Wednesday, August 26, 2009

Goin' commando

Cory had post a bit ago about using alternatives to commercial analysis suites when conducting an exam, and that got me to thinking...when I wrote WFA 2/e, one of the things I was acutely aware of was that some of the information would age pretty quickly; that is, from the time that I submitted the manuscript (early March) until the book was published (June), there would be a LOT of things that changed or improved, with new tools and new versions coming out. So something like a published book would be a good start, but it wouldn't be a great way to keep track of freely available tools that may be of use. Considering the fact that in most cases, folks don't even look for (or in some cases, write) tools until they actually need them, something online and easily edited (ForensicWiki) would be a better resource for tracking this sort of thing. The ForensicWiki would also be a great resource for not only providing information about tools (free or otherwise) for conducting analysis, but also for information on the format on the files being analyzed.

As a side note, I've found that over the past year or more, with the exception of PCI-specific searches, I've pretty much gone commando (i.e., sans dongle) on my exams, relying instead on specific, free tools...not because I have anything against the commercial stuff, but because the free tools fit the bill for what I needed. Does that make me a bad person?

Anyway, I think that is would be a great place to start throwing up information, discussion and links to free and open-source tools that folks are using for analyzing various files or formats. This can include general stuff (such as, does anyone have a good, free grep utility for Windows that doesn't use cygwin?)

For example, over on the ForensicFocus forums recently, there was a question regarding viewing information in MSI files. The original poster (OP) found that one of the recommended tools, InstEd, was extremely helpful for what he needed to do.

So, I'll be posting links to and comments about tools here, but I'd love to have folks send in comments or emails about tools they use that are free and/or open-source, and allow them to "go commando" on their exams. Please, no pictures! ;-)


Anonymous said...
seems to have been superseeded by
but I still use it...


Keydet89 said...

Good stuff...but how do you use it?

TLDietrich said...


While it isn't exactly an "exam tool", one nice open source program I like is PeaZip.

It is a full featured replacement for WinZip or PKZip. One of the additional features is that it will open .ISO images and files can be exported. (The website says it will open .DMG files as well, but I haven't tried those.)

Jon said...

Tracking changes to freely available tools on a Wiki is a great idea.
As well as ForensicsWiki, there is also Forensic Wiki ( It has been down for a while but is now back up with a couple more people on board in the Admin Team. Feel free to join and post away.

Claus said...

Have you looked at BareGrep from Bare Metal Software?

Single small (246k) executable.
Free (with splashscreen) or low registered price point.
"portable" so can run off USB drive if desired.
GUI interface.
Highly complex search filters.
Much much more.

There are quite a few other grep tools for Windows but I like this one a lot.

BTW...have you seen this yet?

Sweeping 9th Circuit Decision Regarding Law Enforcement Officer Computer Forensics - SANS Forensic Blog.

I'm curious to your take. It could have implications from both sysadmins and forensics folks.


Claus V.

Jason said...

I also use the UnixUtils on my Windows systems - makes it easier since I can just use commands I'm used to in Linux (ls vs. dir for example). It also provides a free grep.

I use Sun's Virtualbox as my vm platform of choice. It appears (no true benchmarking) to be faster. In it's native VDI format it supports an "immutable" function. I just wish it had support for DD raw images directly.

Though not free, The Journal by DavidRM Software, is an excellent tool for keeping track of information (i.e. how-tos) and logging work performed. It's only about $50, so it's very workable for any budget. It's new version has just been released... looking forward to it.

Brett Shavers said...

There are quite few listings here - with freeware/shareware/demoware. Some of the links are broken but there are enough small toolsets that something would be of interest to everyone.