On LON-WEB1, open the Event Viewer mmc snap-in, select the System event log, then select Save Log File As and save the system log under another name:
Example: C:\Backup\SysEvent-Backup.evt
From LON-WEB1, send the SysEvent-Backup.evt file to the CHFI-XP2 machine:
D:\Forensics\Netcat>
nc -v 131.107.1.254 99 < C:\Backup\SysEvent-Backup.evt
From the CHFI-XP2 machine, receive the file (this listener must already be running before the client command above is issued, or the connection is refused):
C:\Tools\Netcat>
nc -v -L -p 99 -w 60 > E:\Evidence\SysEvent-Backup.evt
To analyze:
On CHFI-XP2, open Event Viewer and load the file to view the events.
Thursday, June 24, 2010
Overt Analysis (Forensics)
Use mmc on the CHFI-XP2 machine and connect to the evidence machine (LON-WEB1).
Launch the mmc with runas:
C:\>runas /user:LON-WEB1\administrator "mmc"
Once mmc has been launched, connect to the evidence machine.
Link:
Forensics Acquisition Utility (FAU)
http://gmgsystemsinc.com/fau/
Covert Analysis I (Forensics)
On CHFI-XP2, launch Netcat in Listening Mode (-L is the Windows Netcat "listen harder" option: it re-listens after each client disconnects, so every command sent below appends to the same file):
C:\Tools\Netcat>nc -v -L -p 99 >> E:\Evidence\MyEvidence.txt
On LON-WEB1, launch Netcat in Client Mode:
D:\Forensics\Netcat>date /t | nc 131.107.1.254 99 -w10
D:\Forensics\Netcat>time /t | nc 131.107.1.254 99 -w10
D:\Forensics\Netcat>ipconfig /all | nc 131.107.1.254 99 -w10
D:\Forensics\Netcat>netstat -an | nc 131.107.1.254 99 -w10
D:\Forensics\Netcat>nbtstat -n | nc 131.107.1.254 99 -w10
D:\Forensics\Netcat>arp -a | nc 131.107.1.254 99 -w10
D:\Forensics\Netcat>route print | nc 131.107.1.254 99 -w10
D:\Forensics\Netcat>tasklist | nc 131.107.1.254 99 -w10
Display registry values:
D:\Forensics\Netcat>reg query hklm\software\microsoft\windows\currentversion\run | nc 131.107.1.254 99 -w10
If you need to launch Netcat from a different directory,
call it by its full path:
D:\Forensics\>cd Sysinternalssuite
D:\Forensics\Sysinternalssuite>pslist | D:\Forensics\Netcat\nc 131.107.1.254 99 -w10
D:\Forensics\Sysinternalssuite>psloggedon | D:\Forensics\Netcat\nc 131.107.1.254 99 -w10
D:\Forensics\Sysinternalssuite>psloglist | D:\Forensics\Netcat\nc 131.107.1.254 99 -w10
D:\Forensics\Sysinternalssuite>psservice | D:\Forensics\Netcat\nc 131.107.1.254 99 -w10
D:\Forensics\Sysinternalssuite>psfile | D:\Forensics\Netcat\nc 131.107.1.254 99 -w10
D:\Forensics\Sysinternalssuite>pipelist | D:\Forensics\Netcat\nc 131.107.1.254 99 -w10
D:\Forensics\Sysinternalssuite>listdlls | D:\Forensics\Netcat\nc 131.107.1.254 99 -w10
D:\Forensics\Sysinternalssuite>procfeatures | D:\Forensics\Netcat\nc 131.107.1.254 99 -w10
MyEvidence.txt is the file that stores the collected evidence.
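The commands above are typed one at a time, each opening its own connection, and the receiver gets raw output with nothing saying which command produced it. The batch file below is an added example (not from the original post): it runs the same collection in one pass, labels every section with the command name and a timestamp, and sends the whole stream over a single Netcat connection. It assumes the paths, address and port used in the walkthrough and that the listener (nc -v -L -p 99 >> E:\Evidence\MyEvidence.txt) is already running on CHFI-XP2.

```batch
@echo off
rem collect.cmd - run from D:\Forensics on LON-WEB1 (evidence machine).
rem Assumed layout (matches the walkthrough): Netcat in D:\Forensics\Netcat,
rem PsTools in D:\Forensics\Sysinternalssuite, collector at 131.107.1.254:99.
rem Note: running this itself changes the live state (a cmd.exe and nc.exe appear
rem in tasklist/pslist); one pass keeps that footprint smaller than ten sessions.
if "%~1"=="collect" goto :collect

setlocal
set NC=D:\Forensics\Netcat\nc.exe
set COLLECTOR=131.107.1.254
set PORT=99
rem A "call :label" cannot be piped in cmd, so re-invoke this script in a child
rem cmd.exe with the "collect" argument and pipe that child's output to Netcat.
"%~f0" collect | "%NC%" %COLLECTOR% %PORT% -w 10
endlocal
goto :eof

:collect
set PSTOOLS=D:\Forensics\Sysinternalssuite
echo ===== Volatile data collection from %COMPUTERNAME% =====
echo Collected by: %USERDOMAIN%\%USERNAME%
date /t
time /t
rem Most volatile data first: network state, then processes, then persistence keys.
for %%C in ("ipconfig /all" "netstat -an" "nbtstat -n" "arp -a" "route print" "tasklist") do (
    echo.
    echo ===== %%~C =====
    %%~C 2>&1
)
echo.
echo ===== reg query HKLM\...\CurrentVersion\Run =====
reg query hklm\software\microsoft\windows\currentversion\run 2>&1
rem PsTools and other Sysinternals utilities, called by full path (stderr kept as evidence).
for %%T in (pslist psloggedon psloglist psservice psfile pipelist listdlls procfeatures) do (
    echo.
    echo ===== %%T =====
    "%PSTOOLS%\%%T" 2>&1
)
echo.
echo ===== Collection finished =====
time /t
goto :eof
```

Sysinternals tools may show a licence prompt on first use on a machine; run them once on the forensic workstation beforehand so the collection on the evidence machine does not stall.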