Announcing Google Groups Forensic Utilities Artifacts Forum

I know this is going to be a SHOCKER to many... But here goes:
AChoir isn't the only Live Response/Triage/Live Acquisition tool. I'll wait for you to get a glass of water and sit down. There are many excellent Live Response tools/scripts, and many of them actually use the same Free and Open Source utilities to gather forensic artifacts. These are well known utility programs from SysInternals, Nirsoft, and others.
Asking - What else do these utilities do?

When using software to gather digital artifacts (especially in cases where the examiner knows that there are likely to be questions), there are a number of things examiners worry about. Among them are:
- Does this program change anything on the subject drive or in the endpoint's memory?
- If it does, what exactly is added, changed, or deleted?
- How does that affect the system?
- Do these changes constitute contamination? Do they modify the artifacts or the system itself in any way?
- Can I prove that these changes don't contaminate the artifacts? How do I prove it?
The only real way to know the answer to these questions is by testing the software and documenting all changes that it makes to the system. This can be a long and complex process. As it stands today, I am not aware of any central place where these tests are documented.
My original reason for writing AChoir was to provide a free and open Live Acquisition scripting tool/framework, so examiners didn't have to keep re-inventing the wheel. In the same way, I think a common place to document each forensic tool, and what artifacts it creates, will help the entire DFIR community.
What does this look like?

I think there are some standard things we should ask about each utility program:
- What is the program name?
- Where does the program come from?
- What is the Version?
- What is the Hash Value?
- What artifacts does it create? Where are they created: Memory, Registry, Files?
- What, if anything, does the program change?
- How does that impact non-repudiation?
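As an added illustration of the testing described above (this is not AChoir code or anything from the forum), the script below hashes a utility binary, snapshots a directory before and after the utility runs, and reports which files were added, changed, or deleted, in the shape of a forum-style record. The tool name, source URL, version, and the "run" that writes a log and edits a config file are all constructed stand-ins.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each file under root (relative POSIX path) to its (sha256, size)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): (sha256_file(p), p.stat().st_size)
            for p in root.rglob("*") if p.is_file()}


def diff_snapshots(before, after):
    """Classify every path as added, changed (hash or size differs), or deleted."""
    added = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    changed = sorted(p for p in before.keys() & after.keys() if before[p] != after[p])
    return {"added": added, "changed": changed, "deleted": deleted}


def utility_record(name, source, version, binary_path, file_artifacts):
    """Answer the checklist questions: name, source, version, hash, artifacts."""
    return {"program": name, "source": source, "version": version,
            "sha256": sha256_file(binary_path), "file_artifacts": file_artifacts}


def demo():
    """Constructed scenario: a fake utility that leaves a log and edits a config."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "tool.exe").write_bytes(b"constructed stand-in for a utility binary")
        (root / "config.ini").write_text("verbose=0\n")
        before = snapshot(root)
        # Stand-in for actually running the utility on the test system.
        (root / "tool.log").write_text("constructed run log\n")
        (root / "config.ini").write_text("verbose=1\n")
        after = snapshot(root)
        return utility_record("ExampleTool (hypothetical)", "https://example.invalid",
                              "1.0", root / "tool.exe", diff_snapshots(before, after))
```

On a real test system the same snapshot/diff approach extends to registry export files and volatile data dumps, which is where most of the checklist's "Memory, Registry, Files" answers come from.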
Instead of writing a whole database-style system to track those answers (and others), I think the best way to start is using the good old, tried and true, Discussion Forum. I have chosen Google Groups to do that. It may be that in the future a more formal system could be set up, but for now, I think it makes sense to use something simple to start testing, and sharing what we know.
Caveat Emptor: THERE IS NO SUBSTITUTE for doing your own testing.
Not necessarily because you can't trust another person's tests - but because when YOU do the tests, YOU understand the process, and can explain it when YOU are asked.
Having said that, a forum where the DFIR community can collaborate, verify, and correct forensic utility program testing will make everyone's job easier, and more accurate.
I have already seeded the forum with my favorite utilities. It can be found at: https://groups.google.com/forum/#!forum/forensic-utilities-artifacts
If you have already tested these, or other forensic utilities, please consider sharing your results and participating in the forum.