Just as with every other step along the way, the forensic software used during the examination should be documented by its version and should be used in accordance with the vendor's licensing agreement. The software should also be properly tested and validated for its forensic use. Several papers are available that document the NIST and the Department of Justice testing of various tools. You can find these papers on their websites. The link for NIST is http://www.cftt.nist.gov/ and the link for the Department of Justice is http://www.ojp.usdoj.gov/nij/sciencetech/cftt.htm. You also need to document all standard procedures and processes that you used, as well as any variations to or deviations from standard procedures. To reliably analyze any system, you must use unmodified, authentic tools. Remember, you should be prepared to testify to the authenticity and reliability of the tools that you use.
Be sure you have the proper tools to perform your investigation, including programs to collect evidence and perform forensic exams. Your tools should be on read-only media, such as a CD-R. In addition, make sure to have a set of tools for every operating system. Your set of tools should include the following:
A program such as ps or PsService for examining processes and services running
Programs such as arp and Netstat for examining the system state
Scripts or programs to automate evidence collection
A program for doing bit-to-bit copies
Programs for generating checksums to verify the image
Forensic tools come in many different shapes and sizes. Besides programs and scripts for capturing data, there are handheld forensic imaging tools such as the one shown previously in this chapter. The successful use of forensic tools stems from being able to identify which are the most appropriate for your environment and becoming familiar with them before the need for an investigation arises.
The dd utility is one of the original Unix utilities; however, it's now used in Linux and Windows as well. It has been around since the 1970s and is probably in every forensic investigator's tool box. The free dd utility can make exact copies of disks that are suitable for forensic analysis, and it can be used as a means to build an evidence file. Because it is a command-line tool, it requires a sound knowledge of Unix/Linux and the Windows command-line syntax to be used properly. You can use dd to copy and convert magnetic tape formats, convert between ASCII and EBCDIC, swap bytes, and force to uppercase and lowercase. Modified versions of dd intended specifically for use as a forensic utility are also available. The dd copy command has special flags that make it suitable for copying devices, such as tapes.
dd: Copy and convert utility. Originally included with most versions of Unix and Linux, versions now exist for Windows as well.
ASCII: Stands for American Standard Code for Information Interchange. It is a single-byte character encoding scheme used for text-based data.
EBCDIC: Stands for Extended Binary Coded Decimal Interchange Code. It is a character encoding set used by IBM mainframes. Most computer systems use a variant of ASCII, but IBM mainframes and midrange systems, such as the AS/400, use this character set primarily designed for ease of use on punched cards.
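The following added example (not from the original text) shows the two tool-kit items described above working together: a bit-to-bit copy made with dd, and a checksum that verifies the image against the source. It assumes GNU coreutils (dd, sha256sum), uses SHA-256 as the checksum, and uses a constructed file in place of a real evidence device; the function names digest, acquire and verify are hypothetical.

```shell
#!/bin/sh
# Added example: dd acquisition followed by checksum verification.
# Assumes GNU coreutils. The "device" is a constructed file, not real evidence.

# Print only the hex digest of a file or device.
digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# acquire SRC IMG: bit-for-bit copy, then record the digest beside the image.
# conv=noerror,sync continues past unreadable sectors and zero-fills them so
# later offsets stay aligned with the source; bs=512 limits each zero-fill to
# a single sector. dd's record counts are kept in IMG.ddlog for the case notes.
acquire() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>"$2.ddlog" || return 1
    digest "$2" > "$2.sha256"
    chmod a-w "$2" "$2.sha256"   # guard the working copy against accidental writes
}

# verify SRC IMG: source, image and recorded digest must all agree.
verify() {
    src_sum=$(digest "$1") || return 2
    img_sum=$(digest "$2") || return 2
    rec_sum=$(cat "$2.sha256") || return 2
    [ "$src_sum" = "$img_sum" ] && [ "$img_sum" = "$rec_sum" ]
}

demo() {
    work=$(mktemp -d) || return 1
    # Constructed 1 MiB source: 2048 sectors filled with the byte 'E'.
    dd if=/dev/zero bs=512 count=2048 2>/dev/null | tr '\000' 'E' > "$work/src.bin"
    acquire "$work/src.bin" "$work/image.dd" || return 1
    if verify "$work/src.bin" "$work/image.dd"; then
        echo "image verified: $(cat "$work/image.dd.sha256")"
    else
        echo "MISMATCH: image does not match source" >&2
    fi
    chmod -R u+w "$work"; rm -rf "$work"
}

demo
```

On a real acquisition the source would be attached through a write blocker and the recorded digest and dd log would go into the examination notes alongside the tool version.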
WinHex is a universal hexadecimal editor for Windows 95/98/Me/NT/2000/XP. WinHex has minimal system requirements, operates very fast, and needs little memory. It is an advanced tool for inspecting and editing various types of files, recovering deleted files or lost data from hard drives or from digital camera cards. The disk and memory imaging features include:
Disk editor for both logical and physical disks, including hard disks, floppy disks, CD-ROM, DVD, Zip disks, and Compact Flash
Supports FAT16, FAT32, NTFS, and CDFS filesystems
RAM editor used to edit other processes' virtual memory
Drive images that can be compressed or split into 650MB archives
Grave-Robber is part of The Coroner's Toolkit (TCT), a collection of tools that are used for collecting and analyzing forensic data on a Unix system. Grave-Robber is a program that controls a number of other tools, all of which work to capture as much information as possible about a potentially compromised system and its files. Using it is an automated way to collect evidence. It gathers evidence in this order:
Netstat, arp, route
Captures all process data
Statistics and MD5 on all files and strings on directories
Configurations and logs
Courts often accept evidence collected by tools that have been used in past trials. Tools such as The Coroner's Toolkit and commercially available forensic software are significant because the data collected by the tools is trusted and can be used as evidence.
The Incident Response Collection Report (IRCR) is similar to TCT. The program is a collection of tools that gathers and analyzes forensic data on Windows systems. Like TCT, most of the tools are oriented toward data collection rather than analysis. IRCR is simple enough that anyone can run the tool and forward the output to a forensic investigator for further analysis.
The Legal Imager and reaSsembly Application (LISA) is a DOS-based disk-imaging tool, suitable for making images of hard disk drives for forensic analysis. LISA can clone a drive, validate images on either CD or disk, image a series of floppy disks, or image single partitions. LISA also maintains a database of all located disks. It will also image local disks across networks. In terms of security, LISA utilizes a 32-bit CRC fingerprint for all imaging and rebuilding actions.
EnCase is a commercial software package that enables an investigator to image and examine data from hard disks, removable media, and some PDAs. It enables examiners to acquire and analyze volatile data, image drives, verify the copy is exact using MD5 and CRC, and mount evidence files of hard drives and CDROMs as local drives. It also includes the ability to boot the mounted drive in VMware. Many law enforcement groups throughout the world use EnCase. If an investigation might be handed over to the police or used in a court of law, you should consider using EnCase.
SafeBack is a commercial computer forensics program also commonly used by law enforcement agencies. SafeBack is used to create bit stream backup files of hard disks or to make a mirror-image copy of an entire hard disk drive or partition. It is used primarily for imaging the hard disks of Intel-based computer systems and restoring these images to other hard disks. It is a DOS-based program that can be run from a floppy disk and is intended only for imaging.
Access Data's Forensic Toolkit (FTK) takes a snapshot of the entire disk drive and copies every bit value for analysis. It provides a complete and thorough computer forensic examination of computer disk drives. Supported filesystems include FAT 12/16/32, NTFS, NTFS compressed, and Linux ext2 and ext3. Like EnCase, it is a full suite of forensic applications.
ByteBack is a suite of tools requiring only a PC with a floppy drive and a DOS 5 or higher boot device. It allows you to block or write protect a device before performing any operation. It can be used to image a disk with a transfer rate of about 200MB per minute, and it supports DOS, Windows, Unix, and Linux filesystems.
The ILook Investigator is a set of computer forensic tools used to capture and analyze images created from computer system hard drives and other external storage media that run on Windows 2000 and Windows XP platforms. The newest version has two components. The IXimager is an imaging tool used to create an image from computers and related media. It is designed and constructed to follow forensic best practices.
ILook is provided free to qualifying agencies throughout the world. Eligible users must be involved in computer forensics and employed by one of the following:
Law enforcement agency whose employees are sworn law enforcement officers
Government intelligence agency
Military agency with authority in criminal and/or counterintelligence investigations
Government, state, or other regulatory agency with a law enforcement mission
ILook is directly developed and supported by the IRS Criminal Investigation Division in conjunction with other federal agencies, including the FBI, ATF, and the Department of Defense.
Maresware is a set of programs frequently used by law enforcement, government intelligence agencies, computer forensics experts, and corporate internal security personnel. The NTIMAGE program was still in beta status as of January 2004. The NTIMAGE program is designed to create forensic images while running directly under the Windows NT, Windows 2000, and Windows XP operating systems so that it can image a drive when the system cannot be shut down. It has these additional capabilities:
Creates a disk-to-disk clone or an output image file using either a single file or sections to write to CD
Creates a compressed output file
Creates a drive clone while simultaneously creating an image file
Performs CRC32, MD5, SHA1, SHA2 (256-, 384-, 512-bit) hashes on the drive separate from the imaging, on specific sectors of the drive, or while imaging the drive
SnapBack DatArrest Forensic Suite is an easy-to-operate suite of tools used for forensic data seizures. It works on virtually all IBM-compatible computers and is used for making drive-to-drive or partition-to-drive images. It can perform the following copy methods:
Server or PC hard drives to tape
Server or PC hard drive to removable media
Hard drive to hard drive
Tape to tape
The captured image contains all system software, networking software, associated drivers, software applications, configurations, and data files as well as the BIOS settings for the system so that you have a complete copy of the drive including the operating system, applications, and all of the data.
Palm dd (pdd) is a Windows-based tool for Palm OS memory-imaging and forensic analysis. The Palm OS Console mode is used to capture memory card information and to create a bit-for-bit image of the selected memory region.
PDAZap is a small application that, when placed on a SonyEricsson P800 (Symbian), will allow you to image the device's flash memory to a Sony Memory Stick Duo. This image in turn can be used by forensic investigators to analyze the data captured.
This is simply a list of the most common tools used to capture data for analysis. Remember that forensic tools come in many different shapes and sizes. The successful use of these tools stems from being able to identify the most appropriate tool for your environment and becoming familiar with them before the need for an investigation arises.