Computer Forensics Tools Hardware and Software Forensic Tools

Upload: camilla-mckinney

Post on 23-Dec-2015


Page 1: Computer Forensics Tools Hardware and Software Forensic Tools

Computer Forensics Tools
Hardware and Software Forensic Tools

Page 2

Computer Forensic Tools
- Tools are used to analyze digital data & prove or disprove criminal activity
- Used in 2 of the 3 Phases of Computer Forensics
  - Acquisition – Images systems & gathers evidence
  - Analysis – Examines data & recovers deleted content
  - Presentation – Tools not used
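As an added example (not from the slides), the two tool-assisted phases run on a constructed image: acquisition as a read-only, bit-for-bit copy whose SHA-256 is recorded for both source and image, and analysis as signature-based carving that recovers files even when no file-system entry points at them. The function names (`acquire_image`, `carve_files`, `demo`), the sample media and the choice of JPEG/PNG signatures are assumptions of this example.

```python
import hashlib, tempfile
from pathlib import Path

CHUNK = 1 << 20  # 1 MiB reads keep memory flat on large media
# Header/footer signatures used for carving (JPEG and PNG only, for brevity).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB\x60\x82"),
}

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()

def acquire_image(source, image):
    """Acquisition: bit-for-bit copy, source read-only (software write block); return both SHA-256s."""
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
    return sha256_of(source), sha256_of(image)

def carve_files(image):
    """Analysis: recover files by signature with no file-system entry needed (deleted content)."""
    data = Path(image).read_bytes()  # small constructed image; stream on real media
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        pos = data.find(head)
        while pos != -1:
            end = data.find(tail, pos + len(head))
            if end == -1:
                break
            found.append((kind, pos, end + len(tail) - pos))  # (type, offset, length)
            pos = data.find(head, end + len(tail))
    return sorted(found, key=lambda f: f[1])

def build_sample_media(path):
    """Constructed 'device': filler, PNG, filler, JPEG, filler; no file system at all."""
    png = SIGNATURES["png"][0] + b"\x00" * 40 + SIGNATURES["png"][1]
    jpg = SIGNATURES["jpg"][0] + b"\xe0" + b"\x11" * 30 + SIGNATURES["jpg"][1]
    Path(path).write_bytes(b"\x00" * 64 + png + b"\x00" * 16 + jpg + b"\x00" * 32)

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        source, image = Path(tmp, "device.bin"), Path(tmp, "device.dd")
        build_sample_media(source)
        src_hash, img_hash = acquire_image(source, image)
        return {"verified": src_hash == img_hash, "sha256": img_hash,
                "carved": carve_files(image)}
```

A matching source/image hash is what lets the examiner show later that the image analysed is the one acquired; on real media the same loop runs against the block device behind a hardware write blocker.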

Page 3

Admissibility of Forensic Evidence in Court
- Data must be relevant & reliable
- Reliability of evidence gathered by tools is assessed by the judge in a pre-trial hearing, aka Daubert Hearing
- Assesses the methodology used to gather evidence: Sound scientific practices? Reliable evidence?

Page 4

Pre-trial Hearings
- Frye Test – past method
  - Responsibility on scientific community
  - Defined acceptable evidence gathering procedures
  - Used peer reviewed journals
- Daubert Hearing – current method
  - Offers additional methods to test quality of evidence

Source: http://www.owlinvestigations.com/forensic_articles/aural_spectrographic/standards_of_admissibility.html

Page 5

Daubert Hearing Process
- Testing – Is this procedure tested?
- Error Rate – What is the error rate of this procedure?
- Publication – Has the procedure been published and reviewed by peers?
- Acceptance – Is the procedure generally accepted within the relevant scientific community?

Sources:
http://www.daubertexpert.com/basics.html
http://onin.com/fp/daubert_links.html#whatisadauberthearing

Page 6

Types of Security Software
- Network Firewall
- Remote Access
- Network Security Management
- Vulnerability Management
- Wireless
- Emergent Technology
- Antispyware
- Antivirus
- Authentication
- E-Mail Security
- Identity & Access Management
- Intrusion Detection
- Intrusion Prevention

Page 7

Types of Forensic Software
- Acquisition Tools
- Data Discovery Tools
- Internet History Tools
- Image Viewers
- E-mail Viewers
- Password Cracking Tools
- Open Source Tools
- Mobile Device Tools (PDA/Cell Phone)
- Large Storage Analysis Tools

Page 8

Electronic Data Discovery Tools
- Extract & Index Data
- Create Electronic Images of Data
- Search by Keyword or Document Similarity
- Metadata
  - Author
  - Date Created & Updated
  - Email date sent, received

Page 9

More About Electronic Data Discovery Tools
- Analyze data
- Retrieve data from different media
- Convert between different media and file formats
- Extract text & data from documents
- Create images of the documents
- Print documents
- Archive documents

Page 10

Internet History Tools
- Reads information in the complete history database
- Displays list of visited sites
- Opens URLs in Internet Explorer
- Adds URLs to Favorites
- Copies URLs
- Prints URLs
- Saves listing/ranges as text file

Page 11

Image & E-Mail Viewers
- Views files
- Converts files
- Catalogs files
- Side by side file comparisons

Page 12

Password Cracking Tools
- Password recovery
- Allows access to computers
- 3 methods to crack passwords
  - Dictionary attack
  - Hybrid attack
  - Brute force attack

Source: http://www-128.ibm.com/developerworks/library/s-crack/

Page 13

Open Source Tools
- Free tools available to computer forensic specialists
- Cover the entire scope of forensic tools in use
- May more clearly and comprehensively meet the Daubert guidelines than closed source tools
- Among the most widely used

Source: http://software.newsforge.com/software/05/04/05/2052235.shtml?tid=129&tid=136&tid=147&tid=2&tid=132

Page 14

Mobile Device Tools
- Number and variety of toolkits considerably more limited than for computers
- Require examiner to have full access to the device
- Most tools focus on a single function
- Deleted data remains on the PDA until a successful HotSync with a computer

Sources:
http://csrc.nist.gov/publications/nistir/nistir-7100-PDAForensics.pdf
http://www.cs.ucf.edu/courses/cgs5132/spring2002/presentation/weiss.ppt#5

Page 15

Forensic Tool Suites
- Provide a lower cost way to maximize the tools
- Typically include the most often used tools
- Paraben
- The Coroner's Toolkit (TCT)
- The Sleuth Kit (TSK)
- EnCase
- Forensic Toolkit (FTK)
- Maresware

Page 16

A Closer Look
- EnCase
- ByteBack
- Forensic Toolkit
- Maresware
- Paraben
- Coroner's Toolkit
- The Sleuth Kit

Page 17

EnCase
- Originally developed for law enforcement
- Built around case management
- Integrated Windows-based graphical user interface (GUI)
- Multiple features

Page 18

ByteBack
- Cloning/Imaging
- Automated File Recovery
- Rebuild Partitions & Boot Records
- Media Wipe
- Media Editor
- Software Write Block

Page 19

Forensic Toolkit (FTK)
- Another tool suite
- Acquires & examines electronic data
- Imaging tool
- File viewer

Page 20

Maresware
- Collection of tools rather than a tool suite
- Main difference – tools are stand-alone & called as needed
- 4 notable tools
  - Declasfy
  - Brandit
  - Bates_no
  - Upcopy

Page 21

Paraben
- Collection of stand-alone tools
- Made up of 10 individual software tool sets
- Purchased separately, price break for multiple tool purchases
- Frequently used with mobile devices

Page 22

Coroner's Toolkit (TCT)
- Open source tool suite
- Supports a post-mortem analysis of Unix & Linux systems
- Written for incident response rather than law enforcement
- Not designed for the requirements to produce & prosecute

Page 23

The Sleuth Kit (TSK)
- Open-source software suite built on TCT
- Collection of command-line tools
- Provides media management & forensic analysis
- Core toolkit consists of 6 tools

Page 24

Hardware Acquisition Tools
- Various hardware & software platforms
- Collect data
- Process data
- Save data
- Display data in a meaningful manner

Page 25

Forensic Hardware
- Workstations – Copy & Analysis
- Drive Imaging System
- Drive Wiper
- Bridge
- Write Blocker – SATA, SCSI, IDE, USB
- Imaging Device
- SCSI Bridge

Page 26

Tool Costs
- Workstations starting at $5,000
- Bridges starting at $200
- Drive wipers starting at $1000
- Wide assortment of special cables and hardware accessories vary in price
- Software – Free (Open Source) to over $1000

Page 27

Choosing Your Forensic Toolkit
- Expected types of investigations
  - Internal reporting
  - Prosecution
- Operating systems
- Budget
- Technical skill
- Role
  - Law enforcement
  - Private organization

Page 28

Prepare to Tool Up
- Make lists
- Don't overbuy overlapping tools
- No one-size-fits-all
- Training

Page 29

References
- Computer Forensics Jump Start. Michael G. Solomon, Diane Barret & Neil Broom. Sybex, San Francisco, 2005.
- Hacking Exposed – Computer Forensics. Chris Davis, Aaron Philipp & David Cowen. McGraw-Hill, New York, 2005.
- Forensic and Investigative Accounting. D. Larry Crumbley, Lester E. Heitger & G. Stevenson Smith. CCH Inc., Chicago, 2003.