Digital forensic tool demos - GRR, L2T Review, libvshadow, libevtx & TAPEWORM
17 Oct 2012
I was lucky enough to attend the Open Source Digital Forensic conference last month and had the chance to see a bunch of new tools being released. So I invited some of the authors to come and share them with us on DFIROnline.
Dave Nides - l2t Review - https://github.com/log2timeline/plaso
Dave has been slaving away on l2t Review for the past year or so. It is a really cool looking visualization tool for timelines. This is something that the world (well the world of DFIR at least) has been desperate for for many years. Check out his blog if you are not familiar with the project.
Joachim Metz - libyal - https://github.com/libyal/libyal/wiki/Overview
Anyone who has used linux as a forensics platform would have used one of Joachim's tools, most likely libewf, however you probably do not realize just how much he has contributed. Joachim has released so many libraries that google thought he was a bot and blocked his account for a bit! He has now created a new repository for all his efforts, Yet Another Library (libyal). For this session he will be demoing libvshadow and libevtx and giving an overview of some of his other projects.
Darren Bilby - GRR - https://github.com/google/grr
I first heard about GRR at DFRWS last year, it sounded like a great tool then and I am excited to see it is now in alpha testing. GRR has been developed by a bunch of googlers to manage their internal incident response. It works by installing a small agent on client systems which collect and send data back to the management/analysis system. You can read more about it on the site, but this looks like a really powerful tool. (Darren also gets extra awesomeness points for joining in from Zurich where it was the middle of the night).
Mike Wilkinson - TAPEWORM - https://github.com/mantarayforensics/mantaray
TAPEWORM is a joint project between the Leahy Center for Digital Investigation at Champlain College and TASC. It is the brainchild of Doug Koster and aims to automate the preprocessing of a hard drive image. It automates the execution of a number of open source tools, including volatility, log2timeline, the sleuthkit, regripper, exitfool and includes a "find the evidence" function that will find files of interest to the investigation.
Harlan Carvey was to demo his forensic scanner, which is another really nice piece of kit. Unfortunately he had to miss this one due to another commitment. Hopefully he will be able to demo it next year. In the meantime you should check it out: http://code.google.com/p/forensicscan...