What tools do you use for collecting evidence, making disk images, inspecting live memory and so on?
7 Answers
The majority of my forensics work is done after the fact in a lab environment, so by the time I get involved on-line work is too late, i.e. no memory analysis.
Historically I would use
Recently I have started moving away from that combination and on to
- Argus
- Autopsy - For aquisition and system analysis
- BackTrack (Forensics Mode)
- sed/awk/grep/last, etc
In both cases acquisitions are performed using whichever write-blocker is appropriate, most of the ones I use are made by Tableau. One reason I have moved to Autopsy is the support for hash databases, such as NSRL. Another is that it is free. EnCase is a great tool, but expensive.
- 15,167
- 5
- 61
- 91
I haven't seen FTK by access data mentioned. I've used both Encase and FTK a few years ago, they both have their pluses and minuses, but it's another commercially supported and court accepted forensics tool.
I'm partial to write blockers from weibetech, but don't have much experience with other vendors. You might look at the NIST verification for write blockers. There are also verification reports on additional software/hardware from NIST forensic tool testing as that web site.
- 61,367
- 12
- 115
- 320
- 91
- 2
Take a look at bulk_extractor
, a program that automatically finds email addresses, credit card numbers, and other information from disk images. It then produces a histogram which lets you identify the primary use of the hard drive and that person's primary contacts. It even searches in compressed files.
- 515
- 2
- 9
I have not delved much into the topic, but perhaps this site might help you - http://www2.opensourceforensics.org/home.
I always used EnCase and the Coroner's Toolkit (these day's it's the Sleuthkit) along with dd. To be honest now the Helix and BackTrack LiveCDs are pretty much there for technical forensics, internally within an organisation, or if you have no intention of involving law enforcement or courts.
The problem you will have comes if you need to present in court.
At that point, depending on your jurisdiction, EnCase wins hands down - simpley because police forces tend to know about it so can vouch for it in court. If you can't get certified approval for your favourite toolkit, go with EnCase.
- 61,367
- 12
- 115
- 320
Collecting Evidence
network and http capture
Event logs
- 463
- 3
- 9
-
1These are not forensic tools. – AviD Dec 09 '10 at 18:08
-
@AviD, right... and why don't they fit into the categories of network forensics and logfile analysis? wrong OS? – Anonymous Type Dec 09 '10 at 21:34
-
Not at all - what does the choice of OS have to do with it? It's just that these tools - as good as they are for what they do - don't do actual forensics, like e.g. EnCase that has been mentioned. Real forensic tools is not just logfile analysis and network sniffing. – AviD Dec 09 '10 at 21:57
-
Actually both those categories which we agree these tools fit into are categories of computer forensics. I'm pretty sure nowhere in the question does it ask only for all in one tools that do all areas of forensics. Sorry for assuming you were a linux fanboy. – Anonymous Type Dec 10 '10 at 04:05
-
Heh, not at all a fanboy of any sort (but if I was it wouldnt be linux...) But no, these categories are not really what is usually meant by forensics. – AviD Dec 11 '10 at 20:33
-
http://www.forensicswiki.org/wiki/Tools:Network_Forensics seems to disagree with you. – Anonymous Type Dec 13 '10 at 00:42
-
1I think from the question the OP is asking about platform forensics, whereas this thread is on network forensics. I think I'll pop up a similar question on network forensics as I think it is of value. I haven't done a huge amount of it so I'd be interested in the answers as well. – Rory Alsop Dec 14 '10 at 21:37
You can check this article from NIST http://www.cftt.nist.gov/, Although it is not toolbox but a way to perform tests.
- 1,404
- 1
- 11
- 14