Cyber Security

Top 10 free tools for digital forensic investigation

QA Cybersecurity trainer James Aguilan lists his favourite free tools for digital forensic wizardry.

Juniper researchers state that cybercrime will cost over 2 trillion USD to businesses by 2019. As costs go up, so the demand for digital forensic experts will increase in tandem. Tools are a forensic examiner's best friend – using the right tool helps to move things faster, improve productivity and gather all the evidence.

Whether it's for an internal human resources case, an investigation into unauthorized access to a server, or if you just want to learn a new skill, these suites and utilities will help you conduct memory forensic analysis, hard drive forensic analysis, forensic image exploration, forensic imaging and mobile forensics. As such, they all provide the ability to bring back in-depth information about what's 'under the hood' of a system.

Here are my top 10 free tools to become a digital forensic wizard:

1. SIFT Workstation

SIFT (SANS investigative forensic toolkit) Workstation is a freely-available virtual appliance that is configured in Ubuntu 14.04. SIFT contains a suite of forensic tools needed to perform a detailed digital forensic examination. It is one of the most popular open-source incident response platforms.

Download SIFT Workstation

2. Autopsy

Autopsy is a GUI-based open-source digital forensic programme to analyse hard drives and smartphones efficiently. Autospy is used by thousands of users worldwide to investigate what happened in a computer.

Autopsy was designed to be an end-to-end platform, with modules that come out-of-the-box and others that are available from third parties. Some of the modules provide timeline analysis, keyword searching, data carving, and Indicator of Compromise using STIX.

Download Autopsy

3. FTK Imager

FTK Imager is a data preview and imaging tool used to acquire data (evidence) in a forensically sound manner by creating copies of data without making changes to the original evidence. It saves an image of a hard disk, in one file or in segments, which may be reconstructed later on. It calculates MD5 hash values and confirms the integrity of the data before closing the files.

Download FTK Imager

4. DEFT

DEFT is a household name when it comes to digital forensics and intelligence activities. The Linux distribution DEFT is made up of a GNU/Linux and DART (Digital Advanced Response Toolkit), a suite dedicated to digital forensics and intelligence activities. On boot, the system does not use the swap partitions on the system being analysed. During system startup, there are no automatic mount scripts.

Download DEFT

5. Volatility

Also built into SIFT, Volatility is an open-source memory forensics framework for incident response and malware analysis. It is written in Python and supports Microsoft Windows, Mac OS X, and Linux (as of version 2.5).

Forensic analysis of raw memory dump will be performed on a Windows platform. The Volatility tool is used to determine whether the PC is infected or not. Subsequently, the malicious programme can be extracted from the running processes from the memory dump.

Download Volatility

6. LastActivityView

LastActivityView is a tool for the Windows operating system that collects information from various sources on a running system, and displays a log of actions made by the user and events that occurred on this computer.

The activity displayed by LastActivityView includes: Running an .exe file, opening open/save dialog-box, opening file/folder from Explorer or other software, software installation, system shutdown/start, application or system crash and network connection and disconnection.

Download LastActivityView

7. HxD

HxD is a carefully designed and fast hex editor which, in addition to raw disk editing and modifying of main memory (RAM), handles files of any size. The easy-to-use interface offers features such as searching and replacing, exporting, checksums/digests, insertion of byte patterns, a file shredder, concatenation or splitting of files, statistics and much more.

Download HxD

8. CAINE

CAINE offers a complete forensic environment that is organised to integrate existing software tools as software modules and to provide a friendly graphical interface. This is a digital forensics platform and graphical interface to the Sleuth Kit and other digital forensics tools.

Download CAINE

9. Redline

Redline is a free endpoint security tool that provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis and the development of a threat assessment profile.

Redline can help audit and collect all running processes and drivers from memory, file-system metadata, registry data, event logs, network information, services, tasks and web history; and analyse and view imported audit data, including the ability to filter results around a given timeframe.

Download Redline

10. PlainSight

PlainSight is a versatile computer forensics environment that allows you to perform forensic operations such as: getting hard disk and partition information, extracting user and group information, examining Windows firewall configuration, examining physical memory dumps, extracting LanMan password hashes and previewing a system before acquiring it.

Download PlainSight

This is by no means an extensive list and may not cover everything you need for an investigation, but it's a great starting point to becoming a forensic examiner. If you find any other tool useful, please leave a comment below.

Interested in Cyber Security Training? Contact our team today

Let's talk

By submitting this form, you agree to QA processing your data in accordance with our Privacy Policy and Terms & Conditions. You can unsubscribe at any time by clicking the link in our emails or contacting us directly.