Difference between revisions of "First Responder's Evidence Disk"

From Forensics Wiki
Jump to: navigation, search
m
m (Editing for specificity on what has been disabled/removed)
(16 intermediate revisions by 2 users not shown)
Line 1: Line 1:
The First Responder's Evidence Disk, or FRED, is a tool for capturing volatile information from a computer system for later analysis. It consists of a batch file used to execute a set of known good tools that gather the state of a victim computer system. It was similar to the [[IRCR]] program and has been widely imitated by other tools. Many other [[Incident Response|incident response]] tools used names similar to FRED.
+
The First Responder's Evidence Disk, or FRED, is a script based [[Incident Response|incident response]] tool. It was designed to capture volatile information from a computer system for later analysis without modifying anything on the victim. It consists of a batch file used to execute a set of known good tools that gather the state of a victim computer system. It was similar to the [[IRCR]] program and has been widely imitated by other tools. Many other incident response tools used names similar to FRED.
  
 
== Usage ==
 
== Usage ==
  
The program is distributed as a compressed image. The examiner runs this image on a safe system and writes the FRED program out to a piece of removable media such as a floppy disk or USB device. The examiner then connects this device to the victim machine. When run, the FRED program writes information out to an audit file on the removable device. The examiner takes this audit file back to the safe system for later analysis. The audit file can also be sent to other investigators if desired.
+
The program was distributed as a compressed 1.44 MB floppy image. The examiner runs this image on a safe system and writes the FRED program out to a piece of removable media such as a floppy disk or USB device. The examiner then connects this device to the victim machine. When run, the FRED program writes information out to an audit file on the removable device. The examiner takes this audit file back to the safe system for later analysis. The audit file can also be sent to other investigators if desired.
  
 
== History ==
 
== History ==
  
FRED was developed by [[Jesse Kornblum]] for the [[AFOSI|Air Force Office of Special Investigations]] in 2002. It was first presented that year at the [[DFRWS|DFRWS Conference]] along with a paper on general principals for preserving volatile information. This version was available to AFOSI agents only.
+
FRED was developed by [[Jesse Kornblum]] for the [[Air Force Office of Special Investigations]] starting in the fall of 2000 and was first released in 2001. The tool was publicly unveiled the following year at the [[Digital Forensic Research Workshop|DFRWS Conference]]. Although the component parts of FRED were not released, mostly due to licensing restrictions, Kornblum did present a paper, ''[http://dfrws.org/2002/papers/Papers/Jesse_Kornblum.pdf Preservation of Fragile Digital Evidence by First Responders]'', that included the FRED script.  
  
A version of the FRED script can be found in the [[Helix]] disk.
+
A version of the FRED script was later incorporated into the [[Helix]] disk.  
  
FRED is now maintained by the [[AFCERT|Air Force Computer Emergency Response Team]] and is not publicly available.
+
There was a proposal for a program to process the audit files into [[HTML]], but this never came to fruition.
 +
 
 +
Since 2004 FRED has been maintained by the [[Air Force Computer Emergency Response Team]]. The current version of FRED (version 4) has been redesigned as a single executable, with remote collection capabilities, and uses Native API functions. The audit file uses PKI for encryption to protect the contents from tampering and disclosure. The publicly available version has the remote functionality as well as the PKI encryption capabilities turned off.
  
 
== Trivia ==  
 
== Trivia ==  
  
The desire for a recursive [[MD5]] program for FRED inspired the development of [[md5deep]].  
+
The desire for a recursive [[MD5]] program for FRED inspired the development of [[md5deep]].
 +
 
 +
== See Also ==
 +
 
 +
* [[IRCR]]
 +
* [[COFEE]]
 +
 
 +
== External Links ==
 +
 
 +
; [[FRED]]
 +
: http://darkparticlelabs.com/portfolio.php
  
  
== External Links ==
 
  
* [http://dfrws.org/2002/papers/Papers/Jesse_Kornblum.pdf Preservation of Fragile Digital Evidence by First Responders]
+
[[Category:Incident response tools]]

Revision as of 07:37, 1 November 2011

The First Responder's Evidence Disk, or FRED, is a script based incident response tool. It was designed to capture volatile information from a computer system for later analysis without modifying anything on the victim. It consists of a batch file used to execute a set of known good tools that gather the state of a victim computer system. It was similar to the IRCR program and has been widely imitated by other tools. Many other incident response tools used names similar to FRED.

Contents

Usage

The program was distributed as a compressed 1.44 MB floppy image. The examiner runs this image on a safe system and writes the FRED program out to a piece of removable media such as a floppy disk or USB device. The examiner then connects this device to the victim machine. When run, the FRED program writes information out to an audit file on the removable device. The examiner takes this audit file back to the safe system for later analysis. The audit file can also be sent to other investigators if desired.

History

FRED was developed by Jesse Kornblum for the Air Force Office of Special Investigations starting in the fall of 2000 and was first released in 2001. The tool was publicly unveiled the following year at the DFRWS Conference. Although the component parts of FRED were not released, mostly due to licensing restrictions, Kornblum did present a paper, Preservation of Fragile Digital Evidence by First Responders, that included the FRED script.

A version of the FRED script was later incorporated into the Helix disk.

There was a proposal for a program to process the audit files into HTML, but this never came to fruition.

Since 2004 FRED has been maintained by the Air Force Computer Emergency Response Team. The current version of FRED (version 4) has been redesigned as a single executable, with remote collection capabilities, and uses Native API functions. The audit file uses PKI for encryption to protect the contents from tampering and disclosure. The publicly available version has the remote functionality as well as the PKI encryption capabilities turned off.

Trivia

The desire for a recursive MD5 program for FRED inspired the development of md5deep.

See Also

External Links

FRED
http://darkparticlelabs.com/portfolio.php