October 2019 - Stark 4N6

Tuesday, October 8, 2019

10 Free Forensic Tools I Can't Live Without

In perusing YouTube I always come across everyday carry lists or GQ's series on 10 things some celebrity can't live without. Here I've compiled a list of free forensic tools that I use constantly for investigations and daily work. I carry all of these tools on a USB drive for quick access when traveling. Let me know your thoughts: what are some of your favorite free tools?

Arsenal Image Mounter
Arsenal's Image Mounter is a very useful tool for mounting evidence files so you can get direct access to the files they contain, while bypassing UAC in certain respects. They continue to push updates to the current beta with new features.

Autopsy
Basis Technology's Autopsy is a completely free forensic suite that can be fully customized with plugins for your parsing needs. You can even add your own Python plugins (I recommend Mark McKinnon's set). It gets updated a few times a year with new features.

DB Browser for SQLite
SQLite databases are everywhere, from web browsers to third-party applications to nearly every corner of Android file systems. DB Browser lets you view database structures very easily and even execute custom SQL queries to pull out the information you need.

Eric Zimmerman's Tools
Yes, I'm aware this is multiple tools in one, but there is so much room for automation across the board. You can "set it and forget it" by running multiple collection or parsing modules. Having JLECmd, LECmd, PECmd and MFTECmd work in tandem to get you to meaningful data quickly means everything while triaging.

ExifTool
Phil Harvey's ExifTool pulls as much metadata as it can out of a very large variety of media types. You can even run it on multiple files and have the results written to files. This is especially useful for images taken with a phone, which can contain information such as lat/long.
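Running ExifTool over a folder of phone photos with its JSON output option leaves you with a file you still have to turn into something reviewable. The script below is an added example, not code from the original post or from the ExifTool project: it reads the kind of JSON that `exiftool -j` writes (the sample is constructed to match ExifTool's default human-readable coordinate format, with made-up files and values), converts the degrees/minutes/seconds strings into signed decimal latitude and longitude, normalizes the EXIF date string, and flags which files actually carry a position. The `Phone Model X` model string and the `IMG_*.jpg` names are assumptions.

```python
"""Added example: post-process `exiftool -j` output for a batch of images.
The JSON below is constructed in ExifTool's default output style; it is not
from real files."""
import json
import re

SAMPLE_EXIFTOOL_JSON = r"""[
{
  "SourceFile": "IMG_0001.jpg",
  "Model": "Phone Model X",
  "DateTimeOriginal": "2019:10:01 09:15:42",
  "GPSLatitude": "40 deg 26' 46.20\" N",
  "GPSLongitude": "79 deg 58' 56.40\" W"
},
{
  "SourceFile": "IMG_0002.jpg",
  "Model": "Phone Model X",
  "DateTimeOriginal": "2019:10:01 09:20:03"
},
{
  "SourceFile": "IMG_0003.jpg",
  "DateTimeOriginal": "2019:10:02 18:01:10",
  "GPSLatitude": "33 deg 52' 12.00\" S",
  "GPSLongitude": "151 deg 12' 30.00\" E"
}
]"""

# ExifTool's default rendering of a coordinate looks like: 40 deg 26' 46.20" N
DMS_RE = re.compile(r"""^\s*(\d+)\s*deg\s*(\d+)'\s*([\d.]+)"\s*([NSEW])\s*$""")


def dms_to_decimal(text):
    """Convert an ExifTool DMS string to signed decimal degrees (S and W negative)."""
    m = DMS_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised coordinate: {text!r}")
    deg, minutes, seconds, ref = m.groups()
    value = int(deg) + int(minutes) / 60 + float(seconds) / 3600
    limit = 90 if ref in "NS" else 180      # reject values a sensor could not produce
    if value > limit:
        raise ValueError(f"coordinate out of range: {text!r}")
    return -value if ref in "SW" else value


def exif_datetime_to_iso(text):
    """EXIF stores 'YYYY:MM:DD HH:MM:SS' in camera local time with no zone; make it ISO-like."""
    date, _, clock = text.partition(" ")
    return date.replace(":", "-") + "T" + clock


def parse_exiftool_json(text):
    """Return one record per file; lat/lon are floats, or None when the image is untagged."""
    records = []
    for entry in json.loads(text):
        lat = entry.get("GPSLatitude")
        lon = entry.get("GPSLongitude")
        taken = entry.get("DateTimeOriginal")
        records.append({
            "file": entry["SourceFile"],
            "model": entry.get("Model"),
            "taken": exif_datetime_to_iso(taken) if taken else None,
            "lat": dms_to_decimal(lat) if lat else None,
            "lon": dms_to_decimal(lon) if lon else None,
        })
    records.sort(key=lambda r: r["taken"] or "")   # chronological, untagged dates first
    return records


def geotagged(records):
    """Only the files that carry a usable position."""
    return [r for r in records if r["lat"] is not None and r["lon"] is not None]


if __name__ == "__main__":
    for r in parse_exiftool_json(SAMPLE_EXIFTOOL_JSON):
        print(r["file"], r["taken"], r["lat"], r["lon"])
```

If you run ExifTool with `-n` it emits signed decimals instead of DMS strings, which removes the need for `dms_to_decimal`; the parser above handles the default output you get when you forget that flag. Keep in mind that `DateTimeOriginal` is whatever the phone's clock said, with no time zone, so treat it as local time until you can tie it to another source.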

FTK Imager
It may not be the preferred tool for capturing RAM or mounting images anymore, but it is still useful for quickly viewing file systems and forensic images. I still find myself using the command-line version to take full disk images in remote situations.

Hindsight
Ryan Benson has one of, if not the best, Chrome forensic parsing tools out there. It pulls out all the relevant info you'd expect and more, and exports it into a nice timeline for you. It also works great for the Edge browser as it transitions to a Chromium-based backend.
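The DB Browser for SQLite and Chrome parsing entries above come together in the same place: Chrome's `History` file is a SQLite database, and the part that trips people up is that its timestamps are microseconds since 1601-01-01 UTC (the WebKit epoch) rather than Unix time. The script below is an added example, not code from the original post, from DB Browser or from Ryan Benson's tool. It builds a constructed `History` database (the `urls` and `visits` columns it uses match Chrome's schema, but the rows are made up, not real evidence), opens it read-only, and runs the same query you would paste into DB Browser's Execute SQL tab, converting the timestamp both in SQLite itself and in Python so you can confirm the two agree. The sample URLs and titles are assumptions.

```python
"""Added example: build a constructed Chrome-style History database and
produce a visit timeline from it, the way you would in DB Browser for
SQLite or with a Chrome parser."""
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Chrome stores times as microseconds since 1601-01-01 UTC (the WebKit epoch).
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Seconds between the WebKit epoch (1601) and the Unix epoch (1970).
WEBKIT_UNIX_OFFSET = 11644473600


def webkit_to_utc(us):
    """Convert a WebKit timestamp (int microseconds) to an aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def utc_to_webkit(dt):
    """Inverse of webkit_to_utc; used only to build the constructed sample."""
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


# Constructed sample visits (not real evidence): (url, title, UTC visit time).
SAMPLE_VISITS = [
    ("https://example.com/login", "Sign in",
     datetime(2019, 10, 1, 14, 22, 31, tzinfo=timezone.utc)),
    ("https://example.com/reports/q3.xlsx", "Q3 report",
     datetime(2019, 10, 1, 14, 25, 2, tzinfo=timezone.utc)),
    ("https://mail.example.net/compose", "New message",
     datetime(2019, 10, 1, 14, 31, 45, tzinfo=timezone.utc)),
]


def build_sample_history(path):
    """Create a History file with the subset of Chrome's schema the query needs."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER DEFAULT 0, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER,
                             visit_time INTEGER, transition INTEGER DEFAULT 0);
    """)
    for i, (url, title, when) in enumerate(SAMPLE_VISITS, start=1):
        ts = utc_to_webkit(when)
        con.execute("INSERT INTO urls VALUES (?, ?, ?, 1, ?)", (i, url, title, ts))
        con.execute("INSERT INTO visits VALUES (?, ?, ?, 0)", (i, i, ts))
    con.commit()
    con.close()


# The query as you would type it into DB Browser. The datetime() expression
# does the WebKit-to-UTC conversion inside SQLite, so the result is readable
# without any scripting at all.
TIMELINE_SQL = """
SELECT v.visit_time,
       datetime(v.visit_time / 1000000 - 11644473600, 'unixepoch') AS visit_utc,
       u.url, u.title
FROM visits v JOIN urls u ON u.id = v.url
WHERE u.url LIKE ?
ORDER BY v.visit_time
"""


def history_timeline(path, url_filter="%"):
    """Return [(python_utc, sqlite_utc, url, title)] for visits matching url_filter."""
    # Open read-only so the tool itself can never alter the evidence copy.
    con = sqlite3.connect(Path(path).as_uri() + "?mode=ro", uri=True)
    try:
        rows = con.execute(TIMELINE_SQL, (url_filter,)).fetchall()
    finally:
        con.close()
    return [(webkit_to_utc(t).strftime("%Y-%m-%d %H:%M:%S"), sq, url, title)
            for t, sq, url, title in rows]


def demo(url_filter="%"):
    """Build the constructed database in a temp directory and return its timeline."""
    path = os.path.join(tempfile.mkdtemp(), "History")
    build_sample_history(path)
    return history_timeline(path, url_filter)


if __name__ == "__main__":
    for row in demo():
        print(*row, sep="\t")
```

The `WHERE u.url LIKE ?` clause is where the DB Browser habit pays off: narrowing to `%.xlsx` or a particular host is a one-line change to the query rather than a scroll through thousands of rows. Always work on a copy of the `History` file; Chrome keeps it locked while running, and opening the original read-write from a tool risks touching it.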

SRUM-DUMP
This one is more of the new kid on the block for me; I only learned about the SRUM artifacts last year. There is definitely some excellent information in there on what application usage is happening on the system and what can be parsed. Some excellent research from Yogesh can be found here. SRUM-DUMP from Mark Baggett is command line but fairly simple to execute (he even has a GUI beta now).

USB Detective
Some of the most common investigations I take part in are of the "did a person take any documents on a USB drive?" variety. Using USB Detective we can correlate the relevant registry hives as well as the setupapi logs and display them in a way that makes sense. Proving that device X was plugged in or mounted at a certain time can provide further evidence of data exfiltration.
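One of the sources USB Detective correlates is `setupapi.dev.log`, which records a section for every device install, including the first time a USB storage device was connected. The parser below is an added example, not code from the original post or from USB Detective: it walks the `>>> [Device Install ...]` / `<<< [Exit status: ...]` sections of a constructed log excerpt (the device IDs, serials and timestamps are made up), splits the USBSTOR device ID into vendor, product, revision and serial, notes whether the serial is one the device reported or one Windows generated, and returns the earliest install time per serial. The sample lines are constructed to follow the log's layout; they are not from a real system.

```python
"""Added example: pull USB storage first-install times out of setupapi.dev.log.
The log excerpt is constructed (made-up devices and times), not real evidence."""
import re
from datetime import datetime

SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\4C530001234567891234&0]
>>>  Section start 2019/10/01 14:20:11.123
      cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
     dvi: {Build Driver List} 14:20:11.145
     dvi: {Build Driver List - exit(0x00000000)} 14:20:11.160
<<<  Section end 2019/10/01 14:20:13.456
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USB\VID_046D&PID_C52B\6&2f1a3b4c&0&3]
>>>  Section start 2019/10/02 08:00:00.500
      cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
<<<  Section end 2019/10/02 08:00:02.000
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\0019E06B9C5BBE8123456789&0]
>>>  Section start 2019/10/03 09:02:44.001
      cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
<<<  Section end 2019/10/03 09:02:45.250
<<<  [Exit status: SUCCESS]
"""

SECTION_START = re.compile(r"^>>>\s+\[(?P<action>.+?) - (?P<device>.+)\]\s*$")
SECTION_TIME = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")
SECTION_END = re.compile(r"^<<<\s+Section end (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")
EXIT_STATUS = re.compile(r"^<<<\s+\[Exit status: (?P<status>[A-Z_]+)\]")


def parse_timestamp(text):
    """setupapi times are the system's local time, not UTC; keep them naive."""
    return datetime.strptime(text, "%Y/%m/%d %H:%M:%S.%f")


def split_device_id(device_id):
    """Break ENUM\\<hardware id>\\<instance> into its parts."""
    parts = device_id.split("\\")
    instance = parts[-1]
    info = {"device_id": device_id, "enumerator": parts[0], "instance": instance}
    if parts[0].upper() == "USBSTOR" and len(parts) == 3:
        fields = parts[1].split("&")
        info["type"] = fields[0]                      # Disk, CdRom, ...
        for field in fields[1:]:
            key, _, value = field.partition("_")
            info[{"Ven": "vendor", "Prod": "product", "Rev": "revision"}.get(key, key)] = value
    # If the device reported no serial number, Windows generates the instance
    # id, and generated ids have '&' as their second character.
    info["unique_serial"] = len(instance) > 1 and instance[1] != "&"
    info["serial"] = instance.rsplit("&", 1)[0] if info["unique_serial"] else None
    return info


def parse_setupapi(text):
    """Return one record per completed device-install section, in log order."""
    records, current = [], None
    for line in text.splitlines():
        m = SECTION_START.match(line)
        if m:
            current = {"action": m["action"], "start": None, "end": None, "status": None}
            current.update(split_device_id(m["device"]))
            continue
        if current is None:
            continue
        m = SECTION_TIME.match(line)
        if m:
            current["start"] = parse_timestamp(m["ts"])
            continue
        m = SECTION_END.match(line)
        if m:
            current["end"] = parse_timestamp(m["ts"])
            continue
        m = EXIT_STATUS.match(line)
        if m:
            current["status"] = m["status"]
            records.append(current)
            current = None
    return records


def usb_storage_installs(records):
    """Only the USBSTOR sections, which are the ones that matter for a removable-media question."""
    return [r for r in records if r["enumerator"].upper() == "USBSTOR"]


def first_seen(records):
    """Earliest install start per reported serial, as ISO strings in system local time."""
    seen = {}
    for r in usb_storage_installs(records):
        if r["serial"] and r["start"] and (r["serial"] not in seen or r["start"] < seen[r["serial"]]):
            seen[r["serial"]] = r["start"]
    return {serial: ts.isoformat(timespec="milliseconds") for serial, ts in seen.items()}


if __name__ == "__main__":
    for serial, ts in first_seen(parse_setupapi(SAMPLE_LOG)).items():
        print(serial, ts)
```

The timestamps here are local system time, and the log only captures the first install of a driver for a device, not every later insertion; that is exactly why a tool like USB Detective lines this up against the registry (USBSTOR keys, MountedDevices and the user's MountPoints2) before you state that a device was present at a given time.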

Volatility
Are there any other memory forensic tools that you use? Probably not, because Volatility does it so well. I am by no means an expert in this area, as I don't do it nearly as often, but it is extremely useful for pulling data that is only memory resident, especially full disk encryption keys. The V3 beta will be unveiled at OSDFCon.