After you have a verified copy of original media, you're ready to begin the analysis process. You can use the tools discussed in the following sections to perform many forensics functions. Your choice of tools depends on your specific needs. The following sections include common software and hardware tools and briefly discuss their capabilities.
As with the disk imaging tools, your choice of which tools to use depends on the following:
Operating system(s) supported
User interface preference
Price
Functionality/capabilities
Vendor loyalty
Several companies specialize in developing and providing forensic tools. These companies produce software and/or hardware with diverse functionality. Some suites of forensic software are tightly integrated and have mature user interfaces. Other forensic suites are little more than a collection of useful utilities. Consider the following tools and try out the ones you like. Your final choice of forensic tools should provide the functionality to perform the examinations you will encounter. Although all the bells and whistles are nice, get what you really need.
Guidance Software produces the EnCase product line. The products were originally developed for law enforcement personnel to carry out investigations. The product line has grown to support commercial incident response teams as well as law enforcement. The EnCase product is built around the general concept of the case. The first action you take is to create a case file. All subsequent activities are related to a case.
EnCase is an integrated Windows-based graphical user interface (GUI) suite of tools. Although the EnCase functionality is impressive, you will likely need another utility at some point. Fully integrated solutions can increase productivity, but don't hesitate to use another tool when you need it.
Here are just a few features of EnCase:
Enterprise Edition provides centralized monitoring and real-time investigation with no service interruptions
Snapshot enables investigators to capture volatile information including:
RAM contents
Running programs
Open files and ports
Organizes results into case files and manages case documents
Helps maintain the chain of custody
Provides tools for incident response team to respond to emerging threats
Supports real-time and postmortem examinations
EnCase provides the functionality to acquire and examine many types of evidence. The organization around a case provides the structure to keep information in order. All in all, EnCase is one of the premium suites of software you definitely want to evaluate when selecting your forensics tools. For more information on EnCase, visit the Guidance Software website at http://www.encase.com .
Another forensic suite that provides an integrated user interface is AccessData 's Forensic Toolkit (FTK). FTK runs in Windows operating systems and provides a very powerful tool set to acquire and examine electronic media. As discussed earlier in this chapter, FTK contains a disk imaging tool. This imaging tool provides one or more copies of primary evidence for analysis.
FTK provides an easy-to-use file viewer that recognizes over 270 types of files. FTK also provides full text indexing powered by dtSearch. We will cover dtSearch's features later in this chapter. The integrated file viewer and search capabilities provide the ability to find evidence on any device.
FTK works with media images created by several imaging utilities, including:
FTK
EnCase
SMART
SnapBack
SafeBack (not V3.0)
Linux dd
The searching capabilities of FTK include e-mail and Zip file analysis. FTK supports searching through many e-mail formats, including:
AOL
Netscape
Yahoo
EarthLink
Eudora
Hotmail
MSN
FTK can quickly examine archive files in different formats as well. Files these programs generated are supported:
PKZIP
WinZip
WinRAR
GZIP
TAR
All results are organized by case and are presented in the case content summary. For more information on FTK, visit the AccessData website at http://www.accessdata.com .
Maresware Computer Forensics software, developed by Mares and Company, is really a collection of tools useful to the forensic investigator . Like many of the forensics tools available, these tools were originally developed for law enforcement personnel. The tools in the set are the ones forensic examiners routinely use during an investigation.
Maresware features are similar to competitive products. The software provides tools to acquire and verify media images and examine the images. Core functionality includes searching and hidden file identification. The most notable difference from other forensic software suites is that the Maresware tools are stand-alone tools and can be called as needed. There is no set method or processing order you must follow. Maresware is flexible enough to allow you to use the tools you need in the order you need them.
Although the core functionality is similar to other competing products, at least four programs in the Maresware tool set bear individual description:
Declasfy A disk wiping program that overwrites the contents of physical media in compliance with U.S. Department of Defense (DoD) standards. The resulting media meets strict regulatory requirements for media reuse.
