Writing Live data to a local USB key

tebodell
Member
 

Writing Live data to a local USB key

Posted: Jun 05, 05 05:30

So far, most of the things I've read say that you must send data over the network to a destination host (usually via a netcat pipe or something) when collecting live data from a system.

My question is, how 'bad juju' or 'bad practice' is it to stick a large usb key in the compromised host and send your live data to that if you needed to?

Thanks,
Tebodell  
 
  

Djazz
Newbie
 

Re: Writing Live data to a local USB key

Posted: Jun 05, 05 08:56

First of all, there is always the chance that the hacker will find out that you are collecting evidence and overwrite/destroy the data you collected (I have seen this happen).
You can prevent this by sending the data via netcat to a well protected box.

It will also be easier to prove that nobody tampered with the evidence, because it was inaccessible to others.
 
  

keydet89
Senior Member
 

Re: Writing Live data to a local USB key

Posted: Jun 06, 05 12:17

My question is, how 'bad juju' or 'bad practice' is it to stick a large usb key in the compromised host and send your live data to that if you needed to?

If you're mucking around and don't really know what you're doing, then yes, it is possible that a "hacker" could see what you're up to and overwrite the data you're collecting.

If you're talking about Windows, though, the "hacker" may not be so quick to see what's going on, unless of course, they've installed something like VNC...and if they did, you'd see the mouse moving as they took over control, etc.

If you have your data collection tools on a CD, and the data collection process is automated, then you shouldn't have any problem at all using a USB thumb drive as your data repository. In fact, I'm developing just such a tool, using the FSP/FRU as a basis.

Again, if you're on a Windows system, you have to keep in mind the effect that plugging in a USB device has on the system. According to research I've conducted and published, specific Registry keys are added under the HKLM\SYSTEM hive, and the setupapi.log file is updated, as well. If you're collecting evidence as part of a law enforcement-based application, you may want to use a tool like InControl5 to document the changes made to an exemplar system when the USB device is plugged into the system.

H. Carvey
"Windows Forensics and Incident Recovery"
www.windows-ir.com
windowsir.blogspot.com  
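An added example of the "tools on read-only media, automated collection, thumb drive as repository" arrangement described in the post above. This is not the FSP/FRU or any tool from the thread; it is a minimal PowerShell runner written for this page. It assumes the trusted tool copies live on a CD or write-protected drive at $ToolDir, that the evidence thumb drive is $OutDir, and that the Sysinternals executables named (pslist, listdlls, psinfo) are present there; all of those paths and tool names are assumptions.

```powershell
# Added example, not code from the thread or from the FSP/FRU.
# Runs a fixed set of collection tools from trusted media ($ToolDir, assumed),
# writes each tool's output to the evidence thumb drive ($OutDir, assumed),
# and hashes every output file as it is written so the report can show the
# data has not changed since collection. Requires PowerShell 4+ for Get-FileHash.
param(
    [string]$ToolDir = "D:\tools",     # CD or write-protected USB (assumed path)
    [string]$OutDir  = "E:\evidence"   # thumb drive used as the repository (assumed path)
)

# One directory per host and collection time, so repeated runs never overwrite.
$case = Join-Path $OutDir ("{0}_{1:yyyyMMdd_HHmmss}" -f $env:COMPUTERNAME, (Get-Date))
New-Item -ItemType Directory -Path $case -Force | Out-Null
$log = Join-Path $case "collection.log"

function Write-Log {
    param([string]$Message)
    # Timestamped audit trail of what the examiner ran and when.
    "{0:u} {1}" -f (Get-Date), $Message | Add-Content -Path $log
}

function Invoke-Collector {
    param([string]$Name, [string]$Exe, [string[]]$Arguments)
    $out  = Join-Path $case "$Name.txt"
    $tool = Join-Path $ToolDir $Exe
    if (-not (Test-Path $tool)) {
        Write-Log "SKIP $Name ($tool not found)"
        return
    }
    Write-Log "START $Name : $tool $($Arguments -join ' ')"
    # Always run the trusted copy from $ToolDir, never a binary on the suspect host.
    & $tool @Arguments 2>&1 | Out-File -FilePath $out -Encoding UTF8
    $hash = (Get-FileHash -Path $out -Algorithm SHA256).Hash
    Write-Log "END   $Name : sha256=$hash"
    "$hash  $Name.txt" | Add-Content -Path (Join-Path $case "hashes.txt")
}

Write-Log "Collection started on $env:COMPUTERNAME by $env:USERNAME"

# Most volatile data first. Tool names and switches are assumptions
# (Sysinternals tools accept -accepteula to suppress the licence dialog).
Invoke-Collector -Name "netstat"  -Exe "netstat.exe"  -Arguments @("-ano")
Invoke-Collector -Name "pslist"   -Exe "pslist.exe"   -Arguments @("-accepteula")
Invoke-Collector -Name "listdlls" -Exe "listdlls.exe" -Arguments @("-accepteula")
Invoke-Collector -Name "psinfo"   -Exe "psinfo.exe"   -Arguments @("-accepteula")

# Hash the log itself last, so the audit trail is covered as well.
$logHash = (Get-FileHash -Path $log -Algorithm SHA256).Hash
"$logHash  collection.log" | Add-Content -Path (Join-Path $case "hashes.txt")
```

Because every tool is invoked by its full path on the trusted media, nothing on the compromised host is executed by the script itself, and the hashes.txt file gives the examiner a per-artifact integrity record that is independent of whether the repository was a network pipe or a local USB key.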
 
  

andy1500mac
Senior Member
 

Re: Writing Live data to a local USB key

Posted: Jul 23, 05 15:37

Hi all,

This is somewhat related to the above topic and an opinion would be appreciated.

I have a USB thumb drive with various apps (listdlls, psinfo, pslist etc…) that can be used should I have to pull info from a live system. Included on the drive is a copy of cmd.exe and a batch file I run to collect the data.

On the live system, is typing the full path to cmd.exe in the Run dialogue box and then running the batch file preferable to going into My Computer, selecting the drive and clicking away to launch it? I know an entry will be added to the registry in regard to what I've typed in "Run", hence the question on what is preferable…

My assumption is that if you are forced to do some sort of live analysis, as long as you explain why, how and what settings may have been changed by your "tools", all is good, so to speak..?

Andrew-  
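An added example, not code from either of the posts above, covering two points raised in the thread: H. Carvey's advice to document on an exemplar system what plugging in the USB device changes under HKLM\SYSTEM and in setupapi.log, and Andrew's question about the Run dialogue leaving a registry entry. The script snapshots the relevant keys before and after the examiner plugs in the drive and launches the collection, then reports what was added. The output directory, the use of PowerShell instead of InControl5, and the Vista-and-later location of setupapi.dev.log are assumptions; the USBSTOR, Enum\USB, MountedDevices and RunMRU key paths are the documented locations.

```powershell
# Added example, not code from the thread. Run once with -Phase before (USB key
# not yet inserted, nothing typed into Run), then plug in the key, launch the
# collection the way you intend to in the field, and run again with -Phase after.
# Requires administrator rights to read HKLM\SYSTEM and PowerShell 4+ for Get-FileHash.
param(
    [string]$OutDir = "C:\exemplar-footprint",   # assumed output location on the exemplar
    [ValidateSet("before", "after")][string]$Phase = "before"
)

# Keys touched by a USB mass-storage insertion (HKLM) and by Start > Run (HKCU).
$Keys = @(
    "HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR",
    "HKLM:\SYSTEM\CurrentControlSet\Enum\USB",
    "HKLM:\SYSTEM\MountedDevices",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
)

function Export-KeySnapshot {
    param([string]$Path)
    # Flatten a key and all of its subkeys into "key|name=value" lines so that
    # two snapshots can be compared line by line with Compare-Object.
    if (-not (Test-Path $Path)) { return @() }
    $lines = @()
    $items = @(Get-Item $Path) + @(Get-ChildItem $Path -Recurse -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $lines += $item.PSPath
        foreach ($name in $item.GetValueNames()) {
            $value = $item.GetValue($name)
            # MountedDevices holds binary values; render them as hex so they compare cleanly.
            if ($value -is [byte[]]) { $value = ($value | ForEach-Object { $_.ToString("x2") }) -join "" }
            $lines += "$($item.PSPath)|$name=$value"
        }
    }
    return $lines
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$file = Join-Path $OutDir "registry-$Phase.txt"
$snapshot = foreach ($k in $Keys) { Export-KeySnapshot -Path $k }
$snapshot | Set-Content -Path $file -Encoding UTF8

# Hash each snapshot so the exemplar record can itself be shown to be unaltered.
$hash = (Get-FileHash -Path $file -Algorithm SHA256).Hash
"$hash  $(Split-Path $file -Leaf)" | Add-Content -Path (Join-Path $OutDir "hashes.txt")

# Preserve the setup log that records the driver installation:
# setupapi.log on XP, setupapi.dev.log on Vista and later (assumed locations).
foreach ($log in @("$env:windir\setupapi.log", "$env:windir\inf\setupapi.dev.log")) {
    if (Test-Path $log) {
        Copy-Item $log -Destination (Join-Path $OutDir "$(Split-Path $log -Leaf).$Phase")
    }
}

# On the second run, list everything the USB insertion and the Run launch added.
if ($Phase -eq "after") {
    $before = Get-Content (Join-Path $OutDir "registry-before.txt")
    $after  = Get-Content $file
    Compare-Object -ReferenceObject $before -DifferenceObject $after |
        Where-Object { $_.SideIndicator -eq "=>" } |
        ForEach-Object { "ADDED: $($_.InputObject)" }
}
```

The "after" diff will show the new device instance under USBSTOR and Enum\USB, the new volume entry under MountedDevices, and, if the batch file was launched through Start > Run, the typed command line under RunMRU. That list, together with the copied setupapi log, is the documentation of the examiner's own footprint that the thread suggests preparing on an exemplar before a real collection.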