Computer Forensics Software

There are many computer forensics software packages available, serving different purposes. In fact, some programs were not designed for forensics but are used as tools to assist. Some are free, some are expensive. We'll go over each one. Of course, these are just my own personal opinions. For the record, we are using EnCase 6 and Paraben's Email Examiner. I plan to install FTK Imager, Robocopy, R-Studio, and M2CFG Writeblock Utility.

Analysis Software:
EnCase 6 is expensive but powerful software that is used mainly for imaging and analysis. Personally, I do not like the interface, but since they are the largest software company in the industry, many investigators are used to it. I don't like the fact that you have to scroll horizontally to access some functions. I would prefer to see everything at once. The new index function is not as good as FTK's yet. Searching is awkward. I would think that by clicking the Search function, I can start searching. However, it is not that intuitive. You need to enter keywords (for live search) or conditions (for the index) in a separate window from the Search function. However, it is powerful software. It just has a higher learning curve than other programs. I'm sure I would like it more once I take their training courses. An important note is that it has been proven in court over and over again and has been accepted by the courts.

Forensic Toolkit (FTK) 1.7 is less expensive than EnCase, but just as powerful. FTK's interface looks overwhelming at first, as there are many buttons on the main window. However, their basic training course makes it very easy to learn. Once learned, everything is where you expect it to be. Images, email, and search are easy to use and straightforward. The reports feature creates a nice and clean report of what the investigator found. The index feature makes it easy to do multiple keyword searches. Although it takes a long time to start the case, as it indexes everything first, search results are instant afterwards. FTK 2.0 (not out yet as of this writing) uses multiple threads to allow the investigator to work directly in the case while indexing at the same time. Although I prefer FTK over EnCase, it is important to know both, as you may find some cases where EnCase can find things that FTK cannot and the other way around.

Imaging:
FTK Imager provides an easy way to image a hard drive. It allows the investigator to create dd images, Smart images, and EnCase images. The program loads quickly, allows easy previewing of a hard drive, and is my preferred choice for imaging. It is also available free from AccessData.

Forensic Copy:
Robocopy is a free program and is part of the Windows Server 2003 Resource Kit Tools. Although previous versions did not copy forensically, the new version does. This is a very fast and efficient program that will retry copying automatically if it fails. There were times when I had to copy logical files from one drive to another and hope the copy did not fail. With this program, I can leave it overnight and not worry about it. Pinpoint Labs provides a free user interface for Robocopy. They also provide other free tools that are worth checking out.

XXCopy is another good copy program. The professional version is not free, but it is still inexpensive. However, between the two copy programs mentioned, I would choose Robocopy over XXCopy.
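Whichever copy program is used, the copy still has to be verified against the source before it is relied on. The following is an added example (not from the original post or from any of the tools mentioned) that hashes every file in the source and destination trees and reports files that are missing, extra, or differ; the directory names and file contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream-hash a file so large evidence files never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Map each file's path (relative to root, POSIX separators) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_copy(source, destination):
    """Compare the two trees and classify every file; all lists are sorted."""
    src, dst = hash_tree(source), hash_tree(destination)
    common = src.keys() & dst.keys()
    return {
        "missing": sorted(set(src) - set(dst)),          # never copied
        "extra": sorted(set(dst) - set(src)),            # only in the copy
        "mismatch": sorted(k for k in common if src[k] != dst[k]),  # bad copy
        "verified": sorted(k for k in common if src[k] == dst[k]),
    }


def demo():
    """Constructed sample: a source tree and a copy with one truncated and one missing file."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "source"), Path(tmp, "copy")
        (src / "mail").mkdir(parents=True)
        (dst / "mail").mkdir(parents=True)
        (src / "mail" / "inbox.pst").write_bytes(b"A" * 4096)
        (src / "mail" / "notes.txt").write_bytes(b"meeting notes")
        (src / "readme.txt").write_bytes(b"hello")
        (dst / "mail" / "inbox.pst").write_bytes(b"A" * 4000)  # copy failed part-way
        (dst / "readme.txt").write_bytes(b"hello")              # copied correctly
        return verify_copy(src, dst)                            # notes.txt was never copied


if __name__ == "__main__":
    print(demo())
```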

USB Software Writeblock:
Windows XP SP2 allows users to writeblock USB devices through the registry. A white paper for this is provided by AccessData here. The Mid-Michigan Computer Forensics Group provides a user interface utility for this feature. To work properly, the USB device must not be connected to the computer first. Enable the writeblock, then plug in the device. Any devices already connected when the writeblock was enabled will not be protected. As always, verify that all software you use works properly. One problem that I have with this program is that it does not state the current status of the writeblock (enabled or disabled). I also prefer to use a hardware writeblocker over software.

Mounting Images:
Sometimes we want to mount images to preview the drive. Although FTK Imager is capable of achieving this, sometimes it is easier to see the image mounted in an interface we are used to. Mount Image Pro 2.0 is inexpensive software that lets us mount dd and EnCase images as Windows drives. From there, we can preview the drive as if it were part of our local computer.

Another great piece of software is Mount Everything. One time, we received many UNIX drives to investigate. We had to boot a system using Knoppix, create a Samba server, and from there image the drive over the network. At that time, I did not know about Mount Everything. This program lets us mount the UNIX drive as a Windows partition. It shows up as another drive in Windows Explorer, which makes it much easier to image.

Wiping Drives:
EnCase can be used to wipe drives; however, I prefer to use WinHex. WinHex is powerful but affordable software that provides a low-level view of drives. When I am wiping multiple drives, I prefer to use a hardware solution that allows multiple drives to be connected at once. However, to verify that a drive has been zeroed out, or to wipe a single drive, I prefer to use WinHex. WinHex lets us decide whether to do a single pass or a Department of Defense (DoD) wipe. To quickly verify a wiped drive, I like to run the checksum function and see that it adds up to 0.
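A checksum of 0 is a quick screen, but a fixed-width checksum wraps around and can read 0 for non-zero data, so the authoritative check is a byte-by-byte scan. The following is an added example (not from the original post and not WinHex's own checksum) that scans a drive or image for any non-zero byte while also computing a wrapping additive checksum; the two sample images are constructed, and the 16-bit width is chosen only so the wrap-around can be shown with a few hundred bytes. On a real drive, pass a raw device path such as /dev/sdb or \\.\PhysicalDrive1 (which needs administrator rights).

```python
import os
import tempfile


def verify_zeroed(path, chunk_size=1 << 20, bits=32):
    """Return (all_zero, first_nonzero_offset, wrapping_checksum).

    Reads in fixed-size chunks so a multi-hundred-GB device never has to fit
    in memory. all_zero is the authoritative result; the checksum is the kind
    of quick screen that can wrap to 0 even when the data is not zero.
    """
    mask = (1 << bits) - 1
    zero_block = bytes(chunk_size)
    checksum, offset, first_bad = 0, 0, None
    with open(path, "rb", buffering=0) as f:          # unbuffered: works on raw devices
        while True:
            chunk = f.read(chunk_size)
            if not chunk:
                break
            if first_bad is None and chunk != zero_block[:len(chunk)]:
                # record where the wipe failed; enumerate only on the first bad chunk
                first_bad = offset + next(i for i, b in enumerate(chunk) if b)
            checksum = (checksum + sum(chunk)) & mask  # wraps like a fixed-width checksum
            offset += len(chunk)
    return first_bad is None, first_bad, checksum


def demo():
    """Constructed samples: a properly zeroed image and one with a stray block
    of 0x80 bytes whose 16-bit additive checksum still wraps to exactly 0."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        zeroed = os.path.join(tmp, "zeroed.img")
        with open(zeroed, "wb") as f:
            f.write(bytes(4096))
        tainted = os.path.join(tmp, "tainted.img")
        with open(tainted, "wb") as f:
            f.write(bytes(2048) + b"\x80" * 512 + bytes(1536))  # 512 * 0x80 == 0x10000
        results["zeroed"] = verify_zeroed(zeroed, chunk_size=1024, bits=16)
        results["tainted"] = verify_zeroed(tainted, chunk_size=1024, bits=16)
    return results


if __name__ == "__main__":
    for name, (ok, where, csum) in demo().items():
        print(f"{name}: all_zero={ok} first_nonzero={where} checksum={csum}")
```

In the constructed tainted image the checksum reads 0 although 512 bytes were never wiped, which is why the scan result, not the checksum, should decide whether a drive is clean.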

There are so many tools out there. The ones listed are some that I currently use. You should use programs that you know well. As long as you know how the software works and can defend the software you use, it should be in your arsenal.
