According to Juniper Research, cybercrime losses to businesses will surpass $2 trillion by the year 2019. With data breaches occurring all around the world every day, the demand for experts in computer forensics will also increase. Whether you need to investigate an unauthorized server access, look into an internal case of human resources, or are interested in learning a new skill, these free and open source computer forensics tools will help you conduct in-depth analysis, including hard drive forensics, memory analysis, forensic image exploration, and mobile forensics. However, this is not an extensive list by all means and may not cover all necessary tools required for a complete investigation. It only includes some of the popular and useful tools. Using the right tools can always help you move things faster and result in more productive results.
These are multipurpose forensic toolkits that can carry out a number of detailed digital forensic tasks.
SANS Investigative Forensic Toolkit (SIFT)
Based on Ubuntu, SIFT has all the important tools needed to carry out a detailed forensic analysis or incident response study. It supports analysis in advanced forensic format (AFF), expert witness format (E01) and RAW evidence (DD) format. It comes with tools to carve data files, generate timeline from system logs, examine recycle bins, and much more.
SIFT provides user documentation that allows you to get accustomed to the available tools and their usage. It also explains where evidence can be found on a system. Tools can be opened manually from the terminal window or with the help of top menu bar.
Having more than 100,000 downloads to date, SIFT continues to be a widely used open-source forensic and incident response tool.
New key features Include:
- Ubuntu LTS 16.04 Base
- 64-bit base system
- Auto-DFIR package update and customization
- VMware appliance ready to tackle forensics
- Cross-compatibility between Windows and Linux
- Choice to install stand-alone via (.iso) or use via VMware Player/Workstation
- Online documentation project athttp://sift.readthedocs.org/
Pros: Better utilization of memory, modern forensic tools and techniques, expanded file system support.
Sleuth Kit Autopsy
Autopsy is a digital forensics platform that efficiently analyzes smartphones and hard disks. It is used worldwide by a large number of users, including law enforcement agencies, the military, and corporations to carry out investigations on a computer system. It has an easy-to-use interface, processes data fast, and is cost-effective. Sleuth Kit is a collection that consists of command line tools and a C library allowing the analysis of disk images and file recovery. It is used at the back end in the Autopsy tool.
Key features of Autopsy include:
- Timeline Analysis—Advanced interface for graphical event viewing.
- Hash Filtering—Flags known bad files and overlooks known good files.
- Keyword Search—Indexed keyword search makes file search easier.
- Web Artifacts—Extracting bookmarks, history, and cookies from web browsers.
- Data Carving—Recovering deleted files from unallocated space by using PhotoRec.
- Multimedia—Extracting EXIF from pictures and watching videos.
- Compromise Indicators—Scanning a computer using STIX.
Pros: Good documentation and support
Cons: It requires special user skills because it is based on Unix.
Oxygen Forensic Suite
Available in free and professional versions, this forensics tool helps you to collect evidence from a mobile phone. It collects all device information such as serial number, IMEI, OS, etc., and recovers messages, contacts and call logs. Its file browser feature enables you to have access to and analyze photos, documents, videos and device database.
Some more important features include:
- Built-in cloud data recovery.
- Contact aggregation helps to identify linked profiles from all sources, including app accounts.
- Social graph features identify most frequently communicated contacts, making it easier to conduct the investigation.
- Map feature locates all check-ins, map lookups, visited websites, and messages containing geolocation metadata of all the devices being studied under the case.
- Timeline feature reveals the most active user hours and most common ways in which the device is operated.
- Allows importing messages from three other mobile forensic tools, JTAG/ISP images, RAW/DD files, and chip-off dumps.
Pros: It provides several ways to extract data including Bluetooth, USB cable, iTunes backups, other forensic software backups, and Android backups. Also, the main interface is straightforward and easy to use. It provides sophisticated data analysis and has several useful data analysis features.
Cons: Unlike its competitors XRY and UFED, its free version does not provide advanced features such as cracking Android backups or locked iPhone.
DEFT (digital evidence and forensics toolkit) is a Linux-based distribution that allows professionals and non-experts to gather and preserve forensic data and digital evidence. The free and open source operating system has some of the best computer forensics open source applications. DEFT Zero is a lightweight version released in 2017.
Some of its useful features are as follows:
- Supports 32 and 64 bit hardware with UEFI and secure boot.
- Supports NVMExpress memories and eMMC memories.
- DEFT Zero Linux 2017.1 can be operated in three booting modes: GUI mode, RAM preload GUI mode, and text mode.
Pros: Needs only 400 MB memory to run. This means that it can be run even on a slow or obsolete PC.
Network Forensic Tools
These tools help in the extraction and forensic analysis of activity across the network.
WireShark is one of the most commonly used network protocol analyzers. It allows you to investigate your network activity at the microscopic level. Wireshark is widely used by government agencies, corporations and educational institutes.
- Allows deep investigation into many protocols, with the number of protocols being added constantly.
- Offline and online analysis.
- Supports multiple platforms that include Windows, Solaris, Linux, FreeBSD, Mac OS, NetBSD, and others.
- Network data can by browsed through TTY mode (Tshark utility) or a graphical user interface.
