When a system is vital in daily operations, it often cannot be taken offline for duplication. Also because of its importance it cannot risk the chance of state change, forensic tools cannot be downloaded onto the system. In a court case, the installation of tools could be considered as tampering with the evidence because there is a chance the tools could overwrite important data. The same goes for saving data on the victim machine. A live incident response looks to collect data from a machine without changing the environment. I recommend mapping a network drive or preferably using Ncat to transfer information between analyzing machine and the victim machine during a live investigation.
Ncat comes pre-installed on most Linux distributions and can be called by the ‘nc’ command. For Windows, a portable executable can be downloaded from here.
If using Ncat to transfer logs the following commands can be used:
Command to setup a Ncat listener on host machine: Linux: nc –v –l –p <PORT> > <LOG FILE> Windows: <NCAT EXECUTABLE> –v –l –p <PORT> > <LOG FILE>
The port number is any port desired for the Ncat listener to listen on for communication. The log file is just a file for the data to be stored in on the analyzing host machine.
Command to send data from a victim machine: Linux: <COMMAND> | nc <IP ADDRESS OF LISTENING MACHINE> <PORT> Windows: <COMMAND> | <NCAT EXECUTABLE> <IP ADDRESS OF LISTENING MACHINE> <PORT>
Basically the command sends the results of a command performed on the victim machine to the listening host machine. <COMMAND> is the command issued on the victim machine. The IP address and port are of the host machine with Ncat listening. The connection can be closed by CONTROL C/D or closing the terminal/command prompt. Once closed, the listener will output all received data to the output file.
Not only can Ncat be used to send command output but it can be used to listen for text or file transfers.
Overall, it is an easy to use clean tool for transferring information between host machines.