I was curious if anyone could give any pros or cons of the current Live investigative tools on the market. I am just trying to do a comparison of the different tools available, people's opinions on how they work, and which one works best.
Thanks
anyone?
Dude, I sent you a PM on this a while back. If that wasn't something you could use, please say something.
Thanks.
My apologies, I'm still fairly new to the forums and wasn't aware you had sent me a PM. But as far as your question goes, I am looking for tools that are used to collect volatile data, and if they can also collect an image of a drive, then that's a plus.
Thanks
For "volatile" info, I posted this
http//
Also, see ProDiscover, etc.
Thanks for that, definitely interesting. I was also reading through some of your other posts and noticed that you mentioned a product called LiveWire in your "trends in digital forensics, and news" section. Any experience with this tool as an incident response/live tool? The only reason I ask is because you mention ProDiscover, so I was curious whether the tools are alike, different...?
Forensicon,
> Any experience with this tool as an incident response/live tool.
I'm not sure if I understand what you're asking here. If you've read my blog, you'll see that I posted what my experience was with the tool. It has its uses and limitations, like any tool. For example, if you point it at an image, and all of the accounts have passwords, you may have an issue. The LEO-only version allows you to zero out passwords, but that is not publicly available.
I get the impression from your post that you may be confusing LiveView with LiveWire. LiveView is not necessarily a live response tool…it allows you to boot an image file in VMWare, from which you can then perform live response.
LiveView is different from ProDiscover, although ProDiscover does include some functionality that is similar to LiveView (allows you to create the necessary files to boot the image in VMWare).
HTH,
Harlan
I'm not sure what LiveView is. I was referring to LiveWire. You referred to it in your blog about Marty Muesters' article on live investigations. Muesters listed EnCase and LiveWire as two tools currently in use in the market for live investigations, so I was just curious whether you had any experience with LiveWire, as I am sure everyone already knows something about EnCase.
I'm not trying to make this question complicated, but it seems to be going that way. Simply put: have you used the LiveWire tool, or do you know of anyone who has, and what do you/they think of it?
Thanks
> I'm not sure what Liveview is…..I was referring to Livewire.
Ah, okay.
> You referred to it in your blog about Marty Muesters article on live
> investigations.
Ah, no wonder I couldn't find a reference to this…it's "Musters", not "Muesters". The misspelling threw off my searches.
As you've read my blog, you know what my thoughts are on both LiveWire and live response. I have seen folks use LiveWire, and there's really no difference in the information collection phase from any other tools, including my own FSP. I will say that the data presentation portion of what I saw included no analysis or correlation, and just presented the raw data to the user. In fact, although the executable names were different, the output of the various tools within LiveWire looked amazingly similar to any number of freely available tools.
To answer your original question about pros/cons of these tools: without exception they all do information collection, and leave it up to the user to do any correlation or analysis of the raw data. While it is a step in the right direction (i.e., forward rather than backward), it's only a small step. For whatever reason, the tool manufacturers do not seem to be interested in taking the next step.
H