Wednesday, September 9, 2009

LiveDetector - H11 Digital Forensics

I spent some time testing LiveDetector from H11 Digital Forensics. The program(s) can be run from a CD; however, I chose to run it from a USB thumb drive to allow the output files/report to be exported.

When I first looked at the tool, I noticed that it uses Mantech Memory DD to capture RAM. Although this product captures a nice variety of 32-bit Windows OSes, it is "governed" by a 4GB RAM maximum and I read nothing about it working for 64-bit machines. The GUI is very easy to understand but does not allow for configuration of processes (to run). The tool allows you to "Collect Volatile Data" (including or excluding RAM) and "Collect Nonvolatile Data".

Data is exported to a directory defined during the initial screen, which allows you to enter case "tombstone" information. Reporting is actually quite nice: sharp HTML reports with links to the reports generated by the individually-run apps. The apps are almost exclusively Nirsoft apps.

Overall, the program ran very nicely. I'm not sure if the program is at the level that I could recommend it for "forensic" or "incident response" use, but perhaps for non-evidentiary type data collection. Two other suggestions: consider a more robust RAM acquisition tool and allow a greater degree of configurability, i.e. allowing the user to choose which tools/features to run. ... now that Win32dd has been renamed Windd and supports 64-bit systems. Thanks Matthieu!!

Price: free
