Tuesday, February 17, 2009

HBGary: FastDump and Responder

Thanks to Rich Cummings, I was recently able to take a look at HBGary products that they offer with respect to physical memory collection and analysis; specifically, FastDump Pro and Responder Professional.

First, the FastDump product is pretty cool. The free version of the tool allows you to dump the contents of physical memory from pre-Windows 2003 SP 1 systems (XP, Windows 2003 w/ no Service Pack). Now, a lot of folks are going to look at FastDump Pro and wonder why it's available for a fee; well a close look at the write up for the FastDump Pro should very quickly make anyone realize that the tool is definitely worth what they're charging; FDPro is not encumbered by the 4GB limit, works up to Windows 2008 (Windows 7 Ultimate Beta shouldn't be a problem, either), and it handles both 32- and 64-bit versions of Windows. That's A LOT packed into a $100 executable! FDPro also has the capability to incorporate collection from the pagefile, as well; however, in the limited testing I've done so far, analysis tools other than Responder won't necessarily "understand" the .hpak format.

Before we look at the Responder product, I'll have to upfront about my testing...my focus was incident response, and I really didn't intend to fully exploit Responder's malware analysis capabilities. So, essentially, while I had access to an evaluation version of the Responder Pro product, I was really using what amounted to the capabilities in the Field Edition. However, one of the things I've really been pushing with respect to incident response is speed...when an incident occurs, information collection and analysis needs to start as soon as possible, and tools like FastDump Pro and F-Response give you that speed in collection; Responder gives you speed in analysis for a range of Windows operating systems through a common interface.

So I started off by creating a case in Responder and loading the first memory dump/snapshot from the DFRWS 2005 Memory Challenge. Now, the snapshot can be a raw memory dump, collected via dd.exe (no longer available), F-Response + {enter a tool here}, FastDump, FastDump Pro, etc. Responder will identify the operating system of the memory dump and extract a good deal of information, making it available to the responder via the user interface (UI). So, once the memory dump has been collected, it just takes a couple of mouse clicks to get to the point where the responder is actually looking at the contents of the memory dump, viewing things such as the active process list, network connections, etc.

When I first looked at the Responder product a bit ago, as an incident responder, one of the issues I had as being able to quickly and easily find what I was looking for...in particular, the command line used to launch each of the processes in the active process list. Well, not only is this now available in the current version of the product, but you can also drag the columns in the UI to a more suitable location. For example, I dragged the column for the process command line over to line up the process name, PID, parent PID, and command line so that I could see everything together and quickly run through the entries.

You can also view the open network sockets from the memory dump in a very netstat-like format. An option that the Responder product provides is the ability to export the data you're viewing in a variety of formats (Note: the export functionality was disabled in the evaluation version). This allows you to use either screen scrapes of the Responder UI or exports of the data for reporting, or you export the data you've got and use tools similar to Gleeda's vol2html.pl to modify the format a bit.

Now, one of the options when importing a snapshot is to "Extract and Analyze All Suspicious Binaries"; this allows for a modicum of analysis to occur while importing the snapshot. What is "suspicious" is defined by rules visible in a text file, which means that as you become more familiar with the tool, you can comment out some of the rules, uncomment some, or add your own.

With Responder, you can also view the open handles and network sockets for a specific process, view, analyze, or save a copy of a binary (exe or DLL/module), run strings against a binary, etc. There is a great deal of capability in this tool, and there's no way I'm even beginning to scratch the surface. From an IR perspective, tools like this provide the first responder with a means of getting answers quickly, while at the same time being able to "answer new questions later". This is an extremely powerful capability...imagine quickly triaging an incident and being able to narrow down from your 500 possible systems the 12 or so that may be "in scope". Consider the cost savings. And when you do acquire physical memory, you've also got a copy of the malware (if there is any) in an unencrypted, un-obfuscated state.

Admittedly, Responder doesn't give you the same granularity, deep-dive capabilities, and flexibility of Volatility, but it does allow you to import memory snapshots from a range of Windows versions and puts the tools in your hands to quickly get the answers you need; that in itself is a huge plus! Again, I did not really dig into the full spectrum of capabilities of FastDump Pro and Responder, so if you're interested in really exploiting HBGary's capabilities for doing malware analysis, you should definitely consider giving them a call.

4 comments:

hogfly said...

Harlan,
I too have a copy of responder from Rich. I've got to say I enjoy using it for malware analysis. It took a bit of getting used to, but it's been very useful.

Keydet89 said...

Very cool. I'm glad you're enjoying it. I can see how modifying the baserules.txt file would make the tool even more useful, particularly if a community sprung up around the tool and it's use...

hogfly said...

I'll be throwing up some stuff shortly about the tool when I can find some time this week. I've been creating lots of .vmem dumps to analyze 'in the wild' malware.

RC said...

Harlan,

Thanks very much for taking the time to evaluate and post about HBGary Responder and Fastdump Pro. HBGary really values and appreciates your insight as an incident responder on the front lines fighting the good fight everyday. We're glad you could see some immediate improvements since your testing of Responder and Fastdump last year.

Another thank you for giving Fastdump Pro high marks and recommending it to other incident responders in the field. I know all other memory imaging software is free so your recommendation speaks volumes seeing that we charge $100 for it. We worked very hard on FDPro and are pleased to have received nothing but positive feedback from those using it in the field so far.

I'd like to make a couple clarifications if I may.

1. Regarding HPAK File Format when performing a RAM and Pagefile.sys acquisition with FDPro. FDPro will currently only acquire RAM and Pagefile to an HBGary proprietary *.HPAK file. The HPAK format is used mainly for easy data and project management and pairing the computer sytems RAM with the associated pagefile. FDPro has a switch to export both the RAM and pagefile.sys from the HPAK file as RAW images to your location of choice so you can use other tools to verify findings etc.

2. Shameless Plug: "Responder Field Edition is now $979 per copy".


3. If anyone is interested in an evaluation of Responder or Fastdump please contact sales@hbgary.com.


Thanks Harlan,


-Rich

Rich Cummings
HBGary, Inc.