Essential Computer Forensic Tools Guide

The document provides an overview of computer forensic tools and the steps involved in conducting digital investigations, emphasizing the importance of evidence collection and analysis. It outlines the phases of investigation, including acquisition, examination, recovery, analysis, and reporting, while discussing both open source and commercial tools available for forensic examiners. Additionally, it highlights best practices for evidence handling, quality assurance, and documentation to ensure the integrity and reliability of forensic processes.

Uploaded by Nuwahereza peter

Introduction to Computer Forensic Tools
Foreword
• The goal of computer forensics is to support criminal investigations by using evidence from digital data to determine who was responsible for a particular crime.
• Forensic examiners need a range of forensic tools to strengthen their investigation process.
• As more information is stored in digital form, it is very likely that the evidence needed to prosecute criminals is also in digital form.
• In this module we look at the most popular forensic tools for conducting computer forensics investigations. Both open source and commercial tools are discussed.
Objectives
• By the end of this module you will have an understanding of:
• Steps for conducting computer forensics investigations
– Policies and procedures
– Quality assurance
• Tools used in each of the phases of the investigation
– Hardware and software
Investigation phases
• Typical steps for conducting computer forensics investigations:
• Acquisition
• Examination, recovery
• Analysis
• Reporting, presentation
Investigation phases
1. Acquisition
• Analogous to a crime scene in the “real world”
– Goal is to recover as much evidence as possible without altering the crime scene
• The investigator should document as much as possible
– Maintain the chain of custody
• Determine whether the incident actually happened
• Fully document the hardware and software configuration of the examiner system as well as the digital devices being examined. This includes boot settings, the exact hardware configuration, logon passwords, etc.
Investigation phases…
Acquisition
• What kind of system is to be investigated?
– Can it be shut down?
– Does it have to keep operating?
• Are there policies governing the handling of the incident?
• Is a warrant needed?
• Collect the most volatile (fleeting) information first
– Running processes
– Memory
– Storage media
• Create 1:1 copies of evidence (imaging)
Investigation phases…
Acquisition
Hard drive
• Capture the entire drive (imaging)
– Bit-by-bit copy
RAM
• Volatile: do not reboot
• Create a memory dump
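The bit-by-bit imaging step above, as an added example that is not part of the slides: the "drive" is a constructed temp file, the sector reader is simulated so that one sector fails, and the image is hashed for the acquisition notes and re-verified afterwards.

```python
import hashlib
import os
import tempfile

SECTOR = 512


class BadSectorError(IOError):
    """Raised by the constructed device when a sector cannot be read."""


def read_sector(fh, offset, bad_sectors):
    """Read one sector; the constructed device fails on the listed offsets."""
    if offset in bad_sectors:
        raise BadSectorError(f"read error at offset {offset}")
    fh.seek(offset)
    return fh.read(SECTOR)


def hash_file(path, chunk_size=1 << 16):
    """SHA-256 of a file, streamed so images larger than RAM work."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def image_device(src_path, img_path, bad_sectors=frozenset()):
    """Copy src_path to img_path sector by sector.

    Returns (acquisition_hash, image_hash, unreadable_offsets). The
    acquisition hash is computed over the bytes as they are read, with
    zero-fill substituted for unreadable sectors, so it must equal the hash
    of the finished image; both values go into the acquisition notes.
    """
    acq_hash = hashlib.sha256()
    unreadable = []
    size = os.path.getsize(src_path)
    with open(src_path, "rb") as src, open(img_path, "wb") as img:
        for offset in range(0, size, SECTOR):
            try:
                chunk = read_sector(src, offset, bad_sectors)
            except BadSectorError:
                # Usual imaging behaviour: keep offsets aligned by writing
                # zeros for the bad sector and record it for the report.
                chunk = b"\x00" * min(SECTOR, size - offset)
                unreadable.append(offset)
            acq_hash.update(chunk)
            img.write(chunk)
    return acq_hash.hexdigest(), hash_file(img_path), unreadable


def verify_image(img_path, recorded_hash):
    """Independent re-hash of the image against the hash recorded at acquisition."""
    return hash_file(img_path) == recorded_hash


def build_constructed_drive(path, sectors=8):
    """Constructed sample 'drive': sector i is filled with byte value i."""
    with open(path, "wb") as fh:
        for i in range(sectors):
            fh.write(bytes([i]) * SECTOR)


def demo(bad_sectors=frozenset({2 * SECTOR})):
    """Image the constructed drive, verify the image, then show that a
    single altered byte in the copy is caught by the verification step."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "suspect_drive.bin")
        img = os.path.join(tmp, "suspect_drive.dd")
        build_constructed_drive(src)
        acq_hash, img_hash, unreadable = image_device(src, img, bad_sectors)
        verified = verify_image(img, acq_hash)
        with open(img, "r+b") as fh:      # simulate tampering with the copy
            fh.seek(100)
            fh.write(b"\xff")
        return {
            "acquisition_hash": acq_hash,
            "image_hash": img_hash,
            "unreadable_offsets": unreadable,
            "image_size": os.path.getsize(img),
            "verified": verified,
            "verified_after_tampering": verify_image(img, acq_hash),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```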
Investigation phases…
2. Examination and Recovery
• Goal is to extract data from the acquired evidence
• Always work on copies, never the original
– Must be able to repeat the entire process from scratch
– Data, deleted data, “hidden” data
File systems
– Get files and directories
– Metadata: user IDs, timestamps (MAC times), permissions, …
– Some deleted files may be recovered
Physical Extraction
• Data is extracted at the physical level without regard to any file systems present on the drive.
• Keyword searching: performing a keyword search across the physical drive can be useful as it allows the examiner to discover and extract data that may not be accounted for by the operating system and file system.
• File carving: using file utility programs to scan the physical drive and help recover and extract usable files and data that may not be accounted for by the operating system and file system.
• Looking at the partition table: the partition structure will help identify the file systems present and determine whether the entire physical size of the hard drive is accounted for (e.g. if a 1 TB hard disk is present but the partition table only shows 900 GB, where is the missing 100 GB?).
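The partition-table check above, as an added example that is not from the slides: it parses the four primary entries of a classic MBR and lists the sector ranges no partition accounts for. The MBR bytes and the 1 GiB disk size are constructed; an examiner would read sector 0 of the image instead.

```python
import struct

SECTOR = 512
PART_TABLE_OFFSET = 446       # four 16-byte entries follow
MBR_SIGNATURE = b"\x55\xaa"   # at bytes 510-511
ENTRY_FMT = "<B3xB3xII"       # status, (CHS start), type, (CHS end), LBA start, sector count


def parse_mbr(mbr):
    """Return the non-empty primary partition entries, sorted by start LBA."""
    if len(mbr) < SECTOR or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("no 0x55AA boot signature: not an MBR (or damaged)")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, ptype, start, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0 or count == 0:
            continue                      # unused slot
        parts.append({"index": i, "type": ptype, "start": start, "sectors": count,
                      "end": start + count - 1, "bootable": bool(status & 0x80)})
    return sorted(parts, key=lambda p: p["start"])


def unaccounted_ranges(parts, disk_sectors):
    """Inclusive [first, last] sector ranges covered by no partition.

    Sector 0 (the MBR itself) is never counted as a gap. The small gap before
    the first partition is usually alignment padding, but it is reported too:
    the examiner decides what is normal, not the tool.
    """
    gaps, cursor = [], 1
    for p in parts:
        if p["start"] > cursor:
            gaps.append((cursor, p["start"] - 1))
        cursor = max(cursor, p["end"] + 1)
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors - 1))
    return gaps


def check_disk(mbr, disk_sectors):
    """Summarise where the disk's sectors went; flags entries past the disk end."""
    parts = parse_mbr(mbr)
    if any(p["type"] == 0xEE for p in parts):
        # Protective MBR of a GPT disk: the real layout lives in the GPT header.
        return {"gpt_protective": True, "partitions": parts, "gaps": [],
                "unaccounted_bytes": 0, "beyond_disk": []}
    gaps = unaccounted_ranges(parts, disk_sectors)
    return {
        "gpt_protective": False,
        "partitions": parts,
        "gaps": gaps,
        "unaccounted_bytes": sum(last - first + 1 for first, last in gaps) * SECTOR,
        "beyond_disk": [p for p in parts if p["end"] >= disk_sectors],
    }


def build_constructed_mbr(entries):
    """Constructed MBR: entries is a list of (status, type, start_lba, sectors)."""
    mbr = bytearray(SECTOR)
    for i, (status, ptype, start, count) in enumerate(entries):
        off = PART_TABLE_OFFSET + 16 * i
        mbr[off:off + 16] = struct.pack(ENTRY_FMT, status, ptype, start, count)
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


# Constructed 1 GiB disk: an NTFS and a Linux partition that together leave
# roughly the last quarter of the disk unaccounted for.
DISK_SECTORS = 2 * 1024 * 1024
SAMPLE_MBR = build_constructed_mbr([
    (0x80, 0x07, 2048, 1024 * 1024),                # NTFS, 512 MiB, bootable
    (0x00, 0x83, 2048 + 1024 * 1024, 512 * 1024),   # Linux, 256 MiB
])


if __name__ == "__main__":
    result = check_disk(SAMPLE_MBR, DISK_SECTORS)
    for p in result["partitions"]:
        print(f"entry {p['index']}: type 0x{p['type']:02x} sectors {p['start']}-{p['end']}")
    for first, last in result["gaps"]:
        mib = (last - first + 1) * SECTOR // 2**20
        print(f"unaccounted: sectors {first}-{last} ({mib} MiB)")
```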
Logical Extraction
• Data extraction from the drive is based on the file system(s) present on the drive.
• Steps may include:
– Extraction of the file system information to reveal characteristics such as directory structure, file attributes, file names, date and time stamps, file size, and file location.
– Data reduction to identify and eliminate known files through the comparison of calculated hash values to authenticated hash values.
– Extraction of files pertinent to the examination. Methods to accomplish this may be based on file name and extension, file header, file content, and location on the drive.
– Recovery of deleted files.
– Extraction of password-protected, encrypted, and compressed data.
– Extraction of file slack and unallocated space.
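The hash-based data reduction step, as an added example that is not from the slides: every file is hashed once with several algorithms, and files whose SHA-256 appears in a reference list of known files are set aside. The evidence files and the reference list are constructed here so the example runs offline.

```python
import hashlib
import os
import tempfile

ALGORITHMS = ("md5", "sha1", "sha256")


def multi_hash(path, algorithms=ALGORITHMS, chunk_size=1 << 16):
    """Hash one file with several algorithms in a single pass over its bytes."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def load_known_set(lines):
    """Parse a reference list of 'sha256  description' lines into a lookup set.

    Digests are lower-cased so a reference list in upper case still matches.
    """
    known = set()
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        known.add(line.split()[0].lower())
    return known


def reduce_by_known_hashes(root, known_sha256):
    """Walk root and split files into (unknown, eliminated) by SHA-256.

    Each record carries all digests so the report can cite whichever
    algorithm the reference list or the court expects.
    """
    unknown, eliminated = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                 # deterministic order across platforms
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            record = {"path": os.path.relpath(path, root).replace(os.sep, "/"),
                      **multi_hash(path)}
            (eliminated if record["sha256"] in known_sha256 else unknown).append(record)
    return unknown, eliminated


# Constructed evidence set: two copies of a 'system' file (one renamed into a
# user folder) and one user document that is not in the reference list.
SYSTEM_FILE = b"MZ\x90\x00constructed-library-bytes" * 300
USER_DOC = b"Quarterly figures - constructed document\n" * 50
CONSTRUCTED_FILES = {
    "Windows/System32/kernel32.dll": SYSTEM_FILE,
    "Users/alice/Documents/report.docx": USER_DOC,
    "Users/alice/Documents/notes.bin": SYSTEM_FILE,   # renamed copy: same hash
}
# Constructed reference list in the usual "digest  name" text form.
KNOWN_LIST = [
    "# constructed known-file list",
    hashlib.sha256(SYSTEM_FILE).hexdigest().upper() + "  kernel32.dll",
]


def demo():
    """Materialise the constructed files, run the reduction, return the paths."""
    with tempfile.TemporaryDirectory() as root:
        for rel, data in CONSTRUCTED_FILES.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        unknown, eliminated = reduce_by_known_hashes(root, load_known_set(KNOWN_LIST))
    return [r["path"] for r in unknown], [r["path"] for r in eliminated]


if __name__ == "__main__":
    unknown, eliminated = demo()
    print("eliminated (known):", eliminated)
    print("remaining for review:", unknown)
```

Renaming a file changes nothing about its hash, so the disguised copy is eliminated along with the original.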
Investigation phases…
Recovery (1)
File deletion
• Most file systems only delete directory entries, not the data blocks associated with a file.
• Unless the blocks get reallocated, the file may be reconstructed
– The earlier, the better the chances
– Depending on fragmentation, only partial reconstruction may be possible
Slack space
• Unallocated blocks
– Blocks may be marked as allocated to fool the file system
• Unused space at the end of a file if it doesn’t end on a block boundary
• Unused space in file system data structures
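Reconstruction of a deleted file from its data blocks, as an added example that is not from the slides: a header/footer carver for JPEGs run over a constructed raw image in which one deleted picture is intact (followed by block slack) and a second has lost its final block to a newer file, giving the partial-reconstruction case.

```python
SOI = b"\xff\xd8\xff"          # JPEG start-of-image marker (an APPn marker byte follows)
EOI = b"\xff\xd9"              # JPEG end-of-image marker
BLOCK = 4096                   # block size assumed for the constructed image
MAX_CARVE = 16 * 1024 * 1024   # bound for carves whose footer is missing


def carve_jpegs(image, max_size=MAX_CARVE):
    """Header/footer carve of JPEGs from a raw byte image.

    A carve is complete when an EOI follows the SOI before any other SOI.
    Otherwise the tail blocks were reused (or the file is fragmented) and the
    carve stops at the next header or at max_size, flagged as partial.
    Embedded EXIF thumbnails carry their own EOI, so a real carver also
    parses the marker segments; that refinement is left out here.
    """
    carved, pos = [], 0
    while True:
        start = image.find(SOI, pos)
        if start < 0:
            break
        end = image.find(EOI, start + len(SOI))
        next_soi = image.find(SOI, start + len(SOI))
        footer_ok = end >= 0 and (next_soi < 0 or end < next_soi)
        if footer_ok and end - start + len(EOI) <= max_size:
            stop, complete = end + len(EOI), True
        else:
            stop = next_soi if next_soi >= 0 else min(len(image), start + max_size)
            complete = False
        carved.append({"offset": start, "block": start // BLOCK, "size": stop - start,
                       "complete": complete, "data": image[start:stop]})
        pos = stop
    return carved


def build_constructed_image():
    """Raw image of five blocks holding two deleted JPEGs, one partly overwritten.

    Bytes between the end of jpeg_a and the end of block 2 are its file slack;
    the carver ignores them because the footer marks the true end.
    """
    jpeg_a = SOI + b"\xe0" + b"A" * 5000 + EOI          # intact, 5006 bytes, spans 2 blocks
    jpeg_b_head = SOI + b"\xe0" + b"B" * 3000            # its final block was reallocated
    new_file = b"shopping list: milk, eggs, bread\n".ljust(BLOCK, b"\x00")
    image = (b"\x00" * BLOCK                             # block 0: empty, unallocated
             + jpeg_a.ljust(2 * BLOCK, b"\x00")          # blocks 1-2: jpeg_a plus slack
             + jpeg_b_head.ljust(BLOCK, b"\x00")         # block 3: first block of jpeg_b
             + new_file)                                 # block 4: jpeg_b's tail, overwritten
    return image, jpeg_a


def demo():
    """Carve the constructed image; returns (results, the intact original)."""
    image, jpeg_a = build_constructed_image()
    return carve_jpegs(image), jpeg_a


if __name__ == "__main__":
    results, _ = demo()
    for r in results:
        state = "complete" if r["complete"] else "PARTIAL"
        print(f"block {r['block']} offset {r['offset']}: {r['size']} bytes, {state}")
```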
Investigation phases…
Recovery (2)
Steganography
• Data hidden in other data
• Unused or irrelevant locations are used to store information
• Most common in images, but may also be used on executable files, metadata, file system slack space
Encrypted data
• Depending on the encryption method, it might be infeasible to get to the information.
• Locating the keys is often a better approach.
• A suspect may be compelled by law to reveal the keys.
Investigation phases…
Recovery (3)
• Locating hidden or encrypted data is difficult and might even be impossible.
• Investigator has to look at other clues:
– Steganography software
– Crypto software
– Command histories
File residue
• Even if a file is completely deleted from the disk, it might still have left a trace:
– Web cache
– Temporary directories
– Data blocks resulting from a move
– Memory
Investigation phases…
Recovery (4)
• Methodology differs depending on the objectives of the investigation:
– Locate contraband material
– Reconstruct events that took place
– Determine if a system was compromised
– Authorship analysis
Contraband material
• Locate specific files
– Databases of illegal pictures
– Stolen property
• Determine if existing files are illegal
– Picture collections, music or movie downloads
Investigation phases…
3. Analysis
• Analysis is the process of interpreting the extracted data to determine its significance to the case. Various analytical methods exist, examples of which include:
– Timeframe
– Data hiding
– Application and file
– Ownership and possession
• Requires specific knowledge of the file system and OS.
• Data may be encrypted, hidden or obfuscated (made confusing in order to conceal the truth).
• Obfuscation: misleading file suffix, misleading file name, unusual location
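Detecting the obfuscation cases just listed, as an added example that is not from the slides: each file's leading bytes are matched against a small signature table and compared with what its extension claims, and executables found in folders where none belong are flagged. The signature table, the extension rules and the evidence tree are all constructed for the example.

```python
import os
import tempfile

# (magic bytes, canonical type): a handful of well-known signatures
SIGNATURES = (
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),     # also the container of docx/xlsx/jar
    (b"MZ", "pe"),              # Windows executable or DLL
    (b"\x7fELF", "elf"),        # Linux executable or shared object
)
# What each extension is allowed to contain; an empty set means 'plain/anything else'.
EXTENSION_TYPES = {
    ".jpg": {"jpeg"}, ".jpeg": {"jpeg"}, ".png": {"png"}, ".pdf": {"pdf"},
    ".zip": {"zip"}, ".docx": {"zip"}, ".xlsx": {"zip"}, ".jar": {"zip"},
    ".exe": {"pe"}, ".dll": {"pe"}, ".txt": set(), ".log": set(),
}
EXECUTABLE_TYPES = {"pe", "elf"}
# Folders where an executable is out of place on a typical user system (assumed list).
UNUSUAL_EXE_DIRS = {"temp", "tmp", "pictures", "downloads", "recycler", "$recycle.bin"}


def identify(header):
    """Map the first bytes of a file to a type name using SIGNATURES."""
    for magic, kind in SIGNATURES:
        if header.startswith(magic):
            return kind
    return "unknown"


def check_file(path, root):
    """Compare content type with extension and location; return a finding record."""
    with open(path, "rb") as fh:
        header = fh.read(16)
    kind = identify(header)
    rel = os.path.relpath(path, root).replace(os.sep, "/")
    ext = os.path.splitext(path)[1].lower()
    expected = EXTENSION_TYPES.get(ext)
    findings = []
    if expected is None:
        findings.append(f"extension {ext or '(none)'} not in the examiner's list")
    elif kind == "unknown":
        if expected:
            findings.append(f"content is not {'/'.join(sorted(expected))} as {ext} suggests")
    elif kind not in expected:
        findings.append(f"content is {kind} but the name says {ext}")
    parent = "/".join(rel.split("/")[:-1])
    if kind in EXECUTABLE_TYPES and {p.lower() for p in parent.split("/")} & UNUSUAL_EXE_DIRS:
        findings.append(f"{kind} executable in unusual location {parent}")
    return {"path": rel, "type": kind, "findings": findings}


def scan(root):
    """Return only the files that produced findings, sorted by path."""
    flagged = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            record = check_file(os.path.join(dirpath, name), root)
            if record["findings"]:
                flagged.append(record)
    return sorted(flagged, key=lambda r: r["path"])


# Constructed evidence tree: three honest files, three disguised or misplaced ones.
CONSTRUCTED_FILES = {
    "Pictures/holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 64,
    "Pictures/holiday2.jpg": b"MZ\x90\x00" + b"\x00" * 64,       # executable named like a photo
    "Docs/report.docx": b"PK\x03\x04" + b"\x00" * 64,
    "Docs/budget.xlsx": b"%PDF-1.7\n" + b"\x00" * 64,            # PDF with a spreadsheet suffix
    "Windows/Temp/svc.dll": b"MZ\x90\x00" + b"\x00" * 64,        # right suffix, unusual place
    "Users/bob/notes.txt": b"meeting at 10\n",
}


def demo():
    """Write the constructed tree to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, data in CONSTRUCTED_FILES.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        return scan(root)


if __name__ == "__main__":
    for record in demo():
        print(record["path"], "->", "; ".join(record["findings"]))
```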
Investigation phases…
Analysis
Event reconstruction
• Utilize system and external information
– Log files
– File timestamps
– Firewall/IDS information
• Establish timeline of events

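Event reconstruction from system and external information, as an added example that is not from the slides: constructed file MAC times (recorded in the evidence host's local clock, assumed here to be UTC+3) and constructed syslog and firewall lines (in UTC) are normalised to one clock and merged into a single timeline; lines that cannot be parsed are reported rather than dropped.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed clock of the evidence host: local time at UTC+03:00 (constructed).
HOST_TZ = timezone(timedelta(hours=3))

# Constructed file system records: (path, mtime, atime, ctime) as the examiner
# would read them from the image, in the host's local time.
FILE_RECORDS = [
    ("/home/user/Downloads/invoice.pdf.exe",
     "2024-03-14 09:12:05", "2024-03-14 09:12:40", "2024-03-14 09:12:05"),
    ("/etc/cron.d/updater",
     "2024-03-14 09:13:10", "2024-03-14 09:13:10", "2024-03-14 09:13:10"),
]
# Constructed log lines from two other sources, already stamped in UTC.
LOG_LINES = [
    "2024-03-14T06:11:58Z sshd[812]: Accepted password for user from 203.0.113.7 port 51822",
    "2024-03-14T06:12:41Z firewall: ALLOW TCP 10.0.0.5:49211 -> 198.51.100.9:443",
    "2024-03-14T06:13:12Z cron[901]: (root) RELOAD (/etc/cron.d)",
    "this line has no usable timestamp",
]
LOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (\S+?)(?:\[\d+\])?: (.*)$")


def mac_events(records, host_tz=HOST_TZ):
    """One M, A and C event per file, converted from host local time to UTC.

    Only the *last* modification, access and change survive in the metadata,
    so each file contributes at most three points, whatever happened before.
    """
    events = []
    for path, mtime, atime, ctime in records:
        for label, stamp in (("M", mtime), ("A", atime), ("C", ctime)):
            local = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=host_tz)
            events.append((local.astimezone(timezone.utc), "filesystem", f"{label} {path}"))
    return events


def log_events(lines):
    """Parse log lines; returns (events, unparsed) so nothing is silently dropped."""
    events, unparsed = [], []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m.group(2), m.group(3)))
    return events, unparsed


def build_timeline(records=FILE_RECORDS, lines=LOG_LINES):
    """Merge all sources into one UTC-ordered timeline.

    The sort is stable, so events with identical timestamps keep their
    source order (M before C for the same file, for instance).
    """
    logs, unparsed = log_events(lines)
    timeline = sorted(mac_events(records) + logs, key=lambda e: e[0])
    return timeline, unparsed


def format_timeline(timeline):
    """Render timeline rows as fixed-width text lines for the report."""
    return [f"{ts.strftime('%Y-%m-%dT%H:%M:%SZ')}  {src:<10} {desc}"
            for ts, src, desc in timeline]


if __name__ == "__main__":
    timeline, unparsed = build_timeline()
    print("\n".join(format_timeline(timeline)))
    if unparsed:
        print(f"\n{len(unparsed)} line(s) could not be parsed and need manual review")
```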
Investigation phases…
Analysis
The needle in the haystack
• Locating files:
– Storage capacity approaches the terabyte magnitude
– Potentially millions of files to investigate
• Event reconstruction:
– Dozens, hundreds of events a second
– Only last MAC times are available
– Insufficient logging
Compromised system
• If possible, compare against known good state
– Databases of “good” files
Investigation phases…
Analysis
Compromised system
– Look for unusual file MACs
– Look for open or listening network connections (trojans)
– Look for files in unusual locations
Unknown executables
• Run them in a constrained environment
– Dedicated system
– Sandbox
– Virtual machine
• Might be necessary to disassemble and decompile
– May take weeks or months
Investigation phases…
Analysis
Authorship analysis
• Determine who, or what kind of person, created a file.
– Programs (viruses, Trojans, sniffers/loggers)
– E-mails (blackmail, harassment, information leaks)
• If the actual person cannot be determined, just determining the skill level of the author may be important.
Investigation phases…
4. Presentation and Reporting
• An investigator who performed the analysis may have to appear in court as an expert witness.
• For internal investigations, a report or presentation may be required.
• Challenge: present the material in simple terms so that a jury or CEO can understand it.
– Investigator's report: forms the basis for legal proceedings
– Investigator's findings: what should be found if someone else conducted the same investigation
Forensic Laboratories
Lab Security
• Physical security
– Keep unauthorized people out of critical areas
• Examination stations
• Evidence storage
– Keys, swipe cards, access codes
– Digital access control is better than keys
• Keeps an audit trail to support the chain of custody
– Protection from fire, flood, etc.
Chain of Custody
• Evidence must be signed in and out of storage
• Evidence log must be complete

Work in Isolation
• Forensic examination computer should not be connected to
the Internet
• This avoids arguments over contamination by malware
• Evidence drives may contain malware
– Scan them with antivirus software
Evidence Storage
• Data safety
– Protects evidence from tampering
– Fireproof and waterproof
• Evidence log
– Must record who entered, when, and what they removed or returned
• Data storage lockers must be kept locked
Policies and Procedures
Best Practices for Evidence Collection

• For proper evidence preservation, follow these procedures in order (do not use the computer or search for evidence):
– Photograph the computer and scene
– If the computer is off, do not turn it on
– If the computer is on, photograph the screen
– Collect live data, starting with a RAM image
Best Practices for Evidence Collection

• Unplug the power cord from the back of the tower. If the computer is a laptop and does not shut down when the cord is removed, remove the battery
• Diagram and label all cords
• Document all device model numbers and serial numbers
• Disconnect all cords and devices
Best Practices for Evidence Collection

• Package all components (using anti-static evidence bags)
• Seize all additional storage media (create respective images and place original devices in anti-static evidence bags)
• Keep all media away from magnets, radio transmitters and other potentially damaging elements
• Collect instruction manuals, documentation and notes
• Document all steps used in the seizure
Quality Assurance

• A well-documented system of protocols used to assure accuracy and reliability
• Peer reviews of reports
• Evidence handling
• Case documentation
• Training of lab personnel
Tool Validation

• Each tool, software or hardware, must be tested before use on an actual case
• Validation is the confirmation by examination and the provision of objective evidence that a tool, technique or procedure functions correctly and as intended.
• Verification is the confirmation of a validation with the laboratory's own tools, techniques and procedures.
Tool Requirements
• Usability - Present data at a layer of abstraction that is useful to an investigator
• Comprehensive - Present all data to the investigator so that both inculpatory and exculpatory evidence can be identified
• Accuracy - Tool output must be verifiable and a margin of error must be given
• Deterministic - A tool must produce the same output when given the same rule set and input data.
• Verifiable - To ensure accuracy, one must be able to verify the output by having access to the layer inputs and outputs. Verification can be done by hand or with a second tool set.
Documentation
• Case File
– Case submission forms
– Requests for assistance
– Chain of custody reports
– Examiner's notes
– Crime scene reports
– Examiner's final reports
– Copy of search warrant
– All collected in a case file
Examiner Notes
• Must be detailed enough to enable another examiner to
duplicate the process
– Discussions with key players including prosecutors and investigators
– Irregularities found and actions taken
– OS versions & patches
– Passwords
– Changes made to the system by lab personnel and law enforcement
• It may be years before trial, and you will need to understand your notes
Examiner's Final Report
• Formal document delivered to prosecutors, investigators, opposing counsel, etc.
• Remember the audience is nontechnical
• Avoid jargon, acronyms, and unnecessary details
Examiner's Final Report Contents
• Identity of the reporting agency
• Case ID #
• Identity of the submitting person and case investigator
• Dates of receipt and report
• Detailed description of the evidence items submitted
– Serial numbers, makes, models, etc.
• Identity of the examiner
• Description of the steps taken during the examination process
• Results and conclusions
Examiner's Final Report Sections
• Summary
– Brief description of the results
• Detailed findings
– Files pertaining to the request
– Files that support the findings
– Email, web cache, chat logs, etc.
– Keyword searches
– Evidence of ownership of the device
• Glossary
Hardware Tools
• Cloning devices
• Cell phone acquisition devices
• Write blockers
• Portable storage devices
• Adapters
• Cables
• Much more

Cloners and Kits
• Hardware Cloners
– Faster, can clone multiple drives at once
– Provide write protection, hash authentication, drive wiping, audit trail…
• Crime scene kits
– Preloaded with supplies to collect digital evidence
– Pens, digital camera, forensically clean storage media, evidence bags, evidence
tape, report forms, markers…

Open source tools

Autopsy
• Autopsy is a GUI-based open source digital forensic program to analyze hard drives and smartphones efficiently.
• Autopsy is used by thousands of users worldwide to investigate what happened on a computer.
Autopsy
• It is widely used by corporate and military examiners. Some of its features are:
– Email analysis
– File type detection
– Media playback
– Registry analysis
– Photo recovery from memory cards
– Extract geolocation and camera information from JPEG files
– Extract web activity from a browser
– Show system events in a graphical interface
– Timeline analysis
– Extract data from Android: SMS, call logs, contacts, etc.
– Extensive reporting, generating HTML and XLS files
Encrypted Disk Detector

• Encrypted Disk Detector is a command-line tool that can quickly and non-intrusively check for encrypted volumes on a computer system during incident response.
• The decision can then be made to investigate further and determine whether a live acquisition needs to be made in order to secure and preserve the evidence that would otherwise be lost if the plug was pulled.
• It checks the local physical drives on a system for TrueCrypt, PGP or BitLocker encrypted volumes.
Wireshark

• Wireshark is a network capture and analyzer tool to see what’s happening in your network. Wireshark will be handy when investigating network-related incidents.
Wireshark
• Features:
– It provides rich VoIP (Voice over Internet Protocol) analysis.
– Capture files compressed with gzip can be decompressed easily.
– Output can be exported to XML (Extensible Markup Language), CSV (Comma Separated Values) or plain text.
– Live data can be read from the network, Bluetooth, ATM, USB, etc.
– Decryption support for numerous protocols, including IPsec (Internet Protocol Security), SSL (Secure Sockets Layer), and WEP (Wired Equivalent Privacy).
– Intuitive analysis and coloring rules can be applied to packets.
– Allows you to read or write capture files in many formats.
Network Miner

• NetworkMiner is an open source Network Forensic Analysis Tool (NFAT) for Windows (but also works on Linux / Mac OS X / FreeBSD).
• NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports, etc.
NMAP

• NMAP (Network Mapper) is one of the most popular network and security auditing tools (Nmap Free Security Scanner).
• NMAP is supported on most operating systems, including Windows, Linux, Solaris, Mac OS, etc.
• Nmap is a network mapper that has emerged as one of the most popular free network discovery tools on the market.
• Nmap can be used by network administrators to map their networks.
• The program can be used to find live hosts on a network, perform port scanning, ping sweeps, OS detection, and version detection.
Volatility

• Volatility is a memory forensics framework.
• It is used for incident response and malware analysis.
• With this tool, you can extract information from running processes, network sockets, network connections, and registry hives.
• It also has support for extracting information from Windows crash dump files and hibernation files.
• This tool is available for free under the GPL license.
Kali Linux Forensics Tools

• Kali Linux is a powerful operating system especially designed for penetration testers and security professionals.
• Most of its features and tools are made for security researchers and pentesters, but it has a separate “Forensics” tab and a separate “Forensics” mode for forensics investigators.
Kali Linux Forensics Tools

• Kali Linux comes with popular forensics applications and toolkits pre-installed.
• Bulk Extractor
– Bulk Extractor is a feature-rich tool that can extract useful information like credit card numbers, domain names, IP addresses, emails, phone numbers and URLs from evidence hard drives/files found during a forensics investigation.
• Dumpzilla
– Dumpzilla is a cross-platform command-line tool written in Python 3 which is used to dump forensics-related information from web browsers. It doesn’t extract data or information, it just displays it in the terminal, from where it can be piped, sorted and stored in files using operating system commands.
Paladin

• PALADIN forensic suite, the world’s most famous Linux forensic suite, is a modified Linux distro based on Ubuntu, available in 32- and 64-bit versions.
• The entire suite consists of over, data leak, modification of existing data, malicious software like spyware and malware.
• Paladin is a forensic tool designed by Sumuri, which is a modified Linux distribution based on Ubuntu.
• Paladin has an easy to use Graphical User Interface (GUI) that offers a complete solution for triage, imaging, examination, and reporting.
• This digital forensics software provides more than 100 useful tools for investigating any malicious material.
Paladin
• Features:
• It provides both 64-bit and 32-bit versions.
• This tool is available on a USB thumb drive.
• This toolbox has open-source tools that help you to search for the required
information effortlessly.
• This tool has more than 33 categories that assist you in accomplishing a cyber
forensic task.

The Sleuth Kit

• The Sleuth Kit is a collection of command-line tools to investigate and analyze volume and file systems to find evidence.
• The Sleuth Kit (TSK) is a library and collection of Unix- and Windows-based utilities for extracting data from disk drives and other storage so as to facilitate the forensic analysis of computer systems.
The Sleuth Kit
• Features:
– You can identify activity effectively using a graphical interface.
– This application provides analysis for emails.
– You can group files by their type to find all documents or images.
– It displays thumbnails of images for a quick view of pictures.
– You can tag files with arbitrary tag names.
– The Sleuth Kit enables you to extract data from call logs, SMS, contacts, etc.
– It helps you to flag files and folders based on path and name.
CAINE

• CAINE (Computer Aided INvestigative Environment) is a Linux distro that offers a complete forensic platform with more than 80 tools for you to analyze, investigate, and create an actionable report.
• CAINE is a professional open-source forensic platform that integrates powerful scripts into its GUI.
• The tool is an Italian GNU/Linux live distribution, which offers an operational environment for forensic investigative processes, including preservation, collection, examination, and analysis.
Oxygen Forensic Suite

• Oxygen Forensic Suite is software to gather evidence from a mobile phone to support your case.
• This tool helps in gathering device information (including manufacturer, OS, IMEI number, serial number), contacts, messages (emails, SMS, MMS), deleted messages, call logs and calendar information.
• It also lets you access and analyze mobile device data and documents.
• It generates easy to understand reports.
Xplico

• Xplico is a forensic tool for extracting internet, intranet and network application data: it collects the packets and helps the forensic team identify which applications were running and who used them.
• This makes Xplico a useful tool for network administrators in large corporations where numerous employees exchange large amounts of data.
• Xplico is an open-source forensic analysis app. It supports HTTP (Hypertext Transfer Protocol), IMAP (Internet Message Access Protocol), and more.
Xplico
• Features:
– You can get your output data in an SQLite database or MySQL database.
– This tool gives you real-time collaboration.
– No size limit on data entry or the number of files.
– You can easily create any kind of dispatcher to organize the extracted data in a useful way.
– It is one of the best open source forensic tools that support both IPv4 and IPv6.
– You can perform reverse DNS lookups from the DNS packets contained in the input files.
Crowdstrike

• Crowdstrike is digital forensic software that provides threat intelligence, endpoint security, etc.
• It can quickly detect and recover from cybersecurity incidents. You can use this tool to find and block attackers in real time.
• Features:
– It is one of the best cyber forensics tools that help you to manage system vulnerabilities.
– It can automatically analyze malware.
– You can secure your virtual, physical, and cloud-based data center.
SIFT: SANS Investigative Forensic Toolkit
• SIFT (SANS Investigative Forensic Toolkit) workstation
• SIFT is a suite of the forensic tools you need and one of the most popular open source incident response platforms.
• The SIFT Workstation is a collection of tools for forensic investigators.
SIFT Capabilities

• Supported file systems
– Windows (MS-DOS FAT, VFAT, NTFS)
– Mac (HFS)
– Solaris (UFS)
– Linux (ext2/3/4)
• Capabilities
– File carving
– Analyzing file systems
– Web history
– Recycle bin
– Memory
– Timeline
SIFT Capabilities
• Evidence Image Support
– Expert Witness (E01)
– RAW (dd)
– Advanced Forensic Format (AFF)

SIFT
• Features:
• It can work on a 64-bit operating system.
• This tool helps users to utilize memory in a better way.
• It automatically updates the DFIR (Digital Forensics and Incident
Response) package.
• You can install it via SIFT-CLI (Command-Line Interface) installer.
• This tool contains numerous up-to-date forensic tools and techniques.
SIFT Capabilities

• The Sleuth Kit (File system Analysis Tools)
• log2timeline (Timeline Generation Tool)
• ssdeep & md5deep (Hashing Tools)
• Foremost/Scalpel (File Carving)
• Wireshark (Network Forensics)
• Vinetto ([Link] examination)
• Pasco (IE Web History examination)
• Rifiuti (Recycle Bin examination)
• Volatility Framework (Memory Analysis)
• DFLabs PTK (GUI Front-End for Sleuth Kit)
• Autopsy (GUI Front-End for Sleuth Kit)
• PyFLAG (GUI Log/Disk Examination)
RAM Capturer

• RAM Capturer by Belkasoft is a free tool to dump the data from a computer’s volatile memory. It is compatible with Windows OS.
• Memory dumps may contain encrypted volumes’ passwords and login credentials for web mail and social network services.
Forensic Acquisition of Websites (FAW)
• Forensic Acquisition of Websites (FAW) is a way to forensically acquire
a website or webpage as it is viewed by the user.
• FAW preserves what is publicly available at the time.
• It is a helpful tool in non-solicitation cases as it will preserve the evidence before it
can be taken down by the user.
• In order to capture a webpage with FAW, the investigator must go to the webpage
in a live environment.

Forensic Acquisition of Websites…
• This tool would be used in a scenario where an investigator may want
to take a screenshot of a webpage as evidence of a crime such as
cyber terrorism, narcotics sales, cyberbullying, etc.
• For example, an active investigation of a narcotics dealer may be ongoing, where
his or her social media presence is being monitored.
• If the suspect tweets about the latest substance he has for sale, then that tweet
and the entire page it is viewed on may be captured with FAW.
• FAW allows the investigator to take a screenshot of the tweet, at the same time also recording many other useful artifacts, such as iFrames, advertisements, links, and streaming data.
• FAW records and logs every action within the tool for forensic documentation purposes.
X-Ways Forensics

• X-Ways is software that provides a work environment for computer forensic examiners.
• This program supports disk cloning and imaging.
• It enables you to collaborate with other people who have this tool.
X-Ways Forensics

• Features:
– It has the ability to read partitioning and file system structures inside .dd image files.
– You can access disks, RAIDs (Redundant Array of Independent Disks), and more.
– It automatically identifies lost or deleted partitions.
– This tool can easily detect NTFS (New Technology File System) and ADS (Alternate Data Streams).
– X-Ways Forensics supports bookmarks or annotations.
– It has the ability to analyze remote computers.
– You can view and edit binary data by using templates.
– It provides write protection for maintaining data authenticity.
HashMyFiles
• HashMyFiles can help to calculate the MD5 and SHA1 hashes. It works on almost all the latest Windows OS versions.
• HashMyFiles is a great little tool that will easily hash multiple files with multiple algorithms.
• Hash algorithms used are MD5, SHA1, CRC32, SHA-256, SHA-512, and SHA-384.
• Hashing is extremely useful in providing a way to check whether programs or files are the same, and have not been changed from the original.
DEFT
• DEFT: Digital Evidence and Forensics Toolkit
• The Linux distribution includes many popular and useful utilities for computer forensics, incident response, penetration testing, and security analysis.
DEFT
• DEFT Extra is also available on Windows (the original slide shows a screenshot of its GUI).
ExifTool
• ExifTool helps you to read, write, and edit meta information for a number of file types. It can read EXIF, GPS, IPTC, XMP, JFIF, GeoTIFF, Photoshop IRB, FlashPix, etc.
• One of the best tools for extracting metadata from an image file, including GPS and camera information. It is user-friendly and convenient because of its simple command-line interface.
Helix3
• Helix is an Ubuntu live CD customized for computer forensics.
• It allows you to quickly detect, identify, analyze, preserve and report, giving you the evidence to reveal the truth and protect your business.
• This tool can collect data from physical memory, network connections, user accounts, executing processes and services, scheduled jobs, the Windows Registry, chat logs, screen captures, SAM files, applications, drivers, environment variables and Internet history.
WindowsSCOPE

• WindowsSCOPE is considered one of the best tools for incident response.
• A GUI-based memory forensic capture and analysis toolkit. Allows for the import of standard WinDD memory dumps, which are then automatically reverse engineered and presented in an easy-to-view format for forensic analysis in a central location.
• Applications include digital forensics, memory forensics, cyber crime investigation, cyber defense, cyber attack detection, cyber analysis, and other reverse engineering activities.
Encase
• Encase is an application that helps you to recover evidence from hard drives.
• It allows you to conduct an in-depth analysis of files to collect proof like documents, pictures, etc.
• Manufactured and sold by Guidance Software.
• Widely recognized and accepted.
Encase
• Features:
– You can acquire data from numerous devices, including mobile phones, tablets, etc.
– It is one of the best mobile forensic tools that enables you to produce complete reports for maintaining evidence integrity.
– You can quickly search, identify, as well as prioritize evidence.
– Encase Forensic helps you to unlock encrypted evidence.
– It is one of the best digital forensics tools that automates the preparation of evidence.
– You can perform deep and triage (severity and priority of defects) analysis.
EnCase
• Features :
• Court-validated Logical Evidence File format.
• Advanced search options.
• Internet and email support.
• Multiple viewers.
• Instant message analysis.
• Support for most system files.
• Multiple acquisition options.

FTK Imager
• FTK Imager is a forensic toolkit developed by AccessData that can be used to acquire evidence. It can create copies of data without making changes to the original evidence. This tool allows you to specify criteria, like file size, pixel size, and data type, to reduce the amount of irrelevant data.
FTK Imager
• Features:
– It provides a wizard-driven approach to detect cybercrime.
– This program offers better visualization of data using charts.
– You can recover passwords from more than 100 applications.
– It has an advanced and automated data analysis facility.
– FTK Imager helps you to manage reusable profiles for different investigation requirements.
Magnet RAM Capture

• You can use Magnet RAM Capture to capture the physical memory of a computer and analyze artifacts in memory.
• Magnet RAM Capture is designed to capture the physical memory of a suspect's computer.
• It supports the Windows operating system.
Magnet RAM Capture

• Features:
– You can run this app while minimizing overwritten data in memory.
– It enables you to export captured memory data and upload it into analysis tools.
– This app supports a vast range of Windows operating systems.
Registry Recon
• Registry Recon (Arsenal Recon) is a computer forensics tool used to extract,
recover, and analyze registry data from Windows systems.
• It is an efficient way to determine which external devices have been connected
to a PC, for example from the USBSTOR keys that record every USB storage device
ever attached.
• Features:
• It supports registry hives from Windows XP, Vista, 7, 8 and 10.
• It automatically recovers registry data from NTFS volumes, including deleted data
and unallocated space.
• It can be integrated with the Microsoft Disk Manager utility.
• It rebuilds the active registry and, from recovered historical data, earlier states
of it, so changes over time can be compared.

[Link]
83
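The USBSTOR artifact mentioned above is simple enough to extract by hand. The following is an added example, not code from the slides or from Arsenal Recon: it parses a Regedit-format export of the SYSTEM hive and lists every USB mass-storage device recorded under Enum\USBSTOR, decoding vendor, product and revision from the device key name and the serial number from the instance sub-key. The .reg text is a constructed sample; the vendors, serials and friendly names in it are made up. A .reg export does not carry key LastWrite timestamps (first/last connection times), so those still need the hive file itself.

```python
"""List USB storage devices recorded in a Windows registry export (USBSTOR).

Added example, not code from the slides or from Arsenal Recon. The sample
export below is constructed; a real one is produced with `reg export`.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\4C530001234567891234&0]
"FriendlyName"="SanDisk Cruzer Glide USB Device"
"Class"="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\E0D55EA5733E1234567890AB&0]
"FriendlyName"="Kingston DataTraveler 3.0 USB Device"
"Class"="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&2a1b3c4d&0&0]
"FriendlyName"="Generic Flash Disk USB Device"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                 # [HKEY_...\path]
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')        # "Name"="string value"
# Device key name: <Type>&Ven_<vendor>&Prod_<product>&Rev_<revision>
DEVICE_RE = re.compile(
    r"^(?P<type>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>.*)$"
)


@dataclass
class UsbStorDevice:
    device_type: str
    vendor: str
    product: str
    revision: str
    instance_id: str
    serial: Optional[str]        # None when Windows had to invent the instance ID
    windows_generated: bool      # second character of the instance ID is '&'
    values: Dict[str, str] = field(default_factory=dict)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: value}} for the string values in a .reg export."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            current = km.group(1)
            keys[current] = {}
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            keys[current][vm.group(1)] = vm.group(2)
    return keys


def usbstor_devices(text: str) -> List[UsbStorDevice]:
    """Every USBSTOR\<device>\<instance> key, from any ControlSet, as a UsbStorDevice."""
    devices: List[UsbStorDevice] = []
    for path, values in parse_reg(text).items():
        parts = path.split("\\")
        upper = [p.upper() for p in parts]
        if "USBSTOR" not in upper:
            continue
        tail = parts[upper.index("USBSTOR") + 1:]
        if len(tail) != 2:              # skip the USBSTOR root and bare device keys
            continue
        dm = DEVICE_RE.match(tail[0])
        if not dm:
            continue
        instance = tail[1]
        # Devices without a serial number get an ID of the form "7&xxxxxxxx&0&0",
        # so the '&' in position 1 is the tell that the serial is not trustworthy.
        generated = len(instance) > 1 and instance[1] == "&"
        serial = None if generated else instance.split("&")[0]
        devices.append(UsbStorDevice(dm["type"], dm["vendor"], dm["product"], dm["rev"],
                                     instance, serial, generated, dict(values)))
    return devices


if __name__ == "__main__":
    for d in usbstor_devices(SAMPLE_REG):
        print(f"{d.vendor} {d.product} rev {d.revision}  serial={d.serial or '(Windows-generated)'}"
              f"  {d.values.get('FriendlyName', '')}")
```

The instance-ID rule (a second character of `&` means Windows generated the ID because the device supplied no serial) is what stops an examiner from treating a pseudo-serial as a unique identifier across machines.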
RedLine

• Redline (FireEye/Mandiant) is a free tool for memory and file analysis of a Windows host.
• It collects information about running processes and loaded drivers from memory, and
gathers other data such as file metadata, registry data, scheduled tasks, services,
network information and Internet history, to build a report that can be reviewed and
scored for suspicious activity.

• [Link]
84
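The two slides above cover the capture (Magnet RAM Capture) and the structured analysis (Redline) of physical memory. In between sits the examiner's first pass over the raw dump: carving readable strings and pulling out network indicators. The block below is an added example, not code from the slides, from Magnet Forensics or from FireEye. The "memory image" it scans is constructed inline so the script runs offline; the command line, URL, addresses and path in it are made-up sample artifacts. Run with a file path argument to scan a real capture through mmap instead.

```python
"""Carve strings and network indicators from a raw physical-memory capture.

Added example, not code from the slides, from Magnet Forensics or from FireEye.
The "memory image" below is constructed; every artifact in it is made up.
"""
import mmap
import re
import sys
from typing import Dict, Iterator, List, Tuple

MIN_LEN = 6  # shortest run of characters worth reporting

# Constructed stand-in for a RAM capture: opaque bytes with a few artifacts in it.
SAMPLE_IMAGE = (
    b"\x00\x17\x9a\xff" * 8                                  # offset 0x00: noise
    + b"cmd.exe /c powershell -enc SQBFAFgA\x00"             # offset 0x20: command line
    + b"\x8b\x45\x08\x89\x04\x90"                            # offset 0x44: code bytes
    + b"http://203.0.113.10/update.bin\x00"                  # offset 0x4a: download URL
    + b"\x00" * 16
    + b"admin@example.com\x00"                               # offset 0x79: e-mail address
    + b"\xde\xad\xbe\xef" * 4
    + b"10.0.0.5\x00\x00"                                    # offset 0x9b: internal IP
    + "C:\\Users\\peter\\Downloads\\invoice.exe".encode("utf-16-le")  # offset 0xa5
)

ASCII_RUN = rb"[\x20-\x7e]{%d,}"            # printable ASCII
UTF16_RUN = rb"(?:[\x20-\x7e]\x00){%d,}"    # Windows stores most strings as UTF-16LE

INDICATORS = {
    "urls": re.compile(r"https?://[^\s\"'<>]+", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "emails": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "executables": re.compile(r"[A-Za-z]:\\[^\s\"'<>|*?]*\.exe\b", re.I),
}
# Whole strings that look like an attacker's command line (encoded PowerShell, cmd /c).
SUSPICIOUS_CMD = re.compile(
    r"powershell(?:\.exe)?\s+-e(?:nc|ncodedcommand)?\b|cmd\.exe\s+/c", re.I
)


def carve_strings(image, min_len: int = MIN_LEN) -> Iterator[Tuple[int, str, int]]:
    """Yield (offset, text, bytes_per_char): ASCII runs first, then UTF-16LE runs."""
    for m in re.finditer(ASCII_RUN % min_len, image):
        yield m.start(), m.group().decode("ascii"), 1
    for m in re.finditer(UTF16_RUN % min_len, image):
        yield m.start(), m.group().decode("utf-16-le"), 2


def extract_indicators(image) -> Dict[str, List[Tuple[int, str]]]:
    """Classify carved strings; offsets point at the indicator itself, in bytes."""
    found: Dict[str, List[Tuple[int, str]]] = {k: [] for k in INDICATORS}
    found["commands"] = []
    for offset, text, width in carve_strings(image):
        for name, pattern in INDICATORS.items():
            for m in pattern.finditer(text):
                found[name].append((offset + width * m.start(), m.group()))
        if SUSPICIOUS_CMD.search(text):
            found["commands"].append((offset, text))
    return found


def scan_file(path: str) -> Dict[str, List[Tuple[int, str]]]:
    """Scan a capture on disk without reading it all into RAM (re accepts an mmap)."""
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return extract_indicators(mm)


if __name__ == "__main__":
    results = scan_file(sys.argv[1]) if len(sys.argv) > 1 else extract_indicators(SAMPLE_IMAGE)
    for kind, hits in results.items():
        for offset, value in hits:
            print(f"{kind:12s} 0x{offset:08x}  {value}")
```

Offsets are kept so that each hit can be taken back into a structured tool and attributed to a process; a bare string without its offset is hard to defend in a report.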
ProDiscover Forensic

• ProDiscover Forensic is a forensic imaging and analysis product that lets you locate all
the data on a computer disk, protect the evidence and create reports suitable for use in
legal proceedings.
• Features:
 This product supports Windows, Mac, and Linux file systems.
 You can preview and search for suspicious files quickly.
 This Digital forensics software creates a copy of the entire suspected disk to keep the original
evidence safe.
 This tool helps you to see internet history.
 You can import or export .dd format images.
 It enables you to add comments to evidence of your interest.
 ProDiscover Forensic supports VMware to run a captured image.
• [Link]
85
Cell Phone Forensic Tools
• BitPim is a robust open-source application that was not built for forensic purposes (it
can write to a phone as well as read from it, so it must be used with care). BitPim is
designed to work with CDMA phones produced by several vendors, including LG and
Samsung. It can recover data such as the phonebook, calendar, wallpapers, ring tones
and file system.
• [Link]

• Oxygen Forensic Suite is a forensic program specifically designed for cell phones.
It’s a tool that supports more than 2,300 devices. It extracts data such as
phonebook, SIM card data, contact lists, caller groups, call logs, standard and
custom SMS/MMS/e-mail folders, deleted SMS messages, calendars, photos,
videos, JAVA applications, and GPS locations
• [Link]

• Paraben Corporation offers several hardware and software products targeted to
mobile device forensics. In addition to cell phones, their tools also support GPS
86
Cell Phone Forensic Tools

 AccessData's MPE+ supports more than 3,500 phones. It's an on-scene mobile forensic
recovery tool that can collect call history, messages, photos, videos, voicemail,
calendars and events. It can analyze and correlate multiple phones and computers
using the same interface.
 [Link]
• EnCase Smartphone Examiner is an EnCase tool designed to review and collect data
from smartphones and tablet devices. It collects data from BlackBerry devices, iTunes
backups and SD cards. Once the information is collected, it is easily imported into the
EnCase Forensic suite for continued investigation.
[Link]

87
Cell Phone Forensic Tools


• The Cellebrite Universal Forensic Extraction Device (UFED) is a stand-alone,
self-contained hardware device used to extract phonebooks, images, videos, SMS,
MMS, call history, and much more. It supports more than 2,500 phones and is
designed to extract information at the scene. It also has a SIM card reader and
cloner. As an interesting aside, Cellebrite devices (the non-forensic versions) can
be found in many cell phone stores, where they are used to transfer a customer's
data from one device to another.
• [Link]

88
Other Tools
• Mac Tools
–SoftBlock, MacQuisition and BlackLight (BlackBag Technologies)
–Mac Marshal (ATC-NY)

89
Commercial vs Open source Software
Software
• Software used in digital forensic analysis comes in
two varieties:
 Commercial software
 Open-source software
• In either case, the software is typically used for copying data from a suspect’s
disk drive (or other data source) to an image file, and then analyzing the data
without making any changes to the original source.
Advantages of commercial forensic software:
 Proven admissibility in court (for major brands).
 Dedicated technical support.
 Strict quality control for forensic accuracy.
 Often comes with an easy point-and-click graphical user interface.
 Better documentation.
 Greater availability of training and supplemental materials.
91
Software
Disadvantages of commercial forensic software:
• High initial cost.
• Cost of annual licensing / maintenance.
• Licensing often done through USB keys or “dongles” which can be
lost or damaged.
• Customer may need to be a member of a restricted group of
customers (such as law enforcement or academia) to receive best
pricing and functionality.

92
Software
Advantages of open-source forensic software:
• Lower initial cost
• Open-source software is often free.
• The source code is available, so you can audit it and build your own tool
incorporating only the features you need.
• Fewer (if any) licensing issues.
Disadvantages of open-source forensic software:
• Little (if any) vendor support on free software.
• Perceived as less standardized and reliable, and therefore as less likely to produce
admissible results (in practice admissibility turns on whether the tool's results are
testable and repeatable, not on its license).
• Often uses command-line interface instead of the point-and-
click interface familiar to Windows users

93
Software

What does forensic software do?


• Disk imaging (bit-for-bit copy of the source)
• Data recovery (deleted files, file carving)
• Integrity checking (hashing the source and the image, and re-verifying later)
• Remote acquisition (enterprise editions)
• Password recovery
• Secure wiping of target media (permanent file deletion)
• Searching and sorting (keyword, hash and file-type filters)
94
S/W Standards and Testing
• How do we know if our forensic software is good?
• The National Institute of Standards and Technology tests forensic
software and hardware through its Computer Forensics Tool Testing
Project.
• Download CFTT test results and thousands of pages of related NIST
research at [Link]
• Whether commercial or open‐source, forensic software should meet
these criteria:
• Should be accepted by law enforcement, security professionals, and
the legal community.
• Should be able to export image files to multiple platform formats.
• Should have efficient storage capabilities.
• Should be fully functional when launched from portable computing
platforms (such as laptops).
95
Computer Forensic Tools: Hardware
 Hardware categories
 Hardware types
 Methods for duplicating hard drives
 Forensic workstation concerns
Hardware

• The hardware tools needed for a successful forensic analysis can be divided into
two categories, incident response and laboratory.
• Incident response tools include the hand tools, cabling, identification supplies,
and other items necessary to perform an investigation at the scene of an incident.
• Laboratory tools include the devices and accessories necessary to perform an
analysis, under controlled conditions, of evidence retrieved from an incident scene.

97
Hardware.. Incident Response
• UltraKit: Includes write-blockers, cables, adapters, and
power supplies necessary for obtaining evidence during
incident response.

98
Hardware.. Incident Response

• Faraday cage:
• Is a container that isolates wireless devices from radio frequency signals that
could compromise data.
• The Faraday cage can prevent some laptop PCs, mobile phones, and smartphones
from being remotely "wiped" of data or otherwise locked down by wireless
instructions.
• In an emergency, a Faraday cage can be improvised by wrapping a wireless device
in several layers of aluminum foil. Improvised shielding is unreliable, so confirm that
the device has lost signal before relying on it, and expect the battery to drain faster
while the device searches for a network.

99
Hardware… Incident Response
• The Wireless StrongHold Bag.
• A Faraday cage built into an evidence bag for the safe
collection of wireless devices in incident response.

100
Hardware… Incident Response
• Other essential hardware for incident response:
• Write-blockers
• External hard drives
• USB drives, floppy disks and external floppy drive
• Portable network hub or network switch
• Network cables
• Straight-through cable connects a PC to a hub or switch.
• Crossover cable bypasses the hub or switch in a direct PC-to-PC connection (most
modern network cards detect the cable type automatically, so a straight-through
cable usually works there too).
• Evidence inventory logs
• Evidence identification tape, labels, and stickers
• Evidence bags (paper and antistatic)

101
Hardware… Incident Response
• Other essential hardware for incident response…
• Crime scene tape
• Gloves
• Nonmagnetic hand tools
• Cameras (photo and video)

102
Hardware… Laboratory
• In the digital forensic laboratory, Forensic workstations are
customized computer systems that contain the equipment
necessary for analysis of suspect computers.
• In addition to standard PC components such as motherboards,
hard drives, and memory, forensic workstations may include:
 Disk duplicators
 Disk erasers
 Write-blockers
• A modern forensic laboratory workstation (figure)

103
Hardware… Laboratory
• There are three generally accepted methods for duplicating
hard drives
 Dedicated forensic duplication systems
 System-to-system imaging
 Imaging on the original system
Disk Imaging on a Dedicated Forensic System
• Platform specifically built and designed to accommodate
numerous types of hard drive connections.
• Specialized bit‐level imaging software transfers an exact
copy of the contents of the original hard drive (or other data
source) to one or more blanks.

104
Hardware… Laboratory
Disk Imaging on a Dedicated Forensic System…
• Typically, an investigator will make more than one copy of the suspect hard drive
using this method.
 Each copy is verified by hashing: identical copies have identical hashes, and a
correct analysis should produce the same results on any of them.
• Example: Tableau Forensic Duplicator
Provides disk-to-disk and disk-to-file duplication.
Wipes disks to remove all traces of previous data on lab workstation hard drives.
Creates cryptographic hashes of the source and of the copy.
105
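The duplicator slide above and the "Integrity checking" item on the earlier software slide describe the same loop: copy every block, hash the stream as it is written, then re-read the copy and confirm the hashes. The block below is an added example that mirrors that loop in software; it is not code from the slides, from Tableau or from any other vendor. It also handles the case a duplicator reports rather than hides: an unreadable block is zero-filled and its offset logged (the `dd conv=noerror,sync` behaviour), which is why a source-versus-image mismatch must always be read together with the bad-block list. All input is constructed in memory, including the `FlakySource` stand-in for a drive with one bad block, so the script runs offline.

```python
"""Bit-level imaging with on-the-fly hashing and post-acquisition verification.

Added example, not code from the slides or from any vendor's duplicator.
The source "drive" and the read failure below are constructed.
"""
import hashlib
import io
from dataclasses import dataclass, field
from typing import BinaryIO, Dict, List

BLOCK_SIZE = 4096
ALGORITHMS = ("md5", "sha256")   # MD5 kept only because older reports and tools expect it


@dataclass
class AcquisitionRecord:
    bytes_written: int = 0
    bad_blocks: List[int] = field(default_factory=list)   # offsets that were zero-filled
    hashes: Dict[str, str] = field(default_factory=dict)  # hashes of the image as written


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Hash an in-memory buffer with every algorithm in ALGORITHMS."""
    return {a: hashlib.new(a, data).hexdigest() for a in ALGORITHMS}


def acquire(src: BinaryIO, dst: BinaryIO, block_size: int = BLOCK_SIZE) -> AcquisitionRecord:
    """Copy src to dst block by block, hashing exactly the bytes that reach the image."""
    digests = {a: hashlib.new(a) for a in ALGORITHMS}
    rec = AcquisitionRecord()
    offset = 0
    while True:
        try:
            chunk = src.read(block_size)
        except OSError:
            # Unreadable region: keep the geometry intact with zeros, record it, move on.
            chunk = b"\x00" * block_size
            rec.bad_blocks.append(offset)
        if not chunk:
            break
        dst.write(chunk)
        for d in digests.values():
            d.update(chunk)
        offset += len(chunk)
    dst.flush()
    rec.bytes_written = offset
    rec.hashes = {a: d.hexdigest() for a, d in digests.items()}
    return rec


def verify(image: BinaryIO, expected: Dict[str, str], block_size: int = BLOCK_SIZE) -> bool:
    """Re-read the image from the start and compare it with the acquisition hashes."""
    digests = {a: hashlib.new(a) for a in expected}
    image.seek(0)
    for chunk in iter(lambda: image.read(block_size), b""):
        for d in digests.values():
            d.update(chunk)
    return all(digests[a].hexdigest() == h for a, h in expected.items())


class FlakySource:
    """Constructed stand-in for a drive with one unreadable block at bad_offset."""
    def __init__(self, data: bytes, bad_offset: int):
        self._buf = io.BytesIO(data)
        self._bad = bad_offset

    def read(self, n: int) -> bytes:
        pos = self._buf.tell()
        if pos == self._bad:
            self._buf.seek(pos + n)          # the imager skips past the bad block
            raise OSError("simulated read error")
        return self._buf.read(n)


def demo(block_size: int = BLOCK_SIZE) -> dict:
    """A clean acquisition and one with a bad block; returns what a report would carry."""
    source = bytes(range(256)) * 64          # constructed 16 KiB "drive"
    source_hashes = hash_bytes(source)

    clean_img = io.BytesIO()
    clean = acquire(io.BytesIO(source), clean_img, block_size)

    flaky_img = io.BytesIO()
    flaky = acquire(FlakySource(source, bad_offset=2 * block_size), flaky_img, block_size)

    return {
        "source_hashes": source_hashes,
        "clean": clean, "clean_verified": verify(clean_img, clean.hashes, block_size),
        "flaky": flaky, "flaky_verified": verify(flaky_img, flaky.hashes, block_size),
    }


if __name__ == "__main__":
    r = demo()
    print("clean image matches source:", r["clean"].hashes == r["source_hashes"])
    print("flaky image bad blocks:", r["flaky"].bad_blocks,
          "matches source:", r["flaky"].hashes == r["source_hashes"])
```

Three numbers belong in the acquisition log: the hash of the source (taken through a write-blocker), the hash of the image as written, and the bad-block list. If the first two differ and the list is empty, the source changed during imaging or the write-blocker did not do its job, and that needs explaining before any analysis starts.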
Cellebrite UFED
• Cellebrite is an Israeli digital forensics company that provides tools for
collection, analysis, and management of digital data.
• Cellebrite offers a number of commercial digital forensics tools, but its Cellebrite
UFED (Universal Forensic Extraction Device) claims to be the industry standard
for accessing digital data.
• The main UFED offering focuses on mobile devices, but the general UFED
product line targets a range of devices, including drones, SIM and SD cards, GPS,
cloud and more.
• The UFED platform claims to use exclusive methods to maximize data extraction
from mobile devices.

106
Hardware… Laboratory

System‐to‐System Disk Imaging


• This method uses two separate computer systems: the suspect system and a
specialized forensic imaging system.
• Depending on the type of drives and connections available, both systems are
booted from CD-ROM, DVD, USB drive, or floppy disk, which loads the imaging
software.
• Data is transferred between the computers using serial, parallel, Ethernet, or
USB ports.
• This method can be slow, and is often not suited to on-the-scene incident
response.

107
Hardware… Laboratory

Disk Imaging on the Original System


• Uses the original (suspect) computer to perform the disk imaging transfer
process.
• A blank, forensically wiped drive of at least the original hard drive's capacity and
matching its configuration is added to the system.
• A forensic boot disk is used to create a bit-level image of the original disk.
• This method is typically used in on-the-scene incident response when it is
impractical to transport a computer to the investigator's laboratory.

108
Concerns
• To avoid the possibility of data contamination, digital forensic
workstations are typically not connected to the Internet or any
computer outside of the laboratory’s secure network.
• Never check e-mail, surf the Internet, or perform typical IT duties on a
forensic workstation. Viruses and spyware will seriously compromise
your investigation!
• Under no circumstances should peer-to-peer file sharing
applications be allowed on the same network as the forensic
workstation.

109
Concerns
• Evidence on Removable Media:
 Removable media is normally imaged using a dedicated forensics
system. This allows multiple images to be stored on a local hard drive.
 Duplicate copies can be burned from those images. As with any other
kind of digital evidence, original source material should be handled
as little as possible.
 CDs and DVDs are the easiest and safest to handle since they are
usually in read-only mode. When dealing with handwritten labels on CDs
and DVDs, consider that the disk may be mislabeled and you are
actually dealing with a re-writable disk.

110
Digital Forensics Hardware Tools
• Technology changes rapidly
• Hardware eventually fails
–Schedule equipment replacements periodically
• When planning your budget consider:
–Amount of time you expect the forensic workstation to be running
–Failures
–Consultant and vendor fees
–Anticipate equipment replacement
111
Forensic Workstations
• Carefully consider what you need
• Categories
–Stationary workstation
–Portable workstation
–Lightweight workstation
• Balance what you need and what your system can handle
–Remember that RAM and storage need updating as technology
advances

112
Forensic Workstations
• Police agency labs
– Need many options
– Use several PC configurations
• Keep a hardware library in addition to your software library
• Private corporation labs
– Handle only system types used in the organization

113
Forensic Workstations
• Building a forensic workstation is not as difficult as it sounds
• Advantages
– Customized to your needs
– Save money
• Disadvantages
– Hard to find support for problems
– Can become expensive if careless
• Also need to identify what you intend to analyze

114
Forensic Workstations
• Some vendors offer workstations designed for digital forensics
• Examples

– F.R.E.D. (Forensic Recovery of Evidence Device) unit from Digital Intelligence
– Hardware mounts from Forensic PC
• Having vendor support can save you time and frustration when you have problems
• Can mix and match components to get the capabilities you need for your forensic
workstation

115
End

116
