Forensics Tools


After you have a verified copy of original media, you're ready to begin the analysis process. You can use the tools discussed in the following sections to perform many forensics functions. Your choice of tools depends on your specific needs. The following sections include common software and hardware tools and briefly discuss their capabilities.

As with the disk imaging tools, your choice of which tools to use depends on the following:

  • Operating system(s) supported

  • User interface preference

  • Price

  • Functionality/capabilities

  • Vendor loyalty

Software Suites

Several companies specialize in developing and providing forensic tools. These companies produce software and/or hardware with diverse functionality. Some suites of forensic software are tightly integrated and have mature user interfaces. Other forensic suites are little more than a collection of useful utilities. Consider the following tools and try out the ones you like. Your final choice of forensic tools should provide the functionality to perform the examinations you will encounter. Although all the bells and whistles are nice, get what you really need.

EnCase

Guidance Software produces the EnCase product line. The products were originally developed for law enforcement personnel to carry out investigations. The product line has grown to support commercial incident response teams as well as law enforcement. The EnCase product is built around the general concept of the case. The first action you take is to create a case file. All subsequent activities are related to a case.

click to expand

EnCase is an integrated Windows-based graphical user interface (GUI) suite of tools. Although the EnCase functionality is impressive, you will likely need another utility at some point. Fully integrated solutions can increase productivity, but don't hesitate to use another tool when you need it.

click to expand

Here are just a few features of EnCase:

  • Enterprise Edition provides centralized monitoring and real-time investigation with no service interruptions

  • Snapshot enables investigators to capture volatile information including:

    • RAM contents

    • Running programs

    • Open files and ports

  • Organizes results into case files and manages case documents

  • Helps maintain the chain of custody

  • Provides tools for incident response team to respond to emerging threats

  • Supports real-time and postmortem examinations

    click to expand

EnCase provides the functionality to acquire and examine many types of evidence. The organization around a case provides the structure to keep information in order. All in all, EnCase is one of the premium suites of software you definitely want to evaluate when selecting your forensics tools. For more information on EnCase, visit the Guidance Software website at http://www.encase.com .

Forensic Toolkit (FTK)

Another forensic suite that provides an integrated user interface is AccessData 's Forensic Toolkit (FTK). FTK runs in Windows operating systems and provides a very powerful tool set to acquire and examine electronic media. As discussed earlier in this chapter, FTK contains a disk imaging tool. This imaging tool provides one or more copies of primary evidence for analysis.

click to expand

FTK provides an easy-to-use file viewer that recognizes over 270 types of files. FTK also provides full text indexing powered by dtSearch. We will cover dtSearch's features later in this chapter. The integrated file viewer and search capabilities provide the ability to find evidence on any device.

click to expand

FTK works with media images created by several imaging utilities, including:

  • FTK

  • EnCase

  • SMART

  • SnapBack

  • SafeBack (not V3.0)

  • Linux dd

    click to expand

The searching capabilities of FTK include e-mail and Zip file analysis. FTK supports searching through many e-mail formats, including:

  • AOL

  • Netscape

  • Yahoo

  • EarthLink

  • Eudora

  • Hotmail

  • MSN

FTK can quickly examine archive files in different formats as well. Files these programs generated are supported:

  • PKZIP

  • WinZip

  • WinRAR

  • GZIP

  • TAR

    click to expand

All results are organized by case and are presented in the case content summary. For more information on FTK, visit the AccessData website at http://www.accessdata.com .

Maresware

Maresware Computer Forensics software, developed by Mares and Company, is really a collection of tools useful to the forensic investigator . Like many of the forensics tools available, these tools were originally developed for law enforcement personnel. The tools in the set are the ones forensic examiners routinely use during an investigation.

Maresware features are similar to competitive products. The software provides tools to acquire and verify media images and examine the images. Core functionality includes searching and hidden file identification. The most notable difference from other forensic software suites is that the Maresware tools are stand-alone tools and can be called as needed. There is no set method or processing order you must follow. Maresware is flexible enough to allow you to use the tools you need in the order you need them.

Although the core functionality is similar to other competing products, at least four programs in the Maresware tool set bear individual description:

Declasfy    A disk wiping program that overwrites the contents of physical media in compliance with U.S. Department of Defense (DoD) standards. The resulting media meets strict regulatory requirements for media reuse.

