file000173
TRANSCRIPT
Module LX - Computer Forensic Tools
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
News: Linux Tool Speeds up Computer Forensics for Cops
Source: http://news.zdnet.com/
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Module Objective
• Software Computer Forensic Tools• Visual TimeAnalyzer• Evidor• Forensic Sorter• Directory Snoop• Decryption Collection Enterprise• Prodiscover DFT • R-Tools• Forensic Toolkit• EnCase® Forensic• SIM Card Seizure• PE Explorer
• Hardware Computer Forensic Tools• PDBlock• Firewire Drivedock • Write Protect Card Reader• ImageMASSter Solo-3 IT
This module will familiarize you with:
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Module Flow
Forensic Toolkit
PE Explorer SIM Card Seizure
Write Protect Card ReaderFirewire Drivedock
PDBlock
EnCase® Forensic
ImageMASSter Solo-3 IT
EvidorVisual TimeAnalyzer
R-Tools
Forensic Sorter
Prodiscover DFT Directory SnoopDecryption Collection
Enterprise
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Hardware Computer Forensic Tools
Software Computer Forensic Tools
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Visual TimeAnalyzerhttp://www.neuber.com/timeanalyzer/
Visual TimeAnalyzer automatically tracks all computer usage and presents detailed and illustrated reports
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
X-Ways Forensicshttp://www.x-ways.net/
• Disk cloning and imaging, even under DOS with X-Ways Replica (forensically sound)
• Examine the complete directory structure inside raw image files, even spanned over several segments
• Native support for FAT, NTFS, Ext2/3, CDFS, UDF • Built-in interpretation of RAID 0 and RAID 5 systems and dynamic disks • View and dump physical RAM and the virtual memory of running processes • Various data recovery techniques and file carving• Hard disk cleansing to produce forensically sterile media • Gather slack space, free space, inter-partition space, and generic text from
drives and images
Features of X-Ways forensics:
X-Ways Forensics is an advanced work environment for computer forensic examiners
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
X-Ways Forensics: Screenshot 1
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
X-Ways Forensics: Screenshot 2
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Evidorhttp://www.x-ways.net/
Evidor is a small subset of just the search functionality in X-Ways Forensics
It allows to search text on hard disks and retrieves the context of keyword occurrences on computer media
It examines the entire allocated space, even Windows swap/paging and hibernate files, and currently unallocated space of the hard disk
It finds data from files that have been deleted, if physically still existing
It cannot access remote networked hard disks
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Evidor: Screenshot 1
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Evidor: Screenshot 2
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Slack Space and Data Recovery Tools: Ontrackhttp://www.ontrackdatarecovery.com/
• Repairs and restores corrupt or inaccessible Microsoft® Office and Zip files into readable files
EasyRecovery™ DataRecovery software:
• It includes capabilities of EasyRecovery DataRecovery, EasyRecovery FileRepair and EasyRecovery EmailRepair
• General capabilities – data recovery, file repair, disk diagnostics
EasyRecovery™ Professional software:
Ontrack EasyRecovery™ software products provide complete solutions for data recovery, file repair, and disk diagnostics
It allows investigator to recover deleted files, folders, and complete partitions quickly and easily, making it the ultimate do-it-yourself solution for causes of data loss
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Ontrack EasyRecovery Professional: Screenshot 1
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Ontrack EasyRecovery Professional: Screenshot 2
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Data Recovery Tools
Forensic Sorter classifies data into 14 different categories, recovers deleted files, and Filters Out Common Hashes (FOCH)
Directory Snoop is a cluster-level search tool that allows Windows users to snoop FAT and NTFS formatted disk drives to see the data hidden in the cracks
Source: http://www.paraben-forensics.com/ Source: http://www.briggsoft.com/
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
PDWIPE (Physical Drive WIPE) is a DOS application capable of wiping large hard drives with capacity greater than 8.4 Gb in a short time
It supports any drive which is accessible to the system via Interrupt 13 or the MS/IBM Interrupt 13 Extensions
Permanent Deletion of Files: PDWIPEhttp://www.digitalintelligence.com/
It has three basic modes of operation
• Command line interactive• Command line confirmation• Batch file operation
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Permanent Deletion of Files: Darik's Boot and Nuke (DBAN)http://www.dban.org/
Darik's Boot and Nuke ("DBAN") is a self-contained boot floppy that securely wipes the hard disks of most computers
It automatically and completely deletes the contents of any hard disk that it detects
It is a way of preventing identity theft and a good way of cleaning a Microsoft Windows installation of viruses and spyware
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
DBAN: Screenshot
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
File Integrity Checker
FileMon monitors and displays file system activity on a system in real-time
File Date Time Extractor looks through binary files, 'sniffing out' hidden, embedded 64 bit date and times
Source: http://technet.microsoft.com/
Source: http://www.digital-detective.co.uk/
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
File Integrity Checker