- Powerful display filters.
- Strong VoIP analysis
- Reading/writing enabled in multiple file formats, such as tcpdump (libpcap), Cisco Secure IDS iplog, Network General Sniffer® (compressed and uncompressed), Novell LANalyzer, to name a few.
- Data can be read live from IEEE 802.11, Ethernet, FDDI, Token Ring, and others.
- Supports decryption for various protocols, including Kerberos, ISAKMP, IPsec, SSL/TLS, WPA/WPA2, and WEP.
- Supports the export of output to CSV, XML, or plain text
Pros: Digs deep to uncover minor details in the network data.
Cons: Does not exactly pinpoint the solution you are looking for and dumps raw data into large files for you to figure out.
This is a network forensic analysis tool (NFAT) for Windows, Mac OS X, Linux, and FreeBSD. These tools come in a free edition as well as a professional paid edition. Network Miner’s free edition can
- Work as a passive network sniffer that captures packets to detect hostnames, sessions, open ports and operating systems without generating traffic on network.
- Allow for offline analysis by parsing PCAP files.
- Regenerate transmitted certificates and files from PCAP files.
- Save time of forensic analysts by presenting extracted data with a user-friendly interface.
Pros: Captures network traffic, investigates potential rogue hosts, assembles and extracts files from captured traffic.
This is an open-source network forensic analysis tool (NFAT) that can extract app data from internet traffic. For instance, Xplico can extract email, HTTP contents, VoIP call, FTP, TFTP, etc., from a pcap file. Important features of Xplico are:
- Supports HTTP, IMAP, POP, SIP, SMTP, UDP, TCP, Ipv6 protocols
- Port-independent protocol identification for application protocol
- Outputs data and information as a MySQL or SQLite database
- Associates an XML file with each reassembled data set
- Reverse DNS lookup
- No size limit on number of files or data size
- Supports IPv4 and IPv6
- Modular components, i.e., input interface, output interface, and protocol decoder.
Pros: There is no size limit on number of files or data size. Its command line shows more detail and its geo-map feature can be used in web interface as well as console mode.
Cons: it is not possible to copy packets and send them to two separate dissectors; instead, there is the possibility of losing the packets, as the average processing time for a packet is higher than the average number of packets per second in Xplico.
Forensic Imaging Tools
These tools help in analyzing disk images at microscopic level.
this is a data preview and imaging tool with which one can study files and folders on a hard drive, network drive, and CDs/DVDs. It allows you to:
- review forensic memory dumps or images.
- create MD5 or SHA1 file hashes that are already deleted from the recycle bin, if their data blocks have not already been overwritten.
- mount forensic images to view their contents in browser.
Pros: Creates bit-by-bit image and creates exact replica of the drive, thus allowing the investigator to view deleted or irretrievable files. It also creates a keyword index for every image, which makes future searches easier.
Cons: It doesn’t carve files and lacks recursive export capabilities.
Linux dd is a powerful tool that is installed by default in most Linux distributions (Fedora, Ubuntu). It can be used for conducting a number of forensic tasks like creating raw image of a folder, file, or drive.
On the negative side, it can be quite destructive if not used properly, thus earning the name “Data Destroyer” from some users. It is therefore advisable to test the command in a safe environment first and then apply it to the real data.
This comes with a small, and fast-booting forensic image analysis in a microkernel that runs from portable media. It physically boots the device, captures and authenticates a computer system, and reconstructs the filesystem.
Key features include:
- Securely accounts for data corruption.
- Documents and records data tampering.
- Uses high-speed data compression RW.
- Has the capability for data to span different file systems, media types and output devices.
- Creates detailed data acquisition logs.
- Creates encrypted authentication log file for user actions and locks it to prevent it from being tampered.
Magnet RAM Capture
Magnet Ram Capture is one of the many tools provided by Magnet Forensics. It is a free tool that captures the physical memory of a computer. This can help forensic investigators recover and analyze useful artifacts in the computer’s memory.
Having a small memory footprint, the tool can be run while the overwritten data in the memory is minimized. The collected memory data can be exported in RAW format and uploaded into any of the forensic analysis tools.
RAM evidence captured by the tool includes processes and programs, network connections, registry hives, malware intrusion evidence, decrypted keys and files, usernames and passwords, and any other activity not usually stored on the hard disk.
Pros: Acquires full physical memory fast and leaves small footprint on live system that is under analysis.
This free memory forensic tool helps discover malicious activity in live memory. It can acquire and analyze images from memory.
Key features include:
- Creating an image of entire system memory.
- Creating an image of a specific driver or all drivers in memory to the disk.
- Creating an image of the complete address space of a process to disk.
- Counting all running process and listing them.
- Identifying drivers that are loaded in memory.
FAW (Forensics Acquisition of Websites)
This is the first browser that can acquire web pages from websites available online to conduct forensic investigation.
Its key features include:
- Viewing and editing host files.
- Audio/video capture.
- Acquiring code for iFrames on the webpage.
- Acquiring IP address and hostname of webpage.
- Support for English, French, Italian, and Polish languages.
- Improved performance and stability.
Πηγή : infosecinstitute