OK, now that the legal disclaimer is done, let's have some fun. Numerous tools are available. Some are available only to law enforcement, and some are free. They all vary a little in the amount of information they gather and whether they grab volatile data using tools like Sysinternals that you have to download separately or if everything comes prepackaged and ready to rock.
There's been a lot of buzz around Microsoft's Computer Online Forensic Evidence Extractor (a.k.a. COFEE) tool. It is provided free to law enforcement, but there are reports that they latest version was leaked last week. If you are law enforcement and would like a copy, it is currently be distributed by NW3C.
Helix has always been at the top of my recommendation list for CD-based response, and until this year, it was free. The current version is available with a support forum subscription that runs less than $200. The makers of Helix, e-fense, have released a new product that is USB-based called Live Response. I'm not sure the current pricing, but if you're looking for a commercial solution backended by a company who knows incident response, this is a good option.
Drive Prophet is another commercial solution that I've heard good things about, but have not used myself.
I know I've mentioned CAINE before as an alternative to Helix when e-fense changed Helix to a subscription model. Caine is a very well-designed free solution and was just updated to version 1.0. There is a USB-based version called NBCAINE, which was started as a solution for netbook laptops that typically do not have a CD-ROM drive. I tested NBCAINE last week and it worked quite well.
If you want to take a more hands-on approach, you can roll-your-own using several great projects out there. The first is with the Windows Forensic Toolchest. There is now a commercial version but you can download it and see how well it might work for your environment. A similar tool is MIR-ROR available here and there's a good write-up about it here. Last, but not least, there's RAPIER.
As you can see, there's loads of options. You can pay for something that's ready to go as soon it shows up in your mailbox or you can build your own. Take them for a test drive and see what works best for your particular requirements.
John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.