Orion Incident Response Live CD 2

Figure 19: Orion acquire-path menu item

The acquire-path tool is simple, but it enforces a standard methodology for transferring data to the responder’s system in a repeatable way. It uses encrypted file transfers and an SSH key pair for authentication when the public key has been distributed to the remote host. The example below also shows the MD5, SHA1, and SHA256 hashes that are stored in hashes.md5.txt, hashes.sha1.txt, and hashes.sha256.txt in the data store. The timestamp stored when the hashes are written allows multiple copies of the same data to be retrieved at different times. The hashes can be compared to detect changes.

root@orion:~# /orion/scripts/acquire-path john@host:/tmp/a.pcap
/usr/bin/scp -i /root/.ssh/orion -r john@host:/tmp/a.pcap /root/data/tmp
Enter passphrase for key ‘/root/.ssh/orion’:
a.pcap                                        100%    0     0.0KB/s   00:00
# Sun Apr 11 01:19:40 BST 2010
d41d8cd98f00b204e9800998ecf8427e  /root/data/tmp/a.pcap
Hit any key to close this window
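The hash bookkeeping described above, sketched as an added shell example; it is not the Orion acquire-path script. The function names are hypothetical, the entry layout (a timestamp comment line followed by hash and path) is assumed from the session output, and the coreutils md5sum, sha1sum and sha256sum tools are assumed to be installed.

```shell
#!/bin/sh
# Added example, not Orion's acquire-path script. Function names are hypothetical.
# Assumed entry layout, taken from the session output: "# <timestamp>" then "<hash>  <path>".

# record_hashes FILE STORE: append one timestamped entry per algorithm.
record_hashes() {
    stamp=$(date)
    for algo in md5 sha1 sha256; do
        {
            printf '# %s\n' "$stamp"
            "${algo}sum" "$1"
        } >> "$2/hashes.$algo.txt" || return 1
    done
}

# hash_history FILE STORE [ALGO]: print each recorded hash for FILE, oldest first.
hash_history() {
    awk -v f="$1" '$1 != "#" && substr($0, length($1) + 3) == f { print $1 }' \
        "$2/hashes.${3:-sha256}.txt"
}

# changed_since_last FILE STORE: exit 0 only if the two newest SHA256 entries differ.
changed_since_last() {
    set -- $(hash_history "$1" "$2" | tail -n 2)
    [ $# -eq 2 ] && [ "$1" != "$2" ]
}

# Constructed demo: "acquire" the same path twice, with the content changing in between.
demo() {
    store=$(mktemp -d) || return 1
    printf 'first capture\n' > "$store/a.pcap"
    record_hashes "$store/a.pcap" "$store"
    printf 'second capture\n' > "$store/a.pcap"
    record_hashes "$store/a.pcap" "$store"
    if changed_since_last "$store/a.pcap" "$store"; then
        echo "a.pcap changed between acquisitions"
    else
        echo "a.pcap unchanged"
    fi
    rm -rf "$store"
}
demo
```

The MD5 shown in the session above, d41d8cd98f00b204e9800998ecf8427e, is the digest of empty input, which matches the 0-byte transfer in the scp progress line.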

John Jarocki, john.jarocki@gmail.com
