
01 SANS SIFT

The SANS Investigative Forensic Toolkit (SIFT) is an Ubuntu-based Live CD which includes all
the tools you need to conduct an in-depth forensic or incident response investigation. It supports
analysis of Expert Witness Format (E01), Advanced Forensic Format (AFF), and RAW (dd)
evidence formats. SIFT includes tools such as log2timeline for generating a timeline from system
logs, Scalpel for data file carving, Rifiuti for examining the Recycle Bin, and lots more.

When you first boot into the SIFT environment, I suggest you explore the documentation on the
desktop to help you become accustomed to what tools are available and how to use them. There
is also a good explanation of where to find evidence on a system. Use the top menu bar to open
a tool, or launch it manually from a terminal window.

Key features
• 64-bit base system
• Auto-DFIR package update and customizations
• Cross compatibility with Linux and Windows
• Expanded filesystem support
• Option to install the standalone system

02 CrowdStrike CrowdResponse
CrowdResponse is a lightweight console application that can be used as part of an incident
response scenario to gather contextual information such as a process list, scheduled tasks, or
Shim Cache. Using embedded YARA signatures you can also scan your host for malware and
report if there are any indicators of compromise.
To run CrowdResponse, extract the ZIP file and launch a Command Prompt with administrative
privileges. Navigate to the folder where the CrowdResponse*.exe executable resides and enter your
command parameters. At minimum, you must include the output path and the ‘tool’ you wish to
use to collect data. For a full list of ‘tools’, enter CrowdResponse64.exe in the command prompt
and it will bring up a list of supported tool names and example parameters.

Once you’ve exported the data you need, you can use CRconvert.exe to convert the data from
XML to another file format like CSV or HTML.

Key features
• Comes with three modules – directory-listing, active running module, and YARA processing module.
• Displays application resource information
• Verifies the digital signature of the process executable.
• Scans memory, loaded module files, and on-disk files of all currently running processes

03 Volatility
Volatility is a memory forensics framework for incident response and malware analysis that allows
you to extract digital artefacts from volatile memory (RAM) dumps. Using Volatility you can
extract information about running processes, open network sockets and network connections,
DLLs loaded for each process, cached registry hives, process IDs, and more.
If you are using the standalone Windows executable version of Volatility, simply place
volatility-2.x.standalone.exe into a folder and open a command prompt window. From the command
prompt, navigate to the location of the executable file and type:

volatility-2.x.standalone.exe -f <FILENAME> --profile=<PROFILENAME> <PLUGINNAME>

where FILENAME is the name of the memory dump file you wish to analyse, PROFILENAME is the
profile matching the operating system of the machine the memory dump was taken on, and
PLUGINNAME is the name of the plugin you wish to use to extract information.

Note: In the example above I am using the ‘connscan’ plugin to search the physical memory
dump for TCP connection information.

Key features
• Supports a wide variety of sample file formats.
• Runs on Windows, Linux, and Mac
• Comes with fast and efficient algorithms to analyze RAM dumps from large systems.
• Its extensible and scriptable API opens new possibilities for extension and innovation.

04 The Sleuth Kit (+Autopsy)

The Sleuth Kit is an open source digital forensics toolkit that can be used to perform in-depth
analysis of various file systems. Autopsy is essentially a GUI that sits on top of The Sleuth Kit. It
comes with features like Timeline Analysis, Hash Filtering, File System Analysis and Keyword
Searching out of the box, with the ability to add other modules for extended functionality.

Note: You can use The Sleuth Kit if you are running a Linux box and Autopsy if you are running a
Windows box.
When you launch Autopsy, you can choose to create a new case or load an existing one. If you
choose to create a new case you will need to load a forensic image or a local disk to start your
analysis. Once the analysis process is complete, use the nodes on the left hand pane to choose
which results to view.

Key features
• Displays system events through a graphical interface.
• Offers registry, LNK files, and email analyses.
• Supports most common file formats
• Extracts data from SMS, call logs, contacts, Tango, and Words with Friends, and analyses the same.

05 FTK Imager
FTK Imager is a data preview and imaging tool that allows you to examine files and folders on
local hard drives, network drives, CDs/DVDs, and review the content of forensic images or
memory dumps. Using FTK Imager you can also create SHA1 or MD5 hashes of files, export files
and folders from forensic images to disk, review and recover files that were deleted from the
Recycle Bin (providing that their data blocks haven’t been overwritten), and mount a forensic
image to view its contents in Windows Explorer.

Note: There is a portable version of FTK Imager that will allow you to run it from a USB disk.
When you launch FTK Imager, go to ‘File > Add Evidence Item…’ to load a piece of evidence for
review. To create a forensic image, go to ‘File > Create Disk Image…’ and choose which source
you wish to forensically image.

Key features
• Comes with data preview capability to preview files/folders as well as the content in it.
• Supports image mounting
• Uses multi-core CPUs to parallelize actions.
• Accesses a shared case database, so a single central database is enough for a single case.

06 Linux ‘dd’
dd comes by default on the majority of Linux distributions available today (e.g. Ubuntu, Fedora).
This tool can be used for various digital forensic tasks such as forensically wiping a drive (zeroing
out a drive) and creating a raw image of a drive.

Note: dd is a very powerful tool that can have devastating effects if not used with care. It is
recommended that you experiment in a safe environment before using this tool in the real world.

Tip: A modified version of dd is available from http://sourceforge.net/projects/dc3dd/ – dc3dd
includes additional features that were added specifically for digital forensic acquisition tasks.

To use dd, simply open a terminal window and type dd followed by a set of command parameters
(which command parameters will obviously depend on what you want to do). The basic dd syntax
for forensically wiping a drive is:

dd if=/dev/zero of=/dev/sdb1 bs=1024

where if = input file, of = output file, bs = block size in bytes


Note: Replace /dev/sdb1 with the drive name of the drive you want to forensically wipe and 1024
with the size of the byte blocks you want to write out.

The basic dd syntax for creating a forensic image of a drive is:

dd if=/dev/sdb1 of=/home/andrew/newimage.dd bs=512 conv=noerror,sync

where if = input file (or in this case drive), of = output file, bs = block size in bytes,
conv = conversion options

Tip: For additional usage info, from a terminal window, type “man dd” without quotes to bring up
the help manual for the dd command.
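The imaging command above is only half of an acquisition: an examiner also needs proof that the image matches the source. The script below is an added example (not from the original article or the dd project) that runs the same dd syntax and then hashes source and image with sha256sum, returning success only when the two digests agree. A constructed 1 MiB file stands in for the drive so it can run without hardware; in a real acquisition the source would be a device node such as /dev/sdb1 (an assumed name, adjust it to your system).

```shell
#!/bin/sh
# Added example: image a source with the article's dd parameters and verify the copy.
# The "drive" is a constructed file; replace it with a real device node in practice.
set -eu

# Constructed stand-in for a source drive: exactly 2048 sectors of 512 bytes (1 MiB).
make_sample_source() {
    dd if=/dev/urandom of="$1" bs=512 count=2048 2>/dev/null
}

# Image SRC to IMG. conv=noerror keeps dd reading past unreadable sectors and conv=sync
# pads each short read with zeros, so every byte in the image keeps the offset it had on
# the source. Writes both SHA-256 digests to IMG.sha256 and returns 0 only when they match.
image_and_verify() {
    src="$1"
    img="$2"
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    printf '%s  %s\n%s  %s\n' "$src_hash" "$src" "$img_hash" "$img" > "$img.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# Stand-alone run: build the sample drive, image it, report the outcome.
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    make_sample_source "$work/drive.bin"
    if image_and_verify "$work/drive.bin" "$work/drive.dd"; then
        echo "image verified: $(cat "$work/drive.dd.sha256")"
    else
        echo "hash mismatch: check for read errors or a source that is not whole blocks"
    fi
    rm -rf "$work"
fi
```

A mismatch is informative rather than merely a failure: because conv=noerror,sync replaces unreadable sectors with zeros and pads a final partial block, the image hash will differ from the source hash whenever dd hit a read error or the source was not a whole number of 512-byte blocks. Comparing the two sizes written by wc -c tells you which of the two happened.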

Key features
• Duplicates data across files, devices, partitions, and volumes.
• Supports master boot record backup and restore.
• It can modify data easily
• Needs to be used with caution as it can wipe a disk completely.

07 CAINE
CAINE (Computer Aided INvestigative Environment) is a Linux Live CD that contains a wealth of
digital forensic tools. Features include a user-friendly GUI, semi-automated report creation and
tools for Mobile Forensics, Network Forensics, Data Recovery and more.

When you boot into the CAINE Linux environment, you can launch the digital forensic tools from
the CAINE interface (shortcut on the desktop) or from each tool’s shortcut in the ‘Forensic Tools’
folder on the applications menu bar.

Key features
• Comes with a user-friendly interface that brings together many open-source forensics tools.
• Adheres to the investigation procedure laid down by Italian laws.
• Its environment is optimized for in-depth forensic analysis
• Generates reports that are easily editable and exportable.

08 ExifTool
ExifTool is a command-line application used to read, write or edit file metadata information. It is
fast, powerful and supports a large range of file formats (although image file types are its
speciality). ExifTool can be used for analysing the static properties of suspicious files in a
host-based forensic investigation, for example.

To use ExifTool, simply drag and drop the file you want to extract metadata from onto the
exiftool(-k).exe application and it will open a command prompt window with the information
displayed. Alternatively, rename exiftool(-k).exe to exiftool.exe and run from the command
prompt.

Key features
• Supports different file formats, verbose, and HTML-based hex dump outputs.
• Copies meta-data information between files
• Automatically backs up the original image
• Converts output in many languages.

09 Free Hex Editor Neo

Free Hex Editor Neo is a basic hex editor that was designed to handle very large files. While a lot
of the additional features are found in the commercial versions of Hex Editor Neo, I find this tool
useful for loading large files (e.g. database files or forensic images) and performing actions such
as manual data carving, low-level file editing, information gathering, or searching for hidden data.
Use ‘File > Open’ to load a file into Hex Editor Neo. The data will appear in the middle window
where you can begin to navigate through the hex manually or press CTRL + F to run a search.

Key features
• Makes it easy to find data patterns across large files
• Supports multiple core processing
• Handles regular expression searches across files
• Allows you to quickly make file patches or tune any aspect of the user interface.

10 Bulk Extractor
bulk_extractor is a computer forensics tool that scans a disk image, file, or directory of files and
extracts information such as credit card numbers, domains, e-mail addresses, URLs, and ZIP
files. The extracted information is output to a series of text files (which can be reviewed manually
or analysed using other forensics tools or scripts).

Tip: Within the output text files you will find entries for data that resemble a credit card number,
e-mail address, domain name, etc. You will also see a decimal value in the first column of the text
file that, when converted to hex, can be used as the pointer on disk where the entry was found
(i.e. if you were analysing the disk manually using a hex editor for example, you would jump to
this hexadecimal value to view the data).
bulk_extractor comes as a command-line tool or a GUI tool. In the example above I set the bulk
extractor tool to extract information from a forensic image I took earlier and output the results to
a folder called “BE_Output”. The results can then be viewed in the Bulk Extractor Viewer and the
output text files mentioned above.
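The tip above describes how the decimal offset in the first column of a bulk_extractor feature file maps to a position in the image. The script below is an added example (not from the original article or the bulk_extractor project) that takes such a line, converts the offset to the hexadecimal form a hex editor's "go to" dialog expects, and reads the bytes at that position straight out of the image with dd so the hit can be confirmed in context. The image and the feature line are constructed for the demonstration; the feature-file layout assumed is the tab-separated offset, feature, context columns.

```shell
#!/bin/sh
# Added example: resolve a bulk_extractor feature offset to hex and to the bytes on disk.
# The image and feature line are constructed here; point IMAGE at a real image otherwise.
set -eu

# Decimal byte offset -> hexadecimal, e.g. 4096 -> 0x1000.
offset_to_hex() {
    printf '0x%x\n' "$1"
}

# First column of a feature-file line: the decimal offset (columns are tab separated).
feature_offset() {
    printf '%s\n' "$1" | cut -f1
}

# Emit COUNT bytes starting at decimal OFFSET of IMAGE (bs=1 makes skip= a byte count).
bytes_at_offset() {
    image="$1"; offset="$2"; count="$3"
    dd if="$image" bs=1 skip="$offset" count="$count" 2>/dev/null
}

# Constructed image: 4096 bytes of zeros, a short text record, then 512 more zeros.
# The e-mail address therefore starts at byte 4096 + 9 = 4105.
make_sample_image() {
    {
        dd if=/dev/zero bs=4096 count=1 2>/dev/null
        printf 'contact: alice@example.com '
        dd if=/dev/zero bs=512 count=1 2>/dev/null
    } > "$1"
}

# Constructed line in the layout of bulk_extractor's email.txt: offset, feature, context.
SAMPLE_FEATURE="$(printf '4105\talice@example.com\tcontact: alice@example.com ')"

# Stand-alone run: show the hex offset and the bytes found there.
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    make_sample_image "$work/image.raw"
    off=$(feature_offset "$SAMPLE_FEATURE")
    echo "feature at decimal $off = $(offset_to_hex "$off")"
    echo "bytes on disk: $(bytes_at_offset "$work/image.raw" "$off" 17)"
    rm -rf "$work"
fi
```

Reading the bytes back from the image rather than trusting the context column is the check that matters: bulk_extractor also reports features it found inside decompressed data, and for those the context text will not appear at the raw offset, which tells you the hit came from a compressed region rather than from the sectors at that address.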

Key features
• Processes different parts of the disk in parallel.
• Automatically detects, decompresses, and reprocesses compressed data.
• Extracts critical information such as credit card details and email addresses from digital data
• Can be used to process information across most digital media.

11 DEFT
DEFT is another Linux Live CD which bundles some of the most popular free and open source
computer forensic tools available. It aims to help with Incident Response, Cyber Intelligence and
Computer Forensics scenarios. Amongst others, it contains tools for Mobile Forensics, Network
Forensics, Data Recovery, and Hashing.

When you boot using DEFT, you are asked whether you wish to load the live environment or
install DEFT to disk. If you load the live environment you can use the shortcuts on the application
menu bar to launch the required tools.

Key features
• Includes a file manager that comes with a disk mount’s status.
• Offers full support for Android and iOS.
• Comes with a few open-source and closed-source Windows applications that currently have no alternative in the Unix world.
• An integrity check runs before any program is started in safe mode.

12 Xplico
Xplico is an open source Network Forensic Analysis Tool (NFAT) that aims to extract applications
data from internet traffic (e.g. Xplico can extract an e-mail message from POP, IMAP or SMTP
traffic). Features include support for a multitude of protocols (e.g. HTTP, SIP, IMAP, TCP, UDP),
TCP reassembly, and the ability to output data to a MySQL or SQLite database, amongst others.

Once you’ve installed Xplico, access the web interface by navigating to
http://<IPADDRESS>:9876 and logging in with a normal user account. The first thing you need to
do is create a case and add a new session. When you create a new session you can either load a
PCAP file (acquired from Wireshark for example) or start a live capture. Once the session has
finished decoding, use the navigation menu on the left hand side to view the results.

Key features
• Comes with three modules – an input module for data input, an output module for decoding data and presenting it to the end-user, and decoding modules for decoding the individual network protocols.
• Supports different user interfaces
• All modules can be loaded or unloaded through the configuration file.
• It can decode VoIP calls.

13 LastActivityView
I briefly touched on LastActivityView when pointing out the NirSoft suite of tools in my Top 10 Free
System Troubleshooting Tools for SysAdmins article. LastActivityView allows you to view what
actions were taken by a user and what events occurred on the machine. Any activities such as
running an executable file, opening a file/folder from Explorer, an application or system crash or a
user performing a software installation will be logged. The information can be exported to a CSV /
XML / HTML file. This tool is useful when you need to prove that a user (or account) performed
an action he or she said they didn’t.
When you launch LastActivityView, it will immediately start displaying a list of actions taken on
the machine it is being run on. Sort by action time or use the search button to start investigating
what actions were taken on the machine.

Key features
• Records many user actions such as opening and closing of files, software installation, and more.
• Gathers information from the event log and other sources.
• You don’t have to install it or run it as a background process at all times. When you launch it once, it will create a timeline of events for you.
• Runs only on Windows 2000 and later versions.

14 DSi USB Write Blocker

DSi USB Write Blocker is a software based write blocker that prevents write access to USB
devices. This is important in an investigation to prevent modifying the metadata or timestamps
and invalidating the evidence.

When you run DSi USB Write Blocker, it brings up a window that allows you to enable or disable
the USB Write Blocker. Once you make changes and exit the application, you can keep an eye on
the status from the padlock icon in the taskbar. When performing an analysis of a USB drive,
enable the USB Write Blocker first and then plug the USB drive in.
If you are looking for a command line alternative, check out ‘USB Write Blocker for ALL
Windows’. This tool works by updating a registry entry to prevent USB drives from being written
to. To run the tool, you simply execute the batch file and select Option 1 to put the USB ports into
read-only mode.

Key features
• Converts a USB stick into a readable mode to prevent any data deletion/modification.
• Runs mostly on Windows, though you can make some changes to run it on the latest version of iOS.
• Gives you the option to see this application’s status in your taskbar.

15 FireEye RedLine
RedLine offers the ability to perform memory and file analysis of a specific host. It collects
information about running processes and drivers from memory, and gathers file system metadata,
registry data, event logs, network information, services, tasks, and Internet history to help build
an overall threat assessment profile.
When you launch RedLine, you will be given a choice to Collect Data or Analyze Data. Unless
you already have a memory dump file available, you’ll need to create a collector to gather data
from the machine and let that process run through to completion. Once you have a memory dump
file to hand you can begin your analysis.

Key features
• Helps to identify when a compromised file was introduced and how it persists in the system/network.
• Uses whitelist indicators to filter out known data.
• Collects information from run processes, files, images, and registry data.

16 PlainSight
PlainSight is a Live CD based on Knoppix (a Linux distribution) that allows you to perform digital
forensic tasks such as viewing internet histories, data carving, USB device usage information
gathering, examining physical memory dumps, extracting password hashes, and more.

When you boot into PlainSight, a window pops up asking you to select whether you want to
perform a scan, load a file or run the wizard. Enter a selection to begin the data extraction and
analysis process.

Key features
• Recovers many file types such as jpg, png, pdf, mov, wav, zip, rar, exe, and more.
• Uses a spider to scan systems that contain sensitive data.
• Saves results in HTML or plain text formats.
• Runs from a CD or USB.

17 HxD
HxD is one of my personal favourites. It is a user-friendly hex editor that allows you to perform
low-level editing and modifying of a raw disk or main memory (RAM). HxD was designed with
ease-of-use and performance in mind and can handle large files without issue. Features include
searching and replacing, exporting, checksums/digests, an in-built file shredder, concatenation or
splitting of files, generation of statistics and more.

From the HxD interface start your analysis by opening a file from ‘File > Open’, loading a disk
from ‘Extras > Open disk…’ or loading a RAM process from ‘Extras > Open RAM…’.

18 HELIX3 Free
HELIX3 is a Live CD based on Linux that was built to be used in Incident Response, Computer
Forensics and E-Discovery scenarios. It is packed with a bunch of open source tools ranging from
hex editors to data carving software to password cracking utilities, and more.

Note: The HELIX3 version you need is 2009R1. This version was the last free version available
before HELIX was taken over by a commercial vendor. HELIX3 2009R1 is still valid today and
makes for a useful addition to your digital forensics toolkit.

When you boot using HELIX3, you are asked whether you want to load the GUI environment or
install HELIX3 to disk. If you choose to load the GUI environment directly (recommended), a
Linux-based screen will appear giving you the option to run the graphical version of the bundled
tools.

Key features
• Data-folds are used to tag different memory sections.
• Comes with a RAM editor.
• Exports data to many formats
• Makes it easy to split or concatenate files.

19 Paladin Forensic Suite

Paladin Forensic Suite is a Live CD based on Ubuntu that is packed with a wealth of open source
forensic tools. The 80+ tools found on this Live CD are organized into over 25 categories
including Imaging Tools, Malware Analysis, Social Media Analysis, Hashing Tools, etc.

After you boot Paladin Forensic Suite, navigate to the App Menu or click on one of the icons in
the taskbar to get started.

Note: A handy Quick Start Guide for Paladin Forensic Suite is available to view or download from
the Paladin website as well as the taskbar within Paladin itself.

Key features
• Provides complete visibility into your network.
• Acquires temporary data such as internet history and memory and stores the same in a USB drive.
• Works well on Mac, Windows, and Linux.
• Supports many open-source forensic applications.

20 USB Historian
USB Historian parses USB information, primarily from the Windows registry, to give you a list of
all USB drives that were plugged into the machine. It displays information such as the name of
the USB drive, the serial number, when it was mounted and by which user account. This
information can be very useful when you’re dealing with an investigation whereby you need to
understand if data was stolen, moved or accessed.
When you launch USB Historian, click the ‘+’ icon on the top menu to launch the data parse
wizard. Select which method you want to parse data from (Drive Letter, Windows and Users
Folder, or Individual Hives/Files) and then select the respective data to parse. Once complete you
will see information similar to that shown in the above image.

Key features
• Ideal for those who deal with data and identity theft.
• Parses the computer name to locate USB devices
• Offers a wizard-driven analysis.
