
Forensics Tools - strap on your util belt


Jhaddix

Sr. Member

Posts: 317

Joined: Wed Oct 29, 2008 10:25 pm

Post Tue Feb 24, 2009 8:13 am

Forensics Tools - strap on your util belt

Matt Churchill over at Binary Intelligence has put together a listing of tools for forensics. It's a really good building block; when I find more resources I'll add them =) If you have one you would like to list, just post!

Free Forensic Tools

In November I did a presentation at the monthly NebraskaCert Cyber Security Forum. Someone had suggested an overview of forensic tools. I put together a list of free tools in a couple different categories. Here is the list:


Imaging

FTK Imager
http://www.accessdata.com/downloads.html

Forensic Acquisition Utilities (FAU)
http://gmgsystemsinc.com/fau/


Carving

Winhex
http://www.x-ways.net/winhex/

PhotoRec
http://www.cgsecurity.org/wiki/PhotoRec

Scalpel
http://www.digitalforensicssolutions.com/Scalpel/


Analyze

ProDiscover Basic
http://www.techpathways.com/DesktopDefa ... 9&tabid=14

The Sleuthkit and Autopsy
http://www.sleuthkit.org/

PTK
http://ptk.dflabs.com/

WinHex
http://www.x-ways.net/winhex/

PyFlag
http://www.pyflag.net/cgi-bin/moin.cgi

FTK Demo (up to 5000 items)
http://www.accessdata.com/downloads.html

SANS SIFT Workstation (only available to portal members)
http://forensics.sans.org/community/downloads/


Memory Analysis

mdd
http://sourceforge.net/project/showfile ... _id=228865

win32dd
http://win32dd.msuiche.net/

Volatility
https://www.volatilesystems.com/default/volatility

Memoryze
http://www.mandiant.com/software/memoryze.htm


Virtualization

LiveView (launch image in VMWare)
http://liveview.sourceforge.net/

ProDiscover Basic (creates config files)
http://www.techpathways.com/DesktopDefa ... 9&tabid=14

VDKWin (edit config files)
http://petruska.stardock.net/Software/VMware.html


Live CDs

Helix
http://www.e-fense.com/helix/

Caine
http://www.caine-live.net/en/index.html

PlainSight
http://www.plainsight.info/download.html

BackTrack (**will mount drives, but has forensic tools)
http://www.remote-exploit.org/backtrack.html


Misc.

RegRipper (excellent Registry parser)
http://regripper.net/

Forensic CaseNotes
http://www.qccis.com/?section=casenotes

NirSoft Tools
http://www.nirsoft.net/

Historian
http://www.mandiant.com/software/webhistorian.htm

Windows File Analyzer
http://www.mitec.cz/wfa.html


Websites

http://windowsir.blogspot.com

http://forensicir.blogspot.com

http://sansforensics.wordpress.com

www.ForensicFocus.com

www.E-Evidence.info
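The Carving entries above (Scalpel, PhotoRec, and WinHex's carving mode) all work the same way at the core: sweep the image for known file headers and cut out everything up to the matching footer, or up to a size cap when no footer turns up. The script below is an added example written for this thread, not code from the original post or from any of those projects; the signature table, the carve() record format, the write_carved() naming, and the constructed SAMPLE_IMAGE are assumptions made for the illustration.

```python
"""Header/footer file carving of the kind Scalpel, foremost and PhotoRec do.

Added example for this thread; not code from the original post or from any
tool listed above. SIGNATURES, the record format and SAMPLE_IMAGE are
assumptions for the illustration. Real carvers ship far larger signature
tables and validate the carved structure instead of trusting header/footer.
"""
import hashlib
import os

SECTOR = 512

# (header, footer, max_size): a header is carved up to its footer, or up to
# max_size bytes when no footer is found in range (the rule Scalpel and
# foremost apply). Sizes are small because the sample image is small.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 4096),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 4096),
}


def find_all(haystack: bytes, needle: bytes):
    """Yield every offset of needle in haystack, overlapping hits included."""
    i = haystack.find(needle)
    while i != -1:
        yield i
        i = haystack.find(needle, i + 1)


def carve(image: bytes, signatures=SIGNATURES):
    """Return one record per header hit, sorted by offset.

    Each record carries the carved bytes plus a SHA-1 so a carved file can be
    tied back to the image in a report. 'truncated' marks a header whose
    footer was not found within max_size (the window is carved anyway).
    Caveat: an EXIF thumbnail inside a JPEG is a second jpg header and its
    footer can end the outer carve early; only structure validation fixes that.
    """
    records = []
    for ftype, (header, footer, max_size) in signatures.items():
        for off in find_all(image, header):
            window = image[off:off + max_size]
            end = window.find(footer, len(header))
            if end == -1:
                data, truncated = window, True
            else:
                data, truncated = window[:end + len(footer)], False
            records.append({
                "type": ftype,
                "offset": off,
                "size": len(data),
                "truncated": truncated,
                "sha1": hashlib.sha1(data).hexdigest(),
                "data": data,
            })
    records.sort(key=lambda r: r["offset"])
    return records


def write_carved(records, outdir: str):
    """Write each carve as <offset>.<type> (the Scalpel/foremost naming);
    returns the paths written."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for r in records:
        path = os.path.join(outdir, f"{r['offset']:08d}.{r['type']}")
        with open(path, "wb") as fh:
            fh.write(r["data"])
        paths.append(path)
    return paths


# Constructed sample "image": filler that never contains 0xFF (so no false
# JPEG hits), a complete JPEG, a complete PNG, and a JPEG whose footer is
# missing because the file runs off the end of the image.
FILLER = bytes(i % 251 for i in range(SECTOR))
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"A" * 100 + b"\xff\xd9"
FAKE_PNG = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"B" * 60 + b"IEND\xaeB`\x82"
FAKE_TRUNCATED_JPEG = b"\xff\xd8\xff\xe1" + b"C" * 40
SAMPLE_IMAGE = FILLER + FAKE_JPEG + FILLER + FAKE_PNG + FILLER + FAKE_TRUNCATED_JPEG


if __name__ == "__main__":
    for r in carve(SAMPLE_IMAGE):
        flag = " (truncated)" if r["truncated"] else ""
        print(f"{r['type']} @ {r['offset']:>6} size {r['size']:>5} sha1 {r['sha1']}{flag}")
```

The point worth noticing is the truncated record: a carver that silently dropped header-without-footer hits would lose the last file entirely, while one that carves the window gives you something to look at and a flag telling you not to trust its length. Hashing each carve as it is cut is what lets the report say which bytes of the verified image a recovered file came from.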

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Tue Feb 24, 2009 10:46 am

Re: Forensics Tools - strap on your util belt

That's a great list. 

I also use foremost for data carving, but I do believe it is included on the Helix CD. 

forensicswiki.org has great information. 
~~~~~~~~~~~~~~
Ketchup

Spikyles

Newbie

Posts: 2

Joined: Thu Sep 03, 2009 3:42 pm

Post Fri Sep 04, 2009 12:07 am

Re: Forensics Tools - strap on your util belt

I just wanted to say thanks for this list.  8)

UNIX

Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Fri Sep 04, 2009 1:19 am

Re: Forensics Tools - strap on your util belt

Thanks for sharing, good list indeed. Haven't done much in the forensics area yet, this should help though.

Any other tools worth checking which are not on the list?

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Fri Sep 04, 2009 7:27 am

Re: Forensics Tools - strap on your util belt

Unfortunately, the best forensics tools out there are not open-source.  I don't know any investigators who aren't using EnCase for most of their work.  It's not cheap.
~~~~~~~~~~~~~~
Ketchup

vijay2

Full Member

Posts: 220

Joined: Wed Mar 28, 2007 6:22 am

Post Fri Sep 04, 2009 8:59 am

Re: Forensics Tools - strap on your util belt

Unfortunately,

I have to disagree with the last post. I think forensics is an art and requires some level of skill and lots of dirty work to get it right. And if any of the expensive tools could do that, forensics investigators wouldn't be paid so much.

And every person would be a Forensic Expert.

I know the best in the business use the combination of Commercial and open source tools for their work, often writing new ones to suit the case they are working on.

Just my 0.00002 cents

VJ
GPEN GCFA GCIH CISSP CISA GSEC OSCP C|EH Security+

Jhaddix

Sr. Member

Posts: 317

Joined: Wed Oct 29, 2008 10:25 pm

Post Fri Sep 04, 2009 9:09 am

Re: Forensics Tools - strap on your util belt

EnCase is awesome, no argument there. You can, with some determination, get all the functionality of it through open source tools. That'd be a good article for someone to write *wink*

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Fri Sep 04, 2009 9:23 am

Re: Forensics Tools - strap on your util belt

Vijay, there are definitely open source tools that we use on a day to day basis, as well as write our own, but EnCase rules as far as most actual analysis work is concerned, with an occasional mix of FTK.  You still need a great deal of knowledge and experience.  It doesn't have the "Press This To Solve Case" button just yet.  You have to know where all the artifacts are and what they mean, etc.

Today, I don't know how feasible it is to rely on open source tools for more than one-off tasks, like data carving, acquisition, and index.dat analysis as an example.  EnCase has been accepted as the industry standard, and is used by the Secret Service, FBI, Customs, etc.  It's hard to compete with that.  This doesn't happen as much any more, but in litigation, tools used to always get questioned in terms of repeatability and procedure.  Guidance has a team of attorneys that are ready to hop on a plane and testify in court on the solidity of EnCase.

I haven't seen any open source tools that rival EnCase and FTK for managing a case and doing actual analysis work.  I hope that I am wrong because I would love to save money and go open-source.
~~~~~~~~~~~~~~
Ketchup

vijay2

Full Member

Posts: 220

Joined: Wed Mar 28, 2007 6:22 am

Post Fri Sep 04, 2009 9:50 am

Re: Forensics Tools - strap on your util belt

I think being the most expensive and having a team of lawyers to defend it does not make it the best. Yes, agreed, it is one of the better commercial collections of tools which can do some reliable point-and-click stuff.

Also, as you said, "but in litigation, tools used to always get questioned in terms of repeatability and procedure." So if you can demonstrate repeatability and procedure with a tool in court you don't need a team of expensive lawyers to defend it.

The final point being that it is very easy to use a hex editor and modify the partition table just enough to make that expensive tool not be able to see or read any data on the image or hard drive.

VJ
GPEN GCFA GCIH CISSP CISA GSEC OSCP C|EH Security+
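The partition-table point in the post above (a hex editor, 64 bytes zeroed, and a tool that trusts the table sees an empty disk) is easy to reproduce on a constructed image, and so is the countermeasure: ignore the table and sweep the image sector by sector for volume boot records. The script below is an added example for this thread, not code from the post or from EnCase, FTK or any other tool listed; the image layout, the record formats and every function name are assumptions made for the illustration, while the MBR entry layout and the FAT BIOS Parameter Block offsets it reads are the published on-disk formats.

```python
"""Hex-edited partition table vs. a sector sweep for volume boot records.

Added example for this thread; not code from the post or from any listed
tool. Image layout, record formats and function names are assumptions;
the MBR entry layout and FAT BPB offsets are the real on-disk formats.
"""
import struct

SECTOR = 512
MBR_TABLE = 446              # partition table offset inside sector 0
ENTRY = "<B3sB3sII"          # status, CHS start, type, CHS end, LBA start, sectors
BOOT_SIG = b"\x55\xaa"


def make_fat16_vbr(total_sectors: int) -> bytes:
    """Minimal FAT16 volume boot record: jump, OEM name, BPB, FS type, 55AA."""
    vbr = bytearray(SECTOR)
    vbr[0:3] = b"\xeb\x3c\x90"
    vbr[3:11] = b"MSWIN4.1"
    # bytes/sector, sectors/cluster, reserved, FATs, root entries,
    # total sectors (16-bit), media descriptor, sectors per FAT
    struct.pack_into("<HBHBHHBH", vbr, 11, 512, 4, 1, 2, 512, total_sectors, 0xF8, 8)
    vbr[54:62] = b"FAT16   "
    vbr[510:512] = BOOT_SIG
    return bytes(vbr)


def make_mbr(entries) -> bytes:
    """entries: [(type, start_lba, sectors)]; the first entry is marked bootable."""
    mbr = bytearray(SECTOR)
    for i, (ptype, start, count) in enumerate(entries):
        struct.pack_into(ENTRY, mbr, MBR_TABLE + 16 * i, 0x80 if i == 0 else 0,
                         b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", start, count)
    mbr[510:512] = BOOT_SIG
    return bytes(mbr)


def parse_mbr(image: bytes):
    """What a table-trusting tool sees: the four MBR entries, empty ones skipped."""
    if image[510:512] != BOOT_SIG:
        return []
    parts = []
    for i in range(4):
        _, _, ptype, _, start, count = struct.unpack_from(ENTRY, image, MBR_TABLE + 16 * i)
        if ptype and count:
            parts.append({"index": i, "type": ptype, "start_lba": start, "sectors": count})
    return parts


def wipe_partition_table(image: bytes) -> bytes:
    """The hex-editor change: zero the 64-byte table, touch nothing else."""
    img = bytearray(image)
    img[MBR_TABLE:MBR_TABLE + 64] = bytes(64)
    return bytes(img)


def scan_for_volumes(image: bytes):
    """Sector sweep that ignores the table: any sector ending in 55AA with a
    plausible BPB is reported as a volume boot record. Caveat: FAT32 keeps a
    backup VBR at sector 6 of the volume and NTFS at its last sector, so a
    real sweep must de-duplicate hits against the geometry they declare."""
    hits = []
    for lba in range(1, len(image) // SECTOR):        # LBA 0 is the MBR itself
        s = image[lba * SECTOR:(lba + 1) * SECTOR]
        if s[510:512] != BOOT_SIG:
            continue
        bps, spc = struct.unpack_from("<H", s, 11)[0], s[13]
        fs, total = None, 0
        if s[3:11] == b"NTFS    ":
            fs, total = "NTFS", struct.unpack_from("<Q", s, 40)[0]
        elif s[0] in (0xEB, 0xE9) and bps in (512, 1024, 2048, 4096) \
                and spc and (spc & (spc - 1)) == 0:
            if s[54:57] == b"FAT":
                fs = s[54:62].decode("ascii").strip()
            elif s[82:87] == b"FAT32":
                fs = "FAT32"
            total = struct.unpack_from("<H", s, 19)[0] or struct.unpack_from("<I", s, 32)[0]
        if fs:
            hits.append({"start_lba": lba, "fs": fs, "sectors": total})
    return hits


def rebuild_partition_table(image: bytes, hits) -> bytes:
    """Write recovered entries into a COPY (never the evidence) so a
    table-trusting tool can read the volume again."""
    types = {"FAT16": 0x06, "FAT32": 0x0C, "NTFS": 0x07}
    img = bytearray(image)
    for i, h in enumerate(hits[:4]):
        struct.pack_into(ENTRY, img, MBR_TABLE + 16 * i, 0x80 if i == 0 else 0,
                         b"\xfe\xff\xff", types.get(h["fs"], 0x06), b"\xfe\xff\xff",
                         h["start_lba"], h["sectors"])
    return bytes(img)


# Constructed sample image: MBR, 7 empty sectors, a 64-sector FAT16 volume at LBA 8.
SAMPLE_IMAGE = (make_mbr([(0x06, 8, 64)]) + bytes(7 * SECTOR)
                + make_fat16_vbr(64) + bytes(63 * SECTOR))

if __name__ == "__main__":
    wiped = wipe_partition_table(SAMPLE_IMAGE)
    print("intact :", parse_mbr(SAMPLE_IMAGE))
    print("wiped  :", parse_mbr(wiped))                 # [] - nothing to see
    print("sweep  :", scan_for_volumes(wiped))          # the volume is still there
    print("rebuilt:", parse_mbr(rebuild_partition_table(wiped, scan_for_volumes(wiped))))
```

The sweep works because the volume boot record, the FATs and the data clusters are not touched by the edit; only the 64 bytes of pointers are. Rebuilding the table on a working copy and hashing both copies is what keeps the "repeatability and procedure" question answerable in court: the evidence image stays as acquired, and the report shows exactly which bytes were changed to make the volume readable again.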

Bane

Post Fri Sep 04, 2009 10:18 am

Re: Forensics Tools - strap on your util belt

Another Forensics distro to try.... http://www.deftlinux.net/
It has some nice tools for forensics on mobile devices.

Xbox Forensics tool kit (primarily used by law enforcement, but others may find it useful too)

http://www.mysecured.com/?p=301

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Fri Sep 04, 2009 10:49 am

Re: Forensics Tools - strap on your util belt

Vijay, most expensive definitely doesn't make it the best. :D   Agreed there.  

You can modify anything in a hex editor, including wiping out the MBR, creating encrypted partitions within encrypted partitions, shredding files, etc.  This is where EnCase makes it much easier to put together the correct story.  We used to use Norton's Disk Editor for forensic investigations.  With today's volumes of data and deadlines, that's no longer practical, but is still possible.  It is my opinion that the same logic extends to the open source tools out there.

The amount of data types supported alone make EnCase and FTK  tools much more robust than anything else out there.  For example, what other forensics tools can handle PST files, NSF files, Exchange EDB (granted not so well on the latter :)) files, Registry files, etc., all natively within the same application?  I understand that you can export an NSF file and open it in Lotus Notes, or export the registry file and open it in a Registry viewer.   The problem is that you are involving yet another piece of software.  In the case of Lotus Notes or Outlook, it likes to modify the file immediately.   Outlook won't even open a write-protected PST file.   The list just goes on.   Guidance has spent years reversing various file formats and incorporating them into EnCase.  I am much more comfortable saying that I am reasonably certain EnCase didn't modify the structure of my PST file than I am even mentioning that I analyzed a PST file in Microsoft Outlook.

In the open-source world, you have Autopsy/PTK/Sleuthkit, and a set of tools like scalpel, dcfldd, regviewer, etc.   What you have is a combination of tools that do about 70% of what EnCase does in a single tool.  Every time you export a file from your safe and verified image, you are introducing another element to your report.  When you have to deal with the native software application because you couldn't find a forensics tool that supports the format, that's another nightmare.

Like I said, I would love to be proven wrong here and come away with a good set of tools that do everything EnCase and FTK do.  I am a big supporter of open-source tools.  I would love to be able to go open-source.   Every time we have researched this the conclusion is always the same, open source tools will do about 70% of what we need.   That's just not enough.  

I guess my point is that the open-source community is lacking in the forensics industry when compared to others, especially pen testing.  One of the problems is that software vendors like Microsoft will actually release some of their source code to companies like Guidance.  They will never release anything to an open source project.  It's quite frustrating actually.
~~~~~~~~~~~~~~
Ketchup

rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Fri Sep 04, 2009 11:55 am

Re: Forensics Tools - strap on your util belt

We've used Helix 3 for a couple of issues at work. They were internal issues that did go to legal. (It's also what started me down the path that has led me here.)

I'd love to get my hands on EnCase, and learn more, but I'd probably have to buy it myself. I don't know how well Helix works compared to EnCase, but it's worked for what we've needed so far.
OSWP, Sec+

UNIX

Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Thu Nov 19, 2009 6:18 am

Re: Forensics Tools - strap on your util belt

As I have recently read some books on forensics, some more tools and toolkits which were mentioned (though most of them were already mentioned in this thread):

Autopsy Forensic Browser
F.I.R.E.
F.R.E.D.
ForensiX-CD
EnCase
dd, sdd, dcfldd
IRCR (Incident Response Collection Report)
Forensic Acquisition Utilities
WFT (Windows Forensic Toolchest)
STD (Security Tools Distribution, based on Knoppix)
Helix
FTK (AccessData Forensic Toolkit)
Live View
TCTUtils, TCT (The Coroner's Toolkit)
The Sleuth Kit

3PIL0GU3

Newbie

Posts: 38

Joined: Tue Aug 18, 2009 7:48 am

Post Thu Nov 19, 2009 9:21 am

Re: Forensics Tools - strap on your util belt

Is there any version of Helix that is still free? It started out as good free open source software; I don't know any more.
----------------------------
CEH

hiddenillusion

Newbie

Posts: 26

Joined: Tue Oct 07, 2008 5:45 pm

Post Fri Nov 20, 2009 9:48 am

Re: Forensics Tools - strap on your util belt

You can still find copies of Helix2008R1.iso floating around on the internet that are free.
GCIH, ACE, OSCP, CCNA, CEH, CHFI, Security+