Monday, July 17, 2006

Live Incident Response Tools

I replied to a post on the Security Focus "Forensics" mailing list today in response to someone asking about other "live incident response" tools like the one Matthew Shannon was pimping, Nigilant32. I'm gonna poke Matt a little because he is a fellow graduate from the University of Florida DIS program.

To quote the Nigilant32 site:
Nigilant32 is an incident response tool designed to capture as much information as possible from a running system with the smallest potential impact. Nigilant32 has been developed with Windows 2000, XP, and 2003 in mind, and should work fine with computers running one of those operating systems. Nigilant32 is beta software and may not work in all instances.
What is the point of this tool? What itch does it scratch that one of the tools below does not? Well, the only feature I tested--that is not included by a tool listed below--was the live preview allowing you to look at a filesystem on a live system. Would I ever use that functionality? No, I do not want to spend any more time on a live system than I have to when doing incident response. The likelihood of destroying evidence increases with every second that a system is running, and that likelihood increases substantially if you are moving the mouse around, running tools and "previewing disks."

Coincidentally, the fact he states "Nigilant32 is beta software and may not work in all instances" is very true. I found that when trying to preview a USB drive, the program completely crashed. In fact, the only drive I was able to preview was the C:\ drive. I'll have to go back and read the accompanying articles to see if this is a known problem. I'd also like to find out how the previewing is handled; for example, is it done on such a low level under the Windows API that the file access times are not modified?

I am going to try and make it to the InfraGard meeting in Jacksonville on Tuesday to listen to a forensics talk. I wonder if he will mention live response...if so, I will blog about it later.

For now, enjoy this list. If you know of any others or have experiences with these you'd like to share, let me know.

Forensic Server Project by Harlan Carvey
- http://windows-ir.com/fsp.html
- http://windowsir.blogspot.com/
- Written in Perl with compiled code for Windows. Can be cross
platform. Very customizable. Client/Server architecture

WFT (Windows Forensic Toolchest) by Monty McDougal
- http://www.foolmoon.net/security/wft/
- Executable with config file. Very customizable. Windows only. Can
define rules for touching the drive, slow acquisitions or touch as
little as possible. Checksums tools before running.

First Response by Mandiant (Kevin Mandia's crew)
- http://www.mandiant.com/firstresponse.htm
- Client/server architecture. Windows only. Best if deployed within
organization prior to incident. Provides quick readability of info to
determine if incident has occurred so you can respond properly.

FRISK by John "Four" Flynn
- http://sourceforge.net/projects/frisk
- Windows, but could be cross-platform. Written in Perl and uses Cygwin.
May not be actively developed anymore. Provides client/server if using
the included web server CGI.
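As an added example (not code from this post, nor from WFT, FSP, First Response or FRISK), here is a small Python runner in the spirit of what WFT's config file and checksum step do: verify every tool in the kit against a SHA-256 manifest computed beforehand on a trusted workstation, run the collection steps in a fixed order, and hash each captured output so the log can later show the capture was not altered. The toolkit directory, manifest, "fake_tool.exe" and the collection step in `self_check()` are constructed for illustration only.

```python
"""Hash-checked live response runner (added example, not from the original post).

Assumptions, labelled as such: a read-only toolkit directory, a manifest of
SHA-256 digests computed beforehand on a trusted workstation, and an output
directory on removable media or a share so nothing is written to the suspect disk.
"""
import hashlib
import json
import os
import subprocess
import sys
import tempfile
import time


def sha256_file(path, chunk=1 << 20):
    """SHA-256 of a file, read in chunks so a large tool is not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def make_manifest(tool_dir, names):
    """Build {tool name: sha256}; run this on the trusted workstation, before the incident."""
    return {n: sha256_file(os.path.join(tool_dir, n)) for n in names}


def verify_toolkit(tool_dir, manifest):
    """Check every tool against the manifest. Returns (ok, [(name, reason), ...])."""
    failures = []
    for name, expected in manifest.items():
        path = os.path.join(tool_dir, name)
        if not os.path.isfile(path):
            failures.append((name, "missing"))
        elif sha256_file(path).lower() != expected.lower():
            failures.append((name, "hash mismatch"))
    return (not failures, failures)


def run_step(cmd, out_dir, label, timeout=120):
    """Run one collection command; save its stdout, hash it, and return a log record."""
    started = time.time()
    proc = subprocess.run(cmd, capture_output=True, timeout=timeout)
    out_path = os.path.join(out_dir, label + ".txt")
    with open(out_path, "wb") as f:
        f.write(proc.stdout)
    return {
        "label": label,
        "cmd": cmd,
        "rc": proc.returncode,
        "started": started,
        "seconds": round(time.time() - started, 3),
        "output_file": out_path,
        "output_sha256": sha256_file(out_path),  # proves the capture was not altered later
        "stderr": proc.stderr.decode(errors="replace")[:500],
    }


def collect(steps, out_dir):
    """Run steps in the given order (most volatile first), write a JSON log, return records."""
    os.makedirs(out_dir, exist_ok=True)
    records = [run_step(cmd, out_dir, label) for label, cmd in steps]
    with open(os.path.join(out_dir, "collection_log.json"), "w") as f:
        json.dump(records, f, indent=2)
    return records


def self_check():
    """Offline demonstration on a constructed toolkit; returns what was observed."""
    with tempfile.TemporaryDirectory() as tmp:
        tool_dir = os.path.join(tmp, "tools")
        os.makedirs(tool_dir)
        tool = os.path.join(tool_dir, "fake_tool.exe")  # constructed stand-in, not a real binary
        with open(tool, "wb") as f:
            f.write(b"trusted tool bytes")
        manifest = make_manifest(tool_dir, ["fake_tool.exe"])
        clean_ok, _ = verify_toolkit(tool_dir, manifest)
        with open(tool, "ab") as f:  # simulate a tool swapped out or trojaned on the kit
            f.write(b"x")
        tampered_ok, failures = verify_toolkit(tool_dir, manifest)
        # A harmless, cross-platform stand-in for a real step such as "netstat -ano".
        step = ("interpreter_version", [sys.executable, "-c", "import sys; print(sys.version)"])
        records = collect([step], os.path.join(tmp, "out"))
        return {
            "clean_ok": clean_ok,
            "tampered_ok": tampered_ok,
            "failure_reason": failures[0][1] if failures else None,
            "rc": records[0]["rc"],
            "output_sha256_len": len(records[0]["output_sha256"]),
        }


if __name__ == "__main__":
    # Real use: verify_toolkit() first and abort on any failure, then collect() in
    # order of volatility (e.g. on Windows: netstat -ano, tasklist /v, ipconfig /all)
    # before anything that touches the disk.
    print(self_check())
```

Two caveats a practitioner should keep in mind: the runner itself (here the Python interpreter) is part of the footprint and loads libraries from the suspect host, which is why the tools on this page ship compiled binaries or statically built helpers; and the hash check only proves the kit matches what you packaged, so the manifest must live somewhere the suspect machine cannot modify.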

Friday, July 14, 2006

It's Official: I am a CISSP

I've finally done it! Well, the finally part is more to the fact that I took the exam on May 13, passed it and just finally sent in my resume almost TWO MONTHS later. I'm not sure why it took me so long to send it in. It could be that I didn't enjoy the whole CISSP process. In Feb, I attended SANS' CISSP prep class in Orlando. It was a good class, and I would probably think it helped me more if I had been able to take the test a week or two later, but I couldn't. The next availability in the area was almost two months after the prep class. When the exam was about two weeks away, I started taking practice exams every day until I was ready to barf CISSP material. Finally, when the test rolled around, I thought it was quite difficult...not because of the material, but because of the way the questions were asked. Now, I probably can't talk about it any further because of the "Fight Club" agreement I had to sign when taking the exam, but I can say I did not enjoy it at all, and the bad taste left in my mouth is probably why I didn't rush to send in my resume in order to complete the process.

I don't really want to complain about the whole process, but I am glad it is over, and I definitely have a feeling of accomplishment having done it. (Plus, it can't hurt to have on my resume;)

Monday, July 10, 2006

Zone Lab Blog on VA Laptop Forensics

I had been wanting to post about this topic for a while but seem to get a little fired up whenever I think about it at length. So, instead of ranting, I thought I would simply post a link to a good write-up from Zone Labs. Take a look and let me know what you think.

Also, Jordan has a BUZZCUT that will be posted on Network Computing soon about the same topic. I haven't read it, yet, but I am sure it will be a worthwhile read.