Chapter 25: Generalized Editors and Viewers

OVERVIEW

Despite the growing popularity and acceptance of tool suites produced by Guidance, Paraben, AccessData, and ASR Data, it is still important for the investigator to understand the internals of the automated operations these tool suites have built in. Analogies illustrating why can be drawn from fields ranging from pharmaceuticals to reactor operations. Having operated reactors for more than half a dozen years, this author can attest that a monkey can do the job, except for when things go wrong, and they do. Amazingly, things go wrong during investigations, too. And if that's not enough, you'll be questioned about and expected to explain file carving, deleted files, file slack, unallocated space, sectors, clusters, etc. As you use and understand these tools, these definitions will become second nature.

Note 

New Technologies Incorporated (NTI) is one of many online resources for learning about these terms and other forensic concepts. Their web site is located at http://www.forensics-intl.com/define.html. A Google search will yield several results, but be careful what you read. Stick to information from trade web sites, respectable vendor web sites, and web sites of respected individuals in the field. Corroborate everything you read with another resource.

An investigator could come to an incorrect conclusion without the means to view suspicious files properly. For example, imagine an analyst who depends on an image viewer to provide the proper results for a file named image.tiff. If the file image.tiff is actually an MP3 music file, it won't be displayed correctly in an image viewer or rendered correctly inside of Windows Explorer. Therefore, a more powerful viewer must be utilized. Luckily for the analyst, such viewers are available.
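The image.tiff mismatch described above can be caught before a file ever reaches a viewer by comparing its extension with its leading signature bytes. The following Python sketch is an added example, not code from the book; the function names and sample headers are constructed for illustration, and the signature table covers only a few formats.

```python
import os

# Leading-byte signatures for a few common formats (not exhaustive).
SIGNATURES = [
    (b"II*\x00", "tiff"),           # TIFF, little-endian
    (b"MM\x00*", "tiff"),           # TIFF, big-endian
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"ID3", "mp3"),                # MP3 that starts with an ID3v2 tag
]
EXTENSIONS = {".tif": "tiff", ".tiff": "tiff", ".jpg": "jpeg", ".jpeg": "jpeg",
              ".png": "png", ".gif": "gif", ".pdf": "pdf", ".mp3": "mp3"}


def sniff(header: bytes) -> str:
    """Return the format suggested by a file's first bytes, or 'unknown'."""
    for magic, kind in SIGNATURES:
        if header.startswith(magic):
            return kind
    # Untagged MP3: MPEG audio frame sync, eleven set bits.
    if len(header) >= 2 and header[0] == 0xFF and (header[1] & 0xE0) == 0xE0:
        return "mp3"
    return "unknown"


def check(name: str, header: bytes) -> dict:
    """Compare what the file name claims with what the content looks like."""
    claimed = EXTENSIONS.get(os.path.splitext(name)[1].lower(), "unknown")
    actual = sniff(header)
    mismatch = "unknown" not in (claimed, actual) and claimed != actual
    return {"name": name, "claimed": claimed, "actual": actual, "mismatch": mismatch}


def check_file(path: str) -> dict:
    """Check a file on disk, reading only its first 16 bytes."""
    with open(path, "rb") as fh:
        return check(os.path.basename(path), fh.read(16))


if __name__ == "__main__":
    # Constructed sample headers, not taken from real evidence.
    for name, header in [("image.tiff", b"ID3\x03\x00\x00\x00\x00\x0f\x76"),
                         ("scan.tiff", b"II*\x00\x08\x00\x00\x00"),
                         ("song.mp3", b"\xff\xfb\x90\x64")]:
        print(check(name, header))
```

A file flagged with `mismatch` set to true is a candidate for inspection in a hex or generalized viewer rather than in the application its extension suggests.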

This chapter is dedicated to the editors and viewers used during a typical forensic analysis. These viewers are defined as generic in the sense that they support many different file types. Some of the viewers presented will even support an unlimited number of file formats. Moreover, even though "editing" is not typically performed during an investigation, this chapter will illustrate that editors, too, can add powerful features to the analyst's tool kit.



Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
Year: 2006
Pages: 175
