
TCF2043
Digital Investigation
CHAPTER 3: CURRENT COMPUTER FORENSICS TOOLS
Management & Science University
FISE

Evaluating Computer Forensics Tool Needs

Some questions to ask when evaluating tools include the following:
- On which OS does the forensics tool run?
- Is the tool versatile? For example, does it work in Windows 98, XP, and Vista and produce the same results in all three OSs?
- Can the tool analyze more than one file system, such as FAT, NTFS, and Ext2fs?
- Can a scripting language be used with the tool to automate repetitive functions and tasks?
- Does the tool have any automated features that can help reduce the time needed to analyze data?
- What is the vendor's reputation for providing product support?

Types of Computer Forensics Tools

Computer forensics tools are divided into two major categories: hardware and software.

Hardware Forensics Tools
- Hardware forensics tools range from simple, single-purpose components to complete computer systems and servers.
- Single-purpose components can be devices such as the ACARD AEC-7720WP Ultra Wide SCSI-to-IDE Bridge, which is designed to write-block an IDE drive connected to a SCSI cable.
- Some examples of complete systems are Digital Intelligence F.R.E.D. systems, DIBS Advanced Forensic Workstations, and Forensic Computers Forensic Examination Stations and portable units.
- To see photos of these tower and portable units, go to the Forensic Computers Web site at www.forensic-computers.com and do a search.

Lab Workstations (photos)

- Ultimate Forensic Machine
- Forensic Analysis Workstation (Dual Six-Core Xeon)
- Forensic Tower IV Dual Xeon Quad Core
- Forensic Mobile Workstation II
- Forensic Air-Lite V MK III Mobile Workstation

Software Forensics Tools

- Software forensics tools are grouped into command-line applications and GUI applications.
- Some tools are specialized to perform one task, such as SafeBack, a command-line disk acquisition tool from New Technologies, Inc. (NTI).
- Other tools are designed to perform many different tasks. For example, Technology Pathways ProDiscover, X-Ways Forensics, Guidance Software EnCase, and AccessData FTK are GUI tools designed to perform most computer forensics acquisition and analysis functions.

Software Forensics Tools

- Software forensics tools are commonly used to copy data from a suspect's drive to an image file.
- Many GUI acquisition tools can read all structures in an image file as though the image were the original drive.
- Many analysis tools, such as ProDiscover, EnCase, FTK, X-Ways Forensics, ILook, and others, have the capability to analyze image files.

Tasks Performed by Computer Forensics Tools

All computer forensics tools, both hardware and software, perform specific functions. These functions are grouped into five major categories:
1. Acquisition
2. Validation and discrimination
3. Extraction
4. Reconstruction
5. Reporting

Tasks Performed by Computer Forensics Tools

Acquisition
- Acquisition, the first task in computer forensics investigations, is making a copy of the original drive.
- This procedure preserves the original drive to make sure it doesn't become corrupt and damage the digital evidence.
- Subfunctions in the acquisition category include the following:
  - Physical data copy
  - Logical data copy
  - Data acquisition format
  - Command-line acquisition
  - GUI acquisition
  - Remote acquisition
  - Verification

Tasks Performed by Computer Forensics Tools

Acquisition
- Some computer forensics software suites, such as AccessData FTK and EnCase, provide separate tools for acquiring an image.
- However, some investigators choose to use hardware devices, such as the Logicube Talon, VOOM HardCopy 3, or ImageMASSter Solo III Forensic unit from Intelligent Computer Solutions, Inc., for acquiring an image.
- These hardware devices have their own built-in software for data acquisition. No other device or program is needed to make a duplicate drive; however, you still need forensics software to analyze the data.

Hardware Devices for Data Acquisition (photos)

- ImageMASSter Solo III
- VOOM HardCopy 3P

Tasks Performed by Computer Forensics Tools

Acquisition
- Other acquisition tools require combining hardware devices and software programs to make disk acquisitions.
- For example, Guidance Software has a DOS program, En.exe, and a function in its Windows application, EnCase, for making data acquisitions.
- Making an acquisition with En.exe requires a PC running MS-DOS, a 12-volt hard drive power connector (Molex, SATA, or one specified for the hard drive you're acquiring), and a data cable, such as an IDE (PATA), SATA, or SCSI connector cable.
- The Windows EnCase application requires a write-blocker device, such as FastBloc, to prevent Windows from accessing and corrupting a suspect drive.

Tasks Performed by Computer Forensics Tools

Acquisition
- Two types of data-copying methods are used in software acquisitions: physical copying of the entire drive and logical copying of a disk partition.
- Most software acquisition tools include the option of imaging an entire physical drive or just a logical partition.
- The situation dictates whether you make a physical or logical acquisition.
- One reason to choose a logical acquisition is drive encryption. Making a physical acquisition of a drive with whole-disk encryption results in unreadable data. With a logical acquisition, however, you can still read and analyze the files.

Tasks Performed by Computer Forensics Tools

Acquisition
- The raw data format, typically created with the UNIX/Linux dd command, is a simple bit-for-bit copy of a data file, a disk partition, or an entire drive.
- A raw imaging tool can copy data from one drive to another disk or to segmented files.
- Because it's a true unaltered copy, you can view a raw image file's contents with any hexadecimal editor, such as Hex Workshop or WinHex. Hexadecimal editors, also known as disk editors (such as Norton DiskEdit), provide a hexadecimal view and a plaintext view of the data.
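The following Python program is an added example, not part of the lecture slides or of any product named on them. It performs the raw-format acquisition described above on a constructed file standing in for a suspect drive: a bit-for-bit copy into segmented files, a hash comparison of source and image (the "verification" subfunction), and a hex-editor style dump of the first bytes. The 512-byte sector size, the segment size and the file names are assumptions.

```python
# Added example (not from the slides): a minimal raw-format ("dd"-style) acquisition.
# It copies a source byte-for-byte into fixed-size segment files, verifies the copy
# with a hash of source and image, and renders a hex/plaintext dump of the first
# bytes, as a hex editor would show them.
import hashlib
import os
import tempfile

SECTOR = 512  # assumption: classic 512-byte sectors


def raw_image(src_path, dst_prefix, segment_size):
    """Bit-for-bit copy of src_path into dst_prefix.001, .002, ... of at most
    segment_size bytes each. Returns the list of segment paths in order."""
    segments = []
    with open(src_path, "rb") as src:
        index = 1
        while True:
            chunk = src.read(segment_size)
            if not chunk:
                break
            path = f"{dst_prefix}.{index:03d}"
            with open(path, "wb") as seg:
                seg.write(chunk)
            segments.append(path)
            index += 1
    return segments


def sha256_of(paths):
    """Hash one file, or an ordered list of segment files, as a single stream."""
    if isinstance(paths, str):
        paths = [paths]
    h = hashlib.sha256()
    for p in paths:
        with open(p, "rb") as f:
            for block in iter(lambda: f.read(65536), b""):
                h.update(block)
    return h.hexdigest()


def verify_image(src_path, segments):
    """Acquisition 'verification' subfunction: source and image digests must match."""
    return sha256_of(src_path) == sha256_of(segments)


def hexdump(data, width=16):
    """Return hex-editor style lines: offset, hex bytes, printable ASCII."""
    lines = []
    for off in range(0, len(data), width):
        row = data[off:off + width]
        hex_part = " ".join(f"{b:02x}" for b in row)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in row)
        lines.append(f"{off:08x}  {hex_part:<{width * 3}} {text}")
    return lines


def demo():
    """Build a constructed 8-sector 'suspect drive', image it in 2-sector
    segments and verify. Returns (segment count, verified, first dump line)."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "suspect.bin")           # constructed source
    content = b"NTFS    " + bytes(range(256)) * ((SECTOR * 8 - 8) // 256)
    content += b"\x00" * (SECTOR * 8 - len(content))   # pad to exactly 8 sectors
    with open(src, "wb") as f:
        f.write(content)
    segments = raw_image(src, os.path.join(work, "image.raw"), 2 * SECTOR)
    ok = verify_image(src, segments)
    first_line = hexdump(content[:16])[0]
    return len(segments), ok, first_line


if __name__ == "__main__":
    n, ok, line = demo()
    print(f"{n} segments, verified={ok}")
    print(line)
```

Run it directly to see the segment count, the verification result and the first dump line. The hash-before/hash-after comparison is the same check an imaging tool performs when it reports a verified acquisition; if the two digests differ, the image is not a true copy and should not be used for analysis.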

Figure: Viewing data in a hexadecimal editor

Tasks Performed by Computer Forensics Tools

Validation and Discrimination
- Two issues in dealing with computer evidence are critical.
- First is ensuring the integrity of data being copied: the validation process.
- Second is the discrimination of data, which involves sorting and searching through all investigation data.
- The process of validating data is what allows discrimination of data.
- Many forensics software vendors offer three methods for discriminating data values.

Tasks Performed by Computer Forensics Tools

These are the subfunctions of the validation and discrimination function:
- Hashing
- Filtering
- Analyzing file headers

- Validating data is done by obtaining hash values.
- As a standard feature, most forensics tools and many disk editors have one or more types of data hashing.
- How data hashing is used depends on the investigation, but using a hashing algorithm on the entire suspect drive and all its files is a good idea.

Tasks Performed by Computer Forensics Tools

- This method produces a unique hexadecimal value for data, used to make sure the original data hasn't changed.
- This unique value has other potential uses. For example, in the corporate environment, you could create a known good hash value list of a fresh installation of an OS, all applications, and all known good images and documents (spreadsheets, text files, and so on).
- With this information, an investigator could ignore all files on this known good list and focus on other files on the disk that aren't on this list. This process is known as filtering.
- Filtering can also be used to find data for evidence in criminal investigations or to build a case for terminating an employee.

Tasks Performed by Computer Forensics Tools

- The primary purpose of data discrimination is to remove good data from suspicious data.
- Good data consists of known files, such as OS files and common programs (Microsoft Word, for example).
- The National Software Reference Library (NSRL) has compiled a list of known file hashes for a variety of OSs, applications, and images that can be downloaded from www.nsrl.nist.gov/Downloads.htm (see Figure).
- Several computer forensics programs can integrate known good file hash sets, such as the ones from the NSRL, and compare them to file hashes from a suspect drive to see whether they match.
- With this process, you can eliminate large amounts of data quickly so that you can focus your evidence analysis.

Figure: The download page of the National Software Reference Library

Tasks Performed by Computer Forensics Tools

- You can also begin building your own hash sets.
- Another feature to consider for hashing functions is hashing and comparing sectors of data. This feature is useful for identifying fragments of data in slack and free disk space that might be partially overwritten.
- An additional method of discriminating data is analyzing and verifying header values for known file types.
- Similar to the hash values of known files, many computer forensics programs include a list of common header values. With this information, you can see whether a file extension is incorrect for the file type.
- Renaming file extensions is a common way to try to hide data, and you could miss pertinent data if you don't check file headers.
- For example, in the file header for ForensicData.doc, you see the letters JFIF (see Figure).
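The following Python code is an added example, not from the slides or from the NSRL. It shows the two hash-based discrimination methods described above on constructed data: filtering a suspect file set against a known-good SHA-1 set (a minimal stand-in for an NSRL-style hash set), and hashing individual sectors so that a partially overwritten fragment of a known file can still be recognized in unallocated space. The file names, file contents and the 512-byte sector size are constructed assumptions.

```python
# Added example (not from the slides): known-good hash filtering in the style of an
# NSRL hash set, plus sector-level hashing to spot fragments of a known file inside
# unallocated or slack space. The "hash set" and the drive contents are constructed.
import hashlib

SECTOR = 512  # assumption: 512-byte sectors


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


def build_known_set(known_files):
    """Build an NSRL-style lookup sha1 -> reference name from {name: bytes}."""
    return {sha1_hex(content): name for name, content in known_files.items()}


def filter_known(suspect_files, known_set):
    """Discrimination: split {path: bytes} into (known, unknown) by whole-file hash.
    Known files are reported with the name the reference set knows them by, so a
    renamed OS file is still recognized."""
    known, unknown = {}, []
    for path, content in suspect_files.items():
        h = sha1_hex(content)
        if h in known_set:
            known[path] = known_set[h]
        else:
            unknown.append(path)
    return known, sorted(unknown)


def sector_hashes(content):
    """Hash every full sector of a file: sha1 -> sector number. A partial trailing
    sector is excluded because it never matches a sector-aligned copy on disk."""
    return {sha1_hex(content[i:i + SECTOR]): i // SECTOR
            for i in range(0, len(content) - SECTOR + 1, SECTOR)}


def find_fragments(unallocated, known_files):
    """Scan unallocated space sector by sector and report sectors whose hash matches
    a sector of a known file, as (unallocated sector, file name, file sector).
    If two known sectors are identical, the last one indexed wins."""
    index = {}
    for name, content in known_files.items():
        for h, sec in sector_hashes(content).items():
            index[h] = (name, sec)
    hits = []
    for i in range(0, len(unallocated) - SECTOR + 1, SECTOR):
        h = sha1_hex(unallocated[i:i + SECTOR])
        if h in index:
            hits.append((i // SECTOR,) + index[h])
    return hits


def demo():
    """Constructed reference set, suspect drive and unallocated space."""
    known_files = {  # constructed "OS files"
        "kernel32.dll": bytes([0x4D, 0x5A]) + b"K" * (SECTOR * 3 - 2),
        "notepad.exe": bytes([0x4D, 0x5A]) + b"N" * (SECTOR * 2 - 2),
    }
    known_set = build_known_set(known_files)
    suspect_files = {  # constructed: one known OS file, one unknown document
        "Windows/System32/kernel32.dll": known_files["kernel32.dll"],
        "Users/bob/plan.doc": b"meet at the warehouse",
    }
    known, unknown = filter_known(suspect_files, known_set)
    # Constructed unallocated space: zeroed filler, then notepad.exe with its first
    # sector overwritten, so only its second sector survives intact.
    filler = b"\x00" * SECTOR
    unalloc = filler + known_files["notepad.exe"][SECTOR:] + filler
    frags = find_fragments(unalloc, known_files)
    return known, unknown, frags


if __name__ == "__main__":
    known, unknown, frags = demo()
    print("known:", known)
    print("unknown:", unknown)
    print("fragments of known files in unallocated space:", frags)
```

The whole-file filter drops the renamed-but-unchanged OS file and leaves only the document for review; the sector index still finds the surviving sector of notepad.exe even though the file as a whole no longer hashes to its reference value.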

Tasks Performed by Computer Forensics Tools

- Most forensics tools can identify header values.
- Searching and comparing file headers rather than file extensions improves the data discrimination function.
- With this feature, you can locate files that might have been altered intentionally.

Tasks Performed by Computer Forensics Tools

Extraction
- The extraction function is the recovery task in a computing investigation and is the most challenging of all tasks to master.
- Recovering data is the first step in analyzing an investigation's data.
- The following subfunctions of extraction are used in investigations:
  1. Data viewing
  2. Keyword searching
  3. Decompressing
  4. Carving
  5. Decrypting
  6. Bookmarking

Tasks Performed by Computer Forensics Tools

- Many computer forensics tools include a data-viewing mechanism for digital evidence. How data is viewed depends on the tool.
- Tools such as ProDiscover, X-Ways Forensics, FTK, EnCase, SMART, ILook, and others offer several ways to view data, including logical drive structures, such as folders and files.
- These tools also display allocated file data and unallocated disk areas with special file and disk viewers.
- Being able to view this data in its normal form makes analyzing and collecting clues for the investigation easier.

Tasks Performed by Computer Forensics Tools

- A common task in computing investigations is searching for and recovering key data facts.
- Computer forensics programs have functions for searching for keywords of interest to the investigation.
- Using a keyword search speeds up the analysis process for investigators, if used correctly; however, a poor selection of keywords generates too much information.
- For example, the name Ben is a poor search term because it generates a large number of false-positive hits.
- To reduce false-positive hits, you need to refine the search scope.

Tasks Performed by Computer Forensics Tools

- One way is to search on combinations of words, in which one word is within so many words of the next.
- For example, with FTK's Indexed Search feature (see next Figure), you could search for the word Ben within one word of the word Franklin by entering Ben w/1 Franklin and narrow the search further with the word Son as a separate entry in the Search Term text box.

Figure: The Indexed Search feature in FTK

Tasks Performed by Computer Forensics Tools

- With some tools, you can set filters to select the file types to search, such as searching only PDF documents.
- Another function in some forensics tools is indexing all words on a drive.
- X-Ways Forensics and FTK 1.6x and earlier offer this feature, using the binary index (B-tree) search engine from dtSearch.
- FTK 2.0 also includes indexing but has switched to an Oracle database and takes advantage of this database program's indexing capabilities.
- These features make instant lookup for keywords possible, which speeds up analysis.
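The following Python code is an added example, not part of the slides and not FTK's or dtSearch's implementation. It serves the two keyword-search passages above: it builds a word index over constructed document text so that lookups are immediate, then runs the Ben w/1 Franklin proximity search narrowed with the extra term Son, and shows why the bare term Ben returns more files than the narrowed query. The index is a plain dictionary rather than a B-tree or database index, and the documents are constructed.

```python
# Added example (not from the slides): a word index over extracted text plus a
# proximity search ("Ben w/1 Franklin") narrowed by a second required term.
# The sample documents are constructed; the index is a plain dict.
import re
from collections import defaultdict

WORD = re.compile(r"[A-Za-z0-9']+")


def build_index(documents):
    """documents: {path: text}. Returns {word: {path: [positions]}}; words are
    lower-cased so lookups are case-insensitive."""
    index = defaultdict(lambda: defaultdict(list))
    for path, text in documents.items():
        for pos, match in enumerate(WORD.finditer(text)):
            index[match.group().lower()][path].append(pos)
    return index


def lookup(index, word):
    """Instant keyword lookup: files containing the word, with hit counts."""
    return {path: len(p) for path, p in index.get(word.lower(), {}).items()}


def proximity(index, w1, w2, n):
    """'w1 w/n w2': files where some occurrence of w1 lies within n words of w2.
    Returns {path: [(pos of w1, pos of w2), ...]}."""
    hits = {}
    a, b = index.get(w1.lower(), {}), index.get(w2.lower(), {})
    for path in a.keys() & b.keys():
        pairs = [(p, q) for p in a[path] for q in b[path] if 0 < abs(p - q) <= n]
        if pairs:
            hits[path] = sorted(pairs)
    return hits


def search(index, w1, w2, n, also=None):
    """Proximity search, optionally narrowed by an extra term that must appear
    somewhere in the same file (the separate 'Son' entry in the example)."""
    hits = proximity(index, w1, w2, n)
    if also:
        hits = {p: v for p, v in hits.items() if p in index.get(also.lower(), {})}
    return sorted(hits)


DOCS = {  # constructed sample "drive text"
    "mail/1.txt": "Ben, can you call Franklin about the invoice? His son is ill.",
    "mail/2.txt": "Benjamin Franklin wrote to his son William in 1772.",
    "mail/3.txt": "Ben Franklin Hotel, 5 Market Street.",
    "notes/todo.txt": "Ben has been busy; Ben said the meeting is Tuesday.",
    "notes/bio.txt": "Franklin was born in Boston. Ben Franklin left for Philadelphia with his son.",
}
INDEX = build_index(DOCS)

if __name__ == "__main__":
    print("Ben alone:", lookup(INDEX, "Ben"))
    print("Ben w/1 Franklin:", search(INDEX, "Ben", "Franklin", 1))
    print("Ben w/1 Franklin + Son:", search(INDEX, "Ben", "Franklin", 1, also="Son"))
```

The bare term hits four files (including a to-do list that mentions a different Ben twice), the proximity query narrows that to two, and the extra term leaves only the file an examiner would actually want to read.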

Tasks Performed by Computer Forensics Tools

- Another function to consider for extraction is the format the forensics tool can read.
- For example, FTK has a built-in function that reads and indexes data from Microsoft .pst and .ost files; EnCase has a third-party add-on that performs indexing and analyzes Microsoft .pst files.
- In addition, EnCase, X-Ways Forensics, and ProDiscover enable you to create scripts for extracting data, but FTK doesn't have this feature.
- Keep in mind that you have to use a combination of tools to retrieve and report on evidence from digital devices accurately.

Tasks Performed by Computer Forensics Tools

- Part of the investigation process also involves reconstructing fragments of files that have been deleted from a suspect drive.
- In North America, this reconstruction is referred to as carving; in Europe, it's called salvaging.
- Investigators often need to be able to extract data from unallocated disk space.
- Locating file header information, as mentioned previously in Validation and Discrimination, is a reliable method for carving data.
- Most forensics tools analyze unallocated areas of a drive or an image file and locate fragments or entire file structures that can be carved and copied into a newly reconstructed file.

Tasks Performed by Computer Forensics Tools

- Some investigators prefer carving fragmented data manually with a command-line tool, but advanced GUI tools, such as X-Ways Forensics, EnCase, FTK, and ProDiscover, with built-in functions for carving are used more commonly now.
- For example, the next Figure shows an option in FTK for adding carved files to a case automatically.
- Some tools, such as DataLifter and Davory, are specifically designed to carve known data types from exported unallocated disk space.

Figure: Data-carving options in FTK
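The following Python code is an added example, not part of the slides and not any product's signature list. It covers two passages above with one piece of code: the file-header check that reveals an extension mismatch such as ForensicData.doc carrying a JFIF (JPEG) header, and header/footer carving of known file types out of a constructed block of unallocated space. The signature table is a small hand-picked subset, and the carved blob is constructed.

```python
# Added example (not from the slides): file-signature ("magic number") checks and a
# header/footer carver over a constructed blob of unallocated space.
import os

# header bytes -> (type name, footer bytes or None, extensions that fit the type)
SIGNATURES = {
    b"\xff\xd8\xff": ("JPEG", b"\xff\xd9", {".jpg", ".jpeg"}),
    b"%PDF-": ("PDF", b"%%EOF", {".pdf"}),
    b"\x89PNG\r\n\x1a\n": ("PNG", b"IEND\xaeB`\x82", {".png"}),
    b"PK\x03\x04": ("ZIP", None, {".zip", ".docx", ".xlsx", ".jar"}),
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": ("OLE2", None, {".doc", ".xls", ".ppt"}),
}


def identify(data):
    """Return (type name, fitting extensions) for the signature at offset 0, or None."""
    for magic, (name, _footer, exts) in SIGNATURES.items():
        if data.startswith(magic):
            return name, exts
    return None


def extension_mismatch(filename, data):
    """True when the header identifies a type that the file's extension does not
    belong to (e.g. ForensicData.doc whose header is JFIF). Unknown headers are
    not reported, because no claim can be made about them."""
    ident = identify(data)
    if ident is None:
        return False
    ext = os.path.splitext(filename)[1].lower()
    return ext not in ident[1]


def carve(blob, max_len=1 << 20):
    """Header/footer carving: find the earliest known header at or after the current
    position and cut to its footer (footer included). Types without a footer are cut
    at the next known header, at max_len, or at the end of the blob.
    Returns [(offset, type name, carved bytes)]."""
    found = []
    pos = 0
    while pos < len(blob):
        best = None
        for magic in SIGNATURES:
            i = blob.find(magic, pos)
            if i != -1 and (best is None or i < best[0]):
                best = (i, magic)
        if best is None:
            break
        start, magic = best
        name, footer, _ = SIGNATURES[magic]
        end = None
        if footer:
            j = blob.find(footer, start + len(magic))
            if j != -1:
                end = j + len(footer)
        if end is None:
            nxt = [blob.find(m, start + len(magic)) for m in SIGNATURES]
            nxt = [x for x in nxt if x != -1]
            end = min(nxt + [start + max_len, len(blob)])
        found.append((start, name, blob[start:end]))
        pos = end
    return found


JFIF_HEADER = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"  # constructed JPEG start


def demo():
    """Carve a constructed blob holding a JPEG, a PDF and a footerless ZIP fragment.
    Returns [(offset, type, carved length)]."""
    jpeg = JFIF_HEADER + b"\x11" * 20 + b"\xff\xd9"          # 33 bytes
    pdf = b"%PDF-1.4\n1 0 obj\nendobj\n%%EOF"                  # 29 bytes
    zip_frag = b"PK\x03\x04" + b"Z" * 40                       # 44 bytes, no footer
    blob = b"\x00" * 64 + jpeg + b"\x00" * 32 + pdf + b"\x00" * 16 + zip_frag
    return [(off, name, len(data)) for off, name, data in carve(blob)]


if __name__ == "__main__":
    print("ForensicData.doc mismatch:", extension_mismatch("ForensicData.doc", JFIF_HEADER))
    print("carved:", demo())
```

Header-only types (ZIP, OLE2) are the weak spot of this approach: without a footer the carver can only guess where the file ends, which is why real tools parse the container structure or apply per-type size limits.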

Tasks Performed by Computer Forensics Tools

- A major challenge in computing investigations is analyzing, recovering, and decrypting data from encrypted files or systems.
- Encryption can be used on a drive, disk partition, or file.
- Many e-mail services, such as Microsoft Outlook, provide encryption protection for .pst folders and messages.
- The types of encryption range from platform-specific, such as Windows Encrypting File System (EFS), to third-party vendors, such as Pretty Good Privacy (PGP) and GnuPG.

Tasks Performed by Computer Forensics Tools

- From an investigation perspective, encrypted files and systems are a problem.
- Many password recovery tools have a feature for generating potential password lists for a password dictionary attack.
- FTK, for example, produces a list of possible passwords for an encrypted file from a suspect drive.
- AccessData has also created an advanced password-cracking software suite called Distributed Network Attack (DNA) that allows multiple machines to attempt cracking a password.

Tasks Performed by Computer Forensics Tools

- After locating the evidence, the next task is to bookmark it so that you can refer to it later when needed.
- Many forensics tools use bookmarks to insert digital evidence into a report generator, which produces a technical report in HTML or RTF format of the examination's findings.
- When the report generator is launched, bookmarks are loaded into the report.

Tasks Performed by Computer Forensics Tools

Reconstruction
- The purpose of having a reconstruction feature in a forensics tool is to re-create a suspect drive to show what happened during a crime or an incident.
- Another reason for duplicating a suspect drive is to create a copy for other computer investigators, who might need a fully functional copy of the drive so that they can perform their own acquisition, test, and analysis of the evidence.

Tasks Performed by Computer Forensics Tools

These are the subfunctions of reconstruction:
1. Disk-to-disk copy
2. Image-to-disk copy
3. Partition-to-partition copy
4. Image-to-partition copy

Tasks Performed by Computer Forensics Tools

- There are several ways to re-create an image of a suspect drive.
- Under ideal circumstances, the best and most reliable method is obtaining the same make and model drive as the suspect drive.
- If the suspect drive has been manufactured recently, locating an identical drive is fairly easy (and vice versa).
- The simplest method of duplicating a drive is using a tool that makes a direct disk-to-disk copy from the suspect drive to the target drive. Many tools can perform this task.
- One free tool is the UNIX/Linux dd command, but it has a major disadvantage: the target drive being written to must be identical to the original (suspect) drive, with the same cylinder, sector, and track count.

Tasks Performed by Computer Forensics Tools

- If an identical drive is unavailable, manipulating the drive's cylinders, sectors, and tracks to match the original drive might be possible through your workstation's BIOS.
- For a disk-to-disk copy, both hardware and software duplicators are available.
- Hardware duplicators are the fastest way to copy data from one disk to another. Hardware duplicators, such as Logicube Talon, Logicube Forensic MD5, and ImageMASSter Solo III Forensics Hard Drive Duplicator, adjust the target drive's geometry to match the suspect drive's cylinders, sectors, and tracks.
- Software duplicators, although slower than hardware duplicators, include SnapBack, SafeBack, EnCase, and X-Ways Forensics.

Tasks Performed by Computer Forensics Tools

- For image-to-disk and image-to-partition copies, many more tools are available, but they are considerably slower in transferring data.
- The following are some tools that perform an image-to-disk copy:
  1. SafeBack
  2. SnapBack
  3. EnCase
  4. FTK Imager
  5. ProDiscover
  6. X-Ways Forensics
- All these tools have proprietary formats that can be restored only by the same application that created them. For example, a ProDiscover image (.eve format) can be restored only by using ProDiscover.

Tasks Performed by Computer Forensics Tools

Reporting
- To complete a forensics disk analysis and examination, you need to create a report.
- Before Windows forensics tools were available, this process required copying data from a suspect drive and extracting the digital evidence manually.
- The investigator then copied the evidence to a separate program, such as a word processor, to create a report.
- File data that couldn't be read in a word processor (databases, spreadsheets, and graphics, for example) made it difficult to insert nonprintable characters, such as binary data, into a report.

Tasks Performed by Computer Forensics Tools

- Typically, these reports weren't stored electronically because investigators had to collect printouts from several different applications to consolidate everything into one large paper report.
- Newer Windows forensics tools can produce electronic reports in a variety of formats, such as word processing documents, HTML Web pages, or Acrobat PDF files.
- These are the subfunctions of the reporting function:
  - Log reports
  - Report generator

Tasks Performed by Computer Forensics Tools

- As part of the validation process, often you need to document the steps you took to acquire data from a suspect drive.
- Many forensics tools, such as FTK, ILook, and X-Ways Forensics, can produce a log report that records activities the investigator performed.
- Then a built-in report generator is used to create a report in a variety of formats.
- The following tools are some that offer report generators displaying bookmarked evidence: EnCase, FTK, ILook, X-Ways Forensics, and ProDiscover.

Computer Forensics Software Tools

Whether you use a suite of tools or a task-specific tool, you have the option of selecting one that enables you to analyze digital evidence.

Computer forensics software tools have 3 types:
1. Command-Line Forensics Tools
2. UNIX/Linux Forensics Tools
3. Other GUI Forensics Tools

Computer Forensics Software Tools

Command-Line Forensics Tools
- Used mostly for old PCs.
- The first tools that analyzed and extracted data from floppy disks and hard disks were MS-DOS tools for IBM PC file systems.
- One of the first MS-DOS tools used for computer investigations was Norton DiskEdit. This tool used manual processes that required investigators to spend considerable time on a typical 500 MB drive.
- One advantage of using command-line tools for an investigation is that they require few system resources because they're designed to run in minimal configurations.
- In fact, most tools fit on bootable media (floppy disk, USB drive, CD, or DVD).

Computer Forensics Software Tools

UNIX/Linux Forensics Tools
- The *nix platforms have long been the primary command-line OSs.
- However, with GUIs now available with *nix platforms, these OSs are becoming more popular with home and corporate end users.
- Some of the popular tools are:

SMART
- SMART is designed to be installed on numerous Linux versions, including Gentoo, Fedora, SUSE, Debian, Knoppix, Ubuntu, Slackware, and more.
- You can analyze a variety of file systems with SMART; for a list of file systems or to download an evaluation ISO image for SMART and SMART Linux, go to www.asrdata2.com.

Computer Forensics Software Tools

- SMART includes several plug-in utilities. This modular approach makes it possible to upgrade SMART components easily and quickly.
- Another useful option in SMART is the hex viewer. Hex values are color-coded to make it easier to see where a file begins and ends.
- SMART also offers a reporting feature. Everything you do during your investigation with SMART is logged, so you can select what you want to include in a report, such as bookmarks.

Computer Forensics Software Tools

Helix
- One of the easiest suites to use because of its user interface.
- What's unique about Helix is that you can load it on a live Windows system, and it loads as a bootable Linux OS from a cold boot.
- Its Windows component is used for live acquisitions. Some international courts have not accepted live acquisitions as a valid forensics practice.
- During corporate investigations, often you need to retrieve RAM and other data, such as the suspect's user profile, from a workstation or server that can't be seized or turned off. That's why Helix is used.

Figure: The Helix menu

Computer Forensics Software Tools

BackTrack
- BackTrack is another Linux Live CD used by many security professionals and forensics investigators. It includes a variety of tools and has an easy-to-use interface.

Autopsy and Sleuth Kit
- Sleuth Kit is a Linux forensics tool, and Autopsy is the GUI browser interface for accessing Sleuth Kit's tools.

Knoppix-STD
- Knoppix Security Tools Distribution (STD) is a collection of tools for configuring security measures, including computer and network forensics.
- It doesn't allow you to alter or damage the system you're analyzing.

Figure: The Knoppix-STD information window in Windows

Computer Forensics Software Tools

Other GUI Forensics Tools
- Several software vendors have introduced forensics tools that work in Windows.
- These GUI tools have also simplified training for beginning examiners.
- Most GUI tools are put together as suites of tools. For example, the largest GUI tool vendors (Technology Pathways, AccessData, and Guidance Software) offer tools that perform most of the tasks.
- As with all software, each suite has its strengths and weaknesses.

Computer Forensics Software Tools

Other GUI Forensics Tools
- GUI tools have several advantages, such as:
  - ease of use
  - the capability to perform multiple tasks
  - no requirement to learn older OSs
- Their disadvantages:
  - excessive resource requirements (needing large amounts of RAM, for example)
  - producing inconsistent results because of the type of OS used, such as Windows Vista 32-bit or 64-bit systems
  - creating investigators' dependence on using only one tool
- In some situations, GUI tools don't work and a command-line tool is required.

Computer Forensics Hardware Tools

- Technology changes rapidly, and hardware manufacturers have designed most computer components to last about 18 months between failures.
- For this reason, you should schedule equipment replacements periodically, ideally every 18 months if you use the hardware full time.
- Most computer forensics operations use a workstation 24 hours a day for a week or longer between complete shutdowns.
- Forensics hardware covers the following issues:
  - Forensic Workstations
  - Using a Write-Blocker

Computer Forensics Hardware Tools

Forensic Workstations
- The more diverse your investigation environment, the more options you need.
- In general, forensic workstations can be divided into the following categories:
  - Stationary workstation: a tower with several bays and many peripheral devices
  - Portable workstation: a laptop computer with a built-in LCD monitor and almost as many bays and peripherals as a stationary workstation
  - Lightweight workstation: usually a laptop computer built into a carrying case with a small selection of peripheral options

Computer Forensics Hardware Tools

Forensic Workstations
- When considering options to add to a basic workstation, keep in mind that PCs have limitations on how many peripherals they can handle.
- The more peripherals you add, the more potential problems you might have, especially if you're using an older version of Windows.
- You must learn to balance what you actually need with what your system can handle.

Computer Forensics Hardware Tools

Using a Write-Blocker
- The first item you should consider for a forensic workstation is a write-blocker.
- Write-blockers protect evidence disks by preventing data from being written to them.
- Software and hardware write-blockers perform the same function but in a different fashion.
- Software write-blockers, such as PDBlock from Digital Intelligence, typically run in a shell mode (for example, DOS). PDBlock changes interrupt 13 of a workstation's BIOS to prevent writing to the specified drive. If you attempt to write data to the blocked drive, an alarm sounds, advising that no writes have occurred.

Computer Forensics Hardware Tools

Using a Write-Blocker
- Hardware write-blockers are ideal for GUI forensics tools. They prevent the OS from writing data to the blocked drive.
- Hardware write-blockers act as a bridge between the suspect drive and the forensic workstation.
- In the Windows environment, when a write-blocker is installed on an attached drive, the drive appears as any other attached disk. You can navigate to the blocked drive with any Windows application.
- When you copy data to the blocked drive or write updates to a file with Word, Windows shows that the data copy is successful. However, the write-blocker actually discards the written data; in other words, data is written to null.

Computer Forensics Hardware Tools

Using a Write-Blocker
- When you restart the workstation and examine the blocked drive, you won't see the data or files you copied to it previously.
- Many vendors have developed write-blocking devices that connect to a computer through FireWire, USB 2.0, SATA, and SCSI controllers.
- Most of these write-blockers enable you to remove and reconnect drives without having to shut down your workstation, which saves time in processing the evidence drive.
- For more information on write-blocker specifications, visit www.cftt.nist.gov. The following vendors provide write-blocking devices:
  - www.digitalintelligence.com
  - www.forensicpc.com

Figure: ULTRAKIT, which contains various types of write-blockers

Validating and Testing Forensics Software

- Now that you have selected some tools to use, you need to make sure the evidence you recover and analyze can be admitted in court.
- To do this, you must test and validate your software.
- The following slides discuss validation tools available at the time of this writing and how to develop your own validation protocols.

Using National Institute of Standards and Technology (NIST) Tools

- The National Institute of Standards and Technology publishes articles, provides tools, and creates procedures for testing and validating computer forensics software.
- Software should be verified to improve evidence admissibility in judicial proceedings.
- NIST sponsors the Computer Forensics Tool Testing (CFTT) project to manage research on computer forensics tools. For additional information on this testing project, visit www.cftt.nist.gov.
- NIST has created criteria for testing computer forensics tools. The criteria are based on standard testing methods and ISO 17025 criteria for testing items that have no current standards.

Using National Institute of Standards and Technology (NIST) Tools

Your lab must meet the following criteria and keep accurate records so that when new software and hardware become available, testing standards are in place for your lab:
1. Establish categories for computer forensics tools: group computer forensics software according to categories, such as forensics tools designed to retrieve and trace e-mail.
2. Identify computer forensics category requirements: for each category, describe the technical features or functions a forensics tool must have.
3. Develop test assertions: based on the requirements, create tests that prove or disprove the tool's capability to meet the requirements.

Using National Institute of Standards


and
Identify
test casesFind
create types of cases to
Technology
(NIST)orTools

4.

investigate with the forensics tool, and identify


information to retrieve from a sample drive or other
media.

5.

6.

For example, use the image of a closed case file created with a
trusted forensics tool to test a new tool in the same category
and see whether it produces the same results.

Establish a test methodConsidering the tools


purpose and design, specify how to test it.
Report test resultsDescribe the test results in a report
that complies with ISO 17025, which requires accurate,
clear, unambiguous, and objective test reports.

In addition, NIST created the National Software Reference Library (NSRL) project with the goal of collecting all known hash values for commercial software and OS files.
The primary hash NSRL uses is SHA-1, which generates a known set of digital signatures called the Reference Data Set (RDS).
SHA-1 is less prone to collisions than other hashing methods, such as MD5 or CRC-32, so it identifies known files more accurately.
The purpose of collecting known hash values is to reduce the number of known files, such as OS or program files, included in a forensics examination of a drive so that only unknown files are left.
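The known-file filtering described above, as an added example that is not part of the course slides and not NIST's or NSRL's own code. The hash-set text is generated at runtime from constructed "known" files, using the column layout assumed here for the legacy NSRL RDS text file ("SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"); all file contents, names and codes are constructed samples. It goes slightly beyond the slide by showing why matching on the content hash, not the file name, is what makes the filter useful: a renamed known file is still filtered out, while a modified copy of a known file stays in scope.

```python
"""Known-file filtering with an NSRL-style hash set (added example)."""
import csv
import hashlib
import io
import zlib

# Assumed column layout of the legacy NSRL RDS text file.
RDS_HEADER = '"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"'

# Constructed stand-ins for known OS/program files (not real binaries).
KNOWN_FILES = {
    "notepad.exe": b"MZ constructed known program file 1",
    "kernel32.dll": b"MZ constructed known OS file 2",
}


def rds_record(content: bytes, name: str, product_code: str = "9001") -> str:
    """Format one RDS-style record for a constructed known file."""
    fields = (
        hashlib.sha1(content).hexdigest().upper(),
        hashlib.md5(content).hexdigest().upper(),
        "%08X" % (zlib.crc32(content) & 0xFFFFFFFF),
        name,
        str(len(content)),
        product_code,   # constructed ProductCode
        "OS01",         # constructed OpSystemCode, not a real NSRL code
        "",
    )
    return ",".join('"%s"' % f for f in fields)


def build_sample_rds() -> str:
    """Return a small RDS-style text (constructed) covering KNOWN_FILES."""
    lines = [RDS_HEADER] + [rds_record(c, n) for n, c in KNOWN_FILES.items()]
    return "\n".join(lines) + "\n"


def load_known_sha1(rds_text: str) -> set:
    """Parse RDS text and return the set of known SHA-1 digests (lowercase hex).

    A real RDS has tens of millions of rows; the same loop works, but you
    would stream it into a database or an on-disk set rather than RAM.
    """
    reader = csv.DictReader(io.StringIO(rds_text))
    return {row["SHA-1"].strip().lower() for row in reader}


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def triage(examined: dict, known: set) -> tuple:
    """Split examined files (path -> bytes) into (known_paths, unknown_paths).

    Matching is by content hash only: a renamed known file is still filtered
    out, while a known file changed by even one byte falls through as unknown.
    """
    known_paths, unknown_paths = [], []
    for path, data in sorted(examined.items()):
        (known_paths if sha1_hex(data) in known else unknown_paths).append(path)
    return known_paths, unknown_paths


# Constructed drive contents: two untouched known files, one renamed copy,
# one modified copy and one user document.
EXAMINED = {
    "Windows/notepad.exe": KNOWN_FILES["notepad.exe"],
    "Windows/System32/kernel32.dll": KNOWN_FILES["kernel32.dll"],
    "Users/alice/Pictures/holiday.jpg": KNOWN_FILES["notepad.exe"],        # renamed known file
    "Users/alice/notepad.exe": KNOWN_FILES["notepad.exe"] + b" modified",  # altered known file
    "Users/alice/plan.docx": b"constructed user document",
}

if __name__ == "__main__":
    known_set = load_known_sha1(build_sample_rds())
    known_paths, unknown_paths = triage(EXAMINED, known_set)
    print("filtered as known:", known_paths)
    print("left for examination:", unknown_paths)
```

Running the block prints three paths filtered as known (including the renamed copy under Pictures) and two left for examination: the modified copy and the user document.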

Using Validation Protocols

After retrieving and examining evidence data with one tool, you should verify your results by performing the same tasks with other similar forensics tools.
For example, after you use one forensics tool to retrieve disk data, you use another to see whether you retrieve the same information.
Investigators must be confident in a tool's capability to produce consistent and accurate findings during analysis.
Understanding how the tool works is equally important.
One way to compare results and verify a new tool is by using a disk editor, such as Hex Workshop or WinHex, to view data on a disk in its raw format.
Disk editors typically show files, file headers, file slack, RAM slack, and other data on the physical disk.
Disk editors are reliable and capable of accessing sectors of the digital evidence to verify your findings.
If you decide to use a Computer Forensics Examination Protocol, follow these recommended steps:
1. First, conduct your investigation of the digital evidence with one GUI tool.
2. Then perform the same investigation with a disk editor to verify that the GUI tool is seeing the same digital evidence in the same places on the test or suspect drive's image.
3. If a file is recovered, obtain the hash value with the GUI tool and the disk editor, and then compare the results to verify whether the file has the same value in both tools.
Many investigators in both the public and private sectors use FTK and EnCase as their choice of flagship forensics software suites, but they don't rely on them solely; investigators' software libraries often include other forensics utilities to supplement these tools' capabilities.

Computer Forensics Tool Upgrade Protocol

In addition to verifying your results by using two disk-analysis tools, you should test all new releases and OS patches and upgrades to make sure they're reliable and don't corrupt evidence data.
New releases and OS upgrades and patches can affect the way your forensics tools perform.
If you determine that a patch or upgrade isn't reliable, don't use it on your forensic workstation until the problem has been fixed.
If a problem exists, such as not being able to read old image files with the new release or the disk editor generating errors after you apply the latest service pack, you can file an error report with the vendor.
In most cases, the vendor addresses the problem and provides a new patch, which you should check with another round of validation testing.
The best way to test is to build a test hard disk that stores data in unused space allocated for a file, also known as file slack.
You can then use a forensics tool to retrieve it.
If you can retrieve the data with that tool and verify your findings with a second tool, you know the tool is reliable.
As computer forensics tools continue to evolve, you should check the Web for new editions, updates, patches, and validation tests for your tools.
Always validate what the hardware or software tool is doing as opposed to what it's supposed to be doing. Be confident and knowledgeable about the capabilities of your forensics toolbox.
Remember to test and document why a tool does or doesn't work the way it's supposed to.
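The test-disk technique just described, together with the examination-protocol steps from the Using Validation Protocols slides (recover with one tool, confirm with a disk editor, compare hash values), as an added example that is not part of the course slides and not code from any vendor tool. The image uses a constructed toy layout (512-byte sectors, 4-sector clusters, a single 8-byte "directory entry" at offset 0) rather than a real file system; the planted marker and file contents are constructed. Path A trusts the file-system metadata the way a GUI forensics tool would; path B performs a raw keyword search the way you would in a disk editor. The tool passes the test only when both paths agree on the slack offset and the SHA-1 of the recovered region.

```python
"""Plant data in file slack on a test image and cross-validate two recovery paths (added example)."""
import hashlib
import struct

SECTOR = 512
CLUSTER = 4 * SECTOR                 # 2048-byte allocation unit (constructed layout)
DIR_ENTRY = struct.Struct("<II")     # toy directory entry: logical file size, first data cluster


def clusters_for(size: int) -> int:
    """Number of whole clusters allocated to a file of `size` bytes."""
    return -(-size // CLUSTER)


def build_test_image(file_content: bytes, slack_marker: bytes, num_clusters: int = 8) -> bytes:
    """Return a zero-filled image holding one file with `slack_marker` planted in its slack."""
    img = bytearray(num_clusters * CLUSTER)
    first_cluster = 1                            # cluster 0 holds the toy directory entry
    DIR_ENTRY.pack_into(img, 0, len(file_content), first_cluster)
    start = first_cluster * CLUSTER
    img[start:start + len(file_content)] = file_content
    # File slack: bytes from logical EOF to the end of the last allocated cluster.
    slack_start = start + len(file_content)
    slack_end = start + clusters_for(len(file_content)) * CLUSTER
    if len(slack_marker) > slack_end - slack_start:
        raise ValueError("marker does not fit in the file slack")
    img[slack_start:slack_start + len(slack_marker)] = slack_marker
    return bytes(img)


def slack_via_metadata(img: bytes):
    """Path A (GUI-tool style): use the directory entry to locate the slack -> (offset, bytes)."""
    size, first_cluster = DIR_ENTRY.unpack_from(img, 0)
    start = first_cluster * CLUSTER
    slack_start = start + size
    slack_end = start + clusters_for(size) * CLUSTER
    return slack_start, img[slack_start:slack_end]


def slack_via_raw_search(img: bytes, keyword: bytes):
    """Path B (disk-editor style): raw search -> (offset, bytes to cluster end) or None."""
    offset = img.find(keyword)
    if offset < 0:
        return None
    cluster_end = (offset // CLUSTER + 1) * CLUSTER
    return offset, img[offset:cluster_end]


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def cross_validate(img: bytes, keyword: bytes) -> dict:
    """Compare both paths; 'agree' is True only if offsets and SHA-1 values match."""
    offset_a, slack_a = slack_via_metadata(img)
    found = slack_via_raw_search(img, keyword)
    if found is None:
        return {"agree": False, "reason": "keyword not found by raw search"}
    offset_b, slack_b = found
    result = {
        "offset_a": offset_a, "offset_b": offset_b,
        "sha1_a": sha1_hex(slack_a), "sha1_b": sha1_hex(slack_b),
    }
    result["agree"] = offset_a == offset_b and result["sha1_a"] == result["sha1_b"]
    return result


# Constructed test data: a 3000-byte file spans two clusters and leaves
# 1096 bytes of slack, in which a recognisable marker is planted.
TEST_FILE = b"A" * 3000
MARKER = b"CONSTRUCTED-SLACK-MARKER-0001"

if __name__ == "__main__":
    image = build_test_image(TEST_FILE, MARKER)
    print(cross_validate(image, MARKER))      # both paths agree
    print(cross_validate(image, b"AAAA"))     # hit in the file body, not the slack: must not agree
```

The second call in the main block is the failure mode worth keeping in your own protocol: a raw keyword hit that lands somewhere other than where the metadata path says the data is means one of the two tools is wrong about the layout, and the disagreement, not the hit, is what you document.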

Chapter Summary

acquisition: The process of creating a duplicate image of data; one of the five required functions of computer forensics tools.
brute-force attack: The process of trying every combination of characters (letters, numbers, and special characters typically found on a keyboard) to find a matching password or passphrase value for an encrypted file.
Computer Forensics Tool Testing (CFTT): A project sponsored by the National Institute of Standards and Technology to manage research on computer forensics tools.
discrimination: The process of sorting and searching through investigation data to separate known good data from suspicious data; along with validation, one of the five required functions of computer forensics tools.
extraction: The process of pulling relevant data from an image and recovering or reconstructing data fragments; one of the five required functions of computer forensics tools.
keyword search: A method of finding files or other information by entering relevant characters, words, or phrases in a search tool.
National Software Reference Library (NSRL): A NIST project with the goal of collecting all known hash values for commercial software and OS files.
password dictionary attack: An attack that uses a collection of words or phrases that might be passwords for an encrypted file. Password recovery programs can use a password dictionary to compare potential passwords to an encrypted file's password or passphrase hash values.
reconstruction: The process of rebuilding data files; one of the five required functions of computer forensics tools.
validation: The process of checking the accuracy of results; along with discrimination, one of the five required functions of computer forensics tools.
write-blocker: A hardware device or software program that prevents a computer from writing data to an evidence drive. Software write-blockers typically alter interrupt 13 write functions to a drive in a PC's BIOS. Hardware write-blockers are usually bridging devices between a drive and the forensic workstation.

THE END