Orion Incident Response Live CD 2

6.6. Data Acquisition

Acquiring data related to an incident is a task that needs to be done quickly, but also carefully. Digital forensics experts recommend retrieving data in the order of volatility (Henry, 2009). There are many forensic imaging software packages. Some of these are included in Orion, and others can be installed. Orion also includes a simple script, described below, for acquisition of volatile Windows system information.

6.6.1. Remote Files and Logs

In order to analyze logs and malware samples, Orion provides several scripts for acquiring the data from remote hosts. The remote hosts might be other analysts’ systems, or they might be compromised systems. In the latter case, caution needs to be exercised when passing credentials. The current version of Orion attempts to use encrypted protocols and encourages the use of SSH key pairs, but it otherwise provides no mitigation against remote services replaced with trojan software. This is a topic for future research.

The acquire-path script can be invoked from the Orion menu or command line to retrieve files from a remote host. The script uses scp if the path specifies a remote host name or cp if not. The latter case is useful if the remote file system has already been mounted locally with sshfs, SMB, or other protocols.
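The scp-or-cp dispatch described above, as an added POSIX shell example (not Orion's own acquire-path script). The function names is_remote_path, acquire_cmd and acquire_path are illustrative; the SHA-256 recorded after the copy is an addition not mentioned in the text, and the sample paths are constructed.

```shell
#!/bin/sh
# Added example re-implementing the logic the text describes: copy with scp
# when the source is an scp-style remote spec, otherwise with cp (for a path
# already mounted via sshfs, SMB, etc.). Not Orion's acquire-path script.

# Return 0 when SRC looks like a remote spec (host:path or user@host:path).
# A leading /, ./, ../ or ~ forces a local reading, the same convention scp
# uses, so a local file with a colon in its name ("./odd:name.log") stays local.
is_remote_path() {
    case "$1" in
        /*|./*|../*|"~"*) return 1 ;;
        *:*)              return 0 ;;
        *)                return 1 ;;
    esac
}

# Print the command that acquire_path would run for SRC -> DEST (dry run).
acquire_cmd() {
    if is_remote_path "$1"; then
        # -p preserves modification times, -q silences the progress meter
        printf 'scp -p -q %s %s\n' "$1" "$2"
    else
        # -p preserves mode and timestamps on the local copy
        printf 'cp -p -- %s %s\n' "$1" "$2"
    fi
}

# Copy SRC to DEST with the chosen tool, then print a SHA-256 of the result
# so the acquired copy can be verified later (an addition to the described script).
acquire_path() {
    src=$1; dest=$2
    if is_remote_path "$src"; then
        scp -p -q "$src" "$dest"
    else
        cp -p -- "$src" "$dest"
    fi
    # When DEST is a directory the file keeps its base name; ${src##*:} drops
    # any host prefix before taking the base name.
    target=$dest
    [ -d "$dest" ] && target="$dest/$(basename "${src##*:}")"
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum -- "$target"
    else
        shasum -a 256 -- "$target"
    fi
}
```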

