Security Basics mailing list archives
RE: tools used to examine a computer
From: "Nickels, Walter P (Nick), SOLCM" <nickels () att com>
Date: Fri, 14 Feb 2003 12:55:17 -0500
http://www.atstake.com/research/tools/task/

And

http://www.porcupine.org/forensics/tct.html

would be a good start. Both free, I believe.

NICK
CISSP, CCSI
Senior Security Staff Member
AT&T Managed IP Security Services

-----Original Message-----
From: Hopkins, Joshua [mailto:joshua.hopkins () aruplab com]
Sent: Thursday, February 13, 2003 6:41 PM
Cc: security-basics () securityfocus com
Subject: tools used to examine a computer

I could really use some help in finding a tool that will be used when an employee gets terminated or when a computer gets broken into. I had a network breach happen from the inside and when I went and took the machine back to the operation center I found that a login script was placed into the admin account for that machine and the script erased the evidence. I was able to copy some files over the network before I took the computer into custody. What tools are out there that can really be helpful in monitoring/forensics?

Joshua R. Hopkins
Information Security Analyst
ARUP Laboratories
Salt Lake City, UT
tel. 801.583.2787 ext 3110
fax. 801.584.5108
josh.hopkins () aruplab com

-----Original Message-----
From: James Taylor [mailto:james_n_taylor () yahoo com]
Sent: Wednesday, February 12, 2003 7:56 PM
To: Naman Latif
Cc: security-basics () securityfocus com
Subject: Re: Read Only Ethernet Cable
From google...
http://www.silicondefense.com/techsupport/ro-ethernet.htm
http://www.mcabee.org/lists/snort-users/Jun-01/msg00504.html
http://www.robertgraham.com/pubs/sniffing-faq.html - 3.6 How can I create a receive-only Ethernet adapter?

You use 2 cards, one in 'read-only' promiscuous mode sniffing the wire, the other connected to the management network (& severely restricted) to communicate with the sensor.

Regards
JT

--- Rory <nazgul () csn ul ie> wrote:
I'm assuming here by the information you've given, so if I'm wrong please correct me. You want to make a cable that allows the traffic to go in one direction, the idea being that your snort box does not send information, just receives it. I don't think you can do this with a special cable as ethernet needs to be able to send acks back to let the sending side know that it received that data. So you will need to do this at OS level, not with a special cable. If you were to do what you were suggesting, the sending box would send only the number of packets in the TCP window and that would be it (it may resend them but in the end it will just be a small set of information). You will need to do this with chain rules. If my assumptions were totally wrong, sorry.

cheers,
Rory

On Tue, 11 Feb 2003, Naman Latif wrote:

Hi,
Can anyone tell me how to make a Read-Only Ethernet Cable to be used with Snort\Sniffer. Is this correct?

LAN          Snort\Switch
1            1
2            2
3------------3
4
5
6------------6
7
8

Then on both sides, connect 1&2 to each other?

\\ Naman
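JT's two-card layout, done at the OS level as Rory suggests, as an added example that is not from the thread: a POSIX shell script that makes one NIC receive-only (no address, ARP off, promiscuous mode, egress dropped) and limits the management NIC to SSH from one admin host. The interface names eth0/eth1, the nftables table name "sensor" and the admin address 10.0.0.5 are assumptions; run it with --apply as root, or set DRY_RUN=1 to review the commands it would issue.

```shell
#!/bin/sh
# Added example (not from the thread). Interface names, the nft table name and the
# admin address are assumptions. DRY_RUN=1 prints commands instead of executing them.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Make $1 a receive-only sensor interface: no address, no ARP, promiscuous, no egress.
setup_sniff_iface() {
    iface="$1"
    run ip addr flush dev "$iface"
    run ip link set dev "$iface" arp off promisc on up
    # Belt and braces: drop anything the stack still tries to send out of the sniff NIC.
    run nft add table inet sensor
    run nft add chain inet sensor output '{ type filter hook output priority 0; policy accept; }'
    run nft add rule inet sensor output oifname "$iface" drop
}

# Restrict the management NIC $1 to SSH from the admin host $2 only.
restrict_mgmt_iface() {
    iface="$1"
    admin="$2"
    run nft add chain inet sensor input '{ type filter hook input priority 0; policy drop; }'
    run nft add rule inet sensor input iifname lo accept
    run nft add rule inet sensor input ct state established,related accept
    run nft add rule inet sensor input iifname "$iface" ip saddr "$admin" tcp dport 22 accept
}

# Sanity check after a real run: a sniff NIC must carry no IPv4 or IPv6 address at all.
sniff_iface_has_no_address() {
    [ -z "$(ip -o addr show dev "$1" 2>/dev/null)" ]
}

# Number of commands a configuration step would issue (for dry-run review).
count_commands() {
    ( DRY_RUN=1; "$@" ) | wc -l | tr -d ' '
}

if [ "${1:-}" = "--apply" ]; then
    setup_sniff_iface eth1          # assumption: eth1 faces the monitored segment
    restrict_mgmt_iface eth0 10.0.0.5   # assumption: eth0 is the management NIC
fi
```

Packet capture tools read the sniff NIC through raw sockets, which the input hook does not filter, so the drop policy on the management side does not affect the sensor's view of the wire.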