Forensic Tools
by Donald Wood
CSS 350
Overview
Forensic tools are an important part of the computer forensic investigator's ability to perform his/her job.
- Imaging tools (disk imaging, write protection, etc.)
- Search tools (text, program, etc.)
- Data recovery tools (deleted files, format recovery, etc.)
- Recommended hardware tools
- Monitoring tools, both network and individual system
- Strengths, weaknesses, risks, reviews of each
Imaging Suggested Tool: DeepSpar Disk Imager
The first dedicated imaging device built to handle disk-level problems. DeepSpar Disk Imager Forensic Edition is a portable version of DeepSpar Disk Imager Data Recovery Edition with the addition of forensic-specific functionality.
Imaging Suggested Tool Con't
Strengths: Maps scanned sectors and "remembers" just where you left off if the process is interrupted.
Weaknesses: Drive caching can cause problems; for example, if there is a bad sector within the read-ahead block it can cause the drive to hang or time out.
Risks: Same as weaknesses.
Reviews: Accesses the drive directly using its own hardware and software routines to send ATA read commands, so any media errors can be identified immediately; blocks containing bad sectors are skipped and the imaging process continues from the next block of data until the first pass is finished. Once complete, it then goes backwards through the drive so that any drive caching is disabled.
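To make the two-pass strategy and the resumable sector map concrete, here is an added simulation (not DeepSpar's code): a constructed drive with one permanently bad sector and one that fails only on its first read, imaged with a forward block-wise pass that skips any block hitting an error, then a backward sector-wise pass; the `budget` parameter is a hypothetical stand-in for an interrupted session.

```python
from typing import Dict, Optional, Set

SECTOR = 4   # bytes per toy sector (real media use 512 or 4096)
BLOCK = 2    # sectors per read-ahead block in the forward pass
class FakeDrive:
    """Constructed stand-in for a failing disk: 'bad' sectors always error,
    'flaky' ones error on the first attempt and read fine afterwards."""
    def __init__(self, data: bytes, bad: Set[int], flaky: Set[int]):
        self.data, self.bad, self.flaky = data, set(bad), set(flaky)
        self.attempts: Dict[int, int] = {}
    def sectors(self) -> int:
        return len(self.data) // SECTOR
    def read(self, lba: int) -> bytes:
        self.attempts[lba] = self.attempts.get(lba, 0) + 1
        if lba in self.bad or (lba in self.flaky and self.attempts[lba] == 1):
            raise IOError(f"read error at LBA {lba}")
        return self.data[lba * SECTOR:(lba + 1) * SECTOR]

class Imager:
    """Two-pass imager with a sector map (lba -> 'ok' | 'bad'). Sectors absent
    from the map are still outstanding, so calling run() again resumes."""
    def __init__(self, drive: FakeDrive):
        self.drive = drive
        self.image = bytearray(len(drive.data))   # zero-filled; bad sectors stay zero
        self.status: Dict[int, str] = {}
        self.reads = 0

    def _try(self, lba: int, budget: Optional[int]) -> bool:
        # budget models the session being interrupted after a fixed number of reads
        if budget is not None and self.reads >= budget:
            raise InterruptedError("imaging interrupted; sector map retained")
        self.reads += 1
        try:
            self.image[lba * SECTOR:(lba + 1) * SECTOR] = self.drive.read(lba)
            self.status[lba] = "ok"
            return True
        except IOError:
            return False

    def run(self, budget: Optional[int] = None) -> Dict[int, str]:
        n = self.drive.sectors()
        # pass 1: forward, block by block; on the first error skip the rest of the block
        for start in range(0, n, BLOCK):
            for lba in range(start, min(start + BLOCK, n)):
                if self.status.get(lba) != "ok" and not self._try(lba, budget):
                    break
        # pass 2: backwards, one sector at a time, over everything still outstanding
        for lba in range(n - 1, -1, -1):
            if self.status.get(lba) != "ok" and not self._try(lba, budget):
                self.status[lba] = "bad"
        return self.status
```

Sectors the second pass still cannot read are marked "bad" and left zero-filled in the image, so the map doubles as a record of exactly which evidence could not be recovered.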
Imaging Suggested Tool Con’t
Search Tools: Hurricane Search
Created to help you search for evidence and solve computer crime. Hurricane Search helps find text stored on computer hard drives. Build evidence by searching text files, PDF documents, and Word files thoroughly, as well as finding evidence in binary files with embedded information on hard drives.
Search Tools Con't
Strengths: Select multiple directories to include or exclude from searches; the user interface enhances the way you work through minimized keystrokes; preview results in context; search data hidden in compressed Zip and binary files.
Weaknesses: None listed.
Risks: None listed.
Reviews: Used worldwide by thousands of professionals to find text and build legal evidence. Our customers have reported that Hurricane Search is used to conduct employee investigations, ensure intellectual property protection, assist law enforcement officers, and locate malicious data in business environments or on client workstations.
Data Recovery: DriveLook V1.00
Scans a drive or a partition of a drive for text strings and stores them in a table. After completion of the scan you can browse this table and view the locations where the words have been found. The search function allows you to do fast inquiries for combinations of words.
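The scan-once, query-many model described above, as an added illustration in Python (not DriveLook's code): a constructed byte string stands in for a raw partition, one pass builds the word-to-offset table, and `query` answers combination searches from the table alone without touching the "drive" again.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed raw partition bytes: text fragments between binary junk, the way
# live and deleted file content sits in unallocated space on a real drive
RAW = (b"\x00\x00MZ\x90\x00invoice number 4471 for acme\x00\xff\x10"
       b"contact acme legal dept\x00\x00\x01\x02password reset for bob\x00")

WORD = re.compile(rb"[A-Za-z0-9]{3,}")   # printable runs of at least three alphanumerics

def build_table(raw: bytes) -> Dict[str, List[int]]:
    """One sequential scan of the raw bytes, storing every word with the byte
    offsets at which it occurs (the table you browse after the scan)."""
    table: Dict[str, List[int]] = defaultdict(list)
    for m in WORD.finditer(raw):
        table[m.group().decode("ascii").lower()].append(m.start())
    return dict(table)

def query(table: Dict[str, List[int]], words: List[str], window: int = 32) -> List[int]:
    """Offsets of words[0] near which every other word also occurs (within
    `window` bytes): a combination search answered from the table, not the drive."""
    hits = []
    for anchor in table.get(words[0].lower(), []):
        if all(any(abs(off - anchor) <= window for off in table.get(w.lower(), []))
               for w in words[1:]):
            hits.append(anchor)
    return hits

def context(raw: bytes, offset: int, span: int = 16) -> str:
    """Render the bytes around a hit, with non-printables shown as '.', for review."""
    chunk = raw[max(0, offset - span):offset + span]
    return "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
```

The window value is an assumption of this example; a real tool would let the examiner choose how close the words must sit to count as one hit.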
Data Recovery Con't
Strengths: The search function allows you to do fast inquiries for combinations of words.
Weaknesses: Limited to a Windows OS.
Risks: None listed.
Reviews: Used worldwide by thousands of professionals to find text and build legal evidence. Our customers have reported that Hurricane Search is used to conduct employee investigations, ensure intellectual property protection, assist law enforcement officers, and locate malicious data in business environments or on client workstations.
Recommended Hardware Tools
A hardware platform could be anything from a 7-bay tower to a portable small form factor system or even a laptop. A system with a MicroATX motherboard and medium form factor case is a reasonable compromise for a static lab station. A standard MicroATX board will supply onboard video and be able to support 2 PCI cards, 2 PCI Express cards, 4 DIMMs, Parallel and Serial ATA hard drives, floppy drives, USB 2.0, and Gigabit Ethernet. A new Intel or AMD CPU will be more than sufficient for most investigations.
While the processor speed does make a difference for certain operations, one of the mainstays of the forensic investigation is the keyword search, which requires that each sector of a suspect hard drive be examined, and the speed of that process relies almost entirely on the speed of the drive itself. Instead of investing in high-priced workstations with top-of-the-line CPUs, investigators should focus on ensuring the highest-speed I/O bus so the system can quickly access the data stored on disk.
Network Monitoring Tools: Scrutinizer
Scrutinizer delivers a diverse range of free and commercial flow measuring and monitoring tools.
Network Monitoring Tools Con't
Strengths: Saves unlimited amounts of past NetFlow data.
Weaknesses: None listed.
Risks: None listed.
Reviews: Saves unlimited amounts of past NetFlow data. Adds several additional traffic analysis report types (e.g. Flows, Flow Volume, NBAR Support, etc.). Algorithms perform Network Behavior Analysis on all flows across all routers/switches. Top (applications, hosts, flows, countries, domains, etc.) across all routers/switches. Constantly resolving all IP addresses. Uses saved Scrutinizer reports to monitor for threshold violations.
http://media.plixer.com/promo/scrutinizerPromo.html
Host Monitoring Tools: Advanced Host Monitor Version 8.58
Host Monitor is highly scalable network monitoring software suitable for small and enterprise-level networks.
Host Monitoring Tools Con't
Strengths: In the event of network errors, HostMonitor will alert the network administrator (or even correct the problem when possible) before problems get seriously out of hand.
Weaknesses: None listed.
Risks: None listed.
Reviews: A system management tool that continuously monitors servers' availability and performance. In the event of network errors, HostMonitor will alert the network administrator (or even correct the problem when possible) before problems get seriously out of hand. This helps protect your company's data and reduces the likelihood of costly network failures.
http://www.ks-soft.net/hostmon.eng/mainwin1.htm
Resources
http://www.deepspar.com/products-ds-disk-imager-forensic.html?gclid=CMaD8rf6tKECFQz_iAod0Em2Dw
http://www.hurricanesoft.com/hsforensics.jsp
http://www.runtime.org/drivelook.htm
https://www.issa.org/Library/Journals/2006/March/Stanley,%20McGoff%20-%20Choosing%20Hardware%20for%20a%20Computer%20Forensic%20Lab.pdf
http://www.plixer.com/products/netflow-sflow/free-netflow-scrutinizer.php
http://www.ks-soft.net/hostmon.eng/
Questions