Forensics on a budget.

(@renx215)
Active Member
Joined: 15 years ago
Posts: 9
Topic starter  

I understand, it is a matter of building your own tool kit of mostly free tools or paying for the luxury of a suite that may or may not suit my needs.

jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

> I understand, it is a matter of building your own tool kit of mostly free tools or paying for the luxury of a suite that may or may not suit my needs.

And/or going midway, they are not absolute "this or that".

But you said you were focused on Data Recovery, not on actual forensics.

I mean, X-Ways is commercial; the "full" Investigator or Forensics editions are not exactly cheap
http://www.x-ways.net/order.html
but WinHex Specialist is IMHO affordable.

As well (still about Data Recovery), DMDE is commercial, but the price is very low, and the freeware version is not crippled at all, so you can practise before spending the money for a Professional license
http://dmde.com/editions.html

jaclaz

(@renx215)
Active Member
Joined: 15 years ago
Posts: 9
Topic starter  

> I understand, it is a matter of building your own tool kit of mostly free tools or paying for the luxury of a suite that may or may not suit my needs.
>
> And/or going midway, they are not absolute "this or that".
>
> But you said you were focused on Data Recovery, not on actual forensics.
>
> I mean, X-Ways is commercial; the "full" Investigator or Forensics editions are not exactly cheap
> http://www.x-ways.net/order.html
> but WinHex Specialist is IMHO affordable.
>
> As well (still about Data Recovery), DMDE is commercial, but the price is very low, and the freeware version is not crippled at all, so you can practise before spending the money for a Professional license
> http://dmde.com/editions.html
> jaclaz

My interest is forensics. My point was that data recovery is a valuable skill for many reasons.

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

> So my question, Community: is it better to bite the bullet and fully embrace Linux due to the suite of free tools? Or are any of the packages I mentioned above worthwhile? I really want to learn more, but dropping 2-3 grand on EC-Council or InfoSec is out of the question. I am currently testing in a VMBox.
>
> Suggestions, advice, encouragement and discouragement are all welcome =)

There is nothing at all wrong with embracing Linux…if that's the direction you want to go, I fully endorse doing so.

As far as suggestions go, to what end? What is your goal?

If you want to become better/more capable at analyzing Windows systems, start by going to the DFIR tools site and looking at any of the sites that offer challenges, particularly those that include images (system images, memory dumps, etc.). _How_ the image is collected isn't the issue…there are a lot of ways to do this; imaging a drive via a write blocker, live image, VM, etc. The key to the challenge is to develop your own analysis process.

Do you _need_ a suite of tools? Well, the question really is, to do what? Look for solutions to addressing different problems. The vast majority of the analysis that I've done of late starts with opening an image in FTK Imager and extracting files, which I then parse into a timeline.

Some good sources of information on Windows systems artifacts are "Windows Forensic Analysis", 3rd and 4th editions. No, I'm not suggesting that you purchase the books…if you can find them at a library, that would suffice.

There's a lot of really good information on analyzing memory images using Volatility; a great way to do this is to dump the memory (or hibernation file) from your own system, or download one of the available images.

There are a lot of fantastic resources available, but what I've found to be the key is to start with a small, achievable goal.

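The "extract files, then parse into a timeline" step above is the classic bodyfile-to-mactime workflow from The Sleuth Kit. The script below is an added example written for this thread, not code from the poster or from TSK: it parses TSK-style bodyfile lines (the format `fls -m` emits and `mactime` consumes; the two sample lines are constructed for the example) and collapses each file's M/A/C/B timestamps into one event per instant, so coinciding timestamps show up as a single `m.c.`-style line rather than several rows.

```python
"""Build a mactime-style timeline from file metadata extracted out of an image.

Added example (not from the thread). It assumes file metadata has already
been exported from the image as TSK 3.x bodyfile lines and reproduces the
bodyfile -> mactime step: every file contributes up to four events
(M, A, C, B); events for the same file at the same second are merged into
one line whose MACB column marks which timestamps coincide.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable

# TSK 3.x bodyfile column order; timestamps are epoch seconds (UTC).
BODYFILE_FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size",
                   "atime", "mtime", "ctime", "crtime")

# Constructed sample input: a user document and a Prefetch file.
SAMPLE_BODYFILE = [
    "0|/Users/alice/Documents/report.docx|1234|r/rrwxrwxrwx|0|0|20480"
    "|1700000600|1700000000|1700000000|1699999000",
    "0|/Windows/Prefetch/NOTEPAD.EXE-ABCDEF12.pf|5678|r/rrwxrwxrwx|0|0|8192"
    "|1700000300|1700000300|1700000300|1700000300",
]


@dataclass(frozen=True)
class TimelineEvent:
    when: int    # epoch seconds, UTC
    macb: str    # e.g. "m.c." -> which of M/A/C/B fired at this instant
    size: int
    name: str


def parse_bodyfile(lines: Iterable[str]) -> list[dict]:
    """Parse pipe-delimited bodyfile lines into dicts, rejecting malformed rows."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != len(BODYFILE_FIELDS):
            raise ValueError(f"expected {len(BODYFILE_FIELDS)} fields, "
                             f"got {len(parts)}: {line!r}")
        rec = dict(zip(BODYFILE_FIELDS, parts))
        for key in ("size", "atime", "mtime", "ctime", "crtime"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def build_timeline(records: list[dict]) -> list[TimelineEvent]:
    """One event per (timestamp, file), mactime-style.

    A zero timestamp means "not set" (TSK's convention) and is skipped, so a
    file system without creation times does not produce bogus 1970 rows.
    """
    buckets: dict[tuple[int, str], set[str]] = {}
    sizes: dict[str, int] = {}
    for rec in records:
        sizes[rec["name"]] = rec["size"]
        for flag, key in (("m", "mtime"), ("a", "atime"),
                          ("c", "ctime"), ("b", "crtime")):
            ts = rec[key]
            if ts == 0:
                continue
            buckets.setdefault((ts, rec["name"]), set()).add(flag)

    events = []
    for (ts, name), flags in buckets.items():
        macb = "".join(f if f in flags else "." for f in "macb")
        events.append(TimelineEvent(ts, macb, sizes[name], name))
    # Sort by time, then path, so the output is deterministic.
    events.sort(key=lambda e: (e.when, e.name))
    return events


def render(events: list[TimelineEvent]) -> list[str]:
    """Format events as ISO-8601 UTC lines, one per event."""
    out = []
    for e in events:
        iso = datetime.fromtimestamp(e.when, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        out.append(f"{iso} {e.size:>10} {e.macb} {e.name}")
    return out


if __name__ == "__main__":
    for line in render(build_timeline(parse_bodyfile(SAMPLE_BODYFILE))):
        print(line)
```

Run against a real `fls -m / image.dd` output by passing the file's lines to `parse_bodyfile`. The merge step matters for reading: a row flagged `m.c.` with a later `.a..` row for the same file is the normal signature of a file written once and read later, while `macb` on a Prefetch entry shows the four timestamps coinciding as they do on first creation.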
(@chrism)
Trusted Member
Joined: 16 years ago
Posts: 97
 

SIFT + Autopsy / TSK = 99% of the way there. There is no need for overly expensive tools that usually do a worse job than the open-source ones. It takes as long to learn how to use the open-source tools as it does the commercial ones.

For data recovery I would first use bulk_extractor for some of the automated stuff (https://github.com/simsong/bulk_extractor), and then scalpel for more specific files you want to recover (https://github.com/sleuthkit/scalpel).

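To make concrete what scalpel does when it recovers "specific files", here is a minimal header/footer carver, added as an example for this thread (it is not scalpel's code, and the image bytes are constructed in the script rather than taken from a real disk). It walks a raw byte buffer for known magic values, cuts each hit at its footer, and caps the carve at a maximum size so that a file whose footer was overwritten is reported as incomplete instead of swallowing the rest of the image.

```python
"""Signature-based file carving in the spirit of scalpel/foremost.

Added example, not code from the thread or from the scalpel project.
Input is any raw byte buffer (an unallocated-space dump, a whole image);
output is the list of carved files with their offsets.
"""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class Signature:
    ext: str
    header: bytes
    footer: bytes      # b"" means no footer: carve max_size bytes
    max_size: int
    footer_inclusive: bool = True


# The same kind of entries a scalpel.conf holds (two well-known formats).
SIGNATURES = [
    Signature("jpg", b"\xff\xd8\xff", b"\xff\xd9", 2_000_000),
    # A PNG ends with the IEND chunk followed by its fixed CRC.
    Signature("png", b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82", 5_000_000),
]


@dataclass(frozen=True)
class Carved:
    ext: str
    offset: int
    data: bytes
    complete: bool     # False when no footer was found within max_size


def carve(image: bytes, signatures=SIGNATURES) -> list[Carved]:
    """Return every header hit, cut at its footer or at the size cap."""
    results: list[Carved] = []
    for sig in signatures:
        pos = 0
        while True:
            start = image.find(sig.header, pos)
            if start == -1:
                break
            window_end = min(len(image), start + sig.max_size)
            end = -1
            if sig.footer:
                idx = image.find(sig.footer, start + len(sig.header), window_end)
                if idx != -1:
                    end = idx + len(sig.footer) if sig.footer_inclusive else idx
            if end == -1:
                # No footer inside the window: keep what is there, flag it,
                # and resume just past the header (it may be a false positive).
                results.append(Carved(sig.ext, start, image[start:window_end], False))
                pos = start + len(sig.header)
            else:
                results.append(Carved(sig.ext, start, image[start:end], True))
                pos = end   # skip the body; embedded thumbnails are not re-carved
    results.sort(key=lambda c: c.offset)
    return results


def write_carved(results: list[Carved], outdir: Path) -> list[Path]:
    """Write each carve as <offset>.<ext>, scalpel-style naming."""
    outdir.mkdir(parents=True, exist_ok=True)
    paths = []
    for c in results:
        p = outdir / f"{c.offset:012d}.{c.ext}"
        p.write_bytes(c.data)
        paths.append(p)
    return paths


def constructed_image() -> bytes:
    """Constructed test buffer: zero filler, a JPEG, a PNG, a JPEG with no footer."""
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-body-bytes" * 3 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR-and-IDAT-bytes" + b"IEND\xae\x42\x60\x82"
    truncated = b"\xff\xd8\xff\xe1" + b"Exif-body-with-no-footer"
    return (b"\x00" * 64 + jpeg + b"\x00" * 32 + png
            + b"\x00" * 16 + truncated + b"\x00" * 8)


if __name__ == "__main__":
    for c in carve(constructed_image()):
        state = "complete" if c.complete else "TRUNCATED"
        print(f"{c.offset:8d}  {c.ext}  {len(c.data):6d} bytes  {state}")
```

For a real case, replace `constructed_image()` with `Path("unalloc.dd").read_bytes()` (or read the image in chunks with an overlap of the longest signature). The `complete` flag is the part worth keeping an eye on: a carve that hit the size cap is either a damaged file or a header that occurred inside unrelated data, and both cases deserve a look before the recovered file is trusted.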