Sunday, October 20, 2013

What 'tier 2' & 'tier 3' tools do you load on your forensic workstation(s)?

I generally categorize software that I load onto my forensic workstation(s) into three classifications or tiers:

Tier 1 - Primary Forensic Analysis Software
    • EnCase, X-Ways, FTK, Forensic Explorer, iLook, etc.
Tier 2 - Forensic Software that supports the primary analysis tool
    • Internet Evidence Finder, RegRipper, Hex editor, etc.
Tier 3 - Software that is not necessarily designed for forensic examination use, but that provides value to my examination.
    • Office Products (Word), Packet capture/analysis tools, screen capturing software, etc.

There is no shortage of opinions and assertions about which primary forensic analysis tool (tier 1) might be the best for the job; just check out any forensic listserv or message forum. But this post isn't about those tools.

This post is really about the often unmentioned supporting tools that make my life easier as an examiner. They are the tools that I rely upon during almost every examination to help process or view the data from whatever primary analysis tool (FTK, EnCase, X-Ways, etc.) I may be using.

There are literally hundreds of tier 2 & 3 tools out there, but my intent was to list those that I rely upon in almost every case. Please feel free to comment or add your own in the comment section; I am sure everyone reading will benefit from hearing about a tool you use and why. Here are some of mine, in no particular order.

Tier 2

  1. Internet Evidence Finder (IEF) - Deep Internet artifact searching/reporting
  2. 010 Hex Editor - Great hex editor with structure templates and scripting language
  3. SIFT Workstation - SANS virtual machine with lots of tools
  4. FTK Imager - General purpose imaging and viewing utility
  5. Event Log Explorer - Windows event log viewer
  6. RegViewer - Windows registry viewer
  7. Liveview - Forensic virtualization

Tier 3

  1. Hypersnap - Great screen capture software
  2. Microsoft Office - Report writing
  3. Notepad++ - Great simple text editor with source code highlighting and other powerful features
  4. VMware - Virtualization Software
  5. Wireshark - Packet analysis software
  6. ActiveState Perl - I tend to write lots of little utilities for specific processing/analysis purposes
  7. Cygwin - *nix environment on Windows and lots of useful parsing tools
  8. Splunk - Log aggregation, searching and reporting tool
  9. WinRar - Archive utility that handles ZIP, RAR, 7z, TAR & GZ
  10. Irfanview - Image viewer
  11. VLC - Video player
  12. FFplay - Video player
  13. Plist Editor - Plist viewer
  14. Hashcalc - Hash calculator that supports several different algorithms
  15. LogParser - Log parsing utility
  16. SQLite Expert - SQLite DB viewer

I will mention two additional pieces of software that are not necessarily used during the forensic examination process, but that I rely upon heavily:

Both of these are information managers or journals (one is cloud based, the other is not). I use them to record information about a process or file structure, or to take screenshots, once I have learned a specific procedure, so that I can still understand it a year from now, after I may have forgotten all the offsets or structure details I had just learned.

H. Carvey Tuesday, 22 October, 2013

Very interesting post, Lance...thanks for sharing. I don't have access to the tier 1 tools, so your tier 2 is my tier 1...

Thanks for sharing...

Thomas Millar Tuesday, 22 October, 2013

I like to view my preferred tool sets for this work based on the criteria of whether they are open and well used in the community. I don't wish anyone to come away possibly thinking I am discounting commercial applications in any way. (I frankly think many of them are terrific.) But I feel the more chances a tool has for its source code to be reviewed, studied, examined, and (if the writer is gracious enough to take on feedback, feature requests, or helpful criticism) evaluated, the better it can be. The Log2timeline project is a perfect example. I noticed something about the way it handled reporting of packet data in the output module and I asked for a feature request from Kristinn. In some way, IMHO, I think that sort of thing helps advance the community and practice.

For the purposes of this blog subject, if woken up and asked to do analysis on a lean budget, I would tend towards using The Sleuth Kit (TSK), usually on a Linux platform, log2timeline, and tshark. Two other essentials to me are vi or nano, and xxd, for dealing with text files and hex data/binary files, respectively.

Computer Forensics, Malware Analysis & Digital Investigations