As I was putting together the list of command line tools to make Windows terminal more meaningful, I found myself wanting to list some GUI utilities because I love them so. In order to keep that post focused on the command line, I decided to move the GUI part of the list here. So, below is a list of small, free utilities that I use frequently in forensics and incident response analysis.
The entire SysInternals Suite is worth having. Several of the command line tools in there are part of my automated collection scripts. Among the GUI tools, the two that I use most constantly are Process Monitor, Process Explorer, and Autoruns. I wrote my own autoruns enscript a while back. The whole reason I stopped development on it because of an update to Autoruns that made it possible to run it against offline system. Process Monitor is a staple in dynamic analysis of malware.
FTK Imager – http://accessdata.com/product-download
AccessData has provided this tool for free and it has since become a staple in so many forensics kits. I use it for image creation more than any other imager, and I love the image mounting capabilities it has.
NirSoft – http://launcher.nirsoft.net/
NirSoft has a huge collection of free utilities (over 180!) that are frequently very helpful in forensics/incident response. Most of them are GUI, but I try not to hold that against them. You can cherry pick the tools you need, or download the Launcher to get of them in one download.
MiTeC – http://www.mitec.cz/
MiTeC has a collection of free utilities that are extremely useful for analyzing specific artifacts. I’m particularly fond of their SQLite query tool for browsing the innards of the many sqlite files I extract from images and the Windows File Analyzer for reading prefetch files, thumbnail databases, and others.
Moonsols produces several very impressive tools. Their memory acquisition tool is especially awesome. It is lightweight, easy command line interface, and rock solid stability make it ideal for scripting.
Triforce – https://www.gettriforce.com/products/
The $USNJrnl contains such an amazingly huge treasure trove of forensic awesomeness, if you aren’t peeking in there at least every once in a while you are just plain wrong. There are only a few ways to make sense of the data in there and Triforce knocks the socks off all of the others.
RegRipper – http://regripper.wordpress.com/
I don’t use this very often (usually opting for one of the GUI browsing tools that aren’t free), but it is really hard to deny the power of the profiles and plugins that make it so rr can do near automated pulls of just the keys that are interesting. It’s a great way to triage a system when you first get on it in order to look for that foothold that leads you elsewhere.
In retrospect, this probably should be over in the command line list, but I already posted that and I’m moving on! Log Parser is so amazingly powerful, you could write an entire book on it. Actually, they did. Great book btw.
Above are all free (and many accept donations for their hard work, so please pay anyway) tools that I use frequently enough that you will find them on just about every forensic workstation I’ve used. There are several others that aren’t free that I use constantly (WinHex is top of that list) that I’ve avoided listing because I’m trying to focus on the free stuff that anyone can procure.
I have one directory that I toss all of these into. Yes, it is a mess in there. But, it allows me to keep that one folder up to date, then on any workstation that I plan on doing analysis I can just copy that folder in, add it to the path, and I’m off. That folder consists of everything above, everything from the command line post, and a few paid utilities.
I’m frequently asked by college students or others who are just starting out how they can get started without having to spend $15,000 on software. Get everything in these two posts and you are well equipped to handle a large variety of exams.
Anyone else have any great, can’t-live-without freeware tools that I forgot to mention? Comment and I’ll add them to the list.