Responder Field Edition
Strengths: Powerful product with many uses, at a decent price
Weaknesses: Documentation is weak
Verdict: While lacking in documentation, once you start to understand how to use it, it is much better than analysing the memory by hand
HBGary's Responder Field Edition is advertised for memory preservation as well as analysis of items in the memory. This product is valuable to both incident response as well as forensics on obstinate malware, with several features particularly useful for each.
After a five-minute install, the product is ready to analyse, with a straightforward and to-the-point interface. The Field Edition of Responder does not include FDPro, HBGary's memory acquisition tool, but the additional licence is around £67 and its advantages may justify the cost: FDPro has a small memory footprint, and its proprietary "hpak" output format captures the Windows pagefile along with the memory image, allowing a deeper investigation of a system.
If FDPro is not at hand, Responder Field Edition can also import a multitude of other files - including raw image files and VMware memory snapshots.
Loading and analysing a 2GB RAM image took less than 15 minutes, after which a tree hierarchy was presented. The product analyses the memory and, if any is present, the malware within it, and it does this job splendidly. Analysing an individual item can take minutes, but the result lets you view extra information, such as the files, registry keys and network sockets it may have opened, as well as the strings it contains.
Other features include displaying browsing history, documents and passwords that can be recovered from memory. There is also reporting functionality, producing detailed investigation reports.
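To give a sense of what a raw image import actually hands the tool, the following is an added illustration written for this review, not HBGary's code and not a description of how Responder works internally. It assumes nothing more than an unstructured memory image (a dd-style dump or a VMware .vmem file, for instance) and scans it for printable runs, both plain ASCII and the UTF-16LE encoding in which Windows keeps most paths, registry keys and URLs; the sample bytes are constructed inline so it runs offline.

```python
"""Minimal string carver for a raw memory image.

Added example for this review; not HBGary's code. It assumes a raw,
unstructured image and demonstrates why a UTF-16LE pass matters: a
plain ASCII `strings` run silently misses most Windows artefacts.
"""
import re

# Constructed sample image: binary filler, an ASCII URL, a UTF-16LE
# registry run key, more filler, and a short fragment that must NOT be
# reported. Not taken from any real system.
SAMPLE_IMAGE = (
    b"\x00\x01\x02" * 8
    + b"http://example.test/login?user=alice"
    + b"\x00\xff\x90" * 5
    + "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le")
    + b"\x00\x00" + b"\x7f\xfe" * 4
    + b"Pa\x00ss"
)

# Simple classifiers for the artefact types the review mentions
# (URLs, registry keys, file paths). Hypothetical categories, assumed here.
INDICATORS = {
    "url": re.compile(r"^https?://", re.I),
    "registry": re.compile(r"^HK(LM|CU|CR|U|CC)\\", re.I),
    "path": re.compile(r"^[A-Za-z]:\\"),
}


def carve_strings(image: bytes, min_len: int = 8):
    """Return (offset, encoding, text) for every printable run of at
    least `min_len` characters, sorted by offset in the image."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # UTF-16LE of printable ASCII: each character is <byte><NUL>.
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(image):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(image):
        found.append((m.start(), "utf-16-le", m.group().decode("utf-16-le")))
    return sorted(found)


def classify(text: str) -> str:
    """Label a carved string by the first indicator it matches."""
    for name, rx in INDICATORS.items():
        if rx.search(text):
            return name
    return "other"


if __name__ == "__main__":
    for offset, encoding, text in carve_strings(SAMPLE_IMAGE):
        print(f"0x{offset:08x} {encoding:9} {classify(text):8} {text}")
```

Running it against the constructed buffer reports the URL as ASCII and the registry key as UTF-16LE while ignoring the interrupted "Pa\x00ss" fragment; against a real image the list is enormous and unattributed to any process, which is exactly the gap a tool like Responder closes by tying strings, handles and sockets back to the object that owns them.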
The physical documentation is minimal, just enough to install it. The bundled documentation is useful, if you know exactly what you are looking for. However, there are no general tutorials, explaining how to accomplish the more daunting tasks.
One year of support service is provided. Support by email, telephone, message boards and a ticket system on the website is included when purchasing Responder Professional, with a fee of 20 per cent of the cost annually to continue the service.
At a cost of £950, Responder Field Edition did everything it advertised, showing itself to be a versatile forensics tool that comfortably justifies its price.