My-Tiny.Net :: Breaking Bad
Portable Forensics Fieldkit
This is a collection of Windows PortableApps for digital forensics.
PortableApps do not use the registry, so they can be run from a USB with minimal effect on the target system.
Most of these run as a normal user - because we may have to crack our way in to the Administrators group on a target system!
The exceptions are marked with [ ^ ]
Download:
zip 264mb - just unzip to your USB or Windows drive
iso 593mb - just double-click to mount
Install:
Windows insists on full paths in shortcuts, and that means this app needs to have its shortcut created.
To accomodate running from the ISO image, the shortcut is created on the desktop, and can then be copied or moved to wherever you want it.
Go to the Forensics FieldKit folder and doubleclick FFK-INSTALL.bat
This creates a shortcut on the desktop: Forensics Fieldkit
The shortcut will work as long as the drive letter and path stay the same;
if Windows mounts your usb/iso with a different drive letter, just run FFK-INSTALL.bat again.
Run:
Double-click to start an app. Close the window will minimise to the Taskbar, use File::Exit to completely quit.
(these settings can be changed under the Setup tab)
Extra tools for extracting forensically interesting artefacts from RAM images come separately:
- PhotoRec (v7.1)
note that image file extensions are limited to .dd .raw .img - rename .vmem images to .raw works fine -
Bulkextractor 1.1.5
packaged with jPortable and jPortable Launcher -
Mandiant Redline
packaged with Mandiant IOC editor for OpenIOC files and some sample IOCs to work with
iso 627mb - just double-click to mount
Install:
Go to the Forensics FK-RAM folder and doubleclick FKRAM-INSTALL.bat
This creates four shortcuts on the desktop:
FKRAM BEviewer
FKRAM Redline
FKRAM qPhotoRec
FKRAM IOCeditor
The shortcuts will work as long as the drive letter and path stay the same;
if Windows mounts your usb/iso with a different drive letter, just run FKRAM-INSTALL.bat again.
| Note: Windows 10 configuration tends to "drift" with its continuous updates, which can cause problems you never knew you had until some app will not start. This is a problem with Windows, not the app! Follow this procedure if the FieldKit will not start. |
EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE
THIS SOFTWARE "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT
NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THIS SOFTWARE IS WITH YOU. IN NO EVENT WILL
ANY COPYRIGHT HOLDER OR ANY OTHER PARTY BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL,
SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THIS
SOFTWARE (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR
LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF ANY PROGRAM TO OPERATE WITH ANY
OTHER PROGRAMS).
In the FieldKit, apps are organised into seven categories.
The FieldKit itself is:
| Portable Start Menu |
v3.7 © 2000 - 2021 Aignesberger Software GmbH
App Launcher: www.aignes.com/psmenu.htm |
| PopSel (Help Files) |
Freeware © 2003 - 2015 Horst Schaeffer
Sadly not all of these have helpfiles |
| NirCmd (install shortcuts) |
v2.86 © 2003 - 2019 Nir Sofer
A very capable command processor |
Report Tools
| AptEdit Lite |
v5.7.1 build 474 © 2000 - 2011 Brother Technology, Inc.
Easy text and hex view, plus text or binary compare files |
| OperaPortable |
v84.0.4316.31 © 1995 - 2022 Opera Norway AS
To avoid using the browser on the target system |
| Screen Recorder |
v1.0.3 © 2000 free-simple-apps
Opera Screen Recorder Extension |
| 7-Zip |
v19.00 Rev 3 © 1999 - 2018 Igor Pavlov
Opens practically every type of compressed file |
| Folder to ISO |
v3.1 © 2013 Karydis Anastasios
Simple ISO image file creator, useful for final archive of a case file |
| IrfanView |
v4.54 © 1996 - 2020 Irfan Skiljan
