Chapter 8 Common Forensic ToolsOverviewIn this chapter, youl.docx
- 1. Chapter 8: Common Forensic Tools
Overview
In this chapter, you'll learn more about:
· Explore disk imaging tools, forensic software tool sets, and
miscellaneous software tools
· Understand computer forensic hardware
· Assemble your forensic tool kit
The first steps in any investigation nearly always involve old-
fashioned detective work. As a forensic investigator, you need
to observe and record your observations first. Once you start
examining media contents, you'll need some tools to help you
find and make sense of stored data.
Forensic investigators and computer examiners need several
different types of tools to identify and acquire computer
evidence. Some evidence is hidden from the casual observer and
requires specialized tools to find and access. In this chapter,
we'll examine a sampling of some common and popular tools
available to carry out computer forensic tasks.
Disk Imaging and Validation Tools
After identifying the physical media that they suspect contains
evidence, forensic investigators must make sure media is
preserved before any further steps are taken. Preserving the
media is necessary to provide assurance the evidence acquired
is valid.
Chapter 3, "Computer Evidence," and Chapter 4, "Common
Tasks," both emphasize the importance of copying all media
first and then analyzing the copy. It's usually best to create an
exact image of the media and verify that it matches the original
before continuing the investigation. It's rare to examine the
original evidence for any investigation that might end up in
court. For other types of investigations, however, forensic
investigators might perform a targeted examination on the
original evidence. For example, assume the job is to examine a
user's home folder on a server for suspected inappropriate
- 2. material. It might be impossible or extremely difficult to create
a mirror image of the disk drive, but the disk can be scanned for
existing or deleted files while it is in use. Although examining
media while in use might not always be the best practice,
informal investigations use this technique frequently.
To Copy or Not to Copy?
Whenever possible, create a duplicate of the original evidence,
verify the copy, and then examine the copy. Always invest the
time and effort to copy original media for any investigation that
might end up in a court of law. If you are sure your
investigation will not end up in court, you might decide to
analyze the original evidence directly. This is possible and
desirable in cases where copying media would cause service
interruptions.
Your choice of tools to use depends on several factors,
including:
· Operating system(s) supported
Operating system(s) in which the tool runs
File systems the tool supports
· Price
· Functionality
· Personal preference
The following sections list some tools used to create and verify
media copies. Some products appear in two places in the
chapter. That's because several products play multiple roles.
This section lists several products that are part of larger
forensic software suites. While most suites of forensic software
handle image acquisition, this section highlights those tools
investigators tend to use most frequently.
Note
The list in this chapter is not exhaustive. There are many useful
tools not listed here; thus, the exclusion of any tool need not
- 3. diminish its merit. Where possible, web addresses and URLs
have been included for tools examined.
dd
The dd utility tool is a mainstay in UNIX/Linux environments.
This handy tool is installed with most UNIX/Linux distributions
and is used to copy and convert files. As briefly discussed in
Chapter 5, "Capturing the Data Image," dd is commonly used in
forensics to copy an entire UNIX/Linux environment. Using dd
you can specify the input and output file, as well as conversion
options. This utility uses two basic arguments:
· if specifies the input file
· of specifies the output file
The dd utility abides by operating system file size limits
(normally 2 GB) and truncates individual files larger than the
limit. (The 2 GB limit does not apply when using the dd utility
with device files.) Use caution when copying large files with
dd.
If you want only to copy files smaller than the maximum file
size, dd is a handy tool to keep in your forensic toolbox.
For example, to copy a simple file from a source (such as
/home/user/sn.txt) to a destination (such as /tmp/newfile), you
would issue the following command:
dd if=/home/user/sn.txt of=/tmp/newfile
Figure 8.1 shows the results of the above command.
Figure 8.1: Using the dd utility to copy a text file
Using similar syntax, an entire hard disk drive can easily be
copied. To copy a drive located at /dev/sdb to an image file
named /home/user/case1234img, use this command:
dd if=/dev/sdb of=/home/user/case1234img
Figure 8.2 shows the results of the above command.
Figure 8.2: Using the dd utility to copy an entire hard disk drive
The dd utility is already on any computer running UNIX or
Linux, and an Internet search produces a list of places to obtain
dd for Windows. Chrysocome provides a version of dd for
- 4. Windows at http://chrysocome.net/dd. Type man dd in UNIX or
Linux for a man (manual) page that documents the command
syntax.
