Best Free Computer Forensic Tools and Operating Systems

Almost every day we learn of data leaks from individuals or companies to the Internet, either because of a bad configuration in the network and computer systems, or because a cybercriminal has managed to circumvent the security measures in place and has made off with a large amount of information that later ended up on the Internet. In this article we are going to talk about the best free tools for computer forensics, since when a security incident occurs it is essential to trace where it came from, what happened, and how to act so that it does not happen again.

Introduction to digital forensics

Digital forensics is a very important specialty within computer security. It is a set of techniques that allow information to be extracted from the disks and memory of a computer without altering their state. It is used to search for data, trying to detect a pattern or uncover information that is not in plain sight. In the event of any security incident, it is essential to perform a digital forensic analysis on all storage media, such as hard drives, SSDs, USB sticks and other types of internal and external storage.

Best Free Computer Forensic Tools

The work of a forensic computer expert has several stages, the first of which is the acquisition and preservation of a system's data, since it is essential to keep all the information in a safe place. Free and paid software tools are used for this, as well as hardware tools for disk cloning. At this stage it is very important to have an exact copy of the disks and to have access to the complete file system, analyzing in detail the file system itself, the documents, the internal operating system records and much more.

Then comes the phase of deep analysis of all the information, where the expert examines everything obtained in detail and tries to find out what happened in the system for it to have been exposed, and also how the attackers managed to get hold of the data. Today there are forensic suites that make this much easier, since we can search a large amount of information for exactly what we need. We can also perform activities such as recovering previously deleted files, since a great deal of information can be easily recovered as long as it has not been overwritten.

Although at first one might think that digital forensic analysis is limited to computers, mobile devices such as smartphones and tablets, and similar equipment, the truth is that it also extends to the data we send and transmit over wired and wireless networks, so it is very important to have tools of this type.

If we want to fight cybercrime and protect the digital assets we have on the Internet, the best way to do it is with computer forensics. Thanks to the tools we are about to list, we will be able to obtain and analyze this important evidence from the different electronic devices and data storage media.

Next, we present a complete list of forensic tools: both operating systems oriented to computer forensics and the tools that are bundled into those operating systems.

Complete operating systems oriented to computer forensics

Currently there are all-in-one operating systems that ship with the vast majority of the computer forensic tools we will see below. If you are thinking of conducting a forensic analysis and you do not have an all-in-one operating system built with your own tools, these operating systems let you get started quickly.

CAINE

CAINE is a complete operating system specifically oriented to computer forensics. It is based on Linux and incorporates the vast majority of the tools we will need to perform a complete forensic analysis. It has a graphical user interface and is very easy to use, although of course you will need the appropriate knowledge to use each and every one of its tools.

CAINE can be used in LiveCD mode without touching the storage of the computer where we boot it; in this way, all the information on the hard disk remains intact so that a copy of all of it can be made later. Among the tools included with CAINE we have the following: The Sleuth Kit, Autopsy, RegRipper, Wireshark, PhotoRec, fsstat and many others.

A very important aspect of CAINE is that it also includes tools that can be run directly on Windows operating systems, so if we download the ISO image and extract its content, we can access the Windows software it bundles without having to boot the LiveCD or use a virtual machine. Some of the tools for Windows that we have available are: Nirsoft suite + launcher, WinAudit, MWSnap, Arsenal Image Mounter, FTK Imager, Hex Editor, JpegView, Network tools, NTFS Journal viewer, Photorec & TestDisk, QuickHash, NBTempoW, USB Write Protector, VLC and Windows File Analyzer.

Kali Linux

Kali Linux is one of the most widely used security-related operating systems, both for pentesting and for computer forensics, since it comes with a large number of pre-installed and configured tools so that a forensic analysis can be started as soon as possible.

This operating system not only includes a large number of forensic tools, it also has a specific Live mode for forensic analysis in which it writes nothing at all to the hard drive or internal storage of the computer. In this mode it also prevents removable storage devices from being mounted automatically when they are plugged in; we have to mount them manually ourselves.

DEFT Linux and DEFT Zero

The DEFT Linux operating system is also specifically oriented to forensic analysis. It incorporates the vast majority of the CAINE and Kali Linux tools and is one more alternative that we have available. The most remarkable thing about DEFT is that it has a large number of forensic tools ready to use.

DEFT Zero is a much lighter, reduced version of DEFT. It is oriented to exactly the same tasks, but needs fewer resources to run without problems; in addition, it is compatible with both 32-bit and 64-bit systems, as well as UEFI systems.

Free Forensic Analysis Tools

Now that we have seen the forensics-oriented operating systems, we are going to look at different free tools for performing forensic tasks. All the tools we are going to show you are completely free and, in fact, they are included in the Linux distributions we have just described.

Autopsy and The Sleuth Kit

Autopsy is one of the most widely used and recommended tools. It gathers many open source programs and plugins into a single interface, acting as a front end to a library of Unix- and Windows-based utilities, which greatly facilitates the forensic analysis of computer systems.

Autopsy is a graphical user interface that displays forensic search results. This tool is widely used by police, the military and companies when they want to investigate what has happened on a computer.

One of its most interesting aspects is that it is extensible, meaning that users can add new plugins easily and quickly. It incorporates some tools by default, such as PhotoRec to recover files, and it even allows EXIF information to be extracted from images and videos.

As for The Sleuth Kit, it is a collection of command-line tools for investigating and analyzing the volume and file systems encountered in digital forensic investigations. Thanks to its modular design, it can be used to extract the right data and find evidence. It runs on Linux, Windows and other Unix platforms.

Magnet Encrypted Disk Detector

This tool works from the command line and checks, quickly and non-intrusively, whether encrypted volumes exist on a computer, so that we can later try to access them with other tools. The latest version available is 3.0, and Windows 7 or higher is recommended. It allows us to detect physical disks encrypted with TrueCrypt, PGP, VeraCrypt, SafeBoot or Microsoft's BitLocker. Magnet Encrypted Disk Detector is completely free, but we will need to register on its official website to download it.

Magnet RAM Capture and RAM Capturer

Magnet RAM Capture is a tool designed to acquire the physical memory of the computer on which it is run. With it, we can recover and analyze very valuable data that is held in RAM rather than on a hard drive or SSD. In certain cases we may have to look for evidence directly in RAM, and we must remember that RAM is volatile and is wiped every time the computer is turned off.

What can we find in RAM? Processes, programs running on the system, network connections, evidence of malware, user credentials and much more. This tool lets you export the raw, unprocessed memory data so that it can later be loaded into other tools specifically designed to analyze it. This software is also free.

Another similar tool is RAM Capturer, which dumps the contents of a computer's RAM to a hard disk, pendrive or other removable storage device. This tool gives us access to the user credentials of encrypted volumes such as TrueCrypt, BitLocker or PGP Disk, as well as account login credentials for many webmail and social media services, since all this information is usually held in RAM.

Magnet Process Capture

MAGNET Process Capture is a free tool that allows us to capture the memory of individual processes on a system; that is, if we need to know what data a particular process of our operating system is using, we can find out with this tool.

Magnet Web Page Saver and FAW

MAGNET Web Page Saver is an alternative to the previous tool and is kept up to date, so we get all the latest improvements. It is perfect for capturing how a web page looks at a given moment, which is especially useful when we want to show a site but do not have an Internet connection. It captures each page, we can specify the URLs manually or import them from a text or CSV file, and we can easily browse the downloaded site.

FAW, or Forensics Acquisition of Websites, is a tool that allows us to download complete web pages for subsequent forensic analysis. Its requirements are very basic, so you can run it without problems, and with it we can acquire evidence from web pages easily and quickly. Other interesting features are that we can decide which area of the site we want to analyze, we can capture the images and the HTML source code, and it can even be integrated with Wireshark.

SIFT

SIFT, which stands for SANS Investigative Forensic Toolkit, is a complete suite of forensic tools and one of the most popular open source incident response platforms. As for operating systems, a version is available for use in virtual machines based on 64-bit Ubuntu 16.04 LTS. This version has undergone important changes, such as better memory usage, automatic updates of the DFIR packages for incident response, the latest forensic and technical tools, and cross-availability between Linux and Windows.

This suite is a really interesting and recommended all-in-one. All the tools are free, and they are designed to perform detailed digital forensic examinations in a wide variety of situations. One of its most remarkable aspects is that it is updated very frequently.

Volatility is another open source memory forensics application for incident response and malware analysis, and it is built into SIFT. It enables investigators to analyze the runtime state of a device by reading its RAM. Volatility does not receive many updates, but the framework is really powerful and is still maintained.

We recommend you access its official website where you will find all the details about this great tool.

Programs for hashing and checking integrity

HashMyFiles will help you calculate MD5 and SHA1 hashes and works on almost all Windows operating systems. It is one of the most widely used tools for calculating these hashes and guaranteeing the integrity of files: if even a single bit of a file changes, its hash changes completely. There are many other programs of this kind for both Windows and Linux; to name a few, on Windows we also have IgorWare Hasher, HashCheck, HashTools and many others, while on Linux md5sum and sha1sum are installed by default as part of the operating system itself.
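As an added example (not code from the original article or from any of the tools it names), the following Python shows the integrity workflow these programs automate: hashing an acquired image in a single streaming pass, writing and re-reading a manifest in the same `<hex>  <name>` layout that md5sum/sha1sum/sha256sum use with `-c`, and demonstrating that flipping one bit changes the digest completely. The file name `evidence.dd` and the sample bytes are constructed for the demo.

```python
import hashlib
import io

CHUNK_SIZE = 1024 * 1024  # read images in 1 MiB pieces instead of loading a multi-GB file into memory


def hash_stream(stream, algorithms=("md5", "sha1", "sha256")):
    """Compute several digests of a binary stream in one pass; returns {algorithm: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=("md5", "sha1", "sha256")):
    """Convenience wrapper for in-memory data (used by the demo and the tests)."""
    return hash_stream(io.BytesIO(data), algorithms)


def hash_file(path, algorithms=("md5", "sha1", "sha256")):
    """Same as hash_stream, for an image on disk (e.g. an acquired evidence.dd)."""
    with open(path, "rb") as f:
        return hash_stream(f, algorithms)


def manifest_lines(digests_by_name):
    """Produce '<hex>  <name>' lines, the layout md5sum/sha1sum/sha256sum write and accept with -c."""
    return "".join(f"{digest}  {name}\n" for name, digest in sorted(digests_by_name.items()))


def parse_manifest(text):
    """Read an md5sum-style manifest back into {name: hexdigest}; blank lines and comments are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        if not sep:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[name.lstrip("*")] = digest.lower()  # '*' marks binary mode in some md5sum builds
    return entries


def verify(expected, actual):
    """Compare manifest digests with freshly computed ones; returns the names that do not match."""
    return sorted(name for name, digest in expected.items() if actual.get(name) != digest)


def flip_bit(data, byte_index, bit=0):
    """Return a copy of data with exactly one bit toggled, to show the avalanche effect."""
    mutated = bytearray(data)
    mutated[byte_index] ^= 1 << bit
    return bytes(mutated)


def demo():
    """Constructed sample 'image': one flipped bit makes the manifest check fail."""
    image = b"constructed sample evidence, not a real disk image" * 1000
    original = hash_bytes(image)["sha256"]
    tampered = hash_bytes(flip_bit(image, 12345, 3))["sha256"]
    manifest = parse_manifest(manifest_lines({"evidence.dd": original}))
    return original != tampered, verify(manifest, {"evidence.dd": tampered})
```

`demo()` returns `(True, ['evidence.dd'])`: the digest changed and the manifest check names the altered image.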

CrowdResponse

CrowdResponse is a Windows application from CrowdStrike that collects information from the operating system in order to respond to incidents and to any compromise of the system's security. The program is portable and needs no installation; all modules are integrated into the main application, and no external third-party tools are required.

CrowdResponse is ideal for non-intrusive data collection from multiple systems when deployed on the network. It also includes other useful tools for investigators, such as Shellshock Scanner, which scans your network for the Shellshock vulnerability, and much more.

Exiftool

Images and videos carry EXIF data with all the file's metadata, and this free tool will help you read, write and edit meta-information for many file types. It can read EXIF, GPS, IPTC, XMP, JFIF, GeoTIFF, Photoshop IRB, FlashPix and more. It runs directly without installation, is portable, and is available for both Windows and macOS.

This tool is a standalone Perl library plus command line application for reading, writing, and editing meta-information in a wide variety of formats.

As you can see, it supports many different metadata formats. Among its features, it can geotag images from GPS track log files, with time drift correction, and it can also generate track logs from geotagged images.

This tool is one of the most complete to see all the metadata of an image.

Browser History Capturer (BHC) and Browser History Viewer (BHV)

Browser History Capturer lets us capture the web browsing history of any Windows operating system; afterwards we can use Browser History Viewer (BHV), a forensic software tool to extract and view the Internet history of the main desktop web browsers.

Both are available for free. These tools can be run from a USB stick, and what they basically do is capture the history of the main browsers: Chrome, Edge, Firefox and Internet Explorer. The history files are copied to a destination in their original format for further processing.

Paladin Forensic Suite

Paladin is an Ubuntu-based tool that simplifies the task of computer forensics. The suite includes a large number of tools for different tasks; the most remarkable thing is that it incorporates more than 100 very useful tools for investigating computer incidents. Thanks to Paladin, we can simplify and speed up forensic tasks. The software has a graphical user interface and does not require the use of command-line commands, which makes it much easier to use.

FTK Imager

FTK Imager is a forensic tool for Windows systems that lets us preview recoverable data from a disk of any type. It can also create exact copies, called forensic images, of that data. Among its additional functions, the ability to create hash files and to mount disk images that have already been created are other important advantages worth mentioning.

At first glance AccessData FTK Imager looks like a very professional tool created only for advanced computer forensics experts. However, it is actually easier to use than it looks and could be used by many more people.

Bulk_extractor

Bulk_extractor is a computer forensic tool that scans a disk image, a file or a directory of files. The results can be easily inspected and analyzed with automated tools. One notable aspect is that this tool is very fast compared with similar programs, because it ignores the structure of the file system and can therefore process different parts of the disk in parallel.
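As an added example (not bulk_extractor's own code, nor from the original article), this Python sketch shows the approach described above in miniature: a raw image is split into independent chunks that are scanned in parallel for a feature pattern (here e-mail addresses) without any file-system parsing, and the chunk boundary is handled with an overlap so that an address straddling two chunks is neither missed nor reported twice. The chunk size, overlap and the constructed sample image are assumptions for the demo.

```python
import re
from concurrent.futures import ThreadPoolExecutor

# Feature to carve: e-mail addresses, one of the feature types bulk_extractor itself reports.
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
LOCAL_PART_BYTE = re.compile(rb"[A-Za-z0-9._%+-]")
CHUNK = 4096   # bytes handed to each worker (tiny for the demo; real carvers use megabytes)
OVERLAP = 256  # assumed longest feature; lets a match that straddles two chunks be read whole


def scan_chunk(image, start):
    """Scan one chunk plus its overlap into the next; report only matches that begin in this chunk."""
    window_end = min(len(image), start + CHUNK + OVERLAP)
    found = []
    for m in EMAIL_RE.finditer(image, start, window_end):
        if m.start() >= start + CHUNK:
            break  # begins in the next chunk; that worker reports it
        # Boundary edge case: a match starting exactly at `start` may be the tail of a feature the
        # previous chunk already reported whole (e.g. "mith@corp.example" cut from "bob.smith@...").
        if m.start() == start and start > 0 and LOCAL_PART_BYTE.match(image, start - 1):
            continue
        found.append((m.start(), m.group()))
    return found


def carve_emails(image, workers=4):
    """File-system-agnostic carve: chunks are independent, so they run in parallel and are merged."""
    starts = range(0, len(image), CHUNK)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        per_chunk = list(pool.map(lambda s: scan_chunk(image, s), starts))
    return sorted(hit for hits in per_chunk for hit in hits)


def build_sample_image():
    """Constructed 3-chunk 'disk image' (not real evidence) with one address across the 4096 boundary."""
    image = bytearray(3 * CHUNK)
    features = ((100, b"alice@example.com"), (CHUNK - 5, b"bob.smith@corp.example"), (9000, b"carol@test.org"))
    for offset, feature in features:
        image[offset:offset + len(feature)] = feature
    return bytes(image)
```

`carve_emails(build_sample_image())` yields the three addresses with their byte offsets, including `bob.smith@corp.example` at offset 4091 exactly once.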

LastActivityView

LastActivityView is a portable software tool for viewing the most recent activity recorded on your PC. One important aspect worth mentioning is that it will not write to the Windows registry. LastActivityView responds very quickly and is able to show activity that took place before it was first run; in addition, it uses very little CPU and RAM, so it will not affect the overall performance of your computer. Its low resource consumption is a real plus.

FireEye RedLine

FireEye RedLine is an endpoint security tool that gives users host investigation capabilities to find signs of malicious activity through memory and file analysis. In this case it should be noted that it is available on OS X and Linux.

Its main features include auditing and collecting all running processes and drivers from memory, file system metadata, registry data, event logs, network information, services, tasks and web history. Its in-depth analysis is also very useful, because it allows the user to establish the timeline and scope of an incident.

Wireshark and Network Miner

Wireshark is currently one of the best network protocol analyzers available. It is the best known and most widely used, cross-platform (Windows, Linux, FreeBSD and more) and, of course, completely free. We have discussed this important tool on many occasions: with it we can carry out a complete forensic analysis of the local network, sniffing all the packets for later study. Wireshark allows deep inspection of every captured packet and has a graphical user interface that presents everything in detail, organized by layer (physical, link, network, transport and application). The information Wireshark captures can also be examined with TShark from the command line. The most remarkable feature of Wireshark is its filters, which let us reduce a large capture to only the traffic we are interested in.

Network Miner is very similar to Wireshark: it is a network forensic analyzer for Windows, Linux and Mac OS X. It is used to detect operating systems, hostnames and sessions, and to see which IP addresses and ports appear in the captured data. Network Miner can analyze and even capture packets travelling over the network, detecting the operating systems of the computers on the network, open ports and much more.

These two tools will also let us obtain user credentials, digital certificates and plaintext information, and even decrypt communications if we crack them or have the decryption key. Network Miner has a free version, but also a paid version that unlocks all the advanced functionality, such as operating system detection, IP geolocation and much more.