Building your forensic analysis toolset

A solid toolset is at the core of any successful digital forensics program. Although every toolset is different depending on an organization's needs, some categories should be in all forensics toolkits. Two near encyclopedic sources provide listings of these tools:

• The Forensics Wiki, a huge collection of resources that includes tools, techniques, links to forensics researchers and other reference materials. It is maintained by an independent editorial staff.
• Brett Shaver's DFIR Training website is a comprehensive listing of tools and training resources for examiners and incident responders.

As you look through these tools, it can be overwhelming to pick the right products. I have partitioned them into five categories: overall analysis suites, disk imagers, live CDs, network analysis tools, e-discovery and specialized tools for email and mobile analysis. I have also indicated where free or limited-time evaluation tools are available.

Getting started with forensic suites

The first place to start is to download the SANS Investigative Forensic Toolkit (SIFT). It is a suite of more than a dozen different tools, chosen because they serve specific purposes. It has been assembled by an international team of security experts, led by SANS instructor Robert Lee. Because SIFT is also used by several SANS courses, a ready-made community is there to help you learn how to use it.

It includes Volatility (for in-memory analysis), Autopsy + SleuthKit and bulk extractor tools (for hard drives and smartphone analysis), along with dozens more. Why do you need so many different tools? Mainly because they are very specialized and do different things.

Volatility examines the runtime state of an endpoint and allows an analyst to see what programs are residing in memory and how they are interacting with the rest of the system. It is owned by a non-profit foundation that runs annual contests to help spread the word about its use and encourage collaboration.

Autopsy and SleuthKit are used to examine what is stored on the hard drives of both smartphones and desktops. The former has a graphical interface; the latter uses a command line, but they work in tandem. They support a wide variety of operating system versions and disk file formats.

The bulk extractor was written by Simson Garfinkel and is used to find meaningful data across an entire hard drive, including compressed and encoded data and structured data (such as WIndows PE files). The tool can also examine data that is placed in between file boundaries, which is a popular tactic for malware writers to hide their mischief. 

This is a great starting place, plus the usual quality SANS support with seminars and forums to help you learn more. SIFT runs as a self-contained virtual machine (VM) on Ubuntu and is free. Many of its tools also come in Windows and Mac versions, if you want to run them separately.

Other suites are worth considering, too. Check with your existing endpoint security vendor to see what they offer in the way of forensics, since many of them incorporate these functions as part of their threat hunting activities. For example, FireEye has its Redline, which has both memory and file analysis modules and is free. It runs on various Windows versions since XP. Guidance Software has its EnCase Forensic tool, which is fee-based. It comes with various integrated workflows and reporting features, and is a favorite of many consultants.

Disk imaging tools

Besides a general suite, you should also consider several other special-purpose tools. The first type of tool you'll want to look at are called disk imaging. If you are familiar with backup products that create ISO files or other bootable images (such as Symantec's Ghost), you have the right idea of what these accomplish.

Why would you need disk imaging? In many cases, you want to preserve the state of a PC or a phone before you begin any examination. This is especially important if you seek legal action based on what you find on that device. Forensic examiners create image copies so they don't have to worry about damaging the file system as they perform their analysis. Having these tools is also useful because you don't have to search for the exact OS version that your target system is running, too.

Popular imaging tools include MacQuistion (for Macintosh systems) and OSFClone. PSIClone is an example of specialized piece of hardware that can image a variety of disk drives and formats, which is useful if you are processing many disk drives. 

Network analyzers

A second kind of tool is useful to examine what is going on across your network. The first step is to collect the actual packets transmitted, so you can analyze what is happening later or replay the traffic and see the effects on your routers and endpoints. Two of the more popular open-source packet capture products are Wireshark (free on both Windows and MacOS) and SolarWinds (Windows, free 30-day trial).

Once you have your traffic captured, you can then use this data as the basis for your analysis on other tools. Snort sells a popular intrusion prevention system (free on both Windows and various Linux versions) and Xplico (free for Ubuntu), which will take your capture file and extract useful forensic information about your applications and visualize what is going on across your network. There are also other tools that focus more on detecting rogue WiFi access points, such as Kismet (free on both MacOS and Linux) and NetStumbler (free for Windows).

Live CDs

A third type of tool is called a live CD. This is a bootable utility, typically running a stripped-down version of Linux. Many of these come as part of the basic analyst workstation and usually include a variety of forensic utilities as part of the package. Using a live CD is helpful where you are trying to preserve evidence and perform certain e-discovery or legal-related tasks, and where you don't want to boot up your subject machine using its regular Windows or Mac OS for your investigation. The two most popular tools are:

Paladin Suite, which has a suggested price of $25

Computer Aided Investigative Environment (CAINE) Suite, which is free.

Both include the Autopsy tool, along with numerous other forensic analysis.

E-discovery

These tools are used primarily for analyzing caches of documents in various legal situations, such as searching through public records, investigating email correspondence, and correlating data across cloud and local storage repositories. The gold standard here is from Logikcull. It has a free trial version that uses sample data so you can understand its interface, and the paid versions start at $40 per gigabyte per month for unlimited users. It will cost more if you want training and support.

Specialty tools

These tools are used for specialized purposes, mainly for e-discovery and law enforcement situations. For example, MailXaminer (both free and paid versions) can recognize a variety of email formats and analyze correspondence into what it calls a "concordance" of your entire email database that is easily searchable and contains message metadata. It also has plug-ins that work with EnCase.

Another set of tools come from Cellebrite, which is the go-to vendor for examining smartphones and used by many law enforcement agencies.This is the gold standard for mobile analysis, and it offers both Analytics and Cloud Analyzer for free 30-day trials. These tools can cost $10,000 or more for annual licenses.

The world of digital forensics covers a broad spectrum and involves numerous activities, skills and tools. Assembling your own analysis workbench will take time to get comfortable with the different products and to learn their operations and quirks, overlapping functions and gaps in coverage.

If you get frustrated with one product, remember that there are many others that might be better suited for the particular task at hand or that could appeal to your working style and skill level. Also understand your own biases: If you are approaching forensics from a network perspective, you might need some help in understanding desktop or mobile operations, and vice-versa. If you are a Windows-centric person, look at what can be accomplished using Linux-based tools. Part of conducting your investigations means filling in the gaps of your own knowledge, as well as searching for what hidden meanings you are trying to find in the captured data.