Win-LiFT Windows Based Live Forensics Tool

Brief Description

Win-LiFT 2.0 is a Windows-based Live Forensics Tool consisting of Win-LiFTImagerBuilder and Win-LiFTAnalyzer. Live Forensics involves acquisition of volatile data from the Suspect's machine and analysis of the acquired data. Win-LiFT 2.0 enables volatile data acquisition using Win-LiFTImager, a tool that is built with Win-LiFTImagerBuilder, and analysis using Win-LiFTAnalyzer.

Win-LiFT Windows Based Live Forensics Tool Products

i. Win-LiFTImagerBuilder- Tool for Building Win-LiFTImager
Win-LiFTImagerBuilder is a tool used to build the Win-LiFTImager tool onto a USB or hard disk device. Win-LiFTImagerBuilder is run on the Investigator's machine.

ii. Win-LiFTImager- Forensic Volatile Data Acquisition Tool
Win-LiFTImager is used for acquiring customized Live Forensics Data from the Suspect's machine.

iii. Win-LiFTAnalyzer- Live Forensics Data Analysis Tool
Win-LiFTAnalyzer analyses the data collected by the Win-LiFTImager and creates a detailed report after analysis.


Main uses and domain

Acquisition of volatile data from the Suspect's machine and analysis of the acquired data

Features and Technical Specifications

i. Win-LiFTImagerBuilder- Tool for Building Win-LiFTImager

  • Facility to enter case details

  • Facility to select/deselect the list of volatile artifacts to be collected from the Suspect's system.

  • Facility to select USB/Hard Disk drive to which the Win-LiFTImager tool is to be built.


ii. Win-LiFTImager- Forensic Volatile Data Acquisition Tool

  • Capturing the following volatile artifacts from a running Windows system to the USB device:

      • Running Processes

      • System Information

      • Stored Passwords

      • System Users

      • Screen Capture

      • Loaded Drivers

      • PC on/off Time

      • Network Neighbors

      • Network Status

      • Event logs

      • IP Configuration

      • Process Port Connections

      • Open Files

      • Clipboard contents

      • Services

      • Shared Resources

      • Scheduled Jobs

      • Drive Information

  • Facility to take bit stream content of Physical Memory from Windows systems.

  • Capturing Registry files from FAT and NTFS file systems on Windows XP and Windows 7 systems.

  • Capturing Event log files.

  • MD5 hashing of all acquired files.

  • Log and Report Generation.

iii. Win-LiFTAnalyzer- Live Forensics Data Analysis Tool

  • Analyze the volatile data captured by Win-LiFTImager from the suspect's system.

  • MD5 Hash Verification of acquired files.

  • Display forensic evidence acquired in List/Tree/Summary Views.

  • Registry Analysis to retrieve forensically relevant information.

  • Memory Analysis from Windows XP and Windows 7 RAM dump.

  • Event Log Analysis of .evt (Windows XP) and .evtx (Windows 7) files.

  • Gallery View of the screenshot & clipboard images.

  • Handling multiple case files simultaneously.

  • Keyword searching facility.

  • Text/Hex View of raw files with built-in search and go-to facility.

  • Facility to save partially/fully analyzed cases.

  • Bookmarking and Appending to report facility

  • Tree view of the Running process

  • Facility to save and print report

  • Detailed Report Generation
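The acquire-then-verify hashing step that the Imager's "MD5 hashing of all acquired files" and the Analyzer's "MD5 Hash Verification" features describe, as an added example that is not Win-LiFT's own code: the acquiring side writes a per-file digest manifest, and the verifying side recomputes the digests and classifies each entry, including files that went missing from or were added to the media after acquisition. The artifact directory, file names and contents are constructed for the demo; SHA-256 is recorded next to MD5 as an assumption, since the page specifies only MD5.

```python
"""Hash manifest for acquired artifacts (added example, not Win-LiFT code)."""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # stream in 1 MiB blocks so a RAM dump never sits in memory

def file_digests(path):
    """Return (md5_hex, sha256_hex) of one file; MD5 matches the tool's spec."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()

def rel_paths(root):
    """Yield every file under root as a forward-slash relative path."""
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            yield os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")

def build_manifest(root):
    """Acquisition side: relative path -> digests for every collected file."""
    return {rel: file_digests(os.path.join(root, rel)) for rel in rel_paths(root)}

def verify_manifest(root, manifest):
    """Analysis side: OK / MISMATCH / MISSING per entry, EXTRA for unhashed files."""
    status = {}
    for rel, expected in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            status[rel] = "MISSING"
        else:
            status[rel] = "OK" if file_digests(full) == tuple(expected) else "MISMATCH"
    for rel in rel_paths(root):
        status.setdefault(rel, "EXTRA")
    return status

def demo():
    root = tempfile.mkdtemp()  # constructed sample: two artifacts, one altered later
    os.makedirs(os.path.join(root, "registry"))
    def put(rel, data):  # append constructed bytes to an artifact file
        with open(os.path.join(root, rel), "ab") as fh:
            fh.write(data)
    put("processes.txt", b"pid name\n4 System\n")
    put("registry/SAM", b"regf-constructed")
    manifest = build_manifest(root)
    put("processes.txt", b"9999 x.exe\n")  # simulated post-acquisition modification
    return verify_manifest(root, manifest)
```

Any entry other than OK means the evidence on the media no longer matches what was hashed at acquisition time and should be treated as unreliable in the report.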

Platform required (if any)

Workstation with Windows OS 7/8/10

Contact Details for Techno Commercial Information

Smt. Ananthalakshmi Ammal R

Group Head, Cyber Security Group,

CDAC Thiruvananthapuram

Email- Lakshmi@cdac.in