
Helix

(@jsawyer)

I agree that a command prompt does impact memory but not as much as a GUI.

Thanks for the pointer to Kevin's presentation, but I have already read through it. After seeing his presentations at the DoD conference, I downloaded the one from BH as soon as it was available. Kevin is a great speaker and has some sweet IR tools soon to be released. He was recently interviewed on the CyberSpeak podcast.

I would be happy to help in documenting and/or testing. Whatever the effort needs. I just saw the thread and thought I would offer some help to maybe get the thread jumpstarted since there hasn't been a post since Jan 25.

So, is there an acceptable testing framework or guidelines within the ForensicFocus community? I prefer to test using VMware but sometimes use VirtualPC on my PowerBook. To monitor filesystem and registry changes, I typically use InstallWatch, InCtrl5, regmon and filemon.

How about starting with something like this?

Phase 1
1. Start VMware/VirtualPC with Windows 2k/XP
2. Create baseline of system using InstallWatch/InCtrl5
3. Insert Helix CD, click on <InsertTool> from GUI to run.
4. Proceed through running of tool until completion.
5. Close Helix GUI and eject disc.
6. Create changelog based on timeline

Phase 2
1. Start VMware/VirtualPC with Windows 2k/XP
2. Start FileMon
3. Insert Helix CD, click on <InsertTool> from GUI to run.
4. Proceed through running of tool until completion.
5. Close Helix GUI and eject disc.
6. Save FileMon log

Phase 3
1. Start VMware/VirtualPC with Windows 2k/XP
2. Start RegMon
3. Insert Helix CD, click on <InsertTool> from GUI to run.
4. Proceed through running of tool until completion.
5. Close Helix GUI and eject disc.
6. Save RegMon log

Compare results of 3 phases to be sure all relevant changes are properly identified and attributed to the responsible process.

-jhs
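Phase 1 of the plan above, written out as an added example (not code from the original post, and not Helix, InCtrl5 or InstallWatch): baseline a tree, run the tool, snapshot again, and emit the change log. The directory contents and the "tool run" are constructed in a temporary directory; on the real VM the baseline would cover the Windows install and the Registry, which this example does not touch. It hashes contents rather than trusting size or timestamp, so a settings file rewritten at the same size still shows up as modified, and it shows the one thing a before/after diff can never catch: a scratch file created and deleted during the run.

```python
"""Phase 1 of the test plan: baseline, run tool, snapshot, change log.

Added example for this thread, not InCtrl5/InstallWatch code. The files and
the 'tool run' below are constructed in a temp directory."""
import hashlib
import os
import shutil
import tempfile


def snapshot(root):
    """Map each file (relative to root) to (size, sha256 of contents).

    Hashing catches a rewrite that keeps size and timestamp; a tool that
    only compares mtime would miss it."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            snap[os.path.relpath(full, root)] = (os.path.getsize(full), h.hexdigest())
    return snap


def diff_snapshots(before, after):
    """Step 6: the change log between two snapshots."""
    both = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in both if before[p] != after[p]),
    }


def simulated_tool_run(root):
    """Stand-in for steps 3-5 (click <InsertTool>, run to completion).

    Constructed footprint, not Helix's real behaviour: a log written, a
    settings file rewritten at the same size, a stale file removed, and a
    scratch file created then deleted (invisible to a before/after diff)."""
    with open(os.path.join(root, "tool.log"), "w") as f:
        f.write("run complete\n")
    with open(os.path.join(root, "settings.ini"), "w") as f:
        f.write("verbose=1\n")          # same length as the baseline's "verbose=0\n"
    os.remove(os.path.join(root, "old.cfg"))
    tmp = os.path.join(root, "scratch.tmp")
    open(tmp, "w").close()
    os.remove(tmp)                       # transient: only a live monitor (FileMon) sees this


def run_phase1():
    """Build a vanilla tree (step 2), baseline it, run the tool, diff."""
    root = tempfile.mkdtemp(prefix="baseline_")
    try:
        with open(os.path.join(root, "settings.ini"), "w") as f:
            f.write("verbose=0\n")
        with open(os.path.join(root, "old.cfg"), "w") as f:
            f.write("stale\n")
        with open(os.path.join(root, "untouched.txt"), "w") as f:
            f.write("unchanged\n")
        before = snapshot(root)
        simulated_tool_run(root)
        after = snapshot(root)
        return diff_snapshots(before, after)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for kind, paths in run_phase1().items():
        print(kind, paths)
```

The change log reports `tool.log` added, `old.cfg` removed and `settings.ini` modified; `untouched.txt` does not appear, and neither does `scratch.tmp`, which is why the plan pairs the snapshot comparison with FileMon and RegMon runs.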


   
Andy
(@andy)

Just to point out something of interest: you can run Helix in VMware from its downloaded ISO image; you don't actually need to make/use a CD. In the VMware settings, set the CD to point at the downloaded .iso file & start.

Andy


   
(@fatrabbit)

jsawyer, just to clarify the present work/task allocation:

nickfx - Helix 1.7 startup and shutdown procedure.
hogfly - FRED
fatrabbit - Integrated image locator

This was originally nickfx's and hogfly's project so they have more of a right to steer task allocation and testing strategy, however, if you pick one that's not on the list I'm sure that will be fine. For me I'm using pretty much the same software set up as you've mentioned, namely VMWare, InCtrl5, regmon and filemon.

I wouldn't like to estimate a time frame yet as I have several other things that I'm also working on.

Andy, thanks for the tip, that will save me a little time!


   
hogfly
(@hogfly)

Well, honestly, in a community-based project like this I'm just happy that people are taking tasks :)

Jsawyer, that plan sounds reasonable. I'd like to point out, though, that the VMware sessions need to be fresh. So I think the VM needs to be vanilla (no excess files on it or applications), with a host-only network configuration, to take that variable out of the equation. That VM should have a snapshot taken immediately after installation. In between phases and/or passes of each phase the VM needs to be reset to its vanilla state.

In addition, we need to cross-validate the tools. If InCtrl and InstallWatch pick up different items, that needs to be noted and explained.

I intend to continue using VMware Workstation 5.5, unless a patch comes out.


   
keydet89
(@keydet89)

jsawyer,

> I agree that a command prompt does impact memory but not as much as a GUI.

Interesting. What makes you say that?

> …has some sweet IR tools soon to be released

Cool, like what? I only caught the "Live Response" tool, which looks kind of like a GUI version of my FSP. In fact, it's described as having a "client/server architecture".

I'd like to throw a couple of things out there…

First, I agree with Hogfly that multiple tools need to be used and differences between similar tools need to be validated.

What I'm not following along with is why separate sessions need to be run for RegMon and FileMon. Why not simply run them concurrently?

Also, why do the VMware sessions need to be "fresh"? What we're looking for is changes that occur between two points in time, regardless of what the original configuration was.

I do agree that the session needs to be returned to its original state, but I also think that if the session is "scrubbed" (i.e., extraneous data removed from the Registry and file system) and that fact is documented, then it's all good…right?

By extraneous, I mean the UserAssist and MUICache keys, delete all .pf files from the Prefetch directory on XP, etc.

Harlan


   
hogfly
(@hogfly)

Harlan,
Regarding the VM state, when I said "fresh" I meant returned to the original state. Scrubbing the session is kind of pointless if you have a snapshot that you can return to (vanilla state).

As this is ideally going to be a control set of changes, the system should be as clean as possible (i.e., return to the original snapshot) so as to guarantee that there is no contamination of the clean state.


   
(@jsawyer)

>> I agree that a command prompt does impact memory but not as much as a GUI.
>
> Interesting. What makes you say that?

Simply look at the memory fingerprint of "cmd.exe" vs "helix.exe"!

>> …has some sweet IR tools soon to be released
>
> Cool, like what? I only caught the "Live Response" tool, which looks kind of like a GUI version of my FSP. In fact, it's described as having a "client/server architecture".

You should've been at the DoD conference where he presented twice. j/k Live Response looks like you can be more proactive (or totally reactive) while FSP is completely reactive (from the uses I have seen). Although FSP will most likely continue to be more flexible and less pretty, Live Response will be more for those who are afraid to edit configs, or can be given to HelpDesk ops who don't know as much but can read pretty GUIs better than text/HTML results.

> What I'm not following along with is why separate sessions need to be run for RegMon and FileMon. Why not simply run them concurrently?

I would prefer to do them separately so they don't step on each other. When doing the filesystem/registry comparisons, I don't want to see extraneous stuff caused by another analysis tool. Now, you can put in exclusions within FileMon/RegMon, but still, it is cleaner to do them separately.

> Also, why do the VMware sessions need to be "fresh"? What we're looking for is changes that occur between two points in time, regardless of what the original configuration was.

Same as I said above. The cleaner and fewer things running, the less cruft to wade through when doing the analysis.

> Just to point out something of interest: you can run Helix in VMware from its downloaded ISO image; you don't actually need to make/use a CD. In the VMware settings, set the CD to point at the downloaded .iso file & start.

True, that works; however, if you do that, make sure you don't have your VM set to boot from CD. Otherwise, after clicking start and booting into Windows, set your CD to point to the ISO.

> This was originally nickfx's and hogfly's project so they have more of a right to steer task allocation and testing strategy..

Hopefully I didn't step on any toes, but to me it didn't look like a project yet. It just looked like some people interested in testing a tool with no real direction other than a couple of people saying "I will do this." As Harlan pointed out several times, there was no testing methodology put forth. That is why I posted my ideas, in hopes that someone would agree/disagree and we could move forward.
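Two points from the exchange above, in code: hogfly's cross-validation (items one tool reports and another does not must be noted and explained) and jsawyer's exclusions for the monitoring tools' own activity. This is an added example, not any poster's tooling and not Helix's. The log lines are constructed in the tab-separated column layout FileMon uses when you save a log (#, Time, Process, Request, Path, Result, Other); the column names and every process name, PID and path are assumptions, not a captured session. The "snapshot" list stands in for what an InCtrl5 before/after comparison would report on the same run.

```python
"""Attribute FileMon-style entries to the responsible process, drop the
monitors' own footprint, and cross-validate against a before/after diff.

Added example for this thread, not Helix's or any poster's code. The log
below is constructed in FileMon's saved-log column layout; the column
names and every process/path are assumptions, not a captured session."""
from collections import defaultdict

# Requests that change the filesystem; OPEN/READ/QUERY are noise in a change log.
MUTATING = {"CREATE", "WRITE", "DELETE", "SET INFORMATION"}
# The analysis tools themselves, excluded so their activity is never charged to Helix.
MONITOR_PROCESSES = {"filemon.exe", "regmon.exe"}

# Constructed paths shared by the sample log and the sample snapshot diff.
TMP = r"C:\DOCUME~1\user\LOCALS~1\Temp\hlx1.tmp"
LOG = r"C:\Documents and Settings\user\Application Data\helix\helix.log"
PF = r"C:\WINDOWS\Prefetch\HELIX.EXE-00000000.pf"       # placeholder hash, not a real one
HIVE_LOG = r"C:\Documents and Settings\user\ntuser.dat.LOG"


def _row(n, proc, request, path, result="SUCCESS", other=""):
    return "\t".join([str(n), "10:01:0%d AM" % n, proc, request, path, result, other])


SAMPLE_LOG = "\n".join([
    "#\tTime\tProcess\tRequest\tPath\tResult\tOther",
    _row(1, "helix.exe:1188", "OPEN", r"C:\helix\helix.exe", other="Options: Open  Access: Read"),
    _row(2, "helix.exe:1188", "CREATE", TMP),     # scratch file: created, written ...
    _row(3, "helix.exe:1188", "WRITE", TMP),
    _row(4, "helix.exe:1188", "DELETE", TMP),     # ... and gone before the second snapshot
    _row(5, "helix.exe:1188", "WRITE", LOG),
    _row(6, "svchost.exe:880", "WRITE", PF),      # Prefetch is written by the OS, not by helix.exe
    _row(7, "filemon.exe:1204", "WRITE", r"C:\filemon.log"),  # the monitor's own log file
    _row(8, "helix.exe:1188", "WRITE", r"D:\readonly.txt", result="ACCESS DENIED"),  # no change made
])


def parse_filemon(text):
    """Yield (process, request, path) for successful mutating entries,
    skipping the header and the monitors' own activity."""
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) < 6 or not cols[0].isdigit():
            continue                                  # header or malformed line
        proc = cols[2].rsplit(":", 1)[0].lower()      # "helix.exe:1188" -> "helix.exe"
        request, path, result = cols[3].upper(), cols[4], cols[5]
        if proc in MONITOR_PROCESSES or result != "SUCCESS" or request not in MUTATING:
            continue
        yield proc, request, path


def changes_by_process(text):
    """Change set per process: the 'attributed to the responsible process' view."""
    out = defaultdict(set)
    for proc, _request, path in parse_filemon(text):
        out[proc].add(path.lower())
    return dict(out)


def cross_validate(monitor_paths, snapshot_paths):
    """Compare what the live monitor saw with what the before/after diff saw.

    monitor_only: transient files (created and deleted during the run).
    snapshot_only: changes made before the monitor started or after it
    stopped (e.g. a hive .LOG flushed at logoff). Both need explaining."""
    m = {p.lower() for p in monitor_paths}
    s = {p.lower() for p in snapshot_paths}
    return {"agreed": sorted(m & s), "monitor_only": sorted(m - s), "snapshot_only": sorted(s - m)}


def demo():
    by_proc = changes_by_process(SAMPLE_LOG)
    monitor_paths = set().union(*by_proc.values())
    snapshot_paths = {LOG, PF, HIVE_LOG}              # constructed InCtrl5-style result
    return by_proc, cross_validate(monitor_paths, snapshot_paths)


if __name__ == "__main__":
    by_proc, report = demo()
    for proc, paths in sorted(by_proc.items()):
        print(proc, sorted(paths))
    print(report)
```

Running it attributes the Prefetch write to svchost.exe rather than helix.exe, leaves filemon.exe out entirely, flags the scratch file as monitor-only and the hive .LOG as snapshot-only; on a real pass those two lists are the items hogfly's cross-validation step has to explain.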


   
(@fatrabbit)

Jsawyer, no you didn’t step on anyone’s toes. My post was in order to collate the, admittedly brief, task allocation list in order for newly interested members to see who was doing what.


   
keydet89
(@keydet89)

JSawyer,

> Simply look at the memory fingerprint of "cmd.exe" vs "helix.exe"!

Exactly my point. If you can document the impact that something has on a system, and can explain the artifacts (permanent or temporary), then what's the issue?

> You should've been at the DoD conference where he presented twice

Believe me, I know! I was supposed to have been there…but my employer decided to neither approve nor disapprove my request. Anyway, how many tools did Kevin mention besides Live Response? Were there too many to list?

Harlan


   
nickfx
(@nickfx)

Hi guys, sorry I've been away from this for a while. I've a really complex murder case at the moment and I'm spending my days plotting triangulation data for mobile phones onto Google Earth, lots of fun!

Thanks, fatrabbit, for listing the tasks, and hello to jhs; your input is welcome. I've noted from page 3 of this thread that there is still a little disagreement over what constitutes appropriate testing of the tool.

If I may state the obvious, the original point of looking at Helix was to create a definitive change log which we can include in case notes if we use the tool in anger, to outline exactly what effect the tool and its constituent parts have on a system.

Whether we test on a 'live' PC or a clean VM, and no matter what tools we use, we should still be able to find agreement when our results are peer reviewed, perhaps using a different method.

For example, if jhs uses his method and it is checked by Harlan using his method, theoretically the captured changes should be the same.

My initial inctrl and regmon work on the open and close of the gui raised some odd results and I need to work through them before writing it up.

JHS is there any part of the tool you would like to take on?

Nick


   