Ken Pryor

Digital Forensics on a (less than) Shoestring Budget - Part 2

January 17, 2011

In my last post, I talked about the various ways one can find training resources to assist in getting started in the field of digital forensics. In this post, I will go over some of the free and low cost software you can use and related information.

A few years ago when I was first starting to learn about forensics, I requested a license for the ILook program, which was free to law enforcement at the time. I never got comfortable with the software and never wound up using it on a case. I always thought I'd get some training, but before that could happen the free ILook went the way of the Dodo and I had to find something else to learn with.

After completing the NW3C courses I described in the last post, I felt like I had a better idea of the types of software tools I needed. Cruising around the net and reading what others had to say on the various forums and blogs helped immensely. I strongly encourage those just getting started to keep up with those resources. The tools I describe below are ones I personally use(d). Other free tools besides these are out there, and I have linked to a list of them later in this post.

A collection of tools I learned about early on was The Sleuth Kit (TSK). TSK is, to me anyway, the king of free forensics software packages. It is currently at version 3.2 and is continually maintained by Brian Carrier. Almost any investigation you perform can involve this collection of programs, which includes file system and volume tools. From the Sleuth Kit features page: "Because the tools do not rely on the operating system to process the file systems, deleted and hidden content is shown. It runs on Windows and Unix platforms." TSK has more capabilities than can be covered in a single blog post, so I hope you'll check it out, read the docs and test it for yourself.
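To make the "volume tools" part concrete, here is an added example (my own illustration, not code from the post or from The Sleuth Kit) that does in Python what TSK's mmls does at the volume layer: it reads a DOS/MBR partition table straight from the raw bytes of sector 0, with no help from the operating system, and lists the partitions together with the unallocated gaps between them, which is exactly the "hidden content" a mounted view never shows you. The sector-0 bytes are constructed inline for the demo and the partition-type labels are assumptions from the common DOS type list.

```python
"""Walk a DOS/MBR partition table from raw bytes, the way a volume-layer
tool such as TSK's mmls does, without asking the OS to mount anything.
Added example for this post; not code from the post or from The Sleuth Kit."""
import struct

SECTOR = 512
BOOT_SIGNATURE = b"\x55\xaa"
# Labels for the partition types used below (assumed, from the common DOS type list).
PART_TYPES = {0x07: "NTFS / exFAT (0x07)", 0x0B: "Win95 FAT32 (0x0b)",
              0x83: "Linux (0x83)"}


def parse_mbr(sector0):
    """Return the non-empty primary table entries as dicts."""
    if len(sector0) < SECTOR or sector0[510:512] != BOOT_SIGNATURE:
        raise ValueError("no 0x55AA boot signature: not a DOS partition table")
    entries = []
    for slot in range(4):
        raw = sector0[446 + 16 * slot:446 + 16 * (slot + 1)]
        # status(1) chs_start(3) type(1) chs_end(3) lba_start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", raw)
        if ptype == 0 or sectors == 0:
            continue
        entries.append({"slot": slot, "bootable": status == 0x80, "type": ptype,
                        "start": lba_start, "end": lba_start + sectors - 1,
                        "length": sectors})
    return entries


def layout(sector0, total_sectors):
    """mmls-style layout: the table itself, each partition, and the
    unallocated gaps between them, which is where hidden data tends to sit."""
    rows = [{"desc": "Primary Table (#0)", "start": 0, "end": 0, "length": 1}]
    cursor = 1
    for p in sorted(parse_mbr(sector0), key=lambda e: e["start"]):
        if p["start"] > cursor:
            rows.append({"desc": "Unallocated", "start": cursor,
                         "end": p["start"] - 1, "length": p["start"] - cursor})
        rows.append({"desc": PART_TYPES.get(p["type"], "Type 0x%02x" % p["type"]),
                     "start": p["start"], "end": p["end"], "length": p["length"]})
        cursor = p["end"] + 1
    if cursor < total_sectors:
        rows.append({"desc": "Unallocated", "start": cursor,
                     "end": total_sectors - 1, "length": total_sectors - cursor})
    return rows


def byte_offset(row):
    """Byte offset of a row's first sector. TSK's fls/icat take the start
    sector with -o; many other tools want the byte value instead."""
    return row["start"] * SECTOR


def build_sample_mbr(entries):
    """Constructed sector 0 (not from any real disk) from (type, start, length)
    triples; the CHS fields are padded with 0xFF since only the LBA fields matter here."""
    table = b"".join(struct.pack("<B3sB3sII", 0, b"\xff" * 3, ptype, b"\xff" * 3,
                                 start, length) for ptype, start, length in entries)
    return b"\x00" * 446 + table.ljust(64, b"\x00") + BOOT_SIGNATURE


if __name__ == "__main__":
    disk = build_sample_mbr([(0x07, 2048, 204800), (0x83, 211968, 40960)])
    for row in layout(disk, 262144):
        print("%-22s start=%-7d end=%-7d len=%-7d bytes=%d"
              % (row["desc"], row["start"], row["end"], row["length"], byte_offset(row)))
```

The two "Unallocated" rows in the sample layout (the gap before the first partition and the slack after the last one) are the regions you would carve or hash separately; a tool that asks the OS for mounted volumes never reports them, which is the point of the quoted TSK feature.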

TSK is used extensively in the SANS Computer Forensic Investigation and Incident Response course, and that was where I became most familiar with it. Another resource is Barry Grundy's LinuxLEO website. Barry not only provides a well-written, informative guide to using Linux and TSK in forensics, he also has training materials available for download so you can actually perform the exercises in the guide. His work was a huge benefit to me as I was getting started and I still refer to parts of it today. The most recent guide is two years old as of this post, but it still contains very relevant and helpful information.

The Autopsy browser is a nice, free add-on for the Sleuth Kit. If you don't like working at the command line, Autopsy may be your answer. There is no direct support for using Autopsy in Windows, so you'll have to use a Unix-based OS or one of the other work-arounds suggested on the site.

A newer entry on the scene for graphically working with TSK is the PTK browser. Like Autopsy, it provides a graphical front-end for TSK, but does it using Ajax and provides a few more features. A free version is available for non-professional use as well as a commercial version. I've had somewhat mixed results with an older version of PTK with regard to stability, but have not tried it for quite some time.

If you're looking for a graphical Windows solution to work with, but aren't ready to shell out the cash for a forensic package, I suggest you check out the free version of ProDiscover. ProDiscover Basic is available on the Technology Pathways website at the bottom of the linked page. It is a stripped-down version of their commercial packages and provides a nice environment for doing some basic investigation work. For someone just learning, it may be just what you need.

If I were to pick a "co-king" of free tools, I would have to pick RegRipper. I use this tool on nearly every case. Created and maintained by Harlan Carvey, this tool parses the registry hive files and provides information that could make your case. It comes with both a GUI and a command line version. A large number of plug-ins are included with the tool, and more can be found on other sites to parse the registry files for the information you want. Not only that, you can also write your own plug-ins if you know Perl. If you do that, I hope you'll share your creations with the community. It's through such sharing that tools like this can continue to grow and help everyone. Harlan also maintains a large list of free tools on his blog.

Mark McKinnon, one of the co-authors of the Case Leads articles on this blog, is also the owner of Redwolf Computer Forensics. Mark creates some excellent software, both free and commercial. His commercial Drive Prophet software is a tool I frequently use in my work, and his free software tools are some of my favorites, too. His Internet browser investigation software provides great information, as do his Prefetch and Recycle Bin tools. I have tested most of Mark's free tools and found them to be of high quality.

David Kovar offers his AnalyzeMFT software for free. It does an excellent job of parsing the Master File Table and providing you with a complete report on its contents. David says his inspiration to create the tool was MFT Ripper by Mark Menz, which is another fine MFT parser. MFT Ripper offers both a free basic version as well as a low cost professional edition. Both produce similar reports and both are quite useful.
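Since both tools above are MFT parsers, here is an added example of what that parsing actually involves for one record (my own illustration in Python, not code from AnalyzeMFT or MFT Ripper). It applies the update-sequence fixups, walks the resident attributes, and pulls the two sets of timestamps out of $STANDARD_INFORMATION and $FILE_NAME, which is the row such a report gives you per file. The 1024-byte record is constructed inline, with assumed values (record 64, file name evidence.docx, parent record 5); the fixup check is the part a practitioner most wants handled, because a record whose sector tails do not match the update sequence number is either torn or not a record at all.

```python
"""Parse one NTFS MFT FILE record from raw bytes, as AnalyzeMFT-style tools do
for every record in $MFT: fixups, then resident attributes, then timestamps.
Added example for this post; not code from AnalyzeMFT or MFT Ripper."""
import struct
from datetime import datetime, timedelta, timezone

RECORD_SIZE = 1024            # default MFT record size
SECTOR = 512
ATTR_STD_INFO, ATTR_FILE_NAME, ATTR_END = 0x10, 0x30, 0xFFFFFFFF
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime(raw):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> datetime."""
    return EPOCH_1601 + timedelta(microseconds=raw // 10)


def to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def apply_fixups(record):
    """Undo the update sequence array. On disk the last two bytes of every
    sector hold the update sequence number (USN); the real bytes live in the
    array. A mismatch means a torn write or a bogus record, so refuse it."""
    rec = bytearray(record)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        end = i * SECTOR
        if rec[end - 2:end] != usn:
            raise ValueError("fixup mismatch in sector %d" % (i - 1))
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)


def parse_record(record):
    """Return header flags plus $SI and $FN timestamps for one record."""
    if record[:4] != b"FILE":
        raise ValueError("bad signature (BAAD or unused record)")
    rec = apply_fixups(record)
    first_attr, flags = struct.unpack_from("<HH", rec, 0x14)
    out = {"record_number": struct.unpack_from("<I", rec, 0x2C)[0],
           "in_use": bool(flags & 0x01), "is_dir": bool(flags & 0x02)}
    off = first_attr
    while off + 16 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        if not rec[off + 8]:                    # resident: content is in the record
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            if atype == ATTR_STD_INFO:
                c, m, e, a = struct.unpack_from("<4Q", body, 0)
                out["si"] = {"created": filetime(c), "modified": filetime(m),
                             "mft_modified": filetime(e), "accessed": filetime(a)}
            elif atype == ATTR_FILE_NAME:
                parent, c, m, e, a = struct.unpack_from("<5Q", body, 0)
                nlen = body[0x40]
                out["fn"] = {"parent_record": parent & 0xFFFFFFFFFFFF,
                             "name": body[0x42:0x42 + 2 * nlen].decode("utf-16-le"),
                             "created": filetime(c), "modified": filetime(m),
                             "mft_modified": filetime(e), "accessed": filetime(a)}
        off += alen
    return out


def _resident_attr(atype, body, attr_id):
    hdr_len = 0x18
    alen = (hdr_len + len(body) + 7) & ~7       # attribute records are 8-byte aligned
    hdr = struct.pack("<IIBBHHHIHBB", atype, alen, 0, 0, 0, 0, attr_id,
                      len(body), hdr_len, 0, 0)
    return hdr + body.ljust(alen - hdr_len, b"\x00")


def sample_record():
    """Constructed record (not from any real volume): record 64, in use, named
    evidence.docx under record 5, with valid fixups. $SI is set a year earlier
    than $FN, the trace left by a tool that rewrites only $SI timestamps."""
    fn_t = to_filetime(datetime(2011, 1, 17, 12, 0, tzinfo=timezone.utc))
    si_t = to_filetime(datetime(2010, 1, 17, 12, 0, tzinfo=timezone.utc))
    si = struct.pack("<4Q", si_t, si_t, si_t, si_t) + b"\x00" * 16
    name = "evidence.docx".encode("utf-16-le")
    fn = (struct.pack("<5QQQII", 5 | (5 << 48), fn_t, fn_t, fn_t, fn_t, 4096, 1234, 0x20, 0)
          + struct.pack("<BB", len(name) // 2, 3) + name)
    attrs = _resident_attr(ATTR_STD_INFO, si, 0) + _resident_attr(ATTR_FILE_NAME, fn, 1)
    first_attr, usa_off, usa_count = 0x38, 0x30, 3
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", usa_off, usa_count, 0, 1, 1, first_attr,
                      0x01, first_attr + len(attrs) + 8, RECORD_SIZE, 0, 2, 0, 64)
    usn = b"\x37\x13"
    usa = usn + b"\x00\x00" * (usa_count - 1)   # saved sector tails (zeros here)
    rec = bytearray((hdr + usa).ljust(first_attr, b"\x00") + attrs + struct.pack("<I", ATTR_END))
    rec = rec.ljust(RECORD_SIZE, b"\x00")
    for end in (SECTOR, RECORD_SIZE):           # stamp the USN as NTFS does on write
        rec[end - 2:end] = usn
    return bytes(rec)


if __name__ == "__main__":
    r = parse_record(sample_record())
    print(r["record_number"], r["fn"]["name"], "in_use=%s" % r["in_use"])
    print("$SI created", r["si"]["created"], "| $FN created", r["fn"]["created"])
```

Reporting both timestamp sets side by side is the reason these parsers are worth running even when a file's properties look ordinary in Explorer: the properties dialog shows only $STANDARD_INFORMATION, while $FILE_NAME is the set most timestamp-altering utilities never touch.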

If you don't want to deal with downloading and installing everything, here's another idea. Go to the SANS Computer Forensics and Incident Response site and download the SANS SIFT Kit, in which you'll find pretty much everything you'll need to perform an investigation. The SIFT is available as a VMware image (which also works in VirtualBox) and as a live CD ISO. The SIFT Kit includes the Sleuth Kit, Autopsy, PTK, RegRipper, AnalyzeMFT and much, much more. If you are looking for a single forensic toolkit for learning and real-world application, SIFT is your solution. Rob Lee created the SIFT and actively maintains and upgrades it.

As you can see, there is a plethora of free and low-cost forensic tools out there for your use. Don't get hung up on the fact that they are free; all are excellent choices and would be worth paying for. The thing to remember is that the most important forensic tool you have is your brain. These software tools provide you with the information you ask for, nothing more. It's up to you to analyze and understand the information produced with these tools.
