How to perform a digital forensic analysis using only free tools
Currently, there are a lot of good commercial forensics tools that can be used to perform a whole DFIR workflow. However, many analysts and companies cannot afford the purchase of those (awesome) tools.
For this reason, all my DFIR tutorials are based only on open-source or free tools.
Today, I'd like to share a full list of these tools.
CAINE (Computer Aided INvestigative Environment) is an Italian GNU/Linux live distribution created as a Digital Forensics project and managed by Nanni Bassetti.
The main design objectives that CAINE aims to guarantee are the following:
- an interoperable environment that supports the digital investigator during the four phases of the digital investigation
- a user-friendly graphical interface
- user-friendly tools
This environment can be used to perform, with the dd utility, physical disk acquisition to a local USB disk or over the network.
FTK Imager Lite
FTK Imager is a free tool developed by The Access Data Group for creating disk images without making changes to the original evidence.
This tool is also useful for volatile memory acquisition: from my point of view, it creates better images than other Windows tools.
AVML is a volatile memory acquisition tool written in Rust, intended to be deployed as a static binary.
AVML can be used to acquire memory without knowing the target OS distribution or kernel a priori. No on-target compilation or fingerprinting is needed.
LiME is a Loadable Kernel Module (LKM) developed for volatile memory acquisition from Linux and Linux-based devices, such as Android.
It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.
In order to use a LiME memory dump with Volatility, a memory profile must be generated on the target system.
MacPmem is an OS X kernel extension (kext, a dynamically loaded bundle of executable code that runs in kernel space) that, once loaded, exposes two new devices:
- /dev/pmem: allows physical memory read access, but can also be built with write support.
- /dev/pmem_info: exposes an informational dump.
Using these devices, a standard acquisition with dd can be accomplished easily.
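The dd acquisitions mentioned for CAINE and MacPmem above, as an added example that is not part of the original post: a small POSIX shell wrapper that images a source with dd, hashes both the source and the resulting image, and records everything in a log. SRC is assumed to be a block device such as /dev/sdb or /dev/pmem, or, for a dry run, an ordinary file; the function and log names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: a minimal self-verifying dd
# acquisition. SRC may be a block device (/dev/sdb, /dev/pmem) or, for a
# dry run, an ordinary file.
set -eu

# Hash helper: sha256sum on Linux, shasum on macOS/BSD.
hash256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# acquire_image SRC DEST LOG
# Images SRC into DEST with dd, hashes both sides and appends the result to
# LOG. conv=noerror keeps going past unreadable sectors and conv=sync
# zero-fills them so later offsets stay aligned; bs=512 keeps that padding
# to sector granularity, because with a large block size a device whose
# size is not a multiple of bs would get trailing zeros and the hashes
# would never match. Returns 0 when source and image hashes match,
# 1 otherwise (read errors, or padding, are the usual reasons; dd's
# stderr is in LOG).
acquire_image() {
    src=$1; dest=$2; log=$3
    printf 'start %s src=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" >>"$log"
    dd if="$src" of="$dest" bs=512 conv=noerror,sync 2>>"$log"
    src_hash=$(hash256 "$src")
    img_hash=$(hash256 "$dest")
    printf 'sha256 source %s\nsha256 image  %s\n' "$src_hash" "$img_hash" >>"$log"
    printf 'end   %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >>"$log"
    [ "$src_hash" = "$img_hash" ]
}
```

The source hash re-reads the device, which is fine for a write-blocked disk but meaningless for live memory through /dev/pmem, whose contents change between the two reads; there, keep only the image hash from the log.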
Data extraction and analysis
The Sleuth Kit (TSK) is a library and collection of utilities for extracting data from disk drives and other storage so as to facilitate the forensic analysis of computer systems.
The collection is open source and protected by the GPL, the CPL and the IPL.
- How to extract data and timeline from Master File Table on NTFS filesystem
- Extract filesystem bodyfile from a VirtualBox VM
PhotoRec is file data recovery software designed to recover lost files including video, documents and archives from hard disks and CD-ROMs. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media's file system has been severely damaged or reformatted.
TestDisk is a free data recovery tool primarily designed to help recover lost partitions and undelete files from FAT, exFAT, NTFS and ext2 filesystems.
VShadowInfo and VShadowMount
Shadow Copy (also known as Volume Snapshot Service, Volume Shadow Copy Service or VSS) is a technology included in Microsoft Windows that allows taking manual or automatic backup copies or snapshots of computer files or volumes, even when they are in use.
libvshadow is a library to access the Volume Shadow Snapshot (VSS) format.
ARSENAL Image Mounter
Arsenal Image Mounter mounts the contents of disk images as real SCSI disks in Windows, allowing integration with Disk Manager, launching virtual machines (and then bypassing Windows authentication), managing BitLocker-protected volumes, mounting Volume Shadow Copies, and more.
ShadowCopyView is a tool developed by Nirsoft that lists the snapshots created by the 'Volume Shadow Copy' service of Windows 10/8/7/Vista.
Plaso is a Python-based engine designed to extract timestamps from various files found on a typical computer system and aggregate them into an enhanced timeline, called a super timeline.
The super timeline goes beyond the traditional file system timeline creation based on metadata extracted from acquired images by extending it with more sources, including more artifacts that provide valuable information to the investigation.
The technique was published in June 2010, in the SANS reading room, in a paper by Kristinn Gudjonsson as part of his GCFA gold certification.
Volatility is the well-known open source memory forensics framework for incident response and malware analysis.
About Volatility I’ve already written several posts and books.
Autopsy is a digital forensics platform and graphical interface to The Sleuth Kit and other digital forensics tools. It can be used to investigate what happened on a computer system, but also to recover and analyze files.