top 20 free digital forensic investigation tools for...
TRANSCRIPT
5/10/2016 Top 20 Free Digital Forensic Investigation Tools for SysAdmins
http://www.gfi.com/blog/top-20-free-digital-forensic-investigation-tools-for-sysadmins/ 1/28
MENU
(33 votes, average: 3.76 out of 5) 14 comments
Top 20 Free Digital Forensic Investigation Tools forSysAdmins
Here are 20 of the best free tools that will help you conduct a digitalforensic investigation. Whether it’s for an internal human resources case, aninvestigation into unauthorized access to a server, or if you just want tolearn a new skill, these suites and utilities will help you conduct memoryforensic analysis, hard drive forensic analysis, forensic image exploration,forensic imaging and mobile forensics. As such, they all provide the abilityto bring back in-depth information about what’s “under the hood” of asystem.
The most essential tool forsysadmins:
Automate multiple OS patching
Scan for vulnerabilities
Audit hardware and software
Run compliance reports
Discover, manage and secureyour network
Monitor & control web activity
Manage bandwidth & internet usage
Secure downloads & web browsing
Control of applications & stronger policy
Try premium business software for FREE for 30 days!
Get it for FREE now!Get it for FREE now!
5/10/2016 Top 20 Free Digital Forensic Investigation Tools for SysAdmins
http://www.gfi.com/blog/top-20-free-digital-forensic-investigation-tools-for-sysadmins/ 2/28
This is by no means an extensive list and may not cover everything you need for your investigation. Youmight also need additional utilities such a file viewers, hash generators, and text editors – checkout 101Free Admin Tools for some of these.
My articles on Top 10 Free Troubleshooting Tools for SysAdmins, Top 20 Free Network Monitoringand Analysis Tools for Sys Admins and Top 20 Free File Management Tools for Sys Admins might alsocome in handy since they contain a bunch of tools that can be used for Digital Forensic Investigations(e.g. BackTrack and the SysInternals Suite or the NirSoft Suite of tools).
Even if you may have heard of some of these tools before, I’m confident that you’ll find a gem or twoamongst this list.
01 SANS SIFT
The SANS Investigative Forensic Toolkit (SIFT) is an Ubuntu based Live CD which includes all the toolsyou need to conduct an in-depth forensic or incident response investigation. It supports analysis ofExpert Witness Format (E01), Advanced Forensic Format (AFF), and RAW (dd) evidence formats. SIFTincludes tools such as log2timeline for generating a timeline from system logs, Scalpel for data filecarving, Rifiuti for examining the recycle bin, and lots more.
When you first boot into the SIFT environment, I suggest you explore the documentation on thedesktop to help you become accustomed to what tools are available and how to use them. There is alsoa good explanation of where to find evidence on a system. Use the top menu bar to open a tool, orlaunch it manually from a terminal window.
02 ProDiscover Basic
No credit card required, Trial also includes GFI technical support
5/10/2016 Top 20 Free Digital Forensic Investigation Tools for SysAdmins
http://www.gfi.com/blog/top-20-free-digital-forensic-investigation-tools-for-sysadmins/ 3/28
ProDiscover Basic is a simple digital forensic investigation tool that allows you to image, analyse andreport on evidence found on a drive. Once you add a forensic image you can view the data by content orby looking at the clusters that hold the data. You can also search for data using the Search node basedon the criteria you specify.
When you launch ProDiscover Basic you first need to create or load a project and add evidence from the‘Add’ node. You can then use the ‘Content View’ or ‘Cluster View’ nodes to analyse the data and the Toolsmenu to perform actions against the data. Click the ‘Report’ node to view important information aboutthe project.
03 Volatility
Volatility is a memory forensics framework for incident response and malware analysis that allows you toextract digital artefacts from volatile memory (RAM) dumps. Using Volatility you can extract informationabout running processes, open network sockets and network connections, DLLs loaded for eachprocess, cached registry hives, process IDs, and more.
