Mandiant First Response 1.1.1

Mandiant First Response 1.1.1 is considered as a free yet very useful software solution for incident responders that provides an efficient toolkit for collecting and analyzing critical data following a suspected computer security event.

MFR provides the ability to remotely collect the volatile data that allows organizations to perform precision strike responses when an incident occurs. Information from file listings, system registries, running processes and services, event logs, and many other data sources can now be centrally gathered and rapidly reviewed to validate a computer security event.

The software is comprised of a deployable Agent that gathers relevant forensic data from target systems, and a centralized Console for command, control, and analysis functions. Data acquisitions can be performed locally or via a network connection, providing investigators with the necessary flexibility to conduct forensic operations in a variety of environments.

Major Features:

1. First response agent features:
   • Gathering of critical system information, including:
   • System configuration, including OS, patch level, date/time settings, MAC address, processor identification, and uptime.
   • File listings.
   • System registry.
   • Running processes.
   • Available services and status.
   • Event logs.
   • Open network ports and their associated processes/image paths.
   • Scheduled tasks.
   • Gather system information locally via the Agent or install it as a service and retrieve information via network connections from the Console
   • Data acquisition pre-filtering: minimize the collected data set to identify specific problems and make network acquisition more efficient
   • Data gathered and stored as compressed XML
2. Command console features:
   • View data from multiple audits and multiple systems.
   • “Precision Strike” Forensics: launch audits on deployed Agents and acquire data interactively in real-time using filters to get only what you need.
   • Tabbed interface for review and flagging of data acquired from deployed Agents, including:
   • • Column-formatted, sortable views for all audit data.
     • Multiple customizable flags for use in your review process.
     • Multi-format display of registry key payloads to assist in searches for hidden information.
     • Detailed event view for every gathered data item.
     • Analyst notes.
   • Interactive and automatic report generation.

• Version 1.1.1 addresses various bugs in the MFR Agent, as well as a bug in the MFR Console that was preventing generation of plaintext reports.

Requirements:

• Agent:
• • Windows 2000 or higher.
  • 400Mhz Celeron or better.
  • 256MB RAM.
• Console:
• • Windows XP.
  • 1GHz Pentium 4 or better.
  • 1GB RAM.