Feb 15 2024

5 free digital forensics tools to boost your investigations

Category: Forensics, Security Tools | disc7 @ 2:19 pm

Digital forensics plays a crucial role in analyzing and addressing cyberattacks, and it’s a key component of incident response. Additionally, digital forensics provides vital information for auditors, legal teams, and law enforcement agencies in the aftermath of an attack.

Many cutting-edge digital forensics tools are on the market, but for those who cannot afford them, here’s a list of great free solutions to get you started.

Autopsy

Autopsy is an open-source digital forensics platform, built on The Sleuth Kit, that is widely used by law enforcement agencies, military personnel, and corporate investigators to examine and understand what happened on a computer. Although Autopsy is designed to be cross-platform, the latest version is fully functional and tested only on Windows.


bulk_extractor

bulk_extractor is a high-speed digital forensics tool. It scans inputs such as disk images, files, and directories and extracts structured features like email addresses, credit card numbers, JPEG images, and JSON fragments. It does this by scanning raw bytes rather than parsing the file system, so it also works on unallocated space, damaged volumes, and memory dumps. The extracted features are saved in text files that can be examined, searched, or fed into further forensic work.
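To show what "scanning raw bytes without parsing the file system" means in practice, here is an added example (written for this page, not bulk_extractor's own code) of a miniature feature scanner. It walks a constructed byte blob standing in for a disk image or a .mem dump, pulls out email addresses, Luhn-valid credit card numbers and JPEG headers, and writes bulk_extractor-style feature files (offset, feature, context, one per line) plus a histogram. The sample bytes, the output directory name and the feature-file layout are assumptions of this example.

```python
import re
from collections import Counter, defaultdict
from pathlib import Path

# Constructed input that stands in for a raw disk image or .mem dump: no
# file-system structure, just interesting strings scattered among binary noise.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"From: alice@example.com\r\nTo: bob@example.org\r\n"
    + b"\xff\xd8\xff\xe0" + b"\x00" * 8           # start of an embedded JPEG
    + b"card=4111111111111111&exp=12/27"          # test number, passes Luhn
    + b"\xde\xad\xbe\xef" * 2
    + b"id=1234567812345678"                      # 16 digits, fails Luhn
    + b"junk alice@example.com junk"              # repeated feature
    + b"\x00" * 16
)

EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
CCN_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")
JPEG_MAGIC = b"\xff\xd8\xff"


def luhn_ok(digits: bytes) -> bool:
    """Luhn checksum; bulk_extractor applies the same filter to cut false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 0x30
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def printable(ctx: bytes) -> str:
    """Escape non-printable bytes so the context column stays one line of text."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else f"\\x{b:02X}" for b in ctx)


def scan(image: bytes, context: int = 16) -> dict[str, list[tuple[int, bytes, str]]]:
    """Return {feature_type: [(offset, feature, context), ...]} from raw bytes."""
    found: dict[str, list[tuple[int, bytes, str]]] = defaultdict(list)

    def record(kind: str, start: int, end: int) -> None:
        ctx = image[max(0, start - context):end + context]
        found[kind].append((start, image[start:end], printable(ctx)))

    for m in EMAIL_RE.finditer(image):
        record("email", m.start(), m.end())
    for m in CCN_RE.finditer(image):
        if luhn_ok(m.group()):               # digit runs that fail Luhn are dropped
            record("ccn", m.start(), m.end())
    pos = image.find(JPEG_MAGIC)
    while pos != -1:                          # a real carver would cut to the EOI marker
        record("jpeg_header", pos, pos + len(JPEG_MAGIC))
        pos = image.find(JPEG_MAGIC, pos + 1)
    return dict(found)


def histogram(records) -> Counter:
    """Feature -> count, the equivalent of a *_histogram.txt file."""
    return Counter(feature for _, feature, _ in records)


def write_feature_files(found, outdir: Path) -> list[Path]:
    """Write one 'offset<TAB>feature<TAB>context' file per feature type."""
    outdir.mkdir(parents=True, exist_ok=True)
    written = []
    for kind, records in found.items():
        path = outdir / f"{kind}.txt"
        with path.open("w", encoding="utf-8") as fh:
            for offset, feature, ctx in records:
                fh.write(f"{offset}\t{feature.decode('ascii', 'replace')}\t{ctx}\n")
        written.append(path)
    return written


if __name__ == "__main__":
    results = scan(SAMPLE_IMAGE)
    for kind, records in results.items():
        print(kind, dict(histogram(records)))
    write_feature_files(results, Path("be_out"))   # assumed output directory
```

The offsets are byte offsets into the image, which is exactly what you need to go back to the evidence with a hex editor; the Luhn check is what keeps a random 16-digit identifier out of the credit card list.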

NetworkMiner

NetworkMiner is an open-source network forensics tool that extracts artifacts such as files, images, emails, and credentials from network traffic captured in PCAP files. It can also capture live traffic by sniffing a network interface. The free edition is open source; a paid Professional edition from the same vendor adds further features.

Velociraptor

Velociraptor is an open-source digital forensics and incident response tool designed to give you insight into endpoint activity. Using queries written in its own Velociraptor Query Language (VQL), it performs targeted collection of forensic evidence across many endpoints at once, with speed and precision, at the press of a (few) buttons.


WinHex

WinHex, from X-Ways Software, is a versatile hexadecimal editor that is especially useful for computer forensics, data recovery, low-level data processing, and IT security. It lets users inspect and modify files of any type, recover deleted files, and retrieve lost data from hard drives with damaged file systems or from digital camera cards. Note that WinHex is commercial software: the evaluation version is free but restricted, and full functionality requires a paid licence.


Learn Computer Forensics: Your one-stop guide to searching, analyzing, acquiring, and securing digital evidence

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Forensics Tools


Sep 18 2023

Mobile Verification Toolkit: Forensic analysis of Android and iOS devices to identify compromise

Category: Forensics, Mobile Security, Security Tools | disc7 @ 8:53 am

Mobile Verification Toolkit (MVT) is a collection of utilities to simplify and automate the process of gathering forensic traces helpful to identify a potential compromise of Android and iOS devices.

MVT supports using public indicators of compromise (IOCs) to scan mobile devices for potential traces of targeting or infection by known spyware campaigns. MVT is a forensic research tool intended for technologists and investigators. Using it requires understanding the basics of forensic analysis and using command-line tools. MVT is not intended for end-user self-assessment.

It was developed and released by the Amnesty International Security Lab in July 2021 in the context of the Pegasus Project, along with a technical forensic methodology. It continues to be maintained by Amnesty International and other contributors.

Mobile Verification Toolkit key features

MVT’s capabilities are continuously evolving, but some of its key features include:

  • Decrypt encrypted iOS backups.
  • Process and parse records from numerous iOS system and app databases, logs, and system analytics.
  • Extract installed applications from Android devices.
  • Extract diagnostic information from Android devices through the adb protocol.
  • Compare extracted records to a provided list of malicious indicators in STIX2 format.
  • Generate JSON logs of extracted records and separate JSON logs of all detected malicious traces.
  • Generate a unified chronological timeline of extracted records, along with a timeline of all detected malicious traces.
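The last three features (matching extracted records against STIX2 indicators, emitting JSON logs, and building a chronological timeline) are easier to understand with a worked example. The block below is added here and is not MVT's own code: it reads a constructed STIX2 bundle with domain and process-name indicators, checks a few constructed records (as if parsed from an iOS backup and an Android adb pull) against them, and writes the four JSON outputs. The indicator values, record shapes, and output file names are assumptions of this example; the domains are reserved example names, not real IOCs.

```python
import json
import re
from datetime import datetime, timezone
from pathlib import Path
from urllib.parse import urlparse

# Constructed STIX2 bundle in the shape MVT consumes: indicator objects whose
# patterns are simple equality comparisons. Domains are reserved example names.
STIX2_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "name": "Example spyware C2 domain",
         "pattern": "[domain-name:value = 'c2.bad.example']"},
        {"type": "indicator", "name": "Example spyware process",
         "pattern": "[process:name = 'bh']"},
        {"type": "malware", "name": "Example spyware"},   # not an indicator, skipped
    ],
}

# Constructed records, as if parsed from an iOS backup and an Android adb pull.
RECORDS = [
    {"timestamp": "2021-07-18T09:15:02Z", "module": "SafariHistory",
     "url": "https://sub.c2.bad.example/track?id=1"},
    {"timestamp": "2021-07-17T22:01:45Z", "module": "Processes", "proc_name": "bh"},
    {"timestamp": "2021-07-18T08:00:00Z", "module": "SafariHistory",
     "url": "https://www.example.com/news"},
]

PATTERN_RE = re.compile(r"^\[([a-z0-9-]+):([a-z_.]+)\s*=\s*'([^']*)'\]$")


def load_iocs(bundle: dict) -> dict[str, set[str]]:
    """Pull domain and process-name indicators out of a STIX2 bundle."""
    iocs: dict[str, set[str]] = {"domains": set(), "processes": set()}
    for obj in bundle["objects"]:
        if obj.get("type") != "indicator":
            continue
        m = PATTERN_RE.match(obj["pattern"])
        if not m:
            continue                      # pattern form this example does not model
        stix_type, prop, value = m.groups()
        if (stix_type, prop) == ("domain-name", "value"):
            iocs["domains"].add(value.lower())
        elif (stix_type, prop) == ("process", "name"):
            iocs["processes"].add(value)
    return iocs


def domain_matches(host: str, domains: set[str]) -> bool:
    """True if host equals an IOC domain or is a subdomain of one."""
    labels = host.lower().split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def check_records(records: list[dict], iocs: dict[str, set[str]]) -> list[dict]:
    """Return copies of the records that hit an indicator, tagged with the match."""
    detected = []
    for rec in records:
        match = None
        if "url" in rec:
            host = urlparse(rec["url"]).hostname or ""
            if domain_matches(host, iocs["domains"]):
                match = f"domain:{host}"
        elif rec.get("proc_name") in iocs["processes"]:
            match = f"process:{rec['proc_name']}"
        if match:
            detected.append({**rec, "matched_indicator": match})
    return detected


def timeline(records: list[dict]) -> list[dict]:
    """Order records chronologically (timestamps are UTC ISO 8601 with a Z suffix)."""
    def key(rec):
        return datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return sorted(records, key=key)


def write_results(outdir: Path, records: list[dict], detected: list[dict]) -> None:
    """Write JSON logs of all records, of detections, and a timeline of each."""
    outdir.mkdir(parents=True, exist_ok=True)
    (outdir / "records.json").write_text(json.dumps(records, indent=2))
    (outdir / "detected.json").write_text(json.dumps(detected, indent=2))
    (outdir / "timeline.json").write_text(json.dumps(timeline(records), indent=2))
    (outdir / "timeline_detected.json").write_text(json.dumps(timeline(detected), indent=2))


if __name__ == "__main__":
    iocs = load_iocs(STIX2_BUNDLE)
    hits = check_records(RECORDS, iocs)
    write_results(Path("mvt_example_out"), RECORDS, hits)   # assumed output directory
    for rec in timeline(hits):
        print(rec["timestamp"], rec["module"], rec["matched_indicator"])
```

Two details matter in practice: the domain match walks up the label hierarchy so a tracking subdomain of a listed C2 domain still hits, and the timeline is sorted on parsed UTC timestamps rather than on the strings, so records from different modules interleave correctly.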

Mobile Verification Toolkit is available for download on GitHub. The developers do not want MVT to enable privacy violations against non-consenting individuals, so MVT is released under its own license (an adaptation of the Mozilla Public License 2.0) that permits use only for consensual forensic analysis.

Mobile Forensics Investigation: A Guide to Evidence Collection, Analysis, and Presentation


Tags: Mobile Verification Toolkit


Aug 27 2023

Windows Forensic

Category: Forensics, Information Security | disc7 @ 4:09 pm

Windows forensics is the practice of conducting forensic investigations of systems that run Windows operating systems. It covers incident response analysis, data recovery, and the auditing of equipment used to carry out criminal activity.

Malware Forensics Field Guide for Windows Systems: Digital Forensics Field Guides

Digital Forensics and Incident Response: Incident response tools and techniques for effective cyber threat response

Windows event log analysis and incident response guide

Diving Deeper Into Windows Event logs for Security Operation Center (SOC) – Guide


Tags: Digital Forensics, Malware Forensics, Windows Forensic


Feb 10 2023

Live Cyber Forensics Analysis with Computer Volatile Memory

Category: Forensics | DISC @ 10:28 am

Computer forensics analysis involves identifying, extracting, documenting, and preserving information that is stored or transmitted in electronic or magnetic form (that is, digital evidence).

Forensics Analysis – Volatile Data:

  • The data that is held in temporary storage in the system’s memory (including random access memory, cache memory, and the onboard memory of system peripherals such as the video card or NIC) is called volatile data because the memory is dependent on electric power to hold its contents.
  • When the system is powered off or if power is disrupted, the data disappears.

How to Collect Volatile Data:

  • There are many tools for capturing volatile memory for live forensics or incident response. Here we use Belkasoft Live RAM Capturer.
  • After capturing the contents of RAM, we analyze the dump with Belkasoft Evidence Center Ultimate.

Acquisition of live Volatile Memory:

Run the tool as an administrator and start the capture. Launch it from removable media and write the dump to that media rather than to the suspect machine's own disk, so that the capture itself overwrites as little on-disk evidence as possible.

Belkasoft RAM Capture

Dump File Format:

After a successful capture of live RAM, the dump is saved as a file with the .mem extension.

Dumping File

Evidence File Analyser:

Belkasoft Evidence Center Ultimate is then used to analyze the captured volatile memory.

Evidence Analyzer

A forensic examiner or incident responder should record everything about the physical device: its appearance, the case number, the model number of the laptop or desktop, and so on.
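Alongside those device notes, the dump itself needs to be tied to the record so that anyone can later show the file analyzed is the file captured. The following added example (written for this page, not a Belkasoft tool or script) hashes the .mem file in a streaming pass, writes a JSON acquisition record that bundles the case number, device details and hashes, and re-verifies the dump against that record. The dump is a constructed stand-in written to a temporary directory; the case number, device fields and file names are assumptions of this example.

```python
import hashlib
import json
import os
from datetime import datetime, timezone
from pathlib import Path


def hash_file(path: Path, algorithms=("md5", "sha256"), chunk: int = 1 << 20) -> dict[str, str]:
    """Hash a (possibly multi-gigabyte) dump in a single streaming pass."""
    hashes = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashes.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashes.items()}


def make_acquisition_record(dump: Path, case_number: str, device: dict,
                            examiner: str, tool: str) -> dict:
    """Bundle the device notes the post asks for with the dump's size and hashes."""
    dump = Path(dump)
    return {
        "case_number": case_number,
        "examiner": examiner,
        "device": device,                      # appearance, make, model, serial ...
        "acquisition_tool": tool,
        "dump_file": dump.name,
        "dump_size_bytes": dump.stat().st_size,
        "hashes": hash_file(dump),
        "recorded_at_utc": datetime.now(timezone.utc).isoformat(),
    }


def save_record(record: dict, path: Path) -> None:
    """Write the record next to the dump as JSON."""
    Path(path).write_text(json.dumps(record, indent=2), encoding="utf-8")


def verify_dump(dump: Path, record: dict) -> bool:
    """Re-hash the dump and compare with the record; False means the evidence changed."""
    dump = Path(dump)
    return dump.stat().st_size == record["dump_size_bytes"] and hash_file(dump) == record["hashes"]


def write_constructed_dump(directory: Path, data: bytes = b"") -> Path:
    """Constructed stand-in for a real .mem capture so the example runs offline."""
    path = Path(directory) / "LAPTOP-01.mem"          # assumed file name
    path.write_bytes(data or os.urandom(4096))
    return path


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as workdir:
        dump = write_constructed_dump(workdir)
        record = make_acquisition_record(
            dump, "CASE-2023-0042",                    # assumed case number
            {"type": "laptop", "model": "Example-Model-1", "serial": "SN-EXAMPLE",
             "appearance": "silver, no visible damage"},
            "examiner name", "Belkasoft Live RAM Capturer",
        )
        save_record(record, Path(workdir) / "LAPTOP-01.mem.json")
        print(json.dumps(record, indent=2))
        print("integrity ok:", verify_dump(dump, record))
```

Run `verify_dump` again before analysis and before handing the image to anyone else; a mismatch means the dump was altered or truncated in transit and the acquisition must be documented as such.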

Data Storage

Click RAM Image and enter the path of the .mem file, the live RAM dump.

Malicious Activities on the Public website

In the above picture, the attacker is attempting SQL injection against a public website.

Anonymous Vpn

In the above figure, the attacker installed and ran an anonymous VPN client to hide the source IP address.

Mail Inbox

The attacker logged in to public webmail services, and the forensic examiner can now read inbox emails recovered from memory.

Recent File Accessed

Directory paths of the files the attacker last accessed. The forensic examiner should prioritize these paths when looking for suspicious files.

Pictures

Pictures recently downloaded from websites are recovered from the browser cache held in memory.

Many relatively new tools have been developed to recover and dissect the information that can be gleaned from volatile memory.

Memory forensics is a relatively new and fast-growing field, and many forensic analysts do not know about or take advantage of these assets.

Volatile memory may contain many pieces of information relevant to a forensic investigation, such as passwords, cryptographic keys, and other data.

Practical Memory Forensics: Jumpstart effective forensic analysis of volatile memory

The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory


Tags: Forensics Analysis, Volatile Memory