Bento 2022.7 released: DFIR toolkit for first responders

Posted by rebus on Fri, 15/07/2022 - 10:51

Bento: Your forensic launcher box

A brand new release for Bento! I just published the July 2022 release.

So the latest release is 2022.7: you can download it here, and the downloaded archive should match this hash:

  • MD5: b7e4bd554b706e81f4e24a1006cdf4b9 *Bento-2022.7_public.7z
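A quick way to turn that hash line into an actual check before unpacking the archive on a response workstation, as an added example that is not part of the Bento post or project: a small POSIX shell script that parses a line in md5sum format (the `*` before the file name is md5sum's binary-mode marker, not part of the name) and compares it with the hash of the downloaded file. The script name, the download directory and the sample invocation are assumptions; the only real value is the hash published above.

```shell
#!/bin/sh
# Added example, not part of the Bento post: verify a downloaded archive
# against a hash line written in md5sum format, such as the one published
# in the post:
#   b7e4bd554b706e81f4e24a1006cdf4b9 *Bento-2022.7_public.7z
# In that format the '*' before the file name is md5sum's binary-mode marker
# (text mode uses two spaces); it is not part of the file name.

# parse_md5_line LINE -> prints "<lowercase hash> <file name>" (marker removed)
parse_md5_line() {
    hash=$(printf '%s' "$1" | cut -d' ' -f1 | tr 'A-F' 'a-f')
    # strip the 32 hex digits, then the separator: " *" (binary) or "  " (text)
    name=$(printf '%s' "$1" | sed -e 's/^[0-9A-Fa-f]\{32\}[ ][ *]//')
    printf '%s %s\n' "$hash" "$name"
}

# file_md5 PATH -> prints the lowercase MD5 of PATH (md5sum, or md5 on macOS)
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1 | tr 'A-F' 'a-f'
    else
        md5 -q "$1" | tr 'A-F' 'a-f'
    fi
}

# verify_md5 LINE [DIR] -> exit status 0 on match, 1 on mismatch, 2 if the
# file named in LINE does not exist under DIR (default: current directory)
verify_md5() {
    parsed=$(parse_md5_line "$1")
    expected=${parsed%% *}
    name=${parsed#* }
    path=${2:-.}/$name
    if [ ! -f "$path" ]; then
        echo "MISSING  $name" >&2
        return 2
    fi
    actual=$(file_md5 "$path")
    if [ "$actual" = "$expected" ]; then
        echo "OK       $name"
        return 0
    fi
    echo "MISMATCH $name (expected $expected, got $actual)" >&2
    return 1
}

# Constructed usage (script name and download directory are assumptions):
#   sh verify_bento.sh 'b7e4bd554b706e81f4e24a1006cdf4b9 *Bento-2022.7_public.7z' ~/Downloads
if [ $# -ge 1 ]; then
    verify_md5 "$1" "${2:-.}"
fi
```

The exit status is what matters when you script the download: a non-zero result means the archive is truncated, corrupted or simply not the file the post describes, and it should not be unpacked onto a response machine. Keep in mind that MD5 only confirms the download matches what the publisher posted; it is not collision-resistant, so prefer a SHA-256 or signed release hash whenever a publisher offers one.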

Compared to the previous release, all packages have been updated, including SyMenu itself. A special integration of WinTriage has also been made, in direct collaboration with Securizame's developers; special thanks go to Lorenzo Martínez Rodríguez for his patience and readiness. Two new tools for automated triage have been added: one for Windows (the PowerShell script dfirt 1.0) and one for Linux (LinuxCatScale 1.3.1). Against my wishes, Binalyze ACQUIRE has been removed, because the restrictions Binalyze configured on their web server forbid automatic download of the tool via SPS.

As usual, due to licence limitations, I can't redistribute some software, so end users must complete the public distribution of Bento themselves by following these step-by-step procedures:

1) SysInternals Suite

This suite is fully supported by SyMenu. Open the menu "Tools" -> "Get new apps" and, inside the "SyMenu Suite" tab, apply the search filter ":pub sysinternals", then check all applications and press the "Apply all" button.

2) Magnet Forensics

EDD and MagnetRAMCapture can be downloaded from Magnet Forensics' website:

  • http://www.magnetforensics.com/free_tools/EncryptedDiskDetector
  • http://www.magnetforensics.com/free_tools/MagnetRAMCapture/

Once obtained, put the executable files in this directory:
\Bento\ProgramFiles\SPSSuite\BentoSuite

3) KAPE

The KAPE tool is supported by SyMenu. Open the menu "Tools" -> "Get new apps" and, inside the "SyMenu Suite" tab, search for "KAPE", then check it and press the "Apply all" button.

4) AccessData FTK Imager Lite, FTK Imager and FTK Imager Command Line

FTK Imager Lite is supported by SyMenu. Open the menu "Tools" -> "Get new apps" and, inside the "SyMenu Suite" tab, search for "FTK Imager Lite", then check it and press the "Apply all" button.

FTK Imager Lite has been discontinued, but from AccessData's web site https://accessdata.com/product-download you can download FTK Imager, install it on a trusted workstation and then copy the content of C:\Program Files\AccessData\FTK Imager into \Bento\ProgramFiles\SPSSuite\BentoSuite\FTK Imager.

From AccessData's web site https://accessdata.com/product-download you can also download the FTK Imager Command Line versions:

  • for Debian/Ubuntu
    • Put it inside \Bento\ProgramFiles\linux\ftkimager\debian
  • for Fedora
    • Put it inside \Bento\ProgramFiles\linux\ftkimager\fedora
  • for Mac OSX
    • Put it inside \Bento\ProgramFiles\macosx\ftkimager
  • for Windows
    • Put it inside \Bento\ProgramFiles\windows-cli\ftkimager

5) AChoir

Remember to run AChoir BUILDER once from the Bento menu on a trusted workstation connected to the Internet to complete that toolkit.