
1. Save the data you retrieve on the hard drive of the target system.

2. Record the data you retrieve by hand in a notebook.

3. Save the data you retrieve onto a response external hard disk or other removable media.

4. Save the data you retrieve on a remote forensic system using netcat or cryptcat.

TRANSFERRING DATA WITH NETCAT

1. Netcat is a freely available tool that creates a channel of communication between hosts.
2. We use it during initial response to create a reliable TCP connection between the target system and the forensic workstation for analysis.

It lets you get on and off the target system quickly.

It allows you to perform an offline review of the information attained.

Encrypting the data with cryptcat
- The drawback of transferring data across a network is that the data may be visible to network attackers, so consider encrypting the traffic using cryptcat.
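The transfer the notes describe, as an added example that is not part of the original notes: one side listens like `nc -l -p <port> > evidence.bin` on the forensic workstation, the other sends like `command | nc <host> <port>` from the target, and both ends compute a SHA-256 so the responder can show the copy matches the original. Both ends run on localhost here; the port selection and the sample evidence bytes are constructed for the example. The bytes still cross the socket in the clear, which is the gap cryptcat closes.

```python
"""Added example: netcat-style transfer of acquired data to a forensic host
over TCP with an integrity hash computed on both ends (not from the notes)."""
import hashlib
import socket
import threading


def sha256_hex(data: bytes) -> str:
    """Hash used on both ends; the responder records this value in the notebook."""
    return hashlib.sha256(data).hexdigest()


def forensic_listener(sock: socket.socket, result: dict) -> None:
    """Forensic workstation side, the equivalent of `nc -l -p <port> > evidence.bin`.
    Accepts one connection, reads until the sender closes, hashes what arrived."""
    conn, _ = sock.accept()
    with conn:
        chunks = []
        while True:
            chunk = conn.recv(65536)
            if not chunk:          # sender shut down its write side: end of data
                break
            chunks.append(chunk)
    result["data"] = b"".join(chunks)
    result["sha256"] = sha256_hex(result["data"])


def send_to_forensic_host(host: str, port: int, data: bytes) -> str:
    """Target system side, the equivalent of `command | nc <host> <port>`.
    Returns the hash computed before the bytes leave the target."""
    digest = sha256_hex(data)
    with socket.create_connection((host, port)) as s:
        s.sendall(data)
        s.shutdown(socket.SHUT_WR)  # signal end-of-data the way nc does on EOF
    return digest


def transfer(data: bytes) -> dict:
    """Run both ends on localhost and report whether the received copy verified."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port (assumption for the demo)
    listener.listen(1)
    port = listener.getsockname()[1]
    received = {}
    t = threading.Thread(target=forensic_listener, args=(listener, received))
    t.start()
    sent_hash = send_to_forensic_host("127.0.0.1", port, data)
    t.join()
    listener.close()
    return {
        "bytes_sent": len(data),
        "bytes_received": len(received["data"]),
        "sent_sha256": sent_hash,
        "received_sha256": received["sha256"],
        "verified": sent_hash == received["sha256"],
    }


# Constructed sample: the kind of volatile output a responder pipes through netcat.
SAMPLE_EVIDENCE = (
    b"Proto  Local Address   Foreign Address   State\n"
    b"TCP    10.0.0.5:445    10.0.0.9:51234    ESTABLISHED\n"
) * 200

if __name__ == "__main__":
    print(transfer(SAMPLE_EVIDENCE))
```

The two hashes, written down at the time of collection, are what lets you later show that the file on the forensic workstation is the same bytes that left the target.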

UNIT-4
Network based Evidence:-

- Network based evidence includes setting up a computer system to perform network monitoring, deploying the network monitor, and evaluating the effectiveness of the network monitor.

Goals of network monitoring

1 Confirm suspicions surrounding a computer security incident.
2 Accumulate additional evidence and information.
3 Verify the scope of a compromise.
4 Identify additional parties involved.
5 Determine a timeline of events occurring on the network.

Types of network monitoring:-

1 Event monitoring  2 Trap and trace monitoring  3 Full content monitoring

1 Event monitoring

- Event monitoring is based on rules or thresholds employed on the network monitoring platform; events are simply alerts that something occurred on your network.
- Traditional events are generated by a network IDS, but events can also be created by network monitoring software like the Multi Router Traffic Grapher (MRTG).

2 Trap and trace

- Noncontent monitoring records the session or transaction data summarizing the network activity.
- Law enforcement refers to such noncontent monitoring as a pen register or a trap and trace.
- It typically includes the protocol, IP addresses and ports used by a network communication.

3 Full content Monitoring

- Yields data that includes the raw packets collected from the wire.
- It offers the highest fidelity, because it represents the actual communication passed between computers on a network. Full content data includes packet headers and payloads.
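The first two monitoring types above, as an added example that is not part of the original notes: a trap-and-trace summary built from noncontent session records (protocol, addresses, ports, byte counts, no payload), and an event monitor that applies thresholds to those same records. The session log lines, the threshold values and the rule names are constructed for the example.

```python
"""Added example: trap-and-trace summaries and threshold-based events over
constructed session records (not from the notes)."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed session records: <timestamp> <proto> <src:sport> -> <dst:dport> <bytes>
SESSION_LOG = """\
2024-03-01T10:00:01 TCP 192.0.2.10:50123 -> 198.51.100.5:21 120
2024-03-01T10:00:01 TCP 192.0.2.10:50124 -> 198.51.100.5:22 140
2024-03-01T10:00:02 TCP 192.0.2.10:50125 -> 198.51.100.5:23 60
2024-03-01T10:00:02 TCP 192.0.2.10:50126 -> 198.51.100.5:25 90
2024-03-01T10:00:03 TCP 192.0.2.10:50127 -> 198.51.100.5:80 300
2024-03-01T10:00:03 TCP 192.0.2.10:50128 -> 198.51.100.5:443 310
2024-03-01T10:01:10 TCP 192.0.2.20:41000 -> 198.51.100.7:443 2400
2024-03-01T10:05:00 TCP 192.0.2.20:41001 -> 198.51.100.7:443 2400
2024-03-01T10:07:30 UDP 192.0.2.30:5353 -> 198.51.100.9:53 80
2024-03-01T10:09:00 TCP 192.0.2.40:52000 -> 203.0.113.8:443 52000000
"""


@dataclass(frozen=True)
class Session:
    ts: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int


def parse_sessions(text: str) -> list:
    """Parse the constructed log format into Session records."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proto, src_pair, _arrow, dst_pair, nbytes = line.split()
        src, sport = src_pair.rsplit(":", 1)
        dst, dport = dst_pair.rsplit(":", 1)
        sessions.append(Session(ts, proto, src, int(sport), dst, int(dport), int(nbytes)))
    return sessions


def trap_and_trace(sessions) -> dict:
    """Noncontent summary keyed by (proto, src, dst, dport): how often each
    conversation happened and how much moved, never what was said."""
    summary = defaultdict(lambda: {"sessions": 0, "bytes": 0})
    for s in sessions:
        entry = summary[(s.proto, s.src, s.dst, s.dport)]
        entry["sessions"] += 1
        entry["bytes"] += s.nbytes
    return dict(summary)


def event_monitor(sessions, port_threshold: int = 5, byte_threshold: int = 10_000_000) -> list:
    """Threshold rules over session data; each hit is an event string.
    Rule 1: one source touching >= port_threshold distinct ports on one host.
    Rule 2: a single session moving >= byte_threshold bytes."""
    ports_seen = defaultdict(set)
    events = []
    for s in sessions:
        ports_seen[(s.src, s.dst)].add(s.dport)
        if s.nbytes >= byte_threshold:
            events.append(f"LARGE_TRANSFER {s.src} -> {s.dst}:{s.dport} {s.nbytes} bytes at {s.ts}")
    for (src, dst), ports in ports_seen.items():
        if len(ports) >= port_threshold:
            events.append(f"PORT_SWEEP {src} -> {dst} touched {len(ports)} ports: {sorted(ports)}")
    return events


if __name__ == "__main__":
    recs = parse_sessions(SESSION_LOG)
    for key, val in trap_and_trace(recs).items():
        print(key, val)
    for ev in event_monitor(recs):
        print(ev)
```

The summary table is the pen-register view the notes describe; the events are what an IDS or MRTG-style tool would raise on top of it, and a full content monitor would be needed to see what actually passed inside any of those sessions.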
SETTING UP A NETWORK MONITORING SYSTEM
:- Network diagnostic and troubleshooting hardware can capture data reliably and is usually the most efficient at capturing data at the full rate of the monitored network segment.
Steps to creating network surveillance:-
1 Determine your goals for performing the network surveillance.
2 Ensure that you have the proper legal standing to perform the monitoring activity.
3 Acquire and implement the proper hardware and software.
4 Ensure the security of the platform, both electronically and physically.
5 Ensure the appropriate placement of the monitor on the network.
6 Evaluate your network monitor.

Determining your goals.

- Watch traffic to and from a specific host.
- Monitor traffic to and from a specific network.
- Monitor a specific person's actions.
Trap and trace
- Trap and trace monitors are especially helpful in DoS cases, where they may provide the only evidence other than oral testimony that the router.

ACQUIRING HOST BASED EVIDENCE:-

Host systems are far too often the target of malicious actions. Commonly available systems are routinely manufactured with extensive memory and storage, so there is a great deal of data that could assist incident responders with determining root cause.

PREPARATION:- Incident response analysts should have the necessary tools at their disposal for acquiring host based evidence. For supporting an enterprise environment it is a good idea that incident response personnel have a solid understanding of the types of systems commonly deployed.
One technique is for incident response analysts to be given individual credentials that are enabled only during an incident.

EVIDENCE VOLATILITY:-
Volatility is used to describe how data on a host system is maintained after changes such as log off or power shutdowns.
- Volatile data can be data in the CPU, routing tables or the ARP cache; one of the most critical pieces of volatile evidence is the memory currently running on the system.
- Malware leaves a number of key pieces of evidence within the memory of the system.
- Non volatile data includes MFT entries, registry information and actual files on the hard drive.

EVIDENCE ACQUISITION:-
- Local evidence acquisition-
- Online acquisition- an online acquisition of evidence occurs when the incident response analyst acquires evidence from a system that is powered on and running.
- Offline acquisition- the offline acquisition method is the one often used by law enforcement agencies to preserve digital evidence on the hard disk. This technique requires that the system is powered down and the hard drive removed.
EVIDENCE COLLECTION PROCEDURE:-
- Photograph the system and general scene. One key piece of equipment that can save time is a small digital camera; while it may seem overkill to photograph a system in place, in the event that actions taken by the incident responder ever see the inside of a courtroom, having photos will allow proper reconstruction of the event.
- Determine whether the system is powered up. If the system is powered on, leave it on, and if the system is off, do not power it on; a number of changes take place when turning a system on or off.
- Acquire the running memory. This is the critical piece of evidence that can produce a wealth of data concerning running processes, DLLs in use and network connections.
- Acquire registry and log files. While these files are non volatile in nature, having near immediate access is beneficial, especially when investigating malware or exploitation.
- Unplug the power from the back of the system. In the event that the system is a laptop, remove the battery as well; this preserves the state of the system.
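The collection procedure above, as an added example that is not part of the original notes: an acquisition manifest that records each artifact in the order the steps prescribe (photographs, running memory, then registry and logs), with a SHA-256 and a UTC timestamp per item so the collection can be reconstructed and checked later. The artifact names, the collector name and the artifact contents are constructed for the example; real acquisitions would hand this function the memory image and file contents captured from the host.

```python
"""Added example: ordered acquisition manifest with per-artifact hashes and
verification (not from the notes)."""
import hashlib
from datetime import datetime, timezone

# Collection order from the procedure, most volatile first (constructed names).
COLLECTION_ORDER = ["photographs", "running_memory", "registry", "logs"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_manifest(artifacts: dict, collector: str) -> list:
    """artifacts maps an artifact name from COLLECTION_ORDER to its bytes.
    Returns manifest entries in procedure order; unknown names are rejected so
    nothing is collected that the procedure does not account for."""
    unknown = set(artifacts) - set(COLLECTION_ORDER)
    if unknown:
        raise ValueError(f"artifacts not in the collection procedure: {sorted(unknown)}")
    manifest = []
    for step, name in enumerate(COLLECTION_ORDER, start=1):
        if name not in artifacts:
            continue
        data = artifacts[name]
        manifest.append({
            "step": step,
            "artifact": name,
            "size": len(data),
            "sha256": sha256_hex(data),
            "collected_at": datetime.now(timezone.utc).isoformat(),
            "collector": collector,
        })
    return manifest


def verify_manifest(manifest: list, artifacts: dict) -> dict:
    """Recompute every hash against the artifacts now on hand; any mismatch or
    missing artifact is reported by name. Empty result means everything verified."""
    problems = {}
    for entry in manifest:
        name = entry["artifact"]
        if name not in artifacts:
            problems[name] = "missing"
        elif sha256_hex(artifacts[name]) != entry["sha256"]:
            problems[name] = "hash mismatch"
    return problems


# Constructed artifacts standing in for a memory image, registry hive and log file.
SAMPLE_ARTIFACTS = {
    "running_memory": b"\x00" * 4096 + b"svchost.exe 10.0.0.9:51234 ESTABLISHED" + b"\x00" * 4096,
    "registry": b"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n",
    "logs": b"2024-03-01 10:09:00 Security 4624 logon type 10\n",
    "photographs": b"\xff\xd8\xff\xe0JFIF-placeholder",
}

if __name__ == "__main__":
    m = make_manifest(SAMPLE_ARTIFACTS, collector="responder-01")
    for entry in m:
        print(entry["step"], entry["artifact"], entry["size"], entry["sha256"][:16])
    print("problems:", verify_manifest(m, SAMPLE_ARTIFACTS))
```

The manifest is the written record the notebook step calls for; running the verification again before analysis shows whether the artifacts opened on the forensic workstation are still the ones that were acquired.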
