Sunday, 18 December 2011

Acquire RAM from Live Windows System with F-Response Tactical to SIFT Workstation

Here's how:

On the Windows SUBJECT:
1. Insert the SUSPECT F-Response Tactical into the target Windows computer
2. If Autoruns is enabled, the device should automatically load the F-Response utility
3. If Autoruns is NOT enabled, Double-Click on "MyComputer" and open the drive for the USB named "Subject"
4. Open the Folder named "TACTICAL Subject"
5. Double-Click the icon named "f-response-tacsub"
6. Verify that the IP identified is the correct one and select ENABLED for Physical Memory
7. Click Start

On the SIFT Examiner:
1. On the terminal window, enter "sudo su"
2. Enter "fdisk -l" and note the existing partitions
3. Note the devices that are identified
4. Insert the F-Response Tactical EXAMINER USB into the SIFT workstation
5. cd to the directory (i.e. cd /media/EXAMINER/TACTICAL\ Examiner/ )
6. Confirm you can PING the SUBJECT computer
7. Enter "./f-response-tacex-lin.exe -s <IP of Subject computer> -p <port>"
8. If successful, you will see a screen similar to the following:
9. To acquire the memory now, note the line that contains the "pmem"
10. Enter "iscsiadm -m node --targetname=iqn.2008-02.com.f-response.marymlaptop:pmem --login"
11. Enter fdisk -l and note the NEW device added: (see fdisk-new.png)
12. Now you can do one of two things: work directly with the memory, or image it first in case the state of your subject becomes altered.
13. If you choose to image the memory, use dc3dd, since it can compute an MD5 hash of the memory as it creates the image. (see dc3dd.png)

14. Now that you have the image, you can run volatility against it for analysis purposes.
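The SIFT-side steps above, gathered into a few shell helpers. This is an added example, not code from the original post or from F-Response: the target IQN, IP address and fdisk lines are constructed, and acquire_pmem (which ties steps 10 to 13 together) assumes root, open-iscsi and dc3dd on the SIFT box and is not invoked here.

```shell
#!/bin/sh
# Constructed F-Response target listing as seen in step 8; the IQN is a placeholder.
FRESP_TARGETS='10.0.0.5:3260,1 iqn.2008-02.com.f-response.subject-pc:disk-0
10.0.0.5:3260,1 iqn.2008-02.com.f-response.subject-pc:pmem'

# Constructed "fdisk -l" output before (step 2) and after (step 11) the iSCSI login.
FDISK_BEFORE='Disk /dev/sda: 500.1 GB, 500107862016 bytes
Disk /dev/sdb: 8012 MB, 8012390400 bytes'
FDISK_AFTER="$FDISK_BEFORE
Disk /dev/sdc: 4294 MB, 4294967296 bytes"

# Step 9: the target whose name ends in ":pmem" is the subject's physical memory.
pmem_target() {
    printf '%s\n' "$1" | awk '$2 ~ /:pmem$/ {print $2}'
}

# Steps 2, 3 and 11: list the "Disk /dev/..." entries and keep only the ones that
# appear after the login and not before; that device is the memory to acquire.
disks() { printf '%s\n' "$1" | awk '/^Disk \/dev\// {sub(":", "", $2); print $2}'; }
new_device() {
    disks "$2" | grep -vxF -e "$(disks "$1")"
}

# Step 13 check: the MD5 dc3dd reported while imaging must match a fresh hash of
# the image file, otherwise the copy is not what was read from the subject.
verify_image() {
    actual=$(md5sum "$1" | awk '{print $1}')
    [ "$actual" = "$2" ]
}

# Steps 10 to 13 end to end (needs root, open-iscsi, dc3dd; assumed, not run here).
# Arguments: pmem target IQN from pmem_target, output image path.
acquire_pmem() {
    target=$1 image=$2
    before=$(fdisk -l 2>/dev/null)
    iscsiadm -m node --targetname="$target" --login || return 1
    sleep 2                                   # let udev create the device node
    after=$(fdisk -l 2>/dev/null)
    dev=$(new_device "$before" "$after")
    [ -n "$dev" ] || { echo "no new device appeared after login" >&2; return 1; }
    # dc3dd hashes the input as it copies and writes the hash to the log file.
    dc3dd if="$dev" of="$image" hash=md5 log="$image.log"
    iscsiadm -m node --targetname="$target" --logout
}
```

Run pmem_target on the examiner output first, then pass its result to acquire_pmem; compare the md5 line in the dc3dd log against verify_image before moving the image to Volatility.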
