Welcome to the BriMor Labs blog. BriMor Labs is located near Baltimore, Maryland. We specialize in offering Digital Forensics, Incident Response, and Training solutions to our clients. Now with 1000% more blockchain!
Tuesday, January 12, 2016
Live Response Collection - Allosaurus
Hello readers and welcome back! Today we are proud to announce the newest round of updates to the Live Response Collection, specifically with a focus on some new features on the OSX side!
Improved OSX features!
The biggest change is that the OSX version of the Live Response Collection now creates a memory dump using osxpmem, provided you run the script with root privileges. Because an image of physical memory is at least as large as the installed RAM, the script does the same math as the Windows side before it starts the dump, to make sure that the destination has enough free space, regardless of whether it is an internal or an external drive. I have encountered cases where OSX provides differently formatted results for the sizes (sometimes throwing in things like an equal sign or a random letter) and I tried to account for that as much as possible. If you encounter a bug with the memory dump, please let me know and I will try to figure it out, but as I have done more and more work on the OSX side I have come to realize just how terrible OSX is. For example, some Apple programs do not work properly if they were created on Yosemite and are run on El Capitan...so much for "it just works"! If you encounter any issues I will try to get to the bottom of them as best as I can though!
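The following is an added example of the kind of pre-flight check described above; it is not the Live Response Collection's own script. It reads the installed RAM size, strips any stray characters out of the size fields before doing arithmetic on them, and refuses to proceed when the destination cannot hold an image that large. The destination path argument, the 5% headroom, and the `/proc/meminfo` fallback (so the functions can also be exercised on Linux) are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not the Live Response Collection's own script): pre-flight
# free-space check before asking osxpmem to write an image of physical memory.
# A raw image is at least as large as the installed RAM, so the destination
# must have at least that much free space.
# Assumptions: destination path is $1; RAM size comes from `sysctl -n hw.memsize`
# on OS X, with a /proc/meminfo fallback so the functions also run on Linux;
# the 5% headroom is an arbitrary choice for this example.

# Keep only the digits of a size field, so "=12345", "12345K" or "1,234" all
# become a plain integer. This is the defence against oddly formatted size
# strings: anything that is not a digit is dropped before arithmetic.
digits_only() {
    printf '%s' "$1" | tr -cd '0-9'
}

# Installed physical memory in bytes; non-zero exit if it cannot be found.
physical_memory_bytes() {
    if sysctl -n hw.memsize >/dev/null 2>&1; then
        sysctl -n hw.memsize
    elif [ -r /proc/meminfo ]; then
        kb=$(awk '/^MemTotal:/ { print $2; exit }' /proc/meminfo)
        echo $((kb * 1024))
    else
        return 1
    fi
}

# Bytes to demand on the destination: RAM size plus 5% headroom (assumption)
# for image metadata and the other artifacts the collection writes.
required_bytes() {
    m=$(digits_only "$1")
    [ -n "$m" ] || return 1
    echo $((m + m / 20))
}

# Available 1024-byte blocks for a path, read from `df -Pk` output on stdin.
# -P gives POSIX output on both OS X and Linux: one unwrapped line per
# filesystem, column 4 = Available. Reading stdin lets this be tested on text.
avail_kb_from_df() {
    awk 'NR > 1 { print $4; exit }' | tr -cd '0-9'
}

# have_enough_space NEEDED_BYTES AVAIL_KB
# exit 0 if the space suffices, 1 if not, 2 if AVAIL_KB is unparseable
# (a collection must refuse to run rather than guess).
have_enough_space() {
    needed_bytes=$(digits_only "$1")
    avail_kb=$(digits_only "$2")
    [ -n "$avail_kb" ] || return 2
    needed_kb=$(( (needed_bytes + 1023) / 1024 ))   # round up to whole KB
    [ "$avail_kb" -ge "$needed_kb" ]
}

# Usage: sh check_space.sh /Volumes/USBDRIVE
if [ $# -ge 1 ]; then
    dest=$1
    mem=$(physical_memory_bytes) || { echo "cannot determine RAM size" >&2; exit 2; }
    need=$(required_bytes "$mem")
    avail=$(df -Pk "$dest" | avail_kb_from_df)
    if have_enough_space "$need" "$avail"; then
        echo "OK: $dest has ${avail} KB free, memory image needs about $need bytes"
    else
        echo "ABORT: $dest has ${avail:-unknown} KB free, memory image needs about $need bytes" >&2
        exit 1
    fi
fi
```

Using `df -Pk` rather than `df -h` sidesteps the unit suffixes ("Gi", "G") that vary between platforms, and doing the comparison in whole kilobytes keeps the numbers small enough for shell arithmetic even on machines with tens of gigabytes of RAM.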
The other main OSX feature is a topic that was briefly touched on during the Forensic Lunch on Friday, where Dave, Nicole, and James talked about the FSEvents Parser that they wrote. If you run the script with root privileges, it will copy the fseventsd data (the hidden .fseventsd directory at the root of the volume, which is normally readable only by root) to the corresponding destination folder, and you can then run their tool to go through the data. (NOTE: It is best to transfer the data to a Windows machine to do this, otherwise the fseventsd data may be hidden from you, depending on how the access permissions on your machine are set.)
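As an added example (not the Live Response Collection's own code), here is a small collection routine for that step: it copies the FSEvents log directory while keeping timestamps, relaxes the permissions on the copy only, so the examiner is not locked out later, and writes a size and SHA-256 manifest so the copied files can be verified. The default source `/.fseventsd`, the output layout under the destination folder and the manifest format are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the Live Response Collection's own code): copy the
# FSEvents log directory from a live OS X system into a collection folder,
# keeping timestamps, and record size + SHA-256 of every copied file so the
# copy can be verified later. Assumptions: source defaults to /.fseventsd
# (root-owned, mode 700, so the script must run as root); destination layout
# and manifest format are this example's own choices.

# Pick a SHA-256 tool: OS X ships shasum, most Linux systems ship sha256sum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# collect_fseventsd SRC DEST
# Copies SRC recursively into DEST/fseventsd with -p (keeps mtimes and modes),
# then opens up permissions on the COPY ONLY so a non-root examiner can read it
# (the original on the live system is never touched). Writes
# DEST/fseventsd_manifest.txt with "sha256 size path" per file and prints the
# number of files copied. Exit 1 if SRC is missing or unreadable.
collect_fseventsd() {
    src=${1:-/.fseventsd}
    dest=$2
    [ -d "$src" ] || { echo "source $src not found or not readable (run as root?)" >&2; return 1; }
    mkdir -p "$dest/fseventsd" || return 1
    cp -Rp "$src/." "$dest/fseventsd/" || return 1
    chmod -R u+rwX,go+rX "$dest/fseventsd"
    manifest="$dest/fseventsd_manifest.txt"
    : > "$manifest"
    # FSEvents log names are hex digits (plus fseventsd-uuid), so a line-based
    # loop is safe here; sorting keeps the manifest reproducible across runs.
    find "$dest/fseventsd" -type f | LC_ALL=C sort | while IFS= read -r f; do
        size=$(wc -c < "$f" | tr -d ' ')
        printf '%s %s %s\n' "$(sha256_of "$f")" "$size" "$f" >> "$manifest"
    done
    wc -l < "$manifest" | tr -d ' '
}

# Usage (as root): sh collect_fseventsd.sh /Volumes/USB/case001 [/.fseventsd]
if [ $# -ge 1 ]; then
    collect_fseventsd "${2:-/.fseventsd}" "$1" || exit 1
fi
```

The hashes are taken after the chmod, which is fine because they cover file contents, not metadata; if the original modes matter to the case, record `ls -la` of the source before copying.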
A new naming scheme!
As you may have noticed, the title is "Live Response Collection - Allosaurus". I decided to go with the names of dinosaurs to differentiate between Live Response Collection versions, which also makes it easier to confirm that you are using the latest build and to track down any bugs that may pop up. Sometimes a bug that is reported has already been fixed in a newer release, but because of the old naming scheme it wasn't immediately clear whether you were actually using the latest build.
As always, please do not hesitate to contact me if you have any questions or comments regarding the Live Response Collection.
LiveResponseCollection-Cedarpelta.zip - download here
Updated: September 5, 2019
Hey Brian, this tool is great. Any chance you are going to update it?
Also, do you have any particular suggestions for what you would like to have updated?
As it is an open source project and I get around to updates/features/enhancements when I get free time, those updates/features/enhancements only happen when I actually get free time.
With that being said, it looks like I will have a bit of free time coming up in which I will hopefully get out some updates sooner rather than later, but it is entirely dependent on my schedule, which is always subject to change. :)
This project seems to introduce tools into the target machine to be investigated, e.g. winpcap. I think there needs to be an option for whether we want to install anything on the target machine.
It does; winpcap is installed because nmap needs it to run properly. The nmap scan runs to ensure that the default gateway correlation between the results of ARP and nmap is the same. If they are different, it suggests the possibility of ARP spoofing occurring. Following this methodology allows you to identify possible ARP/MITM attacks without having a network capture.
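The following is an added example of the ARP-versus-nmap gateway comparison described in that reply; it is not the Live Response Collection's own code and does not reproduce its exact commands. It reads the gateway's MAC from the host's ARP cache first, then runs a fresh nmap ping scan of the gateway and compares the two after normalising their formats. The command choices (`ip`/`arp`, `route -n get`, `nmap -sn -n`), the exit-code convention and the sample command output are assumptions of this example; the sample output is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not the Live Response Collection's own code): compare the
# default gateway's MAC address in the host's ARP cache with the MAC that a
# fresh nmap ping scan of the gateway reports. A mismatch is a lead worth
# chasing (possible ARP spoofing / MITM); a match proves nothing on its own,
# since an attacker poisoning the cache may also answer nmap's ARP request.
# Assumptions: run as root on OS X or Linux, nmap in PATH, gateway on the
# local segment (nmap only prints a MAC for hosts it reaches via ARP).

# Print the first MAC address found in the text on stdin, lower-cased with
# zero-padded octets, so BSD arp's "0:1c:42:0:0:18" and nmap's
# "00:1C:42:00:00:18" compare equal. Prints nothing if no MAC is present.
normalize_mac() {
    awk '
    BEGIN { h = "[0-9A-Fa-f][0-9A-Fa-f]?"; re = "^" h ":" h ":" h ":" h ":" h ":" h "$" }
    {
        for (i = 1; i <= NF; i++) {
            if ($i ~ re) {
                n = split($i, o, ":"); out = ""
                for (j = 1; j <= n; j++) {
                    oct = tolower(o[j])
                    if (length(oct) == 1) oct = "0" oct
                    out = out (j > 1 ? ":" : "") oct
                }
                print out; exit
            }
        }
    }'
}

# Default gateway IPv4 address: `ip route` on Linux, `route -n get` on OS X.
default_gateway() {
    if command -v ip >/dev/null 2>&1; then
        ip route show default 2>/dev/null | awk '$1 == "default" && $2 == "via" { print $3; exit }'
    else
        route -n get default 2>/dev/null | awk '$1 == "gateway:" { print $2; exit }'
    fi
}

# Gateway MAC as the host currently has it cached. Read this BEFORE scanning,
# otherwise nmap's own ARP traffic refreshes the entry you wanted to inspect.
cached_gateway_mac() {
    if command -v ip >/dev/null 2>&1; then
        ip neigh show "$1" 2>/dev/null
    else
        arp -n "$1" 2>/dev/null
    fi | normalize_mac
}

# compare_gateway_macs CACHED SCANNED
# exit 0 = match, 1 = mismatch (possible ARP spoofing), 2 = a MAC is missing.
compare_gateway_macs() {
    [ -n "$1" ] && [ -n "$2" ] || return 2
    [ "$1" = "$2" ]
}

check_gateway() {
    gw=$(default_gateway)
    [ -n "$gw" ] || { echo "no default gateway found" >&2; return 2; }
    cached=$(cached_gateway_mac "$gw")
    scanned=$(nmap -sn -n "$gw" 2>/dev/null | normalize_mac)
    compare_gateway_macs "$cached" "$scanned"
    rc=$?
    case $rc in
        0) echo "gateway $gw: ARP cache $cached matches nmap $scanned" ;;
        1) echo "WARNING gateway $gw: ARP cache has $cached but nmap saw $scanned (possible ARP spoofing)" ;;
        *) echo "gateway $gw: could not obtain both MACs (cache='$cached' nmap='$scanned'); run as root on the gateway's segment" >&2 ;;
    esac
    return $rc
}

# Constructed sample output (not captured from a real host) so the parsing
# can be exercised offline; exit status follows compare_gateway_macs.
demo_offline() {
    arp_out='? (192.168.1.1) at 0:1c:42:0:0:18 on en0 ifscope [ethernet]'
    nmap_out=$(printf 'Nmap scan report for 192.168.1.1\nHost is up (0.0012s latency).\nMAC Address: 00:1C:42:00:00:18 (Parallels)\n')
    compare_gateway_macs "$(printf '%s\n' "$arp_out" | normalize_mac)" \
                         "$(printf '%s\n' "$nmap_out" | normalize_mac)"
}

# Usage (as root): sh gateway_check.sh --run
if [ "${1:-}" = "--run" ]; then
    check_gateway
else
    demo_offline && echo "offline sample: cached and scanned gateway MACs agree"
fi
```

Normalising both strings matters more than it looks: BSD `arp` drops leading zeros and nmap upper-cases hex, so a naive string comparison would flag every healthy OS X host as spoofed.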