Forensic tools need to be updated on a regular basis. Whether because of patches, new hardware, or just a changing technological landscape, tools must be maintained in order to remain relevant. Ongoing support is just one of the reasons that the tools discussed in this article are the most used in the forensic community. What we will discuss here today is the capability and usability of each tool, and why, in my opinion, these tools are some of the most used.
Forensics is the retrieval, collection, and interpretation of computer data without corrupting that data. Therefore the best tools should be able to produce discoverable, unfiltered accounts of a suspect’s data, activity, and electronic records. Guidance Software has developed a phenomenal product, which I discussed in week one’s post (EnCase Forensic Imager, 2013). EnCase Forensic Imager saves forensic investigators hours and hours of combing through large amounts of forensic computer data that may or may not be relevant to their case. EnCase does this not just through the speed with which it can search and collect data, but also through its built-in automation. Of course it performs, but it is also one of the top sellers in the forensic community according to their website. Here is the kicker…. $$$$$. If you are looking for something to just get your hands dirty with, this is not the tool for you. This is for the organization that is looking for a new PRODUCT to write off on their taxes! For getting your hands dirty with a forensic toolkit, look no further than the next entry.
SIFT (SANS Investigative Forensic Toolkit) has to come in second place (FREE). It comes in second place because it is an excellent combination of open source tools that are all updated and worked on by the community (not to mention a pretty cool acronym). I am partial to Ubuntu and other Linux-based systems, and this had a lot to do with me choosing it for my number two, along with the fact that anyone who takes a SANS training course (more to come on these later) will get some serious hands-on training with this toolkit. Some of these tools are world class and some are only usable on specific versions, but nonetheless, because of the popularity of SANS certifications and the number of people going through their certification process (myself included), I would say this is one of the top five forensic tools. This is an excellent example of how SANS practices what they preach (keep it up to date as well) and also promotes what they preach. Click on the image to get to the SIFT install directions on YouTube.
ProDiscover Forensics is going to end up as number three on the list. It is categorized as one of the top tools used for a few reasons, the first being that it is a free tool. Free means lots of individuals are able to handle the steep price, and the quality that comes along with it is acceptable. This tool specifically goes into preparing legal reports with all of the data that is relevant to the case, previewing all files along with their corresponding metadata, and cross-referencing data to make sure nothing is hidden (Shakeel, 2016). With this in mind, it is an excellent tool for smaller organizations that are either getting their forensics organization up and running or looking for new tools to expand upon their craft.
Xplico is tool number four. It is a network forensic tool that helps reconstruct the contents of packets captured with Wireshark and similar sniffers (Shakeel, 2016). This tool can take these packets and output the reconstructed data into multiple types of databases, which makes it flexible, and there is no size limit on the data entry, which makes this tool excellent for an investigation of any size. This tool is loaded by default into many of the main penetration testing Linux images, such as Kali Linux, which will make it one of the most widely used tools on the market.
X-Ways Forensics will be one of our final contenders for most used forensic tools. This is a tool that is capable of running off of a USB drive and makes complete disk images, identifying lost and/or deleted partitions as well. This is a very popular tool as well, and it lives up to its name.
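To show what "identifying lost and/or deleted partitions" in a disk image actually involves, and how an image is fingerprinted so the "without corrupting that data" requirement from the definition above can be verified, here is an added example that is not from the original post or from any of the tools listed. It builds a small constructed raw image in memory (one NTFS partition listed in the MBR, plus a second NTFS boot sector whose MBR entry has been wiped, standing in for a deleted partition), compares the MBR table against a sector scan for NTFS boot-sector signatures, and hashes the image with SHA-256; all names and the image layout are the example's own assumptions.

```python
import hashlib
import struct

SECTOR = 512
MBR_ENTRY = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_test_image():
    """Constructed 64-sector image: MBR lists one NTFS partition at LBA 8;
    a second NTFS boot sector at LBA 32 has no MBR entry (deleted partition)."""
    img = bytearray(64 * SECTOR)
    img[446:462] = struct.pack(MBR_ENTRY, 0x80, b"\0\0\0", 0x07, b"\0\0\0", 8, 8)
    img[510:512] = b"\x55\xAA"  # MBR boot signature
    for lba in (8, 32):
        off = lba * SECTOR
        img[off:off + 3] = b"\xEB\x52\x90"        # NTFS jump instruction
        img[off + 3:off + 11] = b"NTFS    "        # OEM ID
        img[off + 510:off + 512] = b"\x55\xAA"     # boot sector signature
    return bytes(img)


def mbr_partitions(img):
    """Parse the four primary partition entries the MBR still lists."""
    parts = []
    for i in range(4):
        entry = img[446 + 16 * i:462 + 16 * i]
        _status, _, ptype, _, start, count = struct.unpack(MBR_ENTRY, entry)
        if ptype != 0 and count:
            parts.append({"start": start, "sectors": count, "type": ptype})
    return parts


def carve_ntfs_boot_sectors(img):
    """Scan every sector after the MBR for an NTFS boot sector signature."""
    hits = []
    for lba in range(1, len(img) // SECTOR):
        off = lba * SECTOR
        if img[off + 3:off + 11] == b"NTFS    " and img[off + 510:off + 512] == b"\x55\xAA":
            hits.append(lba)
    return hits


def lost_partitions(img):
    """Boot sectors found by carving that the partition table no longer references."""
    listed = {p["start"] for p in mbr_partitions(img)}
    return [lba for lba in carve_ntfs_boot_sectors(img) if lba not in listed]


def image_hash(img):
    """SHA-256 of the whole image; recompute after analysis to prove it was not altered."""
    return hashlib.sha256(img).hexdigest()
```

The same table-versus-carve comparison extends to other filesystems by adding their boot-sector signatures to the scan.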
These, in my opinion, would be my top five forensic tools. I use Kali Linux frequently, so this list does not include any packet sniffers such as Wireshark or web app analysis tools such as Burp Suite.
References and Tools:
Access Data. (2017). Retrieved June 5, 2017, from http://www.accessdata.com/
Arsenal Recon. (2017). Retrieved June 5, 2017, from http://arsenalrecon.com/apps/recon/
Carrier, B. (2017). Open Source Digital Forensics. Retrieved June 5, 2017, from http://www.sleuthkit.org/
EnCase Forensic Imager v7.06 User’s Guide [PDF]. (2013). Guidance Software Inc.
Guidance Software. (2017). Retrieved June 5, 2017, from https://www.guidancesoftware.com/encase-forensic?cmpid=nav_r
SANS Institute. (2017). SANS Investigative Forensic Toolkit (SIFT) Workstation Version 3. Retrieved from https://digital-forensics.sans.org/community/download
Shakeel, I. (2016, December 14). 7 Best Computer Forensics Tools. Retrieved May 18, 2017, from http://resources.infosecinstitute.com/7-best-computer-forensics-tools/#gref