The advent of the GDPR in Europe and the CCPA in the United States has raised the emphasis on PII processing and on data breaches, which are steadily increasing. This is where a minor but no less important field of IT comes into play, one that is absolutely indispensable for identifying the damage, its authors and the type of attack carried out: Digital Forensics. This forensic science makes it possible to collect and analyze evidence from various types of sources and media, as well as to analyze the vulnerabilities of networks and systems, proposing to reduce the risk that such incidents recur in the future through system hardening. Tool selection is essential to carry out this investigative work, sometimes for functionality, other times because a tool is compliant with, and recognized by, the authorities.
Let’s dig deeper with a list of the most famous and widely used tools for DFIR and vulnerability analysis:
1 – AUTOPSY
It is one of the most used DFIR tools in the world, recognized by government and military authorities worldwide. It uses various open source tools, such as fdisk, and is based on the renowned digital forensics software Sleuth Kit. It allows you to extract information from various types of data sources.
2 – WIRESHARK
Perhaps one of the most famous tools for protocol and IP packet analysis, it is totally open source and equipped with powerful features to detect compliance violations and types of attacks such as covert channels.
3 – NMAP
Another of the most famous free tools available online, Nmap allows you to scan networks and protocols and detect open ports and services, so that you can identify improvement opportunities for the security of your network.
4 – MAGNET RAM CAPTURE
An important source of evidence is the content of RAM and other volatile memory. This is where MAGNET RAM CAPTURE comes into play, capable of extracting all the data contained therein. Last but not least, it is also recognized by many government authorities in various countries.
5 – HASHMYFILES
Ever heard of integrity checks and non-repudiation? They are carried out by hashing the digital files with MD5 or SHA1. HASHMYFILES gives you the possibility of calculating and verifying the hashes of files, so that you can verify that they have not been altered or tampered with. It is not very user friendly, but it is completely free.
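The integrity-check workflow described above, as an added example (not HashMyFiles' code, nor from the original post): a manifest of MD5, SHA1 and SHA-256 hashes is taken at acquisition time, and a later re-hash reports each evidence file as unchanged, modified or missing. The file names and contents in `demo()` are constructed sample data; SHA-256 is recorded alongside the two algorithms the text names because examiners commonly keep it for corroboration.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # stream in 1 MiB chunks so a multi-GB image never sits in RAM at once

def hash_file(path, algorithms=("md5", "sha1", "sha256")):
    """Return {algorithm: hexdigest} for one file, reading it only once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def build_manifest(root):
    """Hash every file under root at acquisition time; keys are paths relative to root."""
    root = Path(root)
    return {str(p.relative_to(root)): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_manifest(root, manifest):
    """Re-hash each manifest entry; status is 'ok', 'modified' or 'missing'."""
    root = Path(root)
    report = []
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            report.append((rel, "missing"))
        elif hash_file(p, tuple(expected)) == expected:   # same algorithms as recorded
            report.append((rel, "ok"))
        else:
            report.append((rel, "modified"))
    return report

def demo():
    """Constructed sample: three files are hashed, then one is edited and one deleted."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "readme.txt").write_bytes(b"abc")                    # left untouched
        (root / "notes.txt").write_bytes(b"acquired by examiner A")
        (root / "log.txt").write_bytes(b"imaging log")
        manifest = build_manifest(root)                               # goes into the custody record
        (root / "notes.txt").write_bytes(b"acquired by examiner B")  # altered after acquisition
        (root / "log.txt").unlink()                                   # lost or removed
        return manifest, verify_manifest(root, manifest)

if __name__ == "__main__":
    for rel, status in demo()[1]:
        print(f"{status:8} {rel}")
```

Because `hash_file` streams the input, the same routine works unchanged on disk images far larger than available memory.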
6 – SIFT
When it comes to cyber security, one of the largest organizations is the SANS Institute (SysAdmin, Audit, Networking, and Security), which publishes many articles and documents useful in the cyber security field, as well as numerous tools for security and DFIR. One of these is certainly SIFT (SANS Investigative Forensic Toolkit), a complete suite of forensic analysis tools. It contains tools for analysis and reporting, widely used by CSIRTs for post-incident investigations as well as for forensic investigations.
7 – SLEUTH KIT
We now come to Sleuth Kit, perhaps one of the oldest tools for forensic investigation, an open source project on which the aforementioned Autopsy is itself based. It is recognized by almost all western civil and military justice organizations.
8 – TESTDISK
Excellent for recovering deleted or corrupted files, it can recover deleted files from many kinds of media. Recovery can take a long time and require far more disk space than the size of the original media. This software is also completely free and open source; the only drawback is that it is a command-line utility. It is also among the tools included in Autopsy.
9 – PALADIN FORENSIC SUITE
SUMURI has made available this other splendid Ubuntu-based tool, Paladin Forensic Suite. It is a real toolbox for forensic investigators, containing more than 90 tools to carry out various activities in the DFIR field.
10 – CAIN
CAIN is a tool that has been available for many years now, created by the Italian Massimiliano Montoro and Sean Babcock. Initially used as a tool for recovering Microsoft passwords, it has evolved over time, adding password cracking and WEP cracking functionality, and it is also used to verify the absence of cached or insecure passwords.