DriveSpy
DriveSpy is a DOS-based disk imaging tool, developed by
Digital Intelligence, Inc. An extended DOS forensic shell,
DriveSpy provides an interface similar to the MS-DOS
command line, along with additional and extended commands.
The entire program is only 125 KB and easily fits on a DOS
boot floppy disk. Unfortunately, DOS boot floppy disks aren't
as common as they once were. Also, it takes some work to
prepare media to use DriveSpy. The payoff is usually worth the
effort. DriveSpy does a great job of capturing and searching
disk content. All you have to do is create a DOS bootable
device with the DriveSpy executable on it. The most common
portable boot devices are CD/DVDs and USB devices.
To create a DOS bootable device:
1 Start DriveSpy and use the DRIVES or V command to list the
drives and partitions attached to a computer. (See Figure 8.3.)
2 Choose a drive and partition for the investigation target from
the SYS> prompt.
3 Select Drive 3 from the D3 command.
4 Select partition 1 at the P1 command. The partition
information is displayed. (See Figure 8.4.)
Figure 8.3: Listing the drives on a system
Figure 8.4: Partition information
DriveSpy provides many functions necessary to copy and
examine drive contents. The program logs all activities,
optionally down to each keystroke. Logging can be disabled at
will. Forensic investigators can examine DOS and non-DOS
partitions and retrieve extensive architectural information for
hard drives or partitions. DriveSpy does not use operating
system calls to access files, and it does not change file access
dates.
- 5. DriveSpy also lets you perform the following tasks:
· Create a disk-to-disk copy (supports large disk drives).
· Create a MD5 hash for a drive, partition, or selected files.
· Copy a range of sectors from a source to a target, where
source and target can span drives or reside on the same drive.
· Select files based on name, extension, or attributes.
· Unerase files.
· Search a drive, partition, or selected files for text strings.
· Collect slack and unallocated space.
· Wipe a disk, partition, unallocated, or slack space.
DriveSpy provides basic command-line functionality and is
portable enough to carry on a simple boot device or media to
use at the scene. For pricing and more information, visit the
Digital Intelligence, Inc. Web site at
http://www.digitalintelligence.com/software/disoftware/drivesp
y/.
EnCase
The EnCase product family from Guidance Software is one of
the most complete forensic suites available. More of EnCase's
functionality and its different products are covered in the
"Forensic Tools" section later in this chapter. EnCase is also
included in this section owing to its drive duplication functions.
forensic suite
Set of tools and/or software programs used to analyze a
computer for collection of evidence.
In addition to providing tools and a framework in which to
manage a complete case, EnCase includes a drive duplicator
(also known as a drive imager). The drive imager creates an
exact copy of a drive and validates the image automatically (See
Figure 8.5 and Figure 8.6). It either creates complete images or
splits drive images to economize storage. EnCase copies
virtually any type of media, creating an identical image for
analysis. EnCase calls this static data support.
Figure 8.5: Using EnCase to select a drive for duplication
- 6. Figure 8.6: EnCase acquisition status message with an assigned
globally unique identifier (GUID) and MD5
Tip
EnCase Enterprise Edition also provides support for volatile
data. This feature snapshots Random Access Memory (RAM),
the Windows Registry, open ports, and running applications. It
provides potentially valuable information that disappears when
a computer is shut down.
Guidance Software also sells a complete line of hardware disk-
write blockers. Their Tableau products provide an extra measure
of assurance that no writes occur on a device. You can use the
hardware write blocker with EnCase or rely on EnCase's own
software write blocking to protect original media. Forensic
investigators can also use Tableau hardware write blockers with
non-EnCase software.
The EnCase products run on Windows workstation and server
operating systems. For more information on the EnCase product
line and specific system requirements, visit the Guidance
Software Web site at www.guidancesoftware.com.
Forensic Replicator
Forensic Replicator, from Paraben Forensic Tools, is another
disk imaging tool that accommodates many types of electronic
media. Forensic Replicator runs on the Windows operating
system. It provides an easy-to-use interface, as shown in Figure
8.7 and Figure 8.8, to select and copy entire drives or portions
of drives. It also handles most removable media, including
Universal Serial Bus (USB) micro drives. Forensic Replicator
stores media images in a format that the most popular forensic
programs can read.