Brandit    A utility that brands hard disks with identifying ownership information. This utility is useful to trace and identify stolen hard drives .

Bates_no    This program assists in managing records and files by adding identifying numbers to document filenames. Identifying numbers, such as case-related numbers , makes it easier to group files together.

Upcopy    A copy program that makes it easy to copy entire directories from a source location to a destination without changing any attributes or time/date stamps.

For more features or information on Maresware Computer Forensics software, visit the Mares and Company website at http://www.dmares.com/maresware/software.htm .

Paraben

Paraben Forensics Tools, produced by Paraben Corporation, is another collection of stand-alone tools. The Paraben forensic product line is actually made up of 10 individual software tool sets that make up the entire forensic suite. Each of the products can be purchased individually, and the pricing structure provides discounts for purchasing multiple tools.

Paraben's tools are frequently used with personal digital assistants (PDAs) and cell phones. Although this company's other software products are fine products, examine Paraben's products first if you want to examine PDAs or cell phones. Paraben has extensive experience in cell phone and PDA forensics tools. PDA and cell phone forensics is an area that has its own nuances . Paraben knows the ropes and can share a lot of knowledge. Here is a brief list of the Paraben Forensics tools:

Forensic Replicator    A disk imaging and verification tool. Details of this product were discussed earlier in this chapter.

Forensic Sorter    A tool that classifies data into one of 14 different categories, making examinations more productive. Organized data is easier to handle in groups of like data.

Network E-mail Examiner    A tool that examines network e-mail archives.

E-mail Examiner    A tool that examines e-mail files from over 15 mail types.

Decryption Collection    A set of tools that help recover passwords and decrypt encrypted data.

Text Searcher    A fast tool that searches media for desired text strings.

Case Agent Companion    A set of tools that includes a file viewer capable of viewing over 225 file formats, along with searching and reporting tools. The tools help an examiner organize examination results by case.

PDA Seizure    A tool used to acquire, view, and reports on evidence from PDAs.

Cell Seizure    A tool used to acquire, view, and report on evidence from cell phones.

For more information on any of the Paraben product line, visit the Paraben Forensic Tools website at

http://www.paraben-forensics.com/products.html.

The Coroner's Toolkit (TCT)

The Coroner's Toolkit (TCT) is the first of two open source forensic software suites in our list. It was designed by Dan Farmer and Wieste Venema. TCT is a collection of programs written to support a postmortem analysis of Unix and Linux systems.

Unlike many other forensic tools, TCT was written more for incident response than law enforcement investigations. Due to its origins, TCT was not designed around the stringent requirements to produce and manage courtroom admissible evidence. As a result, it's up to you to manage your case files and properly maintain the chain of custody.

The documentation is straightforward and brutally honest. Because TCT is not encumbered by encouraging prospective buyers to purchase a product, the authors can cut right to the heart of operational details. In fact, they begin by telling you the most obvious shortcomings of TCT. That being said, the TCT tutorial provides a nice introductory primer on handling incidents and conducting investigations. Take a look at the tutorial at http://www.fish.com/tct/help-when-broken-into .

TCT includes four main features. Although other lesser programs are included with the package, these four features are core to TCT's functionality:

Information Capture    The grave-robber program collects a large amount of information from a machine. It can take hours to run, and it returns a lot of information.

File Analysis    The ils and mactime programs analyze and display access patterns of files from a historical perspective or from a running system.

Deleted File Recovery    The unrm and lazarus programs support the recovery of deleted files and file fragments .

Cryptography Key Recovery    The findkey program examines files and running processes to recover keys.

One of the key features that sets TCT apart from many other forensic tool sets is that is can operate on a live system and return information about live processes and open files. Although the high-end commercial packages support this type of real-time analysis, few others have the ability to examine volatile RAM. For more information on TCT, visit one of the two primary TCT websites at http://www.fish.com/tct or http://www.porcupine.org/forensics/tct.html .

The Sleuth Kit (TSK)

The Sleuth Kit (TSK) is the other open source forensic software suite on our list. Built on TCT, TSK is a collection of command-line tools that provides media management and forensic analysis functionality.

