Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

11/9/2009
01:46 PM
John H. Sawyer
John H. Sawyer
Commentary
50%
50%

USB-Based Incident Response Tools

Last month's "Using USBs For Incident Response" blog garnered a lot of e-mail responses asking about what tools are available, free or commercial, and how easy they were to use. While there isn't an "EASY" button that makes incident response and digital forensics easy for the layperson, there are tools that enable first responders to arrive on scene, pop a USB flash drive (or hard drive), grab volati

Last month's "Using USBs For Incident Response" blog garnered a lot of e-mail responses asking about what tools are available, free or commercial, and how easy they were to use. While there isn't an "EASY" button that makes incident response and digital forensics easy for the layperson, there are tools that enable first responders to arrive on scene, pop a USB flash drive (or hard drive), grab volatile data, and get out with minimal impact to the system.Sounds great, right? Well, before I get into some of the available solutions, I want to make sure I stress the important caveat that these tools *will* make changes to the system you use them on. You need to test them and understand their impact before using them in the field. This way you can explain to the judge and jury why you made changes to the system and what those changes were when opposing counsel targets your methods.

OK, now that the legal disclaimer is done, let's have some fun. Numerous tools are available. Some are available only to law enforcement, and some are free. They all vary a little in the amount of information they gather and whether they grab volatile data using tools like Sysinternals that you have to download separately or if everything comes prepackaged and ready to rock.

There's been a lot of buzz around Microsoft's Computer Online Forensic Evidence Extractor (a.k.a. COFEE) tool. It is provided free to law enforcement, but there are reports that they latest version was leaked last week. If you are law enforcement and would like a copy, it is currently be distributed by NW3C.

Helix has always been at the top of my recommendation list for CD-based response, and until this year, it was free. The current version is available with a support forum subscription that runs less than $200. The makers of Helix, e-fense, have released a new product that is USB-based called Live Response. I'm not sure the current pricing, but if you're looking for a commercial solution backended by a company who knows incident response, this is a good option.

Drive Prophet is another commercial solution that I've heard good things about, but have not used myself.

I know I've mentioned CAINE before as an alternative to Helix when e-fense changed Helix to a subscription model. Caine is a very well-designed free solution and was just updated to version 1.0. There is a USB-based version called NBCAINE, which was started as a solution for netbook laptops that typically do not have a CD-ROM drive. I tested NBCAINE last week and it worked quite well.

If you want to take a more hands-on approach, you can roll-your-own using several great projects out there. The first is with the Windows Forensic Toolchest. There is now a commercial version but you can download it and see how well it might work for your environment. A similar tool is MIR-ROR available here and there's a good write-up about it here. Last, but not least, there's RAPIER.

As you can see, there's loads of options. You can pay for something that's ready to go as soon it shows up in your mailbox or you can build your own. Take them for a test drive and see what works best for your particular requirements.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
devidhenry
50%
50%
devidhenry,
User Rank: Apprentice
11/21/2018 | 2:09:19 PM
USB
In today's date USB is great for all, so for that, I have some different tricks, if you interested with it then you will do one thing you just read the blog and after that, you just use it which is great for all.  For further about it 

epson error code 0x97 just visit with it which is great for all.
News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3035
PUBLISHED: 2021-04-20
An unsafe deserialization vulnerability in Bridgecrew Checkov by Prisma Cloud allows arbitrary code execution when processing a malicious terraform file. This issue impacts Checkov 2.0 versions earlier than Checkov 2.0.26. Checkov 1.0 versions are not impacted.
CVE-2021-3036
PUBLISHED: 2021-04-20
An information exposure through log file vulnerability exists in Palo Alto Networks PAN-OS software where secrets in PAN-OS XML API requests are logged in cleartext to the web server logs when the API is used incorrectly. This vulnerability applies only to PAN-OS appliances that are configured to us...
CVE-2021-3037
PUBLISHED: 2021-04-20
An information exposure through log file vulnerability exists in Palo Alto Networks PAN-OS software where the connection details for a scheduled configuration export are logged in system logs. Logged information includes the cleartext username, password, and IP address used to export the PAN-OS conf...
CVE-2021-3038
PUBLISHED: 2021-04-20
A denial-of-service (DoS) vulnerability in Palo Alto Networks GlobalProtect app on Windows systems allows a limited Windows user to send specifically-crafted input to the GlobalProtect app that results in a Windows blue screen of death (BSOD) error. This issue impacts: GlobalProtect app 5.1 versions...
CVE-2021-3506
PUBLISHED: 2021-04-19
An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c in the f2fs module in the Linux kernel in versions before 5.12.0-rc4. A bounds check failure allows a local attacker to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The hi...