Orion Incident Response Live CD 2
Figure 20: Using FTK Imager in Orion
Since Orion is intended to be used in the line of fire during an incident, it includes a number of tools that aid in situational awareness for the responder. One such tool, etherape (http://etherape.sourceforge.net/), is a graphical monitor for network activity. Etherape is a quick way to assess the type and direction of network traffic flow on the LAN. Another included tool is arpalert (http://www.arpalert.org/), which watches ARP activity on the local area network and detects any non-whitelisted MAC addresses. It can also be configured to run arbitrary commands to alert the responder or take other actions. Since SSH is the only authorized protocol, Orion also uses the denyhosts (http://denyhosts.sourceforge.net/) tool to blacklist IP addresses that are the source of too many failed SSH login attempts.
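The two checks described above (a MAC whitelist for ARP activity and a failed-SSH-login threshold per source address), reimplemented here as a small added example; this is not code from Orion, arpalert or denyhosts. It assumes ARP state in `ip neigh` output format and SSH failures in standard sshd syslog format, and all sample lines are constructed.

```python
"""Added example: arpalert-style MAC whitelist check and denyhosts-style
failed-login counter over constructed sample input (not Orion's own code)."""
import re
from collections import Counter

# Constructed `ip neigh` output: the third host is not on the whitelist.
ARP_SAMPLE = """\
10.0.0.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
10.0.0.20 dev eth0 lladdr 00:11:22:33:44:20 STALE
10.0.0.99 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
"""

# Constructed sshd log lines: 10.0.0.99 fails three times, 10.0.0.20 once.
AUTH_SAMPLE = """\
Apr 12 10:01:02 orion sshd[1201]: Failed password for invalid user admin from 10.0.0.99 port 51234 ssh2
Apr 12 10:01:05 orion sshd[1201]: Failed password for invalid user admin from 10.0.0.99 port 51236 ssh2
Apr 12 10:01:09 orion sshd[1203]: Failed password for root from 10.0.0.99 port 51240 ssh2
Apr 12 10:02:00 orion sshd[1210]: Failed password for analyst from 10.0.0.20 port 40022 ssh2
Apr 12 10:02:04 orion sshd[1210]: Accepted publickey for analyst from 10.0.0.20 port 40022 ssh2
"""

ARP_RE = re.compile(r"^(\S+) dev \S+ lladdr ([0-9a-f:]{17})", re.I)
FAIL_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port")


def unknown_macs(neigh_output, whitelist):
    """arpalert-style check: (ip, mac) pairs whose MAC is not on the whitelist."""
    allowed = {m.lower() for m in whitelist}
    hits = []
    for line in neigh_output.splitlines():
        m = ARP_RE.match(line)
        if m and m.group(2).lower() not in allowed:
            hits.append((m.group(1), m.group(2).lower()))
    return hits


def ssh_abusers(log_text, threshold):
    """denyhosts-style check: source IPs with at least `threshold` failed logins."""
    counts = Counter(m.group(1) for m in map(FAIL_RE.search, log_text.splitlines()) if m)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print(unknown_macs(ARP_SAMPLE, ["00:11:22:33:44:01", "00:11:22:33:44:20"]))
    print(ssh_abusers(AUTH_SAMPLE, threshold=3))
```

Feeding the real `ip neigh` output and `/var/log/auth.log` into these functions gives the same kind of alert the Orion tools raise, which makes the thresholds easy to tune before relying on them.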
The Orion script tcpick-int uses the tcpick (http://tcpick.sourceforge.net/) utility for highlighting incoming traffic with color and extracting TCP options and data. This can be run in a small window to watch for unexpected traffic. Here is an example of an unexpected telnet session attempt: