Currently, there are a lot of good commercial forensics tools that can be used to perform a whole DFIR workflow. However, several analysts and companies cannot afford the purchase of those (awesome) tools.
For this reason, all my DFIR tutorials are based only on open source or free tools.

Acquisition

CAINE
CAINE (Computer Aided INvestigative Environment) is an Italian GNU/Linux live distribution created as a Digital Forensics project and managed by Nanni Bassetti. The main design objectives that CAINE aims to guarantee are the following:
This environment can be used to perform physical disk acquisition with the dd utility, onto a local USB disk or over the network.
FTK Imager Lite
FTK Imager is a free tool developed by The Access Data Group for creating disk images without making changes to the original evidence. This tool is also useful for volatile memory acquisition: from my point of view, it creates better images than other Windows tools.
AVML
AVML is a volatile memory acquisition tool written in Rust, intended to be deployed as a static binary.
LiME
LiME is a Loadable Kernel Module (LKM) developed for volatile memory acquisition from Linux and Linux-based devices, such as Android.
In order to use a LiME memory dump with Volatility, a memory profile must be generated on the target system.
MacPmem
MacPmem is an OS X kernel extension (kext, a dynamically loaded bundle of executable code that runs in kernel space) that, once loaded, exposes two new devices:
Using these devices, a standard acquisition with dd can be easily accomplished.
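A dd-based acquisition wrapper, written here as an added example (not code from CAINE or from the MacPmem project), serving both the CAINE local-or-network case and the MacPmem device case above: it images a source with dd, hashes the byte stream as it is written, then re-hashes the stored image so the two hashes can be compared. It assumes GNU coreutils (sha256sum) on the acquisition host; the ssh transport in acquire_over_network is an assumption, since the page names no specific network transport.

```shell
#!/bin/sh
# Added example, not part of CAINE or MacPmem. Assumes GNU coreutils.

# acquire_image SOURCE IMAGE [BLOCKSIZE]
# Writes IMAGE and IMAGE.sha256; returns 0 only if the hash of the bytes read
# from SOURCE equals the hash of IMAGE as re-read from disk afterwards.
acquire_image() {
    src=$1; dst=$2; bs=${3:-64k}
    # Refuse early: a missing source would otherwise yield an empty image
    # whose two hashes still "match".
    [ -r "$src" ] || return 1
    # conv=noerror,sync keeps reading past unreadable sectors and zero-fills
    # them so offsets stay aligned. Caveat: sync also pads the final short
    # block up to BLOCKSIZE, so pass bs=512 when the exact length matters.
    # tee writes the image while sha256sum hashes the very same byte stream.
    stream_hash=$(dd if="$src" bs="$bs" conv=noerror,sync 2>/dev/null \
                  | tee "$dst" | sha256sum | cut -d' ' -f1) || return 1
    # Independent check: hash the image as it now sits on the target medium.
    file_hash=$(sha256sum "$dst" | cut -d' ' -f1) || return 1
    printf '%s  %s\n' "$file_hash" "$(basename "$dst")" > "$dst.sha256"
    [ "$stream_hash" = "$file_hash" ]
}

# verify_image IMAGE: re-check IMAGE against the hash recorded at acquisition
# time (run this again before analysis, or after copying the image elsewhere).
verify_image() {
    ( cd "$(dirname "$1")" && sha256sum -c --status "$(basename "$1").sha256" )
}

# acquire_over_network SOURCE USER@HOST REMOTE_IMAGE [BLOCKSIZE]
# Same idea towards a remote examiner box: the receiving side stores the image
# and hashes the received stream. ssh is an assumed transport.
acquire_over_network() {
    src=$1; remote=$2; rimg=$3; bs=${4:-64k}
    [ -r "$src" ] || return 1
    dd if="$src" bs="$bs" conv=noerror,sync 2>/dev/null \
        | ssh "$remote" "tee '$rimg' | sha256sum > '$rimg.sha256'"
}
```

For a physical disk the SOURCE argument is the raw block device (on CAINE, the one dd would read; with MacPmem, the device the kext exposes), and IMAGE lives on the separate evidence medium.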
Data extraction and analysis

The Sleuth Kit
The Sleuth Kit (TSK) is a library and collection of utilities for extracting data from disk drives and other storage so as to facilitate the forensic analysis of computer systems.
PhotoRec
PhotoRec is file data recovery software designed to recover lost files, including video, documents and archives, from hard disks and CD-ROMs. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media's file system has been severely damaged or reformatted.

TestDisk
TestDisk is a free data recovery tool primarily designed to help recover lost partitions and undelete files from FAT, exFAT, NTFS and ext2 filesystems.
VShadowInfo and VShadowMount
Shadow Copy (also known as Volume Snapshot Service, Volume Shadow Copy Service or VSS) is a technology included in Microsoft Windows that allows taking manual or automatic backup copies or snapshots of computer files or volumes, even when they are in use. libvshadow is a library to access the Volume Shadow Snapshot (VSS) format.

Arsenal Image Mounter
Arsenal Image Mounter mounts the contents of disk images as real SCSI disks in Windows, allowing integration with Disk Manager, launching virtual machines (and then bypassing Windows authentication), managing BitLocker-protected volumes, mounting Volume Shadow Copies, and more.

ShadowCopyView
ShadowCopyView is a tool developed by Nirsoft that lists the snapshots created by the 'Volume Shadow Copy' service of Windows 10/8/7/Vista.
Plaso
Plaso is a Python-based engine designed to extract timestamps from various files found on a typical computer system and aggregate them into an enhanced timeline, called a super timeline. The super timeline goes beyond the traditional file system timeline creation based on metadata extracted from acquired images by extending it with more sources, including more artifacts that provide valuable information to the investigation. The technique was published in June 2010, in the SANS reading room, in a paper by Kristinn Gudjonsson as part of his GCFA gold certification.
Volatility
The well-known open source memory forensics framework for incident response and malware analysis. I've already written several posts and books about Volatility.
Autopsy
Autopsy is a digital forensics platform and graphical interface to The Sleuth Kit and other digital forensics tools. It can be used to investigate what happened on a computer system, but also to recover and analyze files. Autopsy 3.0 is written in Java using the NetBeans platform and was released under the Apache license 2.0. Autopsy 4.0 runs on Windows, Linux, and macOS.