Decode - Forensic Date/Time Decoder utility was designed to decode the various date/time values found embedded within binary and other file types
Source: http://www.digital-detective.co.uk/
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Disk Imaging Tools: Snapback Datarresthttp://www.snapback.com/
The ‘Snapback Datarrest’ software has a user-friendly interface backed by powerful operation to create mirror images of variety of operating systems
It performs successful back-up and restoration
It is compatible with all IBM computers containing any OS
If a DOS floppy is booted, data can be seized quickly, accurately, and completely
It gathers every bit from the hard drive
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Partition Managers: Partimagehttp://www.partimage.org/
It supports file systems:
• Ext2fs/Ext3fs• Reiser3• FAT16/32 • HPFS, JFS, UFS• XFS, HFS• NTFS
Partimage is a Linux/UNIX utility that saves partitions having a supported file system to an image file
The image file can be compressed in the gzip/bzip2 programs to save disk space
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Partimage: Screenshot 1
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Linux/Unix Tools: Ltoolshttp://www.it.hs-esslingen.de/
• Ltools access Linux files from Windows 9x/ME and Windows NT/2000/XP
• It consists of set of command line tools for reading and writing Linux ReiserFS, ext2, and ext3 file systems
• They have Java and .NET based GUI, an Explorer-like interface in a Web browser, providing remote access to file systems
• They are used in DOS environment to repair Linux , if the Linux system does not boot
Ltools
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Ltools: Screenshot
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Linux/Unix Tool: Mtoolshttp://www.gnu.org/
• Mtools is a collection of utilities to access MS-DOS disks from Unix without mounting them
• It supports Win'95 style long file names, OS/2 Xdf disks and 2m disks (store up to 1992k on a high density 3 1/2 disk)
• It handles the long filenames of Windows NT and Windows 95
Mtools
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Password Recovery Tool
@stake reduces security risk by helping administrators to remove vulnerabilities caused due to weak or easily guessed passwords
Decryption Collection recovers more passwords, from more programs, in a shorter amount of time using method such as the advanced XieveTM attack method
Source: http://www.securityfocus.com/ Source: http://www.paraben-forensics.com/
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Password Recovery Tool
AIM Password Decoder utility was designed to decrypt the login password for AOL Instant Messenger
MS Access Database Password Decoder utility was designed to decrypt the master password stored in a Microsoft Access database
Source: http://www.digital-detective.co.uk/
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Internet History Viewer
CookieView - Cookie Decoder was originally written as an external viewer for Encase or iLook
Cookie Viewer discovers the information that web sites store on computer
Source: http://www.digital-detective.co.uk/
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Internet History Viewer: Cache View
Cache View is a viewer for the Netscape Navigator, Mozilla and Firefox, Opera, and Internet Explorer web caches
FavURLView utility decodes Internet Shortcut (*.URL) files to allow user to compare the Shortcut Description with the actual link
Source: http://www.digital-detective.co.uk/
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Internet History Viewerhttp://www.digital-detective.co.uk/
NetAnalysis automatically rebuilds HTML web pages from an extracted cache
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Multipurpose Tools: Mareswarehttp://www.dmares.com/
Maresware suite provides an essential set of tools for investigating computer records plus powerful data analysis capabilities
It is used in computer forensics for the purposes such as:
• Discovery of "hidden" files (such as NTFS Alternate Data Streams) • Incident response and evaluation of timelines • Powerful key word searching and comparing and file verification • Forensic diskette imaging • Drive wiping for information privacy and security • Disk wiping to overwrite a hard drive to DOD standards • Completely documenting the examiner's steps and procedures
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Multipurpose Tools: LC Technologies Software
• It is designed to recover images, movies, and sound files from various types of digital media Photorecovery:
• It scans and finds lost partitions, boot sectors, and other file system componentsFile RecoveryPro:
• This tool completely removes data from disks to avoid passing private/secret information FILExtinguisher:
• It recovers all kinds of data from the hard diskSanDiskRescuePRO:
• It allows fast, safe, and reliable file recovery with Windows environment Data Recovery kit:
• It is a software used for reportingIntelli-SMART:
The LC Technologies Software comprises of the below software/tools:
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Intelli-SMART: Screenshot
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Multipurpose Tools: Winhex Specialist Edition
WinHex is a hexadecimal editor, helpful in the realm of computer forensics, data recovery, low-level data processing, and IT security
Prodiscover is a law enforcement tool used to find all the data on a computer disk while protecting evidence and creating evidentiary quality reports
Source: http://www.x-ways.net/ Source: http://www.techpathways.com/
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Toolkits: NTI Toolshttp://www.forensics-intl.com/
