Updated FRUC released

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.
keydet89
Senior Member
 

Updated FRUC released

Posted: Aug 11, 05 02:35

All,

I wanted to let you know that I released an updated version of the First Responder Utility (Commandline) (ie, FRUC) today, fixing a couple of minor issues:

www.windows-ir.com/fruc.zip

The FRUC is the client component of the Forensic Server Project:

www.windows-ir.com/fsp.html

This allows you to collect all manner of volatile data from a system, in a flexible and extensible manner. The FRUC manages running external tools, as well as collecting information about Registry keys, and sending it all to the waiting server. The server (FSPC) handles data management...hashing files, logging activity with timestamps, etc.

This is like using netcat to collect data, only much, much better!

Thanks,

H. Carvey
"Windows Forensics and Incident Recovery"
www.windows-ir.com
windowsir.blogspot.com  
 
  

keydet89
Senior Member
 

Re: Updated FRUC released

Posted: Aug 11, 05 17:07

I updated my blog this morning with a brief explanation of the FRUC and FSPC.

Thanks,

H. Carvey
"Windows Forensics and Incident Recovery"
www.windows-ir.com
windowsir.blogspot.com  
 
  

hogfly
Senior Member
 

Re: Updated FRUC released

Posted: Aug 21, 05 00:31

Harlan,
I'm going to start working with your product in an attempt to roll it out as a centralized resource. We use a Kerberized environment, and what I'm interested in doing is allowing someone to authenticate to the server, have specific information filled out automatically such as user name, date, department (and whatever else I can come up with that is pertinent), have the first responder fill out other information, then conduct the "first responder" examination. The results would then be sent to the first responder and our incident response team. Ultimately, I'd like to process the data collected with some of the tools we would write to analyze the output, but that's down the road...

I haven't had too much time lately to read about FSP, but can you tell me if it is extensible enough to allow us to wrap Kerberos authentication around it? I know you are a big Perl user, so I am going to guess that the answer is yes, but would appreciate a definitive answer.
 
  

keydet89
Senior Member
 

Re: Updated FRUC released

Posted: Aug 26, 05 16:38

I haven't had too much time lately to read about FSP, but can you tell me if it is extensible enough to allow us to wrap kerberos authentication around it?

It should be...the entire thing is written in Perl and the distro includes the source.

As it is right now, the framework was set up as an automated "netcat on steroids". The FRU collects data and fires it out over a TCP connection...I felt that that made it the most flexible of all of the other choices that were out there.

I'm not sure where you'd need to use Kerberos with this, though. My "definitive answer" would be...you don't need it.

You're right that some analysis can be done and made available to the first responder...with some thought, it could be done easily. For example, one of the scripts I provided on the CD that accompanies my book correlates much of the data collected...processes, process-to-port mapping, and network connections...and provides a "per PID" view of what's going on. This information can be saved as an HTML page and made available to the first responder via a web server.

If you have any other questions or comments, please feel free to post them here, or email me directly.

H. Carvey
"Windows Forensics and Incident Recovery"
www.windows-ir.com
windowsir.blogspot.com  
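The "per PID" correlation Harlan describes above, as an added example that is not part of the original post or of the FSP/FRUC code: it joins constructed `tasklist` and `netstat -ano` style output on PID, and flags connections whose owning PID is missing from the process list (the process exited between the two snapshots, or is being hidden from the process enumeration). The sample output and all function names are constructed for this illustration.

```python
import re

# Constructed sample in the format of Windows `tasklist` output (not taken from the page).
TASKLIST_OUTPUT = """
Image Name                     PID Session Name        Session#    Mem Usage
svchost.exe                    940 Services                   0     12,344 K
lsass.exe                      652 Services                   0      5,120 K
notepad.exe                   3120 Console                    1      9,876 K
"""

# Constructed sample in the format of `netstat -ano` output (not taken from the page).
NETSTAT_OUTPUT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49201     203.0.113.5:443        ESTABLISHED     3120
  TCP    192.168.1.10:49202     198.51.100.7:8080      ESTABLISHED     2288
  UDP    0.0.0.0:500            *:*                                    652
"""

def parse_tasklist(text):
    """Map PID -> image name; image names may contain spaces, so anchor on the row's tail."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?)\s+(\d+)\s+(\S+)\s+(\d+)\s+([\d,]+ K)$", line.strip())
        if m:
            procs[int(m.group(2))] = m.group(1).strip()
    return procs

def parse_netstat(text):
    """Return (proto, local, foreign, state, pid) tuples; UDP rows carry no state column."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] in ("TCP", "UDP"):
            proto, local, foreign, state, pid = parts
        elif len(parts) == 4 and parts[0] == "UDP":
            proto, local, foreign, pid = parts
            state = ""
        else:
            continue  # header or blank line
        conns.append((proto, local, foreign, state, int(pid)))
    return conns

def per_pid_view(tasklist_text, netstat_text):
    """Join both snapshots on PID. A PID with connections but no process row is flagged
    UNKNOWN: the process exited between the two snapshots, or it is being hidden."""
    view = {pid: {"image": img, "connections": []} for pid, img in parse_tasklist(tasklist_text).items()}
    for proto, local, foreign, state, pid in parse_netstat(netstat_text):
        entry = view.setdefault(pid, {"image": "UNKNOWN", "connections": []})
        entry["connections"].append(f"{proto} {local} -> {foreign} {state}".strip())
    return view
```

Because the two commands run at different instants, an UNKNOWN entry is a prompt to re-collect and compare rather than proof of a hidden process.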