TSK has a few features that deserve separate mention. In addition to general functionality, TSK supports Mac partitions and can analyze files from Mac file- systems. TSK has been tested to run on Mac OS X as well. TSK also has the ability to analyze volatile data on running systems in a manner similar to TCT.

The core toolkit contains six different types of tools.

File System Layer    The fsstat tool reports filesystem details, including inode numbers, block or cluster ranges, and super block details for Unix- based systems. For FAT filesystems, fsstat provides an abbreviated FAT table listing.

File Name Layer    The ffind and fls tools report allocated, unallocated , and deleted filenames.

Meta Data Layer    The icat, ifind, ils, and istat tools report on file meta data (file details) stored in filesystems.

Data Unit Layer    The dcat, dlc, dstat, and dcalc tools report file content information and statistics.

Media Management    The mmls tool provides information on the layout of a disk.

hfind    The hfind tool looks up hash values.

mactime    This tool uses fls and ils output to create timelines of file activity, such as create, access and write activity.

sorter    This tool sorts files based on file type.

For more information on TSK, visit the main TSK website at http://www.sleuthkit.org/sleuthkit/index.php .

Autopsy Forensic Browser

The Autopsy Forensic browser is a GUI front end for the TSK product discussed earlier. In addition to providing a graphical presentation of TSK tools, it also adds case management features to TSK. Like TSK, Autopsy runs in Unix/Linux and Mac OS X and provides a nice alternative to commercial Windows-based forensic tools.

click to expand

Here are a few features the Autopsy Forensic Browser adds to TSK:

Dead Analysis    Analyzes on a machine or device in a trusted environment

Live Analysis    Analyzes on a system that is up and running

Case Management    Organizes activities by case

Even Sequencer    Helps discern patterns by organizing system events chronologically

Notes    Offers easily accessible notes organized by case

Image Integrity    Verifies the integrity of any media images created for an investigation

Reports    Creates reports of activities, organized by case

Logging    Creates audit logs for activities, organized by case

click to expand

For more information on the Autopsy Forensic Browser, visit the Autopsy website at http://www.sleuthkit.org/autopsy/index.php .

ProDiscover

ProDiscover, from Technology Pathways, is another forensic suite of tools. Technology Pathways provides several different versions of ProDiscover, including Forensics, Investigator, Incident Response, Suite, and Windows, depending on your particular forensic needs. All ProDiscover products run in Windows operating systems and provide an integrated GUI for their forensic tools. The ProDiscover Suite combines the features of the entire family of forensic tools. Here are some notable features:

  • Allows live system examination

  • Identifies Trojans and other software intended to compromise the security of your system

  • Utilizes a remote agent that allows centralized examination and monitoring, along with encrypted network communication to secure analysis data

  • Creates a bit stream copy of an entire suspect disk, including hidden HPA sections (patent pending), to keep original evidence safe

  • Ensures integrity of acquired images using MD5 or SHA1 hashes

  • Supports FAT12, FAT16, FAT32, all NTFS, dynamic disk and software

RAID, and Sun Solaris UFS filesystems

  • Generates reports in eXtensible Markup Language (XML)

    click to expand

ProDiscover provides similar functionality to other full-featured forensic software suites listed in this section. Take a look at the full product line for a more detailed look at specific features. For more information on ProDiscover, visit the Technology Pathways website at http://www.techpathways.com/ DesktopDefault.aspx?tabindex=4 & tabid=12 .

Vogon Forensic Software

Vogon International provides imaging, processing, and investigative forensic tools. The company's software products provide integrated tools that provide the majority of the functions a computer forensic examiner requires. Vogon Forensic Software runs in the Windows operating system. Their software product line consists of:

  • Imaging software

  • Creates drive images with verification

  • Creates images from SCSI, IDE, and S-ATA hard disk drives.

