Chapter 6 Current Digital Forensics Tools

Chapter 2 outlined how to set up a forensics laboratory. This chapter explores many software and hardware tools used during digital forensics investigations. No specific tools are recommended; instead, the goal is to explain how to select tools for digital investigations based on specific criteria.

Forensics tools are constantly being developed, updated, patched, revised, and discontinued. Therefore, checking vendors’ Web sites routinely to look for new features and improvements is important. These improvements might address a difficult problem you’re having in an investigation. Before purchasing any forensics tools, consider whether the tool can save you time during investigations and whether that time savings affects the reliability of data you recover. Many GUI forensics tools require a lot of resources and demand computers with more memory and faster processor speeds or more processors. Sometimes they require more resources than a typical workstation has because of other applications, such as antivirus programs, running in the background. These background programs compete for resources with a digital forensics program, and a forensics program or the OS can stop running or hang, causing delays in your investigation. Finally, when planning purchases for your forensics lab, determine what a new forensics tool can do better than one you’re currently using. In particular, assess how well the software performs in validation tests, and then verify the integrity of the tool’s results.

NOTE: As software continues to develop and investigators have new needs, vendors will address these needs. The tools listed in this chapter are in no way a complete list of tools available for Windows, Linux, or macOS.

Evaluating Digital Forensics Tool Needs

As described in Chapter 2, you need to develop a business plan to justify the acquisition of digital forensics hardware and software. When researching options, consider open-source tools, which sometimes include technical support. The goal is to find the best value for as many features as possible. Some questions to ask when evaluating tools include the following:

• On which OS does the forensics tool run? Does the tool run on multiple OSs?
• Is the tool versatile? For example, does it work in both Windows and Linux? Does it work in macOS?
• Can the tool analyze more than one file system, such as FAT, NTFS, and Ext4?
• Can a scripting language be used with the tool to automate repetitive functions and tasks?
• Does the tool have any automated features that can help reduce the time needed to analyze data?
• What’s the vendor’s reputation for providing product support? For open-source tools, how good are the support forums?

As you learn more about digital investigations, you’ll have more questions about tools for conducting these investigations. When you search for tools, keep in mind what OSs and file types you’ll be analyzing. For example, if you need to analyze Microsoft Access or SQL Server
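The chapter's advice to assess a tool in validation tests and then verify the integrity of its results can be turned into a small, repeatable harness. The following is an added example, not code from the textbook: a constructed in-memory "source drive" stands in for a physical device, and two hypothetical acquisition routines are run against it. One copies correctly; the other (a made-up defect) silently drops the short final chunk after the last full sector, which only a size-and-hash comparison against the source reveals. The sector size, the drive layout and both tool functions are assumptions for illustration.

```python
"""Validation harness for a disk-acquisition tool (added example, not from the book)."""
import hashlib

SECTOR = 512  # assumed sector size for the constructed drive


def build_source_drive(sectors: int = 8, tail: int = 100) -> bytes:
    """Construct a sample drive: `sectors` full sectors plus a short trailing chunk.

    The odd-sized tail is deliberate; it is a classic place for acquisition
    tools that only copy whole sectors to lose data.
    """
    body = b"".join(bytes([i]) * SECTOR for i in range(sectors))
    return body + b"\xAA" * tail


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire_correct(source: bytes) -> bytes:
    """Reference acquisition: read sector by sector, including the short tail."""
    out = bytearray()
    for off in range(0, len(source), SECTOR):
        out += source[off:off + SECTOR]
    return bytes(out)


def acquire_buggy(source: bytes) -> bytes:
    """Hypothetical defective tool: copies only whole sectors, losing the tail."""
    whole = (len(source) // SECTOR) * SECTOR
    return source[:whole]


def validate_acquisition(source: bytes, acquire) -> dict:
    """Run one acquisition routine and report what a validation log needs:
    sizes, hashes of source and image, and the first byte offset that differs."""
    image = acquire(source)
    src_hash, img_hash = sha256_of(source), sha256_of(image)
    # First differing byte within the overlapping part, if any.
    first_diff = next(
        (i for i, (a, b) in enumerate(zip(source, image)) if a != b), None
    )
    # If the overlap matches but the lengths differ, the discrepancy starts
    # where the shorter buffer ends.
    if first_diff is None and len(source) != len(image):
        first_diff = min(len(source), len(image))
    return {
        "tool": acquire.__name__,
        "source_bytes": len(source),
        "image_bytes": len(image),
        "source_sha256": src_hash,
        "image_sha256": img_hash,
        "hash_match": src_hash == img_hash,
        "first_mismatch_offset": first_diff,
    }


def run_validation() -> list:
    """Validate both candidate tools against the same constructed source."""
    source = build_source_drive()
    return [validate_acquisition(source, fn) for fn in (acquire_correct, acquire_buggy)]


if __name__ == "__main__":
    for report in run_validation():
        print(report)
```

The same pattern applies to a real tool: acquire a known reference drive (a NIST-style validation image or a drive you hashed beforehand), then compare size and hash of the output against the reference and record the result before the tool is used on evidence. Hash equality alone is sufficient evidence of an exact copy; the mismatch offset is only there to make the write-up of a failed test concrete.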
What is computer forensics?

Computer forensics is the application of investigation and analysis techniques to gather and preserve evidence from a particular computing device in a way that is suitable for presentation in a court of law. The goal of computer forensics is to perform a structured investigation and maintain a documented chain of evidence to find out exactly what happened on a computing device and who was responsible for it. Computer forensics -- which is sometimes referred to as computer forensic science -- essentially is data recovery with legal compliance guidelines to make the information admissible in legal proceedings. The terms digital forensics and cyber forensics are often used as synonyms for computer forensics. Digital forensics starts with the collection of information in a way that maintains its integrity. Investigators then analyze the data or system to determine if it was changed, how it was changed and who made the changes. The use of computer forensics isn't always tied to a crime. The forensic process is also used as part of data recovery processes to gather data from a crashed server, failed drive, reformatted operating system (OS) or other situation where a system has unexpectedly stopped working.

Why is computer forensics important?

In the civil and criminal justice system, computer forensics helps ensure the integrity of digital evidence presented in court cases. As computers and other data-collecting devices are used more frequently in every aspect of life, digital evidence -- and the forensic process used to collect, preserve and investigate it -- has become more important in solving crimes and other legal issues. The average person never sees much of the information modern devices collect. For instance, the computers in cars continually collect information on when a driver brakes, shifts and changes speed without the driver being aware.
However, this information can prove critical in solving a legal matter or a crime, and computer forensics often plays a role in identifying and preserving that information. Digital evidence isn't just useful in solving digital-world crimes, such as data theft, network breaches and illicit online transactions. It's also used to solve physical-world crimes, such as burglary, assault, hit-and-run accidents and murder. Businesses often use a multilayered data management, data governance and network security strategy to keep proprietary information secure. Having data that's well managed and safe can help streamline the forensic process should that data ever come under investigation. Businesses also use computer forensics to track information related to a system or network compromise, which can be used to identify and prosecute cyber attackers. Businesses can also use digital forensic experts and processes to help them with data recovery in the event of a system or network failure caused by a natural or other disaster. As the world becomes more reliant on digital technology for the core functions of life, cybercrime is rising. As such, computer forensic specialists no longer have a monopoly on the field. See how the police in the U.K. are adopting computer forensic techniques to keep up with increasing rates of cybercrime.

Types of computer forensics

There are various types of computer forensic examinations. Each deals with a specific aspect of information technology. Some of the main types include the following:
How does computer forensics work?

Forensic investigators typically follow standard procedures, which vary depending on the context of the forensic investigation, the device being investigated or the information investigators are looking for. In general, these procedures include the following three steps:
Often, multiple tools are used in computer forensic investigations to validate the results they produce. Learn how a researcher at Kaspersky Lab in Asia created an open source forensics tool for remotely collecting malware evidence without compromising system integrity.

Techniques forensic investigators use

Investigators use a variety of techniques and proprietary forensic applications to examine the copy they've made of a compromised device. They search hidden folders and unallocated disk space for copies of deleted, encrypted or damaged files. Any evidence found on the digital copy is carefully documented in a finding report and verified with the original device in preparation for legal proceedings that involve discovery, depositions or actual litigation. Computer forensic investigations use a combination of techniques and expert knowledge. Some common techniques include the following:
Find out more about computer forensic analytics in this chapter from the book Python Forensics: A Workbench for Inventing and Sharing Digital Forensic Technology, by Chet Hosmer. It shows how to use Python and cybersecurity technology to preserve digital evidence.

How is computer forensics used as evidence?

Computer forensics has been used as evidence by law enforcement agencies and in criminal and civil law since the 1980s. Some notable cases include the following:
Murder is just one of the many types of crime computer forensics can aid in combating. Learn how forensic financial analysis software is used to combat fraud.
Computer forensics careers and certifications

Computer forensics has become its own area of scientific expertise, with accompanying coursework and certification. The average annual salary for an entry-level computer forensic analyst is about $65,000, according to Salary.com. Some examples of cyber forensic career paths include the following:
A bachelor's degree -- and, sometimes, a master's degree -- in computer science, cybersecurity or a related field is required of computer forensic professionals. There are several certifications available in this field, including the following:
Learn more about a cyber forensics career from this interview with Amanda Rousseau, senior malware researcher at Endgame (now at Facebook), who began her career performing computer forensic investigations at the Department of Defense Cyber Crime Center. This was last updated in May 2021.
Which tool is used for forensic imaging?

Autopsy and The Sleuth Kit are likely the most well-known forensics toolkits in existence. The Sleuth Kit is a command-line tool that performs forensic analysis of forensic images of hard drives and smartphones. Autopsy is a GUI-based system that uses The Sleuth Kit behind the scenes.
What are forensic tools used for?

Digital forensics tools are hardware and software tools that can be used to aid in the recovery and preservation of digital evidence. Law enforcement can use digital forensics tools to collect and preserve digital evidence and support or refute hypotheses before courts.
Which type of tool can be used to compare results and verify a new tool by viewing data in its raw format?

Command-line disk acquisition tool from New Technologies, Inc.
What is FTK Imager?

FTK® Imager is a data preview and imaging tool that lets you quickly assess electronic evidence to determine if further analysis with a forensic tool such as Forensic Toolkit (FTK®) is warranted.