Brandit A utility that brands hard disks with identifying ownership information. This utility is useful to trace and identify stolen hard drives .
Bates_no This program assists in managing records and files by adding identifying numbers to document filenames. Identifying numbers, such as case-related numbers , makes it easier to group files together.
Upcopy A copy program that makes it easy to copy entire directories from a source location to a destination without changing any attributes or time/date stamps.
For more features or information on Maresware Computer Forensics software, visit the Mares and Company website at http://www.dmares.com/maresware/software.htm .
Paraben Forensics Tools, produced by Paraben Corporation, is another collection of stand-alone tools. The Paraben forensic product line is actually made up of 10 individual software tool sets that make up the entire forensic suite. Each of the products can be purchased individually, and the pricing structure provides discounts for purchasing multiple tools.
Paraben's tools are frequently used with personal digital assistants (PDAs) and cell phones. Although this company's other software products are fine products, examine Paraben's products first if you want to examine PDAs or cell phones. Paraben has extensive experience in cell phone and PDA forensics tools. PDA and cell phone forensics is an area that has its own nuances . Paraben knows the ropes and can share a lot of knowledge. Here is a brief list of the Paraben Forensics tools:
Forensic Replicator A disk imaging and verification tool. Details of this product were discussed earlier in this chapter.
Forensic Sorter A tool that classifies data into one of 14 different categories, making examinations more productive. Organized data is easier to handle in groups of like data.
Network E-mail Examiner A tool that examines network e-mail archives.
E-mail Examiner A tool that examines e-mail files from over 15 mail types.
Decryption Collection A set of tools that help recover passwords and decrypt encrypted data.
Text Searcher A fast tool that searches media for desired text strings.
Case Agent Companion A set of tools that includes a file viewer capable of viewing over 225 file formats, along with searching and reporting tools. The tools help an examiner organize examination results by case.
PDA Seizure A tool used to acquire, view, and reports on evidence from PDAs.
Cell Seizure A tool used to acquire, view, and report on evidence from cell phones.
For more information on any of the Paraben product line, visit the Paraben Forensic Tools website at
http://www.paraben-forensics.com/products.html.
The Coroner's Toolkit (TCT) is the first of two open source forensic software suites in our list. It was designed by Dan Farmer and Wieste Venema. TCT is a collection of programs written to support a postmortem analysis of Unix and Linux systems.
Unlike many other forensic tools, TCT was written more for incident response than law enforcement investigations. Due to its origins, TCT was not designed around the stringent requirements to produce and manage courtroom admissible evidence. As a result, it's up to you to manage your case files and properly maintain the chain of custody.
The documentation is straightforward and brutally honest. Because TCT is not encumbered by encouraging prospective buyers to purchase a product, the authors can cut right to the heart of operational details. In fact, they begin by telling you the most obvious shortcomings of TCT. That being said, the TCT tutorial provides a nice introductory primer on handling incidents and conducting investigations. Take a look at the tutorial at http://www.fish.com/tct/help-when-broken-into .
TCT includes four main features. Although other lesser programs are included with the package, these four features are core to TCT's functionality:
Information Capture The grave-robber program collects a large amount of information from a machine. It can take hours to run, and it returns a lot of information.
File Analysis The ils and mactime programs analyze and display access patterns of files from a historical perspective or from a running system.
Deleted File Recovery The unrm and lazarus programs support the recovery of deleted files and file fragments .
Cryptography Key Recovery The findkey program examines files and running processes to recover keys.
One of the key features that sets TCT apart from many other forensic tool sets is that is can operate on a live system and return information about live processes and open files. Although the high-end commercial packages support this type of real-time analysis, few others have the ability to examine volatile RAM. For more information on TCT, visit one of the two primary TCT websites at http://www.fish.com/tct or http://www.porcupine.org/forensics/tct.html .
