Sunday, October 20, 2013

What 'tier 2' & 'tier 3' tools do you load on your forensic workstation(s)?


I generally categorize software that I load onto my forensic workstation(s) into three classifications or tiers:

Tier 1 - Primary Forensic Analysis Software
    • EnCase, X-Ways, FTK, Forensic Explorer, iLook, etc.
Tier 2 - Forensic Software that supports the primary analysis tool
    • Internet Evidence Finder, RegRipper, Hex editor, etc.
Tier 3 - Software that is not necessarily designed for forensic examination use, but that provides value to my examination
    • Office Products (Word), Packet capture/analysis tools, screen capturing software, etc.

There is no shortage of opinion and assertions of which primary forensic analysis tool (tier 1) might be the best for the job, just check out any forensic listserv or message forum. But this post isn't about those tools.

This post is really about the often unmentioned supporting tools that make my life easier as an examiner. They are the tools that I rely upon during almost every examination to help process or view the data from whatever primary analysis tool (FTK, EnCase, X-Ways, etc.) I may be using.

There are literally hundreds of tier 2 & 3 tools out there, but my intent was to list those I rely upon in almost every case. Please feel free to comment or add your own in the comment section; I am sure everyone reading will benefit from hearing about a tool you use and why. Here are some of mine, in no particular order.

Tier 2

  1. Internet Evidence Finder (IEF) - Deep Internet artifact searching/reporting
  2. 010 Hex Editor - Great hex editor with structure templates and scripting language
  3. SIFT Workstation - SANS virtual machine with lots of tools
  4. FTK Imager - General purpose imaging and viewing utility
  5. Event Log Explorer - Windows event log viewer
  6. RegViewer - Windows registry viewer
  7. Liveview - Forensic virtualization

Tier 3

  1. Hypersnap - Great screen capture software
  2. Microsoft Office - Report writing
  3. Notepad++ - Great simple text editor with source code highlighting and other powerful features
  4. VMware - Virtualization Software
  5. Wireshark  - Packet analysis software
  6. ActiveState Perl - I tend to write lots of little utilities for specific processing/analysis purposes
  7. Cygwin - *nix environment on Windows and lots of useful parsing tools
  8. Splunk - Log aggregation, searching and reporting tool
  9. WinRar - Archive utility that handles ZIP, RAR, 7z, TAR & GZ
  10. Irfanview - Image viewer
  11. VLC - Video player
  12. FFplay - Video player
  13. Plist Editor - Plist viewer
  14. Hashcalc - Hash calculator that supports several different algorithms
  15. LogParser - Log parsing utility
  16. SQLite Expert - SQLite DB viewer

I will mention two additional pieces of software that are not necessarily used during the forensic examination process, but that I rely upon heavily:


Both of these are information managers or journals (one is cloud based, the other is not). I use them to record information about a process or file structure, or to save screenshots, once I have learned a specific procedure, so that I can still understand it a year from now after I have forgotten the offsets or structure I had just worked out.

Sunday, October 13, 2013

EnCase EnScript to check files against www.virustotal.com and Bookmark with score

This EnScript submits the hash values of files tagged with the 'VirusTotal' label to VirusTotal to see whether they are known malware.

VirusTotal provides a free public API. To use it, you sign up for their "community" and receive an API key that allows four (4) requests per minute. If you submit more than four files per minute, the EnScript goes into a wait loop and resubmits once the one-minute limit has expired.

This EnScript provides a quick, automated workflow: tag the files, and the EnScript grabs their hash values and submits them to VirusTotal using your API key. The EnScript ships with a DLL file and an EXE that act as the bridge between the EnScript and the VirusTotal API.

Once downloaded, just unzip the archive and run the included EnScript (EnPack). The initial screen will ask for your Virus Total API key and the path to the 'VT_Bookmark.exe' file included in the archive.

The EnScript generates the needed hash value for any file(s) tagged with the 'VirusTotal' tag. It then sends the hash value to VirusTotal to see whether that hash is known. If a file with that hash value was previously analyzed, the VT score is obtained and noted in the bookmark. A zero score signifies that none of the AV engines identified it as malware/dangerous, while any positive number is the count of AV engines that identified it as bad.

The EnScript does not send or transmit any data from within the file(s) you have tagged; it only sends the hash value. Therefore, if the score comes back as zero, that does not necessarily mean the file is safe. It means either that a file with that hash value has never been analyzed, or that it was analyzed and is simply not detected as malware/dangerous by any engine.

The intended use of this EnScript is to surface hash values with a POSITIVE score, drawing immediate attention to files that should be examined further, rather than to clear files that come back with a zero score.
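The same hash-only workflow, written as an added Python example rather than the EnScript or the DLL/EXE bridge from the post: hash the file locally, submit only the hash, wait out the four-per-minute public quota, and map the answer to one of three bookmark outcomes (unknown hash, zero detections, N detections). The endpoint URL, the `apikey`/`resource` form fields, the `response_code`, `positives` and `total` JSON fields and HTTP 204 as the quota-exceeded signal are assumptions about the v2 public API as it was documented at the time, not something the post states; check current VirusTotal documentation before relying on them.

```python
"""Hash-only VirusTotal lookup with a four-per-minute wait loop (added example).

Assumptions, not from the original post: the v2 endpoint below, its 'apikey' and
'resource' form fields, 'response_code' (1 = known, 0 = never seen), 'positives'
and 'total', and HTTP 204 meaning the public quota is exhausted.
"""
import hashlib
import json
import time
import urllib.error
import urllib.parse
import urllib.request

VT_REPORT_URL = "https://www.virustotal.com/vtapi/v2/file/report"  # assumed v2 endpoint
PUBLIC_QUOTA_PER_MIN = 4
WINDOW_SECONDS = 60


def sha256_of_chunks(chunks):
    """SHA-256 of an iterable of byte strings (the API accepts md5, sha1 or sha256)."""
    h = hashlib.sha256()
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def sha256_of_file(path):
    """Hash a file in 1 MiB chunks so large evidence files are never read whole."""
    with open(path, "rb") as f:
        return sha256_of_chunks(iter(lambda: f.read(1 << 20), b""))


class RateLimiter:
    """Sliding window: at most `per_minute` requests in any 60 s span.
    `now` and `sleep` are injectable so the wait loop can be tested without delays."""

    def __init__(self, per_minute=PUBLIC_QUOTA_PER_MIN, now=time.monotonic, sleep=time.sleep):
        self.per_minute = per_minute
        self._now, self._sleep = now, sleep
        self._sent = []  # timestamps of requests still inside the window

    def wait_turn(self):
        """Block until another request fits in the window; return seconds slept."""
        slept = 0.0
        while True:
            now = self._now()
            self._sent = [t for t in self._sent if now - t < WINDOW_SECONDS]
            if len(self._sent) < self.per_minute:
                self._sent.append(now)
                return slept
            delay = WINDOW_SECONDS - (now - self._sent[0])
            self._sleep(delay)
            slept += delay

    def hold(self, seconds):
        """Back off when the server reports the quota exhausted regardless of our count."""
        self._sleep(seconds)


def classify_report(report):
    """Map a file/report JSON object to (label, positives, total).
    'unknown' means the hash was never analysed, which says nothing about safety."""
    if report.get("response_code") != 1:
        return ("unknown", None, None)
    positives = int(report.get("positives", 0))
    total = int(report.get("total", 0))
    if positives > 0:
        return ("flagged", positives, total)
    return ("clean-by-hash", 0, total)


def _http_post(url, data):
    """Default transport: POST form data, return (status, body); 204 has no body."""
    req = urllib.request.Request(url, data=data, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""


def vt_hash_lookup(api_key, file_hash, limiter, fetch=_http_post):
    """Submit only the hash (never file content) and classify the result.
    `fetch(url, data) -> (status, body)` is injectable so the loop runs offline."""
    data = urllib.parse.urlencode({"apikey": api_key, "resource": file_hash}).encode()
    while True:
        limiter.wait_turn()
        status, body = fetch(VT_REPORT_URL, data)
        if status == 204:  # quota exceeded: wait out the window and resubmit
            limiter.hold(WINDOW_SECONDS)
            continue
        if status != 200:
            raise RuntimeError("VirusTotal returned HTTP %d for %s" % (status, file_hash))
        return classify_report(json.loads(body))


def bookmark_line(path, result):
    """One-line note in the spirit of the EnScript's VT score bookmark."""
    label, positives, total = result
    if label == "unknown":
        return "%s: hash not previously analysed by VirusTotal" % path
    return "%s: %d of %d engines flagged" % (path, positives, total)
```

Only `classify_report` distinguishes "never seen" from "seen, zero detections"; the post's EnScript bookmarks both as a zero score, so if that distinction matters to your triage, keep it in the bookmark text as `bookmark_line` does.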


Download Here (EnCase v7)
Download Here (EnCase v6)

Wednesday, October 9, 2013

EnCase EnScript for USB info on Win7/8

I have had several people ask me about an updated EnScript to parse connected USB information from Windows 7/8 machines.

I actually updated the original EnScript a long time ago, but never posted a blog entry about it. You can find the updated versions here:

Parse connected USB info for Windows 7/8 (EnCase v6)
Parse setupapi.dev.log for USB info (EnCase v7)

The latter one is also posted in App Central.
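For readers without EnCase, here is an added Python example (not the author's EnScript) that pulls the same information out of setupapi.dev.log. On Windows 7/8 the Plug and Play installer writes C:\Windows\inf\setupapi.dev.log; each device installation is a section opened by a `>>>  [Device Install (...) - <device instance ID>]` line and a `>>>  Section start <timestamp>` line, and closed by `<<<  [Exit status: ...]`. A section is written only when the driver is installed, so the timestamp is the first time that device was connected, not the last, and it is recorded in the machine's local time. The sample log embedded below is constructed for this example, and the vendor, product and serial values in it are made up.

```python
"""Parse setupapi.dev.log (Windows 7/8) for first-installation times of USB devices.

Added example, not the EnScript from the post. SAMPLE_LOG is constructed; its
device IDs, serials and timestamps are invented for illustration.
"""
import re
from collections import namedtuple

SECTION_HDR = re.compile(r"^>>>\s+\[Device Install \([^)]+\) - (?P<devid>[^\]]+)\]")
SECTION_START = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")
EXIT_STATUS = re.compile(r"^<<<\s+\[Exit status: (?P<status>\w+)\]")
VID_PID = re.compile(r"VID_(?P<vid>[0-9A-Fa-f]{4})&PID_(?P<pid>[0-9A-Fa-f]{4})")

UsbInstall = namedtuple(
    "UsbInstall", "bus vid pid serial windows_generated_id first_install status")

# Constructed sample: a thumb drive (USB + USBSTOR sections), an unrelated PCI
# device, and a receiver that reported no serial number.
SAMPLE_LOG = """\
>>>  [Device Install (Hardware initiated) - USB\\VID_0781&PID_5567\\4C530001230120112033]
>>>  Section start 2013/10/09 08:15:22.134
     cmd: C:\\Windows\\system32\\svchost.exe -k DcomLaunch
     dvi:                  {Build Driver List} 08:15:22.150
<<<  Section end 2013/10/09 08:15:24.652
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.26\\4C530001230120112033&0]
>>>  Section start 2013/10/09 08:15:24.700
<<<  Section end 2013/10/09 08:15:26.010
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - PCI\\VEN_8086&DEV_1E31&SUBSYS_05341028&REV_04\\3&11583659&0&A0]
>>>  Section start 2013/10/09 08:20:00.000
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USB\\VID_046D&PID_C52B\\5&2A1B3C4D&0&2]
>>>  Section start 2013/10/12 19:02:03.001
<<<  Section end 2013/10/12 19:02:04.512
<<<  [Exit status: SUCCESS]
"""


def _record(devid, ts, status):
    """Turn a device instance ID such as USB\\VID_xxxx&PID_yyyy\\serial into a record."""
    parts = devid.split("\\")
    if len(parts) < 3 or parts[0].upper() not in ("USB", "USBSTOR"):
        return None  # PCI, HID and other buses are not what we are after
    bus, instance = parts[0].upper(), parts[-1]
    m = VID_PID.search(parts[1])
    vid = m.group("vid").upper() if m else None
    pid = m.group("pid").upper() if m else None
    # If the second character of the instance ID is '&', the device reported no
    # serial number and Windows generated the ID from the port it was plugged into,
    # so the same device can appear under a different ID on another port.
    generated = len(instance) > 1 and instance[1] == "&"
    return UsbInstall(bus, vid, pid, instance, generated, ts, status)


def parse_setupapi_dev_log(lines):
    """Return one UsbInstall per USB/USBSTOR installation section, in log order."""
    records, current = [], None
    for line in lines:
        m = SECTION_HDR.match(line)
        if m:
            current = {"devid": m.group("devid"), "ts": None}
            continue
        if current is None:
            continue
        m = SECTION_START.match(line)
        if m:
            current["ts"] = m.group("ts")
            continue
        m = EXIT_STATUS.match(line)
        if m:
            rec = _record(current["devid"], current["ts"], m.group("status"))
            if rec:
                records.append(rec)
            current = None
    return records


def first_seen_by_serial(records):
    """Earliest install time per device serial; USB and USBSTOR sections share it.
    Timestamps are fixed-width strings in local time, so string order is time order."""
    first = {}
    for r in records:
        if r.windows_generated_id:
            continue  # no stable serial to key on
        serial = r.serial.split("&")[0]  # USBSTOR appends '&<LUN>' to the serial
        if serial not in first or r.first_install < first[serial]:
            first[serial] = r.first_install
    return first


if __name__ == "__main__":
    for rec in parse_setupapi_dev_log(SAMPLE_LOG.splitlines()):
        print(rec)
    print(first_seen_by_serial(parse_setupapi_dev_log(SAMPLE_LOG.splitlines())))
```

On a real image, pair the serial and first-install time from this log with the USB/USBSTOR keys in the SYSTEM hive to recover the friendly name and later connection evidence; setupapi.dev.log alone only tells you when the driver was first installed.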

Computer Forensics, Malware Analysis & Digital Investigations
