Orion Incident Response Live CD
After some questions from the community, e-fense also made the last free version (Helix3 2009R1) available, but no further updates will be made.
4.3. SANS Incident Response and Forensic Workstation (SIFT)
For several years the SANS SEC 508 class was taught using the Helix3 CD and virtual machine images. When e-fense went commercial with Helix3, SANS built a customized Fedora-based VMware image.
“Faculty Fellow Rob Lee created the SANS Investigative Forensic Toolkit (SIFT) Workstation featured in the Computer Forensic Investigations and Incident Response course (FOR 508) in order to show that advanced investigations and investigating hackers can be accomplished using freely available open-source tools.” (Lee, 2010)
SIFT provides not only tools, but also additional virtual hard drives that students can use to practice acquisition and analysis skills. This makes it both an excellent learning tool and a solid workbench for forensic analysts and incident responders. Although it contains sshfs for encrypted file sharing as well as report writing tools, it doesn’t have the focus on teamwork and collaboration that Orion was designed around.
BackTrack has become one of the most sophisticated security distributions ever created – and one of the most actively updated (Offensive Security, 2010). A favorite of security professionals and penetration testers, it contains many offensive tools and some forensic acquisition tools, but does not have an incident response focus. Orion is based on BackTrack because of the distribution's modular design and easy customization. This was already true in version 3, but now that BT4 is based on Ubuntu, adding and removing packages using the Advanced Packaging Tool (apt-get) is extremely easy.
4.5. NST (Network Security Toolkit)
The Network Security Toolkit, NST, is a very comprehensive suite of tools with a sophisticated set of web-based documentation (Network Security Toolkit (NST v2.11.0),