Digital Forensics: Get Started with These 9 Open Source Tools

What Are Digital Forensics Tools?

Digital forensics is a branch of forensic science that involves recovering materials from digital devices, examining them, and using them to investigate cybersecurity incidents and computer crimes. Within digital forensics there are several sub-fields, including:

  • Computer forensics

  • Network forensics

  • Forensic data analysis

  • Mobile device forensics

The forensic analysis process involves forensic imaging of systems under investigation, analysis of images, and creating a report of collected evidence. Digital forensics tools can help security analysts and investigators collect forensic data from computing devices, convert it into standard formats to enable analysis, and filter it to uncover relevant information.

Top Open Source Digital Forensics Tools

Here are some of the most common open-source tools used by digital forensics experts.

1. The Sleuth Kit

The Sleuth Kit (TSK) offers a variety of Windows- and Unix-based utilities and libraries for data extraction and forensic analysis. It forms the basis of the well-known tool Autopsy, a graphical user interface (GUI) for command-line utilities packaged with TSK. It allows users to extract data from storage devices and disk drives.

TSK is an open source collection protected under general public, common public, and IP licensing. The software is actively developed and supported by an open source community.

The Sleuth Kit is compatible with NTFS, FAT/ExFAT, UFS 1/2, Ext2, Ext3, Ext4, HFS, ISO 9660, and YAFFS2 file systems in standalone or raw (dd), expert witness, or advanced forensic format (AFF). You can use the Sleuth Kit to check most Microsoft Windows and Apple Macintosh operating systems, as well as many Linux and certain UNIX computers.

The Sleuth Kit is available through the included command-line tools or as a library built into other digital forensics tools such as log2timeline/plaso and Autopsy.

2. Autopsy

Autopsy is computer software that facilitates the distribution of many of the open source programs and plug-ins used in TSK. The GUI displays forensic search results for underlying volumes, so investigators can more easily flag relevant pieces of data.

Autopsy file parsing capabilities include:

  • Hash all files and decompress standard archives such as ZIP and JAR.

  • Extract EXIF values and major file systems such as FAT, ExFAT, NTFS, HFS+, Ext2/Ext3/Ext4, and YAFFS2 for analysis and to add keywords in an index.

  • Parse and catalog some specialized file formats such as email formats and contact files.

Users can search for recent activity in this index file and create a summarizing report in PDF or HTML format. If time is limited, users can use rules to enable analysis of the most important files first. In Autopsy, some images of these files may be saved in virtual hard disk format.

3. Digital Forensics Framework

Digital Forensics Framework (DFF) is an open source computer forensics solution. Professionals and non-experts use it to collect, store, and disclose digital evidence without compromising systems or data.

DFF provides a GUI developed with PyQt and traditional tree views, as well as a rich command line interface. Features such as recursive views, tags, real-time searches, and bookmarks are available.

DFF comes with common shell features such as completion, task management, and keyboard shortcuts. DFF can automate repetitive tasks by running batch scripts at startup. Advanced users and developers can script investigations using DFF directly in the Python interpreter.

In addition to source package and binary installers for Linux and Windows, DFF is also available in popular operating system distributions including Debian, Fedora, and Ubuntu.

4. Open Computer Forensics Architecture (OCFA)

Open Computer Forensics Architecture (OCFA) is an open source computer forensics framework for analyzing digital media in digital forensics laboratory environments. This framework was established by the Dutch police.

OCFA is a backend for the Linux platform. It uses a PostgreSQL database for datastores, custom content addressable stores or CarvFS-based datastores, and Lucene indexes. Due to licensing issues, the OCFA frontend is not open to the public.

The framework can integrate with additional open source forensics tools and includes modules for TSK, Scalpel, libmagic, Photorec, GNU Privacy Guard, exiftags, objdump, zip, 7-zip, gzip, bzip2, tar, rar, antiword, mbx2mbox, and qemu-img. OCFA is extensible to C++ or Java.

5. HashKeeper

HashKeeper is a database application that is primarily of value to users who perform regular forensic checks on their computers.

HashKeeper uses the MD5 hashing algorithm to establish unique numeric identifiers (hash values) for "known-good" and "known-bad" files.

HashKeeper is designed to reduce the time required to scan digital media files. If the examiner defines the document as a known-good file, the examiner does not need to repeat the analysis.

HashKeeper compares a hash of a known-good file to a hash of a file on a computer system. If this value matches a file that is known to be healthy, the inspector can say with considerable certainty that the file on the computer system is healthy and does not need to be checked.

If these values match a file that is known to be bad, the inspector can say with considerable certainty that the file on the system being scanned is bad and needs further review.
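The known-good / known-bad comparison described above can be sketched as follows. This is an added example, not HashKeeper's own code: the function names, the sample files and the two hash sets are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def md5_of(path, chunk_size=1 << 20):
    """Hash a file in chunks so large evidence files never load fully into RAM."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage(root, known_good, known_bad):
    """Sort every file under root into known_good / known_bad / unknown by MD5."""
    result = {"known_good": [], "known_bad": [], "unknown": []}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        h = md5_of(path)
        # Check the bad set first: a hash listed in both sets must not be skipped.
        if h in known_bad:
            bucket = "known_bad"
        elif h in known_good:
            bucket = "known_good"
        else:
            bucket = "unknown"
        result[bucket].append((path.relative_to(root).as_posix(), h))
    return result


def demo():
    """Build a constructed evidence tree and hash sets, then triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sys").mkdir()
        (root / "sys" / "notepad.bin").write_bytes(b"constructed known-good content")
        (root / "dropper.bin").write_bytes(b"constructed known-bad content")
        (root / "report.doc").write_bytes(b"constructed user document")
        # Constructed hash sets standing in for a HashKeeper-style database.
        good = {hashlib.md5(b"constructed known-good content").hexdigest()}
        bad = {hashlib.md5(b"constructed known-bad content").hexdigest()}
        return triage(root, good, bad)


if __name__ == "__main__":
    for bucket, files in demo().items():
        print(bucket, files)
```

Only the files in the "unknown" bucket still need manual examination; the known-bad hits go straight to further review.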

6. Bulk Extractor

Bulk Extractor is an information extraction solution that scans files, directories, or disk images and extracts data without parsing file systems or file system structures. This allows parallel access to various parts of the disk, which is faster than regular tools.

Another advantage of Bulk Extractor is its ability to handle almost any format of digital media, including hard drives, optical drives, solid-state drives, camera cards, and smartphones. Its latest version can perform social network forensics, analyzing digital evidence to extract information such as addresses, credit card numbers, and URLs.

Other features include histogram creation based on compiled word lists and frequently used email addresses. This is useful for decryption.

All the information extracted can be processed manually or using one of four automated tools. One has a built-in contextual stop list (i.e., search terms marked by investigators) that excludes human error from digital forensic investigations. The software is available free of charge for Windows and Linux systems.
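The idea of scanning raw bytes without parsing a file system, and then building histograms of what was found, can be illustrated with a small sketch. This is an added example, not Bulk Extractor's code: the regular expressions, page size, margin and the sample "image" are simplified assumptions constructed for illustration.

```python
import re
from collections import Counter

SCANNERS = {  # simplified patterns, an assumption of this example
    "email": re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "url": re.compile(rb"https?://[^\s\"'<>\x00]+"),
    "card": re.compile(rb"(?<!\d)\d{16}(?!\d)"),  # 16-digit candidates only
}


def luhn_ok(digits):
    """Luhn checksum; filters out most digit runs that are not card numbers."""
    total = 0
    for i, byte in enumerate(reversed(digits)):
        d = byte - 48  # bytes iterate as ints; 48 is ASCII '0'
        total += (d * 2 - 9 if d > 4 else d * 2) if i % 2 else d
    return total % 10 == 0


def scan_image(image, page_size=4096, margin=256):
    """Scan raw bytes page by page without parsing any file-system structure.
    Each page is read with a margin on both sides so a feature straddling a
    page edge is matched whole; only the page holding its start reports it."""
    found = []
    for start in range(0, len(image), page_size):
        base = max(0, start - margin)
        window = image[base:start + page_size + margin]
        for kind, rx in SCANNERS.items():
            for m in rx.finditer(window):
                offset = base + m.start()
                if not start <= offset < start + page_size:
                    continue  # owned by a neighbouring page
                if kind == "card" and not luhn_ok(m.group()):
                    continue
                found.append((offset, kind, m.group().decode("ascii", "replace")))
    return sorted(found)


def histogram(found, kind):
    """Frequency count of one feature type, most common first."""
    return Counter(v for _, k, v in found if k == kind).most_common()


def demo_image():
    """Constructed 'disk image': filler bytes with an email across the page edge."""
    return (b"\x00" * 4090 + b"alice@example.com\xff\xfe"
            + b"GET http://example.org/a HTTP/1.1\r\n" + b"\x00" * 100
            + b"alice@example.com\x00card=4111111111111111;id=1234567890123456\x00")
```

Because each page is scanned independently of the others, the pages could be handed to parallel workers, which is the property the description above relies on for speed.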

7. Computer-Aided Investigative Environment

Computer-Aided Investigative Environment (CAINE) is an open-source, Ubuntu-based Linux distribution created by Italian developers for digital forensics. CAINE provides interoperable software that integrates with existing security tools to provide a user-friendly GUI. Because it is open source, organizations can redistribute and modify Windows, Linux, and Unix systems as needed.

CAINE integrates software tools into modules through powerful scripting in a graphical interface environment. Its production environment is designed to provide forensic professionals with all the tools they need to conduct digital forensic research processes (storage, collection, inspection, and analysis).

Because CAINE is a live Linux distribution, it can be booted from removable media (flash drive) or CD and run from memory. It can also be installed on a physical or virtual machine. In real-time mode, CAINE can process datastore objects without starting a supporting operating system.

The latest version (11.0) is bootable with UEFI, UEFI with Secure Boot, and legacy BIOS, enabling the use of CAINE in information systems booting legacy operating systems (e.g., Windows NT) and new platforms (Linux, Windows 10).

8. SANS Investigative Forensics Toolkit

SANS Investigative Forensics Toolkit (SIFT) is a suite of open source forensics and incident response technologies designed to conduct in-depth investigations in various digital environments. The toolkit scans the original disk and multiple file types in a secure, read-only manner to preserve the evidence it finds.

SIFT has high flexibility and compatibility with raw evidence formats, expert witness format (E01), and advanced forensics format (AFF). It is based on Ubuntu and includes several individual tools (including some mentioned here) that forensic investigators can use for free. SIFT is updated regularly.

9. The Volatility Foundation

The Volatility Foundation is a non-profit organization that aims to advance the use of memory (RAM) analytics in the digital forensics community. The main software is an open source framework for malware detection and incident response using volatile memory forensics. This allows for the preservation of any evidence stored in memory, which could be lost in a system shutdown.

It is written in Python, supports most 64-bit and 32-bit systems, and can filter cache sectors, crash dumps, dynamic link libraries, network connections, registry files, ports, and process lists. The memory forensics tool is free to use, and its code is available on GitHub.