If you are using the standalone Windows executable version of Volatility, simply place volatility-2.1.standalone.exe into a folder and open a command prompt window. From the command prompt,navigate to the location of the executable file and type “volatility-2.1.standalone.exe –f <FILENAME> –profile=<PROFILENAME> <PLUGINNAME>” without quotes – FILENAME would be the name of thememory dump file you wish to analyse, PROFILENAME would be the machine the memory dump wastaken on and PLUGINNAME would be the name of the plugin you wish to use to extract information.
5/10/2016 Top 20 Free Digital Forensic Investigation Tools for SysAdmins
http://www.gfi.com/blog/top-20-free-digital-forensic-investigation-tools-for-sysadmins/ 4/28
Note: In the example above I am using the ‘connscan’ plugin to search the physical memory dump forTCP connection information.
04 The Sleuth Kit (+Autopsy)
The Sleuth Kit is an open source digital forensics toolkit that can be used to perform in-depth analysis ofvarious file systems. Autopsy is essentially a GUI that sits on top of The Sleuth Kit. It comes with featureslike Timeline Analysis, Hash Filtering, File System Analysis and Keyword Searching out of the box, withthe ability to add other modules for extended functionality.
Note: You can use The Sleuth Kit if you are running a Linux box and Autopsy if you are running aWindows box.
When you launch Autopsy, you can choose to create a new case or load an existing one. If you choose tocreate a new case you will need to load a forensic image or a local disk to start your analysis. Once theanalysis process is complete, use the nodes on the left hand pane to choose which results to view.
05 FTK Imager
FTK Imager is a data preview and imaging tool that allows you to examine files and folders on local harddrives, network drives, CDs/DVDs, and review the content of forensic images or memory dumps. UsingFTK Imager you can also create SHA1 or MD5 hashes of files, export files and folders from forensicimages to disk, review and recover files that were deleted from the Recycle Bin (providing that their datablocks haven’t been overwritten), and mount a forensic image to view its contents in Windows Explorer.
Note: There is a portable version of FTK Imager that will allow you to run it from a USB disk.
5/10/2016 Top 20 Free Digital Forensic Investigation Tools for SysAdmins
http://www.gfi.com/blog/top-20-free-digital-forensic-investigation-tools-for-sysadmins/ 5/28
When you launch FTK Imager, go to ‘File > Add Evidence Item…’ to load a piece of evidence for review.To create a forensic image, go to ‘File > Create Disk Image…’ and choose which source you wish toforensically image.
06 Linux ‘dd’
dd comes by default on the majority of Linux distributions available today (e.g. Ubuntu, Fedora). Thistool can be used for various digital forensic tasks such as forensically wiping a drive (zero-ing out adrive) and creating a raw image of a drive.
Note: dd is a very powerful tool that can have devastating effects if not used with care. It isrecommended that you experiment in a safe environment before using this tool in the real world.
Tip: A modified version of dd is available from http://sourceforge.net/projects/dc3dd/ – dc3ddincludes additional features that were added specifically for digital forensic acquisition tasks.
5/10/2016 Top 20 Free Digital Forensic Investigation Tools for SysAdmins
http://www.gfi.com/blog/top-20-free-digital-forensic-investigation-tools-for-sysadmins/ 6/28
To use dd, simply open a terminal window and type dd followed by a set of command parameters(which command parameters will obviously depend on what you want to do). The basic dd syntax forforensically wiping a drive is:
dd if=/dev/zero of=/dev/sdb1 bs=1024
where if = input file, of = output file, bs = byte size
Note: Replace /dev/sdb1 with the drive name of the drive you want to forensically wipe and 1024 withthe size of the byte blocks you want to write out.
The basic dd syntax for creating a forensic image of a drive is:
dd if=/dev/sdb1 of=/home/andrew/newimage.dd bs=512 conv=noerror,sync
where if = input file (or in this case drive), of = output file, bs = byte size, conv = conversion options
Tip: For additional usage info, from a terminal window, type “man dd” without quotes to bring up thehelp manual for the dd command.
07 CAINE
CAINE (Computer Aided INvestigative Environment) is Linux Live CD that contains a wealth of digitalforensic tools. Features include a user-friendly GUI, semi-automated report creation and tools for MobileForensics, Network Forensics, Data Recovery and more.
