Volatile Data Acquisition
Windows Volatile
UNIX Volatile
Volatile data should be taken as soon as the incident has been detected and before the system is rebooted.
As many attackers will replace the system binaries with malicious versions, trusted ones must be used.
An Incident Response Toolkit should contain a CD with the required binaries, statically linked, so that they do not depend on the (possibly trojaned) shared libraries of the compromised system.
Use flags so that hostnames are not resolved (e.g. -n), so that collection generates no DNS traffic from the suspect system and does not stall on lookups.
The easiest method of getting the data off of the system is using netcat to send the data to a trusted evidence server:
on server: # nc -l -p 4567 > ps.aux.out
on system: # ps -aux | nc 10.0.0.1 4567
Windows Volatile
fport.exe: List open ports and which process opened them (http://www.foundstone.com)
netstatp.exe: List open sockets
handle.exe -a: List all open files, tokens, and keys by process
pslist.exe -x: Show detailed listing of processes and threads
psservice.exe: List running services
listdlls.exe: List the loaded DLL paths, by process
psloggedon.exe: List users that are currently logged on
(netstatp, handle, pslist, psservice, listdlls, psloggedon: http://www.sysinternals.com)
date.exe /T: Get the system date
time.exe /T: Get the system time
UNIX Volatile
lsof -n -D i: List open files and sockets by process (do not resolve hostnames and do not create a device cache file)
netstat -nr: Routing table
netstat -nva: Open sockets
ps -el (ps -aux): Running processes
who -Thu: List of logged-in users
List partitions:
fdisk -l (Linux)
prtvtoc /dev/rdsk/c?t?d?s2 (Solaris)
date: Get system time to determine clock skew
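The following script is an added example, not part of the original slides, that ties together the trusted-binary rule and the netcat transfer from the volatile data slide with the UNIX command list above. It assumes (these are assumptions, not from the slides) that the IR CD is mounted at $TRUSTED_BIN, that the toolkit includes a statically linked nc, and that the evidence server operator starts one listener per item in the order the script prints with "plan". Output file names follow the slide's ps.aux.out convention.

```shell
#!/bin/sh
# Added example (not from the original slides): collect UNIX volatile data
# using only trusted, statically linked binaries from the IR CD and ship each
# output to an evidence server over netcat, pairing each item with a
# "nc -l -p PORT > file" listener as on the slide.
# Assumed (not from the slides): $TRUSTED_BIN mount point, a static nc on the CD.

TRUSTED_BIN="${TRUSTED_BIN:-/mnt/cdrom/bin}"   # assumed mount point of the IR CD
EVIDENCE_HOST="${EVIDENCE_HOST:-10.0.0.1}"     # evidence server from the slide
EVIDENCE_PORT="${EVIDENCE_PORT:-4567}"

# Collection order: most volatile first. Flags follow the slide: -n stops
# netstat/lsof from resolving hostnames (no DNS traffic from the suspect host),
# -D i stops lsof from writing a device cache file to the suspect disk.
VOLATILE_CMDS="date
ps -el
lsof -n -D i
netstat -nr
netstat -nva
who -Thu
fdisk -l"

# Derive the evidence file name the slide uses ("ps -aux" -> ps.aux.out):
# each space-dash separator becomes a dot, then ".out" is appended.
evidence_name() {
    printf '%s\n' "$1" | sed -e 's/ -*/./g' -e 's/$/.out/'
}

# Run one command line using only the toolkit copy of the binary. There is
# deliberately no fallback to $PATH: the system's own ps, netstat or lsof may
# have been replaced by the attacker, which is the reason the CD exists.
run_trusted() {
    cmd="${1%% *}"
    bin="$TRUSTED_BIN/$cmd"
    if [ ! -x "$bin" ]; then
        echo "skip: no trusted $cmd in $TRUSTED_BIN" >&2
        return 1
    fi
    set -- $1      # word-split the command line into name + arguments
    shift          # drop the name; the remaining words are the arguments
    "$bin" "$@"
}

# The listener line the evidence server operator runs for one item.
server_cmd() {
    printf 'nc -l -p %s > %s\n' "$EVIDENCE_PORT" "$(evidence_name "$1")"
}

# Print every listener line in collection order. Run this on the server side
# first: each listener exits after one connection, so one nc per item.
print_plan() {
    printf '%s\n' "$VOLATILE_CMDS" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        server_cmd "$line"
    done
}

# Send one item: trusted binary on the left of the pipe, trusted nc on the
# right, so nothing from the suspect system's own $PATH is executed.
send_one() {
    cmd="${1%% *}"
    for b in "$cmd" nc; do
        [ -x "$TRUSTED_BIN/$b" ] || { echo "skip $1: no trusted $b in $TRUSTED_BIN" >&2; return 1; }
    done
    echo "sending $(evidence_name "$1") to $EVIDENCE_HOST:$EVIDENCE_PORT" >&2
    run_trusted "$1" | "$TRUSTED_BIN/nc" "$EVIDENCE_HOST" "$EVIDENCE_PORT"
}

collect_all() {
    printf '%s\n' "$VOLATILE_CMDS" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        send_one "$line" || continue
        sleep 1    # give the operator's next listener a moment to come up
    done
}

# Usage: sh volatile.sh plan     (on the evidence server: listener lines to run)
#        sh volatile.sh collect  (on the suspect system, with the CD mounted)
case "${1:-}" in
    plan)    print_plan ;;
    collect) collect_all ;;
esac
```

Two practical notes: "nc -l -p 4567" is the traditional (GNU) netcat syntax the slide uses; the OpenBSD netcat shipped with many current distributions rejects -p together with -l and expects "nc -l 4567" instead, so check which nc is on the CD. Nothing here writes to the suspect system's disk; hashing of the received files is best done on the evidence server immediately after each transfer.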