Computer Forensics has become one of the most sought-after skills in the Information Security field, and many people have wondered "How do I get into Forensics?" and SANS Investigative Forensic Toolkit (SIFT) Workstation - The SIFT Workstation is a VMware appliance, pre-configured with the tools needed to perform detailed digital forensic examinations in a variety of settings. It is compatible with Expert Witness Format (E01), Advanced Forensic Format (AFF), and raw (dd) evidence formats. The brand new version has been completely rebuilt on an Ubuntu base with many new capabilities and tools, such as log2timeline, which produces a timeline that can be of enormous value to investigators.
Linux OS – Ensure the following is installed (it may be present by default in many distros)
Mandiant Web Historian - helps users review the list of websites (URLs) stored in the history files of the most commonly used browsers, including Internet Explorer, Firefox and Chrome.
Mandiant Redline - Redline is a free utility from MANDIANT that accelerates the process of triaging hosts suspected of being compromised or infected, while supporting in-depth live memory analysis. Designed to help find even the best-hidden malware, it analyzes and rates every running process on a system according to risk, combining Memoryze's live memory analysis with MRI (Malware Risk Index) scoring. Redline makes memory forensics accessible to any investigator without relying on easily defeated signature-based detection.
AccessData FTK Imager - Forensic imager
Access Data Registry Viewer - Offline Windows Registry Viewer
HBGary FastDump - forensically sound Windows™ memory dumping utility (Requires login)
HBGary Responder Community Edition - provides the most thorough and comprehensive memory analysis capability in the industry. Responder™ Community Edition virtually rebuilds all the underlying data structures up to 6 gigabytes of RAM. This includes all physical to virtual address mappings, recreates the object manager, exposes all objects, and enables investigators to perform a complete and comprehensive computer investigation. (Requires login)
QCC Casenote - Application to allow forensic analysts and examiners to securely record their contemporaneous notes electronically.
– Script to parse Windows registry files to txt.
Prefetch-Parser – Parses the prefetch files and displays the information stored in them.
Pasco – Internet Explorer Activity Forensic Analysis Tool
Internet Explorer Cache View - a small utility that reads the cache folder of Internet Explorer, and displays the list of all files currently stored in the cache.
– Recover lost passwords stored by Internet Explorer - a small password management utility that reveals the passwords stored by the Internet Explorer Web browser.
MozillaCacheView – Mozilla/Firefox Browsers History Viewer is a small utility that reads the history data file (history.dat) of Firefox/Mozilla/Netscape Web browsers, and displays the list of all Web pages visited in recent days.
PasswordFox - a small password recovery tool that allows you to view the user names and passwords stored by the Mozilla Firefox Web browser.
SkypeLogView – Skype Log Viewer (.dbb and main.db files) reads the log files created by the Skype application, and displays the details of incoming/outgoing calls, chat messages, and file transfers made by the specified Skype account.
Mail PassView - a small password-recovery tool that reveals the passwords and other account details for popular email clients.
PstPassword - a small utility that recovers lost passwords of Outlook .PST (Personal Folders) files.
OperaCacheView - is a small utility that reads the cache folder of Opera Web browser, and displays the list of all files currently stored in the cache.
ChromeCacheView - is a small utility that reads the cache folder of Google Chrome Web browser, and displays the list of all files currently stored in the cache.
LiveContactsView - is a small utility that allows you to view the details of all contacts in your Windows Live Messenger.
Thumbnail_html – Reads a directory of graphics and creates a web page to display them, along with their EXIF information.
FragView - an application that allows a recursive list of HTML, JPG and Flash files to be viewed in an adjacent pane without having to manually navigate to each one and open it individually. A great time saver, especially for previewing exported webmail fragments!
VideoTriage - designed to produce thumbnails of selected movie files so that the movie doesn’t need to be watched.
Windows File Analyzer – an application that decodes and analyzes the following Windows OS files: Thumbnail Database, ACDSee Thumbnail database, Google Picasa Thumbnail Database, FastStone Viewer Thumbnail Database, HP Digital Imaging Thumbnail Database, Prefetch, Shortcut, Index.dat and Recycle Bin.
FixEvt - is a tool for automating the recovery and analysis of Windows NT5 (XP and 2003) event logs, primarily for computer forensics.
Vista-thumbcache-parser – Parse the Vista thumbcache file
Windows ShellBag Parser – Parses the registry ShellBag keys. ShellBag information is a set of keys in a user registry hive (e.g. the ntuser.dat file) used by the Windows operating system to track a user's window viewing preferences.
Recycle-Bin – Parses the Recycle Bin and outputs information about its contents.
Rifiuti - A Recycle Bin Forensic Analysis Tool.
Forensic Toolkit v2.0 – contains several Win32 Command line tools that can help you examine the files on a NTFS disk partition for unauthorized activity.
Other Useful Utilities
7zip - Open Source file archiver with high compression ratio
VLC media player - a free and open source cross-platform multimedia player and framework that plays most multimedia files as well as DVD, Audio CD, VCD, and various streaming protocols.
MalwareBytes - One of the best anti-virus programs on the market
Sysinternals - a collection of advanced system utilities for Windows.
sqlitebrowser - a light GUI editor for SQLite databases
Mandiant Highlighter - is a free utility designed primarily for security analysts and system administrators. Highlighter provides a user with three views of the log or text file being analyzed:
- a text view that allows users to highlight interesting keywords and remove lines with “known good” content
- a graphical, full-content view that shows all content and the full structure of the file, rendered as an image that is dynamically editable through the user interface
- a histogram view that displays patterns in the file over time. Usage patterns become visually apparent and provide the examiner with useful metadata that is not available in other text viewers/editors.
Firefox - a free and open source web browser
Oracle VirtualBox - powerful x86 and AMD64/Intel64 virtualization product for enterprise as well as home use
TeamViewer - Remote control and screen sharing program.
CutePDF - Converts documents to PDF on the fly, for free.
Filezilla - FTP and SCP client
PuTTY - a free implementation of Telnet and SSH for Windows and Unix platforms, along with an xterm terminal emulator
FastResolver - a small utility that resolves multiple host names into IP addresses and vice versa.
DNSDataView - a GUI alternative to the NSLookup tool that comes with the Windows operating system. It allows you to easily retrieve the DNS records (MX, NS, A, SOA) of the specified domains. You can use the default DNS server of your Internet connection, or any other DNS server that you specify. After retrieving the DNS records for the desired domains, you can save them to a text/XML/HTML/CSV file.
Expresso (Regex Editor) - an editor that is equally suitable as a teaching tool for beginning users of regular expressions or as a full-featured development environment for experienced programmers and web designers with extensive knowledge of regular expressions.
Notepad ++ - a free (as in "free speech" and also as in "free beer") source code editor and Notepad replacement that supports several languages
Microsoft Log Parser 2.2 – a powerful, versatile tool that provides universal query access to text-based data such as log files, XML files and CSV files, as well as key data sources on the Windows operating system such as the Event Log, the Registry, the file system, and Active Directory.