DefCon 16 Interview – Monty McDougal
While at DefCon 16 I had the chance to sit down with Monty McDougal. It started out as a quick lunch to catch up with Monty, as I had not seen him in quite a while, but once we had caught up he told me that he had made some significant modifications to his Windows Forensic Toolchest™ (WFT). The last time I had worked with WFT it was at version 1.01, and Monty did not have time to devote to adding the new features that were rolling around in his head. I knew that this disappointed him at the time, because the tool had received such a good response from the SANS community. After speaking with Monty and looking at some of the updates he has implemented, I can see that he has since been able to devote more than a little time to this excellent tool.
If you are not familiar with WFT, here is a brief overview from Monty’s website FoolMoon.net.
The Windows Forensic Toolchest™ (WFT) is designed to provide a structured and repeatable automated Live Forensic Response, Incident Response, or Audit on a Windows system while collecting security-relevant information from the system. WFT is essentially a forensically enhanced batch processing shell capable of running other security tools and producing HTML based reports in a forensically sound manner.
Actually, WFT is a lot more developed than this description suggests. WFT gives the user a repeatable method for deploying many security and administrative tools that gather information about a Windows Operating System (OS). These include tools present on specific versions of the OS, tools provided through the Windows Resource Kits, third-party tools, and some tools that Monty has written (or is writing) specifically for inclusion in WFT. Monty goes to great lengths to respect the user agreements and licensing associated with each tool WFT employs. In version 3.0 the ability to automatically download tools and validate their integrity is built directly into the toolchest, and updates to tool locations and code modifications are handled by an automated toolchest update process. These methods of acquiring tools work when Internet access is available, but during a live response connectivity is not always something you can count on. Monty has taken this into consideration and made the WFT update capabilities able to use the Helix Incident Response & Computer Forensics CD-ROM as a source for the tools.
I was very surprised when Monty mentioned that he is now charging for the use of WFT. In the FAQ on his site, Monty explains why he has moved to the commercial model.
What happened to the free version of Windows Forensic Toolchest™ (WFT)?
After providing WFT for free to the security community for nearly 4 years, I have decided to make version 3.x a commercial product. WFT is still available for download, but the downloaded version is restricted to specific uses identified within its license. WFT has consumed several hundred hours of development and support over the last few years, and while $100 is a modest amount, it will help motivate me to continue to develop and support WFT (since the donation model did not work out at all). There is also a new WFT Pro version in development which will include several additional features useful in an enterprise environment along with a new GUI. Pricing for this version will be slightly higher, but will also include WFT. Paid WFT users will of course receive 100% upgrade credit towards the upcoming Pro version. I have no plans of supporting the 1.x or 2.x code bases in the immediate future and will instead be focusing on bringing new features to version 3.x.
At the time I am writing this post the restricted version is no longer available for download, and I can only assume that WFT has gone completely commercial. This means it is very likely that it will no longer be available via the Helix CD-ROM, which was one of the original ways to obtain this tool. Persons who have versions of WFT on their current Helix CD-ROMs will also find that their version is broken due to a WFT update script. When I questioned Monty about this he told me that the Helix update script was necessary to force Helix users onto up-to-date versions of WFT, because he could not support the questions he was getting about out-of-date versions. He did assure me, however, that although the script on the current version of Helix is broken, he will be releasing a patch soon, which should be available on his website. If you do not find it there (I did not at the time of writing this post) you can attempt to contact Monty, and I am sure he will get back to you as soon as his busy travel schedule permits. Unfortunately, it may be the case that he has dropped support for Helix altogether, but this has not been confirmed.
One of the things that Monty did show me while we were talking about WFT was the new Graphical User Interface (GUI). This GUI will be provided as part of the Pro version of WFT. Currently the toolchest is controlled via a detailed configuration file; the GUI will give the user complete control over which tools are run and how and when the tools are updated. He was very excited to be nearing the conclusion of this milestone, as it will permit him to pursue some other key features he has been considering. These include reporting tool outputs to a remote system, rewrites of certain tools so they do not have to be downloaded, and new tools that provide unique features.
It is unfortunate that I did not get a chance to test drive the new version of WFT before writing this article. I am hoping that I can convince my new colleagues to consider putting WFT into our toolkit for Live Response. Having this tool would simplify so many aspects of scripting, tool maintenance, and hashing of both the tools and their output for verification and validation. Yes, most of what WFT does can be done by hand, but as I have mentioned before, having a repeatable process that is the same every time is critical to providing a consistent and professional incident response.
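To make concrete what "tool and output hashing for verification and validation" buys you in a live-response run, here is a small runner I wrote for this post that follows the same pattern described above for WFT. It is an added example, not WFT's code and not Monty's: each tool in the list is hashed and compared against a known-good SHA-256 before it is allowed to execute, its captured output is hashed after collection, and an HTML report records both hashes so a reviewer can later confirm that the right binary ran and that the evidence file is unchanged. The `ToolSpec` list, the use of the Python interpreter itself as a stand-in "tool" in `demo()`, and the deliberately wrong hash for the second entry are all constructed for the demonstration.

```python
"""
Minimal WFT-style live-response runner.
Added example for this post; not the Windows Forensic Toolchest's own code.

Pattern demonstrated:
  1. hash every tool and refuse to run it unless it matches a known-good value
  2. capture the tool's output to a file and hash that file
  3. write an HTML report that records tool hash, output hash and status
"""
import hashlib
import html
import subprocess
import sys
import tempfile
from dataclasses import dataclass, field
from pathlib import Path


@dataclass
class ToolSpec:
    name: str                 # label used in the report and output file name
    path: str                 # executable to run
    sha256: str               # known-good SHA-256 the binary must match
    args: list = field(default_factory=list)


def sha256_file(path):
    """SHA-256 of a file on disk, read in chunks so large outputs are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_tool(spec):
    """True only if the binary on disk hashes to the expected value."""
    return sha256_file(spec.path).lower() == spec.sha256.lower()


def run_tool(spec, outdir, timeout=60):
    """Verify, execute, capture, hash. A tool whose hash does not match is
    never executed; the report records the mismatch instead."""
    result = {
        "name": spec.name,
        "tool_sha256": sha256_file(spec.path),
        "verified": verify_tool(spec),
        "output": None,
        "output_sha256": None,
        "returncode": None,
    }
    if not result["verified"]:
        return result
    proc = subprocess.run([spec.path] + spec.args,
                          capture_output=True, timeout=timeout)
    out = Path(outdir) / f"{spec.name}.txt"
    out.write_bytes(proc.stdout + proc.stderr)   # evidence file
    result["output"] = str(out)
    result["output_sha256"] = sha256_file(out)    # hash taken after capture
    result["returncode"] = proc.returncode
    return result


def write_report(results, report_path):
    """Write an HTML table of tool/output hashes; return the report's hash."""
    rows = []
    for r in results:
        status = "ran" if r["verified"] else "SKIPPED: tool hash mismatch"
        rows.append("<tr><td>{}</td><td>{}</td><td>{}</td><td>{}</td></tr>".format(
            html.escape(r["name"]), r["tool_sha256"],
            r["output_sha256"] or "", html.escape(status)))
    doc = ("<html><body><table border=\"1\">"
           "<tr><th>Tool</th><th>Tool SHA-256</th><th>Output SHA-256</th><th>Status</th></tr>"
           + "".join(rows) + "</table></body></html>\n")
    Path(report_path).write_text(doc, encoding="utf-8")
    return sha256_file(report_path)


def run_toolchest(specs, outdir):
    """Run every tool in order and write the report; returns the results."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    results = [run_tool(s, outdir) for s in specs]
    results_report_hash = write_report(results, outdir / "report.html")
    return results, results_report_hash


def demo():
    """Constructed demonstration: the Python interpreter stands in for a
    response tool. The first entry carries its real hash, the second a bogus
    one, so one runs and one is refused."""
    good_hash = sha256_file(sys.executable)
    specs = [
        ToolSpec("hello", sys.executable, good_hash, ["-c", "print('hello')"]),
        ToolSpec("tampered", sys.executable, "0" * 64, ["-c", "print('never')"]),
    ]
    outdir = tempfile.mkdtemp(prefix="wft_demo_")
    results, report_hash = run_toolchest(specs, outdir)
    return results, outdir, report_hash


if __name__ == "__main__":
    results, outdir, report_hash = demo()
    for r in results:
        print(r["name"], "verified" if r["verified"] else "REFUSED", r["output_sha256"])
    print("report:", Path(outdir) / "report.html", report_hash)
```

The important property is the order of operations: the tool hash is checked before the process is spawned, and the output hash is computed from the file that will be handed to the reviewer, not from the in-memory bytes. In a real deployment the known-good hashes come from a trusted manifest kept off the target system, and the tools themselves run from read-only media.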
I would like to wish Monty and WFT the best of luck in the future. I am looking forward to their continued success.
Go forth and do good things,
Don C. Weber