Home page logo
/

basics logo Security Basics mailing list archives

RE: tools used to examine a computer
From: "Nickels, Walter P (Nick), SOLCM" <nickels () att com>
Date: Fri, 14 Feb 2003 12:55:17 -0500

http://www.atstake.com/research/tools/task/
And
http://www.porcupine.org/forensics/tct.html

Would be a good start.  Both free, I believe.

NICK
CISSP, CCSI
Senior Security Staff Member
AT&T Managed IP Security Services


-----Original Message-----
From: Hopkins, Joshua [mailto:joshua.hopkins () aruplab com]
Sent: Thursday, February 13, 2003 6:41 PM
Cc: security-basics () securityfocus com
Subject: tools used to examine a computer


I could really use some help in finding a tool that will be used when and
employee gets terminated or when a computer gets broken into.  I had a
network breach happen from the inside and when I went and took the machine
back to the operation center I found that a login script was placed into the
admin account for that machine and the script erased the evidence.  I was
able to copy some files over the network before I took the computer into
custody. What tools are out there that can really be helpful in
monitoring/forensics.


Joshua R. Hopkins
Information Security Analyst
ARUP Laboratories
Salt Lake City, UT
tel.  801.583.2787 ext 3110
fax. 801.584.5108
josh.hopkins () aruplab com
 -----Original Message-----
From:   James Taylor [mailto:james_n_taylor () yahoo com] 
Sent:   Wednesday, February 12, 2003 7:56 PM
To:     Naman Latif
Cc:     security-basics () securityfocus com
Subject:        Re: Read Only Ethernet Cable

From google...

http://www.silicondefense.com/techsupport/ro-ethernet.htm

http://www.mcabee.org/lists/snort-users/Jun-01/msg00504.html

http://www.robertgraham.com/pubs/sniffing-faq.html - 3.6
How can I create a receive-only Ethernet adapter?

You use 2 cards, one in 'read-only' promiscous mode
sniffing the wire, the other connected to the management
network (& severly restricted) to communicate with the
sensor.

Regards
JT


--- Rory <nazgul () csn ul ie> wrote:
I'm assuming here by the information you've given so if
i'm wrong please
correct me. You want to make a cable that allows the
traffic to go in one
direction. the idea being that your snort box does not
send information
just receives it. I don't think you can do this with a
special cable as
ethernet need to be able to send acks back to let the
sending side know
that it received that data. So you will need to do this
at OS level not
with a special cable. If you were to do what you were
suggesting the
sending box would send only the number of packets in the
TCP window and
that would be it (it mayt resend them but in the end it
will just be a
small set of information ). you will need to do this with
chain rules.

If my assumptions were totally wrong sorry.

cheers,
Rory

On Tue, 11 Feb 2003, Naman Latif wrote:

Hi,
Can anyone tell me how to make a Read-Only Ethernet
Cable to be used
with Snort\Sniffer

IS this correct

LAN         Snort\Switch
1          1
2          2
3----------3
4
5
6----------6
7
8

Then on both sides, connect 1&2 to eachother ?

\\ Naman




__________________________________________________
Do you Yahoo!?
Yahoo! Shopping - Send Flowers for Valentine's Day
http://shopping.yahoo.com


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]