Commit 976a5733 authored by heiko.reese's avatar heiko.reese 💬

parent 5b6213bc
......@@ -6,10 +6,29 @@ Forensic investigations of computer hardware is usually divided in two phases:
online forensics (analysis of the running system) and offline forensics
(examination of the permanent storage).
This document's primary focus s the first phase (online forensics).
This document's primary focus is the first phase (online forensics).
## Find a proper place to store your finding
## Find a proper place to store your findings
Every action that interacts with the storage subsystem can potentially destroy
evidence (both data and metadata). Mounting external storage changes the
contents of `/etc/mtab` and the timestamps of the containing directory `/etc`.
Merely looking at the file (`cat /etc/mtab`) changes the access time of `/etc`.
### Pushing data onto the network
You may push your findings directly onto the network, thus preventing/minimizing
changes to the local filesystems. This only works if the compromized machine is
still able to connect to your server.
Open a listener on your server:
```bash
nc -l 6789 >> logfilename.txt
```
To send the standard output of a command, simply add this
```bash
| nc -w 2 name_or_ip_of_server 6789
```
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment