1. CSCD 496 Computer Forensics
Lecture 6
Tools for Computer Forensics
Winter 2010

2. Introduction A successful Computer Forensics investigator
Must have a lot of tools!
Think of tools like Batman Utility Belt
James Bond special devices
While you won't be sticking to walls ...

3. Introduction Computer Security similar to Digital Forensics
Need knowledge of OS's, networks, software vulnerabilities, defense types of software
Firewalls, virus software, Intrusion detection
Digital Forensics differs
Evidence is the focus, not preventing compromise
Specialized tools become critical to collecting and preserving evidence

4. Goal of Having Tools Prior to Investing Time/Money in Tool(s)‏
Ask: What will the tool do for me?
Automated features – Save time
Allow examination of new file systems
Vendor reputation – increase confidence in results

5. Types of Tools Two Main categories of tools
Hardware Tools
Range from simple single purpose components to complete forensics systems
Software Tools
Most common Windows and Linux OS based
Simple image makers to full featured programs
Frequently use both in collecting and preserving evidence

6. Investigative Process Model
Persuasion and testimony
Ends with testimony
Reporting
Analysis
Tools
Organization and Search
Case
Management
Reduction
Harvesting
Tools
Recovery
Preservation
Identification of seizure
Incident/Crime scene protocols
Tools
Assessment of worth
Incident Alerts or accusation
Begins with Incident alert

7. Type of Tools Hardware Tools
Complete investigative systems, Digital Forensics Workstation
Can put one together yourself
Suggestions in Chapters 2 and 3
Buy one ready made like the F.R.E.D. Forensic Recovery and Forensics Device
About $6000

8. F.R.E.D. Information FORENSIC SYSTEMS
“F.R.E.D. family of forensic workstations consists of integrated forensic processing platforms capable of handling most challenging computer case”
F.R.E.D. professional forensic systems, and the Digital Intelligence UltraBay universal write protected imaging bay, deliver the ability to easily duplicate evidence directly from IDE/SCSI/SATA hard drives, floppies, CDs, DVDs, ZIP cartridges, 4MM DAT tapes and PC Card/Smartmedia/SD-MMC/Memory Stick/Compact

9. Hardware Forensic Devices
Write Blockers
Hardware
Device that intercepts data intended for the disk
Prevents writing that could alter data
Many types
IDE, SCSCI and SATA interfaces
Connect your evidence disk drive to your workstation and start OS as usual
Acts as a bridge between disk drive and forensic workstation

10. Write Blocker Hardware
Implement media write blockers during acquisition:
Prevent changes to evidence
Sit between forensic machine and media
SCSI, SATA, IDE, etc

11. Hardware Forensic Devices
Hardware Write Blocker
Windows drive appears as any other drive
Can access the drive to view files
Or use word to read files
When you copy data to blocked drive
Shows copy was a success
Write blocker actually discards the data
Data is written to NULL
When you look at disks, won’t see data or files you copied to it

12. UltraBlock-SATA Example – Digital Intelligence
The UltraBlock-SATA can be connected to your laptop or desktop using FireWire-A (400 Mb/s) or the FireWire-B (800 Mb/s) interfaces
Like the UltraBlock-IDE, the UltraBlock-SATA is provided with write protection enabled by default
Is user configurable for Read-Only or Read-Write Operation.
Cost: UltraBlock – SATA $ 199
SATA Kit $ 281
UltraBlock Scsi Kit $ 446

13. Type of Tools Software Tools
Most common and numerous compared to hardware
Command line tools, GUI tools, Windows, Unix/Linux, OS specific tools
Today, look mostly at Windows tools
Later, cover Linux/Unix OS tools, mostly open source
One way to group tools is by investigative function
Can be grouped into five categories which map to tasks used in a computer investigation
Some of these tools specific to a single task
Others, full featured programs used across all tasks

14. Tools by Investigative Tasks
Tasks include
1. Acquisition
2. Validation and Discrimination
3. Extraction
4. Reconstruction
5. Reporting

15. Acquisition What is the goal of acquisition?
Is obtaining the data from a crime scene
First step in an investigation, typically
Make copy of the original disk drive
Preserve digital evidence
Two types of software acquisition
Physical copying of a disk – entire disk
Logical copying of a disk partition

16. Acquisition Bit Stream copy
Bit-by-bit copy of the original storage medium
Exact duplicate
Example: dd command in Unix/Linux
Creates a file, called a Bit Stream Image file
Already covered this ...

