Digital Forensics

3. Tools & Techniques used in Forensic Examinations

Digital Forensic Tools


"the process of uncovering and interpreting electronic data with the aim of preserving the evidence in its most original form while performing a structured investigation by collecting, identifying and validating digital information for the purpose of re-constructing past events"

Just as conventional forensics has its own tools to use in the investigation of crime scenes, like finger print powder and brushes, digital forensics has it own tools for each principal stage of the forensic process i.e.

The forensic investigation process in it simplest form.

  • Seizure of the evidence.
  • Forensic acquisition of the data from storage or memory.
  • Analysing the data
  • Producing a report with conclusions.

There are very many free and paid for digital forensic tools. Some of them are extensive collections of utility programs that can help with various stages of the the forensic process. Examples include EnCase, CAINE (Computer Aided Investigative Environment), X-Ways Forensics, SANS Investigative Forensics Toolkit (SIFT), Computer Online Forensics Evidence Extractor (COFEE), The Coroner's Toolkit and many more.

Although forensic tools vary according to the phase of the investigation for which they are being used, good tools share some common features.

  • Include an acquisition feature that allows the data to be gathered.
  • Enables searching and filtering of files
  • Can provide exact pathway locators to find the exact position of data.
  • Full disk hashing to confirm the data hasn't changed
  • Can reveal exact time and data stamps of when files were created, stored and last looked at.
  • Can work with backup files and extract data
Forensic Techniques

The aims of the forensic process are to preserve the evidence; then to use the forensic tools look at the acquired data for things that may have been deleted, hidden or unusual.

Different techniques or methods for this kind of forensic work can be used at different stages of the investigative process.

  • Preserving the evidence: Making an image (an exact copy) of the original data with the use of a 'write blocker' - write blocker prevents any program or device making changes to the original data.
    • Typical tools include Forensic Toolkit (FTK), Encase, SIFT, Coroner's toolkit, Sleuth Kit
  • Using the method of Forensic Duplication by recovering deleted files: Getting back files which might have been to deleted to hide evidence.
    • Typical tools FTK, Encase, SIFT, Coroner's toolkit, Sleuth Kit
  • Removing Files: Most files on devices are harmless with known file types and names. One technique is to filter out or remove these files to leave only those worthy of investigation. The method used here is to compare md5 hashes of files to a list of known md5 hashes of known files. If they match, they can be removed.
    • FTK or Encase are popular tools.
  • File signature verification. Works similar to raw above. A comparison is made between the header and footer information of suspect files with those of known files. Matching files can be safely removed.
    • Sleuth Kit, Encase or a written Perl script.
  • String searching and looking for file fragments: Using the search command to look for keywords or known text.
    • FTK, Encase
  • Web activity reconstruction: Getting back web browsing history, accepted cookies and temporary internet files that where the user has been removing opportunities for deniability.
    • Encase, FTK, Browser logs
  • Email activity reconstruction: Using the method of converting email repositories to readable text
    • FTK, Parabens Network Mail Examiner
  • Registry activity reconstruction: Discovering any deleted programmes or recent activity by looking at Windows system and application log files.
    • FTK, RegEdit
  • Live forensics: Using the method of analysing volatile processes; those files that are loaded in and out of memory.
    • Windows Forensic Toolchest, COFEE
  • Recovering hidden files: Actively looking for hidden files or hidden data (stenography) and attempting to gain access through the methods of Decryption and Cryptanalysis.
    • Steg Break, Steg detect, Password Cracking and Frequency analysis.
Digital Techniques

In the section titled 'Digital Forensics', create another page called Tools & Techniques and complete the following exercises.

  1. Provide definition of digital forensics
  2. Make a list of the common features shared by well known forensic applications
  3. In digital forensics, the aim is to reconstruct the past to find out 'who did it? and 'how it was done'. Explain 3 different forensic reconstruction techniques used to answer these questions.
  4. Preserving the evidence through the method of forensic duplication is the first step of any digital forensic investigation. In the imaging process, write blockers are used.
    1. Describe the purpose of a write blocker.
    2. Research write blockers and name a model and price of a 'good' write blocker.

Time for some practical work. We're going to get to grips with image files (not pictures but an exact bit for bit copy of original files, folders or disks)

All forensic tools have their own strengths and weaknesses and we all have our own preferences which we can only discover through experience and exposure to different programmes. So the next exercise is the same but uses different imaging programmes.

  1. Download and install Forensic Tool-kit Image (FTK). Get it from here FTK Image
  2. Watch the very quick demo movie that shows how to make an image of a USB pen-drive. While it 's missing parts of menu options in the drop down lists, it's easy to work out especially with your own version sitting in front of you.
  3. Make an image of your own pen-drive with FTK to see how it work. See if you can find any files you've deleted.

  4. Take a screen shot and include it in your Notebook.

Time for something similar but different.

  1. Fire up your Kali Linux.
  2. Go to applications --> Click on Forensics --> Forensic Imaging Tools --> guymager
  3. Watch the movie opposite to see how to make an image with Guymager.
  4. Make an image of your USB pen drive. Take a screenshot with the completed image in Guymager. and include it in your notebook.
  5. Open Autopsy and work along with the movie below to explore the file tree to view the contents of the file.

If you want to use the image file used in the video download by clicking on Flash_Drive.Img

Try using Autopsy on the image you made of your own USB pen drive in Guymager.

Guymager is just one of many ways of making image files particularly in the Encase format, which is slowly becoming standard for forensic examinations in combination with forensic programs like Autopsy.

One disadvantage of Guymager images in the Encase format is that they are a little harder to acccess although they are very much quicker.

The following exercises look at different ways of making exact byte for byte copies of storing data. These images will be used for recoving files and file carving exercises later on.

  1. Using dd: Watch the movie and see if you can make an image of your own pen drive. Beware the greater the capacity the longer it will take. sudo if=/dev/sdb of=Desktop/copyOfDrive
  2. Use dc3dd:(used in forensics) Make a second copy of your pendive using this method which includes hashing to show its an exact copy of the original. sudo dc3dd if=/dev/sdb1 of=Desktop/copyOfDriveDC3DD hash=sha256
  3. Both images can be mounted by right clicking on them and selecting Open with Image Mounter. Try this, and you will see the images appear as if they were drives on your computer.
  4. Try using the mount command to achieve the same result.
    1. Make a folder/directory first
      1. cd media
      2. sudo mkdir forensics
    2. Mount the image file within the the folder. sudo mount /root/Desktop/copyOfFileDC3DD forensics/
    3. Use the unmount command to unmount the drive/

Can you now do?

  • Provide a definition of the digital forensics process.
  • Explain at a broad level the stages of the forensic process
  • Give at least three examples of well known forensic tools.
  • Describe at least four common features of professional forensic programs.
  • Use imaging applications to make forensic copies of USB drives and explain how to make forensic images of larger drives.

If you don't feel confident in meeting any of these performance criteria, ask your teacher or re-read the information again.

Cyber Security

  • Security Fundamentals
  • Data Security
  • Digital Forensics
  • Ethical Hacking
Supporting courses by the SQA Logo
css badge
html badgee