Digital Forensics Tools/Distros
I was researching digital forensics distros/platforms and came across several. Which ones are the best to use? most recognized? I know there are many tools for different forensics analysis but I am talking about the overall distros.
Digital Forensics Framework
Sleuth kit +Autopsy
SANS SIFT (this is distro is based on SANS courses)
EnCase (has certification) Tools require license/fees
AccessData FTK (has certification)
Kali Linux (distro has autopsy, Digital Forensics Framework, volatility, and others)
Aside from EnCase, most of these tools are freeware. So whats the verdict here? people use one? two? multiples of these tools during investigations? Any recommended books or courses?
Thanks!
Digital Forensics Framework
Sleuth kit +Autopsy
SANS SIFT (this is distro is based on SANS courses)
EnCase (has certification) Tools require license/fees
AccessData FTK (has certification)
Kali Linux (distro has autopsy, Digital Forensics Framework, volatility, and others)
Aside from EnCase, most of these tools are freeware. So whats the verdict here? people use one? two? multiples of these tools during investigations? Any recommended books or courses?
Thanks!
Certs: CISSP, OSCP, CRTP, eCPPT, eCIR, LFCS, CEH, AZ-900, VHL:Advanced+, Retired Cisco CCNP/SP/DP
2020 Goals:
Courses: VHL (completed), CQURE: Windows Security Crash Course (completed), BlackHills InfoSec: Breaching the Cloud (completed), eLearnSecurity: WAPTv3 (completed), IHRP (completed), THPv2 (completed), PTXv2 (completed)
Certs: VHL: Advanced+ (completed), OSCP (completed), AZ-500 (failed 1st attempt), eWPT (failed 2x, no further attempts), eCIR (complete), eCTHPv2 (report: awaiting results), eCPTXv2 (Dec)
2021: AZ-500, AZ-104, AZ-204, AZ-303, AZ-304, MS-500
2020 Goals:
Courses: VHL (completed), CQURE: Windows Security Crash Course (completed), BlackHills InfoSec: Breaching the Cloud (completed), eLearnSecurity: WAPTv3 (completed), IHRP (completed), THPv2 (completed), PTXv2 (completed)
Certs: VHL: Advanced+ (completed), OSCP (completed), AZ-500 (failed 1st attempt), eWPT (failed 2x, no further attempts), eCIR (complete), eCTHPv2 (report: awaiting results), eCPTXv2 (Dec)
2021: AZ-500, AZ-104, AZ-204, AZ-303, AZ-304, MS-500
Comments
-
iBrokeIT
GICSP, GCIP, GXPN, GPEN, GWAPT, GCFE, GCIA, GCIH, GSEC, CySA+, Sec+, eJPT Member Posts: 1,303 ■■■■■■■■■□
Nirsoft (NirSoft - freeware utilities: password recovery, system utilities, desktop utilities) and Sysinternals are both large collections of tools that come in handy in various circumstances.
Use the best tool for the job, you aren't going to find a one size fits all cases platform.2019: GPEN | GCFE | GXPN | GICSP | CySA+
2020: GCIP | GCIA | eCPPT | eWPT | eCTHP
WGU BS IT-NA | SANS Grad Cert: PT&EH | SANS Grad Cert: ICS Security -
JasminLandry
Member Posts: 601
I don't know that much about forensics but I have used CAINE in the past for a project at school CAINE Live USB/DVD - computer forensics digital forensics -
PJ_Sneakers
CompTIA, EC-Council, ISACA, (ISC)², Microsoft USAMember Posts: 880 ■■■■■■□□□□
It depends on the forensics you are doing. Live box? Dead box? PC? Mac? Android? iOS? Blackberry? Different tools for different tasks. In forensics there is no best tool, especially when you are talking about automated software packages.
Also, it depends on how much money you have.
What is your goal here? -
Verities
Member Posts: 1,162
DEFT (Digital Evidence & Forensics Toolkit) Linux is commonly used by law enforcement:
DEFT Linux - Computer Forensics live CD | -
cyberguypr
Senior Member Mod Posts: 6,912 Mod
As PJ said, what is the end goal? My shop is EnCase heavy but we have other "lighter" tools that we use when the incident doesn't need the full power of EnCase. There are many ways to get to what you want and once you find it you may need other tools to validate it.