Chapter 6: Current Digital Forensics Tools

6.1: Evaluating Digital Forensics Tool Needs

Types of Digital Forensics Tools

• Hardware Forensics Tools: Range from simple, single-purpose components to complete computer systems and servers.
• Software Forensics Tools: Are grouped into command-line applications and GUI applications. These commonly copy data from a suspect’s drive to an image file.

Tasks Performed by Digital Forensics Tools

• Acquisition: The first task in digital forensics investigations, is making a copy of the original drive.
  • Physical data copy
  • Logical data copy
  • Data acquisition format
  • Command-line acquisition
  • GUI acquisition
  • Remote, live, and memory acquisition.
• Validation: A way to confirm that a tool is functioning as intended.
• Verification: Proves that two sets of data are identical by calculating hash values or using another similar method.
• Filtering: Involves sorting and searching through investigation findings to separate good data and suspicious data.
• Extraction: Functions as the recovery task in a digital investigation and is the most challenging of all tasks to master.
  • Data viewing
  • Keyword searching
  • Decompressing
  • Carving
  • Decrypting
  • Bookmarking or tagging
• Reconstruction: Functions to recreate a suspect drive to show what happened during a crime or an incident.
  • Disk-to-disk copy
  • Image-to-disk copy
  • Partition-to-partition copy
  • Image-to-partition copy
  • Disk-to-image copy
  • Rebuilding files from data runs and carving
• Reporting: To perform a forensics disk analysis and examination, you need to create a report.
  • Bookmarking or tagging
  • Log reports
  • Timelines
  • Report generator

6.2: Digital Forensics Software Tools

Command-Line Forensics Tools

• Norton DiskEdit: One of the first MS-DOS tools used for digital investigations. This tool used manual processes that required investigators to spend considerable time on a typical 500 MB drive.
• One advantage of using command-line tools for an investigation is that they require few system resources because they’re designed to run in minimal configurations.

Linux Forensics Tools

• SMART
  • Designed to be installed on numerous Linux versions, including Gentoo, Fedora, SUSE, Debian, Knoppix, Ubuntu, and Slackware.
  • It includes several plug-in utilities. This modular approach makes it possible to upgrade SMART components easily and quickly.
  • It also takes advantage of multithreading capabilities in OSs and hardware, a feature lacking in other forensics utilities.
  • Hex Viewer: It color-codes hex values to make it easier to see where a file begins and ends.
• Helix 3
  • It is one of the easiest suites to use because of its UI.
  • What’s unique about Helix is that you can load it on a live Windows system, and it loads as a bootable Linux OS from a cold boot. Its Windows component is used for live acquisitions.
• Kali Linux
  • It is formerly known as BackTrack.
  • It includes several tools such as Autopsy and Sleuth Kit, ophcrack, dcfldd, MemFetch, and MBoxGrep.
• Autopsy and Sleuth Kit
  • Sleuth Kit: Designed as a Linux Forensic tool.
  • Autopsy: The browser interface for accessing Sleuth Kit’s command-line tools.
• Forcepoint Threat Protection
  • Formerly known as Second Look.
  • It is a Linux memory analysis tool that was developed under a grant from the Air Force Research Lab for Pikewerks Corporation.
  • It was designed to do both onsite and remote memory acquisitions to determine whether malware is present.

6.3: Digital Forensics Hardware Tools

Forensic Workstations

• Stationary Workstation: A tower with several bays and many peripheral devices.
• Portable workstation: A laptop computer with almost as many bays and peripherals as a stationary workstation.
• Lightweight workstation: A laptop computer built into a carrying case with a small selection of peripheral options.

Using a Write-Blocker

• Write-blockers protect evidence disks by preventing data from being written to them.
• Software write-blockers, such as PDBlock from Digital Intelligence, typically run in a shell mode.
• PDBlock changes interrupt-13 of a workstation’s BIOS to prevent writing to the specified drive. If you attempt to write data to the blocked drive, an alarm sounds, advising that no writes have occurred.
• In the Windows environment, when a write-blocker is installed on an attached drive, the drive appears as any other attached disk.
• Many vendors have developed write-blocking devices that connect to a computer through FireWire, USB 2.0 and 3.0, SATA, PATA, and SCSI controllers.
• Most of these write-blockers enable you to remove and reconnect drives without having to shut down your workstation, which saves time in processing the evidence drive.

Recommendations for a Forensic Workstation

• Before you purchase or build a forensic workstation, determine where your data acquisitions will take place.
  • If you acquire data in the field, consider streamlining the tools you use.
  • If you want to reduce the hardware you carry, consider a product such as the WiebeTech Forensic DriveDock with its regular DriveDock FireWire bridge or the Logicube Talon.
• When choosing a computer as a stationary or lightweight forensic workstation, you want a full tower to allow for expansion devices. You want as much memory and processor power as your budget allows and different sizes of hard drives.
• Consider the following:
  • a 400-watt or better power supply with battery backup, extra power and data cables;
  • a SCSI controller card, external FireWire and USB ports;
  • an assortment of drive adapter bridges to connect SATA to IDE (PATA) drives;
  • an ergonomic keyboard and mouse; and
  • a good video card with at least a 17-inch monitor.
• If you plan to conduct many investigations, a high-end video card and dual monitors are recommended. If you have a limited budget, one option for outfitting your lab is to use high-end game PCs from a local computer store.
• Whatever vendor you choose, make sure the devices you select perform the functions you expect to need as an investigator.

6.4: Validating and Testing Forensics Software

Using National Institute of Standards and Technology Tools

• National Institute of Standards and Technology (NIST): Publishes articles, provides tools, and creates procedures for testing and validating computer forensics software.
• The Computer Forensic Reference Data Sets has been created recently to provide data sets for tools, training, and hardware testing.
• Your lab must meet the following criteria and keep accurate records so that when new software and hardware become available, testing standards are in place for your lab:
  • Establish categories for digital forensics tools: Group digital forensics software according to categories, such as forensics tools designed to retrieve and trace e-mail.
  • Identify forensics category requirements: For each category, describe the technical features or functions a forensics tool must have.
  • Develop test assertions: Based on the requirements, create tests that prove or disprove the tool’s capability to meet the requirements.
  • Identify test cases: Find or create types of cases to investigate with the forensics tool, and identify information to retrieve from a sample drive or other media.
  • Establish a test method: Considering the tool’s purpose and design, specify how to test it.
  • Report test results: Describe the test results in a report that complies with ISO 17025, which requires accurate, clear, unambiguous, and objective test reports.