Digital Forensics

7. Choosing the Correct Forensic Tools

Which Tool?

Many of the tools used in digital forensics can be used for multiple purposes. Matasploit for example, is not normally classed as a digital forensic tool, but it can be used to 'recover' passwords that used to protect files from prying eyes.

Generally though, we want to use the right tools for the right job. Our use of Kali Linux has revealed how tools can be divided into categories and in the main we want to use the tool appropriate to stage of investigation.



Getting the data

  • FTK (Forensic Tool Kit) was used to make a disk image.
  • Used Guymager to make byte for byte image copy
  • dd in Kali Linux was another tool used to make an image.
  • dc3dd is another popular tool used to make an image.
  • Finally dcfldd was introduced as a popular method to make an image.
  • LiME (Linux Memory Extractor) is a very useful tool for obtaining a live dump of the RAM Memory contents.
  • DumpIt is the equivalent memory acquisition tool for Windows.

Be aware though, there are many other image making programs both in Linux, Windows and Mac. With all of them a write blocker must be used to prevent any changes to the original data.

Once made it is good practice to duplicate the image. Check it provides the same hash. Then archive one in the case folder and use one for the analysis.



Carving data from the image

Recovering data or finding data that's been deleted.

  • Used recoverjpeg to 'pull back' or find pictures that may have been deleted or hidden.
  • Foremost was used to exract and separate files out according to type into separate folders for later analysis.
  • Photorec was another tool used to 'recover' files. It does a lot more than its name implies.
  • Scalpel is another highly regarded file carving tool.

As with imaging tools, there are number of file carving tools that work on a varierty of platforms. some programs, for example cross over into other areas. Bulk-extractor can be used for extractions and analysis.



Understanding the story.

Having extracted the data, there comes the task of understanding the story the data tells. This can be more of an art that a science and the story being looked for, depends very much on the project brief. Can you find what you are being asked to discover.

  • File anaylsis using Autopsy within Sleuth Kit.
  • Autopsy was also used to performa a Timeframe Analysis
  • Bulk-extractor is a popular tool for email anaylsis.
  • Dumpzilla, another popular tool available for anylsing internet histories.
  • Volatility was used as a tool to reveal how a memory image could be analysed, following a trail of clues to reveal a final answer.


Coming to conclusions

Writing the report has to be done with care. It becomes a legal document used in court and may be vital piece of evidence that convicts a criminal for possibly many years in jail or proves their innocence. It is not something to be taken lightly as it essnetially asnwers the question of whether the suspect did what they are accused of.

  • Some programs like Autopsy can help with the report writing, providing hash values and the technical properties of the devices.
  • In timeframe analysis, Autopsy can reveal the order in which events happened.
  • Carving tools often provide audit.txt documents that provide file lists and values.

Other tools, while not strictly classed as forensic tools can help in the report writing by making relationship between data clearer in a more graphical form. Maltego programs are very good at this.


Bulk Extractor

Bulk Extractor is another cross platform forensic tool that is popular in Windows and Kali Linux. Essentially Bulk Extractor does two things.

  1. Carves out files into different folders according to type, and
  2. Counts the number of instances, for example
    • the number of emails sent to each address.
    • the number of times an internet site has been visted or
    • the number of times a file has been downloaded or installed.

So let's try it out.

  1. Download from within Kali Linux a practice image: ubnist1.gen3.raw. It's a 2Gb file but it shouldn't take to long.
  2. Watch and work along with the movie to see how to process the image with bulk extractor.
  3. Explore some of the files by opening them and examining their contents.
  4. Take a screen shot and include it within your notebook.

The vast majority of people as they browse the internet gather a collection of cookies. Contrary to what most users believe they are not intended to spy on people, just to help improve each user's experience of the internet. Cookie's help remember whether you've been to a site before, assisting in faster page loads, saving typing entering the same information repeatedly and so on.

For a forensic investigator cookie information can be very useful as they can show extatly what was happening in a browser at a particular time, helping to fix a user to a position in time. For example, a user can't claim to be at the gym if their computer shows them using it at the same time.

The trouble with cookies though, is that information is stored as numbers and hard to understand. This is where forensic tools come it, helping to traslate this number data in easily understandable form.


Works for Firefox, Iceweasel and Seamonkey and will convert cookies into meaningful information. Can also be used to reveal Permissions, what's been Downloaded, any Form data, internet History, what sites have been Bookmarked as well as any pages that have been cached.

Go to Kali Tools.

Use an instruction like:

root@kali:~# dumpzilla '/root/.mozilla/firefox/k780shir.default/' --All

Where K78shir is the name of the user.

If you use Mozilla Firefox and hopefully you are, bring in a file of your own cookies, either on a pendrive or in your Glow One Drive.

  1. Read the instructions in Kali Tools on Dumpzilla.
  2. Take a screenshot and include it within your notebook.
  3. Experiement with some of the switches to see the difference in output.
  4. List at least three separate pieces of information that can be extracted from a cookie file.

If you haven't got a file of cookies of your own, try this one.


Created for use with Internet Explorer (IE) cookie files.

If you are Internet Explorer user at home, collect some cookie data as shown in the video and bring them in to school on a pen drive or store them in your glow one drive for collection at school.

  1. Watch and work along with the video to put through Galleta through its paces.
  2. See if you can load the resulting .txt file into a spreadsheet.
  3. Take a snapshot and includ it within your notebook.

If you haven't any IE cookies of your own, you can download some here.

Can you now do?

  • Select appropriate programs for use at each stage of the forensic process.
  • Use appropriate tools for each stage of analysis (file analysis, timeframe analysis, email analysis and internet anylsis.
  • Demonstrate the use of a range of forensic tools used in the analysis of data.

If you don't feel confident in meeting any of these performance criteria, ask your teacher or re-read the information again.

Cyber Security

  • Security Fundamentals
  • Data Security
  • Digital Forensics
  • Ethical Hacking
Supporting courses by the SQA Logo
css badge
html badgee