Figure 8.7: Paraben's Forensic Replicator Acquisition Wizard
Figure 8.8: Paraben's Forensic Replicator primary user interface
Forensic Replicator also provides the ability to compress and
split drive images for efficient storage. The ISO option allows
- 7. you to create CDs or DVDs from evidence drives that you can
browse for analysis. This option makes drive analysis much
easier and more accessible for general computers. Copies of the
suspect drive don't need to be mounted on a dedicated forensic
computer. Standard searching utilities can be used to search the
CDs or DVDs. Forensic Replicator also offers the option of
encrypting duplicate images for secure storage.
Paraben also sells a FireWire or USB-to-IDE/SATA write
blocker, called Paraben's Lockdown V3, as a companion
product.
For additional information about the Paraben forensic tools
product line, see the "Forensic Tools" section later in this
chapter. For more information on the Forensic Replicator
product, visit the Paraben Web site at http://www.paraben-
forensics.com/replicator.html.
FTK Imager
FTK (Forensic Toolkit) Imager from AccessData Corporation is
a Windows-based set of forensic tools that includes powerful
media duplication features. (See Figure 8.9.) This free imaging
tool allows you to mount a forensic image of the suspect
computer so that the suspect's image becomes a letter drive on
the investigator's computer.
Figure 8.9: AccessData FTK Imager
FTK can create media images from many different source
formats, including:
· NTFS and NTFS compressed
· FAT12, FAT16, and FAT32
· Linux ext2, ext3, and ext4
· HFS, HFS+, CDFS, and VXFS
Figure 8.10 shows the image creation progress message.
Figure 8.10: FTK Imager creating an image
FTK generates CRC or MD5 hash values, as do most products in
this category, for disk-copy verification. In addition, FTK
provides full searching capability for media and images created
- 8. from other disk imaging programs. Image formats that FTK
reads include:
· EnCase
· SMART
· Expert Witness
· ICS
· Ghost
· dd
· Advanced Forensic Format (AFF)
· AccessData Logical Image (ADI)
For more information about FTK Imager, visit the AccessData
Corporation Web site at www.accessdata.com.
Norton Ghost
Norton Ghost, from Symantec, is not strictly a forensic tool, but
it does provide the ability to create disk copies that are almost
exact copies of the original. You can verify the copies you make
and ensure each partition is an exact copy, but a complete drive
image that Ghost creates commonly returns a different hash
value than a hash of the original drive. This means that,
although Ghost is a handy tool, it may not provide evidence that
is admissible in a court of law. The most common uses for
Ghost include backup/restore and creating installation images
for multiple computers. Even though Ghost's primary use is not
forensics, its utility merits a place in our list of useful tools.
(See Figure 8.11.)
Figure 8.11: Norton Ghost
Norton Ghost is a Windows application and requires a Windows
operating system. For more information on Norton Ghost, visit
the Symantec Web site at http://us.norton.com/ghost.
ProDiscover
ProDiscover, from Technology Pathways, is another suite of
forensic tools worth considering for your forensic toolkit. Like
other forensic software suites, ProDiscover provides disk
imaging and verification features. (See Figure 8.12.)
ProDiscover can create a bit stream copy of an entire suspect
- 9. disk, including host protected hardware protected area (HPA)
sections, to keep original evidence safe. The HPA is an area of
a hard disk drive that the disk controller does not report to the
BIOS or the operating system. Some disk drive manufacturers
use the HPA to hide utilities from the operating system. (For
more information, see Chapter 5.)
Another interesting feature of ProDiscover is that it allows you
to capture a disk image over a network without being physically
connected to a suspect computer.
Figure 8.12: Capturing a disk image with ProDiscover
ProDiscover also automatically creates and records MD5 or
SHA-1 hashes for evidence files to prove data integrity. Figure
8.13 shows the main project window.
Figure 8.13: ProDiscover project
Technology Pathways provides several different versions of
ProDiscover, to meet specific forensic needs. As with other
forensic suites, we cover additional features in a later section of
this chapter.
All Technology Pathways products include disk imaging and
verification and require a Windows operating system. For more
information on ProDiscover, visit the Technology Pathways
Web site at www.techpathways.com.
SMART Acquisition Workshop (SAW)
The SMART Acquisition Workshop (SAW) product from ASR
Data Acquisition & Analysis, LLC, is a stand-alone utility that
creates forensic-quality images from storage devices. SAW runs
on Windows, Linux, and Mac computers. Regardless of the
operating system, SAW uses a GUI that makes creating images
of evidence data easy. (See Figure 8.14.)
Although SAW works as a stand-alone utility, it also works with
another ASR Data utility, SmartMount. SmartMount uses image
files from SAW and several other imaging tools, to ensure fast
performance for many common forensic activities. ASR Data
states that SmartMount exceeds competitors' performance by
- 10. running up to twenty times faster for searches, indexing, and
analysis operations.
