Top 50 Tools That Help You To Investigate a Security Breach
In order to successfully investigate incidents of information security, you must have practical skills in working with tools for extracting digital artifacts. This article will provide a list of useful links and tools for collecting digital evidence.
- The main objective in carrying out such work is the use of methods and tools for preserving (unchanging), collecting and analyzing digital material evidence, in order to restore the events of the incident.
The main scope of forensic application is the analysis and investigation of events in which computer information appears as an object of encroachment, a computer as an instrument for committing a crime, as well as any digital evidence.
To fully collect and analyze information, various highly specialized utilities are used, which will be discussed below. We have to tell you that when carrying out work on the conclusion of the security breaches, it will most likely be considered the availability of certain certificates and software conformances (FSTEC license). In this case, you will have to use combined methods to collect and analyze information or write conclusions and conclusions based on the data obtained from uncertified sources
- DFF – Digital Forensics Framework is an open source platform for data extraction and research.
- PowerForensics – PowerForensics is a utility written in PowerShell, designed to examine hard disks.
- The Sleuth Kit – The Sleuth Kit (TSK) is a C library and a collection of command-line tools that allow you to explore disk images.
- GRR – GRR Rapid Response: A tool for investigating and analyzing incidents.
- MIG – Mozilla InvestiGator – distributed real-time platform for investigation and analysis of incidents.
Working with images (creation, cloning)
- DC3DD – an improved version of the console utility dd.
- ADULAU/DCFLDD is another advanced version of dd.
- FTK Imager – FTK Imager- viewing and cloning media in a Windows environment.
- Guymager – viewing and cloning media in a Linux environment.
- Bstrings is an improved version of the popular strings utility.
- Bulk_Extractor – identify email, IP addresses, phones from files.
- Floss this utility uses advanced static analysis methods to automatically de-fool the data from binary malware files.
- Photorec – utility for data and image files.
Working with RAM
- InVtero.net – a framework that is characterized by high speed of operation.
- KeeFarce – extract KeePass passwords from memory.
- Rekall – analysis of RAM dumps, written in python.
- Volatility – Volatility Framework is a set of utilities for a comprehensive analysis of physical memory images.
- VolUtility is the web interface for the Volatility framework.
- SiLK Tools – tools for traffic analysis to facilitate security analysis of large networks.
- Wireshark – the most famous network sniffer.
Windows artifacts (extract files, download history, USB devices, etc.)
- FastIR Collector – an extensive collection of information about the Windows system (registry, file system, services, autoload, etc.)
- FRED is a cross-platform Windows registry analyzer.
- MFT-Parsers – a comparison sheet for MFT-Mars (MFT – Master File Table).
- MFTExtractor is an MFT parser.
- NTFS journal parser – parser of NTFS logs.
- NTFS USN Journal parser is a USN log parser.
- RecuperaBit – recovery of NTFS data.
- Python-NTFS – analysis of NTFS data.
Exploring OS X
- OSXAuditor – OS X auditor.
- Chrome-URL-dumper – extract information from Google Chrome.
- Hindsight – analysis of the history of Google Chrome / Chromium.
Time interval analysis
- 0xED – HEX editor OS X.
- Hexinator – Windows version of Synalyze It.
- HxD is a small and fast HEX editor.
- iBored is a cross-platform HEX editor.
- Synalyze It! – HEX editor in times.
- wxHex Editor is a cross-platform HEX editor with file comparison.
- CyberChef is a multi-tool for encoding, decoding, compressing and analyzing data.
- DateDecode – converting binary data.
- 010 Editor Templates – timetables for the editor 010.
- Contruct formats – a parser of various kinds of files in python.
- HFSPlus Grammars – HFS + constituents for Synalysis
- Sleuth Kit file system grammars – components for various file systems.
- Synalyse It! Grammars are the file components for Synalyze It!
- WinHex Templates – file components for WinHex and X-Ways
Disk Image Processing
- Imagemounter – a command-line utility for quickly mounting disk images
- Labewf – Libewf library and utilities for accessing and processing EWF, E01 formats.
- Xmount – converting disk images.
To conduct research and collection of digital evidence, one must adhere to the principles of invariability, integrity, completeness of information and its reliability. To do this, you must follow the recommendations for the software and the methods of investigation.