The Sleuth Kit (TSK) is the other open source forensic software suite on our list. Built on TCT, TSK is a collection of command-line tools that provides media management and forensic analysis functionality.
TSK has a few features that deserve separate mention. In addition to general functionality, TSK supports Mac partitions and can analyze files from Mac file- systems. TSK has been tested to run on Mac OS X as well. TSK also has the ability to analyze volatile data on running systems in a manner similar to TCT.
The core toolkit contains six different types of tools.
File System Layer The fsstat tool reports filesystem details, including inode numbers, block or cluster ranges, and super block details for Unix- based systems. For FAT filesystems, fsstat provides an abbreviated FAT table listing.
File Name Layer The ffind and fls tools report allocated, unallocated , and deleted filenames.
Meta Data Layer The icat, ifind, ils, and istat tools report on file meta data (file details) stored in filesystems.
Data Unit Layer The dcat, dlc, dstat, and dcalc tools report file content information and statistics.
Media Management The mmls tool provides information on the layout of a disk.
hfind The hfind tool looks up hash values.
mactime This tool uses fls and ils output to create timelines of file activity, such as create, access and write activity.
sorter This tool sorts files based on file type.
For more information on TSK, visit the main TSK website at http://www.sleuthkit.org/sleuthkit/index.php .
The Autopsy Forensic browser is a GUI front end for the TSK product discussed earlier. In addition to providing a graphical presentation of TSK tools, it also adds case management features to TSK. Like TSK, Autopsy runs in Unix/Linux and Mac OS X and provides a nice alternative to commercial Windows-based forensic tools.
Here are a few features the Autopsy Forensic Browser adds to TSK:
Dead Analysis Analyzes on a machine or device in a trusted environment
Live Analysis Analyzes on a system that is up and running
Case Management Organizes activities by case
Even Sequencer Helps discern patterns by organizing system events chronologically
Notes Offers easily accessible notes organized by case
Image Integrity Verifies the integrity of any media images created for an investigation
Reports Creates reports of activities, organized by case
Logging Creates audit logs for activities, organized by case
For more information on the Autopsy Forensic Browser, visit the Autopsy website at http://www.sleuthkit.org/autopsy/index.php .
ProDiscover, from Technology Pathways, is another forensic suite of tools. Technology Pathways provides several different versions of ProDiscover, including Forensics, Investigator, Incident Response, Suite, and Windows, depending on your particular forensic needs. All ProDiscover products run in Windows operating systems and provide an integrated GUI for their forensic tools. The ProDiscover Suite combines the features of the entire family of forensic tools. Here are some notable features:
Allows live system examination
Identifies Trojans and other software intended to compromise the security of your system
Utilizes a remote agent that allows centralized examination and monitoring, along with encrypted network communication to secure analysis data
Creates a bit stream copy of an entire suspect disk, including hidden HPA sections (patent pending), to keep original evidence safe
Ensures integrity of acquired images using MD5 or SHA1 hashes
Supports FAT12, FAT16, FAT32, all NTFS, dynamic disk and software
RAID, and Sun Solaris UFS filesystems
Generates reports in eXtensible Markup Language (XML)
ProDiscover provides similar functionality to other full-featured forensic software suites listed in this section. Take a look at the full product line for a more detailed look at specific features. For more information on ProDiscover, visit the Technology Pathways website at http://www.techpathways.com/ DesktopDefault.aspx?tabindex=4 & tabid=12 .
Vogon International provides imaging, processing, and investigative forensic tools. The company's software products provide integrated tools that provide the majority of the functions a computer forensic examiner requires. Vogon Forensic Software runs in the Windows operating system. Their software product line consists of:
Imaging software
Creates drive images with verification
Creates images from SCSI, IDE, and S-ATA hard disk drives.