5/10/2016 Top 20 Free Digital Forensic Investigation Tools for SysAdmins
http://www.gfi.com/blog/top-20-free-digital-forensic-investigation-tools-for-sysadmins/ 7/28
When you boot into the CAINE Linux environment, you can launch the digital forensic tools from theCAINE interface (shortcut on the desktop) or from each tool’s shortcut in the ‘Forensic Tools’ folder onthe applications menu bar.
08 Oxygen Forensic Suite 2013 Standard
If you are investigating a case that requires you to gather evidence from a mobile phone to support yourcase, Oxygen Forensics Suite (Standard Edition) is a tool that will help you achieve this. Features includethe ability to gather Device Information (Manufacturer, OS Platform, IMEI, Serial Number, etc.), Contacts,Messages (Emails, SMS, MMS, etc.) and recovery of deleted messages, Call Logs, and Calendar and Taskinformation. It also comes with a file browser which allows you to access and analyse user photos,videos, documents and device databases.
5/10/2016 Top 20 Free Digital Forensic Investigation Tools for SysAdmins
http://www.gfi.com/blog/top-20-free-digital-forensic-investigation-tools-for-sysadmins/ 8/28
When you launch Oxygen Forensic Suite, hit the ‘Connect new device’ button on the top menu bar tolaunch the Oxygen Forensic Extractor wizard that guides you through selecting the device and type ofinformation you wish to extract.
09 Free Hex Editor Neo
Free Hex Editor Neo is a basic hex editor that was designed to handle very large files. While a lot of theadditional features are found in the commercial versions of Hex Editor Neo, I find this tool useful forloading large files (e.g. database files or forensic images) and performing actions such as manual datacarving, low-level file editing, information gathering, or searching for hidden data.
5/10/2016 Top 20 Free Digital Forensic Investigation Tools for SysAdmins
http://www.gfi.com/blog/top-20-free-digital-forensic-investigation-tools-for-sysadmins/ 9/28
Use ‘File > Open’ to load a file into Hex Editor Neo. The data will appear in the middle window where youcan begin to navigate through the hex manually or press CTRL + F to run a search.
10 Bulk Extractor
bulk_extractor is a computer forensics tool that scans a disk image, file, or directory of files and extractsinformation such as credit card numbers, domains, e-mail addresses, URLs, and ZIP files. The extractedinformation is output to a series of text files (which can be reviewed manually or analysed using otherforensics tools or scripts).
Tip: Within the output text files you will find entries for data that resemble a credit card number, e-mailaddress, domain name, etc. You will also see a decimal value in the first column of the text file that,when converted to hex, can be used as the pointer on disk where the entry was found (i.e. if you wereanalysing the disk manually using a hex editor for example, you would jump to this hexadecimal valueto view the data).
5/10/2016 Top 20 Free Digital Forensic Investigation Tools for SysAdmins
http://www.gfi.com/blog/top-20-free-digital-forensic-investigation-tools-for-sysadmins/ 10/28
Bulk_extractor comes as a command-line tool or a GUI tool. In the example above I set the bulkextractor tool to extract information from a forensics image I took earlier and output the results to afolder called “BE_Output”. The results can then be viewed in the Bulk Extractor Viewer and the outputtext files mentioned above.
11 DEFT
DEFT is another Linux Live CD which bundles some of the most popular free and open source computerforensic tools available. It aims to help with Incident Response, Cyber Intelligence and ComputerForensics scenarios. Amongst others, it contains tools for Mobile Forensics, Network Forensics, DataRecovery, and Hashing.
5/10/2016 Top 20 Free Digital Forensic Investigation Tools for SysAdmins
http://www.gfi.com/blog/top-20-free-digital-forensic-investigation-tools-for-sysadmins/ 11/28
When you boot using DEFT, you are asked whether you wish to load the live environment or install DEFTto disk. If you load the live environment you can use the shortcuts on the application menu bar tolaunch the required tools.
