Orion Incident Response Live CD


Orion additionally has menu items for Didier’s FindEvil tool, PDF Parser, and several debuggers such as OllyDBG, Evans Debugger, and IDA Pro Free -- some of which are included because they come with BackTrack.

10.2. Behavioral Analysis

Researchers and responders often use virtualized copies of operating systems running under virtual machine software such as VMware to perform live analysis of malware.

Orion includes the kernel patches and some scripts to manage VM images, but VMware itself cannot be distributed with the Live CD, so the user has to install it after the fact. Virtual machine images are also quite large, so the author keeps them on separate media and uses symbolic links to tell VMware where to find them. Some of the recommended virtual machines for this analysis work are:

  • Windows XP, with minimal patches

  • Windows XP, fully patched

  • The Federal Desktop Core Configuration (Windows XP again) available from


  • Fedora and/or Ubuntu Live CD .iso files that can be booted within a VM

This is only a small sample of useful virtual machines for behavioral or dynamic analysis. A complete discussion of this topic is beyond the scope of this paper, but each of these has been tested running as a client OS under Orion.
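
The symbolic-link arrangement described above, as an added shell example that is not one of Orion's own scripts: it links each VM directory found on the separate media into a local directory that VMware is pointed at. The function name, the example paths, and the rule that a VM directory is one containing a `.vmx` file are assumptions.

```shell
#!/bin/sh
# Added example, not a script shipped with Orion.
# Usage (paths are assumptions): link_vm_images /media/vmstore "$HOME/vmware"

# link_vm_images MEDIA_DIR VM_DIR
# Symlink every VM directory on MEDIA_DIR (one holding a .vmx file) into
# VM_DIR. Prints the number of links created or refreshed.
link_vm_images() {
    # Resolve to absolute paths so links stay valid from any working directory.
    lv_media=$(cd "$1" 2>/dev/null && pwd) || {
        echo "media not mounted: $1" >&2
        return 1
    }
    mkdir -p "$2" || return 1
    lv_dest=$(cd "$2" && pwd) || return 1
    lv_count=0

    # Remove dangling links left behind by media that is no longer attached.
    for lv_link in "$lv_dest"/*; do
        if [ -L "$lv_link" ] && [ ! -e "$lv_link" ]; then
            rm -- "$lv_link"
        fi
    done

    for lv_vm in "$lv_media"/*; do
        [ -d "$lv_vm" ] || continue
        # Treat a directory as a VM only if it contains a .vmx config file.
        set -- "$lv_vm"/*.vmx
        [ -e "$1" ] || continue
        lv_link=$lv_dest/${lv_vm##*/}
        if [ -L "$lv_link" ]; then
            rm -- "$lv_link"            # existing link: replace it
        elif [ -e "$lv_link" ]; then
            # Never overwrite a real file or directory (e.g. a local VM copy).
            echo "skipping ${lv_vm##*/}: not a symlink" >&2
            continue
        fi
        ln -s -- "$lv_vm" "$lv_link"
        lv_count=$((lv_count + 1))
    done
    echo "$lv_count"
}
```

Running it again after swapping media clears links to images that are no longer attached before linking the ones that are.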

10.3. Network Analysis

Orion includes several of the author’s favorite tools for analyzing network traffic captures. Some of these, such as Xplico (Gianluca & De Franceschi, 2010), are self-contained systems for complete forensic analysis of packet captures (.pcap files). Other tools, such as analog, search log files. In the internal version of Orion in use at the author’s organization, the Splunk log reporting and analysis tool is installed. Splunk is a terrific tool for diving into log files, even ones that are completely new to the responder, because Splunk allows for on-the-fly creation of new schemas and field parsers.

John Jarocki, john.jarocki@gmail.com