Figure 8.14: SAW interface
Even without SmartMount, SAW provides a solid method to
create images of many different types of storage media using a
straightforward GUI. For more information on SAW, visit the
ASR Data Acquisitions & Analysis Web site at
http://www.asrdata.com/forensic-software/saw/.
SMART
SMART comes from the same organization that produces the
SAW utility, ASR Data Acquisition & Analysis, LLC. The suite
comprises several tools integrated into a full-featured forensic
software package. Two tools in the package are SMART
Acquisition, which provides disk imaging, and SMART
Authentication, which provides verification functionality.
SMART runs in Linux and provides a graphical view of devices
in a system (Figure 8.15). The first step in creating a disk image
is to calculate a hash value for the source device.
Figure 8.15: SMART displays devices in a system.
After SMART generates and stores the hash value, it creates one
or more device images. SMART can create multiple image files,
use compression, split images to fit on smaller devices, and
associate images with existing case files (Figure 8.16).
Figure 8.16: Creating an image file with SMART
For more information on SMART, visit the ASR Web site at
http://www.asrdata.com/forensic-software/smart-for-linux/.
WinHex
WinHex, from X-Ways Software Technology AG, is a Windows-
based universal hexadecimal editor and disk management
utility. It supports recovery from lost or damaged files and
general editing of disk contents. Its disk cloning feature is most
relevant to this section.
WinHex clones any connected disk (see Figure 8.17 and Figure
- 11. 8.18) and verifies the process using checksums or hash
calculations.
Figure 8.17: Starting the clone process in WinHex
Figure 8.18: The Clone Disk dialog box in WinHex
WinHex provides many features beyond disk imaging and
verification. You can use WinHex to examine, and optionally
edit, disk contents. You can also search disks for text strings
using WinHex's search engine. Its support for various data types
and its ability to view data in different formats make WinHex a
valuable forensic tool.
For more information on WinHex and its additional capabilities,
visit the X-Ways Software Technology Web site at
http://www.x-ways.net/winhex/.
Forensic Tools
After you make a verified copy of original media, you're ready
to begin analysis. The tools discussed in the following sections
can perform many forensic functions. Your choice of tools
depends on specific investigative needs. The following sections
include common software and hardware tools and cover their
capabilities.
As with disk imaging tools, your choice of tools to use depends
on the following:
· Operating system(s) supported
· User interface preferences
· Budget
· Functionality/capabilities
· Vendor loyalty
Software Suites
Several companies specialize in developing and providing
forensic tools. These companies produce software and/or
hardware with diverse functionality. Some suites of forensic
software are tightly integrated and have mature user interfaces.
Other forensic suites are little more than collections of useful
- 12. utilities. Consider the following tools and try out the ones you
like. Your final choice of forensic tools should enable you to
perform the examinations you will encounter. Although bells
and whistles are nice, it's more important to get the tools you
really need.
EnCase
Guidance Software produces the EnCase product line. EnCase
was originally developed for law enforcement personnel to carry
out investigations. This product line has grown to support
commercial incident response teams as well.
The general concept of a case is central to the EnCase product.
The first action you take is to create a case file. All subsequent
activities (see Figure 8.19, Figure 8.20, and Figure 8.21) relate
to a case.
Figure 8.19: EnCase interface
Figure 8.20: Using EnCase to search for keywords
Figure 8.21: Viewing IP addresses with EnCase
EnCase is an integrated Windows-based GUI tool suite. Even
though the EnCase functionality is impressive, you are likely to
need other utilities at some point. Fully integrated solutions can
increase productivity, but don't hesitate to use another tool
when you need it.
Here are just a few features of EnCase:
· Snapshot enables investigators to capture volatile information
including:
RAM contents
Running programs
Open files and ports
· Organizes results into case files and manages case documents
· Helps maintain the chain of custody
· Provides tools for incident response teams to respond to
emerging threats
· Supports real-time and postmortem examinations
- 13. EnCase provides the functionality to acquire and examine many
types of evidence. The organization around a case provides the
structure to keep information in order. Overall, EnCase is one
of the premium suites of software you definitely should evaluate
when selecting forensic tools. For more information on EnCase,
visit the Web site at www.guidancesoftware.com.
Forensic Toolkit (FTK)
Another forensic suite that provides an integrated user interface
is AccessData's Forensic Toolkit (FTK) (Figure 8.22). FTK runs
in Windows operating systems and provides a powerful tool set
to acquire and examine electronic media.