12 Xplico
Xplico is an open source Network Forensic Analysis Tool (NFAT) that aims to extract applications datafrom internet traffic (e.g. Xplico can extract an e-mail message from POP, IMAP or SMTP traffic). Featuresinclude support for a multitude of protocols (e.g. HTTP, SIP, IMAP, TCP, UDP), TCP reassembly, and theability to output data to a MySQL or SQLite database, amongst others.
5/10/2016 Top 20 Free Digital Forensic Investigation Tools for SysAdmins
http://www.gfi.com/blog/top-20-free-digital-forensic-investigation-tools-for-sysadmins/ 12/28
Once you’ve installed Xplico, access the web interface by navigating to http://<IPADDRESS>:9876 andlogging in with a normal user account. The first thing you need to do is create a case and add a newsession. When you create a new session you can either load a PCAP file (acquired from Wireshark forexample) or start a live capture. Once the session has finished decoding, use the navigation menu onthe left hand side to view the results.
13 LastActivityView
I briefly touched on LastActivityView when pointing out the NirSoft suite of tools in my Top 10 FreeSystem Troubleshooting Tools for SysAdmins article. LastActivityView allows you to view what actionswere taken by a user and what events occurred on the machine. Any activities such as running anexecutable file, opening a file/folder from Explorer, an application or system crash or a user performing asoftware installation will be logged. The information can be exported to a CSV / XML / HTML file. Thistool is useful when you need to prove that a user (or account) performed an action he or she said theydidn’t.
When you launch LastActivityView, it will immediately start displaying a list of actions taken on themachine it is being run on. Sort by action time or use the search button to start investigating whatactions were taken on the machine.
14 DSi USB Write Blocker
DSi USB Write Blocker is a software-based write blocker that prevents write access to USB devices. This isimportant in an investigation to prevent modifying the metadata or timestamps and invalidating theevidence.
5/10/2016 Top 20 Free Digital Forensic Investigation Tools for SysAdmins
http://www.gfi.com/blog/top-20-free-digital-forensic-investigation-tools-for-sysadmins/ 13/28
When you run DSi USB Write Blocker, it brings up a window that allows you to enable or disable the USBWrite Blocker. Once you make changes and exit the application, you can keep an eye on the status fromthe padlock icon in the taskbar. When performing an analysis of a USB drive, enable the USB WriteBlocker first and then plug the USB drive in.
Note: If you are looking for a command line alternative USB Write Blocker, check out ‘USB Write Blockerfor ALL Windows’: http://sourceforge.net/projects/usbwriteblockerforwindows8/
15 Mandiant RedLine
RedLine offers the ability to perform memory and file analysis of a specific host. It collects informationabout running processes and drivers from memory, and gathers file system metadata, registry data,event logs, network information, services, tasks, and Internet history to help build an overall threatassessment profile.
5/10/2016 Top 20 Free Digital Forensic Investigation Tools for SysAdmins
http://www.gfi.com/blog/top-20-free-digital-forensic-investigation-tools-for-sysadmins/ 14/28
When you launch RedLine, you will be given a choice to Collect Data or Analyze Data. Unless you alreadyhave a memory dump file available, you’ll need to create a collector to gather data from the machineand let that process run through to completion. Once you have a memory dump file to hand you canbegin your analysis.
16 PlainSight
PlainSight is a Live CD based on Knoppix (a Linux distribution) that allows you to perform digitalforensic tasks such as viewing internet histories, data carving, USB device usage information gathering,examining physical memory dumps, extracting password hashes, and more.
5/10/2016 Top 20 Free Digital Forensic Investigation Tools for SysAdmins
http://www.gfi.com/blog/top-20-free-digital-forensic-investigation-tools-for-sysadmins/ 15/28
When you boot into PlainSight, a window pops up asking you to select whether you want to perform ascan, load a file or run the wizard. Enter a selection to begin the data extraction and analysis process.
17 HxD
HxD is one of my personal favourites. It is a user-friendly hex editor that allows you to perform low-level editing and modifying of a raw disk or main memory (RAM). HxD was designed with easy-of-useand performance in mind and can handle large files without issue. Features include searching andreplacing, exporting, checksums/digests, an in-built file shredder, concatenation or splitting of files,generation of statistics and more.
