Investigating information security incidents successfully requires practical skill with tools for extracting digital artifacts. This article provides a list of useful links and tools for digital evidence collection. The purpose of this kind of work is to apply methods and means for the preservation (immutability), collection and analysis of digital evidence in order to reconstruct the events of an incident.

The term “forensics” is short for “forensic science”, the science of examining evidence, which in the Russian tradition is called criminalistics. In this context “forensics” does not mean criminalistics in general, but computer forensics specifically. Some authors further distinguish computer forensics from network forensics. The main areas of application are the analysis and investigation of events in which computer information is the target of an attack, in which a computer is the tool used to commit a crime, and any other case involving digital evidence.
Various highly specialized utilities, discussed below, are used to collect and analyze information thoroughly. I should warn you that in a criminal case the court will most likely take into account whether the software used holds the required certificates and statements of conformity (FSTEC licenses). In that situation you will have to combine methods of collecting and analyzing information, or write your findings and conclusion on the basis of data obtained from non-certified sources.
Traffic analysis tools that support network security analysis.
The most famous network sniffer.
GRR Rapid Response is a tool for incident investigation and analysis.
Mozilla InvestiGator is a platform for investigating and analyzing incidents.
An improved version of the dd console utility.
Another improved version of dd.
Viewing and cloning media in a Windows environment.
Viewing and cloning media in a Linux environment.
An improved version of the popular strings utility.
Extracts e-mail addresses, IP addresses and phone numbers from files.
Uses advanced static analysis techniques to automatically deobfuscate data from malware binaries.
A free data recovery program designed to recover lost files from digital camera storage and other media.
Extracting information from Google Chrome.
Analysis of the history of Google Chrome/Chromium.
Extraction and aggregation of timestamps.
Timeline analysis.
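The two Chrome entries and the two timeline entries above describe one workflow: pull timestamps out of an application artifact, normalise them, and merge them with events from other sources into a single ordered timeline. The Python script below is an added example written for this article, not code from any of the tools listed here. It assumes Chrome's History database layout (the urls and visits tables, with times stored as microseconds since 1601-01-01 UTC and the core transition type in the low byte of visits.transition); the sample database, the second "os-log" event source and all timestamps are constructed for the demonstration.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome/WebKit time: microseconds since 1601-01-01 00:00:00 UTC (not the Unix epoch).
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Low byte of visits.transition is the core transition type; the upper bits are
# qualifiers (e.g. 0x30000000 = CHAIN_START | CHAIN_END) and must be masked off.
CORE_TRANSITIONS = {0: "LINK", 1: "TYPED", 2: "AUTO_BOOKMARK", 3: "AUTO_SUBFRAME",
                    5: "GENERATED", 7: "FORM_SUBMIT", 8: "RELOAD"}


def webkit_to_datetime(webkit_us: int) -> datetime:
    return WEBKIT_EPOCH + timedelta(microseconds=webkit_us)


def datetime_to_webkit(dt: datetime) -> int:
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def build_sample_history() -> sqlite3.Connection:
    """Constructed stand-in for a Chrome 'History' file: same table and column names,
    reduced to the columns used below. A real file is locked while Chrome runs, so copy
    it first and open the copy read-only: sqlite3.connect(f"file:{path}?mode=ro", uri=True)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                             from_visit INTEGER, transition INTEGER);
    """)
    t0 = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
    t1 = t0 + timedelta(seconds=90)
    conn.executemany("INSERT INTO urls VALUES (?, ?, ?, ?, ?)", [
        (1, "https://example.com/login", "Sign in", 1, datetime_to_webkit(t0)),
        (2, "https://example.org/update.exe", "", 1, datetime_to_webkit(t1)),
    ])
    conn.executemany("INSERT INTO visits VALUES (?, ?, ?, ?, ?)", [
        (1, 1, datetime_to_webkit(t0), 0, 0x30000001),  # TYPED, with chain qualifier bits set
        (2, 2, datetime_to_webkit(t1), 1, 0x00000000),  # LINK, navigated from visit 1
    ])
    conn.commit()
    return conn


def extract_chrome_visits(conn: sqlite3.Connection) -> list:
    """One timeline event per visit, with the WebKit time converted to an aware UTC datetime."""
    rows = conn.execute("""
        SELECT v.visit_time, u.url, u.title, v.transition, v.from_visit
        FROM visits v JOIN urls u ON u.id = v.url
        ORDER BY v.visit_time
    """).fetchall()
    events = []
    for visit_time, url, title, transition, from_visit in rows:
        core = transition & 0xFF
        kind = CORE_TRANSITIONS.get(core, f"UNKNOWN({core})")
        desc = f"{kind} {url}"
        if from_visit:
            desc += f" (from visit {from_visit})"
        events.append({"time": webkit_to_datetime(visit_time),
                       "source": "chrome-history", "description": desc})
    return events


def sample_other_events() -> list:
    """Constructed events from a second source (e.g. an OS log) recorded in Unix seconds,
    normalised to the same aware-UTC datetime so the two sources can be merged."""
    return [{"time": datetime.fromtimestamp(1705320120, tz=timezone.utc),
             "source": "os-log", "description": "process start: update.exe"}]


def build_timeline(*event_lists) -> list:
    """Merge any number of event lists into one timeline sorted by UTC time."""
    return sorted((e for events in event_lists for e in events), key=lambda e: e["time"])


if __name__ == "__main__":
    chrome = extract_chrome_visits(build_sample_history())
    for e in build_timeline(chrome, sample_other_events()):
        print(e["time"].isoformat(), e["source"], e["description"])
```

The conversion is the part most often done wrong: subtracting the Unix epoch offset (11644473600 seconds) before dividing, or treating the values as milliseconds, silently shifts every browser event by years, and a merged timeline only makes sense when every source has been normalised to the same timezone-aware representation.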
A multi-tool for encoding, decoding, compression and data analysis.
Converting binary data.
A framework notable for its speed of operation.
A set of utilities for versatile analysis of physical memory images.
Extraction of KeePass passwords from memory.
RAM dump analysis tool written in Python.
Web interface for Volatility framework.
The Digital Forensics Framework is an open-source platform for data extraction and investigation.
PowerForensics is a utility written in PowerShell, designed for examining hard drives.
The Sleuth Kit (TSK) is a C library and collection of command-line tools for examining disk images.
NTFS data recovery.
Analysis of NTFS data.
A comprehensive collector of information about a Windows system.
A cross-platform analyzer for the Windows registry.
Comparison sheet of MFT parsers (MFT – Master File Table).
NTFS transaction log parser.
USN journal parser.
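The MFT and USN entries above point at parsers; the USN change journal is the easiest of the NTFS structures to parse by hand and the one most often needed when an investigator wants to know when a file was created, written and renamed. The Python below is an added example written for this article, not the code of any parser listed here. It implements the documented USN_RECORD_V2 layout (60-byte little-endian header followed by a UTF-16LE name, records padded to 8 bytes, file reference numbers split into a 48-bit MFT entry and a 16-bit sequence number, FILETIME timestamps). The journal fragment it parses is constructed with a small builder so the script runs offline; it is not data from a real volume.

```python
import struct
from datetime import datetime, timedelta, timezone

# USN_RECORD_V2 fixed header (60 bytes, little-endian), followed by the UTF-16LE file name.
USN_HEADER = struct.Struct("<IHHQQqqIIIIHH")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Reason flags, listed ascending by bit so decoded lists come out in a stable order.
USN_REASONS = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND", 0x00000004: "DATA_TRUNCATION",
    0x00000010: "NAMED_DATA_OVERWRITE", 0x00000020: "NAMED_DATA_EXTEND",
    0x00000040: "NAMED_DATA_TRUNCATION", 0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE",
    0x00000400: "EA_CHANGE", 0x00000800: "SECURITY_CHANGE", 0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME", 0x00004000: "INDEXABLE_CHANGE", 0x00008000: "BASIC_INFO_CHANGE",
    0x00010000: "HARD_LINK_CHANGE", 0x00020000: "COMPRESSION_CHANGE", 0x00040000: "ENCRYPTION_CHANGE",
    0x00080000: "OBJECT_ID_CHANGE", 0x00100000: "REPARSE_POINT_CHANGE", 0x00200000: "STREAM_CHANGE",
    0x80000000: "CLOSE",
}


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100-ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_usn_journal(data: bytes) -> list:
    """Walk a $UsnJrnl:$J byte range and return the V2 records it contains."""
    records, off = [], 0
    while off + USN_HEADER.size <= len(data):
        length = struct.unpack_from("<I", data, off)[0]
        if length == 0:                      # zero fill (sparse region or slack): records are 8-aligned
            off += 8
            continue
        if length < USN_HEADER.size or length % 8 or off + length > len(data):
            break                            # corrupt or truncated record: stop rather than guess
        (_, major, _minor, frn, parent_frn, usn, ts, reason, _src, _sid,
         attrs, name_len, name_off) = USN_HEADER.unpack_from(data, off)
        if major == 2 and name_off + name_len <= length:
            name = data[off + name_off:off + name_off + name_len].decode("utf-16-le", "replace")
            records.append({
                "usn": usn,
                "mft_entry": frn & 0xFFFFFFFFFFFF,          # low 48 bits: MFT record number
                "sequence": frn >> 48,                      # high 16 bits: reuse sequence number
                "parent_entry": parent_frn & 0xFFFFFFFFFFFF,
                "timestamp": filetime_to_datetime(ts).isoformat(),
                "reasons": [n for bit, n in USN_REASONS.items() if reason & bit],
                "attributes": attrs,
                "name": name,
            })
        off += length                        # other versions (V3/V4) are skipped by their length
    return records


def build_record_v2(usn, frn, parent_frn, ft, reason, attrs, name) -> bytes:
    """Builds a constructed V2 record for the sample below (test data, not a real journal)."""
    name_b = name.encode("utf-16-le")
    length = (USN_HEADER.size + len(name_b) + 7) & ~7
    header = USN_HEADER.pack(length, 2, 0, frn, parent_frn, usn, ft, reason, 0, 0,
                             attrs, len(name_b), USN_HEADER.size)
    return header + name_b + b"\x00" * (length - USN_HEADER.size - len(name_b))


def sample_journal() -> bytes:
    """Constructed $J fragment: leading zero fill, then a create / write+close / rename chain."""
    ft0 = 133497936000000000                 # 2024-01-15 12:00:00 UTC as FILETIME
    frn = (5 << 48) | 4321                   # sequence 5, MFT entry 4321
    parent = (1 << 48) | 5                   # MFT entry 5 is the volume root directory
    archive = 0x20                           # FILE_ATTRIBUTE_ARCHIVE
    return (b"\x00" * 16
            + build_record_v2(1000, frn, parent, ft0, 0x00000100, archive, "evil.exe")
            + build_record_v2(1080, frn, parent, ft0 + 5 * 10**7, 0x80000102, archive, "evil.exe")
            + build_record_v2(1160, frn, parent, ft0 + 60 * 10**7, 0x80002000, archive, "svchost.exe"))


if __name__ == "__main__":
    for r in parse_usn_journal(sample_journal()):
        print(r["timestamp"], r["mft_entry"], r["name"], "|".join(r["reasons"]))
```

Two details matter in practice: the same MFT entry number is reused after a file is deleted, so the sequence number is what ties journal records to the right MFT record; and a rename shows up as a RENAME_OLD_NAME record followed by a RENAME_NEW_NAME record for the same entry, so a file that was created as one name and later disguised as another can be followed through the chain.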
Windows version of Synalyze It!
Small and fast HEX editor.
Cross-platform HEX editor.
HEX editor with template support.
HEX editor with file comparison.
Templates for 010 Editor.
HFS+ grammar (file-format definition) for Synalysis.
Repositories of definitions for various file systems.
File-format grammars for Synalyze It!
File-type templates for WinHex and X-Ways.
A command-line utility for quickly mounting disk images.
The libewf library and utilities for accessing and processing EWF (E01) images.
Disk image conversion. A very high-quality and useful tool.
To conduct research and collect digital evidence, the principles of immutability, integrity, completeness and reliability of the information must be observed. For this, follow the accepted recommendations on software and on the methodology of conducting investigations.
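The improved dd variants listed earlier and the preservation principles in this closing paragraph rest on one mechanism: hash the data as it is read from the source, record the hash together with the acquisition details, and re-hash the image every time it changes hands or before each analysis session. The Python script below is an added example written for this article, not the code of any tool listed here. It images a source into a raw file while computing MD5 and SHA-256 on the stream, zero-fills blocks that fail to read and counts them (the behaviour of dd's conv=noerror,sync), writes an acquisition record beside the image, and then re-verifies the image, including after a simulated one-byte modification. The sample source file, the output paths and the demo() driver are constructed for the demonstration; against a real device you would point src_path at the block device, behind a hardware write blocker, and run with the privileges needed to read it.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def image_device(src_path: str, dst_path: str, block_size: int = 1 << 20) -> dict:
    """Copy src to dst block by block, hashing the stream as it is read, so the recorded
    hash describes exactly the bytes that were acquired. Unreadable blocks are replaced
    by zeros and counted (dd's conv=noerror,sync) rather than silently dropped, which
    would shift every later offset in the image."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    offset = bad_blocks = 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        size = src.seek(0, os.SEEK_END)          # works for regular files and block devices
        while offset < size:
            want = min(block_size, size - offset)
            try:
                src.seek(offset)
                chunk = src.read(want)
            except OSError:                      # bad sector: zero-fill this block and continue
                chunk = bytes(want)
                bad_blocks += 1
            if not chunk:
                break
            md5.update(chunk)
            sha256.update(chunk)
            dst.write(chunk)
            offset += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())                   # make sure the image is on disk before hashing it again
    record = {
        "source": src_path, "image": dst_path, "bytes": offset, "bad_blocks": bad_blocks,
        "md5": md5.hexdigest(), "sha256": sha256.hexdigest(),
        "acquired_at": datetime.now(timezone.utc).isoformat(),
    }
    with open(dst_path + ".json", "w") as log:   # acquisition record kept beside the image
        json.dump(record, log, indent=2)
    return record


def hash_file(path: str, block_size: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(record: dict) -> tuple:
    """Re-hash the image and compare with the acquisition hash. Returns (ok, current_hash)."""
    current = hash_file(record["image"])
    return current == record["sha256"], current


def make_sample_source(path: str, size: int) -> None:
    """Constructed evidence stand-in: a deterministic byte pattern, not a real device."""
    pattern = bytes(range(256))
    with open(path, "wb") as f:
        f.write((pattern * (size // 256 + 1))[:size])


def demo() -> dict:
    """Acquire, verify, alter one byte of the image, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        src, img = os.path.join(tmp, "evidence.bin"), os.path.join(tmp, "evidence.dd")
        size = 3 * (1 << 20) + 4097              # deliberately not a multiple of the block size
        make_sample_source(src, size)
        record = image_device(src, img)
        ok_before, _ = verify_image(record)
        with open(img, "r+b") as f:              # simulate a single altered byte in the image
            f.seek(12345)
            f.write(b"\x00")
        ok_after, _ = verify_image(record)
        return {"bytes": record["bytes"], "bad_blocks": record["bad_blocks"],
                "source_matches": hash_file(src) == record["sha256"],
                "ok_before": ok_before, "ok_after_tamper": ok_after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The acquisition hash is only meaningful together with the byte count and the bad-block count: an image with zero-filled blocks will never hash the same as the source device, and a report that omits that fact invites the objection that the evidence was altered. SHA-256 is the value compared here; MD5 is recorded only because many older reports and tools still list it.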