Chapter 6: Current Digital Forensics Tools

6.1: Evaluating Digital Forensics Tool Needs

Types of Digital Forensics Tools

  • Hardware Forensics Tools: Range from simple, single-purpose components to complete computer systems and servers.
  • Software Forensics Tools: Are grouped into command-line applications and GUI applications. These commonly copy data from a suspect’s drive to an image file.

Tasks Performed by Digital Forensics Tools

  • Acquisition: The first task in a digital forensics investigation is making a copy of the original drive. Acquisition functions include:
    • Physical data copy
    • Logical data copy
    • Data acquisition format
    • Command-line acquisition
    • GUI acquisition
    • Remote, live, and memory acquisition.
  • Validation: A way to confirm that a tool is functioning as intended.
  • Verification: Proves that two sets of data (typically the original drive and its image) are identical by calculating a hash value (MD5 or SHA-1/SHA-256) of each and comparing them, or by using a similar method.
  • Filtering: Involves sorting and searching through investigation findings to separate benign data from suspicious data.
  • Extraction: Functions as the recovery task in a digital investigation and is the most challenging of all tasks to master.
    • Data viewing
    • Keyword searching
    • Decompressing
    • Carving
    • Decrypting
    • Bookmarking or tagging
  • Reconstruction: Functions to recreate a suspect drive to show what happened during a crime or an incident.
    • Disk-to-disk copy
    • Image-to-disk copy
    • Partition-to-partition copy
    • Image-to-partition copy
    • Disk-to-image copy
    • Rebuilding files from data runs and carving
  • Reporting: To complete a forensic disk analysis and examination, you need to create a report of what was found and how. Reporting functions include:
    • Bookmarking or tagging
    • Log reports
    • Timelines
    • Report generator
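The acquisition, verification and extraction tasks above, as an added example that is not part of the original chapter: a sector-level (physical) acquisition of a constructed in-memory "drive", SHA-256 verification of the image against the source, and header/footer carving of the image. The RawDevice class, the sample drive layout and the bad-sector simulation are assumptions made for the demo; the PNG/JPEG payloads carry only the signatures needed for carving and are not valid images.

```python
import hashlib

SECTOR = 512

# Signatures used for carving. The sample payloads below contain only these
# markers plus filler, so they are not valid images (constructed for the demo).
PNG_SIG = b"\x89PNG\r\n\x1a\n"
PNG_END = b"IEND\xaeB`\x82"
JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"


def build_sample_drive() -> bytes:
    """Constructed 4-sector 'drive': a PNG-like object at offset 600 and a
    JPEG-like object at offset 1500, surrounded by unallocated zeros."""
    png = PNG_SIG + b"\x00\x00\x00\rIHDR" + b"\x00" * 17 + PNG_END       # 41 bytes
    jpeg = JPEG_SOI + b"\xe0" + b"JFIF\x00" + b"\x00" * 40 + JPEG_EOI    # 51 bytes
    drive = bytearray(4 * SECTOR)
    drive[600:600 + len(png)] = png
    drive[1500:1500 + len(jpeg)] = jpeg
    return bytes(drive)


class RawDevice:
    """Stand-in for a block device (assumption): sector reads only, and the
    sectors listed in bad_sectors raise an I/O error like damaged media."""
    def __init__(self, data: bytes, bad_sectors=()):
        self._buf = data
        self.bad = set(bad_sectors)
        self.size = len(data)

    def read_sector(self, n: int) -> bytes:
        if n in self.bad:
            raise OSError(f"I/O error at sector {n}")
        return self._buf[n * SECTOR:(n + 1) * SECTOR]


def acquire(dev: RawDevice) -> tuple[bytes, list[int]]:
    """Physical acquisition. Unreadable sectors are zero-filled and logged,
    as dd/dcfldd 'conv=noerror,sync' do, so every later offset stays aligned."""
    image = bytearray()
    errors = []
    for n in range(dev.size // SECTOR):
        try:
            image += dev.read_sector(n)
        except OSError:
            errors.append(n)
            image += b"\x00" * SECTOR
    return bytes(image), errors


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify(source: bytes, image: bytes) -> bool:
    """Verification: the image hash must equal the source hash."""
    return sha256(source) == sha256(image)


def carve(image: bytes, header: bytes, footer: bytes, max_len: int = 1 << 20):
    """Header/footer carving: for each header, take everything up to and
    including the first footer found within max_len bytes."""
    found = []
    pos = 0
    while True:
        start = image.find(header, pos)
        if start < 0:
            break
        end = image.find(footer, start + len(header), start + max_len)
        if end >= 0:
            found.append((start, image[start:end + len(footer)]))
            pos = end + len(footer)
        else:
            pos = start + 1  # header without a footer: skip it, keep scanning
    return found


def run_pipeline(bad_sectors=()) -> dict:
    """Acquire, verify, then carve; returns offsets and sizes of carved objects."""
    drive = build_sample_drive()
    image, errors = acquire(RawDevice(drive, bad_sectors))
    return {
        "verified": verify(drive, image),
        "bad_sectors": errors,
        "png": [(off, len(blob)) for off, blob in carve(image, PNG_SIG, PNG_END)],
        "jpeg": [(off, len(blob)) for off, blob in carve(image, JPEG_SOI, JPEG_EOI)],
    }


if __name__ == "__main__":
    print(run_pipeline())
    print(run_pipeline(bad_sectors=[2]))  # zero-filled sector breaks verification
```

With a clean read the image verifies and both objects carve at their original offsets. With sector 2 unreadable, the zero-filled sector makes the source and image hashes differ (the examiner's notes must record the bad sector and the tool's handling of it), and the JPEG header that lay in that sector is gone, so only the PNG carves.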

6.2: Digital Forensics Software Tools

Command-Line Forensics Tools

  • Norton DiskEdit: One of the first MS-DOS tools used for digital investigations. Its manual, sector-by-sector process required investigators to spend considerable time on even a typical 500 MB drive of the era.
  • One advantage of using command-line tools for an investigation is that they require few system resources because they’re designed to run in minimal configurations.

Linux Forensics Tools

  • SMART
    • Designed to be installed on numerous Linux versions, including Gentoo, Fedora, SUSE, Debian, Knoppix, Ubuntu, and Slackware.
    • It includes several plug-in utilities. This modular approach makes it possible to upgrade SMART components easily and quickly.
    • It also takes advantage of multithreading capabilities in OSs and hardware, a feature many other forensics utilities lack.
    • Hex Viewer: It color-codes hex values to make it easier to see where a file begins and ends.
  • Helix 3
    • It is one of the easiest suites to use because of its UI.
    • What’s unique about Helix is that you can run it on a live Windows system or boot it as a Linux OS from a cold boot. Its Windows component is used for live acquisitions.
  • Kali Linux
    • Formerly known as BackTrack.
    • It includes several tools such as Autopsy and Sleuth Kit, ophcrack, dcfldd, MemFetch, and MBoxGrep.
  • Autopsy and Sleuth Kit
    • Sleuth Kit: A collection of command-line forensics tools, originally developed for Linux.
    • Autopsy: The browser interface for accessing Sleuth Kit’s command-line tools.
  • Forcepoint Threat Protection
    • Formerly known as Second Look.
    • It is a Linux memory analysis tool developed by Pikewerks Corporation under a grant from the Air Force Research Lab.
    • It was designed to do both onsite and remote memory acquisitions to determine whether malware is present.

6.3: Digital Forensics Hardware Tools

Forensic Workstations

  • Stationary Workstation: A tower with several bays and many peripheral devices.
  • Portable workstation: A laptop computer with almost as many bays and peripherals as a stationary workstation.
  • Lightweight workstation: A laptop computer built into a carrying case with a small selection of peripheral options.

Using a Write-Blocker

  • Write-blockers protect evidence disks by preventing data from being written to them. Confirm that the blocker actually works by hashing the evidence drive before and after the session; the two hashes must match.
  • Software write-blockers, such as PDBlock from Digital Intelligence, typically run in a shell mode.
  • PDBlock hooks interrupt 13h (the BIOS disk service) to prevent writes to the specified drive. If you attempt to write data to the blocked drive, an alarm sounds and a message advises that no writes have occurred.
  • In the Windows environment, when a write-blocker is installed on an attached drive, the drive appears as any other attached disk.
  • Many vendors have developed write-blocking devices that connect to a computer through FireWire, USB 2.0 and 3.0, SATA, PATA, and SCSI controllers.
  • Most of these write-blockers enable you to remove and reconnect drives without having to shut down your workstation, which saves time in processing the evidence drive.

Recommendations for a Forensic Workstation

  • Before you purchase or build a forensic workstation, determine where your data acquisitions will take place.
    • If you acquire data in the field, consider streamlining the tools you use.
    • If you want to reduce the hardware you carry, consider a product such as the WiebeTech Forensic DriveDock with its regular DriveDock FireWire bridge or the Logicube Talon.
  • When choosing a computer for a stationary forensic workstation, choose a full tower to allow for expansion devices. You want as much memory and processor power as your budget allows, and hard drives of different sizes.
  • Consider the following:
    • a 400-watt or better power supply with battery backup, extra power and data cables;
    • a SCSI controller card, external FireWire and USB ports;
    • an assortment of drive adapter bridges to connect SATA to IDE (PATA) drives;
    • an ergonomic keyboard and mouse; and
    • a good video card with at least a 17-inch monitor.
  • If you plan to conduct many investigations, a high-end video card and dual monitors are recommended. If you have a limited budget, one option for outfitting your lab is to use high-end game PCs from a local computer store.
  • Whatever vendor you choose, make sure the devices you select perform the functions you expect to need as an investigator.

6.4: Validating and Testing Forensics Software

Using National Institute of Standards and Technology Tools

  • National Institute of Standards and Technology (NIST): Publishes articles, provides tools, and creates procedures for testing and validating computer forensics software (its Computer Forensics Tool Testing, CFTT, program).
  • The Computer Forensic Reference Data Sets (CFReDS) project provides data sets for tool testing, training, and hardware testing.
  • To validate tools, your lab should follow these steps and keep accurate records, so that testing standards are already in place when new software and hardware become available:
    • Establish categories for digital forensics tools: Group digital forensics software according to categories, such as forensics tools designed to retrieve and trace e-mail.
    • Identify forensics category requirements: For each category, describe the technical features or functions a forensics tool must have.
    • Develop test assertions: Based on the requirements, create tests that prove or disprove the tool’s capability to meet the requirements.
    • Identify test cases: Find or create types of cases to investigate with the forensics tool, and identify information to retrieve from a sample drive or other media.
    • Establish a test method: Considering the tool’s purpose and design, specify how to test it.
    • Report test results: Describe the test results in a report that complies with ISO/IEC 17025, which requires accurate, clear, unambiguous, and objective test reports.
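The six validation steps above, applied to the write-blocker category from section 6.3, as an added example that is not NIST's code or part of the original chapter: requirements are written as test assertions, a constructed reference image with a known hash serves as the test case (the role CFReDS images play), the test method attempts a write and an acquisition through the blocker, and the result is a per-assertion report. The "blocker" under test is an assumption made for the demo: a read-only file descriptor (POSIX os.pread/os.pwrite) standing in for a real hardware or driver-level blocker, plus a deliberately broken one as a negative control the harness must fail.

```python
import hashlib
import os
import tempfile


class ReadOnlyBlocker:
    """Stand-in for a software write-blocker (assumption, not how PDBlock's
    INT 13h hook works): the evidence file is reachable only through a
    descriptor opened O_RDONLY, so the OS refuses every write. POSIX only."""
    MODE = os.O_RDONLY

    def __init__(self, path: str):
        self.fd = os.open(path, self.MODE)
        self.size = os.fstat(self.fd).st_size

    def read(self, offset: int, length: int) -> bytes:
        return os.pread(self.fd, length, offset)

    def write(self, offset: int, data: bytes) -> None:
        os.pwrite(self.fd, data, offset)  # raises OSError (EBADF) on a read-only fd

    def close(self) -> None:
        os.close(self.fd)


class BrokenBlocker(ReadOnlyBlocker):
    """Negative control: claims to block writes but opens the media read-write.
    A sound harness must fail this one."""
    MODE = os.O_RDWR


# Category: write-blockers. Requirements phrased as test assertions.
ASSERTIONS = {
    "WB-01": "A write attempted through the blocker is refused",
    "WB-02": "The evidence hash is unchanged after the session",
    "WB-03": "Reads through the blocker return the original bytes",
    "ACQ-01": "An image acquired through the blocker hashes identically to the reference",
}


def make_reference_media(directory: str) -> tuple[str, str]:
    """Test case: a constructed reference 'drive' whose content and SHA-256
    are recorded before any tool touches it."""
    path = os.path.join(directory, "reference.dd")
    data = b"EVIDENCE" * 512 + b"\x00" * 4096
    with open(path, "wb") as f:
        f.write(data)
    return path, hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def run_validation(blocker_cls) -> list[dict]:
    """Test method: put the reference media behind the blocker, attempt a
    write, acquire through the blocker, then rehash the media. Returns the
    report as one entry per assertion."""
    passed = {}
    with tempfile.TemporaryDirectory() as d:
        path, ref_hash = make_reference_media(d)
        blk = blocker_cls(path)
        try:
            try:
                blk.write(0, b"TAMPER")
                passed["WB-01"] = False  # the write went through
            except OSError:
                passed["WB-01"] = True
            image = b"".join(blk.read(off, 4096) for off in range(0, blk.size, 4096))
            passed["WB-03"] = image[:8] == b"EVIDENCE"
            passed["ACQ-01"] = hashlib.sha256(image).hexdigest() == ref_hash
        finally:
            blk.close()
        passed["WB-02"] = sha256_file(path) == ref_hash
    return [{"id": k, "requirement": ASSERTIONS[k], "passed": passed[k]}
            for k in sorted(passed)]


def tool_accepted(report: list[dict]) -> bool:
    """The tool passes the category only if every assertion passed."""
    return all(r["passed"] for r in report)


if __name__ == "__main__":
    for cls in (ReadOnlyBlocker, BrokenBlocker):
        report = run_validation(cls)
        print(cls.__name__, "accepted" if tool_accepted(report) else "REJECTED")
        for r in report:
            print(f"  {r['id']}: {'pass' if r['passed'] else 'FAIL'}  {r['requirement']}")
```

The same report structure (assertion ID, requirement text, pass/fail) is what a lab keeps on file for each tool version tested; rerunning the harness when a new release arrives is the record-keeping the steps above call for.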