Image masster solo 4 manual

Chapter 8: Common Forensic Tools

Overview

In this chapter, you'll learn more about:

· Explore disk imaging tools, forensic software tool sets, and miscellaneous software tools

· Understand computer forensic hardware

· Assemble your forensic tool kit

The first steps in any investigation nearly always involve old-fashioned detective work. As a forensic investigator, you need to observe and record your observations first. Once you start examining media contents, you'll need some tools to help you find and make sense of stored data.

Forensic investigators and computer examiners need several different types of tools to identify and acquire computer evidence. Some evidence is hidden from the casual observer and requires specialized tools to find and access. In this chapter, we'll examine a sampling of some common and popular tools available to carry out computer forensic tasks.

Disk Imaging and Validation Tools

After identifying the physical media that they suspect contains evidence, forensic investigators must make sure media is preserved before any further steps are taken. Preserving the media is necessary to provide assurance the evidence acquired is valid.

Chapter 3, "Computer Evidence," and Chapter 4, "Common Tasks," both emphasize the importance of copying all media first and then analyzing the copy. It's usually best to create an exact image of the media and verify that it matches the original before continuing the investigation. It's rare to examine the original evidence for any investigation that might end up in court. For other types of investigations, however, forensic investigators might perform a targeted examination on the original evidence. For example, assume the job is to examine a user's home folder on a server for suspected inappropriate material. It might be impossible or extremely difficult to create a mirror image of the disk drive, but the disk can be scanned for existing or deleted files while it is in use. Although examining media while in use might not always be the best practice, informal investigations use this technique frequently.

To Copy or Not to Copy?

Whenever possible, create a duplicate of the original evidence, verify the copy, and then examine the copy. Always invest the time and effort to copy original media for any investigation that might end up in a court of law. If you are sure your investigation will not end up in court, you might decide to analyze the original evidence directly. This is possible and desirable in cases where copying media would cause service interruptions.

Your choice of tools to use depends on several factors, including:

· Operating system(s) supported

Operating system(s) in which the tool runs

File systems the tool supports

· Price

· Functionality

· Personal preference

The following sections list some tools used to create and verify media copies. Some products appear in two places in the chapter. That's because several products play multiple roles. This section lists several products that are part of larger forensic software suites. While most suites of forensic software handle image acquisition, this section highlights those tools investigators tend to use most frequently.

Note

The list in this chapter is not exhaustive. There are many useful tools not listed here; thus, the exclusion of any tool need not diminish its merit. Where possible, web addresses and URLs have been included for tools examined.

dd

The dd utility tool is a mainstay in UNIX/Linux environments. This handy tool is installed with most UNIX/Linux distributions and is used to copy and convert files. As briefly discussed in Chapter 5, "Capturing the Data Image," dd is commonly used in forensics to copy an entire UNIX/Linux environment. Using dd you can specify the input and output file, as well as conversion options. This utility uses two basic arguments:

· if specifies the input file

· of specifies the output file

The dd utility abides by operating system file size limits (normally 2 GB) and truncates individual files larger than the limit. (The 2 GB limit does not apply when using the dd utility with device files.) Use caution when copying large files with dd.

If you want only to copy files smaller than the maximum file size, dd is a handy tool to keep in your forensic toolbox.

For example, to copy a simple file from a source (such as /home/user/sn.txt) to a destination (such as /tmp/newfile), you would issue the following command:

dd if=/home/user/sn.txt of=/tmp/newfile

Figure 8.1 shows the results of the above command.

Figure 8.1: Using the dd utility to copy a text file

Using similar syntax, an entire hard disk drive can easily be copied. To copy a drive located at /dev/sdb to an image file named /home/user/case1234img, use this command:

dd if=/dev/sdb of=/home/user/case1234img

Figure 8.2 shows the results of the above command.

Figure 8.2: Using the dd utility to copy an entire hard disk drive

The dd utility is already on any computer running UNIX or Linux, and an Internet search produces a list of places to obtain dd for Windows. Chrysocome provides a version of dd for Windows at http://chrysocome.net/dd. Type man dd in UNIX or Linux for a man (manual) page that documents the command syntax.

