Contrary to popular belief, the domain of digital forensics is far from being monolithic. From the outside looking in, it might appear that computer forensics lacks versatility in terms of use cases. But just as computers have evolved over the years, both in terms of hardware and software, so has the landscape of retrieving valuable information from them through sound forensic techniques. Constant innovation in computing leads to better methods of encryption, concealment and manipulation of data. This consequently leads to the development of more powerful tools that can match the contemporary demands of digital forensics. Today, the tools for addressing various digital forensics use cases can be divided into multiple categories, whether we’re looking at differing systems or the range of forensic functions. In this article, we will look at these categories and discuss some of the most popular digital forensics tools available to us.

Types of Computer Forensic Tools

We can classify digital forensics tools into four major groups. These groups have been formed through the natural progression of digital forensics; they evolved from generic computer forensics to more specialized categories, such as mobile and memory forensics. Let’s discuss each one briefly:

Digital Forensics

The most common category of digital forensics; the term “computer forensics” is sometimes used interchangeably with “digital forensics.” It refers to using forensic techniques for evidence retrieval from computers. These techniques include information identification, preservation, retrieval, and analysis in line with digital forensic standards.

Examples:

Memory Forensics

Sometimes during sophisticated attacks, data on the hard drive is either erased permanently or never written there at all, leaving little to no evidence for a disk-based investigation. Memory forensics deals with this special case of digital forensics by looking for artifacts in the computer’s volatile memory (RAM). Niche tools have been developed to acquire and analyze computer memory.

Examples:

Mobile Device Forensics

As the name suggests, mobile device forensics is that branch of digital forensics that involves evidence found on mobile devices. These include mobile phones, personal digital assistants (PDAs), and tablets – essentially, any computing device that is portable and has communication capabilities. This branch of forensics took off after the sudden boom in the popularity of smartphones, making it one of the newer divisions of digital forensics.

Examples:

Software Forensics

A centerpiece in copyright infringement lawsuits, software forensics deals with determining whether particular software has been stolen. It does so by analyzing and comparing source code, then finding any possible correlation. Software forensics has been used in many high-profile intellectual property (IP) litigations over the past few years.

Example:

Which Forensic Activities Are These Tools Used For?

The tools discussed above are utilized in various digital forensic settings. These include:

  • Decryption

Cracking encryption/passwords to find out the contents of files is a classic use case of digital forensic tools. While decryption is a staple of most all-in-one digital forensic software, you can also find specialized tools for data decryption and password recovery, such as EPRB by ElcomSoft.

  • File Analysis

Investigators are typically tasked with analyzing files on affected systems in the event of an attack. This analysis includes retrieving metadata, or searching for information within raw file contents, otherwise known as file carving. The most popular tools for file analysis are the SANS Investigative Forensic Toolkit (SIFT) and The Sleuth Kit.

  • Registry Analysis/Rebuilding

Operating systems use special files called registries to store certain information about which software is installed on the system. This information might prove to be useful in certain instances of forensic investigations. Keeping this in mind, certain tools have been developed that can reconstruct registry files. Arguably the most used tool in this category is Registry Recon, which works exclusively for Windows registries. Another option is The Sleuth Kit, with its Registry Analysis tool.

  • Media Acquisition/Backup

To obtain forensically sound evidence, it is crucial that evidence retrieval is handled with great care. Ideally, you want to acquire copies (images) of disk drives without altering the original in any way. Dedicated tools for such forensic activities include FTK Imager, which is FTK’s standalone image acquisition and preview tool, and X-Ways Forensics.

  • Email Analysis

Malware can find its way into a system through fraudulent emails. In fact, infected emails are one of the leading causes of online cyber-attacks. To investigate such cases, forensic agencies look for evidence in email headers that might lead to the perpetrators. As such, email header analysis is prominently featured in popular all-in-one forensic suites such as the Forensic Toolkit (FTK) and The Sleuth Kit.
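An added example of the header analysis described above (not code from the article, FTK or The Sleuth Kit): it walks the Received: chain of a constructed message to reconstruct the relay path from origin to mailbox, and flags a From:/Return-Path: domain mismatch. All hostnames and addresses are constructed from documentation ranges.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a phishing-style mail whose From: claims the victim's own
# domain while Return-Path: and the originating hop point elsewhere.
SAMPLE_HEADERS = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.victim.example (mx.victim.example [192.0.2.10])
        by inbox.victim.example with ESMTP id 1; Mon, 1 Jan 2024 10:00:03 +0000
Received: from relay.mailer.example.net (relay.mailer.example.net [198.51.100.7])
        by mx.victim.example with ESMTPS id 2; Mon, 1 Jan 2024 10:00:02 +0000
Received: from [203.0.113.5] (unknown [203.0.113.5])
        by relay.mailer.example.net with SMTP id 3; Mon, 1 Jan 2024 10:00:01 +0000
From: "IT Helpdesk" <helpdesk@victim.example>
To: user@victim.example
Subject: Password reset required
Message-ID: <abc123@mailer.example.net>

Please open the attachment.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_path(raw: str) -> list[str]:
    """Return the relay IPs in the Received: chain, earliest hop first.
    Each relay prepends its own header, so the LAST Received: is the origin."""
    msg = message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = IP_RE.search(hdr)
        hops.append(m.group(1) if m else "?")
    return hops

def sender_mismatch(raw: str) -> bool:
    """True when the From: domain differs from the Return-Path: domain,
    a common indicator that the visible sender was forged."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rp_dom = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    return bool(from_dom and rp_dom) and from_dom != rp_dom

if __name__ == "__main__":
    print("origin -> mailbox:", " -> ".join(received_path(SAMPLE_HEADERS)))
    print("From/Return-Path mismatch:", sender_mismatch(SAMPLE_HEADERS))
```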

  • Packet Capture/Analysis

During a computer forensic inspection, analysis of the data packets passing over the network can serve investigators well: every captured packet is timestamped, so a clear timeline of events can be constructed, and the contents of the packets themselves can yield additional information. Wireshark is a well-known packet sniffer available on multiple platforms. It captures every packet exchanged between client and server on the network interface it is monitoring.

  • Live Analysis

Computer Online Forensic Evidence Extractor (COFEE)

  • Plagiarism Detection

Digital theft is an emerging concern in today’s world, and the field of software forensics came to the fore to tackle it. Tools developed under software forensics guidelines can detect plagiarism in source code, determine copyright infringement, and demonstrate theft of trade secrets. CodeSuite by SAFE Corp is one such tool and has been used in IP theft cases such as Facebook vs. ConnectU.

Other Commercial Computer Forensic Tools

X-Ways Forensics:

X-Ways Forensics is one of the most powerful commercial computer forensic tools available today. It is Windows-based software that offers many functions pertaining to computer forensics. One of its most significant advantages is that it can be run in portable mode.

Thus, there is no need to install the software, which is a real benefit to the forensic examiner when it comes to live imaging or live system analysis. Notable features of this tool are disk imaging and cloning.

Disk imaging is normally used during investigative work; however, it can also be used for system backup, restoring data from an old hard drive onto a new one, and so on. File carving is another very significant feature of this tool: X-Ways performs file carving quickly, unlike other tools that can take a long time.

File carving is a technique that searches for file headers/signatures in space marked as unallocated by the file system, in order to recover those files in full. The recovered data is available in binary form so that it can be interpreted in its raw format.
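As an added illustration of the signature-based carving just described (example code, not from the article or from X-Ways), this scans a constructed byte blob standing in for unallocated space for JPEG and PNG header/footer magic values and cuts the files out, ignoring any file-system metadata.

```python
# Signature table: (header, footer) magic bytes for two common formats.
# These are the published magic values for JPEG and PNG; the "image" scanned
# below is constructed for this example, not a real disk image.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

def carve(image: bytes, max_size: int = 1 << 20) -> list[tuple[str, int, bytes]]:
    """Scan raw bytes (e.g. unallocated clusters) for known file headers and cut
    out each file up to its matching footer, without consulting the file system.
    Returns (type, offset, data) tuples sorted by offset; a header with no footer
    within max_size is skipped rather than carved as an oversized blob."""
    found = []
    for ftype, (header, footer) in SIGNATURES.items():
        start = image.find(header)
        while start != -1:
            end = image.find(footer, start + len(header), start + max_size)
            if end == -1:  # truncated or overwritten file: move past this header
                start = image.find(header, start + 1)
                continue
            end += len(footer)
            found.append((ftype, start, image[start:end]))
            start = image.find(header, end)
    return sorted(found, key=lambda f: f[1])

def build_sample_image() -> bytes:
    """Constructed stand-in for unallocated space: zero fill, a minimal JPEG-like
    blob, junk bytes, a minimal PNG-like blob, more zero fill."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"A" * 32 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"B" * 20 + b"IEND\xaeB`\x82"
    return b"\x00" * 512 + jpeg + b"\xcc" * 256 + png + b"\x00" * 128

if __name__ == "__main__":
    for ftype, offset, data in carve(build_sample_image()):
        print(f"{ftype} carved at offset {offset}: {len(data)} bytes")
```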

X-Ways Forensics can identify free space, slack space, etc. It can read widely accepted image formats such as the Expert Witness Format (E01) and virtual machine disk images (VMDK). The full version of this tool also ships with a hardware dongle.

Lighter utilities in the X-Ways family are X-Ways Investigator, which helps a non-forensic specialist search for evidence in a more automated way, and X-Ways Imager, which is used exclusively for disk imaging.

EnCase:

EnCase is a widely used computer forensic tool developed by Guidance Software Inc. It is a dongle-based, Windows-based tool. It is primarily used for disk imaging, reading various file systems (NTFS, FAT, exFAT and Mac-related file systems), reconstructing lost partitions, recovering deleted files, etc.

The EnCase Forensic edition is a fully equipped software kit that aids the forensic examiner down to the most granular level. One prime feature of this tool is that you can bookmark pieces of evidence with a single mouse click.

EnCase also has a reporting feature with several report templates that can be adapted to the user’s preferences and/or needs. When EnCase is installed on a computer, an “EnCase” folder is created at the default location. Inside this folder is a file named “linen”, which is EnCase’s utility for the Linux platform.

The file viewing facility of EnCase lets the examiner view a single file in multiple formats (such as .doc, transcript, hex, etc.). The EnCase processor can also perform data carving, data indexing and expression searching. The search utility can also search unallocated space for hex values.

Another version of EnCase is EnCase Portable, which ships on a hardware dongle and can be used to boot a computer directly. This product supports hash calculation standards such as CRC, MD5 and SHA, which makes it a globally trusted and court-admissible tool for the computer forensic examiner.

It also works with many types of disk encryption formats, and later versions have grown considerably more sophisticated.

Forensic Toolkit (FTK):

The Forensic Toolkit, popularly known as FTK, is a computer forensic/investigative toolkit made by AccessData. The lighter version of FTK is FTK Imager, which is used for disk imaging. FTK Imager can image a physical drive, a logical drive, or even a partition on a USB drive. The image file format used in this product is known as “adf”, the AccessData format.

Using FTK Imager, data can be viewed and deleted files can be recovered, depending on whether they have been overwritten. One fundamental feature of this tool is that it can mount an image and present it in Windows Explorer. FTK Imager is also a portable tool that can be run directly on a live machine.

MacQuisition:

MacQuisition is a unique computer forensic tool created by BlackBag Technologies for Mac desktops and laptops, which makes it a potent tool for the Mac OS X operating system.

One of the primary advantages of this tool is that the forensic examiner can choose to acquire only email or other specific kinds of data relevant to the investigation being worked on.

This tool authenticates the acquired image using MD5 and SHA hash values. It boots safely from a MacQuisition USB dongle and write-blocks the device. MacQuisition can also be used for live imaging and for capturing the contents of RAM.
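An added example (not code from MacQuisition, FTK Imager or the article) of the acquire-and-verify principle behind both the media acquisition section above and the hash authentication mentioned here: the source is read once, hashed as it is copied, and the written image is then hashed independently so any divergence is caught. The “drive” is a constructed temporary file of random bytes; on a real case the source would be a block device behind a write blocker.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 16  # 64 KiB reads; real acquisitions stream gigabytes this way

def hash_file(path: str) -> dict[str, str]:
    """Hash a file in chunks with both MD5 and SHA-256 (two algorithms, as the
    tools above do, so a collision in one does not mask a change)."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            md5.update(chunk)
            sha.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}

def acquire(source_path: str, image_path: str) -> dict[str, str]:
    """Copy the source to a raw image, hashing the bytes as they are read
    (the acquisition hash). The source is opened read-only and never written."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as img:
        while chunk := src.read(CHUNK):
            md5.update(chunk)
            sha.update(chunk)
            img.write(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}

def verify(image_path: str, acquisition_digests: dict[str, str]) -> bool:
    """Re-read the written image independently and compare it with the
    acquisition hashes; any difference means the image is not a faithful copy."""
    return hash_file(image_path) == acquisition_digests

def demo(tamper: bool = False) -> bool:
    """Constructed drive of random bytes: acquire it, optionally flip one byte
    of the image to simulate corruption, then run verification."""
    with tempfile.TemporaryDirectory() as d:
        src, img = os.path.join(d, "drive.bin"), os.path.join(d, "drive.dd")
        with open(src, "wb") as f:
            f.write(os.urandom(200_000))
        digests = acquire(src, img)
        if tamper:
            with open(img, "r+b") as f:
                f.seek(1234)
                byte = f.read(1)
                f.seek(1234)
                f.write(bytes([byte[0] ^ 0xFF]))  # invert one byte of the image
        return verify(img, digests)

if __name__ == "__main__":
    print("clean image verified:", demo())
    print("tampered image verified:", demo(tamper=True))
```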

Commercial vs. Free/Open-Source Tools

As digital forensic tools are developed by a diverse set of organizations, it is natural to assume that each has its own policy on its use and availability. Most developers release their software as commercial tools, meaning the user has to pay a certain fee to use the software. Commercial forensic tools have proprietary licenses, designed specifically by the developers for that tool alone. These licenses have stipulations that the user has to agree to but, because they are proprietary, they can be different from one tool to another. Commercial forensic tools mentioned in this article include Forensic Toolkit (FTK), EPRB by ElcomSoft, Registry Recon, WindowsSCOPE, XRY, Belkasoft Evidence Center, Magnet AXIOM and CodeSuite.

In contrast to commercial tools, certain digital forensic software is released for free. Such software is generally released under the GNU General Public License (GPL). The GPL stipulates not only that the software be free to use and open-source (source code available to all), but also that all subsequent derivatives of the software be released under the same license. Software released under the GPL, while lacking robust first-party support, often has thriving community support and contributions. Some forensic tools cited in this article that are released under the GPL are The Sleuth Kit, Wireshark, and Volatility.


Conclusion

So, there you have it – some of the computer forensic tools most widely used by law enforcement agencies and individual forensic experts alike. With the newfound knowledge of these tools, what they achieve and how they compare with each other, you have one more feather in your cap on your way to becoming a forensic professional. Of course, you could further accelerate the process by taking part in InfoSec’s Computer Forensics Boot Camp, where we offer state-of-the-art preparation for the IACRB Certified Computer Forensics Examiner (CCFE), and IACRB Certified Mobile Forensics Examiner (CMFE) certifications.

Be Safe


Ryan Fahey
