PlainSight is a versatile computer forensics environment that allows inexperienced forensic practitioners to perform common tasks using powerful open source tools.
We have taken the best open source forensic/security tools, customized them, and combined them with an intuitive user interface to create an incredibly powerful forensic environment.
With PlainSight you can perform operations such as:
· Get hard disk and partition information
· Extract user and group information
· View Internet histories
· Examine Windows firewall configuration
· Discover recent documents
· Recover/Carve over 15 different file types
· Discover USB storage information
· Examine physical memory dumps
· Examine UserAssist information
· Extract LanMan password hashes
· Preview a system before acquiring it
Tools on the site are organized into the following categories:
· Bootable Environments: Use to boot a suspect system into a trusted state.
· Data Acquisition: Use to collect data from a dead or live suspect system.
· Volume System: Use to examine the data structures that organize media, such as partition tables and disk labels.
· File System: Use to examine a file system or disk image and show the file content and other meta data.
· Application: Use to analyze the contents of a file (i.e. at the application layer).
· Network: Use to analyze network packets and traffic. This does not include logs from network devices.
· Memory: Use to analyze memory dumps from computers.
· Frameworks: Frameworks used to build custom tools.
· Use hdparm and disktype to view hard disk and partition details.
· Use RegRipper to extract USB storage information from registry.
· Use RegRipper to extract Device Class information from registry.
· Use RegRipper to retrieve current Windows version from registry.
· Use RegRipper to retrieve the computer name from registry.
· Use RegRipper to extract UserAssist information from registry.
· Use RegRipper to retrieve recent documents from registry.
· Use RegRipper to extract User and Group information from registry.
· Use BKhive and Samdump2 to extract XP/2000/NT password hashes via SAM and SYSKEY.
· Use RegRipper to extract Windows firewall configuration from registry.
· Use Pasco to recover Internet Explorer histories.
· Use Mork to recover Firefox/Netscape histories.
· Use RegRipper to view typed URLs.
Volatile Memory Examination
Use The Volatility Framework to extract the below information from physical memory samples:
· Image date and time
· Running processes
· Open network sockets
· Open network connections
· DLLs loaded for each process
· Open files for each process
· Open registry handles for each process
· A process' addressable memory
· OS kernel modules
· Mapping physical offsets to virtual addresses (strings to process)
· Virtual Address Descriptor information
· Scanning examples: processes, threads, sockets, connections, modules
· Transparently supports a variety of sample formats (i.e., crash dump, hibernation file, dd raw image)
File Recovery / Carving
Use Foremost to recover files of many types, including the below:
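As an added illustration of the header/footer carving that Foremost performs (example code written for this page, not part of PlainSight or Foremost; the signature table and the sample image are constructed), the script below scans a raw image for known headers, cuts each file at its footer, and skips an orphaned header whose footer never appears:

```python
from typing import Dict, List, Tuple

# Header/footer signatures in the spirit of a Foremost config entry.
# Constructed for this example; not copied from Foremost's own configuration.
SIGNATURES: Dict[str, Tuple[bytes, bytes]] = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF", b"%%EOF"),
}

def carve(image: bytes, max_size: int = 1 << 20) -> List[Tuple[str, int, bytes]]:
    """Header/footer carving over a raw image.

    For each header hit, look for its footer within max_size bytes; a header with
    no footer in range (truncated or overwritten file) is skipped rather than
    carved to the end of the image. Returns (ext, offset, data) sorted by offset.
    """
    found: List[Tuple[str, int, bytes]] = []
    for ext, (header, footer) in SIGNATURES.items():
        start = 0
        while (hpos := image.find(header, start)) != -1:
            limit = min(len(image), hpos + max_size)
            fpos = image.find(footer, hpos + len(header), limit)
            if fpos == -1:
                start = hpos + 1          # orphan header: move on
                continue
            end = fpos + len(footer)
            found.append((ext, hpos, image[hpos:end]))
            start = end                   # resume after the carved file
    return sorted(found, key=lambda hit: hit[1])

def carve_summary(image: bytes) -> List[Tuple[str, int, int]]:
    """Compact view for reports: (extension, offset, size) per carved file."""
    return [(ext, off, len(data)) for ext, off, data in carve(image)]

def build_sample_image() -> bytes:
    """Constructed 'disk image': three files in unallocated filler plus one
    orphaned JPEG header with no footer, to exercise the skip path."""
    filler = b"\x00" * 64
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 20 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 16 + b"IEND\xaeB`\x82"
    pdf = b"%PDF-1.4\n" + b"D" * 30 + b"\n%%EOF"
    orphan = b"\xff\xd8\xff\xe1" + b"X" * 10
    return filler + jpg + filler + png + filler + pdf + filler + orphan

if __name__ == "__main__":
    for ext, offset, size in carve_summary(build_sample_image()):
        print(f"{ext}: offset {offset}, {size} bytes")
```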
Sensitive Data Audit
· Use Spider to scan a system for sensitive data.
· Run from CD or USB.
· Save results in HTML and/or plain text.
· Run against a disk image or local disks.