Computer Forensics Tools
Presentation on theme: "Computer Forensics Tools"— Presentation transcript:

1 Computer Forensics Tools
Hardware and Software Forensic Tools

2 Computer Forensic Tools
Tools are used to analyze digital data and to prove or disprove criminal activity
Used in 2 of the 3 phases of computer forensics:
Acquisition – images systems and gathers evidence
Analysis – examines data and recovers deleted content
Presentation – tools play little part beyond generating reports

The field of computer forensic investigation includes the capture and analysis of digital data to prove either that a crime has been committed or that it has not. The range of crimes includes computer-related crime as well as other crimes that have left evidence in digital form. There are three main phases of computer forensics: acquisition, analysis and presentation. This presentation focuses primarily on the acquisition and analysis stages, the two that relate directly to collecting and examining evidence.

3 Admissibility of Forensic Evidence in Court
Data must be relevant and reliable
Reliability of evidence gathered by tools is assessed by the judge in a pre-trial hearing, a.k.a. a Daubert hearing
The hearing assesses the methodology used to gather the evidence:
Were sound scientific practices used?
Is the evidence reliable?

The two criteria that are necessary for admissibility are whether sound scientific practices were used to collect and analyze the data presented, and whether that evidence is reliable, that is, whether the data can be counted on to represent facts.

4 Pre-trial Hearings
Frye test – past method
Responsibility on the scientific community
Defined acceptable evidence-gathering procedures
Used peer-reviewed journals
Daubert hearing – current method
Offers additional ways to test the quality of evidence

“The Frye test originated from the Court of Appeals of the District of Columbia in a decision rejecting admissibility of a systolic blood pressure deception test (a forerunner of the polygraph test). The court stated that admission of this novel technique was dependent on its acceptance by the scientific community. There are three problems with the Frye standard: at what point is the principle "sufficiently established", at what point is "general acceptance" reached, and what is the proper definition of "the particular field in which it belongs".” Source:

5 Daubert Hearing Process
Testing – Has this procedure been tested?
Error rate – What is the error rate of this procedure?
Publication – Has the procedure been published and reviewed by peers?
Acceptance – Is the procedure generally accepted within the relevant scientific community?

“In its 1993 Daubert v. Merrell Dow opinion, the United States Supreme Court articulated a new set of criteria for the admissibility of scientific expert testimony and in its 1999 Kumho Tire v. Carmichael opinion, the Court extended Daubert's general holding to include non-scientific expert testimony as well.”
The Daubert opinion states that:
• the trial judge must still screen scientific evidence to ensure it is relevant and reliable;
• “the focus, of course, must be solely on principles and methodology, not on the conclusions they generate;”
• and factors the court should consider include:
– testing and validation
– peer review
– rate of error
– “general acceptance”
Sources:

6 Types of Security Software
Antispyware
Antivirus
Authentication, security, identity & access management
Intrusion detection
Intrusion prevention
Network firewall
Remote access
Network security management
Vulnerability management
Wireless
Emergent technology

Security tools are software applications used to prevent unauthorized access to and use of digital media. They are in use by home users, corporations and small businesses. While not computer forensic software, they are the first step in prevention and should be in place, if not before an investigation, then certainly after one concludes.

7 Types of Forensic Software
Acquisition tools
Data discovery tools
Internet history tools
Image viewers
E-mail viewers
Password cracking tools
Open source tools
Mobile device tools (PDA/cell phone)
Large storage analysis tools

There are many standard tools in use by computer forensic experts to trace what happened, when it occurred and who the perpetrator may have been. These are the categories into which forensic software is classified.

8 Electronic Data Discovery Tools
Extract & index data
Create electronic images of data
Search by keyword or document similarity
Metadata: author, date created & updated, date sent & received

Electronic data discovery (e-discovery) tools assist in the recovery of data that may have been deleted but not completely removed from a computer system. Extraction is the collection of the data; indexing sorts it into groups that enable analysis. Creating an electronic image of the data should be one of the first steps in any forensic investigation, so that analysis is performed on the copy rather than on the original. Searching can be done by strings of data, by file type or by file similarity. Metadata is data that describes data, such as who created a file, when it was created, the size of the file and when it was last updated or accessed.

9 More About Electronic Data Discovery Tools
Analyze data
Retrieve data from different media
Convert between different media and file formats
Extract text & data from documents
Create images of the documents
Print documents
Archive documents

Electronic data discovery tools are not limited to simply finding data and metadata. Some of their other functions are listed above.
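The extract, index, search and metadata steps from the two slides above, as an added example (not code from the presentation or from any vendor's product). It walks a directory, records each file's size, timestamps and SHA-256 hash, builds an inverted keyword index from the files' text, and answers keyword queries. The three sample documents are constructed in a temporary directory so the script runs offline; the file names and contents are invented for the demo.

```python
"""Minimal electronic data discovery (EDD) index: metadata, hashes, keyword search."""
import hashlib
import os
import re
import tempfile
from collections import defaultdict
from datetime import datetime, timezone

WORD_RE = re.compile(r"[\w@.-]+")


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large evidence files never have to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def file_metadata(path):
    """Metadata an EDD tool records for each item: size, timestamps and hash."""
    st = os.stat(path)

    def iso(t):
        return datetime.fromtimestamp(t, timezone.utc).isoformat()

    return {
        "path": path,
        "size": st.st_size,
        "modified": iso(st.st_mtime),
        "accessed": iso(st.st_atime),
        # st_ctime is the inode-change time on Unix and the creation time on Windows.
        "changed": iso(st.st_ctime),
        "sha256": sha256_file(path),
    }


def build_index(root):
    """Extract text from every file under root and build an inverted keyword index."""
    catalog = {}              # path -> metadata record
    index = defaultdict(set)  # lowercase word -> set of paths containing it
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            catalog[path] = file_metadata(path)
            with open(path, "rb") as f:
                text = f.read().decode("utf-8", errors="ignore")
            for token in WORD_RE.findall(text.lower()):
                word = token.strip(".-")  # "friday." is indexed as "friday"
                if word:
                    index[word].add(path)
    return catalog, index


def search(index, *keywords):
    """Paths that contain every keyword (case-insensitive AND search)."""
    if not keywords:
        return []
    hits = [index.get(k.lower(), set()) for k in keywords]
    return sorted(set.intersection(*hits))


def build_sample_case():
    """Constructed evidence set (three small documents) for the demo; not real data."""
    root = tempfile.mkdtemp(prefix="edd_")
    docs = {
        "memo.txt": "Transfer the funds to account 4471 before Friday. -- J. Doe",
        "notes.txt": "Meeting notes: budget, account review, nothing unusual.",
        "readme.txt": "Quarterly report template.",
    }
    for name, body in docs.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as f:
            f.write(body)
    return root


if __name__ == "__main__":
    root = build_sample_case()
    catalog, index = build_index(root)
    for meta in catalog.values():
        print(os.path.basename(meta["path"]), meta["size"], meta["sha256"][:16], meta["modified"])
    print("account:", [os.path.basename(p) for p in search(index, "account")])
    print("account AND funds:", [os.path.basename(p) for p in search(index, "account", "funds")])
```

The hash is recorded at the same time as the metadata so that any later search result can be tied back to the exact bytes that were indexed; an index that cannot be matched to a verified copy of the evidence is of little use in court.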

10 Internet History Tools
Reads information in the complete history database
Displays a list of visited sites
Opens URLs in Internet Explorer
Adds URLs to Favorites
Copies URLs
Prints URLs
Saves listing/ranges as a text file

Internet history tools are useful in tracking how users have used the internet and which sites were accessed. The record is limited, however: a history entry shows that a site was reached, not why. A visit may have come from a search result or a redirect rather than a deliberate choice, so intent cannot be inferred from a single entry unless there is a pattern of visits to multiple sites with similar content.
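The slide describes an Internet Explorer history viewer; the added example below (not code from the presentation or from any history tool) shows the same read-the-database, list-the-visits, save-a-range workflow against the SQLite `History` file that Chromium-based browsers keep. The schema is an assumption stated here: a `urls` table with `url`, `title`, `visit_count` and `last_visit_time`, the last in microseconds since 1601-01-01 UTC. The database is constructed in memory with invented visits so the script runs offline.

```python
"""List visited sites from a Chromium-style History database, oldest first."""
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(us):
    """Convert a WebKit/Chromium timestamp (microseconds since 1601-01-01 UTC) to a datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def datetime_to_webkit(dt):
    """Inverse conversion; used to build sample rows and to express range bounds in queries."""
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def open_history(path):
    """Open a working copy of the History file read-only; never open the original evidence writable."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def list_history(conn, start=None, end=None):
    """Return (visited_at, url, title, visit_count) rows ordered by time.

    start/end are optional timezone-aware datetimes bounding last_visit_time
    (start inclusive, end exclusive), mirroring the "save a range" feature.
    """
    sql = "SELECT url, title, visit_count, last_visit_time FROM urls WHERE 1=1"
    params = []
    if start is not None:
        sql += " AND last_visit_time >= ?"
        params.append(datetime_to_webkit(start))
    if end is not None:
        sql += " AND last_visit_time < ?"
        params.append(datetime_to_webkit(end))
    sql += " ORDER BY last_visit_time"
    return [(webkit_to_datetime(ts), url, title, count)
            for url, title, count, ts in conn.execute(sql, params)]


def format_listing(rows):
    """Text listing of the kind a history tool saves to a file."""
    return "\n".join(f"{ts:%Y-%m-%d %H:%M:%S} UTC  {count:>3}  {url}  {title}"
                     for ts, url, title, count in rows)


def build_sample_history():
    """Constructed in-memory History database with three invented visits (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
                 "visit_count INTEGER, last_visit_time INTEGER)")
    utc = timezone.utc
    visits = [
        ("https://example.com/login", "Sign in", 3, datetime(2024, 3, 1, 9, 15, tzinfo=utc)),
        ("https://example.org/search?q=shred", "Search", 1, datetime(2024, 3, 1, 9, 20, tzinfo=utc)),
        ("https://example.net/file-wiper", "Wiper download", 2, datetime(2024, 3, 2, 8, 0, tzinfo=utc)),
    ]
    conn.executemany(
        "INSERT INTO urls (url, title, visit_count, last_visit_time) VALUES (?, ?, ?, ?)",
        [(u, t, c, datetime_to_webkit(ts)) for u, t, c, ts in visits])
    return conn


if __name__ == "__main__":
    conn = build_sample_history()
    print(format_listing(list_history(conn)))
    day_one = list_history(conn, end=datetime(2024, 3, 2, tzinfo=timezone.utc))
    print("visits before 2024-03-02:", len(day_one))
```

Note the epoch conversion: the same 64-bit microsecond count is used in several Windows and browser artifacts, and mis-converting it shifts every visit by 369 years, which is exactly the kind of methodology error a Daubert hearing probes.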

11 Image & E-Mail Viewers
Views files
Converts files
Catalogs files
Side-by-side file comparisons

Image and e-mail viewers allow the forensic investigator to view images and e-mails and capture them as evidence. Most image and e-mail viewers can view and access multiple image and e-mail formats.

12 Password Cracking Tools
Password recovery
Allows access to computers
3 methods to crack passwords:
Dictionary attack
Hybrid attack
Brute force attack

Dictionary attack – A dictionary file (a text file full of dictionary words) is loaded into a cracking application, which runs it against the user accounts the application has located. Because the majority of passwords are simplistic, a dictionary attack is often sufficient to do the job.
Hybrid attack – A hybrid attack adds numbers or symbols to the dictionary words in order to crack a password. Many people change their passwords by simply adding a number to the end of the current password. The pattern usually takes this form: first month password is "cat"; second month password is "cat1"; third month password is "cat2"; and so on.
Brute force attack – A brute force attack is the most comprehensive form of attack, though it may take a long time depending on the length and complexity of the password; some brute force attacks can take a week or more. Source:
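The three methods side by side, as an added example (not code from the presentation or from any cracking tool). The target is an unsalted SHA-256 digest, chosen only to keep the demo short; real operating-system and application hashes are salted and deliberately slow, which changes the cost of each attempt, not the three strategies. The word list and the target passwords (including the slide's "cat2" pattern) are constructed here.

```python
"""Dictionary, hybrid and brute-force attacks against a password hash."""
import hashlib
import itertools
import string

WORDLIST = ["password", "letmein", "dragon", "cat", "summer"]  # constructed mini dictionary


def sha256_hex(candidate):
    return hashlib.sha256(candidate.encode()).hexdigest()


def dictionary_attack(target, words=WORDLIST):
    """Try each dictionary word as-is. Returns (password, attempts) or (None, attempts)."""
    for attempts, word in enumerate(words, 1):
        if sha256_hex(word) == target:
            return word, attempts
    return None, len(words)


def hybrid_attack(target, words=WORDLIST, max_digits=2, symbols="!@#$"):
    """Dictionary words with a number (0-99) or a symbol appended, for the word and its capitalized form."""
    attempts = 0
    suffixes = [str(n) for n in range(10 ** max_digits)] + list(symbols)
    for word in words:
        for base in (word, word.capitalize()):
            for suffix in suffixes:
                attempts += 1
                if sha256_hex(base + suffix) == target:
                    return base + suffix, attempts
    return None, attempts


def brute_force(target, alphabet=string.ascii_lowercase + string.digits, max_len=4):
    """Every string over the alphabet up to max_len, shortest first; cost grows as len(alphabet) ** length."""
    attempts = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            attempts += 1
            candidate = "".join(combo)
            if sha256_hex(candidate) == target:
                return candidate, attempts
    return None, attempts


def crack(target):
    """Run the three methods in order of cost and stop at the first hit."""
    methods = (("dictionary", dictionary_attack), ("hybrid", hybrid_attack), ("brute force", brute_force))
    for name, method in methods:
        found, attempts = method(target)
        if found is not None:
            return name, found, attempts
    return None, None, 0


if __name__ == "__main__":
    # Constructed targets: a plain dictionary word, the slide's "cat2" pattern, and a short random string.
    for secret in ("dragon", "cat2", "zq9"):
        print(secret, "->", crack(sha256_hex(secret)))
```

The attempt counts make the slide's point concrete: "dragon" falls in a handful of attempts, "cat2" in a few hundred, while even a three-character random string costs tens of thousands, and each extra character multiplies that by the alphabet size.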

13 Open Source Tools
Free tools available to computer forensic specialists
Cover the entire scope of forensic tools in use
May more clearly and comprehensively meet the Daubert guidelines than closed source tools
Among the most widely used

Open source tools are often grouped with freeware and shareware, although the categories differ: open source means the source code is published, while freeware and shareware describe only the cost. They are easily and readily available on the internet. The reason open source tools may more clearly and comprehensively meet the Daubert guidelines is their extensive use and the fact that the code can be viewed and assessed by experts in the field, so the method can be tested and its error rate examined rather than taken on trust. Source:

14 Mobile Device Tools
Number and variety of toolkits considerably more limited than for computers
Require the examiner to have full access to the device
Most tools focus on a single function
Deleted data remains on a PDA until a successful HotSync with a computer

Digital forensic investigation of mobile devices is beginning to come into its own. Because these devices differ from computers, different tools are needed and the scope of the tools has not yet matured; there are therefore fewer tools available for this type of investigation. Sources:

15 Forensic Tool Suites
Paraben
The Coroner’s Toolkit (TCT)
The Sleuth Kit (TSK)
EnCase
Forensic Toolkit (FTK)
Maresware
Provide a lower cost way to maximize the tools
Typically include the most often used tools

Forensic tool suites are typically an enterprise type of application. While some suites are a collection of separately used tools, called upon as needed, other suites are a collection of integrated software that requires the investigator to follow a process and use the different applications sequentially. Many commercially available tool suites can be quite costly and intricate. The Coroner’s Toolkit and The Sleuth Kit are the only open source suites listed above.

16 A Closer Look
EnCase
ByteBack
Forensic Toolkit
Maresware
Paraben
Coroner’s Toolkit
The Sleuth Kit

Let’s take a closer look at some specific forensic software and examine what features and functions are included. We’ll look at some of the more popular choices available to the computer forensic investigator today.

17 EnCase
Originally developed for law enforcement
Built around case management
Integrated Windows-based graphical user interface (GUI)
Multiple features

EnCase is a forensic tool suite: a bundled software package that provides multiple forensic tools in one box. The first action taken with this software is to create a case file. While it contains some impressive features, there is a good chance the forensic investigator will eventually need another utility.
Enterprise Edition – Centralized monitoring and real-time investigation
Snapshot – Captures RAM contents, running programs, open files and ports
Organizes results into a case file & provides case management for multiple cases
Maintains chain of custody
Tools for incident response to emerging threats
Supports real-time and post-mortem investigations

18 ByteBack
Cloning/imaging
Automated file recovery
Rebuild partitions & boot records
Media wipe
Media editor
Software write block

ByteBack is a disk imaging and validation tool. It allows the computer forensic investigator to preserve the data and validate its integrity for prosecution.
Cloning/Imaging: Clones to the same media type, or images the physical sectors of many media types
Automated File Recovery: Recovers most files on FAT and NTFS volumes (deleted files, files in slack space & old formats)
Rebuild Partitions and Boot Records: Repairs FAT and NTFS volumes, boot records & partitions
Media Wipe: Overwrites the sectors of a drive
Media Editor: Viewing and searching of raw data
Software Write Block: Prevents writing to the source drive, and performs calculations to verify the integrity of copy operations

19 Forensic Toolkit (FTK)
Another tool suite
Acquires & examines electronic data
Imaging tool
File viewer

Forensic Toolkit is one of the more powerful toolsets for acquiring and examining data.
Imaging Tool – Provides one or multiple copies of evidence for analysis
File Viewer – Recognizes over 270 file types & provides full-text searching capabilities
Search – Includes e-mail and zip files
Compatible with media images created by: FTK, EnCase, SMART, SnapBack, SafeBack, Linux dd
Compatible with multiple e-mail formats: AOL, Netscape, Yahoo, EarthLink, Eudora, Hotmail, MSN
Compatible with multiple zip file formats: PKZip, WinZip, WinRAR, GZip, TAR
Results are organized by case and presented as a case summary.

20 Maresware
Collection of tools rather than a tool suite
Main difference – tools are stand-alone & called as needed
4 notable tools: Declasfy, Brandit, Bates_no, Upcopy

Maresware contains the tools routinely used by computer forensic investigators. It is similar to competing products, with the difference that this is really a collection of tools rather than a suite: the tools can be called on and used as needed for specific tasks, with no particular order required, unlike EnCase, in which you must create a case before doing any other activity.
Declasfy – Disk wiping tool that overwrites physical media in compliance with U.S. Department of Defense standards
Brandit – Brands hard disks with ownership information; useful in tracing and identifying stolen hard drives
Bates_no – Adds identifying numbers to document file names, making it easier to manage records and files (case management)
Upcopy – Copies entire directories from source to destination without changing any attributes or time/date stamps

21 Paraben
Collection of stand-alone tools
Made up of 10 individual software tool sets
Purchased separately, with a price break for multiple tool purchases
Frequently used with mobile devices

This product is a top choice for PDA and cell phone forensic investigations. Mobile device investigations are somewhat different from computer investigations, and Paraben is a leading vendor in this area. Tools that Paraben offers are listed below:
Forensic Replicator – Disk imaging and verification tool
Forensic Sorter – Classifies data into one of 14 categories, increasing efficiency in investigations
Network E-mail Examiner – Explores network e-mail archives
E-mail Examiner – Examines e-mail files; compatible with 15 mail types
Decryption Collection – Recovery of passwords and decryption of encrypted data
Text Search – Searches files for text strings
Case Agent Companion – File viewer for over 225 file types & allows examination of results by case
PDA Seizure – Acquires, views & reports on PDA evidence
Cell Seizure – Acquires, views & reports on cell phone evidence

22 Coroner’s Toolkit (TCT)
Open source tool suite
Supports post-mortem analysis of Unix & Linux systems
Written for incident response rather than law enforcement
Not designed for the requirements of producing evidence for prosecution

The Coroner’s Toolkit is not designed to meet the stringent requirements for producing and managing courtroom evidence, leaving case management and maintenance of the chain of custody to the investigator using the toolkit. One feature that sets this suite apart is that it can run on a live machine and return information about running processes and open files.
4 main features:
grave-robber – Collects large amounts of data from the subject machine; can take hours; returns large amounts of information
ils & mactime – Analyze & display file access patterns from a historical perspective or from a running machine
unrm & lazarus – Recovery of deleted files and file fragments
findkey – Examines files & running programs to recover cryptographic keys

23 The Sleuth Kit (TSK)
Open source software suite built on TCT
Collection of command-line tools
Provides media management & forensic analysis
Core toolkit consists of several groups of tools

TSK runs on Unix, Linux and Mac OS. The Sleuth Kit is unusual in that it also supports Mac partitions and can analyze files from Mac systems, and it has been tested on Mac OS X. Like TCT, it has the ability to analyze data on running systems.
Tools:
fsstat – Reports file system details: inode numbers, block & cluster ranges, superblock details for Unix systems, & an abbreviated FAT table listing for FAT file systems
ffind & fls – Report allocated, unallocated & deleted file names
icat, ifind, ils & istat – Report on the metadata (file details) stored in the file system
dcat, dls, dstat & dcalc – Report data-unit (block) content and statistics
mmls – Reports the layout of the disk (partition table)
hfind – Looks up hash values
mactime – Uses fls & ils output to create timelines of file activity (create, read, write)
sorter – Sorts files based on file type
Autopsy Forensic Browser is a GUI front end for TSK:
Provides a graphical interface
Adds case management capability
Also runs on Unix, Linux and Mac OS
Provides additional features on top of TSK:
Dead analysis – Analyzes a device image in a trusted environment
Live analysis – Analyzes a system that is up and running
Case management – Organizes activities by case
Event sequencer – Finds patterns by organizing system events in chronological order
Notes – Provides a means to keep notes organized by case
Image integrity – Verifies the integrity of media images
Reports – Creates reports of activities organized by case
Logging – Creates audit logs of activities organized by case

24 Hardware Acquisition Tools
Various hardware & software platforms
Collect data
Process data
Save data
Display data in a meaningful manner

Acquisition tools can be hardware as well as software. These tools are used to create “safe” images of the suspect system for further collection and analysis, so that the original is never written to and the image can later be verified against the hash recorded at acquisition.
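The acquisition workflow described here and on the ByteBack and FTK slides (read-only source, sector-by-sector copy, integrity verification), as an added example that is not code from the presentation or from any of those products. It copies a source "device" sector by sector the way dd does, opens the source read-only only (a software write block), substitutes a zero-filled sector on a read error while recording the bad sector number (dd's conv=noerror,sync behaviour), and hashes the image as it is written so the image can be verified later. The device is a constructed file and the unreadable sector is simulated.

```python
"""Sector-level acquisition with a software write block and hash verification."""
import hashlib
import os
import tempfile

SECTOR = 512


class ReadOnlySource:
    """Sector reader opened O_RDONLY; bad_sectors simulates I/O errors for the demo."""

    def __init__(self, path, sector=SECTOR, bad_sectors=()):
        self.fd = os.open(path, os.O_RDONLY | getattr(os, "O_BINARY", 0))
        self.sector = sector
        self.size = os.fstat(self.fd).st_size
        self.bad = set(bad_sectors)

    @property
    def sector_count(self):
        return (self.size + self.sector - 1) // self.sector

    def read_sector(self, n):
        if n in self.bad:  # simulated unreadable sector
            raise OSError(5, "Input/output error")
        os.lseek(self.fd, n * self.sector, os.SEEK_SET)
        return os.read(self.fd, self.sector)

    def close(self):
        os.close(self.fd)


def image_device(src, image_path):
    """Write a raw image of src; return sector count, bad sectors and SHA-256 of the image stream."""
    digest = hashlib.sha256()
    bad = []
    with open(image_path, "wb") as out:
        for n in range(src.sector_count):
            try:
                data = src.read_sector(n)
            except OSError:
                data = b""
                bad.append(n)
            # conv=sync behaviour: failed or short reads are zero-padded so offsets are preserved.
            data = data.ljust(src.sector, b"\x00")
            out.write(data)
            digest.update(data)
    return {"sectors": src.sector_count, "bad_sectors": bad, "sha256": digest.hexdigest()}


def verify_image(path, expected_sha256, chunk=1 << 20):
    """Re-hash a file in chunks and compare with the hash recorded at acquisition."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest() == expected_sha256


def build_sample_device(sectors=8):
    """Constructed 'drive': each sector is filled with its own sector number."""
    path = os.path.join(tempfile.mkdtemp(prefix="acq_"), "suspect.dd")
    with open(path, "wb") as f:
        for n in range(sectors):
            f.write(bytes([n]) * SECTOR)
    return path


if __name__ == "__main__":
    dev = build_sample_device()
    src = ReadOnlySource(dev)
    rec = image_device(src, dev + ".img")
    src.close()
    print("clean acquisition:", rec, "verified:", verify_image(dev + ".img", rec["sha256"]))

    src = ReadOnlySource(dev, bad_sectors=[5])
    rec = image_device(src, dev + ".img2")
    src.close()
    print("with a bad sector:", rec,
          "image verified:", verify_image(dev + ".img2", rec["sha256"]),
          "matches original:", verify_image(dev, rec["sha256"]))
```

The second run is the case a practitioner must document: when a sector cannot be read, the image no longer hashes the same as the source, so the bad-sector list and the image hash are both recorded, and later verification is against the image as acquired, not against the original drive.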

25 Forensic Hardware
Workstations – copy & analysis
Drive imaging system
Drive wiper
Bridge / write blocker: SATA, SCSI, IDE, USB
Imaging device

Workstations are primarily used to copy suspect systems and then to analyze that information. These can be quite costly. Drive imaging hardware is less expensive and allows a quick copy of the data from a system being investigated. Drive wipers are primarily used to overwrite all data on hard disks and partitions. Bridges come in multiple formats, or can accommodate multiple formats; they are used to prevent writing to the suspect drive while it is being read. (Image: SCSI bridge)

26 Tool Costs
Workstations starting at $5,000
Bridges starting at $200
Drive wipers starting at $1,000
Wide assortment of special cables and hardware accessories, varying in price
Software – free (open source) to over $1,000

27 Choosing Your Forensic Toolkit
Expected types of investigations: internal reporting, prosecution
Operating systems
Budget
Technical skill
Role: law enforcement, private organization

The options available in computer forensics can be overwhelming. In deciding what you will need, first consider what types of investigations you will be involved in. If prosecutions are expected, it pays to include tools that meet the Daubert hearing requirements; if the tools will be used only for internal reporting, tools with less stringent reporting and chain-of-custody features may be adequate. The operating systems you expect to work with will also influence the choice of tools. Budget obviously plays a large part in the selection. The technical skill of the user should be taken into account so that the tools are used efficiently and effectively; the best tool available does no good if one does not know how to use it. Finally, the role of the forensic investigator also matters: some tools are available only to law enforcement, and while others are available to all, they are geared more toward one role than the other.

28 Prepare to Tool Up
Make lists
Don’t overbuy
Overlapping tools
No one size fits all
Training

Prior to putting together a toolkit, make a few lists: one of what you want your toolkit to do, another of the options available. One of the most common mistakes is to overbuy, so do your research and choose wisely, obtaining only what you need; you can add more later if a need was not met. Many tools overlap, and that is fine: you may end up with a couple of disk imaging tools bundled with something else you needed, so use the one that makes the most sense or that you are most comfortable with. No one set of tools meets the needs of every investigator, so it makes sense to visit, and even purchase from, multiple vendors. Finally, get the training needed to use your tools effectively; an untrained user can do more damage than good in an investigation.

29 References
Computer Forensics JumpStart. Michael G. Solomon, Diane Barrett & Neil Broom. Sybex, San Francisco, 2005.
Hacking Exposed Computer Forensics. Chris Davis, Aaron Philipp & David Cowen. McGraw-Hill, New York, 2005.
Forensic and Investigative Accounting. D. Larry Crumbley, Lester E. Heitger & G. Stevenson Smith. CCH Inc., Chicago, 2003.
All internet sources are listed per slide as used.
