by Donald Wood CSS 350

Overview Forensic tools are an important part of the computer forensic investigator’s ability to perform his/her job. Imaging Tools (disk imaging, write protection, etc) Search Tools (Text, program, etc) Data Recovery Tools (deleted files, format recovery, etc) Recommended Hardware Tools Monitoring tools, both network and individual system Strengths, weaknesses, risks, reviews of each

Imaging Suggested Tool DeepSpar Disk Imager The first dedicated imaging device built to handle disk- level problems. DeepSpar Disk Imager Forensic Edition is a portable version of DeepSpar Disk Imager Data Recovery Edition with addition of forensic-specific functionality.

Imaging Suggested Tool Con’t Strengths Maps scanned sectors and “remembers” just where you left off if the process is interrupted. Weaknesses Drive caching can cause problems for example: if there is a bad sector within the read ahead block it can cause the drive to hang or timeout Risks Same as weakness Reviews Accesses the drive directly using its own hardware and software routines to send ATA read commands so any media errors can be identified immediately, blocks containing bad sectors are skipped and the imaging process continues from the next block of data until the first pass is finished. Once complete, it then goes backwards through the drive so that any drive caching is disabled.

Imaging Suggested Tool Con’t

Search Tools Hurricane Search Created to help you search for evidence and solve computer crime. Hurricane Search helps find text stored on computer hard drives. Build evidence by searching text files, PDF documents, and Word files thoroughly as well as finding evidence in binary files with embedded information on hard drives.

Search Tools Con’t Strengths Elect multiple directories to include or exclude from searches, User interface enhances the way you work through minimized keystrokes, Preview results in context, Search data hidden in compressed Zip and Binary files Weaknesses None Listed Risks None Listed Reviews Used worldwide by thousands of professionals to find text and build legal evidence. Our customers have reported that Hurricane Search is used to conduct employee investigation, ensure intellectual property protection, assist law enforcement officers, and located malicious data in business environments or on client workstations.

Data Recovery DriveLook V1.00 Scans a drive or a partition of a drive for text strings and stores them in a table. After completion of the scan you can browse this table and view the locations where the words have been found. The search function allows you to do fast inquiries for combinations of words.

Data Recovery Con’t Strengths The search function allows you to do fast inquiries for combinations of words. Weaknesses Limited to a Windows OS Risks None Listed Reviews Used worldwide by thousands of professionals to find text and build legal evidence. Our customers have reported that Hurricane Search is used to conduct employee investigation, ensure intellectual property protection, assist law enforcement officers, and located malicious data in business environments or on client workstations.

Recommended Hardware Tools A hardware platform could be anything from a 7-bay tower to a portable small form factor system or even a laptop. A system with a MicroATX motherboard and medium form factor case is a reasonable compromise for a static lab station. A standard MicroATX board will supply onboard video and be able to support 2 PCI cards, 2 PCI Express cards, 4 DIMMs, Parallel and Serial ATA hard drives, Floppy drives, USB 2.0, and Gigabit Ethernet. A new Intel or AMD CPU will be more than sufficient for most investigations. While the processor speed does make a difference for certain operations, one of the mainstays of the forensic investigation is the keyword search which requires that each sector of a suspect hard drive be examined and the speed of that process relies almost entirely on the speed of the drive itself. Instead of investing in high- priced workstations with the top-of-the-line CPUs, investigators should focus on ensuring the highest speed I/O bus so the system can quickly access the data stored on disk.

Network Monitoring Tools Network Monitoring Scrutinizer - delivers a diverse range of free and commercial flow measuring and monitoring tools.

Network Monitoring Tools Con’t Strengths Saves unlimited amounts of past NetFlow data. Weaknesses None Listed Risks None Listed Reviews Saves unlimited amounts of past NetFlow data. Adds several additional traffic analysis Report Types (e.g. Flows, Flow Volume, NBAR Support, etc.). Algorithms perform Network Behavior Analysis on all flows across all routers / switches. Top (applications, hosts, flows, countries, domains, etc.) across all routers / switches. Constantly resolving all IP addresses. Uses saved Scrutinizer Reports to monitor for threshold violations.

Host Monitoring Tools Advanced Host Monitor Version 8.58 Host Monitor is a highly scalable network monitoring software suitable for small and enterprise-level networks.

Host Monitoring Tools Con’t Strengths In the event of network errors, HostMonitor will alert the network administrator (or even correct the problem when possible) before problems get seriously out of hand. Weaknesses None Listed Risks None Listed Reviews A system management tool that continuously monitors servers' availability and performance. In the event of network errors, HostMonitor will alert the network administrator (or even correct the problem when possible) before problems get seriously out of hand. This helps protect your company's data and reduces the likelihood of costly network failures.

Resources forensic.html?gclid=CMaD8rf6tKECFQz_iAod0Em2Dw forensic.html?gclid=CMaD8rf6tKECFQz_iAod0Em2Dw y,%20McGoff%20- %20Choosing%20Hardware%20for%20a%20Computer%20 Forensic%20Lab.pdf y,%20McGoff%20- %20Choosing%20Hardware%20for%20a%20Computer%20 Forensic%20Lab.pdf netflow-scrutinizer.php netflow-scrutinizer.php

Questions