Forensics Tools – strap on your util belt

    • #3458
      Jhaddix
      Participant

      Matt Churchill over at Binary Intelligence has put together a listing of tools for forensics. It's a really good building block; when I find more resources I'll add them =) If you have one you would like to list, just post!

      Free Forensic Tools

      In November I did a presentation at the monthly NebraskaCert Cyber Security Forum. Someone had suggested an overview of forensic tools. I put together a list of free tools in a couple different categories. Here is the list:

      Imaging

      FTK Imager
      http://www.accessdata.com/downloads.html

      Forensic Acquisition Utilities (FAU)
      http://gmgsystemsinc.com/fau/

      Carving

      Winhex
      http://www.x-ways.net/winhex/

      PhotoRec
      http://www.cgsecurity.org/wiki/PhotoRec

      Scalpel
      http://www.digitalforensicssolutions.com/Scalpel/

      Analyze

      ProDiscover Basic
      http://www.techpathways.com/DesktopDefault.aspx?tabindex=9&tabid=14

      The Sleuthkit and Autopsy
      http://www.sleuthkit.org/

      PTK
      http://ptk.dflabs.com/

      WinHex
      http://www.x-ways.net/winhex/

      PyFlag
      http://www.pyflag.net/cgi-bin/moin.cgi

      FTK Demo (up to 5000 items)
      http://www.accessdata.com/downloads.html

      SANS SIFT Workstation (only available to portal members)
      http://forensics.sans.org/community/downloads/

      Memory Analysis

      mdd
      http://sourceforge.net/project/showfiles.php?group_id=228865

      win32dd
      http://win32dd.msuiche.net/

      Volatility
      https://www.volatilesystems.com/default/volatility

      Memoryze
      http://www.mandiant.com/software/memoryze.htm

      Virtualization

      LiveView (launch image in VMWare)
      http://liveview.sourceforge.net/

      ProDiscover Basic (creates config files)
      http://www.techpathways.com/DesktopDefault.aspx?tabindex=9&tabid=14

      VDKWin (edit config files)
      http://petruska.stardock.net/Software/VMware.html

      Live CDs

      Helix
      http://www.e-fense.com/helix/

      Caine
      http://www.caine-live.net/en/index.html

      PlainSight
      http://www.plainsight.info/download.html

      BackTrack (**will mount drives, but has forensic tools)
      http://www.remote-exploit.org/backtrack.html

      Misc.

      RegRipper (excellent Registry parser)
      http://regripper.net/

      Forensic CaseNotes
      http://www.qccis.com/?section=casenotes

      NirSoft Tools
      http://www.nirsoft.net/

      Historian
      http://www.mandiant.com/software/webhistorian.htm

      Windows File Analyzer
      http://www.mitec.cz/wfa.html

      Websites

      http://windowsir.blogspot.com

      http://forensicir.blogspot.com

      http://sansforensics.wordpress.com

      http://www.ForensicFocus.com

      http://www.E-Evidence.info

    • #22622
      Ketchup
      Participant

      That’s a great list. 

      I also use foremost for data carving, but I do believe it is included on the Helix CD. 

      forensicswiki.org has great information. 

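      The carving that foremost, Scalpel and PhotoRec do is header/footer signature matching over raw bytes, with no dependence on filesystem metadata. The block below is an added example written for this thread, not code from any of those tools or from the posters above. Its signature table and the disk image it carves (a JPEG-like object, a PNG-like object and one truncated JPEG with no end-of-image marker, padded with filler) are constructed inline so it runs offline; the output file naming mirrors the offset-based scheme foremost and Scalpel use.

```python
"""Header/footer file carving of the kind foremost, Scalpel and PhotoRec do.

Added example for this thread, not code from any of those tools or from the
original poster.  The disk image is constructed inline (a JPEG-like and a
PNG-like object embedded in filler, plus one truncated JPEG with no
end-of-image marker), so it runs offline.
"""
import hashlib
import os

# Constructed signature table: type -> (header, footer, max carve size).
# Real carvers ship a much longer list; these are the well-known magic
# bytes for JPEG (FFD8FF ... FFD9) and PNG (\x89PNG ... IEND + CRC).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 20 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 20 * 1024 * 1024),
}


def carve(image, signatures=SIGNATURES):
    """Scan raw bytes for header/footer pairs, ignoring any filesystem.

    Returns a list of (type, offset, length, sha256) sorted by offset.  A
    header with no footer inside its max-size window is skipped rather than
    emitted; that truncated-object case is what makes naive carvers spew junk.
    """
    found = []
    for name, (header, footer, max_size) in signatures.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start == -1:
                break
            window_end = min(len(image), start + max_size)
            end = image.find(footer, start + len(header), window_end)
            if end == -1:
                pos = start + 1          # truncated object: no footer in range
                continue
            end += len(footer)
            blob = image[start:end]
            found.append((name, start, len(blob), hashlib.sha256(blob).hexdigest()))
            pos = end                    # resume after the carved object
    return sorted(found, key=lambda hit: hit[1])


def write_carved(image, hits, outdir):
    """Write each hit as <offset>.<type> (the naming foremost/Scalpel use)
    and return the paths so a report can list offset, size and hash."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for name, offset, length, _digest in hits:
        path = os.path.join(outdir, f"{offset:08d}.{name}")
        with open(path, "wb") as fh:
            fh.write(image[offset:offset + length])
        paths.append(path)
    return paths


def build_sample_image():
    """Constructed image: filler (a byte ramp that contains none of the
    signatures) around one JPEG-like, one PNG-like and one truncated JPEG."""
    def filler(n):
        return (bytes(range(256)) * (n // 256 + 1))[:n]
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF payload " * 100 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR chunk data " * 50 + b"IEND\xaeB`\x82"
    truncated = b"\xff\xd8\xff\xe1" + b"cut off " * 20        # no FFD9 follows
    return filler(1024) + jpg + filler(512) + png + filler(300) + truncated + filler(4096)


if __name__ == "__main__":
    img = build_sample_image()
    print("image sha256:", hashlib.sha256(img).hexdigest())   # record before carving
    for hit in carve(img):
        print("%-4s offset=%d length=%d sha256=%s" % hit)
```

      Hash the image before you carve and hash every carved object as you write it; that pair of digests is what lets someone else rerun the carve with a different tool and show the same bytes came out, which is the repeatability question that comes up later in this thread.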
    • #22623
      Spikyles
      Participant

      I just wanted to say thanks for this list.  8)

    • #22624
      UNIX
      Participant

      Thanks for sharing, good list indeed. Haven’t done much in the forensics area yet, this should help though.

      Any other tools worth checking which are not on the list?

    • #22625
      Ketchup
      Participant

      Unfortunately, the best forensics tools out there are not open-source.  I don’t know any investigators who aren’t using EnCase for most of their work.  It’s not cheap.

    • #22626
      vijay2
      Participant

      Unfortunately,

      I have to disagree with the last post. I think Forensics is an Art and requires some level of skills and lots of dirty work to get it right. And, if any of the expensive tools could do that the Forensics investigators wouldn’t be paid so much.

      And every person would be a Forensic Expert.

      I know the best in the business use the combination of Commercial and open source tools for their work, often writing new ones to suit the case they are working on.

      Just my 0.00002 cents

      VJ

    • #22627
      Jhaddix
      Participant

      Encase is awesome, no argument there. You can, with some determination, get all the functionality of it through open source tools. That'd be a good article for someone to write *wink*

    • #22628
      Ketchup
      Participant

      Vijay, there are definitely open source tools that we use on a day to day basis, as well as write our own, but EnCase rules as far as most actual analysis work is concerned, with an occasional mix of FTK.  You still need a great deal of knowledge and experience.  It doesn’t have the “Press This To Solve Case” button just yet.  You have to know where all the artifacts are and what they mean, etc.

      Today, I don’t know how feasible it is to rely on open source tools for more than one off tasks, like data carving, acquisition, and index.dat analysis as an example.  EnCase has been accepted as the industry standard, and is used by the Secret Service, FBI, Customs, etc.  It’s hard to compete with that.  This doesn’t happen as much any more, but in litigation, tools used to always get questioned in terms of repeatability and procedure.  Guidance has a team of attorneys that are ready to hop on a plane and testify in court on the solidity of EnCase. 

      I haven’t seen any open source tools that rival EnCase and FTK for managing a case and doing actual analysis work.  I hope that I am wrong because I would love to save money and go open-source.

    • #22629
      vijay2
      Participant

      I think being the most expensive and having a team of lawyers to defend it does not make it the best. Yes, agreed it is one of the better commercial collections of tools which can do some reliable point and click stuff.

      Also, as you said, "but in litigation, tools used to always get questioned in terms of repeatability and procedure." So if you can demonstrate repeatability and procedure with a tool in courts you don't need a team of expensive lawyers to defend it.

      The final point being it is very easy to use a hex editor and modify the partition table just enough to make that expensive tool not be able to see or read any data on the image or hard drive.

      VJ

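      The partition-table edit VJ describes is a real anti-forensic trick, and the defence against it is not to trust the table: scan sector by sector for filesystem boot-sector signatures and compare what you find with what the MBR claims. The block below is an added example for this thread, not code from EnCase, The Sleuth Kit or any of the posters. It builds a small constructed MBR image with an NTFS and a FAT32 volume, zeroes the four partition entries the way a hex edit would, and shows that the scan still locates both volumes. The field offsets are the documented MBR, NTFS and FAT32 boot-sector layouts; CHS fields, extended partitions and GPT are out of scope.

```python
"""Partition-table tampering vs. boot-sector scanning.

Added example for this thread, not code from EnCase, The Sleuth Kit or the
original posters.  Builds a constructed MBR disk image with an NTFS and a
FAT32 volume, zeroes the partition table the way an anti-forensic hex edit
would, and shows that a sector scan for boot-sector signatures still finds
both volumes.  Offsets follow the documented MBR / NTFS / FAT32 layouts;
CHS fields and extended partitions are ignored.
"""
import struct

SECTOR = 512


def parse_mbr(image):
    """Return the non-empty primary entries of a classic MBR."""
    if image[510:512] != b"\x55\xaa":
        raise ValueError("sector 0 lacks the 0x55AA boot signature")
    entries = []
    for i in range(4):
        e = 446 + 16 * i
        ptype = image[e + 4]
        start, count = struct.unpack_from("<II", image, e + 8)
        if ptype == 0 and count == 0:
            continue                     # unused slot
        entries.append({"slot": i, "bootable": image[e] == 0x80,
                        "type": ptype, "start": start, "sectors": count})
    return entries


def scan_boot_sectors(image):
    """Walk every sector after the MBR and report NTFS/FAT32 boot sectors
    by their OEM / filesystem-type strings.  This never consults the
    partition table, which is the point."""
    hits = []
    for lba in range(1, len(image) // SECTOR):
        s = image[lba * SECTOR:(lba + 1) * SECTOR]
        if s[510:512] != b"\x55\xaa":
            continue
        if s[3:11] == b"NTFS    ":
            hits.append(("NTFS", lba, struct.unpack_from("<Q", s, 40)[0]))
        elif s[82:90] == b"FAT32   ":
            hits.append(("FAT32", lba, struct.unpack_from("<I", s, 32)[0]))
    return hits


def reconcile(image):
    """Compare what the table claims with what is actually on disk.
    Returns (table_entries, volumes_found, volumes_not_in_table)."""
    table = parse_mbr(image)
    starts = {p["start"] for p in table}
    volumes = scan_boot_sectors(image)
    orphans = [v for v in volumes if v[1] not in starts]
    return table, volumes, orphans


def make_boot_sector(kind, total_sectors):
    """Constructed minimal boot sector carrying only the fields we inspect."""
    s = bytearray(SECTOR)
    s[0:3] = b"\xeb\x52\x90"                       # jump + nop
    struct.pack_into("<H", s, 11, SECTOR)          # bytes per sector
    if kind == "NTFS":
        s[3:11] = b"NTFS    "
        struct.pack_into("<Q", s, 40, total_sectors)
    else:
        s[3:11] = b"MSWIN4.1"
        struct.pack_into("<I", s, 32, total_sectors)
        s[82:90] = b"FAT32   "
    s[510:512] = b"\x55\xaa"
    return bytes(s)


def build_sample_disk():
    """Constructed 512 KiB image: NTFS at LBA 64 (512 sectors) and FAT32 at
    LBA 640 (256 sectors), both listed in the MBR table."""
    layout = [("NTFS", 0x07, 64, 512), ("FAT32", 0x0C, 640, 256)]
    img = bytearray(1024 * SECTOR)
    for i, (kind, ptype, start, count) in enumerate(layout):
        e = 446 + 16 * i
        img[e] = 0x80 if i == 0 else 0x00
        img[e + 4] = ptype
        struct.pack_into("<II", img, e + 8, start, count)
        img[start * SECTOR:(start + 1) * SECTOR] = make_boot_sector(kind, count)
    img[510:512] = b"\x55\xaa"
    return bytes(img)


def zero_partition_table(image):
    """The anti-forensic edit: wipe the four 16-byte entries but keep 0x55AA,
    so the disk still looks like a valid MBR disk to a tool that trusts it."""
    img = bytearray(image)
    img[446:510] = bytes(64)
    return bytes(img)


if __name__ == "__main__":
    disk = build_sample_disk()
    for label, image in (("intact", disk), ("table zeroed", zero_partition_table(disk))):
        table, volumes, orphans = reconcile(image)
        print(f"{label}: table={[(p['type'], p['start']) for p in table]} "
              f"found={volumes} not_in_table={orphans}")
```

      Reconciling on start LBA alone is deliberate: the sector count in a boot sector and the one in the partition entry legitimately differ on real volumes (NTFS keeps a backup boot sector outside the count it records), so matching on size would produce false "hidden volume" alarms. A volume whose boot sector the scan finds but whose start is absent from the table is the artifact to put in the report, whichever tool you used to find it.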
    • #22630
      Anonymous
      Participant

      Another Forensics distro to try…. http://www.deftlinux.net/
      It has some nice tools for forensics on mobile devices.

      Xbox Forensics tool kit (primarily used by law enforcement, but others may find it useful too)

      http://www.mysecured.com/?p=301

    • #22631
      Ketchup
      Participant

      Vijay, most expensive definitely doesn’t make it the best. 😀   Agreed there.  

      You can modify anything in a hex editor, including wiping out the MBR, creating encrypted partitions within encrypted partitions, shredding files, etc.  This is where EnCase makes it much easier to put together the correct story.  We used to use Norton’s Disk Editor for forensic investigations.  With today’s volumes of data and deadlines, that’s no longer practical, but is still possible.  It is my opinion that the same logic extends to the open source tools out there.

      The amount of data types supported alone make EnCase and FTK tools much more robust than anything else out there.  For example, what other forensics tools can handle PST files, NSF files, Exchange EDB (granted not so well on the latter :)) files, Registry files, etc., all natively within the same application.  I understand that you can export an NSF file and open it in Lotus Notes, or export the registry file and open it in a Registry viewer.   The problem is that you are involving yet another piece of software.  In the case of Lotus Notes or Outlook, it likes to modify the file immediately.   Outlook won't even open a write-protected PST file.   The list just goes on.   Guidance has spent years reversing various file formats and incorporating them into EnCase.  I am much more comfortable saying that I am reasonably certain EnCase didn't modify the structure of my PST file than I am even mentioning that I analyzed a PST file in Microsoft Outlook.

      In the open-source world, you have Autopsy/PTK/Sleuthkit, and a set of tools like Scalpel, dcfldd, regviewer, etc.   What you have is a combination of tools that do about 70% of what EnCase does in a single tool.  Every time you export a file from your safe and verified image, you are introducing another element to your report.  When you have to deal with the native software application because you couldn't find a forensics tool that supports the format, that's another nightmare.

      Like I said, I would love to be proven wrong here and come away with a good set of tools that do everything EnCase and FTK do.  I am a big supporter of open-source tools.  I would love to be able to go open-source.   Every time we have researched this the conclusion is always the same, open source tools will do about 70% of what we need.   That’s just not enough.  

      I guess my point is that the open-source community is lacking in the forensics industry when compared to others, especially pen testing.  One of the problems is that software vendors like Microsoft will actually release some of their source code to companies like Guidance.  They will never release anything to an open source project.  It's quite frustrating actually.

    • #22632
      rattis
      Participant

      We've used Helix 3 for a couple of issues at work. They were internal issues that did go to legal. (It's also what started me down the path that has led me here).

      I’d love to get my hands on EnCase, and learn more, but I’d probably have to buy it myself. I don’t know how well Helix works compared to EnCase, but it’s worked for what we’ve needed so far.

    • #22633
      UNIX
      Participant

      As I have recently read some books on forensics, some more tools and toolkits which were mentioned (though most of them were already mentioned in this thread):

      Autopsy Forensic Browser
      F.I.R.E.
      F.R.E.D.
      ForensiX-CD
      EnCase
      dd, sdd, dcfldd
      IRCR (Incident Response Collection Report)
      Forensic Acquisition Utilities
      WFT (Windows Forensic Toolchest)
      STD (Security Tools Distribution, based on Knoppix)
      Helix
      FTK (AccessData Forensic Toolkit)
      Live View
      TCTUtils, TCT (The Coroner’s Toolkit)
      The Sleuth Kit

    • #22634
      3PIL0GU3
      Participant

      Is there any version of Helix still free? It started out good as free open source software, don't know any more.

    • #22635
      hiddenillusion
      Participant

      You can still find copies of Helix2008R1.iso floating around on the internet that are free.

    • #22636
      morpheus063
      Participant

      3PIL0GU3: I think this is what you are looking for:

      http://helix.onofri.org/

    • #22637
      UNIX
      Participant

      In terms of commercial tools or open-source ones, I think Ketchup’s statement

      This doesn’t happen as much any more, but in litigation, tools used to always get questioned in terms of repeatability and procedure.  Guidance has a team of attorneys that are ready to hop on a plane and testify in court on the solidity of EnCase. 

      is quite true. Open-source tools offer traceability and transparency, though the source code must be read by someone, otherwise it doesn't matter if they are OS or not. In court, offensive questions are often asked and reliability must be proven. Additionally, the investigator should be able to reproduce the results with different tools.

      Whichever tools the investigator is going to use, several questions should be answered (limitations, function volume, automation, approved by other experts, etc.) before going on. Also, it might be better to use tools from the same architecture as the target system.

    • #22638
      3PIL0GU3
      Participant

      Thanks will give it a go 😀

Copyright ©2021 Caendra, Inc.