Forensic Tools
Download
Report
Transcript Forensic Tools
by
Donald Wood
CSS 350
Overview
Forensic tools are an important part of the computer
forensic investigator’s ability to perform his/her job.
Imaging Tools (disk imaging, write protection, etc)
Search Tools (Text, program, etc)
Data Recovery Tools (deleted files, format recovery, etc)
Recommended Hardware Tools
Monitoring tools, both network and individual system
Strengths, weaknesses, risks, reviews of each
Imaging Suggested Tool
DeepSpar Disk Imager
The first dedicated imaging device built to handle disk-
level problems. DeepSpar Disk Imager Forensic Edition
is a portable version of DeepSpar Disk Imager Data
Recovery Edition with addition of forensic-specific
functionality.
Imaging Suggested Tool Con’t
Strengths
Maps scanned sectors and “remembers” just where you left off if
the process is interrupted.
Weaknesses
Drive caching can cause problems for example: if there is a bad
sector within the read ahead block it can cause the drive to hang
or timeout
Risks
Same as weakness
Reviews
Accesses the drive directly using its own hardware and software
routines to send ATA read commands so any media errors can be
identified immediately, blocks containing bad sectors are skipped
and the imaging process continues from the next block of data
until the first pass is finished. Once complete, it then goes
backwards through the drive so that any drive caching is disabled.
Imaging Suggested Tool Con’t
Search Tools
Hurricane Search
Created to help you search for evidence and solve
computer crime. Hurricane Search helps find text stored
on computer hard drives. Build evidence by searching
text files, PDF documents, and Word files thoroughly as
well as finding evidence in binary files with embedded
information on hard drives.
Search Tools Con’t
Strengths
Elect multiple directories to include or exclude from searches, User
interface enhances the way you work through minimized keystrokes,
Preview results in context, Search data hidden in compressed Zip and
Binary files
Weaknesses
None Listed
Risks
None Listed
Reviews
Used worldwide by thousands of professionals to find text and build
legal evidence. Our customers have reported that Hurricane Search is
used to conduct employee investigation, ensure intellectual property
protection, assist law enforcement officers, and located malicious data
in business environments or on client workstations.
Data Recovery
DriveLook V1.00
Scans a drive or a partition of a drive for text strings and
stores them in a table. After completion of the scan you
can browse this table and view the locations where the
words have been found. The search function allows you
to do fast inquiries for combinations of words.
Data Recovery Con’t
Strengths
The search function allows you to do fast inquiries for combinations
of words.
Weaknesses
Limited to a Windows OS
Risks
None Listed
Reviews
Used worldwide by thousands of professionals to find text and build
legal evidence. Our customers have reported that Hurricane Search
is used to conduct employee investigation, ensure intellectual
property protection, assist law enforcement officers, and located
malicious data in business environments or on client workstations.
Recommended Hardware Tools
A hardware platform could be anything from a 7-bay tower to
a portable small form factor system or even a laptop. A system
with a MicroATX motherboard and medium form factor case
is a reasonable compromise for a static lab station. A standard
MicroATX board will supply onboard video and be able to
support 2 PCI cards, 2 PCI Express cards, 4 DIMMs, Parallel
and Serial ATA hard drives, Floppy drives, USB 2.0, and
Gigabit Ethernet. A new Intel or AMD CPU will be more than
sufficient for most investigations. While the processor speed
does make a difference for certain operations, one of the
mainstays of the forensic investigation is the keyword search
which requires that each sector of a suspect hard drive be
examined and the speed of that process relies almost entirely
on the speed of the drive itself. Instead of investing in highpriced workstations with the top-of-the-line CPUs,
investigators should focus on ensuring the highest speed I/O
bus so the system can quickly access the data stored on disk.
Network Monitoring Tools
Network Monitoring
Scrutinizer - delivers a diverse range of free and
commercial flow measuring and monitoring tools.
Network Monitoring Tools Con’t
Strengths
Saves unlimited amounts of past NetFlow data.
Weaknesses
None Listed
Risks
None Listed
Reviews
Saves unlimited amounts of past NetFlow data. Adds several
additional traffic analysis Report Types (e.g. Flows, Flow Volume,
NBAR Support, etc.). Algorithms perform Network Behavior
Analysis on all flows across all routers / switches. Top
(applications, hosts, flows, countries, domains, etc.) across all
routers / switches. Constantly resolving all IP addresses. Uses
saved Scrutinizer Reports to monitor for threshold violations.
http://media.plixer.com/promo/scrutinizerPromo.html
Host Monitoring Tools
Advanced Host Monitor Version 8.58
Host Monitor is a highly scalable network monitoring
software suitable for small and enterprise-level
networks.
Host Monitoring Tools Con’t
Strengths
In the event of network errors, HostMonitor will alert the network
administrator (or even correct the problem when possible) before
problems get seriously out of hand.
Weaknesses
None Listed
Risks
None Listed
Reviews
A system management tool that continuously monitors servers'
availability and performance. In the event of network errors,
HostMonitor will alert the network administrator (or even correct
the problem when possible) before problems get seriously out of
hand. This helps protect your company's data and reduces the
likelihood of costly network failures.
http://www.ks-soft.net/hostmon.eng/mainwin1.htm
Resources
http://www.deepspar.com/products-ds-disk-imager
forensic.html?gclid=CMaD8rf6tKECFQz_iAod0Em2Dw
http://www.hurricanesoft.com/hsforensics.jsp
http://www.runtime.org/drivelook.htm
https://www.issa.org/Library/Journals/2006/March/Stanle
y,%20McGoff%20%20Choosing%20Hardware%20for%20a%20Computer%20
Forensic%20Lab.pdf
http://www.plixer.com/products/netflow-sflow/freenetflow-scrutinizer.php
http://www.ks-soft.net/hostmon.eng/
Questions