Friday, July 06, 2007

HeX liveCD: The Analogy

Most people have the same problem with a liveCD: after booting it up, they play around for a while and then forget about it.

I think the problem with a liveCD is its customized environment. For example, if I'm familiar with Linux but not BSD, I have to dig through Google to get some setup done because of the different approaches to setting things up (SysV versus BSD-style init, for example). Only the people who develop the liveCD can make use of it efficiently, because they know the environment entirely and are familiar with the operating system.

Different liveCDs are developed for different purposes: many prefer end-user liveCDs, others security liveCDs (penetration testing and hacking) or forensic liveCDs. Thus far, I have never seen a liveCD developed mainly to perform Network Security Monitoring operations. I do know Knoppix-NSM and NST, but their design is more for real-time monitoring with NSM-based tools, whereas HeX puts more emphasis on reactive NSM operation and network-based forensics. I prefer to call this a network data analysis centric liveCD, and it can serve as a learning tool as well if you are interested in NSM.

First of all, I must admit I love two specific liveCDs - BackTrack and Helix. Both present really good ideas that serve their purposes. I guess I don't have to say anything more about BackTrack, as most people in the security industry already find it useful. Helix, on the other hand, is a liveCD developed mainly to perform computer forensics in incident response operations: you can easily create a case and duplicate the data with Helix, and it offers a wide range of forensic tools to do the job as well. Neither of them is one of those "throw in a new logo and install all the tools without customization" liveCDs, which I hate the most.

Yes, our liveCD development team never aimed at a wide audience when creating this liveCD. As stated officially, this liveCD is designed for network security analysts, and not only do we offer a wide range of NSM-based tools, we also concentrate on the workflow. We believe tools are only as good as the network security analyst who utilizes them. You may have already read this before using this liveCD. We follow this logic -

Obtain Network Based Data -> Utilizing NSM Based Tools -> Generate Output -> Output Interpretation -> Output Analysis -> Output Summarization -> Report

I would like to draw a beautiful diagram for this, but I just want to show the simple quickies. As an analyst (especially in reactive NSM operation), we need to obtain network-based data first, then use all the necessary tools to generate the output (I prefer to call it output because it means nothing if you don't understand it), then interpret the output (this part is pretty dynamic and depends on your skill level; the more you understand each field presented in the output and the more you practice, the better and more efficient you get). Analyzing the output depends heavily on your experience, your knowledge (TCP/IP, programming) and how efficiently you can make use of internet resources. Once the analysis part is finished, you will have to conclude everything you have studied and summarize the output. At the end, write the report with hostility, but keep in mind that the report shows how well you understand the output and can translate it into concrete form.

The liveCD can only make up to this part(see below) -

Obtain Network Based Data -> Utilizing NSM Based Tools -> Generate Output

The rest depends on how well the analyst is able to perform it -

Output Interpretation -> Output Analysis -> Output Summarization -> Report
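To make the pipeline above concrete, here is an added example (not HeX code, and not any specific NSM tool's output format) that walks constructed session records through the stages the liveCD covers (obtain data, run a tool, generate output) and the stages left to the analyst (interpretation, summarization). The record format, the addresses (documentation ranges) and the port-count threshold are all assumptions made for the example.

```python
# Added example, not part of HeX: a minimal reactive-NSM pipeline over
# constructed session records, following
# Obtain Data -> Tool -> Output -> Interpretation -> Summarization.
from collections import defaultdict
from dataclasses import dataclass

# "Network based data": constructed session records in an assumed text
# format (date, time, src_ip, src_port, dst_ip, dst_port, proto, bytes).
# All values are made up; addresses come from documentation ranges.
SESSION_DATA = """\
2007-07-06 10:00:01 192.0.2.10 51234 198.51.100.5 80 tcp 1200
2007-07-06 10:00:02 192.0.2.10 51235 198.51.100.5 443 tcp 5400
2007-07-06 10:00:05 192.0.2.77 40001 198.51.100.9 22 tcp 64
2007-07-06 10:00:05 192.0.2.77 40002 198.51.100.9 23 tcp 64
2007-07-06 10:00:05 192.0.2.77 40003 198.51.100.9 25 tcp 64
2007-07-06 10:00:06 192.0.2.77 40004 198.51.100.9 80 tcp 64
2007-07-06 10:00:06 192.0.2.77 40005 198.51.100.9 110 tcp 64
2007-07-06 10:00:06 192.0.2.77 40006 198.51.100.9 135 tcp 64
2007-07-06 10:00:07 192.0.2.77 40007 198.51.100.9 139 tcp 64
2007-07-06 10:00:07 192.0.2.77 40008 198.51.100.9 445 tcp 64
2007-07-06 10:00:07 192.0.2.77 40009 198.51.100.9 3389 tcp 64
2007-07-06 10:00:09 192.0.2.10 51236 198.51.100.5 80 tcp 900
this line is deliberately malformed and must be skipped
"""


@dataclass
class Session:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int


def parse_sessions(text):
    """'Utilizing the tool': turn raw records into structured output.
    Malformed lines are skipped instead of aborting the whole run."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8:
            continue
        d, t, src, sport, dst, dport, proto, nbytes = parts
        try:
            out.append(Session(f"{d} {t}", src, int(sport), dst,
                               int(dport), proto, int(nbytes)))
        except ValueError:
            continue
    return out


def interpret(sessions):
    """'Output interpretation': per-source view of what the records mean
    (how much traffic, how many distinct destination host/port pairs)."""
    by_src = defaultdict(lambda: {"bytes": 0, "dst_ports": set(), "sessions": 0})
    for s in sessions:
        entry = by_src[s.src]
        entry["bytes"] += s.nbytes
        entry["dst_ports"].add((s.dst, s.dport))
        entry["sessions"] += 1
    return by_src


def summarize(by_src, port_threshold=5):
    """'Output summarization': condense the interpretation into findings an
    analyst can carry into the report. port_threshold is an assumed tuning
    knob for this example, not a HeX or tool setting."""
    findings = []
    for src, entry in sorted(by_src.items()):
        hosts = {dst for dst, _ in entry["dst_ports"]}
        ports = {port for _, port in entry["dst_ports"]}
        avg_bytes = entry["bytes"] / entry["sessions"]
        if len(ports) >= port_threshold and avg_bytes < 100:
            findings.append(f"{src}: {len(ports)} distinct ports on {len(hosts)} host(s), "
                            f"tiny sessions -> likely port sweep, review further")
        else:
            findings.append(f"{src}: {entry['sessions']} session(s), {entry['bytes']} bytes "
                            f"to {len(hosts)} host(s) -> ordinary")
    return findings


if __name__ == "__main__":
    for finding in summarize(interpret(parse_sessions(SESSION_DATA))):
        print(finding)
```

The point of the split into three functions is the one the post makes: the tool stage (`parse_sessions`) is mechanical and the liveCD can ship it, but the thresholds and the judgement in `interpret` and `summarize` are where the analyst's knowledge of each field decides whether nine short sessions to nine ports are a sweep worth reporting or just noise.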

To further improve the usage of the liveCD and share it with the community, great documentation is a must. Therefore I will start writing a series of how-to guides so that people who are interested can make full use of this liveCD and learn tips and tricks on using NSM-based tools. Hopefully it can fill the gaps and you will all love it.

Have I mentioned my Network Security Analyst Handbook? It's in progress now, and hopefully you can use it in line with this liveCD soon.

Enjoy (;])