Opens practically every type of graphics file, basic editing capabilities |
|
PDF-XChange Viewer |
v2.5.322.10 © 2005 - 2019 Tracker Software
View and annotate PDF documents |
| HashMyFiles |
v2.37 © 2007 - 2020 Nir Sofer
Calculate MD5/SHA1/CRC32 hashes of files |
System Profile
| AutoRuns | v13.98 © 2002 - 2019 Mark Russinovich |
| InstalledAppView | v1.01 © 2019 - 2020 Nir Sofer |
| InstalledPackagesView | v1.05 © 2017 - 2019 Nir Sofer |
| WinUpdatesView | v1.14 © 2019 - 2020 Nir Sofer |
| SpecialFoldersView | v1.26 © 2008 - 2016 Nir Sofer |
| UserProfilesView | v1.10 © 2008 - 2015 Nir Sofer |
| DriveLetterView | v1.50 © 2011 - 2019 Nir Sofer |
| USBDeview | v3.01 © 2006 - 2020 Nir Sofer |
Event Log
| TurnedOnTimesView | v1.42 © 2013 - 2019 Nir Sofer |
| WinLogOnView | v1.35 © 2013 - 2020 Nir Sofer |
| LastActivityView | v1.35 © 2012 - 2019 Nir Sofer |
| RecentFilesView | v1.33 © 2007 - 2017 Nir Sofer |
| ExecutedProgramsList | v1.11 © 2015 - 2020 Nir Sofer |
| WifiHistoryView | v1.56 © 2016 - 2020 Nir Sofer |
| FullEventLogView | v1.58 © 2016 - 2020 Nir Sofer |
| EventLogSourcesView | v1.00 © 2013 Nir Sofer |
| EventLogChannelsView | v1.28 © 2016 - 2020 Nir Sofer |
Web Activity
| BrowserDownloadsView | v1.31 © 2019 - 2020 Nir Sofer |
| BrowsingHistoryView | v2.45 © 2012 - 2020 Nir Sofer |
| ChromeCacheView | v2.21 © 2008 - 2020 Nir Sofer |
| ChromeCookiesView | v1.61 © 2011 - 2020 Nir Sofer |
| EdgeCookiesView | v1.17 © 2018 - 2019 Nir Sofer |
| FBCacheView | v1.20 © 2013 - 2018 Nir Sofer |
| ImageCacheViewer | v1.20 © 2014 - 2018 Nir Sofer |
| myLastSearch | v1.65 © 2007 - 2015 Nir Sofer |
| MZCacheView | v2.01 © 2007 - 2020 Nir Sofer |
| MZCookiesView | v1.58 © 2004 - 2019 Nir Sofer |
File System
| File Manager |
4.0 © 1997-2019 ALTAP
Altap Salamander |
| FTK Imager |
4.5.0.3 © 2011-2020 AccessData Group
Create and examine disk image files |
| Recuva |
v1.53.1087 © 2016 Piriform Software
Recover deleted files |
| HxD |
2.4.0.0 © 2002-2020 Mael Horz
Binary File/Disk/RAM/virtual memory editor |
| SearchMyFiles |
v3.10 © 2009 - 2020 Nir Sofer
Search For Files And Folders + Duplicates Search |
| File Alyzer |
v2.0.5.57 © 2011 Safer-Networking Ltd
Detailed file metadata |
| Magic File Identifier |
v1.1.0 © 2021 Jacquelin POTIER
Windows GUI implementation of the Unix file command |
| grepWin |
v2.0.7 © 2018-2021 Stefan Küng
Select files with specified text / regular expression |
| TextScan |
v1.03 © 1998-2009 AnalogX
Find readable strings in binary files |
| ExifDataView |
v1.11 © 2012 - 2020 Nir Sofer
Displays EXIF data in .jpg image files |
| AlternateStreamView |
v1.56 © 2009 - 2019 Nir Sofer
View/Copy/Delete NTFS Alternate Data Streams |
Dynamic Analysis
| Process Hacker |
v2.39.124 © 2008-2016 Wen Jia Liu
Detailed view of processes and their activity |
| VMMap |
v3.31 © 2009 - 2020 Mark Russinovich
A process virtual and physical memory analysis utility |
| CurrPorts |
v2.63 © 2004 - 2020 Nir Sofer
Displays the list of all currently opened TCP/UDP ports |
| SimpleProgramDebugger |
v1.10 © 2014 - 2020 Nir Sofer
Displays events when attached to a process |
| Hibernation File |
v1.2.1.79 © 2016-2021 Arsenal Recon
Process hiberfil.sys for RAM analysis (BulkExtractor, Redline, etc.) |
Registry
| MJ RegWatcher |
v1.2.8.6 © 2013 - 2018 Mark Jacobs
Monitors and alerts on changes to registry keys, files, or folders |
| SpyMe Tools |
v1.5.0 © 2007 LC IBros Solutions
Registry and disk/directory list diff utility |
| OfflineRegistryFinder |
v1.11 © 2018 - 2020 Nir Sofer
Scan and search Registry Hives from snapshots/external drive |
| RegistryChangesView |
v1.26 © 2017 - 2020 Nir Sofer
Create and compare Registry snapshots (.reg files/shadow copy) |
| OfflineRegistryView |
v1.03 © 2018 - 2019 Nir Sofer
Read Registry files offline/from external drive |