The goal of an initial incident response is to confirm whether or not an incident occurred in a system and to collect the system’s volatile data, which will no longer exist after the system is powered off. It is critical to use trusted tools, as the tools on the victim’s system may have been modified by an attacker.
Live Forensic Toolkit, or LFT, is a free toolkit that consists of trusted files and tools for live incident response and computer forensics on Windows computers.
The toolkit includes 36 applications and related library files and can be made to run directly from a CD/DVD/USB memory device. As performing operations on a live computer may modify the system, this toolkit is intended for professional forensic analysts and law enforcement who know exactly what they are doing.
Every single application included has passed a number of very intense tests to make sure that:
- no malware (virus, spyware...) is present in any application
- the host system is not modified in any way (registry, files...)
The toolkit also includes a good-looking yet informative menu, divided into sections, that gives the user easy access to every included application. The menu also provides the original readme files of each application and some information about each piece of software, such as author, version and description.
This toolkit is completely free, as every single tool included has either GPL or general Freeware licenses. All the tools are included "as you download them" from their original websites and no modification has been made to any of them. In a few cases, some files have been included in the toolkit to allow the applications to run from removable media.