Product Information
Vendor: e-fenseĀ®
Product: Live ResponseĀ®
Version: 2009 Release 3
Price: $499.95 (16GB version)
http://www.e-fense.com/live-response.php
e-fense is best known for the Helix3 Incident Response and bootable Live CD. Helix3, created by forensic specialist Drew Fahey, was a donation-ware Linux LiveCD distribution designed specifically for digital forensics and based on the popular Knoppix and then Ubuntu distributions. It contained many forensic and security related tools designed to aid in the recovery and analysis of digital evidence in live and post-mortem (powered off) computer examinations. There were tools to analyze Windows and Linux file systems like Ext2/Ext3, and even the less common Reiser FS, JFS and XFS.In early 2009 e-fense stopped distribution of the Helix3 CD (which as of this writing that decision was reversed and distribution has just resumed) and began selling the Helix3 Pro CD, the Live ResponseĀ® USB Key and Helix3 Enterprise. When I was trying to decide what product to purchase, I was told by David Dawson at e-fense that the CD is a preview tool, the USB is a one step tool to collect live data, and the enterprise tool is able to be deployed for collections. For our practice I choose the Live ResponseĀ® USB Key.
According to an e-fense marketing paper, āLive ResponseĀ® is the only USB key for First Responders and investigators to collect live volatile data. Acquire ALL volatile and requested data from a live system ā in just minutes! Simply insert the USB key, collect and store the data directly on the device and then walk away.ā
The Package
The Live ResponseĀ® USB Key comes safely protected in a custom shipping box. Inside the shipping box is the LUXIO High-Capacity Luxury USB Drive box. The drive itself comes in the foamed box with a protective leatherette case to protect the hi-gloss black finish and silkscreened e-fense Live ResponseĀ® logo.
The Luxio series of USB drives, from Super TalentĀ®, support transfer rates as high as 200X (30MB/sec) and include AES-256 hardware Encryption.
Luxio Specifications
Capacities: 16GB ā 64GB
Dimension: 21 mm x 76.5 mm
Technical Details:
– Full compatibility with USB 1.1 and 2.0
– Dual channel flash memory architecture
– Hot plug and play; Functions like another hard drive
– Supports password protection
– Supports ReadyBoostā¢
– AES-256 hardware Encryption included (User Manual)
– Custom black leather carrying case included
– No driver needed for most operating systems (Windows 98SE driver available online)
– LED indicates power, busy
– More than 10 years data retention – Limited lifetime warranty
Protected by US patent # 7,428,605.
What You Get
After you order Live ResponseĀ® (or any of the e-fense products) the first thing you will want to do is register at the e-fense Forums (http://forums.e-fense.com). You will want to do this for a few reasons: you paid for it, that is where you get support and most important that is where the latest binaries can be downloaded.
When I plugged in the USB for the first time and browsed to the drive (because we all have autoplay disabled, right?) I found two PDFs: the AES User Manual and the Live ResponseĀ® Manual; and the AES encryption and LiveResponse-win executables. The executable is not the Live ResponseĀ® USB application; it is the installer for the Live ResponseĀ® Admin program. If you want to save these files you will need to copy them to a safe location because they will be deleted when you run the Admin tool.
Letās Install
The installer is an executable not an MSI so if you are in a corporate environment and using any kind of versioning/deployment tool keep that in mind. Installation starts with the typical setup screens (all this is covered in the manual and since this is a review of the program I will be moving right along):
Accepting the license agreement:
Selecting the installation location:
Making really sure you are ready to install:
Finished:
Letās Run the Program
When you launch the program from the start menu you are presented with a login screen:
Once logged in you are presented with the main program window:
You may have to manually initialize your key if this is your first use or the key is not plugged in when you launch the program, however this is all covered in the manual (PDF) which is in the program folder, yet curiously does not have a link from the Start Menu (an annoyance that should be fixed in the installer). The manual can be launched from the Help menu in the Live ResponseĀ® administrative console.
The main window is where the examiner creates a collection key and recovers the data and views the results following an acquisition.
To prepare for a capture you fill in the Key Volume Label, Case Number and Details. Once that information is entered press Initialize Key. This brings up the core of the setup, the Data Collection screen, where all pre-capture choices are selected.
Collection Items
The examiner can choose the default Slow, Moderate or Fast settings or manually choose what items are to be collected. Once you have selected the collection scheme, press Finish Setup to install the software with your preferences to the USB key. Eject the key and you are ready to move to the suspect machine(s).
Letās Collect Some Data
The collection phase is the easiest part of the process. Plug the USB key into the suspect machine and if Autorun is enabled simply select Start Live ResponseĀ® from the menu. If Autorun is not enabled you will have to manually browse to the key and launch the executable.
