James Aguilan | 19 June 2018
Juniper researchers state that cybercrime will cost businesses over 2 trillion USD by 2019. As those costs rise, the demand for digital forensic experts will increase in tandem. Tools are a forensic examiner's best friend – using the right tool helps to move things faster, improve productivity and gather all the evidence. Here are my top 10 free tools to become a forensic wizard:
1. SIFT Workstation
SIFT (SANS investigative forensic toolkit) Workstation is a freely-available virtual appliance that is configured in Ubuntu 14.04. SIFT contains a suite of forensic tools needed to perform a detailed digital forensic examination. It is one of the most popular open source incident response platforms.
2. Autopsy
Autopsy is a GUI-based open source digital forensic programme for analysing hard drives and smartphones efficiently. Autopsy is used by thousands of users worldwide to investigate what happened on a computer. It was designed to be an end-to-end platform, with modules that come out of the box and others that are available from third parties. Some of the modules provide timeline analysis, keyword searching, data carving and indicator of compromise matching using STIX.
3. FTK Imager
FTK Imager is a data preview and imaging tool used to acquire data (evidence) in a forensically sound manner by creating copies of data without making changes to the original evidence. It saves an image of a hard disk, in one file or in segments, which may be reconstructed later on. It calculates MD5 hash values and confirms the integrity of the data before closing the files.
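The integrity check described above, as an added Python example (not FTK Imager's own code): an image acquired in segments is hashed as one logical stream, the digests are recorded, and a later recomputation detects any change. The "disk image" is a constructed byte pattern, not real evidence.

```python
import hashlib

# Constructed sample "disk image": 1 MiB of deterministic bytes (not real evidence).
IMAGE = bytes(range(256)) * 4096  # 1,048,576 bytes


def split_into_segments(image: bytes, segment_size: int) -> list:
    """Model a segmented acquisition (.001, .002, ...): fixed-size pieces of one image."""
    return [image[i:i + segment_size] for i in range(0, len(image), segment_size)]


def hash_segments(segments, algorithms=("md5", "sha1")) -> dict:
    """Stream every segment, in acquisition order, through one hash context per algorithm.

    The digest covers the reassembled logical image, not any single segment file,
    so it matches the value an imaging tool records for the whole evidence item.
    """
    ctxs = {name: hashlib.new(name) for name in algorithms}
    for seg in segments:
        for ctx in ctxs.values():
            ctx.update(seg)
    return {name: ctx.hexdigest() for name, ctx in ctxs.items()}


def verify_image(segments, recorded: dict) -> dict:
    """Recompute digests and compare with those recorded at acquisition time.

    Returns {algorithm: bool}; any False means the copy no longer matches the original.
    """
    actual = hash_segments(segments, tuple(recorded))
    return {name: actual[name] == recorded[name].lower() for name in recorded}


def main():
    segments = split_into_segments(IMAGE, 256 * 1024)  # four 256 KiB segments
    recorded = hash_segments(segments)  # what the imaging log would hold
    print("segments:", len(segments), "MD5:", recorded["md5"])
    print("intact:", verify_image(segments, recorded))
    # Flip one byte in the last segment to show that verification fails.
    last = segments[-1]
    tampered = segments[:-1] + [bytes([last[0] ^ 0xFF]) + last[1:]]
    print("tampered:", verify_image(tampered, recorded))


if __name__ == "__main__":
    main()
```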
4. DEFT
DEFT is a household name when it comes to digital forensics and intelligence activities. The DEFT Linux distribution is made up of a GNU/Linux system and DART (Digital Advanced Response Toolkit), a suite dedicated to digital forensics and intelligence activities. On boot, the system does not use the swap partitions of the system being analysed, and no automatic mount scripts run during start-up.
5. Volatility
Also built into SIFT, Volatility is an open source memory forensics framework for incident response and malware analysis. It is written in Python and supports Microsoft Windows, Mac OS X and Linux (as of version 2.5). A typical use is the forensic analysis of a raw memory dump taken from a Windows machine: Volatility is used to determine whether or not the PC is infected, since a malicious programme that was running can be identified among, and extracted from, the processes found in the memory dump.
6. LastActivityView
LastActivityView is a tool for the Windows operating system that collects information from various sources on a running system and displays a log of actions made by the user and events that occurred on the computer. The activity displayed by LastActivityView includes: running an .exe file, opening an open/save dialog box, opening a file or folder from Explorer or other software, software installation, system shutdown/start, application or system crashes, and network connection and disconnection.
7. HxD
HxD is a carefully designed and fast hex editor which, in addition to raw disk editing and modifying of main memory (RAM), handles files of any size. The easy-to-use interface offers features such as searching and replacing, exporting, checksums/digests, insertion of byte patterns, a file shredder, concatenation or splitting of files, statistics and much more.
8. CAINE
CAINE offers a complete forensic environment that is organised to integrate existing software tools as software modules and to provide a friendly graphical interface. It is a digital forensics platform and graphical interface to The Sleuth Kit and other digital forensics tools.
9. Redline
Redline is a free endpoint security tool that provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis and the development of a threat assessment profile. Redline can help audit and collect all running processes and drivers from memory, file-system metadata, registry data, event logs, network information, services, tasks and web history; and analyse and view imported audit data, including the ability to filter results around a given timeframe.
10. PlainSight
PlainSight is a versatile computer forensics environment that allows you to perform forensic operations such as: getting hard disk and partition information, extracting user and group information, examining Windows firewall configuration, examining physical memory dumps, extracting LanMan password hashes and previewing a system before acquiring it.
Whether it's for an internal human resources case, an investigation into unauthorized access to a server, or if you just want to learn a new skill, these suites and utilities will help you conduct memory forensic analysis, hard drive forensic analysis, forensic image exploration, forensic imaging and mobile forensics. As such, they all provide the ability to bring back in-depth information about what's 'under the hood' of a system.
This is by no means an extensive list and may not cover everything you need for an investigation, but it's a great starting point to becoming a forensic examiner.
Visit cyber.qa.com for more information on how they can help solve the Cyber Security skills gap.