Tuesday, June 7, 2011

My Fav Free Forensic Analysis Tools

I was talking about colleges with my son the other day to see what he is interested in for a possible major. I was hoping and praying he wouldn't say English since my guidance there would be like trying to divide by zero or philosophy because that meant he'd be living here until his late 30's. He told me he was interested in being a detective. Well! I must say my ears perked right up! I have always thought the two best careers in IT are forensics and data center. But no...he wants to be a actual detective...like you know the ones that carry a badge and stuff. I'm not sure were that even came from to be honest. He doesn't watch detective shows or read detective novels. Heck the closest I was to ever being a detective was looking for my pants and wondering why I was wearing moose antler horns and a eye patch after a blackout. Well I guess it could been worse. He could have wanted to go to Auburn...

Best comptia A+ Training, Comptia A+ Certification at Certkingdom.com

But that got me thinking about forensics itself and some of the tools I use. I believe that if someone is just getting into IT and they want a solid career path, it's hard to beat forensic science or data center engineering. Understand to be good in forensics you really need to understand HOW data actually works and moves though a system. Forensics is a top level discipline that you work towards after you master PCs, servers, networking (especially networking) and coding. Sounds tough but man alive is it a lot of fun. I would not say I am a forensics expert. Not even close. I am more of a hobbyist in this area. Now some of the tools out there in forensics are VERY expensive due to their incredible speed and "court room" validation.

However, if you just wanting to mess around and practice on a few machines to see if this is a career path for you, here are a few of the freebie tools I use and have had a ton of success with.

Are your pants on fire yet? Web Browsers analysis
This most common use I see for forensic hobbyist is getting to a history file when the history has been erased. This is a browser specific function so the tools must use the browser API's to accomplish this. Here are a few of my favs:
- From across the pond the folks at Forensics-software http://forensic-software.co.uk have two most excellent tools. Fox Analysis and Chrome Analysis
- If it's IE your looking for then its really hard to beat Nirsoft http://www.nirsoft.net/ I absolutely love their IECookieViewer They have a bunch of other tools as well for you to mess around with but their IE stuff is really second to none. Honorable mention to their Skype Log View as well. Very cool tool!

Email Fun
Email is more difficult to find a freeware tool on the forensics side of the house. Email is really a database with a bunch of insane tables and procedures that can lead you down a path more dangerous then walking around Olongopo drunk with money falling out of your pockets. And before you ask No wasn't me on the don't do this poster... Email Detective is a proggy we used back in the AOL/Compuserv days to rebuild email. About the only game on the freeware side of the track is from MiTec http://www.mitec.cz/mailview.html out of the Czech Republic called Mail Viewer It's lightweight and works good on Outlook Express, T-Bird and Windows Live email. See the commonality here? All of the email is cached or stored local and not on a server. For Outlook and other server based DB style systems, I just have not found a good freeware email tool I really like too much.

Lookin' for a file in a haystack
There are so many attributes to look at with files. The good news here is there is no shortage of really good freebie tools that allow you dissect a file with the precision of a kid removing the vegetables out of Kung Pow Chicken. For stuff like reconstructing images to see if folks have been taking pictures of you eating a salad at a steakhouse (I was watching for my wife!) it's hard to beat Forensic Image Viewer from Sanderson Forensics http://www.sandersonforensics.com also check out MFTview while your there. He requires you to register to download, but it is totally worth it!
- A tool I really love to mess around with is Memoryze from Mandiant http://www.mandiant.com/products/free_software/memoryze/ This digital bundle of awesomeness allows you to analyze live memory and even page files on a running system. It works great even on memory images. Oh man this tools digital foot must be hurtin' from the ass it kicks!

But, isn't there a ISO we can use like BackTrack instead of messin' round and piece mailing all of these tools?
ISO are really awesome. Just like there are many different fishing lures to catch Bass, there's also multiple ISO for different forensics needs. Of course you can just use the forensics mode on BT and it works good also. Here are a couple others I keep close at hand.
- Caine Live CD http://www.caine-live.net/ is one of my favs. Full featured with a ton of useful scripts built right in, this is a great general propose ISO with great support and really does Italy proud!
- Deft Linuxhttp://www.deftlinux.net/ another great ISO from Italy this is also another full featured ISO. It is very well documented and man alive is it fast! When I need speed, I turn to Deft!
- Plain Sight http://www.plainsight.info/ is a great ISO to get started on messing around with forensics and it has a lot horsepower too! The volatile memory examination tools are really the stuff!

Websites baby!
Some of my RSS locked forensics favs are:
- http://www.forensicfocus.com/ hardcore folks, news and training here!
- http://www.forensicswiki.org/wiki/Tools Nice up to date tool wiki
- http://www.ciscoworkshops.com Great free geek workshops that cover all things computer geeks dig!

Forensics is a huge field and I believe folks can really make there mark here. It really overlays nearly every single piece of IT out there today and oh man are these folks in demand. Plus it a fun hobby to get into just to really improve your troubleshooting skills. Well, time for me to head off to a customer call. I just glad he likes to talk networking on a Bass boat....

Jimmy Ray Purser

Trivia File Transfer Protocol
Soon after the site was established MGM/UA set up a website for Hackers it was hacked! A group calling itself the Internet Liberation Front managed to draw all over the photo of Hackers stars Angelina Jolie and Jonny Lee Miller, and replaced verbiage, 'this is going to be an entertaining, fun promotional site for a movie,' with 'this is going to be a lame, cheesy promotional site for a movie!' The studio decided to maintain the site during the theatrical run of the movie in its altered form. At least their not Sony....

No comments:

Post a Comment