Unit 5

The document provides an overview of forensic tools and techniques used in digital evidence processing, highlighting their importance in identifying, preserving, and analyzing digital evidence for legal purposes. It categorizes various forensic tools, discusses data recovery methods, and outlines the role of vulnerability assessment tools in investigations. Additionally, it addresses anti-forensics techniques and countermeasures to ensure the integrity of evidence.

Unit: Forensic Tools and Electronic Evidence Processing

1. Introduction to Forensic Tools

1.1 Meaning

Forensic tools are software or hardware used by digital forensic experts to identify, preserve, analyze, and
present digital evidence collected from computers, mobiles, or networks in a legally acceptable manner.

These tools are designed to ensure:

• Integrity of evidence (no tampering).
• Reproducibility of results (can be verified by other experts).
• Documentation of process (for court presentation).

1.2 Need for Forensic Tools

• Cybercrimes (like hacking, phishing, data theft) leave digital traces.
• These traces need scientific recovery and proper preservation to be used as evidence in court.
• Manual investigation is insufficient — forensic tools automate and validate evidence analysis.

1.3 Categories of Forensic Tools

Category               | Description                                 | Example Tools
-----------------------|---------------------------------------------|------------------------------------
Disk Forensics         | Recover and analyze data from hard drives   | EnCase, FTK, Autopsy
Network Forensics      | Capture and analyze network traffic         | Wireshark, NetworkMiner
Mobile Forensics       | Extract and analyze data from smartphones   | Cellebrite UFED, Oxygen
Memory (RAM) Forensics | Examine volatile data from live systems     | Volatility, Belkasoft RAM Capturer
Cloud Forensics        | Analyze data stored in cloud environments   | Magnet AXIOM Cloud, CloudCheckr
Database Forensics     | Inspect databases for manipulation or leaks | SQL Forensic Analyzer, ApexSQL
Email Forensics        | Track phishing, forgery, or fraud in emails | MailXaminer, Paraben Email Examiner

2. Usage of Slack Space and Disk Imaging Tools

2.1 What is Slack Space?

• In a computer’s storage, data is stored in clusters (fixed-size units).
• When a file doesn’t completely fill a cluster, the remaining space is called slack space.
• This space may still contain fragments of previously deleted files.

Example:
A cluster can hold 8 KB.
If a 6 KB file is saved, 2 KB of leftover space remains — that’s slack space.

Importance in Forensics:

• Hackers often hide data here to avoid detection.
• Deleted or residual data can be retrieved from slack space to uncover crucial evidence.

Tools for Slack Space Analysis:

• Autopsy/Sleuth Kit: Can analyze unused clusters.
• WinHex: Allows viewing slack and unallocated spaces.
• Hex Workshop: Shows hidden data at the byte level.
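The cluster arithmetic above, carried through in code, as an added example that is not part of the original unit and not code from any of the tools named: it computes how much slack a file leaves, builds a small constructed two-cluster image in which a deleted file's tail survives in the slack of the file written over it, and extracts that slack the way a hex viewer would display it. The 8 KB cluster size follows the unit's example; the image contents and the residue marker are assumptions made for the demonstration.

```python
# Added example, not part of the unit: slack-space arithmetic and extraction
# from a constructed raw image. The 8 KB cluster size follows the unit's
# example; the image contents and the "deleted" residue are made up here.
import math

CLUSTER_SIZE = 8 * 1024  # 8 KB clusters, as in the unit's example


def slack_bytes(file_size: int, cluster_size: int = CLUSTER_SIZE) -> int:
    """Bytes left unused in the last cluster of a file of file_size bytes.

    A 6 KB file in 8 KB clusters leaves 2 KB; a file that exactly fills its
    clusters (or an empty file) leaves none."""
    if file_size <= 0:
        return 0
    clusters_used = math.ceil(file_size / cluster_size)
    return clusters_used * cluster_size - file_size


def extract_slack(image: bytes, file_offset: int, file_size: int,
                  cluster_size: int = CLUSTER_SIZE) -> bytes:
    """Return the slack bytes after the logical end of a file that starts at
    file_offset in a raw image (what WinHex or Autopsy show as file slack)."""
    end_of_data = file_offset + file_size
    return image[end_of_data:end_of_data + slack_bytes(file_size, cluster_size)]


def build_demo_image() -> bytes:
    """Constructed two-cluster 'disk'.

    First an old file filled both clusters with a repeating marker; it was
    then deleted and a 6 KB file written at the same place. Only the first
    6 KB are overwritten, so the 2 KB slack still holds the old file's tail."""
    old_file = b"OLD-SECRET-DATA|" * (2 * CLUSTER_SIZE // 16)  # exactly 16 KB
    new_file = b"N" * (6 * 1024)
    disk = bytearray(old_file)
    disk[:len(new_file)] = new_file
    return bytes(disk)


if __name__ == "__main__":
    img = build_demo_image()
    slack = extract_slack(img, file_offset=0, file_size=6 * 1024)
    print(f"slack size: {len(slack)} bytes")   # 2048
    print(slack[:32])                          # residue of the deleted file
```

Running the script prints a 2048-byte slack region whose content is still the old file's marker text, which is exactly the residue the unit says can be recovered: the new file's data stops at 6 KB, and nothing in the file system clears the rest of the cluster.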

2.2 Disk Imaging

Definition:

Disk imaging is the process of creating an exact bit-by-bit copy of a storage device (hard disk, pen drive,
memory card, etc.).
The image contains every piece of information, including deleted and hidden files.

Purpose:

• To analyze data without altering the original evidence.
• To preserve the evidence for legal admissibility.
• To recreate the suspect’s device later if needed.

Key Principles:

1. Always use write blockers while imaging to prevent accidental writing.

2. Generate hash values (MD5/SHA-1) before and after imaging to confirm data integrity.

3. Document every step (date, tool used, investigator’s name).
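The three principles above, as one added example that is not the unit's code and not that of FTK Imager, EnCase or dd: it reads a source in fixed-size chunks, hashes it before acquisition, writes the image while hashing the copied stream, re-hashes the finished image, and appends a timestamped line for each step. The "device" is a constructed in-memory byte pattern standing in for a real drive; SHA-256 is used in place of the MD5/SHA-1 the unit names because both of those are collision-prone and many labs now record SHA-256 alongside them. The write-blocker principle is a hardware matter and is only reflected by the code never writing to the source.

```python
# Added example, not the unit's or any vendor's code: chunked acquisition of a
# source into an image with before/after hashing and a step log. The "device"
# is a constructed in-memory byte pattern standing in for a real drive, and
# SHA-256 is used instead of the MD5/SHA-1 named in the unit because those two
# are collision-prone; the write-blocker step is a hardware matter and is only
# noted here.
import datetime
import hashlib
import io

CHUNK = 1024 * 1024  # read/write 1 MiB at a time


def sha256_of_stream(stream) -> str:
    """Hash a seekable binary stream from its start, chunk by chunk."""
    stream.seek(0)
    digest = hashlib.sha256()
    for block in iter(lambda: stream.read(CHUNK), b""):
        digest.update(block)
    return digest.hexdigest()


def acquire_image(source, dest, log: list, investigator: str,
                  tool: str = "example-imager") -> dict:
    """Copy source to dest bit for bit, then verify the copy.

    Returns the pre-acquisition source hash, the hash of the written image
    and whether they agree. Every step is appended to log as a timestamped
    line, which is the 'document every step' principle in code form.
    The source is only ever read; on real media a write blocker enforces that."""
    def note(msg: str) -> None:
        stamp = datetime.datetime.now(datetime.timezone.utc).isoformat(timespec="seconds")
        log.append(f"{stamp} {investigator} {tool}: {msg}")

    note("hashing source before acquisition")
    source_hash = sha256_of_stream(source)

    note("acquiring image")
    source.seek(0)
    dest.seek(0)
    running = hashlib.sha256()
    copied = 0
    for block in iter(lambda: source.read(CHUNK), b""):
        dest.write(block)
        running.update(block)
        copied += len(block)
    note(f"acquired {copied} bytes")

    note("hashing written image for verification")
    image_hash = sha256_of_stream(dest)
    verified = source_hash == image_hash == running.hexdigest()
    note("verification " + ("PASSED" if verified else "FAILED"))
    return {"source_sha256": source_hash, "image_sha256": image_hash,
            "bytes": copied, "verified": verified}


def reverify(image_stream, recorded_sha256: str) -> bool:
    """Re-hash an image later (e.g. before each analysis session) and compare
    it with the value recorded at acquisition; False means it was altered."""
    return sha256_of_stream(image_stream) == recorded_sha256


def make_demo_device(size_mib: int = 3) -> io.BytesIO:
    """Constructed stand-in for /dev/sdX: a repeating 256-byte pattern."""
    return io.BytesIO(bytes(range(256)) * 4096 * size_mib)


def demo():
    """Acquire the demo device; returns (record, log lines, image stream)."""
    log: list = []
    image = io.BytesIO()
    record = acquire_image(make_demo_device(), image, log, investigator="examiner-01")
    return record, log, image


if __name__ == "__main__":
    rec, lines, image = demo()
    print("\n".join(lines))
    print(rec)
    image.seek(10)
    image.write(b"\xff")  # simulate a single altered byte in the stored image
    print("reverify after tampering:", reverify(image, rec["image_sha256"]))  # False
```

The final lines show why the hash is recorded at acquisition time: a single changed byte anywhere in the image makes reverify return False, so any later tampering or storage corruption is detectable before the evidence is presented.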

Common Disk Imaging Tools:

Tool               | Type                | Features
-------------------|---------------------|------------------------------------------------------------
FTK Imager         | Freeware            | Creates E01 images, previews drives, calculates hash values
EnCase Imager      | Commercial          | Advanced imaging, evidence verification
dd (Linux command) | Open source         | Creates raw images (dd if=/dev/sda of=/mnt/[Link])
Guymager           | Open source (Linux) | GUI-based imaging with compression options
Clonezilla         | Free                | Used for full disk cloning and backups

3. Data Recovery Techniques

3.1 Meaning

Data recovery in forensics refers to retrieving deleted, damaged, hidden, or lost data from digital devices for
investigation purposes.

3.2 Common Scenarios:

• Accidental deletion of files
• Formatting of drives
• System crashes
• Intentional wiping or concealment by offenders

3.3 Methods of Data Recovery

Method                     | Description                                                        | Example Tools
---------------------------|--------------------------------------------------------------------|---------------------
File Carving               | Reconstructs files from raw data using file headers and footers    | Scalpel, Foremost
Unallocated Space Analysis | Examines unused space for deleted data remnants                    | Autopsy, X-Ways
Metadata Recovery          | Extracts details like timestamps, file authors, modification dates | FTK, EnCase
Shadow Copy Recovery       | Restores old versions of files saved automatically by Windows      | ShadowExplorer
RAID Recovery              | Recovers data from RAID-configured disks                           | R-Studio, ReclaiMe Pro

3.4 Real Example:

If a suspect deletes incriminating photos, forensic tools like Autopsy can recover them from unallocated or
slack space because only file references are deleted, not the actual content.
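File carving, the first method in the table, and the point made in 3.4 (deletion removes the reference, not the content) are shown together in this added example, which is not the unit's code and not Scalpel or Foremost: it scans a raw buffer standing in for unallocated space for known headers and footers and cuts out each complete file it finds, with no file-system metadata involved at all. The buffer, the "deleted" JPEG and PNG inside it and the truncated remnant are constructed for the demonstration; the two signatures are real, but real carvers ship hundreds.

```python
# Added example, not the unit's code and not Scalpel or Foremost: header/footer
# file carving over a raw buffer that stands in for unallocated space. The
# buffer, the "deleted" JPEG and PNG inside it and the truncated remnant are
# all constructed for the demonstration.
from typing import List, Tuple

# (header, footer) pairs for two common formats; real carvers ship hundreds.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(buf: bytes, max_size: int = 10 * 1024 * 1024) -> List[Tuple[int, str, bytes]]:
    """Return (offset, type, data) for every header whose footer follows
    within max_size bytes, sorted by offset.

    The scan works on raw bytes only, so it does not need the file system's
    directory entries. That is why deleting a file (which removes only the
    reference) still leaves the content carvable until it is overwritten."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = buf.find(header)
        while pos != -1:
            end = buf.find(footer, pos + len(header), pos + max_size)
            if end == -1:
                # header with no footer in range: remnant was overwritten or
                # truncated; skip past it rather than carve garbage
                pos = buf.find(header, pos + 1)
                continue
            end += len(footer)
            found.append((pos, kind, buf[pos:end]))
            pos = buf.find(header, end)
    return sorted(found, key=lambda item: item[0])


def build_demo_unallocated() -> bytes:
    """Constructed 'unallocated space': filler with two intact deleted files
    and one JPEG remnant whose tail (and footer) was overwritten."""
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 500 + b"\xff\xd9"          # 506 bytes
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 300 + b"IEND\xaeB`\x82"   # 316 bytes
    partial_jpg = b"\xff\xd8\xff\xe0" + b"T" * 50                 # no footer
    filler = b"." * 1000
    return filler + jpg + filler + png + filler + partial_jpg + filler


if __name__ == "__main__":
    for offset, kind, data in carve(build_demo_unallocated()):
        print(f"offset {offset}: {kind}, {len(data)} bytes")
```

Two files come back whole; the third header has no footer within range and is skipped, which is the usual outcome when part of a deleted file's clusters has already been reused. Production carvers add size caps per type and format-aware validation for exactly this reason.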

4. Vulnerability Assessment Tools

4.1 Definition

Vulnerability assessment involves scanning computer systems, networks, or applications to find weaknesses
or misconfigurations that could be exploited.

4.2 Role in Forensics

 Helps investigators identify how an attacker gained access.

 Used in incident response to prevent repeated intrusions.

 Supports digital evidence correlation by matching exploited vulnerabilities.

4.3 Common Tools

Tool       | Function                          | Description
-----------|-----------------------------------|-----------------------------------------------------
Nmap       | Network scanning                  | Discovers live hosts, open ports, and services.
Nessus     | Vulnerability detection           | Finds software bugs and security flaws.
OpenVAS    | Open-source vulnerability scanner | Provides detailed reports and CVE-based findings.
Metasploit | Exploitation testing              | Tests security by simulating attacks.
Wireshark  | Network packet analysis           | Captures live traffic and detects intrusions.

Example:
After a cyberattack, a forensic expert may use Nmap to check which ports were open on the target machine
and Metasploit to replicate the intrusion.

5. Forensic Software: EnCase and FTK Tools

5.1 EnCase Forensic

Developer: Guidance Software (now OpenText).
Use: Standard professional forensic suite used by law enforcement worldwide.

Key Features:

• Acquires and preserves digital evidence (creates .E01 images).
• Analyzes file systems like NTFS, FAT, exFAT, HFS+.
• Recovers deleted or hidden files.
• Provides keyword search, bookmarking, and report generation.
• Maintains a complete chain of custody.

Example Workflow:

1. Create an image of the suspect’s drive.

2. Analyze file structure, documents, and internet history.

3. Export evidence and generate a report.

5.2 FTK (Forensic Toolkit)

Developer: AccessData.
Use: Known for its speed and database-driven indexing.

Key Features:

• Rapid searching of huge datasets.
• File decryption (password recovery supported).
• Email and chat log analysis.
• Registry and web history analysis.
• Visual representation of user activity timelines.

FTK Imager (standalone tool) is used to:

• Create forensic images in .E01, .AD1, or raw formats.
• Preview drives and files without altering data.
• Verify hash values.

Example Use:
Investigators use FTK to analyze a suspect’s laptop for illegal downloads, chat history, and hidden folders.

5.3 Comparison Between EnCase and FTK

Criteria       | EnCase                             | FTK
---------------|------------------------------------|------------------------------------------
Developer      | Guidance Software                  | AccessData
Interface      | Graphical & scriptable             | Database-driven GUI
Speed          | Slower indexing                    | Faster indexing
Imaging Format | E01                                | E01, AD1, RAW
Best For       | Law enforcement & corporate audits | Large data analysis and keyword searches

6. Anti-Forensics Techniques and Countermeasures

6.1 Meaning

Anti-forensics refers to techniques used by offenders to hide, alter, or destroy evidence and mislead
investigators.

6.2 Common Techniques

Type                     | Description                          | Example
-------------------------|--------------------------------------|---------------------------
Data Hiding              | Encrypting files, hiding partitions  | VeraCrypt, BitLocker
Steganography            | Hiding messages inside images/audio  | Steghide, OpenStego
File Wiping              | Overwriting data multiple times      | CCleaner, Eraser
Timestamp Alteration     | Changing file creation/access times  | Timestomp utility
Log Tampering            | Deleting system or application logs  | Event log modification
Encryption & Obfuscation | Making files unreadable              | AES-based tools

6.3 Countermeasures

• Hash Verification: Compare pre- and post-analysis hash values to detect tampering.
• File Signature Analysis: Identify mismatched extensions (e.g., .jpg file actually being .exe).
• Steganalysis Tools: Tools like StegExpose or Stegdetect can reveal hidden data.
• Event Log Correlation: Cross-check logs from multiple systems to detect deletion.
• Chain of Custody Maintenance: Document every access and tool used on the evidence.
• Memory Forensics: Capture live data before shutdown to detect volatile information (Volatility framework).
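The file signature analysis countermeasure in code, as an added example that is not part of the unit and not the logic of any named tool: it compares a file's leading bytes (its magic number) with the type its extension claims and flags the contradiction the unit describes, a .jpg whose content is really an executable. The magic table is a small subset of real signatures, the extension aliases reflect that .docx and similar are ZIP containers, and the sample file listing is constructed; a plain text file with no recognised magic is reported but not flagged, since unknown content is not evidence of disguise.

```python
# Added example, not the unit's code: file signature analysis that compares a
# file's leading bytes (magic number) with the type its extension claims, the
# check behind the ".jpg that is really an .exe" countermeasure. The magic
# table is a small subset of real signatures; the sample "files" are constructed.
from typing import List, Optional, Tuple

# Leading bytes -> canonical type. Order matters only where prefixes overlap.
MAGIC = [
    (b"\xff\xd8\xff", "jpg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),   # also docx/xlsx/pptx/jar containers
    (b"\x7fELF", "elf"),
    (b"MZ", "exe"),           # DOS/PE executables, including .dll
]

# Extensions that legitimately share a container format with the canonical type.
EXT_ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "pptx": "zip",
               "jar": "zip", "dll": "exe"}


def identify(head: bytes) -> Optional[str]:
    """Type implied by the first bytes, or None when no known magic matches."""
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    return None


def check_file(name: str, head: bytes) -> dict:
    """Compare the extension's claim with the detected type.

    'mismatch' is True only when a known signature contradicts the
    extension; unknown content is reported but not flagged, so a plain
    text file is not a false positive."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    claimed = EXT_ALIASES.get(ext, ext)
    detected = identify(head)
    return {"name": name, "extension": ext, "detected": detected,
            "mismatch": detected is not None and detected != claimed}


# Constructed sample listing: (file name, first bytes of content).
SAMPLES: List[Tuple[str, bytes]] = [
    ("holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
    ("invoice.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3"),
    ("report.docx", b"PK\x03\x04\x14\x00\x06\x00"),
    ("cute_cat.jpg", b"MZ\x90\x00\x03\x00\x00\x00"),   # executable renamed as image
    ("notes.txt", b"Meeting notes, no magic number"),
]


def mismatched_files(samples: List[Tuple[str, bytes]] = SAMPLES) -> List[str]:
    """Names of files whose content type contradicts their extension."""
    return [r["name"] for r in (check_file(n, h) for n, h in samples) if r["mismatch"]]


if __name__ == "__main__":
    for name, head in SAMPLES:
        print(check_file(name, head))
    print("flagged:", mismatched_files())   # ['cute_cat.jpg']
```

Only the renamed executable is flagged. Suites such as FTK and EnCase run this same comparison across every file in an image as a "signature mismatch" or "bad extension" filter, which is why renaming a file is not an effective way to hide its type from an examiner.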

Conclusion

Digital forensic tools play a critical role in ensuring scientific, reliable, and court-admissible analysis of
electronic evidence.
From imaging drives to recovering deleted files, from identifying vulnerabilities to countering anti-forensic
methods — the combination of tools like EnCase, FTK, Autopsy, and Wireshark forms the backbone of
modern cyber investigations.
