The Lazy Genius

Security News & Brain Dumps from Xavier Ashe, a Bit9 Client Partner

Windows Forensic Toolchest

Posted by Xavier Ashe on May 22, 2006

The Windows Forensic Toolchest (WFT) was written to provide an automated incident response [or even an audit] on a Windows system and collect security-relevant information from the system. It is essentially a forensically enhanced batch-processing shell capable of running other security tools and producing HTML-based reports in a forensically sound manner. A knowledgeable security person can use it to help look for signs of an incident (when used in conjunction with the appropriate tools). WFT is designed to produce output that is useful to the user but is also appropriate for use in court proceedings. It provides extensive logging of all its actions and computes MD5 checksums along the way so that its output is verifiable. The primary benefit of using WFT to perform incident responses is that it provides a simplified way of scripting such responses using a sound methodology for data collection. Click here for a screen capture of WFT's main screen.

The Windows Forensic Toolchest (WFT) was written to be forensically sound and has been validated through my efforts to complete the SANS GIAC Certified Forensic Analyst (GCFA) practical assignment. If you have ever seen Incident Response Collection Report (IRCR), then Windows Forensic Toolchest is substantially equivalent in base functionality. IRCR claims to be "similar to The Coroner's Toolkit (TCT) by Dan Farmer & Wietse Venema", but it essentially serves as a wrapper program to automate the running of several other command-line programs for the purpose of taking a "snapshot of the system in the past". The Windows Forensic Toolchest (WFT) was born of my desire to have a tool that surpassed IRCR in flexibility while being forensically sound in its implementation. Click here for a screen capture of WFT running.

Download WFT from Fool Moon Software and Security.
