HBGary Responder Professional
Strengths: The powerful tools included provide easy and insightful access to volatile memory.
Weaknesses: Deployment and data acquisition could be optimized slightly. Can be pricey for general use in the average security department.
Verdict: Responder Pro is well worth the investment for the right kind of user, and should be seriously considered by professional malware analysts and computer forensic investigators for volatile memory acquisition and analysis.
HBGary's Responder Professional is a Windows memory acquisition and analysis tool that offers a variety of features useful to malware analysts and computer forensic investigators. It allows the investigator to capture the data and process state residing in volatile random-access memory (RAM) for later examination. Its array of analysis tools makes it a must-have for professionals who want meaningful, interpreted results delivered quickly.
The tool gives the investigator enough functionality to accomplish the task without cluttering the product with features only a narrow set of users would want. The included FDPro memory acquisition tool captures the contents of a computer's RAM; alternatively, VMware snapshots or dd images can be loaded as input. The acquired data is then analyzed to reveal entities such as emails, web history, user credentials, open network connections and document-oriented data, all of which would prove useful to a forensic examiner in search of evidence. The beauty of this tool is that a criminal is unlikely to consider volatile memory a location for evidence. Responder exploits this blind spot and enables investigators to drill down into the details of what a computer has been used for.
The second area of functionality, which is arguably Responder's focus, is malware analysis. The same data saved from the RAM of a local machine or a VMware snapshot can be analyzed with the intent of finding malicious programs resident on the computer. Responder can reveal running processes, registry entries, operating system information and open files. Although this is useful to the analyst, the volume of data extracted is overwhelming and not particularly useful without some perspective. That perspective is provided by a technology referred to as Digital DNA, which examines the executable program code contained in RAM for malicious behavior and classifies each executable by its suspected danger to the computer. It goes so far as to enumerate the capabilities of the malicious program, such as its method of communication or harmful functionality.
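To make the two analysis passes described above concrete (carving evidence-style artifacts out of a raw image, then scoring each in-memory executable by the capabilities its imported API names imply), here is an added illustration in Python. It is not Responder code, not HBGary's Digital DNA, and not a description of how either works internally: the page names the kinds of artifacts and the idea of a danger classification, and this script shows one simple way a practitioner could implement both over a raw image. The trait table, weights, verdict thresholds, page-aligned MZ scan, and the sample "memory image" are all assumptions constructed for the example.

```python
import re

PAGE = 4096      # in-memory PE images are mapped page-aligned, so MZ headers sit on page boundaries
MIN_LEN = 6      # shortest printable run we treat as a string

# Hypothetical trait table (an assumption for this example, not HBGary's Digital DNA): each
# capability is inferred from the Windows API names an executable references, and carries a weight.
CAPABILITY_TRAITS = {
    "network":       (2, {"WSAStartup", "connect", "InternetOpenA", "HttpSendRequestA"}),
    "injection":     (4, {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"}),
    "persistence":   (3, {"RegSetValueExA", "RegCreateKeyExA"}),
    "keylogging":    (4, {"SetWindowsHookExA", "GetAsyncKeyState"}),
    "anti_analysis": (3, {"IsDebuggerPresent", "CheckRemoteDebuggerPresent"}),
}

ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)   # Windows keeps most strings as UTF-16LE

ARTIFACT_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "url":   re.compile(r"https?://[^\s<>'\"]+"),
    "ipv4":  re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b"),
}


def carve_strings(image):
    """Return (offset, text) for every ASCII and UTF-16LE printable run in the image."""
    out = [(m.start(), m.group().decode("ascii")) for m in ASCII_RUN.finditer(image)]
    out += [(m.start(), m.group().decode("utf-16-le")) for m in UTF16_RUN.finditer(image)]
    return out


def carve_artifacts(image):
    """Evidence-style artifacts (emails, URLs, IPv4 endpoints) found anywhere in the image."""
    found = []
    for offset, text in carve_strings(image):
        for kind, pat in ARTIFACT_PATTERNS.items():
            found += [(kind, m.group(), offset) for m in pat.finditer(text)]
    return found


def find_modules(image):
    """(start, end) ranges of page-aligned MZ headers; a module runs to the next MZ page or EOF."""
    starts = [off for off in range(0, len(image), PAGE) if image[off:off + 2] == b"MZ"]
    ends = starts[1:] + [len(image)]
    return list(zip(starts, ends))


def score_module(blob):
    """Weighted trait score from the API names visible in one executable's memory."""
    names = {text for _, text in carve_strings(blob)}
    traits = {}
    for trait, (weight, apis) in CAPABILITY_TRAITS.items():
        hits = sorted(names & apis)
        if hits:
            traits[trait] = hits
    score = sum(CAPABILITY_TRAITS[t][0] for t in traits)
    return score, traits


def classify(score):
    """Hypothetical thresholds turning a trait score into a triage verdict."""
    if score >= 7:
        return "suspicious"
    if score >= 3:
        return "watch"
    return "benign"


def triage(image):
    report = {"artifacts": carve_artifacts(image), "modules": []}
    for start, end in find_modules(image):
        score, traits = score_module(image[start:end])
        report["modules"].append(
            {"offset": start, "score": score, "traits": traits, "verdict": classify(score)})
    return report


# --- constructed sample image (not a real dump): one data page plus two fake in-memory PEs ---
def _page(*chunks):
    data = b"".join(chunks)
    assert len(data) <= PAGE
    return data + b"\x00" * (PAGE - len(data))


def _fake_module(*api_names):
    # MZ stub, a PE signature, then NUL-separated names standing in for the import name table
    return _page(b"MZ", b"\x00" * 62, b"PE\x00\x00", b"\x00" * 60, b"\x00".join(api_names), b"\x00")


SAMPLE_IMAGE = (
    _page(b"\x00" * 16,
          b"From: alice@example.com\x00", b"\x00" * 8,
          "https://intranet.example.com/login".encode("utf-16-le"), b"\x00" * 8,
          b"C2 10.0.0.5:4444\x00")
    + _fake_module(b"GetModuleHandleA", b"ExitProcess", b"MessageBoxA")
    + _fake_module(b"WSAStartup", b"connect", b"VirtualAllocEx", b"WriteProcessMemory",
                   b"CreateRemoteThread", b"RegSetValueExA", b"IsDebuggerPresent")
)

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_IMAGE), indent=2))
```

Two details carry over to real images: most Windows strings live in memory as UTF-16LE, so a carver that only scans ASCII misses browser history and document text, and a score built from what an executable can do (inject, persist, hide from a debugger) is far more useful for triage than a list of every string it contains. Real tools also walk the kernel's process and module lists instead of guessing module boundaries from page-aligned MZ headers as this example does.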
Responder could also serve as a lightweight utility in field situations where time is of the essence. Its installation process is quick and easy, to the point where a trainee could deploy the product. Once installation is complete, a USB thumb drive containing the product key must be inserted into the machine being analyzed; Responder recognizes this device and allows the user to launch the program.
Responder comes with a quick-start guide that is perfect for getting the tool running, capturing what one needs from RAM and performing some basic analysis on the acquired data. The 161-page manual on the installation disk answers any remaining questions about the tool.
The cost is $10,200, and a Digital DNA subscription costs an additional $2,000 per year. However, under the right circumstances this can be a small price to pay for the convenience and functionality offered.