Recommendation for forensics tools (open source & those below US$5k)

Any tools to recommend? Especially those that run on Windows.

Especially looking at tools that:
a) check which files have been compromised, when it took place, and whether it has spread further
b) can trace how ransomware comes in (via Flash Player, Adobe PDF Reader, MS Office or ???)
c) inspect malicious payloads (that passed through our NIDS & firewalls)
d) anything low-cost & free from FireEye? Think I saw something from FireEye before.
     We have contemplated engaging them for a Compromise Assessment.

If Linux is required, I will need to dual-boot that laptop, but the problem is that the laptop has hard disk encryption on it, so this is going to be an issue.
Asked by sunhux
btan (Exec Consultant) commented:
a) check which files have been compromised, when it took place, and whether it has spread further
It seems to mean that you need some hash signature to detect tampering. An aggressive change of state (many file I/Os with reads in under a second) may also mean ransomware attempting encryption, or trying to make the file disappear, like a secure wipe, which will render it unrecoverable. For these few scenarios you need the controls to be in place, like application whitelisting, anti-ransomware and anti-exploit at the endpoint. It is not really forensics, as you can turn on an audit trail for object changes. The free option is to use Windows native protection...

b) can trace how ransomware comes in (via Flash Player, Adobe PDF Reader, MS Office or ???)
Most common are phishing email attachments, USB drives, malicious URLs or drive-by downloads on compromised websites visited. To detect such a vector, go back again to the controls and the logs they generate to capture the data points recorded. There are tools to analyse PDF and DOC files, but if the intent stays solely within forensic tools, then I suggest you check the existing controls and review the audit trail, and whether there are logs piped to a central SOC for oversight. The same event traversing the various devices and endpoints can have its logs sent over to the CSC for an overall situational picture.

c) inspect malicious payloads (that passed through our NIDS & firewalls)
Likely these are password protected, or real zero-days without any patch, or innocent-looking documents carrying a macro that is activated if opened and run. User interaction is needed. This is more about education per se instead of tools, but the latter can still be considered if you have a detonation centre.

d) anything low-cost & free from FireEye? Think I saw something from FireEye before.
     We have contemplated engaging them for a Compromise Assessment.
They have Mandiant, so such a managed security service for incident investigation should not be an issue, but you need to build your in-house IR team too. I know FE has IOCFinder too, but that context goes towards artefact search for more compromised endpoints, etc.
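As an added worked example of the approach btan sketches under (a), and not a tool from this thread or from any vendor named here: hash every file once to build a baseline, diff the tree against it later to see which files changed content, appeared or vanished, and treat many files rewritten within seconds of each other as a ransomware indicator. The threshold, the window, the directory layout and the simulated "attack" in `demo()` are all constructed for illustration.

```python
"""Baseline-and-diff integrity check with a mass-modification heuristic.

Added example; not a tool from the thread. Assumptions (constructed):
- the baseline is a dict of {relative_path: {"sha256": ..., "mtime": ...}}
- a "burst" is >= BURST_THRESHOLD changed files whose mtimes fall within
  BURST_WINDOW seconds of each other (the rapid file I/O btan mentions)
"""
import hashlib
import json
import tempfile
from pathlib import Path

BURST_WINDOW = 60.0      # seconds; tune for your environment
BURST_THRESHOLD = 3      # changed files inside one window that we call a burst


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record hash and modification time for every regular file under root."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            baseline[rel] = {"sha256": sha256_file(p), "mtime": p.stat().st_mtime}
    return baseline


def diff_against_baseline(root: Path, baseline: dict) -> dict:
    """Return which files changed content, appeared, or vanished since the baseline."""
    current = build_baseline(root)
    modified = sorted(k for k in baseline
                      if k in current and current[k]["sha256"] != baseline[k]["sha256"])
    added = sorted(k for k in current if k not in baseline)
    removed = sorted(k for k in baseline if k not in current)
    return {"modified": modified, "added": added, "removed": removed, "current": current}


def burst_indicator(current: dict, changed: list,
                    window: float = BURST_WINDOW, threshold: int = BURST_THRESHOLD) -> bool:
    """True if at least `threshold` changed files were written inside one `window`-second span."""
    times = sorted(current[k]["mtime"] for k in changed)
    for i, start in enumerate(times):
        # count files whose mtime lands inside [start, start + window]
        inside = sum(1 for t in times[i:] if t - start <= window)
        if inside >= threshold:
            return True
    return False


def demo() -> dict:
    """Baseline a scratch directory, then simulate a ransomware pass over it (constructed data)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("a.txt", "b.txt", "c.txt", "d.txt"):
            (root / name).write_text(f"original contents of {name}\n")
        baseline = build_baseline(root)
        # simulated attack: three files overwritten in quick succession plus a ransom note
        for name in ("a.txt", "b.txt", "c.txt"):
            (root / name).write_bytes(b"\x00ENCRYPTED\x00" + name.encode())
        (root / "README_DECRYPT.txt").write_text("pay to recover your files\n")
        report = diff_against_baseline(root, baseline)
        changed = report["modified"] + report["added"]
        return {
            "modified": report["modified"],
            "added": report["added"],
            "removed": report["removed"],
            "burst": burst_indicator(report["current"], changed),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline only covers files that existed when it was taken, so it answers "which of my known files changed, and when" rather than "what malware is here", and a burst of rewrites is a heuristic (a backup job or a compiler produces the same pattern). For the Windows-native audit trail btan refers to, the equivalent data point is the file-system object-access auditing in the Security log (event ID 4663), which records who touched which file and when without any baseline at all.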
Michael Hulse (Techie) commented:
One of the best out there is X-Ways Forensics. It also falls under $1,000.
masnrock commented:
As far as FireEye goes, Redline might have been the software you were thinking of. I have done analysis using it to figure out how systems have been compromised.

Cisco AMP for Endpoints would be worth a look, but it is subscription based. I forget the cost off the top of my head, but it may easily surpass your cost threshold for the number of systems you want to support.
furuno commented:
>>> One of the best out there is X-Ways Forensics. It also falls under $1,000.

I've heard about this tool before. So what are the killer features of X-Ways Forensics?
masnrock commented:
FireEye Endpoint Security *might* be a product to look at as well, but I wouldn't know the cost. Both that and Cisco AMP for Endpoints should cover a, b, and d for sure. Since I work more with AMP, I'd tell you that it actually can also inspect software on a workstation for vulnerabilities. We actually tested some in-the-wild exploits with MS Office, and some of them AMP actually intercepted and quarantined the file. In some other cases, I could not say what would've happened, given that we associated some files with Notepad as a protection in our Windows 10 rollout.
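The "innocent-looking document carrying a macro" that btan raises under (c), and the MS Office samples masnrock mentions testing, are the kind of payload a first-pass triage can flag before anyone opens the file. Below is an added example, not code from this thread or from FireEye, Cisco or X-Ways, that checks whether an Office file carries a VBA project and whether its extension hides that fact. The OOXML and OLE2 sample blobs it builds are constructed in memory and are not real Word documents; the OLE2 one contains only the magic bytes and a fake directory-entry name.

```python
"""Quick triage of an Office document for an embedded VBA project.

Added example, not from the thread or any vendor. It only answers "is there a
macro project here, and does the extension disguise it?"; it does not extract
or decompress macro source. Sample files below are constructed in memory.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt (OLE2 compound file)
ZIP_MAGIC = b"PK\x03\x04"                           # OOXML .docx/.docm/.xlsx/... are zip containers
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# extensions that legitimately carry macros; a VBA project anywhere else deserves a look
MACRO_EXTENSIONS = {"doc", "dot", "docm", "dotm", "xls", "xlt", "xla", "xlsm", "xltm", "xlam",
                    "ppt", "pot", "pptm", "potm", "ppam"}


def triage_office_file(name: str, data: bytes) -> dict:
    """Return container type, whether a VBA project is present, and human-readable findings."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    result = {"name": name, "container": "unknown", "has_vba": False, "findings": []}

    if data.startswith(ZIP_MAGIC):
        result["container"] = "ooxml"
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            parts = z.namelist()
            vba_parts = [p for p in parts if p.lower().endswith("vbaproject.bin")]
            if vba_parts:
                result["has_vba"] = True
                result["findings"].append("VBA project part(s): " + ", ".join(vba_parts))
            if "[Content_Types].xml" in parts:
                ct = z.read("[Content_Types].xml").decode("utf-8", "replace")
                if VBA_CONTENT_TYPE in ct:
                    result["has_vba"] = True
                    result["findings"].append("content types declare a vbaProject")
    elif data.startswith(OLE_MAGIC):
        result["container"] = "ole2"
        # OLE2 directory entry names are stored UTF-16LE; the _VBA_PROJECT stream
        # only exists when the file holds a VBA project
        if "_VBA_PROJECT".encode("utf-16-le") in data:
            result["has_vba"] = True
            result["findings"].append("_VBA_PROJECT stream name found in OLE2 directory")

    if result["has_vba"] and ext not in MACRO_EXTENSIONS:
        shown = ext or "(none)"
        result["findings"].append(f"macro project inside a .{shown} file, which should not carry one")
    return result


def build_ooxml_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container; not a real Word document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        ct = '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        if with_macro:
            ct += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
        ct += "</Types>"
        z.writestr("[Content_Types].xml", ct)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def build_ole_sample(with_macro: bool) -> bytes:
    """Constructed OLE2 header plus fake directory entries; only the magic and names are realistic."""
    body = b"\x00" * 504 + "WordDocument".encode("utf-16-le")
    if with_macro:
        body += b"\x00" * 64 + "_VBA_PROJECT".encode("utf-16-le")
    return OLE_MAGIC + body


if __name__ == "__main__":
    for fname, blob in (("invoice.docm", build_ooxml_sample(True)),
                        ("invoice.docx", build_ooxml_sample(True)),
                        ("report.docx", build_ooxml_sample(False)),
                        ("old.doc", build_ole_sample(True))):
        print(triage_office_file(fname, blob))
```

Presence of a VBA project is not proof of malice, and absence is not proof of safety: exploit documents that abuse a parser bug carry no macro at all, and the same zip check says nothing about a password-protected archive, which is exactly the case btan notes gets past inline inspection. For pulling the macro source out and spotting auto-exec procedures and obfuscation, the open-source oletools suite (olevba) runs on Windows and costs nothing, which fits the budget stated in the question.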
btan (Exec Consultant) commented:
For author advice