Figure 8.22: FTK Evidence Processing options
As discussed in "Disk Imaging and Validation," earlier in this
chapter, FTK contains a disk imaging tool. This imaging tool
provides one or more copies of primary evidence for analysis.
FTK provides an easy-to-use file viewer that recognizes nearly
300 types of files. It also provides full text indexing powered by
dtSearch (we cover dtSearch features later in this chapter in the
"Miscellaneous Software Tools" section). FTK's integrated file
viewer and search capabilities enable it to find evidence on
most devices.
FTK works with media images created by several imaging
utilities, including:
5 FTK
6 EnCase
7 SMART
8 dd
Search capabilities include e-mail and archive file analysis.
FTK also enables users to quickly examine files in many
different formats. Results are organized by case and presented
in a case content summary. For more information on FTK, visit
the AccessData Web site at www.accessdata.com.
The Sleuth Kit (TSK)
The Sleuth Kit (TSK) is a popular, free, open source forensic
software suite. TSK is a collection of command-line tools that
- 14. provides media management and forensic analysis functionality.
TSK has a few features that deserve separate mention. TSK
supports Mac partitions and analyzes files from Mac file
systems. It also runs on Mac OS X. TSK can analyze volatile
data on running systems.
The core TSK toolkit contains five different types of tools.
· File System Tools
File System Layer The fsstat tool reports file system details,
including inode Numbers (file system data structures that
contain file information), block or cluster ranges, and super
block details for UNIX-based systems. For FAT file systems,
fsstat provides an abbreviated FAT table listing.
File Name Layer The ffind and fls tools report allocated,
unallocated, and deleted filenames.
Meta Data Layer The icat, ifind, ils, and istat tools report on
file metadata (file details) stored in file systems.
Data Unit Layer The blkcat, blkls, blkstat, and blkcalc tools
report file content information and statistics.
File System Journal The jcat and jls tools report journal
information and statistics.
· Volume System Tools
The mmls, mmstat, and mmcat tools provide information on the
lay-out of disks or other media.
· Image File Tools
The img_stat, and img_cat tools provide details and content
information for image files.
· Disk Tools
The disk_sreset, and disk_stat tools detect and remove an HPA
on an ATA disk.
· Other Tools
hfind The hfind tool looks up hash values.
mactime This tool uses fls and ils output to create timelines of
file activity, such as create, access and write activity.
sorter This tool sorts files based on file type.
sigfing This tool searches for a binary value in a file, starting at
a specific offset location.
- 15. For more information on TSK, visit the TSK Web site at
www.sleuthkit.org.
ProDiscover
Technology Pathways provides two different versions of the
ProDiscover tool suite: Forensics and Incident Response (IR),
depending on your particular forensic needs. (ProDiscover IR is
shown in Figure 8.23 and Figure 8.24.) Both ProDiscover
products run in Windows with an integrated GUI.
Figure 8.23: Using ProDiscover IR to add comments to a file
Figure 8.24: Search results in ProDiscover IR
Here are some notable ProDiscover features:
· Allows live system examination
· Identifies Trojan horse programs and other software intended
to compromise system security
· Utilizes a remote agent that allows centralized examination
and monitoring, along with encrypted network communication
to secure analysis data
· Creates a bit stream copy of an entire suspect disk, including
hidden HPA sections, to keep original evidence safe
· Ensures integrity of acquired images using MD5 or SHA-1
hashes
· Supports FAT12, FAT16, FAT32, all NTFS versions, Linux
ext2/ext3, and Sun Solaris UFS file systems
· Generates reports in eXtensible Markup Language (XML)
ProDiscover provides functionality similar to other full-featured
forensic software suites listed in this section.
Technology Pathways also offers a free version of ProDiscover
Basic. ProDiscover Basic is a complete GUI-based computer
forensic software package. It include the ability to image,
preserve, analyze, and report on evidence found on a computer
disk drive. This version is freeware and may be used and shared
free of charge.
Take a look at the full product line for more details on specific
features. To learn more about ProDiscover, visit the Technology
- 16. Pathways Web site at www.techpathways.com.
SIFT
The SANS Investigative Forensic Toolkit (SIFT) is a collection
of open source (and freely available) forensic utilities. SANS
originally developed SIFT as a toolkit for students in the SANS
Computer Forensic Investigations and Incident Response
course. The students liked the toolkit so much that word spread
and SANS decided to repackage and release it to the public.
