Agave – A complete suite of tools for Incident Response

January 25, 2019 | Views: 3804

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATIONAlready a Member Login Here

Hello, Cybrary community!

It has been a lot of time after my latest article about Tequila, a forensic distribution whose profile is presented as the first OS distribution focused on forensics in the Latam territory.

Part of the project is also an additional suite of tools targeted to perform Incident Response over Windows environments called Agave. I promised in my previous article that I was going to write about it. Finally, I´m here accomplishing this promise to the community.

Agave: The plant used to make Tequila.

Agave is part of Tequila acting as an useful suite to perform incident response processes on suspected or confirmed compromised Windows systems. There are versions for 32 and 64 bits available to download in There you would find the repository for Tequila and Agave versions, detailed in the red squares.

Image 1. Agave: 32 / 64 bits repositories

You could use the tool copied on a USB or CD-ROM, almost all the tools do not require an installation over the system to be analyzed due they run as a self-executables. Anyway, please remember that ALWAYS you must document the actions performed to the system in the chain of custody formats and other reports in order to conduct a formal process and have a track of the activities and actions executed over the system during the incident response, triage or investigation processes. And a general level, please FIRST get a memory dump (This would be discussed later in this article) and then perform other actions. It may be possible the system would become as part of a legal or administrative process that trigger legal actions and others.

The purpose of this article is providing an overview of this suite of tools, I let you Cybrarians the option to explore further details about them.

Now, let´s navigate for some of the options and tools presented in Agave. You can run the tool from the exe file to display the tools and options available in a graphic interface.

Image 2. Agave files and Agave.exe launching

Note: Optionally, you can use directly the different tools which are stored in the source folder (src) of Agave instead the GUI exe deployed of Agave.exe.

Once you run the tool you would see the following screen, there are tools to acquire evidences such as FTK Imager Lite and RamCapturer. I highly recommend you get done FIRST the memory dump acquisition at time of using perform incident response activities on a system by using this suite or any other tool. This should be part of the first steps to accomplish when you perform this kind of activities at time of investigation. I also recommend you have a reading around the RFC 3227 in order to get some theory about volatility of data and get some additional knowledge about what to gather at first because the risk of modification or loss of data.

Image 3. Acquisition and preservation tools

The tool available to get the information about memory for further analysis is RamCapturer

Image 4. RAM Capture interface

The second panel of options are related to navigation history, you could launch some of the tools from NirSoft to inspect and look over sites the user navigated if there is suspect about a threat coming from Internet and the use of common web browsers.

Image 5. Web browser analysis tools

The next options come with tools to inspect over processes.

Image 6. Processes and system information gathering tools

For example, MyEventViewer tool is very useful because it takes automatically the full files of events available in the system grouped by the date and hour, helping you to see the events like a timeline and help your investigation about a malicious threat.

Image 7. NirSoft MyEventViewer interface

In the following pictures, I´m going just to show you the tools available, I encourage you to explore deeper them according to your needs.

Image 8. Recovery tools

Image 9. Network tools

Image 10. Autopsy and OSForensics launchers

The last menu of options is simply a collection of additional tools to help you. One important tool here is the Command Prompt utility. At the time of perform an investigation over a system possibly violated by a malicious software agent or any other threat, is important to avoid the use of programs hosted in the system because their risk or be contaminated (Like the local CMD). The recommendation is using this command line utility if you may want to run any additional tool as part of your IR arsenal.

Image 11. Utilities

Thanks a lot for reading this article, more than let it as an additional source for reading, try them, I´m completely sure it will be useful for you if you are in an incident handler role, first responder, security or digital forensics professional, or Windows administrator.


Share with Friends
Use Cybytes and
Tip the Author!
Share with Friends
Ready to share your knowledge and expertise?
1 Comment
Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge


We recommend always using caution when following any link

Are you sure you want to continue?