Dedicated Server, a VPS or have your own remote machine.
I won't explain how to configure a server to accept SSH connections here; I hope you already know how to do this, and if not, you can find the documentation online or rent a server or a VPS to start experimenting with rsync over the network too. The network protocol is recognized automatically: you precede the remote path with the login name for the machine and its host, followed by a colon. For example, if you wish to copy remote data to your local computer, use:
$ rsync -a [user@host]:/folder1 /home/[username]/folder2
Here, [user@host] is the login name together with the IP address or domain of the machine. When needed, rsync will prompt you for the SSH password. If you changed the port of your server (TCP 22 by default) to another one for security reasons, you must tell rsync about it. In this case the parameter is slightly more complex, but still easy to apply:
$ rsync -a --rsh="ssh -p PORT" [user@host]:/folder1 /home/[username]/folder2
By default, rsync does not show the copy progress. This can be a problem, especially when you are not sure about the size of the file being copied or about the transfer speed. To see the remaining copy time, use the --progress parameter:
$ rsync -a --progress [user@host]:/folder1 /home/[username]/folder2
If instead you regularly make remote backups of directories that are already in place, but you don't want to download everything every time, you may also specify the maximum size (and, when needed, the minimum size too) of the files you are going to process. The parameters are --max-size and --min-size, as in the next example:
$ rsync -a --max-size=10M [user@host]:/folder1 /home/[username]/folder2
This way, files larger than 10 megabytes will be ignored.
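As an added example (not from the book), a small POSIX shell wrapper that assembles the pull commands shown above, passing the SSH port as a single --rsh argument and validating the port and the size limit before anything runs. The user, host and paths used in it are placeholders.

```sh
#!/bin/sh
# rsync_pull: copy a remote directory to the local machine over SSH.
# Arguments are assembled with "set --" so that the port option reaches
# ssh as one argument and remote paths are never re-parsed by a shell.
# RSYNC_CMD (default: rsync) lets a caller substitute the command, e.g. to
# print the argument list instead of transferring anything.
rsync_pull() {
  remote=$1 src=$2 dest=$3 port=${4:-22} max_size=${5:-}
  # The remote must be user@host; a bare path would silently become a local copy
  case $remote in
    ?*@?*) ;;
    *) echo "rsync_pull: remote must be user@host, got '$remote'" >&2; return 1 ;;
  esac
  # Port: digits only and inside the TCP range
  case $port in
    ''|*[!0-9]*) echo "rsync_pull: bad port '$port'" >&2; return 1 ;;
  esac
  if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
    echo "rsync_pull: port out of range '$port'" >&2; return 1
  fi
  set -- -a --progress
  # Non-default port: pass "--rsh=ssh -p N" as one argument (plain ASCII
  # quotes; a typographic quote would hand ssh a literal quote character)
  [ "$port" -eq 22 ] || set -- "$@" "--rsh=ssh -p $port"
  if [ -n "$max_size" ]; then
    # Accept only digits with an optional uppercase K/M/G suffix, as in 10M
    digits=${max_size%%[!0-9]*}
    suffix=${max_size#"$digits"}
    case "x$digits:$suffix" in
      x:*|*:[!KMG]*|*:??*) echo "rsync_pull: bad size '$max_size'" >&2; return 1 ;;
    esac
    set -- "$@" "--max-size=$max_size"
  fi
  ${RSYNC_CMD:-rsync} "$@" "$remote:$src" "$dest"
}
```

Set RSYNC_CMD='printf %s\n' to print the argument list one item per line without transferring anything, then call it unset to perform the real copy.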
7.6 Cold Boot RAM Extraction
If you have already used GNU/Linux distros designed for anonymity or pentesting, you will surely have noticed tools or modes for preventing RAM-level attacks. OK, let's take a step back.
RAM stands for Random Access Memory, the extremely fast memory used by operating systems and applications to provide values to the processor, which manipulates and distributes them across the different resources. RAM is the fastest memory in the computer because it doesn't sort data, which is only temporarily allocated to it; once you stop using your computer, the RAM loses all its data. If the RAM gets full (unlike an HDD/SSD), the system keeps on writing and reading, overwriting the older data.
RAM holds temporary data: when you write a Word file, for instance, it temporarily stores all the changes that have not been saved yet. Unlike other types of ROM memory, RAM is not encrypted at all. In IT, the most common type of RAM is DRAM (Dynamic Random Access Memory). Unlike SRAM (Static RAM), its architecture lets the surrounding system clear sectors in a short time and then add new elements. DRAM also includes sub-levels named DDR (does this sound familiar?). If you feel at home disassembling computers, you may know that RAM has currently reached the DDR4 standard; however, it's not rare to deal with DDR3 or even DDR2 types. As we said, when a computer shuts off, its RAM gets wiped. The question is: how does it get wiped?
7.6.1 How to perform CBRE
The following is research conducted in July 2008 in San Jose by a group of Princeton University researchers, together with the Electronic Frontier Foundation and Wind River Systems, who spoke at the USENIX Security Symposium, showing [102] how it's possible to extract data from RAM minutes after the computer has shut off, even after removing the RAM from the motherboard (Figure 29).
According to the research, DRAM is not erased immediately, which leaves enough time to perform forensic acquisition of the operating system's last state. The technique was demonstrated by successfully recovering encryption keys from some of the best-known software in the IT world (including BitLocker, TrueCrypt and FileVault), and it didn't require any particular tool. Furthermore, the research demonstrated that user login passwords or RSA private keys from an Apache web server can also be fetched from the OS X environment.