Archives For Tool Review

I recently attended a presentation by Phil Hagen named “SQL Ginsu” and it reminded me of just how important SQL can be for data reduction.  I previously wrote a How-To on Log Parser and recently saw a great article on using Log Parser to help review the massive amounts of data we can pull from Windows 7 Volume Shadow Copies.  It all led me to remember the Microsoft Log Parser Toolkit book sitting on my shelf and my intention to write a book review.  In short, I found the book to be very informative and relevant.  It should be required reading for any incident responder or forensic analyst.  The review follows.

From my five-star Amazon book review:

My only regret with this book is that I didn’t read it much earlier in my career.  Log Parser is a must have tool for every forensics professional and incident responder.  Imagine having the ability to take almost any chunk of data and quickly search it using SQL-based grammar.  Given the sheer amount of data the average security professional must analyze, Log Parser is perhaps even more relevant today than it was ten years ago.  Gabriele Giuseppini is the creator of Log Parser and he and his co-authors do a superb job of teaching the tool and demonstrating its often overwhelming feature set.  What could be a very dry manual turns out to be very engaging through copious use of real-world examples that can be used immediately to jump start your investigations.  A model for how technical books should be approached.
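As an added example (not taken from the book, nor from the Log Parser How-To the post refers to), here is the kind of data reduction the review has in mind: a Log Parser 2.2 query that boils a Windows Security event log down to failed-logon counts per target account, logon type and source address.  The case path, the assumption that LogParser.exe is on the PATH, and the positions of the Event ID 4625 insertion strings are all assumptions and are marked as such in the comments.

```powershell
# Added example (not the book's or the post's own code): reduce a Security event
# log to a per-account, per-source count of failed logons (Event ID 4625) with
# Log Parser 2.2.  Assumptions: LogParser.exe is on the PATH, the log was copied
# out of the evidence to the analysis box (constructed path below), and the EVT
# input format's pipe-delimited Strings field carries the 4625 insertion strings
# in their documented order: TargetUserName at index 5, LogonType at index 10,
# IpAddress at index 19.
$Log = 'C:\cases\host1\Security.evtx'          # constructed path
$Out = 'C:\cases\host1\failed_logons.csv'      # constructed path

# One SQL statement turns hundreds of thousands of records into a short table
# of who was targeted, from where, how often, and over what window.
$Query = @"
SELECT
    EXTRACT_TOKEN(Strings, 5, '|')  AS TargetUser,
    EXTRACT_TOKEN(Strings, 10, '|') AS LogonType,
    EXTRACT_TOKEN(Strings, 19, '|') AS SourceIP,
    COUNT(*)                        AS Attempts,
    MIN(TimeGenerated)              AS FirstSeen,
    MAX(TimeGenerated)              AS LastSeen
INTO '$Out'
FROM '$Log'
WHERE EventID = 4625
GROUP BY TargetUser, LogonType, SourceIP
HAVING COUNT(*) > 10
ORDER BY Attempts DESC
"@

# -i:EVT reads the log through the Windows event log API; -o:CSV writes the
# INTO target so the rest of the case workflow can ingest it; -stats:OFF keeps
# the statistics footer out of the CSV.
& LogParser.exe -i:EVT -o:CSV -stats:OFF $Query
```

The same pattern, with a different input format switch (-i:CSV, -i:IISW3C, -i:FS, -i:REG and so on), is what lets Log Parser treat “almost any chunk of data” as a table, which is the capability the review is praising; the HAVING threshold is the data-reduction knob to turn for a given case.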

Note: This post originally appeared on the SANS Forensics blog

As memory forensics has become better understood and more widely practiced, tools have proliferated.  More importantly, the capabilities of the tools have greatly improved.  Traditionally, memory analysis has been the sole domain of Windows internals experts, but recent tools now make analysis feasible for the rank-and-file forensic examiner.  Better interfaces, documentation, and built-in detection heuristics have greatly leveled the playing field.  We are also seeing novel ways to attack the problem.  One of the more interesting developments I have been following lately is the advent of live memory analysis.

I credit the free Mandiant Memoryze tool with popularizing the idea of performing live memory analysis, and I believe it is a revolutionary change.  The idea itself could be as controversial as creating a memory image was just a few years ago.  Do you remember the naysayers questioning how our forensic analysis could possibly be valid if we were to run our imaging applications on the live system?  Shouldn’t we still be pulling the plug?  What would they say if we now told them we were going to play “Find the Hacker” on that same live system?  Luckily it turns out that the system impact of doing a live analysis versus (or in addition to) taking a memory image is minimal.  And the benefits are great:

  • Inclusion of the system pagefile, providing a more complete picture of memory
  • Digital signature checks of process and driver executables
  • More accurate heuristics matching
  • Faster triage capability

Keep in mind that live analysis works by reading physical memory directly, the same access path a memory imager uses, rather than relying upon API calls, open handles, or debuggers.  Thus it is just as effective at defeating advanced malware and rootkits as analyzing a standard memory image (and, because the access path is the same, no more so: anything that can subvert acquisition on a running system can subvert live analysis too).  Convinced yet?  If so, here is how to perform a live memory analysis with the new free tool, Redline:

Continue Reading…

Note: This post originally appeared on the SANS Forensics blog

As Windows Registry artifacts go, the “Shellbag” keys tend to be some of the more complicated artifacts we have to decipher.  But they are worth the effort, giving an excellent means to prove the existence of files and folders along with user knowledge.  Shellbags can be used to answer the difficult questions of data enumeration in intrusion cases, identify the contents of long-gone removable devices, and show the contents of previously mounted encrypted volumes.  Information persists for deleted folders, providing an invaluable reference for items no longer part of the file system.

Continue Reading…

Note: This post originally appeared on the SANS Forensics blog

Welcome to part two of my FTK v3 review.  If you have not read the first post, it can be found here.  Forensic suites are notoriously difficult to review because of the sheer number of features they include.  We are lucky within the computer forensic community to have multiple vendors operating in a highly competitive environment.  As such, the core forensic suites continue to add functionality.  I have chosen to highlight a few of the new(er) features within AccessData’s Forensic Toolkit (FTK).  I interact with a lot of folks who are building forensic capabilities within their organizations, often with a limited budget.  With the new additions to FTK, I find myself recommending it more and more.  For the typical forensic shop it really does have a lot of bang for the buck.  Here are two additional “value-adds” that I didn’t have room to cover in my first post:

Continue Reading…

Note: This post originally appeared on the SANS Forensics blog

When it comes to computer forensic tools, I consider myself to be somewhat of a late adopter.  I love to play with the latest tool release, but when it comes to what I’m actually going to use in my lab, I prefer to have a mature product.  It takes too much time to test and validate tools to waste time on buggy or incomplete versions.  So, I finally made the jump (back) to AccessData’s Forensic Toolkit (FTK) in its 3.1 version.  Like many forensic professionals I know, I sat out the “lost generation” of FTK v2.  However, if you haven’t taken a look recently, version 3 will likely surprise you.

I don’t expect tool suites to solve all of my forensic problems, but I do appreciate the breadth of capabilities they can provide in one package.  FTK v3 excels at facilitating keyword searches, graphics review, email archive parsing, compound file extraction, and has an excellent collection of built-in file viewers.  I have neither the blog space nor the energy to go into each of these, but I would put FTK at the top of my tool list for any of these activities.  However, I would like to cover a few of the new or updated features I have found useful.

Continue Reading…

Note: This post originally appeared on the SANS Forensics blog

Autoruns from Sysinternals is one of my favorite (free) tools.  It has a myriad of uses, from optimizing the boot process to rooting out persistence mechanisms commonly used by malware.  It is essentially a targeted registry dump, peering into at least a hundred different Windows Registry keys that the boot and logon processes rely upon.  It very quickly shows what executables are set to run during boot or login, as well as enumerating many other interesting locations like Explorer shell extensions, browser helper objects, and toolbars.  Over the years it has added some very useful features, including digital signature checks and the ability to ignore signed (and verified) Microsoft executables.

Until recently Autoruns had one big limitation: it had to be run on a live system.  This is perfectly fine in a live response scenario when you are primarily working with systems that are up and running.  However, in a dead-box computer forensics environment, its usefulness was hampered by this limitation.  The painful workaround was to boot the forensic image using something like Live View or Guidance’s Physical Disk Emulator, and run Autoruns on the booted system.

Continue Reading…
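To make the “targeted registry dump plus signature check” idea concrete, here is an added example (not Autoruns, Sysinternals or the post’s own code): a PowerShell script that walks the classic Run/RunOnce autostart keys, resolves each entry to its executable, checks its Authenticode signature, and filters out verified Microsoft binaries the way the Autoruns option does.  It also shows one way around the live-system limitation the post describes: loading a SOFTWARE hive from a mounted forensic image with reg.exe and re-rooting the paths it contains onto the mounted drive.  Every path in it is constructed, it must run elevated, and it covers a tiny fraction of the locations Autoruns inspects.

```powershell
# Added example (not Autoruns/Sysinternals code): a small targeted registry dump
# of the Run/RunOnce keys with an Authenticode check on each target, mirroring
# Autoruns' "hide signed Microsoft entries" filter.  Run elevated.
# Assumptions: all paths below are constructed; dead-box mode expects the image
# to be mounted as a drive letter (e.g. by FTK Imager or a similar tool).

# Dead-box mode: point these at the mounted image.  Leave $null for a live box.
$OfflineHive = $null     # e.g. 'E:\Windows\System32\config\SOFTWARE'
$ImageRoot   = $null     # e.g. 'E:\'   (paths inside the hive still say C:\)

if ($OfflineHive) {
    & reg.exe load 'HKLM\OfflineSOFTWARE' $OfflineHive | Out-Null
    $RunKeys = @('HKLM:\OfflineSOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\OfflineSOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce')
    # NTUSER.DAT hives can be loaded the same way for per-user Run keys.
} else {
    $RunKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce')
}

function Get-ImagePath([string]$Command) {
    # Pull the executable out of a value such as  "C:\x\a.exe" /arg  or  C:\x\a.exe /arg.
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        $exe = if ($end -gt 1) { $cmd.Substring(1, $end - 1) } else { $cmd.Trim('"') }
    } else {
        # Unquoted paths containing spaces will not resolve and surface as FileNotFound,
        # which is itself worth a look (unquoted service/Run paths are a classic weakness).
        $exe = ($cmd -split '\s+')[0]
    }
    if ($ImageRoot -and $exe -match '^[A-Za-z]:\\(.*)$') { $exe = Join-Path $ImageRoot $Matches[1] }
    return $exe
}

$Results = foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    # Get-ItemProperty adds PSPath/PSParentPath/etc.; drop those, keep real values.
    foreach ($name in ($props.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' })) {
        $exe    = Get-ImagePath ([string]$props.$name)
        $exists = [bool]$exe -and (Test-Path -LiteralPath $exe)
        $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $exe } else { $null }
        $signer = if ($sig -and $sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { '' }
        [pscustomobject]@{
            Key        = $key
            Entry      = $name
            Command    = [string]$props.$name
            ImagePath  = $exe
            Exists     = $exists
            SigStatus  = if ($sig) { $sig.Status.ToString() } else { 'FileNotFound' }
            Signer     = $signer
            # Anything not validly signed by Microsoft stays on the worklist.
            Suspicious = -not ($signer -match 'O=Microsoft Corporation')
        }
    }
}

$Results | Where-Object Suspicious | Format-Table Key, Entry, ImagePath, SigStatus, Signer -AutoSize

if ($OfflineHive) { & reg.exe unload 'HKLM\OfflineSOFTWARE' | Out-Null }
```

Two caveats a practitioner would want: the signature verdict comes from the analysis host’s certificate store and revocation state, not the evidence machine’s, and a “Valid” Microsoft signature only tells you the file is genuine, not that the registry entry pointing at it is benign (a legitimately signed interpreter launched with a malicious script argument is the common case, which is why the Command column is kept alongside ImagePath).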

Tableau Imager: First Look

I haven’t paid much attention to write-blocking technology for the last few years.  As long as I was able to validate that the device worked as expected and it had a high-speed connection (FireWire 800 / eSATA), I was happy.  But I spent some time with Tableau’s founder, Robert Botchek, at the end of last year and he impressed upon me how much room for innovation still exists in the write-blocker market.  We are up against some major hurdles in the digital forensics world that are rapidly changing the way we do business.  With 2TB drives on the shelves, the decision to take a full forensic image is no longer obvious.  If a user has to be without their computer or a server has to be down for 2 days, that significantly changes the equation.  That’s why I was excited to see Tableau enter the imaging software space with Tableau Imager (TIM).

Continue Reading…