Sunday, May 31, 2009

MIR-ROR, for incident response

You can’t publish a cool tool without a cool name.
To that end, I am proud to present:
MIR-ROR: Motile Incident Response – Respond Objectively, Remediate.
If that doesn’t qualify me as an uber-dork (like that needed qualification), nothing will. ;-)
I was rooting about all my USB fobs and discovered one I received while at LE Tech last year. Hiding therein was a handy script that Microsoft forensics mastermind Troy Larson had written to gather investigative data from target machines using a USB stick. I reached out to Troy, and he graciously agreed to allow me to brand the script, as well as maintain and optimize it for your use during incident response engagements.

I consider MIR-ROR a specialized, command-line, RAPIER-like script that makes use of the all-important Windows Sysinternals tools, as well as some other useful tools. Further, as you will see, you can easily enhance the script to your liking with whatever command line tool tickles your fancy.

Incident responders and handlers, malware hunters, and system investigators will all find MIR-ROR useful with one caveat. MIR-ROR is noisy, if you need to maintain forensic integrity, take an image and investigate at your analysis station.

Download MIR-ROR at the project site.
For my complete toolsmith article, courtesy of the ISSA Journal, download it here. | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)


Alexander Sverdlov said...

I don't think that can be considered a serious forensic tool. Simply running standard commands built into Windows, then running the sysinternals tools it runs, it gathers the info one can gather in 10 minutes manually. Thus, not that much of a tool, or script, or anything useful at all. If it were using tools to extract browsing history, list the USB device plugin history, things of that nature, I'd consider it useful. But it's not.

Russ McRee said...

It's clear you have a limited understanding of what incident response is.
The only mention I make of this tool in any forensic capacity is as follows: "MIR-ROR does not meet the bar for sound forensic evidence
collection; this is an incident response tool".
When incident responders in a real production environment need a tool for quick, clean analysis when they don't have time to do it in "10 minutes manually" on hundreds of systems, this script is ideal.
1) What alien processes may have been started?
2) What network connections are being made?
3) What registry changes have been occured?
4) What user accounts have been created?
If that's not "useful" to you I suggest brushing up on the nuances between incident response and forensics.

James said...

Caught the post on ISC, and giving it a try, one note, fetch.txt missed listing srvinfo.exe as from win2k3 reskit. not a biggie, but inconsistent.

Moving blog to

toolsmith and HolisticInfoSec have moved. I've decided to consolidate all content on one platform, namely an R markdown blogdown sit...