SIFT is available either as a VMware virtual machine or as an
ISO image to create a bootable CD. It provides the ability to
examine disks and images created using other forensic software.
This toolkit allows users to examine the following file systems:
· Windows (FAT, VFAT, NTFS)
· Mac (HFS)
· Solaris (UFS)
· Linux (ext2/ext3)
SIFT tools support the following evidence image formats:
· Raw (dd)
· Expert Witness (E01)
· Advanced Forensic Format (AFF)
SIFT includes these individual tools:
· The Sleuth Kit (TSK file system analysis)
· Log2timeline (generates timelines)
· Ssdeep and md5deep (generates hashes)
· Foremost/Scalpel (file carving)
· Wireshark (network analysis) (http://www.wireshark.org/)
(See Figure 8.25.)
Figure 8.25: Wireshark Network Analyzer
· Vinetto (thumbs.db analysis)
· Pasco (Internet Explorer history analysis)
· Rifiuti (examines Recycle Bin)
· Volatility Framework (memory forensics)
· DFLabs (GUI front end for TSK)
· Autopsy (GUI front end for TSK)
· PyFLAG (log and disk analysis)
- 17. · Guymager (GUI imager for evidence acquisition)
Figure 8.26: Guymager open source forensic manager
SANS also provides users with documentation (including a
series of "how-to" tutorials) on using SIFT in a forensic
investigation. For more information on SIFT, visit the SANS
Web site at https://computer-
forensics2.sans.org/community/downloads/.
X-Ways Forensics
X-Ways Forensics, from X-Ways Software Technology AG, is a
collection of forensic tools that assist in examining media
images. Compared to other forensic suites in this section, it's a
little more lightweight. However, it does provide several
forensic tools that include some large package features at a very
reasonable price.
Some of the main X-Ways features include:
· Case management
· Automatic activity logging
· Automated reports in HyperText Markup Language (HTML)
· A display of existing and deleted files, sorted by file type
category
· Gallery view for graphics
· Skin color detection helps in isolating pictures that may
contain pornography
· File extension/file type mismatches detection
· EnCase media image support (read)
This list only covers a few of the many features of X-Ways. For
more information on this product, visit the X-Ways Software
Technology Web site at http://www.x-ways.net/forensics/.
Miscellaneous Software Tools
In addition to drive imaging software and complete forensic
software suites, there are many targeted tools and utilities that
are of value to computer forensic investigators. No matter how
many features your forensic suite of choice may have, your
investigation might have specific needs that require other
special tools.
- 18. The following sections cover a few special-purpose tools. As
with previous sections, consider each of these tools and choose
the best ones for your forensic needs.
DriveSpy
DriveSpy was introduced earlier in the "Disk Imaging and
Validation Tools" section. It's included here as well to remind
you that DriveSpy does a lot more than just duplicate drives.
For instance, you can:
· Select files based on name, extension, or attributes
· View the sectors and clusters in built-in hex viewers.
· Search a partition or drive for specific text strings
DriveSpy provides basic command-line functionality that is
portable enough to carry on a single floppy disk and use at the
scene of a forensic investigation. After an image of a drive is
created, DriveSpy also assists you in examining image content.
For pricing and more information, visit the Digital Intelligence,
Inc. Web site at
http://www.digitalintelligence.com/software/disoftware/drivesp
y/.
dtSearch
After you create an image of suspect media, you'll need to
search it for possible evidence. The dtSearch product line, from
dtSearch Corporation, provides solutions that enable you to
search terabytes of text in a short time. Although not strictly a
forensic tool, dtSearch (Figure 8.27) supports a highly
necessary forensic function.
Figure 8.27: dtSearch
The dtSearch products offer the following features:
· Over 25 search options, including indexed, unindexed, field
content searching for supported file types, and full-text search
options
· Convert results to HTML, XML, or PDF, with search results
highlighted (exposes the search results context)
· Support for distributed searching for high performance
The dtSearch product line includes several different products
- 19. for different forensic investigative needs, including:
· dtSearch Desktop Searches stand-alone machines
· dtSearch Network Searches across networks
· dtSearch Spider Extends a local search to a remote Web site
· dtSearch Web Supports instant text searching for online
documents
· dtSearch Publish Publishes an instant searchable database on
CD/DVD
· dtSearch Engine Empowers developers to add dtSearch's
functionality to applications
For a forensic examiner, the Desktop and Network products
provide the capability to find possible evidence on multiple
machines. For more detailed product information, visit the
dtSearch Corporation Web site at www.dtsearch.com.
