Software used before pulling the plug

8 Posts
4 Users
0 Likes
579 Views
(@anitajshah)
Posts: 3
New Member
Topic starter
 

Anyone familiar with trusted software or methods that can be used before "pulling the plug" and a search site to document running processes and other information that might be needed.

 
Posted : 24/02/2005 4:41 pm
andy1500mac
(@andy1500mac)
Posts: 79
Trusted Member
 

Would depend on the operating system. There are some commands native to Windows that work well such as tasklist and netstat (switches for each will provide some versatility; type /? after the command to see them). Fport, which I think is available from Foundstone, will also show open ports and associated PIDs.

These are a few I’m familiar with…what running them on a live system will do to any subsequent investigation (in terms of modifying any time stamps etc…) someone with more experience would be better equipped to answer.

Hope it helps,
Andrew

 
Posted : 24/02/2005 5:31 pm
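The correlation Andrew describes (netstat for sockets, tasklist for processes, Fport to tie ports to PIDs) can be reproduced offline from the captured text output, which is useful when the tool output has already been saved and the live box is gone. The script below is an added example, not code from the thread or from any of the tools named in it. It parses constructed samples of `netstat -ano` and `tasklist /FO CSV /NH` output (the PIDs, addresses and image names are invented), joins the two on PID, lists listening ports per process, and builds a record (length, SHA-256, UTC collection time) for each captured output so the investigator can note what was collected and when. PID 9999 is deliberately missing from the tasklist sample to show how a process that exited between the two snapshots shows up.

```python
import csv
import hashlib
import io
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of `netstat -ano` output; not captured from a real host.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:1052      203.0.113.7:80         ESTABLISHED     1716
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       9999
  UDP    0.0.0.0:500            *:*                                    712
"""

# Constructed sample of `tasklist /FO CSV /NH` output (image name, PID,
# session name, session number, memory usage). PID 9999 is deliberately
# absent to model a process that exited between the two snapshots.
TASKLIST_SAMPLE = '''"System","4","Console","0","236 K"
"svchost.exe","880","Console","0","4,212 K"
"lsass.exe","712","Console","0","1,004 K"
"iexplore.exe","1716","Console","0","18,772 K"
'''

# One netstat row: protocol, local, foreign, optional state (UDP has none), PID.
_NETSTAT_ROW = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$"
)


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /FO CSV /NH` output."""
    pids = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[1].isdigit():
            pids[int(row[1])] = row[0]
    return pids


def parse_netstat(text):
    """Yield one dict per TCP/UDP row of `netstat -ano` output."""
    for line in text.splitlines():
        m = _NETSTAT_ROW.match(line)
        if not m:
            continue  # header, blank, or 'Active Connections' lines
        proto, local, foreign, state, pid = m.groups()
        addr, port = local.rsplit(":", 1)  # rsplit keeps an IPv6 '[::]:135' intact
        yield {
            "proto": proto,
            "local_addr": addr,
            "local_port": int(port),
            "foreign": foreign,
            "state": state or "",
            "pid": int(pid),
        }


def correlate(netstat_text, tasklist_text):
    """Attach an image name to every socket, flagging PIDs tasklist never saw."""
    pids = parse_tasklist(tasklist_text)
    rows = []
    for sock in parse_netstat(netstat_text):
        sock["image"] = pids.get(sock["pid"], f"unknown(pid={sock['pid']})")
        rows.append(sock)
    return rows


def listening_by_process(rows):
    """Image name -> sorted ports it listens on (TCP LISTENING or any UDP socket)."""
    result = defaultdict(list)
    for r in rows:
        if r["proto"] == "UDP" or r["state"] == "LISTENING":
            result[r["image"]].append(r["local_port"])
    return {image: sorted(ports) for image, ports in result.items()}


def evidence_record(name, text):
    """Describe one captured output (size, hash, UTC time) for the case notes."""
    data = text.encode("utf-8")
    return {
        "name": name,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "length": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


if __name__ == "__main__":
    rows = correlate(NETSTAT_SAMPLE, TASKLIST_SAMPLE)
    for r in rows:
        print(f"{r['proto']:<4} {r['local_port']:>5} {r['state']:<12} {r['pid']:>5} {r['image']}")
    print(listening_by_process(rows))
    for name, text in (("netstat -ano", NETSTAT_SAMPLE), ("tasklist /FO CSV /NH", TASKLIST_SAMPLE)):
        print(evidence_record(name, text))
```

Because the two commands run one after the other, a PID can appear in netstat but not in tasklist (or the reverse); the `unknown(pid=...)` marker keeps that gap visible instead of silently dropping the socket, which is the kind of detail worth recording alongside the collection order and timestamps that the thread's later replies worry about.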
(@anitajshah)
Posts: 3
New Member
Topic starter
 

I'm mainly interested in windows operating systems and in capturing information that is potentially lost when pulling the plug.

 
Posted : 24/02/2005 7:49 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

anitajshah,

There are a couple of ways to go about this…one that I recommend is to use the Forensic Server Project (FSP):
http://www.windows-ir.com/fsp.html

If you have any questions, please drop me a line.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

 
Posted : 25/02/2005 5:17 pm
(@gmarshall139)
Posts: 378
Reputable Member
 

Encase Enterprise Edition and the Field Intelligence module both have these features.

 
Posted : 25/02/2005 7:22 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

anitajshah,

Have any of the suggestions been helpful?

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

 
Posted : 01/03/2005 12:06 pm
(@anitajshah)
Posts: 3
New Member
Topic starter
 

Thanks for all your suggestions. I have been able to retrieve useful information from http://www.windows-ir.com/fsp.html .
I've also received tips on using tools like pslist and netstat.

I am really looking for retrieving volatile information from standalone machines. Stuff that would be lost by yanking the plug. So any other suggestions would be appreciated.

Thanks in advance.

 
Posted : 01/03/2005 5:31 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I am really looking for retrieving volatile information from standalone machines.

Well, that's what the FSP was designed for. If you have any questions, drop me a line…keydet89 at yahoo dot com

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

 
Posted : 02/03/2005 7:31 pm