Many of the tools used in digital forensics can be used for multiple purposes. Metasploit, for example, is not normally classed as a digital forensic tool, but it can be used to 'recover' the passwords that protect files from prying eyes.
Generally, though, we want to use the right tool for the right job. Our use of Kali Linux has shown how tools can be divided into categories, and in the main we want to use the tool appropriate to the stage of the investigation.
- FTK (Forensic Tool Kit) was used to make a disk image.
- Guymager was used to make a byte-for-byte image copy.
- dd in Kali Linux was another tool used to make an image.
- dc3dd is another popular tool used to make an image.
- Finally, dcfldd was introduced as a popular method to make an image.
- LiME (Linux Memory Extractor) is a very useful tool for obtaining a live dump of the RAM contents.
- DumpIt is the equivalent memory acquisition tool for Windows.
Be aware, though, that there are many other imaging programs for Linux, Windows and Mac. With all of them a write blocker must be used to prevent any changes to the original data.
Once made, it is good practice to duplicate the image and check that the copy produces the same hash. Then archive one copy in the case folder and use the other for the analysis.
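The image, hash, duplicate and re-hash routine described above, as an added example that is not part of the original notes. It uses dd, sha256sum and cp on a constructed 64 KiB file standing in for a write-blocked device; the source path, folder names and 4 KiB block size are assumptions.

```shell
#!/bin/sh
# Added example: image a source, hash it, duplicate the image and confirm
# that both copies carry the same hash before one is archived.
# Assumes a POSIX shell with dd, sha256sum, cp and mktemp available.
set -eu

image_and_verify() {
  src="$1"       # source device or file, opened read-only behind a write blocker
  case_dir="$2"  # case folder that receives the archive copy
  work_dir="$3"  # working folder that receives the analysis copy

  # Hash the source first so the image can be checked against it.
  src_hash=$(sha256sum "$src" | cut -d' ' -f1)

  # Raw byte-for-byte image. conv=noerror,sync continues past read errors
  # and pads an unreadable block with zeros so offsets stay aligned.
  # sync also pads a short final block, so the source size must be a
  # multiple of bs (true for real block devices, and for the file below).
  dd if="$src" of="$case_dir/evidence.dd" bs=4096 conv=noerror,sync 2>/dev/null
  img_hash=$(sha256sum "$case_dir/evidence.dd" | cut -d' ' -f1)
  [ "$img_hash" = "$src_hash" ] || { echo "image does not match source" >&2; return 1; }

  # Duplicate for analysis; the case-folder copy is never touched again.
  cp "$case_dir/evidence.dd" "$work_dir/evidence.dd"
  dup_hash=$(sha256sum "$work_dir/evidence.dd" | cut -d' ' -f1)
  [ "$dup_hash" = "$img_hash" ] || { echo "duplicate does not match image" >&2; return 1; }

  # Record the hash beside the archive copy so the report can cite it.
  printf '%s  evidence.dd\n' "$img_hash" > "$case_dir/evidence.dd.sha256"
  echo "$img_hash"
}

# Demo on a constructed 64 KiB "device" (16 blocks of 4096 random bytes).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/case" "$demo_dir/work"
dd if=/dev/urandom of="$demo_dir/evidence.bin" bs=4096 count=16 2>/dev/null
image_and_verify "$demo_dir/evidence.bin" "$demo_dir/case" "$demo_dir/work"
```

On a real case the first argument would be the device node (for example /dev/sdb, an assumed name) and the hash line in the case folder is what the report quotes.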
Recovering data or finding data that's been deleted.
- recoverjpeg was used to 'pull back' or find pictures that may have been deleted or hidden.
- Foremost was used to extract files and separate them by type into separate folders for later analysis.
- Photorec was another tool used to 'recover' files. It does a lot more than its name implies.
- Scalpel is another highly regarded file carving tool.
As with imaging tools, there are a number of file carving tools that work on a variety of platforms. Some programs, for example, cross over into other areas: Bulk-extractor can be used for both extraction and analysis.
Having extracted the data, there comes the task of understanding the story the data tells. This can be more of an art than a science, and the story being looked for depends very much on the project brief. Can you find what you are being asked to discover?
- File analysis using Autopsy within Sleuth Kit.
- Autopsy was also used to perform a timeframe analysis.
- Bulk-extractor is a popular tool for email analysis.
- Dumpzilla is another popular tool available for analysing internet histories.
- Volatility was used as a tool to reveal how a memory image could be analysed, following a trail of clues to reveal a final answer.
Writing the report has to be done with care. It becomes a legal document used in court and may be a vital piece of evidence that convicts a criminal, possibly to many years in jail, or proves their innocence. It is not something to be taken lightly, as it essentially answers the question of whether the suspect did what they are accused of.
- Some programs like Autopsy can help with the report writing, providing hash values and the technical properties of the devices.
- In timeframe analysis, Autopsy can reveal the order in which events happened.
- Carving tools often provide audit.txt documents that provide file lists and values.
Other tools, while not strictly classed as forensic tools, can help with the report writing by making relationships between data clearer in a more graphical form. Programs like Maltego are very good at this.