Saturday, 29 December 2012

Live Response with WFT


The Windows Forensic Toolchest™ (WFT) is designed to provide a structured and repeatable automated Live Forensic Response, Incident Response, or Audit on a Windows system while collecting security-relevant information from the system. WFT is essentially a forensically enhanced batch processing shell capable of running other security tools and producing HTML based reports in a forensically sound manner.
This description, taken from http://www.foolmoon.net/security/wft/, could not be put better and tells us exactly what WFT is. In other words, it is a lightweight shell program driven by a configuration file that runs security tools automatically and prepares an HTML report. It supports Windows NT/2K/XP/2K3/Vista/Win7 and is a commercial product. A good presentation of this tool can be found here.


As we can read on the support page: The tools included in the default configuration file do not make any significant alterations of the system they are being run on.
This tool is a great framework for incident response and intrusion detection. It can also be used by administrators for troubleshooting and similar tasks. What I would like to stress is the automation. Very often we already know which information we want to collect (for example pslist, fport, handles) and we want that data collected every single time. This part of incident response is therefore repeatable, and WFT lets us do it reliably. What is more, the output is well designed: we get it both as HTML and in .txt form. The developers did not forget about documentation either. Every step taken by the software is logged, and the log is mirrored to standard output. Additionally, we can track all changes made by the tools; we are warned that some extractions may take more or less time and told which alterations are made (which .exes/.dlls are needed). Of course, all activity and scripting follow a sound methodology, including computing MD5/SHA1 checksums.
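To make the workflow described above concrete, here is a small runner written in the same spirit: a config-driven loop that hashes each tool before running it, stores every tool's output as a .txt file, hashes that output too, logs each step to a file and to standard output, and finishes with an HTML index. It is an added illustration, not WFT's own code; the config layout, the function names and the stand-in "tools" (the Python interpreter printing a value) are constructed for this example so that it runs on any platform. A real deployment would point each config entry at a trusted binary copied onto the read-only media, exactly as the post describes.

```python
"""Toy live-response runner in the spirit of WFT (added example, not WFT code).

Assumptions: the config format, function names and the stand-in tools below
are constructed for this illustration. Real collection tools (pslist, fport,
handle, ...) would replace the Python one-liners in SAMPLE_CONFIG.
"""
import hashlib
import html
import subprocess
import sys
import tempfile
import time
from pathlib import Path

# Constructed config: (name, description, argv). The Python interpreter stands
# in for an external collection tool so the example runs anywhere.
SAMPLE_CONFIG = [
    ("hostname", "Host name of the examined system",
     [sys.executable, "-c", "import socket; print(socket.gethostname())"]),
    ("clock", "Monotonic clock reading (stand-in for a volatile artefact)",
     [sys.executable, "-c", "import time; print(time.monotonic())"]),
]


def file_hashes(path):
    """Return (md5, sha1) hex digests of a file, read in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def run_collection(config, out_dir, log_lines):
    """Run each configured tool, save stdout as <name>.txt, hash the tool
    binary before running it and the output afterwards, and log START/END."""
    results = []
    for name, description, argv in config:
        tool_md5, tool_sha1 = file_hashes(argv[0])  # fingerprint the tool we invoke
        log_lines.append(f"START {name}: {' '.join(argv)} "
                         f"tool_md5={tool_md5} tool_sha1={tool_sha1}")
        started = time.time()
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=60)
        out_path = out_dir / f"{name}.txt"
        out_path.write_text(proc.stdout)
        out_md5, out_sha1 = file_hashes(out_path)  # fingerprint what was collected
        elapsed = time.time() - started
        log_lines.append(f"END {name}: rc={proc.returncode} elapsed={elapsed:.2f}s "
                         f"output_md5={out_md5} output_sha1={out_sha1}")
        results.append({
            "name": name, "description": description, "argv": argv,
            "returncode": proc.returncode, "elapsed": elapsed,
            "tool_sha1": tool_sha1, "output": str(out_path), "output_sha1": out_sha1,
        })
    return results


def write_html_report(results, out_dir):
    """Write an index page linking every .txt output together with its hashes."""
    rows = []
    for r in results:
        rows.append(
            "<tr><td><a href=\"{0}\">{1}</a></td><td>{2}</td><td>{3}</td>"
            "<td><code>{4}</code></td><td><code>{5}</code></td></tr>".format(
                html.escape(Path(r["output"]).name), html.escape(r["name"]),
                html.escape(r["description"]), r["returncode"],
                r["tool_sha1"], r["output_sha1"]))
    page = ("<html><body><h1>Live response report</h1><table border=\"1\">"
            "<tr><th>Tool</th><th>Description</th><th>rc</th>"
            "<th>Tool SHA1</th><th>Output SHA1</th></tr>"
            + "".join(rows) + "</table></body></html>")
    report = out_dir / "report.html"
    report.write_text(page)
    return report


def live_response(config=SAMPLE_CONFIG, out_dir=None):
    """Full run: collect, log, report. Returns paths and results for inspection."""
    out_dir = Path(out_dir) if out_dir else Path(tempfile.mkdtemp(prefix="wft_demo_"))
    out_dir.mkdir(parents=True, exist_ok=True)
    log_lines = [f"RUN started {time.strftime('%Y-%m-%d %H:%M:%S')} output={out_dir}"]
    results = run_collection(config, out_dir, log_lines)
    report = write_html_report(results, out_dir)
    log_lines.append(f"RUN finished report={report}")
    (out_dir / "wft_demo.log").write_text("\n".join(log_lines) + "\n")
    for line in log_lines:  # mirror the log to standard output, as WFT does
        print(line)
    return {"out_dir": str(out_dir), "report": str(report),
            "log": log_lines, "results": results}


if __name__ == "__main__":
    live_response()
```

Running the script produces a directory with one .txt file per configured tool, a log file whose lines are also printed, and report.html linking the outputs. Hashing the tool binary before it runs and the output file after it runs is what lets a later reviewer check that neither was altered; the next step in practice is to write the output to media other than the examined system.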


In another presentation this sentence can be found: WFT should be run from a CD (or USB memory stick) to ensure the forensic integrity of the evidence it collects. In addition to the WFT binary, users will also need to copy any external programs it will be invoking to the CD / memory stick. Okay, but what about remote forensics? I will end here; next I will focus on remote methods of data acquisition and on how to perform them while keeping a sound methodology of data collection.
