- Simply transferring the information (I'll elaborate further)
- Using a USB token (often referred to as a "pen drive")
- Using a Windows share on the forensics laptop
I like to transfer data across the network to a forensics laptop (option 1) because it not only minimizes the impact on the infected machine itself, but it also lowers the chance of compromising the forensics laptop. Installing a USB token (option 2) will almost always force the system to load drivers, altering the kernel and software. While those alterations are likely not going to affect your evidence, I like to minimize any changes to the system.
In option 3, you suggest moving data across a Windows share to the forensics system. To do that, however, the forensics machine must have a Windows share available on the network, and to mount that share (hosted on the forensics laptop) from the compromised system, you'll need to provide a user ID and password. Entering such credentials into a compromised system is a scary proposition and one that I'd avoid. You might be thinking,
That's why I prefer the first option, transferring data without using Windows shares. To send data across the network, I like to use Netcat, a free, general-purpose tool that uses TCP or UDP to move data between systems. Users can run a given command and pipe its output into a Netcat client, which can shoot the data across the network to a forensics laptop, where a Netcat listener waits for it and writes it into the file system. With a batch script file, Netcat easily and quickly gathers a whole bunch of data from a compromised machine. The chance of an attacker spreading malware across Netcat is very small indeed, far lower than via Windows shares.
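As an added example (not code from this column, from Netcat or from the FSP), here is the listener/sender pattern just described written in Python so it can be exercised on one machine: the laptop side writes a single incoming stream to an evidence file and hashes it as it arrives, the compromised-host side pipes a command's output into the socket and hashes what it sent, and the two hashes are compared so you know the artifact arrived intact. The localhost address, ephemeral port, file names and the stand-in command are assumptions for the demo.

```python
import hashlib
import socket
import subprocess
import sys
import threading
from pathlib import Path

def receive_stream(srv: socket.socket, dest: Path) -> str:
    """Laptop side (`nc -l -p PORT > dest`): write one incoming stream to dest, return its SHA-256."""
    digest = hashlib.sha256()
    conn, _ = srv.accept()
    with conn, dest.open("wb") as fh:
        while True:
            chunk = conn.recv(65536)
            if not chunk:  # sender closed the connection: end of this artifact
                break
            fh.write(chunk)
            digest.update(chunk)
    return digest.hexdigest()

def send_command_output(host: str, port: int, argv: list[str]) -> str:
    """Compromised-host side (`command | nc HOST PORT`): stream argv's stdout out, return its SHA-256."""
    digest = hashlib.sha256()
    with subprocess.Popen(argv, stdout=subprocess.PIPE) as proc, \
            socket.create_connection((host, port)) as sock:
        for chunk in iter(lambda: proc.stdout.read(65536), b""):
            sock.sendall(chunk)
            digest.update(chunk)
    return digest.hexdigest()

def collect(out_dir: Path, name: str, argv: list[str]) -> tuple[Path, str, str]:
    """Wire both halves together on localhost (demo only); the two hashes must agree."""
    out_dir.mkdir(parents=True, exist_ok=True)
    dest = out_dir / name
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))  # port 0: the OS picks a free port for the demo
        srv.listen(1)
        port = srv.getsockname()[1]
        received = {}
        worker = threading.Thread(target=lambda: received.update(h=receive_stream(srv, dest)))
        worker.start()
        sent = send_command_output("127.0.0.1", port, argv)
        worker.join()
    return dest, received["h"], sent

if __name__ == "__main__":
    # Constructed stand-in for a volatile-data command such as `netstat -na`
    cmd = [sys.executable, "-c", "print('volatile evidence sample')"]
    path, rx, tx = collect(Path("evidence"), "netstat.txt", cmd)
    print(path, "hashes match:", rx == tx)
```

In a real collection the listener runs on the forensics laptop and only the sender half runs on the suspect host, one artifact per connection; recording the receiver-side hash with each file gives you the integrity record for later analysis.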
To help automate the Netcat process, you can use Harlan Carvey's free Forensic Server Project (FSP), a great tool that automatically gathers and stores forensics data using the Netcat method described above. I highly recommend Carvey's brand-new book called Windows Forensics Analysis DVD Toolkit, which describes the important data in a compromised system. He also explains how to use scripts and the FSP to improve your abilities to gather and analyze data.
This was first published in February 2009