
Module 5

Computer forensic tools


Definition and functions
• Computer forensics tools are hardware or software tools that can be used to aid in the recovery and preservation of digital evidence.
• Computer forensics tools allow investigators to gather intelligence about computer users, find deleted files, reconstruct artifacts, and try to gather as much evidence as they can.
• The outcome of using all these tools should be handled by professional computer forensic analysts in order to be admissible in a court of law.

Types of computer forensic tools
Computer forensics tools are designed to ensure that the information
extracted from computers is accurate and reliable. Due to the wide
variety of different types of computer-based evidence, a number of
different types of computer forensics tools exist, including:
• Disk and data capture tools

• File viewers

• File analysis tools

• Registry analysis tools

• Internet analysis tools

• Email analysis tools

• Mobile devices analysis tools

• Network forensics tools

• Database forensics tools


Autopsy/The Sleuth Kit

Autopsy and The Sleuth Kit are among the most well-known and popular forensics tools in existence.
These tools are designed to analyze disk images and perform in-depth analysis of file systems, and they include the following features.

• Extensible — the user should be able to add new functionality by creating plugins that can analyze all or part of the underlying data source.
• Centralised — the tool must offer a standard and consistent mechanism for accessing all features and modules.
• Ease of Use — the Autopsy Browser has the wizards and history tools to make it easier for users to repeat their steps without excessive reconfiguration.
• Multiple Users — the tool should be usable by one investigator or coordinate the work of a team.
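The definition above says these tools "find deleted files" and FTK Imager below "scans the disk for content strings". The mechanism behind both is a pass over the raw bytes of the image rather than over file-system metadata: when a directory entry is deleted, the file's bytes usually remain in unallocated space until overwritten, and a known header/footer signature is enough to cut them back out. The following is an added example written for this module; it is not code from Autopsy, The Sleuth Kit or any other tool named here, and the two signatures, the `CarvedFile` type and the constructed sample image are assumptions made for the demonstration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Header/footer byte signatures assumed for this example (two common
# image formats); a real carver ships a much longer signature table.
SIGNATURES: dict[str, tuple[bytes, bytes]] = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
}


@dataclass
class CarvedFile:
    kind: str      # signature name that matched
    offset: int    # byte offset of the header inside the image
    data: bytes    # header .. footer, inclusive


def carve(image: bytes, max_size: int = 10 * 1024 * 1024) -> list[CarvedFile]:
    """Recover files by content signature alone, ignoring file-system metadata.

    This is what lets a tool find a file whose directory entry was deleted:
    the bytes are still in unallocated space until something overwrites them.
    """
    found: list[CarvedFile] = []
    for kind, (header, footer) in SIGNATURES.items():
        start = 0
        while (pos := image.find(header, start)) != -1:
            # The footer must follow the header within max_size bytes.
            end = image.find(footer, pos + len(header), pos + max_size)
            if end == -1:
                start = pos + 1          # truncated or overwritten: skip it
                continue
            end += len(footer)
            found.append(CarvedFile(kind, pos, image[pos:end]))
            start = end
    return sorted(found, key=lambda f: f.offset)


def find_strings(image: bytes, min_len: int = 4) -> list[tuple[int, str]]:
    """Content-string scan: runs of printable ASCII of at least min_len bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(image)]


def build_sample_image() -> bytes:
    """Constructed sample: filler, a minimal PNG-shaped blob, unallocated
    filler, then a JPEG-shaped blob. Not a real disk image."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16 + b"IEND\xaeB`\x82"
    jpg = b"\xff\xd8\xff\xe0JFIF" + b"\x00" * 8 + b"\xff\xd9"
    return b"\x00" * 512 + png + b"\xff" * 300 + jpg + b"\x00" * 100


if __name__ == "__main__":
    sample = build_sample_image()
    for f in carve(sample):
        print(f"{f.kind} at offset {f.offset}, {len(f.data)} bytes")
    for off, s in find_strings(sample):
        print(f"string at {off}: {s}")
```

The `max_size` bound matters in practice: without it, a header whose footer was overwritten would be paired with the footer of some unrelated file far later on the disk, producing a corrupt carve that still "looks" recovered.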
ProDiscover
ProDiscover Forensics is a comprehensive digital forensics software suite that enables investigators to capture key evidence from computer systems.
The suite is also equipped with diagnostic and evidence collection tools for forensic investigations and electronic discovery.

• Preview and image disks
• Examine all major file systems
• Full-text search with multilingual capabilities
• Web and email artifacts
• Social media artifacts
• Integrated tools and viewers
• Integrated artificial intelligence tools for image and video analytics
• Cloud forensics
FTK Imager
(Forensic Tool Kit)
FTK Imager is a tool for creating disk images and is free to use. It was developed by AccessData. It is used to preview data and to create images.

• Complete hard drive examination
• Finds deleted emails
• Scans the disk for content strings
• Incorporates an independent disk imaging program
• Contains different viewing perspectives of information
• Computes MD5 hash values; confirms document integrity
• Simple user interface; advanced search/password access
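The two FTK Imager features that matter most for admissibility are "incorporates an independent disk imaging program" and "computes MD5 hash values; confirms document integrity": the image is a byte-for-byte copy, and the hash recorded at acquisition time is what later proves the copy was never altered. The following is an added example written for this module, not code from FTK Imager or AccessData; the function names, the in-memory buffers standing in for a drive and an image file, and the use of SHA-256 alongside the MD5 the slide mentions are all assumptions made for the demonstration.

```python
from __future__ import annotations

import hashlib
import io
from typing import BinaryIO


def acquire(source: BinaryIO, image: BinaryIO, chunk_size: int = 1 << 20) -> dict:
    """Copy source to image as a byte stream, hashing every byte in transit.

    The returned record (size plus MD5 and SHA-256) is what the examiner
    writes into the acquisition notes. MD5 alone matches the slide; SHA-256
    is added because MD5 collisions are practical today, so a second,
    independent digest makes the integrity claim much stronger.
    """
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    total = 0
    while chunk := source.read(chunk_size):
        image.write(chunk)
        md5.update(chunk)
        sha256.update(chunk)
        total += len(chunk)
    image.flush()
    return {"bytes": total, "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def hash_stream(stream: BinaryIO, chunk_size: int = 1 << 20) -> dict:
    """Re-hash an existing image from the start, for verification."""
    stream.seek(0)
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    total = 0
    while chunk := stream.read(chunk_size):
        md5.update(chunk)
        sha256.update(chunk)
        total += len(chunk)
    return {"bytes": total, "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def verify(image: BinaryIO, record: dict) -> bool:
    """True only if size and both digests match the acquisition record."""
    return hash_stream(image) == record


# Convenience wrappers over in-memory buffers so the example runs offline;
# on a real case the source is a write-blocked device and the image a file.
def acquire_bytes(data: bytes) -> tuple[bytes, dict]:
    image = io.BytesIO()
    record = acquire(io.BytesIO(data), image)
    return image.getvalue(), record


def verify_bytes(image: bytes, record: dict) -> bool:
    return verify(io.BytesIO(image), record)


if __name__ == "__main__":
    # Constructed "drive": a zeroed region followed by repeated sector data.
    evidence = b"\x00" * 512 + b"sector-data" * 100
    image, record = acquire_bytes(evidence)
    print(record)
    print("verified:", verify_bytes(image, record))
    # A single flipped bit in the copy is detected by re-verification.
    tampered = bytearray(image)
    tampered[700] ^= 0x01
    print("tampered verifies:", verify_bytes(bytes(tampered), record))
```

Hashing during the copy rather than afterwards means the digest describes exactly the bytes that were read from the source; re-hashing the written image and comparing both records is the check an examiner repeats before analysis and again before reporting.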
EnCase
EnCase is traditionally used in forensics to recover evidence from seized hard drives. It allows the investigator to conduct in-depth analysis of user files to collect evidence such as documents, pictures, internet history and Windows Registry information.

• Retrieves evidence from handheld devices
• Forensic, eDiscovery, and security investigation
• Conducts top-to-bottom records investigation
• Automatic data collection and recording for Android devices
• Contains different viewing perspectives of information
• Ability to acquire data from other devices while maintaining the integrity of all evidence
• User friendly; built-in reporting functionalities
• Built-in encryption support
WinHex
WinHex is a hexadecimal editor for the Windows operating system. It is used for forensics, data recovery, low-level data processing, and IT security. It allows the user to view files in hexadecimal format.

• Examine any level of digital evidence
• Verify results of other tools
• Create forensic images of stored data
• Interprets the correct date/time of system files
• Calculates MD5 hash values
• Recovers deleted files
• Effective on NTFS, FAT, and Linux ext2/ext3 file systems
• Useful in learning about file partition and file data structure
• Enables low-level data analysis
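Two of the WinHex features above, viewing data in hexadecimal and interpreting the date/time of system files, are worth seeing in code because they show why a hex editor is useful for verifying other tools: the bytes are shown as they are, and a timestamp is just eight of those bytes read under a known convention. The following is an added example written for this module, not code from WinHex or X-Ways; it decodes the Windows FILETIME format (100-nanosecond ticks since 1601-01-01 UTC, stored little-endian) as used by NTFS, and the dump format, function names and constructed sample record are assumptions made for the demonstration.

```python
from __future__ import annotations

import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC,
# stored little-endian as 64 bits in NTFS timestamps and many registry values.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def hexdump(data: bytes, width: int = 16) -> list[str]:
    """Classic hex-editor view: offset, hex bytes, printable ASCII column."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk)
        ascii_part = "".join(chr(b) if 0x20 <= b < 0x7f else "." for b in chunk)
        lines.append(f"{off:08x}  {hex_part:<{width * 3 - 1}}  |{ascii_part}|")
    return lines


def filetime_to_datetime(ticks: int) -> datetime:
    """Interpret a raw FILETIME tick count as a UTC timestamp.

    Dividing by 10 turns 100-ns ticks into microseconds, the finest
    resolution Python's datetime carries.
    """
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def read_filetime_le(data: bytes, offset: int) -> int:
    """Read the 8 little-endian bytes at offset as a FILETIME tick count."""
    return struct.unpack_from("<Q", data, offset)[0]


def build_sample_record() -> bytes:
    """Constructed record: an 8-byte tag followed by a FILETIME for
    2000-01-01 00:00:00 UTC. Not taken from any real file system."""
    return b"MFTREC\x00\x00" + struct.pack("<Q", 125911584000000000)


def interpret_sample() -> str:
    """Locate the timestamp at offset 8 of the sample and render it."""
    rec = build_sample_record()
    return filetime_to_datetime(read_filetime_le(rec, 8)).isoformat()


if __name__ == "__main__":
    rec = build_sample_record()
    print("\n".join(hexdump(rec)))
    print("timestamp at offset 8:", interpret_sample())
```

The same eight bytes read big-endian, or as a Unix epoch, give a wildly different date; cross-checking a tool's timeline against the raw bytes in the hex view is exactly the "verify results of other tools" use the slide lists.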
X-Ways Forensics
X-Ways is an advanced platform used in digital forensic investigations that runs on all available Windows versions.
• Commercial computer forensic asset
• Incorporates 22 languages
• New file container format, widely compatible
• Extensive list of functionalities
• Access to disks and RAIDs over 2 TB
• Analyze remote computers
• Customizable evidence processing options
• Portable; continually checks for updates
• Complex user interface
Oxygen Forensic Suite
Oxygen Forensic Suite is a software forensic tool primarily focused on extracting evidence from mobile phones and other mobile devices to support a digital forensic investigation.

• Commercial computer forensic asset
• New file container format, widely compatible
• Incorporates 22 languages
• Access to disks and RAIDs over 2 TB
• Analyze remote computers
• Customizable evidence processing options
• Portable; continually checks for updates
• Extensive list of functionalities
• Complex user interface