Free Live response CDROMS (Deft)

Posted on Updated on

Since Helix has gone commercial, I’ve been looking for a replacement. The forensic wiki has the best list of live CDROM’s that I’ve found.

This will be a multi-part post that will cover the windows live response portion of DEFT and CAIN, then move onto the boot-able Linux OS and finally how to create your own live CDROM.

DEFT V.4 (Extra)

  • Interface
    • Easy to use and move around
    • Icons are large
    • Tab flows and categories are appropriate

Notable Tools

  • Imaging
    • FTK Imager
    • ZeroView
  • Ram Dumping
    • Winen 6.11.2 (32 and 64-bit)
    • MDD 1.3
    • win32dd v1.1.20080818
  • Collecting/Analyzing system information
    • WFT
    • Password Recovery
      • IE,Firefox,Crome,Mail and Wireless
    • Web Browser History
      • IE,Firefox,Opera,Crome
    • FileAlyzer (good for malware)
    • File Browser
    • Picture Scanner
  • Notable Utilities
    • Hashview
    • Sysinternal
    • AVIScreen
    • Hoversnap
    • Hashcalc
    • PC On/off time
    • Built-in file and picture browser.

Initial Memory Footprint~ 40K


  • Lots of different tools that offer a lot of flexibility.
  • Gui designs works well.
  • The most popular memory imaging tools including Winen 64-bit.
  • It has the zeroview utility, which allows  responder to tell if whole disk encryption is used.


  • WFT was expired and the tools directory needed did not exist on the CDROM.
  • Some utilities are not in English.
  • No automated collection of running information.

Overall this is a great live CDROM.  The only downfall is that WFT was expired and no other automated collection was available on the CDROM.

Note: This was tested on a Vista 64-bit PC.

Make sure when you do live response, you understand what changes the utilities makes to the system. In future post, I’ll talk about strategies on how to reduce changes to the system.


One thought on “Free Live response CDROMS (Deft)

    […] with all your collection tools is critical to having a great start to a incident.  I’ve previously talked about a couple freely available ones, but now I’m we are going to cover what the basic […]

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s