
Urgent reply requested and guideline needed

4 Posts
2 Users
0 Reactions
376 Views
(@fezsupper0)
New Member
Joined: 16 years ago
Posts: 2
Topic starter  

Hello Friends,

I am really new to the forensic field. I am doing a Master of Engineering in Information Systems Security. I like this IT security field.

Since I am more interested in working in the digital forensics field, I have started reading digital forensics books. I bought two books: one is File System Forensics and the other one is Real Digital Forensics.

I started reading the “Real Digital Forensics” book yesterday and am trying to use its commands as they are mentioned in the book. I am stuck on chapter one of this book due to a few issues, which I am going to describe below.

The name of that book’s chapter one is Windows Live Response.

According to that chapter, in Windows live response we have to collect volatile and non-volatile data from the attacked system.

My experiment:

1- I have made a virtual network with Windows Server 2003 as a domain, Windows 2003 as a client, Windows XP as a client, and Windows XP
2- On Windows XP, which is used to collect the data and is known as the forensic system, and on Windows Server 2003, which is the domain, I installed the Netcat tool from http://www.securityfocus.com/tools/139 and unzipped it on each system.
3- Then I opened the command prompt on both systems and typed this command on the forensic system: “nc -v -l -p 2222 > command.txt”
4- On the Windows server I typed this command: “command | nc 192.168.1.69 2222”

As soon as I typed the above commands on each system, the command prompt of the forensic system showed that the connection was established. Then I went back to the attacked system, where I need to gather data such as the current time and date of the attacked system. I typed the date and time commands in the command prompt, but it does nothing; it is not even showing anything on the forensic system…???

Now my problem is that whatever command I type in the attacked system's command prompt, I get a copy of those commands in the forensic system's command.txt document, but not the outputs.

I got this output in the forensic text file:

Microsoft(R) Windows DOS
(C)Copyright Microsoft Corp 1990-2001.

C:\DOCUME~1\ADMINI~1.SER\DESKTOP\NC111NT>date

C:\DOCUME~1\ADMINI~1.SER\DESKTOP\NC111NT>time

I do not know where I am failing or what I have done wrong.

I will be really thankful if someone helps me or guides me to collect the volatile and non-volatile data in Windows live response.

I hope to hear a positive reply, and thanks in advance for helping and guiding me.


(@bjgleas)
Estimable Member
Joined: 21 years ago
Posts: 114
 

3- Then I opened the command prompt on both systems and typed this command on the forensic system: “nc -v -l -p 2222 > command.txt”
4- On the Windows server I typed this command: “command | nc 192.168.1.69 2222”

Are you actually typing the word "command"? That would open a command prompt and pipe the output to the nc…

Try this:

on the collection system: nc -v -l -p 2222 > diroutput.txt

on the target system: dir | nc 192.168.1.69 2222

If the command doesn't return to the command prompt, wait a few seconds and hit control-C. You should now see the output of the DIR command in diroutput.txt

Normally these command sequences are used with automated batch utilities that collect a lot of information, such as fred-nc from the Helix CD.

Hope this helps,

bj


(@fezsupper0)
New Member
Joined: 16 years ago
Posts: 2
Topic starter  

Hello Bj,

I have tried your method. It was working, but I still got something a little confusing.

**********************************************************
*******************************************************
1- As soon as I typed nc -v -l -p 2222 > diroutput.txt on the forensic system and dir | nc 192.168.1.69 on the attacked or targeted system, the connection was established and a file was created under the name diroutput.txt in the folder. As soon as I opened that file I got the output given below…

Volume in drive C has no label.
Volume Serial Number is AC5A-1418

Directory of C:\Documents and Settings\Administrator.SERVER1\Desktop\nc111nt

11/14/2009 02:02 PM <DIR> .
11/14/2009 02:02 PM <DIR> ..
12/28/2004 11:23 AM 12,166 doexec.c
07/09/1996 04:01 PM 7,283 generic.h
11/06/1996 10:40 PM 22,784 getopt.c
11/03/1994 07:07 PM 4,765 getopt.h
02/06/1998 03:50 PM 61,780 hobbit.txt
12/27/2004 05:37 PM 18,009 license.txt
11/28/1997 02:36 PM 544 makefile
12/29/2004 01:07 PM 61,440 nc.exe
12/29/2004 01:07 PM 69,662 netcat.c
12/27/2004 05:44 PM 6,833 readme.txt
10 File(s) 265,266 bytes
2 Dir(s) 21,000,998,912 bytes free

After that I terminated the connection by pressing Ctrl+C and then typed the same command again with a little change, nc -v -l -p 2222 > dateoutput.txt on the forensic system and date | nc 192.168.1.69 on the attacked or targeted system; the connection was established and a file was created under the name dateoutput.txt in the folder. As soon as I opened that file I got the output given below…

The current date is: Mon 11/16/2009
Enter the new date: (mm-dd-yy)

I repeated the same step again to get the current time, putting time instead of date, i.e. nc -v -l -p 2222 > timeoutput.txt on the forensic system and time | nc 192.168.1.69 on the attacked or targeted system, and the file I got on the forensic system contains ….

The current time is: 17:11:59.39
Enter the new time:

*******************************************************
**********************************************************
2- As a forensic investigator, do I have to run that command every time with a new extension or a modified command, just like dir, time, date, etc.?

3- Actually, I am a little confused about how I can get volatile or non-volatile data from the attacked system: by running those commands again and again, or do I need to start a netcat session and start retrieving the data from the attacked system…?

4- I am doing the same thing as stated in this link: http://www.ethicalhacker.net/index2.php?option=com_content&do_pdf=1&id=19

Please have a look at the above link and let me know where I am failing or doing wrong and what I should do.

I will really appreciate your kind reply…

Thanks,
Fez


(@bjgleas)
Estimable Member
Joined: 21 years ago
Posts: 114
 

2- As a forensic investigator, do I have to run that command every time with a new extension or a modified command, just like dir, time, date, etc.?

3- Actually, I am a little confused about how I can get volatile or non-volatile data from the attacked system: by running those commands again and again, or do I need to start a netcat session and start retrieving the data from the attacked system…?

Fez

Normally, a forensic investigator will run a batch file containing many commands in it and redirect the output to netcat.

Volatile data is data that will be lost when the system is turned off… RAM, network connections, etc. So you might have a batch file that starts with

date
time
netstat -an
etc…

You might also run win32dd (or something similar) to capture RAM (check out FRED for an idea). Anyway, all that stuff is copied to the other system via netcat and stored in the one big text file that you can process later. The idea is that on the suspect system you should do as little as possible - run the script, save the output, and get out. Then (and this can get complicated and opinions vary on it), you do a hard shutdown on the system (pull the plug), and then image the hard drive to get the non-volatile data (hard drive).

There are times when you might image the hard drive on a live system (encryption, etc), but these decisions need to be done on a case-by-case basis.

bj


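To make the two ideas in this thread concrete (the listener/pipe pattern from bj's first reply and the batch file of volatile-data commands from his second), here is an added example of a live-response batch file; it is not from the thread, the book, or Helix/FRED. It assumes nc.exe sits next to the .bat file on the suspect system and that the collection workstation is 192.168.1.69 (the address used in the thread), already listening with nc -v -l -p 2222 > liveresponse.txt; the section markers and the use of only built-in cmd.exe tools are my choices.

```batch
@echo off
REM Added example (not from the thread, the book, or Helix/FRED): a minimal
REM live-response collection script run on the suspect system.
REM Assumptions: nc.exe sits next to this .bat file; the collection workstation
REM (192.168.1.69 as in the thread) is already listening with
REM     nc -v -l -p 2222 > liveresponse.txt
REM Only built-in cmd.exe tools are used so nothing new is installed on the box.

set COLLECTOR=192.168.1.69
set PORT=2222
set NC=%~dp0nc.exe

REM The whole parenthesised group is one output stream, so a single netcat
REM session (one connection, one file) carries every section.
REM date /t and time /t print the value without the "Enter the new date:"
REM prompt seen in the thread, which is why they are used instead of date/time.
REM The ==== markers make the one big file easy to split up later.
(
  echo ==== HOST: %COMPUTERNAME% ====
  echo ==== DATE ====
  date /t
  echo ==== TIME ====
  time /t
  echo ==== NETWORK CONFIGURATION ====
  ipconfig /all
  echo ==== LISTENING PORTS AND CONNECTIONS ====
  netstat -an
  echo ==== ROUTING TABLE ====
  netstat -rn
  echo ==== ARP CACHE ====
  arp -a
  echo ==== RUNNING PROCESSES ====
  tasklist
  echo ==== MAPPED NETWORK DRIVES ====
  net use
  echo ==== LOGGED-ON SESSIONS ====
  net session
  echo ==== COLLECTION FINISHED ====
  time /t
) | "%NC%" %COLLECTOR% %PORT%
```

When the script returns, press Ctrl-C on the listener as bj describes; the port in the last line must match the one given to nc -l -p on the collection system.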