Task-1

Uploaded by kssnaga saipavan

EX. NO-01 Study of Computer Forensics and different tools used for forensic investigation
Aim:
Study of Computer Forensics and different tools used for forensic investigation

Description:
What Is Digital Forensics?
Digital forensics is the field of determining who was responsible for a digital
intrusion or other computer crime. It uses a wide range of techniques to attribute
the act to its perpetrator.
It relies upon the fundamental concept that whenever a digital intrusion or crime is
committed, the perpetrator inadvertently leaves a bit of themselves behind for the
investigator to find. These "bits" could be entries in log files, changes to the registry,
hacking software, malware, remnants of deleted files, etc. All of these can provide
clues and evidence to determine the perpetrator's identity and lead to the capture and
arrest of the hacker.
As a hacker, the more you know and understand about digital forensics, the better
you can evade the standard forensic techniques and even implement anti-forensic
measures to throw off the investigator.

The Digital Forensic Tools


Just like in hacking, there are a number of software tools for doing digital forensics.
For the hacker, becoming familiar with these tools and how they work is crucial to
evading them. Most digital forensic investigators rely upon three major commercial
digital forensic suites.
1. Guidance Software's EnCase Forensic
2. AccessData's Forensic Toolkit (FTK)
3. ProDiscover

Page | 1
These three suites comprise multiple tools and reporting features and can be
fairly expensive. While these suites are widely used by law enforcement, they use
the same or similar techniques as the free open-source suites, without the fancy
interfaces.

By using the open-source and free suites, we can come to understand how tools such
as EnCase work without the expense. EnCase is the tool most widely used by law
enforcement, but not necessarily the most effective or sophisticated. These tools
are designed for user-friendliness, efficiency, certification, good training, and
reporting.
There are a number of free, open-source forensic suites, including the following
three.
1. The Sleuth Kit (TSK)
2. Helix
3. Knoppix

The Forensic Tools Available in BackTrack


In addition, there are a large number of individual tools that are available for digital
forensics, some of which are available in our BackTrack and Kali distributions.

Some of the better tools in BackTrack include the following, among many others.

• sleuthkit
• rifiuti2
• scalpel
• truecrypt
• ptk
• dc3dd
• hexedit
• exiftool
• driftnet
• autopsy
• evtparse.pl
• timestomp
• iphoneanalyzer
• fatback

What Can Digital Forensics Do?


Digital forensics can do many things, all of which the aspiring hacker should be aware
of. Below is a list of just some of them.
• Recover deleted files, including emails
• Determine what computer, device, and/or software created the malicious file,
software, and/or attack
• Trace the source IP and/or MAC address of the attack
• Track the source of malware by its signature and components
• Determine the time, place, and device that took a picture
• Track the location of a cell-phone-enabled device (with or without GPS enabled)
• Determine the time a file was modified, accessed, or created (MAC)
• Crack passwords on encrypted hard drives, files, or communications
• Determine which websites the perpetrator visited and what files he downloaded
• Determine what commands and software the suspect has utilized
• Extract critical information from volatile memory
• Determine who hacked the wireless network and who the unauthorized users are

And that's just some of the things you can do with digital forensics!

What Is Anti-Forensics?
Anti-forensics are techniques that can be used to obfuscate information and evade the
tools and techniques of the forensic investigator. Some of these techniques include the
following.
• Hiding Data: Hiding data can include such things as encryption and
steganography.
• Artefact Wiping: Every attack leaves a signature or artefact behind. Sometimes
it's wise to attempt to wipe these artefacts from the victim machine so as to leave
no tell-tale trail for the investigator.
• Trail Obfuscation: A decent forensic investigator can trail nearly any remote
attack to an IP address and/or MAC address. Trail obfuscation is a technique that
leads them to another source of the attack, rather than the actual attack.
• Changing the Timestamp: Change the file timestamp (modify, access, and change)
to evade detection by forensic tools.
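Two points above, reading a file's MAC times and spotting when they have been rewritten, can be demonstrated with a small checker. The following is an added example, not code from the original report or from any tool it names; it assumes POSIX ctime semantics (ctime is the metadata-change time, as on Linux) and builds a constructed sample directory with os.utime so it runs offline:

```python
import os
import tempfile
import time

NS = 1_000_000_000  # nanoseconds per second


def fs_has_subsecond(dirpath):
    """Probe: a fresh file on ext4/NTFS/APFS carries a non-zero ns part."""
    fd, probe = tempfile.mkstemp(dir=dirpath)
    os.close(fd)
    try:
        return os.stat(probe).st_mtime_ns % NS != 0
    finally:
        os.remove(probe)


def timestamp_indicators(path, subsecond):
    """Reasons why a file's MAC times look rewritten (empty list = nothing odd)."""
    st = os.stat(path)
    reasons = []
    # A write sets mtime and ctime together; mtime > ctime means it was set explicitly.
    if st.st_mtime_ns > st.st_ctime_ns:
        reasons.append("mtime later than ctime: set explicitly, not by a write")
    # Timestamp-rewriting tools often write whole seconds; the filesystem keeps ns.
    if subsecond and st.st_mtime_ns % NS == 0 and st.st_atime_ns % NS == 0:
        reasons.append("mtime and atime are exact whole seconds")
    return reasons


def scan(dirpath):
    # Map file name -> indicators for every regular file directly in dirpath.
    subsecond = fs_has_subsecond(dirpath)
    report = {}
    for name in sorted(os.listdir(dirpath)):
        path = os.path.join(dirpath, name)
        if os.path.isfile(path):
            reasons = timestamp_indicators(path, subsecond)
            if reasons:
                report[name] = reasons
    return report


def build_sample_dir():
    """Constructed sample: one untouched file, two with rewritten times."""
    d = tempfile.mkdtemp()
    for name in ("normal.txt", "stomped.txt", "future.txt"):
        with open(os.path.join(d, name), "w") as fh:
            fh.write("sample evidence\n")
    past = 1_300_000_000 * NS  # backdated to an exact second
    os.utime(os.path.join(d, "stomped.txt"), ns=(past, past))
    ahead = (time.time_ns() // NS + 5 * 365 * 86400) * NS + 123_456_789
    os.utime(os.path.join(d, "future.txt"), ns=(ahead, ahead))  # five years on
    return d
```

Run scan() over a directory of interest; the whole-second check is skipped automatically on filesystems that only store whole seconds, so it does not flag every file there.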

List of Forensic Tools

Forensics Field Tools
FTK Imager
Forensic disk imager and file recovery.
Log Parser Lizard GUI
Flexible and powerful log file parser. It also does much more.
Noxcivis Field Toolkit
The Noxcivis Field Toolkit (NFT) is a free and open interface that allows forensic
examiners and collection teams to collect information from a computer.
Active@ Partition Recovery
Recover deleted partitions.
Autopsy
Forensics tool. Autopsy is a digital forensics platform and graphical interface to The Sleuth Kit®
and other digital forensics tools. It can be used by law enforcement, military, and corporate
examiners to investigate what happened on a computer. You can even use it to recover photos
from your camera's memory card.

CAINE (Computer Aided Investigative Environment)

CAINE (Computer Aided Investigative Environment) is an Italian GNU/Linux live distribution
created as a digital forensics project. CAINE fully represents the spirit of the Open Source
philosophy: the project is completely open, so anyone can take over the legacy of the previous
developer or project manager. The distro is open source, the Windows side (WinTaylor) is open
source and, last but not least, the distro is installable, which makes it possible to rebuild it
as a brand-new version and gives the project a long life.
Capture-BAT (The Honeynet Project)

Capture BAT is a behavioural analysis tool of applications for the
Win32 operating system family. Capture BAT is able to monitor the state of a system during the
execution of applications and processing of documents, which provides an analyst with insights on
how the software operates even if no source code is available. Capture BAT monitors state
changes on a low kernel level and can easily be used across various Win32 operating system
versions and configurations.
cFAIR Technologies Tools
cFAIR Technologies Tools for forensics and eDiscovery
Digital Forensics Framework (DFF)
DFF (Digital Forensics Framework) is free and open-source digital investigation software
built on top of a dedicated Application Programming Interface (API). It can be used both by
professionals and non-expert people in order to quickly and easily collect, preserve and reveal
digital evidence without compromising systems and data.

EnCase Forensic Imager
FREE software to capture a forensically sound copy of data.
Explorer Suite
Suite of executable file forensics utilities.
File and Partition Recovery Software
Free partition recovery software for recovering deleted partitions, disk partitions, NTFS
partitions and hard drive partitions. Supports FAT12, FAT16, FAT32, VFAT, NTFS, NTFS5 and
Windows 2000 Professional/XP/Vista/7/8, among others.