• It is a floppy diskette analysis tool for security reviews and to identify data storage pattern anomaliesAnaDisk:
• It is a utility tool that is used to securely destroy computer data on a disk driveDiskScrub:
• It captures data stored in the file slack associated with all of the files on a target computer hard disk driveGetSlack:
• It determines the past Internet-based computer usage of a specific computer systemNTA Stealth:
• It is a Hard disk’s bit-stream backup softwareSafeBack 3.0:
Some of the important NTI tools:
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Toolkits: R-Toolshttp://www.r-tt.com/
R-Tools Technology Inc. is the provider of forensic utilities for Windows OS family
• It is an undelete and data recovery software recovering files from FAT12/16/32, NTFS, NTFS5, HFS/HFS+ (Macintosh), Little and Big Endian variants of UFS1/UFS2
R-Studio:
• It is a file undelete solution for FAT and NTFS file systems R-Undelete:
• It is a drive image and backup software that creates disk image files with exact, byte-by-byte copies of a hard drive, partition or logical disk
R-Drive Image:
• It protects computers present in a local network and/or to the Internet against intrusions, attacks, Trojans, spyware, and other external and internal threats
R-Firewall:
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Toolkits: R-Tools (cont’d)
• It is a data security tool for advanced access right control, encryption, and auditR-guard:
• It recovers damaged files and deleted messages created by Microsoft Outlook and Microsoft Outlook Express software
R-mail:
• It is designed to recover corrupted Microsoft Word documents R-word:
• It deletes private records of user’s on-line and off-line activities, such as temporary internet files, history, cookies, passwords, swap files, etc.
R-Wipe&Clean:
• It is a file recovery utility for the Ext2FS file system used in the Linux OS and several Unix versions
R-Linux:
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
R-Tools: Screenshot
R-Studio R-Guard
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
R-Tools: Screenshot (cont’d)
R-mail R-Wipe&Clean
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Toolkits: Datalifterhttp://www.datalifter.com/
DataLifter is a forensics toolkit built by StepaNetCommunications Inc
It has a set of 10 tools that helps in forensics investigations
It has two versions: DataLifter v2.0 and DataLifter.Net Bonus
The utilities that are grouped together along with DataLifterinclude:
• Active reports, Disk2File, File extraction, Image linker• Internet history, File signature generator, Email retriever, • Ping/Trace route/WHOIS, Recycle Bin history, Screen capture
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Datalifter: Screenshot
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Toolkits: AccessDatahttp://www.accessdata.com/
AccessData contains set of programs used for computer forensics such as:
• The Password Recovery Toolkit recovers passwords from well-known applications
Password Recovery Toolkit:
• It recovers the password for protected files
Distributed network attack:
• Registry Viewer views independent registry files and generates reports
Registry viewer:
• Wipe drive is used to overwrite and remove all the data present in a computer
Wipe drive:
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
FTK – Forensic Toolkithttp://www.accessdata.com/
Features:
• An integrated solution• Integrated oracle database and enhanced
searching• Powerful processing speed• Intuitive interface and functionality
Forensic Toolkit (FTK) offers forensic professionals the ability to complete a task systematically, by providing accurate information
It has full text indexing, advanced searching, deleted file recovery, data-carving, email, and graphics analysis
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Image MASSter Solo and FastBloc
• It is a hard drive duplicator for workstation cloning• It can load any operating system and application
software including: Windows95/98, NT, SCO, Unix, OS/2, and Mac OS
Image MASSter Solo:
• It is a data acquisition software, which connects through an IDE channel. Does not require SCSI controller cards or SCSI drivers
• The common IDE write-blocked architecture allows data from any IDE hard drive to be gathered safely in Windows OS
FastBloc:
Source: http://www.guidancesoftware.com/
Source: http://www.ics-iq.com/
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EnCase® Forensichttp://www.guidancesoftware.com/
• Acquires data in a forensically sound manner using software with an unparalleled record in courts worldwide
• Investigates and analyzes multiple platforms• Finds information despite efforts to hide, cloak or delete• Manages large volumes of computer evidence• Transfers evidence files directly to law enforcement or legal
representatives as necessary
Features of EnCase:
EnCase® provides investigators with a single tool, capable of conducting large-scale and complex investigations from beginning to end
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EnCase® Forensic: Screenshot 1
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EnCase® Forensic: Screenshot 2
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EnCase® Forensic: Screenshot 3
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Email Recovery Tools
E-mail Examiner is e-mail examination tool that recovers active and deleted mail messages
Network E-mail Examiner allows investigator to examine Microsoft Exchange (EDB), Lotus Notes (NSF), and GroupWise e-mail stores
Source: http://www.paraben-forensics.com/
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Case Agent Companionhttp://www.paraben-forensics.com/
• Enhanced reporting options for professional and comprehensive output of examined data
