
Orion Incident Response Live CD

  2. Secure communication, collaboration, and data sharing
  3. Consistent data collection
  4. Pre-installed tools & scripted analysis
  5. Common report formats
  6. Incident data and communication archive

Although these design goals were developed as a result of challenges identified during an incident involving the author and his colleagues, they strongly resemble similar findings by the authors of the Palantir system (Khurana, Basney, Bakht, Freemon, Welch, & Butler, 2009).

4. How Is Orion Different?

There are many bootable live security distributions and virtual machine implementations. Some of them provide solutions to a subset of the Orion design goals. Some of the better known distributions (especially ones that provided inspiration) are described here for comparison purposes.

4.1. FIRE

FIRE was created by William Salusky as one of the first bootable CD-ROM distributions designed specifically for forensics and incident response (Salusky, 2004). FIRE is no longer actively maintained, but many incident responders still carry a copy of the CD-ROM because it includes some tools that are not easily found elsewhere. FIRE does not meet the collaboration and workflow requirements of Orion.

4.2. HELIX3

Helix3 started as a tool for creating forensic images and was first publicly released in 2003 (e-fense, Inc., 2009). The distribution grew to include a large number of open source tools and to provide both a bootable Live CD and a Live Response environment for Windows and Linux. Rob Lee eventually incorporated it into the SANS forensics training track. In 2009, e-fense created Helix3 Pro as a paid, subscription-based product.

John Jarocki, john.jarocki@gmail.com
