Tools for computer forensics (forensics)

8 May 2023 10 minutes Author: Cyber Witcher

Prospects for the development of digital forensics

The development of modern society has led to the emergence of new computer and digital technologies. This trend towards computerization has also borne fruit on the criminal side, because criminal groups increasingly use “virtual” space as a platform for preparing, committing and developing their acts. But, as is well known, the Internet keeps all traces: both passive (technical information about the use of electronic devices) and active (traces of actions taken directly by the user: photos, various records). This gave rise to a fairly new and actively developing branch – digital forensics. Digital forensics is the branch of forensics that studies the detection, recording and use of digital traces left in the “virtual” world of the Internet. Law enforcement agencies that investigate digital crimes therefore have their own specifics in conducting investigative actions aimed at identifying and using traces of crimes; for example, police agencies maintain video banks and video libraries of persons who have been (or are being) processed in cases and materials of police inspections.

In addition, a variety of integration software is used, which expands the capabilities of the technical means in use. Despite the many ways in which technology can replace the human factor and simplify the investigator’s work, discussion among forensic scientists continues. The criminal world does not stand still, and more and more space is given to a relatively new direction – digital forensics.

Multifunctional “harvesters”

  • SIFT Workstation — a set of free, open source forensics and incident response tools from the SANS Institute. A universal and thoroughly documented toolkit based on Ubuntu 20.04 LTS.

  • Appliance for Digital Investigation and Analysis (ADIA) — an open source toolkit for conducting digital investigations and data collection, including Autopsy, Sleuth Kit, Digital Forensics Framework, log2timeline, Xplico and Wireshark. Available as images for VMware and VirtualBox.

  • Skadi — another set of open source utilities that enable the collection, processing, and advanced analysis of forensic artifacts and images. Works on MacOS, Windows and Linux, easily scalable.

  • Autopsy — functional enough to hold its own place on this list. It is a digital forensics platform and GUI for The Sleuth Kit disk image analyzer, PhotoRec, STIX and other digital forensics software. Supports third-party modules in Java and Python that extend the platform.

Tools for collaborative investigation

  • IRIS — a web application for collaborative work on complex and confusing investigations. Facilitates sharing of files such as Windows logs. Can be deployed on a server or local computer from a Docker image.

  • Kuiper — the platform is focused on gathering and analyzing evidence. Provides a user-friendly graphical interface, centralized management of parsers, supports mass upload of artifacts from any channel, and enables a whole group of analysts to jointly label and sort files.

  • TheHive — an open source security incident response platform designed for SOCs, CSIRTs, CERTs and any other information security professionals. Easily integrates with MISP and features an elaborate role model that allows analysts from different companies to seamlessly work on the same case.

  • GRR Rapid Response — enables a team of analysts to triage attacks and analyze them remotely in real time. It consists of a Python client agent installed on target systems and a managing Python server. Supports low-level access and automatic scheduling of repetitive tasks.

  • DFIRTrack — a platform for forensics, focused on the analysis of one or several large incidents that affected many different systems at once. This is a Django-based web application deployable on Ubuntu that uses PostgreSQL.

  • Orochi — a platform for batch analysis of memory dumps. In effect it is a GUI for Volatility 3 and stores that utility’s results in Elasticsearch.

  • Timesketch — a utility for collaborative timeline analysis. Allows you to reconstruct and visualize the sequence of events during an incident.

Monitoring of hosts

  • Zentral — an endpoint monitoring solution. Combines event log collection using osquery with a flexible messaging system and various data stores: Elastic Stack, Azure Log Analytics, Splunk.

  • Fleetdm — another host monitoring tool that uses osquery to retrieve event logs and collect them from target systems in real-time.

  • POFR — a client-server “black box” that logs data on process execution, file access, and network connections in Linux systems, and then transmits reports to the server via the SSH protocol.

  • IntelMQ — an automated incident handling system that can be used to collect data for further analysis. It has a modular structure consisting of bots for extracting, enriching and recording data.

  • Velociraptor — a tool for collecting information about the state of hosts using the flexible VQL query language. Allows you to largely automate the collection of various forensic artifacts.

  • Meerkat — a set of PowerShell modules designed to collect artifacts from Windows-based systems without first installing an agent. Use scenarios include threat response, threat detection, basic monitoring, snapshot comparison.

IOC scanners

  • Loki — a simple indicator-of-compromise scanner for testing endpoints.

  • Fenrir — a universal bash script for scanning Linux, OS X and Unix systems. Works with a wider set of indicators of compromise.

  • Fastfinder — a cross-platform utility for searching for suspicious files. Supports md5/sha1/sha256 checksums, regular expressions and YARA rules.
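The three scanners above share two matching strategies: exact lookup of file checksums against a list of known-bad hashes, and a search of file contents with regular expressions (or YARA rules, which play the same role). The following added example, not code from Loki, Fenrir or Fastfinder, implements both over a constructed sample directory; the pattern labels, the sample files and the "known-bad" hash are all made up for the demonstration.

```python
"""Minimal indicator-of-compromise (IOC) file scanner.

Added example, not code from Loki, Fenrir or Fastfinder: it demonstrates the
two matching strategies those scanners share, exact hash lookup and regular
expression search over file contents, on a constructed sample directory.
"""
import base64
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass

# Constructed content indicators (hypothetical labels). Real scanners load
# these from signature files; YARA rules would fill the same role.
SUSPICIOUS_PATTERNS = {
    "encoded_powershell": re.compile(
        rb"powershell(?:\.exe)?\s+-(?:enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}",
        re.IGNORECASE),
    "php_eval_base64": re.compile(rb"eval\s*\(\s*base64_decode\s*\("),
}


@dataclass(frozen=True)
class Hit:
    path: str
    kind: str        # "hash" or "pattern"
    indicator: str   # matching SHA-256 digest or pattern label


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large evidence files need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, bad_hashes, patterns=SUSPICIOUS_PATTERNS, max_size=50 << 20):
    """Walk `root` and return a Hit for every hash or pattern match.

    Files above `max_size` are skipped for the content search (the hash is
    still checked); unreadable files are skipped rather than aborting the scan,
    which matters on a live system with locked or vanishing files.
    """
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_of(path)
                if digest in bad_hashes:
                    hits.append(Hit(path, "hash", digest))
                if os.path.getsize(path) > max_size:
                    continue
                with open(path, "rb") as f:
                    data = f.read()
            except OSError:
                continue
            for label, rx in patterns.items():
                if rx.search(data):
                    hits.append(Hit(path, "pattern", label))
    return hits


def demo():
    """Build a constructed sample tree, scan it and return (file, kind, indicator)."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed files: one benign, one "known bad" by hash, two by content.
        encoded = base64.b64encode(b"Write-Host hello")   # harmless payload
        samples = {
            "notes.txt": b"quarterly report draft, nothing to see here\n",
            "dropper.bin": b"MZ\x90\x00 constructed stand-in for a known-bad binary",
            "update.ps1": b"powershell.exe -enc " + encoded + b"\n",
            "index.php": b"<?php eval(base64_decode('aGVsbG8=')); ?>\n",
        }
        for name, content in samples.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(content)
        # Hash indicator computed from the constructed sample, standing in
        # for a digest taken from a threat-intelligence feed.
        bad_hashes = {hashlib.sha256(samples["dropper.bin"]).hexdigest()}
        hits = scan_tree(root, bad_hashes)
        return sorted(
            (os.path.basename(h.path), h.kind,
             "sha256" if h.kind == "hash" else h.indicator)
            for h in hits)


if __name__ == "__main__":
    for file, kind, indicator in demo():
        print(f"{file}: {kind} match ({indicator})")
```

Two design points carry over to the real tools: hashing is done in chunks so that multi-gigabyte files can be checked, and per-file I/O errors are swallowed so a single locked file on a live host does not abort the whole sweep. Hash indicators are cheap and precise but miss any recompiled variant, which is why every scanner on the list also supports content patterns.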

Collection of artifacts

  • artifactcollector — a configurable agent for collecting artifacts from Windows, macOS, and Linux. Able to extract files, directories, registry entries, WMI commands. Integrates with the Digital Forensics Artifact Repository.

  • osquery — operating system analytics for database connoisseurs. The utility presents the operating system as a high-performance relational database, which lets you use SQL to query everything on the computer. Available for Linux, macOS, Windows and FreeBSD.

  • ir-rescue — a pair of Windows and Unix scripts that gather a large amount of forensic data to suit the needs of most investigations. Many commands and tools are launched, so they leave noticeable traces on the system.

  • UAC (Unix-like Artifacts Collector) — uses the built-in tools of Unix-like systems to automate artifact collection. Works regardless of architecture, including on macOS and Android.

  • FastIR Artifacts — a cross-platform artifact collector with support for the Digital Forensics Artifact Repository.

  • DFTimewolf — a framework for organizing the collection, processing and export of data valuable to forensics.

  • AChoir — a script for collecting Windows artifacts in real time.

  • CyLR — a tool for collecting forensic artifacts from systems with the NTFS file system.

  • DFIR ORC — a toolkit for delicately collecting artifacts: file tables, registry hives, and event logs from Windows machines. Designed to minimize impact on the system it runs on. Does not install any programs, creates a minimum of files, registry keys, and services, and writes the minimum required amount of data.

Working with the registry

  • RegRipper — an open source tool for extracting information (keys, values and other data) from the registry. Written in Perl.

  • RegRippy and Regipy — two more libraries for reading and extracting useful forensic data from Windows registry hives, this time in Python.

Working with logs

  • Logdissect — a CLI utility and Python API to analyze, filter, and export log data to Windows log or JSON files.

  • APT Hunter — designed to look for suspicious activity in Windows logs. Automates the collection of Sysmon, Security, System, PowerShell, PowerShell Operational, ScheduledTask, WinRM, TerminalServices and Windows Defender logs. Sorts events by severity and maintains statistics that help identify anomalies.

  • LogonTracer — parses Windows Active Directory event logs, matches the host name (or IP address) and account name found in logon events, and displays them as a graph. Allows you to reconstruct the history of logons.

  • StreamAlert — a serverless real-time log analysis system written in Python. Accepts data from any sources, has a built-in notification system based on customizable user logic. Runs with minimal privileges, stores data in encrypted form.

  • USBRip — a simple console utility for reconstructing the history of USB media connected to computers running Linux. Can export the collected data to a JSON file.

Work with memory and system images

  • Volatility 3 — one of the most popular frameworks for investigating RAM dumps. Supports 18 different versions of operating systems and can work with VirtualBox kernel dumps and VMware snapshots.

  • AVML — a portable tool for acquiring volatile memory (RAM) from Linux systems. Written in Rust and intended to be deployed as a static binary. It can be used to acquire memory “blindly” without knowing the distribution version of the target OS.

  • LiME — a loadable kernel module (LKM) for capturing memory from Linux devices, including Android smartphones. It has been developed and improved since 2012.

  • Bmap-tools — a tool for copying files using the creation of a block map (bmap).

  • INDXParse — toolkit for extracting NTFS artifacts.

  • nTimetools — a toolkit for working with Windows timestamps. Allows forensic experts to check NTFS file system timestamps with a resolution of 100 nanoseconds.

  • RecuperaBit — a utility for forensic file system reconstruction and file recovery. Supports only NTFS.

  • Sleuth Kit — a library for low-level exploration of disk images, file systems, and evidence retrieval.

  • MemProcFS — utility for easy access to physical memory as files of a virtual file system.

  • dof (Docker Forensics Toolkit) — extracts and helps interpret forensic artifacts from Docker containers. Displays the build history of an image, mounts a container’s file system at a given location, distributes artifacts on a timeline, and more.
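The 100-nanosecond resolution mentioned for nTimetools comes from the on-disk format: NTFS stores timestamps as 64-bit FILETIME values, counts of 100 ns intervals since 1601-01-01 UTC, and that seventh sub-second digit is exactly what most timestamp-altering tools fail to fill in. The following added example (not nTimetools' own code) decodes and re-encodes FILETIME values without losing that digit and applies two widely used heuristics for spotting altered timestamps; the sample values and the heuristic names are constructed for the demonstration.

```python
"""Windows FILETIME timestamps at 100-nanosecond resolution.

Added example, not nTimetools' own code: NTFS stores the timestamps in the
$STANDARD_INFORMATION (SI) and $FILE_NAME (FN) attributes as 64-bit counts of
100 ns intervals since 1601-01-01 00:00:00 UTC. Python's datetime only resolves
microseconds, so the seventh sub-second digit is carried separately.
"""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000                   # one tick = 100 ns
UNIX_EPOCH_FILETIME = 116_444_736_000_000_000   # 1970-01-01 expressed in ticks


def filetime_to_datetime(ticks):
    """Split a FILETIME into (datetime at microsecond precision, leftover 100 ns ticks)."""
    seconds, rem = divmod(ticks, TICKS_PER_SECOND)
    micros, hundred_ns = divmod(rem, 10)
    return EPOCH_1601 + timedelta(seconds=seconds, microseconds=micros), hundred_ns


def datetime_to_filetime(dt, hundred_ns=0):
    """Inverse of filetime_to_datetime; `dt` must be timezone-aware."""
    delta = dt - EPOCH_1601
    whole_seconds = delta.days * 86_400 + delta.seconds
    return whole_seconds * TICKS_PER_SECOND + delta.microseconds * 10 + hundred_ns


def parse_filetime_le(raw):
    """Decode the 8-byte little-endian FILETIME exactly as it sits in an MFT record."""
    return struct.unpack("<Q", raw)[0]


def format_filetime(ticks):
    """Render all seven sub-second digits, e.g. 1970-01-01 00:00:00.1234567."""
    dt, hundred_ns = filetime_to_datetime(ticks)
    return dt.strftime("%Y-%m-%d %H:%M:%S.%f") + str(hundred_ns)


def timestomp_indicators(si_created, fn_created):
    """Return reasons to examine a file's timestamps more closely.

    Two common NTFS heuristics (written here for the example, not nTimetools'
    logic): APIs that set timestamps with whole-second precision leave all
    seven sub-second digits zero, and an SI creation time earlier than the FN
    creation time is a classic sign that SI was rewritten, since user-mode
    tools cannot set FN directly. Renames and moves rewrite FN and can produce
    legitimate hits, so treat the result as a lead, not a verdict.
    """
    reasons = []
    if si_created % TICKS_PER_SECOND == 0:
        reasons.append("SI creation time has an all-zero sub-second part")
    if si_created < fn_created:
        reasons.append("SI creation time precedes FN creation time")
    return reasons


if __name__ == "__main__":
    # Constructed MFT-style values: 0.1234567 s after the Unix epoch.
    genuine = UNIX_EPOCH_FILETIME + 1_234_567
    raw = struct.pack("<Q", genuine)
    print("decoded:", format_filetime(parse_filetime_le(raw)))
    stomped = datetime_to_filetime(datetime(1969, 12, 31, tzinfo=timezone.utc))
    print("indicators:", timestomp_indicators(stomped, genuine))
```

Keeping the leftover tick instead of rounding into a datetime is the whole point: a converter that truncates to microseconds would report the altered and the genuine timestamp as identical and hide the very detail the heuristic relies on.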

Extracting web artifacts

  • hindsight — a simple and functional web artifact analysis tool with support for Chromium-based browsers. Allows you to analyze the history of visits and downloads, the contents of the cache, cookies, bookmarks, autofill, saved settings, extensions and passwords. All extracted data is placed on a timeline.

  • Dumpzilla — a similar program for collecting interesting information from Firefox, Iceweasel and Seamonkey browsers.

Work with metadata

  • ExifTool — reading, writing and editing metadata in files of various graphic formats.

  • Exiv2 — a library for working with Exif, IPTC, XMP and ICC metadata.

  • PdfParser — extracts data from PDF files.

  • FOCA — a tool for finding metadata and hidden information in documents published on the web. Works with Microsoft Office, OpenOffice, PDF, Adobe InDesign and SVG.

Tools for Mac

  • macOS Artifact Parsing Tool — a suite for processing Mac disk images and extracting data useful for investigations. It is a Python-based framework with plugins that handle individual artifacts, such as Safari history.

  • ESF Playground — a tool for viewing events in the Apple Endpoint Security Framework (ESF) in real time.

  • Knockknock — displays a complete list of items (programs, scripts, commands, binaries) that are automatically executed in macOS.

Tools for smartphones

  • MobSF — an automated system for analyzing malware and assessing the security of mobile applications (Android/iOS/Windows), capable of performing static and dynamic analysis. Supports mobile app binaries (APK, XAPK, IPA, and APPX) along with archived source code and provides a REST API for seamless integration with your CI/CD or DevSecOps pipeline.

  • Andriller — utility for collecting data from Android devices. Can be used to unlock a smartphone.

  • ALEAPP — Android logs, events and Protobuf parser.

  • iLEAPP — iOS logs, events and plists parser.

Various tools

  • Bitscout — a tool for building LiveCD/LiveUSB images suitable for digital forensics and more.

  • Digital Forensics Artifact Repository — a machine-readable knowledge base on digital forensics.

  • sherloq — a set of digital photo forensics tools.

  • swap_digger — bash script that automates extracting the Linux swap file and searching for user credentials, email addresses, web form content, WiFi SSID keys, and other sensitive data.

  • bulk extractor — scans disk images, directories or individual files and extracts useful information from them, such as email addresses, JPEG or JSON snippets.

  • LaZagne — an open source application for extracting passwords stored on a computer.

  • Fibratus — a tool for exploring and tracing the Windows kernel.

  • fflib — extensible open format for storing disk images and forensic information.

  • Sigma — open signature format for SIEM systems.
