Pen testing logs

cyberbreeze

Newbie

Posts: 6

Joined: Thu May 21, 2009 6:46 pm

Location: New Zealand

Post Tue Feb 02, 2010 2:52 pm

Pen testing logs

Not being a pen tester, I have been wondering how one would keep track of the information gathered during the test.

The way I see it, there is always the possibility of needing information you have gathered for legal/forensic reasons later, so I imagine the amount of data kept and its integrity should be high.

Not only that but there is tons of information to sift through on Google, etc.

Where would you keep and collate this? Is there a tool for this sort of thing? Do you just create a new SQL database every time? Do you need to use a keystroke logger on your own machine plus some kind of MITM logger on the network?  ???

That is actually quite a lot of questions, sorry.  :)
C|EH

UNIX

Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Tue Feb 02, 2010 3:00 pm

Re: Pen testing logs

I read that often similar tools such as keyloggers and desktop-monitoring software are used, not only to document everything, but also to have some kind of backup. Documentation is the a-and-o of pentesting.

In terms of forensic tasks usually a copy of the target system is taken and then used for analysis - the original is most often stored in a safe or similar secure environment. There are some members here which can certainly give you more detailed and accurate information on this one. ;)

hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Tue Feb 02, 2010 3:07 pm

Re: Pen testing logs

Hi Breeze.

The answers you get will vary, to an extent.  It depends upon what tools you / the tester use.  Many tools (such as Core Impact) set up a separate project with its own mini database and logs, for each project you are doing.  GFI LANguard behaves similarly, for record-keeping, for an individual test scenario.  But when using BackTrack or other tools, you often use other means and data folders for record-keeping, where you may file screen captures, logs, files you extracted from a customer machine, etc.  It's sort of based upon the tester, as to how you want to keep records, but you're absolutely correct, in that ALL records should be kept, both for clarification of what steps and tests were performed, as well as for your own safety, after the testing is performed, to cover your backside.  And as for how any / all of this data is collected to begin with, each tester has their own preferences, but in the end, it could be keyloggers, packet captures, screen captures, or any one of MANY other methods of capturing your activities for record.

Once my tests have been completed and the customer has signed off on the deliverables, I securely archive all of the data (won't go into how, as again, this changes per tester, and I prefer to keep my methods to myself,  ;) ) and file it away, for future reference, if absolutely necessary.  (Otherwise I never open it again.)

Hope that helps, at least a little bit...
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP, GPEN, C|EH

cyberbreeze

Newbie

Posts: 6

Joined: Thu May 21, 2009 6:46 pm

Location: New Zealand

Post Tue Feb 02, 2010 4:32 pm

Re: Pen testing logs

Wow, thanks for the quick response guys.

This was kind of what I was expecting, that it is down to preference. I have not yet used Core Impact or GFI LANguard, so that is probably my next step. It seems like to get a good, repeatable technique going for logging this info you would almost need a virtual enterprise environment that you could just build and disassemble at the start and end of a project.

Hayabusa, you also raised another interesting point about storage of such data. I know you don't want to give away your methods, but I would guess people use HDDs in safe deposit boxes ??? But then you have a constant overhead, so a safe, maybe? Any online storage would seem too risky. ::)

Don't want to pry, I'm just interested.
C|EH

hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Tue Feb 02, 2010 4:40 pm

Re: Pen testing logs

I won't discuss as far as safe deposit boxes, but I will tell you that in my case, all data, first is safely tar'd / zipped up into a passworded file and stored on encrypted file store, and I then store the encrypted files in an undisclosed, 'safe' location.

Again, as with the logging, it's all about preference, and you sort of have to work out what's best for you and for your customers' satisfaction and safety.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP, GPEN, C|EH
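The integrity point cyberbreeze raised in the first post, and hayabusa's "tar it up, then put it on an encrypted store" step above, can be combined into a small evidence-packaging helper. This is an added example, not code from any poster: it hashes every artefact into a SHA-256 manifest before the tarball is built, and later verifies the tarball against that manifest without extracting anything, so a file that was altered or lost after collection is flagged. The manifest file name, the `evidence/` archive prefix and the sample artefacts are all constructed for the example; encrypting the resulting tarball is left to whatever encrypted store you use (TrueCrypt, LUKS, gpg, etc.).

```python
import hashlib, json, tarfile, tempfile
from pathlib import Path
MANIFEST = "MANIFEST.sha256.json"  # manifest file name chosen for this example

def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def write_manifest(evidence_dir: Path) -> dict:
    """Hash every file under evidence_dir and write the manifest beside them."""
    manifest = {p.relative_to(evidence_dir).as_posix(): sha256_bytes(p.read_bytes())
                for p in sorted(evidence_dir.rglob("*"))
                if p.is_file() and p.name != MANIFEST}
    (evidence_dir / MANIFEST).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest

def tar_evidence(evidence_dir: Path, archive: Path) -> None:
    # Bundle the directory (manifest included) into a gzip'd tarball.
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(evidence_dir, arcname="evidence")

def verify_archive(archive: Path) -> list:
    """Return manifest entries missing or altered in the tarball ([] = intact).
    Members are read straight from the archive; nothing is extracted to disk."""
    with tarfile.open(archive, "r:gz") as tar:
        members = {m.name: m for m in tar.getmembers() if m.isfile()}
        manifest = json.loads(tar.extractfile(members["evidence/" + MANIFEST]).read())
        bad = []
        for rel, expected in manifest.items():
            m = members.get("evidence/" + rel)
            if m is None or sha256_bytes(tar.extractfile(m).read()) != expected:
                bad.append(rel)
    return bad

def make_sample_evidence() -> Path:
    """Constructed sample artefacts (not real engagement data) in a fresh temp dir."""
    d = Path(tempfile.mkdtemp()) / "evidence"
    (d / "captures").mkdir(parents=True)
    (d / "notes.txt").write_text("2010-02-02 host A: service banner captured\n")
    (d / "captures" / "session.pcap").write_bytes(b"\xd4\xc3\xb2\xa1" + b"\x00" * 20)
    return d

def demo() -> tuple:
    """Archive + verify the sample, then edit notes.txt after the manifest was written and re-archive."""
    d = make_sample_evidence()
    archive = d.parent / "evidence.tar.gz"
    write_manifest(d)
    tar_evidence(d, archive)
    clean = verify_archive(archive)
    (d / "notes.txt").write_text("edited after the fact\n")
    tar_evidence(d, archive)
    return clean, verify_archive(archive)
```

`demo()` returns `([], ["notes.txt"])`: the first verification passes, the second catches the file changed after the manifest was written. Keeping a copy of the manifest hash outside the archive (for example in the signed-off deliverable) is what stops someone from simply regenerating the manifest along with the edit.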

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Tue Feb 02, 2010 5:09 pm

Re: Pen testing logs

Like hayabusa said, I too maintain all my captures, screenshots, logs, and other output on a TrueCrypt drive.  If I am really paranoid and I am testing something I think may crash, I may record the entire session in Wireshark or tcpdump.  I have another TrueCrypt encrypted USB drive for such purposes. 
~~~~~~~~~~~~~~
Ketchup
