Advice Request Farbar (FRST) Question for Incident Response


Sandbox Breaker - DFIR

Jan 6, 2022
Hello all! Currently we use multiple tools for incident response and hunting for APTs. Some are:
- Thor APT Scanner
- Sysinternals Suite
- UnHackMe with VT API key
- Other tools

My question is: how well does Farbar do at uncovering threats? Let's say we have a really good cyber security analyst. Is Farbar good enough alone with a trained eye?

Any thoughts would be good. I see this Farbar tool all over the forum, and it's time for me to see if it fits our IR toolset. Thanks guys!
 
Hello there! Farbar Recovery Scan Tool (FRST) is a great tool for incident response and hunting for APTs. It's a powerful tool that generates logs which can be analyzed to identify and remove malicious software and other security threats.

FRST can scan the registry, the file system, and even the Master Boot Record for any suspicious activity or signs of malware. It also has the ability to retrieve information about running processes and installed software, which can help identify any anomalies that may be related to a security incident.

However, it's important to remember that FRST is just one tool in your IR toolset. It's best used in conjunction with other tools and a trained security analyst's expertise to fully investigate and remediate any security incidents.

In conclusion, with a good security analyst's trained eye and the use of additional tools, Farbar can be a valuable addition to your IR toolset. Hope this helps!
 
I am not in incident response (yet), but I have experience with FRST.
It is a great tool for cleaning systems via forums, but certainly not enough to be used for incident response alone (even when cleaning systems in the forums, it is not the only tool).
In incident response you would want to apply more forensics-centered tools, where you also get other data (event logs, prefetch, MUICache, jump lists, RDP cache, to name a few).
Depending on the case, you will also need very specialized tools at some point.
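As an added example (not code from any poster in this thread), here is a PowerShell triage script that collects the artifacts the reply above names (event logs, Prefetch, MUICache, jump lists, RDP cache) into one folder with a hashed manifest, so the analyst has the data FRST alone would not give them. It assumes default Windows paths, the currently logged-on user's profile, and an elevated session.

```powershell
# Added example: collect the forensic artifacts named above into a timestamped
# triage folder and record SHA-256 hashes of every copied file.
# Assumes default Windows locations and an elevated session (Prefetch and the
# event log channels are not readable otherwise).
param([string]$OutRoot = "$env:SystemDrive\Triage")

$stamp = Get-Date -Format 'yyyyMMdd_HHmmss'
$dest  = Join-Path $OutRoot "$env:COMPUTERNAME`_$stamp"
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# File-based artifacts: name -> source glob. Event logs and MUICache are handled
# separately because one is exported via wevtutil and the other is a registry key.
$fileSources = @{
    'Prefetch'            = "$env:SystemRoot\Prefetch\*.pf"
    'JumpLists_Automatic' = "$env:APPDATA\Microsoft\Windows\Recent\AutomaticDestinations\*"
    'JumpLists_Custom'    = "$env:APPDATA\Microsoft\Windows\Recent\CustomDestinations\*"
    'RDPCache'            = "$env:LOCALAPPDATA\Microsoft\Terminal Server Client\Cache\*"
}

$manifest = foreach ($name in $fileSources.Keys) {
    $target = Join-Path $dest $name
    New-Item -ItemType Directory -Path $target -Force | Out-Null
    Get-ChildItem -Path $fileSources[$name] -File -ErrorAction SilentlyContinue | ForEach-Object {
        Copy-Item -Path $_.FullName -Destination $target -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Artifact = $name
            Source   = $_.FullName
            Modified = $_.LastWriteTimeUtc
            SHA256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
}

# Event logs: export the live channels rather than copying locked .evtx files.
$evtDir = Join-Path $dest 'EventLogs'
New-Item -ItemType Directory -Path $evtDir -Force | Out-Null
foreach ($log in 'Security', 'System', 'Application') {
    wevtutil epl $log (Join-Path $evtDir "$log.evtx")
}

# MUICache lives in the user's UsrClass.dat hive; dump the key as text so the
# program names it records can be compared against the Prefetch entries.
$muiKey = 'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache'
if (Test-Path $muiKey) {
    Get-ItemProperty -Path $muiKey | Select-Object -Property * -ExcludeProperty PS* |
        Format-List | Out-File -FilePath (Join-Path $dest 'MUICache.txt')
}

$manifest | Export-Csv -Path (Join-Path $dest 'manifest.csv') -NoTypeInformation
Write-Output "Collected $($manifest.Count) files to $dest"
```

The manifest hashes let you later prove which files were collected and compare Prefetch and MUICache program names against what FRST reported as running or installed.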