As a cyber security professional, you will be tasked with creating and maintaining your company’s incident response plan. This includes understanding how to apply digital forensics on the fly. You need to be prepared for any type of scenario by building out your forensics toolkit. This should contain everything you need to document, isolate, copy and drill down into anything that may need to be reported on later.
The best digital forensics toolkit is one made by professionals for professionals. SANS Institute wrote the book on cyber security, so why wouldn’t you have their forensics tool in your arsenal? Some of the key features you can expect from SIFT include a VMware-ready application, cross-compatibility between Linux and Windows, and automatic DFIR package updates. SIFT covers tasks like timelining system logs, carving data files and even recovering Recycle Bin contents.
Volatility provides cyber security professionals with a benchmark framework for analysing RAM on a computer. With the discovery of malware that lives in and exploits RAM, the industry was forced to create a way to safeguard against it. This framework provides you with all the checks and balances used by law enforcement and military investigators alike.
Network intrusion detection, prevention and documentation are a very important piece of digital forensics and of keeping track of your digital paper trail for evidence purposes. Xplico’s main focus is network forensics, and it is included by default in distributions like Kali Linux, BackTrack and the Security Onion boot disc for ease of use. Xplico is able to retrace web page traffic, content and files to help determine their origin. Xplico is like a glorified Wireshark and tcpdump all in one.
Caine specialises in mobile forensics and data recovery, with its biggest feature being its custom GUI for on-the-fly forensics. Caine is commonly known as the “CSI Tool” from the hit TV series.
For those professionals who prefer the command line, Exiftool is for you. Its simple interface lets you drag and drop any file type that needs to be extracted. This quick tool is essential for forensics both in the field and in the office.
This tool was created by the security giant FireEye, known for its intelligence analysis programme across the globe. Redline gives you the ability to either collect or analyse imported data. Its main feature is memory and file analysis based on a specific host. Upon import of a host image, it will perform any of the popular forensics actions requested, as well as preserve the evidence trail.
Whether you are just learning cyber security forensics or you are a seasoned professional, it is always a good idea to keep refining your toolkit to ensure you have the industry’s best solutions at your disposal. Forensics is a gentle giant and requires the utmost patience and skill to remain compliant with any legal or regulatory requirements that apply to your company.