Chapter 6
Current Digital Forensics Tools
At a Glance
Objectives
Teaching Tips
Quick Quizzes
Additional Projects
Additional Resources
Key Terms
© 2019 Cengage Learning. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part, except for
use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for school-approved
learning management system or classroom use.
Guide to Computer Forensics and Investigations, Sixth Edition 6-2
Lecture Notes
Overview
Chapter 6 explains how to evaluate needs for digital forensics tools. Students will first
review several available digital forensics tools. Chapter 6 also lists some considerations
for digital forensics hardware tools. Finally, students will learn various methods for
validating and testing these tools.
Chapter Objectives
Explain how to evaluate needs for digital forensics tools
Describe available digital forensics software tools
List some considerations for digital forensics hardware tools
Describe methods for validating and testing digital forensics tools
Teaching Tips
Evaluating Digital Forensics Tool Needs
1. Explain that you should look for software that is versatile, flexible, and robust. Suggest
open-source tools as an option and that the goal is to find the best value for as many
features as possible.
2. Present to your class a list of some characteristics they should consider when buying
forensic software. The list should include:
a. OS support
b. Versatility
c. Supported file systems
d. Script capabilities
e. Automated features
f. Vendor’s reputation
Teaching Tip: Mention that you should read as much information as you can about the product and look out for comparisons with similar tools.
1. Point out that when testing new tools, following guidelines set up by NIST’s Computer
Forensics Tool Testing (CFTT) and ISO standards may be helpful. Explain that ISO
standard 27037 states that Digital Evidence First Responders (DEFRs) should use
validated tools.
2. Explain that digital forensics tool functions are divided into the following five major
categories:
a. Acquisition
b. Validation and verification
c. Extraction
d. Reconstruction
e. Reporting
5. Explain that there are two types of data-copying methods used in software acquisitions:
physical copying of the entire drive and logical copying of a disk partition.
6. Explain that the formats for disk acquisitions vary from raw data to vendor-specific
proprietary data. You can view the contents of a raw image file with any hexadecimal
editor. Use Figure 6-1 to illustrate your explanation.
7. Mention that creating smaller segmented files is a typical feature in vendor acquisition
tools.
9. Illustrate the major subfunctions for data validation and verification, including:
a. Hashing
b. Filtering
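The segmented physical acquisition of items 5 through 7 and the hashing subfunction of item 9, as an added Python example (not code from the textbook or this instructor's manual); the drive contents and the 4 KiB segment size are constructed stand-ins:

```python
import hashlib
import io
from typing import List, Tuple

# Constructed stand-in for a small suspect drive (10 KiB of patterned bytes);
# a real physical acquisition reads the whole block device, not a buffer.
SUSPECT_DRIVE = bytes((i * 7) % 256 for i in range(10 * 1024))
SEGMENT_SIZE = 4096  # hypothetical segment size; vendor tools use far larger segments

def acquire_segmented(drive: bytes, segment_size: int) -> Tuple[List[bytes], List[str], str]:
    """Physical (byte-for-byte) copy of the drive into fixed-size segment files.
    Returns the segments, a SHA-256 per segment, and the SHA-256 of the entire
    drive as it was read (the acquisition hash recorded in the case notes)."""
    whole = hashlib.sha256()
    segments: List[bytes] = []
    segment_hashes: List[str] = []
    src = io.BytesIO(drive)
    while True:
        chunk = src.read(segment_size)
        if not chunk:
            break
        whole.update(chunk)
        segments.append(chunk)
        segment_hashes.append(hashlib.sha256(chunk).hexdigest())
    return segments, segment_hashes, whole.hexdigest()

def verify_segments(segments: List[bytes], segment_hashes: List[str],
                    acquisition_hash: str) -> bool:
    """Verification: every segment still matches its recorded hash, and the
    reassembled image matches the hash taken at acquisition time."""
    if len(segments) != len(segment_hashes):
        return False
    for chunk, expected in zip(segments, segment_hashes):
        if hashlib.sha256(chunk).hexdigest() != expected:
            return False
    reassembled = hashlib.sha256()
    for chunk in segments:
        reassembled.update(chunk)
    return reassembled.hexdigest() == acquisition_hash

def tamper(segments: List[bytes], index: int, offset: int) -> List[bytes]:
    """Flip one byte in one segment, simulating a corrupted or altered segment file."""
    altered = bytearray(segments[index])
    altered[offset] ^= 0xFF
    copy = list(segments)
    copy[index] = bytes(altered)
    return copy

if __name__ == "__main__":
    segs, hashes, acq_hash = acquire_segmented(SUSPECT_DRIVE, SEGMENT_SIZE)
    print(f"{len(segs)} segments, acquisition hash {acq_hash[:16]}...")
    print("intact image verifies:", verify_segments(segs, hashes, acq_hash))
    print("tampered image verifies:", verify_segments(tamper(segs, 1, 10), hashes, acq_hash))
```

Note that the acquisition hash does not depend on the segment size: hashing the drive as one segment gives the same value, which is what lets a segmented image be verified against a hash taken with a different tool.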
10. Mention that National Software Reference Library (NSRL) has compiled a list of
known file hashes for a variety of OSs, applications, and images. Use Figure 6-2 to
illustrate your explanation.
11. Explain that many digital forensics programs include a list of common header values.
With this information, you can see whether a file extension is incorrect for the file type.
Use Figures 6-3 through 6-5 to illustrate your explanation.
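The header-value check of items 11 and 12, as an added Python example (not code from the textbook or this manual); the signature table is a small constructed subset of what forensics tools ship with, and the sample files are constructed byte strings:

```python
import os
from typing import Dict, List, Set

# Constructed table of common header values (file signatures), a small subset of
# the lists that forensics tools ship with. All of these sit at offset 0; formats
# whose signature lives elsewhere (ISO 9660's "CD001" at 0x8001) would need an offset column.
KNOWN_HEADERS: Dict[str, List[bytes]] = {
    "jpg":  [b"\xFF\xD8\xFF"],
    "jpeg": [b"\xFF\xD8\xFF"],
    "png":  [b"\x89PNG\r\n\x1a\n"],
    "gif":  [b"GIF87a", b"GIF89a"],
    "pdf":  [b"%PDF-"],
    "zip":  [b"PK\x03\x04"],
    "docx": [b"PK\x03\x04"],  # Office Open XML documents are ZIP containers
    "exe":  [b"MZ"],
}

def identify_by_header(data: bytes) -> Set[str]:
    """Return every extension whose signature matches the leading bytes of the file."""
    return {ext for ext, sigs in KNOWN_HEADERS.items()
            if any(data.startswith(sig) for sig in sigs)}

def check_extension(name: str, data: bytes) -> str:
    """Compare the extension a file claims with what its header value says it is."""
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    matches = identify_by_header(data)
    if not matches:
        return "unknown header"
    if ext in matches:
        return "ok"
    return f"mismatch: .{ext} extension but header matches {sorted(matches)}"

# Constructed sample files: name -> first bytes (real work reads them from the image).
SAMPLES = {
    "photo.jpg": b"\xFF\xD8\xFF\xE0\x00\x10JFIF",
    "notes.txt": b"\xFF\xD8\xFF\xE1\x00\x18Exif",   # a JPEG renamed to .txt
    "report.pdf": b"%PDF-1.7\n",
    "memo.docx": b"PK\x03\x04\x14\x00",
    "data.bin": b"\x00\x01\x02\x03",
}

if __name__ == "__main__":
    for name, head in SAMPLES.items():
        print(f"{name:12} {check_extension(name, head)}")
```

A header match only narrows the candidates: the ZIP signature is shared by .zip, .docx and other container formats, so an ambiguous match is a reason to open the file, not a conclusion.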
12. Mention that most forensics tools can identify header values.
13. Explain that extraction represents the recovery task in a digital investigation. It is the
most challenging of all tasks to master. Recovering data is the first step in analyzing an
investigation’s data.
15. Explain that from an investigation perspective, encrypted files and systems are a
problem. Many password recovery tools have a feature for generating potential
password lists for a password dictionary attack. If a password dictionary attack fails,
you can run a brute-force attack on the encrypted file.
16. Define reconstruction as the task of re-creating a suspect drive to show what happened
during a crime or an incident.
17. Explain to your students several techniques you can use to re-create a suspect’s disk
drive. You should include:
a. Disk-to-disk copy
b. Partition-to-partition copy
c. Image-to-disk copy
d. Image-to-partition copy
e. Disk-to-image copy
f. Rebuilding files from data runs and carving
18. Explain that to complete a forensics disk analysis and examination, you need to create a
report.
19. Describe how to use forensic tools' logging and report generation capabilities to produce
a final report of your forensics investigation.
20. Mention that newer forensics tools can produce electronic reports in a variety of
formats. Discuss the subfunctions of the reporting function, including:
a. Bookmarking or tagging
b. Log reports
c. Timelines
d. Report generator
Tool Comparisons
1. Explain some additional considerations for your forensic tools when planning for your
lab such as flexibility, reliability, and expandability.
2. Mention the need to keep a library with older versions of your tools as a backward
compatibility measure.
Quick Quiz 1
1. ____, the first task in digital forensics investigations, involves making a copy of the
original drive.
Answer: Acquisition
2. Verification proves that two sets of data are identical by calculating _____ or using
another similar method.
Answer: hash values
3. The ____ function is the recovery task in a computing investigation and is the most
challenging of all tasks to master.
Answer: extraction
4. Many password recovery tools have a feature for generating potential password lists for
a(n) ____ attack.
Answer: password dictionary
5. The purpose of having a(n) ____ function in a forensics tool is to re-create a suspect
drive to show what happened during a crime or an incident.
Answer: reconstruction
1. The following sections explore some options for command-line and GUI tools in both
Windows and Linux.
1. Mention that the first tools that analyzed and extracted data from floppy disks and hard
disks were MS-DOS tools for IBM PC file systems. Norton DiskEdit was one of the
first MS-DOS tools used for computer investigations.
2. Explain that one advantage of command-line tools is that they require few system
resources because they’re designed to run in minimal configurations.
3. Point out that some command-line forensics tools are created specifically for Windows CLI
platforms. There are others for macOS and Linux.
1. Mention that UNIX has been mostly replaced by Linux, which is gaining popularity because
of its cost and GUI features. Some of the Linux forensics tools are SMART, Helix 3, Kali
Linux, Autopsy with Sleuth Kit, and Forcepoint Threat Protection.
2. Explain that SMART was designed to be installed on numerous Linux versions. You
can analyze a variety of file systems with SMART. A number of plug-in utilities are
included with SMART.
Teaching Tip: Mention that you can learn more about the SMART Linux live CD at
http://www.asrdata.com/forensic-software/smart-linux/
4. Explain that Helix is one of the easiest suites to begin with. You can load it on a live
Windows system, and it also loads as a bootable Linux OS from a cold boot.
Teaching Tip: Emphasize that a live acquisition has not been accepted as a valid forensics
practice by some international courts.
5. Mention that Kali Linux was formerly known as BackTrack. Explain that it includes a
variety of tools and has an easy-to-use KDE interface.
6. Explain that Sleuth Kit is a Linux forensics tool, and Autopsy was the browser interface
used to access Sleuth Kit’s tools.
7. Explain that Forcepoint Threat Protection, formerly known as Second Look, is a Linux
memory analysis tool that was developed under a grant from the Air Force Research
Lab for Pikewerks Corporation. It was designed to do both onsite and remote
(enterprise) memory acquisition to determine whether malware is present.
1. Explain that GUI forensics tools simplify digital forensics investigations and help
training beginning investigators. Most of them come in suites of tools.
Teaching Tip: GUI forensic tools are no different from other GUI tools when compared with
their equivalent command-line utilities.
1. Emphasize the fact that hardware will eventually fail, so you need to carefully plan for
equipment replacement. Costs you should consider when planning your budget include
failures, maintenance fees, and anticipated replacements.
Forensic Workstations
2. Mention that you need to balance what you need and what your system can handle.
3. Explain the differences in planning the hardware for a digital forensics lab for a police
agency and for a private corporation lab. Clearly the requirements are going to be
different. Private labs need to deal with fewer options than police labs.
7. Explain that you can buy a forensic workstation from a vendor as an alternative, such as
F.R.E.D. units. Having vendor support can save you time and frustration when you have
problems.
8. Mention that you can always mix and match components to get the capabilities you
need for your forensic workstation.
Using a Write-Blocker
2. Explain that software write-blockers typically run in a shell mode. Hardware options
are ideal for GUI forensic tools. They act as a bridge between the suspect drive and the
forensic workstation.
3. Mention that when you use a write-blocker, you can navigate to the blocked drive with
any application, but you cannot write to the drive. A write-blocker discards the written
data; however, the OS still reports the write as successful.
1. Mention that you should determine where your data acquisitions will take place.
3. Mention that if you have a limited budget, one option for outfitting your lab is to use
high-end game PCs.
1. Explain to your students the importance of preserving the integrity of your evidence,
especially if it is admitted to court.
1. Mention that the NIST’s CFTT project manages research on digital forensics tools.
2. Explain that NIST has created criteria for testing digital forensics tools based on
standard testing methods and on the ISO 17025 criteria for testing items that have no
current standards.
3. Mention that your lab must meet the following criteria and keep accurate records so
that when new software and hardware become available, testing standards are in place
for your lab:
a. Establish categories for digital forensics tools
b. Identify digital forensics category requirements
c. Develop test assertions
d. Identify test cases
e. Establish a test method
f. Report test results
4. Explain that the National Software Reference Library (NSRL) project collects all
known hash values for commercial software applications and OS files. It uses SHA-1
to generate a known set of digital signatures called the Reference Data Set (RDS).
5. Explain that the RDS can be used to filter known files out of an examination. You can
also use the RDS to locate and identify known bad files.
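Known-file filtering with an RDS-style hash set, as described in items 4 and 5, as an added Python example (not code from the textbook, this manual, or NIST). The evidence files, the RDS rows and the known-bad set are constructed; the legacy NSRLFile.txt column layout used for the rows is an assumption about the format, not something this chapter specifies:

```python
import csv
import hashlib
import io
from typing import Dict, List, Set, Tuple

def sha1_hex(data: bytes) -> str:
    """NSRL's RDS is keyed on SHA-1, so that is the hash computed for every file."""
    return hashlib.sha1(data).hexdigest().upper()

# Constructed stand-ins for files recovered from an image (path -> content).
OS_BINARY = b"MZ constructed stand-in for a stock OS binary"
BAD_SAMPLE = b"MZ constructed stand-in for a known-bad executable"
EVIDENCE: Dict[str, bytes] = {
    "Windows/System32/notepad.exe": OS_BINARY,
    "Users/bob/Documents/report.docx": b"PK constructed user document",
    "Users/bob/Downloads/tool.exe": b"MZ constructed unknown binary",
    "Temp/update.exe": BAD_SAMPLE,
}

# Constructed RDS-style rows in the legacy NSRLFile.txt column layout (an assumption
# about the file format, not something this chapter specifies).
RDS_TEXT = (
    '"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"\n'
    f'"{sha1_hex(OS_BINARY)}","{hashlib.md5(OS_BINARY).hexdigest().upper()}",'
    f'"00000000","notepad.exe","{len(OS_BINARY)}","1","WIN",""\n'
)

def load_rds(text: str) -> Dict[str, str]:
    """Parse RDS rows into SHA-1 -> FileName; the keys form the known-file hash set."""
    return {row["SHA-1"]: row["FileName"] for row in csv.DictReader(io.StringIO(text))}

def triage(evidence: Dict[str, bytes], known_good: Set[str],
           known_bad: Set[str]) -> Tuple[List[str], List[str], List[str]]:
    """Filter out files whose hash is in the RDS, flag known-bad hashes, and leave
    the rest for manual review. Known-bad wins if a hash appears in both sets."""
    filtered, flagged, review = [], [], []
    for path, content in evidence.items():
        digest = sha1_hex(content)
        if digest in known_bad:
            flagged.append(path)
        elif digest in known_good:
            filtered.append(path)
        else:
            review.append(path)
    return filtered, flagged, review

KNOWN_GOOD = set(load_rds(RDS_TEXT))
KNOWN_BAD = {sha1_hex(BAD_SAMPLE)}  # constructed; a real set would come from a vetted feed

if __name__ == "__main__":
    for label, paths in zip(("known", "known-bad", "review"), triage(EVIDENCE, KNOWN_GOOD, KNOWN_BAD)):
        print(f"{label}: {paths}")
```

Filtering only removes files whose hash matches exactly: a stock binary that has been patched by one byte falls through to the review list, which is the behaviour you want.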
1. Explain the importance of verifying your results. For that, you must use at least two
different tools. One tool is for retrieving and examining your evidence and the other
tool is for verifying the results.
2. Explain that one way to compare results and verify a new tool is by using a disk editor,
such as Hex Workshop or WinHex. Disk editors do not have a flashy interface, but are
reliable tools and can be used to access raw data.
3. Describe the steps involved in the digital forensics examination protocol, including:
a. Conduct the investigation with a GUI tool
b. Verify your results with a disk editor
c. Compare hash values obtained with both tools
4. Describe the steps involved in the digital forensics tool upgrade protocol, including:
a. Test new releases, OS patches, and upgrades
b. If you find a problem, report it to your forensics tool vendor. Do not use the
forensics tool until the problem has been fixed
c. Use a test hard disk for validation purposes
d. Check the Web for new editions, updates, patches, and validation tests for your
tools
Quick Quiz 2
1. The first tools that analyzed and extracted data from floppy disks and hard disks were
____ tools for IBM PC file systems.
Answer: MS-DOS
2. A useful option in SMART is the _____, which color-codes hex values to make it easier
to see where a file begins and ends.
Answer: hex viewer
3. A forensic workstation that is usually a laptop computer built into a carrying case with a
small selection of peripheral options is known as a _____ workstation.
Answer: lightweight
4. ____ are used to protect evidence disks by preventing data from being written to them.
Answer: Write-blockers
5. NIST created the ____ project with the goal of collecting all known hash values for
commercial software and OS files.
Answer: National Software Reference Library (NSRL)
2. Ask students to discuss the advantages and disadvantages of using ISO standards for
testing and validation purposes. The discussion should be oriented toward, but not limited
to, ISO standards. Any other standard definition can be used.
Additional Projects
1. Ask students to analyze the content of a Microsoft Outlook PST file. Can they read its
contents?
2. Ask students to investigate the major characteristics of USB 2.0/3.0 and FireWire ports.
Additional Resources
1. Brute force attack:
http://www.computerhope.com/jargon/b/brutforc.htm
3. Kali Linux:
http://www.kali.org/
Key Terms
acquisition — The process of creating a duplicate image of data; one of the five
required functions of digital forensics tools.
brute-force attack — The process of trying every combination of characters—letters,
numbers, and special characters typically found on a keyboard—to find a matching
password or passphrase value for an encrypted file.
Computer Forensics Tool Testing (CFTT) — A project sponsored by the National
Institute of Standards and Technology to manage research on digital forensics tools.
extraction — The process of pulling relevant data from an image and recovering or
reconstructing data fragments; one of the five required functions of digital forensics
tools.
keyword search — A method of finding files or other information by entering relevant
characters, words, or phrases in a search tool.
National Software Reference Library (NSRL) — A NIST project with the goal of
collecting all known hash values for commercial software and OS files.
password dictionary attack — An attack that uses a collection of words or phrases
that might be passwords for an encrypted file. Password recovery programs can use a
password dictionary to compare potential passwords to an encrypted file’s password or
passphrase hash values.
reconstruction — The process of rebuilding data files; one of the required functions of
digital forensics tools.
validation — A way to confirm that a tool is functioning as intended; one of the
required functions of digital forensics tools.
verification — The process of proving that two sets of data are identical by calculating
hash values or using another similar method.
write-blocker — A hardware device or software program that prevents a computer
from writing data to an evidence drive.