The computer is a reliable witness that cannot lie. Digital evidence contains an unfiltered account of a suspect’s activity, recorded in his or her direct words and actions. But, some people say that using digital information as evidence is a bad idea. If it’s easy to change computer data, how can it be used as reliable evidence?
To identify all the hidden details that are left after or during an incident, the computer forensics is used. The purpose of computer forensics techniques is to search, preserve and analyze information on computer systems to find potential evidence for a trial.
Computers are getting more powerful day by day, so the field of computer forensics must rapidly evolve. Previously, we had many computer forensic tools that were used to apply forensic techniques to the computer. However, we have listed few best forensic tools that are promising for today’s computers:
- SANS SIFT
- ProDiscover Forensic
- Volatility Framework
- The Sleuth Kit (+Autopsy)
- X-Ways Forensics
The SANS Investigative Forensic Toolkit (SIFT) is an Ubuntu-based Live CD which includes all the tools you need to conduct an in-depth forensic or incident response investigation. The free SIFT toolkit that can match any modern incident response and forensic tool suite is also featured in SANS’ Advanced Incident Response course (FOR 508). It demonstrates that advanced investigations and responding to intrusions can be accomplished using cutting-edge open-source tools that are freely available and frequently updated.
It supports analysis of Expert Witness Format, Advanced Forensic Format (AFF), and RAW (dd) evidence formats. It also includes tools such as timeline from system logs, Scalpel for data file carving, Rifiuti for examining the recycle bin, and lots more.
Key new features of SIFT include:
- Ubuntu LTS 14.04 Base.
- 64-bit base system.
- Better memory utilization.
- Auto-DFIR package update and customizations.
- Latest forensic tools and techniques.
- VMware Appliance ready to tackle forensics.
- Cross compatibility between Linux and Windows.
- Option to install stand-alone via (.iso) or use via VMware Player/Workstation.
- Online Documentation Project at http://sift.readthedocs.org/
- Expanded Filesystem Support.
ProDiscover Forensic is a powerful computer security tool that enables computer professionals to locate all of the data on a computer disk and at the same time protect evidence and create quality evidentiary reports for use in legal proceedings.
It can recover deleted files, examine slack space, access Windows Alternate Data Streams, and dynamically allows a preview, search, and image-capture of the Hardware Protected Area (HPA) of the disk utilizing its own pioneered the technology. It is not possible to hide data from a ProDiscover Forensic because it reads the disk at the sector level.
Key features of ProDiscover Forensic include:
- Create a Bit-Stream copy of the disk to be analyzed, including hidden HPA section (patent pending), to keep original evidence safe.
- Search files or an entire disk, including slack space, HPA section, and Windows NT/2000/XP Alternate Data Streams for complete disk forensic analysis.
- Preview all files, even if hidden or deleted, without altering data on disk, including file Metadata.
- Examine and cross reference data at the file or cluster level to ensure nothing is hidden, even in slack space.
- Utilize Perl scripts to automate investigation tasks.
The Volatility Framework was released publicly at the BlackHat and based on years of published academic research into advanced memory analysis and forensics. Volatility framework introduced people to the power of analyzing the runtime state of a system using the data found in volatile storage (RAM). It also provided a cross-platform, modular, and extensible platform to encourage further work in this exciting area of research.
Volatility also provides a unique platform that enables cutting-edge research to be immediately transitioned into the hands of digital investigators. It has become an indispensable digital investigation tool relied upon by law enforcement, military, academia, and commercial investigators throughout the world.
The Sleuth Kit (+Autopsy):
The Sleuth Kit is a collection of command line tools that allows us to analyze disk images and recover files from them. It is used behind the scenes in Autopsy and many other open source and commercial forensics tools.
The core functionality of The Sleuth Kit (TSK) allows you to analyze volume and file system data. The plug-in framework allows you to incorporate additional modules to analyze file contents and build automated systems.
An Autopsy is easy to use, a GUI-based program that allows us to analyze hard drives and smartphones efficiently. It has a plug-in architecture that helps us to find add-on modules or develop custom modules in Java or Python.
Below is the list of Autopsy features:
- Multi-User Cases: Collaborate with fellow examiners on larger cases.
- Timeline Analysis: Displays system events in a graphical interface to help identify activity.
- Keyword Search: Text extraction and index searched modules enable you to find files that mention specific terms and find regular expression patterns.
- Web Artifacts: Extracts web activity from common browsers to help identify user activity.
- Registry Analysis: Uses RegRipper to identify recently accessed documents and USB devices.
- LNK File Analysis: Identifies shortcuts and accessed documents
- Email Analysis: Parses MBOX format messages, such as Thunderbird.
- EXIF: Extracts geolocation and camera information from JPEG files.
- File Type Sorting: Group files by their type to find all images or documents.
- Media Playback: View videos and images in the application and not require an external viewer.
- Thumbnail Viewer: Displays thumbnail of images to help quick view pictures.
CAINE (Computer Aided Investigative Environment) is a Linux Live CD that contains a wealth of digital forensic tools. The latest version of Caine is based on the Ubuntu Linux LTS, MATE, and LightDM. Compared to its original version, the current version has been modified to meet the standard forensic reliability and safety standards.
- Caine Interface – a user-friendly interface that brings together some well-known forensic tools, many of which are open source.
- Updated and optimized environment to conduct a forensic analysis.
- Semi-automatic report generator.
Features include a user-friendly GUI, semi-automated report creation and tools for Mobile Forensics, Network Forensics, Data Recovery and more.
Ethical Hacking Training – Resources (InfoSec)
Xplico is a network forensics analysis tool, which is software that reconstructs the contents of acquisitions performed with a packet sniffer (e.g. Wireshark, tcpdump, Netsniff-ng). Xplico is able to extract and reconstruct all the Web pages and contents (images, files, cookies, and so on).
Features of Xplico include:
- Protocols supported: HTTP, SIP, IMAP, POP, SMTP, TCP, UDP, IPv4, IPv6.
- Port Independent Protocol Identification (PIPI) for each application protocol;
- Output data and information in SQLite database or Mysql database and/or files;
- At each data reassembled by Xplico is associated an XML file that uniquely identifies the flows and the pcap containing the data reassembled;
- No size limit on data entry or the number of files entrance (the only limit is HD size);
- Modularity. Each Xplico component is modular.
Xplico is installed by default in the major distributions of digital forensics and penetration testing:
- Kali Linux
- Security Onion
- CERT Linux Forensics Tools Repository
X-Ways Forensics is an advanced work environment for computer forensic examiners. X-Ways Forensics is efficient to use, not a resource-hungry, often runs faster, finds deleted files and offers many features that the others lack. X-Ways Forensics is fully portable, runs off a USB stick on any given Windows system without installation.
Key features of X-ray forensic include:
- Disk cloning and imaging
- Ability to read partitioning and file system structures inside raw (.dd) image files, ISO, VHD and VMDK images
- Complete access to disks, RAIDs, and images more than 2 TB in size
- Automatic identification of lost/deleted partitions
- Viewing and editing binary data structures using templates
- Recursive view of all existing and deleted files in all subdirectories
These are some best and popular forensic tools used by many professionals and law enforcement agencies in performing different forensics. However, the list is not limited to the above-defined tools. There are many other free and premium tools available in the market as well. These tools can be used to investigate the evolving attacks.