Digital Forensic Tools

Digital forensic tools are used to uncover and interpret electronic data in a structured investigation by collecting, identifying, and validating digital information to reconstruct past events. There are many free and paid forensic tools that assist with acquiring data, analyzing it, and producing a report, such as EnCase, CAINE, X-Ways Forensics, SIFT, and COFEE. These tools aim to preserve evidence, search and filter files, recover deleted files, and reconstruct activities like web, email, and registry usage to answer questions about "who did it" and "how it was done." A key technique is making an exact copy or image of original data using a write blocker to prevent changes while investigating.

Uploaded by Shu Bham

"the process of uncovering and interpreting electronic data with the aim of preserving the evidence in its most original form while performing a structured investigation by collecting, identifying and validating digital information for the purpose of re-constructing past events"

Just as conventional forensics has its own tools for investigating crime scenes, such as fingerprint powder and brushes, digital forensics has its own tools for each principal stage of the forensic process.

The forensic investigation process in its simplest form:

- Seizure of the evidence.
- Forensic acquisition of the data from storage or memory.
- Analysing the data.
- Producing a report with conclusions.

There are very many free and paid-for digital forensic tools. Some of them are extensive collections of utility programs that can help with various stages of the forensic process. Examples include:

- EnCase
- CAINE (Computer Aided Investigative Environment)
- X-Ways Forensics
- SANS Investigative Forensics Toolkit (SIFT)
- Computer Online Forensics Evidence Extractor (COFEE)
- The Coroner's Toolkit

and many more.

Although forensic tools vary according to the phase of the investigation for which they are being used, good tools share some common features:

- Include an acquisition feature that allows the data to be gathered.
- Enable searching and filtering of files.
- Can provide exact pathway locators to find the exact position of data.
- Full-disk hashing to confirm the data hasn't changed.
- Can reveal exact time and date stamps of when files were created, stored and last looked at.
- Can work with backup files and extract data.
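The acquisition, full-disk hashing and time-stamp features above, as an added example in script form (not code from the handout or from any of the tools it names). It uses an ordinary file as a stand-in for a seized drive, paths and sample bytes are constructed, and on real media a hardware write blocker is still what keeps the source unchanged while this reads it.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # stream 1 MiB at a time so a whole disk never sits in RAM

def file_timestamps(path):
    """Capture accessed/modified/changed times before the source is read."""
    st = os.stat(path)
    fmt = lambda t: datetime.fromtimestamp(t, timezone.utc).isoformat()
    return {"atime": fmt(st.st_atime), "mtime": fmt(st.st_mtime), "ctime": fmt(st.st_ctime)}

def acquire(source, image):
    """Copy source to image chunk by chunk, hashing the bytes as they are read."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    size = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            md5.update(block)
            sha.update(block)
            dst.write(block)
            size += len(block)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest(), "bytes": size}

def verify(image, record):
    """Re-hash the finished image; any mismatch means the copy is not exact."""
    sha = hashlib.sha256()
    with open(image, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            sha.update(block)
    return sha.hexdigest() == record["sha256"]

def demo():
    """Constructed sample: image a throwaway file, verify, then corrupt one byte."""
    work = tempfile.mkdtemp()
    source, image = os.path.join(work, "usb.bin"), os.path.join(work, "usb.dd")
    with open(source, "wb") as f:
        f.write(b"constructed evidence data " * 4096)
    stamps = file_timestamps(source)  # record before anything reads the source
    record = acquire(source, image)
    clean = verify(image, record)  # True: the image matches the acquisition hash
    with open(image, "r+b") as f:  # simulate a later change to the image
        f.seek(100)
        f.write(b"!")
    return {"stamps": stamps, "record": record, "clean": clean, "after_tamper": verify(image, record)}

if __name__ == "__main__":
    print(demo())
```

The hashes returned by acquire() are what goes into the acquisition log; verify() re-run later is the "has the data changed?" check the feature list describes.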

Forensic Techniques

The aims of the forensic process are to preserve the evidence, then to use the forensic tools to look at the acquired data for things that may have been deleted, hidden or unusual.

Different techniques or methods for this kind of forensic work can be used at different stages of the investigative process.

- Preserving the evidence: Making an image (an exact copy) of the original data with the use of a 'write blocker'. A write blocker prevents any program or device making changes to the original data.
  - Typical tools include Forensic Toolkit (FTK), EnCase, SIFT, Coroner's Toolkit, Sleuth Kit.
- Using the method of forensic duplication by recovering deleted files: Getting back files which might have been deleted to hide evidence.
  - Typical tools: FTK, EnCase, SIFT, Coroner's Toolkit, Sleuth Kit.
- Removing files: Most files on devices are harmless, with known file types and names. One technique is to filter out or remove these files to leave only those worthy of investigation. The method used here is to compare MD5 hashes of files to a list of known MD5 hashes of known files. If they match, they can be removed.
  - FTK or EnCase are popular tools.
- File signature verification: Works similarly to the file-removal technique above. A comparison is made between the header and footer information of suspect files and those of known files. Matching files can be safely removed.
  - Sleuth Kit, EnCase or a written Perl script.
- String searching and looking for file fragments: Using the search command to look for keywords or known text.
  - FTK, EnCase.
- Web activity reconstruction: Getting back web browsing history, accepted cookies and temporary internet files that the user has removed, taking away opportunities for deniability.
  - EnCase, FTK, browser logs.
- Email activity reconstruction: Using the method of converting email repositories to readable text.
  - FTK, Paraben's Network Email Examiner.
- Registry activity reconstruction: Discovering any deleted programmes or recent activity by looking at Windows system and application log files.
  - FTK, RegEdit.
- Live forensics: Using the method of analysing volatile processes, i.e. those files that are loaded in and out of memory.
  - Windows Forensic Toolchest, COFEE.
- Recovering hidden files: Actively looking for hidden files or hidden data (steganography) and attempting to gain access through the methods of decryption and cryptanalysis.
  - StegBreak, StegDetect, password cracking and frequency analysis.
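The "Removing files" and "File signature verification" techniques above, as one added example (not code from the handout or from FTK, EnCase or Sleuth Kit). The known-hash set and the header/footer table are constructed stand-ins for a real known-file list (for example NSRL) and a full signature database; the sample directory is created in a temp folder.

```python
import hashlib
import tempfile
from pathlib import Path

# Header and footer bytes for a few common types (a constructed subset of a
# real signature database; the handout calls this file signature verification).
SIGNATURES = {
    ".png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    ".jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    ".pdf": (b"%PDF", b"%%EOF"),
}

def signature_check(path):
    """Compare a file's header/footer with what its extension claims."""
    ext = path.suffix.lower()
    if ext not in SIGNATURES:
        return "no signature on record"
    header, footer = SIGNATURES[ext]
    data = path.read_bytes()  # whole file; fine for a demo, stream it for real disks
    if not data.startswith(header):
        return "header does not match " + ext
    if not data.rstrip(b"\r\n\x00").endswith(footer):
        return "footer missing for " + ext + " (truncated or appended data)"
    return "ok"

def triage(directory, known_md5):
    """Eliminate files whose MD5 is on the known list; report on the rest."""
    findings = {}
    for path in sorted(Path(directory).iterdir()):
        if hashlib.md5(path.read_bytes()).hexdigest() in known_md5:
            continue  # known OS/vendor file: drop it from the review set
        findings[path.name] = signature_check(path)
    return findings

def demo():
    """Constructed sample: one known file, an honest PNG, a ZIP disguised as JPEG."""
    work = Path(tempfile.mkdtemp())
    files = {
        "readme.txt": b"standard vendor readme",
        "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 20 + b"IEND\xaeB`\x82",
        "holiday.jpg": b"PK\x03\x04" + b"\x00" * 30,  # ZIP header under a .jpg name
        "notes.txt": b"meet at the usual place",
    }
    for name, body in files.items():
        (work / name).write_bytes(body)
    known = {hashlib.md5(files["readme.txt"]).hexdigest()}  # stands in for NSRL
    return triage(work, known)
```

Only the files that survive the known-hash filter reach the signature check, and a header/extension mismatch is what makes a file "worthy of investigation".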
Tasks

1. No Questions Asked

In the section titled 'Digital Forensics', create another page called Tools & Techniques and complete the following exercises.

1. Provide a definition of digital forensics.
2. Make a list of the common features shared by well-known forensic applications.
3. In digital forensics, the aim is to reconstruct the past to find out 'who did it?' and 'how it was done'. Explain 3 different forensic reconstruction techniques used to answer these questions.
4. Preserving the evidence through the method of forensic duplication is the first step of any digital forensic investigation. In the imaging process, write blockers are used.
   1. Describe the purpose of a write blocker.
   2. Research write blockers and name a model and price of a 'good' write blocker.

2. Don't Look Back with FTK

3. Don't look back with Kali Linux and Guymager

4. Back in the doghouse
