Orion Incident Response Live CD
The orion-tunnel command uses SSH port forwarding to bring a short list of services on the primary responder's system to localhost on the secondary responder's system. For example, if the secondary responder runs orion-tunnel and then opens the URL http://localhost/ in a web browser, the browser displays, via the encrypted SSH tunnel, the RTIR web interface served by the primary system.
Port forwarding works by starting an SSH session with one or more -L command line options: -L lport:rhost:rport makes SSH listen on port lport on the local host and forward every connection it receives, through the SSH session, to port rport on the host rhost (rhost is resolved on the SSH server's side, so 127.0.0.1 there means the primary system itself). Dynamic port forwarding (the -D option) could instead turn the session into a SOCKS proxy for arbitrary destinations, but the connections between handler systems are deliberately kept to a minimum, both to avoid unwelcome surprises and so that connections to 127.0.0.1:<port> do "the right thing" automatically whether the primary handler is local or remote.
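As an added example (not the orion-tunnel script itself, whose contents this page does not show), the following POSIX shell functions build the ssh command line that forwards the ports listed on this page to the secondary responder's loopback, and flag the ports that need root to bind locally. The SSH destination user@primary.example is a placeholder, and mapping each service to the same port number on both ends is an assumption.

```shell
#!/bin/sh
# Added example: build an ssh -L command line that forwards the services named
# on this page to 127.0.0.1 on the secondary responder's system. This is NOT
# the orion-tunnel script; the same-port mapping and the placeholder
# destination "user@primary.example" are assumptions.

# Ports named on this page (smtp, smtps, imaps, xmpp, http). Assumed to be
# forwarded to the same port number locally.
ORION_PORTS="25 465 993 5222 8504"

# Emit one -L option per port. Both addresses are 127.0.0.1 on purpose:
#   bind address 127.0.0.1 -> the listener is on the secondary's loopback only,
#                             so other hosts on its LAN cannot ride the tunnel
#   target host  127.0.0.1 -> resolved by sshd on the primary, i.e. the service
#                             listening on the primary's own loopback
tunnel_args() {
    args=""
    for p in "$@"; do
        args="$args -L 127.0.0.1:$p:127.0.0.1:$p"
    done
    printf '%s\n' "${args# }"
}

# Full command line.
#   -N                           no remote shell; the session exists only for the tunnel
#   -o ExitOnForwardFailure=yes  fail loudly if any -L listener cannot be set up,
#                                instead of starting with some services missing
tunnel_cmd() {
    printf 'ssh -N -o ExitOnForwardFailure=yes %s %s\n' "$(tunnel_args $ORION_PORTS)" "$1"
}

# Local ports below 1024 can only be bound by root (Linux default), so an
# unprivileged responder starting the tunnel would lose 25, 465 and 993.
# Run this first to decide whether the tunnel must be started as root.
privileged_ports() {
    out=""
    for p in "$@"; do
        [ "$p" -lt 1024 ] && out="$out $p"
    done
    printf '%s\n' "${out# }"
}

# Because every forwarded service appears at 127.0.0.1:<port> on the secondary,
# and at the same address on the primary itself, client settings (browser,
# mail, XMPP) can be identical regardless of which handler they run on.
```

Calling tunnel_cmd user@primary.example prints the ssh line to run; privileged_ports $ORION_PORTS prints 25 465 993, the forwards that require the tunnel to be started as root (or, on Linux, a lowered net.ipv4.ip_unprivileged_port_start sysctl). ExitOnForwardFailure=yes is the check that matters in practice: without it ssh logs a warning for a port it could not bind and carries on, and the responder only discovers the missing service when a client connection to it fails.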
Services forwarded by orion-tunnel:
Orion web site
25/465 (smtp/s), 8504 (http), 993 (imaps), 5222 (xmpp)
RTIR web interface
6.5.1. Shared Desktop
Desktop sharing is another extremely valuable capability during incident response. In Orion, desktops are shared using VNC (Virtual Network Computing) tunneled over SSH. The x11vnc program exports the already-running X11 display zero (:0) over VNC, so a remote VNC session attaches to the console session the local user is working in, rather than to a separate virtual desktop. The remote user connects with SSVNC, the enhanced TightVNC viewer (http://www.karlrunge.com/x11vnc/ssvnc.html), which sets up the SSH tunnel to the VNC session itself.
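As an added example of the x11vnc-plus-SSH arrangement just described (not Orion's own scripts), these shell functions produce the sharer-side x11vnc command, the manual tunnel-and-viewer pair that SSVNC builds for the remote user, and a check over `ss -ltn` output that the VNC listener really is confined to loopback. The SSH destination user@primary.example and the password-file path are placeholders, and the two listener samples are constructed.

```shell
#!/bin/sh
# Added example, not part of Orion: share X display :0 with x11vnc confined to
# loopback, reach it through an SSH tunnel, and verify the confinement.
# Placeholders: SSH destination "user@primary.example", VNC password file path.

# Sharer side: run on the console whose display :0 is being shared.
#   -display :0   export the live console session, not a new virtual desktop
#   -localhost    listen on 127.0.0.1 only; the SSH tunnel is the only way in
#   -rfbport N    TCP port of the RFB (VNC) listener, conventionally 5900
#   -rfbauth FILE VNC password file (from vncpasswd) on top of the SSH login
#   -once         exit when the viewer disconnects, leaving nothing behind
x11vnc_cmd() {
    printf 'x11vnc -display :0 -localhost -rfbport %s -rfbauth %s -once\n' "$1" "$2"
}

# Viewer side: the two steps SSVNC performs for the user. The local listener is
# bound to 127.0.0.1 and the remote target is the sharer's loopback, so the VNC
# stream never leaves the encrypted SSH session. $1 = sharer's VNC port,
# $2 = SSH destination.
viewer_cmds() {
    printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:5900:127.0.0.1:%s %s\n' "$1" "$2"
    printf 'vncviewer localhost:0\n'   # VNC display :0 is TCP port 5900
}

# Check on the sharer: feed `ss -ltn` output on stdin; succeed only if every
# LISTEN socket on the given port is bound to a loopback address. A 0.0.0.0 or
# [::] binding means -localhost did not take effect and the console is
# reachable (protected by the VNC password alone) from the whole network.
vnc_bound_to_loopback_only() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, f, ":"); p = f[n]
            addr = substr($4, 1, length($4) - length(p) - 1)
            if (p == port && addr != "127.0.0.1" && addr != "[::1]") bad++
        }
        END { exit (bad > 0) }'
}

# Constructed samples of `ss -ltn` output for exercising the check.
SS_SAFE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      5      127.0.0.1:5900     0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

SS_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      5      0.0.0.0:5900       0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'
```

On the sharer, `ss -ltn | vnc_bound_to_loopback_only 5900` after starting x11vnc is the one check worth making a habit of: the VNC password is the only thing between the console and anyone who can reach an exposed listener, while a loopback-only listener is reachable solely by an authenticated SSH user. SSVNC automates the ssh -L and vncviewer steps; the manual form is shown so that what is being tunneled is explicit.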