Every computer forensic gumshoe needs a set of good, solid tools to undertake a proper investigation, and the tools you use vary according to the type of investigation you’re working on.
The list of tools isn’t all-inclusive — and you may have your own favourites — but the ones we describe are the basic ones you should use.
Computer Forensic Software Tools
The days of hard-core computer geeks knowing every square digital inch of an operating system are years behind us.
Although a computer forensic professional can still do the drudge work of scanning for evidence using nothing more than a keyboard and a hex editor, that person now has access to tools that automate the work and let them use their time more effectively.
In fact, modern computer forensic software can find evidence in only minutes, whereas in the “old days” the process took hours or even days! You still have to know your way around a computer, but these tools are true time-savers.
Just remember that a tool is only as good as the person who uses it.
EnCase
EnCase, the gold standard, is used by countless organizations for almost any computer forensic investigation. The power of this must-have item for your computer forensic toolbox, and your ability to customize it for unique searches, set it apart from most competitors.
EnCase comes built-in with many forensic features, such as keyword searches, e-mail searches, and Web page carving. The numerous versions of its forensic software range from mobile device acquisitions to full-blown network forensic-analysis tools.
Two other cool features are its:
- Scripting language: You can customize searches.
- Fully automated report function: It builds reports for you quickly.
EnCase is sold by Guidance Software on its Web site. Support for EnCase is rock solid, and the technical support staff knows how to solve problems fairly quickly in addition to providing multilanguage support.
Forensic ToolKit (FTK)
AccessData has created a forensic software tool that’s fairly easy to operate because of its one-touch-button interface, and it’s also relatively inexpensive. The new version of FTK is even easier to use, and AccessData has started a forensic certification, ACE, based on its software.
FTK has automated, to a high degree, the hard, behind-the-scenes work of setting up searches. Press the Email button and out pop the e-mails. The FTK report generator hands the hard work of assembling a useful report to the software's automation while still leaving the investigator control over the report if needed.

FTK is sold on the AccessData Web site at www.accessdata.com. Everything you need to order the software and training is on the site. Even the certification process is available for you to peruse.
Device Seizure
The Paraben forensic tools compete with the top two computer forensic software makers EnCase and FTK (described earlier in this chapter). Still, the company truly shines in the mobile forensic arena.
Using Paraben’s Device Seizure product, you can look at most mobile devices on the market. With more cases going mobile, Device Seizure is a must-have tool.
You can use Device Seizure to access and download almost all information contained in a mobile device, such as text messages or user data, and in a way that’s forensically acceptable in court.
Device Seizure and all the extras that can go with it are at www.paraben.com along with other useful forensic tools.
Computer Forensic Hardware
In contrast to computer forensic software, which is designed to extract data or evidence quickly and from a logical point of view, forensic hardware is primarily used to connect to the computer's physical parts so that the data can be extracted for use with the forensic software.
The basic idea behind forensic hardware is to facilitate the forensic transfer of digital evidence from one device to another as quickly as possible.
FRED
The Forensic Recovery of Evidence Device (FRED) forensic workstation from Digital Intelligence has an interface for all occasions — and then some. In addition to the laboratory version, FRED comes in mobile versions that facilitate the acquisition of evidence in the field for quick analysis.
FRED combines just about every available interface into one convenient workstation so that you don't have to connect and disconnect a toolbox full of interfaces. Another helpful FRED feature is the collection of software packages that can be loaded on it at your request: EnCase, FTK, Paraben's P2, and many others.
Digital Intelligence, at www.digitalintelligence.com, has all the information you could ever want about the FRED systems. The company also offers training in the use of its systems and provides helpful technical support.
CRU Forensic Field Kit
When you need a small footprint and useful equipment for field use, the CRU field kit is hard to beat, figuratively and literally. Even with its small footprint, this field kit has the most popular interfaces available, and you can even customize it for your unique needs.
Using the CRU field kit, you can carry the essential pieces of your forensic toolkit. The heart of this field kit consists of the write-protect devices that WiebeTech manufactures in-house. The kits also contain interfaces for EIDE, SATA, and laptop hard drives.
You can find CRU field kits here, and they’re also listed at some third-party Web sites.
Logicube
Logicube offers some of the fastest disk-to-disk and disk-to-image transfer equipment now on the market. As storage devices grow larger, transferring 4 gigabytes per minute can save quite a bit of time over other field data acquisition methods.
The Logicube data capture equipment captures data from target media. It transfers the data to another disk or an image while at the same time performing an integrity check to ensure a forensic copy. The devices have various interfaces and usually come in a field kit configuration.
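An added example (not Logicube's own code) of the disk-to-image transfer with an inline integrity check that the paragraph describes: a Python imager that hashes the source as it copies, re-hashes the written image, and reports the copy as verified only when the two digests match. The paths, chunk size and the constructed 3 MiB sample "drive" are assumptions.

```python
"""Disk-to-image transfer with an inline integrity check.

Added example, not vendor code: copies a source device (or file) to an
image in fixed-size chunks, hashing the source as it reads, then re-reads
the finished image and compares digests. A mismatch means the copy is not
a forensic copy and must be redone.
"""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB reads; a real imager would use the device block size


def sha256_file(path: str, chunk_size: int = CHUNK) -> str:
    """Hash a file in chunks so large images never sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def image_media(src_path: str, dst_path: str, chunk_size: int = CHUNK) -> dict:
    """Copy src_path to dst_path and return an integrity report."""
    src_hash = hashlib.sha256()
    copied = 0
    # Open the source read-only: the imaging process must never write to it.
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        while True:
            block = src.read(chunk_size)
            if not block:
                break
            src_hash.update(block)
            dst.write(block)
            copied += len(block)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image really reached the media
    src_digest = src_hash.hexdigest()
    # Independent pass over what was *written*, not what was *intended*:
    # that is the whole point of the check.
    dst_digest = sha256_file(dst_path, chunk_size)
    return {
        "bytes_copied": copied,
        "source_sha256": src_digest,
        "image_sha256": dst_digest,
        "verified": src_digest == dst_digest and copied == os.path.getsize(dst_path),
    }


def demo(tamper: bool = False) -> dict:
    """Image a constructed 3 MiB + 17 byte 'drive' (random bytes, not evidence).

    With tamper=True one byte of the finished image is flipped before the
    digests are compared, to show the report flagging the copy as unverified.
    """
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "suspect-drive.dd")
        dst = os.path.join(tmp, "suspect-drive.img")
        with open(src, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 17))  # odd size: the last chunk is short
        report = image_media(src, dst)
        if tamper:
            with open(dst, "r+b") as f:  # corrupt one byte of the image
                f.seek(5)
                byte = f.read(1)[0]
                f.seek(5)
                f.write(bytes([byte ^ 0xFF]))
            report["image_sha256"] = sha256_file(dst)
            report["verified"] = report["image_sha256"] == report["source_sha256"]
        return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```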
The Logicube Web site at www.logicube.com has information about the devices and how to order them. The company also offers other forensic products and has an in-house research-and-development team.
Computer Forensic Laboratories
Every good computer forensic scientist or investigator needs a place to do their work. In the ideal location to conduct an investigation, you have absolute control of security, tools, and even the physical environment.
Ideally, we’re describing your computer forensic laboratory! As in any science field, computer forensics requires its own set of laboratory tools to get the job done.
Computer forensic data server
Any computer forensic investigative unit of any size rapidly runs into the problem of where to store cases that are in progress or that need to be archived for possible later use. A centralized data storage solution is the best and most secure answer.
A forensic data server allows you to keep forensic images in a centralized, secure, and organized manner that lets you focus more on analyzing cases than on looking for them. A server needs to have large data capacity, authenticate users for security purposes, and be able to back up all data in case the storage devices fail.
You can find commercial-grade servers from any of the larger computer vendors, such as Dell and HP, and from forensic companies, such as Digital Intelligence.
Forensic write blockers
One basic piece of equipment that a computer forensic laboratory needs is a simple but effective write blocker. Although most software tools have built-in software write blockers, you also need an assortment of physical write blockers to cover as many situations or devices as possible.
A write blocker is used to keep an operating system from making any changes to the original or suspect media to keep from erasing or damaging potential evidence.
Software write blockers work at the operating system level and are specific to the operating system. In other words, a software write blocker works on only the operating system in which it is installed.
A physical write blocker works at the hardware level and can work with any operating system because, at the physical level, the write blocker is intercepting (or, in many cases, blocking) electrical signals to the storage device and has no concern about which operating system is in place.
The technology used by computers to read and write to storage devices is well understood and fairly straightforward — you can find dozens of manufacturers of write-protect devices.
For reliability and support, stick with these name brands in the industry:
- Digital Intelligence: The UltraKit write-block product (see www.digitalintelligence.com) follows the everything-but-the-kitchen-sink model. All standard storage device formats, such as IDE, SCSI, SATA, and USB, are supported. The cables and power supplies are furnished as well, making this kit one of the most complete in the industry.
- Paraben: Paraben has taken the idea of a Faraday box and added silver-lined gloves to allow an investigator to work on a wireless device located inside the box. The Wireless Stronghold Box (see www.paraben.com) is a must-see for any computer forensic laboratory working with wireless devices. This box, a Faraday cage, isolates any enclosed wireless device, making it a wireless write blocker. For added protection, all connections leading into the box are filtered.
- WiebeTech: These write-protect devices run the spectrum from field kits to RAID systems. WiebeTech products (see www.wiebetech.com) are also sold by the major forensic software makers, which adds to their credibility.
Media wiping equipment
Whether you complete one case per year or one case per day, you need to wipe the media you work with before you even start your case, to ensure that no cross-contamination between your cases occurs.
Forensic data wipers ensure that no data from a previous case is still present on the media. Most data wipers don’t erase existing data per se. They overwrite the data with either random binary strings or a repeating pattern of bits.
In addition to this capability, you need a report when the device is finished to prove that you wiped the drive beforehand. In a lab environment, you usually should have a dedicated device just for wiping your media, so that you don't use up valuable forensic tool resources wiping drives rather than analyzing evidence.
All the major computer forensic software and hardware manufacturers carry data wiping equipment. The chances are good that you can also purchase a dedicated data wiping unit wherever you bought your computer forensic software.
Just be wary of third-party data wiping tools that don’t have a way to verify the data wipe and don’t have a data wipe report function.
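An added example (not any vendor's wiper) of the wipe, verify and report cycle described above, in Python: it overwrites a file-backed sample drive with a random pass and a final fixed pattern, re-reads every byte to verify the pattern, and returns the report the lab keeps on file. The file name, pattern and sample data are constructed assumptions, and the two-pass scheme is an illustrative choice since the page names no particular wipe algorithm.

```python
"""Media wipe with post-wipe verification and a wipe report.

Added example, not vendor code. It overwrites a file-backed 'drive' (a real
tool would open the block device) with an optional random pass and a final
repeating-pattern pass, then re-reads every byte to prove the wipe.
"""
import os
import tempfile
from datetime import datetime, timezone
from typing import List, Optional

CHUNK = 1024 * 1024  # work in 1 MiB pieces so large media never sits in RAM


def _fill(pattern: bytes, n: int) -> bytes:
    """n bytes of the repeating pattern."""
    return (pattern * (n // len(pattern) + 1))[:n]


def _overwrite(f, size: int, pattern: Optional[bytes], chunk_size: int) -> None:
    """One full pass over the media; random bytes when pattern is None."""
    f.seek(0)
    done = 0
    while done < size:
        n = min(chunk_size, size - done)
        f.write(os.urandom(n) if pattern is None else _fill(pattern, n))
        done += n
    f.flush()
    os.fsync(f.fileno())  # the pass must reach the media before verification


def verify_wipe(path: str, pattern: bytes, chunk_size: int = CHUNK) -> List[int]:
    """Offsets of chunks that do not hold the pattern; an empty list is clean."""
    bad = []
    with open(path, "rb") as f:
        offset = 0
        while True:
            block = f.read(chunk_size)
            if not block:
                break
            # chunk_size is a multiple of len(pattern), so each chunk is aligned
            if block != _fill(pattern, len(block)):
                bad.append(offset)
            offset += len(block)
    return bad


def wipe_media(path: str, pattern: bytes = b"\x00", random_pass: bool = True,
               chunk_size: int = CHUNK) -> dict:
    """Wipe, verify and report; without the report the wipe cannot be proven."""
    if chunk_size % len(pattern):
        raise ValueError("chunk_size must be a multiple of the pattern length")
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        if random_pass:
            _overwrite(f, size, None, chunk_size)  # pass 1: random bytes
        _overwrite(f, size, pattern, chunk_size)  # final pass: fixed pattern
    bad = verify_wipe(path, pattern, chunk_size)
    return {
        "bytes": size,
        "passes": 2 if random_pass else 1,
        "final_pattern": pattern.hex(),
        "verified": not bad,
        "unverified_chunks": len(bad),
        "finished_utc": datetime.now(timezone.utc).isoformat(),
    }


def demo(tamper: bool = False) -> dict:
    """Wipe a constructed ~2 MiB 'drive' of fake case remnants; tamper=True
    writes one byte back afterwards to show verification catching it."""
    with tempfile.TemporaryDirectory() as tmp:
        media = os.path.join(tmp, "case-target.img")
        with open(media, "wb") as f:
            f.write(b"OLD CASE DATA " * (2 * CHUNK // 14 + 1) + b"END")
        report = wipe_media(media, pattern=b"\x55\xaa")
        if tamper:
            with open(media, "r+b") as f:
                f.seek(CHUNK + 7)
                f.write(b"X")
            bad = verify_wipe(media, b"\x55\xaa")
            report.update(verified=not bad, unverified_chunks=len(bad))
        return report
```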
Recording equipment
Human perceptions being what they are, having an unbiased way to record events and objects is essential to computer forensic investigators. Which device or devices you ultimately choose depends on your needs, but you must use some unbiased documentation method.
Using video or audio equipment to record important aspects of a case is a useful way to preserve an unbiased view of your case permanently. Using a video camera, you can repeatedly revisit a crime scene to look for that single clue you missed.
You can document your methods directly by recording your work or even recording a computer screen’s output in a pinch.
Simply recording your thoughts is often best accomplished using a simple digital recorder that essentially acts as your personal note-taker!
You can find digital video cameras and audio recorders in any good retail electronics store, such as Best Buy or Radio Shack, or from Internet retailers.
The basic models now available are more than enough to document all your case needs, as long as you carry extra batteries and data storage capacity.
FAQs
What tools do forensic analysts use?
Forensic laboratory equipment ranges from instrumentation you would see in a general laboratory, such as microscopes, fume hoods, chromatographs and spectrometers, to equipment used for specific forensic analysis, like cyanoacrylate fuming chambers for lifting latent fingerprints.
What are the 3 A's of cyber forensics?
Acquisition (without altering or damaging), Authentication (that recovered evidence is the exact copy of the original data), and Analysis (without modifying) are the three main steps of computer forensic investigations.
What are three types of tools used by digital forensic examiners?
Tool categories:
- Disk and data capture tools
- File viewers and file analysis tools
- Registry analysis tools
- Internet and network analysis tools
- Email analysis tools
- Mobile device analysis tools
- Mac OS analysis tools
- Database forensics tools
Tools in those categories:
- SANS SIFT ...
- ProDiscover Forensic ...
- Volatility Framework ...
- CAINE ...
- X-Ways Forensics ...
- Xplico ...
- The Sleuth Kit (+Autopsy) ...
- Registry Recon
Xplico is an open-source network forensic analysis tool. It is used to extract useful data from applications that use Internet and network protocols. It supports most of the popular protocols, including HTTP, IMAP, POP, SMTP, SIP, TCP, UDP and others.
What are the five (5) steps of digital forensics?
The process of digital forensics includes 1) Identification, 2) Preservation, 3) Analysis, 4) Documentation and 5) Presentation.
What are the three C's in computer forensics?
Precision in security requires the data to be integrated in order to produce context, correlation and causation. We call it the "Three C's of Security." What do we mean by precision?
What are the 4 phases of digital forensics?
- Identification. First, find the evidence, noting where it is stored.
- Preservation. Next, isolate, secure, and preserve the data. ...
- Analysis. Next, reconstruct fragments of data and draw conclusions based on the evidence found.
- Documentation. ...
- Presentation.
What is FTK used for?
Forensic Toolkit, or FTK, is a computer forensics software made by AccessData. It scans a hard drive looking for various information. It can, for example, potentially locate deleted emails and scan a disk for text strings to use them as a password dictionary to crack encryption.
What is one of the most important tools of the forensic investigator?
| Term | Definition |
|---|---|
| The first task of forensic scientists is to convict a perpetrator (true or false) | false |
| Our brains fill in the gaps in our memories (true or false) | true |
| One of the most important tools of the forensic investigator is the ability to... | observe, interpret, and report observations clearly |
What is a hardware forensic tool?
Digital forensics tools are hardware and software tools that can be used to aid in the recovery and preservation of digital evidence. Law enforcement can use digital forensics tools to collect and preserve digital evidence and support or refute hypotheses before courts.
Is FTK Toolkit free?
The toolkit includes a standalone disk imaging program called FTK Imager. FTK Imager is a free tool that saves an image of a hard disk in one file or in segments that may be reconstructed later.
How much does FTK cost?
FTK is a forensic suite. The owner, AccessData, also makes the solid product FTK Imager available for free. They have recently expanded to offer cloud forensic capabilities. FTK is priced similarly to EnCase, at around $3000.
What is ProDiscover used for?
ProDiscover is widely used in Computer Forensics and Incident Response. The product suite is also equipped with diagnostic and evidence collection tools for corporate policy compliance investigations and electronic discovery. ProDiscover helps in efficiently uncovering files and data of interest.
Which software can make a forensic copy of RAM?
Belkasoft RAM Capturer: This is another forensic tool that allows the volatile section of system memory to be captured to a file. First responders will find that the functionality and wide range of tools available in this software package allow their investigations to start off as quickly as possible.
What is the bulk_extractor tool?
bulk_extractor is a C++ program that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures. The results are stored in feature files that can be easily inspected, parsed, or processed with automated tools.
How many C's are in computer forensics?
There are three C's in computer forensics.
What is the difference between computer forensics and digital forensics?
Technically, the term computer forensics refers to the investigation of computers. Digital forensics includes not only computers but also any digital device, such as digital networks, cell phones, flash drives and digital cameras.
What is the first step in computer forensics?
The digital forensic process is intensive. First, investigators find evidence on electronic devices and save the data to a safe drive. Then, they analyze and document the information. Once it's ready, they give the digital evidence to police to help solve a crime or present it in court to help convict a criminal.
Who is the father of computer forensics?
The field of digital forensics started in the early 90's, when digital computers began to be compromised. The FBI CART program, previously known as the "Magnet Media Program", was headed by Michael Anderson, the father of computer forensics.
What is computer forensics (PPT)?
INTRODUCTION 1.1 DEFINITION "Forensic computing is the process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable." (Rodney McKemmish 1999).
What are the three sources of digital evidence?
There are many sources of digital evidence, but for the purposes of this publication, the topic is divided into three major forensic categories of devices where evidence can be found: Internet-based, stand-alone computers or devices, and mobile devices.
How hard is digital forensics?
Computer forensics is hard, and it requires you to have a solid and varied IT background. If you decide to pursue a career in this field, it is essential to keep up with new technology trends. It is the responsibility of investigators in this field to investigate digital data collected as evidence in criminal cases.
What are the two types of data collected with forensics?
Two types of data are typically collected in data forensics. The first type of data collected in data forensics is called persistent data. Persistent data is data that is permanently stored on a drive, making it easier to find. The other type of data collected in data forensics is called volatile data.
How can we collect evidence in cyber crime?
Computer documents, emails, text and instant messages, transactions, images and Internet histories are examples of information that can be gathered from electronic devices and used very effectively as evidence.
With any digital forensic investigation, EnCase and FTK are the two most commonly used tools by law enforcement. EnCase is capable of acquiring data from a variety of digital devices, including smartphones/tablets, hard drives, and removable media.
Which tool is used for mobile forensics?
Hex dump. A hex dump, also called physical extraction, extracts the raw image in binary format from the mobile device. The forensic specialist connects the device to a forensic workstation and pushes the boot-loader into the device, which instructs the device to dump its memory to the computer.
Is FTK Imager open source?
FTK Imager is an open-source software by AccessData that is used for creating accurate copies of the original evidence without actually making any changes to it.
Is FTK Imager 4.5 free?
FTK Imager is a tool for creating disk images and is absolutely free to use.
Can FTK Imager image phones?
So basically the Android memory storage file format is not FAT/ExFAT/NTFS format and thus cannot be seen by FTK Imager.
Why is FTK Imager good?
FTK® Imager can create perfect copies, or forensic images, of computer data without making changes to the original evidence. The forensic image is identical in every way to the original, including file slack and unallocated space or drive free space.
What tools do criminalists use?
Criminalists use scientific and investigative methods to deduce how a particular crime took place. Today's criminalists utilize modern tools like 3D imaging and DNA sequencing to help law enforcement, building upon methods used hundreds of years ago.
What is the most reliable form of forensic evidence?
The Report, written by the US President's Science and Technology advisors (PCAST), concludes that DNA analysis is the only forensic technique that is absolutely reliable.
What are the 5 basic components in the crime scene?
Summary. In this chapter, we have discussed the critical issues of crime scene management, evidence identification, evidence location, evidence collection, evidence protection, and proper documentation.
What tools do forensic accountants use?
Truth be told, forensic accountants rely on calculators and computers. Generally speaking, think of a forensic accountant as a financial investigator.
What is the Autopsy forensic tool used for?
Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. It is used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera's memory card.
Do forensic accountants use Excel?
Excel spreadsheets are widely used throughout business and are the most pervasively used of the various End-User Computing (EUC) applications. Spreadsheets are widely made use of in Forensic Accounting.
What are the forensic audit techniques?
- Identify what fraud, if any, is being carried out.
- Determine the time period during which the fraud has occurred.
- Discover how the fraud was concealed.
- Identify the perpetrators of the fraud.
- Quantify the loss suffered due to the fraud.
- Gather relevant evidence that is admissible in the court.
Forensic data analytics allows you to make more informed and targeted decisions, specifically related to your internal controls, which can help you reduce fraud risks. By dissecting large data sets with the help of a forensic accountant, your organization will be able to do the following: Monitor trends.
What are digital forensic tools?
Digital Forensic Tools are software applications that help to preserve, identify, extract, and document computer evidence for law procedures. These tools help to make the digital forensic process simple and easy.
What is cyber security forensics?
Digital forensics in cyber security, defined: they're the people who collect, process, preserve, and analyze computer-related evidence. They help identify network vulnerabilities and then develop ways to mitigate them. They go deep inside networks, computers, and smartphones in search of evidence of criminal activity.
What is the difference between Autopsy and FTK Imager?
This is because FTK has stability issues and it crashes while processing and indexing data. This makes FTK really slow, as we can observe in the results. Autopsy is used for finding digital evidence while EnCase is used to process the evidence.
What is the Volatility tool?
Volatility is a command-line tool that allows you to quickly pull out useful information such as what processes were running on the device, network connections, and processes that contained injected code. You can even dump DLLs and processes for further analysis.
Is Autopsy free to download?
Yes, Autopsy can be downloaded for free. Built by Basis Technology with the core features you expect in commercial forensic tools, Autopsy is a fast, thorough, and efficient hard drive investigation solution that evolves with your needs.