tools used to examine a computer
From: Hopkins, Joshua (joshua.hopkins@aruplab.com)
Date: 02/14/03
From: "Hopkins, Joshua" <joshua.hopkins@aruplab.com>
To:
Date: Thu, 13 Feb 2003 16:40:45 -0700
I could really use some help in finding a tool that will be used when an
employee gets terminated or when a computer gets broken into. I had a
network breach happen from the inside and when I went and took the machine
back to the operation center I found that a login script was placed into the
admin account for that machine and the script erased the evidence. I was
able to copy some files over the network before I took the computer into
custody. What tools are out there that can really be helpful in
monitoring/forensics?
Joshua R. Hopkins
Information Security Analyst
ARUP Laboratories
Salt Lake City, UT
tel. 801.583.2787 ext 3110
fax. 801.584.5108
josh.hopkins@aruplab.com
-----Original Message-----
From: James Taylor [mailto:james_n_taylor@yahoo.com]
Sent: Wednesday, February 12, 2003 7:56 PM
To: Naman Latif
Cc: security-basics@securityfocus.com
Subject: Re: Read Only Ethernet Cable
From Google...
http://www.silicondefense.com/techsupport/ro-ethernet.htm
http://www.mcabee.org/lists/snort-users/Jun-01/msg00504.html
http://www.robertgraham.com/pubs/sniffing-faq.html - 3.6
How can I create a receive-only Ethernet adapter?
You use 2 cards, one in 'read-only' promiscuous mode
sniffing the wire, the other connected to the management
network (& severely restricted) to communicate with the
sensor.
Regards
JT
--- Rory <nazgul@csn.ul.ie> wrote:
> I'm assuming here by the information you've given so if I'm wrong please
> correct me. You want to make a cable that allows the traffic to go in one
> direction. The idea being that your snort box does not send information
> just receives it. I don't think you can do this with a special cable as
> Ethernet needs to be able to send acks back to let the sending side know
> that it received that data. So you will need to do this at OS level not
> with a special cable. If you were to do what you were suggesting the
> sending box would send only the number of packets in the TCP window and
> that would be it (it may resend them but in the end it will just be a
> small set of information). You will need to do this with chain rules.
>
> If my assumptions were totally wrong sorry.
>
> cheers,
> Rory
>
> On Tue, 11 Feb 2003, Naman Latif wrote:
>
> > Hi,
> > Can anyone tell me how to make a Read-Only Ethernet Cable to be used
> > with Snort\Sniffer
> >
> > Is this correct?
> >
> > LAN Snort\Switch
> > 1 1
> > 2 2
> > 3----------3
> > 4
> > 5
> > 6----------6
> > 7
> > 8
> >
> > Then on both sides, connect 1&2 to each other?
> >
> > \\ Naman
> >
>