Orion Incident Response Live CD 2
Figure 19: Orion acquire-path menu item
The acquire-path tool is simple, but it enforces a standard methodology for transferring data to the responder’s system in a repeatable way. It uses encrypted file transfers and an SSH key pair for authentication when the public key has been distributed to the remote host. The example below also shows the MD5, SHA1, and SHA256 hashes that are stored in hashes.md5.txt, hashes.sha1.txt, and hashes.sha256.txt in the data store. The timestamp stored when the hashes are written allows multiple copies of the same data to be retrieved at different times. The hashes can be compared to detect changes.
root@orion:~# /orion/scripts/acquire-path john@host:/tmp/a.pcap
/usr/bin/scp -i /root/.ssh/orion -r john@host:/tmp/a.pcap /root/data/tmp
Enter passphrase for key ‘/root/.ssh/orion’: 100% 0
Sun Apr 11 01:19:40 BST 2010
Hit any key to close this window
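The record-and-compare step described above, as an added sketch that is not the Orion acquire-path script: each acquisition appends a timestamped digest to hashes.md5.txt, hashes.sha1.txt and hashes.sha256.txt, and the two most recent entries for a path are compared. The function names and the `<timestamp> <digest> <path>` line layout are assumptions, since the page does not show the file format.

```shell
#!/bin/sh
# Added example, not Orion's own code. Assumed record layout, one line per
# acquisition: <UTC timestamp> <hex digest> <path>

# record_hashes FILE STORE_DIR: append a timestamped digest of FILE to
# hashes.md5.txt, hashes.sha1.txt and hashes.sha256.txt in STORE_DIR.
record_hashes() {
    file=$1 store=$2
    [ -f "$file" ] || { echo "not a regular file: $file" >&2; return 2; }
    mkdir -p "$store" || return 2
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    for alg in md5 sha1 sha256; do
        digest=$("${alg}sum" < "$file" | cut -d' ' -f1)
        [ -n "$digest" ] || { echo "${alg}sum failed on $file" >&2; return 2; }
        printf '%s %s %s\n' "$stamp" "$digest" "$file" >> "$store/hashes.$alg.txt"
    done
}

# last_two_digests FILE STORE_DIR ALG: print the digests recorded for the two
# most recent acquisitions of FILE, oldest first. The path is everything after
# the second field, so paths containing spaces still match.
last_two_digests() {
    WANT=$1 awk '{ path = $0; sub(/^[^ ]+ [^ ]+ /, "", path) }
                 path == ENVIRON["WANT"] { print $2 }' "$2/hashes.$3.txt" | tail -n 2
}

# compare_acquisitions FILE STORE_DIR: print "unchanged" (return 0) or
# "changed" (return 1); return 2 if fewer than two acquisitions are recorded.
# SHA256 is used for the comparison.
compare_acquisitions() {
    set -- "$1" "$2" $(last_two_digests "$1" "$2" sha256)
    [ $# -eq 4 ] || { echo "need two acquisitions of $1" >&2; return 2; }
    if [ "$3" = "$4" ]; then echo unchanged; return 0; fi
    echo changed; return 1
}
```

Because the files are append-only, earlier acquisitions stay on record and any two of them can be compared later by timestamp.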