Forensics Software


Specialized tools are available for the acquisition of the forensics media, the recovery of data from that media, and the searching and cataloging of that data. An investigation team should be trained in the use of a standard suite but should be familiar with other tools as well. Case law on the admissibility of software is mixed. At one time, the investigator would be asked to personally validate the source code of the tools used. Many of the tools discussed in this chapter do not provide their source code. However, the vendors might be willing to provide expert testimony if requested or might be able to provide other information (such as case precedents) if this is an issue. Some forensics training courses and texts refer to "generally accepted forensics tools." However, there does not seem to be a consensus in the investigative community (at least at the time of this writing) as to what those generally accepted tools are. The best advice is to use commercially available tools that have a track record of successful use in litigation and prosecution, and to not rely on custom or internally developed techniques unless the investigator is prepared to personally testify as to their effectiveness and reliability.

Product Information

Nothing in this section or chapter is intended to act as an endorsement of any particular product. Information on these products is current as of the time of writing, is provided for informational purposes only, and is not intended to be exhaustive. Other competing products might also be available, and product specifications are subject to change without notice.

Media Acquisition Tools

When acquiring the media for examination, there are two major considerations. First, the software must make an exact, bit-by-bit copy. Without this, any evidence in deleted files will be lost. It will also be extremely difficult to defend the evidence in any proceedings unless an exact copy is obtained. Second, the software must not modify the original data in any way. Most media-acquisition tools accomplish both objectives by loading a trusted operating system that is used to copy the data from the original disk to a destination drive or drives.

  • Hardware-copying devices. Although it is possible to use a dedicated drive-copying machine, these generally are not recommended. They usually are limited as to the size or characteristics of the disks they can clone, so they are not as flexible as software-copying tools. However, if an organization has such a machine (possibly used for building and distributing desktop PC configurations), it could be used to make a copy.

  • Disk-cloning software. A number of readily available tools can clone a hard disk, or a partition, from one disk to another. These are generally sold not as forensics tools but as tools used when upgrading or replacing a disk drive. For example, DriveCopy by PowerQuest (www.powerquest.com) "can easily copy the entire contents of your old hard drive to your new one. DriveCopy copies every setting, preference, and byte of data, including hidden files. No more guessing or worrying if everything was copied." [2] The issue with tools like this is that they might not make an exact, bit-by-bit copy. This can make it difficult to defend the sanctity of the evidence. However, they can be useful in certain circumstances (for example, if the evidence disk needs to be replaced so that the suspect can continue working).

    [2] DriveCopy Product Specification Sheet, http://a480.g.akamai.net/7/480/2667/6d12701a048fb0/www.powerquest.com/drivecopy/DC3_EI_spec.pdf.

  • SafeBack. SafeBack (www.forensics-intl.com) was developed specifically to make exact imaged copies for forensics purposes. It enables the investigator to copy the drive to another drive or to removable storage (such as ZIP disks or tape). The image then can be either examined directly using some search tools or restored to a target hard disk for examination. The tool can image any file system, provided the drive is running on (or can be mounted on) an X86-based system because the tool addresses the drive at the partition level, not the file system. SafeBack certifies that the copy it makes is an exact, bit-by-bit copy of the original. The tool streams the data from the source drive to the target. This bit stream can then be restored to another drive (provided, of course, that the target is at least as large as the original).

Search Tools

Searching the evidence requires both a capable search tool and a careful plan on what to search for. File viewers are invaluable during the search phase. File viewers include those bundled as part of other suites (such as Norton Utilities) as well as dedicated viewers such as QuickView Plus.

Disk editors can also be useful during search and analysis. Norton Disk Editor has been the de facto standard for years. Hex editors are useful to examine file fragments for text strings.

Some other software tools can be used during the search phase as well. For example, the file search capability within Windows can be used to find files containing text strings. The grep utility (available in UNIX and NT) also provides this capability.

Any tool that examines the drive at the operating system level, however, will modify the data. This means, for example, that a tool can be used to find certain files and examine them, but the date and time stamps will not be reliable after the files have been viewed.

Some specialized search tools have been developed for law enforcement use to search and categorize images. These are generally used to search for pornography on seized systems. They are not available to the general public, but the investigator might see them if assisting a law enforcement agency.

  • DiskSearch Pro. DiskSearch (www.forensics-intl.com) is a text search program used to search evidence drives for strings of text embedded within files. It also provides the capability to search both deleted files and file slack. DiskSearch supports all types of FAT file systems.
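The kind of search DiskSearch performs, over the raw bytes of an image rather than through the file system, is illustrated by the following added example. It is not code from the book or from any of the products named here. The image layout, sector size, allocation map and all strings in it are constructed for the example; the point is that a keyword can be found whether it sits in a live file, in the slack past the end of that file, or in a sector whose directory entry is gone, and that Windows-style UTF-16 text is only found if the search also tries that encoding.

```python
# Raw-image keyword search over live data, file slack and unallocated sectors.
# Added example; layout, sector size and contents are constructed, not taken
# from any real file system or forensics product.

SECTOR = 512
LIVE = b"Quarterly report: revenue up 12%"        # live file content in sector 0
SLACK = b"old password list"                      # residue past the live file's end (file slack)
DELETED = b"transfer funds to account 4417"       # data of a deleted file; its directory entry is gone
WIDE = "Invoice 2002-07".encode("utf-16-le")      # wide-character string in unallocated space

# Constructed allocation map: sector -> bytes the live file actually uses in that sector.
# Every sector not listed is unallocated as far as the (toy) file system is concerned.
ALLOCATED = {0: len(LIVE)}


def build_sample_image():
    """Assemble an 8-sector image with live, slack, deleted and wide-string data."""
    img = bytearray(SECTOR * 8)
    img[0:len(LIVE)] = LIVE
    img[SECTOR - len(SLACK):SECTOR] = SLACK
    img[SECTOR * 5:SECTOR * 5 + len(DELETED)] = DELETED
    img[SECTOR * 6:SECTOR * 6 + len(WIDE)] = WIDE
    return bytes(img)


def classify(offset):
    """Label an image offset as allocated, slack or unallocated using ALLOCATED."""
    sector = offset // SECTOR
    if sector not in ALLOCATED:
        return "unallocated"
    if offset % SECTOR >= ALLOCATED[sector]:
        return "slack"
    return "allocated"


def search_image(image, keywords, encodings=("ascii", "utf-16-le"), context=16):
    """Find every occurrence of each keyword in each encoding; report offset and region."""
    hits = []
    for keyword in keywords:
        for enc in encodings:
            needle = keyword.encode(enc)
            start = 0
            while True:
                idx = image.find(needle, start)
                if idx < 0:
                    break
                lo, hi = max(0, idx - context), idx + len(needle) + context
                hits.append({
                    "keyword": keyword,
                    "encoding": enc,
                    "offset": idx,
                    "sector": idx // SECTOR,
                    "region": classify(idx),
                    "context": image[lo:hi],
                })
                start = idx + 1  # keep going; the same word may recur in the sector
    hits.sort(key=lambda h: h["offset"])
    return hits


if __name__ == "__main__":
    for hit in search_image(build_sample_image(), ["report", "password", "transfer", "Invoice"]):
        print(f"{hit['offset']:6d} sector {hit['sector']} {hit['region']:11s} "
              f"{hit['encoding']:9s} {hit['keyword']!r}")
```

The search is byte-oriented and case-sensitive; on a real image the keyword list would normally be expanded with case variants and the context bytes examined in a hex editor, as the text suggests. The region label is only as good as the allocation map fed to it, which on a real drive comes from parsing the FAT or MFT rather than from a constant.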

Integrated Suites

A number of integrated software suites provide the capability to acquire data, perform searches, and produce reports.

  • Byte Back. Byte Back (www.toolsthatwork.com) provides the capability to write-protect the evidence media during acquisition. It also provides analysis of the physical and logical structure of the disk. It enables the analyst to do rudimentary searches of the evidence for certain data and enables files to be viewed as either HEX or ASCII. Byte Back supports FAT16, FAT32, and NTFS drives. (Note: Most, if not all, of these suites can acquire data from other file systems but cannot do analysis on those systems.)

  • DriveSpy. DriveSpy (www.digitalintel.com) also provides the capability to block any writes to the evidence disk during acquisition. The tool calculates an MD5 hash of the disk to verify that the final copy is exactly the same as the original evidence. The software also provides some search capabilities, both at the physical and the logical layers. DriveSpy supports FAT disks only.

  • EnCase. EnCase (www.guidancesoftware.com) is arguably the most widely used forensics software suite, at least for Windows. The tool enables the investigator to copy the original disks (which are write-protected during the process) to multiple files using a proprietary compression algorithm. These files can then be either analyzed directly using the tool or used to create a clone of the original disk. Each file is hashed during creation, and the hash is verified during the analysis portion. The tool has extensive keyword searching capabilities and also allows for certain file viewing plug-ins (for example, to view graphics files). EnCase supports FAT16, FAT32, NTFS, Linux (EXT2), and Macintosh (HFS and HFS+). The tool also has an extensive reporting capability.

  • Expert Witness. Expert Witness (www.asrdata.com) enables the investigator to make an exact, bit-by-bit copy of the original evidence. The tool supports multiple file systems for Macintosh, including HFS, HFS+, FAT12, FAT16, UFS, ISO9660, and EXT2. It accesses the drives at a level below the file system.
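The two acquisition requirements stated earlier (an exact bit-by-bit copy, and no modification of the original) together with the hash verification that DriveSpy and EnCase perform are shown end to end in the following added example. It is not code from the book or from any of these products: the segment naming (`evidence.000`, `evidence.001`, ...), the manifest layout and the segment size are assumptions made for the example, and there is no compression, so it does not produce an EnCase-compatible file. MD5 is used because the text names it; a SHA-256 of the whole stream is recorded alongside it. The "device" is a constructed file in a temporary directory so the example runs offline.

```python
# Bit-for-bit acquisition into hashed segments, plus verification of the copy.
# Added example with constructed input; segment naming and manifest format are
# assumptions for illustration, not any product's on-disk format.
import hashlib
import pathlib
import tempfile

CHUNK = 64 * 1024  # bytes read from the source per I/O call


def make_sample_source(path, size):
    """Write a deterministic, constructed stand-in for an evidence device."""
    pattern = bytes(range(256))
    with open(path, "wb") as fh:
        remaining = size
        while remaining > 0:
            piece = pattern[:min(remaining, len(pattern))]
            fh.write(piece)
            remaining -= len(piece)


def _close_segment(manifest, seg):
    """Finish the open segment and record its name, length and MD5 in the manifest."""
    idx, fh, md5, written = seg
    fh.close()
    manifest["segments"].append(
        {"name": f"evidence.{idx:03d}", "bytes": written, "md5": md5.hexdigest()})
    return None


def acquire(source, out_dir, segment_size):
    """Stream `source` unchanged into numbered segment files of at most `segment_size` bytes.

    The source is opened read-only and never written. Returns a manifest with
    a per-segment MD5 and whole-stream MD5/SHA-256 for later verification.
    """
    out_dir = pathlib.Path(out_dir)
    whole_md5, whole_sha = hashlib.md5(), hashlib.sha256()
    manifest = {"segment_size": segment_size, "total_bytes": 0, "segments": []}
    seg = None  # [index, file handle, md5 object, bytes written] for the open segment
    with open(source, "rb") as src:
        while True:
            data = src.read(CHUNK)
            if not data:
                break
            whole_md5.update(data)
            whole_sha.update(data)
            manifest["total_bytes"] += len(data)
            pos = 0
            while pos < len(data):
                if seg is None:
                    idx = len(manifest["segments"])
                    fh = open(out_dir / f"evidence.{idx:03d}", "xb")  # 'x': never overwrite
                    seg = [idx, fh, hashlib.md5(), 0]
                piece = data[pos:pos + (segment_size - seg[3])]
                seg[1].write(piece)
                seg[2].update(piece)
                seg[3] += len(piece)
                pos += len(piece)
                if seg[3] == segment_size:
                    seg = _close_segment(manifest, seg)
    if seg is not None:
        _close_segment(manifest, seg)
    manifest["md5"] = whole_md5.hexdigest()
    manifest["sha256"] = whole_sha.hexdigest()
    return manifest


def verify_image(out_dir, manifest):
    """Re-read every segment; check each segment MD5, the total length and the stream MD5."""
    out_dir = pathlib.Path(out_dir)
    whole = hashlib.md5()
    total = 0
    for entry in manifest["segments"]:
        seg_md5 = hashlib.md5()
        with open(out_dir / entry["name"], "rb") as fh:
            for data in iter(lambda: fh.read(CHUNK), b""):
                seg_md5.update(data)
                whole.update(data)
                total += len(data)
        if seg_md5.hexdigest() != entry["md5"]:
            return False
    return total == manifest["total_bytes"] and whole.hexdigest() == manifest["md5"]


def run_demo():
    """Image a 160 KiB constructed device into 64 KiB segments, verify, corrupt one bit, verify again."""
    work = pathlib.Path(tempfile.mkdtemp())
    source = work / "device.raw"
    make_sample_source(source, 160 * 1024)
    image_dir = work / "image"
    image_dir.mkdir()
    manifest = acquire(source, image_dir, segment_size=64 * 1024)
    clean = verify_image(image_dir, manifest)
    seg_path = image_dir / manifest["segments"][1]["name"]
    data = bytearray(seg_path.read_bytes())
    data[100] ^= 0x01  # a single flipped bit in the second segment
    seg_path.write_bytes(data)
    tampered = verify_image(image_dir, manifest)
    source_md5 = hashlib.md5(source.read_bytes()).hexdigest()
    return {"segments": len(manifest["segments"]), "total_bytes": manifest["total_bytes"],
            "clean": clean, "tampered": tampered, "matches_source": manifest["md5"] == source_md5}


if __name__ == "__main__":
    print(run_demo())
```

On a real acquisition the source would be the raw device node behind a hardware or software write blocker, and the manifest (hashes, segment list, total length) would be recorded in the case notes at acquisition time; the verification step is what lets the analyst show later that the files examined are the bytes that were copied.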



Incident Response: A Strategic Guide to Handling System and Network Security Breaches
ISBN: 1578702569
Year: 2002
Pages: 103