
Orion Incident Response Live CD 2

Figure 20: Using FTK Imager in Orion

7. Awareness

Since Orion is intended to be used in the line of fire during an incident, it includes a number of tools that aid in situational awareness for the responder. One such tool, etherape (http://etherape.sourceforge.net/), is a graphical monitor for network activity. Etherape is a quick way to assess the type and direction of network traffic flow on the LAN. Another included tool is arpalert (http://www.arpalert.org/), which watches ARP activity on the local area network and detects any non-whitelisted MAC addresses. It can also be configured to run arbitrary commands to alert the responder or take other actions. Since SSH is the only authorized protocol, Orion also uses the denyhosts (http://denyhosts.sourceforge.net/) tool to blacklist IP addresses that are the source of too many failed SSH login attempts.
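The two alerting ideas in the paragraph above, the arpalert-style MAC allow-list check and the denyhosts-style failed-SSH-login threshold, are easy to see in a few lines of code. The following is an added example written for this page, not code from the Orion project or from the arpalert/denyhosts tools themselves; the allow list, the ARP observations and the sshd log lines are all constructed, and the threshold of five failures is an arbitrary choice for the illustration.

```python
"""Added example (not from the Orion paper): the two alerting ideas the
paragraph describes, implemented over constructed sample data.

  * arpalert-style check: flag ARP replies from MAC addresses that are
    not on an allow list.
  * denyhosts-style check: count failed SSH logins per source IP and
    return the addresses that exceed a threshold.

All log lines and addresses below are constructed for the example."""
import re
from collections import Counter

# Constructed allow list: MAC addresses the responder expects on the LAN.
KNOWN_MACS = {
    "00:11:22:33:44:55",   # router (constructed)
    "aa:bb:cc:dd:ee:01",   # responder's workstation (constructed)
}

# Constructed ARP observations as (ip, mac) pairs, the way an ARP monitor
# would record them from replies seen on the wire.
ARP_OBSERVATIONS = [
    ("192.0.2.1", "00:11:22:33:44:55"),
    ("192.0.2.10", "aa:bb:cc:dd:ee:01"),
    ("192.0.2.23", "de:ad:be:ef:00:01"),   # not on the allow list
    ("192.0.2.1", "de:ad:be:ef:00:02"),    # gateway IP claimed by an unknown MAC
]


def unknown_macs(observations, known=KNOWN_MACS):
    """Return the (ip, mac) pairs whose MAC is not on the allow list."""
    return [(ip, mac) for ip, mac in observations if mac.lower() not in known]


# Constructed sshd auth log lines in the usual syslog format.
AUTH_LOG = """\
Dec  8 10:15:01 orion sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Dec  8 10:15:03 orion sshd[2203]: Failed password for root from 203.0.113.5 port 51030 ssh2
Dec  8 10:15:04 orion sshd[2205]: Accepted publickey for responder from 192.0.2.10 port 40112 ssh2
Dec  8 10:15:05 orion sshd[2207]: Failed password for invalid user test from 203.0.113.5 port 51041 ssh2
Dec  8 10:15:09 orion sshd[2209]: Failed password for invalid user oracle from 203.0.113.5 port 51055 ssh2
Dec  8 10:15:12 orion sshd[2211]: Failed password for responder from 192.0.2.10 port 40120 ssh2
Dec  8 10:15:20 orion sshd[2213]: Failed password for invalid user admin from 203.0.113.5 port 51070 ssh2
"""

# Matches sshd "Failed password" events and captures the source IPv4 address.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for .* from (\d+\.\d+\.\d+\.\d+) port \d+"
)


def failed_logins_by_ip(log_text):
    """Count 'Failed password' sshd events per source IP address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def ips_to_block(log_text, threshold=5):
    """Source addresses with at least `threshold` failed SSH logins."""
    return sorted(ip for ip, n in failed_logins_by_ip(log_text).items() if n >= threshold)


if __name__ == "__main__":
    for ip, mac in unknown_macs(ARP_OBSERVATIONS):
        print(f"ARP alert: unknown MAC {mac} answered for {ip}")
    counts = failed_logins_by_ip(AUTH_LOG)
    for ip in ips_to_block(AUTH_LOG):
        print(f"blocking {ip}: {counts[ip]} failed SSH logins")
```

The fourth ARP observation is the case worth watching for: a MAC that is not on the allow list answering for the gateway's IP address, which is what an ARP monitor on the responder's LAN is there to surface. The real tools keep state across time windows and act on it (arpalert by running a configured command, denyhosts by writing the address to the TCP wrappers deny file); this example only shows the decision each of them makes.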

The Orion script tcpick-int uses the tcpick (http://tcpick.sourceforge.net/) utility for highlighting incoming traffic with color and extracting TCP options and data. This can be run in a small window to watch for unexpected traffic. Here is an example of an unexpected telnet session attempt:

John Jarocki, john.jarocki@gmail.com
