For all the *newbs* that are just getting into Forensics or eDiscovery, I figured I’d share some of my favorite tools that I normally use in the field or in the lab. For those of you in college, you might know many of these. For the rest, I hope this serves you well. Many of these are software tools and the rest are bits of hardware that I have or want to have in my bag-O-tricks.
A disclaimer though: all these tools are my preference, and that does not mean they are the best tool for every job. As always, check your work & check your tools.
Tableau TD-2 or Voom Hardcopy III – I’d use either of these. They have made my life in the field SO much easier. Each is a portable hardware imaging tool that has built-in write-blocking features and is super FAST. On top of that, you can use a USB keyboard and enter all your collection details so they are saved with your output of choice (E01, DD, Raw, etc.).
Tableau Imager – It’s a simple imaging software tool written by Tableau that is easy to use. The main reason I choose to use this tool is that it contains a detailed view of the drive you are collecting, which is great for exporting.
EnCase v6x, EnCase v7x – Collections with EnCase are easy and allow you to preview your data while you are collecting it. This can be done with write-blockers or over a network connection (Enterprise version).
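Whichever imager writes the E01 or raw image, the acquisition hash only means something if you recompute it yourself on the lab side before analysis. The following is an added example for this page (my own code, not the post’s tools or any vendor’s software): it hashes a split raw image (image.dd.001, .002, …) as a single stream, which is the only way the result can match the hash the imager recorded, and compares it with the noted MD5/SHA-1. The `sample.dd` segment names, the three-segment sample data and the `run_demo` helper are constructed for the illustration. It handles raw/dd output only; E01 containers carry their own embedded hashes and need a library such as libewf to read.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Sequence, Tuple

CHUNK = 1024 * 1024  # read 1 MiB at a time so a multi-TB image never has to fit in RAM


def hash_segments(paths: Sequence[str], algorithms: Sequence[str] = ("md5", "sha1")) -> Dict[str, str]:
    """Hash the logical image formed by concatenating the segments in order.

    Split raw images must be hashed as one byte stream; hashing each segment
    file on its own gives values that will never match the acquisition hash.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    for path in paths:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(CHUNK), b""):
                for h in hashers.values():
                    h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(paths: Sequence[str], expected: Dict[str, str]) -> Tuple[bool, Dict[str, str]]:
    """Compare computed hashes with the values recorded at acquisition.

    Returns (all_match, computed). The comparison is case-insensitive because
    some tools print uppercase hex in their reports.
    """
    computed = hash_segments(paths, tuple(expected))
    ok = all(computed[name].lower() == value.lower() for name, value in expected.items())
    return ok, computed


def order_segments(directory: str, base: str) -> List[str]:
    """Collect base.001, base.002, ... sorted numerically (not lexically,
    which would misorder once an image reaches segment .1000)."""
    prefix = base + "."
    segs = [f for f in os.listdir(directory)
            if f.startswith(prefix) and f[len(prefix):].isdigit()]
    segs.sort(key=lambda f: int(f[len(prefix):]))
    return [os.path.join(directory, f) for f in segs]


def make_sample_image(directory: str) -> Dict[str, str]:
    """Constructed sample (not real evidence): a 3-segment raw image whose
    segments hold distinct bytes, so segment order changes the hash."""
    data = b"A" * 4096 + b"B" * 4096 + b"C" * 2048
    bounds = [(0, 4096), (4096, 8192), (8192, 10240)]
    for i, (start, end) in enumerate(bounds, start=1):
        with open(os.path.join(directory, f"sample.dd.{i:03d}"), "wb") as fh:
            fh.write(data[start:end])
    # what an imager would have written in its acquisition report
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}


def run_demo() -> Dict[str, object]:
    """Build the sample image in a temp dir, verify it, and show that
    reading the segments in the wrong order fails verification."""
    with tempfile.TemporaryDirectory() as tmp:
        expected = make_sample_image(tmp)
        paths = order_segments(tmp, "sample.dd")
        ok, computed = verify_image(paths, expected)
        wrong_order_ok, _ = verify_image(list(reversed(paths)), expected)
        return {
            "segments": [os.path.basename(p) for p in paths],
            "ok": ok,
            "wrong_order_ok": wrong_order_ok,
            "computed": computed,
            "expected": expected,
        }


if __name__ == "__main__":
    result = run_demo()
    print("segments      :", result["segments"])
    print("verified      :", result["ok"])
    print("reversed order:", result["wrong_order_ok"])
    for name, value in result["computed"].items():
        print(f"{name:>5}: {value}")
```

On a real case, point `order_segments` at the output folder of the imager and paste the MD5/SHA-1 from its report into `expected`; a mismatch means either a bad copy, a segment missing or out of order, or a drive that changed under you, and it is worth knowing before the first keyword search rather than on the stand.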
Forensic Computers – Their FRED (forensic workstation) systems are a great asset for the investigator who has a small lab and needs a lot of horsepower. Be prepared to spend $$, but these are a good investment. They all come pre-configured with tools and goodies.
EnCase v7, EnCase v6x – Outside the collection realm, the EnCase name stands on its own as a powerful & versatile tool that allows for forensic analysis of all kinds. Version 7 is a big change from the previous user interface, and I (like many) was a hard sell to change over. However, recently I’ve seen the benefits of v7 and think there is a good future for it in my investigations. I’ll still use v6, but now I have two good options to choose from.
DT Search – My indexing tool of choice. Easy to use, quick & powerful.
RegRipper – A widely known tool that will quickly parse through registry hives and export them to easily readable text files.
Paraben P2 Commander – Many of Paraben’s tools are good at email analysis. P2 Commander is one of my go-tos.
EnCase Command Center – For eDiscovery & Cyber Security enterprise projects. It’s a beast of its own, but a very powerful suite of tools that can be used in the largest of corporations.
Splunk – If you have firewall logs, event logs, and Lincoln logs (get it?!), then I’d use this to index and search them.
Aid4Mail – The easiest tool to search & convert email of all (and unknown) formats.
So this is just Part 1. I plan to do a Part 2, but would love to hear some feedback from the community. All comments & questions are welcome.
Till next time…