Monday, April 29, 2013

There Are Four Lights: Incident Response

When I first thought of what became the Forensic Scanner (free version available here), my goal was to provide a solution for getting analysts to the point of analyzing images acquired from systems sooner; that is, to optimize an analyst's time when it comes to dead-box analysis. Taking a page from Deming's book, my approach was to take a look at what could be optimized, and I figured that getting analysts to the point of actually doing analysis faster, by automating those tasks that we tend to do over and over again, would be a great way to speed things up a bit.

The Forensic Scanner was designed to be used by mounting an acquired image on your analysis system as an accessible volume.  You can mount acquired images using FTK Imager, ImDisk, ProDiscover, or even converting the image to a VHD using vhdtool.

One of the things that's come up since I started talking about the Forensic Scanner is the question of whether this tool can be used in the triage of live systems.  Now, the Scanner was not designed for this purpose, particularly because some of the Perl modules used do not work against the Registry on a live system - a different API is required.  However, as it turns out, with the right tools, you can, in fact, use the Forensic Scanner to triage remote live systems.  For example, if you have F-Response, you can use the Forensic Scanner to retrieve information from remote live systems. I've also heard from one person recently that they were able to use the Forensic Scanner via EnCase PDE.  I don't have any specifics about how they did this, and I am unable to test this myself.

If you don't have access to either of these tools, but still want to use the Forensic Scanner in an infrastructure, take a look at Andrew Hay's post regarding the NBDServer application.  His methodology is a bit involved, but from the perspective of trying to perform remote incident response on a shoe-string budget, the only "costs" involved are two systems (or a VM or two...) and a bit of a learning curve.
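A pre-flight check for the mounted-image workflow described above, added here as an example and not part of the Forensic Scanner or any of the tools named: before pointing a scanner at a mount point, it confirms that the expected hive files are present and readable as offline hives (the `regf` signature), and it reports the locked-file failure you get when the same paths belong to a live system rather than a mounted image. The hive locations, the `Users` layout and the sample volume it builds are assumptions for the demo.

```python
import glob
import os
import tempfile

# Every offline Registry hive file starts with the 4-byte 'regf' signature.
REGF_MAGIC = b"regf"
# Hives the scanner expects under the mount point (Vista+ path layout assumed).
SYSTEM_HIVES = ["Windows/System32/config/" + h for h in ("SYSTEM", "SOFTWARE", "SAM", "SECURITY")]

def check_hive(path):
    """Classify one hive file: 'ok', 'missing', 'locked' or 'bad_signature'."""
    if not os.path.isfile(path):
        return "missing"
    try:
        with open(path, "rb") as fh:
            magic = fh.read(4)
    except OSError:
        # A live system holds its hives open exclusively; file parsers fail here.
        return "locked"
    return "ok" if magic == REGF_MAGIC else "bad_signature"

def preflight(root):
    """Map each expected hive (system hives plus every NTUSER.DAT) to its status."""
    results = {}
    for rel in SYSTEM_HIVES:
        results[rel] = check_hive(os.path.join(root, *rel.split("/")))
    for ntuser in glob.glob(os.path.join(root, "Users", "*", "NTUSER.DAT")):
        key = os.path.relpath(ntuser, root).replace(os.sep, "/")
        results[key] = check_hive(ntuser)
    return results

def ready_for_scan(results):
    """True only when hives were found and every one is readable offline data."""
    return bool(results) and all(s == "ok" for s in results.values())

def build_sample_volume():
    """Constructed demo mount: good SYSTEM/SOFTWARE/NTUSER, junk SAM, no SECURITY."""
    root = tempfile.mkdtemp(prefix="mounted_image_")
    cfg = os.path.join(root, "Windows", "System32", "config")
    os.makedirs(cfg)
    os.makedirs(os.path.join(root, "Users", "alice"))
    for path in (os.path.join(cfg, "SYSTEM"), os.path.join(cfg, "SOFTWARE"),
                 os.path.join(root, "Users", "alice", "NTUSER.DAT")):
        with open(path, "wb") as fh:
            fh.write(REGF_MAGIC + b"\x00" * 28)  # signature plus padding
    with open(os.path.join(cfg, "SAM"), "wb") as fh:
        fh.write(b"junk")  # present but not a hive
    return root
```

Run `preflight()` against your real mount root instead of the constructed volume; any hive reported as `locked` means you are looking at a live system and need one of the remote-access approaches above rather than a file-based parse.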

1 comment:

Anonymous said...

Harlan, I have started to use "scanner" as part of my triage efforts when dealing with cases such as malware infections. It does speed up the analysis and addresses the "usual suspects" locations to quickly identify notable binaries. Regarding your comment on EnCase PDE usage, it can be done quite easily. Simply attach to the hdd as you normally would for an acquisition and then mount the drive via PDE. You can then point the scanner to the mounted drive and execute. Thank you for your very useful tools, keep up the nice work, Brian.