  • Provides audit trail of imaging activities

    click to expand
  • Processing software

  • Creates file hashes

  • Processes multiple image files in a session

  • Provides file identification and grouping

  • Automatically handles archive and compressed files

  • Investigative software

  • Supports fast and flexible text searches

  • Handles 19 file system formats, including most common Windows, Unix/

Linux, and Macintosh file systems

  • Logs all activities

  • Produces multiple views of suspect data and reports of activities and results

For more information on the Vogon International product line and pricing, visit the company's website at http://www.vogon-forensic-hardware.com/ .

click to expand

X-Ways Forensics

X-Ways Forensics, from X-Ways Software Technology AG, is a collection of several forensic tools that assist in examining media images. Compared to some of the other forensic suites in this section, it is a little more lightweight. However, it does provide a nice collection of forensic tools that include some large package features at a very reasonable price.

Some of the X-Ways features include:

  • Case management

  • Automatic activity logging

  • Automated reports in HyperText Markup Language (HTML)

  • A display of existing and deleted files, sorted by file type category

  • Gallery view for graphics

  • Skin color detection helps in isolating pictures that may contain pornography

  • File extension/file type mismatches detection

  • EnCase media image support (read)

This is only a short list of X-Ways features. For more information on this product, visit the X-Ways Software & Technology website at http://www.xways.net/forensics/index-m.html .

Miscellaneous Software Tools

In addition to drive imaging software and complete forensic software suites, many smaller tools and utilities that are of value to the computer examiner are available. No matter how many features your forensic suite of choice may be, you might have specific needs that require another special tool.

The following sections detail a few special-purpose tools that provide specific functionality. As with the previous sections, consider each of these tools and choose the best ones for your specific needs.

DiskJockey File Viewer

DiskJockey File Viewer, from Clear & Simple, is a general-purpose file viewer. It allows you to view files in over 220 formats (232 formats in the Deluxe Edition). You do not need to own the application that created the file to view it in DiskJockey. Forensic examiners can use DiskJockey to scan media and view files without having to open the files in a native application.

You can find many more details on DiskJockey by visiting the Clear & Simple website at http://www.clear-simple.com/ .

DriveSpy

We discussed DriveSpy in the 'Disk Imaging and Validation Tools' section. It is included here as well to remind you that DriveSpy does a lot more than just duplicate drives. For instance, it allows you to select files based on name, extension, or attributes. It also allows you to view the sectors and clusters in its builtin hex viewers . Another useful DriveSpy feature is a search engine that allows you to search a partition or drive for specific text strings. DriveSpy provides basic command-line functionality that is portable enough to carry on a single floppy disk and use at the scene. After you create an image of a drive, DriveSpy can assist you in examining the image's contents.

The discussion in the 'Disk Imaging and Validation Tools' section covered some of its features. For pricing and more information, visit the Digital Intelligence, Inc. website at http://www.digitalintel.com/drivespy.htm .

dtSearch

After you create an image of suspect media, you'll need to search it for possible evidence. You'll need some tool to assist you in your search efforts. The dtSearch product line, from dtSearch Corporation, provides several solutions that allow you to search gigabytes of text in a short amount of time. Although not strictly a forensic tool, dtSearch provides the tool to perform a necessary forensic function.

The dtSearch website lists several features that set the product apart, including:

  • Offers over 12 search options, including indexed, unindexed, felded, and full-text search options

  • Converts results to HTML with search results highlighted (makes it easy to see search results context)

  • Supports distributed searching for high performance

    click to expand

The dtSearch product line includes several different products for different needs, including:

dtSearch Desktop    Searches stand-alone machines

dtSearch Network    Searches across networks

dtSearch Web    Supports instant text searching for online documents

dtSearch Publish    Publishes an instant searchable database on CD/DVD

For the forensic examiner, the Desktop and Network products provide the capability to find possible evidence on multiple machines. For more detailed product information, visit the dtSearch Corporation website at http://www.dtsearch.com/ .

Quick View Plus File Viewer

Quick View Plus, from Avantstar, is a general-purpose file viewer, similar to DiskJockey. Quick View Plus allows you to view files in over 225 formats. Quick View Plus also allows you to view parts of files and print them or cut and paste into your own applications.

From a forensic perspective, Quick View Plus provides examiners the ability to search many types of files for text strings and view the results in the context of the original file.

You can find many more details on Quick View Plus by visiting the Avantstar website at http://www.avantstar.com/solutions/quick_view_plus .

