Current Computer Forensics

Tools
 Objectives

• Explain how to evaluate needs for computer

forensics tools
• Describe available computer forensics software
tools
• List some considerations for computer forensics
hardware tools
• Describe methods for validating and testing
computer forensics tools
 Types of Computer Forensics Tools

• Hardware forensic tools

– Range from single-purpose
components to complete computer
systems and servers
• Software forensic tools Logicube Talon
– Types (link Ch 7a)
• Command-line applications
• GUI applications
– Commonly used to copy data from a suspect’s disk
drive to an image file
 Tasks Performed by Computer
Forensics Tools

• Five major categories:

– Acquisition
– Validation and discrimination
– Extraction
– Reconstruction
– Reporting
 Acquisition

• Making a copy of the original drive

• Acquisition sub functions:
– Physical data copy
– Logical data copy
– Data acquisition format
– Command-line acquisition
– GUI acquisition
– Remote acquisition
– Verification
• A physical image collects all bits of data on the
storage medium, regardless of whether it is
allocated or unallocated to a file system. A logical
image collects only the data that is visible to the
file system.
 Acquisition (continued)
• Two types of data-copying methods are used in software
acquisitions:
– Physical copying of the entire drive
– Logical copying of a disk partition
• The formats for disk acquisitions vary
– From raw data to vendor-specific proprietary compressed data
• Creating smaller segmented files is a typical feature in
vendor acquisition tools.
• All computer forensics acquisition tools have a method for
verification of the data-copying process
– That compares the original drive with the image
 Validation and discrimination

• Validation
– Ensuring the integrity of data being copied
• Discrimination of data
– Involves sorting and searching through all
investigation data
 Validation and discrimination
(continued)
• Subfunctions
– Hashing(process of converting a given key into another value)
• CRC-32, MD5, Secure Hash Algorithms
– Filtering
• Known system files can be ignored
• Based on hash value sets
– Analyzing file headers
• Discriminate files based on their types
• National Software Reference Library (NSRL) has compiled a
list of known file hashes(algorithm that calculates a fixed-size
bit string value from a file)
• CRC32 is a popular checksum algorithm used to
detect data corruption.
• The MD5 hash function was originally designed for
use as a secure cryptographic hash algorithm for
authenticating digital signatures
• SHA-1 (short for Secure Hash Algorithm 1) is one
of several cryptographic hash functions. SHA-1 is
most often used to verify that a file has been
unaltered.
Tasks Performed by Computer
Forensics Tools (continued)
 Validation and discrimination
(continued)

• Many computer forensics programs include a list of

common header values
– With this information, you can see whether a file
extension is incorrect for the file type
• Most forensics tools can identify header values
Tasks Performed by Computer
Forensics Tools (continued)
 Extraction

• Recovery task in a computing investigation

• Most demanding of all tasks to master
• Recovering data is the first step in analyzing an
investigation’s data
 Extraction (continued)

• Subfunctions
– Data viewing
– Keyword searching
– Decompressing
– Carving (reconstructing
file fragments)
– Decrypting
– Bookmarking
• Keyword search speeds up analysis for
investigators
FTK's Search Pane
 Extraction (continued)

• From an investigation perspective, encrypted files

and systems are a problem
• Many password recovery tools have a feature for
generating potential password lists
– For a password dictionary attack
• If a password dictionary attack fails, you can run a
brute-force attack(trial-and-error to guess login
info, encryption keys, or find a hidden web page)
 Reconstruction

• Re-create a suspect drive to show what happened

during a crime or an incident
• Subfunctions
– Disk-to-disk copy
– Image-to-disk copy
– Partition-to-partition copy
– Image-to-partition copy
 Reconstruction (continued)

• Some tools that perform an image-to-disk copy:

– SafeBack
– SnapBack
– EnCase
– FTK Imager
– ProDiscover
 VOOM Shadow 2

• For write-blocked courtroom demos using real

original drive, use Voom Shadow 2 (link Ch 7b)
 Reporting

• To complete a forensics disk analysis and

examination, you need to create a report
• Subfunctions
– Log reports
– Report generator
• Use this information when producing a final report
for your investigation
Tool Comparisons
iClicker Questions
Which task includes removing
files that are known Windows
system files?

A.Acquisition
B.Validation
C.Discrimination
D.Carving
E.Extraction
Which task includes creating a
working duplicate of the
evidence hard disk on a
physical hard disk?

