Forensic Community and FOSS Tools

Forensics Community

One of the great things about digital forensics is the people who support the community. Forensics, like many others in InfoSec, are full of highly skilled individuals who share their knowledge online. While extraordinary individuals ones make challenges for others to test their skills. My latest example is the DFIR MADNESS site and the “Case of the Stolen Szechuan Sauce” (https://dfirmadness.com/the-stolen-szechuan-sauce/) Much thanks to James Smith (@DFIRmadness) for provide us with this forensics jewel. Not only do your get the images and the answers, but James has provided an outline of how to approach answering the questions. With great reference links, not just Google searches!


FOSS Tools

I tinker with the usual suite of FOSS tools that forensicators use and rely on in their daily work. There are many tools out there and some are more “famous” than others. The golden rules are: make sure you understand what you are looking for, know all the places you need to look for supporting indicators, know what the tool is doing while making sure you can verify the results. Which is much easier said that done.

The tools I use most often to process images and their artifacts are :
Autopsy (https://www.autopsy.com/) from Brain Carrier (https://dfir-training.basistech.com/) I took two courses; one free, called “Intro to DFIR: The Divide and Conquer Process (3 hours long) and one paid, called “Autopsy Basics and Hands On” that is 8 hours long. The Intro to DFIR is well done and the Autopsy Basics is a great way to get you up to speed using Autopsy.

Basistech also make an interesting product CyberTriage, which I tested in December 2020 – https://www.cybertriage.com/ . Depending on the skills of your IT staff, and your IR or forensics needs, you might find this of use.

RegRipper ( https://github.com/keydet89/RegRipper3.0 ) from Harlan Carvey. Don’t forget his excellent blog https://windowsir.blogspot.com/ Excellent source of critical thinking in forensics.

SANS has the SIFT workstation, which is an absolute treasure chest.
https://digital-forensics.sans.org/community/downloads
I have used it for many years and every update provides even more goodies than before. The “swiss army knife” of forensics tools.

Volatility – the original – for memory analysis: https://github.com/volatilityfoundation


Reverse Engineering

I have mostly used https://remnux.org/ from the amazingly talented Lenny Zeltser. I was at SANS SanDiego in 2003 where he hosted a night class on what would later become the SANS GREM. https://digital-forensics.sans.org/certification/grem

Other options include: FireEye FLARE https://github.com/fireeye/flare-vm

Fernando Mercês https://twitter.com/mer0x36 A very interesting github project: https://github.com/mentebinaria/retoolkit


Exceptions to the FOSS rule

Last year I celebrated surviving 9 months of working at home and bought Magnet Forensics AXIOM. I have used its predecessor, Internet Evidence Finder (IEF) since 2004, but this product is being phased out for AXIOM. I use AXIOM as a reference platform, because I can just throw images at it and it processes them automatically.

Not that “push button” forensics is what forensics is all about, but it can be a time saver; especially if you want to do timeline analysis of several images. I have seldom worked on more than two or three images or devices at a time, so I am sure those who do have their own techniques for handling all the data. So I generally, process the image with Autopsy / Axiom while I do the manual “sniper forensics” on the side with SIFT.

Leave a Reply

Your email address will not be published. Required fields are marked *