Strengths: The powerful tools included provide easy and insightful access to volatile memory
Weaknesses: Deployment and data acquisition could be optimised slightly. Can be pricey for general use in the average security department
Verdict: Responder Pro is well worth the investment for the right kind of user, and should be seriously considered by professional malware analysts and computer forensic investigators for volatile memory acquisition and analysis
HBGary's Responder Professional is a Windows memory acquisition and analysis tool that offers a variety of features useful to malware analysts and computer forensic investigators. It allows the investigator to capture data and processes residing in volatile random-access memory for the purpose of further examination later. Its powerful array of analysis tools makes it a must-have for professionals who desire a rapid delivery of meaningful, interpreted results.
The multifaceted functionality provides the investigator with enough tools to accomplish a task, but does not burden them with functionality that only particular individuals will find useful.
The included FDPro memory acquisition tool allows investigators to capture the data contained in a computer's RAM; alternatively, VMware snapshots or dd images can be loaded for analysis instead. This data is then analysed to reveal entities, such as emails, web history, user credentials, open network connections and document-oriented data - all of which would prove useful to the forensic examiner in search of evidence. The beauty of this tool is that a criminal is unlikely to consider their volatile memory as a location for evidence. Responder exploits this mentality and enables investigators to drill down into the details of what a computer has been used for.
The second area of functionality, which is arguably Responder's focus, is malware analysis. The same data saved from the RAM on a local machine or a VMware snapshot can be analysed with the intent of finding malicious programs residing on the computer. Responder can reveal running processes, registry entries, operating system information and open files. Although this is useful to the analyst, the volume of data extracted is overwhelming and not particularly useful without some perspective. This perspective is provided by a technology referred to as Digital DNA, which examines the executable program code contained in the RAM for malicious activity and classifies each executable based on its suspected danger to the computer. It even goes so far as to explore the capabilities of the malicious program, such as its method of communication or harmful functionality.
Responder could be used as a lightweight utility employed in field situations where time is of the essence. Its installation process is quick and easy - to the point where a trainee could deploy the product. Once installation is complete, a USB thumb drive containing the product key must be inserted into the machine being analysed. Responder will recognise this device and allow the user to launch the program.
Responder comes with a quick-start guide that is perfect for getting the tool running and capturing what one needs from the RAM, as well as performing some basic analytics on the acquired data. The detailed manual that is contained on the installation disk serves to answer any remaining questions about the tool.
The cost is c£6,635, and a Digital DNA subscription costs an additional c£1,300 per year. However, under the right circumstances this can be a small price to pay for the convenience and functionality offered by Responder Professional.