X hits on this document

120 views

0 shares

0 downloads

0 comments

25 / 47

Orion Incident Response Live CD 2

6.6. Data Acquisition

Acquiring data related to an incident is a task that needs to be done quickly, but also carefully. Digital forensics experts recommend retrieving data in the order of volatility (Henry, 2009). There are many forensic imaging software packages. Some of these are included in Orion, and others can be installed. Orion also includes a simple script, described below, for acquisition of volatile Windows system information.

6.6.1. Remote Files and Logs

In order to analyze logs and malware samples, Orion provides several scripts for acquiring the data from remote hosts. The remote hosts might be other analysts’ systems, or they might be compromised systems. In the latter case, caution needs to be exercised when passing credentials. The current version of Orion attempts to use encrypted protocols and encourages the use of SSH key pairs, but it otherwise provides no mitigation against remote services replaced with trojan software. This is a topic for future research.

The acquire-path script can be invoked from the Orion menu or command line to retrieve files from a remote host. The script uses scp if the path specifies a remote host name or cp if not. The latter case is useful if the remote file system has already been mounted locally with sshfs, SMB, or other protocols.

John Jarocki, john.jarocki@gmail.com

Document info
Document views120
Page views121
Page last viewedSat Dec 03 21:52:32 UTC 2016
Pages47
Paragraphs864
Words8806

Comments