Provides audit trail of imaging activities
Processing software
Creates file hashes
Processes multiple image files in a session
Provides file identification and grouping
Automatically handles archive and compressed files
Investigative software
Supports fast and flexible text searches
Handles 19 file system formats, including most common Windows, Unix/
Linux, and Macintosh file systems
Logs all activities
Produces multiple views of suspect data and reports of activities and results
For more information on the Vogon International product line and pricing, visit the company's website at http://www.vogon-forensic-hardware.com/ .
X-Ways Forensics, from X-Ways Software Technology AG, is a collection of several forensic tools that assist in examining media images. Compared to some of the other forensic suites in this section, it is a little more lightweight. However, it does provide a nice collection of forensic tools that include some large package features at a very reasonable price.
Some of the X-Ways features include:
Case management
Automatic activity logging
Automated reports in HyperText Markup Language (HTML)
A display of existing and deleted files, sorted by file type category
Gallery view for graphics
Skin color detection helps in isolating pictures that may contain pornography
File extension/file type mismatches detection
EnCase media image support (read)
This is only a short list of X-Ways features. For more information on this product, visit the X-Ways Software & Technology website at http://www.xways.net/forensics/index-m.html .
In addition to drive imaging software and complete forensic software suites, many smaller tools and utilities that are of value to the computer examiner are available. No matter how many features your forensic suite of choice may be, you might have specific needs that require another special tool.
The following sections detail a few special-purpose tools that provide specific functionality. As with the previous sections, consider each of these tools and choose the best ones for your specific needs.
DiskJockey File Viewer, from Clear & Simple, is a general-purpose file viewer. It allows you to view files in over 220 formats (232 formats in the Deluxe Edition). You do not need to own the application that created the file to view it in DiskJockey. Forensic examiners can use DiskJockey to scan media and view files without having to open the files in a native application.
You can find many more details on DiskJockey by visiting the Clear & Simple website at http://www.clear-simple.com/ .
We discussed DriveSpy in the 'Disk Imaging and Validation Tools' section. It is included here as well to remind you that DriveSpy does a lot more than just duplicate drives. For instance, it allows you to select files based on name, extension, or attributes. It also allows you to view the sectors and clusters in its builtin hex viewers . Another useful DriveSpy feature is a search engine that allows you to search a partition or drive for specific text strings. DriveSpy provides basic command-line functionality that is portable enough to carry on a single floppy disk and use at the scene. After you create an image of a drive, DriveSpy can assist you in examining the image's contents.
The discussion in the 'Disk Imaging and Validation Tools' section covered some of its features. For pricing and more information, visit the Digital Intelligence, Inc. website at http://www.digitalintel.com/drivespy.htm .
After you create an image of suspect media, you'll need to search it for possible evidence. You'll need some tool to assist you in your search efforts. The dtSearch product line, from dtSearch Corporation, provides several solutions that allow you to search gigabytes of text in a short amount of time. Although not strictly a forensic tool, dtSearch provides the tool to perform a necessary forensic function.
The dtSearch website lists several features that set the product apart, including:
Offers over 12 search options, including indexed, unindexed, felded, and full-text search options
Converts results to HTML with search results highlighted (makes it easy to see search results context)
Supports distributed searching for high performance
The dtSearch product line includes several different products for different needs, including:
dtSearch Desktop Searches stand-alone machines
dtSearch Network Searches across networks
dtSearch Web Supports instant text searching for online documents
dtSearch Publish Publishes an instant searchable database on CD/DVD
For the forensic examiner, the Desktop and Network products provide the capability to find possible evidence on multiple machines. For more detailed product information, visit the dtSearch Corporation website at http://www.dtsearch.com/ .
Quick View Plus, from Avantstar, is a general-purpose file viewer, similar to DiskJockey. Quick View Plus allows you to view files in over 225 formats. Quick View Plus also allows you to view parts of files and print them or cut and paste into your own applications.
From a forensic perspective, Quick View Plus provides examiners the ability to search many types of files for text strings and view the results in the context of the original file.
