Cyber Security training from QA

Top 10 free tools for digital forensic investigation

QA Cyber Security Trainer, James Aguilan, lists his favourite free tools for forensic wizardry.


James Aguilan | 19 June 2018

Juniper researchers state that cybercrime will cost businesses over 2 trillion USD by 2019. As costs go up, the demand for digital forensic experts will increase in tandem. Tools are a forensic examiner's best friend – using the right tool helps to move things faster, improve productivity and gather all the evidence. Here are my top 10 free tools to become a forensic wizard:

1. SIFT Workstation

SIFT (SANS Investigative Forensic Toolkit) Workstation is a freely available virtual appliance built on Ubuntu 14.04. SIFT contains the suite of forensic tools needed to perform a detailed digital forensic examination, and it is one of the most popular open source incident response platforms.

Download SIFT Workstation

2. Autopsy

Autopsy is a GUI-based open source digital forensic programme for analysing hard drives and smartphones efficiently. Autopsy is used by thousands of users worldwide to investigate what happened on a computer. It was designed as an end-to-end platform, with modules that come out of the box and others available from third parties. Among the modules are timeline analysis, keyword searching, data carving and Indicator of Compromise (IoC) matching using STIX.

Download Autopsy

3. FTK Imager

FTK Imager is a data preview and imaging tool used to acquire data (evidence) in a forensically sound manner: it creates copies of the data without making any changes to the original evidence. It saves an image of a hard disk either as a single file or in segments that can be reconstructed later. It calculates MD5 hash values and confirms the integrity of the data before closing the files.
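As an added illustration of the acquisition workflow just described (example code written for this article, not FTK Imager's own code): the source is opened read-only and copied into fixed-size segments, the MD5 the paragraph mentions (plus a SHA-256, which examiners commonly record alongside it) is computed over the stream as it is acquired, and the segments are later reassembled in order and re-hashed to confirm integrity. The 10 KiB "device" is a constructed file and the `evidence.NNN` segment naming is an assumption.

```python
import hashlib
import itertools
import os
import tempfile

# Added example, not FTK Imager code: read-only segmented acquisition with hashing, then verification.
def acquire_segmented(source_path, image_dir, segment_size):
    """Copy source into evidence.001, evidence.002, ...; return segment paths and digests."""
    md5, sha256, segments = hashlib.md5(), hashlib.sha256(), []
    with open(source_path, "rb") as src:          # opened read-only: the source is never written
        for index in itertools.count(1):
            chunk = src.read(segment_size)
            if not chunk:
                break
            md5.update(chunk)                     # hash the stream as it is acquired
            sha256.update(chunk)
            seg_path = os.path.join(image_dir, f"evidence.{index:03d}")   # naming is an assumption
            with open(seg_path, "wb") as seg:
                seg.write(chunk)
            segments.append(seg_path)
    return {"segments": segments, "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}

def verify_segments(segments, expected_md5, expected_sha256):
    """Re-read the segments in order (reconstructing the image) and compare both digests."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    for seg_path in segments:
        with open(seg_path, "rb") as seg:
            for block in iter(lambda: seg.read(65536), b""):
                md5.update(block)
                sha256.update(block)
    return md5.hexdigest() == expected_md5 and sha256.hexdigest() == expected_sha256

def demo():
    """Constructed sample: a 10 KiB pseudo-device imaged in 4 KiB segments, then tampered with."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "fake_device.bin")
    with open(source, "wb") as f:
        f.write(bytes(range(256)) * 40)           # 10240 constructed bytes, not real evidence
    image_dir = os.path.join(workdir, "image")
    os.mkdir(image_dir)
    result = acquire_segmented(source, image_dir, 4096)
    ok_before = verify_segments(result["segments"], result["md5"], result["sha256"])
    with open(result["segments"][1], "r+b") as seg:   # flip one byte in the second segment
        seg.seek(10)
        seg.write(b"\xff")
    ok_after = verify_segments(result["segments"], result["md5"], result["sha256"])
    return len(result["segments"]), ok_before, ok_after
```

`demo()` returns the segment count together with the verification result before and after the single-byte change, showing why the digest recorded at acquisition time is what later proves the image untouched.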

Download FTK Imager

4. DEFT

DEFT is a household name when it comes to digital forensics and intelligence activities. The DEFT Linux distribution is made up of a GNU/Linux system and DART (Digital Advanced Response Toolkit), a suite dedicated to digital forensics and intelligence activities. At boot it does not use the swap partitions of the system being analysed, and no automatic mount scripts run during start-up.

Download DEFT

5. Volatility

Also built into SIFT, Volatility is an open source memory forensics framework for incident response and malware analysis. It is written in Python and supports Microsoft Windows, Mac OS X and Linux (as of version 2.5). Forensic analysis of a raw memory dump can be performed on a Windows platform. Volatility is used to determine whether or not a PC is infected: a malicious programme can be extracted from the running processes captured in the memory dump.

Download Volatility

6. LastActivityView

LastActivityView is a tool for the Windows operating system that collects information from various sources on a running system and displays a log of actions taken by the user and events that occurred on the computer. The activity displayed by LastActivityView includes running an .exe file, opening an open/save dialog box, opening a file or folder from Explorer or other software, software installation, system shutdown/start, application or system crashes, and network connection and disconnection.

Download LastActivityView

7. HxD

HxD is a carefully designed and fast hex editor which, in addition to raw disk editing and modification of main memory (RAM), handles files of any size. The easy-to-use interface offers features such as searching and replacing, exporting, checksums/digests, insertion of byte patterns, a file shredder, concatenation or splitting of files, statistics and much more.

Download HxD

8. CAINE

CAINE offers a complete forensic environment, organised to integrate existing software tools as modules and to provide a friendly graphical interface. It is a digital forensics platform and graphical front end to The Sleuth Kit and other digital forensics tools.

Download CAINE

9. Redline

Redline is a free endpoint security tool that gives users host investigative capabilities to find signs of malicious activity through memory and file analysis and the development of a threat assessment profile. Redline can help audit and collect all running processes and drivers from memory, file-system metadata, registry data, event logs, network information, services, tasks and web history, and can analyse and view the imported audit data, including filtering results to a given timeframe.

Download Redline

10. PlainSight

PlainSight is a versatile computer forensics environment that lets you perform forensic operations such as getting hard disk and partition information, extracting user and group information, examining the Windows firewall configuration, examining physical memory dumps, extracting LanMan password hashes and previewing a system before acquiring it.

Download PlainSight

Whether it's for an internal human resources case, an investigation into unauthorised access to a server, or simply to learn a new skill, these suites and utilities will help you conduct memory forensics, hard drive forensics, forensic image exploration, forensic imaging and mobile forensics. As such, they all provide the ability to bring back in-depth information about what's 'under the hood' of a system.

This is by no means an exhaustive list and may not cover everything you need for an investigation, but it's a great starting point on the way to becoming a forensic examiner.

Visit cyber.qa.com for more information on how QA can help solve the Cyber Security skills gap.

James Aguilan

Cyber Security Specialist

James Aguilan currently works as a Cybersecurity Researcher. He has provided upskilling and development to government agencies, national critical infrastructure and large corporations through simulated cyber-attacks and forensic investigation workshops. In the past, James worked as a Data Consultant, advising high-profile clients on how to handle their data in civil litigation or criminal investigations. Notably, this includes the largest merger between two US powerhouse conglomerates, a deal worth $87 billion. He has also served as a Cybersecurity Consultant, responding to incidents and performing full forensic investigations. James holds a first-class honours degree in Computer Forensics and is actively working towards a Masters in Network Security and Penetration Testing.