17. Acquisition - Image File
X-Ways Forensics

18. Acquisition – Image File
Encase example

19. Validation and Discrimination
Validation of Data
Why do we do this?
Ensures integrity of data
Need this to prove guilt or innocence to legal system
Where we use hashes of original data and compare to copies of acquired data
Do this each time we access the copy
Most integrated forensics tools do this automatically for you

20. Validation and Discrimination
Discrimination of Data
Sorting and Searching of Data
Purpose:
Separate “good” data from “suspicious” data
Subfunctions of Validation and Discrimination
Hashing
Filtering
Analysis of File Headers

21. Validation and Discrimination
Hash Values of Known Files
Discriminate between known files and unknown files
Known list of good file hash values
Maintained by NIST at National Software Reference Library (NSRL)‏
Forensics Tools - import known good file hashes
Compare them to files on suspect drive

22. Validation and Discrimination
Analyze Header Values
Many programs include list of common file header values
Known file types have distinctive headers
Allow OS to determine file type
See whether file extension matches header value
Common to hide files by changing extension
jpg or gif becomes .txt
Header will disagree – shows up in tool

23. Extraction Most demanding task Recovery digital evidence
View data, keyword search, file carving, decryption
Tools below have Nice GUI, plus offer all of the above capabilities
FTK, EnCase, SMART, iLook, ProDiscover

24. Extraction Keyword Search
Allows you to search for keywords of interest
When doing text/pattern searches
usually also run:
File signature verification
Review file headers
Match with extension
Hash computation
Compute hashes on all
files

25. Extraction File Signature verification
Encase can compare each file header to library
of over 220 unique known signatures
to determine file type, eg .doc, .jpg, etc

26. Extraction Case one: A file header matches a known value but the
extension does not match
Can assist in finding files with changed extensions
For example renaming a .jpg file with a .txt
extension:
Can do for every file and quick sort to search
for inconsistencies

27. Extraction Case two: Encase will act consistent with header when
A file header matches a known value but the
file does not have an extension
Encase will act consistent with header when
file is double clicked,
e.g. launch Excel for file matching Excel header
Encase will act consistent with header when
file is viewed
e.g. Gallery view will display pictures even
though no extensions

28. Extraction
Hash computation
Calculate the MD5 hash of every file

29. Extraction
Import NIST known OS MD5 or SHA-1 hashes available on their web site

30. Evidence Analysis
Encase now indicates “*known” files
(* used for sorting purposes)‏

31. Extraction
Now use an Encase Filter to remove these files from view and searches:
In this case, reduced 21,085 files to 14,787
30% less files to search!

32. Extraction Deconstruct file fragments From deleted files
“Carving” name in the US
Locate file header information
Most tools also analyze unallocated areas of a disk drive or bit stream image file
Locate entire file structure of file fragments carved out and copied to a new file

33. Extraction Decryption
Encrypted data is a problem for forensics investigations
Files can be encrypted, entire disk or partition
Some tools produce list of words for password guessing of an encrypted area
Could possibly locate password in a temporary file on disk, if you are lucky!!
Can also run a brute force attack against the file

34. Reconstruction Task of re-creating a suspect's disk drive
Don't always have to do this, depends
Run suspect computer to show what happened during a crime
Or, create an identical copy for other investigators
Do a bit-by-bit copy to identical disk as suspect disk
Disk technology changes pretty fast
Not likely to find identical drive and model

35. Reconstruction Several ways to do this Hardware and Software tools
Disk-to-disk copy
Image-to-disk copy
Partition-to-partition copy
Image-to-partition copy
Hardware and Software tools
All of these tools adjust target disk geometry
Means if target disk differs from original suspect disk will map cylinders, sectors and tracks of original to target
Target Disk must be equal or larger in size

36. Reconstruction Hardware Tools Software Tools Hardware is fastest
Logical Forensic SF-5000
Logical Forensic MD5
Image MaSSter Solo 2
Software Tools
Safeback, SnapCopy plus others

37. Reporting Many forensics tools also do reporting Log Report
Produce a report of steps taken in an investigation
Good if need to repeat an investigation
Or, review steps taken
Peer review of the case
FTK, iLook, X-Ways Forensic, Encase, ProDiscover
Plus most others

38. Validating and Testing Forensic Software
NIST - National Institute of Standards and Technology
NIST sponsored a project called “Computer Forensics Tool Testing” (CFTT)‏
Why might you want to test these tools?

39. Validating and Testing Forensic Software
NIST - National Institute of Standards and Technology
Publishes articles, tools and procedures for testing and validating computer forensics software
Software should be verified so that there is greater confidence in digital evidence used in court
Created a general approach for testing computer forensics tools
Criteria for testing is at the same site
MD5 and SHA-1Hashes of Known files

40. Examples of Tools Disk that came with your Book has:
Technology Pathways ProDiscover Basic
Access Data Forensic Toolkit (FTK), Registry Viewer and FTK Imager
Runtime Software DiskExplorer for FAT, NTFS and HDHOST
X-Ways Forensics WinHex
Page xxiii in text has links to many other tools
For next assignment, you get to download tools, play with them ... fun, fun, fun !!!

41. Resources Resources for Tools E-Evidence List of Software Tools
Open Source Forensics Tools: The Legal Argument
Brian Carrier
evidence.org/papers/opensrc_legal.pdf
Nice source of references and tool discussions for open source tools
Evaluating Commercial Counter Forensics Tools
Matthew Geiger
rforensics.pdf

42. Summary and Limitations
Tools Are Critical to being a Computer Forensics Investigator!!!
Better set of tools
More complete analysis of data
More types of analysis and data/computers can analyze
More confidence that data was handled correctly
Confidence in evidence increases
Important in court
Tool Limitations
Encrypted data, can't help too much
Steganography

43. References
Nelson, Bill et al. “Guide to Computer Forensics Investigations”
Chapter 7

44. Finish Check Web Site for Reading Assignment due today,
Next Assignment on Friday !!!