NetAnalysis
NetAnalysis, from Digital Detective, is a software utility that
recovers and then analyzes Internet browser artifacts.
NetAnalysis (Figure 8.28) empowers investigators to search and
analyze browser history from suspect computers. Even if a user
deletes all browser history, NetAnalysis can still recover much
of that deleted content and reconstruct past actions.
Figure 8.28: NetAnalysis
NetAnalysis enables investigators to reconstruct visited Web
sites from locally cached data. It can read several standard
forensic image formats, including images generated by EnCase.
The Auto Investigate function helps investigators save time by
automatically identifying suspicious Web sites that may contain
specific content, such as child pornography. It also analyzes
search terms, user IDs, and passwords it finds on the suspect
computer.
NetAnalysis helps investigators recover and identify the most
valuable information to an investigation. Using NetAnalysis to
find questionable browsing activity is much easier than
performing a manual analysis. NetAnalysis also allows users to
develop standard key terms and queries to share and use with
- 20. other investigations.
For more detailed product information, visit the Digital
Detective Web site at http://www.digital-
detective.co.uk/netanalysis.asp.
Quick View Plus File Viewer
Quick View Plus, from Avantstar, is a general-purpose file
viewer. Quick View Plus (Figure 8.29) allows you to view files
in over 300 formats. Quick View Plus also allows you to view
parts of files and print them or cut and paste into your own
applications.
Figure 8.29: Quick View Plus file viewer
From a forensic perspective, Quick View Plus provides
examiners the ability to search many types of files for text
strings and view the results in the context of the original file.
Find more details on Quick View Plus by visiting the Avantstar
Web site at www.avantstar.com.
ThumbsPlus File Viewer
ThumbsPlus File Viewer, from Cerious Software Inc., is a
general-purpose file viewer and editor. It allows you to view
files in many formats. A good file-viewing tool makes browsing
through several graphics files far easier. ThumbsPlus (Figure
8.30) makes it easy to collect and browse most common graphic
formats.
Figure 8.30: ThumbsPlus Pro
You can find many more details on ThumbsPlus by visiting the
Cerious Web site at http://www.cerious.com/featuresv7.shtml.
Paraben Tools
Paraben Corporation provides a wide array of forensic tools.
The Forensic Replicator was introduced earlier. In this section,
you'll learn about three additional Paraben tools. At the end of
the Paraben Tools section, be certain to follow the link to learn
about other forensic tools offered by Paraben.
Device Seizure
Paraben's Device Seizure (Figure 8.31 and Figure 8.32) is a
- 21. software tool that enables investigators to acquire and analyze
data from over 2,400 different mobile devices. This includes
mobile phones, PDAs, and GPS devices. Paraben also sells
hardware accessories that work with Device Seizure to allow
you to physically connect to all supported mobile devices.
Figure 8.31: Paraben's Device Seizure Welcome Wizard
Figure 8.32: Paraben's Device Seizure main screen
Device Seizure acquires and organizes a large amount of mobile
data, including:
· Active and deleted text messages
· Phonebook entries from memory and the SIM card
· Call history with call details
· PDA common information (calendar, to-do list, etc.)
· File system contents
· GPS information
· E-mail information
Device Seizure can also translate GPS coordinates into Google
Earth data. This makes it easy to present evidence in a form that
anyone can easily see and understand. Paraben designed Device
Seizure to be a solid forensic tool for mobile device
investigations.
Chat Stick
Paraben provides several consumer products for home and
corporate use, such as the Chat Stick. The Chat Stick is a USB
thumb drive that comes preloaded with software.
Using the Chat Stick is easy. Simply insert the Chat Stick in a
USB port on a target computer. The Chat Stick software
automatically launches and lets you search for chat logs from
most popular instant message (IM) software, including:
· Yahoo
· MSN
· ICQ
· Trillian
· Skype
- 22. · Hello
· Miranda
Chat Stick identifies chat logs and copies these logs to the USB
thumb drive. From there, Chat Stick software (Figure 8.33)
allows users to view and create reports on all IM conversations.
Figure 8.33: Paraben's Chat Stick software
Chat stick makes it easy for parents to check up on IM activities
on home computers. Businesses also use Chat Stick to ensure
their employees uphold their acceptable use policies for
computer equipment at work.
