
Tuesday, January 12, 2016

Live Response Collection - Allosaurus


Hello readers and welcome back! Today we are proud to announce the newest round of updates to the Live Response Collection, specifically with a focus on some new features on the OSX side! 



Improved OSX features!

The biggest change is that the OSX version of the Live Response Collection now creates a memory dump using osxpmem, as long as you run the program with root privileges. The script does the internal math, just like on the Windows side, to make sure that you have enough free space on your destination, regardless of whether it is an internal or external drive. I have encountered cases where OSX formats the size values differently (sometimes throwing in things like an equal sign or a stray letter), and I tried to account for that as much as possible. If you encounter a bug with the memory dump, please let me know and I will try to figure it out, but the more work I do on the OSX side, the more I have come to realize just how terrible OSX is. For example, some Apple programs do not work properly if they were created on Yosemite and are run on El Capitan...so much for "it just works"! If you encounter any issues, I will try to get to the bottom of them as best I can!


The other main OSX feature is a topic that was briefly touched on during the Forensic Lunch on Friday, when Dave, Nicole, and James talked about the FSEvents parser they wrote. If you run the script with root privileges, it will copy the fseventsd data to the corresponding destination folder, and you can then run their tool to go through the data. (NOTE: It is best to transfer the data to a Windows machine to do this; otherwise the fseventsd data may be hidden from you, depending on how the access permissions on your machine are set.)
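The two root-only OSX steps above, with the free-space check in front of the memory dump, as an added example. This is not the Live Response Collection's own script; the 5% safety margin, the `osxpmem -o` invocation (check the usage text of whichever osxpmem build you bundle) and the `collect` function name are assumptions made here. The size parsing deliberately tolerates the stray characters mentioned in the post, and a value that cannot be parsed skips the dump with its own message instead of being reported as "not enough space".

```shell
#!/bin/sh
# Added example, not the Live Response Collection's own script: the root-only
# OSX steps (osxpmem memory dump, fseventsd copy) with a free-space check first.
# Assumptions: 5% margin, "osxpmem -o <file>" usage, function names.

# Reduce a size string to its digits. OSX tooling has been seen to wrap numbers
# in stray characters ("=17179869184", "16384k"), so accept those too.
parse_size() {
    printf '%s' "$1" | tr -cd '0-9'
}

# has_enough_space REQUIRED_BYTES AVAILABLE_KB
# Exit 0 when the destination holds the dump plus a 5% margin, 1 when it does
# not, 2 when either value could not be parsed.
has_enough_space() {
    req=$(parse_size "$1")
    free_kb=$(parse_size "$2")
    [ -n "$req" ] && [ -n "$free_kb" ] || return 2
    need_kb=$(( (req + req / 20 + 1023) / 1024 ))   # bytes plus 5%, rounded up to KB
    [ "$free_kb" -ge "$need_kb" ]
}

# Live OSX values: physical RAM in bytes, and free KB on the volume that holds
# DEST (df resolves internal and external drives alike). Wrapped in functions so
# has_enough_space can also be exercised with constructed values.
mem_bytes()     { sysctl -n hw.memsize; }
dest_avail_kb() { df -k "$1" | awk 'NR == 2 { print $4 }'; }

# collect DEST: memory dump if it fits, then a copy of /.fseventsd. Both need root.
collect() {
    dest=$1
    if [ "$(id -u)" -ne 0 ]; then
        echo "collect: run as root for the memory dump and fseventsd copy" >&2
        return 1
    fi
    mkdir -p "$dest" || return 1

    has_enough_space "$(mem_bytes)" "$(dest_avail_kb "$dest")"
    case $? in
        0) osxpmem -o "$dest/memory.aff4" ;;   # assumed osxpmem usage
        1) echo "collect: not enough free space on $dest for the memory dump, skipping" >&2 ;;
        *) echo "collect: could not parse memory or free-space size, skipping memory dump" >&2 ;;
    esac

    # FSEvents records live in /.fseventsd on the root volume; -p keeps the
    # original modes and timestamps for the analyst.
    cp -Rp /.fseventsd "$dest/fseventsd"
}

# Usage: sudo sh collect_osx.sh --run /Volumes/Evidence/host01
if [ "${1:-}" = "--run" ]; then
    collect "${2:?destination directory required}"
fi
```

The check works in kilobytes because that is what `df -k` reports; `hw.memsize` is in bytes. Remember that the copied fseventsd directory keeps its restrictive modes, which is why the post suggests reviewing it from a Windows box.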


A new naming scheme!

As you may have noticed, the title is "Live Response Collection - Allosaurus". I decided to use dinosaur names to differentiate between Live Response Collection versions, which makes it easy to confirm that you are using the latest build and helps with tracking down any bugs that may pop up. Sometimes a reported bug had already been fixed in a newer release, but because of the old naming scheme it wasn't immediately clear whether the reporter was actually using the latest build.


As always, please do not hesitate to contact me if you have any questions or comments regarding the Live Response Collection.




LiveResponseCollection-Bambiraptor.zip - download here 

MD5: 8603e36be474e8b69c652e5dc86adc2e
SHA-256: ec79422ce2e7218a7bc57b0caf52a5eae2eca98810ac466dddac1115aade493e 

Updated: December 12, 2016





5 comments:

  1. Hey Brian, this tool is great. Any chance you are going to update it?

    1. Also, do you have any particular suggestions for what you would like to have updated?

  2. As it is an open source project and I get around to updates/features/enhancements when I get free time, those updates/features/enhancements only happen when I actually get free time.

    With that being said, it looks like I will have a bit of free time coming up in which I will hopefully get out some updates sooner rather than later, but it is entirely dependent on my schedule, which is always subject to change. :)

  3. This project seems to introduce tools into the target machine to be investigated, e.g. winpcap. I think there needs to be an option for whether we want to install anything on the target machine.

    1. It does; winpcap is installed because nmap needs it to run properly. The nmap scan runs to ensure that the default gateway results from ARP and from nmap correlate. If they are different, it suggests the possibility of ARP spoofing occurring. Following this methodology allows you to identify possible ARP/MITM attacks without having a network capture.

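The gateway correlation described in the reply above, as an added example that is neither the commenter's nor the Live Response Collection's code. It compares the MAC the operating system already holds for the default gateway in its ARP cache (`arp -a`) with the MAC nmap reports after sending its own ARP request (`nmap -sn <gateway>`, which prints a "MAC Address:" line only when run with raw-socket privileges on the local segment, hence winpcap on Windows). Both inputs here are constructed, in the OS X/BSD and Windows `arp -a` formats; the function names and the deliberately mismatched sample MACs are assumptions for the example.

```shell
#!/bin/sh
# Added example (not part of the Live Response Collection): correlate the
# default gateway's MAC from the ARP cache with the MAC nmap observes.
# A mismatch is a lead for ARP spoofing; all inputs below are constructed.

# Constructed BSD/OSX-style ARP cache (`arp -a`). Note the short octets.
ARP_CACHE='? (192.168.1.1) at 0:11:22:33:44:55 on en0 ifscope [ethernet]
? (192.168.1.20) at a4:5e:60:1:2:3 on en0 ifscope [ethernet]'

# Constructed nmap output (`nmap -sn 192.168.1.1` as root); MAC differs on purpose.
NMAP_OUT='Nmap scan report for 192.168.1.1
Host is up (0.0012s latency).
MAC Address: 00:11:22:33:44:AA (Vendor)'

# normalize_mac MAC -> lowercase, colon-separated, zero-padded octets, so that
# BSD "0:11:22:33:44:55", nmap "00:11:22:33:44:55" and Windows
# "00-11-22-33-44-55" compare equal.
normalize_mac() {
    printf '%s\n' "$1" | awk -F'[:-]' '{
        out = ""
        for (i = 1; i <= NF; i++) {
            o = tolower($i)
            if (length(o) == 1) o = "0" o
            out = out (i > 1 ? ":" : "") o
        }
        print out
    }'
}

# arp_gateway_mac ARP_OUTPUT GATEWAY_IP -> the cached MAC for that IP, or empty.
# Matches the "? (ip) at mac" BSD line and the "ip  mac  dynamic" Windows line;
# the MAC is the first hex-only field with exactly five separators.
arp_gateway_mac() {
    printf '%s\n' "$1" | awk -v gw="$2" '
        index($0, "(" gw ")") > 0 || $1 == gw {
            for (i = 1; i <= NF; i++) {
                f = $i
                if (f ~ /^[0-9a-fA-F:-]+$/ && gsub(/[:-]/, "&", f) == 5) { print $i; exit }
            }
        }'
}

# nmap_mac NMAP_OUTPUT -> MAC from the "MAC Address:" line, or empty.
nmap_mac() {
    printf '%s\n' "$1" | awk '/^MAC Address:/ { print $3; exit }'
}

# check_gateway ARP_OUTPUT NMAP_OUTPUT GATEWAY_IP
# Prints "consistent" (exit 0), "MISMATCH: ..." (exit 1) or "unknown" (exit 2).
check_gateway() {
    cached=$(arp_gateway_mac "$1" "$3")
    probed=$(nmap_mac "$2")
    if [ -z "$cached" ] || [ -z "$probed" ]; then
        echo unknown
        return 2
    fi
    if [ "$(normalize_mac "$cached")" = "$(normalize_mac "$probed")" ]; then
        echo consistent
        return 0
    fi
    echo "MISMATCH: ARP cache $cached vs nmap $probed"
    return 1
}

# On a live OSX host the gateway comes from the routing table; shown for
# reference, not used with the constructed data above.
default_gateway() { netstat -rn | awk '$1 == "default" { print $2; exit }'; }

# Stand-alone run: the constructed inputs disagree, so this reports a MISMATCH.
# The nonzero exit is what a collection script would act on.
check_gateway "$ARP_CACHE" "$NMAP_OUT" 192.168.1.1 || :
```

Two practitioner caveats: a match is not proof of absence, because nmap records whichever ARP reply arrives first and an attacker who also answers probes can look legitimate; and the cached entry is only meaningful if the host had talked to the gateway before collection started, otherwise `arp -a` may have no entry at all and the check reports "unknown".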