Open-Source Digital Forensics Software

This paper will discuss four important open-source tools used in digital forensics and incident response investigations. The tools covered will be: Nmap/Zenmap, NetworkMiner, Dumpzilla, and Ophcrack. 

Nmap/Zenmap

Nmap and its GUI counterpart, Zenmap, are active network enumeration tools. They send specially crafted packets to network devices and listen for the responses; from those responses the tools infer basic enumeration information such as an OS guess, open ports, and the services listening on them. Nmap is the CLI version and Zenmap is the GUI version. I personally prefer the command line, because I believe it is faster, but many people are more comfortable in a GUI than in a CLI. When testing Nmap against Google’s DNS server, it came back with the open ports and some service fingerprinting that tells us more about the machines we are enumerating. I was able to see that the DNS server has ports 53 and 443 up; other ports may have been blocked by a firewall from replying to my nmap scan. This tool can be used in investigations to help enumerate a network, but keep in mind that it is often noisy and can bring unwanted attention to yourself.

I used the option -sCV to specify that I want the default scripts to run and that I want to do service enumeration. There are a lot of options you can use: some are more aggressive and will get you more information, others are slow and stealthy to avoid detection.

Zenmap is the GUI counterpart to nmap, providing the same functionality through a graphical interface. The interface is simple to use and describes the kinds of scans you want to run in plain language, while also showing you the command that nmap will run in the backend. This isn’t a bad way to learn the different kinds of scans and how their options combine. The output will look something like this:

NetworkMiner

Sometimes, active enumeration is not an option. Actively touching a network can negatively affect network performance and sometimes even bring down machines. This is where NetworkMiner comes in. NetworkMiner is a passive network sniffer used to detect the OS, hostname, and other features of machines on the network without sending any traffic of its own. After running it on my machine and surfing the web for a short while, these were my results:

Where Wireshark focuses on network traffic, making that the forefront of what a user sees, NetworkMiner seems to focus more on enumeration. When I look at my results, they are grouped under each IP that interacted with or on my network. I expanded the IP of my device and saw that it guessed Windows, which is correct. It probably does this based on the TTL of the packets. Although I would not use this tool for real-world network diagnosis, it may be another tool in your arsenal for enumerating a network and putting together a more detailed network map.

Dumpzilla

Dumpzilla is a tool used to extract browsing information from Firefox profiles (along with those of other, less-used browsers). This is an incredibly useful, and dangerous, tool if it can get onto a victim machine. I ran the tool and got results from an older Firefox profile I used in 2021:

It is kind of scary seeing that a tool can extract exactly what I typed into the search bar of my browser, but thinking from a red team perspective, it can be extremely useful during a penetration test for finding possible sites to use for a watering hole attack. In terms of incident response, this tool allows an investigator to quickly gather browsing data from a host machine. A script can be written to download the tool onto the machine, run it against every Firefox profile on the machine, transfer the results back to the investigator, and then remove the tool from the machine.

Ophcrack

Ophcrack is a free Windows password cracker that uses rainbow tables to accomplish its goals. Rainbow tables are precomputed tables of hashed candidate passwords, which can be checked against recovered password hashes to find a match. One downside of rainbow tables is that they usually need a large amount of storage. When you download the program, you also need to download the tables you want. To emphasize my earlier point about storage size, one table I saw was around 3 GB, which isn’t exactly small for a password cracker. After running the tool with the XP free fast rainbow table, it couldn’t crack the “test” password I provided it:

This is quite disappointing, but I believe that with more rainbow tables and the proper password hashes, this tool could be useful for getting into a computer.
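To make the precompute-then-look-up idea behind Ophcrack's tables concrete, here is a toy rainbow table in Python; it is an added illustration and not code from this paper or from Ophcrack. It walks hash/reduce chains over a small constructed keyspace, stores only each chain's start and end, and on lookup regenerates the one chain that could contain the target hash, so lookup() returns None for a password outside the table's keyspace (the situation this section ran into) or for a hash produced by a different algorithm. The alphabet, password length, chain length, chain count and the use of MD5 in place of a Windows hash are all constructed demo values.

```python
import hashlib
import itertools
import string

# Constructed toy keyspace: 4-char passwords over "abcdef" (1296 keys). Real tables
# cover far larger keyspaces, which is why the downloads run to gigabytes.
ALPHABET = string.ascii_lowercase[:6]
PW_LEN = 4
CHAIN_LEN = 50    # hash/reduce steps per chain (never stored, recomputed on lookup)
N_CHAINS = 300    # chains in the table; only each chain's start and end are kept

def h(pw: str) -> bytes:
    return hashlib.md5(pw.encode()).digest()   # stands in for the Windows hash here

def reduce_(digest: bytes, step: int) -> str:
    """Map a hash back into the keyspace; the column index varies the mapping to limit merges."""
    n = int.from_bytes(digest, "big") + step
    chars = []
    for _ in range(PW_LEN):
        chars.append(ALPHABET[n % len(ALPHABET)])
        n //= len(ALPHABET)
    return "".join(chars)

def build_table() -> dict:
    """Precompute: walk each chain once and keep only end -> [starts]."""
    table = {}
    for i, start_chars in enumerate(itertools.product(ALPHABET, repeat=PW_LEN)):
        if i >= N_CHAINS:
            break
        start = pw = "".join(start_chars)
        for k in range(CHAIN_LEN):
            pw = reduce_(h(pw), k)
        table.setdefault(pw, []).append(start)
    return table

def lookup(table: dict, target: bytes):
    """Return the password whose hash is `target`, or None if no stored chain contains it."""
    for j in range(CHAIN_LEN - 1, -1, -1):      # guess which column the target sits in
        pw = reduce_(target, j)
        for k in range(j + 1, CHAIN_LEN):       # finish that chain to its end point
            pw = reduce_(h(pw), k)
        for start in table.get(pw, []):         # regenerate each chain with that end
            cand = start
            for k in range(CHAIN_LEN):
                if h(cand) == target:
                    return cand
                cand = reduce_(h(cand), k)      # not here: false alarm, keep looking
    return None
```

Only start and end points are stored, so the table is small while each chain stands for CHAIN_LEN passwords; the price is the recomputation done in lookup().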