
We will now briefly examine some, but not all, of the forensic resources and tools that are employed in the law enforcement community.


The forensic aspects of the major operating systems will also be discussed. The tools will be examined on the basis of their major functional category including duplication, authentication, search, forensic analysis, and file viewing tools.

1. Operating Systems: MS-DOS, Windows, BeOS, Linux

MS-DOS is one of the most widely known operating systems in existence.

Depending on the version, its strength is its relative simplicity and the fact that only three files are really required to have a functional operating system: COMMAND.COM, MSDOS.SYS, and IO.SYS.

Windows is the most forensically invasive operating system. Windows versions have only recently been utilized for forensic duplication, due to the development of hardware write-blocking devices that prevent the operating system from altering the evidentiary magnetic media. Microsoft Windows' strength lies in its market pervasiveness and the fact that comprehensive forensic analysis tools like FTK and EnCase have been developed to run on it.

BeOS is a high-performance operating system, similar in some ways to Linux, that provides professional users and enthusiasts with an environment to quickly and easily develop applications and content, and it is designed to facilitate the integration of new technologies. It can be used for media acquisition because it does not automatically attempt to mount magnetic media that is connected to it.

Just like BeOS, Linux can also be used for media acquisition. Linux also includes many powerful low-level and file utilities that can be employed for forensic purposes. It natively incorporates support to mount and analyze many different types of file systems, both attached locally and over a network, using a capability known as the network block device. It is a very powerful OS from a forensic point of view.

2. Duplication: many sector-imaging and duplication tools are available: Safeback, Snapback DatArrest, EnCase and FastBloc, ByteBack, Disk Image Backup System (DIBS), Vogon evidential hardware, Norton Ghost, dd, ICS Image MASSter Solo 2 forensic systems.

Safeback was designed as an evidence-processing tool with error-checking built into every phase of the evidence backup and restoration process. A command-line-based utility executed from a controlled boot disk, it has not changed all that significantly over the past 12 years and continues to be in use with many law enforcement and government agencies worldwide.

Snapback DatArrest is a command-line-based imaging utility that is easy to use and has particular strength in imaging SCSI disk drives.

FastBloc is a hardware write-blocking device that allows forensic acquisition of an IDE hard drive using EnCase in the Microsoft Windows environment, which provides greatly increased acquisition speed.

ByteBack is a command-line forensic duplication utility. ByteBack's data recovery heritage is apparent in its number of data recovery features, including the ability to rebuild lost data structures such as partition tables and FATs.

DIBS is an integrated hardware and software imaging and analysis system. Unlike other forensic systems, it employs a SCSI MOD (magneto-optical disk) system to store evidentiary images.

Vogon, another U.K. company, markets another integrated hardware and software imaging and analysis solution. The Vogon hardware adopts a different approach from other imaging systems in that it utilizes high-capacity, 200 GB Hewlett-Packard LTO Ultrium SCSI tape drives as the imaging media.

Norton Ghost is a widely utilized commercial system backup and recovery program from Symantec. In standard use, Ghost does not meet forensic requirements because it does not produce a true image but instead interprets information from the master boot record and partition tables. With the use of certain command-line switches, particularly the image raw (IR) switch, however, Ghost can be utilized to create forensically sound clones and images.

dd is a low-level file utility that is included with most distributions of UNIX and Linux, and it is potentially the lowest-cost forensic imaging utility.

The ICS Image MASSter Solo 2 is an integrated hand-held duplication system that is in use with the U.S. Secret Service and other law enforcement agencies around the world. It is capable of imaging and cloning multiple IDE and SCSI drives and maintains an audit trail of all device activities.
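Two properties separate a forensic duplicator from an ordinary copy: a read error must not shift every later sector in the image, and every event must land in an audit trail that explains later hash mismatches. The following added example (not code from the page or from any of the products above) shows both on a constructed in-memory "device" with one unreadable sector, mirroring the `dd conv=noerror,sync` behaviour: the bad sector is zero-filled, a short trailing sector is padded, and the image is then authenticated by hash. The 512-byte sector size and the `SimulatedDevice` class are assumptions for the illustration.

```python
import hashlib

SECTOR_SIZE = 512  # assumption: classic 512-byte sectors


class SimulatedDevice:
    """Constructed stand-in for a raw block device. Sectors listed in
    bad_sectors raise OSError on read, like damaged areas of a real disk."""

    def __init__(self, data: bytes, bad_sectors=()):
        self.data = data
        self.bad = set(bad_sectors)
        self.sector_count = (len(data) + SECTOR_SIZE - 1) // SECTOR_SIZE

    def read_sector(self, n: int) -> bytes:
        if n in self.bad:
            raise OSError(f"I/O error reading sector {n}")
        return self.data[n * SECTOR_SIZE:(n + 1) * SECTOR_SIZE]


def image_device(dev: SimulatedDevice):
    """Sector-by-sector copy with the semantics of `dd conv=noerror,sync`:
    an unreadable sector is logged and replaced by zeros so that later sectors
    keep their offsets in the image, and a short last sector is padded to a
    full sector. Every event goes into an audit trail."""
    image = bytearray()
    audit = []
    for n in range(dev.sector_count):
        try:
            chunk = dev.read_sector(n).ljust(SECTOR_SIZE, b"\x00")
        except OSError as exc:
            audit.append(f"sector {n}: {exc}; written as zeros")
            chunk = b"\x00" * SECTOR_SIZE
        image += chunk
    audit.append(f"imaged {dev.sector_count} sectors into {len(image)} bytes")
    return bytes(image), audit


def digests(data: bytes) -> dict:
    """MD5 and SHA-1 of a byte string, the values recorded for authentication."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}


def verify_image(dev: SimulatedDevice, image: bytes) -> bool:
    """The image is authenticated when its hashes equal those of the (padded)
    source. With a zero-filled sector this must fail, and the audit trail is
    what accounts for the mismatch."""
    padded = dev.data.ljust(dev.sector_count * SECTOR_SIZE, b"\x00")
    return digests(padded) == digests(image)


# Constructed sample media: two full sectors plus a short third one.
SAMPLE = (b"boot".ljust(SECTOR_SIZE, b"B")
          + b"data".ljust(SECTOR_SIZE, b"D")
          + b"tail".ljust(100, b"T"))

if __name__ == "__main__":
    clean = SimulatedDevice(SAMPLE)
    img, log = image_device(clean)
    print(verify_image(clean, img), log)       # True
    damaged = SimulatedDevice(SAMPLE, bad_sectors=[1])
    img, log = image_device(damaged)
    print(verify_image(damaged, img), log)     # False, sector 1 zero-filled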

3. Authentication: authentication is a critically important element of the forensic process and should take place at many stages. The various tools are: 1. Hash, 2. md5sum, 3. Hashkeeper, 4. National Software Reference Library.

Hash is a command-line program that calculates a 32-bit cyclic redundancy check (CRC), a 128-bit MD5 hash or a 160-bit SHA-1 hash of a file, supporting file signature analysis.

md5sum is a GNU implementation of the MD5 algorithm for the UNIX and Linux operating systems.

Hashkeeper is a Microsoft Access database used to maintain a record of MD5 hash sets for forensic use. It also maintains specialized hash sets related to child pornography and narcotics and is available only to law enforcement authorities.

The National Software Reference Library is similar to Hashkeeper in that it provides a set of OWHF (one-way hash function) reference data derived from MD5 that can be used to reduce the number of files that have to be reviewed or examined during an investigation.
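The hashing and hash-set passages above describe one workflow: compute a digest per file, then use published reference sets to eliminate known software and flag notable files, so that only the remainder needs manual review. The following added example (not from the page or from any of the named tools) implements that triage on a constructed set of files. The file names, contents and the notable set are invented; the two reference MD5 values in `KNOWN_GOOD` are the standard test vectors for `"abc"` and the empty string, standing in for entries an NSRL-style library would publish.

```python
import hashlib
import zlib


def file_digests(data: bytes) -> dict:
    """What a hashing utility reports for one file: the 32-bit CRC, the 128-bit
    MD5 and the 160-bit SHA-1, each as lowercase hex. The CRC is an error check,
    not a cryptographic hash, so only MD5/SHA-1 are used for set matching."""
    return {
        "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08x}",
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def triage(files: dict, known_good: set, known_notable: set) -> dict:
    """Reduce the review set with reference hash sets: files whose MD5 is in
    the known-software set are eliminated, files in the notable set are
    flagged, and everything else remains for manual review. Notable matches
    are checked first so that a file on both lists is never silently dropped."""
    result = {"eliminated": [], "flagged": [], "remaining": []}
    for name, data in sorted(files.items()):
        md5 = hashlib.md5(data).hexdigest()
        if md5 in known_notable:
            result["flagged"].append(name)
        elif md5 in known_good:
            result["eliminated"].append(name)
        else:
            result["remaining"].append(name)
    return result


# Constructed sample "drive": the names and contents are stand-ins.
SAMPLE_FILES = {
    "WINDOWS/NOTEPAD.EXE": b"abc",      # stands in for a known operating-system file
    "Temp/~WRL0001.tmp": b"",           # empty temporary file
    "Documents/memo.txt": b"meeting moved to friday\n",
    "Downloads/tool.bin": b"xyz",       # stands in for a file on a notable list
}
# Constructed reference sets: published MD5 test vectors for "abc" and "".
KNOWN_GOOD = {"900150983cd24fb0d6963f7d28e17f72", "d41d8cd98f00b204e9800998ecf8427e"}
KNOWN_NOTABLE = {hashlib.md5(b"xyz").hexdigest()}

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(name, file_digests(data))
    print(triage(SAMPLE_FILES, KNOWN_GOOD, KNOWN_NOTABLE))
```

The review set shrinks from four files to one, which is exactly the reduction the reference libraries exist to provide; the audit value of the run is the digest listing, which lets a second examiner reproduce the decision.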

4. Search: the search tools covered are dtSearch, DiskSearch Pro, Net Threat Analyzer, String Search, grep, File Extractor, Foremost.

dtSearch was created by dtSearch Corporation. It is a full-text search and retrieval engine for the Windows environment. It makes use of indexes and is very fast.

DiskSearch Pro was created by New Technologies Inc. It is a command-line text search engine that is able to search through both active files and free and unallocated space, employing fuzzy logic technology. It is able to deal with embedded and encoded text formats and can search on up to 250 keywords simultaneously.

Net Threat Analyzer was previously known as IP Filter. Created by New Technologies Inc., it is a command-line search tool designed to detect text strings specifically related to Internet usage, including e-mail, Web browsing and file downloads.

String Search is a command-line text search engine designed to search data on the basis of keywords at the logical file system level.

grep is a UNIX/Linux low-level, regular-expression text string search utility that is extremely powerful. It is able to search through active files, unallocated space, or a hard drive at the raw device level.

File Extractor is specifically designed to search through unallocated space on hard drives, or contained in forensic image files, at the binary level for hexadecimal values that represent specific file headers of interest to the computer forensic examiner. File Extractor is then able to sequentially extract an arbitrarily specified amount of data past the file header and write it to a file of the same type as the detected header. It is very useful for recovering deleted or partially overwritten files where the header is still intact, particularly graphics files.

Foremost provides a similar type of functionality to File Extractor, but for Linux. It is available as a separate package or as part of the FIRE forensic Linux distribution.
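The header-based recovery that File Extractor and Foremost perform is easy to see on a small buffer. The following added example (not code from the page or from either tool) scans a constructed block of "unallocated space" for JPEG and PNG headers. Where the matching footer is found within a window it cuts the file there; where the footer is gone, as with a partially overwritten file, it falls back to taking a fixed amount of data past the intact header, which is the behaviour the page describes for File Extractor. The signature table, the `max_len` window and the sample buffer are assumptions of the illustration; the header and footer bytes are the standard ones from the public JPEG and PNG specifications.

```python
import re

# Header/footer signatures taken from the public file-format specifications.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(blob: bytes, max_len: int = 4096) -> list:
    """Scan raw bytes for known headers. If the matching footer appears within
    max_len bytes of the header, the carved file ends at the footer (complete);
    otherwise a fixed max_len bytes past the header are taken (truncated),
    because the header is intact even though the tail may be overwritten."""
    found = []
    for ext, (header, footer) in SIGNATURES.items():
        for m in re.finditer(re.escape(header), blob):
            start = m.start()
            window = blob[start:start + max_len]
            end = window.find(footer, len(header))
            if end != -1:
                found.append({"offset": start, "ext": ext, "complete": True,
                              "data": window[:end + len(footer)]})
            else:
                found.append({"offset": start, "ext": ext, "complete": False,
                              "data": window})
    found.sort(key=lambda f: f["offset"])
    return found


# Constructed unallocated space: zero filler with two intact files and one
# JPEG whose tail (and footer) has been overwritten.
FILLER = b"\x00" * 64
JPG_OK = b"\xff\xd8\xff\xe0" + b"J" * 20 + b"\xff\xd9"
PNG_OK = b"\x89PNG\r\n\x1a\n" + b"P" * 30 + b"IEND\xaeB`\x82"
JPG_CUT = b"\xff\xd8\xff\xe1" + b"T" * 10
UNALLOCATED = FILLER + JPG_OK + FILLER + PNG_OK + FILLER + JPG_CUT + FILLER

if __name__ == "__main__":
    for f in carve(UNALLOCATED):
        state = "complete" if f["complete"] else "truncated"
        print(f"offset {f['offset']}: {f['ext']} {state}, {len(f['data'])} bytes")
```

Output files would be named `<offset>.<ext>` in a real run; the offset is kept in the record because it is what ties a recovered file back to its location on the evidentiary media.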

5. Analysis: the available tools are Expert Witness, Forensic Toolkit, EnCase, Ilook Investigator, WinHex, Curses Hexedit, Automated Computer Examination System, ForensiX, Storage Media Archival and Recovery Tool Kit, Datalifter v2.0 forensic support tools, NetAnalysis.

Expert Witness was the first fully integrated forensic data acquisition and analysis program designed on the basis of the specifications and requirements of the law enforcement community. It was initially developed for the Macintosh platform but was then ported to the Microsoft Windows environment.

Forensic Toolkit is a relatively new and fully integrated forensic data acquisition and analysis program that integrates a number of extremely powerful features not found in other forensic analysis suites, including integrated dtSearch technology.

EnCase is a fully integrated forensic data acquisition and analysis program widely used in commercial forensics.

Ilook Investigator is designed to examine image files of seized computer systems that have been made with Safeback, dd, EnCase or any other utility.

No forensics toolkit is complete without a powerful hex editor program for low-level file analysis and WinHex, by Stefan Fleischmann from X-Ways AG, fills this role admirably.

A powerful hex editor program for the UNIX/Linux environment is [N] Curses Hexedit.

The Automated Computer Examination System is designed for the Microsoft Windows NT4 platform.

ForensiX is a law-enforcement-only integrated forensic data acquisition and analysis program designed for the Linux operating system.

The Storage Media Archival and Recovery Tool Kit is a very powerful integrated forensic data acquisition and analysis program designed for the Linux and BeOS operating systems. It combines sanitization, acquisition, authentication, and analysis.

Datalifter v2.0 is a suite of 10 tools supporting recovery and analysis of data from both cloned drives and sector image files.

NetAnalysis is a forensic Internet history analysis tool currently in beta testing. It supports analysis of browser use, file downloads, etc.

6. File Viewers: Quick View Plus, IrfanView32, Resplendent Registrar, GUIDClean, Unmozify

Quick View Plus is probably the best known general file viewing utility available. It has support for almost all document, presentation, and graphic formats, making it an invaluable tool for the computer forensic examiner.

IrfanView32 is a very fast 32-bit graphics viewer that supports almost all image formats in use on the Internet, and plugins are available that support many movie formats.

Resplendent Registrar allows detailed examination of Microsoft Windows registry files with more advanced features. It supports searching, bookmarking, and printing details of relevant keys.

GUIDClean is a freeware program that allows detection and display of the Globally Unique Identifiers (GUIDs) that Microsoft Windows 98 and some versions of Microsoft Word and Excel, prior to MS Office 2000, placed in documents. The GUID is based on the MAC address of the system's network card, if one is present, allowing tracking of documents to the system on which they were authored.
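The tracking described above works because a version-1 GUID carries the generating host's 48-bit node field, which is the network card's MAC address when one was present. The following added example (not code from the page or from GUIDClean) decodes that field from a GUID string with the standard `uuid` module: it checks that the GUID is version 1 (no other version carries a node), reads the node as a MAC address, and inspects the multicast bit, which a generator sets when it substituted a random value for a real MAC. The sample GUID literal and the OUI it contains are constructed for the illustration.

```python
import uuid


def guid_origin(guid_text: str) -> dict:
    """Report what a document GUID reveals about the authoring machine.
    Only version-1 GUIDs embed a node field; if the multicast bit of that
    field is clear, the node is a hardware MAC address, otherwise the
    generator used a random value and no machine can be identified."""
    g = uuid.UUID(guid_text.strip("{}"))
    if g.version != 1:
        return {"version": g.version, "mac": None, "randomized": None}
    node = g.node                      # 48-bit node field of a version-1 GUID
    mac = ":".join(f"{(node >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))
    randomized = bool((node >> 40) & 0x01)   # multicast bit set => not a real MAC
    return {"version": 1, "mac": mac, "randomized": randomized}


# Constructed sample: a version-1 GUID in the braced form Office stored,
# whose node field 00:a0:c9:11:22:33 is invented for this example.
SAMPLE_DOC_GUID = "{d9c8c4e2-1b20-11d3-8c43-00a0c9112233}"

if __name__ == "__main__":
    print(guid_origin(SAMPLE_DOC_GUID))
    print(guid_origin(str(uuid.uuid4())))    # version 4: nothing to recover
```

The same check is the reason GUIDClean is a useful privacy tool as well as an examiner's tool: a document whose GUID decodes to a unicast MAC address is linkable to a specific machine, which is what a policy of stripping or regenerating GUIDs before release prevents.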

Unmozify is an Internet browser offline viewer program that can be used to examine and reconstruct Web pages from browser history files and the cache directories of Internet Explorer and Netscape Navigator.