5/10/2016 Top 20 Free Digital Forensic Investigation Tools for SysAdmins
http://www.gfi.com/blog/top-20-free-digital-forensic-investigation-tools-for-sysadmins/ 16/28
From the HxD interface start your analysis by opening a file from ‘File > Open’, loading a disk from ‘Extras> Open disk…’ or loading a RAM process from ‘Extras > Open RAM…’
18 HELIX3 Free
HELIX3 is a Live CD based on Linux that was built to be used in Incident Response, Computer Forensicsand E-Discovery scenarios. It is packed with a bunch of open source tools ranging from hex editors todata carving software to password cracking utilities, and more.
Note: The HELIX3 version you need is 2009R1. This version was the last free version available beforeHELIX was taken over by a commercial vendor. HELIX3 2009R1 is still valid today and makes for a usefuladdition to your digital forensics toolkit.
5/10/2016 Top 20 Free Digital Forensic Investigation Tools for SysAdmins
http://www.gfi.com/blog/top-20-free-digital-forensic-investigation-tools-for-sysadmins/ 17/28
When you boot using HELIX3, you are asked whether you want to load the GUI environment or installHELIX3 to disk. If you choose to load the GUI environment directly (recommended), a Linux-basedscreen will appear giving you the option to run the graphical version of the bundled tools.
19 Paladin Forensic Suite
Paladin Forensic Suite is a Live CD based on Ubuntu that is packed with wealth of open source forensictools. The 80+ tools found on this Live CD are organized into over 25 categories including Imaging Tools,Malware Analysis, Social Media Analysis, Hashing Tools, etc.
5/10/2016 Top 20 Free Digital Forensic Investigation Tools for SysAdmins
http://www.gfi.com/blog/top-20-free-digital-forensic-investigation-tools-for-sysadmins/ 18/28
After you boot Paladin Forensic Suite, navigate to the App Menu or click on one of the icons in thetaskbar to get started.
Note: A handy Quick Start Guide for Paladin Forensic Suite is available to view or download from thePaladin website as well as the taskbar within Paladin itself.
20 USB Historian
USB Historian parses USB information, primarily from the Windows registry, to give you a list of all USBdrives that were plugged into the machine. It displays information such as the name of the USB drive,the serial number, when it was mounted and by which user account. This information can be very usefulwhen you’re dealing with an investigation whereby you need to understand if data was stolen, movedor accessed.
5/10/2016 Top 20 Free Digital Forensic Investigation Tools for SysAdmins
http://www.gfi.com/blog/top-20-free-digital-forensic-investigation-tools-for-sysadmins/ 19/28
When you launch USB Historian, click the ‘+’ icon on the top menu to launch the data parse wizard.Select which method you want to parse data from (Drive Letter, Windows and Users Folder, or IndividualHives/Files) and then select the respective data to parse. Once complete you will see information similarto that shown in the above image.
You may also like:
Top 10 free database tools for sys adminsTop 5 Free Rescue Discs for Your Sys Admin ToolkitThe Top 20 Free Network Monitoring and Analysis Tools for…Top 20 Free Disk Tools for SysAdmins
5/10/2016 Top 20 Free Digital Forensic Investigation Tools for SysAdmins
http://www.gfi.com/blog/top-20-free-digital-forensic-investigation-tools-for-sysadmins/ 20/28
14 Comments
About the Author: Andrew Tabona
Andrew has over 10 years experience in Quality Assurance, Incident Management, and Pre- and Post-SalesTechnical Support roles, as well as recent specialization in Digital Forensics and E-Discovery. He hascontributed to several blogs and worked on various technical writing projects for multiple organizations, aswell as being invited to be a regular guest lecturer and speaker at a top UK university.
More Posts from Andrew Suggest a Topic
David Williams October 29, 2013 at 5:16 am
Good stuff, I was wondering which one of these tools can correct a user profile that cannot be loaded.
Reply
Bilal Bokhari November 9, 2013 at 6:57 pm
You sir did a great job Compiling this list and have saved a lot time for geeks like me who were trying to learn the
basics of forensics.