Wolf
A forensic utility used to track routing/flow information in communications data.
How should an investigator use properties of a file to detect steganography?
Review the hexadecimal code looking for anomalies in the file headers and endings using a tool such as EnCase.
How does a rainbow table work to crack passwords?
It uses a table of all possible keyboard combinations and their hash values, then searches for a match.
Sniffer
A network forensics tool that captures and analyzes data packets traveling across a network. It can intercept traffic in real time or from logs to examine information such as IP addresses, protocols, and transmitted data, and is used for troubleshooting, monitoring, and forensic investigation of network activity.
Tracer
A tool or utility used to track the path that data packets take across a network from a source to a destination. It identifies each hop (router or node) along the route and can help locate where delays, failures, or suspicious traffic occur.
XRY
A digital forensic tool used on iPhone to perform a brute-force attack on the passcode. Older iPhones had a four-digit PIN with 10,000 possible combinations of the digits 0–9. Now iPhone has a six-digit PIN, allowing for 1 million combinations.
Pwnage
PwnageTool is a legacy iOS jailbreaking application for Mac OS X, designed for jailbreaking older iPhones and iPod touches. It is primarily recognized as a tool to bypass Apple's restrictions and carrier-lock restrictions.
iMyFone
A data recovery tool designed to recover lost, deleted, or inaccessible files from iPhones, iPads, and iPods. It can recover data—including messages, photos, contacts, and WhatsApp data—directly from the device, or by extracting it from iTunes/iCloud backups.
iPhone Analyzer
Acts as what?
A forensic tool designed to browse, parse, and analyze data from iPhone backups or directly from the device. It acts as a "digital microscope" allowing users to view files that are normally hidden or inaccessible through the standard iPhone interface.
Which tool creates a bit by bit copy of a Windows 8 phone?
Cellebrite
What tool can you use to unlock an iPhone?
XRY
Which tool can do a workflow check of steganography?
Invisible Secrets
Snow
SNOW is a steganography tool that hides data inside text files using whitespace characters.
What should a forensic investigator use to gather the most reliable routing information for tracking an email message?
Email Header
What are the core elements of steganography?
Carrier, Payload, Channel
Which tool should be used to search for hidden data in images?
EnCase / FTK
Which tool can be used to hide text messages in popular American songs that are then uploaded to the web?
MP3Stego
Which password cracking tool uses rainbow tables?
Ophcrack
EnCase
EnCase from Guidance Software is a very widely used forensic toolkit. This tool allows the examiner to connect an Ethernet cable or null modem cable to a suspect machine and to view the data on that machine.
EnCase prevents the examiner from making any accidental changes to the suspect machine. This matches the way examiners normally examine computers.
FTK
Useful for?
Provides tools for?
The Forensic Toolkit (FTK) from AccessData is a widely used forensic analysis tool that is popular with law enforcement. It is available for Windows or Mac. With FTK, you can select which hash to use to verify the drive when you copy it, which features you want to use on the suspect drive, and how to search it.
FTK is particularly useful at cracking passwords, such as those for password-protected PDF files, Excel spreadsheets, and other documents.
It provides tools to search and analyze the Windows Registry where Windows stores all information regarding any programs installed. This includes viruses, worms, Trojan horses, rootkits, hidden programs, and spyware.
It gives you tools for examining email. The email can be arranged in a timeline, giving a complete view of the entire email conversation and the ability to focus on any specific item of interest.
It has an Explicit Image Detection add-on that automatically detects pornographic images. This is useful in cases involving allegations of pornography.
Sleuth Kit
Good for who?
Utilities?
GUI?
The Sleuth Kit is a collection of command-line tools that are free. This tool set isn’t as rich or easy to use as other tools, but is a good option for a budget-conscious agency.
One useful utility included is ffind.exe. You can search for a given file or only deleted versions of a file. Best used when you know the specific file you are searching for. It is not a good option for a general search.
Many people think command-line utilities are cumbersome. Fortunately, a graphical user interface (GUI) named Autopsy has been created for Sleuth Kit. Autopsy can be a second tool used to validate the results you derive from your primary tool.
Disk Investigator
This is a free forensics utility that comes as a GUI for use with Windows OS. It is not a full-featured product like EnCase, but it is easy to use. It analyzes and recovers deleted data.
When launched, it shows you a cluster-by-cluster view of your hard drive in hexadecimal form.
From the View menu, you can view directories or the root.
The Tools menu allows you to search for a specific file or to recover deleted files.
6 Steganography Tools
QuickStego - is very easy to use, but very limited.
Invisible Secrets - is more robust, with a free and paid/commercial version.
MP3Stego - hides a payload in MP3 files.
Deep Sound - hides data in sound files.
Stealth Files 4 - works with sound files, video files, and image files.
StegVideo - hides data in a video sequence.
Which forensic tools check for steganographically hidden messages?
EnCase and Forensic Toolkit (FTK)
Ophcrack
Depends on what?
Popular hacking tools like Ophcrack depend on rainbow tables. Very successful at cracking Windows local machine passwords.
Oxygen Forensics
This is a full forensic tool capable of imaging and examining iPhones and Android phones. It provides a number of user-friendly tools for extracting data such as contacts, social media data, etc. Logical extraction.
Cellebrite
The most widely known phone forensics tool. Used heavily by federal law enforcement. It is a very robust and effective tool. Only downside is its high cost. It is the most expensive phone forensics tool on the market. Creates a bit-by-bit copy of a phone.
MobileEdit
There are several variations of this product. MobileEdit Lite is the most forensically advanced version of MobileEdit. This is a very easy-to-use tool that can aid a forensic examiner in extracting data from cell phones.
Device Seizure
Paraben's Device Seizure is a specialized forensic software tool used to extract, analyze, and report on data from mobile devices, including smartphones, GPS units, and tablets. It performs both logical and physical imaging—including deleted data recovery—while maintaining forensic integrity for law enforcement. There is a license fee associated with this product.
Forensic SIM Cloner
This tool is used to clone SIM cards, allowing you to perform forensic analysis of the SIM card.
Which tool should be used to gather digital evidence on a supposed sensitive data leak being exposed on a local network?
Sniffer