Forensics best practices - data location and cryptcat.

Posted on 2007-10-11
Last Modified: 2009-03-31
I'm creating a forensics CD and I'm trying to decide on the best way to accomplish my goal as I am stuck between a rock and a hard place.  The output from my forensics disk is more than the 1.44 MB that fits on a floppy.  I cannot output the data there.  I cannot use a USB stick in many cases as the USB is turned off.  I need to store the data before I use Cryptcat to send the information to the forensics server.  If I save the information to a local hard drive, I am altering the hard drive and I want to avoid that.  Network drives do not work as I would have to alter the local image.  I wanted to get someone's opinion on the best practices concerning forensics in these situations.

Thanks,

Awakenings

P.S.  If you know a way for me to program the output to send to Cryptcat without creating a local file, it would be an acceptable option.  I know I'll need to create a local hash on a floppy for output to hash the file as well and that is a consideration.
Question by:awakenings

16 Comments

Expert Comment

by:PowerIT
ID: 20059670
Which forensic tool are you using? Maybe it has the ability built in to split its output over multiple floppies, or to directly feed cryptcat?

J.

Author Comment

by:awakenings
ID: 20059804
J,

    This is a basic Windows forensic boot disk.  It does the netstat, etc. etc. etc.  It collects the information about the system before it is shunted elsewhere.  I am writing it using a batch file so I can run it quickly and a human is not doing the work, thus potentially altering the system.

----

    Maybe the issue is not knowing how to directly feed it to cryptcat.  The thing is, if I fed Cryptcat line by line, I'd have to access the security server again and again as Cryptcat turns off after it has been used once, so you have to shunt a whole file at once to it.  It would take 10+ floppies for me to copy the information.  I'm hoping to find another way.  My batch file has commands like:

netstat -ano >> cryptcat ServerIP

    But of course I can't do that for each line.  Without creating a file, is there a way to shunt it to cryptcat?  Of course if I do that, I'd just have to create a hash of the file separately while on the server instead of letting the batch file create the hash for me.

Thoughts?  Opinions?

Awakenings

Accepted Solution

by: PowerIT (earned 2000 total points)
ID: 20063482
Some thoughts yes: if this is a boot disk, how can USB be disabled?
If it's with physical locks, then someone responsible should be able to provide you with the keys.
If it's in the bios then you should be able to enable the USB ports without altering the system content. Just mention it in your report that it was disabled and only enabled for forensic access, in case questions are asked about leaking data or entering data that way.
If that's not an option then you can create a ramdisk, write your logs to the ramdisk and then use backup utility which can split. You then copy the content of the ramdisk with the splitter to several floppies. Also hash the ramdisk and store it on - probably the last - floppy.

J.

Author Comment

by:awakenings
ID: 20065446
PowerIT,

        This portion of the forensics deals with live data collection.  USB is disabled in the BIOS on many of our stations.  If I turned off the machine to turn on the BIOS then live data collection would be invalid because one should muck with the computer as little as possible.

    So how does one write information to RAM?  Also, I had another thought.  What if my disk did something like this:

forensicbat.bat | cryptcat SomeIP -p SomePort

    I'm running through some errors getting this going though trying this...

SomePort: inverse host lookup failed: h_errno 11004: NO_Data
no port[s] tp cpmmect tp: NO_DATA

    I'm just in the testing phase right now.  Of course the drawback is that I'll have to do the hash on the server.

Awakenings

Author Comment

by:awakenings
ID: 20065480
When I do a cryptcat -v SomeIP SomePort

I get the connection open (which is good), then I see:
farm9crypt_write 2
farm9crypt_write 32
etc. until
farm9crypt: ** 0 result **

then the application stops...  On the server side, cryptcat is still running and no file is output.  Cryptcat usually stops.  Any suggestions are appreciated.

Expert Comment

by:PowerIT
ID: 20066171
It's a running machine? You were talking about a 'basic forensic BOOT disk'.
Oh well, OK.  Then you should not use a RAM-disk.
I think you are missing the -p in the cryptcat verbose command you just showed.

J.

Expert Comment

by:PowerIT
ID: 20066181
BTW, have you tried with netcat?

J.

Author Comment

by:awakenings
ID: 20066275
J,

     Well I am in the process of making a live data collection CD to run on a live machine (hopefully never, but possibly in the future) to collect all the information I can about the machine.  The boot disk was my fault.  I was going to have a batch file that does all the work for me in a minimal amount of time so I am not mucking around with the machine during live data collection.  The data will be sent, via cryptcat, to the forensic server.  I chose cryptcat over netcat because of the encryption and no one else could theoretically take the information if they were on the wire (unless the forensics machine is owned in which case game over).

Awakenings

Expert Comment

by:PowerIT
ID: 20066308
I agree with the choice of cryptcat, but I am asking about using netcat just for trial and debugging purposes.

J.

Author Comment

by:awakenings
ID: 20066357
J,

     We have a freeze on the production forensics server due to an audit so I'm not installing anything new.  Cryptcat was already present so I'm testing with that.

Awakenings

Author Comment

by:awakenings
ID: 20066663
Ok...  I just need this to work...  I have netstat within the batch file.  Piping the batch file in Windows works, but I am having problems when piping it into cryptcat. Here is what I type (sanitized) on the client:

c:\temp\test.bat | cryptcat -v SomeIP SomePort

I hit enter

    It seems to do stuff as I am seeing the farm 9 messages posted above (and it clearly connects to the server), but it just sits there and waits....  I've been waiting for a half hour for it to finish.

Any thoughts?

Awakenings

Author Comment

by:awakenings
ID: 20201204
Hey!  I'm back on this project again.  I'm still running into the errors and it is very frustrating.  Any thoughts?

Again, I am trying

Client
forensic.bat | cryptcat -vvn 1.1.1.1 9999

Server:
cryptcat -l -p 9999 > /tmp/test.txt

Thanks!

Author Comment

by:awakenings
ID: 20227603
I have it working. I'll give you points.

Expert Comment

by:PowerIT
ID: 20230531
Nice! What solved it then?

J.

Author Comment

by:awakenings
ID: 20231710
PowerIT, it had to do with my inexperience with Cryptcat and not knowing what to expect.  It was working properly and I just needed to modify the batch file to exit properly.
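The shape of a collection script that works in the pipeline described in this thread (batch output piped straight into cryptcat, nothing written to the suspect's disk), as an added example that is not the asker's script; the command set, IP and port are illustrative assumptions, and the only point that matters is the explicit `exit` at the end so the pipe closes and cryptcat finishes:

```batch
@echo off
REM collect.bat - added example, not the script from the thread.
REM Everything goes to stdout so it can be piped straight into cryptcat,
REM   collect.bat | cryptcat -vvn 1.1.1.1 9999
REM without creating a file on the machine being examined.
REM IP, port and the command list are assumptions for illustration.
REM Both ends must be started with the same cryptcat key (-k).

echo ===== LIVE COLLECTION START =====
echo host: %COMPUTERNAME%   user: %USERNAME%
echo started:
date /t
time /t

REM Most volatile first: network state, then processes, then static
REM configuration, so anything that changes mid-run costs the least.
echo ===== netstat -ano =====
netstat -ano 2>&1

echo ===== tasklist =====
tasklist 2>&1

echo ===== net use (mapped drives) =====
net use 2>&1

echo ===== ipconfig /all =====
ipconfig /all 2>&1

echo finished:
time /t
echo ===== LIVE COLLECTION END =====

REM Terminate the interpreter, not just this script. When cmd exits, the
REM write end of the pipe closes, cryptcat sees end-of-file on stdin and
REM completes the transfer instead of sitting and waiting as seen above.
exit
```

On the receiving side, `cryptcat -l -p 9999 | tee /tmp/test.txt | sha256sum > /tmp/test.txt.sha256` writes the file and hashes the same bytes in one pass, which gives the server-side hash the thread mentions without a second read of the file. The `2>&1` on each command folds error text into the stream so a failed command is visible in the evidence rather than silently missing.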

Expert Comment

by:PowerIT
ID: 20231741
No problem, we have all been there - novices - and still are every time something new arrives ;-)

J.