Incident Response Tools

Regulations such as the Gramm-Leach-Bliley Act, HIPAA, Sarbanes-Oxley, PCI DSS and California SB 1386 are driving companies and government agencies to document their incident-response procedures following a security breach or other crime. How volatile data is handled is especially critical.

Stepping in to help organizations tackle this problem are incident-response tools that ease compliance with regulations. Researchers also are making tremendous progress in increasing the level of analysis that can be applied during the investigation process. With new memory-analysis techniques, incident-response teams can track down changed data and threats far more effectively than ever before.

These incident-response systems provide a structured method for gathering and analyzing evidence. Companies can use them to preserve critical data and minimize downtime following an incident, possibly preventing disclosure of sensitive data and protecting their reputation.But because these different tools handle different functions, it's important to know what type of system makes sense for your company. At a minimum, you'll need documented incident-response procedures, which should be established based on your organization's size and industry and the function of the at-risk systems.

Triage Vs. Surgery

The modifier incident response is applied to tools that let investigators gather any necessary data following an "incident"--a security breach or other event that requires inquiry. Within the broad incident-response category are two main kinds of products: forensics and live incident response. Memory analyzers--which are used during incident response to gather data and during forensics analysis to examine data--straddle both groups.

The difference between forensics and live incident-response tools is comparable to the difference between instruments and methods used on a gunshot victim by paramedics versus by surgeons in the emergency room. Live incident-response tools enable triage and stop the bleeding. Forensic tools come into play later in the process and let an investigator probe deeper.Traditionally, law enforcement officials have instructed first responders to pull the power from the back of a computer at a crime scene. But volatile data, such as that from running processes, open files and network connections, is lost as soon as power is cut off. Live incident-response tools let investigators gather volatile data while minimizing the impact to the system.

When responding to and investigating incidents, companies are not held to the same standards as law-enforcement agencies, but still must develop and follow a methodology that can be presented and explained if an incident leads to civil or criminal prosecution; a business' procedures for handling and resolving security incidents are dictated by regulations, statutes and internal policies. Such requirements may conflict with a business' desire to minimize system downtime because machines may need to be quarantined to prevent attackers from continued access or several machines may need to be taken offline to image the hard drives.

IT staff must be aware that all actions performed on a system during a live response will have an impact on and possibly modify or destroy evidence. As a result, all tools and methods used during a live incident response, such as netstat and tasklist, must be fully documented, and staffers must have a thorough understanding of each tool and method and its impact in the event the incident leads to civil or criminal prosecution.

In addition to the requirements imposed by regulations and legislation, malicious hackers and malware authors are helping to raise the bar for system administrators. The bad guys are becoming savvier with their methods to gain access to systems. Tools such as the open-source Metasploit have features that let attackers exploit a Windows system, stay resident in memory and never be written to disk--with the possible exception of being written to the swap file, which is an extension of memory. Although rootkit technologies let attackers hide files, running processes and listening ports from detection tools (such as netstat and tasklist), those elements may still be visible within memory dump (More on detecting rootkits).

Rapid ResponseFree and/or open-source tools, such as Forensic Server Project, RPIER and WFT (Windows Forensic Toolchest), were developed to capture volatile data. Recently, several companies that provide commercial forensic products or services also have developed tools to aid first responders: Guidance Software sells EnCase Enterprise, Mandiant offers First Response, and Technology Pathways has ProDiscover Incident Response.

One important consideration for a business choosing between open-source and commercial offerings: Commercial tools typically have been introduced in a court settings, and therefore have credibility not yet attained by open-source forensics tools. So a company looking for a product that can withstand the rigors of legal investigations would be better off with an established commercial tool. In order to gain widespread acceptance, open-source tools need broader testing and peer review. We expect this to happen as more technically savvy researchers enter the field and innovative new tools gain mindshare in the forensics community.

Over the past year and a half there's been a sharp rise in the collection and analysis of memory from running Windows systems. Independent researchers, such as Harlan Carvey and Andreas Schuster, have led the field by blogging about their research and developing open-source tools to analyze memory images.

Imaging memory on Windows systems was made easy when independent researcher and developer George Garner released Forensic Acquisition Utilities in 2002. FAU contained a modified Windows version of the Unix utility dd that could image not only hard drives but also memory. Immediately, forensic investigators started using search tools to find text in the memory image. IP addresses, URLs and passwords were turning up in searches and cluing investigators into other areas to look for evidence.The 2005 Digital Forensic Research Workshop (DFRWS), a nonprofit organization that promotes research in forensics, spurred on research by holding a forensic memory challenge. The DFRWS's fictitious story about a "compromised" Windows system was accompanied by two memory images and a timeline of the file system that participants had to analyze. The competition produced a tremendous wealth of information on such things as running processes, loaded DLLs, the executable's path and its command line options.

Since the DFRWS challenge, Carvey has developed many tools to analyze memory images. Most of his tools work only with Windows 2000 images, but Carvey is working to extend them. His latest tool identifies the Windows operating system version from a memory dump. Carvey's code is written in Perl and freely available for anyone to use and modify from his Web site (windowsir.blogspot.com).

Rounding out most prominent group of incident-response researchers is Germany's Schuster, who has a regularly updated blog about current forensic topics such as memory analysis. He developed PTFinder to identify metadata about processes in Windows memory images so they can be analyzed further using other tools. The latest version of PTFinder works with memory images from Windows XP Service Pack 2. Schuster's work closely mirrors Carvey's research and is often the reference for some of Carvey's tools.

John H. Sawyer is a senior it security engineer at the University Of Florida and a GIAC certified firewall analyst, incident handler and forensic analyst. Write to him at [email protected].

Commercial Offerings for First Respondents

Several companies that provide forensics products or services also have tools for live incident response.With Encase Enterprise from Guidance Software, for instance, when an incident occurs, the Snapshot feature captures information about open ports, open files, active processes and even the Windows registry, via an agent that runs on all hosts. An investigator can also perform a forensic preview of the system without destroying critical evidence. Unfortunately, the product is expensive (the base price for server and requisite modules is about $150,000) and requires extensive resources to deploy.

Mandiant's First Response isn't nearly as advanced as Encase Enterprise, but it is free and easy to deploy. The First Response Console is used by investigators to connect to hosts running the agent and collect volatile information such as patch level, registry settings, event logs, services and more.

Technology Pathways' ProDiscover IR combines the forensics functionality of Encase Enterprise and the ease of use of First Response in one package. The lightweight agent can be preinstalled or pushed during incident response. ProDiscover can acquire volatile information such running processes, open ports, ARP cache and routes. In addition to the standard imaging of hard drives, ProDiscover can acquire images of physical memory and even the BIOS over the network. --John Sawyer