Article initially published in: Infosec Institute by Pedro Tavares

Introduction

Nowadays, the number of security incidents have increased. If an organization’s business is paralyzed by an unwanted or unforeseen event, the business needs to recover and to continue. In addition to recovery issues, an unwanted incident can also result in other issues such as insurance claims, legal matters and regulatory issues. This is a clear signal that forensic analysis has an important role at an early stage of the problem. An exponential growth of wild attacks is expected for the next years and an in-depth analysis can be crucial to fight these security obstacles. The increased use of information technology in many organizations have resulted in the availability of software that can be used to unravel the what, where, how and why in the event of an unwanted incident.

This article is a sequel to a forensics knowledge-base (see part 1 here) and it lists several open source forensics tools that can be used to solve many issues. These tools were grouped into seven categories: Data capture and Disk tools; Email analysis; File and Data analysis; Mobile devices; Internet analysis; Registry analysis; and Data analysis suites.

Data Capture and Disk Tools

This section presents some tools that can be used to capture data across the network and to inspect data in a physical or volatile device.

1. Nmap

Nmap is a free and open source tool for network discovery and security auditing. This is a useful piece of software designed for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

• Flexible and supports dozens of advanced techniques for mapping out networks
• Used for huge networks and thousands of machines
• Most operating systems are supported
• Easy to use and available in a command line and graphical version
• Well documented and support for community

Link: http://nmap.org

2. Fiddler

Fiddler helps you debug web applications by capturing network traffic between the Internet and test computers. It enables you to investigate incoming and outgoing data to monitor and modify requests and responses before the browser receives them (man-in-the-middle tool).

• Edit web sessions easily and carry out performance tests
• Customizable tool
• Development of security tests
• HTTP/HTTPS traffic is recorded for further analysis
• Supports web debugging of applications
• Excellent user experience

Link: https://www.magnetforensics.com/free-tool-magnet-ram-capture

3. Volatility

Volatility is an open collection of tools developed for the extraction of digital artifacts from volatile memory (RAM) samples.

• Supports memory dumps for Windows, Linux, Mac OS X, and Android
• Open Source GPLv2 and written in Python
• Extensible and scriptable API
• Unparalleled feature sets based on reverse engineering and specialized research
• Fast and efficient algorithms let you investigate RAM dumps from large systems

Link: https://github.com/volatilityfoundation/volatility

4. HxD

HxD is a fast hex editor which allows editing and modifying of main memory (RAM) and handling files of any size.

• Available as a portable and installable edition
• Flexible and fast searching/replacing for several data types
• File compare incorporated
• Basic statistic data analysis
• Easy to use and modern interface
• Clipboard support for other hex editors

Link: https://mh-nexus.de/en/hxd/

Email analysis

This section describes some tools designed to analyze data inside email files format.

1. EDB Viewer

EDB Viewer aids system administrators in opening EDB files without the installation of an MS Exchange Server.

• View the Exchange data on stand-alone workstations
• Open corrupted EDB files
• View user mailboxes and public folders
• Filter the mailbox data based on various criteria
• Search for particular items in user mailboxes and public folders

Link: https://www.nucleustechnologies.com/exchange-edb-viewer.html

2. MBOX Viewer

SysTools MBOX Viewer is a standalone MBOX Explorer tool that allows a user to easily open MBOX file emails and attachments of any email client like Google Takeout, Apple Mail (Mac Mail), Gmail, Thunderbird etc.

• Preview and open MBOX file emails with proper formatting
• Quick scanning of MBOX files
• View multiple MBOX files
• Simple user interface
• No limitations on MBOX size files

Link: https://www.systoolsgroup.com/mbox-viewer.html

File and Data analysis

The following tools are used to collect valuable information inside metadata files.

1. ExifTool

ExifTool is a platform-independent Perl library plus a command-line application for reading, writing and editing meta information in a wide variety of files.

• Powerful, fast, flexible and customizable
• Supports a large number of different file formats
• Multi-lingual output
• Copies meta information between files
• Automatically backs up original image when writing
• Advanced verbose and HTML-based hex dump outputs

Link: https://sno.phy.queensu.ca/~phil/exiftool

2. LastActivityView

LastActivityView is a tool for Windows OS that collects information from various sources on a running system and displays a log of actions made by the user and events occurred on the computer.

Some events supported:

• Know which user runs the .EXE file
• History about open file and folder, and view folder actions
• Information related to software installation
• System started and shutdown logs
• Software crash logs
• Logs about user logon and logoff

Link: http://www.nirsoft.net/utils/computer_activity_view.html

Mobile devices

Below are introduced two tools produced to perform forensic tasks on mobile operating systems.

