Thursday, October 29, 2009

FTK 3.01 and IEF

I realize that there are many who are still sore over the troubles with v2.0 of FTK. But I've been using v3.01 (x64) for a few weeks now, and I'm quite impressed. While there are a few nagging issues that continue to annoy me (lack of ability to use "sweeping bookmarks"), the product seems to have integrated several other features that make up for these small annoyances. First of all, it's MUCH faster. Remember trying to sort a column in v1.8x - no more! The time to sort a column, remove checkmarks, load images... everything seems to move much faster. I like the integration of Registry reporting, indexed search results and the flexible reporting options. The carving and sorting of files into various categories is impressive. If only you could find a way to make it easier for an investigator to go through thousands of HTML pages in search of emails, banking artifacts, etc.!

Admittedly, I installed FTK onto a new clean machine, but colleagues in our office have upgraded from v2.0x and are also seeing similar advantages.

My suggestion to Accessdata - more research and whitepapers, i.e. Vista Registry, more information on using FTK for Mac analysis, etc.

Overall, very impressed by these significant upgrades and improvements.

Also, take a look at Jad's site. He's been busy working on his program, Internet Evidence Finder, and has made some significant improvements - now up to v2.07. A quick poll at our last office meeting - over 1/2 of our investigators are using his product. Keep it coming Jad - much appreciated!

Caine v1.0

I see that CAINE has released v1.0 today - up from its previous 0.5 release. From an initial view, it appears that many of the included programs have been updated. Overall, it has a nice selection of tools, including those used for both acquisition and analysis (Sleuthkit 3.01, MDD, Autopsy 2.21, Winen, Win32DD and probably about another 50 tools). Clear instructions on how to create a bootable USB drive as well.

The mounting policy claimed by the program states that it is the "same as Helix": when the user clicks on a drive, it is mounted read-only. If the user mounts from a terminal, however, the mount defaults to "rw" unless the "ro" option is given explicitly.
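As an added illustration (not CAINE's own code or anything from the original post), here is a small POSIX sh snippet that makes the terminal case explicit: the option string a read-only evidence mount should carry, a helper that builds the mount command so it can be reviewed before it runs, and a check that parses a /proc/mounts line to confirm the kernel actually mounted read-only. The image path, mount point and sample /proc/mounts lines are constructed placeholders.

```shell
#!/bin/sh
# Added example, not CAINE's own code. Mounting from a terminal gives "rw"
# unless "ro" is requested; these helpers make the read-only request explicit
# and let you confirm afterwards what the kernel actually did.

# Option list for a read-only evidence mount. "ro" alone is not sufficient on
# journaled filesystems: ext3/ext4 will replay a dirty journal on mount unless
# "noload" is also given, and that replay writes to the evidence.
forensic_mount_opts() {
    echo "ro,noload,noexec,noatime,nodev"
}

# Build the mount command for a raw image (loop device) without running it,
# so it can be reviewed first. Arguments: image path, mount point.
mount_evidence_cmd() {
    echo "mount -o loop,$(forensic_mount_opts) $1 $2"
}

# Check one line in /proc/mounts format. Field 4 is the option list; return 0
# if it contains "ro", 1 otherwise. The kernel reports what it did, not what
# was asked for, so this is the check to run after mounting.
mount_is_ro() {
    set -- $1
    case ",$4," in
        *,ro,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Mount and immediately verify; fails loudly if the mount is not read-only.
mount_evidence() {
    image="$1"; mnt="$2"
    $(mount_evidence_cmd "$image" "$mnt") || return 1
    line=$(grep " $mnt " /proc/mounts)
    mount_is_ro "$line" || { echo "WARNING: $mnt is not read-only" >&2; return 1; }
}

# Constructed samples: what /proc/mounts might show after a careful mount
# (first line) and after a plain "mount /dev/sdb1 /mnt/usb" (second line).
SAMPLE_RO="/dev/loop0 /mnt/evidence ext4 ro,noload,noexec,noatime,nodev 0 0"
SAMPLE_RW="/dev/sdb1 /mnt/usb vfat rw,relatime 0 0"

if mount_is_ro "$SAMPLE_RO"; then echo "sample 1: read-only"; fi
if ! mount_is_ro "$SAMPLE_RW"; then echo "sample 2: NOT read-only"; fi
echo "would run: $(mount_evidence_cmd /cases/CASE-001/disk.dd /mnt/evidence)"
```

The point of the last check is that a read-only request can still end up as something else (a typo in the option list, a filesystem driver that ignores an option), so the verification reads back what the kernel recorded rather than trusting the command that was typed.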

Not sure how you feel about these all-inclusive tool sets, but like SIFT, it's nice to have all the necessary tools in a bootable CD or VM. Reboot and your workspace is clear.

Downloading v1.0 right now... let's take it for a spin!

Monday, October 12, 2009

NirLauncher package

NirSoft has introduced a new "front-end tool" allowing approx. 100 of their tools to be run from a GUI console. The tool, named NirLauncher, can be run from a directory created on a USB thumbdrive. It indicates whether each program can be run on a 32- and/or 64-bit system and allows you to integrate SysInternals tools into the package. At this time, they warn against using the product in "Run as Administrator" mode in Vista and Windows 7 until a bug has been fixed. Nice addition to a fantastic tool set! Be sure to read the comments on his blog for additional tips and reviews from readers.

Sunday, October 11, 2009

Live Forensics just got a little easier...

Matthieu Suiche has released the latest version of his memory imaging tool "win32dd" (v. 1.3 final). Up until now, I've been using FastDump Pro and Winen as my imaging tools, largely because of their robustness and their support for a wide range of OSes, >4 GB of memory and both 32- and 64-bit platforms. With the release of Matthieu's latest tools (which I see have been under beta testing), you can be assured that this tool will also be making it to my list of memory acquisition tools. All this and MD5, SHA1 and SHA256 support.

What I find intriguing about this new product is the fact that you have the option of generating a "blue screen" or sending the system into hibernation.

Matthieu has a great slide presentation titled "Challenges of Windows physical memory acquisition and exploitation". The presentation was given at Shakacon 2009.

With the enhanced abilities of these tools, I'm interested in finding solutions to faster acquisition times using USB drives. Any comments? (i.e. thumbdrives with fast I/O times, an external USB 2.5" drive, an SSD, how about an SD card with 30 MB/s transfer speed?) With larger and larger acquisitions, the time at scene is becoming an issue.