From the course: Incident Response: Evidence Collection in Windows
Using CryptCat and Tee
- [Instructor] The next thing we need to talk about is Cryptcat and Tee. Cryptcat and Tee are two utility programs that we're going to use to capture volatile evidence from a Windows machine. Cryptcat is a utility program that's used to collect data from a Windows victim machine and send that output to our collection laptop. Now, this is going to be done over an encrypted tunnel using the Twofish encryption scheme. This allows us to connect our forensic laptop to the same network as the victim machine and be able to copy data from that victim machine over to our laptop. Now, the reason we use something like Cryptcat is because if our trusted tools disc is on a CD or DVD, we can't write information to it directly. And instead, we'll have to send it over the network back to our collection laptop. To do this, you'll enter the command, cryptcat, dash l, for listening, dash p, for port, and specify the port number. If you want…
Contents
- Evidence collection (2m 12s)
- Volatile and nonvolatile data (5m 45s)
- Acquiring a memory image in Windows (2m 24s)
- Acquiring a memory image in Windows in DumpIt (2m 8s)
- Using CryptCat and Tee (3m 51s)
- Collecting the data/time of the victim (2m 42s)
- Documenting the logged on users (1m 22s)
- Documenting open network connections (3m 11s)
- Documenting the running processes (2m 24s)
- Documenting any shared files (1m 11s)