Using Netcat

While using a USB drive meets our goals of not installing anything or creating new files on the subject system (with the exceptions noted above), it does not minimize our memory footprint. Copying to slow USB storage (especially USB 2.0 drives) leaves a significant amount of data sitting in the kernel's page cache while it drains to the device, which increases our memory footprint. For this reason, netcat is preferred whenever the subject system is connected to a network of reasonable speed and reliability.

Wired gigabit Ethernet is the most desirable medium. If you are forced to use wireless networking, do your best to ensure your forensics workstation has a strong signal from the access point. If neither of these is an option, you may be able to connect your forensics laptop directly to the subject system with a crossover cable (most gigabit interfaces negotiate the pairing automatically, so a standard patch cable usually works as well).

Realize that the subject system is probably set up to use Dynamic Host Configuration Protocol (DHCP), so if you go the direct-cable route you will either need to use static IP addresses on both ends or run a DHCP server on your forensics laptop. If the subject system has only one network interface and it would have to be disconnected, I recommend against the direct cable, as it will disturb the system too much. To temporarily set up a static IP on each end of the cable, issue the command sudo ifconfig {interface} down && sudo ifconfig {interface} {IP} netmask {netmask} up, i.e. sudo ifconfig eth0 down && sudo ifconfig eth0 192.168.1.1 netmask 255.255.255.0 up (on distributions that no longer ship ifconfig, the ip command does the same job). Make sure you give each end a different IP on the same subnet!

Setting up a netcat listener

You will need to set up one or more listeners on the forensics workstation. The syntax for setting up a listener is simple. Typing netcat -l {port} creates a listener bound to every network interface on the machine. Normally the received data should be stored in a file by redirecting netcat's output using > or >>. Recall that the difference between > and >> is that > overwrites an existing file, whereas >> appends to it if it already exists, which is the safer choice for evidence you do not want to clobber.

I recommend that you create a listener on the forensics workstation that receives the output of all the commands you wish to run on the subject system in a single log file. This keeps everything in one place. By default netcat terminates the listener as soon as the connected client closes its side of the connection (the end-of-file, or EOF, you get when the sender's command finishes). The -k option keeps the listener alive, accepting one connection after another, until you press Control-C in the terminal where you started netcat. The command to start the log file listener is netcat -k -l {port} >> {log file}, i.e. netcat -k -l 9999 >> example-log.txt. This command is shown in Figure 2.8. Note that while I have used netcat here, on most systems netcat and nc are symbolic links to the same program, so you can use whichever you prefer. Check which implementation you have, though: -k is supported by the OpenBSD netcat and by Nmap's ncat, but not by the traditional netcat (nc.traditional on Debian-derived systems), which will exit after the first connection regardless.

FIGURE 2.8

Running a netcat listener on the forensics workstation.
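As an added example (not code from the book, and not a substitute for netcat itself in the field), the following Python script models on the loopback interface what the two listener invocations do: the plain netcat -l {port} >> {log file} form exits after the first client sends EOF, so the second command's output has nowhere to go, while the -k form keeps accepting connections until it is stopped. The "subject system" output is constructed sample data, and the function names, the ### labels and the 127.0.0.1 addressing are assumptions made for the demonstration.

```python
"""Loopback model of `nc -l PORT >> log` versus `nc -k -l PORT >> log`.

Added example, not from the book: the listener thread stands in for
netcat on the forensics workstation, send_output() stands in for
`{ echo "### label"; command; } | nc WORKSTATION PORT` on the subject.
"""
import os
import socket
import tempfile
import threading

HOST = "127.0.0.1"  # assumption: loopback stands in for the workstation's address


def free_port() -> int:
    """Ask the kernel for an unused TCP port (the book uses a fixed 9999)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((HOST, 0))
        return s.getsockname()[1]


def listener(port, log_path, keep_open, ready, stop):
    """Append every byte received to log_path, like `nc [-k] -l PORT >> log`.

    keep_open=False mimics plain `nc -l`: exit after the first client's EOF.
    keep_open=True  mimics `nc -k -l`: keep accepting until stop is set.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((HOST, port))
    srv.listen(1)
    srv.settimeout(0.1)  # poll so the stop event (our Control-C) is honoured
    ready.set()
    with open(log_path, "ab") as log:  # "ab" is the >> in the shell command
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(5)
                while True:
                    chunk = conn.recv(4096)
                    if not chunk:  # client closed its side: EOF
                        break
                    log.write(chunk)
            log.flush()
            if not keep_open:
                break  # plain `nc -l` terminates here
    srv.close()


def send_output(port, label, payload: bytes) -> bool:
    """Subject-system side: ship a labelled command output to the listener.

    Returns True if the listener accepted and consumed it, False if the
    listener was already gone (the failure mode without -k).
    """
    try:
        with socket.create_connection((HOST, port), timeout=2) as c:
            c.sendall(f"### {label}\n".encode() + payload)
            c.shutdown(socket.SHUT_WR)  # EOF, as nc sends when stdin closes
            while c.recv(4096):  # wait for the peer to close: data consumed
                pass
    except (ConnectionRefusedError, ConnectionResetError, BrokenPipeError):
        return False
    return True


def demo(keep_open: bool):
    """Run one listener and send two command outputs; return (results, log)."""
    port = free_port()
    fd, path = tempfile.mkstemp(prefix="example-log-", suffix=".txt")
    os.close(fd)
    ready, stop = threading.Event(), threading.Event()
    t = threading.Thread(target=listener, args=(port, path, keep_open, ready, stop), daemon=True)
    t.start()
    ready.wait(2)
    results = []
    # Constructed sample outputs standing in for `date` and `uname -a`.
    results.append(send_output(port, "date", b"Mon Jan  1 00:00:00 UTC 2024\n"))
    if not keep_open:
        t.join(2)  # without -k the listener has already exited after the EOF
    results.append(send_output(port, "uname -a", b"Linux subject 5.15.0 x86_64 GNU/Linux\n"))
    stop.set()
    t.join(2)
    with open(path, "rb") as f:
        log = f.read().decode()
    os.unlink(path)
    return results, log


if __name__ == "__main__":
    for keep in (False, True):
        delivered, log = demo(keep)
        print(f"keep_open={keep}: delivered={delivered}\n{log}")
```

Without -k the second send is refused outright because nothing is listening any more; in a real collection the command on the subject system would appear to succeed (netcat simply fails to connect) and its output would be lost, which is why the -k listener and a single append-only log file are recommended above.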
