Wednesday, February 20, 2008

Getting started, or forensic analysis on the cheap

Quite often, I'll see posts or receive emails from folks asking about how to get started in the computer forensic analysis field. What most folks don't realize is that "getting into" this field really isn't so much about the classes you took at a college or the fact that you have a copy of EnCase. What it's about is how well you know your stuff, what you're capable of doing, and if you're capable of learning new stuff.

For example, who would you want to hire or work with...someone who only knows how to use one tool (for example, EnCase), or someone who can explain how EnCase does what it does (such as file signature analysis) and can come up with solutions for the problems and challenges that we all run into?

What I've decided to do is compile a list of free (as in "beer") resources that can be used by schools and individuals to develop labs, training exercises, etc., for the purposes of providing an educational background in the field of computer forensic analysis. With nothing more than a laptop and an Internet connection, anyone interested in computer forensics analysis can learn quite a lot without ever spending any $.

Imaging
FTK Imager 2.5.3 (and Lite 2.5.1)
George M. Garner, Jr's FAU
dcfldd - Wiki
dc3dd

Image/File Integrity Verification
MD5Deep

Images/Analysis Challenges
Lance's Forensic Practicals (#1 and #2) (no EnCase? Use FTK Imager to convert the .E0x files to dd format)
NIST Hacking Case
DFTT Tool Testing Images
HoneyNet Project Challenges
VMWare Appliances (FTK Imager will allow you to add these - most of which are *nix-based - as evidence items and create dd-format images)

Analysis Applications
TSK 2.51 (as of 10 Feb 2008...includes Windows versions of the tools, but not the Autopsy Forensic Browser - see the Wiki for how to use the tools)
NOTE: DFLabs is developing PTK, an alternative Sleuthkit interface, and they are reportedly working on a full Windows version, as well!
ProDiscover 4.9 Basic Edition
PyFlag

Mounting/Booting Images
VDK & VDKWin
LiveView (ProDiscover Basic will allow you to create the necessary .vmdk file for a dd-format image)
VMPlayer

Analysis Tools
Perl ('nuff said!!) - my answer for everything, it seems ;-)

File Analysis
MiTec Registry File Viewer - import Registry hive files
TextPad
Rifiuti - INFO2 file parser
BinText - like strings, but better
Windows File Analyzer

File Carving
Scalpel

Browser History
WebHistorian

Archive Utilities
Universal Extractor
jZip
PeaZip

AV and Related Tools
Miss Identify - identify Win32 PE files (different from an AV scan)
GriSoft AVG Free Edition anti-virus
Avira AntiVir PersonalEdition anti-virus
McAfee Stinger - standalone tool to scan for specific malware
ThreatFire (requires live system, best when used w/ AV)
GMER Rootkit Detection (requires live system)

Packet Capture and Analysis
PacketMon
WireShark

Other Tools
According to Claus at the GSD blog , Mozilla uses SQLite databases to store information, so if you're doing browser analysis, you may want to take a look at SQLite DB Browser, or SQLiteSpy. If you want to create your own databases in SQLite, check out SQLite Administrator. So, you can use these tools not only for analysis of the Mozilla files, but also with creating your own databases for use with other tools (ie, Perl).

Please keep in mind that this is just a list...and not an exhaustive one...of technical resources that are available. There are many, many other tools available.

Also, all of the technical tools and techniques are for naught if you (a) cannot follow a process, and (b) cannot document what you do.

17 comments:

iamnowonmai said...

You forgot a section on "books!" For people who are really cheap like me, most can be requested through one's local public library.

Keydet89 said...

Actually, I didn't "forget"...if I post everything, what does that leave for others?

So...what books do you get from your public library, in pursuit of CF knowledge??

Tyler said...

Great list!

May I also suggest ftimes. It is capable of file carving, gathering MAC times, file analysis, etc. It is freely available (as in beer) and is available on Windows as well.

iamnowonmai said...

Of course I didn't borrow "Windows Incident Response" from the library, I *purchased* a copy ;)

But there is:
File System Forensic Analysis - Carrier, Brian
Incident Response and Computer Forensics - Mandia, Kevin and Prosise, Chris
Real Digital Forensics - Jones, Keith and Bejtlich, Richard

for a start...

inuk-x said...

