Computer forensics involves the processes of analyzing and evaluating digital data as evidence. It is the analysis of information contained within and created with computer systems and computing devices, typically in the interest of figuring out what happened, when it happened, how it happened, and who was involved. Computer forensics is considered to be the use of analytical and investigative techniques to identify, collect, examine, and preserve information that is magnetically stored or encoded.

Uses of Computer Forensics

Computer forensics is used for:

  • Law enforcement
  • Enforcing employee policies
  • Gathering evidence against an employee an organization wishes to terminate, while being careful to follow the legal requirements
  • Recovering data in the event of a hardware or software
  • Understanding how a system works.

Steps Involved in Computer Forensics

  • Preparation: To identify the purpose as well as the resource required during the investigation.
  • Acquisition: To identify the sources of digital evidence and preserve it.
  • Analysis: To extract, collect, and analyze the evidence.
  • Reporting: Documenting and presenting evidence.

Types of Computer Forensics with Free Tools

1. Data Mirroring

One of the most important steps in digital forensics is the process of data mirroring, more commonly known as disk imaging. Disk imaging takes a sector-by-sector copy, usually for forensic purposes, and as such it will contain some mechanism to prove that the copy is exact and has not been altered. It is the process of disk imaging that allows a forensic investigator to view the contents of a storage medium or computer without altering the original data in any way.
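One such mechanism is a cryptographic hash taken during acquisition and re-checked later. The sketch below is an added example, not code from any tool named in this article. It copies a source to an image while hashing it, then re-verifies the image; the per-chunk digests, the 512-byte sector size and the in-memory stand-in for a device are assumptions of the example.

```python
import hashlib
import io

SECTOR = 512          # assumed sector size
CHUNK = SECTOR * 8    # bytes hashed per chunk (assumption for this example)


def acquire(src, dst):
    """Copy src to dst in order; return (SHA-256 of whole image, per-chunk digests)."""
    whole, chunks = hashlib.sha256(), []
    while block := src.read(CHUNK):
        dst.write(block)
        whole.update(block)
        chunks.append(hashlib.sha256(block).hexdigest())
    return whole.hexdigest(), chunks


def verify(image, expected_whole, expected_chunks):
    """Re-hash an image; return (intact, byte offsets of chunks that differ)."""
    image.seek(0)
    whole, bad, index = hashlib.sha256(), [], 0
    while block := image.read(CHUNK):
        whole.update(block)
        expected = expected_chunks[index] if index < len(expected_chunks) else None
        if hashlib.sha256(block).hexdigest() != expected:
            bad.append(index * CHUNK)
        index += 1
    # Chunks missing from a truncated image are reported as well.
    bad.extend(i * CHUNK for i in range(index, len(expected_chunks)))
    return whole.hexdigest() == expected_whole, bad


if __name__ == "__main__":
    # Constructed stand-in for a source device: 64 sectors of patterned data.
    source = io.BytesIO(bytes(range(256)) * 128)
    copy = io.BytesIO()
    digest, chunk_digests = acquire(source, copy)
    print("acquisition SHA-256:", digest)
    print("copy verifies:", verify(copy, digest, chunk_digests))

    # Simulate a single altered byte in the working copy.
    altered = bytearray(copy.getvalue())
    altered[5000] ^= 0xFF
    print("altered copy:", verify(io.BytesIO(bytes(altered)), digest, chunk_digests))
```

The whole-image digest proves the copy is exact; the per-chunk digests show where an image that fails verification differs.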

Tool: Live View

Live View is a forensics tool that creates a VMware virtual machine out of a raw disk image or physical disk. This allows the forensic examiner to boot up the image or disk and gain an interactive, user-level perspective of the environment, all without modifying the underlying image or disk. Because all changes made to the disk are written to a separate file, the examiner can instantly revert all of his or her changes back to the original pristine state of the disk.

The end result is that one need not create extra “throw-away” copies of the disk or image to create the virtual machine.

Tool: DumpIt

DumpIt is used to generate a physical memory dump of Windows machines. It works with both 32-bit and 64-bit machines. The executable is well suited to deployment on USB keys for quick incident response needs.

The raw memory dump is generated in the current directory; only a confirmation question is asked before starting.

2. Registry Forensics

Registry forensics involves extracting information and context from a largely untapped source of data and knowing the context that creates or modifies Registry data.

Tool: MuiCache View

Whenever a new application is installed, the Windows operating system automatically extracts the application name from the version resource of the exe file and stores it for later use in a Registry key known as the “MuiCache.”

MuiCache View allows you to easily view and edit the list of all MuiCache items on your system. You can edit the name of an application or delete unwanted MuiCache items.

Tool: Process Monitor

Process Monitor is an advanced monitoring tool for Windows that shows the real-time file system, Registry, and process activity.

Tool: Regshot

Regshot is a Registry compare utility that allows you to quickly take a snapshot of your registry and then compare it with a second one, which is done after making system changes or installing a new software product.

Results of a comparison between two shots are shown in the following manner:
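The snapshot-and-compare approach, as an added example that is not Regshot's code or its report format: two constructed `.reg`-style text exports are parsed and diffed into added and deleted keys and added, deleted and modified values. The key names and values are invented for the example, and single-line values are assumed.

```python
def parse_reg_export(text):
    """Parse .reg-style text into {key_path: {value_name: raw_data}}."""
    snapshot, values = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            values = snapshot.setdefault(line[1:-1], {})
        elif values is not None and line.startswith('"'):
            name, sep, data = line[1:].partition('"=')
            if sep:
                values[name] = data
    return snapshot

def compare_snapshots(before, after):
    """Return key and value changes between two parsed snapshots."""
    report = {"keys_added": [], "keys_deleted": [], "values_added": [],
              "values_deleted": [], "values_modified": []}
    for key in sorted(set(before) | set(after)):
        if key not in before:
            report["keys_added"].append(key)
        elif key not in after:
            report["keys_deleted"].append(key)
        old, new = before.get(key, {}), after.get(key, {})
        for name in sorted(set(old) | set(new)):
            if name not in old:
                report["values_added"].append((key, name, new[name]))
            elif name not in new:
                report["values_deleted"].append((key, name, old[name]))
            elif old[name] != new[name]:
                report["values_modified"].append((key, name, old[name], new[name]))
    return report

# Constructed snapshots (not real exports): before and after a hypothetical install.
BEFORE = r"""
[HKEY_CURRENT_USER\Software\ExampleVendor]
"Version"="1.0"
"InstallDir"="C:\\ExampleVendor"
"TrialMode"=dword:00000001
"""
AFTER = r"""
[HKEY_CURRENT_USER\Software\ExampleVendor]
"Version"="1.1"
"InstallDir"="C:\\ExampleVendor"
[HKEY_CURRENT_USER\Software\ExampleVendor\Settings]
"Telemetry"=dword:00000001
"""

if __name__ == "__main__":
    print(compare_snapshots(parse_reg_export(BEFORE), parse_reg_export(AFTER)))
```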

Tool: USBDeview

USBDeview is a small utility that lists all USB devices that are currently connected to your computer, as well as all USB devices that you previously used. For each USB device, extended information is displayed: device name, description, device type, serial number (for mass storage devices), the date and time that device was added, vendor ID, product ID, and more.

USBDeview also allows you to uninstall USB devices that you previously used, to disconnect USB devices that are currently connected to your computer, and to disable and enable USB devices.

You can also use USBDeview on a remote computer, as long as you log in to that computer as administrator.

3. Disk Forensics

This is the process of acquiring and analyzing the data stored on physical storage media. Disk forensics includes the recovery of hidden and deleted data and also file identification, the process of identifying who created a file or message.

Tool: ADS Locator

The ADS Locator can be used to find files that have alternate data streams (ADS) attached. ADS is a technology used to store additional data related to files, and it has many legitimate uses by the system. The tool therefore finds only those ADS entries that are of the user type “alternate,” which is sometimes used by spyware, malware, and viruses.

Tool: Disk Investigator

Disk Investigator helps you to discover all that is hidden on your computer hard disk. It can also help you to recover lost data. It displays the true drive contents by bypassing the operating system and directly reading the raw drive sectors. It helps you view and search raw directories, files, clusters, and system sectors, verify the effectiveness of file and disk wiping programs, and undelete previously deleted files.

Tool: Recuva

Recuva is a free file recovery program that is capable of recovering lost or deleted files from local drives and external drives. With the integrated wizard, users will be guided through the whole recovery process with ease. It also supports removable media such as smart media, secure digital cards, a memory stick, digital cameras, flash cards, and many more.

Tool: Encrypted Disk Detector

Encrypted Disk Detector (EDD) is a command-line tool that checks the local physical drives on a system for TrueCrypt, PGP, or Bitlocker encrypted volumes. If no disk encryption signatures are found in the MBR, EDD also displays the OEM ID and, where applicable, the volume label for partitions on that drive, checking for Bitlocker volumes.

Encrypted Disk Detector is useful during incident response to quickly and non-intrusively check for encrypted volumes on a computer system. The decision can then be made to investigate further and determine whether a live acquisition needs to be made in order to secure and preserve the evidence that would otherwise be lost if the plug was pulled.
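The OEM ID check described above can be illustrated on a raw image. This is an added example, not EDD's code: it walks the four primary MBR partition entries, reads the OEM ID field of each partition's boot sector, and flags the `-FVE-FS-` value that BitLocker volumes carry. It covers neither GPT disks and extended partitions nor TrueCrypt or PGP detection, and the sample image is constructed.

```python
import struct

SECTOR = 512
BITLOCKER_OEM_ID = b"-FVE-FS-"  # OEM ID field of a BitLocker volume boot sector


def read_partitions(mbr):
    """Return (type, start_lba) for each used entry in the MBR partition table."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature; not an MBR")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i:462 + 16 * i]
        start, count = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0 and count != 0:
            parts.append((entry[4], start))
    return parts


def scan_image(image):
    """Read each partition's boot sector and report its OEM ID (bytes 3-10)."""
    findings = []
    for ptype, start in read_partitions(image[:SECTOR]):
        oem = image[start * SECTOR + 3:start * SECTOR + 11]
        findings.append({"type": ptype, "start_lba": start,
                         "oem_id": oem.decode("ascii", "replace"),
                         "bitlocker": oem == BITLOCKER_OEM_ID})
    return findings


def build_sample_image():
    """Constructed 3-sector image: MBR, an NTFS-style volume, a BitLocker-style volume."""
    def entry(ptype, start):
        # status + CHS start (4 bytes), type, CHS end (3 bytes), LBA start, sector count
        return bytes(4) + bytes([ptype]) + bytes(3) + struct.pack("<II", start, 1)

    def boot_sector(oem_id):
        return b"\xeb\x52\x90" + oem_id + bytes(SECTOR - 11)

    mbr = bytearray(SECTOR)
    mbr[446:478] = entry(0x07, 1) + entry(0x07, 2)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr) + boot_sector(b"NTFS    ") + boot_sector(BITLOCKER_OEM_ID)


if __name__ == "__main__":
    for finding in scan_image(build_sample_image()):
        print(finding)
```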

Tool: Passware Encryption Analyzer

This tool scans a computer for password-protected and encrypted files, and reports encryption complexity and decryption options for each file. With EA you get all password recovery and decryption options that are available for the files and hard disk images of the cases you are investigating.

4. Network Forensics

Network forensics is related to the monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence, or intrusion detection. The ultimate goal of network forensics is to provide sufficient evidence to allow the criminal perpetrator to be successfully prosecuted. The practical application could be in areas such as hacking, insurance companies, fraud, defamation, etc.

Tool: Wireshark

Wireshark, a network analysis tool formerly known as Ethereal, captures packets in real time and displays them in human-readable format. Wireshark includes filters, color-coding, and other features that let you dig deep into network traffic and inspect individual packets.

Tool: Network Miner

Network Miner is a network forensic analysis tool for Windows that can detect the OS, hostname, and open ports of network hosts through packet sniffing or by parsing a PCAP file. Network Miner can also extract transmitted files from network traffic.

5. Email Forensics

Erasing or deleting an email doesn’t necessarily mean that it is gone forever. Often emails can be forensically extracted even after deletion. Forensic tracing of e-mail is similar to traditional detective work. It is used for retrieving information from mailbox files.

Tool: MiTec Mail Viewer

This is a viewer for Outlook Express, Windows Mail/Windows Live Mail, Mozilla Thunderbird message databases, and single EML files. It displays a list of contained messages with all needed properties, like an ordinary e-mail client. Messages can be viewed in detailed view, including attachments and an HTML preview. It has powerful searching and filtering capability and also allows extracting the email addresses from all emails in the opened folder to a list with one click. Selected messages can be saved to EML files with or without their attachments. Attachments can be extracted from selected messages with one command.

Tool: OST and PST Viewer

Nucleus Technologies’ OST and PST viewer tools help you view OST and PST files easily without connecting to an MS Exchange server. These tools allow the user to scan OST and PST files and display the data saved in them, including email messages, contacts, calendars, notes, etc., in a proper folder structure.

6. Internet Forensics

During most investigations, an individual’s web browsing activity often provides investigative leads. Evidence of Internet web browsing typically exists in abundance on the user’s computer. Most web browsers utilize a system of caching to expedite web browsing and make it more efficient. This web browsing Internet cache is a potential source of evidence for the computer investigator. Following are the tools for browser forensics.

Tool: ChromeCacheView

ChromeCacheView is a small utility that reads the cache folder of the Google Chrome web browser and displays a list of all files currently stored in the cache. For each cache file, the following information is displayed: URL, content type, file size, last accessed time, expiration time, server name, server response, and more.

You can easily select one or more items from the cache list and then extract the files to another folder or copy the list of URLs to the clipboard.

Tool: MozillaCookiesView

This tool displays the details of all cookies stored inside the cookies file (cookies.txt) in one table, and allows you to save the cookies list into a text, HTML, or XML file, delete unwanted cookies, and backup/restore the cookies file. It can read cookies files created by any version of Netscape/Mozilla browser.

Tool: MyLastSearch

The MyLastSearch utility scans the cache and history files of your web browser and locates all search queries that you made with the most popular search engines and with popular social networking sites. The search queries that you made are displayed in a table with the following columns: Search Text, Search Engine, Search Time, Search Type, Web Browser, and the search URL.

You can select one or more search queries and then copy them to the clipboard or save them into a text/html/xml file.

Tool: PasswordFox

PasswordFox is a small password recovery tool that allows you to view the user names and passwords stored by the Mozilla Firefox Web browser. By default, PasswordFox displays the passwords stored in your current profile, but you can easily choose to watch the passwords of any other Firefox profile. For each password entry, the following information is displayed: record index, web site, user name, password, user name field, password field, and the sign-on’s filename.

7. Application Forensics

With application forensics, we can extract the logs that applications stored during their execution. For any application, we can see the application’s restricted information without knowing the password.

Tool: SkypeLogView

SkypeLogView reads the log files created by the Skype application, and displays the details of incoming/outgoing calls, chat messages, and file transfers made by the specified Skype account. You can select one or more items from the logs list and then copy them to the clipboard, or export them into a text/html/csv/xml file.

Tool: Yahoo! Messenger Archive Decoder

Yahoo! Messenger Archive Decoder allows you to view all chat conversations without knowing the password. This software decodes normal conversation messages, private messages, conferences, and SMS/Mobile Messages to HTML or plain text, complete with time stamps, smileys, and font formatting. It also supports Unicode text.


Computer forensics is all about collecting evidence from computers that is sufficiently reliable to stand up in court. The goal of computer forensics is to do a structured investigation and find out exactly what happened in a digital system and who was responsible for it. There are many tools that are used in the process of examining digital evidence and evaluating system security. Some of the free tools that are described above will help you conduct a computer forensic investigation in a well-defined manner.