For example, who would you want to hire or work with...someone who only knows how to use one tool (for example, EnCase), or someone who can explain how EnCase does what it does (such as file signature analysis) and can come up with solutions for the problems and challenges that we all run into?
What I've decided to do is compile a list of free (as in "beer") resources that can be used by schools and individuals to develop labs, training exercises, etc., for the purposes of providing an educational background in the field of computer forensic analysis. With nothing more than a laptop and an Internet connection, anyone interested in computer forensics analysis can learn quite a lot without ever spending any $.
Imaging
FTK Imager 2.5.3 (and Lite 2.5.1)
George M. Garner, Jr's FAU
dcfldd - Wiki
dc3dd
Image/File Integrity Verification
MD5Deep
Images/Analysis Challenges
Lance's Forensic Practicals (#1 and #2) (no EnCase? Use FTK Imager to convert the .E0x files to dd format)
NIST Hacking Case
DFTT Tool Testing Images
HoneyNet Project Challenges
VMWare Appliances (FTK Imager will allow you to add these - most of which are *nix-based - as evidence items and create dd-format images)
Analysis Applications
TSK 2.51 (as of 10 Feb 2008...includes Windows versions of the tools, but not the Autopsy Forensic Browser - see the Wiki for how to use the tools)
NOTE: DFLabs is developing PTK, an alternative Sleuthkit interface, and they are reportedly working on a full Windows version, as well!
ProDiscover 4.9 Basic Edition
PyFlag
Mounting/Booting Images
VDK & VDKWin
LiveView (ProDiscover Basic will allow you to create the necessary .vmdk file for a dd-format image)
VMPlayer
Analysis Tools
Perl ('nuff said!!) - my answer for everything, it seems ;-)
File Analysis
MiTec Registry File Viewer - import Registry hive files
TextPad
Rifiuti - INFO2 file parser
BinText - like strings, but better
Windows File Analyzer
File Carving
Scalpel
Browser History
WebHistorian
Archive Utilities
Universal Extractor
jZip
PeaZip
AV and Related Tools
Miss Identify - identify Win32 PE files (different from an AV scan)
GriSoft AVG Free Edition anti-virus
Avira AntiVir PersonalEdition anti-virus
McAfee Stinger - standalone tool to scan for specific malware
ThreatFire (requires live system, best when used w/ AV)
GMER Rootkit Detection (requires live system)
Packet Capture and Analysis
PacketMon
WireShark
Other Tools
According to Claus at the GSD blog, Mozilla uses SQLite databases to store information, so if you're doing browser analysis, you may want to take a look at SQLite DB Browser or SQLiteSpy. If you want to create your own databases in SQLite, check out SQLite Administrator. So, you can use these tools not only for analysis of the Mozilla files, but also for creating your own databases for use with other tools (e.g., Perl).
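The Mozilla SQLite analysis described above, as an added example that is not part of the original post: it builds a small places.sqlite lookalike (the real Firefox moz_places/moz_historyvisits table layout, but every row is constructed here) and turns the recorded visits into a UTC timeline, converting Firefox's PRTime microsecond timestamps along the way. It assumes Python 3 with the standard sqlite3 module and nothing else.

```python
"""Added example (not from the original post): read Firefox-style history
from places.sqlite and turn the visits into a UTC timeline.  The tables
follow the real Firefox schema; all rows are constructed for this example."""
import sqlite3
from datetime import datetime, timedelta, timezone

# Constructed sample rows: (id, url, title) and (place_id, visit_date)
# visit_date is PRTime: microseconds since the Unix epoch, in UTC.
SAMPLE_PLACES = [
    (1, "http://example.com/", "Example Home"),
    (2, "http://example.org/tools/", "Free Forensic Tools"),
]
SAMPLE_VISITS = [
    (1, 1202659200000000),  # 2008-02-10 16:00:00 UTC
    (2, 1202662800000000),  # 2008-02-10 17:00:00 UTC
    (1, 1202666400000000),  # 2008-02-10 18:00:00 UTC
]

def build_sample_db():
    """In-memory places.sqlite lookalike. For a real case open a *copy* of the
    evidence file read-only: sqlite3.connect("file:places.sqlite?mode=ro", uri=True)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY,
                                        place_id INTEGER, visit_date INTEGER);
    """)
    con.executemany("INSERT INTO moz_places VALUES (?, ?, ?)", SAMPLE_PLACES)
    con.executemany("INSERT INTO moz_historyvisits (place_id, visit_date) "
                    "VALUES (?, ?)", SAMPLE_VISITS)
    return con

def prtime_to_utc(prtime_us):
    """Convert PRTime (microseconds since 1970-01-01 UTC) without float loss."""
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=prtime_us)

def visit_timeline(con):
    """Return (utc timestamp, url, title) tuples, oldest visit first."""
    rows = con.execute("""
        SELECT v.visit_date, p.url, p.title
        FROM moz_historyvisits AS v JOIN moz_places AS p ON p.id = v.place_id
        ORDER BY v.visit_date
    """).fetchall()
    return [(prtime_to_utc(ts).strftime("%Y-%m-%d %H:%M:%S UTC"), url, title)
            for ts, url, title in rows]

if __name__ == "__main__":
    for entry in visit_timeline(build_sample_db()):
        print(" | ".join(entry))
```

The same query runs unchanged against a copied places.sqlite from a case, and the resulting rows are ready to be merged with file system MAC times in a timeline editor.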
Please keep in mind that this is just a list...and not an exhaustive one...of technical resources that are available. There are many, many other tools available.
Also, all of the technical tools and techniques are for naught if you (a) cannot follow a process, and (b) cannot document what you do.
17 comments:
You forgot a section on "books!" For people who are really cheap like me, most can be requested through one's local public library.
Actually, I didn't "forget"...if I post everything, what does that leave for others?
So...what books do you get from your public library, in pursuit of CF knowledge??
Great list!
May I also suggest ftimes. It is capable of file carving, gathering MAC times, file analysis, etc. It is freely available (as in beer) and is available on Windows as well.
Of course I didn't borrow "Windows Incident Response" from the library, I *purchased* a copy ;)
But there is:
File System Forensic Analysis - Carrier, Brian
Incident Response and Computer Forensics - Mandia, Kevin and Prosise, Chris
Real Digital Forensics - Jones, Keith and Bejtlich, Richard
for a start...
Thanks Harlan, very useful and very needed. Now we just need to find a similar/updated list of resources for network security monitoring (NSM).
Great tools and utilities roundup! Once you get started it is very hard to stop!
I often drop in over at the SecurityFocus website. Their Infocus: Incidents section often contains great "case-studies" that walk readers through an investigation and the different approaches and techniques that could be used.
I also had been listening to the LiveAmmo computer forensics podcast archives
They had a set of podcasts on Digital Forensics and Hacking Investigations. (5 episodes I think). Each ran about 35-45 min long. I am assuming they are still available. I still have them on my iPod at least...
Great list! I have a couple others:
Zeitline - a forensic timeline editor
http://projects.cerias.purdue.edu/forensics/timeline.php
And, although not a forensic tool, one used to document your investigations:
Casenotes
http://www.qccis.com/content.php?section=casenotes
Oh yes,
Almost forgot these.
I'm not a forensics guy (though some days I wish I were), but I do find many of the principles and methods useful to know from a "foundations" standpoint when I am assessing a response strategy for a malware/virus infection on one of our desktop systems. Plus it provides me a good perspective for what to do/not do when I encounter "material" on a system that might very well be handed off to our own internal investigations division so I don't accidentally compromise something in my initial response and assessment.
Another of your posts linked to TechPathways, which it turns out has a free "ProDiscover" GUI-based computer forensic software package. It looks nice for people wanting to get their feet wet in this area.
Also, I have found the following Linux "Live-CD's" that have a particularly useful forensics bent to them. All free.
Plan-B
Helix
FIRE
FCCU GNU/Linux Forensic Boot CD
Penguin Sleuth Bootable CD
PLAC
--Cheers!
Rich,
Great tools. Unfortunately, the Zeitline link is "403". I stopped by and started checking out your blog, as well...very cool.
Inuk-x,
Try reaching out to Richard Bejtlich on that one...
Claus,
Wow!
PDBasic was linked in my blog post. I've been a user of PD since version 3 and I'm eagerly awaiting the release of version 5.0. I've been told that some of the things I've been concerned about for about 2 yrs now should be addressed after the release.
Thanks for the links to the bootable Linux CDs...these are all very useful and definitely something to keep in mind and have handy (as in, on hand, and know how to use them).
This is a great list. There are a few things I would add, though:
Acquisition:
PsTools (nice collection of tools that list files, users currently logged on, system info)
Fport
Oem3sr2.zip
Memory Acquisition:
MDD (Yeah, I know it wasn't available at the time you posted this)
Win32dd (Also wasn't around at the time you posted)
Memory Analysis:
Volatility
PtFinder
Network Analysis:
TCP Flow (Linux)
p0f (Linux)
Snort (Linux)
Tcpdump
Awesome write up and very concise list. I didn't know each of them so I've got something new to try out. Thank you
Anyone know what happened to the LiveAmmo computer forensics podcasts referenced above? Are they worth checking out even though they are (guessing) over a year old?
Harlan,
This post is incredibly useful. How about a revisit to this with updated links and an incorporation of the tools listed in the comments.
Love the site!
Ed
Ed,
Thanks, and you may be right...I'll see what I can do...
h
Ed,
So you know, Google returns multiple hits for the podcast archives...
Harlan,
Unfortunately, they just seem to be directories that mirror the info, but kept the original download links. So when you try to go listen or download, you get a 404. I am still digging. If I find something, I will post it here.
Thanks!
Ed