Anyway, I think that is would be a great place to start throwing up information, discussion and links to free and open-source tools that folks are using for analyzing various files or formats. This can include general stuff (such as, does anyone have a good, free grep utility for Windows that doesn't use cygwin?)
Harlan then followed that post with a roundup of new free tools and utilities. He had also previously shared a number of freely offered blog posts on, well, free utilities that might benefit both the Windows forensic examiner (and sysadmins as well).
- Free Tools – The most recent “free tools” post over at Windows Incident Response blog. (10/23/09)
- Getting started, or forensic analysis on the cheap - Windows Incident Response blog. (02/20/08)
- Free Analysis - Windows Incident Response blog. (04/20/08)
- More Free Tools - Windows Incident Response blog. (05/25/09)
Anyway…I think his was a rhetorical question regarding the Windows grep utility, but I responded in the comments about my own personal freeware grep favorite…
- BareGrep - Free grep for Windows – Bare Metal Software. Great tool for advanced and complex system and file searching for only 246 kB in size but very fast and very advanced for the most demanding system-inspecting needs. Simply amazing. Oh yes. It’s a single non-installing exe file and fully portable. Works great on XP through Windows 7 systems. I’ve used it with great success to narrow my analysis on a few incident response assignments. It really saved the day.
Since then I have found and collected a few more freeware grep tools. Most are GUI-based but a few are command-line. Take your pick.
- File Hound 3.08 - (freeware) – JimmyTheFork.com. An updated version of his “Hound” grep tool. I spotted it mentioned over in this DonationCoder thread Hound: a grep-alike that searches inside PDFs. For a sample of the GUI see this Hound screenshot link. Fully portable, download, unzip and run the exe. I particularly like the fact that it is more intuitive to use and identify the result locations than the uber-powerful BareGrep utility.
- Windows Grep - (freeware) – brilliant app which ran great “portably” on my Windows 7 system. The GUI interface is very pleasant and modern (in a no-frills way). What stood out the strongest to me was the interactive “wizard” that runs first. It nicely guides n00bies through the basic steps of setting up a search pattern, a location, and other parameters before kicking off the search. Don’t be fooled. It’s got some advanced searching power for the experts to tap as well. The results are wonderfully displayed in an index format and the preview pane below highlights all the findings for very fast analysis. Good job Huw Millington! Most excellent tool.
- PRGrep - (freeware) – Another surprisingly well crafted GUI-based grep tool for Windows. Again, it seems to be portable. Not quite as user-friendly for the uninitiated, anyone who does grep work will pick its functions up quickly. Searching was fast and like Windows Grep, the display hits are nicely detailed and highlighted in the lower pane. It can plug into MS Office for Word/Excel file reading. I particularly liked the “old-school” format which makes copy/paste activity a breeze. PRGrep documentation is outstanding.
- GREP for Windows - A very flexible grep for windows – (freeware) - opbarns.com O. Patrick Barns did an 2006 update to Tim Charron’s "GREP for Windows" port. He cleaned up some bugs in that version as seem to relate to subdirectory searching with the "-S” argument. Yep. CLI only with this one, baby.
- Grep for Windows and GREP for Windows both of which seem to be the original CLI ports by Tim Charron of the GNU grep 2.0 allowing for sub-directory searching. Examples of syntax provided on the pages.
- GREP Command for Windows XP - Windows XP and DOS – Malektips.com – Tips to use of QGREP command. Note: it does require extraction from Windows 2003 Resource Kit. Syntax and expression usage documented there wonderfully as well. More info on the Win2003RK here. I’m guessing that if it works on XP, it should do OK on Vista and Windows 7 as well.
Curious News on Future Windows Resource Kits
Note that according to information and references in this Resource Kit – Wikipedia article…
In 2007 and 2008 respectively, Microsoft released the Windows Vista and Windows Server 2008 Resource Kits. Microsoft has also released resource kits for Group Policy, Windows security, Active Directory, Terminal Services and IIS 7. The Windows Vista Resource Kit ships with several sample VBScripts and few PowerShell scripts.
The Windows 7 Resource Kit was released on 14 September 2009 . Microsoft has announced that new unsupported resource kit tools will not be provided for current and future operating systems , however the PowerShell team has released a Resource Kit PowerShell Pack , a collection of PowerShell modules that adds over 700 scripts to those already present in Windows 7.
To be clear; the Resource Kits are alive and well, but it looks like the traditional “unsupported” tools and utilities that came with them, beloved by sysadmins world-wide, are now an endangered species.
See how it works?
Ask a question, get a slew of cool free utilities for the sysadmin and forensic pros alike!