What “they” tell you about Digital Forensics Tools.

Sometimes I plan on one kind of a lab, but then realize I have a huge knowledge gap, and the lab evolves into a completely different topic. While I was going to create a new VM with a set of basic tools that I can use on it (free, simple, nothing fancy), I realized a couple of things:

  1. What ARE some basic tools that I might want to port into that VM?
  2. Where’s the safe place to get them?

Here are some truths that I learned about digital forensic tools:

  • Most have a steep learning curve. Knowing the foundational stuff will help a lot when trying out a new tool.
  • You may have to research the tool, the developer, and how it performs before installing it.
  • You must know how to use the terminal (Windows and Linux), commands and navigation, because a lot of great tools have no GUI. This is your life now: you live in CLI.
  • Understand what you’re trying to do and make sure the tool you’re using ACTUALLY does that thing and does it correctly.
  • Understand how it does the thing you’re trying to do (so you know whether it makes sense to use it). No, I don’t mean understand the code (although that’s something I wish I knew), but at least understand what it’s looking for, how it’s parsing it, and what the output is supposed to look like.
  • You’ll probably spend more time learning how to use the tool and what the settings are than using it. At first, at least.
  • It involves RTFM. Sorry, but that’s your life now. You will be reading a lot of manuals. There’s no way around it. And no, don’t feed it to your ChatGPT to summarize it, you need to know the dirty details.
  • You’ll have to learn how to use GitHub. Yes, I know. When I opened it for the first time, I just stared at the page…and closed the browser tab.
  • You’ll be spending a long time learning how to use them correctly, reading the settings, checking the manual, then probably googling “what does this setting actually mean??”.
  • It’ll be frustrating, infuriating, and demoralizing when you first start. Veterans in the field will be tossing out tool names casually and you’ll always wonder if you’re being trolled or if there really IS a tool named CyberChef (there IS, it’s excellent, let him cook!).
  • You’ll become a little paranoid about downloading anything from anywhere. You’ll find yourself hashing installer files and searching for them on VirusTotal.com (lab incoming). It’s fine. You’re evolving. You’re learning the value of “checking it twice”.
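The “hash it and check it twice” habit from the last bullet, as an added example (not code from the post): it assumes the tool’s author publishes a SHA256SUMS-style text file (one `<hex digest>  <filename>` line per file, the format `sha256sum` writes) next to the download. The file names, contents and hashes in `demo()` are constructed for illustration; the one real value is the well-known SHA-256 test vector for the bytes `abc`.

```python
"""Verify a downloaded installer against a vendor-published SHA256SUMS file.

Added example, not from the blog post. Assumes the vendor publishes a
SHA256SUMS-style text file: one '<hex digest>  <filename>' entry per line.
The sample files and hashes in demo() are constructed for illustration.
"""
import hashlib
import hmac
import os
import tempfile


def sha256_of_file(path, chunk_size=1024 * 1024):
    """Hash a file in chunks so a multi-GB installer never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sha256sums(text):
    """Parse '<hex>  <name>' lines (sha256sum format; a leading '*' marks binary mode)."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed SHA-256 entry: {raw!r}")
        expected[name] = digest
    return expected


def verify_download(path, sums_text):
    """Return (ok, detail); ok is True only when the file's hash matches its entry."""
    expected = parse_sha256sums(sums_text)
    name = os.path.basename(path)
    if name not in expected:
        # A missing entry is a failure, not a pass: nothing vouches for this file.
        return False, f"no published hash for {name}"
    actual = sha256_of_file(path)
    # compare_digest does a length-constant comparison instead of bailing at the first mismatch
    return hmac.compare_digest(actual, expected[name]), actual


# Constructed sample: SHA-256 of the bytes b"abc" is a standard test vector.
SHA256_ABC = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


def demo():
    """Write three constructed 'installers' to a temp dir and verify each one."""
    sums_text = (
        "# constructed SHA256SUMS for the demo\n"
        f"{SHA256_ABC}  good-setup.exe\n"
        f"{SHA256_ABC} *tampered-setup.exe\n"
    )
    samples = {
        "good-setup.exe": b"abc",       # matches its published hash
        "tampered-setup.exe": b"abcd",  # one byte appended: must fail
        "unlisted-setup.exe": b"abc",   # no published hash at all: must fail
    }
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, content in samples.items():
            path = os.path.join(d, name)
            with open(path, "wb") as f:
                f.write(content)
            ok, detail = verify_download(path, sums_text)
            results[name] = ok
            print(f"{name}: {'OK' if ok else 'FAIL'} ({detail})")
    return results


if __name__ == "__main__":
    demo()
```

Run it as a script and it prints one line per sample; only `good-setup.exe` passes. A file with no published hash is treated as a failure on purpose: the absence of an entry tells you nothing about the download, and “unknown” should never silently become “fine”.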

It’ll be a pain in the toad’s rear to learn the tools, how to use them, where to get them, what could go wrong. But when something “clicks”, there’s no other feeling quite like it. The day I got Microsoft’s Attack Surface Analyzer 1.0 working (no, not the current 2.0 version, but the original one), it felt incredible. It did “the thing” and the thing made sense (somewhat). Reading and understanding the results is a new learning cliff that you’ll be climbing.

So, here’s my list of where you can find various digital forensic tools and information about them. Also, when in doubt – ask the cyber community (Discord or Reddit).

https://aboutdfir.com/ – Their Tools section is still growing, but they have a ton of other excellent resources and blogs.

https://www.nirsoft.net/ – One man, over 20 years worth of tools and nonstop blogs. I’m humbled. Please donate, friends.

https://www.sans.org/tools – SANS got you covered.

https://ericzimmerman.github.io/#!index.md – The OG.

https://toolcatalog.nist.gov/index.php – A nice list by tool taxonomy. No, it doesn’t mean they’re all tested. It’s a catalog. If you’re interested in tool testing, check out: The Computer Forensics Tool Testing Program

https://www.sleuthkit.org/ – Brian Carrier’s tools (also check out CyberTriage AND the free cyber training webinars on his other website).

https://digitalcorpora.org/ – a library of disk images, files, network dumps, and scenarios to practice with.

https://www.magnetforensics.com/resources/magnet-ram-capture/ – Free RAM capture tool for Windows

https://www.sans.org/posters – A library of cheat sheets and posters to keep handy, so you’re not completely lost in a lab.

https://github.com/cugu/awesome-forensics?tab=readme-ov-file – again, you’re going to have to learn GitHub. It’s fine.