Pages

Tuesday, February 08, 2005

Forensic Server Project

As promised, I'm going to blog more often on the Forensic Server Project, or FSP. I'd like to kick that off with a brief description, and then follow that up with a request to the readers, particularly those who use the FSP.

The FSP is a client-server based approach to information collection during incident response. I'm specifying "information collection", b/c I've explicitly separated the collection and analysis phases. The FSP, and the client component First Responder Utility (FRU), work together to perform collection. In a nutshell, the admin/first responder downloads the utilities (both are standalone .EXEs, with their Perl source code included), and places the FSP server component on a system of her choosing. She then configures the fruc.ini file (per the documentation) and copies fruc.ini, p2x584.dll, and fruc.exe (along with all of the necessary supporting tools) to a CD or USB thumb drive. The fruc.ini also allows the admin/first responder to specify Registry keys and values to query.

When responding to an incident, the first responder place the media containing the FRU in the system, and launches the FRU with the necessary command line switches (if applicable). The FRU will automatically connect to the FSP server, and place all information it collects on that system. The server component of the FSP handles storage and checksumming of the data that its sent, as well as logging of all activity.

Again, this is simply the data collection phase...analysis is another thing all together. I provided some useful Perl scripts with my book for performing data correlation, and I would like to expand the analysis suite. However, nothing prevents the user from doing the same...using any programming language(s) (ie, Perl, VBScript, Python, Ruby, etc.), and any other utilities (mySql, Excel, etc), you can perform data reduction, analysis, and presentation.

Now, my request to the readers...actually, this is a couple of requests:

1. Are you using the FRU/FSP? If so, what are your comments? What's good or bad about it, how could it be improved, etc.?

2. If you are using the FRU, what does your fruc.ini file look like? Got a link to it someplace where you'd care to share? If you don't feel like sharing it in this forum, is there another forum that you'd be more comfortable with?

3. What kind of analysis are you doing? Do you have any analysis tools? What specific things are you looking for, or at?

One final thought...Robert states in his blog that the WOLF tool is not available publicly. I can definitely understand the reasons why. If you're interested in a tool like that, that will write it's data to a drive (mapped, USB-connected, etc.), let me know. I've been toying with the idea of writing a version of the FRU that does that.

Thanks!

6 comments:

  1. Anonymous5:33 AM

    Harlan:

    Please take a look at the hyperlink for the Forensic Server Project in you blog posting on Tuesday, February 8, 2005. It returns www.windows-ir.com which hosts some content you probably don't want associated with your blog.

    BTW, I enjoyed reading your book Windows Forensic Analysis.

    ReplyDelete
  2. Anonymous9:28 AM

    I recently purchased the book Windows Forensic Analysis. There is a lot to go through. I wished the book was a bit more structured and a bit more clear to those of us just starting out in the field. I understand there is a lot to learn and this book just threw out a bunch of tools that can be used but it should have been broken up more by Operating Systems since every tool works differently. Plus there is a DVD that comes with the book. I wish within the book there was some comments that said "play video on DVD here" (There are PERL scripts included but where do I get PERL2.exe in order to run them?)
    I'm reading the book for the second time and hoping things make a bit more sense.

    ReplyDelete
  3. Anonymous,

    ...where do I get PERL2.exe in order to run them?

    You don't need Perl2Exe to run the scripts.

    If you're looking at the Perl scripts themselves, you just need Perl...I recommend version 5.8.9 from ActiveState. If you are trying to run the EXEs provided along with the scripts, all you need to do is ensure that the p2x588.dll file is included along with the .exe file...you don't need to have Perl2Exe to run anything...

    ReplyDelete
  4. Also, if you DO want to get Perl2Exe...just Google it...

    ReplyDelete
  5. Hi

    I am reading about the FSP, but it seems that it didn't changed since 2006. Is it still operate able ? Do you suggest on any other server/client like it ?

    Thanks

    ReplyDelete
  6. Hanan,

    No, I haven't done anything to update the FSP...no one's requested anything.

    ReplyDelete