Software used before pulling the plug  

anitajshah
(@anitajshah)
New Member

Anyone familiar with trusted software or methods that can be used before "pulling the plug" and a search site to document running processes and other information that might be needed.

Posted : 24/02/2005 4:41 pm
andy1500mac
(@andy1500mac)
Member

Would depend on the operating system. There are some commands native to Windows that work well such as tasklist and netstat (switches for each will provide some versatility; type /? after the command to see them). Fport, which I think is available from Foundstone, will also show open ports and associated PIDs.

These are a few I’m familiar with…what running them on a live system will do to any subsequent investigation (in terms of modifying any time stamps etc…) someone with more experience would be better equipped to answer.

Hope it helps,
Andrew

Posted : 24/02/2005 5:31 pm
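To show how the native commands mentioned in this reply (tasklist, netstat) fit into a repeatable live collection, here is an added example script; it is not code from the thread or from any of the tools named in it. It assumes an elevated PowerShell session on the suspect machine and an output path on removable media (the drive letter, file names and command set are assumptions to adjust for the case at hand). Every command is run in a fixed order, its output is saved, and the start time, end time and SHA-256 of each output file are written to a collection log, so the examiner can later account for exactly what was executed on the live system and when, which is the concern raised above about modifying timestamps.

```powershell
# Added example (not from the thread): minimal Windows live-response collector.
# Run from an elevated prompt; point $OutDir at removable media so nothing is
# written to the suspect disk. Drive letter, file names and commands are assumptions.
param(
    [string]$OutDir = "E:\volatile_$($env:COMPUTERNAME)_$(Get-Date -Format yyyyMMdd_HHmmss)"
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$log = Join-Path $OutDir "collection_log.txt"

function Write-Log([string]$msg) {
    # ISO 8601 timestamp on every log line so the order of actions is unambiguous
    "$(Get-Date -Format o) $msg" | Out-File -FilePath $log -Append -Encoding utf8
}

# Run one native command, save its output, and record start/end time plus a
# SHA-256 of the output file so the collected data can be shown to be unaltered.
function Invoke-Collect([string]$Name, [string]$Command) {
    $outFile = Join-Path $OutDir "$Name.txt"
    Write-Log "START $Name : $Command"
    cmd.exe /c $Command 2>&1 | Out-File -FilePath $outFile -Encoding utf8
    $hash = (Get-FileHash -Path $outFile -Algorithm SHA256).Hash
    Write-Log "END   $Name : sha256=$hash"
}

Write-Log "Collector started on $env:COMPUTERNAME as $env:USERNAME"

# Ordered roughly by volatility: clock and logged-on state first, then network
# state (connections, ARP cache), then processes, then slower-changing config.
Invoke-Collect "01_datetime"    "echo %DATE% %TIME%"
Invoke-Collect "02_whoami"      "whoami /all"
Invoke-Collect "03_netstat"     "netstat -ano"
Invoke-Collect "04_arp"         "arp -a"
Invoke-Collect "05_tasklist"    "tasklist /v"
Invoke-Collect "06_services"    "tasklist /svc"
Invoke-Collect "07_ipconfig"    "ipconfig /all"
Invoke-Collect "08_netsessions" "net session"
Invoke-Collect "09_systeminfo"  "systeminfo"

Write-Log "Collector finished"

# Print a final hash manifest for the case notes (the log file's own hash is
# included and should be recorded after the script exits, since it is appended to last).
Get-FileHash -Path (Join-Path $OutDir "*.txt") -Algorithm SHA256 |
    Select-Object Hash, Path | Format-Table -AutoSize
```

The ordering matters more than the particular commands: the network table and process list change fastest, so they are captured before the configuration data. Running anything on the live box does alter state (prefetch entries, file access times, a new cmd.exe process in the very list being captured), which is why the log records each command and its hash rather than trying to avoid the footprint altogether.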
anitajshah
(@anitajshah)
New Member

I'm mainly interested in windows operating systems and in capturing information that is potentially lost when pulling the plug.

Posted : 24/02/2005 7:49 pm
keydet89
(@keydet89)
Community Legend

anitajshah,

There are a couple of ways to go about this…one that I recommend is to use the Forensic Server Project (FSP):
http://www.windows-ir.com/fsp.html

If you have any questions, please drop me a line.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

Posted : 25/02/2005 5:17 pm
gmarshall139
(@gmarshall139)
Active Member

Encase Enterprise Edition and the Field Intelligence module both have these features.

Posted : 25/02/2005 7:22 pm
keydet89
(@keydet89)
Community Legend

anitajshah,

Have any of the suggestions been helpful?

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

Posted : 01/03/2005 12:06 pm
anitajshah
(@anitajshah)
New Member

Thanks for all your suggestions. I have been able to retrieve useful information from http://www.windows-ir.com/fsp.html .
I've also received tips on using tools like pslist and netstat.

I am really looking to retrieve volatile information from standalone machines. Stuff that would be lost by yanking the plug. So any other suggestions would be appreciated.

Thanks in advance.

Posted : 01/03/2005 5:31 pm
keydet89
(@keydet89)
Community Legend

I am really looking for retrieving volatile information from standalone machines.

Well, that's what the FSP was designed for. If you have any questions, drop me a line…keydet89 at yahoo dot com

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

Posted : 02/03/2005 7:31 pm