DriveSpy

DriveSpy is a DOS-based disk imaging tool, developed by Digital Intelligence, Inc. An extended DOS forensic shell, DriveSpy provides an interface similar to the MS-DOS command line, along with additional and extended commands. The entire program is only 125 KB and easily fits on a DOS boot floppy disk. Unfortunately, DOS boot floppy disks aren't as common as they once were. Also, it takes some work to prepare media to use DriveSpy. The payoff is usually worth the effort. DriveSpy does a great job of capturing and searching disk content. All you have to do is create a DOS bootable device with the DriveSpy executable on it. The most common portable boot devices are CD/DVDs and USB devices.

To create a DOS bootable device:

1 Start DriveSpy and use the DRIVES or V command to list the drives and partitions attached to a computer. (See Figure 8.3.)

2 Choose a drive and partition for the investigation target from the SYS> prompt.

3 Select Drive 3 from the D3 command.

4 Select partition 1 at the P1 command. The partition information is displayed. (See Figure 8.4.)

Figure 8.3: Listing the drives on a system

Figure 8.4: Partition information

DriveSpy provides many functions necessary to copy and examine drive contents. The program logs all activities, optionally down to each keystroke. Logging can be disabled at will. Forensic investigators can examine DOS and non-DOS partitions and retrieve extensive architectural information for hard drives or partitions. DriveSpy does not use operating system calls to access files, and it does not change file access dates.

DriveSpy also lets you perform the following tasks:

· Create a disk-to-disk copy (supports large disk drives).

· Create a MD5 hash for a drive, partition, or selected files.

· Copy a range of sectors from a source to a target, where source and target can span drives or reside on the same drive.

· Select files based on name, extension, or attributes.

· Unerase files.

· Search a drive, partition, or selected files for text strings.

· Collect slack and unallocated space.

· Wipe a disk, partition, unallocated, or slack space.

DriveSpy provides basic command-line functionality and is portable enough to carry on a simple boot device or media to use at the scene. For pricing and more information, visit the Digital Intelligence, Inc. Web site at http://www.digitalintelligence.com/software/disoftware/drivespy/.

EnCase

The EnCase product family from Guidance Software is one of the most complete forensic suites available. More of EnCase's functionality and its different products are covered in the "Forensic Tools" section later in this chapter. EnCase is also included in this section owing to its drive duplication functions.

forensic suite

Set of tools and/or software programs used to analyze a computer for collection of evidence.

In addition to providing tools and a framework in which to manage a complete case, EnCase includes a drive duplicator (also known as a drive imager). The drive imager creates an exact copy of a drive and validates the image automatically (See Figure 8.5 and Figure 8.6). It either creates complete images or splits drive images to economize storage. EnCase copies virtually any type of media, creating an identical image for analysis. EnCase calls this static data support.

Figure 8.5: Using EnCase to select a drive for duplication

Figure 8.6: EnCase acquisition status message with an assigned globally unique identifier (GUID) and MD5

Tip

EnCase Enterprise Edition also provides support for volatile data. This feature snapshots Random Access Memory (RAM), the Windows Registry, open ports, and running applications. It provides potentially valuable information that disappears when a computer is shut down.

Guidance Software also sells a complete line of hardware disk-write blockers. Their Tableau products provide an extra measure of assurance that no writes occur on a device. You can use the hardware write blocker with EnCase or rely on EnCase's own software write blocking to protect original media. Forensic investigators can also use Tableau hardware write blockers with non-EnCase software.

The EnCase products run on Windows workstation and server operating systems. For more information on the EnCase product line and specific system requirements, visit the Guidance Software Web site at www.guidancesoftware.com.

Forensic Replicator

Forensic Replicator, from Paraben Forensic Tools, is another disk imaging tool that accommodates many types of electronic media. Forensic Replicator runs on the Windows operating system. It provides an easy-to-use interface, as shown in Figure 8.7 and Figure 8.8, to select and copy entire drives or portions of drives. It also handles most removable media, including Universal Serial Bus (USB) micro drives. Forensic Replicator stores media images in a format that the most popular forensic programs can read.

Figure 8.7: Paraben's Forensic Replicator Acquisition Wizard

Figure 8.8: Paraben's Forensic Replicator primary user interface

Forensic Replicator also provides the ability to compress and split drive images for efficient storage. The ISO option allows you to create CDs or DVDs from evidence drives that you can browse for analysis. This option makes drive analysis much easier and more accessible for general computers. Copies of the suspect drive don't need to be mounted on a dedicated forensic computer. Standard searching utilities can be used to search the CDs or DVDs. Forensic Replicator also offers the option of encrypting duplicate images for secure storage.

Paraben also sells a FireWire or USB-to-IDE/SATA write blocker, called Paraben's Lockdown V3, as a companion product.

