Should data from a corrupted workstation be transferred to a forensics laptop?


Ed Skoudis
02.05.2009

I've been building a forensics toolkit for my company. Some say that when dealing with a compromised Windows workstation, you should transfer information from the corrupted workstation to the forensics one. What are the benefits of this method, rather than putting the information in a USB pen drive or a Windows share on the forensics laptop?

As far as moving the data goes, you've basically given yourself three options:
  1. Simply transferring the information (I'll elaborate further)
  2. Using a USB token (often referred to as a "pen drive")
  3. Using a Windows share on the forensics laptop

I like to transfer data across the network to a forensics laptop (option 1) because it not only minimizes the impact on the infected machine itself, but it also lowers the chance of compromising the forensics laptop. Installing a USB token (option 2) will almost always force the system to load drivers, altering the kernel and software. While those alterations are likely not going to affect your evidence, I like to minimize any changes to the system.

In option 3, you suggest moving data across a Windows share to the forensics system. To do that, however, the forensics machine must have a Windows share available on the network, and to mount that share on the forensics laptop, you'll need to provide a user ID and password. Entering such credentials into a compromised system is a scary proposition and one that I'd avoid. You might be thinking, "Why not just use guest access of a Windows share on the forensics laptop?" That scares me as well, since the chances are better that malware on the infected machine could spread uncontrollably to the forensics laptop.

That's why I prefer the first option, transferring data without using Windows shares. To send data across the network, I like to use Netcat, a free, general-purpose tool that uses TCP or UDP to move data between systems. Users can run a given command and pipe its output into a Netcat client, which can shoot the data across the network to a forensics laptop, where a Netcat listener waits for it and writes it into the file system. With a batch script file, Netcat easily and quickly gathers a whole bunch of data from a compromised machine. The chance of an attacker spreading malware across Netcat is very small indeed, far lower than via Windows shares.

To help automate the Netcat process, you can use Harlan Carvey's free Forensic Server Project (FSP), a great tool that automatically gathers and stores forensics data using the Netcat method described above. I highly recommend Carvey's brand-new book called Windows Forensics Analysis DVD Toolkit, which describes the important data in a compromised system. He also explains how to use scripts and the FSP to improve your abilities to gather and analyze data.
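As an added illustration of the listener/client exchange described above (this is not code from the column, from FSP, or from Netcat itself), the following Python script stands in for nc.exe plus a batch file on the compromised workstation and a Netcat listener on the forensics laptop. It assumes both sides run on localhost and uses a harmless Python one-liner as the command whose output is shipped; the stream is hashed at both ends so the received copy can be verified against what was sent.

```python
import hashlib, os, socket, subprocess, sys, tempfile, threading

def receive_evidence(listener, out_path):
    # Forensics-laptop side (the Netcat listener): accept one connection, write the
    # raw stream to out_path, and return its SHA-256 for later verification.
    conn, _ = listener.accept()
    digest = hashlib.sha256()
    with conn, open(out_path, "wb") as fh:
        while chunk := conn.recv(65536):
            fh.write(chunk)
            digest.update(chunk)
    return digest.hexdigest()

def send_command_output(host, port, argv):
    # Compromised-host side (the Netcat client): run argv and stream its stdout
    # over TCP. Nothing is written locally and no credentials are entered.
    digest = hashlib.sha256()
    with socket.create_connection((host, port)) as sock:
        proc = subprocess.Popen(argv, stdout=subprocess.PIPE)
        while chunk := proc.stdout.read(65536):
            sock.sendall(chunk)
            digest.update(chunk)
        proc.wait()
    return digest.hexdigest()

def collect(argv, out_path, host="127.0.0.1"):
    # Run both sides (localhost stands in for the two machines) and return
    # (receiver_hash, sender_hash, bytes_written).
    listener = socket.socket()
    listener.bind((host, 0))  # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    result = {}
    rx = threading.Thread(target=lambda: result.update(rx=receive_evidence(listener, out_path)))
    rx.start()
    tx_hash = send_command_output(host, port, argv)
    rx.join()
    listener.close()
    return result["rx"], tx_hash, os.path.getsize(out_path)

def demo():
    # Constructed run: ship a harmless one-liner's output (standing in for a
    # volatile-data command such as netstat) and check that both hashes agree.
    with tempfile.TemporaryDirectory() as d:
        rx_hash, tx_hash, size = collect(
            [sys.executable, "-c", "print('constructed output')"], os.path.join(d, "netstat.txt"))
    return rx_hash == tx_hash, size
```

On a real case the listener runs on the forensics laptop and the workstation side is the batch file piping each command into the Netcat client, one listener per output file; recording the hash at both ends is what lets you show later that the evidence file is exactly what left the compromised machine.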

