Freeware and open-source tools
The range of freeware and open source resources continues to grow, offering tools for everything from simple add-ons to existing systems to wide-ranging, comprehensive forensic tool kits.
Most of the tools are written for Linux systems, building on the utilities already available, and are generally command line driven. This makes it possible to create quite complex scripts to automate large parts of the forensic procedures, something that is not often easy to do with Windows offerings.
Those who have difficulties with the command line interface can always contact the numerous user communities on the internet for help, or ask a friendly programmer to write the scripts for them.
The most impressive, complete system, available from a number of sources, is the Forensic Incident Response Environment (F.I.R.E.), formerly known as biatchux. It is a downloadable ISO image file that can then be subsequently burned onto a CD-Rom. F.I.R.E. provides tools to investigate Windows, Linux and Solaris systems, and can safely run on Windows or Linux systems.
Windows users get a nice graphical interface, although the forensic programs are still command line tools, as are their Linux counterparts. The Windows components range from a simple command line packet sniffer to an almost complete set of Unix-like tools for the Windows environment.
There are tools to probe the recesses of the different flavors of Windows systems, hashing tools, scanners and password crackers. The collection includes sets of static binary files for the supported systems that are "clean," read-only versions of the various utilities and used in preference to those on the host system – since these may have been compromised. The Linux side of the house offers an extensive selection of useful tools, such as a root kit detector and a number of Linux utilities and a copy of the Autopsy and Sleuth Kit systems.
We tested the Linux root kit detector on a freshly installed Red Hat system and on a copy of a live Linux system as well. The test system was given a clean bill of health but the live system was not.
However, there have been instances of obtaining false positive results, so this was not taken as conclusive evidence. F.I.R.E. has not been updated for a while, although it is still an active project, and the range of tools for the various supported systems is impressive.
Other tools provide extensions to existing capabilities, or concentrate on certain aspects of forensic investigation. Several will integrate with the EnCase product. Sometimes, the freeware provider also offers commercial products.
The Digital Detective website, for example, offers a selection of freeware tools for various forensic purposes, but also a commercial internet browser history analyzer, "NetAnalysis", with highly developed searching and analysis capabilities. The free software on offer includes a number of plug-ins for EnCase systems. There are also freestanding tools such as an MD5 hash generator and an html viewer that can use Internet Explorer plug-ins to give a fast rendering of any stored html page.
The Sleuth Kit software, together with its Autopsy graphical interface, provides a well-developed forensic system that is easy to use, and also has good evidence gathering and reporting capabilities. Although the software was originally developed for Unix systems, it can also analyse file systems from other OSs, including FAT, NTFS, ext2 and ext3.
This can also locate streamed NTFS files, and conduct searches using hash databases. File systems can be searched for keywords using simple strings or regular expressions. Extensive case management is available, with full event logging, and the system can include time-based events from external sources such as firewall and security logs, helping to build up a picture of the exact sequence of events.
Another source of forensic tools is Foundstone Inc. which, as well as its commercial products, provides free utilities for both Windows and Linux systems. Cookie analysis on both systems and Windows Recycle Bin analysis are just some of the tools available, while its free forensic toolkit can detect hidden files and locate streamed files on NTFS volumes, and audit file access and security properties.
It is certainly possible to build a respectable forensic tool kit from freeware, and produce results that compare with their commercial counterparts. A court might find it more difficult to accept forensic evidence produced by these tools than evidence produced by recognized commercial products, but this is more a matter of legal precedent than of forensic accuracy.
In any case, there are plenty of other uses for such a toolkit. Recovering deleted files, rescuing data from dead systems and cracking lost passwords are just some of them. You could even get past the password the user has put on his machine's BIOS, without having to take the machine apart to do so.