Computer forensics (forsensik): a selection of useful links

In order to successfully conduct investigations into information security incidents, one must have practical skills in working with tools for extracting digital artifacts. This article will provide a list of useful links and tools for carrying out work on the collection of digital evidence.

The main purpose of such work is the use of methods and means for preserving (immutability), collecting and analyzing digital evidence in order to reconstruct the incident events.

The term "forensics" is an abbreviated form of "forensic science," literally "forensic science," that is, the science of examining evidence — exactly what is called criminology in Russian. The Russian term "forensic" does not mean any forensic science, namely computer.
Some authors share computer forensics and network forensics.

The main field of application of forensics is the analysis and investigation of events in which computer information appears as an object of infringement, a computer as an instrument for committing a crime, as well as any digital evidence.

For the complete collection and analysis of information, various highly specialized utilities are used, which will be discussed below. I want to warn you that when carrying out work on the conclusion in a particular criminal case, the presence of certain certificates and software conformance (FSTEC license) will most likely be considered. In this case, you will have to use combined methods for collecting and analyzing information, or write conclusions and conclusions based on the data obtained from non-certified sources.

Frameworks

• dff - Digital Forensics Framework is an open source platform for extracting and researching data.
• PowerForensics - PowerForensics utility written in PowerShell, designed to study hard drives.
• The Sleuth Kit - The Sleuth Kit (TSK) is a C library and collection of command line tools that allow you to examine disk images.

Real-time utility

• grr - GRR Rapid Response: a tool for investigating and analyzing incidents.
• mig - Mozilla InvestiGator is a distributed, real-time platform for investigating and analyzing incidents.

Work with images (creation, cloning)

• dc3dd is an improved version of the dd console utility.
• adulau / dcfldd is another improved version of dd.
• FTK Imager - FTK Imager- viewing and cloning data carriers in a Windows environment.
• Guymager - view and clone data carriers in a Linux environment.

Data retrieval

• bstrings is an improved version of the popular strings utility.
• bulk_extractor - detect emails , IP addresses, phones from files.
• floss this utility uses advanced static analysis methods to automatically deobfuscate data from binary malware files.
• photorec is a utility for extracting data and image files.

Work with RAM

• inVtero.net is a framework with high speed.
• KeeFarce - extract KeePass passwords from memory.
• Rekall is a RAM dump analysis written in python.
• volatility - The Volatility Framework is a set of utilities for the versatile analysis of physical memory images.
• VolUtility - web interface for the Volatility framework.

Network analysis

• SiLK Tools - traffic analysis tools to facilitate the analysis of the security of large networks.
• Wireshark is a famous network sniffer.

Windows artifacts (extracting files, download histories, USB devices, etc.)

• FastIR Collector - extensive Windows system information collector (registry, file system, services, autoload, etc.)
• FRED is a cross-platform Windows registry analyzer.
• MFT-Parsers - list of comparison of MFT-parsers (MFT - Master File Table).
• MFTExtractor - MFT-parser.
• NTFS journal parser - NTFS log parser.
• NTFS USN Journal parser - - USN log parser.
• RecuperaBit - recover NTFS data.
• python-ntfs - analysis of NTFS data.

OS X study

• OSXAuditor - OS X Auditor.

Internet artifacts

• chrome-url-dumper - extract information from Google Chrome.
• hindsight - analysis of the history of Google Chrome / Chromium.

Time Interval Analysis

• plaso - timestap extraction and aggregation.
• timesketch - timestamp analysis.

Hex editors

• 0xED - HEX editor OS X.
• Hexinator - Windows version of Synalyze It.
• HxD is a small and fast HEX editor.
• iBored - cross-platform HEX editor.
• Synalyze It! - HEX editor in the templates.
• wxHex Editor - cross-platform HEX editor with file comparison.

Converters

• CyberChef is a multi-tool for encoding, decoding, compressing and analyzing data.
• DateDecode - convert binary data.

File analysis

• 010 Editor Templates - templates for the 010 editor.
• Contruct formats - a parser of various types of files in python.
• HFSPlus Grammars - HFS + components for Synalysis
• Sleuth Kit file system grammars - components for different file systems.
• Synalyse It! Grammars - file components for Synalyze It!
• WinHex Templates - file components for WinHex and X-Ways

Processing disk images

• imagemounter - command line utility for quick mounting of disk images
• libewf - Libewf library and utilities for accessing and processing EWF, E01 formats.
• xmount - converting disk images.

Total

To carry out research and collection of digital evidence, it is necessary to adhere to the principles of immutability, integrity, completeness of information and its reliability. To do this, follow the recommendations for software and methods for conducting investigations. In the next article I will give examples of the practical use of tools for analyzing memory images.