15681_Forensic Resources and Tools

8/3/2019 15681_Forensic Resources and Tools

1/48


2/48

We will now briefly examine some, but not all,of the forensic resources and tools that are

employed in the law enforcement community.

The forensic aspects of the major operatingsystems will also be discussed.

The tools will be examined on the basis oftheir major functional category including

duplication, authentication, search, forensicanalysis, and file viewing tools.


3/48

1. Operating Systems: MS-DOS

WINDOWS

BeOS Linux


4/48

one of the most widely known operatingsystems in existence.

Depending on the version, its strength is itsrelative simplicity and the fact is that onlythree files are really required to have afunctional operating system

COMMAND.COM, MSDOS.SYS, and IO.SYS.


5/48

most forensically invasive operating system. Windows versions have only recently been

utilized for forensic duplication due to thedevelopment ofhardware write blockingdevices that prevent the operating systemfrom altering the evidentiary magnetic media.

Microsoft Windows, strength lies in its market

pervasiveness and the fact thatcomprehensive forensic analysis tools likeFTK and EnCase have been developed to runon it.


6/48

It is a high performance operating systemsimilar in some ways to Linux that providesprofessional users and enthusiasts with ahigh performance environment to quickly and

easily develop applications and content and isdesigned to facilitate the integration of newtechnologies.

can be used for media acquisition becauseautomatically attempt to mount magneticmedia that is connected to it.


7/48

Just like BeOS, Linux can also be used formedia acquisition.

Linux also includes many powerful low leveland file utilities that can be employed forforensic purposes.

It natively incorporates support to be able tomount and analyze many different types of

file systems both attached locally and over anetwork using a capability known as networkblock device.

Very powerful OS from a forensic point of

view.


8/48

2. Duplication : many sector-imaging andduplication tools available.

Safeback Snapback DatArrest

EnCase and FastBloc

ByteBack Disk Image Backup System (DIBSTM)

VOGON evidential hardware

Norton Ghost

Dd

ICS Image MASSter Solo 2 forensic systems


9/48

was designed as an evidence-processing toolwith error-checking built into every phase ofthe evidence backup and restoration process.

A command-line-based utility executed froma controlled boot disk has not changed allthat significantly over the past 12 years andcontinues to be in use with many lawenforcement and government agenciesworldwide.


10/48

Command line-based imaging utility easy to use

has particular strength in imaging SCSI disk

drives


11/48

FastBloc is a hardware write blocking devicethat allows forensic acquisition of an IDE harddrive using EnCase in the Microsoft Windowsenvironment which provides greatly increased

acquisition speed.


12/48

command line forensic duplication utility. ByteBacks data recovery heritage is apparent

in the number of data recovery featuresincluding the ability to rebuild lost datastructures including partition and FATs.


13/48

is an integrated hardware and softwareimaging and analysis system.

Unlike other forensic systems, it employs aSCSIMOD system to store evidentiary images


14/48

Vogon, another U.K. company, marketsanother integrated hardware and softwareimaging and analysis solution.

The Vogon hardware adopts a differentapproach to other imaging systems in that itutilizes high capacity, 200 GB HewlettPackard LTO Ultrium SCSI tape drives as theimaging media.


15/48

is a widely utilized commercial systembackup and recovery program fromSymantec.

In standard use Ghost does not meet forensicrequirements due to the fact that it does notproduce a true image but instead interpretsinformation from the master boot record andpartition tables.

With the employment of certain commandline switches, particularly the image raw (IR)switch, however, Ghost can be utilized to

create forensically sound clones and images.


16/48

dd is a low-level file utility and potentially thelowest-cost forensic imaging utility that isincluded with most distributions of UNIX andLinux.


17/48

is an integrated hand-held duplicationsystem that is in use with the U.S. SecretService and other law enforcement agenciesaround the world.

It is capable of imaging and cloning multipleIDE and SCSI drives and maintains an audittrail of all device activities.


18/48

3. Authentication: is a critically importantelement of the forensic process and should

take place at many stages. The various tools are:

1. Hash

2. Md5sum3. Hashkeeper

4. National Software Reference Library


19/48

is a command line program that calculates a32-bit cyclic redundancy check (CRC), 128-bit md5 or 160-bit SHA-1 hash of a filesupporting file signature analysis.


20/48

is a GNU implementation of the md5algorithm for the UNIX and Linux operatingsystem.


21/48

is a Microsoft Access database to maintain arecord of md5 hash sets for forensic use.

also maintains specialized hash sets relatedto child pornography and narcotics and isavailable only to law enforcement authorities


22/48

similar to Hashkeeper in that it provides a setof OWHF reference data derived from md5that can be used to reduce the number offiles that have to be reviewed or examined

during an investigation.


