Computer Forensics: A Compilation of Useful Tools

In this post, we take a look at tools that security professionals and developers can use to collect and analyze digital data related to cyberattacks.

It takes a great deal of expertise in extracting digital artifacts to investigate information security incidents successfully. The main goal of this activity is to reconstruct an incident by means of specific methods and tools aimed at preserving, collecting and analyzing digital evidence.

The term “forensics,” in the broad sense, denotes the use of scientific techniques to investigate a crime. Speaking of the digital application, some researchers differentiate between computer forensics and network forensics.

Forensics is predominantly leveraged for analyzing and investigating incidents that involve digital information as the target of encroachment, a computer as the instrument of crime, or any other concomitant digital artifacts.

Forensics experts use specially crafted utilities to harvest and analyze digital evidence. In order for the information to be valid from a legal perspective, some of the tools to be covered below should have appropriate certification that the authorities may request. Under the circumstances, it may be necessary to apply a combo of information collection and analysis methods to comply with those requirements.

This article provides a list of useful links and tools applicable to digital evidence collection.


  • DFF (Digital Forensics Framework) – an open source platform applicable for data retrieval and analysis.
  • PowerForensics is a PowerShell based utility intended for live disk forensic analysis.
  • The Sleuth Kit (TSK) is a C-based library and collection of command line tools facilitating the analysis of volume and file system data.

Real-Time Utilities

  • grr (GRR Rapid Response) is a remote live forensics tool for incident response.
  • mig (Mozilla InvestiGator) – a distributed real-time platform for investigating incidents on remote endpoints.

Imaging Tools (Data Acquisition and Cloning)

  • dc3dd – an enhanced edition of the GNU dd utility featuring on-the-fly hashing, pattern writing, file verification, and other functions for digital evidence acquisition.
  • dcfldd is yet another improved version of the dd program.
  • FTK Imager allows viewing and cloning data media in the Windows environment.
  • Guymager is an imaging tool running under Linux that allows viewing and cloning data media.

Data Extraction

  • bstrings is an improved version of the popular strings utility.
  • bulk_extractor enables you to extract email addresses, IP addresses and phone numbers from files.
  • flare-floss is a utility using static analysis techniques to automatically extract obfuscated strings from malware binaries.
  • photorec is a recovery tool that extracts deleted files, including documents, archives, photos, and videos from hard drives and CDs.

RAM Memory Forensics

  • inVtero.net – this tool’s distinguishing hallmark is the high speed of extracting data directly from memory.
  • KeeFarse extracts KeePass passwords from memory.
  • Rekall is a Python-based tool for analyzing RAM memory dumps.
  • Volatility framework is a collection of utilities for extracting digital artifacts from RAM memory samples.
  • VolUtility provides a web interface for the Volatility Framework mentioned above.

Network Analysis

  • SiLK Tools is a traffic analysis toolkit that facilitates security analysis for large networks.
  • Wireshark is one of the world’s most popular network sniffers.

Windows Artifacts (Extracting Files, Downloads History, USB memory stick data, etc.)

  • FastIR Collector is an all-in-one tool for harvesting Windows information (registry, file system, services, startup programs, etc.).
  • FRED is a cross-platform Windows registry analysis utility.
  • MFT Parsers is a tool facilitating comparative analysis of Master File Table information.
  • MFTExtractor – another handy parser of the Master File Table.
  • RecuperaBit reconstructs NTFS file systems.
  • python-ntfs is a Python library for NTFS analysis.

OS X Analysis

  • OS X Auditor is a popular free forensics tool supporting Mac OS X that parses and hashes various system artifacts.

Internet Artifacts

  • chrome-url-dumper is intended for extracting different types of web surfing information from Google Chrome.
  • Hindsight analyzes Google Chrome/Chromium history.

Timeline Analysis

  • plaso is a tool that extracts and aggregates timestamps.
  • Timesketch facilitates collaborative timeline analysis.

Hex Editors

  • 0xED is a hex editor for Mac OS X.
  • Synalyze It! is a popular hex editor for Mac OS X featuring an intuitive interface and extensible controls.
  • Hexinator is a Windows/Linux version of Synalyze It!.
  • HxD – a lightweight and fast hex editor.
  • iBored is a cross-platform hex editor supporting Windows, Linux, and Mac OS X.
  • wxHexEditor is another free cross-platform hex editor delivering extensive features for file comparison.

Data Converters

  • CyberChef is a universal tool for encryption, decoding, compression, and data analysis.
  • DateDecode is applicable for decoding random unintelligible date strings provided in 13 different formats.

File Analysis

Disk Image Processing

  • imagemounter is a command line tool that helps mount/unmount disk images.
  • libewf is a library and toolkit to access and work with EWF (Expert Witness Compression Format) and E01 format files.
  • xmount is a utility that converts between different disk image types.

Bottom Line

When harvesting digital evidence and analyzing online crimes, a rule of thumb is to maintain the integrity, completeness, and authenticity of the data. This is a matter of adhering to the relevant research methodology and recommendations that go with your software of choice.
