You may want to pay attention to Arsenal Recon

You may want to pay attention to Arsenal Recon

There are some forensic apps that come out and you just know that they will become an integral part of most everyone’s forensic tool kit over time (sometimes right away).

I have seen this with several tools over the years in the broad spectrum of DFIR, but in particular where digital forensics is concerned, I have seen several single-purpose, small tools come out and become major players in the field, with a few of the small tools evolving into full-fledged forensic suites.

Short version: Arsenal’s tools are a must-have in a forensic analyst’s toolbox.

Plus, if you want a chance to win the tools, enter your info in the following form. Drawing is on Nov 29 and you don’t have to be present to win (you do have to answer your email to claim the win on the day of the drawing, otherwise, failure to answer the winning email means the win goes to the runner up!

Drawing is closed.

What if you don't win?

Check back at dfir.training for a discount code for 20% off your license purchase of Arsenal's tools. This discount is a little different because you can apply it to any length of subscription, meaning, if you choose a longer subscription, it's 20% off the entire subscription. In other words, you can take 20% off a year and then full price for additional years, or 20% off all the years if you buy a longer subscription.

You can also search for how often Arsenal gives discounts and you most likely won't find much...at all.  As in, this is a rare opportunity to get 20% off.

That is what I see happening with Arsenal’s tools.

There is no way to do justice in talking about the details of Arsenal’s forensic tools.  Just the Image Mounter alone has a ton of features with some of those features being totally awesome. Mounting volume shadow copies, booting images into virtual machines, and bypassing Windows’ passwords are simply cool features in a solid forensic tool.  Both Hibernation Recon and Registry Recon fare just as good in their respective features.  The reconstruction of active memory is just plain cool with Hibernation Recon.

About yet another registry tool, Registry Recon is not, as in, it is not just another registry tool.  It is a full-fledged registry analysis tool in its own right and like both Image Mounter and Hibernation Recon, a great addition to a forensic toolbox.

Forensic tool sweet spots

I’m not a software developer, nor work for a software company. But based on my experience as a long-time forensic software consumer, I have noticed that there is a sweet spot of forensic tool development. Some of the sweet spots last longer than others, but generally, there is a time period of catching a tool at a time where the responsiveness of the developer, functionality of the tool, and usefulness are at its best. Some tools grow extraordinarily huge as companies with support failing to keep up or features not growing with the needs of the community. I love the sweet spots of the tools that do so much with development standing behind it with new features released regularly. Arsenal Recon is there now.

Sometimes, companies grow in size and customers while maintaining their “small” beginnings in terms of support, improvement, and responsiveness to the needs of its users. These are the tools that your support email is answered in the same day, or maybe minutes after sending it. Other times, it doesn’t work out that well where you can have a great tool with great support at a great price.

My toolbox

Here’s how I judge which tools stay in my toolbox: I renew their licenses .

That’s it. Tools that I use, I keep current. I keep the maintenance current. I rarely question if I have the latest update because I constantly use the tools and keep updates current.

Tools that I stop using for any reason, gradually are removed from my list. I don’t renew them, update them, or think about them once they fall to the side in favor of a better* tool. As of now, Arsenal’s tools are in the top shelf of my toolbox, along with a few others that are constantly and consistently used.

Tools that I don’t use

There are a ton of tools that I don’t use. Mostly because there are so many forensic applications, and with the massive number of IR and ediscovery tools, it is physically impossible for me to use or need them all. On top of that, I don’t do every job in forensics or incident response or ediscovery.  For that, I don’t touch a lot of tools and don’t have much to comment unless I get my hands on something to test and use.

Other tools that I don’t use are those that don’t work. These are the tools that a marketing flyer brags about what the tool does, but after testing or using, finding out that the marketing wasn’t exactly correct. I don’t talk about those tools much because I hope that they get better, and occasionally give them another try to check on development.

Check out Arsenal

Forensic software developers that maintain a blog or news release  generally make my list of checking out. Arsenal is one ( https://arsenalrecon.com/insights) where it’s not commercials, but actual “how to” tutorials in forensics, like launching virtual machines from BitLockered disk images . Yes, there is a blog post on doing that .

I’m giving away Arsenal’s tools to one winner, but that doesn’t mean you should neglect checking out the tools to see if any of your needs. I can say that if you do forensics, Arsenal’s tools will not only save you time, but also do some things that other tools just can’t do. That in itself is pretty cool and a good reason to take a look.

https://arsenalrecon.com/products/

 

*better as in, better for me.

Written by :Brett Shavers