{"id":88,"date":"2013-02-13T13:43:52","date_gmt":"2013-02-13T20:43:52","guid":{"rendered":"http:\/\/somethingk.com\/main\/?p=88"},"modified":"2013-05-12T20:08:10","modified_gmt":"2013-05-13T03:08:10","slug":"ncat-for-live-incident-response","status":"publish","type":"post","link":"https:\/\/somethingk.com\/main\/ncat-for-live-incident-response\/","title":{"rendered":"Ncat for Live Incident Response"},"content":{"rendered":"

When a system is vital in daily operations, it often cannot be taken offline for duplication. Also because of its importance it cannot risk the chance of state change, forensic tools cannot be downloaded onto the system. In a court case, the installation of tools could be considered as tampering with the evidence because there is a chance the tools could overwrite important data. The same goes for saving data on the victim machine. A live incident response looks to collect data from a machine without changing the environment.\u00a0I recommend<\/span>\u00a0mapping a network drive or\u00a0<\/span>preferably\u00a0using\u00a0<\/span>Ncat <\/a>to transfer information between analyzing machine and the victim machine during a live investigation.<\/span><\/span><\/p>\n

Ncat comes pre-installed on most Linux distributions and can be called by the ‘nc’ command. For Windows, a portable executable can be downloaded from here<\/a>.<\/p>\n

If using Ncat to transfer logs the following commands can be used:<\/span><\/p>\n

Command to setup a Ncat listener on host machine<\/b>: \r\nLinux:<\/strong> nc \u2013v \u2013l\u00a0 \u2013p <PORT> > <LOG FILE>\r\nWindows:<\/strong> <NCAT EXECUTABLE> \u2013v \u2013l\u00a0 \u2013p <PORT> > <LOG FILE><\/pre>\n
\"Capture\"<\/a><\/pre>\n
The port number is any port desired for the Ncat listener to listen on for communication. The log file is just a file for the data to be stored in on the\u00a0analyzing\u00a0host machine.<\/p>\n
Command to send data from a victim machine<\/b>: \r\nLinux:<\/strong> <COMMAND> | nc <IP ADDRESS OF LISTENING MACHINE> <PORT>\r\nWindows:<\/strong> <COMMAND> | <NCAT EXECUTABLE> <IP ADDRESS OF LISTENING MACHINE> <PORT><\/pre>\n
\"Capture2\"<\/a><\/pre>\n
Basically the command sends the results of a command performed on the victim machine to the listening host machine. <COMMAND> is the command issued on the victim\u00a0machine. The IP address and port are of the host machine with Ncat listening. The connection can be closed by CONTROL C\/D or closing the terminal\/command prompt. Once closed, the listener will output all\u00a0received\u00a0data to the output file.<\/p>\n
Not only can Ncat be used to send command output but it can be used to listen for text or file transfers.<\/p>\n
\"Capture3\"<\/a><\/p>\n
 <\/p>\n
Overall, it is an easy to use clean tool for transferring information between host machines.<\/p>\n","protected":false},"excerpt":{"rendered":"
When a system is vital in daily operations, it often cannot be taken offline for duplication. Also because of its importance it cannot risk the chance of state change, forensic tools cannot be downloaded onto the system. In a court case, the installation of tools could be considered as tampering with the evidence because there is a chance the tools […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[34,6,12],"tags":[13,9,45,44,5],"class_list":["post-88","post","type-post","status-publish","format-standard","hentry","category-forensics","category-linux","category-windows","tag-cmd","tag-command","tag-file-transfer","tag-ncat","tag-terminal"],"_links":{"self":[{"href":"https:\/\/somethingk.com\/main\/wp-json\/wp\/v2\/posts\/88","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/somethingk.com\/main\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/somethingk.com\/main\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/somethingk.com\/main\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/somethingk.com\/main\/wp-json\/wp\/v2\/comments?post=88"}],"version-history":[{"count":7,"href":"https:\/\/somethingk.com\/main\/wp-json\/wp\/v2\/posts\/88\/revisions"}],"predecessor-version":[{"id":229,"href":"https:\/\/somethingk.com\/main\/wp-json\/wp\/v2\/posts\/88\/revisions\/229"}],"wp:attachment":[{"href":"https:\/\/somethingk.com\/main\/wp-json\/wp\/v2\/media?parent=88"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/somethingk.com\/main\/wp-json\/wp\/v2\/categories?post=88"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/somethingk.com\/main\/wp-json\/wp\/v2\/tags?post=88"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}