Incident Response & Malware Analysis

The new face of malware is designed never to touch the disk and to reside only in memory. Important delivery information, rootkit behaviors and malware not detected by AV can be found easily using Responder. Once malware is detected by Active Defense with Digital DNA, you can use Responder Professional, a stand-alone workstation tool, for a deeper analysis of a computer's memory and its malware, gaining more critical intelligence about today's elusive, adaptive APT attackers and other unknown cyberthreats.

Responder Pro

Designed for incident responders, malware analysts, and computer forensic investigators who demand the very best, Responder Professional is the de facto industry standard for physical memory forensics and automated malware analysis, and provides early malware detection and software behavioral identification with Digital DNA™.

Malware analysis includes automated code disassembly, behavioral profiling reporting, pattern searching, code labeling, and control flow graphing. This is a huge step forward for the information security and computer forensic communities. Finally, these long-awaited capabilities are available to complement enterprise security best practices in the areas of host intrusion detection, computer forensics and security assessments.


Responder Field Edition

Used primarily by computer forensic investigators and law enforcement, HBGary Responder™ Field quickly captures and identifies critical information found in memory. Cyber investigations are incomplete if volatile memory is not preserved and analyzed for potential evidentiary artifacts. Responder Field Edition includes memory preservation, memory analysis, rootkit behavior detection, basic malware analysis and reporting.

Responder Community Edition

Responder Community Edition is the free version of HBGary's flagship Responder product, the de facto standard for physical memory analysis. Built on the same comprehensive live Windows memory investigation platform as our other two Responder products, Responder Pro and Responder Field Edition, Responder Community Edition offers a new, cost-effective way to gather the critical intelligence found only in computer memory.

REcon

REcon, in conjunction with HBGary's Responder Professional, allows small security teams to automate malware analysis (typically outsourced in the past), giving them run-time information. For larger teams, it allows deeper analysis and the ability to quickly correlate pertinent streams of information.

REcon can record the entire lifecycle of a software program, from the first instruction to the last. All behavior is recorded, including all loaded DLLs, plugins, browser helper objects (BHOs), file system activity, network activity, and registry access. Users can configure additional tracks of data to be recorded in almost limitless ways. Any function point can be recorded, including DLL exported functions and internal undocumented functions (an API-spy type capability). Users can control the sampling behavior, including the number and type of arguments to a call. The full control flow graph is recovered for a program, including all basic blocks and branch conditions, even branches not taken. The opcodes, top of stack, and register context can be captured at single-step resolution. This allows the recovery of packed executables, such as those packed by ASProtect, ASPack, Armadillo, UPX, and even Themida. REcon operates entirely in kernel mode and remains hidden from many anti-debugger checks, including checks for kernel-mode debuggers.

FastDump Pro

FastDump Pro is included with Responder™ Professional and is the industry's most complete memory acquisition utility, designed to preserve Windows™ physical memory for information security and computer forensic purposes. FDPro™ supports all versions of Windows™ operating systems and service packs, 32- and 64-bit, including systems with more than 4 GB of RAM. FDPro also supports acquisition of the Windows™ pagefile following the acquisition of RAM, and other useful techniques for a more thorough memory investigation.

Responder Feature Comparison

Feature                                        | Community Edition | Field Edition | Pro Edition
Maximum memory snapshot size                   | 6 GB              | N/A           | N/A
RAM preservation and analysis                  |                   |               |
Recreate objects table and expose all objects  |                   |               |
Identify and extract suspicious files          |                   |               |
Explorer tree-structure user interface         |                   |               |
Exposed API for user extensibility             |                   |               |
Scripting for user extensibility               |                   |               |
Automated reporting                            |                   |               |
Remote memory snapshots                        |                   |               |
Binary static disassembly                      |                   |               |
Binary runtime analysis                        |                   |               |
Automated malware analysis                     |                   |               |
Interactive binary control flow graphing       |                   |               |