Orion Incident Response Live CD
GIAC (GCIH) Gold Certification
Author: John Jarocki, firstname.lastname@example.org Advisor: Rodney Caudle
Accepted: April 24th 2010
Computer intrusion response often requires working in hostile environments. In an ideal situation, the defender would work on trusted systems, with trusted – even out-of-band – communications channels. This paper assumes a non-ideal situation that more likely matches the norm. In this environment, everything is suspect: servers might be compromised, clients might be hostile, and the network itself cannot be trusted. The proposed solution is a custom-built, persistent Live CD pre-installed with incident response and analysis tools on a platform that allows strong authentication and encrypted communication with other defenders in the line of fire.
Orion is a prototype Live CD-based system intended to provide a self-contained, trusted platform for incident response team members to use for analysis, communication, and collaboration. Orion is currently based on the BackTrack Linux distribution from Offensive Security. While BackTrack is focused on Penetration Testing, Orion is focused on incident response and defense. In security parlance, BackTrack is built for Red Team, while Orion is built for Blue Team.