Of the tools I plan on talking about today, one is more on the archaic-but-useful side, while the other is just plain useful and a bit creepy, and the last is something that I have actually been working on in the open-source community. When it comes to forensics, that is kind of the nature of a number of the tools still in use by professionals... New tools come out, but a lot of the time forensics experts like using open-source(i.e. cheap/free) tools and suites!
Autopsy
One of these open-source and sweet tools (see what I did there? ;) ) is Autopsy. Autopsy is an older program that is available for both Windows and Unix operating systems, and is even included in a few Linux distros (like Kali and SIFT). Autopsy is something that I have been using to reconstruct damaged filenames/filetypes, to look through files to see if they have been tampered with, and frankly to see files and file structures at a more microscopic level.
That being said, like I have already mentioned, Autopsy is a little bit dated. It is nice that the program at least has a GUI, but it definitely takes a little bit of time to get used to. The screenshot below shows a little bit what it is like to use the tool. You can tell just in the toolbar above the files how many options you have once you have started the case- you can do file analysis, search for keywords in all of the files, get metadata and look through hex code, etc. Truly, Autopsy has an array of tools for cyber forensics that just take a little bit of getting used to in order to fully grasp the benefits of the program. This basic tutorial is great for helping beginners to get started:
http://digital-forensics.sans.org/blog/2009/05/11/a-step-by-step-introduction-to-using-the-autopsy-forensic-browser
Data Echo
Data Echo is another tool used by some professionals today (particularly by some consultants on the Brigham Young University (BYU) network) and is the free version of a more powerful tool owned by Solera Networks. Ironically, it was actually released to the public by a member of the Solera team accidentally, and because of that slip-up we can all enjoy this product.
Data Echo is a tool that can help users recreate a TCP session using capture packet data. You can either do this live, using WireShark or another capturing utility, or you can analyze saved .pcap files as well. Honestly, this program is a bit creepy. If you are a network administrator and are capturing packets on a co-workers computer, you could essentially recreate their browsing sessions and email usage. Yea. Creepy.
But effective! Especially if you are using it for forensic and/or criminal investigations. This tool doesn't really have a learning curve on it either. You literally load it up, and either start capturing packets with it using the included packet capturing utility, or load in a saved .pcap file for analysis. This program can be found at
http://sourceforge.net/projects/data-echo/.
TCPDShark
The last tool I will bring up is actually a project that I am currently working on using Git (source-code sharing software) and CodePlex (a Microsoft creation for fostering open-source tools- I know, kind of counter-intuitive... It's a traaaaaaap). This tool is a plugin for WireShark called TCPDShark. As I have mentioned above, WireShark is a forensic tool used to capture packets over a network. TCPDStat is an older tool that is Unix-based and is used to take packet data and analyze it, giving the user statistics. Since TCPDStat is Unix-based, a
BYU student decided to create a version of the program that works on Windows.
Written in the LUA coding language, TCPDShark fulfills the same function as TCPDStat by giving packet data analytics, specifically what percentage of packets captured are of each different protocol (http, https, ARP, etc). Using this information, the program then goes a step further and gives some suggestions of percentages that may be worrying to a user, and gives an explanation of why.