Thanks Harlan, very useful and very needed. Now we just need to find a similar/updated list of resources for network security monitoring (NSM).

Claus Valca said...

Great tools and utilities roundup! Once you get started it is very hard to stop!

I often drop in over at the SecurityFocus website. Their Infocus: Incidents section often contains great "case-studies" that walk readers through an investigation and the different approaches and techniques that could be used.

I also had been listening to the LiveAmmo computer forensics podcast archives

They had a set of podcasts on Digital Forensics and Hacking Investigations. (5 episodes I think). Each ran about 35-45 min long. I am assuming they are still available. I still have them on my iPod at least...

Rich said...

Great list! I have a couple others:

Zietline- a forensic timeline editor
http://projects.cerias.purdue.edu/forensics/timeline.php

And, although not a forensic tool, one used to document your investigations:
Casenotes
http://www.qccis.com/content.php?section=casenotes

Claus Valca said...

Oh yes,

Almost forgot these.

I'm not a forensics guy (though some days I wish I were), but I do find many of the principles and methods useful to know from a "foundations" standpoint when I am assessing a response strategy for a malware/virus infection on one of our desktop systems. Plus it provides me a good perspective for what to do/not do when I encounter "material" on a system that might very well be handed off to our own internal investigations division so I don't accidentally compromise something in my initial response and assessment.

Another of your posts linked to TechPathways, which turns out has a free "ProDiscover" GUI-based computer forensic software package. It looks nice for people wanting to get their feet wet in this area.

Also, I have found the following Linux "Live-CD's" that have a particularly useful forensics bent to them. All free.

Plan-B

Helix

FIRE

FCCU GNU/Linux Forensic Boot CD

Penguin Sleuth Bootable CD

PLAC

--Cheers!

Keydet89 said...

Rich,

Great tools. Unfortunately, the Zietline link is "403". I stopped by and started checking out your blog, as well...very cool.

Inuk-x,

Try reaching out to Richard Bejtlich on that one...

Claus,

Wow!

PDBasic was linked in my blog post. I've been a user of PD since version 3 and I'm eagerly awaiting the release of version 5.0. I've been told that some of the things I've been concerned about for about 2 yrs now should be addressed after the release.

Thanks for the links to the bootable Linux CDs...these are all very useful and definitely something to keep in mind and have handy (as in, on hand, and know how to use them).

JL said...

This is a great list. There are a few of thing I would add, though:

Acquisition:
PsTools (nice collection of tools that list files, users currently logged on, system info)

Fport

Oem3sr2.zip

Memory Acquisition:

MDD (Yeah, I know it wasn't available at the time you posted this)

Win32dd (Also wasn't around at the time you posted)

Memory Analysis:

Volatility

PtFinder


Network Analysis:
TCP Flow (Linux)

p0f (Linux)

Snort (Linux)

Tcpdump

laptop battery said...

The blog is nice. I like it very much. Laptop batteries

Anonymous said...

Awesome write up and very concise list. I didn't know each of them so I've got something new to try out. Thank you

Ed Smiley said...

Anyone know what happened to the LiveAmmo computer forensics podcasts referenced above? Are they worth checkout out even though they are (guessing) over a year old?

Harlan,

This post is incredibly useful. How about a revisit to this with updated links and an incorporation of the tools listed in the comments.

Love the site!
Ed

Keydet89 said...

Ed,

Thanks, and you may be right...I'll see what I can do...

h

Keydet89 said...

Ed,

So you know, Google returns multiple hits for the podcast archives...

Ed Smiley said...

Harlan,

Unfortunately, they just seem to be directories that mirror the info, but kept the original download links. So when you try to go listen or download, you get a 404. I am still digging. If I find something, I will post it here.

Thanks!
Ed

cheap computers said...

It sounds good that they have decided to do is compile a list of free resources that can be used by schools and individuals to develop labs, training exercises etc, for the purposes of providing an educational background in the field of computer forensic analysis.