Computer Forensics Tools - PowerPoint PPT Presentation

About This Presentation
Title:

Computer Forensics Tools

Description:

Free tools available to Computer Forensic Specialists ... Hacking Exposed Computer Forensics. Chris Davis, Aaron Philipp & David Cowen. ...

Slides: 30
Provided by: gkea

Transcript and Presenter's Notes

1
Computer Forensics Tools
  • Hardware and Software Forensic Tools

2
Computer Forensic Tools
  • Tools are used to analyze digital data to prove or
    disprove criminal activity
  • Used in 2 of the 3 Phases of Computer Forensics
  • Acquisition: Images systems, gathers evidence
  • Analysis: Examines data, recovers deleted content
  • Presentation: Tools not used
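Added example (not from the slides or from any tool named in them): the two tool-driven phases above, acquisition and analysis, run against a constructed in-memory drive. Acquisition is a bit-for-bit copy verified by matching SHA-256 digests of source and image; analysis recovers a deleted JPEG from unallocated space by header/footer signature. The sample media, the JPEG bytes and the function names are constructed for illustration.

```python
import hashlib
import io

# Constructed sample media (not real evidence): a tiny volume whose only
# file, a JPEG, has been deleted. Its bytes survive in unallocated space
# without a directory entry, so only the content itself can be found.
JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x11" * 40 + b"\xff\xd9"
DRIVE = b"\x00" * 512 + b"filler" + b"\x00" * 200 + JPEG + b"\x00" * 300


def acquire(device: io.BufferedIOBase, block_size: int = 512):
    """Acquisition: bit-for-bit copy of the device, hashing both sides.
    The source is hashed as it is read and the finished image is hashed
    again; the two digests must match or the image is not usable."""
    src_hash = hashlib.sha256()
    image = bytearray()
    while chunk := device.read(block_size):
        src_hash.update(chunk)
        image.extend(chunk)
    return bytes(image), src_hash.hexdigest(), hashlib.sha256(image).hexdigest()


def carve_jpegs(image: bytes):
    """Analysis: recover deleted JPEGs by header (FF D8 FF) and footer (FF D9)
    signatures, without relying on any file system metadata."""
    found, pos = [], 0
    while (start := image.find(b"\xff\xd8\xff", pos)) != -1:
        end = image.find(b"\xff\xd9", start + 3)
        if end == -1:
            break  # truncated file: nothing complete to recover
        found.append(image[start:end + 2])
        pos = end + 2
    return found


def run_case(raw: bytes = DRIVE):
    """Acquire the constructed drive, verify the image, then carve it."""
    image, src_digest, img_digest = acquire(io.BytesIO(raw))
    verified = src_digest == img_digest
    recovered = carve_jpegs(image) if verified else []
    return {"verified": verified, "sha256": img_digest, "recovered": recovered}


if __name__ == "__main__":
    result = run_case()
    print("image verified:", result["verified"], "sha256:", result["sha256"])
    print("recovered files:", len(result["recovered"]))
```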

3
Admissibility of Forensic Evidence in Court
  • Data must be relevant & reliable
  • Reliability of evidence gathered by tools is
    assessed by the judge in a pre-trial hearing, aka
    Daubert Hearing
  • Assesses the methodology used to gather evidence
  • Sound scientific practices?
  • Reliable evidence?

4
Pre-trial Hearings
  • Frye Test: past method
  • Responsibility on scientific community
  • Defined acceptable evidence gathering procedures
  • Used Peer Reviewed Journals
  • Daubert Hearing: current method
  • Offers additional methods to test quality of
    evidence

Source: http://www.owlinvestigations.com/forensic_articles/aural_spectrographic/standards_of_admissibility.html
5
Daubert Hearing Process
  • Testing: Is this procedure tested?
  • Error Rate: What is the error rate of this
    procedure?
  • Publication: Has the procedure been published and
    reviewed by peers?
  • Acceptance: Is the procedure generally accepted
    within the relevant scientific community?

Sources: http://www.daubertexpert.com/basics.html
http://onin.com/fp/daubert_links.html#whatisadauberthearing
6
Types of Security Software
  • Antispyware
  • Antivirus
  • Authentication
  • E-Mail Security
  • Identity Access Management
  • Intrusion Detection
  • Intrusion Prevention
  • Network Firewall
  • Remote Access
  • Network Security Management
  • Vulnerability Management
  • Wireless
  • Emergent Technology

7
Types of Forensic Software
  • Acquisition Tools
  • Data Discovery Tools
  • Internet History Tools
  • Image Viewers
  • E-mail Viewers
  • Password Cracking Tools
  • Open Source Tools
  • Mobile Device tools (PDA/Cell Phone)
  • Large Storage Analysis Tools

8
Electronic Data Discovery Tools
  • Extract & Index Data
  • Create Electronic Images of Data
  • Search by Keyword or Document Similarity
  • Metadata:
  • Author
  • Date Created/Updated
  • Email: date sent, date received

9
More About Electronic Data Discovery Tools
  • Analyze data
  • Retrieve data from different media
  • Convert between different media and file formats
  • Extract text data from documents
  • Create images of the documents
  • Print documents
  • Archive documents

10
Internet History Tools
  • Reads Information in Complete History Database
  • Displays List of Visited Sites
  • Opens URLs in Internet Explorer
  • Adds URLs to Favorites
  • Copies URLs
  • Prints URLs
  • Saves Listing/Ranges as Text File

11
Image & E-Mail Viewers
  • Views Files
  • Converts Files
  • Catalogs Files
  • Side by Side File Comparisons

12
Password Cracking Tools
  • Password Recovery
  • Allows access to computers
  • 3 Methods to Crack Passwords:
  • Dictionary Attack
  • Hybrid Attack
  • Brute Force Attack

Source: http://www-128.ibm.com/developerworks/library/s-crack/
13
Open Source Tools
  • Free tools available to Computer Forensic
    Specialists
  • Cover entire scope of forensic tools in use
  • May more clearly and comprehensively meet the
    Daubert guidelines than closed source tools
  • Among the most widely used

Source: http://software.newsforge.com/software/05/04/05/2052235.shtml?tid=129&tid=136&tid=147&tid=2&tid=132
14
Mobile Device Tools
  • Number and variety of toolkits considerably more
    limited than for computers
  • Require examiner to have full access to device
  • Most tools focus on a single function
  • Deleted data remains on PDA until successful
    HotSync with computer

Sources: http://csrc.nist.gov/publications/nistir/nistir-7100-PDAForensics.pdf
http://www.cs.ucf.edu/courses/cgs5132/spring2002/presentation/weiss.ppt
5
15
Forensic Tool Suites
  • Paraben
  • The Coroner's Toolkit (TCT)
  • The Sleuth Kit (TSK)
  • EnCase
  • Forensic Toolkit (FTK)
  • Maresware
  • Provide a lower-cost way to maximize the tools available
  • Typically include the most often used tools

16
A Closer Look
  • EnCase
  • ByteBack
  • Forensic Toolkit
  • Maresware
  • Paraben
  • Coroner's Toolkit
  • The Sleuth Kit

17
EnCase
  • Originally developed for law enforcement
  • Built around case management
  • Integrated Windows-based graphical user interface
    (GUI)
  • Multiple Features

18
ByteBack
  • Cloning/Imaging
  • Automated File Recovery
  • Rebuild Partitions & Boot Records
  • Media Wipe
  • Media Editor
  • Software Write Block

19
Forensic Toolkit (FTK)
  • Another Tool Suite
  • Acquires & Examines Electronic Data
  • Imaging Tool
  • File Viewer

20
Maresware
  • Collection of Tools rather than a Tool Suite
  • Main Difference: Tools are Stand-Alone, Called
    as Needed
  • 4 Notable Tools:
  • Declasfy
  • Brandit
  • Bates_no
  • Upcopy

21
Paraben
  • Collection of Stand-Alone Tools
  • Made up of 10 Individual Software Tool Sets
  • Purchased Separately, Price Break for Multiple
    Tool Purchases
  • Frequently Used with Mobile Devices

22
Coroner's Toolkit (TCT)
  • Open Source Tool Suite
  • Supports a Post-Mortem Analysis of Unix/Linux
    Systems
  • Written for Incident Response rather than Law
    Enforcement
  • Not Designed for the Requirements to Produce &
    Prosecute

23
The Sleuth Kit (TSK)
  • Open-Source Software Suite
  • Built on TCT
  • Collection of Command-Line Tools
  • Provides Media Management & Forensic Analysis
  • Core Toolkit Consists of 6 Tools

24
Hardware Acquisition Tools
  • Various Hardware & Software platforms
  • Collect Data
  • Process Data
  • Save Data
  • Display Data in Meaningful Manner

25
Forensic Hardware
  • Workstations - Copy & Analysis
  • Drive Imaging System
  • Drive Wiper
  • Bridge
  • Write Blocker
  • SATA, SCSI, IDE, USB

[Images: Imaging Device; SCSI Bridge]
26
Tool Costs
  • Workstations starting at $5,000
  • Bridges starting at $200
  • Drive Wipers starting at $1000
  • Wide assortment of special cables and hardware
    accessories vary in price
  • Software: Free (Open Source) to over $1000

27
Choosing Your Forensic Toolkit
  • Expected Types of Investigations
  • Internal Reporting
  • Prosecution
  • Operating Systems
  • Budget
  • Technical Skill
  • Role
  • Law Enforcement
  • Private Organization

28
Prepare to Tool Up
  • Make Lists
  • Don't Overbuy
  • Overlapping Tools
  • No One-Size Fits All
  • Training

29
References
  • Computer Forensics Jump Start. Michael G.
    Solomon, Diane Barrett & Neil Broom. Sybex, San
    Francisco, 2005.
  • Hacking Exposed Computer Forensics. Chris
    Davis, Aaron Philipp & David Cowen. McGraw-Hill,
    New York, 2005.
  • Forensic and Investigative Accounting. D. Larry
    Crumbley, Lester E. Heitger & G. Stevenson Smith.
    CCH Inc., Chicago, 2003.