http://www.atstake.com/research/tools/task/
And
http://www.porcupine.org/forensics/tct.html

Would be a good start. Both free, I believe.

NICK
CISSP, CCSI
Senior Security Staff Member
AT&T Managed IP Security Services

-----Original Message-----
From: Hopkins, Joshua [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 13, 2003 6:41 PM
Cc: [EMAIL PROTECTED]
Subject: tools used to examine a computer

I could really use some help in finding a tool that will be used when an employee gets terminated or when a computer gets broken into. I had a network breach happen from the inside and when I went and took the machine back to the operation center I found that a login script was placed into the admin account for that machine and the script erased the evidence. I was able to copy some files over the network before I took the computer into custody. What tools are out there that can really be helpful in monitoring/forensics?

Joshua R. Hopkins
Information Security Analyst
ARUP Laboratories
Salt Lake City, UT
tel. 801.583.2787 ext 3110
fax. 801.584.5108
[EMAIL PROTECTED]

-----Original Message-----
From: James Taylor [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 12, 2003 7:56 PM
To: Naman Latif
Cc: [EMAIL PROTECTED]
Subject: Re: Read Only Ethernet Cable

From google...

http://www.silicondefense.com/techsupport/ro-ethernet.htm
http://www.mcabee.org/lists/snort-users/Jun-01/msg00504.html
http://www.robertgraham.com/pubs/sniffing-faq.html - 3.6 How can I create a receive-only Ethernet adapter?

You use 2 cards, one in 'read-only' promiscuous mode sniffing the wire, the other connected to the management network (& severely restricted) to communicate with the sensor.

Regards
JT

--- Rory <[EMAIL PROTECTED]> wrote:
> I'm assuming here by the information you've given so if I'm wrong please
> correct me. You want to make a cable that allows the traffic to go in one
> direction. The idea being that your snort box does not send information
> just receives it. I don't think you can do this with a special cable as
> Ethernet needs to be able to send acks back to let the sending side know
> that it received that data. So you will need to do this at OS level not
> with a special cable. If you were to do what you were suggesting the
> sending box would send only the number of packets in the TCP window and
> that would be it (it may resend them but in the end it will just be a
> small set of information). You will need to do this with chain rules.
>
> If my assumptions were totally wrong sorry.
>
> cheers,
> Rory
>
> On Tue, 11 Feb 2003, Naman Latif wrote:
>
> > Hi,
> > Can anyone tell me how to make a Read-Only Ethernet Cable to be used
> > with Snort\Sniffer
> >
> > Is this correct?
> >
> > LAN        Snort\Switch
> > 1          1
> > 2          2
> > 3----------3
> > 4
> > 5
> > 6----------6
> > 7
> > 8
> >
> > Then on both sides, connect 1&2 to each other?
> >
> > \\ Naman
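
Added example, not part of the original thread: a check that the sniffing interface in the two-card setup JT describes really is receive-only at the OS level (promiscuous, ARP off, no address bound), run here over constructed `ip -o` output. It assumes a Linux sensor with iproute2; the interface names and the function name `check_sniff_iface` are hypothetical.

```sh
#!/bin/sh
# Added example, not from the thread. Assumed names: eth0 = management NIC,
# eth1 = sniffing NIC. On a live Linux sensor the sniffing side would be
# set up (as root) with iproute2:
#   ip addr flush dev eth1
#   ip link set dev eth1 arp off promisc on up

# check_sniff_iface IFACE LINK_TEXT ADDR_TEXT
#   LINK_TEXT: output of `ip -o link show`; ADDR_TEXT: `ip -o addr show`.
# Prints one finding per line. Returns 0 only when the interface is
# promiscuous, has ARP disabled and has no IPv4/IPv6 address bound.
check_sniff_iface() {
    iface=$1; link_text=$2; addr_text=$3; rc=0

    # Flags field, e.g. <BROADCAST,NOARP,PROMISC,UP>, for this interface.
    flags=$(printf '%s\n' "$link_text" |
        awk -v i="$iface:" '$2 == i { gsub(/[<>]/, "", $3); print $3 }')
    if [ -z "$flags" ]; then
        echo "FAIL $iface: interface not found"
        return 1
    fi
    case ",$flags," in
        *,PROMISC,*) ;;
        *) echo "FAIL $iface: not promiscuous"; rc=1 ;;
    esac
    case ",$flags," in
        *,NOARP,*) ;;
        *) echo "FAIL $iface: ARP enabled"; rc=1 ;;
    esac

    # Any inet/inet6 entry lets the host source packets onto the tap,
    # including the IPv6 link-local address Linux assigns automatically.
    for a in $(printf '%s\n' "$addr_text" |
        awk -v i="$iface" '$2 == i && $3 ~ /^inet6?$/ { print $4 }'); do
        echo "FAIL $iface: address $a bound"; rc=1
    done
    [ "$rc" -eq 0 ] && echo "OK $iface: promiscuous, no ARP, no address"
    return "$rc"
}

# Constructed sample output (not captured from a real host).
GOOD_LINK='3: eth1: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP'
BAD_LINK='3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP'
MGMT_ADDR='2: eth0    inet 10.0.0.5/24 brd 10.0.0.255 scope global eth0'
BAD_ADDR="$MGMT_ADDR
3: eth1    inet6 fe80::211:22ff:fe33:4455/64 scope link"

check_sniff_iface eth1 "$GOOD_LINK" "$MGMT_ADDR" || true
check_sniff_iface eth1 "$BAD_LINK" "$BAD_ADDR" || true
```

On a live sensor, pass it `"$(ip -o link show)"` and `"$(ip -o addr show)"`. The PROMISC flag is reported when the mode is set on the link itself; a sniffer that enables promiscuous mode only through its capture socket does not set it.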