HBGary Responder Field Edition
Strengths: Powerful product with many uses at a decent price.
Weaknesses: Documentation is weak.
Verdict: The documentation is thin, but once you learn your way around the tool it is far better than analyzing a memory image by hand.
Summary
HBGary Responder Field Edition is advertised for preserving volatile memory and analyzing what it contains. The product is valuable both to incident response and to forensic analysis of stubborn malware, with several features particularly suited to each.
After a quick five-minute install, Responder Field Edition is ready to analyze with its straightforward and to-the-point interface. The Field Edition bundles FDPro, the memory capture tool, at no additional cost; for other versions of the product it is sold separately for $100, and its advantages may justify that price. FDPro has a small memory footprint, which matters during acquisition because anything the capture tool itself allocates overwrites evidence in RAM. It also offers a proprietary "hpak" output format that captures the Windows pagefile along with the memory image, giving the analyst more data and allowing a deeper investigation of the system. If FDPro is not at hand, Responder Field Edition can import a range of other formats, including raw image files and VMware memory snapshots.
Loading and analyzing two gigabytes of RAM took less than 15 minutes, after which a tree hierarchy of the image was presented. The product analyzes the memory and, if present, any malware in it, and does this job splendidly. Analyzing an individual item can take several minutes, but it then shows extra information such as the files, registry keys and network sockets the item may have opened, as well as the strings it contains. Other features include displaying browsing history, documents and passwords that can be recovered from the memory image. Reporting functionality is also built in, producing detailed investigation reports of the memory.
The printed documentation is minimal, just enough to install the product. The bundled documentation is useful if you know exactly what you are looking for, but there are no general tutorials with step-by-step instructions for the more daunting tasks.
When purchasing Responder Field Edition, one year of support is provided at no additional cost to government and law enforcement purchasers, while commercial customers pay a 20 percent annual fee. Updates and support by email, telephone, message boards and a ticket system on the vendor's website are included when purchasing Responder Professional, with an annual fee of 20 percent of the purchase price for all customers to continue the service.
At a cost of $979, HBGary Responder Field Edition did everything it advertised, proving itself a versatile forensics tool that more than justifies its price.