A.Discrimination
B.Carving
C.Extraction
D.Reconstruction
E.Reporting
Which task includes remotely
imaging a suspect's hard drive?

A.Acquisition
B.Validation
C.Extraction
D.Reconstruction
E.Reporting
Which tool allows you to boot
from the evidence drive safely?

A.VOOM Shadow 2
B.Hardware write-blocker
C.FTK Imager
D.VMware
E.EnCase
 Shadow 3 offers investigators the unique ability to boot
and interact with systems running any operating system
without affecting the data on connected drives. Whether
it's a computer, a game console, a DVR, or something else,
you can see what's on the system—in the field, in the lab,
or in court. Hardware write-blocking ensures that drives in
evidence remain unchanged, even as the system performs
operations that normally write changes to the drive. With
Shadow 3, you get the speed and convenience of exploring
suspect systems through their native environments while
preserving your evidence.
Computer Forensics Software
Tools
 Computer Forensics Software Tools

• The following sections explore some options for

command-line and GUI tools in both Windows and
UNIX/Linux
 Command-line Forensic Tools
• The first tools that analyzed and extracted data from
floppy disks and hard disks were MS-DOS tools for IBM
PC file systems
• Norton DiskEdit
– One of the first MS-DOS tools used for computer
investigations.
– powerful tool you can use to explore drives and retrieve lost
data.
• Advantage
– Command-line tools require few system resources
• Designed to run in minimal configurations
 DIR /Q

• Shows file owner

 UNIX/Linux Forensic Tools
• *nix platforms have long been the primary command-line
OSs
• SMART(Self-Monitoring, Analysis, and Reporting
Technology)
– The purpose is to monitor the reliability of the hard drive
and predict drive failures, and to carry out different types of
drive self-tests.
– Designed to be installed on numerous Linux versions
– Can analyze a variety of file systems with SMART
– Many plug-in utilities are included with SMART
– Another useful option in SMART is its hex viewer
UNIX/Linux Forensic Tools (continued)

• Helix
– Helix is an incident response and computer forensics
toolkit based on the popular Knoppix Live bootable
CD.
– It contains dozens of tools for incident response on
Windows and Linux systems.
• Autopsy and SleuthKit
– Sleuth Kit is a Linux forensics tool
– Autopsy is the GUI/browser interface used to access
Sleuth Kit’s tools
UNIX/Linux Forensic Tools (continued)

• Knoppix-STD
– Knoppix Security Tools Distribution (STD)
• A collection of tools for configuring security measures,
including computer and network forensics
– Knoppix-STD is forensically sound
• Doesn’t allow you to alter or damage the system
you’re analyzing
– Knoppix-STD is a Linux bootable CD
 BackTrack

• BackTrack 4 was a Linux distribution that focused

on security, based on the Knoppix Linux
distribution aimed at digital forensics and
penetration testing use.
 Raptor

http://forensicir.blogspot.com/2009/07/uns
ung-tools-raptor-forensics.html

http://forensicir.blogspot.com/2009/07/unsung-tools-raptor-
forensics.html
 Advantages & Disadvantages

• Advantages
– Ease of use
– Multitasking
– No need for learning older OSs

• Disadvantages
– Excessive resource requirements
– Produce inconsistent results
– Create tool dependencies
Computer Forensics
Hardware Tools
 Computer Forensics Hardware Tools

• Technology changes rapidly

• Hardware eventually fails
– Schedule equipment replacements
• When planning your budget consider:
– Failures
– Consultant and vendor fees
– Anticipate equipment replacement
 Forensic Workstations

• Carefully consider what you need

• Categories
– Stationary
– Portable
– Lightweight
• Balance what you need and what your system can
handle
 Forensic Workstations (continued)

• Police agency labs

– Need many options
– Use several PC configurations
• Private corporation labs
– Handle only system types used in the organization
• Keep a hardware library in addition to your
software library
 Building your Own Forensic
Workstation

• Not as difficult as it sounds

• Advantages
– Customized to your needs
– Save money
• Disadvantages
– Hard to find support for problems
– Can become expensive if careless
• Also need to identify what you intend to analyze
 Purchasing a Forensic Workstation
• You can buy one from a vendor as an alternative
• Examples
– F.R.E.D(Forensic Recovery of Evidence Device)
– F.I.R.E. IDE