Text Search Plus

Text Search Plus, from New Technologies Inc., is a DoD-tested and certified text-searching tool. This tool was designed specifically for forensic examiners. Although other search tools were developed for a general market, Text Search Plus started off as a forensic tool.

Text Search Plus provides the following features beyond most general-purpose searching tools:

  • Searches files, slack space, and unallocated file space

  • Is approved for use in classified facilities

  • Searches at the logical level (filesystem) or physical level (disk sectors)

  • Searches up to 120 search strings at one time

Text Search Plus operates in DOS and is small enough to fit on a DOS boot floppy disk. Many commercial examiners, government, law enforcement, military, and intelligence agencies use the product. For more product details, visit the New Technologies Inc. website at http://www.forensics-intl.com/txtsrchp.html .

ThumbsPlus File Viewer

ThumbsPlus File Viewer, from Cerious Software Inc., is a general-purpose file viewer and editor. It allows you to view files in many formats. A good file-viewing tool makes browsing through several graphics files far easier. ThumbsPlus makes it easy to collect and browse most common graphic formats.

click to expand

You can find many more details on ThumbsPlus by visiting the Cerious website at http://www.cerious.com/ .

Hardware

Up to this point, we have ignored the fact that all software tools must run on hardware of some type. Although forensic tools run on general-purpose machines, using dedicated computers for forensics investigations is often advisable. Using dedicated hardware decreases the possibility of accidental contamination by nonforensic applications.

Although actual evidence contamination cannot occur to the primary media when analyzing an image of the original media, other applications can possibly affect the evidence image you are examining. Your forensic machine probably has special-purpose hardware elements such as a disk-write blocker, keystroke logger, or multiple format disk controllers.

Because forensic examination computers tend to support special-purpose hardware and software, several companies offer hardware devices and complete computer systems that are built from the ground up as forensic hardware devices. Some of the systems can be expensive, but if you need a prebuilt forensic hardware platform the cost is probably justified. Carefully consider your needs based on:

  • Where will you analyze media?

    • At the scene

    • In the lab

  • How often do you use forensic software?

  • What type of operating system and hardware must you analyze?

  • Will the evidence you collect be presented in a court of law?

Answers to these questions will help you to decide whether you need special- purpose forensic hardware and what features you need. The following sections describe some forensic hardware providers.

Forensic Recovery of Evidence Device

Digital Intelligence, Inc. produces a line of specially designed forensic workstations called Forensic Recovery of Evidence Device (F.R.E.D.). The company offers several different F.R.E.D. options, depending on your specific needs. Each system in the F.R.E.D. line is a purpose-built computer for forensic analysis. Whether you need a portable lab or a full-featured system that supports nearly every known hard drive interface, there is probably a F.R.E.D. computer that will satisfy your requirements.

In addition to the F.R.E.D. product line, Digital Intelligence, Inc. sells a line of other forensic hardware including:

  • Forensic hardware kits with write blockers, power supplies , and interface cables

  • The 'shadow' device that caches all writes as a suspect's system boots

  • Stand-alone write blockers

  • Imaging chassis

Digital Intelligence, Inc. provides a complete line of hardware for forensic examiners. For more information on the Digital Intelligence, Inc. product line and pricing, visit the company's website at http://www.digitalintel.com/ .

Vogon Forensic Hardware

Vogon International provides purpose-built forensic hardware, including both specialist imaging systems, forensic workstations through to scalable custom laboratory solutions. Vogon offers a range of forensic solutions for differing needs. Their product line includes:

  • Imaging systems for IDE, SCSI, S-ATA, and PCMCIA and RAID

  • A range of laboratory-based imaging and processing systems

  • Custom high-end enterprise imaging systems

  • Automated systems for high-volume forensic imaging and processing

  • Password-cracking hardware for hard disk drives

  • Integrated network-based forensic solutions

  • Custom forensic solutions

    click to expand

(Photograph Courtesy of Vogon International 2004)

click to expand

(Photograph Courtesy of Vogon International 2004)

For more information on the Vogon International product line, visit the company's website at http://www.vogon-forensic-hardware.com/index.php .




Computer Forensics JumpStart
Computer Forensics JumpStart
ISBN: 0470931663
EAN: 2147483647
Year: 2004
Pages: 153

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net