Updated FRUC releas...
 
Notifications
Clear all

Updated FRUC released

4 Posts
2 Users
0 Likes
472 Views
keydet89
(@keydet89)
Posts: 3568
Famed Member
Topic starter
 

All,

I wanted to let you know that I released an updated version of the First Responder Utility (Commandline) (ie, FRUC) today, fixing a couple of minor issues

http//www.windows-ir.com/fruc.zip

The FRUC is the client component of the Forensic Server Project

http//www.windows-ir.com/fsp.html

This allows you to collect all manner of volatile data from a system, in a flexible and extensible manner. The FRUC manages running external tools, as well as collecting information about Registry keys, and sending it all to the waiting the server. The server (FSPC) handles data management…hashing files, logging activity with timestamps, etc.

This is like using netcat to collect data, only much, much better!

Thanks,

H. Carvey
"Windows Forensics and Incident Recovery"
http//www.windows-ir.com
http//windowsir.blogspot.com

 
Posted : 11/08/2005 2:35 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
Topic starter
 

I updated my blog this morning with a brief explanation of the FRUC and FSPC.

Thanks,

H. Carvey
"Windows Forensics and Incident Recovery"
http//www.windows-ir.com
http//windowsir.blogspot.com

 
Posted : 11/08/2005 5:07 pm
hogfly
(@hogfly)
Posts: 287
Reputable Member
 

harlan,
I'm going to start working with your product in an attempt to roll it out as a centralized resource. We use a kerberized environment and what I'm interested in doing, is allowing someone to authenticate to the server, have specific information filled out automatically such as user name, date, department(and whatever else I can come up with that is pertinent), have the first responder fill out other information then conduct the "first responder" examination. The results would then be sent to the first responder and our incident response team. Ultimately, I'd like to process the data collected with some of the tools we would write to analyze the output, but that's down the road…

I haven't had too much time lately to read about FSP, but can you tell me if it is extensible enough to allow us to wrap kerberos authentication around it? I know you are a big perl user, so I am going to guess that the answer is yes but would appreciate a definitive answer.

 
Posted : 21/08/2005 12:31 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
Topic starter
 

I haven't had too much time lately to read about FSP, but can you tell me if it is extensible enough to allow us to wrap kerberos authentication around it?

It should be…the entire thing is written in Perl and the distro includes the source.

As it is right now, the framework was set up as an automated "netcat on steroids". The FRU collects data and fires it out over a TCP connection…I felt that that made it the most flexible of all of the other choices that were out there.

I'm not sure where you'd need to use Kerberos with this, though. My "definitive answer" would be…you don't need it.

You're right that some analysis can be done and made available to the first responder…with some thought, it could be done easily. For example, one of the scripts I provided on the CD that accompanies my book correlates much of the data collected…processes, process-to-port mapping, and network connections…and provides a "per PID" view of what's going on. This information can be saved as an HTML page and made avaiable to the first responder via a web server.

If you have any other questions or comments, please feel free to post them here, or email me directly.

H. Carvey
"Windows Forensics and Incident Recovery"
www.windows-ir.com
windowsir.blogspot.com

 
Posted : 26/08/2005 4:38 pm
Share: