
Orion Incident Response Live CD

Notice that the file a.pcap was zero bytes in length in the first transfer and has grown in this second example to 28 bytes and now has different hashes.

root@orion:~# /orion/scripts/acquire-path john@host:/tmp/a.pcap
/usr/bin/scp -i /root/.ssh/orion -r john@host:/tmp/a.pcap /root/data//tmp
Enter passphrase for key '/root/.ssh/orion':
a.pcap                                        100%   28     0.0KB/s   00:00
# Sun Apr 11 01:20:29 BST 2010
663863b054d8792e6f3ab1249d5a4f7f  /root/data/tmp/a.pcap
Hit any key to close this window

This can be seen by viewing the hash files themselves. If a file is being collected repeatedly via a cron job, for example, a change in its hash between acquisitions can be used to alert the responder to a new condition. In this way, Orion can be used as a detective tool.

root@orion:~# tail data/md5.hashes
# Sun Apr 11 01:19:40 BST 2010
d41d8cd98f00b204e9800998ecf8427e  /root/data/tmp/a.pcap
# Sun Apr 11 01:20:29 BST 2010
663863b054d8792e6f3ab1249d5a4f7f  /root/data/tmp/a.pcap
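As an added example (not part of the Orion scripts or of this paper), the following Python reads an md5.hashes log in the format shown above and reports every path whose hash differs from its previous acquisition, which is the alerting step the text describes; the sample log is constructed from the two entries above, and the empty-file detection is an extra check not mentioned on the page.

```python
import re

# acquire-path log format as shown on this page: a "#" comment line carrying
# the acquisition timestamp, followed by "<md5>  <path>" lines.
# Constructed sample built from the two acquisitions shown above.
SAMPLE_LOG = """\
# Sun Apr 11 01:19:40 BST 2010
d41d8cd98f00b204e9800998ecf8427e  /root/data/tmp/a.pcap
# Sun Apr 11 01:20:29 BST 2010
663863b054d8792e6f3ab1249d5a4f7f  /root/data/tmp/a.pcap
"""

MD5_LINE = re.compile(r"^([0-9a-f]{32})\s+(.+)$")
EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"  # MD5 of zero bytes of input


def parse_hash_log(text):
    """Return (timestamp, md5, path) tuples in file order."""
    records = []
    timestamp = None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if line.startswith("#"):
            timestamp = line[1:].strip()  # new acquisition block
            continue
        m = MD5_LINE.match(line)
        if m:
            records.append((timestamp, m.group(1), m.group(2)))
    return records


def detect_changes(records):
    """Alert on every path whose hash differs from its previous acquisition."""
    last = {}      # path -> (timestamp, md5) of the most recent acquisition
    alerts = []
    for ts, md5, path in records:
        if path in last and last[path][1] != md5:
            alerts.append({"path": path, "old": last[path][1], "new": md5,
                           "old_time": last[path][0], "new_time": ts,
                           "was_empty": last[path][1] == EMPTY_MD5})
        last[path] = (ts, md5)
    return alerts


if __name__ == "__main__":
    for a in detect_changes(parse_hash_log(SAMPLE_LOG)):
        note = " (previous copy was zero bytes)" if a["was_empty"] else ""
        print(f"CHANGED {a['path']}: {a['old']} -> {a['new']} at {a['new_time']}{note}")
```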

In some cases, the data to be acquired will already be mounted on the responder's workstation. The file system might be mounted using sshfs or SMB/CIFS from a remote system. Another possibility is that a read-only copy of an acquired drive is mounted using loopback (mount -o ro,loop image.dd /mnt/dd) or, in the case of VMware disk images (vmdk), the vmware-mount.pl utility (http://www.vmware.com/support/reference/linux/loopback_linux.html).

When the data is mounted, the responder can use acquire-path to retrieve a subset of the data, place it in the data area, and perform the same hashing that is performed when acquiring data from a remote system. Since acquire-path uses the bash readline function

John Jarocki, john.jarocki@gmail.com
