Running Head: Computer Forensic Tools


Computer Forensic Tools LaRon Walker Master of Information Technology and Internet Security June, 2010


Abstract

Computer forensics is becoming an essential skill set for keeping up with the evolving computer crimes of today's digital world. Along with these skills, tools and utilities are also needed to help maintain the integrity of forensic evidence during the collection process. Some of these tools include file and disk utilities, network utilities, and other system utilities that monitor active processes on a computer system.


The growth of cyber crime has created great concern among consumers and corporations alike, placing more focus on ways to obtain the evidence necessary to convict offenders. This has also forced the evolution of computer forensics. Computer forensics is a group of tools used in combination to collect the digital fingerprints left behind by those who attempt to hide or erase traces of data that may be used as evidence. There are many tools today that can help forensic investigators identify, gather, and maintain the integrity of digital evidence while processing it. These tools include, but are not limited to, file and disk utilities, network utilities, and other system utilities that monitor active processes on a computer system. According to Keston (2008), some of the most commonly used forensic techniques consist of acquiring (imaging) data without altering it, registry analysis, data hashing, hex editing, data carving/artifact recovery, and password recovery. To have a good forensics strategy, multiple tools specializing in different areas may be necessary to gather all the information needed to be admissible in a courtroom. This can be accomplished either by building a forensics toolkit from customized standalone utilities or by using a vendor-made suite of tools. Although either of these strategies can be very effective, using a combination of both is common, as investigators must adapt to different computing environments.

The acquisition of data plays a key role when collecting information to be used as digital evidence. This practice can consist of capturing the process used to gather the data, as well as ways to verify that the data has not been altered in any way. Many forensic tools have been developed to accomplish these goals. According to Keston (2008), some of these tools include SourceForge FTimes, Technology Pathways ProDiscover for Windows, and Intelligent Computer Solutions (ICS) Solo-3 Forensic Kit. Below is a screenshot of Technology Pathways ProDiscover for Windows gathering forensic information.

Registry analysis also plays a vital role when collecting computer forensic evidence. This tactic helps trace computer activity by browsing registry content for information that may have been deleted by other means. Paraben's Registry Analyzer, RegRipper, and James Macfarlane's Perl-based Parse-Win32Registry are a few examples of these types of forensic tools. Below is a screenshot of RegRipper.

Unfortunately, I did not have a registry hive file to use, so the screenshot does not display the tool in action. RegRipper is not a registry reader like Regedit, but a tool that extracts registry information that includes or contains timestamp data. This can be useful when gathering information on the most recently used applications or files.

Data carving is another important concept that is useful in collecting information for computer forensic evidence. The utility file is a tool that can be used along with hex editors to determine file types and formats. This tool reads the header and footer information that every file needs in order to be correctly recognized. Every file type has a unique sequence of identifying bytes, and the file utility, along with a hex editor, can display this information.


Below is an example of how the utility displays this information for a .lst (Fortran program) file. The example was performed on a Unix operating system.

[Figure: file command output]

[Figure: hex editor output]
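As an added example (not code from the paper or from the file utility itself), the following Python script shows the header/footer check described above: a small signature table of the kind file(1) consults, a hex-editor style dump of the leading bytes, and a SHA-256 hash to document that the data was not altered after acquisition. The signature table is an assumption covering only five formats, and the sample blobs are constructed.

```python
import hashlib

# Header (magic) and, where the format defines one, footer signatures.
# Well-known published values; this table is an assumption and covers only five formats.
SIGNATURES = {
    "JPEG": (b"\xff\xd8\xff", b"\xff\xd9"),
    "PNG": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "GIF": (b"GIF8", b"\x3b"),
    "PDF": (b"%PDF-", b"%%EOF"),
    "ZIP": (b"PK\x03\x04", None),
}

def identify(data: bytes) -> dict:
    """Classify a blob by its header bytes, as file(1) does, and report whether the
    expected footer is present (a truncated carve shows up as complete=False)."""
    for name, (header, footer) in SIGNATURES.items():
        if data.startswith(header):
            complete = footer is None or data.rstrip(b"\r\n").endswith(footer)
            return {"type": name, "complete": complete}
    return {"type": "unknown", "complete": False}

def hexdump(data: bytes, length: int = 16) -> str:
    """Render the first `length` bytes the way a hex editor shows them."""
    chunk = data[:length]
    hexpart = " ".join(f"{b:02x}" for b in chunk)
    ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
    return f"{hexpart:<{length * 3}} |{ascii_part}|"

def sha256(data: bytes) -> str:
    """Hash recorded at acquisition time so later copies can be verified against it."""
    return hashlib.sha256(data).hexdigest()

# Constructed samples: a minimal PNG, a JPEG cut off before its footer,
# and a ZIP archive that was renamed to look like a text file.
SAMPLES = {
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 20 + b"IEND\xaeB`\x82",
    "cut.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 20,
    "notes.txt": b"PK\x03\x04" + b"\x00" * 26,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        info = identify(blob)
        print(f"{name}: {info['type']} complete={info['complete']}")
        print("  ", hexdump(blob))
        print("   sha256:", sha256(blob))
```

The extension is ignored on purpose: notes.txt is classified as ZIP from its bytes, and cut.jpg is flagged as incomplete because the JPEG end marker is missing.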


Overall, using a combination of file and disk utilities, network utilities, and other system utilities that monitor active processes can help gather information from a computer or network in a manner that can be used as computer evidence. These tools can also help collect the data without altering it in any way. This is a very critical component when investigators are called to present computer forensic evidence in a courtroom.


References

Keston, G. (2008). Computer Forensics for Windows Files. Faulkner Information Services. Retrieved June 27, 2010, from Faulkner Information Services database.
