Monday, July 17, 2006

Live Incident Response Tools

I replied to a post on the Security Focus "Forensics" mailing list today in response to someone asking about other "live incident response" tools like the one Matthew Shannon was pimping, Nigilant32. I'm gonna poke Matt a little because he is a fellow graduate from the University of Florida DIS program.

To quote the Nigilant32 site:
Nigilant32 is an incident response tool designed to capture as much information as possible from a running system with the smallest potential impact. Nigilant32 has been developed with Windows 2000, XP, and 2003 in mind, and should work fine with computers running one of those operating systems. Nigilant32 is beta software and may not work in all instances.
What is the point of this tool? What itch does it scratch that one of the tools below do not? Well, the only feature I tested--that is not included by a tool listed below--was the live preview allowing you to look at a filesystem on a live system. Would I ever use that functionality? No, I do not want to spend any more time on a live system than I have to when doing incident response. The likelihood of destroying evidence increased with every second that a system is running, and that likelihood increases substantially if you are moving the mouse around, running tools and "previewing disks."

Coincidentally, the fact he states "Nigilant32 is beta software and may not work in all instances" is very true. I found that when trying to preview a USB drive, the program completely crashed. In fact, the only drive I was able to preview was the C:\ drive. I'll have to go back and read the accompanying articles to see if this is a known problem. I'd also like to find out how the previewing is handled; for example, is it done on such a low level under the Windows API that the file access times are not modified?

I am going to try and make it to the InfraGard meeting in Jacksonville on Tuesday to listen to a forensics talk. I wonder if he will mention live response...if so, I will blog about it later.

For now, enjoy this list. If you know of any others or have experiences with these you'd like to share, let me know.

Forensic Server Project by Harlan Carvey
- http://windows-ir.com/fsp.html
- http://windowsir.blogspot.com/
- Written in Perl with compiled code for Windows. Can be cross
platform. Very customizable. Client/Server architecture

WFT (Window Forensic Toolchest) by Monty McDougal
- http://www.foolmoon.net/security/wft/
- Executable with config file. Very customizable. Windows only. Can
define rules for touching the drive, slow acquisitions or touch as
little as possible. Checksums tools before running.

First Response by Mandiant (Kevin Mandia's crew)
- http://www.mandiant.com/firstresponse.htm
- Client/server architecture. Windows only. Best if deployed within
organization prior to incident. Provides quick readability of info to
determine if incident has occurred so you can respond properly.

FRISK by John "Four" Flynn
- http://sourceforge.net/projects/frisk
- Window but could be cross platform. Written in Perl and uses Cygwin.
May not be actively developed anymore. Provides client/server if using
the included web server cgi.

2 comments:

Rick Schoellhorn said...

Geez Dad - I don't even understand most of what you are saying...laughter

This is Rick, just got back from Canada, let me know if you still might have some time next week. My network has fallen and I can't get up...

Don't you just love Eran's latest track? Ouch

Anonymous said...

Thanks for taking the time to try out Nigilant32.

Chances are the thumb drive issue is a sleuthkit code issue, most likely it's encountering something on that FAT filesystem it doesn't like.

M Shannon