by Ken Pryor
A few years ago when I was first starting to learn about forensics, I requested a license for the ILook program, which was free to law enforcement at the time. I never got comfortable with the software and never wound up using it on a case. I always thought I’d get some training, but before that could happen the free ILook went the way of the Dodo and I had to find something else to learn with.
After completing the NW3C courses I described in the last post, I felt like I had a better idea of the types of software tools I needed. Cruising around the net and reading what others had to say on the various forums and blogs helped immensely. I strongly encourage those just getting started to stay up with those resources. The tools I describe below are ones I personally use(d). Other free tools besides these are out there and I have linked to a list of them later in this post.
A collection of tools I learned about early on was The Sleuth Kit (TSK). TSK is, to me anyway, the king of free forensics software packages. It is currently at version 3.2 and is continually maintained by Brian Carrier. Most any investigation you perform can involve this collection of programs, which includes file system and volume tools. From the Sleuth Kit features page: “Because the tools do not rely on the operating system to process the file systems, deleted and hidden content is shown. It runs on Windows and Unix platforms.” TSK has more capabilities than can be covered in a single blog post, so I hope you’ll check it out, read the docs and test it for yourself.
TSK is used extensively in the SANS Computer Forensic Investigation and Incident Response course, and that was where I became most familiar with it. Another resource is Barry Grundy’s LinuxLEO website. Barry not only provides a well-written, informative guide to using Linux and TSK in forensics, he also has training materials available for download so you can actually perform the exercises in the guide. His work was a huge benefit to me as I was getting started and I still refer to parts of it today. The most recent guide is two years old as of this post, but it still contains very relevant and helpful information.
The Autopsy browser is a nice, free add-on for the Sleuth Kit. If you don’t like working at the command line, Autopsy may be your answer. There is no direct support for using Autopsy in Windows, so you’ll have to use a Unix based OS or other work-arounds suggested on the site.
A newer entry on the scene for graphically working with TSK is the PTK browser. Like Autopsy, it provides a graphical front-end for TSK, but does it using Ajax and provides a few more features. A free version is available for non-professional use as well as a commercial version. I’ve had somewhat mixed results with an older version of PTK with regards to stability, but have not tried it for quite some time.
If you’re looking for a graphical Windows solution to work with, but aren’t ready shell out the cash for a forensic package, I suggest you check out the free version of ProDiscover. ProDiscover Basic is available on the Technology Pathways website at the bottom of the linked page. It is a stripped down version of their commercial packages and provides a nice environment for doing some basic investigation work. For someone just learning, it may be just what you need.
If I was to pick a “co-king” of free tools, I would have to pick RegRipper. I use this tool on nearly every case. Created and maintained by Harlan Carvey, this tool parses the registry hive files and provides information that could make your case. It comes with both a GUI and a command line version. A large number of plug-ins are included with the tool and more can be found on other sites to parse the registry files for the information you want. Not only that, you can also write your own plug-ins if you know Perl. If you do that, I hope you’ll share your creations with the community. It’s through such sharing that tools like this can continue to grow and help everyone. Harlan also maintains a large list of free tools on his blog.
Mark McKinnon, one of the co-authors of the Case Leads articles on this blog, is also the owner of Redwolf Computer Forensics. Mark creates some excellent software, both free and commercial. His commercial Drive Prophet software is a tool I frequently use in my work and his free software tools are some of my favorites, too. His Internet browser investigation software provides great information, as do his Prefetch and Recycle Bin tools. I have tested most of Mark’s free tools and found them to be of high quality
David Kovar offers his AnalyzeMFT software for free. It does an excellent job of parsing the Master File Table and providing you with a complete report on its contents. David says his inspiration to create the tool was MFT Ripper by Mark Menz, which is another fine MFT parser. MFT Ripper offers both a free basic version as well as a low cost professional edition. Both produce similar reports and both are quite useful.
If you don’t want to deal with downloading and installing everything, here’s another idea. Go to the SANS Computer Forensics and Incident Response site and download the SANS SIFT Kit, in which you’ll find pretty much everything you’ll need to perform an investigation. The SIFT is available as a VMWare image (also works in VirtualBox) and as a live CD iso. The SIFT Kit includes the Sleuth Kit, Autopsy, PTK, RegRipper, AnalyzeMFT and much, much more. If you are looking for a single, forensic toolkit for learning and real world application, SIFT is your solution. Rob Lee created the SIFT and actively maintains and upgrades it.
As you can see, there are a plethora of free and low cost forensic tools out there for your use. Don’t get hung up on the fact they are free, all are excellent choices and would be worth paying for. The thing to remember is that the most important forensic tool you have is your brain. These software tools provide you with the information you ask for, nothing more. It’s up to you to analyze and understand the information produced with these tools.
Ken Pryor is a police officer and GCFA with the Robinson, Illinois Police Department. He became a police officer in 1987 and has been working in the area of digital forensics since 2008. He can be contacted at firstname.lastname@example.org.
This article was originally published as a blog post on the SANS Computer Forensics website and is reprinted with kind permission.