HBGary has announced the availability of FGET.exe, its latest free forensic tool, to the general public. FGET, short for “Forensic Get,” is a network-capable forensic data acquisition tool. Its primary function is collecting sets of forensically interesting files from one or more remote Windows machines.

FGET starts by creating a local repository folder at C:\FGETREPOSITORY\ and from there automatically creates named sub-folders, one for each machine you run FGET against. By default, FGET obtains a forensically sound copy of any file on the system, including files that are locked and in use (pagefiles, registry hives, etc.). FGET can also fetch NTFS special files that aren’t normally accessible through the live operating system, such as the $MFT and System Restore point data. FGET is also fully capable of bringing back a copy of a deleted file, provided the file’s FILERECORD data hasn’t been overwritten or reused.
Default Captured Dataset
By default, FGET collects the following set of data for each targeted machine:
- Full user list, complete with a copy of each user's NTUSER.dat file
- Complete contents of the Windows prefetch directory
- Complete contents of the windows\system32\config\ directory, including the registry hives, event logs, and the system SAM database
- BONUS: HBGary ActiveDefense customers can also fetch a copy of the last physical memory image taken of the remote machine by appending the “+mem” option to the command line.
For more information or to download the tool, visit http://www.hbgary.com/community/free-tools/#fget.