
Best tools for forensic analysis

Almost every day we encounter data leaks from companies or individuals on the Internet, whether due to a misconfiguration in the network and computer systems, or because a cybercriminal has managed to bypass the implemented security measures and succeeds in exfiltrating a large amount of information that subsequently ends up online. Today we will discuss the best forensic analysis tools, because when a cybersecurity incident occurs, it is essential to trace the origin and define how to act so that it does not happen again.

Introduction to digital forensic analysis

Digital forensic analysis is a very important specialty within computer security. It is a set of techniques that allow information to be extracted from the disks and memory of a computer without altering their state. This is used to search for data, trying to detect a pattern or discover information that is not immediately visible. In the face of any security incident, it is essential to perform a digital forensic analysis on all information storage media, such as hard drives, SSDs, USB drives, and other types of internal and external storage.

The work of a forensic computer expert has different stages, the first of which is the acquisition and preservation of data from a system, since it is essential to store all information in a secure location. To carry out this work, both free and paid software tools are used, as well as hardware tools for disk cloning. At this stage it is very important to have an exact copy of the disks and to access the complete file system, analyzing in detail the file system, documents, internal operating system records, and much more.

Next comes the phase of deep analysis of all the information, where the expert will analyze in detail all the information obtained and will attempt to determine what happened to the system that left it exposed, as well as how the data was acquired. There are currently forensic suites that make our lives much easier, as we can search through a large amount of information for exactly what we need. At this point activities such as the recovery of previously deleted files take place, since a great deal of information can be easily recovered because it has not been overwritten.

Although at first glance one might think that digital forensic analysis is limited only to computers, mobile devices such as smartphones and tablets, and similar devices, it also extends to data we send and transmit over the network (including Wi-Fi), making it very important to have tools of this kind.

If we want to combat cybercrime and protect the digital assets we have on the Internet, the best way to do so is through the use of forensic analysis. Thanks to the tools we are about to cover, we will be able to collect and analyze the critical evidence from various electronic devices and data storage media.

Complete operating systems oriented toward forensic computing

There are currently all-in-one operating systems that include the vast majority of forensic computing tools we will cover below. If you are planning to perform a forensic analysis and have not yet built an all-in-one operating system with your own tools, these operating systems will allow you to get started quickly.

CAINE

CAINE is a complete operating system oriented specifically toward forensic computing. It is Linux-based and incorporates the vast majority of tools we will need to perform a complete forensic analysis. It has a graphical user interface, is very easy to use, although you will naturally need the appropriate knowledge to use each and every one of its tools.

CAINE can be used in LiveCD mode without touching the storage of the computer on which we want to boot it. In this way, all the information on the hard drive will remain intact for the subsequent copy of all the information. Among the tools included with CAINE we have the following: The Sleuth Kit, Autopsy, RegRipper, Wireshark, PhotoRec, Fsstat, and many others.

A very important aspect of CAINE is that it also provides tools that can be run directly on Windows operating systems, so if we download the ISO image and extract its contents, we can access the Windows software it includes without needing to boot the LiveCD or use a virtual machine. Some of the Windows tools available are: Nirsoft suite + launcher, WinAudit, MWSnap, Arsenal Image Mounter, FTK Imager, Hex Editor, JpegView, Network tools, NTFS Journal viewer, Photorec & TestDisk, QuickHash, NBTempoW, USB Write Protector, VLC, and Windows File Analyzer.

Kali Linux

Kali Linux is one of the most widely used security-focused operating systems, both for pentesting and for forensic computing, as it contains a large number of pre-installed and pre-configured tools to get us performing a forensic analysis as quickly as possible.

This operating system not only has a large number of forensic tools built in, but it also has a specific Live mode for forensic analysis that writes absolutely nothing to the hard drive or internal storage of the computers. It also prevents any removable storage device that is connected from being automatically mounted — that must be done manually by the user.

DEFT Linux and DEFT Zero

The DEFT Linux operating system is also oriented specifically toward forensic analysis. It incorporates the vast majority of tools found in CAINE and Kali Linux and represents yet another available alternative we can use. The most noteworthy aspect of DEFT is that it comes with a large number of forensic tools ready to use.

DEFT Zero

DEFT Zero is a much lighter and more streamlined version of DEFT, oriented toward exactly the same purpose, but requiring fewer resources to run without issues. It is also compatible with both 32-bit and 64-bit systems as well as UEFI systems.

Free forensic analysis tools

Now that we have covered all the operating systems oriented toward computer and forensic analysis, let us look at different free tools for carrying out forensic tasks. All the tools we are going to show you are completely free, and in fact they are included in the Linux distributions we just covered.

Autopsy and The Sleuth Kit

The Autopsy tool is one of the most widely used and recommended. It brings together many open-source programs and plugins, acting as a library of Unix- and Windows-based utilities that greatly simplifies the forensic analysis of computer systems.

Autopsy is a graphical user interface that displays the results of a forensic search. This tool is widely used by law enforcement, the military, and corporations when they want to investigate what happened on a computer.

One of the most interesting aspects is that it is extensible, meaning users can add new plugins easily and quickly. It incorporates some tools by default, such as PhotoRec for file recovery, and can even extract EXIF data from images and videos.

As for The Sleuth Kit, it is a collection of command-line tools for investigating and analyzing the volumes and file systems used in digital forensic investigations. With its modular design, it can be used to obtain the right data and find evidence. It runs on Linux, Windows, and Unix platforms.

Magnet Encrypted Disk Detector

This tool operates via the command line and quickly and non-intrusively checks a computer for encrypted volumes, so that other tools can subsequently be used to attempt to access them. The latest available version is 3.0, which is the recommended version. It is also advisable to use Windows 7 or later. This tool allows us to detect physical disks encrypted with TrueCrypt, PGP, VeraCrypt, SafeBoot, or Microsoft's BitLocker. Magnet Encrypted Disk Detector is completely free, but you will need to register on their official website to download it.

Magnet RAM Capture and RAM Capturer

Magnet RAM Capture is a tool designed to acquire the physical memory of the computer on which it is used. By using it, we can recover and analyze very valuable data stored in RAM that is not found on a hard drive or SSD. In certain cases we may need to look for evidence directly in RAM, and we must remember that RAM is volatile and is wiped every time we shut down the computer.

What can we find in RAM? Processes, programs running on the system, network connections, malware evidence, user credentials, and much more. This tool allows the raw, unprocessed memory data to be exported for later loading into other tools specifically designed for that purpose. Of course, this software is also free.

Another similar tool is RAM Capturer, which allows us to dump RAM data from a computer to a hard drive, USB drive, or other removable storage device. This tool will allow us to access user credentials for encrypted volumes such as TrueCrypt, BitLocker, PGP Disk, or login credentials for many webmail services and social networks, since all of this information is typically stored in RAM.

Magnet Process Capture

MAGNET Process Capture is a free tool that allows us to capture the memory of individual processes on a system — that is, if we need to know the data being used by a specific process on our operating system, we can do so with this tool.

Magnet Web Page Saver and FAW

MAGNET Web Page Saver is an alternative to the previous tool and is kept up to date, so all the latest improvements are available. This tool is perfect for capturing the state of a website at a specific moment in time, and is especially useful when we want to display a website but have no Internet connection. Additionally, this tool allows captures of each page to be taken; we can specify URLs manually or by importing them via a text or CSV file, and we can easily browse the downloaded website.

FAW, or Forensics Acquisition of Websites, is a tool that allows us to download complete web pages for subsequent forensic analysis. The requirements for this tool are very basic, so you will be able to run it without any issues. With this tool we can acquire web page evidence easily and quickly. Other interesting features include the ability to decide which area of the website we want to analyze, capture images, capture the HTML source code, and even integrate with Wireshark, which we cover later in this article.

SIFT

SIFT, which stands for SANS Investigative Forensic Toolkit, is a comprehensive set of forensic tools and one of the most popular open-source incident response platforms. In terms of operating systems, there is a version available for use in a virtual machine running Ubuntu LTS 16.04 in its 64-bit version. This version has undergone significant changes, including better memory utilization, automatic updates of the DFIR (digital forensics and incident response) package, the latest forensic tools and techniques, and cross-availability between Linux and Windows.

This tool is a genuinely interesting and recommended all-in-one solution. All the tools are free and are designed to perform detailed digital forensic examinations supporting a wide variety of situations. One of the most notable aspects is that it is updated very frequently.

Volatility is another open-source memory forensics application for incident response and malware analysis, and it is included in SIFT. It allows investigators to analyze the runtime state of a device by reading RAM. Volatility is not updated frequently, but the framework is genuinely powerful and remains maintained.

We recommend visiting their official website where you will find all the details about this excellent tool.

Programs for hashing and integrity checking

HashMyFiles helps you calculate MD5 and SHA1 hashes and works on almost all Windows operating systems. This tool is one of the most widely used for calculating these hashes and ensuring the integrity of all files — if even a single bit changes, the hash will change completely. There are many other programs of this type, both for Windows and Linux. On Windows we also have IgorWare Hasher, HashCheck, HashTools, and many others; for Linux, md5sum and sha1sum are installed by default in the operating system itself.
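The acquisition stage described at the start of this article and the hashing tools just listed are two halves of the same workflow: hash the evidence once while it is being imaged, record the digests, and re-hash later to prove the image is still bit-for-bit identical. The following script is an added example (it is not code from the article or from any of the tools named in it) that does this in a single pass over the source. It works on any readable path, so it can be pointed at a block device such as a USB drive when run with sufficient privileges (an assumption; the demo uses a temporary file), and it shows that flipping a single bit in the image makes every digest change and the verification fail.

```python
"""Added example (not from the article): image a source and hash it in one
pass, write a sidecar manifest, and verify the image later. Works on any
readable path, so it also applies to a block device such as /dev/sdb when run
with sufficient privileges (assumed; the demo below uses a temp file)."""
import hashlib
import json
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB reads keep memory flat on multi-terabyte sources


def hash_stream(path, sink=None, chunk_size=CHUNK):
    """Hash a file or device in a single pass; optionally copy the bytes to sink."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    total = 0
    with open(path, "rb") as src:
        while True:
            chunk = src.read(chunk_size)
            if not chunk:
                break
            for h in digests.values():
                h.update(chunk)
            if sink is not None:
                sink.write(chunk)
            total += len(chunk)
    result = {name: h.hexdigest() for name, h in digests.items()}
    result["bytes"] = total
    return result


def acquire(src_path, image_path):
    """Copy src_path to image_path and write image_path + '.json' as the manifest."""
    with open(image_path, "wb") as sink:
        digests = hash_stream(src_path, sink=sink)
    manifest = {"source": os.path.abspath(src_path),
                "image": os.path.basename(image_path), **digests}
    with open(image_path + ".json", "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify(image_path):
    """Recompute the digests and compare them with the manifest.
    Returns (ok, mismatches) where mismatches maps name -> (expected, actual)."""
    with open(image_path + ".json") as f:
        expected = json.load(f)
    actual = hash_stream(image_path)
    mismatches = {k: (expected[k], actual[k])
                  for k in ("md5", "sha1", "sha256", "bytes") if expected[k] != actual[k]}
    return (not mismatches, mismatches)


def flip_bit(path, offset, bit):
    """Flip one bit in place, simulating corruption or tampering of the image."""
    with open(path, "r+b") as f:
        f.seek(offset)
        value = f.read(1)[0]
        f.seek(offset)
        f.write(bytes([value ^ (1 << bit)]))


def demo():
    """Constructed sample: a three-byte 'disk' containing b'abc'."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "sda.raw")
    with open(src, "wb") as f:
        f.write(b"abc")
    image = os.path.join(work, "evidence.dd")
    manifest = acquire(src, image)
    ok_before, _ = verify(image)
    flip_bit(image, 0, 0)          # 'a' (0x61) becomes '`' (0x60)
    ok_after, diff = verify(image)
    return manifest, ok_before, ok_after, diff


if __name__ == "__main__":
    manifest, before, after, diff = demo()
    print(json.dumps(manifest, indent=2))
    print("verify after acquisition:", before)
    print("verify after one-bit flip:", after, diff)
```

Computing MD5, SHA-1 and SHA-256 together costs one read of the source instead of three, which matters when the source is a multi-terabyte drive; the manifest records the byte count as well, so a truncated copy is caught even before the digests are compared.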

CrowdResponse

CrowdResponse is a Windows application from CrowdStrike. This tool allows you to collect operating system information in order to respond to incidents that have occurred and any security compromises of the system. This program is portable, requires no installation, and all modules are integrated into the main application with no third-party external tools required.

CrowdResponse is ideal for non-intrusive data collection from multiple systems when deployed on the network. It also includes other useful tools for investigators, such as the Shellshock Scanner, which will scan your network for a Shellshock vulnerability, and much more.

Exiftool

Every image and video contains EXIF data with all the metadata of the file. This free tool will help you read, write, and edit meta-information for various file types. It can read EXIF, GPS, IPTC, XMP, JFIF, GeoTIFF, Photoshop IRB, FlashPix, and more. This tool runs directly without requiring installation, is portable, and is available for both Windows and macOS.

This tool is a standalone Perl library plus a command-line application for reading, writing, and editing meta-information in a wide variety of formats.

As you can see, it supports many different metadata formats, and some of its features include geotagging images from GPS track log files with time drift correction, as well as generating track logs from geotagged images.

This tool is one of the most complete for viewing all the metadata of an image.
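To make concrete what ExifTool is reading when it reports a camera make, model or timestamp, here is an added example (not the article's and not ExifTool's code) of a minimal Exif reader: it walks the JPEG marker segments to the APP1 segment, parses the embedded TIFF structure in either byte order, and returns the IFD0 tags. A small builder constructs a JPEG with a handful of Exif entries so the reader can be run offline; the tag numbers and names are the standard TIFF/Exif ones, and the sample values are constructed.

```python
"""Added example (not from the article, and not ExifTool's code): a minimal
reader for the Exif APP1 segment of a JPEG, plus a builder that constructs a
small JPEG to run it against. Tag names are the standard TIFF/Exif IFD0 tags."""
import struct

TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0112: "Orientation",
             0x0132: "DateTime", 0x8769: "ExifIFDPointer", 0x8825: "GPSInfoIFDPointer"}
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4}  # BYTE, ASCII, SHORT, LONG


def parse_tiff(t):
    """Parse the TIFF structure inside an Exif segment and return IFD0 tags."""
    endian = {b"II": "<", b"MM": ">"}[t[:2]]
    magic, ifd_off = struct.unpack_from(endian + "HI", t, 2)
    if magic != 42:
        raise ValueError("bad TIFF magic")
    count, = struct.unpack_from(endian + "H", t, ifd_off)
    tags = {}
    for i in range(count):
        ent = ifd_off + 2 + 12 * i
        tag, typ, n = struct.unpack_from(endian + "HHI", t, ent)
        size = TYPE_SIZE.get(typ, 0) * n
        if size == 0:
            continue                       # unknown type: skip, do not guess
        # Values of 4 bytes or less are stored inline; larger ones sit at an offset.
        vpos = ent + 8 if size <= 4 else struct.unpack_from(endian + "I", t, ent + 8)[0]
        raw = t[vpos:vpos + size]
        if len(raw) < size:
            continue                       # truncated entry: skip rather than crash
        if typ == 2:
            value = raw.rstrip(b"\x00").decode("ascii", "replace")
        elif typ in (3, 4):
            nums = struct.unpack(endian + str(n) + ("H" if typ == 3 else "I"), raw)
            value = nums[0] if n == 1 else nums
        else:
            value = raw
        tags[TAG_NAMES.get(tag, "0x%04X" % tag)] = value
    return tags


def read_exif(jpeg):
    """Walk JPEG marker segments until the Exif APP1 segment (or SOS/EOI)."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    off = 2
    while off + 4 <= len(jpeg):
        if jpeg[off] != 0xFF:
            raise ValueError("marker expected at offset %d" % off)
        marker = jpeg[off + 1]
        if marker in (0xD9, 0xDA):        # EOI or start of scan: no more metadata
            break
        seglen, = struct.unpack_from(">H", jpeg, off + 2)
        seg = jpeg[off + 4:off + 2 + seglen]
        if marker == 0xE1 and seg.startswith(b"Exif\x00\x00"):
            return parse_tiff(seg[6:])
        off += 2 + seglen
    return {}


def build_jpeg_with_exif(entries, byteorder=b"II"):
    """Constructed test input: SOI + APP1(Exif, IFD0 with the given entries) + EOI.
    entries: list of (tag, type, value) with type 2 (ASCII) or 3 (SHORT)."""
    e = {b"II": "<", b"MM": ">"}[byteorder]
    data_offset = 8 + 2 + 12 * len(entries) + 4   # first byte after the IFD
    ifd, data = b"", b""
    for tag, typ, val in entries:
        if typ == 2:
            raw = val.encode("ascii") + b"\x00"
            if len(raw) <= 4:
                ifd += struct.pack(e + "HHI", tag, 2, len(raw)) + raw.ljust(4, b"\x00")
            else:
                ifd += struct.pack(e + "HHII", tag, 2, len(raw), data_offset + len(data))
                data += raw
        else:
            ifd += struct.pack(e + "HHIH2x", tag, 3, 1, val)
    tiff = (byteorder + struct.pack(e + "HI", 42, 8) + struct.pack(e + "H", len(entries))
            + ifd + struct.pack(e + "I", 0) + data)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


# Constructed sample metadata; the values are invented.
SAMPLE_ENTRIES = [(0x010F, 2, "ConstructedCam"), (0x0110, 2, "X1"),
                  (0x0112, 3, 1), (0x0132, 2, "2024:01:02 03:04:05")]

if __name__ == "__main__":
    for order in (b"II", b"MM"):
        print(order, read_exif(build_jpeg_with_exif(SAMPLE_ENTRIES, order)))
```

The reader deliberately skips entries with unknown types or out-of-range offsets instead of raising, because metadata in evidence files is often damaged or deliberately malformed and a forensic parser should report what it can recover rather than abort.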

Browser History Capturer (BHC) and Browser History Viewer (BHV)

Browser History Capturer software allows us to capture the web browsing history from any Windows operating system. We can then use Browser History Viewer (BHV), a forensic software tool for extracting and viewing Internet history from the major desktop web browsers.

Both can be found for free. These tools can be run from a USB drive and will essentially capture the history from the major browsers: Chrome, Edge, Firefox, and Internet Explorer. The history files are copied to a destination in their original format for subsequent processing.
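Once a browser's history files have been copied out in their original format, the next step is reading them without modifying the copy. For Chrome and Edge the history file is an SQLite database, and its timestamps are not Unix time. The following added example (not the article's and not the BHC/BHV code) opens a copied `History` file read-only and immutable, queries Chromium's `urls` table, and converts its WebKit timestamps (microseconds since 1601-01-01 UTC) into readable UTC dates; the schema and the file name are assumptions about Chromium's layout, and the sample database is constructed in code.

```python
"""Added example (not from the article, and not BHV's code): read a copied
Chrome/Edge 'History' SQLite file read-only and convert its WebKit timestamps.
Assumed: the schema is Chromium's 'urls' table (url, title, visit_count,
last_visit_time), where last_visit_time is microseconds since 1601-01-01 UTC."""
import datetime
import os
import sqlite3
import tempfile
from urllib.request import pathname2url

WEBKIT_EPOCH = datetime.datetime(1601, 1, 1, tzinfo=datetime.timezone.utc)


def webkit_to_datetime(us):
    """WebKit/Chrome timestamp (microseconds since 1601) -> aware UTC datetime."""
    return WEBKIT_EPOCH + datetime.timedelta(microseconds=us)


def datetime_to_webkit(dt):
    """Inverse conversion; floor division of timedeltas keeps the result exact."""
    return (dt - WEBKIT_EPOCH) // datetime.timedelta(microseconds=1)


def read_history(history_copy):
    """Open the copied file immutable and read-only so the evidence is never modified."""
    uri = "file:%s?mode=ro&immutable=1" % pathname2url(os.path.abspath(history_copy))
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute(
            "SELECT url, title, visit_count, last_visit_time FROM urls "
            "ORDER BY last_visit_time").fetchall()
    finally:
        con.close()
    return [{"url": url, "title": title, "visits": visits,
             "last_visit_utc": webkit_to_datetime(ts).isoformat()}
            for url, title, visits, ts in rows]


def build_sample_history(path):
    """Constructed sample database using the column names of Chromium's 'urls' table."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url LONGVARCHAR, "
                "title LONGVARCHAR, visit_count INTEGER DEFAULT 0, "
                "typed_count INTEGER DEFAULT 0, last_visit_time INTEGER, "
                "hidden INTEGER DEFAULT 0)")
    t0 = datetime.datetime(2020, 1, 1, tzinfo=datetime.timezone.utc)
    rows = [("https://example.com/", "Example Domain", 3, datetime_to_webkit(t0)),
            ("https://example.org/login", "Login", 1,
             datetime_to_webkit(t0 + datetime.timedelta(hours=2)))]
    con.executemany("INSERT INTO urls (url, title, visit_count, last_visit_time) "
                    "VALUES (?, ?, ?, ?)", rows)
    con.commit()
    con.close()


def demo():
    work = tempfile.mkdtemp()
    path = os.path.join(work, "History")   # Chromium's file name for the history DB
    build_sample_history(path)
    return read_history(path)


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The `mode=ro&immutable=1` URI options matter on evidence copies: without them SQLite may create or replay a journal file beside the database, which changes the directory you are supposed to be preserving.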

Paladin Forensic Suite

Paladin is an Ubuntu-based tool that simplifies the task of the forensic analyst. We will find a large number of tools in this suite for performing various tasks. The most notable aspect is that it includes more than 100 very useful tools for investigating computer incidents. Thanks to Paladin, we can simplify and accelerate forensic tasks. This software has a graphical user interface and does not require the use of command-line tools, making it considerably easier to use.

FTK Imager

FTK Imager is a forensic tool for Windows systems that allows us to preview the recoverable data from a disk of any type. It can also create perfect copies, called forensic images, of that data. Among its additional features and functions is the ability to create hash files or mount already-created disk images, which are other important advantages worth mentioning.

At first glance, AccessData FTK Imager appears to be a very professional tool created only for advanced forensic computing experts. However, it is actually easier to use than it appears and can be used by a broader audience.

Bulk_extractor

Bulk_extractor is a forensic computing tool that allows us to scan a disk image, a file, or a directory of files. The results obtained can be easily inspected and analyzed with automated tools. A notable aspect is that this tool is very fast compared to similar programs, because it ignores the file system structure, allowing it to process different parts of the disk in parallel.
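Ignoring the file system is what makes bulk_extractor fast, but it also means every chunk boundary is a place where a feature can be cut in half. The script below is an added example (not the article's and not bulk_extractor's code) that scans a raw image in parallel fixed-size chunks for e-mail addresses and URLs, overlaps the chunks by a margin so a feature straddling a boundary is still seen whole, and reports each feature only from the chunk in which it starts so nothing is double-counted. The regular expressions and the sample image are constructed for the example.

```python
"""Added example (not from the article, and not bulk_extractor's code): scan a
raw image for e-mail addresses and URLs without interpreting any file system,
processing fixed-size chunks in parallel the way bulk_extractor does, and
handling the chunk-boundary case so nothing is missed or double-counted."""
import os
import re
import tempfile
from collections import Counter
from concurrent.futures import ThreadPoolExecutor

# Constructed patterns, far simpler than bulk_extractor's real scanners. The
# negative lookbehind stops a chunk cut inside an address from yielding a
# bogus shorter address that starts at the chunk edge.
SCANNERS = {
    "email": re.compile(rb"(?<![A-Za-z0-9._%+-])[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "url": re.compile(rb"https?://[A-Za-z0-9./?=&_%+-]+"),
}
MARGIN = 256  # longer than any feature we expect; chunks overlap by this much


def scan_region(path, start, chunk_size):
    """Scan [start, start + chunk_size) plus MARGIN bytes of lookahead.
    Only features that *start* inside the region are reported, so a feature
    straddling the edge is seen whole by the earlier chunk and never twice."""
    lead = 1 if start > 0 else 0   # one byte of context so the lookbehind can see it
    with open(path, "rb") as f:
        f.seek(start - lead)
        data = f.read(lead + chunk_size + MARGIN)
    found = []
    for kind, rx in SCANNERS.items():
        for m in rx.finditer(data):
            rel = m.start() - lead
            if 0 <= rel < chunk_size:
                found.append((kind, start + rel, m.group()))
    return found


def scan_image(path, chunk_size=1 << 20, workers=4):
    """Return sorted (kind, absolute_offset, feature_bytes) for the whole image."""
    size = os.path.getsize(path)
    starts = range(0, size, chunk_size)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        batches = list(pool.map(lambda s: scan_region(path, s, chunk_size), starts))
    return sorted((f for batch in batches for f in batch), key=lambda t: t[1])


def histogram(features, kind):
    """bulk_extractor-style histogram: how often each feature value occurs."""
    return Counter(f[2].decode("ascii", "replace") for f in features if f[0] == kind)


def demo(chunk_size=64):
    """Constructed 'disk image': filler bytes around a few features, laid out so
    that the first address (offsets 59..75) straddles the 64-byte chunk edge."""
    blob = bytearray(b"\x00" * 50)
    blob += b"contact: alice@example.com see https://example.com/login?u=1 "
    blob += b"\xff" * 40 + b"bob@example.org" + b"\x00" * 20
    blob += b"alice@example.com" + b"\x00" * 30
    work = tempfile.mkdtemp()
    path = os.path.join(work, "image.raw")
    with open(path, "wb") as f:
        f.write(blob)
    return scan_image(path, chunk_size=chunk_size)


if __name__ == "__main__":
    feats = demo()
    for kind, offset, value in feats:
        print("%-5s %6d %s" % (kind, offset, value.decode()))
    print(histogram(feats, "email"))
```

The result is independent of the chunk size, which is the property to check whenever you parallelise a carving or feature-extraction pass: run the same image with two different chunk sizes and the feature list must not change.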

LastActivityView

LastActivityView is portable software for viewing the last recorded activity on your PC. Regarding this application, there is an important point to mention: the Windows registry will no longer be updated. LastActivityView has a very good response time and is capable of detecting activity prior to its first run. It also runs with a very low CPU and RAM footprint, so it will not affect the overall performance of your computer. Low resource consumption is a very positive aspect worth noting.

FireEye RedLine

FireEye RedLine is an endpoint security tool that provides host investigation capabilities to users for finding signs of malicious activity through memory and file analysis. It should be noted that it is available on OS X and Linux.

Its main features include the auditing and collection of all running processes and handles from memory, file system metadata, registry data, event logs, network information, services, tasks, and web history. An in-depth analysis capability can also be considered very useful, as it allows the user to establish the timeline and scope of an incident.

Wireshark and Network Miner

Wireshark is currently one of the best network protocol analyzers in existence. It is the most well-known and widely used, cross-platform (Windows, Linux, FreeBSD, and more), and of course completely free. We have discussed this important tool many times at RedesZone, and with it we can perform a comprehensive forensic analysis of the local network by sniffing all packets for later study. Wireshark allows us to perform a deep inspection of all captured packets and has a graphical user interface for viewing everything in detail, classified by layer (physical, data link, network, transport, and application layers). With the information that Wireshark captures, we can view data via TShark through the command line. The most notable feature of Wireshark is its filters, which allow us to filter a large capture to show only what we are interested in.

Network Miner is very similar to Wireshark. It is a network forensic analyzer for Windows, Linux, and Mac OS X. This tool is used to detect operating systems, hostnames, sessions, and which IP addresses and ports were used in a data capture. Network Miner can be used to analyze and even capture packets transferred over the network. We can detect the operating systems of devices on the network, open ports, and much more.
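What Wireshark's display filters and NetworkMiner's host list do can be shown on a small scale with a pcap reader written from scratch. The following added example (not the article's, and not code from Wireshark or NetworkMiner) parses the classic pcap container and the Ethernet, IPv4, TCP and UDP headers, lets a filter function narrow the packets the way a display filter would, and then summarises the hosts seen, the ports that answered a connection attempt, and the conversations between endpoints. The sample capture is constructed in code using documentation IP ranges and zeroed checksums.

```python
"""Added example (not from the article, and not Wireshark's or NetworkMiner's
code): a minimal classic-pcap reader that decodes Ethernet/IPv4/TCP/UDP headers,
applies a filter the way a Wireshark display filter narrows a capture, and
summarises hosts, server ports and conversations as NetworkMiner does.
The sample capture is constructed with documentation IPs and zero checksums."""
import socket
import struct
from collections import Counter

PCAP_MAGIC_LE, PCAP_MAGIC_BE = 0xA1B2C3D4, 0xD4C3B2A1
ETH_IPV4 = 0x0800
TCP_SYN, TCP_ACK = 0x02, 0x10


def read_pcap(data):
    """Yield (timestamp, frame_bytes) for each record in a classic pcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        e = "<"
    elif magic == PCAP_MAGIC_BE:
        e = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    off = 24                                   # global header size
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(e + "IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def parse_frame(frame):
    """Decode Ethernet -> IPv4 -> TCP/UDP; return None for anything else."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    pkt = {"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
           "proto": {6: "tcp", 17: "udp"}.get(frame[23], str(frame[23])),
           "sport": None, "dport": None, "flags": None}
    l4 = 14 + ihl
    if pkt["proto"] in ("tcp", "udp") and len(frame) >= l4 + 4:
        pkt["sport"], pkt["dport"] = struct.unpack_from("!HH", frame, l4)
    if pkt["proto"] == "tcp" and len(frame) >= l4 + 14:
        pkt["flags"] = frame[l4 + 13]          # TCP flags byte
    return pkt


def summarize(data, display_filter=lambda p: True):
    """Hosts, server ports (destination of a TCP SYN without ACK) and conversations."""
    hosts, servers, convs = set(), set(), Counter()
    for _ts, frame in read_pcap(data):
        p = parse_frame(frame)
        if p is None or not display_filter(p):
            continue
        hosts.update((p["src"], p["dst"]))
        if p["flags"] is not None and p["flags"] & (TCP_SYN | TCP_ACK) == TCP_SYN:
            servers.add((p["dst"], p["dport"]))
        convs[(p["src"], p["sport"], p["dst"], p["dport"], p["proto"])] += 1
    return {"hosts": hosts, "servers": servers, "conversations": convs}


# --- constructed sample capture (checksums left at zero; not real traffic) ---
def _ipv4(src, dst, proto, payload):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64,
                     proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETH_IPV4)
    return eth + ip + payload


def tcp_frame(src, dst, sport, dport, flags):
    return _ipv4(src, dst, 6, struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0))


def udp_frame(src, dst, sport, dport, payload):
    return _ipv4(src, dst, 17, struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload)


def build_sample_pcap():
    frames = [tcp_frame("192.0.2.10", "198.51.100.5", 51234, 443, TCP_SYN),
              tcp_frame("198.51.100.5", "192.0.2.10", 443, 51234, TCP_SYN | TCP_ACK),
              tcp_frame("192.0.2.10", "198.51.100.5", 51234, 443, TCP_ACK),
              udp_frame("192.0.2.10", "192.0.2.1", 53000, 53, b"\x00" * 12)]
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, fr in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(fr), len(fr)) + fr
    return out


if __name__ == "__main__":
    capture = build_sample_pcap()
    print(summarize(capture))
    print(summarize(capture, lambda p: p["dport"] == 443))   # like the filter tcp.dstport == 443
```

Treating only a SYN without ACK as evidence of a listening port is the same heuristic a network analyzer applies when it infers "open ports" from a passive capture; the SYN/ACK reply confirms it, while a bare ACK or a UDP datagram says nothing about whether a service is listening.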

Encase

EnCase Forensic is currently the industry standard in digital forensic investigation technology. Once the investigator has learned to use it, it becomes extremely straightforward, especially when handling very complex investigations. The ability to analyze and search large amounts of data quickly and easily is a critical capability of any incident response, computer forensic investigation, or analysis tool. EnCase offers the most advanced, comprehensive, and straightforward way to carry out these complex and labor-intensive tasks across multiple file systems and languages.

EnCase also provides a powerful search engine that allows you to search for specific information within suspect devices. Fuzzy search enables searching for specific keywords or details. Internet and email search enables searching of various email entities across numerous machines. A large number of other search options are available across data through EnCase's search options.

The EnCase Linen utility is a version of EnCase that runs on Linux machines. This utility allows users who work with the Windows-based version to work on a non-Windows operating system. Linen users will be able to handle large hard drives and retrieve data much faster.

EnCase offers the user an intuitive graphical user interface (GUI) that allows for easy navigation. In most cases, a forensic examiner can easily open a suspect file in another window without closing the GUI tool. The National Institute of Standards and Technology (NIST) under its Computer Forensics Tool Testing Project concluded that investigators using EnCase can rely on this tool's reliability in creating accurate and verifiable bit-for-bit images of suspect devices.
