Post on 23-Dec-2015
Computer Forensics Tools: Hardware and Software Forensic Tools
Computer Forensic Tools
- Tools are used to analyze digital data & prove or disprove criminal activity
- Used in 2 of the 3 phases of computer forensics:
  - Acquisition – images systems & gathers evidence
  - Analysis – examines data & recovers deleted content
  - Presentation – tools not used
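The acquisition phase above turns on one practical question: can the examiner later prove the image is a bit-for-bit copy of what was seized? Imaging tools answer that by hashing the stream as it is read and re-hashing the image whenever it is used. The script below is an added illustration of that verification loop, not code from the deck or from any of the products it names; the source device is a constructed byte string, and the image is written to a temporary file so the example runs offline.

```python
import hashlib
import io
import os
import tempfile

# Constructed stand-in for a seized device: 4096 bytes, sector-aligned.
SAMPLE_DEVICE = (b"\x00" * 512) + (b"EVIDENCE-BLOCK " * 300)[:3584]

CHUNK = 512  # read in sector-sized chunks, as an imager would


def acquire_image(source, dest_path, algo="sha256"):
    """Copy every byte of `source` (a binary file object) into dest_path,
    hashing the stream while it is read. Returns the acquisition hash."""
    h = hashlib.new(algo)
    with open(dest_path, "wb") as out:
        while True:
            chunk = source.read(CHUNK)
            if not chunk:
                break
            h.update(chunk)
            out.write(chunk)
    return h.hexdigest()


def hash_file(path, algo="sha256"):
    """Hash a file on disk in sector-sized chunks."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(path, expected_hash, algo="sha256"):
    """True only if the image on disk still matches the acquisition hash."""
    return hash_file(path, algo) == expected_hash


def expected_source_hash():
    """Hash of the constructed device, computed independently of the imager."""
    return hashlib.sha256(SAMPLE_DEVICE).hexdigest()


def demo(tmpdir=None):
    """Image the constructed device, verify, then show that a single
    altered byte (e.g. an accidental write with no write blocker) is caught."""
    tmpdir = tmpdir or tempfile.mkdtemp()
    image_path = os.path.join(tmpdir, "evidence.dd")
    acq_hash = acquire_image(io.BytesIO(SAMPLE_DEVICE), image_path)
    verified_before = verify_image(image_path, acq_hash)

    # Flip one bit in the image and re-verify.
    with open(image_path, "r+b") as f:
        f.seek(1000)
        original = f.read(1)
        f.seek(1000)
        f.write(bytes([original[0] ^ 0x01]))
    verified_after = verify_image(image_path, acq_hash)

    return {
        "hash": acq_hash,
        "size": os.path.getsize(image_path),
        "verified_before": verified_before,
        "verified_after": verified_after,
    }


if __name__ == "__main__":
    print(demo())
```

The same hash recorded at acquisition is what gets re-checked before analysis and again before presentation; a mismatch at any point means the image can no longer be tied to the original device.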
Admissibility of Forensic Evidence in Court
- Data must be relevant & reliable
- Reliability of evidence gathered by tools is assessed by the judge in a pre-trial hearing, aka a Daubert hearing
- The hearing assesses the methodology used to gather evidence: Sound scientific practices? Reliable evidence?
Pre-trial Hearings
- Frye Test – past method
  - Responsibility on the scientific community
  - Defined acceptable evidence-gathering procedures
  - Used peer-reviewed journals
- Daubert Hearing – current method
  - Offers additional methods to test the quality of evidence
Source: http://www.owlinvestigations.com/forensic_articles/aural_spectrographic/standards_of_admissibility.html
Daubert Hearing Process
- Testing – Has this procedure been tested?
- Error Rate – What is the error rate of this procedure?
- Publication – Has the procedure been published and reviewed by peers?
- Acceptance – Is the procedure generally accepted within the relevant scientific community?
Sources:
http://www.daubertexpert.com/basics.html
http://onin.com/fp/daubert_links.html#whatisadauberthearing
Types of Security Software
- Network Firewall
- Remote Access
- Network Security Management
- Vulnerability Management
- Wireless
- Emergent Technology
- Antispyware
- Antivirus
- Authentication
- E-Mail Security
- Identity & Access Management
- Intrusion Detection
- Intrusion Prevention
Types of Forensic Software
- Acquisition Tools
- Data Discovery Tools
- Internet History Tools
- Image Viewers
- E-mail Viewers
- Password Cracking Tools
- Open Source Tools
- Mobile Device Tools (PDA/Cell Phone)
- Large Storage Analysis Tools
Electronic Data Discovery Tools
- Extract & index data
- Create electronic images of data
- Search by keyword or document similarity
- Metadata: author; date created & updated; email date sent, received
More About Electronic Data Discovery Tools
- Analyze data
- Retrieve data from different media
- Convert between different media and file formats
- Extract text & data from documents
- Create images of the documents
- Print documents
- Archive documents
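The two EDD slides above describe three operations that sit at the core of every discovery tool: an inverted index over extracted text, a metadata filter (author, created/updated, sent/received dates), and a document-similarity search. The following script is an added, self-contained sketch of those three operations on a constructed three-record corpus; it is not code from the deck or from any discovery product, and the record layout and the Jaccard similarity measure are choices made for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample corpus: each record mimics what an EDD tool extracts
# from a document (created/updated) or an e-mail (sent/received).
DOCUMENTS = [
    {"id": "doc-001", "author": "alice", "created": "2015-03-02", "updated": "2015-03-10",
     "text": "Quarterly invoice totals reconciled with the vendor ledger."},
    {"id": "doc-002", "author": "bob", "created": "2015-04-15", "updated": "2015-04-15",
     "text": "Vendor contract renewal draft; ledger figures attached."},
    {"id": "msg-003", "author": "alice", "sent": "2015-05-01", "received": "2015-05-01",
     "text": "Please shred the old invoice copies before the audit."},
]

WORD = re.compile(r"[a-z0-9]+")


def tokenize(text):
    """Lower-case alphanumeric tokens; good enough for an index demo."""
    return WORD.findall(text.lower())


def build_index(docs):
    """Inverted index: token -> set of document ids containing it."""
    index = defaultdict(set)
    for d in docs:
        for tok in set(tokenize(d["text"])):
            index[tok].add(d["id"])
    return index


def keyword_search(index, *terms):
    """Documents containing every given term (AND query)."""
    sets = [index.get(t.lower(), set()) for t in terms]
    if not sets:
        return set()
    return set.intersection(*sets)


def metadata_filter(docs, author=None, after=None):
    """Filter by author and by primary date (created for documents,
    sent for e-mail) on or after `after` (YYYY-MM-DD)."""
    out = []
    for d in docs:
        if author and d.get("author") != author:
            continue
        stamp = d.get("created") or d.get("sent")
        if after and datetime.strptime(stamp, "%Y-%m-%d") < datetime.strptime(after, "%Y-%m-%d"):
            continue
        out.append(d["id"])
    return sorted(out)


def jaccard_similarity(a, b):
    """Token-set overlap between two texts, 0.0 to 1.0."""
    ta, tb = set(tokenize(a)), set(tokenize(b))
    return len(ta & tb) / len(ta | tb) if ta | tb else 0.0


def similar_documents(docs, target_id, threshold=0.1):
    """Ids of other documents whose similarity to target_id meets the threshold."""
    target = next(d for d in docs if d["id"] == target_id)
    return sorted(
        d["id"] for d in docs
        if d["id"] != target_id and jaccard_similarity(target["text"], d["text"]) >= threshold
    )


if __name__ == "__main__":
    idx = build_index(DOCUMENTS)
    print(sorted(keyword_search(idx, "ledger")))
    print(metadata_filter(DOCUMENTS, author="alice"))
    print(similar_documents(DOCUMENTS, "doc-001"))
```

Real tools replace the token-set similarity with hashing or shingling so that near-duplicate documents across thousands of custodians can be grouped, but the shape of the pipeline (extract, index, filter on metadata, cluster) is the same.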
Internet History Tools
- Reads information in the complete history database
- Displays list of visited sites
- Opens URLs in Internet Explorer
- Adds URLs to Favorites
- Copies URLs
- Prints URLs
- Saves listing/ranges as text file
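Modern browsers keep their history in a SQLite database, so the "read the complete history database, list visited sites, save a listing or range as text" workflow above reduces to a handful of queries. The script below is an added example, not code from the deck or from any history viewer; it builds an in-memory database with a simplified, constructed schema (a single `urls` table, not any real browser's layout) and shows the listing, a date-range filter, and a per-host visit summary.

```python
import sqlite3
from urllib.parse import urlparse

# Constructed sample rows: (url, title, visit_count, last_visit).
SAMPLE_ROWS = [
    ("http://example.com/login", "Login", 5, "2015-12-20 08:15:00"),
    ("http://example.com/reports/q4", "Q4 Reports", 2, "2015-12-21 17:40:00"),
    ("http://files.example.net/upload", "Upload", 1, "2015-12-22 23:05:00"),
    ("https://mail.example.org/inbox", "Inbox", 9, "2015-12-23 09:00:00"),
]


def build_sample_history():
    """In-memory stand-in for a browser history file (simplified schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
        "visit_count INTEGER, last_visit TEXT)"
    )
    conn.executemany(
        "INSERT INTO urls (url, title, visit_count, last_visit) VALUES (?, ?, ?, ?)",
        SAMPLE_ROWS,
    )
    conn.commit()
    return conn


def list_visited_sites(conn, since=None):
    """Every recorded URL, newest first; `since` restricts to a date range."""
    query = "SELECT url, title, visit_count, last_visit FROM urls"
    params = ()
    if since:
        query += " WHERE last_visit >= ?"
        params = (since,)
    query += " ORDER BY last_visit DESC"
    return [
        {"url": r[0], "title": r[1], "visits": r[2], "last_visit": r[3]}
        for r in conn.execute(query, params)
    ]


def hosts_by_visits(conn):
    """Total visits per hostname, most visited first."""
    totals = {}
    for row in list_visited_sites(conn):
        host = urlparse(row["url"]).hostname
        totals[host] = totals.get(host, 0) + row["visits"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


def export_listing(rows):
    """Tab-separated text listing, the 'save as text file' feature."""
    lines = ["last_visit\tvisits\turl\ttitle"]
    for r in rows:
        lines.append(f"{r['last_visit']}\t{r['visits']}\t{r['url']}\t{r['title']}")
    return "\n".join(lines)


if __name__ == "__main__":
    db = build_sample_history()
    print(export_listing(list_visited_sites(db)))
    print(hosts_by_visits(db))
```

On a real case the database should be copied from the forensic image and opened read-only; opening the live file in a browser profile directory rewrites it and breaks the hash recorded at acquisition.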
Image & E-Mail Viewers
- Views files
- Converts files
- Catalogs files
- Side-by-side file comparisons
Password Cracking Tools
- Password recovery
- Allows access to computers
- 3 methods to crack passwords:
  - Dictionary attack
  - Hybrid attack
  - Brute force attack
Source: http://www-128.ibm.com/developerworks/library/s-crack/
Open Source Tools
- Free tools available to computer forensic specialists
- Cover the entire scope of forensic tools in use
- May more clearly and comprehensively meet the Daubert guidelines than closed source tools
- Among the most widely used
Source: http://software.newsforge.com/software/05/04/05/2052235.shtml?tid=129&tid=136&tid=147&tid=2&tid=132
Mobile Device Tools
- Number and variety of toolkits considerably more limited than for computers
- Require the examiner to have full access to the device
- Most tools focus on a single function
- Deleted data remains on a PDA until a successful HotSync with a computer
Sources:
http://csrc.nist.gov/publications/nistir/nistir-7100-PDAForensics.pdf
http://www.cs.ucf.edu/courses/cgs5132/spring2002/presentation/weiss.ppt#5
Forensic Tool Suites
- Provide a lower cost way to maximize the tools
- Typically include the most often used tools
- Paraben
- The Coroner’s Toolkit (TCT)
- The Sleuth Kit (TSK)
- EnCase
- Forensic Toolkit (FTK)
- Maresware
A Closer Look
- EnCase
- ByteBack
- Forensic Toolkit
- Maresware
- Paraben
- Coroner’s Toolkit
- The Sleuth Kit
EnCase
- Originally developed for law enforcement
- Built around case management
- Integrated Windows-based graphical user interface (GUI)
- Multiple features
ByteBack
- Cloning/imaging
- Automated file recovery
- Rebuild partitions & boot records
- Media wipe
- Media editor
- Software write block
Forensic Toolkit (FTK)
- Another tool suite
- Acquires & examines electronic data
- Imaging tool
- File viewer
Maresware
- Collection of tools rather than a tool suite
- Main difference – tools are stand-alone & called as needed
- 4 notable tools: Declasfy, Brandit, Bates_no, Upcopy
Paraben
- Collection of stand-alone tools
- Made up of 10 individual software tool sets
- Purchased separately, with a price break for multiple tool purchases
- Frequently used with mobile devices
Coroner’s Toolkit (TCT)
- Open source tool suite
- Supports a post-mortem analysis of Unix & Linux systems
- Written for incident response rather than law enforcement
- Not designed for the requirements to produce & prosecute
The Sleuth Kit (TSK)
- Open-source software suite built on TCT
- Collection of command-line tools
- Provides media management & forensic analysis
- Core toolkit consists of 6 tools
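"Media management" in a command-line suite like TSK starts with reading the partition table from sector 0 and reporting each partition's offset and length, plus the unallocated gaps between them where deleted or hidden data may sit. The script below is an added example of that step on a constructed MBR, written for this page; it is not TSK code and does not reproduce any TSK tool's output format. The partition-type table is a small subset, and the two partitions are sample values, not data from a real disk.

```python
import struct

SECTOR = 512
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count

# Small subset of MBR partition type codes, enough for the sample.
PARTITION_TYPES = {
    0x05: "Extended",
    0x07: "NTFS/exFAT/HPFS",
    0x0B: "FAT32",
    0x83: "Linux",
}


def build_sample_mbr():
    """Construct a 512-byte MBR with two partition entries (sample data)."""
    mbr = bytearray(SECTOR)
    entries = [
        (0x80, 0x07, 2048, 204800),    # bootable, NTFS-type, 100 MiB
        (0x00, 0x83, 206848, 409600),  # Linux, 200 MiB, immediately after
    ]
    for i, (status, ptype, start, count) in enumerate(entries):
        off = 446 + 16 * i
        mbr[off:off + 16] = struct.pack(ENTRY_FMT, status, b"\xff\xff\xff",
                                        ptype, b"\xff\xff\xff", start, count)
    mbr[510:512] = b"\x55\xaa"  # boot signature
    return bytes(mbr)


def is_valid_mbr(sector0):
    """True if the sector is full length and carries the 0x55AA signature."""
    return len(sector0) >= SECTOR and sector0[510:512] == b"\x55\xaa"


def parse_mbr(sector0):
    """Return the non-empty primary partition entries as dicts."""
    if not is_valid_mbr(sector0):
        raise ValueError("missing MBR boot signature")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        status, _, ptype, _, start, count = struct.unpack(ENTRY_FMT, sector0[off:off + 16])
        if ptype == 0 or count == 0:
            continue  # empty slot
        parts.append({
            "slot": i,
            "bootable": status == 0x80,
            "type": ptype,
            "desc": PARTITION_TYPES.get(ptype, "unknown"),
            "start": start,
            "end": start + count - 1,
            "sectors": count,
        })
    return parts


def unallocated_ranges(parts, total_sectors):
    """Sector ranges not covered by any partition (sector 0 is the MBR itself).
    These are the areas an analyst inspects for hidden or remnant data."""
    gaps = []
    cursor = 1
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] > cursor:
            gaps.append((cursor, p["start"] - 1))
        cursor = p["end"] + 1
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps


if __name__ == "__main__":
    sample = build_sample_mbr()
    for p in parse_mbr(sample):
        print(p)
    print(unallocated_ranges(parse_mbr(sample), 1_000_000))
```

The partition offsets returned here are what the file-system-level tools in such a suite take as their starting point; listing the unallocated ranges alongside them is the check that keeps an examiner from overlooking the space between partitions.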
Hardware Acquisition Tools
- Various hardware & software platforms
- Collect data
- Process data
- Save data
- Display data in a meaningful manner
Forensic Hardware
- Workstations – copy & analysis
- Drive imaging system
- Drive wiper
- Bridge
- Write blocker – SATA, SCSI, IDE, USB
- Imaging device
- SCSI bridge
Tool Costs
- Workstations starting at $5,000
- Bridges starting at $200
- Drive wipers starting at $1000
- Wide assortment of special cables and hardware accessories, varying in price
- Software – free (open source) to over $1000
Choosing Your Forensic Toolkit
- Expected types of investigations: internal reporting, prosecution
- Operating systems
- Budget
- Technical skill
- Role: law enforcement, private organization
Prepare to Tool Up
- Make lists
- Don’t overbuy overlapping tools
- No one-size-fits-all
- Training
References
- Computer Forensics Jump Start. Michael G. Solomon, Diane Barret & Neil Broom. Sybex, San Francisco, 2005.
- Hacking Exposed – Computer Forensics. Chris Davis, Aaron Philipp & David Cowen. McGraw-Hill, New York, 2005.
- Forensic and Investigative Accounting. D. Larry Crumbley, Lester E. Heitger & G. Stevenson Smith. CCH Inc., Chicago, 2003.