USB-Based Incident Response Tools

Last month's "Using USBs For Incident Response" blog garnered a lot of e-mail responses asking about what tools are available, free or commercial, and how easy they were to use. While there isn't an "EASY" button that makes incident response and digital forensics easy for the layperson, there are tools that enable first responders to arrive on scene, pop a USB flash drive (or hard drive), grab volatile data, and get out with minimal impact to the system.Sounds great, right? Well, before I get into some of the available solutions, I want to make sure I stress the important caveat that these tools *will* make changes to the system you use them on. You need to test them and understand their impact before using them in the field. This way you can explain to the judge and jury why you made changes to the system and what those changes were when opposing counsel targets your methods.

OK, now that the legal disclaimer is done, let's have some fun. Numerous tools are available. Some are available only to law enforcement, and some are free. They all vary a little in the amount of information they gather and whether they grab volatile data using tools like Sysinternals that you have to download separately or if everything comes prepackaged and ready to rock.

There's been a lot of buzz around Microsoft's Computer Online Forensic Evidence Extractor (a.k.a. COFEE) tool. It is provided free to law enforcement, but there are reports that they latest version was leaked last week. If you are law enforcement and would like a copy, it is currently be distributed by NW3C.

Helix has always been at the top of my recommendation list for CD-based response, and until this year, it was free. The current version is available with a support forum subscription that runs less than $200. The makers of Helix, e-fense, have released a new product that is USB-based called Live Response. I'm not sure the current pricing, but if you're looking for a commercial solution backended by a company who knows incident response, this is a good option.

Drive Prophet is another commercial solution that I've heard good things about, but have not used myself.

I know I've mentioned CAINE before as an alternative to Helix when e-fense changed Helix to a subscription model. Caine is a very well-designed free solution and was just updated to version 1.0. There is a USB-based version called NBCAINE, which was started as a solution for netbook laptops that typically do not have a CD-ROM drive. I tested NBCAINE last week and it worked quite well.

If you want to take a more hands-on approach, you can roll-your-own using several great projects out there. The first is with the Windows Forensic Toolchest. There is now a commercial version but you can download it and see how well it might work for your environment. A similar tool is MIR-ROR available here and there's a good write-up about it here. Last, but not least, there's RAPIER.

As you can see, there's loads of options. You can pay for something that's ready to go as soon it shows up in your mailbox or you can build your own. Take them for a test drive and see what works best for your particular requirements.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.