So this is a little later than I thought I would post this, but life gets in the way! This is something very near and dear to me for a specific reason: my mentor was extremely anti-GUI software. Not because he didn’t understand (although he was about as G-Man as you could imagine), but because he felt that to really understand the data, you needed to get into the weeds. Most vendor software out there was not letting the examiner/analyst/investigator (whatever you wanna call ourselves!) really cull the data in a way that allowed us to understand it on its own terms. I found this out the fun way while doing my GCFA gold paper. Many tools were only reporting the $STANDARD_INFO attribute and not even showing us the $FILE_NAME one. That last attribute carries its own set of timestamps, according to Brian Carrier and many other people who are much smarter than me. Those are extremely important to those of us who may deal with cases of timestomping. Why? Well, that timestamp “may” not be changed and can still reflect the actual timestamps, at least for Creation. That is HUGE if a person were to roll back the time.
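To make the $STANDARD_INFO versus $FILE_NAME point concrete, here is a small added example (my own illustration, not code from the post or from any vendor tool) that reads MFT timestamps from a simplified CSV layout I made up for this purpose and flags records where the $STANDARD_INFO creation time has been rolled back before the $FILE_NAME creation time, or has a suspiciously all-zero sub-second part; both are indicators to review, not proof of tampering.

```python
"""Flag MFT records whose $STANDARD_INFO timestamps look rolled back,
using the $FILE_NAME timestamps as the reference the post describes."""
import csv
import io
from datetime import datetime

# Constructed sample in a simplified CSV layout assumed for this example
# (columns named after the two attributes, not any real tool's export).
SAMPLE_CSV = """\
path,si_created,si_modified,fn_created,fn_modified
C:\\Users\\alice\\report.docx,2023-05-02 10:15:22.1234567,2023-05-02 10:20:01.0012345,2023-05-02 10:15:22.1234567,2023-05-02 10:15:22.1234567
C:\\Windows\\Temp\\svc.exe,2015-01-01 00:00:00.0000000,2015-01-01 00:00:00.0000000,2023-06-11 03:42:17.9876543,2023-06-11 03:42:17.9876543
C:\\Users\\alice\\notes.txt,2021-03-09 08:00:00.0000000,2021-03-09 08:00:00.0000000,2021-03-09 08:00:00.0000000,2021-03-09 08:00:00.0000000
"""

def parse_ts(text):
    """Parse 'YYYY-MM-DD HH:MM:SS.fffffff' (seven digits = 100 ns NTFS ticks).
    Returns (datetime to the second, 100 ns fraction as an int)."""
    base, frac = text.split(".")
    return datetime.strptime(base, "%Y-%m-%d %H:%M:%S"), int(frac.ljust(7, "0"))

def timestomp_indicators(row):
    """Return the reasons a record looks timestomped (empty list if clean)."""
    reasons = []
    si_created, si_frac = parse_ts(row["si_created"])
    fn_created, _ = parse_ts(row["fn_created"])
    # $FILE_NAME creation normally matches or precedes $STANDARD_INFO creation;
    # an $SI creation earlier than $FN creation is the classic rollback sign.
    if si_created < fn_created:
        reasons.append("si_created_before_fn_created")
    # Timestamps set through user-mode APIs often land on whole seconds
    # (all-zero 100 ns fraction); this is a weaker hint that needs corroboration.
    if si_frac == 0:
        reasons.append("si_created_zero_subsecond")
    return reasons

def scan(csv_text):
    """Map each flagged path to its list of indicators."""
    flagged = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = timestomp_indicators(row)
        if reasons:
            flagged[row["path"]] = reasons
    return flagged

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_CSV).items():
        print(path, ", ".join(reasons))
```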
Now, my caveat. This is not a bash at any software vendor out there. In fact, I have always advocated for using many of those vendors for the quick triage, or if you are going to be giving the case over for someone to review. They won’t know what they may be looking at if you just dump out CLI information to them, depending on the information.
A little about me quickly as well. When I first got into forensics, I really didn’t know too much. My first Masters didn’t really hit on a lot of things I would consider to be enlightening. We were not knee deep into any type of software. So when I first got started, command line really intimidated me. And remember, my mentor was very command line savvy.
So where am I now? I could almost do everything in command line for a DFIR case at this point. I will send the shout outs at the end of the blog w/ links to those I do endorse as great folks to do business with along with learn from.
Here is the reason for the change. Many of the best tools in my experience have been Open Source material. Yes, AccessData and X-Ways are amazing when it comes to just pushing a button and letting the software do the work for ya. But it is a completely different realm when you can roll your sleeves up and do it all from a command line prompt and either get the same results, or maybe even more. For example, Eric Zimmerman, who is a SANS Instructor and a fellow mentor of mine, has designed some of the most comprehensive tools out there, in my opinion, for Windows analysis. And they are free. I’ve yet to honestly see a tool that will do what his tools do.
This is how you can save THOUSANDS of dollars in your office. And if I were to talk about one vendor that will charge ya, but is worth it: it is TZWorks. I will not post photos up of the results of that tool because I have not checked with them in advance for permission, but I can attest to their accuracy and speed. They are great and very responsive to your requests.
And it goes without saying that the SANS SIFT is the bee’s knees. If you have not taken FOR508, you should! I don’t even care if you take the cert or not. But you’ll learn so much about what you can do in that VM environment that you could justify your training just by removing some of the software tools you’re relying on now. Not to mention that while FOR526 and FOR572 have some tweaks to that environment, it is all still pretty much the same at its core.
But here is the whole premise of this post: you don’t need to rely on some fancy GUI tool to do your job. We, as forensic folks, need to be able to understand what we are looking at. Things like EXIFTOOL will tell you more about metadata than almost any other tool I’ve ever seen. Yet it’s free. The issue is that it feels like folks are afraid to use options to get the desired function. As such, I’ll most likely start with Eric’s tools and work down…but my goal is to help everyone feel much more comfortable as they walk around in command line. I assure you, it is not nearly as scary as you think it is. And my hope is, by the end of the year EVERYONE who reads this is using command line to do their investigations.
I forgot to get the list in here of folks I owe a lot to for my command line affection! Because some of these folks are not actively blogging, I’ve elected to add their twitter handles instead. These folks I consider integral in my ability to learn command line, either through their own tools or through explanation of methods that can be done via commands that are much faster or cleaner than GUI interfaces: