Building your forensic analysis toolset

Every security team should have these types of digital forensics tools available. Many are free, and there are enough options to find one that suits your skills and approach.

A solid toolset is at the core of any successful digital forensics program. Although every toolset differs with an organization's needs, some categories belong in every forensics toolkit. Two near-encyclopedic sources provide listings of these tools:

  • The Forensics Wiki, a huge collection of resources that includes tools, techniques, links to forensics researchers and other reference materials. It is maintained by an independent editorial staff.
  • Brett Shaver’s DFIR Training website is a comprehensive listing of tools and training resources for examiners and incident responders.

As you look through these listings, picking the right products can be overwhelming. I have partitioned them into five categories: overall analysis suites; disk imagers; live CDs; network analysis tools; and e-discovery and specialized tools for email and mobile analysis. I have also indicated where free or limited-time evaluation versions are available.

Getting started with forensic suites

The best place to start is to download the SANS Investigative Forensic Toolkit (SIFT). It is a suite of dozens of tools, each chosen because it serves a specific purpose, assembled by an international team of security experts led by SANS instructor Robert Lee. Because SIFT is also used in several SANS courses, a ready-made community is there to help you learn how to use it.

It includes Volatility (for memory analysis), Autopsy and The Sleuth Kit, and bulk_extractor (for hard drive and smartphone image analysis), along with dozens more. Why do you need so many different tools? Mainly because each is highly specialized and does a different job.
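To make concrete what two of those specialized jobs look like, here is an added Python example (my own illustration, not code from SIFT, bulk_extractor, Autopsy or the article): it records acquisition hashes for an image and then carves email addresses and URLs straight out of the raw bytes, the way bulk_extractor does, without parsing any file system. The "image" is a constructed 4 KiB buffer with artifacts planted at known offsets, and every function name here is this example's own.

```python
import hashlib
import re

# Constructed stand-in for a raw disk image: 4 KiB of zero filler with a few
# artifacts placed at known offsets, as they might survive in unallocated
# space. Not a real image and not bulk_extractor's own test data.
def build_sample_image() -> bytes:
    image = bytearray(4096)
    for offset, blob in (
        (100, b"From: alice@example.org\r\n"),
        (1500, b"GET http://intranet.example.test/login?user=bob HTTP/1.1"),
        (3000, b"bob.smith@example.org"),
    ):
        image[offset:offset + len(blob)] = blob
    return bytes(image)

# Byte-level patterns; scanning raw bytes means no file-system parsing is
# needed, so artifacts in slack or unallocated space are still found.
FEATURE_PATTERNS = {
    "email": re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "url": re.compile(rb"https?://[^\s\x00\"'<>]+"),
}

def hash_image(data: bytes) -> dict:
    """Acquisition hashes, recorded before any analysis touches the image."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha256")}

def verify_image(data: bytes, expected_sha256: str) -> bool:
    """Re-hash and compare, e.g. at the start and end of an examination session."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.lower()

def scan_features(data: bytes) -> list:
    """Return (offset, kind, value) for every feature found, ordered by offset."""
    found = []
    for kind, pattern in FEATURE_PATTERNS.items():
        for match in pattern.finditer(data):
            found.append((match.start(), kind, match.group().decode("ascii", "replace")))
    return sorted(found)

def domain_histogram(features: list) -> dict:
    """Count email addresses per domain, in the spirit of bulk_extractor's email histogram."""
    counts = {}
    for _, kind, value in features:
        if kind == "email":
            domain = value.rsplit("@", 1)[1].lower()
            counts[domain] = counts.get(domain, 0) + 1
    return counts

if __name__ == "__main__":
    image = build_sample_image()
    hashes = hash_image(image)
    print("sha256:", hashes["sha256"])
    for offset, kind, value in scan_features(image):
        print(f"{offset:#010x}  {kind:<6} {value}")
    print(domain_histogram(scan_features(image)))
    print("integrity ok:", verify_image(image, hashes["sha256"]))
```

The script holds the whole image in memory, which is fine for a demonstration; the real tools stream through multi-gigabyte images in chunks and also handle compressed and encoded regions, which is exactly why you reach for bulk_extractor rather than rolling your own.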
