DFIR

Computer forensics is easily one of my favorite areas of information security. Having worked as an investigator for a number of years on both civil and criminal cases, I can say from personal experience that although the hours are long, and court testimony is at times stressful, it is extremely rewarding when you are able to put your finger on the evidence you are looking for. Incident response plays a big part in this, as in most cases you are utilizing forensics processes while responding to cyber-breaches, hence the term DFIR, or Digital Forensics and Incident Response. I have included a list of some of the websites I frequent as well as other useful information. Essentially, it is a good source of tools, checklists, etc. for responding to incidents and conducting forensic analysis.

Tools & Scripts

  • EVT Log Parser – EVT LogParser is a free event log parser that allows you to filter output according to a full-text search of the message text.
  • Event Log Explorer – Event Log Explorer is an effective software solution for viewing, analyzing and monitoring events recorded in Microsoft Windows event logs. Event Log Explorer greatly simplifies and speeds up the analysis of event logs (security, application, system, setup, directory service, DNS and others).
  • RDP Cache Forensics – The RDP bitmap cache is a puzzle-like cache of screen images. During an RDP session the system takes snapshots of the screen. These images, however, are not of the whole screen but rather only pieces of it, and chances are you will not have every piece either. This tool is not perfect, but it is a good start.
  • Highlighter – A utility designed primarily for security analysts and system administrators. Highlighter provides the user with three views of the file being analyzed: a text view that highlights interesting keywords and removes lines with “known good” content; a full-content view that shows all content and the full structure of the file, rendered as an image that is dynamically editable through the user interface; and a histogram view that displays patterns in the file over time, so that usage patterns become visually apparent and provide the examiner with useful metadata that is not available in other text viewers/editors.
  • PDBExtract – Enables you to explore symbolic type information extracted from Microsoft program database (PDB) files. This tool is primarily for reverse engineering Windows-based applications and for exploring the internals of Windows kernel components.
  • Heap Inspector – A heap visualization and analysis tool that collects a process’s heaps using both API and raw methods.