1. iPBA2

This piece of software allows browsing through the content of an iPhone/iPad backup made by iTunes or other backup software. It is packed with all the routines needed to understand and show the content of files found.

• Real name and name in the backup directory
• File UNIX permissions
• Data hash (as calculated by iOS)
• User and group ID
• Modify time, access time and creation time
• File type (from magic numbers)

Link: https://github.com/PicciMario/iPhone-Backup-Analyzer-2

2. SAFT

SAFT is a free and easy-to-use mobile forensics application and allows you to extract valuable information from device in just one click. It only supports Android devices.

It can collect:

• Call logs
• SMS logs
• All the contact list
• It generates well-structured reports

Link: http://www.signalsec.com/saft/

Internet analysis

Tools especially built for web browser data analysis.

1. Browser History Capturer

Browser History Capturer allows you to easily capture web browser history from a Windows computer. The tool can be run from a USB dongle to capture history from web browsers.

• Browsers supported: Chrome, Firefox, Internet Explorer and Edge
• Easy to use
• Data captured includes bookmarks, cached files, cookies, downloads, form history, saved logins, searches and website history

Link: https://www.foxtonforensics.com/browser-history-capturer

2. Dumpzilla

Dumpzilla is developed with the purpose to extract all forensic interesting information of Firefox, Iceweasel and Seamonkey browsers to be analyzed.

• Get all the cookies + DOM storage
• User preferences (domain permissions, proxy settings, etc)
• Content from download directory
• Web forms (Searches, emails and comments)
• History, bookmarks and cached files
• Browser saved passwords
• SSL Certificates added as a exception
• Session data, and more

Link: http://www.dumpzilla.org

Registry analysis

Next, some tools focused on registry analysis are described.

1. Process Monitor

Process Monitor allows you to spy registry, file System and process and thread activity.

• More data obtained for operation input and output parameters
• Non-destructive filters without losing data
• Capture of thread stacks for each operation
• Reliable capture of process details, including image path, command line, user and session ID
• Advanced logging architecture
• Process tree tool shows the relationship between all processes referenced in a trace.
• Native log format preserves all data for loading in a different Process Monitor instance
• Boot time logging of all operations

Link: https://docs.microsoft.com/pt-pt/sysinternals/downloads/procmon

2. Regshot

Regshot is a registry compare that allows you to promptly take a snapshot of your registry and compare it with a second one, done after doing system changes or installing a new software.

• Available in a portable version
• Snapshot of whole Windows registry
• Doesn’t make any changes to the registry
• generates HTML reports

Link: https://sourceforge.net/projects/regshot

3. Windows Registry Recovery

This tool allows reading files containing Windows registry artifacts. It extracts useful information about configuration and windows installation settings.

• Registry can be exported into REGEDIT4 format
• Every topic data can be saved to CSV
• Designed in a multiple document interface

Link: http://www.mitec.cz/wrr.html

Data analysis suites

This section describes some powerful software suites.

1. Burp Suite

Burp is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.

• Operates as a web proxy server
• Often used for performing automated vulnerability scans
• Used to manually test an application and also to perform automated attacks
• It has a module for transforming encoded data into its canonical form
• Loads Burp extensions from your repository
• It’s is free but a closed source

Link: http://portswigger.net/burp

2. X-Ways Forensics

X-Ways Forensics is an advanced platform for digital forensics investigators. It runs on all available version of Windows. It works efficiently even on low hardware specifications.

• Disk imaging and cloning
• Ability to read file system structures inside various image files
• Automatic detection of deleted or lost hard disk partition
• Various data recovery techniques
• Memory and RAM analysis
• Extracts metadata from various file types
• Ability to extract emails from various available email clients

Link: http://www.x-ways.net/forensics

3. PlainSight

It is a versatile computer forensics environment that allows inexperienced forensic researchers to conduct common tasks using powerful open source tools.

• Get hard disk and partition information
• Extract user and group information
• Examine Windows firewall configuration
• Discover recent documents
• Examine physical memory dumps
• Preview a system before acquiring it

Link: http://www.plainsight.info/index.html

4. Microsoft SysInternals Suite

Windows Sysinternals is a part of the Microsoft TechNet website which offers technical resources and utilities to manage, diagnose, troubleshoot, and monitor a Microsoft Windows environment.

Some general tasks that can be performed:

• Full control over security and file permissions
• Restore deleted objects
• Monitor debug output on your local system
• List the currently active sessions
• Show file version number, timestamp information, and digital signature details, and more.

All the tools are listed here.

Link: https://docs.microsoft.com/pt-pt/sysinternals/downloads/sysinternals-suite