For additional information about the Paraben forensic tools product line, see the "Forensic Tools" section later in this chapter. For more information on the Forensic Replicator product, visit the Paraben Web site at http://www.paraben-forensics.com/replicator.html.

FTK Imager

FTK (Forensic Toolkit) Imager from AccessData Corporation is a Windows-based set of forensic tools that includes powerful media duplication features. (See Figure 8.9.) This free imaging tool allows you to mount a forensic image of the suspect computer so that the suspect's image becomes a letter drive on the investigator's computer.

Figure 8.9: AccessData FTK Imager

FTK can create media images from many different source formats, including:

· NTFS and NTFS compressed

· FAT12, FAT16, and FAT32

· Linux ext2, ext3, and ext4

· HFS, HFS+, CDFS, and VXFS

Figure 8.10 shows the image creation progress message.

Figure 8.10: FTK Imager creating an image

FTK generates CRC or MD5 hash values, as do most products in this category, for disk-copy verification. In addition, FTK provides full searching capability for media and images created from other disk imaging programs. Image formats that FTK reads include:

· EnCase

· SMART

· Expert Witness

· ICS

· Ghost

· dd

· Advanced Forensic Format (AFF)

· AccessData Logical Image (ADI)

For more information about FTK Imager, visit the AccessData Corporation Web site at www.accessdata.com.

Norton Ghost

Norton Ghost, from Symantec, is not strictly a forensic tool, but it does provide the ability to create disk copies that are almost exact copies of the original. You can verify the copies you make and ensure each partition is an exact copy, but a complete drive image that Ghost creates commonly returns a different hash value than a hash of the original drive. This means that, although Ghost is a handy tool, it may not provide evidence that is admissible in a court of law. The most common uses for Ghost include backup/restore and creating installation images for multiple computers. Even though Ghost's primary use is not forensics, its utility merits a place in our list of useful tools. (See Figure 8.11.)

Figure 8.11: Norton Ghost

Norton Ghost is a Windows application and requires a Windows operating system. For more information on Norton Ghost, visit the Symantec Web site at http://us.norton.com/ghost.

ProDiscover

ProDiscover, from Technology Pathways, is another suite of forensic tools worth considering for your forensic toolkit. Like other forensic software suites, ProDiscover provides disk imaging and verification features. (See Figure 8.12.)

ProDiscover can create a bit stream copy of an entire suspect disk, including host protected hardware protected area (HPA) sections, to keep original evidence safe. The HPA is an area of a hard disk drive that the disk controller does not report to the BIOS or the operating system. Some disk drive manufacturers use the HPA to hide utilities from the operating system. (For more information, see Chapter 5.)

Another interesting feature of ProDiscover is that it allows you to capture a disk image over a network without being physically connected to a suspect computer.

Figure 8.12: Capturing a disk image with ProDiscover

ProDiscover also automatically creates and records MD5 or SHA-1 hashes for evidence files to prove data integrity. Figure 8.13 shows the main project window.

Figure 8.13: ProDiscover project

Technology Pathways provides several different versions of ProDiscover, to meet specific forensic needs. As with other forensic suites, we cover additional features in a later section of this chapter.

All Technology Pathways products include disk imaging and verification and require a Windows operating system. For more information on ProDiscover, visit the Technology Pathways Web site at www.techpathways.com.

SMART Acquisition Workshop (SAW)

The SMART Acquisition Workshop (SAW) product from ASR Data Acquisition & Analysis, LLC, is a stand-alone utility that creates forensic-quality images from storage devices. SAW runs on Windows, Linux, and Mac computers. Regardless of the operating system, SAW uses a GUI that makes creating images of evidence data easy. (See Figure 8.14.)

Although SAW works as a stand-alone utility, it also works with another ASR Data utility, SmartMount. SmartMount uses image files from SAW and several other imaging tools, to ensure fast performance for many common forensic activities. ASR Data states that SmartMount exceeds competitors' performance by running up to twenty times faster for searches, indexing, and analysis operations.

Figure 8.14: SAW interface

Even without SmartMount, SAW provides a solid method to create images of many different types of storage media using a straightforward GUI. For more information on SAW, visit the ASR Data Acquisitions & Analysis Web site at http://www.asrdata.com/forensic-software/saw/.

