An open-source Digital Forensics tool kit

Archived post - this post was written in January 2016, and as such, may contain out-of-date information. Use at own risk.

Introduction

We have been exploring a range of options to extend our Digital Forensics capability as part of an Incident Response process.

Digital Forensics is the process of recovering and investigating data from digital devices. The techniques and tools used in this field can be very useful when used as part of a wider ‘cyber incident’ response plan.

We love free and open source tools - especially for Digital Forensics where licensing costs can be prohibitively expensive. Accordingly, we have put together a free/open source tool kit which we have been busy experimenting with before we use it ‘in the field’!

Tool Setup

To keep recovered data secure, we use an encrypted portable HDD. Once unlocked, it contains 3 encrypted ‘virtual’ disks, each of which can be locked/unlocked when needed:

  • ‘Tools’ - containing everything needed to take a forensic image of system RAM and/or HDD
  • ‘RAM Dump’ - where the forensic RAM capture of a system can be saved
  • ‘HDD Dump’ – where the forensic HDD image of a system can be saved

Once initial incident response has been completed (e.g. RAM capture and/or HDD imaging) then the portable HDD is connected to an off-network ‘forensic machine’ for further forensic analysis and reporting.

Initial Response - Off or On?

If a system is already powered off, keep it off – the contents of RAM will have already been lost. Proceed to acquisition of the HDD.

However, if a system is still powered on, it will still be holding potentially useful information in RAM – such as active network connections, running programs and processes, and even encryption keys. Information like this can be very useful when dealing with incidents like malware infection. A ‘live’ acquisition of the HDD might also be considered.

RAM Capture – Magnet RAM Capture Download (with email address)

This program is self-contained and can be run from a USB thumb drive or external hard drive. It provides a minimal but useful GUI, the most useful option being the choice of where to save the RAM image: this could be on the ‘HDD Dump’ virtual disk, or a network location, if desired.

Be aware, dumping RAM will change data on the system under examination, and there is a danger the evidence may be inadmissible if needed in court. Only use RAM dumps if necessary, and extensively document every action taken.

Honourable mention for MoonSols DumpIt. This utility comes second because of the lack of output directory options.

HDD Acquisition – FTK Imager Lite Download

If a system is powered-on, a decision needs to be taken whether to image the system ‘live’ (which will change data, but can be useful in crypto-malware type situations), or to ‘pull the plug’ and image the hard drive with a forensic write blocker (to prevent changing data). Whichever method is used, ensure a thorough record is kept of all actions taken.

FTK Imager Lite allows specific disks to be selected for imaging, along with the file type to save as and a destination such as the ‘HDD Dump’ drive or a network location. The RAW format ‘dd’ is the most widely-compatible when saving. If a system is BitLocker-enabled, this makes imaging the disk slightly harder. However, imaging can be done with BitLocker still enabled and the image decrypted afterwards, or after decrypting the powered-on computer (NB: this changes data).

Examination of RAM - Volatility Download

Volatility is both free and open-source, and provides a command-line framework for analysing the contents of a RAM dump. It provides profiles for reading RAM dumps from Windows/Linux/OSX systems, and runs either portable or installed. Running this from a high-spec analysis machine is recommended to make examination quicker. Volatility can do the following, given a RAM dump file:

  • Show running processes
  • Extract running .exe files
  • List active network connections
  • List loaded DLLs
  • Recover encryption keys
  • And much more…

Volatility also has many user-created plugins and extra libraries for enhanced functionality - available for free.

Using Volatility, interesting network connections or potentially-malicious programs can be displayed from the RAM dump. Suspicious .exe files could even be extracted and put into a sandbox/analysis environment if needed.
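As an added example (not part of the original post or of Volatility itself), the Python below triages text saved from Volatility 2's netscan plugin by grouping TCP connections to addresses outside the organisation by owning process. The sample output is constructed, and the process names, addresses and INTERNAL_NETS ranges are assumptions to replace with your own.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the column layout of Volatility 2's netscan plugin.
# Addresses are RFC 1918 / documentation ranges; this is not real case data.
SAMPLE_NETSCAN = """\
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x7d6a1010         TCPv4    0.0.0.0:135                    0.0.0.0:0            LISTENING        704      svchost.exe
0x7d9c2350         TCPv4    192.168.1.20:49201             192.168.1.5:445      ESTABLISHED      4        System
0x7da4b7a0         TCPv4    192.168.1.20:49188             203.0.113.45:8080    ESTABLISHED      2916     updater.exe
0x7db10cf0         TCPv4    192.168.1.20:49190             198.51.100.7:443     CLOSE_WAIT       2916     updater.exe
0x7e0f3ec0         UDPv4    0.0.0.0:5355                   *:*                                   1048     svchost.exe    2016-01-12 09:14:03 UTC+0000
"""

# Assumption: the ranges this organisation treats as internal.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_tcp_rows(text):
    """Return one dict per TCP row; UDP rows have no State column and are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[1].startswith("TCP"):
            continue  # header, UDP or truncated line
        host, _, port = f[3].rpartition(":")  # last colon, so IPv6 hosts survive
        rows.append({"local": f[2], "remote_ip": host, "remote_port": int(port),
                     "state": f[4], "pid": int(f[5]),
                     "owner": f[6] if len(f) > 6 else "?"})
    return rows

def external_connections(rows, internal_nets=INTERNAL_NETS):
    """Group connections whose remote end is outside internal_nets by (pid, owner)."""
    by_proc = defaultdict(list)
    for r in rows:
        try:
            ip = ipaddress.ip_address(r["remote_ip"])
        except ValueError:
            continue  # wildcard or unparsable remote address
        if ip.is_unspecified or any(ip in net for net in internal_nets):
            continue  # listening socket or internal peer
        by_proc[(r["pid"], r["owner"])].append((str(ip), r["remote_port"], r["state"]))
    return dict(by_proc)

if __name__ == "__main__":
    for (pid, owner), conns in external_connections(parse_tcp_rows(SAMPLE_NETSCAN)).items():
        print(pid, owner, conns)
```

The PIDs this returns are the ones to follow up with the process and DLL listings described above.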

RAM capture and HDD image video on YouTube

Examination of HDD - Autopsy Download

The free program Autopsy has an excellent array of tools and features to recover and examine data from a forensic image. It also has a wide range of plugins and modules for expanded functionality. Offering comparable functionality to very expensive commercial forensic suites, Autopsy includes:

  • Keyword searching
  • Deleted file recovery
  • Web artifacts
  • File type sorting
  • File mismatch detection
  • HTML/XML reporting format
  • And much more…

Autopsy can be invaluable in uncovering details such as last changed files, piecing together a timeline of system activity, and examining a system without changing important data. Any recovered data which may warrant further examination can then be extracted and placed into an external analysis engine or sandbox.

Reporting

Reporting can then be done using the various tools included in Volatility and Autopsy. This might include details of suspect files or processes found, and results of further follow-up examination of these using other tools.

In addition, all actions taken during incident response should be documented – the more thoroughly the better. This could be anything from a notebook and a pen to something more ‘high tech’ such as a body-worn HD camera.

Conclusion

We are very appreciative of the free and/or open source programs used in this guide, which enable even a small organisation to have Digital Forensics capabilities. Whilst this blog post provides a rough guide to which open source tools can be used, our tool kit and our capabilities are still evolving and this guide may change.
