Sunday, April 20, 2008

Free Analysis

What??!? "Free" (as in 'beer') analysis? A bit ago, I blogged about Forensic Analysis on the Cheap, and I wanted to revisit that topic, particularly to mention a couple of tools I've run across since then...

Event Logs
In an earlier post, I mentioned some tools you could use to perform Event Log analysis. I still like the functionality in EvtUI (although I may be seen as biased because I wrote it), but if tools like this scare you, there are other options available. For example, Event Log Explorer is a nice little little app, and you can obtain a free license for its use. In direct mode, it works just like EvtUI, accessing the event records directly within a .evt file extracted from an acquired image.

Registry Analysis
I have to say that I'm really partial to RegRipper and its associated CLI utility, rip.exe. A couple of minor tweaks, as well as some new plugins, both of which were recently added, make this an immensely useful (not to mention unique) tool.

When looking for things I may want/need to add as plugins to RegRipper, my favorite Registry Viewer to use is MiTeC's RFV. I can go through the hive file and look at things, and fire rip.exe off against it without having to unload the hive or anything like that. RFV is a great Registry Viewer that facilitates the development of plugins.

File Carving
I've mentioned scalpel before as a tool for file carving...XaberSoft provides a GUI interface for setting up the scalpel config file

Another useful tool for file carving is PhotoRec. Even though its intended for extracting image files, I'm sure that there are a number of folks out there interested in doing just that...

Other Tools
Shadow Explorer - I haven't had an opportunity to try this tool yet, but I'm told that it's great for recovering files using Vista's Volume Shadow Copy Service. If you can boot an acquired image using LiveView, and log into the running image, you may be able to get some useful information or recover some files using this tool.


SynJunkie said...

I know it's not a windows app but I just love Foremost for file recovery. Saying that, I think it will run under cygwin.

By the way, reg ripper was great. I'm looking forward to the new version



H. Carvey said...

From ForensicWiki...

Foremost is a Linux based program data for recovering deleted files and served as the basis for the more modern Scalpel.

Also, from another site...

Scalpel resulted from a complete rewrite of foremost 0.69, a popular open source file carver, to enhance performance and decrease memory usage.

Unknown said...

Hmmm.. "newbie" label. Smart. :)


Mark said...

Hi, you mention photorec as a tool intended for extracting image files. PhotoRec is my ultimate tool for file carving (over 80 file types at the moment, a.o. .reg, .evt, .lnk etc.). PhotoRec is also able to carve files from Encase E01 files (EWF). The results of recent tests are that PhotoRec is much better in file carving compared with FTK and Encase. An absolute must have !