Wednesday, September 9, 2009

LiveDetector - H11 Digital Forensics

I spent some time testing LiveDetector from H11 Digital Forensics. The program(s) can be run from a CD; however, I chose to run it from a USB thumbdrive to allow the output files/report to be exported.

When I first looked at the tool, I noticed that it uses Mantech Memory DD to capture RAM. Although this product captures a nice variety of 32-bit Windows OSes, it is "governed" by a 4GB RAM maximum and I read nothing about it working for 64-bit machines. The GUI is very easy to understand but does not allow configuration of the processes to run. The tool allows you to "Collect Volatile Data" (including or excluding RAM) and "Collect Nonvolatile Data".

Data is exported to a directory defined during the initial screen, which allows you to enter case "tombstone" information. Reporting is actually quite nice: sharp HTML reports with links to the reports generated by the individually-run apps. The apps are almost exclusively Nirsoft apps.

Overall, the program ran very nicely. I'm not sure if the program is at the level that I could recommend it for "forensic" or "incident response" but perhaps for non-evidentiary type data collection. Two other suggestions: consider a more robust RAM acquisition tool and allow a greater degree of configurability, i.e., allowing the user to choose which tools/features to run. .... now that Win32dd has been renamed Windd and supports 64-bit systems. Thanks Matthieu!!
Price: free

Wednesday, September 2, 2009

Accessdata Imager Lite and RAM

Accessdata has recently released its lite version of Imager, which now has the ability to image RAM - Imager v2.6.1. The full install version came out a while back, but recently they updated their lite version. I haven't had an opportunity to test it beyond 32-bit XP, but the free all-in-one product is appealing. The only tool you'll need is a forensically clean USB thumbdrive. Give yourself some room to spare and consider imaging the RAM to the thumbdrive. I'm waiting for information on the memory footprint. Updates like this certainly add polish to v2.2.1 of its full FTK product, which I've recently added to my arsenal. Take my word - it's now worth the upgrade from v1.8.
Next.....speed. I'm really thinking that my new Digital Media card - SanDisk Extreme III (30MB/sec) - may allow faster acquisition. Certainly faster than my cheap $9 thumbdrive. Time to dig out the benchmark software.
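Two practical questions come up in both posts: does the collection thumbdrive have room for a full RAM image plus the tool's reports, and how fast does the drive actually write? The script below is an added example for this page, not code from LiveDetector, Imager or any other product mentioned here. The report allowance (256 MiB) and the 10% safety margin are constructed defaults, not figures from the page; the throughput measurement writes and fsyncs a scratch file of random bytes in the target directory and removes it afterwards.

```python
import os
import shutil
import tempfile
import time

MIB = 1024 * 1024
GIB = 1024 * MIB


def space_needed(ram_bytes, report_bytes=256 * MIB, margin=0.10):
    """Bytes to reserve on the collection drive: the RAM image itself,
    an allowance for the tool's reports/exports, plus a safety margin.
    The 256 MiB report allowance and 10% margin are assumed defaults."""
    return int((ram_bytes + report_bytes) * (1 + margin))


def has_room(target_dir, ram_bytes, **kw):
    """Return (ok, free_bytes): ok is True when the filesystem holding
    target_dir has at least space_needed() bytes free."""
    free = shutil.disk_usage(target_dir).free
    return free >= space_needed(ram_bytes, **kw), free


def write_throughput_mib_s(target_dir, size_bytes=64 * MIB, chunk=4 * MIB):
    """Sequential write throughput to target_dir in MiB/s.
    Writes size_bytes of random data (random so the device cannot
    compress or dedupe it), fsyncs so the number reflects the media
    rather than the OS write cache, then removes the scratch file."""
    block = os.urandom(chunk)
    written = 0
    fd, path = tempfile.mkstemp(prefix="bench_", dir=target_dir)
    try:
        start = time.perf_counter()
        with os.fdopen(fd, "wb") as f:
            while written < size_bytes:
                f.write(block)
                written += len(block)
            f.flush()
            os.fsync(f.fileno())
        elapsed = time.perf_counter() - start
    finally:
        os.remove(path)
    return (written / MIB) / elapsed


def estimate_capture_seconds(ram_bytes, mib_per_s):
    """Rough time to write a RAM image of ram_bytes at the measured rate."""
    return (ram_bytes / MIB) / mib_per_s


if __name__ == "__main__":
    target = "."  # point this at the mount of the collection thumbdrive
    ram = 4 * GIB  # the 4GB ceiling mentioned for Mantech Memory DD
    ok, free = has_room(target, ram)
    print(f"need {space_needed(ram) / GIB:.2f} GiB, free {free / GIB:.2f} GiB -> {'ok' if ok else 'NOT ENOUGH'}")
    rate = write_throughput_mib_s(target)
    print(f"sequential write: {rate:.1f} MiB/s, ~{estimate_capture_seconds(ram, rate):.0f} s for {ram / GIB:.0f} GiB")
```

Run it with the thumbdrive's mount point as `target` before starting a collection; a drive advertising 30MB/sec will often measure lower once the writes are fsynced, which is exactly the number that matters for how long the live box is being touched.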