use:
D:\>dd.exe if=\\.\physicalmemory of=z:\JBRWWW_full_memory_dump.dd bs=4096
To obtain an image of the entire physical hard drive from the live
system without requiring a shutdown, reboot or disruption of service,
use:
D:\>dd.exe if=\\.\physicaldrive0 of=z:\JBRWWW_physicaldrive0.dd bs=4096
The -s switch tells psloglist to dump each event on a single line. The
-x switch tells psloglist to dump the extended information for each
event.
6) User Accounts
Use pwdump which dumps the user accounts.
7) IIS Logs
You cannot block what you must allow in.
The IIS Web server writes any activity to logs in the
C:\winnt\system32\logfiles directory by default. To see what is in
the logs, type them out.
First, execute this on the forensic workstation:
nc -v -l -p 2222 > ex030923.log
Port 515 is the port on which the printer daemon (lpd) typically listens.
Doing a quick search for Red Hat 7.0 and the printer daemon on
www.securityfocus.com, you see that this is a vulnerable TCP port.
3) Open TCP or UDP Ports
Run the following to see the process number that opened each port.
The -p switch only works on Linux and will not work on other flavors of
UNIX:
netstat -anp
The UNIX version of FPort is lsof for List Open Files. lsof is the single
most powerful tool in the Live Response toolkit for Unix systems.
Run:
lsof -n
Run:
mount or df