You can find many more details on Quick View Plus by visiting the Avantstar website at http://www.avantstar.com/solutions/quick_view_plus .
Text Search Plus, from New Technologies Inc., is a DoD-tested and certified text-searching tool. This tool was designed specifically for forensic examiners. Although other search tools were developed for a general market, Text Search Plus started off as a forensic tool.
Text Search Plus provides the following features beyond most general-purpose searching tools:
Searches files, slack space, and unallocated file space
Is approved for use in classified facilities
Searches at the logical level (filesystem) or physical level (disk sectors)
Searches up to 120 search strings at one time
Text Search Plus operates in DOS and is small enough to fit on a DOS boot floppy disk. Many commercial examiners, government, law enforcement, military, and intelligence agencies use the product. For more product details, visit the New Technologies Inc. website at http://www.forensics-intl.com/txtsrchp.html .
ThumbsPlus File Viewer, from Cerious Software Inc., is a general-purpose file viewer and editor. It allows you to view files in many formats. A good file-viewing tool makes browsing through several graphics files far easier. ThumbsPlus makes it easy to collect and browse most common graphic formats.
You can find many more details on ThumbsPlus by visiting the Cerious website at http://www.cerious.com/ .
Up to this point, we have ignored the fact that all software tools must run on hardware of some type. Although forensic tools run on general-purpose machines, using dedicated computers for forensics investigations is often advisable. Using dedicated hardware decreases the possibility of accidental contamination by nonforensic applications.
Although actual evidence contamination cannot occur to the primary media when analyzing an image of the original media, other applications can possibly affect the evidence image you are examining. Your forensic machine probably has special-purpose hardware elements such as a disk-write blocker, keystroke logger, or multiple format disk controllers.
Because forensic examination computers tend to support special-purpose hardware and software, several companies offer hardware devices and complete computer systems that are built from the ground up as forensic hardware devices. Some of the systems can be expensive, but if you need a prebuilt forensic hardware platform the cost is probably justified. Carefully consider your needs based on:
Where will you analyze media?
At the scene
In the lab
How often do you use forensic software?
What type of operating system and hardware must you analyze?
Will the evidence you collect be presented in a court of law?
Answers to these questions will help you to decide whether you need special- purpose forensic hardware and what features you need. The following sections describe some forensic hardware providers.
Digital Intelligence, Inc. produces a line of specially designed forensic workstations called Forensic Recovery of Evidence Device (F.R.E.D.). The company offers several different F.R.E.D. options, depending on your specific needs. Each system in the F.R.E.D. line is a purpose-built computer for forensic analysis. Whether you need a portable lab or a full-featured system that supports nearly every known hard drive interface, there is probably a F.R.E.D. computer that will satisfy your requirements.
In addition to the F.R.E.D. product line, Digital Intelligence, Inc. sells a line of other forensic hardware including:
Forensic hardware kits with write blockers, power supplies , and interface cables
The 'shadow' device that caches all writes as a suspect's system boots
Stand-alone write blockers
Imaging chassis
Digital Intelligence, Inc. provides a complete line of hardware for forensic examiners. For more information on the Digital Intelligence, Inc. product line and pricing, visit the company's website at http://www.digitalintel.com/ .
Vogon International provides purpose-built forensic hardware, including both specialist imaging systems, forensic workstations through to scalable custom laboratory solutions. Vogon offers a range of forensic solutions for differing needs. Their product line includes:
Imaging systems for IDE, SCSI, S-ATA, and PCMCIA and RAID
A range of laboratory-based imaging and processing systems
Custom high-end enterprise imaging systems
Automated systems for high-volume forensic imaging and processing
Password-cracking hardware for hard disk drives
Integrated network-based forensic solutions
Custom forensic solutions
(Photograph Courtesy of Vogon International 2004)
(Photograph Courtesy of Vogon International 2004)
For more information on the Vogon International product line, visit the company's website at http://www.vogon-forensic-hardware.com/index.php .