PlainSight: Open Source Computer Forensics Software

PlainSight is a versatile computer forensics environment that allows inexperienced forensic practitioners to perform common tasks using powerful open source tools.

We have taken the best open source forensic/security tools, customized them, and combined them with an intuitive user interface to create an incredibly powerful forensic environment.

With PlainSight you can perform operations such as:
· Get hard disk and partition information
· Extract user and group information
· View Internet histories
· Examine Windows firewall configuration
· Discover recent documents
· Recover/carve over 15 different file types
· Discover USB storage information
· Examine physical memory dumps
· Examine UserAssist information
· Extract LanMan password hashes
· Preview a system before acquiring it
Tools

Tools on the site are organized into the following categories:

· Bootable Environments: Use to boot a suspect system into a trusted state.
· Data Acquisition: Use to collect data from a dead or live suspect system.
· Volume System: Use to examine the data structures that organize media, such as partition tables and disk labels.
· File System: Use to examine a file system or disk image and show the file content and other metadata.
· Application: Use to analyze the contents of a file (i.e. at the application layer).
· Network: Use to analyze network packets and traffic. This does not include logs from network devices.
· Memory: Use to analyze memory dumps from computers.
· Frameworks: Frameworks used to build custom tools.
Features

Device Information

· Use hdparm and disktype to view hard disk and partition details.
· Use RegRipper to extract USB storage information from the registry.
· Use RegRipper to extract Device Class information from the registry.

Operating System

· Use RegRipper to retrieve the current Windows version from the registry.
· Use RegRipper to retrieve the computer name from the registry.
· Use RegRipper to extract UserAssist information from the registry.
· Use RegRipper to retrieve recent documents from the registry.
· Use RegRipper to extract User and Group information from the registry.
· Use BKhive and Samdump2 to extract XP/2000/NT passwords via the SAM and SYSKEY.

Network

· Use RegRipper to extract the Windows firewall configuration from the registry.

Internet Histories

· Use Pasco to recover Internet Explorer histories.
· Use Mork to recover Firefox/Netscape histories.
· Use RegRipper to view typed URLs.
Volatile Memory Examination

Use The Volatility Framework to extract the following information from physical memory samples:

· Image date and time
· Running processes
· Open network sockets
· Open network connections
· DLLs loaded for each process
· Open files for each process
· Open registry handles for each process
· A process' addressable memory
· OS kernel modules
· Mapping physical offsets to virtual addresses (strings to process)
· Virtual Address Descriptor information
· Scanning examples: processes, threads, sockets, connections, modules
· Transparently supports a variety of sample formats (i.e. crash dump, hibernation, dd)
File Recovery / Carving

Use Foremost to recover files of the following types:

· jpg
· png
· gif
· bmp
· mpg
· wav
· avi
· wmv
· mov
· pdf
· htm
· ole
· zip
· rar
· exe
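Foremost recovers these types by header/footer carving: it scans the raw image for a known file-header signature, then cuts bytes through the matching footer (or up to a per-type size limit when no footer is found). The block below is an added example of that mechanism written for this page; it is not PlainSight's or Foremost's own code. The signature table, size limits and the sample "disk image" are all constructed for the illustration, and only four of the types above are included.

```python
"""Minimal header/footer file carver (illustration of the Foremost technique).

Added example, not code from PlainSight or Foremost. The signature table and
the sample image are constructed for demonstration purposes.
"""
from dataclasses import dataclass

# Constructed signature table: type -> (header magic, footer magic, max size).
# Real carvers ship much larger tables and per-type parsing rules; these four
# entries are enough to show how carving works.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 20 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 20 * 1024 * 1024),
    "gif": (b"GIF8", b"\x00\x3b", 5 * 1024 * 1024),
    "pdf": (b"%PDF", b"%%EOF", 50 * 1024 * 1024),
}


@dataclass
class CarvedFile:
    kind: str        # signature name that matched
    offset: int      # byte offset of the header within the image
    data: bytes      # carved bytes: header through footer, or header to limit
    truncated: bool  # True when no footer was found inside the size limit


def carve(image: bytes, signatures=SIGNATURES):
    """Return every header..footer span found in `image`, sorted by offset.

    A header without a footer inside its size limit is still reported, flagged
    as truncated, so a partially overwritten or fragmented file is not silently
    dropped. Nested files (e.g. an embedded JPEG thumbnail) are not handled
    specially here; a production carver needs extra rules for those.
    """
    results = []
    for kind, (header, footer, max_size) in signatures.items():
        pos = 0
        while (start := image.find(header, pos)) != -1:
            limit = min(len(image), start + max_size)
            # The footer must lie entirely before `limit`.
            end = image.find(footer, start + len(header), limit)
            if end == -1:
                results.append(CarvedFile(kind, start, image[start:limit], True))
                pos = start + len(header)
            else:
                stop = end + len(footer)
                results.append(CarvedFile(kind, start, image[start:stop], False))
                pos = stop
    results.sort(key=lambda c: c.offset)
    return results


# Constructed sample files: real magic bytes around placeholder payloads.
SAMPLE_FILES = {
    "jpg": b"\xff\xd8\xff\xe0JFIF-payload\xff\xd9",
    "png": b"\x89PNG\r\n\x1a\nIHDR-payload-IDAT" + b"IEND\xaeB`\x82",
    "gif": b"GIF89a-payload\x00\x3b",
    "pdf": b"%PDF-1.4 payload %%EOF",
}
FILLER = b"\x00" * 64  # stands in for unallocated space between files


def build_sample_image():
    """Assemble a constructed 'disk image' with four intact files and one orphan."""
    img = FILLER
    for blob in SAMPLE_FILES.values():
        img += blob + FILLER
    # A JPEG header whose footer was overwritten: exercises the truncated path.
    img += b"\xff\xd8\xff\xe1orphan" + FILLER
    return img


if __name__ == "__main__":
    for f in carve(build_sample_image()):
        flag = " (truncated)" if f.truncated else ""
        print(f"{f.kind:4s} @ {f.offset:6d}  {len(f.data):5d} bytes{flag}")
```

Run as a script it lists the four intact files and the truncated orphan with their offsets. The size limit matters in practice: without it a missing footer would make the carver swallow the rest of the image, and reviewing the truncated entries separately is how an examiner tells a damaged file from a complete one.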
Sensitive Data Audit

· Use Spider to scan a system for sensitive data.

Misc

· Run from CD or USB.
· Save results in HTML and/or plain text.
· Run against a disk image or local disks.