From the resulting Live ResponseĀ® Window click Start to begin the capture. When the process is finished the Start button changes to Quit; click to finish. If you are capturing RAM you will need to return to your Live ResponseĀ® admin machine and download the data and re-initialize the key before moving to a new suspect computer. If you are not capturing RAM you can move on to other suspect computers without downloading the data.
There are many factors that can impact the collection time, including the usual USB speed issues. The manual reads, āOn average, collection of everything to include 2GB of RAM should take 10 minutes. If you are not collecting RAM then everything can be accomplished in a matter of seconds.ā I have found this holds true in real world use.
An important consideration of interacting with any live system is the āfootprintā left by the tool. From Andrew Fahey | Founder & CTO e-fense Inc.:
The footprint left behind on a machine using our Live ResponseĀ® Key is no different than the one left behind by the act of plugging in a brand new usb device:
We alter the SetupAPI log, or the SetupAPI.dev log file with our key information.
Certain Registry keys get updated:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Explorer\ComDlg32\OpenSaveMRU
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ Explorer\MountPoints2\E
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ Explorer\MountPoints2\F
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ Explorer\MountPoints2\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\UsbFlags\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\STORAGE\RemovableMedia \
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USB\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\ Application\TPAutoConnSvc
Letās See What We Captured
Once the collection phase is completed it is time to return to the Live ResponseĀ® admin computer to download the data. First log in to the program and from the Home Screen click on Recover. From the Recover Screen click Recover Key.
When the screen shows Results Available you will be able to expand the tree view in the left pane to begin examining your results.
Select an item in the left pane, then select an item in the upper right pane and you will see the details for that item in the lower right pane.
Letās Generate a Report
All the information in the world is of no use if you cannot disseminate it.
To generate a report, select the Report button from the toolbar, pull down and select your Case No., and Audit Date and select the items you want included in your report. Once you have your selections click the Create Report button.
Live ResponseĀ® will generate an Adobe Acrobat document with the results from your selections. On a typical machine with all items for the report selected it is quite easy to generate a 1500+ page report. The one item lacking from the report is a table of contents or index, so it can take a lot of searching if you are looking for a particular item.
Letās Get Historical
The Live ResponseĀ® administrative console also keeps historical data on captures. This is quite useful if you are documenting a history of policy abuse or violations. Start by clicking the Historical button on the toolbar. The Historical screen is the same as the Recovery screen with the newest collection results at the top of the chronologic list. By default the collections are named by date and time, however you can rename them with more meaningful names.
Letās Do Some Forensics
The last button on the toolbar is the Forensic button. This feature is not documented in the manual. With a little clicking around you will find this screen is for quickly searching through the RAM dump.
Once on the Forensic screen click Open File and browse to the Live ResponseĀ®\Cases folder and then to the case you want to examine. Then select the MemDumpN.dd. You can then perform searches in the dump and copy selections to the Clipboard.
Letās Review
e-fense Live ResponseĀ® is a completely different product from the original Helix3 CD. It is not a collection of Open Source tools, rather a purpose-built tool designed from the ground-up rather than cobbled together from various sources. I have read on some of the forums that a new tool will have to be vetted and have case history behind it like EnCase. Personally I find this a bit of a red herring. While great in a marketing spiel in reality the reputation a tool commands is far down the list of items about which I am questioned. I find that explaining my use of a tool is far more important than past uses of a tool. Just because a tool has been used before does not mean it was used correctly in the current situation. That said, Live ResponseĀ® does have more than just a few months of history.
From Andrew Fahey | Founder & CTO e-fense Inc.:
“Live ResponseĀ® while a new product in name has been used for the last two years in the form of our law enforcement only tool. It has been used around the world in many situations with high success.”
One of the other concerns I have heard voiced is that the USB key is only 16GB (remember when 256K of RAM and 10MB of hard drive space was a big thing?). If that is a concern e-fense can provide a larger USB key (a special order at this time) or you can just install the application to any USB drive you have in-house. It probably works equally well on Firewire or eSATA drives – I have not tried it yet, though.
So far Live ResponseĀ® has worked quite well in all captures I have performed. Although some may be able to script the same functions, I find that Live ResponseĀ® provides a nice structure for verifying what will be captured before moving into the field. This enables examiners or less experienced technicians to collect the same types of data reliably and consistently.
I believe Live ResponseĀ® fills a niche. The original Helix3 CD was a jack-of-all-trades that had some good and bad and some that was outdated. Having a purpose built tool, and more specifically a commercial tool, should make the tools from e-fense better and should enable the company to devote more resources to their products rather than relying on others to create a tool that is then integrated into an interface.
This review can be discussed here.