Unit - 2 Chapter - 5
• Computer forensics tools are divided into two major categories: hardware and software.
• Hardware Forensics Tools:
o Hardware forensics tools range from simple, single purpose components to
complete computer systems and servers.
o Single-purpose components can be devices, such as the ACARD AEC-7720WP
Ultra-Wide SCSI-to-IDE Bridge, which is designed to write-block an IDE drive
connected to a SCSI cable.
o Some examples of complete systems are Digital Intelligence F.R.E.D. systems,
DIBS Advanced Forensic Workstations, and Forensic Computers Forensic
Examination Stations and portable units.
• Software Forensics Tools:
o Software forensics tools are grouped into command-line applications and GUI
applications.
o Some tools are specialized to perform one task, such as SafeBack, a command-line
disk acquisition tool from New Technologies, Inc. (NTI).
o Other tools are designed to perform many different tasks. For example, Technology
Pathways ProDiscover, X-Ways Forensics, Guidance Software EnCase, and
AccessData FTK are GUI tools designed to perform most computer forensics
acquisition and analysis functions.
o Software forensics tools are commonly used to copy data from a suspect’s drive to
an image file.
o Many GUI acquisition tools can read all structures in an image file as though the
image were the original drive.
o Many analysis tools, such as ProDiscover, EnCase, FTK, X-Ways Forensics, ILook,
and others, have the capability to analyse image files.
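The acquisition step described above (copying a suspect drive to an image file) is only useful if the image can be shown to match the source. The following is an added example, not code from the page or from any of the tools it names: it copies a constructed "evidence drive" file block by block, hashes the stream as it is read (the way dcfldd does), and then re-hashes the written image to verify it. The file names and the 512-byte sector layout of the sample are constructed for the demonstration.

```python
"""Forensic disk-image acquisition with hash verification (added example)."""
import hashlib
import os
import tempfile

CHUNK_SIZE = 64 * 1024  # read the source in fixed-size blocks, as dd/dcfldd do


def acquire_image(source_path, image_path, chunk_size=CHUNK_SIZE):
    """Copy source_path byte-for-byte to image_path, hashing the stream as it is read.

    Returns the acquisition record an examiner would put in the case notes:
    bytes copied plus MD5 and SHA-256 of the data that went into the image.
    """
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    copied = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while True:
            chunk = src.read(chunk_size)
            if not chunk:
                break
            md5.update(chunk)
            sha256.update(chunk)
            dst.write(chunk)
            copied += len(chunk)
    return {"bytes": copied, "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def hash_file(path, algorithm="sha256", chunk_size=CHUNK_SIZE):
    """Hash an existing file in chunks so large images need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(image_path, record):
    """Re-hash the written image and compare it with the acquisition hash."""
    return hash_file(image_path) == record["sha256"]


def run_demo():
    """Image a constructed sample drive, verify it, then show a tampered image failing."""
    with tempfile.TemporaryDirectory() as workdir:
        source = os.path.join(workdir, "evidence.bin")  # constructed stand-in for a drive
        image = os.path.join(workdir, "evidence.dd")
        # Constructed sample: 400 "sectors" of 512 bytes, each filled with its sector number.
        with open(source, "wb") as f:
            for sector in range(400):
                f.write(sector.to_bytes(4, "little") * 128)
        record = acquire_image(source, image)
        source_matches = hash_file(source) == record["sha256"]
        image_ok = verify_image(image, record)
        # Flip one byte in the image to show that verification catches the change.
        with open(image, "r+b") as f:
            f.seek(4096)
            byte = f.read(1)
            f.seek(4096)
            f.write(bytes([byte[0] ^ 0xFF]))
        tampered_ok = verify_image(image, record)
    return {"bytes": record["bytes"], "source_matches": source_matches,
            "image_ok": image_ok, "tampered_ok": tampered_ok}


if __name__ == "__main__":
    print(run_demo())
```

Hashing the stream during the copy, rather than hashing the source separately afterwards, matters in practice: a second pass over a failing drive may read different bytes, so the hash recorded at acquisition time is the one later comparisons are made against.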
1. SMART:
o SMART is designed to be installed on numerous Linux versions.
o We can analyse a variety of file systems with SMART; for a list of file systems or to
download an evaluation ISO image for SMART and SMART Linux,
o SMART includes several plug-in utilities. This modular approach makes it possible to
upgrade SMART components easily and quickly.
o SMART can also take advantage of multithreading capabilities in OSs and hardware, a
feature lacking in other forensics utilities.
o Another useful option in SMART is the hex viewer. Hex values are color-coded to make
it easier to see where a file begins and ends.
2. Helix:
o We can load Helix on a live Windows system, and it also loads as a bootable Linux OS
from a cold boot. Its Windows component is used for live acquisitions.
o During corporate investigations, often we need to retrieve RAM and other data, such as
the suspect’s user profile, from a workstation or server that cannot be seized or turned
off.
o This data is extracted while the system is running and captured in its state at the time
of extraction.
3. BackTrack:
o BackTrack is another Linux Live CD used by many security professionals and forensics
investigators.
o It includes a variety of tools and has an easy-to-use KDE interface.
o Autopsy and Sleuth Kit are included with the BackTrack tools as well as Foremost,
dcfldd, Pasco, MemFetch, and MBoxGrep.
5. Knoppix-STD:
o Knoppix Security Tools Distribution (STD) is a collection of tools for configuring
security measures, including computer and network forensics.
o Like Helix, Knoppix-STD is a Linux bootable CD. If we shut down Windows and
reboot with the Knoppix-STD disc in the CD/DVD drive, the system boots into Linux.
Forensics workstation
• Many computer vendors offer a wide range of forensic workstations that we can tailor to
meet our investigation needs. The more diverse the investigation environment, the more
options we need.
• In general, forensic workstations can be divided into the following categories:
1. Stationary workstation—A tower with several bays and many peripheral devices.
2. Portable workstation—A laptop computer with a built-in LCD monitor and almost as
many bays and peripherals as a stationary workstation.
3. Lightweight workstation—Usually a laptop computer built into a carrying case with
a small selection of peripheral options.
Write-Blocker
• Write-blockers protect evidence disks by preventing data from being written to them.
• Software and hardware write-blockers perform the same function but in a different
fashion.
• Software write-blockers, such as PDBlock from Digital Intelligence, typically run in a
shell mode.
• PDBlock can run only in a true DOS mode, however, not in a Windows MS-DOS shell.
• With hardware write-blockers, we can connect the evidence drive to the workstation and
start the OS as usual. Hardware write-blockers are ideal for GUI forensics tools.
• They prevent Windows or Linux from writing data to the blocked drive. Hardware
write-blockers act as a bridge between the suspect drive and the forensic workstation.
• In the Windows environment, when a write-blocker is installed on an attached drive,
the drive appears as any other attached disk.
• When we copy data to the blocked drive or write updates to a file with Word, Windows
shows that the data copy is successful.
• However, the write-blocker discards the written data—in other words, data is written to
null.
• When we restart the workstation and examine the blocked drive, we will not see the
data or files we copied to it previously.
• Most write-blockers let us remove and reconnect drives without having to shut down
the workstation, which saves time in processing the evidence drive.
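The bullets above describe the behaviour an examiner relies on: the OS believes each write succeeded, but the bridge discards the data and the drive is unchanged. The following is an added example, not code from the page or from any write-blocker vendor: it models a drive and a blocking bridge in memory, then runs the check a practitioner uses to validate a blocker before trusting it, hashing the drive, attempting writes through the bridge, and hashing again. The drive contents, probe offsets and class names are constructed for the demonstration.

```python
"""Model of a hardware write-blocker and a before/after hash validation (added example)."""
import hashlib


class EvidenceDrive:
    """Constructed sample drive: a flat byte array addressed by offset."""

    def __init__(self, data):
        self._data = bytearray(data)

    def read(self, offset, length):
        return bytes(self._data[offset:offset + length])

    def write(self, offset, data):
        self._data[offset:offset + len(data)] = data
        return len(data)

    def digest(self):
        return hashlib.sha256(self._data).hexdigest()


class WriteBlockedBridge:
    """Sits between the OS and the drive like a hardware bridge.

    Reads pass through. Writes are acknowledged as successful but never reach the
    drive (the "written to null" behaviour described above). Every discarded write is
    logged so the examiner can see that the OS did attempt to write.
    """

    def __init__(self, drive):
        self._drive = drive
        self.discarded = []  # (offset, byte count) of every write swallowed

    def read(self, offset, length):
        return self._drive.read(offset, length)

    def write(self, offset, data):
        self.discarded.append((offset, len(data)))
        return len(data)  # report success to the caller, as the page describes


def validate_blocker(drive, bridge, probe_offsets, probe=b"EXAMINER-PROBE"):
    """Hash the drive, push writes through the bridge, hash again.

    Returns (drive_unchanged, writes_attempted). A blocker passes only when the
    hash is identical and the attempted-write count equals the number of probes.
    """
    before = drive.digest()
    for off in probe_offsets:
        bridge.write(off, probe)
    after = drive.digest()
    return before == after, len(bridge.discarded)


def run_demo():
    data = bytes(range(256)) * 16  # 4 KiB of constructed drive contents
    probes = [0, 512, 4000]

    blocked = EvidenceDrive(data)
    bridge = WriteBlockedBridge(blocked)
    unchanged, attempts = validate_blocker(blocked, bridge, probes)

    # Same probes straight to an unprotected copy, to show what the bridge prevents.
    unprotected = EvidenceDrive(data)
    before = unprotected.digest()
    for off in probes:
        unprotected.write(off, b"EXAMINER-PROBE")

    return {"blocked_unchanged": unchanged,
            "attempts": attempts,
            "unprotected_unchanged": unprotected.digest() == before,
            "readback_through_bridge": bridge.read(0, 4) == data[:4]}


if __name__ == "__main__":
    print(run_demo())
```

The same before/after hash comparison is how a physical blocker is validated in the lab: image the drive, mount it through the blocker, perform ordinary OS activity (copy a file, let Windows mount the volume), then re-hash the drive and confirm the digest has not moved.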