Incident Response U3 Switchblade From TCSTool (Hacking Illustrated Series InfoSec Tutorial Videos)



        I met Russell Butturini (TCSTool) at Phreaknic 2008, where I was introduced to his Incident Response U3 Switchblade. In Russell's own words:

        "The U3 incident response switchblade is a tool designed to gather forensic data from a machine in an automated, self-contained fashion without user intervention for use in an investigation. The switchblade is designed to be very modular, allowing the investigator/IR team to add their own tools and modify the evidence collection process quickly."

        The thing I really like this tool for is those times when you want to know what happened to a compromised Windows box, but can't leave it on the network long term because it may be attacking others. Also, many of the tools I use for security/forensics are seen as "hack tools" by anti-virus, but by having them on the read-only CD side of a U3 thumbdrive, AV can't automatically delete them. I have a mirror of U3IR here:

                    http://www.irongeek.com/host/u3ir.zip

        which I plan to update as Russ tells me to. This video will cover modifying and creating your own U3 Incident Response Switchblade.

     

Copyright 2010, IronGeek
Louisville / Kentuckiana Information Security Enthusiast
