What’s in my DFIR toolbox? | 2023

/ ChocolateCoat

You know what they say sharing is caring. So, I recently got a new system and had to get my usual tools back on the system. I figured this would be a great time to share with you all the tools I default to and why I use them.

If you work in DFIR, I don’t think too many of these will be much of a surprise but everyone loves to show off their collection right? Also, for context, this is my personal Windows system and I am not going to be sharing my professional work toolbox here. I also try to get as many free to low-cost tools as possible and some are just tools I like that are not DFIR related. If you want the TLDR, the tools are listed at the bottom, but you’ll still read the blog right? Right???

Tool Storage

Photo by Anete Lusina on Pexels.com

Firstly, I want to talk about an odd topic I kind of struggled with when I first started. Where the hell do I keep my tools? C Drive? Desktop? Program Files? Separate Drive? VM? Well, I’ve learned that it doesn’t really matter, but it sort of does.

One important tip, if you are potentially dealing with malware, then use a Virtual Machine (VM). Especially, if you are doing any kind of detonation or “sandboxing”. Now listen… I’ve run malware on barebones and I think just about everyone has even if they won’t admit it. But seriously, if you are handling malware just please use a VM, it will come back to bite you eventually. IF for some reason you don’t have the VM ready to host it, then ZIP and password protect the malware like your life depends on it.

Moving on, here’s my points to keep in mind when storing TOOLS on a system.

  • Make it easily visible, you will forget about it if you try to “bury” it in your filesystem.
  • Easily accessible from the command line, the less “/” you need to type the better.
  • Watch out for Anti-Virus (AV) trying to quarantine it.
  • If you can try to avoid “installing” it onto the OS, portable versions are handy and often easier to make configuration changes.

So what do I do? I will usually create a “DFIR” folder in my home directory. Easy to understand, easy to find, and separates from other programs.

DFIR Tools

Photo by Andri on Pexels.com

Here’s a quick screenshot of an example of my DFIR folder. This isn’t all the tools, but we’ll start here. Don’t judge me if anything isn’t on the latest version.

Andriller

  • A script to automate collecting various artifacts from Android devices via the Android Debugging Bridge

Arsenal Image Mounter

  • Great program that can mount almost any disk format as a local drive. Great for running triage scripts, malware scanning, or viewing data.

Browsing History Viewer

  • Collect or view browsing history. Most complete version I’ve used that can handle just about any web browser.

Eric Zimmerman (EZ) Tools

  • Gold standard DFIR tool collection. Multiple tools that parse the entire range of Windows forensic artifacts. Including some artifact viewing tools that just work better than the default Windows versions

Hayabusa

  • SIGMA based Windows Event Log parser. Creates really good timelines and rule matching to make hunting way easier.

KAPE

  • Triage collection and analysis tool that automates a lot of commonly used DFIR tools and especially the EZ tools.

Magnet Response

  • New triage tool released by Magnet recently, haven’t utilized it too much yet so TBD.

SDK Platform Tools

  • Mostly just use the Android Debugging Bridge (ADB) to connect to Android devices physically on Windows.

RegRipper

  • Registry analysis tool that creates nice report of important registry entries.

Velociraptor

  • Triage collection tool with a few extra capabilities to run in a server model to collect from multiple remote hosts.

xLEAPP

  • Collection of various “LEAPP” scripts to analyze outputs from several OS, particularly iOS and Android.

DFIR_Templates

  • My project of documentation templates related to DFIR 😊

Autopsy (Not pictured)

  • Forensic analysis suite similar that I tend to use for forensic images or larger raw collections. Listing this since it’s free compared to X-Ways or Encase.

Wireshark (Not pictured)

  • PCAP view, capture and analysis tool

Non-DFIR Tools

Photo by Soumil Kumar on Pexels.com

These are tools that I frequently use but are not specific to DFIR. However, I think they are still critical and can make life much easier.

Windows Subsystem for Linux (WSL)

  • Allows you to run a Linux distro in your Windows OS, without needing to spin up a separate VM.

Windows Terminal

  • Favorite way to use command line on Windows. Let’s you tab various instances of PowerShell, Command Prompt, Azure, and even WSL

Notepad++

  • Great for viewing basically any text based file as well as taking quick notes vs the default notepad.

VMWare Workstation

  • Run and manage VMs, Workstation is paid but you can get away with VMware Player for very basic VM management.

PowerToys

  • Several “experimental” functions made by Windows. They run great and do those small things you “wish you could do on Windows”. Trust me you need it.

7-ZIP

  • Better ZIP tool and can even handle other types of archiving such as tar natively.

MS Office or Google Docs

  • You already know, write stuff, present stuff, spreadsheet stuff.

Greenshot

  • A feature rich screenshotting tool, that works much better than built-in screenshot tools

Conclusion

So that’s it, pretty simple and tried to keep the list smaller. I’m positive I missed some amazing tools, but hopefully this will give you at least one new tool to keep in mind. Under this, I’ve listed out all the tools, information and how to get it below.

If you want a full list of multiple DFIR tools then check out https://awesomedfir.com/dfir-tooling.

Tool Summary

Tool NameAuthorCategoryDownload
AndrillerDen4ukCollectionhttps://github.com/den4uk/andriller
Arsenal Image MounterArsenal ReconMountinghttps://arsenalrecon.com/downloads
Browsing History ViewerNir SoferAnalysishttps://www.nirsoft.net/utils/browsing_history_view.html
EZ ToolsEric ZimmermanAnalysishttps://ericzimmerman.github.io/#!index.md
HayabusaYamato SecurityAnalysishttps://github.com/Yamato-Security/hayabusa
KAPEKROLLTriagehttps://www.kroll.com/en/services/cyber-risk/incident-response-litigation-support/kroll-artifact-parser-extractor-kape
Magnet ResponseMagnetTriagehttps://www.magnetforensics.com/resources/magnet-response/
SDK Platform ToolsGoogleCollectionhttps://developer.android.com/studio/releases/platform-tools
RegRipperHarlan Carvey (keydet89)Analysishttps://github.com/keydet89/RegRipper3.0
VelociraptorVelocidexTriagehttps://github.com/Velocidex/velociraptor
ALEAPPAlexis BrignoniAnalysishttps://github.com/abrignoni/ALEAPP
iLEAPPAlexis BrignoniAnalysishttps://github.com/abrignoni/iLEAPP
DFIR_TemplatesMe 😊Documentationhttps://github.com/chocolatecoat/DFIR-Templates
Windows Subsystem for Linux (WSL)WindowsLinuxhttps://learn.microsoft.com/en-us/windows/wsl/install
Windows TerminalWindowsCommand Linehttps://apps.microsoft.com/store/detail/windows-terminal/9N0DX20HK701
Notepad++Notepad++Documentationhttps://notepad-plus-plus.org/downloads/
VMWare WorkstationVMWareVirtualizationhttps://www.vmware.com/products.html
PowerToysWindowsEase of Usehttps://learn.microsoft.com/en-us/windows/powertoys/
7-ZIP7ZIPEase of Usehttps://www.7-zip.org/
MS OfficeWindowsDocumentation https://www.microsoft.com/en-us/download/office.aspx
Google DocsGoogleDocumentationhttps://docs.google.com/
GreenshotGreenshotDocumentationhttps://getgreenshot.org/

Take care of eachother,

Terryn Valikodath

Twitter: @CyberCoat

Mastodon: @ChocolateCoat@infosec.exchange

LinkedIn: terrynvalikodath

One thought on “What’s in my DFIR toolbox? | 2023

  1. Pingback: Week 14 – 2023 – This Week In 4n6

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s