Orion Incident Response Live CD 4
Secure communication, collaboration, and data sharing
Consistent data collection
Pre-installed tools & scripted analysis
Common report formats
Incident data and communication archive
Although these design goals were developed as a result of challenges identified during an incident involving the author and his colleagues, they closely resemble the findings of the authors of the Palantir system (Khurana, Basney, Bakht, Freemon, Welch, & Butler, 2009).
4. How Is Orion Different?
There are many bootable live security distributions and virtual machine implementations. Some of them provide solutions to a subset of the Orion design goals. Some of the better-known distributions (especially those that provided inspiration) are described here for comparison purposes.
FIRE was created by William Salusky as one of the first bootable CDROM distributions designed specifically for forensics and incident response (Salusky, 2004). FIRE is no longer actively maintained, but many incident responders still carry a copy of the CDROM because it has some tools not easily found elsewhere. FIRE does not meet the collaboration and workflow requirements of Orion.
Helix3 started as a tool for creating forensic images and was first publicly released in 2003 (e-fense, Inc., 2009). The distribution grew to include a large number of open source tools and to provide both a bootable Live CD and a Live Response environment for Windows and Linux. Eventually Rob Lee incorporated it into the SANS forensics training track. In 2009, e-fense created Helix3 Pro as a paid, subscription-based product.