Security Basics mailing list archives

RE: tools used to examine a computer


From: "Nickels, Walter P (Nick), SOLCM" <nickels () att com>
Date: Fri, 14 Feb 2003 12:55:17 -0500

http://www.atstake.com/research/tools/task/
And
http://www.porcupine.org/forensics/tct.html

Would be a good start.  Both free, I believe.

NICK
CISSP, CCSI
Senior Security Staff Member
AT&T Managed IP Security Services


-----Original Message-----
From: Hopkins, Joshua [mailto:joshua.hopkins () aruplab com]
Sent: Thursday, February 13, 2003 6:41 PM
Cc: security-basics () securityfocus com
Subject: tools used to examine a computer


I could really use some help in finding a tool that will be used when an
employee gets terminated or when a computer gets broken into.  I had a
network breach happen from the inside and when I went and took the machine
back to the operation center I found that a login script was placed into the
admin account for that machine and the script erased the evidence.  I was
able to copy some files over the network before I took the computer into
custody. What tools are out there that can really be helpful in
monitoring/forensics?


Joshua R. Hopkins
Information Security Analyst
ARUP Laboratories
Salt Lake City, UT
tel.  801.583.2787 ext 3110
fax. 801.584.5108
josh.hopkins () aruplab com
-----Original Message-----
From:   James Taylor [mailto:james_n_taylor () yahoo com] 
Sent:   Wednesday, February 12, 2003 7:56 PM
To:     Naman Latif
Cc:     security-basics () securityfocus com
Subject:        Re: Read Only Ethernet Cable

From google...

http://www.silicondefense.com/techsupport/ro-ethernet.htm

http://www.mcabee.org/lists/snort-users/Jun-01/msg00504.html

http://www.robertgraham.com/pubs/sniffing-faq.html - 3.6
How can I create a receive-only Ethernet adapter?

You use 2 cards, one in 'read-only' promiscuous mode
sniffing the wire, the other connected to the management
network (& severely restricted) to communicate with the
sensor.

Regards
JT


--- Rory <nazgul () csn ul ie> wrote:
I'm assuming here by the information you've given, so if I'm wrong please
correct me. You want to make a cable that allows the traffic to go in one
direction, the idea being that your snort box does not send information,
just receives it. I don't think you can do this with a special cable, as
Ethernet needs to be able to send acks back to let the sending side know
that it received that data. So you will need to do this at OS level, not
with a special cable. If you were to do what you were suggesting, the
sending box would send only the number of packets in the TCP window and
that would be it (it may resend them but in the end it will just be a
small set of information). You will need to do this with chain rules.

If my assumptions were totally wrong sorry.

cheers,
Rory

On Tue, 11 Feb 2003, Naman Latif wrote:

Hi,
Can anyone tell me how to make a Read-Only Ethernet
Cable to be used
with Snort\Sniffer

Is this correct?

LAN         Snort\Switch
1          1
2          2
3----------3
4
5
6----------6
7
8

Then on both sides, connect 1&2 to each other?

\\ Naman
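
The OS-level, two-NIC approach JT and Rory describe (a promiscuous sniffing interface that never transmits, plus a separate, restricted management interface) is something you can verify on the sensor itself. Below is an added Python check, not from this thread, that parses `ip addr show` output (assumed Linux iproute2 format; the sample below is constructed, not captured from a real host) and flags a tap interface that is not promiscuous, still answers ARP, or carries an IP address it could transmit from.

```python
import re

# Constructed sample in the style of `ip addr show` output (not captured from a real host).
SAMPLE_IP_ADDR = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    inet 10.1.2.5/24 brd 10.1.2.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,PROMISC,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:11:22:33:44:66 brd ff:ff:ff:ff:ff:ff
4: eth2: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    inet6 fe80::211:22ff:fe33:4477/64 scope link
"""

# Interface header line: "<index>: <name>[@parent]: <FLAG,FLAG,...> ..."
HEADER_RE = re.compile(r"^\d+: ([^:@\s]+)(?:@\S+)?: <([^>]*)>")

def parse_ip_addr(text):
    """Return {ifname: {"flags": set, "addrs": [cidr, ...]}} from `ip addr show` text."""
    ifaces, current = {}, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            ifaces[current] = {"flags": set(m.group(2).split(",")), "addrs": []}
            continue
        parts = line.split()
        # Indented "inet"/"inet6" lines carry the addresses; link/ether etc. are skipped.
        if current and len(parts) >= 2 and parts[0] in ("inet", "inet6"):
            ifaces[current]["addrs"].append(parts[1])
    return ifaces

def check_sensor_iface(text, name):
    """Return a list of problems; an empty list means the tap interface looks receive-only."""
    ifaces = parse_ip_addr(text)
    if name not in ifaces:
        return [f"{name}: interface not found"]
    flags, addrs = ifaces[name]["flags"], ifaces[name]["addrs"]
    problems = []
    if "UP" not in flags:
        problems.append(f"{name}: not UP, so it captures nothing")
    if "PROMISC" not in flags:
        problems.append(f"{name}: no PROMISC flag, it will only see frames addressed to it")
    if "NOARP" not in flags:
        problems.append(f"{name}: ARP enabled, the sensor can answer ARP and reveal itself")
    for addr in addrs:
        problems.append(f"{name}: has address {addr}, so the host can transmit on the tap")
    return problems

if __name__ == "__main__":
    for ifname in ("eth1", "eth2"):
        print(ifname, check_sensor_iface(SAMPLE_IP_ADDR, ifname) or "OK")
```

An IPv6 link-local address counts as a problem here because the kernel will still send neighbour discovery from it, so on a real sensor you would also disable IPv6 on the tap interface.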





