Contrary to popular belief, the domain of digital forensics is far from being monolithic. From the outside looking in, it might appear that computer forensics lacks versatility in terms of use cases. But just as computers have evolved over the years, both in terms of hardware and software, so has the landscape of retrieving valuable information from them through sound forensic techniques. Constant innovation in computing leads to better methods of encryption, concealment and manipulation of data. This consequently leads to the development of more powerful tools that can match the contemporary demands of digital forensics. Today, the tools for addressing various digital forensics use cases can be divided into multiple categories, whether we’re looking at differing systems or the range of forensic functions. In this article, we will look at these categories and discuss some of the most popular digital forensics tools available to us.

Types of Computer Forensic Tools

We can classify digital forensics tools into four major groups. These groups have been formed through the natural progression of digital forensics; they evolved from generic computer forensics to more specialized categories, such as mobile and memory forensics. Let’s discuss each one briefly:

  • Computer Forensics
    • Description

The most common category of digital forensics, the term “computer forensics” is sometimes used interchangeably with “digital forensics.” It refers using forensic techniques for evidence retrieval from computers. These techniques include information identification, preservation, retrieval, and analysis in line with digital forensic standards.

Sometimes during sophisticated attacks, data from the hard drive is either erased permanently or no data is left on the hard drive at all, leaving little to no evidence for forensic investigation. Memory forensics deals with this special case of digital forensics, as it looks for possible artifacts in the computer’s memory (RAM). Niche tools have been developed to acquire and analyze computer memory, such as:

As the name suggests, mobile device forensics is that branch of digital forensics that involves evidence found on mobile devices. These include mobile phones, personal digital assistants (PDAs), and tablets – essentially, any computing device that is portable and has communication capabilities. This branch of forensics took off after the sudden boom in the popularity of smartphones, making it one of the newer divisions of digital forensics.

A centerpiece in copyright infringement lawsuits, software forensics deals with determining whether particular software has been stolen. It does so by analyzing and comparing source code, then finding any possible correlation. Software forensics has been made use of in many high-profile intellectual property (IP) litigations over the past few years.

Which Forensic Activities Are These Tools Used For?

The tools discussed above are utilized in various digital forensic settings. These include:

  • Decryption

Cracking encryption/passwords to find out the contents of files is a classic use case of digital forensic tools. While decryption is a staple in much all-in-one digital forensic software, you can also find specialized tools for data decryption and password recovery, such as EPRB by ElcomSoft.

  • File Analysis

Investigators are typically tasked with analyzing files on affected systems in the event of an attack. This analysis includes retrieving metadata information, or looking for information in file contents, otherwise known as file carving. Most popular tools for file analysis are the SANS Investigative Forensic Toolkit – SIFT and The Sleuth Kit.

  • Registry Analysis/Rebuilding

Operating systems use special files called registries to store certain information about which software is installed on the system. This information might prove to be useful in certain instances of forensic investigations. Keeping this in mind, certain tools have been developed that can reconstruct registry files. Arguably the most used tool in this category is Registry Recon, which works exclusively for Windows registries. Another option is The Sleuth Kit, with its Registry Analysis tool.

  • Media Acquisition/Backup

To attain forensically sound evidence, it is crucial that evidence retrieval is handled with great care. Ideally, you want to acquire copies (images) of disk drives, without disrupting the original in any way. Dedicated tools for such forensic activities include the FTK Imager, which is FTK’s standalone image acquisition and preview tool, and X-Ways Forensics.

  • Email Analysis

Malware can find its way into a system through fraudulent emails. In fact, infected emails are one of the leading causes of online cyber-attacks. To investigate such cases, forensic agencies look for evidence in email headers that might lead to the perpetrators. As such, email header analysis is prominently featured in popular all-in-one forensic suites such as the Forensic Toolkit (FTK) and The Sleuth Kit.

  • Packet Capture/Analysis

During a computer forensic inspection, the analysis of data packets going through the network might serve investigators well. That is because each transaction over the network is logged and a clear timeline of events can be constructed. Moreover, the contents of data packets can also be used for additional information. Wireshark is a famous packet sniffer, available across multiple platforms. It can place itself in the middle of the client and server, capturing every packet that is exchanged.

  • Live Analysis

Computer Online Forensic Evidence Extractor (COFEE)

  • Plagiarism Detection

Digital theft is an emergent concern in today’s world. To tackle this, the field of software forensics came to the fore. Tools developed under software forensics guidelines can detect plagiarism in source code, determine copyright infringement, and showcase theft of trade secrets. CodeSuite by SAFE Corp is one such tool, and has been used in IP theft cases such as Facebook vs. ConnectU.

Commercial vs. Free/Open Source Tools

As digital forensic tools are developed by a diverse set of organizations, it is natural to assume that each has its own policy on its use and availability. Most developers release their software as commercial tools, meaning the user has to pay a certain fee to use the software. Commercial forensic tools have proprietary licenses, designed specifically by the developers for that tool alone. These licenses have stipulations that the user has to agree to but, because they are proprietary, they can be different from one tool to another. Commercial forensic tools mentioned in this article include Forensic Toolkit (FTK), EPRB by ElcomSoft, Registry Recon, WindowsSCOPE, XRY, Belkasoft Evidence Center, Magnet AXIOM and CodeSuite.

In contrast to commercial tools, certain digital forensic software is released for free. Such software is generally released under the GNU General Public License (GPL). The GPL stipulates that not only the software be free to use and open-source (source code available to all), but also that all subsequent derivatives of the software be released under the same license. Software released under GPL, while lacking robust first-party support, often have thriving community support and contributions. Some forensic tools that have been cited in this article released under the GPL license are The Sleuth Kit, Wireshark, and Volatility.

Computer Forensics Training

Conclusion

So, there you have it – some of the computer forensic tools most widely used by law enforcement agencies and individual forensic experts alike. With the newfound knowledge of these tools, what they achieve and how they compare with each other, you have one more feather in your cap on your way to becoming a forensic professional. Of course, you could further accelerate the process by taking part in InfoSec’s Computer Forensics Boot Camp, where we offer state-of-the-art preparation for the IACRB Certified Computer Forensics Examiner (CCFE), and IACRB Certified Mobile Forensics Examiner (CMFE) certifications.

Be Safe

Section Guide

Ryan
Fahey

View more articles from Ryan

SecurityIQ has published a number of videos on social engineering and phishing. You can sign up for a free account to browse their resources and test how phishing savvy you really are.

Section Guide

Ryan
Fahey

View more articles from Ryan
[i]
[i]