DFIR Training Blog



Some DFIR tools are terrible…

Some DFIR tools are terrible…if not used correctly.

I saw an engaging discussion online about tool choices that inspired this post about tools. I particularly enjoyed how someone gave an example of how tools get recommended. I changed the example a little, but the more I look at it, the more I can remember this happening all the time:

Person 1: What tool can I use for “X”?

Person 2: Use this one.

Person 3: No, this one is better.

Person 4: But I like this other one better.

Person 5: That one sucks. Use this one instead.

Person 6: Why don’t you write your own tool?

Person 7: What’s wrong with my tool?

Person 1: Uh...thx?

This is great advice if:

-The question included specific details of the issue to be solved, and

-The tool(s) recommended can do the task, and

-The user knows how to use the tool.

This is bad advice if:

-The question was poorly framed, or

-The tools suggested don’t fit the need because the need was not described accurately, or

-The user doesn’t know how to effectively use the tool.

I also see complaints online about some DFIR tools, like:

-Why doesn’t this tool do encryption?

-How come email is so difficult to do with this tool?

-Why is the reporting so bad with this tool?

-How come this tool doesn’t find what I need it to find?

-Who validated this tool?

The solution to all of this is simple:

-Clearly define your forensic problem.

-Choose a tool designed to handle that problem.

-Use the tool correctly.

The things to not do:

-Don’t use a tool without knowing how to use that tool.

-Don’t use a tool without personally making sure that it works.

-Don’t use a tool that is not designed to do what you want it to do.

This all sounds so easy, but with the wide range of software available, it is easy to be overwhelmed with choices. Sometimes we fall in love with one tool and want it to do everything, even things that it may not be best suited to do or maybe not even designed to do at all. Sometimes we avoid a tool just because we don’t like the interface design. And many times we use tools without fully understanding what they are doing, what they are capable of doing, and, just as important, what the tools are incapable of doing.

-Clearly define your forensic problem.

   * Which OS, artifacts, etc…

   * Desired output (depth of analysis, reporting, etc…).

-Choose a tool designed to handle that problem.

   * Round peg in a round hole (don’t force a tool to do what it is not designed to do).

   * Updated, maintained, used by the community, good reputation, etc…

-Use the tool correctly.

   * Read the manual and/or take a class in that tool, and/or ask someone for guidance.

   * Test it.

   * Use it as designed, for the problem it was designed to handle.
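The “Test it” step above is the one most often skipped. As an added example (not code from the original post), here is a small validation harness in Python that builds an evidence tree whose contents are known in advance, runs a tool over it, and reports exactly what the tool missed, got wrong, or invented. The three hashers are hypothetical stand-ins for tools with different scopes (top-level only, recursive but skipping dot-prefixed names, fully recursive); the file paths and contents are constructed for the example so it runs offline.

```python
"""Tool validation harness: check what a DFIR tool finds against a test set
whose contents are known in advance.

Added example, not code from the original post. The three "tools" are
hypothetical stand-ins for file hashers with different scopes; the evidence
tree is constructed here so the script runs offline.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Callable


def sha256_of(path: Path) -> str:
    """Reference SHA-256, computed independently of the tool under test."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_test_set() -> tuple[Path, dict[str, str]]:
    """Create a constructed evidence tree and return (root, ground truth).

    Ground truth maps every file's root-relative POSIX path to its SHA-256.
    Paths and contents are made up for this example.
    """
    root = Path(tempfile.mkdtemp(prefix="dfir-validate-"))
    files = {
        "hiberfil.sys": b"hibr" + b"\x00" * 16,              # top-level file
        "Users/alice/notes.txt": b"meeting at 10\n",         # nested file
        "Users/alice/.cache/token.bin": b"\x00\x01\x02\x03",  # inside a hidden dir
        "Windows/Temp/dropper.exe": b"MZ" + b"\x90" * 32,    # nested file
    }
    expected = {}
    for rel, content in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
        expected[rel] = sha256_of(p)
    return root, expected


Tool = Callable[[Path], dict[str, str]]


def toplevel_hasher(root: Path) -> dict[str, str]:
    """Hypothetical tool 1: hashes only files directly under root."""
    return {p.name: sha256_of(p) for p in root.iterdir() if p.is_file()}


def visible_only_hasher(root: Path) -> dict[str, str]:
    """Hypothetical tool 2: recursive, but silently skips dot-prefixed names."""
    found = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if not d.startswith(".")]
        for name in filenames:
            if name.startswith("."):
                continue
            p = Path(dirpath) / name
            found[p.relative_to(root).as_posix()] = sha256_of(p)
    return found


def full_hasher(root: Path) -> dict[str, str]:
    """Hypothetical tool 3: recursive, no filtering."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def validate(tool: Tool, root: Path, expected: dict[str, str]) -> dict[str, list[str]]:
    """Run a tool over the test set; report what it missed, got wrong, or added."""
    got = tool(root)
    return {
        "missed": sorted(set(expected) - set(got)),
        "wrong": sorted(k for k in expected.keys() & got.keys() if expected[k] != got[k]),
        "extra": sorted(set(got) - set(expected)),
    }


if __name__ == "__main__":
    root, truth = build_test_set()
    for tool in (toplevel_hasher, visible_only_hasher, full_hasher):
        report = validate(tool, root, truth)
        print(f"{tool.__name__:20s} missed={len(report['missed'])} "
              f"wrong={len(report['wrong'])} extra={len(report['extra'])}")
        for rel in report["missed"]:
            print(f"    missed: {rel}")
```

The point of the harness is the “missed” list: the top-level hasher and the hidden-file-skipping hasher both run without error and produce plausible output, and nothing in that output tells you what they did not look at. Only a test set you built yourself, with ground truth written down before the tool ran, exposes the gap. Swap in the real tool’s exported file list for the hypothetical hashers and the same comparison applies.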

I have found that tools may have the same generic name and claim to do the same generic thing but are actually extremely far apart in what they really do. Without knowing the scope and limitations of your tools, you can miss everything in an analysis and not even know it. Or you can miss something so glaringly simple that it discredits your entire analysis, just because you didn’t employ an appropriate tool or didn’t use an appropriate tool correctly. To be clear, asking for tool suggestions is the best way to find the tool you need, as long as the question is framed correctly.

So, when I see questions like “What tool does this generic-thing-I-need best?”, I know exactly what is going to happen next…

SANS has a recent video on tools that has some pretty good info worth taking a look at:

Written by: Brett Shavers
