Hello, Cybrary community! It has been a long time since my latest article about Tequila, a forensic distribution presented as the first OS distribution focused on forensics in the Latam territory. Part of the project is also an additional suite of tools targeted at performing Incident Response on Windows environments, called Agave. I promised in my previous article that I was going to write about it. Finally, I'm here fulfilling that promise to the community.

Agave: the plant used to make Tequila.

Agave is part of Tequila, acting as a useful suite for performing incident response processes on suspected or confirmed compromised Windows systems. There are versions for 32 and 64 bits available to download at https://archive.org/search.php?query=creator%3A%22Jocsan+Laguna%22. There you will find the repositories for the Tequila and Agave versions, highlighted in the red squares.
Image 1. Agave: 32 / 64 bits repositories

You can use the tool copied onto a USB drive or CD-ROM; almost none of the tools require installation on the system to be analyzed, because they run as self-contained executables. Anyway, please remember that you must ALWAYS document the actions performed on the system in the chain of custody forms and other reports, in order to conduct a formal process and keep a track of the activities and actions executed on the system during the incident response, triage or investigation processes. At a general level, please FIRST get a memory dump (this will be discussed later in this article) and then perform other actions. It is possible that the system will become part of a legal or administrative process that triggers legal actions and others. The purpose of this article is to provide an overview of this suite of tools; I leave it to you Cybrarians to explore further details about them. Now, let's navigate through some of the options and tools presented in Agave. You can run the tool from the exe file to display the tools and options available in a graphical interface.
Image 2. Agave files and Agave.exe launching

Note: Optionally, you can use the different tools stored in the source folder (src) of Agave directly, instead of the GUI deployed by Agave.exe.

Once you run the tool you will see the following screen. There are tools to acquire evidence, such as FTK Imager Lite and RamCapturer. I highly recommend that you perform the memory dump acquisition FIRST when carrying out incident response activities on a system, whether with this suite or any other tool; this should be one of the first steps to accomplish during an investigation. I also recommend reading RFC 3227 to get some theory about the volatility of data and additional knowledge about what to gather first, because of the risk of modification or loss of data.
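The two points above (document every acquisition in the chain of custody, and collect memory before anything less volatile) can be enforced by a small helper that runs from the same removable media as the toolkit. The following is an added example written for this article, not code shipped with Agave or Tequila: it hashes each acquired artifact, records who took it, when, and with which tool, flags any acquisition that violates the RFC 3227 order of volatility, and can later re-hash an artifact to prove it was not altered. The evidence class labels, the `CustodyLog` API and the constructed stand-in images are my own assumptions; the real RamCapturer and FTK Imager Lite outputs would simply be passed in as paths.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# RFC 3227 order of volatility, most volatile first. The labels are my own names for
# the categories the RFC lists; "memory" covers registers, cache and RAM.
VOLATILITY_ORDER = [
    "memory",
    "network_state",    # routing table, ARP cache, process table, kernel statistics
    "temp_files",
    "disk",
    "remote_logs",
    "physical_config",
    "archival_media",
]


def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so a multi-GB memory image never has to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


class CustodyLog:
    """Append-only chain-of-custody record for one case (assumed API, not Agave's)."""

    def __init__(self, case_id, examiner):
        self.case_id = case_id
        self.examiner = examiner
        self.entries = []

    def record(self, kind, path, tool, note=""):
        """Log one acquisition. Sets out_of_order when a more volatile class is collected
        after a less volatile one (for example network state after a disk image)."""
        if kind not in VOLATILITY_ORDER:
            raise ValueError(f"unknown evidence class: {kind}")
        rank = VOLATILITY_ORDER.index(kind)
        least_volatile_so_far = max(
            (VOLATILITY_ORDER.index(e["kind"]) for e in self.entries), default=-1)
        entry = {
            "case_id": self.case_id,
            "seq": len(self.entries) + 1,
            "timestamp_utc": datetime.now(timezone.utc).isoformat(),
            "examiner": self.examiner,
            "kind": kind,
            "tool": tool,
            "path": os.path.abspath(path),
            "size_bytes": os.path.getsize(path),
            "sha256": sha256_file(path),
            "out_of_order": rank < least_volatile_so_far,
            "note": note,
        }
        self.entries.append(entry)
        return entry

    def verify(self, entry):
        """Re-hash the artifact and compare with the hash taken at acquisition time."""
        return os.path.exists(entry["path"]) and sha256_file(entry["path"]) == entry["sha256"]

    def write(self, log_path):
        """Persist the log as JSON lines, one acquisition per line."""
        with open(log_path, "w", encoding="utf-8") as fh:
            for entry in self.entries:
                fh.write(json.dumps(entry, sort_keys=True) + "\n")
        return log_path


def demo():
    """Constructed walk-through with fake artifacts instead of a real RAM capture."""
    workdir = tempfile.mkdtemp(prefix="custody_demo_")
    ram_image = os.path.join(workdir, "memdump.raw")
    disk_image = os.path.join(workdir, "disk.E01")
    net_state = os.path.join(workdir, "netstat.txt")
    for path, data in ((ram_image, b"\x00" * 4096), (disk_image, b"\xff" * 8192), (net_state, b"ARP\n")):
        with open(path, "wb") as fh:
            fh.write(data)

    log = CustodyLog(case_id="CASE-EXAMPLE-001", examiner="J. Doe")
    mem = log.record("memory", ram_image, tool="RamCapturer", note="acquired first, per RFC 3227")
    disk = log.record("disk", disk_image, tool="FTK Imager Lite")
    net = log.record("network_state", net_state, tool="netstat")  # too late: flagged
    intact_before = log.verify(mem)

    # Simulate the image being altered after acquisition: verification must now fail.
    with open(ram_image, "ab") as fh:
        fh.write(b"\x01")
    intact_after = log.verify(mem)

    log.write(os.path.join(workdir, "custody.jsonl"))
    return mem["out_of_order"], disk["out_of_order"], net["out_of_order"], intact_before, intact_after


if __name__ == "__main__":
    print(demo())
```

The log is written to the removable media, not to the suspect host, so nothing on the analyzed system is modified beyond the acquisition itself; the `out_of_order` flag is deliberately a warning rather than a hard error, because a responder sometimes has a good reason to deviate and the record of that deviation is exactly what the chain of custody should capture.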
Image 3. Acquisition and preservation tools

The tool available to capture memory for further analysis is RamCapturer.
Image 4. RAM Capture interface

The second panel of options is related to browsing history: you can launch several of the NirSoft tools to inspect the sites the user visited, when there is suspicion that a threat came from the Internet through one of the common web browsers.
Image 5. Web browser analysis tools

The next options come with tools to inspect processes.
Image 6. Processes and system information gathering tools

For example, the MyEventViewer tool is very useful because it automatically loads the full event log files available on the system, grouped by date and hour, helping you to see the events as a timeline and supporting your investigation of a malicious threat.
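The value of the date-and-hour view is that records from different logs line up in one chronology. The following is an added example, not code from Agave or from NirSoft's MyEventViewer, that reproduces that view over a constructed export: it merges records from the Security, System and Application logs, sorts them into one timeline, buckets them by hour and points at the busiest hour as the place to start reading. The pipe-delimited record format and the sample event lines are my own construction, chosen to resemble a text export from an event viewer.

```python
from collections import defaultdict
from datetime import datetime

# Constructed export, one record per line: log name | local timestamp | event id | message.
# This is not a real Agave or MyEventViewer output format.
SAMPLE_EXPORT = """\
Security|2021-03-02 09:58:11|4624|An account was successfully logged on (type 10) for user admin
Security|2021-03-02 10:02:47|4672|Special privileges assigned to new logon for user admin
System|2021-03-02 10:03:05|7045|A service was installed in the system: updater_svc
Application|2021-03-02 10:03:20|1000|Faulting application name: updater_svc.exe
Security|2021-03-02 10:14:59|4688|A new process has been created: cmd.exe
System|2021-03-02 08:15:00|6005|The Event log service was started
"""


def parse_export(text):
    """Turn the pipe-delimited export into dicts. Malformed lines are skipped rather than
    fatal, because a partially damaged export is still worth a timeline."""
    events = []
    for raw in text.splitlines():
        parts = raw.split("|", 3)
        if len(parts) != 4:
            continue
        log, stamp, event_id, message = parts
        try:
            when = datetime.strptime(stamp.strip(), "%Y-%m-%d %H:%M:%S")
            ident = int(event_id)
        except ValueError:
            continue
        events.append({"log": log.strip(), "time": when, "id": ident, "msg": message.strip()})
    return events


def build_timeline(events):
    """Chronological order across all logs; ties broken by log name so output is deterministic."""
    return sorted(events, key=lambda e: (e["time"], e["log"]))


def bucket_by_hour(timeline):
    """Group events by calendar hour, the same grouping MyEventViewer shows by date and hour."""
    buckets = defaultdict(list)
    for event in timeline:
        buckets[event["time"].strftime("%Y-%m-%d %H:00")].append(event)
    return dict(buckets)


def busiest_hour(buckets):
    """The hour with the most events is usually where the investigation should start."""
    hour = max(buckets, key=lambda h: (len(buckets[h]), h))
    return hour, len(buckets[hour])


def render(timeline):
    """One line per event, aligned for reading."""
    return "\n".join(
        f"{e['time']:%Y-%m-%d %H:%M:%S} {e['log']:<11} {e['id']:>5} {e['msg']}" for e in timeline)


if __name__ == "__main__":
    tl = build_timeline(parse_export(SAMPLE_EXPORT))
    print(render(tl))
    print("busiest hour:", busiest_hour(bucket_by_hour(tl)))
```

Sorting across logs is what exposes the sequence here: the logon and privilege assignment in the Security log, the service installation in the System log and the crash in the Application log are four separate files on the host, but read as one sequence in the 10:00 bucket.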
Image 7. NirSoft MyEventViewer interface

In the following pictures, I'm just going to show you the tools available; I encourage you to explore them more deeply according to your needs.
Image 8. Recovery tools
Image 9. Network tools
Image 10. Autopsy and OSForensics launchers

The last menu of options is simply a collection of additional tools to help you. One important tool here is the Command Prompt utility. When performing an investigation on a system possibly compromised by malicious software or any other threat, it is important to avoid using programs hosted on that system, because of the risk that they have been tampered with (like the local CMD). The recommendation is to use this command line utility if you want to run any additional tool as part of your IR arsenal.
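Bringing your own command prompt only helps if the toolkit on the media is itself still what you prepared in the lab. The following is an added example, not part of Agave or Tequila, of the integrity check a responder would run before launching anything from the USB: a manifest of SHA-256 hashes is built from the clean toolkit once, kept off the media, and compared against the media at the start of each engagement, reporting modified, missing and unexpected files. The directory layout and file names in the demo are constructed; only the `src` folder and `Agave.exe` names come from the article.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Chunked SHA-256 so large tool binaries are hashed without loading them whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative, forward-slash paths) to its SHA-256.
    Run once on the clean toolkit before the media leaves the lab."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_toolkit(root, manifest):
    """Compare the media against the manifest. Returns sorted lists of modified, missing
    and unexpected files; the toolkit is trustworthy only when all three are empty."""
    current = build_manifest(root)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    unexpected = sorted(p for p in current if p not in manifest)
    return modified, missing, unexpected


def demo():
    """Constructed toolkit on disk: a clean check, then a tampered check."""
    root = tempfile.mkdtemp(prefix="toolkit_demo_")
    os.makedirs(os.path.join(root, "src"))
    files = {  # constructed contents; file names are illustrative
        "Agave.exe": b"launcher",
        "src/shell_tool.exe": b"trusted command prompt",
        "src/README.txt": b"docs",
    }
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    manifest = build_manifest(root)  # in practice stored off the media
    clean_result = verify_toolkit(root, manifest)

    # Simulate tampering: one binary replaced, one file removed, one file dropped in.
    with open(os.path.join(root, "src", "shell_tool.exe"), "wb") as fh:
        fh.write(b"replaced binary")
    os.remove(os.path.join(root, "src", "README.txt"))
    with open(os.path.join(root, "src", "dropped.exe"), "wb") as fh:
        fh.write(b"unknown")
    tampered_result = verify_toolkit(root, manifest)
    return clean_result, tampered_result


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean media:", clean)
    print("after tampering (modified, missing, unexpected):", tampered)
```

The manifest must live somewhere the suspect host and the media cannot alter, such as the case file or a read-only copy in the lab; a manifest stored next to the tools would be replaced together with them. Running the check before the first tool is launched also gives the chain of custody a recorded statement that the tools used were the ones prepared.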
Image 11. Utilities

Thanks a lot for reading this article. Rather than leaving it as just another source for reading, try the tools; I'm completely sure they will be useful to you if you are in an incident handler, first responder, security or digital forensics professional, or Windows administrator role.

-Jaime