Mandiant First Response
Strengths: Strong audit features.
Weaknesses: Limited support and limited documentation.
Verdict: Free audit tool that deploys agents across network computers to gather a snapshot before evidence is gathered.
First Response is a freeware audit tool and is a little difficult to use in the beginning. The interface, deploying agents and gathering data can also be a little awkward at first, but this program can be very useful once the user has a grasp on what it does and what it is capable of.
We found that after working with this product for a while, the information it gathers is reported in an organised and simple-to-read fashion.
This product has features that make it a great addition to any set of forensic and incident response toolkits. First Response is less a forensic tool and more of an audit tool. It has a console that deploys on a single computer on a network, with agents deployed across the network to gather information from connected computers.
The information gathered includes system information, current processes, services, tasks, files, issues, and registry information. After all the data has been gathered, it can then all be put into a central report in order to provide a nice snapshot of a network before any additional forensic evidence is acquired. The agents this program deploys leave a small footprint.
Once installed initially, we had no trouble deploying First Response agents on our test network and gathering information on network computers. We found this program to perform quite well and we were able to gather and analyse data in a fairly short period of time.
First Response has fairly comprehensive documentation, which is quite good for a freeware program. The user guide is a combination of a program overview and a light guide to program features. We found that the manual does a good job of explaining the program, but is fuzzy as to how to do certain things such as deploying agents and using some program features.
Since this is a program that Mandiant offers as freeware, its only support is limited to email. But being free, the program is an excellent addition to any forensic toolkit. We would recommend this for all three levels of incident-response kits.