SMART

SMART comes from the same organization that produces the SAW utility, ASR Data Acquisition & Analysis, LLC. The suite comprises several tools integrated into a full-featured forensic software package. Two tools in the package are SMART Acquisition, which provides disk imaging, and SMART Authentication, which provides verification functionality.

SMART runs in Linux and provides a graphical view of devices in a system (Figure 8.15). The first step in creating a disk image is to calculate a hash value for the source device.

Figure 8.15: SMART displays devices in a system.

After SMART generates and stores the hash value, it creates one or more device images. SMART can create multiple image files, use compression, split images to fit on smaller devices, and associate images with existing case files (Figure 8.16).

Figure 8.16: Creating an image file with SMART

For more information on SMART, visit the ASR Web site at http://www.asrdata.com/forensic-software/smart-for-linux/.

WinHex

WinHex, from X-Ways Software Technology AG, is a Windows-based universal hexadecimal editor and disk management utility. It supports recovery from lost or damaged files and general editing of disk contents. Its disk cloning feature is most relevant to this section.

WinHex clones any connected disk (see Figure 8.17 and Figure 8.18) and verifies the process using checksums or hash calculations.

Figure 8.17: Starting the clone process in WinHex

Figure 8.18: The Clone Disk dialog box in WinHex

WinHex provides many features beyond disk imaging and verification. You can use WinHex to examine, and optionally edit, disk contents. You can also search disks for text strings using WinHex's search engine. Its support for various data types and its ability to view data in different formats make WinHex a valuable forensic tool.

For more information on WinHex and its additional capabilities, visit the X-Ways Software Technology Web site at http://www.x-ways.net/winhex/.

Forensic Tools

After you make a verified copy of original media, you're ready to begin analysis. The tools discussed in the following sections can perform many forensic functions. Your choice of tools depends on specific investigative needs. The following sections include common software and hardware tools and cover their capabilities.

As with disk imaging tools, your choice of tools to use depends on the following:

· Operating system(s) supported

· User interface preferences

· Budget

· Functionality/capabilities

· Vendor loyalty

Software Suites

Several companies specialize in developing and providing forensic tools. These companies produce software and/or hardware with diverse functionality. Some suites of forensic software are tightly integrated and have mature user interfaces. Other forensic suites are little more than collections of useful utilities. Consider the following tools and try out the ones you like. Your final choice of forensic tools should enable you to perform the examinations you will encounter. Although bells and whistles are nice, it's more important to get the tools you really need.

EnCase

Guidance Software produces the EnCase product line. EnCase was originally developed for law enforcement personnel to carry out investigations. This product line has grown to support commercial incident response teams as well.

The general concept of a case is central to the EnCase product. The first action you take is to create a case file. All subsequent activities (see Figure 8.19, Figure 8.20, and Figure 8.21) relate to a case.

Figure 8.19: EnCase interface

Figure 8.20: Using EnCase to search for keywords

Figure 8.21: Viewing IP addresses with EnCase

EnCase is an integrated Windows-based GUI tool suite. Even though the EnCase functionality is impressive, you are likely to need other utilities at some point. Fully integrated solutions can increase productivity, but don't hesitate to use another tool when you need it.

Here are just a few features of EnCase:

· Snapshot enables investigators to capture volatile information including:

RAM contents

Running programs

Open files and ports

· Organizes results into case files and manages case documents

· Helps maintain the chain of custody

· Provides tools for incident response teams to respond to emerging threats

· Supports real-time and postmortem examinations

EnCase provides the functionality to acquire and examine many types of evidence. The organization around a case provides the structure to keep information in order. Overall, EnCase is one of the premium suites of software you definitely should evaluate when selecting forensic tools. For more information on EnCase, visit the Web site at www.guidancesoftware.com.

Forensic Toolkit (FTK)

Another forensic suite that provides an integrated user interface is AccessData's Forensic Toolkit (FTK) (Figure 8.22). FTK runs in Windows operating systems and provides a powerful tool set to acquire and examine electronic media.

Figure 8.22: FTK Evidence Processing options

As discussed in "Disk Imaging and Validation," earlier in this chapter, FTK contains a disk imaging tool. This imaging tool provides one or more copies of primary evidence for analysis.

FTK provides an easy-to-use file viewer that recognizes nearly 300 types of files. It also provides full text indexing powered by dtSearch (we cover dtSearch features later in this chapter in the "Miscellaneous Software Tools" section). FTK's integrated file viewer and search capabilities enable it to find evidence on most devices.

