You asked, here we are. YaSfDFIRI: yet another setup for DFIR investigations
I was bombarded with inquiries about my personal investigation setup. I'm not a big fan of this type of blog post because the message it could convey is about "push-the-button" forensics.
***Nothing could be more wrong!***
But, I'll try to explain why I use one tool over another and, most importantly, how I strike the right balance between budget and performance. So, let's get started.
First and foremost, the most important tool you will require is.............................. 🧠YOUR BRAIN🧠. An investigator must not limit himself to simply reading the output of a tool, but must also be able to contextualize that data, understand where it was extracted from, understand the value of that data, and determine whether or not what he is reading is correct. As a result, the analyst / investigator must be intimately familiar with the characteristics and internals of the systems under investigation. Unfortunately, in this context (digital investigations, incident responses, and so on), making mistakes can have disastrous consequences for a person or a company.
PS: I'd like to state unequivocally that this article is not sponsored by anyone and that the points raised are entirely my own. Over the years, I've had the opportunity to experiment with a wide range of tools (both commercial and non-commercial), but the relentless rise in prices forced me to pick the best combination. Each tool has its own unique features and strengths, but as previously stated, my goal was to put together a setup that provided the best cost-benefit ratio.
Discovery and navigation of forensic images and endpoint systems
I begin by introducing the first tool as the "Prince of Tools" in the forensics field: X-Ways Forensics.
Price: €2,409 + VAT (1 year, regular dongle)
Pro: in a nutshell, it is devastating. Devastating in many ways, including the price, the speed at which it processes images and disks, and the fact that it is portable.
Con: it does not manage encrypted disks or encrypted files directly.
This is the one tool I cannot live without. I'm thinking about creating a section on this site dedicated to X-Ways forensics tips and tricks. Do yourself a favor, save your money and hurry up to buy a license.
When it comes to analyzing USB peripherals that have been connected to a system, the quickest method is to use USB Detective.
Price: €367,37 + VAT
Pro: in-depth analysis starting from multiple Windows artifacts.
Con: not as robust on macOS and *nix systems.
When we need to mount a forensic image or a disk (for example, to decrypt an encrypted copy or disk), Arsenal Image Mounter is the best solution.
Price: €692,88 + VAT
Examination of individual Windows artifacts
There are no comparisons to be made when we land on this field: Eric Zimmerman's tools are the only ones that should be used on a Windows environment.
Do you need to investigate system events? No worries, EvtxECmd is here to help.
Do you wish to delve into a prefetch file? Any commercial tool will not make you regret using PECmd.
Do you require the ability to view a CSV file containing a timeline, or the output of a parse with the previous tools? Timeline Explorer is a wonderful tool.
Price: €0; however, those who wish to support Eric's work should keep in mind that they can do so through GitHub Sponsors, PayPal, or Patreon.
Remember that indexing a forensic image or a disk can take hours and hours and hours, so knowing where to look for information can save you a lot of time.
Index_time (hours) >>> take_single_artifact_and_process_them (minutes)
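The targeted-artifact workflow above, as an added example that is not code from this post or from Eric Zimmerman's projects: a PowerShell triage script that runs EvtxECmd and PECmd directly against a volume mounted with Arsenal Image Mounter and writes CSVs for Timeline Explorer, timing each parser to make the minutes-versus-hours point. The tool directory, case folder and drive letter are assumptions.

```powershell
# Added example (not from the post): parse single Windows artifacts from a mounted
# volume instead of indexing the whole image. Paths are assumptions for this example.
param(
    [Parameter(Mandatory = $true)]
    [string]$MountedVolume,                          # e.g. 'E:\' as assigned by Arsenal Image Mounter (assumption)
    [string]$ToolsDir = 'C:\Tools\ZimmermanTools',   # assumed location of Eric Zimmerman's tools
    [string]$OutDir   = 'C:\Cases\case01\triage'     # assumed output folder, later opened in Timeline Explorer
)

New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

# Artifact -> (parser, source folder). EvtxECmd ships in its own folder with its Maps;
# both tools accept -d (directory), --csv (output dir) and --csvf (output file name).
$jobs = @(
    @{ Name = 'evtx';     Exe = 'EvtxECmd\EvtxECmd.exe'; Src = 'Windows\System32\winevt\Logs' },
    @{ Name = 'prefetch'; Exe = 'PECmd.exe';             Src = 'Windows\Prefetch' }
)

$results = foreach ($job in $jobs) {
    $exe = Join-Path $ToolsDir $job.Exe
    $src = Join-Path $MountedVolume $job.Src
    if (-not (Test-Path $exe)) { throw "Parser not found: $exe" }
    # Prefetch is frequently absent (servers, disabled prefetcher): record it and move on.
    if (-not (Test-Path $src)) {
        Write-Warning "Artifact folder missing on $MountedVolume : $($job.Src)"
        continue
    }
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    & $exe -d $src --csv $OutDir --csvf "$($job.Name).csv" | Out-Null
    $sw.Stop()
    [pscustomobject]@{
        Artifact = $job.Name
        Output   = Join-Path $OutDir "$($job.Name).csv"
        Seconds  = [math]::Round($sw.Elapsed.TotalSeconds, 1)
        ExitCode = $LASTEXITCODE
    }
}

# Per-artifact run time in seconds or minutes versus hours for a full index;
# the CSVs in $OutDir are ready to be loaded into Timeline Explorer.
$results | Format-Table -AutoSize
```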
Examination of individual macOS artifacts
If we transpose what was said for Windows to a macOS environment, the tool that I believe could save you time and money is mac_apt by Yogesh Khatri.
Analysis of a memory dump
In this case, the only tools I suggest practicing with are Volatility v2 and the new Volatility v3 (with which I am particularly satisfied).
Alongside Wireshark, the usual must-have, I recommend Brim.
I frequently need to analyze massive amounts of log files. Depending on the search to be performed and the number of files present, I will occasionally choose whether to use X-Ways Forensics (mentioned above) or the ELK stack.
This topic deserves its own blog post, but for now, I'll just say that Cellebrite is the best acquisition tool and Oxygen Forensics is the best analysis tool.
If you need to experiment on iOS devices, I highly recommend Corellium's excellent service.
Price: expensive, very expensive
I hope this post has been useful to those who have sought my advice and that it can serve as a good starting point for your own personal setup. 🖖🏻🖖🏻