Focus on PlainSight the Open Source Computer Forensics
PlainSight is a versatile computer forensics environment that allows inexperienced forensic practitioners to perform common tasks using powerful open source tools.
The team have taken the best open source forensic/security tools, customised them, and combined them with an intuitive user interface to create an incredibly powerful forensic environment.
With PlainSight you can perform operations such as:
- Get hard disk and partition information
- Extract user and group information
- View Internet histories
- Examine Windows firewall configuration
- Discover recent documents
- Recover/Carve over 15 different file types
- Discover USB storage information
- Examine physical memory dumps
- Examine UserAssist information
- Extract LanMan password hashes
- Preview a system before acquiring it
Tools inside
Device Information
- Use hdparm and disktype to view hard disk and partition details.
- Use RegRipper to extract USB storage information from registry.
- Use RegRipper to extract Device Class information from registry.
Operating System
- Use RegRipper to retrieve current Windows version from registry.
- Use RegRipper to retrieve the computer name from registry.
- Use RegRipper to extract UserAssist information from registry.
- Use RegRipper to retrieve recent documents from registry.
- Use RegRipper to extract User and Group information from registry.
- Use BKhive and Samdump2 to extract XP/2000/NT password hashes via SAM and SYSKEY.
Network
- Use RegRipper to extract Windows firewall configuration from registry.
Internet Histories
- Use Pasco to recover Internet Explorer histories.
- Use Mork to recover Firefox/Netscape histories.
- Use RegRipper to view typed URLs.
Volatile Memory Examination
Use The Volatility Framework to extract the below information from physical memory samples:
- Image date and time
- Running processes
- Open network sockets
- Open network connections
- DLLs loaded for each process
- Open files for each process
- Open registry handles for each process
- A process’ addressable memory
- OS kernel modules
- Mapping physical offsets to virtual addresses (strings to process)
- Virtual Address Descriptor information
- Scanning examples: processes, threads, sockets, connections, modules
- Transparently supports a variety of sample formats (i.e. crash dump, hibernation file, DD)
File Recovery / Carving
Use Foremost to recover files of the following types:
- jpg
- png
- gif
- bmp
- mpg
- wav
- avi
- wmv
- mov
- htm
- ole
- zip
- rar
- exe
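The carving Foremost performs above works by scanning raw disk data for known file headers and footers, ignoring filesystem metadata, which is why it recovers deleted files. As an added example (not PlainSight's or Foremost's own code), the Python below implements that header/footer technique for three of the listed types over a constructed image; the signature table and the sample image are assumptions of this example.

```python
import re
from typing import List, NamedTuple

# Header/footer pairs in the style of Foremost's built-in rules
# (constructed subset covering jpg, png, gif from the list above).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "gif": (b"GIF8", b"\x00\x3b"),
}
MAX_SIZE = 10 * 1024 * 1024  # per-file cap, as foremost.conf specifies


class Carved(NamedTuple):
    kind: str
    offset: int
    data: bytes


def carve(image: bytes, max_size: int = MAX_SIZE) -> List[Carved]:
    """Scan a raw image for every known header and cut each file from the
    header to its footer. Only the byte stream is consulted, never the
    filesystem, so unallocated (deleted) files are found as well."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        for m in re.finditer(re.escape(header), image):
            start = m.start()
            window = image[start:start + max_size]
            end = window.find(footer, len(header))
            # No footer within max_size: emit the capped window, as Foremost does.
            # Caveat: real JPEGs may carry an EXIF thumbnail with its own FF D9,
            # so a production carver parses the segment structure instead.
            data = window if end == -1 else window[:end + len(footer)]
            found.append(Carved(kind, start, data))
    return sorted(found, key=lambda c: c.offset)


def build_sample_image() -> bytes:
    """Constructed 'disk image': zero-filled unallocated space around a tiny
    JPEG-shaped and a tiny PNG-shaped file (not real pictures)."""
    jpg = b"\xff\xd8\xff\xe0JFIF\x00" + b"\x11" * 40 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR" + b"\x22" * 20 + b"IEND\xaeB`\x82"
    filler = b"\x00" * 512
    return filler + jpg + filler + png + filler


if __name__ == "__main__":
    for c in carve(build_sample_image()):
        print(f"{c.kind} at offset {c.offset}, {len(c.data)} bytes")
```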
Sensitive Data Audit
- Use Spider to scan a system for sensitive data.
Misc
- Run from CD or USB.
- Save results in HTML and/or plain text.
- Run against a disk image or local disks.
More information, demo and download: http://www.plainsight.info/