
HB Gary Responder Field Edition Evaluation

I decided it was time to set my first steps in memory forensics, and was given the opportunity by HBGary’s friendly folks to use the evaluation version of their Responder suite for 2 weeks.

At a first glance, the Responder’s user interface has a very intuitive look and feel to it. I expected that there would be an option to create the memory image, but as far as I have found it can only import pre-existing images. No biggie, this gives me the chance to have a look at ManTech’s MDD as well.

MDD is easy and straightforward: just append the -o switch to tell it where to dump the memory to, and off it goes. After about 2 minutes, the memory image was created and an MD5 was generated automagically. Nice!
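As an added example (not code from the post, from ManTech or from HBGary), here is a small Python check that recomputes the MD5 MDD reports for a dump and compares it, together with an optional size check, before the image goes into an analysis tool like Responder. The file name and the sample bytes are constructed for illustration.

```python
import hashlib
import os
import tempfile

# MDD writes the dump to the path given with -o and prints its MD5. Record that
# value; before importing the image, recompute the hash to catch a copy that was
# altered or truncated on the way to the analysis workstation.

CHUNK = 1024 * 1024  # read 1 MiB at a time, since RAM images are large


def md5_of_file(path):
    """Hex MD5 of a file, streamed so multi-GB images do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(path, recorded_md5, expected_size=None):
    """Return (ok, reason). A size mismatch is reported before hashing, which is cheaper."""
    if expected_size is not None and os.path.getsize(path) != expected_size:
        return False, "size mismatch"
    if md5_of_file(path) != recorded_md5.strip().lower():
        return False, "md5 mismatch"
    return True, "ok"


def verify_sample(data, recorded_md5, expected_size=None):
    """Write constructed bytes to a temporary 'memory.dd' (hypothetical name) and verify it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "memory.dd")
        with open(path, "wb") as f:
            f.write(data)
        return verify_image(path, recorded_md5, expected_size)


if __name__ == "__main__":
    # RFC 1321 test vector for "abc", standing in for the hash MDD printed.
    print(verify_sample(b"abc", "900150983cd24fb0d6963f7d28e17f72", 3))
```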


NOTE: I noticed in the evaluation guide that HB Gary’s own Fastdump Pro software was included for acquiring RAM… too late :(

Now let’s head back to the Responder. As there’s not much to clickety-click on at first, I created a new project and began importing my freshly created memory image.



After running through a bunch of different phases of processing the image, the Responder drew my attention to some modules that might be suspicious and asked whether I’d like to analyse them further. I already recognised my Check Point SecureClient in the list, but hey, who knows what else this VPN client is capable of, so I just selected all modules and sat back while the Responder extracted and disassembled the potentially suspicious modules.


Once done, it kicked off some more plug-ins such as malware analysis, and in about 30 minutes altogether the image was imported.

Now all that’s left to do is to click through the results, and I have to say, it’s amazing what this software finds. It lists pretty much everything, from hardware interrupts to running processes, keyword search results, open files, network sockets and registry keys at the time of memory imaging.


What’s interesting too, is that not only can you view lists of all this, you can also view this information per process and drill down into it.


The Responder also has what seems to be a very nice reporting engine behind it, as it can export results to various formats such as PDF, TXT, HTML, etcetera. I haven’t been able to test this in the evaluation version, but it looks promising as far as I can tell.

Although I haven’t had enough free time to go into as much detail as I wanted, I can already see that if I were to work in incident response or forensics one day, this is what I’d want in my toolkit. From the evaluation guide I received, you can tell how much thought HB Gary put into this tool, even if only for evaluation purposes. The guide points to several useful online videos and explains different situations the application could be used in. Further, it lists suggested tests one could do to evaluate the software. Very useful for labs that haven’t used the software yet and want to verify its workings thoroughly!

A big thank you to Bob from HB Gary for giving me the chance to play with this amazing piece of software. A couple of days ago he informed me that not all features are available in the evaluation software, but the final shipping software is also able to search through the pagefile for keys and passwords, and parse internet history (including timestamps!), emails and other documents. Love it!
