Module LX - Computer Forensic Tools

Upload: desmond-devendran

Post on 14-May-2015


Page 1: File000173

Module LX - Computer Forensic Tools

Page 2: File000173

EC-CouncilCopyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited

News: Linux Tool Speeds up Computer Forensics for Cops

Source: http://news.zdnet.com/

Page 3: File000173

Module Objective

This module will familiarize you with:

• Software Computer Forensic Tools: Visual TimeAnalyzer, Evidor, Forensic Sorter, Directory Snoop, Decryption Collection Enterprise, Prodiscover DFT, R-Tools, Forensic Toolkit, EnCase® Forensic, SIM Card Seizure, PE Explorer

• Hardware Computer Forensic Tools: PDBlock, Firewire Drivedock, Write Protect Card Reader, ImageMASSter Solo-3 IT

Page 4: File000173

Module Flow

The flow diagram links the tools covered in this module: Visual TimeAnalyzer, Evidor, Forensic Sorter, Directory Snoop, Decryption Collection Enterprise, Prodiscover DFT, R-Tools, Forensic Toolkit, EnCase® Forensic, SIM Card Seizure, PE Explorer, PDBlock, Firewire Drivedock, Write Protect Card Reader, and ImageMASSter Solo-3 IT

Page 5: File000173


Hardware Computer Forensic Tools

Software Computer Forensic Tools

Page 6: File000173

Visual TimeAnalyzer (http://www.neuber.com/timeanalyzer/)

Visual TimeAnalyzer automatically tracks all computer usage and presents detailed and illustrated reports

Page 7: File000173

X-Ways Forensics (http://www.x-ways.net/)

X-Ways Forensics is an advanced work environment for computer forensic examiners

Features of X-Ways Forensics:

• Disk cloning and imaging, even under DOS with X-Ways Replica (forensically sound)

• Examine the complete directory structure inside raw image files, even spanned over several segments

• Native support for FAT, NTFS, Ext2/3, CDFS, UDF

• Built-in interpretation of RAID 0 and RAID 5 systems and dynamic disks

• View and dump physical RAM and the virtual memory of running processes

• Various data recovery techniques and file carving

• Hard disk cleansing to produce forensically sterile media

• Gather slack space, free space, inter-partition space, and generic text from drives and images

Page 8: File000173


X-Ways Forensics: Screenshot 1

Page 9: File000173


X-Ways Forensics: Screenshot 2

Page 10: File000173

Evidor (http://www.x-ways.net/)

Evidor is a small subset of just the search functionality in X-Ways Forensics

It searches for text on hard disks and retrieves the context of keyword occurrences on computer media

It examines the entire allocated space, even Windows swap/paging and hibernate files, and currently unallocated space of the hard disk

It finds data from files that have been deleted, if physically still existing

It cannot access remote networked hard disks

Page 11: File000173


Evidor: Screenshot 1

Page 12: File000173


Evidor: Screenshot 2

Page 13: File000173

Slack Space and Data Recovery Tools: Ontrack (http://www.ontrackdatarecovery.com/)

Ontrack EasyRecovery™ software products provide complete solutions for data recovery, file repair, and disk diagnostics

It allows the investigator to recover deleted files, folders, and complete partitions quickly and easily, making it the ultimate do-it-yourself solution for causes of data loss

EasyRecovery™ DataRecovery software:

• Repairs and restores corrupt or inaccessible Microsoft® Office and Zip files into readable files

EasyRecovery™ Professional software:

• It includes the capabilities of EasyRecovery DataRecovery, EasyRecovery FileRepair and EasyRecovery EmailRepair

• General capabilities – data recovery, file repair, disk diagnostics

Page 14: File000173


Ontrack EasyRecovery Professional: Screenshot 1

Page 15: File000173


Ontrack EasyRecovery Professional: Screenshot 2

Page 16: File000173

Data Recovery Tools

Forensic Sorter classifies data into 14 different categories, recovers deleted files, and Filters Out Common Hashes (FOCH)

Source: http://www.paraben-forensics.com/

Directory Snoop is a cluster-level search tool that allows Windows users to snoop FAT and NTFS formatted disk drives to see the data hidden in the cracks

Source: http://www.briggsoft.com/

Page 17: File000173

Permanent Deletion of Files: PDWIPE (http://www.digitalintelligence.com/)

PDWIPE (Physical Drive WIPE) is a DOS application capable of wiping large hard drives with capacity greater than 8.4 Gb in a short time

It supports any drive which is accessible to the system via Interrupt 13 or the MS/IBM Interrupt 13 Extensions

It has three basic modes of operation:

• Command line interactive

• Command line confirmation

• Batch file operation

Page 18: File000173

Permanent Deletion of Files: Darik's Boot and Nuke (DBAN) (http://www.dban.org/)

Darik's Boot and Nuke ("DBAN") is a self-contained boot floppy that securely wipes the hard disks of most computers

It automatically and completely deletes the contents of any hard disk that it detects

It is a way of preventing identity theft and a good way of cleaning a Microsoft Windows installation of viruses and spyware

Page 19: File000173


DBAN: Screenshot

Page 20: File000173

File Integrity Checker

FileMon monitors and displays file system activity on a system in real-time

Source: http://technet.microsoft.com/

File Date Time Extractor looks through binary files, 'sniffing out' hidden, embedded 64-bit dates and times

Source: http://www.digital-detective.co.uk/

Page 21: File000173


File Integrity Checker

Decode - Forensic Date/Time Decoder utility was designed to decode the various date/time values found embedded within binary and other file types

Source: http://www.digital-detective.co.uk/

Page 22: File000173

Disk Imaging Tools: Snapback Datarrest (http://www.snapback.com/)

The ‘Snapback Datarrest’ software has a user-friendly interface backed by powerful operation to create mirror images of a variety of operating systems

It performs successful back-up and restoration

It is compatible with all IBM computers containing any OS

If a DOS floppy is booted, data can be seized quickly, accurately, and completely

It gathers every bit from the hard drive

Page 23: File000173

Partition Managers: Partimage (http://www.partimage.org/)

Partimage is a Linux/UNIX utility that saves partitions having a supported file system to an image file

The image file can be compressed with the gzip/bzip2 programs to save disk space

It supports the following file systems:

• Ext2fs/Ext3fs

• Reiser3

• FAT16/32

• HPFS, JFS, UFS

• XFS, HFS

• NTFS

Page 24: File000173


Partimage: Screenshot 1

Page 25: File000173

Linux/Unix Tools: Ltools (http://www.it.hs-esslingen.de/)

• Ltools accesses Linux files from Windows 9x/ME and Windows NT/2000/XP

• It consists of a set of command line tools for reading and writing Linux ReiserFS, ext2, and ext3 file systems

• They have a Java and .NET based GUI and an Explorer-like interface in a Web browser, providing remote access to file systems

• They are used in a DOS environment to repair Linux if the Linux system does not boot

Page 26: File000173


Ltools: Screenshot

Page 27: File000173

Linux/Unix Tool: Mtools (http://www.gnu.org/)

• Mtools is a collection of utilities to access MS-DOS disks from Unix without mounting them

• It supports Win'95 style long file names, OS/2 Xdf disks and 2m disks (which store up to 1992k on a high density 3 1/2" disk)

• It handles the long filenames of Windows NT and Windows 95

Page 28: File000173

Password Recovery Tool

@stake reduces security risk by helping administrators to remove vulnerabilities caused by weak or easily guessed passwords

Source: http://www.securityfocus.com/

Decryption Collection recovers more passwords, from more programs, in a shorter amount of time using methods such as the advanced Xieve™ attack method

Source: http://www.paraben-forensics.com/

Page 29: File000173


Password Recovery Tool

AIM Password Decoder utility was designed to decrypt the login password for AOL Instant Messenger

MS Access Database Password Decoder utility was designed to decrypt the master password stored in a Microsoft Access database

Source: http://www.digital-detective.co.uk/

Page 30: File000173

Internet History Viewer

CookieView - Cookie Decoder was originally written as an external viewer for Encase or iLook

Cookie Viewer discovers the information that web sites store on the computer

Source: http://www.digital-detective.co.uk/

Page 31: File000173

Internet History Viewer: Cache View

Cache View is a viewer for the Netscape Navigator, Mozilla and Firefox, Opera, and Internet Explorer web caches

The FavURLView utility decodes Internet Shortcut (*.URL) files to allow the user to compare the Shortcut Description with the actual link

Source: http://www.digital-detective.co.uk/

Page 32: File000173

Internet History Viewer (http://www.digital-detective.co.uk/)

NetAnalysis automatically rebuilds HTML web pages from an extracted cache

Page 33: File000173

Multipurpose Tools: Maresware (http://www.dmares.com/)

The Maresware suite provides an essential set of tools for investigating computer records plus powerful data analysis capabilities

It is used in computer forensics for purposes such as:

• Discovery of "hidden" files (such as NTFS Alternate Data Streams)

• Incident response and evaluation of timelines

• Powerful key word searching and comparing and file verification

• Forensic diskette imaging

• Drive wiping for information privacy and security

• Disk wiping to overwrite a hard drive to DOD standards

• Completely documenting the examiner's steps and procedures

Page 34: File000173

Multipurpose Tools: LC Technologies Software

The LC Technologies software comprises the following software/tools:

• Photorecovery: It is designed to recover images, movies, and sound files from various types of digital media

• File RecoveryPro: It scans and finds lost partitions, boot sectors, and other file system components

• FILExtinguisher: This tool completely removes data from disks to avoid passing on private/secret information

• SanDisk RescuePRO: It recovers all kinds of data from the hard disk

• Data Recovery kit: It allows fast, safe, and reliable file recovery within the Windows environment

• Intelli-SMART: It is a software used for reporting

Page 35: File000173


Intelli-SMART: Screenshot

Page 36: File000173

Multipurpose Tools: Winhex Specialist Edition

WinHex is a hexadecimal editor, helpful in the realm of computer forensics, data recovery, low-level data processing, and IT security

Source: http://www.x-ways.net/

Prodiscover is a law enforcement tool used to find all the data on a computer disk while protecting evidence and creating evidentiary quality reports

Source: http://www.techpathways.com/

Page 37: File000173

Toolkits: NTI Tools (http://www.forensics-intl.com/)

Some of the important NTI tools:

• AnaDisk: It is a floppy diskette analysis tool for security reviews and to identify data storage pattern anomalies

• DiskScrub: It is a utility tool that is used to securely destroy computer data on a disk drive

• GetSlack: It captures data stored in the file slack associated with all of the files on a target computer hard disk drive

• NTA Stealth: It determines the past Internet-based computer usage of a specific computer system

• SafeBack 3.0: It is a hard disk bit-stream backup software

Page 38: File000173

Toolkits: R-Tools (http://www.r-tt.com/)

R-Tools Technology Inc. is the provider of forensic utilities for the Windows OS family

• R-Studio: It is an undelete and data recovery software recovering files from FAT12/16/32, NTFS, NTFS5, HFS/HFS+ (Macintosh), Little and Big Endian variants of UFS1/UFS2

• R-Undelete: It is a file undelete solution for FAT and NTFS file systems

• R-Drive Image: It is a drive image and backup software that creates disk image files with exact, byte-by-byte copies of a hard drive, partition or logical disk

• R-Firewall: It protects computers connected to a local network and/or the Internet against intrusions, attacks, Trojans, spyware, and other external and internal threats

Page 39: File000173

Toolkits: R-Tools (cont’d)

• R-Guard: It is a data security tool for advanced access right control, encryption, and audit

• R-Mail: It recovers damaged files and deleted messages created by Microsoft Outlook and Microsoft Outlook Express software

• R-Word: It is designed to recover corrupted Microsoft Word documents

• R-Wipe&Clean: It deletes private records of a user’s on-line and off-line activities, such as temporary internet files, history, cookies, passwords, swap files, etc.

• R-Linux: It is a file recovery utility for the Ext2FS file system used in the Linux OS and several Unix versions

Page 40: File000173


R-Tools: Screenshot

R-Studio R-Guard

Page 41: File000173


R-Tools: Screenshot (cont’d)

R-mail R-Wipe&Clean

Page 42: File000173

Toolkits: Datalifter (http://www.datalifter.com/)

DataLifter is a forensics toolkit built by StepaNet Communications Inc

It has a set of 10 tools that help in forensics investigations

It has two versions: DataLifter v2.0 and DataLifter.Net Bonus

The utilities that are grouped together along with DataLifter include:

• Active reports, Disk2File, File extraction, Image linker

• Internet history, File signature generator, Email retriever

• Ping/Trace route/WHOIS, Recycle Bin history, Screen capture

Page 43: File000173


Datalifter: Screenshot

Page 44: File000173

Toolkits: AccessData (http://www.accessdata.com/)

AccessData contains a set of programs used for computer forensics such as:

• Password Recovery Toolkit: The Password Recovery Toolkit recovers passwords from well-known applications

• Distributed Network Attack: It recovers the password for protected files

• Registry Viewer: Registry Viewer views independent registry files and generates reports

• Wipe Drive: Wipe Drive is used to overwrite and remove all the data present in a computer

Page 45: File000173

FTK – Forensic Toolkit (http://www.accessdata.com/)

Forensic Toolkit (FTK) offers forensic professionals the ability to complete a task systematically, by providing accurate information

It has full text indexing, advanced searching, deleted file recovery, data-carving, email, and graphics analysis

Features:

• An integrated solution

• Integrated Oracle database and enhanced searching

• Powerful processing speed

• Intuitive interface and functionality

Page 46: File000173

Image MASSter Solo and FastBloc

Image MASSter Solo:

• It is a hard drive duplicator for workstation cloning

• It can load any operating system and application software including: Windows95/98, NT, SCO, Unix, OS/2, and Mac OS

FastBloc:

• It is a data acquisition software, which connects through an IDE channel. Does not require SCSI controller cards or SCSI drivers

• The common IDE write-blocked architecture allows data from any IDE hard drive to be gathered safely in Windows OS

Source: http://www.guidancesoftware.com/

Source: http://www.ics-iq.com/

Page 47: File000173

EnCase® Forensic (http://www.guidancesoftware.com/)

EnCase® provides investigators with a single tool, capable of conducting large-scale and complex investigations from beginning to end

Features of EnCase:

• Acquires data in a forensically sound manner using software with an unparalleled record in courts worldwide

• Investigates and analyzes multiple platforms

• Finds information despite efforts to hide, cloak or delete

• Manages large volumes of computer evidence

• Transfers evidence files directly to law enforcement or legal representatives as necessary

Page 48: File000173


EnCase® Forensic: Screenshot 1

Page 49: File000173


EnCase® Forensic: Screenshot 2

Page 50: File000173


EnCase® Forensic: Screenshot 3

Page 51: File000173

Email Recovery Tools

E-mail Examiner is an e-mail examination tool that recovers active and deleted mail messages

Network E-mail Examiner allows the investigator to examine Microsoft Exchange (EDB), Lotus Notes (NSF), and GroupWise e-mail stores

Source: http://www.paraben-forensics.com/

Page 52: File000173

Case Agent Companion (http://www.paraben-forensics.com/)

Paraben's Case Agent Companion is designed to optimize both the time of the forensics examiner and the agent working the case

It has built-in viewers for over 225 file formats, searching, and reporting that make the forensics process faster, more efficient, and more effective

Features of Case Agent Companion:

• Enhanced reporting options for professional and comprehensive output of examined data

• Customized by the examiner so each case can be loaded based on the specifics of that case

• Note taking and bookmarking capabilities built in for easy reference to examined data

• Case logging feature tracks all parts of the analysis in a detailed log file

Page 53: File000173


Case Agent Companion: Screenshot

Page 54: File000173

Chat Examiner (http://www.paraben-forensics.com/)

Chat Examiner is a specialized tool to perform a thorough analysis of chat logs

Page 55: File000173

Paraben Hard Drive Forensics: Forensic Replicator (http://www.paraben-forensics.com/)

Paraben's Forensic Replicator is used for bit-stream imaging of hard drives and media

It acquires a wide range of electronic media from a floppy to a hard disk

Captured images can be compressed, segmented, and easily read into the forensic analysis programs

Forensic Replicator Features:

• Supports creating and viewing VHD (Virtual Hard Disk)

• Supports WiebeTech write block devices

• Supports viewing Linux EXT2 and EXT3 partitions

• Creates bit-stream images of removable media, partitions, or an entire physical hard drive

• Creates images of USB micro drives

Page 56: File000173


Forensic Replicator Screenshot

Page 57: File000173

Registry Analyzer (http://www.paraben-forensics.com/)

Paraben's Registry Analyzer is a component of Paraben's P2 forensic collection and is used for viewing, analyzing, and reporting the Windows registry files

Page 58: File000173

ASR Data’s SMART (http://www.asrdata.com/SMART/)

SMART is a software utility that has been designed and optimized to support data forensic practitioners and Information Security personnel in pursuit of their respective duties and goals

Features of SMART:

• On-site or remote preview of a target system

• Post mortem analysis of dead systems

• Testing and verification of other forensic programs

• Conversion of proprietary "evidence file" formats

• “Knock-and-talk” inquiries and investigations

Page 59: File000173


SMART: Screenshot 1

Page 60: File000173


SMART: Screenshot 2

Page 61: File000173

Oxygen Phone Manager (http://www.oxygensoftware.com/)

Oxygen Phone Manager supports all the models of Nokia mobile phone

It supports different connection types such as infrared, Bluetooth, and various USB

It backs up and restores all information from the mobile phone

Highly customizable imports

Export of the phonebook to all the popular formats

Supports three storage types: SIM card, phone memory and disk

Page 62: File000173


Oxygen Phone Manager: Screenshot 1

Main Window

SMS Manager

Page 63: File000173


Oxygen Phone Manager: Screenshot 2

Page 64: File000173

SIM Card Seizure (http://www.paraben-forensics.com/)

SIM Card Seizure is a tool that analyzes SIM card data and recovers deleted data

Page 65: File000173

Text Searcher (http://www.paraben-forensics.com/)

Paraben's Text Searcher is a text searching tool that will make any forensics examiner more effective and more efficient

Page 66: File000173

Autoruns (http://technet.microsoft.com/)

Autoruns shows what programs are configured to run during system bootup or login, and the entries in the order Windows processes them

Page 67: File000173

Autostart Viewer (http://www.diamondcs.com.au/)

Autostart Viewer allows you to see all known autostarts on your system, all on the one screen

It also gives you complete control over the autostart references, and allows you to modify or delete them

Page 68: File000173

Belkasoft RemovEx (http://belkasoft.com/)

Belkasoft RemovEx allows the user to disable Internet Explorer and Windows Explorer plug-ins

Page 69: File000173

HashDig (http://ftimes.sourceforge.net/)

HashDig technology is a collection of utilities designed to help practitioners automate the process of resolving MD5 and SHA1 hashes

It was designed to work in conjunction with FTimes

This method can be implemented quite effectively by manipulating hashes and comparing them to one or more reference databases

The HashDig format:

• hash|category

The reverse HashDig format:

• category|hash
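A working HashDig-style resolver, added here as an example (not code from the FTimes/HashDig project): it harvests reference sets in both the hash|category and the reverse category|hash layouts from constructed sample files, parses them back with validation, and resolves the MD5 or SHA1 hash of each evidence file to a category or to "unknown". The category names known-good and known-bad and all file contents are assumptions made up for the demonstration.

```python
"""HashDig-style hash resolution against reference sets.

Added example, not code from the FTimes/HashDig project.  Category
labels and file contents are constructed for the demonstration.
"""
import hashlib
from typing import Callable, Dict, List

# HashDig resolves MD5 and SHA1 hashes; map names to hashlib constructors.
_ALGORITHMS: Dict[str, Callable] = {"md5": hashlib.md5, "sha1": hashlib.sha1}
_HEX_LENGTHS = {"md5": 32, "sha1": 40}

# Constructed sample contents standing in for real files.
TRUSTED_FILES = {
    "notepad.exe": b"MZ\x90\x00constructed-trusted-binary-1",
    "kernel32.dll": b"MZ\x90\x00constructed-trusted-binary-2",
}
BAD_FILES = {
    "dropper.exe": b"MZ\x90\x00constructed-known-bad-binary",
}
EVIDENCE_FILES = {
    "C:/Windows/notepad.exe": TRUSTED_FILES["notepad.exe"],  # same bytes as a trusted file
    "C:/Temp/update.exe": BAD_FILES["dropper.exe"],          # renamed copy of the known-bad file
    "C:/Users/Public/notes.txt": b"constructed text, in no reference set",
}


def digest(data: bytes, algorithm: str) -> str:
    """Lowercase hex digest of data with md5 or sha1."""
    return _ALGORITHMS[algorithm](data).hexdigest()


def build_hashdig(files: Dict[str, bytes], category: str, algorithm: str,
                  reverse: bool = False) -> str:
    """Harvest a reference set: one 'hash|category' line per distinct hash,
    or 'category|hash' for the reverse layout.  Sorted, de-duplicated
    output keeps sets diff- and merge-friendly."""
    lines = set()
    for data in files.values():
        h = digest(data, algorithm)
        lines.add(f"{category}|{h}" if reverse else f"{h}|{category}")
    return "\n".join(sorted(lines)) + "\n"


def parse_hashdig(text: str, reverse: bool = False) -> Dict[str, str]:
    """Parse a reference set into {hash: category}.

    Hashes are lower-cased so sets written by different tools compare
    equal.  Malformed lines raise instead of being skipped, and one hash
    filed under two categories is a conflict the examiner must resolve,
    because silently taking either answer would corrupt the triage."""
    table: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected 2 fields, got {len(fields)}")
        category, h = fields if reverse else fields[::-1]
        h = h.lower()
        if len(h) not in _HEX_LENGTHS.values() or any(c not in "0123456789abcdef" for c in h):
            raise ValueError(f"line {lineno}: not an MD5/SHA1 hex digest: {h!r}")
        if h in table and table[h] != category:
            raise ValueError(f"line {lineno}: {h} already filed as {table[h]}")
        table[h] = category
    return table


def resolve(files: Dict[str, bytes], reference_sets: List[Dict[str, str]],
            algorithm: str) -> Dict[str, str]:
    """Hash each file and look it up in the reference sets in order, so a
    known-bad set listed first wins over a known-good set.  Files in no
    set are reported as 'unknown'; those are the ones left for manual review."""
    results = {}
    for name, data in files.items():
        h = digest(data, algorithm)
        results[name] = next((ref[h] for ref in reference_sets if h in ref), "unknown")
    return results


def triage(algorithm: str = "md5") -> Dict[str, str]:
    """End-to-end run on the constructed data: harvest the two reference
    sets (one in each layout), parse them back, resolve the evidence."""
    known_good = parse_hashdig(build_hashdig(TRUSTED_FILES, "known-good", algorithm))
    known_bad = parse_hashdig(
        build_hashdig(BAD_FILES, "known-bad", algorithm, reverse=True), reverse=True)
    return resolve(EVIDENCE_FILES, [known_bad, known_good], algorithm)


if __name__ == "__main__":
    for path, category in triage("sha1").items():
        print(f"{category:10s} {path}")
```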

Page 70: File000173

Inforenz Forager (http://www.deticaforensics.com/)

Inforenz Forager is a forensic investigation tool that enables the investigator to search for, identify, analyze, and report on information about computer files

It is the first commercially available forensic investigation tool to collate and link the metadata of different computer files

Features of Inforenz Forager:

• Identifies relevant data through its highly flexible and sophisticated searches that perform simultaneous high-level and meta-data level filtering

• Mines down into .zip container files recursively to obtain meta-data from deeply nested files, as well as providing meta-data from the .zip container files themselves

• Generates an index for all or part of your search area to speed up investigations, or to work without the original data

• Produces rapid reports on multiple documents, including document time-lines and document history (where available) without needing to open the original application

• Allows investigation and analysis of known files without needing to perform a search

• Analyzes the history of Microsoft Word and Excel documents created on any platform (including Microsoft Windows and Mac OS)

• Provides detailed property values for a growing number of file types

Page 71: File000173

KaZAlyser (http://www.sandersonforensics.com/)

KaZAlyser is the successor to the popular P2PView KaZaA/Morpheus database viewer

It provides significant enhancements to the investigation process

It provides the following functions:

• Lists all database entries in a tabular form

• Displays the file integrity tag

• Allows the investigator to tag and comment each record

• Identifies files that appear (from title, keywords etc.) to be related to Child Pornography

• Identifies files that have a known Child Pornography hash value

• Identifies all graphics/movie files

• Exports the content of a database to a CSV file

Page 72: File000173

DiamondCS OpenPorts (http://www.diamondcs.com.au/)

DiamondCS OpenPorts is a command line interface tool that allows you to see all open TCP and UDP ports on your system

It displays information about the sockets/ports on your system

Page 73: File000173

Pasco (http://www.foundstone.com/)

Pasco is designed to examine the contents of Internet Explorer's cache files

Page 74: File000173

Patchit (http://www.foundstone.com/)

Patchit is a file byte-patching utility

It can patch sequences of bytes in any file, search for byte patterns (with wildcards) and also extract and utilize DLL exported function addresses

The total command list is shown below:

MESSAGE <"message">

Displays a message during script execution

DIR <"directory path">

Optional directory path to search for files. For compatibility it is advisable not to use specific drive names in the path

FILE <"filename"> [filesize]

Filename to patch. Optional filesize specifies the size that the file must match to be accepted

FIND [<*>]...

Performs a search on the current file for the sequence of bytes that match ... up to max 256. Use the keyword * to match any byte. If a match is found then the PATCH file position value is set to the file position at which the found pattern begins

Page 75: File000173


Patchit (cont’d)

FUNCTION <"funcname">

Sets the current patch position to the file position of the given exported function name (case sensitive). It is assumed that the file being patched is a DLL

PATCH [[POS ] | [OFFSET ]] ...

Patches the current file at optional file position/offset. Replaces orig_byte with new_byte. Fails if original byte read from file is not orig_byte

COPY <"orig_file"> <"new_file">

Copies "orig_file" to "new_file"

DELETE <"filename">

Deletes the specified file

INIFILE <"filename">

Specifies an INI file to be used in subsequent INI commands. This filename is relative to the last DIR directory path

INISECTION <"section">

Specifies an INI section name for use in subsequent INIWRITE commands

INIWRITE <"keyname"> <"value">

Writes the given string value to the INI keyname in the previously specified INI file's section

Page 76: File000173

PE Explorer (http://www.pe-explorer.com/)

The PE Explorer tool is used for inspecting the inner workings of user software, third-party applications and libraries for which the user does not have source code

Once the user selects the file they wish to examine, it analyzes the file and displays a summary of the PE header information and all of the resources contained in the PE file

It allows the user to explore the specific elements within an executable file

Features of PE Explorer:

• Works with PE files such as .EXE, .DLL, .SYS, .ACM, .OCX, .DPL, and .BPL

• Opens broken or packed files in Safe mode

• Verifies PE file's integrity

• Supports custom plug-ins to perform any startup processing

Page 77: File000173


PE Explorer: Screenshot

(Screenshot callouts: Syntax Description Editor; Expert properties display details about the selected function; Log Window; Syntax Details Window)

Page 78: File000173


Port Explorer (http://www.diamondcs.com.au/)

Port Explorer is the premier port-to-process mapper; it allows the user to view all the open network ports/sockets on the system

It is a network monitoring utility with an intuitive GUI that allows the user to monitor all the network activity the computer is involved in

Features of Port Explorer:

• Configurable interface
• Multi-language support
• Hidden server detection
• Port-to-process mapping
• Socket send/receive blocking
• Packet sniffing
• IP-to-country resolving
• Traffic volume reporting

Page 79: File000173


Port Explorer: Screenshot

Page 80: File000173


PowerGREP (http://www.powergrep.com/)

PowerGREP is a Windows grep tool that searches through a large number of files on the user's computer or network

Page 81: File000173


Process Explorer (http://technet.microsoft.com/)

Process Explorer shows you which handles and DLLs processes have opened or loaded

Its display consists of two sub-windows:

• The top window always shows a list of the currently active processes, including the names of their owning accounts

• The bottom window's information depends on the mode Process Explorer is running in

Features of Process Explorer:

• Support for full handle viewing on Win9x/Me
• Process icons and tree display
• Services process highlighting
• Configurable refresh rate
• Refresh highlighting
• DLL descriptions in the DLL view
• Highlights relocated DLLs
• Jump-to-entry in the find dialog

Page 82: File000173


Process Explorer: Screenshot

Page 83: File000173


PyFLAG (http://www.pyflag.net/)

PyFLAG is a web-based tool used for the analysis of large volumes of log files and for forensic investigations

It can be deployed on a central server and shared with a number of users simultaneously

It can load many different log file formats and perform forensic analysis of disks and images

It uses a database as a backend to help manage the large volumes of data

It analyzes network traffic captured with tcpdump quickly and efficiently

Page 84: File000173


PyFLAG: Screenshot 1

Page 85: File000173


PyFLAG: Screenshot 2

Page 86: File000173


Registry Analyzing Tool: Regmon (http://technet.microsoft.com/)

Regmon is a Registry monitoring utility that shows the user which applications are accessing the Registry, which keys they are accessing, and the Registry data they are reading and writing, in real time

Page 87: File000173


Reverse Engineering Compiler (http://www.backerstreet.com/)

REC is a portable reverse engineering compiler, or decompiler

It reads an executable file and attempts to produce a C-like representation of the code and data used to build the executable file

Features of REC:

• Multitarget: REC can decompile 386, 68k, PowerPC and MIPS R3000 programs
• Multiformat
• Multihost: REC is available for Linux 3.0 (i386), Windows 95 and SunOS 4.1.4
• Supports high-level symbolic information in COFF, ELF+STAB, AOUT+STAB
• Scalable user interaction
• HTTP server mode allows using an HTML browser as the user interface

Page 88: File000173


Reverse Engineering Compiler: Screenshot 1

Page 89: File000173


Reverse Engineering Compiler: Screenshot 2

Page 90: File000173


SafeBack (http://www.forensics-intl.com/safeback.html)

SafeBack is used to create mirror-image (bit-stream) backup files of hard disks or to make a mirror-image copy of an entire hard disk drive or partition

The process is analogous to photography and the creation of a photo negative

It is an industry-standard, self-authenticating computer forensics tool that is used to create evidence-grade backups of hard drives

It is a DOS-based utility for backing up and restoring hard disks

It is used:

• To create evidence-grade backups of hard disk drives on Intel-based computer systems
• To exactly restore archived SafeBack images to another computer hard disk drive of equal or larger storage capacity
• As an evidence preservation tool in law enforcement and civil litigation matters
• As an intelligence gathering tool by military agencies

Page 91: File000173


TapeCat (http://www.sandersonforensics.com/)

TapeCat is a Windows-based tape forensics package

It has the following functionality:

• Creates a FAT-formatted image file and extracts the content of an archive tape directly into the image file for subsequent direct import into forensic investigation tools such as EnCase or ILook
• Extracts the contents of an archive tape to disk (i.e. restore), maintaining file dates and times
• Displays a catalogue of all volumes on a given tape (supported formats only)
• Supports out-of-sequence backup tapes (NTBackup and Backup Exec only)
• Filters (include or exclude) files based on file extension, file signature, and hash values: search for known files or exclude known files
• Extracts only unique files
• Raw dumps the contents of a tape to disk
• Duplicates tape to tape
• Duplicates via hard disk
• Creates tape images
• Maintains a forensic log of all activity

Page 92: File000173


Vision (http://www.foundstone.com/)

Vision is a host-based forensics tool that shows all of the open TCP and UDP ports on a machine, displays the service that is active on each port, and maps the ports to their respective applications

Page 93: File000173


Hardware Computer Forensic Tools

Software Computer Forensic Tools

Page 94: File000173


Hardware Computer Forensic Tools

List of hardware computer forensics tools:

• PDBlock
• Write-blocker
• NoWrite
• FireWire DriveDock
• Write Protect Card Reader
• Serial-ATA DriveLock Kit
• ImageMASSter Solo-3 IT
• ImageMASSter 4002i
• ImageMASSter 3002SCSI
• Image MASSter 3004SATA

Page 95: File000173


Hard Disk Write Protection Tools: PDBlock and Write-blocker (http://www.digitalintelligence.com/)

PDBlock

• PDBlock is designed to prevent unexpected writes to a physical disk drive

• It write-protects hard disks on a system and blocks write requests to particular hard disks on that system

• It has an option to select specific write-protected hard drives

• It safeguards any particular drive accessed from the system through Interrupt 13 or the MS/IBM Interrupt 13 extensions

Write-blocker

• A write-blocker prevents data from being written to a hard disk during investigations

• It allows the forensic examiner sample access to download, examine and investigate the data present on a system

Page 96: File000173


Hard Disk Write Protection Tools: NoWrite (http://www.mykeytech.com/nowrite.html)

NoWrite is a write blocker for IDE hard drives

Features:

• True IDE-to-IDE connections
• Transparent to hardware and software
• Blocks any writes to the drive
• Supports large drives (130+ GB)
• Supports identifying the host protected area

Figure: NoWrite

Page 97: File000173


Hard Disk Write Protection Tools: FireWire DriveDock (http://www.wiebetech.com/)

Wiebetech's FireWire DriveDock v4 is a forensic tool for investigators who deal with bare 3.5" IDE drives

It attaches drives through dual FireWire 400 ports or USB, which allows daisy-chaining for more versatility

Features of Wiebetech's FireWire DriveDock:

• Dual FireWire 400 ports for daisy chaining
• USB 2.0 port for attachment of USB hosts
• Disk Drive Power In LED for powering from standard 4-pin drive power connectors
• FireWire Host Detection LED to identify valid FireWire host attachment
• USB Host Detection LED to identify USB attachment

Figure: FireWire DriveDock

Page 98: File000173


Write Protect Card Reader (http://www.ics-iq.com/)

The Write Protect Card Reader transfers data to a PC from digital cameras, digital camcorders, PDAs, MP3 players, and digital voice recorders

It can read multiple types of flash memory while blocking any writes to them

Features of Write Protect Card Reader:

• USB 2.0 connection
• Backward compatible with USB 1.1
• Complete plug and play
• Reads 12 different popular digital media
• Can read data from four different media simultaneously
• Maximum data throughput up to 480 Mbits/sec
• Unique icon for each media type under the My Computer folder
• Small enough to fit in most jacket pockets
• Bus powered: no AC adapter needed

Figure: Write Protect Card Reader

Page 99: File000173


Serial-ATA DriveLock Kit (http://www.ics-iq.com/)

The DriveLock S-ATA device is a hardware write-protect solution that prevents data writes to S-ATA and P-ATA hard disk drives

It is designed to block write commands sent to the hard drive while it is previewed or duplicated

Features:

• Write protection through P-ATA and S-ATA interfaces
• Multiple media support
• High-speed operation
• Ease of use and portability

Figure: Serial-ATA DriveLock Kit

Page 100: File000173


ImageMASSter Solo-3 IT (http://www.ics-iq.com/)

The ImageMASSter Solo-3 IT is a complete, all-inclusive high-speed data duplication tool that integrates the latest advanced features in data imaging

It can copy data from IDE and laptop drives, Serial ATA and SCSI drives, as well as flash cards

Features of ImageMASSter Solo-3 IT:

• MD5 and CRC32 hashing
• Touch-screen user interface
• Copy to two target drives simultaneously
• Multiple media support

Figure: ImageMASSter Solo-3 IT
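The verification step behind an evidence-grade bit-stream image, as the SafeBack and ImageMASSter Solo-3 IT slides describe it, written here as an added Python example (not either vendor's code): every byte of the source is copied into the image in whole-sector chunks while MD5 and CRC32 (the two hashes the Solo-3 IT lists) are computed, then the image is re-read independently and must reproduce the same values and length. The evidence drive is a constructed in-memory buffer.

```python
import hashlib
import io
import zlib
from typing import BinaryIO, Dict, Optional

SECTOR = 512
CHUNK_SIZE = SECTOR * 64  # read in whole-sector multiples, as an imager would

def hash_copy(src: BinaryIO, dst: Optional[BinaryIO] = None) -> Dict[str, object]:
    """Read src to the end, optionally writing every byte unchanged to dst.
    Returns the MD5 hex digest, CRC32 and byte count of what was read."""
    md5 = hashlib.md5()
    crc = 0
    total = 0
    for chunk in iter(lambda: src.read(CHUNK_SIZE), b""):
        if dst is not None:
            dst.write(chunk)          # bit-stream: nothing skipped, nothing altered
        md5.update(chunk)
        crc = zlib.crc32(chunk, crc)  # running CRC32 across chunks
        total += len(chunk)
    if dst is not None:
        dst.flush()
    return {"md5": md5.hexdigest(), "crc32": crc & 0xFFFFFFFF, "bytes": total}

def image_and_verify(src: BinaryIO, image: BinaryIO) -> Dict[str, object]:
    """Acquire src into image, then re-read the image from the start and compare.
    'verified' is True only when both hashes and the length match the acquisition."""
    acquired = hash_copy(src, image)
    image.seek(0)
    reread = hash_copy(image)         # independent pass over the written image
    acquired["verified"] = reread == acquired
    return acquired

if __name__ == "__main__":
    # constructed stand-in for an evidence drive: four 512-byte sectors, not a real disk
    evidence = io.BytesIO((b"\x55\xAA" * 256) * 4)
    image = io.BytesIO()
    print(image_and_verify(evidence, image))
```

The same md5/crc32 values written into the case notes at acquisition are what a later re-hash of the image must reproduce before it is trusted.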

Page 101: File000173


ImageMASSter 4002i (http://www.ics-iq.com/)

The ImageMASSter 4002i provides the tools necessary to mass-duplicate regular and notebook P-ATA and S-ATA hard drives for high-volume drive deployments

It can duplicate to 2 drives simultaneously at speeds greater than 2 GB/min

Features of ImageMASSter 4002i:

• Copy to multiple drives simultaneously
• Copy between different drive models and sizes
• 48-bit support
• Multiple user-defined settings

Figure: ImageMASSter 4002i

Page 102: File000173


ImageMASSter 3002SCSI (http://www.ics-iq.com/)

The Image MASSter 3002S hard drive duplicator is a tool for SCSI hard drive duplication

It is designed to copy data from 1 to 2 SCSI hard drives

It supports IDE hard drive duplication as well as Serial ATA hard drive duplication

Features of Image MASSter 3002S:

• Copy to multiple drives simultaneously
• Multiple media support
• Multiple copy methods
• Bad sector handling

Figure: ImageMASSter 3002SCSI

Page 103: File000173


ImageMASSter 3004SATA (http://www.ics-iq.com/)

The Image MASSter 3004SATA Hard Drive Duplicator is an advanced, cost-effective drive duplicator with multi-data-copy and drive-cloning functionality

Data duplication speeds can exceed 1.6 GB/min

Features of Image MASSter 3004SATA:

• Duplicates to multiple drives simultaneously
• Multiple copy methods
• WipeOut: erases data on up to 5 SATA hard drives simultaneously

Figure: Image MASSter 3004SATA

Page 104: File000173


Summary

This module has provided information on the computer forensics software and hardware tools that are important in a forensic investigation

Data recovery plays a crucial role during investigations

Tools that perform various functions are known as multi-purpose tools