Welcome! Thank you for visiting HBGary, Inc. and your interest in our products. All of the existing free tools are available to registered users on the HBGary support site. We have upgraded the security on the community support site and now require two-factor authentication for all access, both for commercial customers and free tools.
If you would like to become an HBGary registered user, please take a few minutes and complete the form here. Please note that your registration information will not be used for marketing or sales purposes. If you would like to learn more about our products and speak with an HBGary sales representative, please contact sales@hbgary.com.
HBGary is committed to keeping customers ahead of the threat curve. HBGary's free tools provide a significant advantage for practitioners working in the fields of enterprise incident response, malware analysis, and information operations. These tools can be used at no cost for internal corporate and government use. Note: consulting firms and outsourced contractors, however, must obtain a special license for use.
Summary of Tools
Responder Community Edition
Responder™ Community Edition provides the most thorough and comprehensive memory analysis capability in the industry. Responder™ Community Edition virtually rebuilds all the underlying data structures up to 6 gigabytes of RAM. This includes all physical-to-virtual address mappings; it also recreates the object manager, exposes all objects, and enables investigators to perform a complete and comprehensive computer investigation. For more information, click here.
AcroScrub
AcroScrub provides enterprise network administrators a quick and easy way to discover which users and end-node computers in their organization are potentially susceptible to a PDF-based spearphishing attack. AcroScrub scans without using agents, and utilizes built-in Windows networking to scan for old and vulnerable installations of Adobe Acrobat Reader. For more information, click here.
FastDump
Fastdump is the industry’s most forensically sound Windows™ memory dumping utility. Fastdump has a memory footprint that is far less than other tools such as Helix/DD. All required code is statically linked, so no additional DLLs are loaded. The final executable size is only 80K. Click here for more information.
Flypaper
HBGary Flypaper is an invaluable tool in your fight against malware. Most malware is designed as a two- or three-stage deployment. First, a dropper program will launch a second program, and then delete itself. The second program may take additional steps, such as injecting DLLs into other processes, loading a rootkit, etc. These steps are taken quickly, and it can be difficult for an analyst to capture all of the binaries used in the deployment. HBGary Flypaper solves this problem for the analyst. Click here for more information.
Fingerprint
FingerPrint is the industry’s first tool that will allow individuals to track a piece of malware based upon compile time, programming language used, language & compiler version, etc. This can be used for developer attribution and strain identification. Fingerprint is open-source so you can extend the matching capabilities. For more information, click here.
FGet
The FGET tool forensically extracts files from raw NTFS volumes on remote Windows systems in your domain. This tool works over the network and can extract any file (including those that are locked and in-use) in a forensically sound manner, without altering target filetimes or attributes. In particular, the tool can be used to extract files that are critical to timeline reconstruction. For more information, click here.
Click here for the FGET FAQ
Detailed Information: Fingerprint
FingerPrint is a simple framework for scanning binaries (preferably binaries extracted from memory so they are already unpacked). It allows scanning for ASCII/wide strings and byte patterns, then annotating results. Results are saved in an XML format and can be compared to previous results. The goal is to allow quick development of new search patterns and easy comparison to previous binaries.
FingerPrint is 100% C# and requires the Microsoft .NET Framework v3.5.
FingerPrint is extendable via "FingerPrints"... FingerPrints are C# files that implement the IFingerPrint interface (aka plugins). You can create new FingerPrints and the FP.exe will automatically compile and execute them if they are placed in the \FingerPrint sub directory.
The Source code is provided, with restrictions
General Usage:
fp [file or directory]
to get a dump of fingerprint data
fp -c [file 1] [file 2]
to compare two files
fp -c [directory]
to scan a directory and compare it to the scan history, showing a summary of results
fp -r [directory]
to recursively scan a directory
fp -db [file 1]
to compare a file to the scan history, only showing > 80% matches
fp -dball [file 1]
to compare a file to the scan history, showing all comparisons
Every time you fingerprint a file, it is added to a database called "scan_history.xml" in the current directory. Scan_history.xml can get very large when examining large sets of files, so if you need more speed/efficiency, modify the ScanResults.cs class to output a binary format or backend to SQL.
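The scan-and-compare workflow described above (ASCII/wide strings, byte patterns, compile time, and a history lookup with an 80% cut-off) can be illustrated with the following added Python example. It is not FingerPrint's own C# code: the Jaccard similarity metric, the feature names, the byte pattern, the in-memory history and the sample binaries are all assumptions constructed for illustration.

```python
import re
import struct

MIN_LEN = 5  # assumption: shortest string worth recording
# Constructed pattern (a common x86 function prologue), not one of FingerPrint's rules.
BYTE_PATTERNS = {"x86_prologue": b"\x55\x8b\xec\x83\xec"}

def pe_compile_time(data):
    """Return the COFF TimeDateStamp of a PE image, or None if the header is absent."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 12 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]

def fingerprint(data):
    """Collect ASCII strings, UTF-16LE (wide) strings and byte-pattern hits."""
    feats = set()
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % MIN_LEN, data):
        feats.add("ascii:" + m.group().decode("ascii"))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN, data):
        feats.add("wide:" + m.group().decode("utf-16-le"))
    feats.update("pattern:" + n for n, p in BYTE_PATTERNS.items() if p in data)
    return feats

def similarity(a, b):
    """Jaccard overlap of two feature sets, as a percentage (assumed metric)."""
    return 100.0 * len(a & b) / len(a | b) if (a or b) else 100.0

def matches(data, history, threshold=80.0):
    """Names in the scan history whose similarity to data exceeds threshold."""
    feats = fingerprint(data)
    return sorted(n for n, old in history.items() if similarity(feats, old) > threshold)

def make_sample(timestamp, strings, wide, raw=b""):
    """Constructed input: minimal MZ/PE header followed by string and code bytes."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    coff = b"PE\0\0" + struct.pack("<HHI", 0x14C, 1, timestamp) + b"\0" * 12
    body = b"\0".join(s.encode("ascii") for s in strings) + b"\0\0"
    return bytes(hdr) + coff + body + wide.encode("utf-16-le") + b"\0\0" + raw

STRINGS = ["GetProcAddress", "cmd.exe /c del", "Mozilla/4.0", "dropper.pdb", "SeDebugPrivilege"]
OLD = make_sample(0x4B2F1A00, STRINGS, "svchost.exe", BYTE_PATTERNS["x86_prologue"])
NEW = make_sample(0x4B3A0000, STRINGS + ["update.dat"], "svchost.exe", BYTE_PATTERNS["x86_prologue"])
OTHER = make_sample(0x4A000000, ["notepad help text"], "Untitled")
HISTORY = {"old_build": fingerprint(OLD), "unrelated": fingerprint(OTHER)}
```

Here `NEW` is a constructed rebuild of `OLD` with one extra string and a different compile time, so `matches(NEW, HISTORY)` reports only `old_build`, while `pe_compile_time` shows the two builds were produced at different times.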
Detailed Information: FGet

The fget tool forensically extracts files from raw NTFS volumes on remote Windows systems in your domain. This tool works over the network and can extract any file (including those that are locked and in-use) in a forensically sound manner, without altering target filetimes or attributes. In particular, the tool can be used to extract files that are critical to timeline reconstruction, including the prefetch directory, temporary internet files, event logs, system registry files, user registry files, recycle bin, system restore points, AV/firewall logs, and web-browser DAT files. In addition, fget can acquire the $MFT itself, offering the lowest-level and most complete picture of the filesystem for forensic analysis. Fget can also extract any file of the user’s choosing, including deleted files ("deleted" files may contain sectors that have been re-used or overwritten depending on system state).
Detailed Information: FastDump Community Edition

The community edition of Fastdump supports 32-bit acquisition of up to 4 gigs of RAM, but does not support Vista, Windows 2003, Windows 2008, or 64-bit platforms. Note: FDPro (the commercial version) does not have these limitations. The community edition can be downloaded free of charge.
Click here to learn more about FastDump PRO which can image all Windows platforms (win2k and above, all SP's), 32 and 64 bit, and greater than 64 GB of RAM.
Detailed Information: Flypaper

HBGary Flypaper is an invaluable tool in your fight against malware. Most malware is designed as a two- or three-stage deployment. First, a dropper program will launch a second program, and then delete itself. The second program may take additional steps, such as injecting DLLs into other processes, loading a rootkit, etc. These steps are taken quickly, and it can be difficult for an analyst to capture all of the binaries used in the deployment. HBGary Flypaper solves this problem for the analyst.
HBGary Flypaper loads as a device driver and blocks all attempts to exit a process, end a thread, or delete memory. All components used by the malware will remain resident in the process list, and will remain present in physical memory. The entire execution chain is reported so you can follow each step. Then, once you dump physical memory for analysis, you have all the components 'frozen' in memory - nothing gets unloaded. All of the evidence is there for you.
HBGary's Flypaper is designed to be used with HBGary's Responder Product or OllyDbg and to be launched in a virtual machine. Once activated, Flypaper will also block network traffic to and from the machine. If you are using HBGary Responder with the virtual machine, only the traffic to and from Responder is allowed, effectively quarantining the malware for analysis. (Note, this blocking operation would not block NDIS level rootkit material, only malware that uses the existing TCP/IP stack.)
HBGary Flypaper is an incredible timesaver and a "must have" tool in your arsenal. HBGary Flypaper is released free for non-commercial use. Commercial use requires a license from HBGary, Inc.