The science of researching evidence
Successfully investigating information security incidents requires practical skills with tools for extracting digital artifacts. This article provides a list of useful links and tools for collecting digital evidence. The purpose of such work is to apply methods and means for preserving (keeping immutable), collecting and analyzing digital evidence in order to reconstruct the events of an incident. The term "forensics" is a shortened form of "forensic science", that is, the science of examining evidence, which is otherwise known as criminalistics. In this context "forensics" does not mean criminalistics in general, but computer forensics specifically. Some authors further distinguish computer forensics from network forensics. The main area of application is the analysis and investigation of events in which computer information is the target of an attack, a computer is the tool used to commit a crime, or any digital evidence is involved.
Various highly specialized utilities are used to collect and analyze information thoroughly; they are discussed below. Be aware that in criminal proceedings, whether the software used carries certain certifications and compliance approvals (FSTEC licenses) will most likely be taken into account. In that case you will have to combine collection and analysis methods, or draw your conclusions and write the expert report on the basis of data obtained from non-certified sources.
Network analysis
SiLK Tools
Network flow (traffic) analysis tools that facilitate network security analysis.
Wireshark
The best-known network protocol analyzer (sniffer).
Real-time utilities
GRR
GRR Rapid Response is a tool for remote live forensics, incident investigation and analysis.
MIG
Mozilla InvestiGator is a platform for investigating and analyzing incidents.
Disk images (creation, cloning)
dc3dd
An improved version of the dd console utility, adapted for forensic use.
adulau/dcfldd
Another improved, forensically oriented version of dd.
FTK Imager
Viewing and cloning media in a Windows environment.
Guymager
Viewing and cloning media in a Linux environment.
Data extraction
bstrings
An improved version of the popular strings utility.
bulk_extractor
Extracts email addresses, IP addresses, phone numbers and other artifacts from files and disk images.
FLOSS
Uses advanced static analysis techniques to automatically extract and deobfuscate strings from malware binaries.
PhotoRec
A free data recovery program designed to recover lost files from digital camera memory, hard disks and other media.
Internet artifacts
Chrome-url-dumper
Extracting information from Google Chrome.
Hindsight
Analysis of Google Chrome/Chromium browsing history.
Timeline analysis
Plaso
Extracts timestamps from many sources and aggregates them into a timeline.
Converters
CyberChef
A multi-tool for encoding, decoding, compression and data analysis.
Working with RAM
InVtero.net
A high-performance memory analysis framework.
Volatility
A set of utilities for versatile analysis of physical memory images.
KeeFarce
Extracting KeePass passwords from the memory of a running KeePass process.
Rekall
A memory dump analysis framework written in Python.
VolUtility
Web interface for the Volatility framework.
Frameworks
DFF
The Digital Forensics Framework is an open-source platform for digital data extraction and investigation.
PowerForensics
PowerForensics is a utility written in PowerShell, designed for examining hard drives.
The Sleuth Kit
The Sleuth Kit (TSK) is a C library and collection of command-line tools that allow you to examine disk images.
Windows artifacts (extraction of files, download histories, USB devices)
FastIR Collector
A comprehensive collector of information about a Windows system.
FRED
Cross-platform Windows registry analyzer.
MFT-Parsers
Comparison sheet of MFT parsers (MFT: Master File Table).
NTFS USN Journal parser
Parser for the NTFS USN change journal.
Hex editors
Hexinator
Windows version of Synalyze It!
Synalyze It!
Hex editor with grammar (template) support.
wxHexEditor
Hex editor with file comparison.
Analysis of files
010 Editor Templates
Binary templates for 010 Editor.
HFSPlus Grammars
HFS+ file system grammars for Synalyze It!
Sleuth Kit file system grammars
Grammar repositories for different file systems.
Synalyze It! Grammars
File format grammars for Synalyze It!
WinHex Templates
File format templates for WinHex and X-Ways.
Processing disk images
imagemounter
A command-line utility for quickly mounting disk images.
libewf
Library and utilities for accessing and processing the Expert Witness (EWF, E01) image formats.
xmount
Converts disk images between formats on the fly. A very high-quality and useful tool.
Conclusion
To conduct research and collect digital evidence, you must observe the principles of immutability, integrity, completeness and reliability of the information. To achieve this, follow the established recommendations on software and on investigative methodology.