awakenings asked:
Forensics best practices - data location and cryptcat.

I'm creating a forensics CD and I'm trying to decide on the best way to accomplish my goal, as I am stuck between a rock and a hard place.  The output from my forensics disk is more than the 1.44 MB that fits on a floppy.  I cannot output the data there.  I cannot use a USB stick in many cases as USB is turned off.  I need to store the data before I use Cryptcat to send the information to the forensics server.  If I save the information to a local hard drive, I am altering the hard drive, and I want to avoid that.  Network drives do not work as I would have to alter the local image.  I wanted to get someone's opinion on the best practices concerning forensics in these situations.

Thanks,

Awakenings

P.S.  If you know a way for me to program the output to send to Cryptcat without creating a local file, it would be an acceptable option.  I know I'll need to create a local hash on a floppy for output to hash the file as well and that is a consideration.
PowerIT:

Which forensic tool are you using? Maybe it has the ability built in to split its output over multiple floppies, or to directly feed cryptcat?

J.
awakenings (asker):
J,

    This is a basic Windows forensic boot disk.  It does the netstat, etc. etc. etc.  It collects the information about the system before it is shunted elsewhere.  I am writing it using a batch file so I can run it quickly and a human is not doing the work, thus potentially altering the system.

----

    Maybe the issue is not knowing how to directly feed it to cryptcat.  The thing is, if I fed Cryptcat line by line, I'd have to access the security server again and again, as Cryptcat turns off after it has been used once, so you have to shunt a whole file at once to it.  It would take 10+ floppies for me to copy the information.  I'm hoping to find another way.  My batch file has commands like:

netstat -ano >> cryptcat ServerIP

    But of course I can't do that for each line.  Without creating a file, is there a way to shunt it to cryptcat?  Of course if I do that, I'd just have to create a hash of the file separately while on the server instead of letting the batch file create the hash for me.

Thoughts?  Opinions?

Awakenings
PowerIT (accepted solution; its text is not shown on this page):
awakenings (asker):

PowerIT,

        This portion of the forensics deals with live data collection.  USB is disabled in the BIOS on many of our stations.  If I turned off the machine to turn on USB in the BIOS, then live data collection would be invalid, because one should muck with the computer as little as possible.

    So how does one write information to RAM?  Also, I had another thought.  What if my disk did something like this:

forensicbat.bat | cryptcat SomeIP -p SomePort

    I'm running into some errors getting this going, though, trying this...

SomePort: inverse host lookup failed: h_errno 11004: NO_DATA
no port[s] to connect to: NO_DATA

    I'm just in the testing phase right now.  Of course the drawback is that I'll have to do the hash on the server.

Awakenings
awakenings (asker):

When I do a cryptcat -v SomeIP SomePort

I get the connection open (which is good), then I see:
farm9crypt_write 2
farm9crypt_write 32
etc. until
farm9crypt: ** 0 result **

then the application stops...  On the server side, cryptcat is still running and no file is output.  Cryptcat usually stops.  Any suggestions are appreciated.
PowerIT:

It's a running machine? You were talking about a 'basic forensic BOOT disk'.
Oh well, OK.  Then you should not use a RAM-disk.
I think you are missing the -p in the cryptcat verbose command you just showed.

J.
PowerIT:

BTW, have you tried with netcat?

J.
awakenings (asker):

J,

     Well, I am in the process of making a live data collection CD to run on a live machine (hopefully never, but possibly in the future) to collect all the information I can about the machine.  The "boot disk" was my fault.  I was going to have a batch file that does all the work for me in a minimal amount of time so I am not mucking around with the machine during live data collection.  The data will be sent, via cryptcat, to the forensic server.  I chose cryptcat over netcat because of the encryption, so no one else could theoretically take the information if they were on the wire (unless the forensics machine is owned, in which case game over).

Awakenings
PowerIT:

I agree with the choice of cryptcat, but I am asking about using netcat just for trial and debugging purposes.

J.
awakenings (asker):

J,

     We have a freeze on the production forensics server due to an audit so I'm not installing anything new.  Cryptcat was already present so I'm testing with that.

Awakenings
awakenings (asker):

Ok...  I just need this to work...  I have netstat within the batch file.  Piping the batch file in Windows works, but I am having problems when piping it into cryptcat.  Here is what I type (sanitized) on the client:

c:\temp\test.bat | cryptcat -v SomeIP SomePort

I hit enter

    It seems to do stuff, as I am seeing the farm9 messages posted above (and it clearly connects to the server), but it just sits there and waits....  I've been waiting for a half hour for it to finish.

Any thoughts?

Awakenings
awakenings (asker):

Hey!  I'm back on this project again.  I'm still running into the errors and it is very frustrating.  Any thoughts?

Again, I am trying

Client:
forensic.bat | cryptcat -vvn 1.1.1.1 9999

Server:
cryptcat -l -p 9999 > /tmp/test.txt

Thanks!
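As an added example, not part of the thread and not the asker's batch file, here is the receiving side of the pipeline above rewritten so the forensics server hashes the stream in the same pass that writes it to disk. That addresses the asker's worry about having to hash on the server afterwards: the digest is computed from exactly the bytes that land in the evidence file, without re-reading it. Only the listener command (cryptcat -l -p 9999) and the /tmp path come from the thread; the function names, the evidence file name, the sha256sum/shasum fallback and the sample netstat lines are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): receive a stream from the collection
# host, store it, and compute its SHA-256 from the same bytes as they arrive.
#
# Assumptions not stated in the original post:
#  - the listener is the thread's own "cryptcat -l -p 9999"; everything after
#    the pipe is new
#  - sha256sum (coreutils) or shasum (macOS/BSD) is installed on the server
#  - the evidence directory is writable by the receiving user

# Pick whichever SHA-256 tool exists; both print "<hex>  <name>".
sha256_stream() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum
    else
        shasum -a 256
    fi
}

# Usage: receive_and_hash <outfile>
# Reads stdin, writes a verbatim copy to <outfile>, records "<hex>  <outfile>"
# in <outfile>.sha256, and prints the hex digest on stdout.
receive_and_hash() {
    out="$1"
    # tee writes the evidence file; the digest is taken from the identical
    # byte stream, so there is no second read of the file to hash it.
    digest=$(tee "$out" | sha256_stream | cut -d' ' -f1)
    printf '%s  %s\n' "$digest" "$out" > "$out.sha256"
    printf '%s\n' "$digest"
}

# Usage: verify_evidence <outfile>
# Recomputes the digest of the stored file and compares it with the recorded
# one. Returns 0 on match, 1 if the file no longer matches its .sha256 record.
verify_evidence() {
    out="$1"
    current=$(sha256_stream < "$out" | cut -d' ' -f1)
    recorded=$(cut -d' ' -f1 "$out.sha256")
    [ "$current" = "$recorded" ]
}

# Real use on the forensics server (cryptcat command as in the thread; the
# evidence file name is a placeholder):
#   cryptcat -l -p 9999 | receive_and_hash /tmp/host01-live.txt
#
# Offline demonstration with constructed lines standing in for netstat -ano
# output; runs only when invoked as: sh receiver.sh demo
if [ "$1" = "demo" ]; then
    printf 'Proto  Local Address  Foreign Address  State      PID\nTCP    0.0.0.0:135    0.0.0.0:0        LISTENING  900\n' \
        | receive_and_hash /tmp/demo-evidence.txt
    verify_evidence /tmp/demo-evidence.txt && echo "evidence verified"
fi
```

Because the digest is printed at receive time, it can be written into the case notes immediately; verify_evidence is the check to run before the file is handed to anyone else. Note that this only covers integrity on the server: the stream itself is still trusted as far as the collection host and cryptcat's shared key are.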
awakenings (asker):

I have it working. I'll give you points.

PowerIT:

Nice! What solved it then?

J.
awakenings (asker):

PowerIT, it had to do with my inexperience with Cryptcat and not knowing what to expect.  It was working properly and I just needed to modify the batch file to exit properly.

PowerIT:

No problem, we have all been there, as novices, and still are every time something new arrives ;-)

J.