FTK works with media images created by several imaging utilities, including:

5 FTK

6 EnCase

7 SMART

8 dd

Search capabilities include e-mail and archive file analysis. FTK also enables users to quickly examine files in many different formats. Results are organized by case and presented in a case content summary. For more information on FTK, visit the AccessData Web site at www.accessdata.com.

The Sleuth Kit (TSK)

The Sleuth Kit (TSK) is a popular, free, open source forensic software suite. TSK is a collection of command-line tools that provides media management and forensic analysis functionality.

TSK has a few features that deserve separate mention. TSK supports Mac partitions and analyzes files from Mac file systems. It also runs on Mac OS X. TSK can analyze volatile data on running systems.

The core TSK toolkit contains five different types of tools.

· File System Tools

File System Layer The fsstat tool reports file system details, including inode Numbers (file system data structures that contain file information), block or cluster ranges, and super block details for UNIX-based systems. For FAT file systems, fsstat provides an abbreviated FAT table listing.

File Name Layer The ffind and fls tools report allocated, unallocated, and deleted filenames.

Meta Data Layer The icat, ifind, ils, and istat tools report on file metadata (file details) stored in file systems.

Data Unit Layer The blkcat, blkls, blkstat, and blkcalc tools report file content information and statistics.

File System Journal The jcat and jls tools report journal information and statistics.

· Volume System Tools

The mmls, mmstat, and mmcat tools provide information on the lay-out of disks or other media.

· Image File Tools

The img_stat, and img_cat tools provide details and content information for image files.

· Disk Tools

The disk_sreset, and disk_stat tools detect and remove an HPA on an ATA disk.

· Other Tools

hfind The hfind tool looks up hash values.

mactime This tool uses fls and ils output to create timelines of file activity, such as create, access and write activity.

sorter This tool sorts files based on file type.

sigfing This tool searches for a binary value in a file, starting at a specific offset location.

For more information on TSK, visit the TSK Web site at www.sleuthkit.org.

ProDiscover

Technology Pathways provides two different versions of the ProDiscover tool suite: Forensics and Incident Response (IR), depending on your particular forensic needs. (ProDiscover IR is shown in Figure 8.23 and Figure 8.24.) Both ProDiscover products run in Windows with an integrated GUI.

Figure 8.23: Using ProDiscover IR to add comments to a file

Figure 8.24: Search results in ProDiscover IR

Here are some notable ProDiscover features:

· Allows live system examination

· Identifies Trojan horse programs and other software intended to compromise system security

· Utilizes a remote agent that allows centralized examination and monitoring, along with encrypted network communication to secure analysis data

· Creates a bit stream copy of an entire suspect disk, including hidden HPA sections, to keep original evidence safe

· Ensures integrity of acquired images using MD5 or SHA-1 hashes

· Supports FAT12, FAT16, FAT32, all NTFS versions, Linux ext2/ext3, and Sun Solaris UFS file systems

· Generates reports in eXtensible Markup Language (XML)

ProDiscover provides functionality similar to other full-featured forensic software suites listed in this section.

Technology Pathways also offers a free version of ProDiscover Basic. ProDiscover Basic is a complete GUI-based computer forensic software package. It include the ability to image, preserve, analyze, and report on evidence found on a computer disk drive. This version is freeware and may be used and shared free of charge.

Take a look at the full product line for more details on specific features. To learn more about ProDiscover, visit the Technology Pathways Web site at www.techpathways.com.

SIFT

The SANS Investigative Forensic Toolkit (SIFT) is a collection of open source (and freely available) forensic utilities. SANS originally developed SIFT as a toolkit for students in the SANS Computer Forensic Investigations and Incident Response course. The students liked the toolkit so much that word spread and SANS decided to repackage and release it to the public.

SIFT is available either as a VMware virtual machine or as an ISO image to create a bootable CD. It provides the ability to examine disks and images created using other forensic software. This toolkit allows users to examine the following file systems:

· Windows (FAT, VFAT, NTFS)

· Mac (HFS)

· Solaris (UFS)

· Linux (ext2/ext3)

SIFT tools support the following evidence image formats:

· Raw (dd)

· Expert Witness (E01)

· Advanced Forensic Format (AFF)

SIFT includes these individual tools:

· The Sleuth Kit (TSK file system analysis)

· Log2timeline (generates timelines)

· Ssdeep and md5deep (generates hashes)

· Foremost/Scalpel (file carving)

· Wireshark (network analysis) (http://www.wireshark.org/) (See Figure 8.25.)