Chapter 6: Current Digital Forensics Tools


21 Terms

1. Hardware Forensics Tools
Range from simple, single-purpose components to complete computer systems and servers.

2. Software Forensics Tools
Are grouped into command-line applications and GUI applications. These commonly copy data from a suspect's drive to an image file.

3. Acquisition
The first task in digital forensics investigations: making a copy of the original drive.

4. Validation
A way to confirm that a tool is functioning as intended.

5. Verification
Proves that two sets of data are identical by calculating hash values or using another similar method.

6. Filtering
Involves sorting and searching through investigation findings to separate good data from suspicious data.

7. Extraction
Functions as the recovery task in a digital investigation and is the most challenging of all tasks to master.

8. Reconstruction
Functions to recreate a suspect drive to show what happened during a crime or an incident.

9. Norton DiskEdit
One of the first MS-DOS tools used for digital investigations. This tool used manual processes that required investigators to spend considerable time on a typical 500 MB drive.

10. SMART
Designed to be installed on numerous Linux versions, including Gentoo, Fedora, SUSE, Debian, Knoppix, Ubuntu, and Slackware.

11. Hex Viewer
Color-codes hex values to make it easier to see where a file begins and ends.

12. Helix 3
One of the easiest suites to use because of its UI. You can load it on a live Windows system, and it loads as a bootable Linux OS from a cold boot. Its Windows component is used for live acquisitions.

13. Kali Linux
Formerly known as BackTrack. It includes several tools such as Autopsy and Sleuth Kit, ophcrack, dcfldd, MemFetch, and MBoxGrep.

14. Forcepoint Threat Protection
A Linux memory analysis tool that was developed under a grant from the Air Force Research Lab for Pikewerks Corporation.

15. Stationary Workstation
A tower with several bays and many peripheral devices.

16. Portable Workstation
A laptop computer with almost as many bays and peripherals as a stationary workstation.

17. Lightweight Workstation
A laptop computer built into a carrying case with a small selection of peripheral options.

18. Write-blockers
These protect evidence disks by preventing data from being written to them.

19. National Institute of Standards and Technology (NIST)
Publishes articles, provides tools, and creates procedures for testing and validating computer forensics software.

20. Computer Forensic Reference Data Sets
The _________ has been created recently to provide data sets for tools, training, and hardware testing.

21. File Slack
Unused space allocated for a file.