The Best DFIR tools

I visited a DFIR shop and as I was leaving, I asked one of the most experienced examiners in the shop, “ Hey, how do you like *x* tool new functions ?” and the answer was “ Never heard of *x* tool .”  For me, I use *x* tool often and assumed that everyone else does, or at least knows about it.  I was wrong. (I am not naming the *x*, but it can apply to any tool you use).  If you don’t know that a tool exists, you are not going to use it.

The DFIR.training tool database

My opinion is that looking for a DFIR tool that does a specific thing that you need for a specific analysis is either easy or impossible, depending on how you look at it.  If you only use the major name brands, you have an easy choice (because you only want to use a major name brand for everything).  If you are looking for a very specific tool to do a very specific thing, you may have no choice because of being unable to find it.  So, the DFIR.training tool list contains a lot, because maybe that one little tool you need might be there, sitting under the category you are looking.

Top 10 Lists

Often times, I find online lists of forensic software that are ‘best’ for your lab. You don’t have to look far to find lists that are something to the effect of the top ten free tools or the ten tools that you must have in your forensic toolbox. You can find suggestions, opinions, and even detailed scientific methods on how to choose a forensic tool.

Some warnings on pre-defined tool lists.

-They are not personalized to you. Others created the lists, based on their opinion and needs, or what they think you need.

-Lists are limited. A list with “The Top 10..” may not fit your needs, but maybe #11 would, if it were on the list.  Maybe #33 would be #1 for your needs, but #33 won’t be on someone else’s Top 10 list.

-Lists can be irrelevant. How can you compare RegRipper with EnCase on the same list?  Dissimilar tools compared with each other makes for an irrelevant list, but it is common to see.

When I see a list, I only look to see if there is a tool that I never heard of before, not that I accept it to be put on my personal Top 10 list because someone else says it should be.

Marketing

If you don’t know that a tool exists, you won’t ever use it, even if it would be perfect for your needs. I have found some gold in Github on more than one occasion, simply by searching Github in hopes of finding something that I need but can’t find elsewhere.  This takes a lot of time, but you can’t expect that a tool on Github has a marketing budget to get the word out.  You have to search for it..if you have time.

Commercial companies have marketing budgets and marketing operations. If they did not market their products, few would ever hear about them, fewer would purchase them, and eventually that company closes down.  This is a loss for everyone.  Word of mouth only goes so far.  Consider that I found a few tools in Github that could be huge commercial successes, but without substantial marketing, won’t make it into mainstream DFIR. Can you imagine if no commercial tool was ever marketed?  Where would you be right now with your tools if there was no marketing?

The Menu Method of Finding the Best DFIR Tool

Rather than a scientific method, or picking from a pre-defined list, I look at DFIR tools like I look at a menu.  If I am looking for breakfast, I look first at the breakfast menu for something that I may want.  Sometimes, I might choose from the lunch menu for breakfast because the lunch menu is what I want at that particular time.  The menu is simply an offering of things from which to choose.  Just as one food can be served at breakfast or dinner, one DFIR tool can be used for collection or analysis.  The menu is simply a guide.

If a particular menu doesn’t have what I want, I go to another restaurant and look at a different menu.  And if none of the menus have what I want, I have to learn to cook it myself.  The menu options in DFIR are your categories.  Some tools fit neatly in one category, others fit in several categories.

Your Top 10 DFIR Tool List

Looking for DFIR tools work the same way as deciding what to eat for lunch.  You consider your wants and needs to make a decision.  I am sure that you don’t decide what you want for lunch for the rest of the year.  You probably make a different decision, or at least go through the same decision-making process every day, because every day is different.

DFIR tool selection works the same.  Every case is like deciding what to eat for your next meal.  What kind of case is it? What do I need to do with the case?  What tools will best do that job in the case? Which tools do I prefer and do these tools match with the best tools for the job?  Unless you are tied to a specific tool for some reason, the choice is yours to make and not someone else’s.

Written by :Brett Shavers