
Guide to Computer Forensics and Investigations, Sixth Edition 6-1

Chapter 6
Current Digital Forensics Tools

At a Glance

Instructor’s Manual Table of Contents


• Overview
• Objectives
• Teaching Tips
• Quick Quizzes
• Class Discussion Topics
• Additional Projects
• Additional Resources
• Key Terms

© 2019 Cengage Learning. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part, except for
use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for school-approved
learning management system or classroom use.

Lecture Notes

Overview
Chapter 6 explains how to evaluate needs for digital forensics tools. Students will first
review several available digital forensics tools. Chapter 6 also lists some considerations
for digital forensics hardware tools. Finally, students will learn various methods for
validating and testing these tools.

Chapter Objectives
• Explain how to evaluate needs for digital forensics tools
• Describe available digital forensics software tools
• List some considerations for digital forensics hardware tools
• Describe methods for validating and testing digital forensics tools

Teaching Tips
Evaluating Digital Forensics Tool Needs

1. Explain that you should look for software that is versatile, flexible, and robust. Suggest
open-source tools as an option, and explain that the goal is to find the best value for as
many features as possible.

2. Present to your class a list of some characteristics they should consider when buying
forensic software. The list should include:
a. OS support
b. Versatility
c. Supported file systems
d. Script capabilities
e. Automated features
f. Vendor’s reputation

Teaching Tip: Mention that you should read as much information as you can about the product
and look out for comparisons with similar tools.

Types of Digital Forensics Tools

1. Illustrate the two major categories of forensic tools:


a. Hardware
i. Simple single-purpose components
ii. Complete computer systems and servers


b. Software
i. Command-line
ii. GUI

Tasks Performed by Digital Forensics Tools

1. Point out that when testing new tools, following guidelines set up by NIST’s Computer
Forensics Tool Testing (CFTT) and ISO standards may be helpful. Explain that ISO
standard 27037 states that Digital Evidence First Responders (DEFRs) should use
validated tools.

2. Explain that digital forensics tool functions are divided into the following five major
categories:
a. Acquisition
b. Validation and verification
c. Extraction
d. Reconstruction
e. Reporting

3. Define acquisition as the task of making a copy of the original drive.

4. Describe the acquisition subfunctions, including:
a. Physical data copy
b. Logical data copy
c. Data acquisition format
d. Command-line acquisition
e. GUI acquisition
f. Remote, live, and memory acquisitions

5. Explain that there are two types of data-copying methods used in software acquisitions:
physical copying of the entire drive and logical copying of a disk partition.

6. Explain that the formats for disk acquisitions vary from raw data to vendor-specific
proprietary data. You can view the contents of a raw image file with any hexadecimal
editor. Use Figure 6-1 to illustrate your explanation.

7. Mention that creating smaller segmented files is a typical feature in vendor acquisition
tools.

8. Define validation as confirming that a tool is functioning as intended. Verification
involves proving that two sets of data are identical by calculating hash values or using
another similar method.
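Items 6 through 8 can be shown end to end with the following added example. It is not code from the textbook or its publisher; it writes a constructed in-memory "drive" into numbered raw segments, hashes the source bytes as they are read, reassembles the segments, and verifies the resulting image by comparing hashes. The segment naming scheme (evidence.001, evidence.002, ...), the sample drive contents, and the hex-editor style line are all assumptions made for this example.

```python
import hashlib
import io

# Constructed sample "suspect drive": 10,000 bytes of deterministic filler standing in
# for a block device. A real acquisition reads the device through a write-blocker.
SAMPLE_DRIVE = bytes((i * 7919 + 13) % 256 for i in range(10_000))


def acquire_segmented(source: bytes, segment_size: int, algo: str = "sha256"):
    """Copy the source stream into fixed-size raw segments (evidence.001, .002, ...),
    hashing the original bytes as they are read. Returns (segments, source digest).
    The segment naming scheme is an assumption for this example."""
    digest = hashlib.new(algo)
    segments = {}
    stream = io.BytesIO(source)
    index = 1
    while True:
        chunk = stream.read(segment_size)
        if not chunk:
            break
        digest.update(chunk)
        segments[f"evidence.{index:03d}"] = chunk
        index += 1
    return segments, digest.hexdigest()


def reassemble(segments: dict) -> bytes:
    """Join segments in order; zero-padded names sort correctly as strings."""
    return b"".join(segments[name] for name in sorted(segments))


def verify(source_digest: str, image: bytes, algo: str = "sha256") -> bool:
    """Verification: accept the image only if its hash equals the hash of the source."""
    return hashlib.new(algo, image).hexdigest() == source_digest


def hex_line(data: bytes, offset: int = 0, width: int = 16) -> str:
    """One line in the layout a hex editor shows: offset, hex bytes, printable ASCII."""
    row = data[offset:offset + width]
    hex_part = " ".join(f"{b:02x}" for b in row)
    ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in row)
    return f"{offset:08x}  {hex_part:<{width * 3 - 1}}  {ascii_part}"


def demo():
    """Acquire, reassemble and verify; then corrupt one segment to show the check failing."""
    segments, source_hash = acquire_segmented(SAMPLE_DRIVE, segment_size=4096)
    image = reassemble(segments)
    intact = verify(source_hash, image)

    damaged = dict(segments)
    first = bytearray(damaged["evidence.001"])
    first[0] ^= 0x01                      # flip one bit in the first segment
    damaged["evidence.001"] = bytes(first)
    damaged_ok = verify(source_hash, reassemble(damaged))
    return len(segments), intact, damaged_ok


if __name__ == "__main__":
    count, intact, damaged_ok = demo()
    print(f"segments written: {count}")
    print(f"intact image verifies: {intact}")
    print(f"damaged image verifies: {damaged_ok}")
    print(hex_line(SAMPLE_DRIVE))
```

The point for students is in demo(): a single flipped bit in one segment changes the hash of the reassembled image, so the verification step rejects it even though every segment file still exists and the operating system reports no error.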

9. Illustrate the major subfunctions for data validation and verification, including:
a. Hashing
b. Filtering
c. Analyzing file headers

10. Mention that the National Software Reference Library (NSRL) has compiled a list of
known file hashes for a variety of OSs, applications, and images. Use Figure 6-2 to
illustrate your explanation.

11. Explain that many digital forensics programs include a list of common header values.
With this information, you can see whether a file extension is incorrect for the file type.
Use Figures 6-3 through 6-5 to illustrate your explanation.

12. Mention that most forensics tools can identify header values.

13. Explain that extraction represents the recovery task in a digital investigation. It is the
most challenging of all tasks to master. Recovering data is the first step in analyzing an
investigation’s data.

14. Describe the subfunctions of the extraction phase, including:
a. Data viewing
b. Keyword searching
c. Decompressing or uncompressing
d. Carving
e. Decrypting
f. Bookmarking or tagging
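Items 11 and 12 (checking a file's header against its extension) and the carving subfunction in item 14 can be demonstrated with the following added example, which is not code from the textbook or its publisher. The signature table lists the published magic bytes for a few common formats but is assembled here and is not exhaustive; the sample files and the block of "unallocated space" are constructed byte strings that carry valid markers without being real images.

```python
# Header (magic byte) table. The signatures are the published ones for these formats;
# the table itself is assembled for this example and is not exhaustive.
SIGNATURES = {
    "jpg": b"\xFF\xD8\xFF",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",
}
EXTENSION_ALIASES = {"jpeg": "jpg", "jpe": "jpg"}

JPEG_SOI = b"\xFF\xD8\xFF"   # start-of-image marker
JPEG_EOI = b"\xFF\xD9"       # end-of-image marker


def identify_by_header(data: bytes):
    """Return the type implied by the file's leading bytes, or None if no signature matches."""
    for ext, magic in SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None


def check_extension(filename: str, data: bytes):
    """Compare the extension a file claims with the type its header reveals.
    Returns (claimed, detected, mismatch)."""
    claimed = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXTENSION_ALIASES.get(claimed, claimed)
    detected = identify_by_header(data)
    mismatch = detected is not None and claimed != detected
    return claimed, detected, mismatch


def carve_jpegs(raw: bytes, max_size: int = 10_000_000):
    """Header/footer carving: find each SOI marker and the next EOI marker after it.
    Returns a list of (offset, bytes). Fragmented files are not handled."""
    found = []
    pos = 0
    while True:
        start = raw.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = raw.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0:
            break
        end += len(JPEG_EOI)
        if end - start <= max_size:
            found.append((start, raw[start:end]))
        pos = end
    return found


# Constructed sample data: minimal byte strings with valid markers, not real images.
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
FAKE_JPEG_A = b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00" + b"A" * 40 + b"\xFF\xD9"
FAKE_JPEG_B = b"\xFF\xD8\xFF\xE1" + b"B" * 20 + b"\xFF\xD9"
UNALLOCATED = b"\x00" * 100 + FAKE_JPEG_A + b"\x00" * 57 + FAKE_JPEG_B + b"\xFF" * 30

SAMPLE_FILES = {
    "photo.jpg": FAKE_PNG,           # renamed: the header says PNG
    "scan.jpeg": FAKE_JPEG_A,        # alias extension, header agrees
    "report.pdf": b"%PDF-1.4\n" + b"%" * 16,
    "notes.txt": b"plain text has no signature in this table",
}


def demo():
    mismatches = {name: check_extension(name, data) for name, data in SAMPLE_FILES.items()}
    carved = carve_jpegs(UNALLOCATED)
    return mismatches, carved


if __name__ == "__main__":
    mismatches, carved = demo()
    for name, (claimed, detected, bad) in mismatches.items():
        print(f"{name:12s} claims {claimed!r:8} header says {detected!r:8} mismatch={bad}")
    for offset, blob in carved:
        print(f"carved JPEG at offset {offset}, {len(blob)} bytes")
```

Two caveats worth raising in class: a file with no entry in the table (notes.txt above) is reported as "unknown", not as a mismatch, and the carver only recovers files whose header and footer are contiguous, which is why commercial tools add file-system metadata and format-aware parsing on top of simple marker scanning.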

15. Explain that from an investigation perspective, encrypted files and systems are a
problem. Many password recovery tools have a feature for generating potential
password lists for a password dictionary attack. If a password dictionary attack fails,
you can run a brute-force attack on the encrypted file.

Teaching Tip: For more information about dictionary attacks, visit:
http://searchsecurity.techtarget.com/definition/dictionary-attack

16. Define reconstruction as the task of re-creating a suspect drive to show what happened
during a crime or an incident.

17. Explain to your students several techniques you can use to re-create a suspect’s disk
drive. You should include:
a. Disk-to-disk copy
b. Partition-to-partition copy
c. Image-to-disk copy
d. Image-to-partition copy
e. Disk-to-image copy
f. Rebuilding files from data runs and carving

18. Explain that to complete a forensics disk analysis and examination, you need to create a
report.

19. Describe how to use forensic tools' logging and report generation capabilities to produce
a final report of your forensics investigation.

20. Mention that newer forensics tools can produce electronic reports in a variety of
formats. Discuss the subfunctions of the reporting function, including:
a. Bookmarking or tagging
b. Log reports
c. Timelines
d. Report generator

Tool Comparisons

1. Use Table 6-1 to compare the functions of various forensics tools.

Other Considerations for Tools

1. Explain some additional considerations for your forensic tools when planning your
lab, such as flexibility, reliability, and expandability.

2. Mention the need to keep a library with older versions of your tools as a backward
compatibility measure.

Quick Quiz 1
1. ____, the first task in digital forensics investigations, involves making a copy of the
original drive.
Answer: Acquisition

2. Verification proves that two sets of data are identical by calculating _____ or using
another similar method.
Answer: hash values

3. The ____ function is the recovery task in a computing investigation and is the most
challenging of all tasks to master.
Answer: extraction

4. Many password recovery tools have a feature for generating potential password lists for
a(n) ____ attack.
Answer: password dictionary

5. The purpose of having a(n) ____ function in a forensics tool is to re-create a suspect
drive to show what happened during a crime or an incident.
Answer: reconstruction

Digital Forensics Software Tools

1. The following sections explore some options for command-line and GUI tools in both
Windows and Linux.

Command-Line Forensics Tools

1. Mention that the first tools that analyzed and extracted data from floppy disks and hard
disks were MS-DOS tools for IBM PC file systems. Norton DiskEdit was one of the
first MS-DOS tools used for computer investigations.

2. Explain that one advantage of command-line tools is that they require few system
resources because they’re designed to run in minimal configurations.

3. Point out that some command-line forensics tools are created specifically for Windows CLI
platforms. There are others for macOS and Linux.

Linux Forensic Tools

1. Mention that UNIX has been mostly replaced by Linux, which is gaining popularity due
to cost and GUI features. Some of the Linux forensics tools are SMART, Helix 3, Kali
Linux, Autopsy with Sleuth Kit, and Forcepoint Threat Protection.

2. Explain that SMART was designed to be installed on numerous Linux versions. You
can analyze a variety of file systems with SMART. A number of plug-in utilities are
included with SMART.

3. Mention that another useful option in SMART is its hex viewer.

Teaching Tip: Mention that you can learn more about the SMART Linux live CD at
http://www.asrdata.com/forensic-software/smart-linux/

4. Explain that Helix is one of the easiest suites to begin with. You can load it on a live
Windows system, or it loads as a bootable Linux OS from a cold boot.

Teaching Tip: Emphasize that a live acquisition has not been accepted as a valid forensics
practice by some international courts.

5. Mention that Kali Linux was formerly known as BackTrack. Explain that it includes a
variety of tools and has an easy-to-use KDE interface.

6. Explain that Sleuth Kit is a Linux forensics tool, and Autopsy was the browser interface
used to access Sleuth Kit’s tools.

7. Explain that Forcepoint Threat Protection, formerly known as Second Look, is a Linux
memory analysis tool that was developed under a grant from the Air Force Research
Lab for Pikewerks Corporation. It was designed to do both onsite and remote
(enterprise) memory acquisition to determine whether malware is present.

Other GUI Forensic Tools

1. Explain that GUI forensics tools simplify digital forensics investigations and help
train beginning investigators. Most of them come in suites of tools.

2. Describe the advantages of using GUI forensic tools, including:
a. Ease of use
b. Multitasking
c. No need for learning older OSs

3. Describe the disadvantages of using GUI forensic tools, including:
a. Excessive resource requirements
b. Produce inconsistent results
c. Create tool dependencies

Teaching Tip: GUI forensic tools are no different from other GUI tools when compared with
their equivalent command-line utilities.

Digital Forensics Hardware Tools

1. Emphasize the fact that hardware will eventually fail, so you need to carefully plan for
equipment replacement. Costs you should consider when planning your budget include
failures, maintenance fees, and anticipated replacements.

Forensic Workstations

1. Start by describing the types of workstations you can find, including:
a. Stationary
b. Portable
c. Lightweight

2. Mention that you need to balance what you need and what your system can handle.

3. Explain the differences in planning the hardware for a digital forensics lab for a police
agency and for a private corporation lab. Clearly the requirements are going to be
different. Private labs need to deal with fewer options than police labs.

4. Mention that building your own workstation is not as difficult as it sounds.

5. Describe the advantages of building your own forensic workstation, including:
a. Customized to your needs
b. Save money

6. Describe the disadvantages of building your own forensic workstation, including:
a. Hard to find support for problems
b. Can become expensive if careless

7. Explain that, as an alternative, you can buy a forensic workstation from a vendor, such as
F.R.E.D. units. Having vendor support can save you time and frustration when you have
problems.

8. Mention that you can always mix and match components to get the capabilities you
need for your forensic workstation.

Using a Write-Blocker

1. Explain that a write-blocker prevents data writes to a hard disk.

2. Explain that software write-blockers typically run in a shell mode. Hardware options
are ideal for GUI forensic tools. They act as a bridge between the suspect drive and the
forensic workstation.

3. Mention that when you use a write-blocker, you can navigate to the blocked drive with
any application, but you cannot write to the drive. A write-blocker discards the written
data. However, for the OS, the data copy is successful.

4. Describe some of the connecting technologies used by write-blockers, including:
a. FireWire
b. USB 2.0 and 3.0
c. SATA, PATA, and SCSI controllers

Recommendations for a Forensic Workstation

1. Mention that you should determine where your data acquisitions will take place.

2. Describe some of the recommendations for a forensic workstation, including:
a. Data acquisition techniques, such as USB 3.0 and FireWire
b. Expansion devices requirements
c. As much memory and processing power as budget allows
d. Power supply with battery backup
e. Extra power and data cables
f. A SCSI controller card
g. External FireWire and USB ports
h. Assortment of drive adapter bridges
i. Ergonomic keyboard and mouse
j. A good video card with at least a 17-inch monitor
k. High-end video card and monitor

3. Mention that if you have a limited budget, one option for outfitting your lab is to use
high-end game PCs.

Validating and Testing Forensic Software

1. Explain to your students the importance of preserving the integrity of your evidence,
especially if it is admitted to court.

Using National Institute of Standards and Technology (NIST) Tools

1. Mention that NIST's CFTT project manages research on digital forensics tools.

2. Explain that NIST has created criteria for testing digital forensics tools based on
standard testing methods and on the ISO 17025 criteria for testing items that have no
current standards.

3. Mention that your lab must meet the following criteria and keep accurate records so
that when new software and hardware become available, testing standards are in place
for your lab:
a. Establish categories for digital forensics tools
b. Identify digital forensics category requirements
c. Develop test assertions
d. Identify test cases
e. Establish a test method
f. Report test results

4. Explain that the National Software Reference Library (NSRL) project collects all
known hash values for commercial software applications and OS files. It uses SHA-1
to generate a known set of digital signatures called the Reference Data Set (RDS).

5. Explain that the RDS can be used to filter known information. You can also use the RDS
to locate and identify known bad files.
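Items 4 and 5 (and item 10 under Tasks Performed by Digital Forensics Tools) can be demonstrated with the following added example, which is not code from the textbook, its publisher, or NIST. It renders a few constructed files in the column layout of the legacy RDS text file (the column names are an assumption made for this example; the hashes are computed from the constructed contents and are not real NSRL entries), parses that text back into a SHA-1 set, and uses one "known good" set and one "known bad" set to triage files recovered from a constructed evidence image.

```python
import csv
import hashlib
import io
import zlib

# Constructed "known good" files standing in for entries the NSRL would have collected.
KNOWN_GOOD = {
    "notepad.exe": b"constructed contents of a known OS binary",
    "kernel32.dll": b"constructed contents of a known system library",
}
# Constructed "known bad" files (e.g. from an internal malware hash set).
KNOWN_BAD = {
    "dropper.exe": b"constructed contents of a known malicious dropper",
}

# Column layout of the legacy RDS text file; assumed for this example.
RDS_COLUMNS = ["SHA-1", "MD5", "CRC32", "FileName", "FileSize",
               "ProductCode", "OpSystemCode", "SpecialCode"]


def build_rds_excerpt(files: dict) -> str:
    """Render files as RDS-style quoted CSV; hashes are computed here from the contents."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(RDS_COLUMNS)
    for name, data in files.items():
        writer.writerow([
            hashlib.sha1(data).hexdigest().upper(),
            hashlib.md5(data).hexdigest().upper(),
            f"{zlib.crc32(data) & 0xFFFFFFFF:08X}",
            name, len(data), "0", "0", "",
        ])
    return buf.getvalue()


def load_sha1_set(rds_text: str) -> set:
    """Parse an RDS-style file into the set of SHA-1 values it lists."""
    reader = csv.DictReader(io.StringIO(rds_text))
    return {row["SHA-1"].upper() for row in reader}


def triage(evidence: dict, known_good: set, known_bad: set):
    """Sort files from an evidence image by SHA-1: known good (filter out),
    known bad (flag), or unknown (needs review). Matching is by content, not name."""
    good, bad, unknown = [], [], []
    for path, data in evidence.items():
        digest = hashlib.sha1(data).hexdigest().upper()
        if digest in known_bad:
            bad.append(path)
        elif digest in known_good:
            good.append(path)
        else:
            unknown.append(path)
    return sorted(good), sorted(bad), sorted(unknown)


# Constructed files recovered from an evidence image.
EVIDENCE = {
    "Windows/notepad.exe": KNOWN_GOOD["notepad.exe"],             # unchanged OS file
    "Windows/kernel32.dll": KNOWN_GOOD["kernel32.dll"] + b"X",    # one extra byte: modified
    "Temp/svchost.exe": KNOWN_BAD["dropper.exe"],                 # renamed known bad file
    "Users/suspect/notes.txt": b"meeting at noon",
}


def demo():
    good_set = load_sha1_set(build_rds_excerpt(KNOWN_GOOD))
    bad_set = load_sha1_set(build_rds_excerpt(KNOWN_BAD))
    return triage(EVIDENCE, good_set, bad_set)


if __name__ == "__main__":
    good, bad, unknown = demo()
    print("known good (filtered out):", good)
    print("known bad (flagged):      ", bad)
    print("unknown (review):         ", unknown)
```

Two results are worth pointing out to students: the renamed dropper is still flagged because matching is by hash rather than by file name, and the system library with a single extra byte drops out of the known-good set and lands in the review pile, which is exactly the behaviour you want from a known-file filter.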

Using Validation Protocols

1. Explain the importance of verifying your results. For that, you must use at least two
different tools. One tool is for retrieving and examining your evidence and the other
tool is for verifying the results.

2. Explain that one way to compare results and verify a new tool is by using a disk editor,
such as Hex Workshop or WinHex. Disk editors do not have a flashy interface, but are
reliable tools and can be used to access raw data.

3. Describe the steps involved in the digital forensics examination protocol, including:
a. Conduct the investigation with a GUI tool
b. Verify your results with a disk editor
c. Compare hash values obtained with both tools

4. Describe the steps involved in the digital forensics tool upgrade protocol, including:
a. Test new releases, OS patches, and upgrades
b. If you find a problem, report it to your forensics tool vendor. Do not use the
forensics tool until the problem has been fixed
c. Use a test hard disk for validation purposes
d. Check the Web for new editions, updates, patches, and validation tests for your
tools

Quick Quiz 2
1. The first tools that analyzed and extracted data from floppy disks and hard disks were
____ tools for IBM PC file systems.
Answer: MS-DOS

2. A useful option in SMART is the _____, which color-codes hex values to make it easier
to see where a file begins and ends.
Answer: hex viewer

3. A forensic workstation that is usually a laptop computer built into a carrying case with a
small selection of peripheral options is known as a _____ workstation.
Answer: lightweight

4. ____ are used to protect evidence disks by preventing data from being written to them.
Answer: Write-blockers

5. NIST created the ____ project with the goal of collecting all known hash values for
commercial software and OS files.
Answer: National Software Reference Library (NSRL) (also accept: National Software Reference Library; NSRL)

Class Discussion Topics
1. Ask students to compare write-blockers, both hardware- and software-based. Discuss
the major advantages and disadvantages. The discussion should include topics such as
price and performance.

2. Ask students to discuss the advantages and disadvantages of using ISO standards for
testing and validation purposes. The discussion should be oriented toward, but not limited
to, ISO standards. Any other standard definition can be used.

Additional Projects
1. Ask students to analyze the content of a Microsoft Outlook PST file. Can they read its
contents?

2. Ask students to investigate the major characteristics of USB 2.0/3.0 and FireWire ports.

Additional Resources
1. Brute force attack:
http://www.computerhope.com/jargon/b/brutforc.htm

2. The Sleuth Kit & Autopsy:
www.sleuthkit.org/

3. Kali Linux:
http://www.kali.org/

4. Hash algorithms Web sites:
a. RFC 3174 – US Secure Hash Algorithm 1 (SHA1), www.faqs.org/rfcs/rfc3174.html
b. SHA1 version 1.0, www.w3.org/PICS/DSig/SHA1_1_0.html
c. Security of the SHA family of Hash Functions,
https://www.schneier.com/blog/archives/2014/09/security_of_the.html

Key Terms
• acquisition — The process of creating a duplicate image of data; one of the five
required functions of digital forensics tools.
• brute-force attack — The process of trying every combination of characters—letters,
numbers, and special characters typically found on a keyboard—to find a matching
password or passphrase value for an encrypted file.
• Computer Forensics Tool Testing (CFTT) — A project sponsored by the National
Institute of Standards and Technology to manage research on digital forensics tools.
• extraction — The process of pulling relevant data from an image and recovering or
reconstructing data fragments; one of the five required functions of digital forensics
tools.
• keyword search — A method of finding files or other information by entering relevant
characters, words, or phrases in a search tool.
• National Software Reference Library (NSRL) — A NIST project with the goal of
collecting all known hash values for commercial software and OS files.
• password dictionary attack — An attack that uses a collection of words or phrases
that might be passwords for an encrypted file. Password recovery programs can use a
password dictionary to compare potential passwords to an encrypted file’s password or
passphrase hash values.
• reconstruction — The process of rebuilding data files; one of the required functions of
digital forensics tools.
• validation — A way to confirm that a tool is functioning as intended; one of the
required functions of digital forensics tools.
• verification — The process of proving that two sets of data are identical by calculating
hash values or using another similar method.
• write-blocker — A hardware device or software program that prevents a computer
from writing data to an evidence drive.
