ImagingCapture Tools

Utilities

The dd utility is one of the original Unix utilities; however, it's now used in Linux and Windows as well. It has been around since the 1970s and is probably in every forensic investigator 's tool box. The free dd utility can make exact copies of disks that are suitable for forensic analysis, and it can be used as a means to build an evidence file. Because it is a command-line tool, it requires a sound knowledge of Unix/Linux and the Windows command-line syntax to be used properly. You can use dd to copy and convert magnetic tape formats, convert between ASCII and EBCDIC , swap bytes, and force to uppercase and lowercase. Modified versions of dd intended specifically for use as a forensic utility are also available. The dd copy command has special flags that make it suitable for copying devices, such as tapes.

dd utility

Copy and convert utility. Originally included with most versions of Unix and Linux, versions now exist for Windows as well.

ASCII

Stands for American Standard Code for Information Interchange. It is a single- byte character encoding scheme used for text-based data.

EBCDIC

Stands for Extended Binary Coded Decimal Interchange Code. It is a character encoding set used by IBM mainframes. Most computer systems use a variant of ASCII, but IBM mainframes and midrange systems, such as the AS/400, use this character set primarily designed for ease of use on punched cards.

WinHex is a universal hexadecimal editor for Windows 95/98/Me/NT/2000/ XP. WinHex has minimal system requirements, operates very fast, and needs little memory. It is an advanced tool for inspecting and editing various types of files, recovering deleted files or lost data from hard drives or from digital camera cards. The disk and memory imaging features include:

• Disk editor for both logical and physical disks, including hard disks, floppy disks, CD-ROM, DVD, Zip disks, and Compact Flash

• Supports FAT16, FAT32, NTFS, and CDFS filesystems

• RAM editor used to edit other processes' virtual memory

• Disk cloning

• Drive images that can be compressed or split into 650MB archives

Grave-Robber is part of The Coroner's Toolkit (TCT). The Coroner's Toolkit (TCT) is a collection of tools that are used for collecting and analyzing forensic data on a Unix system. Grave-Robber is a program that controls a number of other tools, all of which work to capture as much information as possible about a potentially compromised system and its files. Using it is an automated way to collect evidence. It gathers evidence, in this order:

• Memory

• Unallocated filesystem

• Netstat, arp, route

• Captures all process data

• Statistics and MD5 on all files and strings on directories

• Configurations and logs

  Note	Courts often accept evidence collected by tools that have been used in past trials. Tools such as The Coroner's Toolkit and commercially available forensic software are significant because the data collected by the tools is trusted and can be used as evidence.

The Incident Response Collection Report (IRCR) is similar to TCT. The program is a collection of tools that gathers and analyzes forensic data on Windows systems. Like TCT, most of the tools are oriented toward data collection rather than analysis. IRCR is simple enough that anyone can run the tool and forward the output to a forensic investigator for further analysis.

The Legal Imager and reaSsembly Application (LISA) is a DOS-based disk- imaging tool, suitable for making images of hard disk drives for forensic analysis. LISA can clone a drive, validate images on either CD or disk, image a series of floppy disks, or image single partitions. LISA also maintains a database of all located disks. It will also image local disks across networks. In terms of security, LISA utilizes a 32-bit CRC fingerprint for all imaging and rebuilding actions.

Commercial Software

EnCase is a commercial software package that enables an investigator to image and examine data from hard disks, removable media, and some PDAs. It enables examiners to acquire and analyze volatile data, image drives, verify the copy is exact using MD5 and CRC, and mount evidence files of hard drives and CDROMs as local drives. It also includes the ability to boot the mounted drive in VMware. Many law enforcement groups throughout the world use EnCase. If an investigation might be handed over to the police or used in a court of law, you should consider using EnCase.

SafeBack is a commercial computer forensics program also commonly used by law enforcement agencies. SafeBack is used to create bit stream backup files of hard disks or to make a mirror-image copy of an entire hard disk drive or partition. It is used primarily for imaging the hard disks of Intel-based computer systems and restoring these images to other hard disks. It is a DOS-based program that can be run from a floppy disk and is intended only for imaging.

Access Data's Forensic Toolkit (FTK) takes a snapshot of the entire disk drive and copies every bit value for analysis. It provides a complete and thorough computer forensic examination of computer disk drives. Suppported filesystems include FAT 12/16/32, NTFS, NTFS compressed, and Linux ext2 and ext3. Like EnCase, it is a full suite of forensic applications.

ByteBack is a suite of tools requiring only a PC with a floppy drive and a DOS 5 or higher boot device. It allows you to block or write protect a device before performing any operation. It can be used to image a disk with a transfer rate of about 200MB per minute, and it supports DOS, Windows, Unix, and Linux filesystems.

The ILook Investigator is a set of computer forensic tools used to capture and analyze images created from computer system hard drives and other external storage media that run on Windows 2000 and Windows XP platforms. The newest version has two components . The IXimager is an imaging tool used to create an image from computers and related media. It is designed and constructed to follow forensic best practices.

ILook is provided free to qualifying agencies throughout the world. Eligible users must be involved in computer forensics and employed by one of the following:

• Law enforcement agency whose employees are sworn law enforcement officers

• Government intelligence agency

• Military agency with authority in criminal and or counter intelligence investigations

• Government, state, or other regulatory agency with a law enforcement mission

ILook is directly developed and supported by the IRS Criminal Investigation Division in conjunction with other federal agencies, including the FBI, ATF, and the Department of Defense.

Maresware is a set of programs frequently used by law enforcement, government intelligence agencies, computer forensics experts, and corporate internal security personnel. The NTIMAGE program was still in beta status as of January 2004. The NTIMAGE program is designed to create forensic images while running directly under the Windows NT, Windows 2000, and Windows XP operating systems so that it can image a drive when the system cannot be shut down. It has these additional capabilities:

• Creates a disk-to-disk clone or an output image file using either a single file or sections to write to CD

• Creates a compressed output file

• Creates a drive clone while simultaneously creating an image file

• Performs CRC32, MD5, SHA1, SHA2 (256-, 384-, 512-bit) hashes on the drive separate from the imaging, on specific sectors of the drive, or while imaging the drive

SnapBack DatArrest Forensic Suite is an easy-to- operate suite of tools used for forensic data seizures. It works on virtually all IBM-compatible computers and is used for making drive-to-drive or partition-to-drive images. It can perform the following copy methods :

• Server or PC hard drives to tape

• Server or PC hard drive to removable media

• Hard drive to hard drive

• Tape to tape

The captured image contains all system software, networking software, associated drivers, software applications, configurations, and data files as well as the BIOS settings for the system so that you have a complete copy of the drive including the operating system, applications, and all of the data.

PDA Tools

Palm dd ( pdd ) is a Windows-based tool for Palm OS memory-imaging and forensic analysis. The Palm OS Console mode is used to capture memory card information and to create a bit-for-bit image of the selected memory region.

PDAZap is a small application that, when placed on a SonyEricsson P800 (Symbian), will allow you to image the device's flash memory to a Sony Memory Stick Duo. This image in turn can be used by forensic investigators to analyze the data captured.

This is simply a list of the most common tools used to capture data for analysis. Remember that forensic tools come in many different shapes and sizes. The successful use of these tools stems from being able to identify the most appropriate tool for your environment and becoming familiar with them before the need for an investigation arises.