Chapter 8: Common Forensic Tools
Overview
In this chapter, you'll learn more about:
· Explore disk imaging tools, forensic software tool sets, and
miscellaneous software tools
· Understand computer forensic hardware
· Assemble your forensic tool kit
The first steps in any investigation nearly always involve old-
fashioned detective work. As a forensic investigator, you need
to observe and record your observations first. Once you start
examining media contents, you'll need some tools to help you
find and make sense of stored data.
Forensic investigators and computer examiners need several
different types of tools to identify and acquire computer
evidence. Some evidence is hidden from the casual observer and
requires specialized tools to find and access. In this chapter,
we'll examine a sampling of some common and popular tools
available to carry out computer forensic tasks.
Disk Imaging and Validation Tools
After identifying the physical media that they suspect contains
evidence, forensic investigators must make sure media is
preserved before any further steps are taken. Preserving the
media is necessary to provide assurance the evidence acquired
is valid.
Chapter 3, "Computer Evidence," and Chapter 4, "Common
Tasks," both emphasize the importance of copying all media
first and then analyzing the copy. It's usually best to create an
exact image of the media and verify that it matches the original
before continuing the investigation. It's rare to examine the
original evidence for any investigation that might end up in
court. For other types of investigations, however, forensic
investigators might perform a targeted examination on the
original evidence. For example, assume the job is to examine a
user's home folder on a server for suspected inappropriate
material. It might be impossible or extremely difficult to create
a mirror image of the disk drive, but the disk can be scanned for
existing or deleted files while it is in use. Although examining
media while in use might not always be the best practice,
informal investigations use this technique frequently.
To Copy or Not to Copy?
Whenever possible, create a duplicate of the original evidence,
verify the copy, and then examine the copy. Always invest the
time and effort to copy original media for any investigation that
might end up in a court of law. If you are sure your
investigation will not end up in court, you might decide to
analyze the original evidence directly. This is possible and
desirable in cases where copying media would cause service
interruptions.
Your choice of tools to use depends on several factors,
including:
· Operating system(s) supported
  Operating system(s) in which the tool runs
  File systems the tool supports
· Price
· Functionality
· Personal preference
The following sections list some tools used to create and verify
media copies. Some products appear in two places in the
chapter. That's because several products play multiple roles.
This section lists several products that are part of larger
forensic software suites. While most suites of forensic software
handle image acquisition, this section highlights those tools
investigators tend to use most frequently.
Note
The list in this chapter is not exhaustive. There are many useful
tools not listed here; thus, the exclusion of any tool need not
diminish its merit. Where possible, web addresses and URLs
have been included for tools examined.
dd
The dd utility tool is a mainstay in UNIX/Linux environments.
This handy tool is installed with most UNIX/Linux distributions
and is used to copy and convert files. As briefly discussed in
Chapter 5, "Capturing the Data Image," dd is commonly used in
forensics to copy an entire UNIX/Linux environment. Using dd
you can specify the input and output file, as well as conversion
options. This utility uses two basic arguments:
· if specifies the input file
· of specifies the output file
The dd utility abides by operating system file size limits
(normally 2 GB) and truncates individual files larger than the
limit. (The 2 GB limit does not apply when using the dd utility
with device files.) Use caution when copying large files with
dd.
If you want only to copy files smaller than the maximum file
size, dd is a handy tool to keep in your forensic toolbox.
For example, to copy a simple file from a source (such as
/home/user/sn.txt) to a destination (such as /tmp/newfile), you
would issue the following command:
dd if=/home/user/sn.txt of=/tmp/newfile
Figure 8.1 shows the results of the above command.
Figure 8.1: Using the dd utility to copy a text file
Using similar syntax, an entire hard disk drive can easily be
copied. To copy a drive located at /dev/sdb to an image file
named /home/user/case1234img, use this command:
dd if=/dev/sdb of=/home/user/case1234img
Figure 8.2 shows the results of the above command.
Figure 8.2: Using the dd utility to copy an entire hard disk drive
The dd utility is already on any computer running UNIX or
Linux, and an Internet search produces a list of places to obtain
dd for Windows. Chrysocome provides a version of dd for
Windows at http://chrysocome.net/dd. Type man dd in UNIX or
Linux for a man (manual) page that documents the command
syntax.
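The dd command above copies whatever it reads from if= to of=, nothing more; the other imaging tools in this section add block-wise reading, zero-filling of unreadable blocks (dd's conv=noerror,sync), hashing during the copy, optional image splitting, and a verification pass. The following Python program is an added example that carries those steps through in one place; it is not code from the chapter or from any tool it covers. The BLOCK_SIZE, the file paths, and the FlakyReader that stands in for a device with a bad sector are constructed for the demo; a real acquisition would open a device such as the chapter's /dev/sdb as the source.

```python
"""Added example, not code from the chapter or from any tool it covers: a
minimal forensic imager showing what the chapter's dd command does (if= -> of=)
plus the steps the other tools in this section add. It reads in fixed-size
blocks, zero-fills any block the source cannot read (dd's conv=noerror,sync)
so later offsets stay aligned, hashes the data with MD5 and SHA-256 while
copying, optionally splits the image into numbered segments, and verifies the
finished image against the acquisition hash. Paths, block sizes and the
FlakyReader are constructed for the demo; a real run would open a device such
as the chapter's /dev/sdb as the source."""
import hashlib
from typing import List, Optional

BLOCK_SIZE = 4096


def image_source(source, dest_prefix: str, block_size: int = BLOCK_SIZE,
                 segment_size: Optional[int] = None) -> dict:
    """Copy `source` (any object with read()/seek()) into dest_prefix.001,
    .002, ... and return the acquisition record: hashes, segment paths, size
    in bytes and the number of blocks that had to be zero-filled."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    segments: List[str] = []
    out = None
    written_in_segment = 0
    bad_blocks = total = offset = 0

    def open_segment():
        nonlocal out, written_in_segment
        if out is not None:
            out.close()
        path = f"{dest_prefix}.{len(segments) + 1:03d}"
        segments.append(path)
        out = open(path, "wb")
        written_in_segment = 0

    open_segment()
    while True:
        try:
            block = source.read(block_size)
        except OSError:
            # conv=noerror,sync behaviour: count the bad block, substitute a
            # zero-filled block of the same size, and skip past it so the
            # next read starts at the following block.
            bad_blocks += 1
            block = b"\x00" * block_size
            source.seek(offset + block_size)
        if not block:
            break
        offset += len(block)
        md5.update(block)
        sha256.update(block)
        # Start a new segment when this block would overflow the current one
        # (the splitting EnCase and Forensic Replicator offer so images fit
        # on smaller media).
        if (segment_size and written_in_segment
                and written_in_segment + len(block) > segment_size):
            open_segment()
        out.write(block)
        written_in_segment += len(block)
        total += len(block)
    out.close()
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest(),
            "segments": segments, "size": total, "bad_blocks": bad_blocks}


def verify_image(segments: List[str], expected_sha256: str) -> bool:
    """Re-hash the segments in order and compare with the acquisition hash.
    This is the verification step; a mismatch means the image was altered
    or a segment is missing, so the copy must not be used as evidence."""
    sha256 = hashlib.sha256()
    for path in segments:
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(BLOCK_SIZE), b""):
                sha256.update(chunk)
    return sha256.hexdigest() == expected_sha256


class FlakyReader:
    """Constructed stand-in for a device with one unreadable block: read()
    raises OSError whenever the bad block is requested, and seek() works
    like a file's, so image_source() can skip past it."""

    def __init__(self, data: bytes, bad_block: int, block_size: int = BLOCK_SIZE):
        self.data, self.bad_block = data, bad_block
        self.block_size, self.pos = block_size, 0

    def seek(self, offset: int) -> None:
        self.pos = offset

    def read(self, n: int) -> bytes:
        if self.pos // self.block_size == self.bad_block:
            raise OSError("simulated unreadable sector")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += len(chunk)
        return chunk
```

Two points the dd one-liner hides are visible here: the acquisition hash is taken from the bytes as they are read, so a later verification compares the image with what was acquired rather than with a source that may no longer be readable, and a zero-filled bad block is recorded in the acquisition record, which is what an examiner needs in order to explain why the image hash differs from a later hash of the original device.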
DriveSpy
DriveSpy is a DOS-based disk imaging tool, developed by
Digital Intelligence, Inc. An extended DOS forensic shell,
DriveSpy provides an interface similar to the MS-DOS
command line, along with additional and extended commands.
The entire program is only 125 KB and easily fits on a DOS
boot floppy disk. Unfortunately, DOS boot floppy disks aren't
as common as they once were. Also, it takes some work to
prepare media to use DriveSpy. The payoff is usually worth the
effort. DriveSpy does a great job of capturing and searching
disk content. All you have to do is create a DOS bootable
device with the DriveSpy executable on it. The most common
portable boot devices are CD/DVDs and USB devices.
To create a DOS bootable device:
1 Start DriveSpy and use the DRIVES or V command to list the
drives and partitions attached to a computer. (See Figure 8.3.)
2 Choose a drive and partition for the investigation target from
the SYS> prompt.
3 Select drive 3 with the D3 command.
4 Select partition 1 with the P1 command. The partition
information is displayed. (See Figure 8.4.)
Figure 8.3: Listing the drives on a system
Figure 8.4: Partition information
DriveSpy provides many functions necessary to copy and
examine drive contents. The program logs all activities,
optionally down to each keystroke. Logging can be disabled at
will. Forensic investigators can examine DOS and non-DOS
partitions and retrieve extensive architectural information for
hard drives or partitions. DriveSpy does not use operating
system calls to access files, and it does not change file access
dates.
DriveSpy also lets you perform the following tasks:
· Create a disk-to-disk copy (supports large disk drives).
· Create an MD5 hash for a drive, partition, or selected files.
· Copy a range of sectors from a source to a target, where
source and target can span drives or reside on the same drive.
· Select files based on name, extension, or attributes.
· Unerase files.
· Search a drive, partition, or selected files for text strings.
· Collect slack and unallocated space.
· Wipe a disk, partition, unallocated, or slack space.
DriveSpy provides basic command-line functionality and is
portable enough to carry on a simple boot device or media to
use at the scene. For pricing and more information, visit the
Digital Intelligence, Inc. Web site at
http://www.digitalintelligence.com/software/disoftware/drivespy/.
EnCase
The EnCase product family from Guidance Software is one of
the most complete forensic suites available. More of EnCase's
functionality and its different products are covered in the
"Forensic Tools" section later in this chapter. EnCase is also
included in this section owing to its drive duplication functions.
forensic suite
Set of tools and/or software programs used to analyze a
computer for collection of evidence.
In addition to providing tools and a framework in which to
manage a complete case, EnCase includes a drive duplicator
(also known as a drive imager). The drive imager creates an
exact copy of a drive and validates the image automatically (See
Figure 8.5 and Figure 8.6). It either creates complete images or
splits drive images to economize storage. EnCase copies
virtually any type of media, creating an identical image for
analysis. EnCase calls this static data support.
Figure 8.5: Using EnCase to select a drive for duplication
Figure 8.6: EnCase acquisition status message with an assigned
globally unique identifier (GUID) and MD5
Tip
EnCase Enterprise Edition also provides support for volatile
data. This feature snapshots Random Access Memory (RAM),
the Windows Registry, open ports, and running applications. It
provides potentially valuable information that disappears when
a computer is shut down.
Guidance Software also sells a complete line of hardware disk-
write blockers. Their Tableau products provide an extra measure
of assurance that no writes occur on a device. You can use the
hardware write blocker with EnCase or rely on EnCase's own
software write blocking to protect original media. Forensic
investigators can also use Tableau hardware write blockers with
non-EnCase software.
The EnCase products run on Windows workstation and server
operating systems. For more information on the EnCase product
line and specific system requirements, visit the Guidance
Software Web site at www.guidancesoftware.com.
Forensic Replicator
Forensic Replicator, from Paraben Forensic Tools, is another
disk imaging tool that accommodates many types of electronic
media. Forensic Replicator runs on the Windows operating
system. It provides an easy-to-use interface, as shown in Figure
8.7 and Figure 8.8, to select and copy entire drives or portions
of drives. It also handles most removable media, including
Universal Serial Bus (USB) micro drives. Forensic Replicator
stores media images in a format that the most popular forensic
programs can read.
Figure 8.7: Paraben's Forensic Replicator Acquisition Wizard
Figure 8.8: Paraben's Forensic Replicator primary user interface
Forensic Replicator also provides the ability to compress and
split drive images for efficient storage. The ISO option allows
you to create CDs or DVDs from evidence drives that you can
browse for analysis. This option makes drive analysis much
easier and more accessible for general computers. Copies of the
suspect drive don't need to be mounted on a dedicated forensic
computer. Standard searching utilities can be used to search the
CDs or DVDs. Forensic Replicator also offers the option of
encrypting duplicate images for secure storage.
Paraben also sells a FireWire or USB-to-IDE/SATA write
blocker, called Paraben's Lockdown V3, as a companion
product.
For additional information about the Paraben forensic tools
product line, see the "Forensic Tools" section later in this
chapter. For more information on the Forensic Replicator
product, visit the Paraben Web site at
http://www.paraben-forensics.com/replicator.html.
FTK Imager
FTK (Forensic Toolkit) Imager from AccessData Corporation is
a Windows-based set of forensic tools that includes powerful
media duplication features. (See Figure 8.9.) This free imaging
tool allows you to mount a forensic image of the suspect
computer so that the suspect's image becomes a letter drive on
the investigator's computer.
Figure 8.9: AccessData FTK Imager
FTK can create media images from many different source
formats, including:
· NTFS and NTFS compressed
· FAT12, FAT16, and FAT32
· Linux ext2, ext3, and ext4
· HFS, HFS+, CDFS, and VXFS
Figure 8.10 shows the image creation progress message.
Figure 8.10: FTK Imager creating an image
FTK generates CRC or MD5 hash values, as do most products in
this category, for disk-copy verification. In addition, FTK
provides full searching capability for media and images created
from other disk imaging programs. Image formats that FTK
reads include:
· EnCase
· SMART
· Expert Witness
· ICS
· Ghost
· dd
· Advanced Forensic Format (AFF)
· AccessData Logical Image (ADI)
For more information about FTK Imager, visit the AccessData
Corporation Web site at www.accessdata.com.
Norton Ghost
Norton Ghost, from Symantec, is not strictly a forensic tool, but
it does provide the ability to create disk copies that are almost
exact copies of the original. You can verify the copies you make
and ensure each partition is an exact copy, but a complete drive
image that Ghost creates commonly returns a different hash
value than a hash of the original drive. This means that,
although Ghost is a handy tool, it may not provide evidence that
is admissible in a court of law. The most common uses for
Ghost include backup/restore and creating installation images
for multiple computers. Even though Ghost's primary use is not
forensics, its utility merits a place in our list of useful tools.
(See Figure 8.11.)
Figure 8.11: Norton Ghost
Norton Ghost is a Windows application and requires a Windows
operating system. For more information on Norton Ghost, visit
the Symantec Web site at http://us.norton.com/ghost.
ProDiscover
ProDiscover, from Technology Pathways, is another suite of
forensic tools worth considering for your forensic toolkit. Like
other forensic software suites, ProDiscover provides disk
imaging and verification features. (See Figure 8.12.)
ProDiscover can create a bit stream copy of an entire suspect
disk, including host protected area (HPA) sections, to keep
original evidence safe. The HPA is an area of
a hard disk drive that the disk controller does not report to the
BIOS or the operating system. Some disk drive manufacturers
use the HPA to hide utilities from the operating system. (For
more information, see Chapter 5.)
Another interesting feature of ProDiscover is that it allows you
to capture a disk image over a network without being physically
connected to a suspect computer.
Figure 8.12: Capturing a disk image with ProDiscover
ProDiscover also automatically creates and records MD5 or
SHA-1 hashes for evidence files to prove data integrity. Figure
8.13 shows the main project window.
Figure 8.13: ProDiscover project
Technology Pathways provides several different versions of
ProDiscover, to meet specific forensic needs. As with other
forensic suites, we cover additional features in a later section of
this chapter.
All Technology Pathways products include disk imaging and
verification and require a Windows operating system. For more
information on ProDiscover, visit the Technology Pathways
Web site at www.techpathways.com.
SMART Acquisition Workshop (SAW)
The SMART Acquisition Workshop (SAW) product from ASR
Data Acquisition & Analysis, LLC, is a stand-alone utility that
creates forensic-quality images from storage devices. SAW runs
on Windows, Linux, and Mac computers. Regardless of the
operating system, SAW uses a GUI that makes creating images
of evidence data easy. (See Figure 8.14.)
Although SAW works as a stand-alone utility, it also works with
another ASR Data utility, SmartMount. SmartMount uses image
files from SAW and several other imaging tools, to ensure fast
performance for many common forensic activities. ASR Data
states that SmartMount exceeds competitors' performance by
running up to twenty times faster for searches, indexing, and
analysis operations.
Figure 8.14: SAW interface
Even without SmartMount, SAW provides a solid method to
create images of many different types of storage media using a
straightforward GUI. For more information on SAW, visit the
ASR Data Acquisitions & Analysis Web site at
http://www.asrdata.com/forensic-software/saw/.
SMART
SMART comes from the same organization that produces the
SAW utility, ASR Data Acquisition & Analysis, LLC. The suite
comprises several tools integrated into a full-featured forensic
software package. Two tools in the package are SMART
Acquisition, which provides disk imaging, and SMART
Authentication, which provides verification functionality.
SMART runs in Linux and provides a graphical view of devices
in a system (Figure 8.15). The first step in creating a disk image
is to calculate a hash value for the source device.
Figure 8.15: SMART displays devices in a system.
After SMART generates and stores the hash value, it creates one
or more device images. SMART can create multiple image files,
use compression, split images to fit on smaller devices, and
associate images with existing case files (Figure 8.16).
Figure 8.16: Creating an image file with SMART
For more information on SMART, visit the ASR Web site at
http://www.asrdata.com/forensic-software/smart-for-linux/.
WinHex
WinHex, from X-Ways Software Technology AG, is a Windows-
based universal hexadecimal editor and disk management
utility. It supports recovery from lost or damaged files and
general editing of disk contents. Its disk cloning feature is most
relevant to this section.
WinHex clones any connected disk (see Figure 8.17 and Figure
8.18) and verifies the process using checksums or hash
calculations.
Figure 8.17: Starting the clone process in WinHex
Figure 8.18: The Clone Disk dialog box in WinHex
WinHex provides many features beyond disk imaging and
verification. You can use WinHex to examine, and optionally
edit, disk contents. You can also search disks for text strings
using WinHex's search engine. Its support for various data types
and its ability to view data in different formats make WinHex a
valuable forensic tool.
For more information on WinHex and its additional capabilities,
visit the X-Ways Software Technology Web site at
http://www.x-ways.net/winhex/.
Forensic Tools
After you make a verified copy of original media, you're ready
to begin analysis. The tools discussed in the following sections
can perform many forensic functions. Your choice of tools
depends on specific investigative needs. The following sections
include common software and hardware tools and cover their
capabilities.
As with disk imaging tools, your choice of tools to use depends
on the following:
· Operating system(s) supported
· User interface preferences
· Budget
· Functionality/capabilities
· Vendor loyalty
Software Suites
Several companies specialize in developing and providing
forensic tools. These companies produce software and/or
hardware with diverse functionality. Some suites of forensic
software are tightly integrated and have mature user interfaces.
Other forensic suites are little more than collections of useful
utilities. Consider the following tools and try out the ones you
like. Your final choice of forensic tools should enable you to
perform the examinations you will encounter. Although bells
and whistles are nice, it's more important to get the tools you
really need.
EnCase
Guidance Software produces the EnCase product line. EnCase
was originally developed for law enforcement personnel to carry
out investigations. This product line has grown to support
commercial incident response teams as well.
The general concept of a case is central to the EnCase product.
The first action you take is to create a case file. All subsequent
activities (see Figure 8.19, Figure 8.20, and Figure 8.21) relate
to a case.
Figure 8.19: EnCase interface
Figure 8.20: Using EnCase to search for keywords
Figure 8.21: Viewing IP addresses with EnCase
EnCase is an integrated Windows-based GUI tool suite. Even
though the EnCase functionality is impressive, you are likely to
need other utilities at some point. Fully integrated solutions can
increase productivity, but don't hesitate to use another tool
when you need it.
Here are just a few features of EnCase:
· Snapshot enables investigators to capture volatile information
including:
RAM contents
Running programs
Open files and ports
· Organizes results into case files and manages case documents
· Helps maintain the chain of custody
· Provides tools for incident response teams to respond to
emerging threats
· Supports real-time and postmortem examinations
EnCase provides the functionality to acquire and examine many
types of evidence. The organization around a case provides the
structure to keep information in order. Overall, EnCase is one
of the premium suites of software you definitely should evaluate
when selecting forensic tools. For more information on EnCase,
visit the Web site at www.guidancesoftware.com.
Forensic Toolkit (FTK)
Another forensic suite that provides an integrated user interface
is AccessData's Forensic Toolkit (FTK) (Figure 8.22). FTK runs
in Windows operating systems and provides a powerful tool set
to acquire and examine electronic media.
Figure 8.22: FTK Evidence Processing options
As discussed in "Disk Imaging and Validation," earlier in this
chapter, FTK contains a disk imaging tool. This imaging tool
provides one or more copies of primary evidence for analysis.
FTK provides an easy-to-use file viewer that recognizes nearly
300 types of files. It also provides full text indexing powered by
dtSearch (we cover dtSearch features later in this chapter in the
"Miscellaneous Software Tools" section). FTK's integrated file
viewer and search capabilities enable it to find evidence on
most devices.
FTK works with media images created by several imaging
utilities, including:
· FTK
· EnCase
· SMART
· dd
Search capabilities include e-mail and archive file analysis.
FTK also enables users to quickly examine files in many
different formats. Results are organized by case and presented
in a case content summary. For more information on FTK, visit
the AccessData Web site at www.accessdata.com.
The Sleuth Kit (TSK)
The Sleuth Kit (TSK) is a popular, free, open source forensic
software suite. TSK is a collection of command-line tools that
provides media management and forensic analysis functionality.
TSK has a few features that deserve separate mention. TSK
supports Mac partitions and analyzes files from Mac file
systems. It also runs on Mac OS X. TSK can analyze volatile
data on running systems.
The core TSK toolkit contains five different types of tools.
· File System Tools
  File System Layer: The fsstat tool reports file system details,
  including inode numbers (file system data structures that
  contain file information), block or cluster ranges, and super
  block details for UNIX-based systems. For FAT file systems,
  fsstat provides an abbreviated FAT table listing.
  File Name Layer: The ffind and fls tools report allocated,
  unallocated, and deleted filenames.
  Meta Data Layer: The icat, ifind, ils, and istat tools report on
  file metadata (file details) stored in file systems.
  Data Unit Layer: The blkcat, blkls, blkstat, and blkcalc tools
  report file content information and statistics.
  File System Journal: The jcat and jls tools report journal
  information and statistics.
· Volume System Tools
  The mmls, mmstat, and mmcat tools provide information on the
  layout of disks or other media.
· Image File Tools
  The img_stat and img_cat tools provide details and content
  information for image files.
· Disk Tools
  The disk_sreset and disk_stat tools detect and remove an HPA
  on an ATA disk.
· Other Tools
  hfind: Looks up hash values.
  mactime: Uses fls and ils output to create timelines of
  file activity, such as create, access, and write activity.
  sorter: Sorts files based on file type.
  sigfind: Searches for a binary value in a file, starting at
  a specific offset location.
For more information on TSK, visit the TSK Web site at
www.sleuthkit.org.
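The mactime tool above turns fls and ils output into a timeline, and the format that links them is TSK's "body file": one line per file with the fields MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime, timestamps in Unix seconds and 0 where the file system recorded none. The following Python program is an added example, not TSK's own code, that does the core of mactime's job on constructed body file lines: it expands each entry into one event per timestamp, merges events that share a time and a file into a row with mactime-style "macb" flags (modified, accessed, changed, born), and sorts them. The SAMPLE_BODYFILE content is constructed, not real fls output.

```python
"""Added example, not TSK's own code: a small timeline builder that does what
mactime does with fls and ils output. It reads TSK's body file format
(MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime, times in
Unix seconds, 0 when unknown), expands each entry into one event per
timestamp, merges events that share a time and a file into one row with
mactime-style "macb" flags (modified, accessed, changed, born), and sorts
them. The SAMPLE_BODYFILE lines are constructed."""
import datetime
from typing import Dict, List, Tuple

FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size",
          "atime", "mtime", "ctime", "crtime")

# Constructed sample: one document, one shell history, one deleted note
# (fls marks deleted entries with a trailing "(deleted)").
SAMPLE_BODYFILE = """\
0|/Users/alice/Documents/plan.docx|1234|r/rrw-r--r--|501|20|48213|1700000300|1700000200|1700000200|1700000100
0|/Users/alice/.bash_history|1240|r/rrw-------|501|20|912|1700000500|1700000500|1700000500|1699990000
0|/Users/alice/Documents/notes.txt (deleted)|1250|r/rrw-r--r--|501|20|10|0|1700000250|1700000250|0
"""


def parse_bodyfile(text: str) -> List[Dict[str, str]]:
    """Parse body file lines into dicts keyed by FIELDS. The name is the only
    field that may itself contain '|', so the nine trailing fields are split
    off from the right and the name is whatever sits between md5 and inode."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.rsplit("|", 9)
        if len(parts) != 10 or "|" not in parts[0]:
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields")
        md5, name = parts[0].split("|", 1)
        entries.append(dict(zip(FIELDS, [md5, name] + parts[1:])))
    return entries


def build_timeline(entries) -> List[Tuple[int, str, str, int]]:
    """Return (timestamp, macb flags, name, size) rows in time order. A zero
    timestamp means the file system recorded none for that field, so it is
    skipped rather than shown as 1970-01-01."""
    rows: Dict[Tuple[int, str], set] = {}
    sizes: Dict[str, int] = {}
    for e in entries:
        sizes[e["name"]] = int(e["size"])
        for flag, field in (("m", "mtime"), ("a", "atime"),
                            ("c", "ctime"), ("b", "crtime")):
            ts = int(e[field])
            if ts:
                rows.setdefault((ts, e["name"]), set()).add(flag)
    timeline = []
    for (ts, name), flags in sorted(rows.items()):
        macb = "".join(f if f in flags else "." for f in "macb")
        timeline.append((ts, macb, name, sizes[name]))
    return timeline


def format_timeline(timeline) -> List[str]:
    """Render rows as ISO-8601 UTC lines: time, macb flags, size, name."""
    lines = []
    for ts, macb, name, size in timeline:
        when = datetime.datetime.fromtimestamp(ts, tz=datetime.timezone.utc)
        lines.append(f"{when:%Y-%m-%dT%H:%M:%SZ} {macb} {size:>8} {name}")
    return lines


if __name__ == "__main__":
    for line in format_timeline(build_timeline(parse_bodyfile(SAMPLE_BODYFILE))):
        print(line)
```

Reading the output the way an examiner reads mactime's: a "...b" row is the file's creation, "m.c." means content and metadata changed together (a write), and ".a.." is a read with no change; the deleted notes.txt still appears because its modification and change times survive in the inode even though fls reports it as deleted.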
ProDiscover
Technology Pathways provides two different versions of the
ProDiscover tool suite: Forensics and Incident Response (IR),
depending on your particular forensic needs. (ProDiscover IR is
shown in Figure 8.23 and Figure 8.24.) Both ProDiscover
products run in Windows with an integrated GUI.
Figure 8.23: Using ProDiscover IR to add comments to a file
Figure 8.24: Search results in ProDiscover IR
Here are some notable ProDiscover features:
· Allows live system examination
· Identifies Trojan horse programs and other software intended
to compromise system security
· Utilizes a remote agent that allows centralized examination
and monitoring, along with encrypted network communication
to secure analysis data
· Creates a bit stream copy of an entire suspect disk, including
hidden HPA sections, to keep original evidence safe
· Ensures integrity of acquired images using MD5 or SHA-1
hashes
· Supports FAT12, FAT16, FAT32, all NTFS versions, Linux
ext2/ext3, and Sun Solaris UFS file systems
· Generates reports in eXtensible Markup Language (XML)
ProDiscover provides functionality similar to other full-featured
forensic software suites listed in this section.
Technology Pathways also offers a free version of ProDiscover
called ProDiscover Basic. ProDiscover Basic is a complete
GUI-based computer forensic software package. It includes the
ability to image, preserve, analyze, and report on evidence
found on a computer disk drive. This version is freeware and may
be used and shared free of charge.
Take a look at the full product line for more details on specific
features. To learn more about ProDiscover, visit the Technology
Pathways Web site at www.techpathways.com.
SIFT
The SANS Investigative Forensic Toolkit (SIFT) is a collection
of open source (and freely available) forensic utilities. SANS
originally developed SIFT as a toolkit for students in the SANS
Computer Forensic Investigations and Incident Response
course. The students liked the toolkit so much that word spread
and SANS decided to repackage and release it to the public.
SIFT is available either as a VMware virtual machine or as an
ISO image to create a bootable CD. It provides the ability to
examine disks and images created using other forensic software.
This toolkit allows users to examine the following file systems:
· Windows (FAT, VFAT, NTFS)
· Mac (HFS)
· Solaris (UFS)
· Linux (ext2/ext3)
SIFT tools support the following evidence image formats:
· Raw (dd)
· Expert Witness (E01)
· Advanced Forensic Format (AFF)
SIFT includes these individual tools:
· The Sleuth Kit (TSK file system analysis)
· Log2timeline (generates timelines)
· Ssdeep and md5deep (generates hashes)
· Foremost/Scalpel (file carving)
· Wireshark (network analysis) (http://www.wireshark.org/)
(See Figure 8.25.)
Figure 8.25: Wireshark Network Analyzer
· Vinetto (thumbs.db analysis)
· Pasco (Internet Explorer history analysis)
· Rifiuti (examines Recycle Bin)
· Volatility Framework (memory forensics)
· DFLabs (GUI front end for TSK)
· Autopsy (GUI front end for TSK)
· PyFLAG (log and disk analysis)
· Guymager (GUI imager for evidence acquisition)
Figure 8.26: Guymager open source forensic manager
SANS also provides users with documentation (including a
series of "how-to" tutorials) on using SIFT in a forensic
investigation. For more information on SIFT, visit the SANS
Web site at
https://computer-forensics2.sans.org/community/downloads/.
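Two of the SIFT tools listed above, md5deep and TSK's hfind, are usually used together for known-file filtering: hash everything on the evidence, look each hash up in a set of known files, and set aside the matches so the examiner's time goes to what is left. The following Python program is an added example of that workflow and is not md5deep's or hfind's code. The one-hash-per-line hash set format is an assumption made for the demo (real sets such as NSRL have their own formats), and both the hash set and the evidence tree are constructed inline.

```python
"""Added example, not md5deep's or TSK hfind's code: known-file filtering.
Every file under a root is hashed with MD5 and SHA-1, each digest is looked
up in a hash set loaded from a simple one-hash-per-line text format (an
assumption for this demo; NSRL and other real sets have their own formats),
and the files that are NOT known are reported, since those are the ones
worth an examiner's time. The hash set and the evidence files are
constructed inline."""
import hashlib
import os
from typing import Dict, List, Set, Tuple

# Constructed hash set: MD5 and SHA-1 of the empty file and of a well-known
# test sentence, standing in for a known-good set such as NSRL.
KNOWN_HASHSET_TEXT = """\
# md5 or sha1, one per line
d41d8cd98f00b204e9800998ecf8427e
da39a3ee5e6b4b0d3255bfef95601890afd80709
9e107d9d372bb6826bd81d3542a419d6
2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
"""

# Constructed evidence tree: relative path -> content. fox.dll is the known
# text under a misleading name; the last two files are unknown.
DEMO_FILES = {
    "Windows/System32/empty.dll": b"",
    "Program Files/readme.txt": b"The quick brown fox jumps over the lazy dog",
    "Users/alice/Downloads/fox.dll": b"The quick brown fox jumps over the lazy dog",
    "Users/alice/Downloads/invoice.pdf.exe": b"MZ\x90\x00not a real program",
    "Users/alice/Documents/diary.txt": b"Met B. at the usual place.",
}


def load_hashset(text: str) -> Set[str]:
    """Hex digests, lower-cased, one per line; blank lines and # comments skipped."""
    return {ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.startswith("#")}


def hash_file(path: str) -> Tuple[str, str]:
    """MD5 and SHA-1 of a file, read in chunks so large files do not fill memory."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def triage_tree(root: str, known: Set[str]) -> Dict[str, List[str]]:
    """Walk root; a file is 'known' if either digest is in the set. Matching is
    on content only, so renaming a known file does not hide it and an unknown
    file with an innocent-looking name is still reported."""
    result: Dict[str, List[str]] = {"known": [], "unknown": []}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            md5, sha1 = hash_file(path)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            bucket = "known" if md5 in known or sha1 in known else "unknown"
            result[bucket].append(rel)
    for bucket in result:
        result[bucket].sort()
    return result


def make_demo_evidence(root: str) -> None:
    """Write the constructed DEMO_FILES under root."""
    for rel, content in DEMO_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
```

Keeping both MD5 and SHA-1 matters in practice because published hash sets are not uniform in which digest they carry; matching on either lets one pass over the evidence serve several sets. The filter only reduces the pile: a file that is absent from the set is unknown, not malicious, and still has to be examined.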
X-Ways Forensics
X-Ways Forensics, from X-Ways Software Technology AG, is a
collection of forensic tools that assist in examining media
images. Compared to other forensic suites in this section, it's a
little more lightweight. However, it does provide several
forensic tools that include some large package features at a very
reasonable price.
Some of the main X-Ways features include:
· Case management
· Automatic activity logging
· Automated reports in HyperText Markup Language (HTML)
· A display of existing and deleted files, sorted by file type
category
· Gallery view for graphics
· Skin color detection, which helps isolate pictures that may
contain pornography
· File extension/file type mismatch detection
· EnCase media image support (read)
This list only covers a few of the many features of X-Ways. For
more information on this product, visit the X-Ways Software
Technology Web site at http://www.x-ways.net/forensics/.
Miscellaneous Software Tools
In addition to drive imaging software and complete forensic
software suites, there are many targeted tools and utilities that
are of value to computer forensic investigators. No matter how
many features your forensic suite of choice may have, your
investigation might have specific needs that require other
special tools.
The following sections cover a few special-purpose tools. As
with previous sections, consider each of these tools and choose
the best ones for your forensic needs.
DriveSpy
DriveSpy was introduced earlier in the "Disk Imaging and
Validation Tools" section. It's included here as well to remind
you that DriveSpy does a lot more than just duplicate drives.
For instance, you can:
· Select files based on name, extension, or attributes
· View the sectors and clusters in built-in hex viewers.
· Search a partition or drive for specific text strings
DriveSpy provides basic command-line functionality that is
portable enough to carry on a single floppy disk and use at the
scene of a forensic investigation. After an image of a drive is
created, DriveSpy also assists you in examining image content.
For pricing and more information, visit the Digital Intelligence,
Inc. Web site at
http://www.digitalintelligence.com/software/disoftware/drivespy/.
dtSearch
After you create an image of suspect media, you'll need to
search it for possible evidence. The dtSearch product line, from
dtSearch Corporation, provides solutions that enable you to
search terabytes of text in a short time. Although not strictly a
forensic tool, dtSearch (Figure 8.27) supports a highly
necessary forensic function.
Figure 8.27: dtSearch
The dtSearch products offer the following features:
· Over 25 search options, including indexed, unindexed, field
content searching for supported file types, and full-text search
options
· Convert results to HTML, XML, or PDF, with search results
highlighted (exposes the search results context)
· Support for distributed searching for high performance
The dtSearch product line includes several different products
for different forensic investigative needs, including:
· dtSearch Desktop: searches stand-alone machines
· dtSearch Network: searches across networks
· dtSearch Spider: extends a local search to a remote Web site
· dtSearch Web: supports instant text searching for online
documents
· dtSearch Publish: publishes an instant searchable database on
CD/DVD
· dtSearch Engine: empowers developers to add dtSearch's
functionality to applications
For a forensic examiner, the Desktop and Network products
provide the capability to find possible evidence on multiple
machines. For more detailed product information, visit the
dtSearch Corporation Web site at www.dtsearch.com.
NetAnalysis
NetAnalysis, from Digital Detective, is a software utility that
recovers and then analyzes Internet browser artifacts.
NetAnalysis (Figure 8.28) empowers investigators to search and
analyze browser history from suspect computers. Even if a user
deletes all browser history, NetAnalysis can still recover much
of that deleted content and reconstruct past actions.
Figure 8.28: NetAnalysis
NetAnalysis enables investigators to reconstruct visited Web
sites from locally cached data. It can read several standard
forensic image formats, including images generated by EnCase.
The Auto Investigate function helps investigators save time by
automatically identifying suspicious Web sites that may contain
specific content, such as child pornography. It also analyzes
search terms, user IDs, and passwords it finds on the suspect
computer.
NetAnalysis helps investigators recover and identify the most
valuable information to an investigation. Using NetAnalysis to
find questionable browsing activity is much easier than
performing a manual analysis. NetAnalysis also allows users to
develop standard key terms and queries to share and use with
other investigations.
For more detailed product information, visit the Digital
Detective Web site at
http://www.digital-detective.co.uk/netanalysis.asp.
Quick View Plus File Viewer
Quick View Plus, from Avantstar, is a general-purpose file
viewer. Quick View Plus (Figure 8.29) allows you to view files
in over 300 formats. Quick View Plus also allows you to view
parts of files and print them or cut and paste into your own
applications.
Figure 8.29: Quick View Plus file viewer
From a forensic perspective, Quick View Plus provides
examiners the ability to search many types of files for text
strings and view the results in the context of the original file.
Find more details on Quick View Plus by visiting the Avantstar
Web site at www.avantstar.com.
ThumbsPlus File Viewer
ThumbsPlus File Viewer, from Cerious Software Inc., is a
general-purpose file viewer and editor. It allows you to view
files in many formats. A good file-viewing tool makes browsing
through several graphics files far easier. ThumbsPlus (Figure
8.30) makes it easy to collect and browse most common graphic
formats.
Figure 8.30: ThumbsPlus Pro
You can find many more details on ThumbsPlus by visiting the
Cerious Web site at http://www.cerious.com/featuresv7.shtml.
Paraben Tools
Paraben Corporation provides a wide array of forensic tools.
The Forensic Replicator was introduced earlier. In this section,
you'll learn about three additional Paraben tools. At the end of
the Paraben Tools section, be certain to follow the link to learn
about other forensic tools offered by Paraben.
Device Seizure
Paraben's Device Seizure (Figure 8.31 and Figure 8.32) is a
software tool that enables investigators to acquire and analyze
data from over 2,400 different mobile devices. This includes
mobile phones, PDAs, and GPS devices. Paraben also sells
hardware accessories that work with Device Seizure to allow
you to physically connect to all supported mobile devices.
Figure 8.31: Paraben's Device Seizure Welcome Wizard
Figure 8.32: Paraben's Device Seizure main screen
Device Seizure acquires and organizes a large amount of mobile
data, including:
· Active and deleted text messages
· Phonebook entries from memory and the SIM card
· Call history with call details
· PDA common information (calendar, to-do list, etc.)
· File system contents
· GPS information
· E-mail information
Device Seizure can also translate GPS coordinates into Google
Earth data. This makes it easy to present evidence in a form that
anyone can easily see and understand. Paraben designed Device
Seizure to be a solid forensic tool for mobile device
investigations.
Chat Stick
Paraben provides several consumer products for home and
corporate use, such as the Chat Stick. The Chat Stick is a USB
thumb drive that comes preloaded with software.
Using the Chat Stick is easy. Simply insert the Chat Stick in a
USB port on a target computer. The Chat Stick software
automatically launches and lets you search for chat logs from
most popular instant message (IM) software, including:
· Yahoo
· MSN
· ICQ
· Trillian
· Skype
· Hello
· Miranda
Chat Stick identifies chat logs and copies these logs to the USB
thumb drive. From there, Chat Stick software (Figure 8.33)
allows users to view and create reports on all IM conversations.
Figure 8.33: Paraben's Chat Stick software
Chat Stick makes it easy for parents to check up on IM activities
on home computers. Businesses also use Chat Stick to ensure
their employees uphold their acceptable use policies for
computer equipment at work.
Paraben Porn Stick
Paraben's Porn Stick is another consumer product distributed on
a USB thumb drive. The Porn Stick contains preloaded software
that searches a target computer for suspicious images—
specifically pornography.
As with the Chat Stick, the Porn Stick software automatically
launches when the thumb drive is plugged into a USB port.
Users can search one or more drives on the target computer for
suspicious images.
The Porn Stick stores thumbnails of suspicious images on the
USB thumb drive. Images can be previewed once the scan is
finished. To make the process more palatable, the Porn Stick
blurs image thumbnails. You can select any image and use the
mouse pointer to see a small portion of the unblurred image (see
Figure 8.34). This feature makes it difficult to "accidentally"
view objectionable material.
Figure 8.34: Detection results from Paraben's Porn Stick
software
The Porn Stick is a consumer product that home and business
users typically purchase. As with the Chat Stick, parents can
use it at home and businesses can use it in the office to check
for acceptable use policy violations.
For more information on any Paraben products, visit their Web
site at www.paraben.com.
Snagit
Snagit, from TechSmith Corporation, is a full-featured tool
designed to capture and manage screenshots. Sometimes, the
best way to document the state of evidence is to save an image
from the screen. Snagit (Figure 8.35) makes it easy to take
screenshots using over 40 different methods. You can record
any aspect of what's on a computer monitor.
Figure 8.35: Snagit
Once you take a screenshot, Snagit allows you to edit it (see
Figure 8.36) and add features to highlight specific areas on that
image. Snagit also helps in sharing, cataloging, and storing
screenshot images. Snagit can help to simplify any
investigation.
Figure 8.36: Snagit Editor
For more information on Snagit, visit the TechSmith Web site at
http://www.techsmith.com/snagit/.
Hardware
Up to this point, we've ignored the requirement that all software
tools must run on hardware of some type. Although forensic
tools run on general-purpose machines, using dedicated
computers for forensic investigations is often advisable. Using
dedicated hardware decreases the possibility of accidental
contamination by nonforensic applications.
Although actual evidence contamination cannot occur on the
original evidence when analyzing an image of the original,
other applications might affect the evidence image copy you are
examining. Your forensic machine probably has special-purpose
hardware elements such as a disk-write blocker, keystroke
logger, or multiple format disk controllers.
Because forensic examination computers tend to support
special-purpose hardware and software, several companies offer
hardware devices and complete computer systems built from the
ground up to serve as forensic hardware devices. Some of these
systems can be expensive, but if you need a prebuilt forensic
hardware platform, the cost is probably justified. Carefully
consider your needs based on:
· Where will you analyze media?
  · At the scene
  · In the lab
· How often do you use forensic software?
· What type of operating system and hardware must you
analyze?
· Will the evidence you collect be presented in a court of law?
Answers to these questions will help you to decide whether you
need special-purpose forensic hardware and what features you
need. The following sections describe the products offered by
some forensic hardware providers.
Cellebrite
Cellebrite produces a line of forensic hardware for use in
mobile device forensics. Their Universal Forensic Extraction
Device (UFED) enables forensic investigators to extract
information from more than 3,600 mobile devices, including
phones and GPS units. UFED is used by militaries, law
enforcement agencies, governments, and intelligence agencies
around the world to extract information from mobile devices
during investigations.
UFED comes in multiple versions to support user-specific
requirements. The UFED system includes over 100 different
connectors that allow investigators to attach any type of mobile
device. UFED software supports many features investigators
need, including:
· Extract existing and deleted phone data, including:
  · Call history
  · Text messages
  · Contacts
  · Images
  · Geotags
· Search, reconstruct, and analyze phone data
· Integrate GPS information with Google Maps and Google
Earth
For more information on Cellebrite UFED products, visit the
Web site at http://www.cellebrite.com/forensic-products.html.
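Both Device Seizure and UFED turn recovered GPS data into something Google Earth can display. The following added example (not Paraben's or Cellebrite's code) shows the core of that step: validating extracted fixes, ordering them in time, and writing them as time-stamped KML placemarks plus a movement path. The record layout (lat, lon, utc, source) and the sample records are assumptions constructed for the example.

```python
"""Turn GPS fixes recovered from a mobile device into a KML file that
Google Earth can open.  Added example, not Paraben's or Cellebrite's code.
The input record layout (lat, lon, utc, source) is an assumption."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List
import xml.etree.ElementTree as ET

KML_NS = "http://www.opengis.net/kml/2.2"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"   # the UTC form a KML <when> element accepts


@dataclass(frozen=True)
class GpsFix:
    lat: float       # decimal degrees, -90..90
    lon: float       # decimal degrees, -180..180
    when: datetime   # timezone-aware, UTC
    source: str      # where on the device the fix was found


def parse_fix(record: Dict[str, str]) -> GpsFix:
    """Build a GpsFix from one extracted record (assumed string fields),
    rejecting values that cannot be real: an out-of-range coordinate
    usually means swapped lat/lon or a wrong scale factor upstream."""
    lat, lon = float(record["lat"]), float(record["lon"])
    if not -90.0 <= lat <= 90.0:
        raise ValueError(f"latitude out of range: {lat}")
    if not -180.0 <= lon <= 180.0:
        raise ValueError(f"longitude out of range: {lon}")
    when = datetime.strptime(record["utc"], TIME_FMT).replace(tzinfo=timezone.utc)
    return GpsFix(lat, lon, when, record["source"])


def _coord(fix: GpsFix) -> str:
    # KML wants lon,lat,alt, the reverse of the usual "lat, lon" order.
    return f"{fix.lon:.6f},{fix.lat:.6f},0"


def fixes_to_kml(fixes: Iterable[GpsFix], case_id: str) -> str:
    """One time-stamped Placemark per fix, in chronological order, plus a
    LineString joining them so the device's movement is visible."""
    ordered: List[GpsFix] = sorted(fixes, key=lambda f: f.when)

    ET.register_namespace("", KML_NS)           # emit a default xmlns
    kml = ET.Element(f"{{{KML_NS}}}kml")
    doc = ET.SubElement(kml, f"{{{KML_NS}}}Document")
    ET.SubElement(doc, f"{{{KML_NS}}}name").text = f"Case {case_id}: GPS fixes"

    for i, fix in enumerate(ordered, start=1):
        pm = ET.SubElement(doc, f"{{{KML_NS}}}Placemark")
        ET.SubElement(pm, f"{{{KML_NS}}}name").text = f"Fix {i}"
        ET.SubElement(pm, f"{{{KML_NS}}}description").text = (
            f"Source: {fix.source}; time: {fix.when.strftime(TIME_FMT)}"
        )
        ts = ET.SubElement(pm, f"{{{KML_NS}}}TimeStamp")
        ET.SubElement(ts, f"{{{KML_NS}}}when").text = fix.when.strftime(TIME_FMT)
        pt = ET.SubElement(pm, f"{{{KML_NS}}}Point")
        ET.SubElement(pt, f"{{{KML_NS}}}coordinates").text = _coord(fix)

    if len(ordered) >= 2:
        path = ET.SubElement(doc, f"{{{KML_NS}}}Placemark")
        ET.SubElement(path, f"{{{KML_NS}}}name").text = "Movement path"
        line = ET.SubElement(path, f"{{{KML_NS}}}LineString")
        ET.SubElement(line, f"{{{KML_NS}}}coordinates").text = " ".join(
            _coord(f) for f in ordered
        )

    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(kml, encoding="unicode")


def placemark_coordinates(kml_text: str) -> List[str]:
    """Parse a KML document back and return each Point's coordinates in
    document order: a cheap check that the file is well formed and that
    the fixes came out in time order before it is handed to anyone."""
    root = ET.fromstring(kml_text)
    ns = {"k": KML_NS}
    return [c.text for c in root.findall("k:Document/k:Placemark/k:Point/k:coordinates", ns)]


# Constructed sample records, not data from a real device.
SAMPLE_RECORDS = [
    {"lat": "38.8977", "lon": "-77.0365", "utc": "2024-01-15T14:30:00Z", "source": "photo EXIF"},
    {"lat": "38.8895", "lon": "-77.0353", "utc": "2024-01-15T13:05:00Z", "source": "navigation history"},
]

if __name__ == "__main__":
    document = fixes_to_kml(map(parse_fix, SAMPLE_RECORDS), "1234")
    print(document)
    print(placemark_coordinates(document))
```

Save the returned text with a .kml extension and open it in Google Earth; the earlier of the two sample fixes appears as Fix 1 because the placemarks are emitted in time order, not input order.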
ICS Solo 4
Intelligent Computer Solutions (ICS) specializes in data duplication hardware. They produce
a line of forensic acquisition products for both field and lab use.
Their forensic products use high-speed hardware and hardware
write blockers to duplicate evidence media. Instead of using
software tools to create images of evidence media, ICS provides
hardware to accomplish the same task. The tool also has the
ability to capture video played on Web sites.
The main advantage to using hardware data acquisition is
increased speed. ICS products transfer data at rates up to 18
GB/min. That is far faster than any software image acquisition.
ICS products, such as the ICS Solo-4 (Figure 8.37), provide a
convenient method to extract images from a suspect computer,
even without removing its hard drive(s).
Photograph Courtesy of Intelligent Computer
Chapter 8 Common Forensic ToolsOverviewIn this chapter, youl.docx

More Related Content

Chapter 8 Common Forensic ToolsOverviewIn this chapter, youl.docx

  • 1. Chapter 8: Common Forensic Tools Overview In this chapter, you'll learn more about: · Explore disk imaging tools, forensic software tool sets, and miscellaneous software tools · Understand computer forensic hardware · Assemble your forensic tool kit The first steps in any investigation nearly always involve old- fashioned detective work. As a forensic investigator, you need to observe and record your observations first. Once you start examining media contents, you'll need some tools to help you find and make sense of stored data. Forensic investigators and computer examiners need several different types of tools to identify and acquire computer evidence. Some evidence is hidden from the casual observer and requires specialized tools to find and access. In this chapter, we'll examine a sampling of some common and popular tools available to carry out computer forensic tasks. Disk Imaging and Validation Tools After identifying the physical media that they suspect contains evidence, forensic investigators must make sure media is preserved before any further steps are taken. Preserving the media is necessary to provide assurance the evidence acquired is valid. Chapter 3, "Computer Evidence," and Chapter 4, "Common Tasks," both emphasize the importance of copying all media first and then analyzing the copy. It's usually best to create an exact image of the media and verify that it matches the original before continuing the investigation. It's rare to examine the original evidence for any investigation that might end up in court. For other types of investigations, however, forensic investigators might perform a targeted examination on the original evidence. For example, assume the job is to examine a user's home folder on a server for suspected inappropriate
  • 2. material. It might be impossible or extremely difficult to create a mirror image of the disk drive, but the disk can be scanned for existing or deleted files while it is in use. Although examining media while in use might not always be the best practice, informal investigations use this technique frequently. To Copy or Not to Copy? Whenever possible, create a duplicate of the original evidence, verify the copy, and then examine the copy. Always invest the time and effort to copy original media for any investigation that might end up in a court of law. If you are sure your investigation will not end up in court, you might decide to analyze the original evidence directly. This is possible and desirable in cases where copying media would cause service interruptions. Your choice of tools to use depends on several factors, including: · Operating system(s) supported Operating system(s) in which the tool runs File systems the tool supports · Price · Functionality · Personal preference The following sections list some tools used to create and verify media copies. Some products appear in two places in the chapter. That's because several products play multiple roles. This section lists several products that are part of larger forensic software suites. While most suites of forensic software handle image acquisition, this section highlights those tools investigators tend to use most frequently. Note The list in this chapter is not exhaustive. There are many useful tools not listed here; thus, the exclusion of any tool need not
  • 3. diminish its merit. Where possible, web addresses and URLs have been included for tools examined. dd The dd utility tool is a mainstay in UNIX/Linux environments. This handy tool is installed with most UNIX/Linux distributions and is used to copy and convert files. As briefly discussed in Chapter 5, "Capturing the Data Image," dd is commonly used in forensics to copy an entire UNIX/Linux environment. Using dd you can specify the input and output file, as well as conversion options. This utility uses two basic arguments: · if specifies the input file · of specifies the output file The dd utility abides by operating system file size limits (normally 2 GB) and truncates individual files larger than the limit. (The 2 GB limit does not apply when using the dd utility with device files.) Use caution when copying large files with dd. If you want only to copy files smaller than the maximum file size, dd is a handy tool to keep in your forensic toolbox. For example, to copy a simple file from a source (such as /home/user/sn.txt) to a destination (such as /tmp/newfile), you would issue the following command: dd if=/home/user/sn.txt of=/tmp/newfile Figure 8.1 shows the results of the above command. Figure 8.1: Using the dd utility to copy a text file Using similar syntax, an entire hard disk drive can easily be copied. To copy a drive located at /dev/sdb to an image file named /home/user/case1234img, use this command: dd if=/dev/sdb of=/home/user/case1234img Figure 8.2 shows the results of the above command. Figure 8.2: Using the dd utility to copy an entire hard disk drive The dd utility is already on any computer running UNIX or Linux, and an Internet search produces a list of places to obtain dd for Windows. Chrysocome provides a version of dd for
  • 4. Windows at http://chrysocome.net/dd. Type man dd in UNIX or Linux for a man (manual) page that documents the command syntax. DriveSpy DriveSpy is a DOS-based disk imaging tool, developed by Digital Intelligence, Inc. An extended DOS forensic shell, DriveSpy provides an interface similar to the MS-DOS command line, along with additional and extended commands. The entire program is only 125 KB and easily fits on a DOS boot floppy disk. Unfortunately, DOS boot floppy disks aren't as common as they once were. Also, it takes some work to prepare media to use DriveSpy. The payoff is usually worth the effort. DriveSpy does a great job of capturing and searching disk content. All you have to do is create a DOS bootable device with the DriveSpy executable on it. The most common portable boot devices are CD/DVDs and USB devices. To create a DOS bootable device: 1 Start DriveSpy and use the DRIVES or V command to list the drives and partitions attached to a computer. (See Figure 8.3.) 2 Choose a drive and partition for the investigation target from the SYS> prompt. 3 Select Drive 3 from the D3 command. 4 Select partition 1 at the P1 command. The partition information is displayed. (See Figure 8.4.) Figure 8.3: Listing the drives on a system Figure 8.4: Partition information DriveSpy provides many functions necessary to copy and examine drive contents. The program logs all activities, optionally down to each keystroke. Logging can be disabled at will. Forensic investigators can examine DOS and non-DOS partitions and retrieve extensive architectural information for hard drives or partitions. DriveSpy does not use operating system calls to access files, and it does not change file access dates.
  • 5. DriveSpy also lets you perform the following tasks: · Create a disk-to-disk copy (supports large disk drives). · Create a MD5 hash for a drive, partition, or selected files. · Copy a range of sectors from a source to a target, where source and target can span drives or reside on the same drive. · Select files based on name, extension, or attributes. · Unerase files. · Search a drive, partition, or selected files for text strings. · Collect slack and unallocated space. · Wipe a disk, partition, unallocated, or slack space. DriveSpy provides basic command-line functionality and is portable enough to carry on a simple boot device or media to use at the scene. For pricing and more information, visit the Digital Intelligence, Inc. Web site at http://www.digitalintelligence.com/software/disoftware/drivesp y/. EnCase The EnCase product family from Guidance Software is one of the most complete forensic suites available. More of EnCase's functionality and its different products are covered in the "Forensic Tools" section later in this chapter. EnCase is also included in this section owing to its drive duplication functions. forensic suite Set of tools and/or software programs used to analyze a computer for collection of evidence. In addition to providing tools and a framework in which to manage a complete case, EnCase includes a drive duplicator (also known as a drive imager). The drive imager creates an exact copy of a drive and validates the image automatically (See Figure 8.5 and Figure 8.6). It either creates complete images or splits drive images to economize storage. EnCase copies virtually any type of media, creating an identical image for analysis. EnCase calls this static data support. Figure 8.5: Using EnCase to select a drive for duplication
  • 6. Figure 8.6: EnCase acquisition status message with an assigned globally unique identifier (GUID) and MD5 Tip EnCase Enterprise Edition also provides support for volatile data. This feature snapshots Random Access Memory (RAM), the Windows Registry, open ports, and running applications. It provides potentially valuable information that disappears when a computer is shut down. Guidance Software also sells a complete line of hardware disk- write blockers. Their Tableau products provide an extra measure of assurance that no writes occur on a device. You can use the hardware write blocker with EnCase or rely on EnCase's own software write blocking to protect original media. Forensic investigators can also use Tableau hardware write blockers with non-EnCase software. The EnCase products run on Windows workstation and server operating systems. For more information on the EnCase product line and specific system requirements, visit the Guidance Software Web site at www.guidancesoftware.com. Forensic Replicator Forensic Replicator, from Paraben Forensic Tools, is another disk imaging tool that accommodates many types of electronic media. Forensic Replicator runs on the Windows operating system. It provides an easy-to-use interface, as shown in Figure 8.7 and Figure 8.8, to select and copy entire drives or portions of drives. It also handles most removable media, including Universal Serial Bus (USB) micro drives. Forensic Replicator stores media images in a format that the most popular forensic programs can read. Figure 8.7: Paraben's Forensic Replicator Acquisition Wizard Figure 8.8: Paraben's Forensic Replicator primary user interface Forensic Replicator also provides the ability to compress and split drive images for efficient storage. The ISO option allows
  • 7. you to create CDs or DVDs from evidence drives that you can browse for analysis. This option makes drive analysis much easier and more accessible for general computers. Copies of the suspect drive don't need to be mounted on a dedicated forensic computer. Standard searching utilities can be used to search the CDs or DVDs. Forensic Replicator also offers the option of encrypting duplicate images for secure storage. Paraben also sells a FireWire or USB-to-IDE/SATA write blocker, called Paraben's Lockdown V3, as a companion product. For additional information about the Paraben forensic tools product line, see the "Forensic Tools" section later in this chapter. For more information on the Forensic Replicator product, visit the Paraben Web site at http://www.paraben- forensics.com/replicator.html. FTK Imager FTK (Forensic Toolkit) Imager from AccessData Corporation is a Windows-based set of forensic tools that includes powerful media duplication features. (See Figure 8.9.) This free imaging tool allows you to mount a forensic image of the suspect computer so that the suspect's image becomes a letter drive on the investigator's computer. Figure 8.9: AccessData FTK Imager FTK can create media images from many different source formats, including: · NTFS and NTFS compressed · FAT12, FAT16, and FAT32 · Linux ext2, ext3, and ext4 · HFS, HFS+, CDFS, and VXFS Figure 8.10 shows the image creation progress message. Figure 8.10: FTK Imager creating an image FTK generates CRC or MD5 hash values, as do most products in this category, for disk-copy verification. In addition, FTK provides full searching capability for media and images created
  • 8. from other disk imaging programs. Image formats that FTK reads include: · EnCase · SMART · Expert Witness · ICS · Ghost · dd · Advanced Forensic Format (AFF) · AccessData Logical Image (ADI) For more information about FTK Imager, visit the AccessData Corporation Web site at www.accessdata.com. Norton Ghost Norton Ghost, from Symantec, is not strictly a forensic tool, but it does provide the ability to create disk copies that are almost exact copies of the original. You can verify the copies you make and ensure each partition is an exact copy, but a complete drive image that Ghost creates commonly returns a different hash value than a hash of the original drive. This means that, although Ghost is a handy tool, it may not provide evidence that is admissible in a court of law. The most common uses for Ghost include backup/restore and creating installation images for multiple computers. Even though Ghost's primary use is not forensics, its utility merits a place in our list of useful tools. (See Figure 8.11.) Figure 8.11: Norton Ghost Norton Ghost is a Windows application and requires a Windows operating system. For more information on Norton Ghost, visit the Symantec Web site at http://us.norton.com/ghost. ProDiscover ProDiscover, from Technology Pathways, is another suite of forensic tools worth considering for your forensic toolkit. Like other forensic software suites, ProDiscover provides disk imaging and verification features. (See Figure 8.12.) ProDiscover can create a bit stream copy of an entire suspect
  • 9. disk, including host protected hardware protected area (HPA) sections, to keep original evidence safe. The HPA is an area of a hard disk drive that the disk controller does not report to the BIOS or the operating system. Some disk drive manufacturers use the HPA to hide utilities from the operating system. (For more information, see Chapter 5.) Another interesting feature of ProDiscover is that it allows you to capture a disk image over a network without being physically connected to a suspect computer. Figure 8.12: Capturing a disk image with ProDiscover ProDiscover also automatically creates and records MD5 or SHA-1 hashes for evidence files to prove data integrity. Figure 8.13 shows the main project window. Figure 8.13: ProDiscover project Technology Pathways provides several different versions of ProDiscover, to meet specific forensic needs. As with other forensic suites, we cover additional features in a later section of this chapter. All Technology Pathways products include disk imaging and verification and require a Windows operating system. For more information on ProDiscover, visit the Technology Pathways Web site at www.techpathways.com. SMART Acquisition Workshop (SAW) The SMART Acquisition Workshop (SAW) product from ASR Data Acquisition & Analysis, LLC, is a stand-alone utility that creates forensic-quality images from storage devices. SAW runs on Windows, Linux, and Mac computers. Regardless of the operating system, SAW uses a GUI that makes creating images of evidence data easy. (See Figure 8.14.) Although SAW works as a stand-alone utility, it also works with another ASR Data utility, SmartMount. SmartMount uses image files from SAW and several other imaging tools, to ensure fast performance for many common forensic activities. ASR Data states that SmartMount exceeds competitors' performance by
  • 10. running up to twenty times faster for searches, indexing, and analysis operations. Figure 8.14: SAW interface Even without SmartMount, SAW provides a solid method to create images of many different types of storage media using a straightforward GUI. For more information on SAW, visit the ASR Data Acquisitions & Analysis Web site at http://www.asrdata.com/forensic-software/saw/. SMART SMART comes from the same organization that produces the SAW utility, ASR Data Acquisition & Analysis, LLC. The suite comprises several tools integrated into a full-featured forensic software package. Two tools in the package are SMART Acquisition, which provides disk imaging, and SMART Authentication, which provides verification functionality. SMART runs in Linux and provides a graphical view of devices in a system (Figure 8.15). The first step in creating a disk image is to calculate a hash value for the source device. Figure 8.15: SMART displays devices in a system. After SMART generates and stores the hash value, it creates one or more device images. SMART can create multiple image files, use compression, split images to fit on smaller devices, and associate images with existing case files (Figure 8.16). Figure 8.16: Creating an image file with SMART For more information on SMART, visit the ASR Web site at http://www.asrdata.com/forensic-software/smart-for-linux/. WinHex WinHex, from X-Ways Software Technology AG, is a Windows- based universal hexadecimal editor and disk management utility. It supports recovery from lost or damaged files and general editing of disk contents. Its disk cloning feature is most relevant to this section. WinHex clones any connected disk (see Figure 8.17 and Figure
  • 11. 8.18) and verifies the process using checksums or hash calculations. Figure 8.17: Starting the clone process in WinHex Figure 8.18: The Clone Disk dialog box in WinHex WinHex provides many features beyond disk imaging and verification. You can use WinHex to examine, and optionally edit, disk contents. You can also search disks for text strings using WinHex's search engine. Its support for various data types and its ability to view data in different formats make WinHex a valuable forensic tool. For more information on WinHex and its additional capabilities, visit the X-Ways Software Technology Web site at http://www.x-ways.net/winhex/. Forensic Tools After you make a verified copy of original media, you're ready to begin analysis. The tools discussed in the following sections can perform many forensic functions. Your choice of tools depends on specific investigative needs. The following sections include common software and hardware tools and cover their capabilities. As with disk imaging tools, your choice of tools to use depends on the following: · Operating system(s) supported · User interface preferences · Budget · Functionality/capabilities · Vendor loyalty Software Suites Several companies specialize in developing and providing forensic tools. These companies produce software and/or hardware with diverse functionality. Some suites of forensic software are tightly integrated and have mature user interfaces. Other forensic suites are little more than collections of useful
  • 12. utilities. Consider the following tools and try out the ones you like. Your final choice of forensic tools should enable you to perform the examinations you will encounter. Although bells and whistles are nice, it's more important to get the tools you really need. EnCase Guidance Software produces the EnCase product line. EnCase was originally developed for law enforcement personnel to carry out investigations. This product line has grown to support commercial incident response teams as well. The general concept of a case is central to the EnCase product. The first action you take is to create a case file. All subsequent activities (see Figure 8.19, Figure 8.20, and Figure 8.21) relate to a case. Figure 8.19: EnCase interface Figure 8.20: Using EnCase to search for keywords Figure 8.21: Viewing IP addresses with EnCase EnCase is an integrated Windows-based GUI tool suite. Even though the EnCase functionality is impressive, you are likely to need other utilities at some point. Fully integrated solutions can increase productivity, but don't hesitate to use another tool when you need it. Here are just a few features of EnCase: · Snapshot enables investigators to capture volatile information including: RAM contents Running programs Open files and ports · Organizes results into case files and manages case documents · Helps maintain the chain of custody · Provides tools for incident response teams to respond to emerging threats · Supports real-time and postmortem examinations
  • 13. EnCase provides the functionality to acquire and examine many types of evidence. The organization around a case provides the structure to keep information in order. Overall, EnCase is one of the premium suites of software you definitely should evaluate when selecting forensic tools. For more information on EnCase, visit the Web site at www.guidancesoftware.com. Forensic Toolkit (FTK) Another forensic suite that provides an integrated user interface is AccessData's Forensic Toolkit (FTK) (Figure 8.22). FTK runs in Windows operating systems and provides a powerful tool set to acquire and examine electronic media. Figure 8.22: FTK Evidence Processing options As discussed in "Disk Imaging and Validation," earlier in this chapter, FTK contains a disk imaging tool. This imaging tool provides one or more copies of primary evidence for analysis. FTK provides an easy-to-use file viewer that recognizes nearly 300 types of files. It also provides full text indexing powered by dtSearch (we cover dtSearch features later in this chapter in the "Miscellaneous Software Tools" section). FTK's integrated file viewer and search capabilities enable it to find evidence on most devices. FTK works with media images created by several imaging utilities, including: 5 FTK 6 EnCase 7 SMART 8 dd Search capabilities include e-mail and archive file analysis. FTK also enables users to quickly examine files in many different formats. Results are organized by case and presented in a case content summary. For more information on FTK, visit the AccessData Web site at www.accessdata.com. The Sleuth Kit (TSK) The Sleuth Kit (TSK) is a popular, free, open source forensic software suite. TSK is a collection of command-line tools that
  • 14. provides media management and forensic analysis functionality. TSK has a few features that deserve separate mention. TSK supports Mac partitions and analyzes files from Mac file systems. It also runs on Mac OS X. TSK can analyze volatile data on running systems. The core TSK toolkit contains five different types of tools. · File System Tools File System Layer The fsstat tool reports file system details, including inode Numbers (file system data structures that contain file information), block or cluster ranges, and super block details for UNIX-based systems. For FAT file systems, fsstat provides an abbreviated FAT table listing. File Name Layer The ffind and fls tools report allocated, unallocated, and deleted filenames. Meta Data Layer The icat, ifind, ils, and istat tools report on file metadata (file details) stored in file systems. Data Unit Layer The blkcat, blkls, blkstat, and blkcalc tools report file content information and statistics. File System Journal The jcat and jls tools report journal information and statistics. · Volume System Tools The mmls, mmstat, and mmcat tools provide information on the lay-out of disks or other media. · Image File Tools The img_stat, and img_cat tools provide details and content information for image files. · Disk Tools The disk_sreset, and disk_stat tools detect and remove an HPA on an ATA disk. · Other Tools hfind The hfind tool looks up hash values. mactime This tool uses fls and ils output to create timelines of file activity, such as create, access and write activity. sorter This tool sorts files based on file type. sigfing This tool searches for a binary value in a file, starting at a specific offset location.
For more information on TSK, visit the TSK Web site at www.sleuthkit.org.

ProDiscover

Technology Pathways provides two different versions of the ProDiscover tool suite: Forensics and Incident Response (IR), depending on your particular forensic needs. (ProDiscover IR is shown in Figure 8.23 and Figure 8.24.) Both ProDiscover products run on Windows with an integrated GUI.

Figure 8.23: Using ProDiscover IR to add comments to a file

Figure 8.24: Search results in ProDiscover IR

Here are some notable ProDiscover features:
· Allows live system examination
· Identifies Trojan horse programs and other software intended to compromise system security
· Utilizes a remote agent that allows centralized examination and monitoring, along with encrypted network communication to secure analysis data
· Creates a bit stream copy of an entire suspect disk, including hidden HPA sections, to keep original evidence safe
· Ensures integrity of acquired images using MD5 or SHA-1 hashes
· Supports FAT12, FAT16, FAT32, all NTFS versions, Linux ext2/ext3, and Sun Solaris UFS file systems
· Generates reports in eXtensible Markup Language (XML)

ProDiscover provides functionality similar to the other full-featured forensic software suites listed in this section. Technology Pathways also offers a free version, ProDiscover Basic. ProDiscover Basic is a complete GUI-based computer forensic software package. It includes the ability to image, preserve, analyze, and report on evidence found on a computer disk drive. This version is freeware and may be used and shared free of charge. Take a look at the full product line for more details on specific features. To learn more about ProDiscover, visit the Technology
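Two of the capabilities listed above recur in nearly every suite in this chapter: verifying an acquired image against the MD5 or SHA-1 digest recorded at acquisition time, and looking a digest up in a known-file hash set (what TSK's hfind does). The following added example, written for this page and not taken from ProDiscover or TSK, shows both. The image is a constructed 64 KiB byte pattern written to a temporary file, and the hash set is a constructed md5deep-style listing; the demo records the digests, verifies the image, flips one bit, and verifies again.

```python
"""Verify an acquired image against recorded digests and look it up in a hash set.

Added example (not part of the original chapter or of any vendor tool).
"""
import hashlib
import hmac
import os
import tempfile

CHUNK_SIZE = 1 << 20  # read images 1 MiB at a time; never load a whole disk image


def hash_file(path, algorithms=("md5", "sha1", "sha256")):
    """Return {algorithm: hexdigest}, computed in a single pass over the file."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(CHUNK_SIZE)
            if not chunk:
                break
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path, expected):
    """expected: {algorithm: hexdigest recorded at acquisition}. Returns {algorithm: bool}.
    compare_digest is used out of habit; the digests are not secret, but it costs nothing."""
    actual = hash_file(path, tuple(expected))
    return {name: hmac.compare_digest(actual[name].lower(), digest.lower())
            for name, digest in expected.items()}


def load_hash_set(text):
    """Parse md5sum/md5deep-style lines ("<hexdigest>  <path>") into {digest: path}."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        if not name:
            raise ValueError(f"malformed hash-set line: {raw!r}")
        table[digest.lower()] = name
    return table


def lookup(digest, hash_set):
    """hfind-style lookup: the path recorded for a digest, or None if unknown."""
    return hash_set.get(digest.lower())


# Constructed hash set; the MD5 of b"abc" stands in for a known tool binary.
KNOWN_HASHES = """\
# constructed sample hash set (md5deep output format)
900150983cd24fb0d6963f7d28e17f72  /tools/known-good/abc.bin
"""


def demo():
    """Write a constructed 64 KiB 'image', record its digests, verify, then flip
    one bit and verify again.  Returns the outcomes for inspection."""
    image = bytes(range(256)) * 256            # constructed, deterministic data
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "evidence.dd")
        with open(path, "wb") as fh:
            fh.write(image)
        recorded = hash_file(path, ("md5", "sha1"))   # what you log at acquisition
        before = verify_image(path, recorded)
        tampered = bytearray(image)
        tampered[40000] ^= 0x01                        # single-bit change
        with open(path, "wb") as fh:
            fh.write(tampered)
        after = verify_image(path, recorded)
    return {"recorded": recorded, "before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

Hashing in one pass with several algorithms matters on multi-terabyte images, where each extra read of the drive is hours; recording two algorithms, as ProDiscover's MD5/SHA-1 option does, also guards against a future collision argument against either one alone.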
Pathways Web site at www.techpathways.com.

SIFT

The SANS Investigative Forensic Toolkit (SIFT) is a collection of open source (and freely available) forensic utilities. SANS originally developed SIFT as a toolkit for students in the SANS Computer Forensic Investigations and Incident Response course. The students liked the toolkit so much that word spread and SANS decided to repackage and release it to the public. SIFT is available either as a VMware virtual machine or as an ISO image to create a bootable CD. It provides the ability to examine disks and images created using other forensic software.

This toolkit allows users to examine the following file systems:
· Windows (FAT, VFAT, NTFS)
· Mac (HFS)
· Solaris (UFS)
· Linux (ext2/ext3)

SIFT tools support the following evidence image formats:
· Raw (dd)
· Expert Witness (E01)
· Advanced Forensic Format (AFF)

SIFT includes these individual tools:
· The Sleuth Kit (TSK file system analysis)
· Log2timeline (generates timelines)
· Ssdeep and md5deep (generate hashes)
· Foremost/Scalpel (file carving)
· Wireshark (network analysis) (http://www.wireshark.org/) (See Figure 8.25.)

Figure 8.25: Wireshark Network Analyzer

· Vinetto (thumbs.db analysis)
· Pasco (Internet Explorer history analysis)
· Rifiuti (examines Recycle Bin)
· Volatility Framework (memory forensics)
· DFLabs (GUI front end for TSK)
· Autopsy (GUI front end for TSK)
· PyFLAG (log and disk analysis)
· Guymager (GUI imager for evidence acquisition)

Figure 8.26: Guymager open source forensic imager

SANS also provides users with documentation (including a series of "how-to" tutorials) on using SIFT in a forensic investigation. For more information on SIFT, visit the SANS Web site at https://computer-forensics2.sans.org/community/downloads/.

X-Ways Forensics

X-Ways Forensics, from X-Ways Software Technology AG, is a collection of forensic tools that assist in examining media images. Compared to the other forensic suites in this section, it's a little more lightweight. However, it does provide several forensic tools that include some large-package features at a very reasonable price. Some of the main X-Ways features include:
· Case management
· Automatic activity logging
· Automated reports in HyperText Markup Language (HTML)
· A display of existing and deleted files, sorted by file type category
· Gallery view for graphics
· Skin color detection, which helps in isolating pictures that may contain pornography
· File extension/file type mismatch detection
· EnCase media image support (read)

This list only covers a few of the many features of X-Ways. For more information on this product, visit the X-Ways Software Technology Web site at http://www.x-ways.net/forensics/.

Miscellaneous Software Tools

In addition to drive imaging software and complete forensic software suites, there are many targeted tools and utilities that are of value to computer forensic investigators. No matter how many features your forensic suite of choice may have, your investigation might have specific needs that require other special tools.
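The "file extension/file type mismatch detection" feature deserves a closer look, because a renamed executable (tool.exe saved as holiday.jpg) is one of the oldest ways to hide something from a casual file browser. The following added example is written for this page and is not X-Ways code; it carries a small, hand-maintained signature table (a real tool has thousands of entries and also checks trailers), maps extensions to the container type they should carry, and classifies each file as match, mismatch, or not judgeable. The sample headers are constructed.

```python
"""Flag files whose leading bytes do not match what their extension promises.

Added example, not X-Ways code.  SIGNATURES is a constructed subset of common magic values.
"""
from collections import namedtuple

# (detected type, offset, magic bytes)
SIGNATURES = [
    ("jpeg", 0, b"\xff\xd8\xff"),
    ("png",  0, b"\x89PNG\r\n\x1a\n"),
    ("gif",  0, b"GIF87a"),
    ("gif",  0, b"GIF89a"),
    ("pdf",  0, b"%PDF-"),
    ("zip",  0, b"PK\x03\x04"),
    ("pe",   0, b"MZ"),
    ("elf",  0, b"\x7fELF"),
    ("gzip", 0, b"\x1f\x8b"),
    ("rar",  0, b"Rar!\x1a\x07"),
]

# Extension -> container type it should carry.  Office OOXML files are ZIP
# containers, so .docx/.xlsx legitimately start with "PK".
EXTENSION_TYPES = {
    "jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif", "pdf": "pdf",
    "zip": "zip", "docx": "zip", "xlsx": "zip", "pptx": "zip", "jar": "zip",
    "exe": "pe", "dll": "pe", "sys": "pe", "scr": "pe",
    "gz": "gzip", "tgz": "gzip", "rar": "rar", "so": "elf", "elf": "elf",
}

Result = namedtuple("Result", "name extension detected verdict")


def identify(header):
    """Return the first signature matching the file's leading bytes, else None."""
    for kind, offset, magic in SIGNATURES:
        if header[offset:offset + len(magic)] == magic:
            return kind
    return None


def check_file(name, header):
    """Classify one file from its name and first bytes.

    verdict: 'match', 'mismatch', 'unknown-extension' (nothing to compare against),
    or 'unknown-signature' (extension known, content unrecognised: worth a manual look).
    """
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    detected = identify(header)
    expected = EXTENSION_TYPES.get(ext)
    if expected is None:
        verdict = "unknown-extension"
    elif detected is None:
        verdict = "unknown-signature"
    elif detected == expected:
        verdict = "match"
    else:
        verdict = "mismatch"
    return Result(name, ext, detected, verdict)


def scan(files):
    """files: iterable of (name, first bytes). Returns a Result per file."""
    return [check_file(name, header) for name, header in files]


# Constructed sample: the first 16 bytes of five seized files.
SAMPLE_FILES = [
    ("holiday.jpg", b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"),  # PE disguised as image
    ("report.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0"),
    ("budget.xlsx", b"PK\x03\x04\x14\x00\x06\x00\x08\x00\x00\x00!\x00\x00\x00"),
    ("readme.txt", b"Quarterly figures"),
    ("photo.png", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01"),       # JPEG named .png
]

if __name__ == "__main__":
    for r in scan(SAMPLE_FILES):
        print(f"{r.verdict:<18} {r.name:<14} detected={r.detected}")
```

In a real run you would read only the first few hundred bytes of each file from the image, and treat "unknown-signature" on an executable extension as seriously as an outright mismatch: packed or corrupted binaries often fail the MZ check.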
The following sections cover a few special-purpose tools. As with previous sections, consider each of these tools and choose the best ones for your forensic needs.

DriveSpy

DriveSpy was introduced earlier in the "Disk Imaging and Validation Tools" section. It's included here as well to remind you that DriveSpy does a lot more than just duplicate drives. For instance, you can:
· Select files based on name, extension, or attributes
· View sectors and clusters in the built-in hex viewers
· Search a partition or drive for specific text strings

DriveSpy provides basic command-line functionality that is portable enough to carry on a single floppy disk and use at the scene of a forensic investigation. After an image of a drive is created, DriveSpy also assists you in examining image content. For pricing and more information, visit the Digital Intelligence, Inc. Web site at http://www.digitalintelligence.com/software/disoftware/drivespy/.

dtSearch

After you create an image of suspect media, you'll need to search it for possible evidence. The dtSearch product line, from dtSearch Corporation, provides solutions that enable you to search terabytes of text in a short time. Although not strictly a forensic tool, dtSearch (Figure 8.27) supports a highly necessary forensic function.

Figure 8.27: dtSearch

The dtSearch products offer the following features:
· Over 25 search options, including indexed, unindexed, field content searching for supported file types, and full-text search options
· Conversion of results to HTML, XML, or PDF with search hits highlighted (exposing the context of each hit)
· Support for distributed searching for high performance

The dtSearch product line includes several different products
for different forensic investigative needs, including:
· dtSearch Desktop: Searches stand-alone machines
· dtSearch Network: Searches across networks
· dtSearch Spider: Extends a local search to a remote Web site
· dtSearch Web: Supports instant text searching for online documents
· dtSearch Publish: Publishes an instantly searchable database on CD/DVD
· dtSearch Engine: Empowers developers to add dtSearch's functionality to their applications

For a forensic examiner, the Desktop and Network products provide the capability to find possible evidence on multiple machines. For more detailed product information, visit the dtSearch Corporation Web site at www.dtsearch.com.

NetAnalysis

NetAnalysis, from Digital Detective, is a software utility that recovers and then analyzes Internet browser artifacts. NetAnalysis (Figure 8.28) empowers investigators to search and analyze browser history from suspect computers. Even if a user deletes all browser history, NetAnalysis can still recover much of that deleted content and reconstruct past actions.

Figure 8.28: NetAnalysis

NetAnalysis enables investigators to reconstruct visited Web sites from locally cached data. It can read several standard forensic image formats, including images generated by EnCase. The Auto Investigate function helps investigators save time by automatically identifying suspicious Web sites that may contain specific content, such as child pornography. It also analyzes search terms, user IDs, and passwords it finds on the suspect computer. NetAnalysis helps investigators recover and identify the information most valuable to an investigation. Using NetAnalysis to find questionable browsing activity is much easier than performing a manual analysis. NetAnalysis also allows users to develop standard key terms and queries to share and use with
other investigations. For more detailed product information, visit the Digital Detective Web site at http://www.digital-detective.co.uk/netanalysis.asp.

Quick View Plus File Viewer

Quick View Plus, from Avantstar, is a general-purpose file viewer. Quick View Plus (Figure 8.29) allows you to view files in over 300 formats. Quick View Plus also allows you to view parts of files and print them or cut and paste them into your own applications.

Figure 8.29: Quick View Plus file viewer

From a forensic perspective, Quick View Plus gives examiners the ability to search many types of files for text strings and view the results in the context of the original file. Find more details on Quick View Plus by visiting the Avantstar Web site at www.avantstar.com.

ThumbsPlus File Viewer

ThumbsPlus File Viewer, from Cerious Software Inc., is a general-purpose file viewer and editor. It allows you to view files in many formats. A good file-viewing tool makes browsing through many graphics files far easier. ThumbsPlus (Figure 8.30) makes it easy to collect and browse most common graphic formats.

Figure 8.30: ThumbsPlus Pro

You can find many more details on ThumbsPlus by visiting the Cerious Web site at http://www.cerious.com/featuresv7.shtml.

Paraben Tools

Paraben Corporation provides a wide array of forensic tools. The Forensic Replicator was introduced earlier. In this section, you'll learn about three additional Paraben tools. At the end of the Paraben Tools section, be certain to follow the link to learn about other forensic tools offered by Paraben.

Device Seizure

Paraben's Device Seizure (Figure 8.31 and Figure 8.32) is a
software tool that enables investigators to acquire and analyze data from over 2,400 different mobile devices. This includes mobile phones, PDAs, and GPS devices. Paraben also sells hardware accessories that work with Device Seizure to allow you to physically connect to all supported mobile devices.

Figure 8.31: Paraben's Device Seizure Welcome Wizard

Figure 8.32: Paraben's Device Seizure main screen

Device Seizure acquires and organizes a large amount of mobile data, including:
· Active and deleted text messages
· Phonebook entries from memory and the SIM card
· Call history with call details
· PDA common information (calendar, to-do list, etc.)
· File system contents
· GPS information
· E-mail information

Device Seizure can also translate GPS coordinates into Google Earth data. This makes it easy to present evidence in a form that anyone can easily see and understand. Paraben designed Device Seizure to be a solid forensic tool for mobile device investigations.

Chat Stick

Paraben provides several consumer products for home and corporate use, such as the Chat Stick. The Chat Stick is a USB thumb drive that comes preloaded with software. Using the Chat Stick is easy. Simply insert the Chat Stick in a USB port on a target computer. The Chat Stick software automatically launches and lets you search for chat logs from most popular instant message (IM) software, including:
· Yahoo
· MSN
· ICQ
· Trillian
· Skype
· Hello
· Miranda

Chat Stick identifies chat logs and copies these logs to the USB thumb drive. From there, the Chat Stick software (Figure 8.33) allows users to view and create reports on all IM conversations.

Figure 8.33: Paraben's Chat Stick software

Chat Stick makes it easy for parents to check up on IM activities on home computers. Businesses also use Chat Stick to ensure their employees uphold their acceptable use policies for computer equipment at work.

Paraben Porn Stick

Paraben's Porn Stick is another consumer product distributed on a USB thumb drive. The Porn Stick contains preloaded software that searches a target computer for suspicious images, specifically pornography. As with the Chat Stick, the Porn Stick software automatically launches when the thumb drive is plugged into a USB port. Users can search one or more drives on the target computer for suspicious images. The Porn Stick stores thumbnails of suspicious images on the USB thumb drive. Images can be previewed once the scan is finished. To make the process more palatable, the Porn Stick blurs image thumbnails. You can select any image and use the mouse pointer to see a small portion of the unblurred image (see Figure 8.34). This feature makes it difficult to "accidentally" view objectionable material.

Figure 8.34: Detection results from Paraben's Porn Stick software

The Porn Stick is a consumer product that home and business users typically purchase. As with the Chat Stick, parents can use it at home and businesses can use it in the office to check for acceptable use policy violations. For more information on any Paraben products, visit their Web site at www.paraben.com.
Snagit

Snagit, from TechSmith Corporation, is a full-featured tool designed to capture and manage screenshots. Sometimes, the best way to document the state of evidence is to save an image from the screen. Snagit (Figure 8.35) makes it easy to take screenshots using over 40 different methods. You can record any aspect of what's on a computer monitor.

Figure 8.35: Snagit

Once you take a screenshot, Snagit allows you to edit it (see Figure 8.36) and add features to highlight specific areas on that image. Snagit also helps in sharing, cataloging, and storing screenshot images. Snagit can help to simplify any investigation.

Figure 8.36: Snagit Editor

For more information on Snagit, visit the TechSmith Web site at http://www.techsmith.com/snagit/.

Hardware

Up to this point, we've ignored the requirement that all software tools must run on hardware of some type. Although forensic tools run on general-purpose machines, using dedicated computers for forensic investigations is often advisable. Using dedicated hardware decreases the possibility of accidental contamination by nonforensic applications. Although actual evidence contamination cannot occur on the original evidence when you analyze an image of the original, other applications might affect the evidence image copy you are examining. Your forensic machine probably has special-purpose hardware elements such as a disk write blocker, keystroke logger, or multiple-format disk controllers.

Because forensic examination computers tend to support special-purpose hardware and software, several companies offer hardware devices and complete computer systems built from the ground up to serve as forensic hardware devices. Some of these systems can be expensive, but if you need a prebuilt forensic
hardware platform, the cost is probably justified. Carefully consider your needs based on:
· Where will you analyze media?
  · At the scene
  · In the lab
· How often do you use forensic software?
· What type of operating system and hardware must you analyze?
· Will the evidence you collect be presented in a court of law?

Answers to these questions will help you to decide whether you need special-purpose forensic hardware and what features you need. The following sections describe the products offered by some forensic hardware providers.

Cellebrite

Cellebrite produces a line of forensic hardware for use in mobile device forensics. Their Universal Forensic Extraction Device (UFED) enables forensic investigators to extract information from more than 3,600 mobile devices, including phones and GPS units. UFED is used by militaries, law enforcement agencies, governments, and intelligence agencies around the world to extract information from mobile devices during investigations. UFED comes in multiple versions to support user-specific requirements. The UFED system includes over 100 different connectors that allow investigators to attach any type of mobile device. UFED software supports many features investigators need, including:
· Extract existing and deleted phone data
  · Call history
  · Text messages
  · Contacts
  · Images
  · Geotags
· Search, reconstruct, and analyze phone data
· Integrate GPS information with Google Maps and Google Earth
For more information on Cellebrite UFED products, visit the Web site at http://www.cellebrite.com/forensic-products.html.

ICS Solo 4

Intelligent Computer Solutions (ICS) specializes in data duplication hardware. They produce a line of forensic acquisition products for both field and lab use. Their forensic products use high-speed hardware and hardware write blockers to duplicate evidence media. Instead of using software tools to create images of evidence media, ICS provides hardware to accomplish the same task. The tool also has the ability to capture video played on Web sites. The main advantage of hardware data acquisition is increased speed. ICS products transfer data at rates up to 18 GB/min. That is far faster than any software image acquisition. ICS products, such as the ICS Solo-4 (Figure 8.37), provide a convenient method to extract images from a suspect computer, even without removing its hard drive(s).

Photograph Courtesy of Intelligent Computer