Writing Live data t...
Clear all

Writing Live data to a local USB key

Junior Member

So far most of things I've read say that you must send data over the network to a destination host (usually via a netcat pipe or something) when collecting live data from a system.

My question is, how 'bad juju' or 'bad practice' is it to stick a large usb key in the compromised host and send your live data to that if you needed to?


Topic starter Posted : 05/06/2005 6:30 am
New Member

First of all, there is always the chance that the hacker will find out that you are collecting evidence and overwrite/destroy the data you collected (I have seen this happen).
You can prevent this by sending the data via netcat to a well protected box.

Also will it be easier to prove that nobody tampereded with the evidence, because it was inaccessible for others.

Posted : 05/06/2005 9:56 am
Community Legend

My question is, how 'bad juju' or 'bad practice' is it to stick a large usb key in the compromised host and send your live data to that if you needed to?

If you're mucking around and don't really know what you're doing, then yes, it is possible that a "hacker" could see what you're up to and overwrite the data you're collecting.

If you're talking about Windows, though, the "hacker" may not be so quick to see what's going on, unless of course, they've installed something like VNC…and if they did, you'd see the mouse moving as they took over control, etc.

If you have your data collection tools on a CD, and the data collection process is automated, then you shouldn't have any problem at all using a USB thumb drive as your data repository. In fact, I'm developing just such a tool, using the FSP/FRU as a basis.

Again, if you're on a Windows system, you have to keep in mind the effect that plugging in a USB device has on the system. According to research I've conducted and published, specific Registry keys are added under the HKLM\SYSTEM hive, and the setupapi.log file is updated, as well. If you're collecting evidence as part of a law enforcement-based application, you may want to use a tool like InControl5 to document the changes made to an exemplar system when the USB device is plugged into the system.

H. Carvey
"Windows Forensics and Incident Recovery"

Posted : 06/06/2005 1:17 pm

Hi all,

This is somewhat related to the above topic and an opinion would be appreciated.

I have a USB thumb drive with various apps (listdlls, psinfo, pslist etc…) that can be used should I have to pull info from a live system. Included on the drive is a copy of cmd.exe and a batch file I run to collect the data.

On the live system is typing the full path to the cmd.exe in the run dialogue box and then running the batch file preferable to going into my computer-selecting the drive and clicking away to launch it. I know an entry will be added to the registry in regards to what I’ve typed in “run” hence the question on what is preferable…

My assumption is that if you are forced to do some sort of live analysis as long as you explain why, how and what setting may have been changed by your “tools” all is good, so to speak..?


Posted : 23/07/2005 4:37 pm