The ninth session from a two day course I ran for potential first responders in a large financial services client.

1. Phil Huggins
February 2004

2.  Volatile Data Acquisition
 Windows Volatile
 UNIX Volatile

3.  Volatile data should be taken as soon as the incident has
been detected and before the system is rebooted.
 As many attackers will replace the system binaries with
malicious versions, trusted ones must be used.
 An Incident Response Toolkit should contain a CD with the
required binaries, statically linked
 Use flags so that hostnames are not resolved
 The easiest method of getting the data off of the system is
using netcat to send the data to a trusted evidence server.
 on server: # nc –l –p 4567 > ps.aux.out
 on system: # ps –aux | nc 10.0.0.1 4567

4.  fport.exe List open ports and which process opened them - fport
 (http://www.foundstone.com)
 netstatp.exe: To list open sockets
 handle.exe –a: To list all open files, tokens, and Keys by process
 pslist.exe -x: Show detailed listing of processes and threads
 psservice.exe: List running services
 listdlls.exe: List the loaded dll paths, by process
 psloggedon.exe: List users that are currently logged on
 (http://www.sysinternals.com)
 date.exe /T: Get the system date
 time.exe /T: Get the system time

12.  lsof -n -D i: List open files and sockets by process (do
not resolve host and do not create device file)
 netstat -nr: Routing Table
 netstat -nva: Open Sockets
 ps -el (ps -aux): Running Processes
 who -Thu: List of logged in users
 List Partitions:
 fdisk -l: (Linux)
 prtvtoc /dev/rdsk/c?t?d?s2: (Solaris)
 date: Get system time to determine clock skew