"the process of uncovering and interpreting electronic data with the aim of preserving the evidence in its most original form while performing a structured investigation by collecting, identifying and validating digital information for the purpose of re-constructing past events"
Just as conventional forensics has its own tools for investigating crime scenes, such as fingerprint powder and brushes, digital forensics has its own tools for each principal stage of the forensic process.
The forensic investigation process in its simplest form:
- Seizure of the evidence.
- Forensic acquisition of the data from storage or memory.
- Analysing the data
- Producing a report with conclusions.
There are very many free and paid-for digital forensic tools. Some of them are extensive collections of utility programs that can help with various stages of the forensic process. Examples include EnCase, CAINE (Computer Aided Investigative Environment), X-Ways Forensics, SANS Investigative Forensics Toolkit (SIFT), Computer Online Forensics Evidence Extractor (COFEE), The Coroner's Toolkit and many more.
Although forensic tools vary according to the phase of the investigation for which they are being used, good tools share some common features.
- Include an acquisition feature that allows the data to be gathered.
- Enable searching and filtering of files.
- Provide exact path locators to find the exact position of data.
- Full-disk hashing to confirm the data hasn't changed.
- Reveal exact time and date stamps of when files were created, stored and last accessed.
- Work with backup files and extract data.
The aims of the forensic process are to preserve the evidence, then to use the forensic tools to look at the acquired data for things that may have been deleted, hidden or unusual.
Different techniques or methods for this kind of forensic work can be used at different stages of the investigative process.
- Preserving the evidence: Making an image (an exact copy) of the original data with the use of a 'write blocker', a device that prevents any program or device from making changes to the original data.
- Typical tools include Forensic Toolkit (FTK), Encase, SIFT, Coroner's toolkit, Sleuth Kit
- Using the method of forensic duplication by recovering deleted files: Getting back files which might have been deleted to hide evidence.
- Typical tools include FTK, Encase, SIFT, Coroner's toolkit, Sleuth Kit
- Removing files: Most files on devices are harmless, with known file types and names. One technique is to filter out or remove these files to leave only those worthy of investigation. The method used here is to compare MD5 hashes of files against a list of MD5 hashes of known files. If they match, the files can be removed from the set under examination.
- FTK or Encase are popular tools.
- File signature verification: Works in a similar way to the hash comparison above. A comparison is made between the header and footer information of suspect files and those of known files. Matching files can be safely removed.
- Sleuth Kit, Encase or a written Perl script.
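The two filtering steps above (known-file hash comparison, then header signature checks) as an added, self-contained example; this is not code from the page or from any of the tools it names. It uses MD5 as the text describes, builds a constructed sample directory of four files, and flags a file whenever its hash is absent from the known list or its header does not match its extension, which is the usual form of signature verification.

```python
import hashlib
import tempfile
from pathlib import Path

# Header (magic-byte) signatures for a few common types, keyed by extension.
SIGNATURES = {".png": b"\x89PNG\r\n\x1a\n", ".pdf": b"%PDF-", ".zip": b"PK\x03\x04"}

def md5_file(path, chunk=1 << 20):
    """Hash in chunks so large evidence files need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def signature_mismatch(path):
    """True when the extension has a known signature and the header differs."""
    expected = SIGNATURES.get(path.suffix.lower())
    if expected is None:
        return False
    with open(path, "rb") as f:
        return f.read(len(expected)) != expected

def triage(root, known_hashes):
    """Return (name, reasons) for files that survive known-file filtering."""
    flagged = []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        reasons = []
        if md5_file(path) not in known_hashes:
            reasons.append("hash not in known-file list")
        if signature_mismatch(path):
            reasons.append("header does not match extension")
        if reasons:
            flagged.append((path.name, reasons))
    return flagged

def demo():
    """Constructed sample: two known-good files, one unknown PNG, one PNG renamed .pdf."""
    root = Path(tempfile.mkdtemp())
    files = {
        "kernel32.dll": b"MZ constructed known-good binary",
        "notes.txt": b"constructed known-good text",
        "photo.png": SIGNATURES[".png"] + b"constructed unknown image",
        "invoice.pdf": SIGNATURES[".png"] + b"png bytes renamed to .pdf",
    }
    for name, data in files.items():
        (root / name).write_bytes(data)
    # The known-hash list (the role a reference hash set plays) covers only the first two files.
    known = {hashlib.md5(files[n]).hexdigest() for n in ("kernel32.dll", "notes.txt")}
    return triage(root, known)
```

Only the two files that neither match the known list nor pass the signature check survive, which is the reduced set an examiner would then look at by hand.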
- String searching and looking for file fragments: Using the search command to look for keywords or known text.
- FTK, Encase
- Web activity reconstruction: Getting back web browsing history, accepted cookies and temporary internet files that the user may have removed, reducing opportunities for deniability.
- Encase, FTK, Browser logs
- Email activity reconstruction: Using the method of converting email repositories to readable text.
- FTK, Parabens Network Mail Examiner
- Registry activity reconstruction: Discovering any deleted programmes or recent activity by looking at Windows system and application log files.
- FTK, RegEdit
- Live forensics: Using the method of analysing volatile processes; those files that are loaded in and out of memory.
- Windows Forensic Toolchest, COFEE
- Recovering hidden files: Actively looking for hidden files or hidden data (steganography) and attempting to gain access through the methods of decryption and cryptanalysis.
- StegBreak, StegDetect, password cracking and frequency analysis.