23/48

4. Search: Various search tools areencompassed-

dtSearch DiskSearch Pro

Net threat Analyzer

String Search

grep

File Extractor

Foremost


24/48

Created by dtCorporation.

Its a full text search and retrieval engine forWindows environment.

Makes use of indexes and is very fast


25/48

Created by New Technologies Inc.

Its a command line text search engine.

is able to search through both active files,and free and unallocated space employingfuzzy logic technology.

It is able to deal with embedded and encodedtext formats and is able to search on up to250 keywords simultaneously.


26/48

Was previously known as IP filter.

Created by New Technologies Inc.

Its a command line search tool.

designed to detect text strings specifically

related to Internet usage including e-mail,Web browsing and file downloads


27/48

Is a command line text search engine.

Designed to search data on the basis ofkeywords at the logical file system level.


28/48

It is a UNIX/Linux low-level, regularexpression text string search utility that isextremely powerful.

It is able to search through active files,unallocated space or a hard drives at the rawdevice level


29/48

specifically designed to search through

unallocated space on hard drives or containedin forensic image files at the binary level forhexadecimal values that represent specificfile headers of interest to the computerforensic examiner.

File Extractor is then able to sequentiallyextract an arbitrarily specified amount of data

past the file header and write it to a file of thesame type as the detected header.

very useful for recovering deleted, partiallyoverwritten files where the header is still

intact, particularly graphics files.


30/48

provides a similar type of functionality as FileExtractor, but for Linux.

It is available as a separate package or as partof the FIRE forensic Linux distribution


31/48

5. Analysis: available tools are-

Expert Witness

Forensic Toolkit EnCase

Ilook Investigator

WinHex

Curses Hexedit Automated Computer Examination System

ForensiX

Storage Media Archival and Recovery ToolKit

Datalifter v2.0 forensic support tools

NetAnalysis


32/48

the first fully integrated forensic dataacquisition and analysis program designedbased on the specifications and requirementsof the law enforcement community.

It was initially developed for the Macintoshplatform but was then ported over to theMicrosoft Windows environment


33/48

is a relatively new and fully integratedforensic data acquisition and analysisprogram that integrates a number ofextremely powerful features not found in

other forensic analysis suites includingintegrated dtSearch1 technology.


34/48

is a fully integrated forensic data acquisitionand analysis program widely used incommercial forensics.


35/48

is designed to examine image files of seizedcomputer systems that have been made withSafeback, dd, EnCase or any other utility.


36/48

No forensics toolkit is complete without apowerful hex editor program for low-level fileanalysis and WinHex, by Stefan Fleischmannfrom X-Ways AG, fills this role admirably.


37/48

A powerful hex editor program for theUNIX/Linux environment is [N] CursesHexedit.


38/48

designed for the Microsoft Windows NT4platform.


39/48

is a law enforcement only integrated forensicdata acquisition and analysis program,designed for the Linux operating system


40/48

is a very powerful integrated forensic dataacquisition and analysis program designedfor the Linux and BeOS operating systems.

combines sanitization, acquisition,

authentication, and analysis.


41/48

is a suite of 10 tools supporting recovery andanalysis of data from both cloned drives andsector image files.


42/48

is a forensic Internet history analysis toolcurrently in BETA testing.

It supports analysis of browser use, filedownloads etc.


43/48

6. File Viewers

Quick View Plus

IRFANView32 Resplendent Registrar

GUIDClean

Unmozify


44/48

is probably the best known general fileviewing utility available.

It has support for almost all documents,presentations, and graphic formats making itan invaluable tool for the computer forensicexaminer.


45/48

is a very fast 32-bit graphics viewer thatsupports almost all image formats that are inuse on the Internet and plugins available thatsupport many movie formats.


46/48

allows detailed examination of MicrosoftWindows registry files with more advancedfeatures.

It supports searching, bookmarking, andprinting details of relevant keys


47/48

GUIDClean is a freeware program that allowsdetection and display of the Global UniqueIdentifiers (GUID) that Microsoft Windows 98and some versions of Microsoft Word and

Excel, prior to MS Office 2000, placed indocuments.

The GUID is based on the MAC address of thesystems network card, if one is present,allowing tracking of documents to the systemon which they were authored.


48/48

is an Internet browser offline viewer programthat can be used to examine and reconstructWeb pages from browser history files and thecache directories of Internet Explorer and

Netscape Navigator.

Documents

15681_Forensic Resources and Tools