How to perform a digital forensic analysis using only free tools

Currently, there are a lot of good forensics commercial tools, can be used to perform a whole dfir workflow. However, several analyst anche companies cannot afford the purchase of those (awesome) tools.

For this reason, all my dfir tutorial are based only on opensource or free tools.
Today, I'd like to share a full list of this kind of tools.

Acquisition

CAINE

CAINE (Computer Aided INvestigative Environment) is an Italian GNU/Linux live distribution created as a Digital Forensics project and managed by Nanni Bassetti. 

The main design objectives that CAINE aims to guarantee are the following:

• an interoperable environment that supports the digital investigator during the four phases of the digital investigation
• a user-friendly graphical interface
• user-friendly tools

This environment can be used to perform, using DD utility, physical disk acquisition on local USB disk or over network.

References

• Forensic disk acquisition over the network

---

FTK Imager Lite

FTK Imager is a free tool developed by The Access Data Group for creating disk images without making changes to the original evidence.

This tool is also useful for volatile memory acquisition: from my point of view, it creates better images than other windows tools.

References

• How to dump volatile memory on Windows systems?

---

AVML

AVML is a volatile memory acquisition tool written in Rust, intended to be deployed as a static binary.

AVML can be used to acquire memory without knowing the target OS distribution or kernel a priori. No on-target compilation or fingerprinting is needed.

References

• Linux Forensics: Memory Capture and Analysis

---

LIME

LiME is a Loadable Kernel Module (LKM) developed for volatile memory acquisition from Linux and Linux-based devices, such as Android.

It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.

In order to use a LiME memory dump with volatility, a memory profile must be generated on target sistem.

References

• How to generate a Volatility profile for a Linux system

---

MacPmem

MacPmem is a Osx Kernel Extension (kext, a dynamically loaded bundle of executable code that runs in kernel space) that, once loaded, exposes two new devices:

• /dev/pmem: allows physical memory read access, but can be built also with write support.
• /dev/pmem_info: Exposes informational dump.

Using this devices, a standard acquisition using DD can be simply accomplished.

References

• OS X forensic acquisition: a basic workflow

---

Data extraction and analysis

The SleuthKit

The Sleuth Kit (TSK) is a library and collection of utilities for extracting data from disk drives and other storage so as to facilitate the forensic analysis of computer systems. 
The collection is open source and protected by the GPL, the CPL and the IPL.

References

• How to extract data and timeline from Master File Table on NTFS filesystem
• Extract filesystem bodyfile from a VirtualBox VM

---

Photorec

PhotoRec is file data recovery software designed to recover lost files including video, documents and archives from hard disks and CD-ROMs. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media's file system has been severely damaged or reformatted.

TestDisk

TestDisk is a free data recovery tool primarily designed to help recover lost partitions and undelete files from FAT, exFAT, NTFS and Undelete files from FAT, exFAT, NTFS and ext2 filesystem filesystem.

References

• Some thoughts about file carving
• Four tools for File Carving in forensic analysis

---

VShadowInfo and VShadowMount

Shadow Copy (also known as Volume Snapshot Service, Volume Shadow Copy Service or VSS) is a technology included in Microsoft Windows that allows taking manual or automatic backup copies or snapshots of computer files or volumes, even when they are in use.

libvshadow is a library to access the Volume Shadow Snapshot (VSS) format.

ARSENAL Image Mounter

Arsenal Image Mounter mounts the contents of disk images as a real SCSI disks in Windows, allowing integration with Disk Manager, launching virtual machines (and then bypassing Windows authentication), managing BitLocker-protected volumes, mounting Volume Shadow Copies, and more.

ShadowCopyView

ShadowCopyView is tool developed by Nirsoft that lists the snapshots created by the 'Volume Shadow Copy' service of Windows 10/8/7/Vista.

References

• Volume Shadow Copies in forensic analysis
• Accessing Volume Shadow Copies within a forensic image

---

Plaso

Plaso is a Python-based engine designed to extract timestamps from various files found on a typical computer system(s) and aggregate them, into a enhanced timeline, called super timeline.

The super timeline goes beyond the traditional file system timeline creation based on metadata extracted from acquired images by extending it with more sources, including more artifacts that provide valuable information to the investigation.

The technique was published in June 2010, on the SANS reading room, in a paper from Kristinn Gudjonssonas part of his GCFA gold certification.

References

• Forensic Timeline Creation: my own workflow

---

Volatility

The well-known open source memory forensics framework for incident response and malware analysis.

About Volatility I’ve already written several posts and books.

References

• Volatility articles

---

Autopsy

Autopsy is a digital forensics platform and graphical interface to The Sleuth Kit and other digital forensics tools. It can be used to investigate what happened on a computer system, but also to recover and analyze files.

References

• Open a VMWare Disk Image (VMDK) with Autopsy for forensics analisys
• How to convert a Parallels Disk Image with qemu-img for forensics analysis with Autopsy