How to perform a digital forensic analysis using only free tools

Currently there are many good commercial forensics tools that can be used to perform a whole DFIR workflow. However, many analysts and companies cannot afford to purchase those (awesome) tools.

For this reason, all my DFIR tutorials are based only on open-source or free tools.
Today, I’d like to share a full list of this kind of tools.

Acquisition

CAINE

CAINE (Computer Aided INvestigative Environment) is an Italian GNU/Linux live distribution created as a Digital Forensics project and managed by Nanni Bassetti.

The main design objectives that CAINE aims to guarantee are the following:

  • an interoperable environment that supports the digital investigator during the four phases of the digital investigation
  • a user-friendly graphical interface
  • user-friendly tools

This environment can be used to perform, with the dd utility, physical disk acquisition to a local USB disk or over the network.

FTK Imager Lite

FTK Imager is a free tool developed by The Access Data Group for creating disk images without making changes to the original evidence.

This tool is also useful for volatile memory acquisition: from my point of view, it creates better images than other Windows tools.

AVML

AVML is a volatile memory acquisition tool written in Rust, intended to be deployed as a static binary.

AVML can be used to acquire memory without knowing the target OS distribution or kernel a priori. No on-target compilation or fingerprinting is needed.

LiME

LiME is a Loadable Kernel Module (LKM) developed for volatile memory acquisition from Linux and Linux-based devices, such as Android.

It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.

In order to use a LiME memory dump with Volatility, a memory profile must be generated on the target system.

MacPmem

MacPmem is an OS X kernel extension (kext, a dynamically loaded bundle of executable code that runs in kernel space) that, once loaded, exposes two new devices:

  • /dev/pmem: allows physical memory read access, but can also be built with write support.
  • /dev/pmem_info: exposes an informational dump.

Using these devices, a standard acquisition with dd can be easily accomplished.
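As an added example (not from the original post) of the dd-based acquisition mentioned above for CAINE and for MacPmem’s /dev/pmem device: a small POSIX shell function that images a source to a local file, hashes the result, and flags a copy that differs from the original because of unreadable sectors or block padding. Device paths, the collector host name and the port are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: raw acquisition with plain dd as you
# would run it from a CAINE live boot against a block device, or against the
# /dev/pmem device MacPmem exposes. Device names and hosts below are assumptions.
#
# bs=512 is deliberate: conv=sync pads every short read up to bs, so a larger
# block size would append zeros after the last sector and the image hash would
# never match the source. noerror keeps dd going past unreadable sectors and
# sync zero-fills them, so each offset in the image still matches the same
# offset on the media instead of silently shifting.
acquire_image() {
    src="$1"; dst="$2"; verify="${3:-yes}"
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>/dev/null || return 1
    img_hash=$(sha256sum "$dst" | cut -d' ' -f1)
    # Record the image hash beside the image: this is the integrity record you keep.
    printf '%s  %s\n' "$img_hash" "$dst" > "$dst.sha256"
    # Re-reading a disk and comparing proves the copy is complete and unpadded.
    # Volatile sources such as /dev/pmem change while being read, so pass
    # verify=no for them and rely on the image hash alone.
    if [ "$verify" = yes ]; then
        src_hash=$(sha256sum "$src" | cut -d' ' -f1)
        if [ "$src_hash" != "$img_hash" ]; then
            echo "hash mismatch: image differs from source (bad sectors or padding)" >&2
            return 2
        fi
    fi
    echo "$img_hash"
}

# Over the network instead of to a local USB disk, the same dd feeds a listener
# on the collection host (netcat listen syntax varies between builds):
#   target:    dd if=/dev/sdb bs=512 conv=noerror,sync | nc collector 9999
#   collector: nc -l -p 9999 > evidence.dd && sha256sum evidence.dd
# Then hash the source on the target and compare, as acquire_image does locally.

# Stand-alone demo on a constructed 4-sector "device" file; no real disk is touched.
demo_dir=$(mktemp -d)
dd if=/dev/urandom of="$demo_dir/disk.bin" bs=512 count=4 2>/dev/null
acquire_image "$demo_dir/disk.bin" "$demo_dir/disk.dd" \
    && echo "verified image written to $demo_dir/disk.dd"
```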

Data extraction and analysis

The SleuthKit

The Sleuth Kit (TSK) is a library and collection of utilities for extracting data from disk drives and other storage so as to facilitate the forensic analysis of computer systems.
The collection is open source and protected by the GPL, the CPL and the IPL.

Photorec

PhotoRec is file data recovery software designed to recover lost files including video, documents and archives from hard disks and CD-ROMs. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media’s file system has been severely damaged or reformatted.

TestDisk

TestDisk is a free data recovery tool primarily designed to help recover lost partitions and undelete files from FAT, exFAT, NTFS and ext2 filesystems.

VShadowInfo and VShadowMount

Shadow Copy (also known as Volume Snapshot Service, Volume Shadow Copy Service or VSS) is a technology included in Microsoft Windows that allows taking manual or automatic backup copies or snapshots of computer files or volumes, even when they are in use.

libvshadow is a library to access the Volume Shadow Snapshot (VSS) format.

ARSENAL Image Mounter

Arsenal Image Mounter mounts the contents of disk images as real SCSI disks in Windows, allowing integration with Disk Manager, launching virtual machines (and thus bypassing Windows authentication), managing BitLocker-protected volumes, mounting Volume Shadow Copies, and more.

ShadowCopyView

ShadowCopyView is a tool developed by Nirsoft that lists the snapshots created by the ‘Volume Shadow Copy’ service of Windows 10/8/7/Vista.

Plaso

Plaso is a Python-based engine designed to extract timestamps from the various files found on a typical computer system and aggregate them into an enhanced timeline, called a super timeline.

The super timeline goes beyond the traditional file system timeline creation based on metadata extracted from acquired images by extending it with more sources, including more artifacts that provide valuable information to the investigation.

The technique was published in June 2010 in the SANS Reading Room, in a paper by Kristinn Gudjonsson written as part of his GCFA Gold certification.

Volatility

Volatility is the well-known open-source memory forensics framework for incident response and malware analysis.

About Volatility I’ve already written several posts and books.

Autopsy

Autopsy is a digital forensics platform and graphical interface to The Sleuth Kit and other digital forensics tools. It can be used to investigate what happened on a computer system, but also to recover and analyze files.
