After booting, the tool launches a terminal interface from which the examiner can start applications such as TCPDump, Ethereal, Snort, Swatch and so on. The CD can thus be used for a preliminary analysis of the logs present on the machine, or for an analysis of the machine with the TASK/autopsy tool, which is more specific to the analysis of the hard disk. The correlation process in this case consists of comparing the logs present on the machine with those on other machines. The IRItaly CD therefore works essentially in very small environments, or even in one-to-one contexts, as illustrated in Fig. 7.

Here, T1, T2 and T3 represent various targets that may be booted with the IRItaly CD and connected to the main forensic workstation with the aid of Netcat or Cryptcat. As stated above, the main limitation of the fully functional CD is that it cannot be used in a distributed architecture, because of obvious management difficulties. However, the IRItaly workgroup is carrying out a series of tests of a new version of the CD that should resolve some of the above problems with the aid of other tools.
Fig. 7. IRItaly CD-ROM normal use.
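The one-to-one link described above, in which a booted target pipes evidence to the forensic workstation over Netcat or Cryptcat, is illustrated by the following added example; it is not code from the IRItaly CD or this chapter, uses plain Python sockets as a stand-in for the Netcat pipe, and adds a length prefix and SHA-256 trailer (an assumption of this example, not part of the tool) so the workstation can confirm that what it stored is what the target sent. The log line is constructed sample data.

```python
import hashlib
import socket
import struct
import threading

# Constructed sample artefact standing in for a log file on target T1.
SAMPLE_LOG = b"Jan 12 03:14:07 target1 sshd[1042]: Failed password for root from 192.0.2.10\n"
SAMPLE_LOG_SHA256 = hashlib.sha256(SAMPLE_LOG).hexdigest()
HASH_LEN = 32  # SHA-256 digest size in bytes

def send_evidence(host, port, data):
    """Target side: frame = 8-byte big-endian length, payload, SHA-256 of payload."""
    digest = hashlib.sha256(data).digest()
    with socket.create_connection((host, port)) as s:
        s.sendall(struct.pack(">Q", len(data)) + data + digest)
    return digest.hex()

def _recv_exact(conn, n):
    """Read exactly n bytes; a short read means the pipe broke mid-transfer."""
    buf = bytearray()
    while len(buf) < n:
        chunk = conn.recv(min(65536, n - len(buf)))
        if not chunk:
            raise ConnectionError("peer closed before %d bytes arrived" % n)
        buf += chunk
    return bytes(buf)

def receive_evidence(listener):
    """Workstation side: accept one target, return (data, claimed hash hex, verified?)."""
    conn, _ = listener.accept()
    with conn:
        (length,) = struct.unpack(">Q", _recv_exact(conn, 8))
        data = _recv_exact(conn, length)
        claimed = _recv_exact(conn, HASH_LEN)
    return data, claimed.hex(), verify_digest(data, claimed.hex())

def verify_digest(data, claimed_hex):
    """True only if the stored bytes hash to what the target reported."""
    return hashlib.sha256(data).hexdigest() == claimed_hex

def transfer_over_loopback(data):
    """Run both ends on 127.0.0.1 so the exchange can be exercised offline."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    result = {}
    t = threading.Thread(target=lambda: result.update(rx=receive_evidence(listener)))
    t.start()
    sent_hash = send_evidence("127.0.0.1", port, data)
    t.join()
    listener.close()
    stored, claimed_hex, ok = result["rx"]
    return stored, sent_hash, claimed_hex, ok
```

Record the hash the target printed on its console alongside the one the workstation computed; a mismatch means the copy is not evidence.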