• Having vendor support can save you time and frustration when you have
problems
 Using a Write-Blocker

• Write-blocker
– Prevents data writes to a hard disk
• Software-enabled blockers
– Software write-blockers are OS dependant
– Example: PD(physical Drive)Block from Digital
Intelligence
• DOS only, not Windows
• Hardware options
– Ideal for GUI forensic tools
– Act as a bridge between the suspect drive and the
forensic workstation
 Using a Write-Blocker (continued)
• Can navigate to the blocked drive with any application
• Discards the written data
– For the OS the data copy is successful
• Connecting technologies
– FireWire(high-speed computer data-transfer interface used
to connect personal computers, audio and video devices)
– USB 2.0(connect a variety of peripheral devices such as
mice, keyboards, printers, scanners, external hard drives)
– SCSI controllers(chip that allows a Small Computer System
Interface (SCSI) storage device to communicate with the
operating system across a SCSI bus.)
 Recommendations for a Forensic
Workstation

• Determine where data acquisitions will take place

• Data acquisition techniques
– USB 2.0
– FireWire
• Expansion devices requirements
• Power supply with battery backup
• Extra power and data cables
 Recommendations for a Forensic
Workstation (continued)

• External FireWire and USB 2.0 ports

• Assortment of drive adapter bridges
• Ergonomic considerations
– Keyboard and mouse
– A good video card with at least a 17-inch monitor
• High-end video card and monitor
• If you have a limited budget, one option for
outfitting your lab is to use high-end game PCs
Validating and Testing
Forensic Software
 Validating and Testing Forensic
Software

• Make sure the evidence you recover and analyze

can be admitted in court
• Test and validate your software to prevent
damaging the evidence
 Using National Institute of Standards
and Technology (NIST) Tools

• Computer Forensics Tool Testing (CFTT)

program
– Manages research on computer forensics tools
• NIST has created criteria for testing computer
forensics tools based on:
– Standard testing methods
– ISO 17025 criteria for testing items that have no
current standards
– ISO 5725
 Using National Institute of Standards
and Technology (NIST) Tools
(continued)
• Your lab must meet the following criteria
– Establish categories for computer forensics tools
– Identify computer forensics category requirements
– Develop test assertions
– Identify test cases
– Establish a test method
– Report test results
 Using National Institute of Standards
and Technology (NIST) Tools
(continued)
• National Software Reference Library (NSRL)
project
– Collects all known hash values for commercial
software applications and OS files
• Uses SHA-1 to generate a known set of digital
signatures called the Reference Data Set (RDS)
– Helps filtering known information
– Can use RDS(Reference Data Set) to locate and
identify known bad files
 Using Validation Protocols

• Always verify your results

• Use at least two tools
– Retrieving and examination
– Verification
• Understand how tools work
• One way to compare results and verify a new tool
is by using a disk editor
– Such as Hex Workshop or WinHex
– But it won't work with encrypted or compressed files
Using Validation Protocols (continued)

• Disk editors
– Do not have a flashy interface
– Reliable tools
– Can access raw data
• Computer Forensics Examination Protocol
– Perform the investigation with a GUI tool
• Usually FTK or EnCase
– Verify your results with a disk editor
– If a file is recovered, compare hash values obtained
with both tools
Using Validation Protocols (continued)

• Computer Forensics Tool Upgrade Protocol

– Test
• New releases
• OS patches and upgrades
– If you find a problem, report it to forensics tool
vendor
• Do not use the forensics tool until the problem has
been fixed
– Use a test hard disk for validation purposes
– Check the Web for new editions, updates, patches,
and validation tests for your tools
iClicker Questions
Which tool is useful for
verification, but not for
compressed or encrypted files?

A.FTK
B.EnCase
C.Raptor
D.Hex Editor
E.NSRL
Which tool has a Forensics
Mode, but does not boot into
that mode by default?

A.Norton DiskEdit
B.Helix
C.Knoppix-STD
D.Raptor
E.BackTrack
Which tool used to be free but
now costs money?

A.SMART
B.Helix
C.Knoppix-STD
D.Raptor
E.BackTrack
Which tool comes built in to
Windows?

A.DIR /Q
B.SMART
C.Helix
D.Autopsy & SleuthKit
E.BackTrack