- Details
-
Created on Wednesday, 28 December 2011 22:00
Over the past couple of days Harlan has been talking about people contributing to the DFIR profession and acknowledging the creators of free software. During an email exchange with him I confessed that I have only once thanked the creator of a free tool, I had always assumed (remember assume makes and ass out of u and me) that they knew how much their work was valued. In the conversation with Harlan it became apparent that this is not the case. Which makes sense when I think about it, why shouldn't I expect everyone else be a selfish bastard just like me? So this evening I started having a look at the free software on my computer and started emailing thank you’s to the creators. While I was at it I thought I would compile the following list of non-forensic tools I use for forensics (I figure that forensics people would already be familiar with the forensic ones). How about after reading this post you have a look at the free tools you use and send the creator a quick note of thanks, let’s see if we can flood an inbox or two....
The only requirement for a program to make it into this list is that a version of it is given away for free. So "free as in beer" apps like vmware player, made by a multimillion dollar company are included alongside true Open Source programs like SQLite Database Browser. I figure that if someone is going to go to the effort of writing a great application they should be free to distribute it as they see fit (sorry Mr Stallman).
If you are after a list of Free forensic tools there are already quite a few out there. Some good ones are:
The forensicswiki tools page
E-Evidence info, other tools
Open Source Digital Forensics
and while not specifically forensic, certainly relevant: sectools.org
If you have any others to add please post in the comments, or just send me an email and I will add it to the list.
Now the tools......
To compare Notepad++ to Microsoft’s notepad would be like comparing a Laser to an AC45.
I was put onto Notepad++ by one of my students in a Network Forensics class. In that case we were examining firewall log files, and he mentioned the great highlighting capabilities of notepad++. For log analysis this is really useful as when one block of text is selected all matching blocks are highlighted, really useful when looking for IP addresses in firewall logs.
Other features include:
Code Styles: with a massive list of built in languages, it is now my code editor of choice, in fact I am using it right now.
Linking to external apps: Run your code straight from the editor, or open html straight into the browser
shortcuts remapping: so you can make your system unusable for anyone else ;-)
The only limitation is a lack of spel checking.....
Knowledge management is a critical aspect of Digital Forensics and really any knowledge based profession and Zotero is the best tool I have found for collecting, collating and searching electronic documents. It is intended to be used as a research tool, to support students and academics creating and managing electronic libraries. Currently it runs as a firefox plugin but version 3 will be able to run as a stand alone app, and add support for Chrome and Safari. The best part is that it enables you to archive any file in a matter of seconds. If the file is accessed through your webbrowser the source, title and date are automatically create. It is also able to scan a document and retrieve publication details from a library website.
This means that I have access to all my reference documents without being online, great for when responding in the field. They are also tagged and organized in a manner which is relevant to me. They also offer a cloud service so that libraries can be synced between multiple computers.
If you only look at one tool in this list, this is the one to check out.
There was a time when I had a lab full of computers, all with different operating systems, network configurations and uses. These days all you need is virtualbox or vmware to run as many systems as you want. While I use the commercial VMware workstation, mainly for the team and snapshoting functions, you can do a lot with the free tools.
In the early 2000's I was working with IDS and network traffic analysis and have been a fan of ethereal/wireshark since then. So it is always a surprise to me when people are not familar with it. When it comes to examining network traffic this is still one of the best out there.
I am sure that everyone is familar with Mark Russinovich and Bryce Cogswell's sysinternals tools, while originally designed for system administration and security these tools are great for working out how applications behave on a system and malware analysis.
These days it seems that every application is storing it's data in a SQLite database. While, if you are really masochistic, you can get out winhex (or any other hex editor) and parse the file manually, it is much easier to use this tool. There are a bunch of different sqlite tools out there, and I have not tested them all, but this is the one that works for me.
"Get that Linux feeling - on Windows" is the Cygwin motto, this great little package will give you a bash shell, plus most of the apps you know and love from the Unix/Linux environment. While not quite as good as the real thing it does make it possible to work in a terminal on windows.
ISOBuster is describe as a CD, DVD, BD data recovery tool. It allows low level access and interpretation of most disc file systems, and will show you all the different formats on a disc. There is a basic version available for free, or for $30 to $50 you get the pro version.
This is the best disc burning software out there. Simple and easy to use, but rarely goes wrong. It even has a nice idiot proof interface that even your grandmother could use. However don't be mislead by the simple GUI, it also has a powerful command line interface so you can script image set archiving and verification.
A great open source encryption package, what more can I say?
You can't forensicate without music can you? There are hundreds of different music managers and players out there, but this is the one that works for me.
This great little player supports a huge range of codecs and also seems to handle corrupted files better than anything else out there.
Every now and then VLC won't work and you need to work out what codec a file is using. In these situations GSpot is THE tool. A simple interface gives you more information then you are ever likely to need about any media file you run across. Just make sure you use "gspot codec" if you are going to Google it, searching for gspot will take you to all the wrong places......
This is a nice little app that performs one of the most comprehensive extraction of EXIF data I have found. One other nice feature is that you can point it at a directory full of files and it will dump everything to a csv file. The only limitation is that you have to specify the manufacturer in advance in order to decode the maker notes. Unfortunately it has not been updated since 2007 so the supported maker notes are now probably a little out of date.
In the event that Exif-Viewer does not do the trick for you there is always ExifTool, this is still actively maintained, in fact there was a new version released today! As a command line app this is really easy to incorporate into scripts (in fact there is a PERL Library Module available as well). There is also a GUI interface available if you are not a fan of typing....
When using a windows platform I am a little paranoid (OK extremely paranoid) when doing anything online, occupational hazard I guess. Noscript is a great little Firefox plugin that allows you to control which scripts are run on a webpage and which are not. A great side benefit is that most advertising also gets blocked. It always surprises me when I use a machine without it installed and suddenly see all these adverts popping up on sites that I think of as just having useful information.
