Hi, I have a background in data recovery and am considering the shift to forensic analysis. So, I already have a set of tools for forensically sound cloning, file recovery and carving, text searching, and hex editors.
However, I need software to 1) reconstruct internet activity and 2) examine the registry in a forensically useful manner. Any recommendations outside the usual tools EnCase, FTK and ProDiscover (none of which I wish to purchase at this stage)?
Also, I have seen earlier posts on the problems with FTK2. Have AccessData managed to clean up their act on this one?
Thanks!
What constitutes a "forensically sound" examination of the Registry? I'd use RegRipper for the Registry.
Keydet89, I wrote 'forensically useful' not 'forensically sound' for the registry. I think the meaning is clear on that one.
Thanks for the rec on RegRipper. From what little I have seen, RegRipper seems to be highly regarded.
Hi stellar,
What do you mean by "reconstruct internet activity"?
From pcap file?
"Reconstructing the internet activity" can be tricky. If you don't have proxy logs I would recommend Mandiant Web Historian to reconstruct the index.dat file. This is however limited to how long the browser is set up to keep history.
What browsers are you looking at reconstructing? I have a program that will pull out data from FF3 and Google Chrome.
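As an added example (not MMachor's program, and not a tool anyone in this thread recommends), the following script shows the kind of extraction being discussed: it rebuilds a visit timeline from the SQLite history databases of Firefox (places.sqlite: moz_places joined to moz_historyvisits, visit times in microseconds since the Unix epoch) and Chrome (the file named History: urls joined to visits, visit times in microseconds since 1601-01-01, "WebKit time"). The two fixture databases are constructed in memory so it runs offline; the URLs, titles and timestamps in them are invented sample data, and the read-only opener is the assumed way you would point it at a copy of a real profile.

```python
"""Reconstruct a browsing timeline from Firefox and Chrome history databases.

Added illustration, not a tool from the thread. Run it as-is to see the
constructed fixtures merged into one timeline; for real evidence, work on a
copy of the profile file and open it with open_readonly().
"""
import sqlite3
from datetime import datetime, timezone, timedelta

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def firefox_ts(visit_date_us):
    """moz_historyvisits.visit_date is microseconds since the Unix epoch."""
    return UNIX_EPOCH + timedelta(microseconds=visit_date_us)


def chrome_ts(visit_time_us):
    """visits.visit_time is microseconds since 1601-01-01 UTC (WebKit time)."""
    return WEBKIT_EPOCH + timedelta(microseconds=visit_time_us)


def firefox_history(conn):
    """Return (utc_time, browser, url, title) for every Firefox visit."""
    rows = conn.execute(
        "SELECT v.visit_date, p.url, p.title FROM moz_historyvisits v "
        "JOIN moz_places p ON p.id = v.place_id")
    return [(firefox_ts(ts), "firefox", url, title or "") for ts, url, title in rows]


def chrome_history(conn):
    """Return (utc_time, browser, url, title) for every Chrome visit."""
    rows = conn.execute(
        "SELECT v.visit_time, u.url, u.title FROM visits v JOIN urls u ON u.id = v.url")
    return [(chrome_ts(ts), "chrome", url, title or "") for ts, url, title in rows]


def build_timeline(firefox_conn=None, chrome_conn=None):
    """Merge both browsers' visits into one list ordered by time."""
    events = []
    if firefox_conn is not None:
        events += firefox_history(firefox_conn)
    if chrome_conn is not None:
        events += chrome_history(chrome_conn)
    return sorted(events, key=lambda e: e[0])


def open_readonly(path):
    """Open a copied history file without letting SQLite write to it (assumed usage)."""
    return sqlite3.connect(f"file:{path}?mode=ro&immutable=1", uri=True)


def constructed_firefox_db():
    """In-memory places.sqlite look-alike with invented rows (constructed fixture)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, from_visit INTEGER,
            place_id INTEGER, visit_date INTEGER, visit_type INTEGER);
        INSERT INTO moz_places VALUES (1, 'http://example.test/login', 'Login');
        INSERT INTO moz_places VALUES (2, 'http://example.test/report.pdf', NULL);
        -- 2021-03-04 12:00:00 UTC and one minute later, in microseconds
        INSERT INTO moz_historyvisits VALUES (1, 0, 1, 1614859200000000, 1);
        INSERT INTO moz_historyvisits VALUES (2, 1, 2, 1614859260000000, 1);
    """)
    return conn


def constructed_chrome_db():
    """In-memory Chrome History look-alike with invented rows (constructed fixture)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
            visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
            from_visit INTEGER, transition INTEGER);
        -- 2021-03-04 12:30:00 UTC expressed as WebKit microseconds
        INSERT INTO urls VALUES (1, 'http://example.test/download', 'Downloads', 1,
            13259334600000000);
        INSERT INTO visits VALUES (1, 1, 13259334600000000, 0, 805306368);
    """)
    return conn


if __name__ == "__main__":
    for when, browser, url, title in build_timeline(constructed_firefox_db(),
                                                     constructed_chrome_db()):
        print(f"{when.isoformat()}  {browser:8}  {url}  {title}")
```

The epoch conversion is the part that most often goes wrong when reconstructing history by hand: Chrome's counter starts in 1601, so a Chrome value fed through the Firefox conversion lands centuries in the future. Note also that both queries only see rows still present in the live tables; visits the browser has expired under its retention setting, as sPARx mentions, are not in those tables and need carving or other recovery.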
Keydet89, I wrote 'forensically useful' not 'forensically sound' for the registry. I think the meaning is clear on that one.
Not really. What one person finds "forensically useful" someone else might not. Case in point: for a while I had someone asking me to write a plugin that mapped info in the Enum\USB key to "other" information in the Registry, yet they could not articulate the usefulness or need.
For me, what is "forensically useful" depends upon the nature of the examination.
Hi guys, to answer your responses:
sigu, from the cached and history files on the user's computer, deleted or otherwise. (I'm sorry, but I don't know what pcap files are, so I did a quick read on Wikipedia, and it's probably not pcap that I'll look at.)
sPARx, thanks, I have had a look at Mandiant, which seems to be a good choice (and free?). I also found NetAnalysis and AntlerTek History Analyser, both at a reasonable price.
MMachor, I guess at this point the common browsers IE and Firefox, although Chrome too if/when it becomes popular. Is your program something you have developed yourself?
Keydet89, yes really.
However, I need software to 1) reconstruct internet activity and 2) examine the registry in a forensically useful manner.
For internet activity analysis you can use
For Registry analysis you can give
Both applications support English (GUI and output).