Paraben Porn Stick
Paraben's Porn Stick is another consumer product distributed on
a USB thumb drive. The Porn Stick contains preloaded software
that searches a target computer for suspicious images—
specifically pornography.
As with the Chat Stick, the Porn Stick software automatically
launches when the thumb drive is plugged into a USB port.
Users can search one or more drives on the target computer for
suspicious images.
The Porn Stick stores thumbnails of suspicious images on the
USB thumb drive. Images can be previewed once the scan is
finished. To make the process more palatable, the Porn Stick
blurs image thumbnails. You can select any image and use the
mouse pointer to see a small portion of the unblurred image (see
Figure 8.34). This feature makes it difficult to "accidentally"
view objectionable material.
Figure 8.34: Detection results from Paraben's Porn Stick
software
The Porn Stick is a consumer product that home and business
users typically purchase. As with the Chat Stick, parents can
use it at home and businesses can use it in the office to check
for acceptable use policy violations.
For more information on any Paraben products, visit their Web
site at www.paraben.com.
- 23. Snagit
Snagit, from TechSmith Corporation, is a full-featured tool
designed to capture and manage screenshots. Sometimes, the
best way to document the state of evidence is to save an image
from the screen. Snagit (Figure 8.35) makes it easy to take
screenshots using over 40 different methods. You can record
any aspect of what's on a computer monitor.
Figure 8.35: Snagit
Once you take a screenshot, Snagit allows you to edit it (see
Figure 8.36) and add features to highlight specific areas on that
image. Snagit also helps in sharing, cataloging, and storing
screenshot images. Snagit can help to simplify any
investigation.
Figure 8.36: Snagit Editor
For more information on Snagit, visit the TechSmith Web site at
http://www.techsmith.com/snagit/.
Hardware
Up to this point, we've ignored the requirement that all software
tools must run on hardware of some type. Although forensic
tools run on general-purpose machines, using dedicated
computers for forensic investigations is often advisable. Using
dedicated hardware decreases the possibility of accidental
contamination by nonforensic applications.
Although actual evidence contamination cannot occur on the
original evidence when analyzing an image of the original,
other applications might affect the evidence image copy you are
examining. Your forensic machine probably has special-purpose
hardware elements such as a disk-write blocker, keystroke
logger, or multiple format disk controllers.
Because forensic examination computers tend to support
special-purpose hardware and software, several companies offer
hardware devices and complete computer systems built from the
ground up to serve as forensic hardware devices. Some of these
systems can be expensive, but if you need a prebuilt forensic
- 24. hardware platform, the cost is probably justified. Carefully
consider your needs based on:
· Where will you analyze media?
· At the scene
· In the lab
· How often do you use forensic software?
· What type of operating system and hardware must you
analyze?
· Will the evidence you collect be presented in a court of law?
Answers to these questions will help you to decide whether you
need special-purpose forensic hardware and what features you
need. The following sections describe the products offered by
some forensic hardware providers.
Cellebrite
Cellebrite produces a line of forensic hardware for use in
mobile device forensics. Their Universal Forensic Extraction
Device (UFED) enables forensic investigators to extract
information from more than 3,600 mobile devices, including
phones and GPS units. UFED is used by militaries, law
enforcement agencies, governments, and intelligence agencies
around the world to extract information from mobile devices
during investigations.
UFED comes in multiple versions to support user-specific
requirements. The UFED system includes over 100 different
connectors that allow investigators to attach any type of mobile
device. UFED software supports many features investigators
need, including:
· Extract existing and deleted phone data
· Call history
· Text messages
· Contacts
· Images
· Geotags
· Search, reconstruct, and analyze phone data
· Integrate GPS information with Google Maps and Google
Earth
- 25. For more information on Cellebrite UFED products, visit the
Web site at http://www.cellebrite.com/forensic-products.html.
ICS Solo 4
Intelligent Computer
Solution
s (ICS) specializes in data duplication hardware. They produce
a line of forensic acquisition products for both field and lab use.
Their forensic products use high-speed hardware and hardware
write blockers to duplicate evidence media. Instead of using
software tools to create images of evidence media, ICS provides
hardware to accomplish the same task. The tool also has the
ability to capture video played on Web sites.
The main advantage to using hardware data acquisition is
increased speed. ICS products transfer data at rates up to 18
GB/min. That is far faster than any software image acquisition.
ICS products, such as the ICS Solo-4 (Figure 8.37), provide a
convenient method to extract images from a suspect computer,
even without removing its hard drive(s).
Photograph Courtesy of Intelligent Computer