Difference between revisions of "First Responder's Evidence Disk"

From Forensics Wiki
Jump to: navigation, search
m
(Updated history)
Line 1: Line 1:
The First Responder's Evidence Disk, or FRED, is a tool for capturing volatile information from a computer system for later analysis. It consists of a batch file used to execute a set of known good tools that gather the state of a victim computer system. It was similar to the [[IRCR]] program and has been widely imitated by other tools. Many other [[Incident Response|incident response]] tools used names similar to FRED.
+
The First Responder's Evidence Disk, or FRED, is a script based [[Incident Response|incident response]] tool. It was designed to capture volatile information from a computer system for later analysis without modifying anything on the victim. It consists of a batch file used to execute a set of known good tools that gather the state of a victim computer system. It was similar to the [[IRCR]] program and has been widely imitated by other tools. Many other incident response tools used names similar to FRED.
  
 
== Usage ==
 
== Usage ==
  
The program is distributed as a compressed image. The examiner runs this image on a safe system and writes the FRED program out to a piece of removable media such as a floppy disk or USB device. The examiner then connects this device to the victim machine. When run, the FRED program writes information out to an audit file on the removable device. The examiner takes this audit file back to the safe system for later analysis. The audit file can also be sent to other investigators if desired.
+
The program was distributed as a compressed 1.44 MB floppy image. The examiner runs this image on a safe system and writes the FRED program out to a piece of removable media such as a floppy disk or USB device. The examiner then connects this device to the victim machine. When run, the FRED program writes information out to an audit file on the removable device. The examiner takes this audit file back to the safe system for later analysis. The audit file can also be sent to other investigators if desired.
  
 
== History ==
 
== History ==
  
FRED was developed by [[Jesse Kornblum]] for the [[AFOSI|Air Force Office of Special Investigations]] in 2002. It was first presented that year at the [[DFRWS|DFRWS Conference]] along with a paper on general principals for preserving volatile information. This version was available to AFOSI agents only.
+
FRED was developed by [[Jesse Kornblum]] for the [[AFOSI|Air Force Office of Special Investigations]] starting in the fall of 2000 and was first released in 2001. The tool was publicly unveiled the following year at the [[DFRWS|DFRWS Conference]]. Although the component parts of FRED were not released, mostly due to licensing restrictions, Kornblum did present a paper, ''[http://dfrws.org/2002/papers/Papers/Jesse_Kornblum.pdf Preservation of Fragile Digital Evidence by First Responders]'', that included the FRED script.  
  
A version of the FRED script can be found in the [[Helix]] disk.
+
A version of the FRED script was later incorporated into the [[Helix]] disk.  
  
FRED is now maintained by the [[AFCERT|Air Force Computer Emergency Response Team]] and is not publicly available.
+
There was a proposal for a program to process the audit files into [[HTML]], but this never came to fruition.
 +
 
 +
Since 2004 FRED has been maintained by the [[AFCERT|Air Force Computer Emergency Response Team]] and is not publicly available.
  
 
== Trivia ==  
 
== Trivia ==  
  
The desire for a recursive [[MD5]] program for FRED inspired the development of [[md5deep]].  
+
The desire for a recursive [[MD5]] program for FRED inspired the development of [[md5deep]].
 
+
 
+
== External Links ==
+
 
+
* [http://dfrws.org/2002/papers/Papers/Jesse_Kornblum.pdf Preservation of Fragile Digital Evidence by First Responders]
+

Revision as of 21:52, 1 March 2007

The First Responder's Evidence Disk, or FRED, is a script based incident response tool. It was designed to capture volatile information from a computer system for later analysis without modifying anything on the victim. It consists of a batch file used to execute a set of known good tools that gather the state of a victim computer system. It was similar to the IRCR program and has been widely imitated by other tools. Many other incident response tools used names similar to FRED.

Usage

The program was distributed as a compressed 1.44 MB floppy image. The examiner runs this image on a safe system and writes the FRED program out to a piece of removable media such as a floppy disk or USB device. The examiner then connects this device to the victim machine. When run, the FRED program writes information out to an audit file on the removable device. The examiner takes this audit file back to the safe system for later analysis. The audit file can also be sent to other investigators if desired.

History

FRED was developed by Jesse Kornblum for the Air Force Office of Special Investigations starting in the fall of 2000 and was first released in 2001. The tool was publicly unveiled the following year at the DFRWS Conference. Although the component parts of FRED were not released, mostly due to licensing restrictions, Kornblum did present a paper, Preservation of Fragile Digital Evidence by First Responders, that included the FRED script.

A version of the FRED script was later incorporated into the Helix disk.

There was a proposal for a program to process the audit files into HTML, but this never came to fruition.

Since 2004 FRED has been maintained by the Air Force Computer Emergency Response Team and is not publicly available.

Trivia

The desire for a recursive MD5 program for FRED inspired the development of md5deep.