My Top 10 DFIR Tools (2023)
06/20/2023
1. Eric Zimmerman's Tools
Eric Zimmerman's free toolset gives DFIR analysts the ability to analyze artifacts such as Windows Registry hives, event logs, prefetch files, and shortcut files to uncover system activity, user behavior, and potential indicators of compromise. Combined with KAPE (Kroll Artifact Parser and Extractor), these tools will take you from collection to analysis within minutes. Compared to where we came from years ago, with full disk collection and data processing in expensive forensic suites, Eric's tools have changed the game for quick forensic analysis.
2. X-Ways Forensics
If you are going to spend money on one commercial forensics tool, I recommend X-Ways Forensics. I find myself solving investigations within minutes of opening an image in X-Ways, without spending hours processing it. This is a huge advantage over other commercial forensic tools, which require you to process the data before the investigation can begin. Another thing I love about this tool is its timeline view. As most DFIR analysts know, timeline analysis is one of the best ways to get a clear picture of what occurred on a system, because it correlates multiple forensic artifacts in one view, and X-Ways does a fantastic job of presenting that timeline.
3. MemProcFS
When it comes to memory analysis, MemProcFS has become my go-to tool for quick and accurate results. I still love Volatility, but MemProcFS has made memory forensics less painful by mounting a memory image as a virtual file system where all the data can be explored immediately, instead of running individual queries against the image one by one. Sure, you can write a shell script to automate those Volatility commands, but MemProcFS is just flat out faster at getting to those results. Another great feature of this tool is its forensic mode, which will find evil processes, run YARA scans, create CSV timelines, and much more.
4. Velociraptor
Performing forensics at scale has always been difficult for most shops to achieve, until this amazing open-source tool was developed by Mike Cohen. Although my use case is mostly targeted deployments, deploying Velociraptor to thousands of systems within minutes is trivial. Once you have your agents deployed, you can perform memory analysis, review prefetch, analyze the $J, run a KAPE collection, perform YARA scans, and so much more. The most impressive part of this tool is how fast you get results back. Prior to Velociraptor, if I wanted to perform MFT analysis, I would need to collect the MFT from the specified device, run a parsing tool like MFTECmd, and then open the results in Timeline Explorer. With Velociraptor, within a couple of clicks I can run an MFT hunt that automatically parses the MFT on the target system and presents the results in a table inside the Velociraptor console within minutes.
5. Zeek
When working an incident, network telemetry is a crucial source of evidence for identifying initial access, command and control, lateral movement, or data exfiltration, and Zeek (formerly Bro) logs can provide that level of visibility. Ideally you would have a solution in your environment to collect this data and send it to a SIEM; however, Zeek can be used for targeted collections as well. Let's say you have a host in your environment believed to be infected with malware. You perform a packet capture with tcpdump overnight, which results in a 50 GB PCAP. Rather than load that huge PCAP into Wireshark (and wait hours!), you can run Zeek against it, and it will output nicely formatted log files (DNS, HTTP, FTP, etc.) for you to analyze.
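As an added illustration of that workflow (not code from the original post), here is a Python parser for Zeek's tab-separated log layout applied to a constructed dns.log, followed by the kind of quick per-client summary you would do before ever going back to the PCAP:

```python
"""Parse Zeek's TSV log layout and summarise a dns.log, as an analyst would after
`zeek -r capture.pcap`. Added example; the log below is constructed sample data."""
from collections import Counter

# Constructed dns.log: Zeek '#' header directives, then tab-separated records
SAMPLE_DNS_LOG = (
    "#separator \\x09\n#unset_field\t-\n#path\tdns\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
    "\tquery\tqtype_name\trcode_name\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring\tstring\n"
    "1687240001.100000\tCx1\t10.0.0.5\t51000\t10.0.0.1\t53\tudp\twww.example.com\tA\tNOERROR\n"
    "1687240002.200000\tCx2\t10.0.0.5\t51001\t10.0.0.1\t53\tudp\t"
    "0123456789abcdef0123456789abcdef0123456789abcdef.tunnel.example.net\tTXT\tNXDOMAIN\n"
    "1687240003.300000\tCx3\t10.0.0.7\t51002\t10.0.0.1\t53\tudp\tmail.example.org\tMX\tNOERROR\n"
    "1687240004.400000\tCx4\t10.0.0.5\t51003\t10.0.0.1\t53\tudp\tnonexist.example.net\tA\tNXDOMAIN\n"
    "#close\t2023-06-20-00-00-05\n"
)

def parse_zeek_log(text):
    """Yield one dict per record, keyed by the names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue  # other header/footer directives carry no records
        if fields is None:
            raise ValueError("data row before #fields header")
        yield dict(zip(fields, line.split("\t")))

def summarize_dns(records, max_query_len=60):
    """Queries and NXDOMAIN answers per client, plus unusually long names
    (a coarse triage signal for tunnelling or DGA-style activity)."""
    queries, nxdomain, long_names = Counter(), Counter(), []
    for r in records:
        host = r["id.orig_h"]
        queries[host] += 1
        if r["rcode_name"] == "NXDOMAIN":
            nxdomain[host] += 1
        if r["query"] != "-" and len(r["query"]) > max_query_len:
            long_names.append((host, r["query"]))
    return queries, nxdomain, long_names

if __name__ == "__main__":
    q, nx, long_names = summarize_dns(parse_zeek_log(SAMPLE_DNS_LOG))
    for host in q:
        print(f"{host}: {q[host]} queries, {nx[host]} NXDOMAIN")
    for host, name in long_names:
        print(f"long query from {host}: {name}")
```

The same parser works unchanged on conn.log, http.log or any other Zeek ASCII log, since they all carry the #fields header it keys on.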
6. Log2Timeline (Plaso)
Besides X-Ways, Log2Timeline (Plaso) is my go-to timeline analysis tool. A great workflow that I've recently been using processes collections with Log2Timeline and then automatically uploads the results to Timesketch for analysis. This workflow allows you to analyze multiple timelines in one interface, which can help speed up investigations involving multiple hosts.
7. Arsenal Image Mounter
Arsenal Image Mounter is the standard for mounting forensic images as far as I'm concerned. One workflow that seems to work well at finding malware is mounting an image with AIM and scanning its directories with AV (I know it's dumb, but it works). Another amazing feature this tool provides is the ability to boot a forensic image as a virtual machine so you can navigate the computer exactly as the user would see it (sticky notes they have on their desktop would be cool to find). Unfortunately, this feature is part of the paid version; however, I don't believe it is too expensive.
8. UAC (Unix-like Artifacts Collector)
To my knowledge, there aren't many tools outside of UAC, CyLR, and AutoLLR for performing Linux triage collections; of the three, UAC is the most frequently updated. This tool runs relatively fast depending on which command line arguments you have chosen (the bodyfile option can take a long time), and it gives you the ability to dump memory. If a bodyfile is generated during your UAC collection, it can be used to create a timeline by parsing it with a tool like mactime from The Sleuth Kit.
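An added example, not UAC or Sleuth Kit code, of what that mactime step actually does with a bodyfile: each file's four timestamps are collapsed into MACB-flagged rows and sorted into one timeline. The bodyfile lines are constructed, and a timestamp of 0 is treated as unknown and skipped, as mactime does.

```python
"""Turn a bodyfile (as UAC's bodyfile option writes) into a mactime-style
timeline. Added example, not UAC or The Sleuth Kit code; the bodyfile below
is constructed sample data."""
from datetime import datetime, timezone

# Constructed bodyfile in the TSK 3.x layout:
# MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
SAMPLE_BODYFILE = """\
0|/etc/passwd|1234|-rw-r--r--|0|0|1880|1687240000|1686000000|1686000000|0
0|/tmp/update.sh|5678|-rwxr-xr-x|1000|1000|512|1687250100|1687250100|1687250100|1687250100
0|/var/log/auth.log|91|-rw-r-----|0|43|20480|1687250000|1687250200|1687250200|1686500000
"""

def parse_bodyfile(text):
    """Yield one dict per bodyfile line; timestamps are epoch seconds."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != 11:
            raise ValueError(f"malformed bodyfile line: {line!r}")
        _md5, name, inode, mode, uid, gid, size, atime, mtime, ctime, crtime = parts
        yield {"name": name, "inode": inode, "mode": mode, "uid": uid, "gid": gid,
               "size": int(size),
               "times": {"m": int(mtime), "a": int(atime), "c": int(ctime), "b": int(crtime)}}

def build_timeline(entries):
    """One row per (file, distinct timestamp) with an MACB flag string, sorted by
    time, the way mactime presents it. A timestamp of 0 means unknown and is skipped."""
    rows = []
    for e in entries:
        by_ts = {}
        for flag, ts in e["times"].items():
            if ts != 0:
                by_ts.setdefault(ts, set()).add(flag)
        for ts, flags in by_ts.items():
            macb = "".join(f.upper() if f in flags else "." for f in "macb")
            rows.append((ts, macb, e["size"], e["mode"], e["uid"], e["gid"], e["inode"], e["name"]))
    rows.sort(key=lambda r: (r[0], r[7]))
    return rows

def format_row(row):
    ts, macb, size, mode, uid, gid, inode, name = row
    stamp = datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"{stamp} {macb} {size:>8} {mode} {uid} {gid} {inode} {name}"

if __name__ == "__main__":
    for row in build_timeline(parse_bodyfile(SAMPLE_BODYFILE)):
        print(format_row(row))
```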
9. Bulk Extractor
Bulk Extractor is not a tool that I use every day; however, in certain situations where I am deep-diving into a memory image, it does a fantastic job of producing readable output for analysis. One of my favorite use cases for this tool is extracting PCAPs out of memory, which can then be used to analyze C2 traffic or identify exploitation attempts.
10. Hayabusa
Finding evil in the endless pool of Windows event logs on any given system is an extremely daunting task for DFIR analysts; however, Hayabusa has made this endeavor a little bit easier! This tool uses Sigma rules to identify suspicious events and categorizes them by severity (Informational, Low, Medium, High, Critical). This can help bring your attention to something like a suspicious service being installed or encoded PowerShell commands being run.
Honorable mention: Chainsaw is another Sigma-based event-log analysis tool that also does a great job of locating evil within Windows event logs.
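To show the mechanism both Hayabusa and Chainsaw build on, here is an added, stripped-down Sigma-style matcher (not code from either project) that applies two rules, one for an encoded PowerShell command line and one for a newly installed service, to constructed event records and orders the hits by rule level:

```python
"""A minimal Sigma-style matcher that ranks Windows event hits by rule level, the
idea behind Hayabusa and Chainsaw. Added example, not code from either project;
rules are dicts with Sigma's YAML layout and the events are constructed."""
SEVERITY = ["informational", "low", "medium", "high", "critical"]
RULES = [  # two rules in Sigma's detection layout; values compare case-insensitively
    {"title": "Encoded PowerShell command line", "level": "high",
     "detection": {"selection": {"EventID": 4688,
                                 "NewProcessName|endswith": "\\powershell.exe",
                                 "CommandLine|contains": ["-enc ", "-encodedcommand"]},
                   "condition": "selection"}},
    {"title": "New service installed outside Windows directory", "level": "medium",
     "detection": {"selection": {"EventID": 7045},
                   "filter": {"ImagePath|contains": "\\windows\\"},
                   "condition": "selection and not filter"}},
]

# Constructed events (the fields Sigma rules key on, not full EVTX records)
SAMPLE_EVENTS = [
    {"EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -EncodedCommand BASE64_PLACEHOLDER"},
    {"EventID": 7045, "ServiceName": "UpdaterSvc", "ImagePath": "C:\\Users\\Public\\svc.exe"},
    {"EventID": 7045, "ServiceName": "Netlogon", "ImagePath": "C:\\Windows\\System32\\svchost.exe"},
    {"EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"},
]

def _match_field(event, key, expected):
    """Sigma field test: 'Field' (equals), 'Field|contains', 'Field|endswith';
    a list of values means any one may match."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    for want in (expected if isinstance(expected, list) else [expected]):
        want = str(want).lower()
        if (modifier == "" and actual == want) or (modifier == "contains" and want in actual) \
                or (modifier == "endswith" and actual.endswith(want)):
            return True
    return False

def rule_matches(rule, event):
    det = rule["detection"]
    sel = all(_match_field(event, k, v) for k, v in det["selection"].items())
    if det["condition"] == "selection":
        return sel
    if det["condition"] == "selection and not filter":
        return sel and not all(_match_field(event, k, v) for k, v in det["filter"].items())
    raise ValueError(f"unsupported condition: {det['condition']}")

def scan(events, rules=RULES):
    """Return (level, title, event) hits, most severe first."""
    hits = [(r["level"], r["title"], e) for e in events for r in rules if rule_matches(r, e)]
    return sorted(hits, key=lambda h: SEVERITY.index(h[0]), reverse=True)
```

The real tools support the full Sigma condition grammar and many more modifiers; this shows only the selection/filter pattern that most rules on installed services and encoded command lines use.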
Steven Petronio, GCFE, GNFA