• Customized by examiner so each case can be loaded based on the specifics of that case
• Note taking and bookmarking capabilities built in for easy reference to examined data
• Case logging feature tracks all parts of analysis in detailed log file
Features of Case Agent Companion:
Paraben's Case Agent Companion is designed to optimize both the time of the forensics examiner and the agent working the case
It has built in viewers for over 225 file formats, searching, and reporting that makes forensics process faster, more efficient, and more effective
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Case Agent Companion: Screenshot
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Chat Examinerhttp://www.paraben-forensics.com/
Chat Examiner is a specialized tool to perform a thorough analysis of chat logs
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Paraben Hard Drive Forensics: Forensic Replicatorhttp://www.paraben-forensics.com/
• Supports for creating and viewing VHD (Virtual Hard Disk)• Supports for WiebeTech write block devices• Supports for viewing Linux EXT2 and EXT3 partitions• Creates bit-stream images of removable media, partitions, or an entire
physical hard drive• Creates images of USB micro drives
Forensic Replicator Features:
Paraben's Forensic Replicator is used to bit-stream imaging of hard drives and media
It acquires a wide range of electronic media from a floppy to a hard disk
Captured images can be compressed, segmented, and easily read into the forensic analysis programs
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Forensic Replicator Screenshot
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Registry Analyzerhttp://www.paraben-forensics.com/
Paraben's Registry Analyzer is a component of Paraben's P2 forensic collection and is used for viewing, analyzing, and reporting the Windows registry files
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
• On-site or remote preview of a target system• Post mortem analysis of dead systems • Testing and verification of other forensic programs• Conversion of proprietary "evidence file" formats• “Knock-and-talk” inquiries and investigations
Features of SMART:
SMART is a software utility that has been designed and optimized to support data forensic practitioners and Information Security personnel in pursuit of their respective duties and goals
ASR Data’s SMARThttp://www.asrdata.com/SMART/
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
SMART: Screenshot 1
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
SMART: Screenshot 2
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Oxygen Phone Managerhttp://www.oxygensoftware.com/
Oxygen Phone Manager supports all the models of Nokia mobile phone
Supported different connection types such as InfraRed, Bluetooth, and Various USB
It backs up and restores all information from mobile phone
Highly customizable imports
Export of phonebook to all the popular formats
Supports three storage types: SIM card, phone memory and disk
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Oxygen Phone Manager: Screenshot 1
Main Window
SMS Manager
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Oxygen Phone Manager: Screenshot 2
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
SIM Card Seizurehttp://www.paraben-forensics.com/
SIM Card Seizure is a tool that analyzes SIM card data and recovers deleted data
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Text Searcherhttp://www.paraben-forensics.com/
Paraben's Text Searcher is a text searching tool that will make any forensics examiner more effective and more efficient
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Autorunshttp://technet.microsoft.com/
Autoruns shows what programs are configured to run during system bootup or login, and the entries in the order Windows processes them
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Autostart Viewerhttp://www.diamondcs.com.au/
Autostart Viewer allows you to see all known autostarts on your system, all on the one screen
It also gives you complete control over the autostart references, and allows you to modify or delete them
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Belkasoft RemovExhttp://belkasoft.com/
Belkasoft RemovEx allows user to disable Internet Explorer and Windows Explorer plug-ins
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
HashDighttp://ftimes.sourceforge.net/
HashDig technology is a collection of utilities designed to help practitioners automate the process of resolving MD5 and SHA1 hashes
It was designed to work in conjunction with FTimes
This method can be implemented quite effectively by manipulating hashes and comparing them to one or more reference databases
The HashDig format:
•hash|category
The reverse HashDig format:
•category|hash
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Inforenz Foragerhttp://www.deticaforensics.com/
• Identifies relevant data through its highly flexible and sophisticated searches that perform simultaneous high-level and meta-data level filtering
• Mines down into .zip container files recursively to obtain meta-data from deeply nested files, as well as providing meta-data from the .zip container files themselves
• Generates an index for all or part of your search area to speed up investigations, or to work without the original data
• Produces rapid reports on multiple documents, including document time-lines and document history (where available) without needing to open the original application
• Allows investigation and analysis of known files without needing to perform a search• Analyzes the history of Microsoft Word and Excel documents created on any platform (including
Microsoft Windows and Mac OS) • Provides detailed property values for a growing number of file types
Features of Inforenz Forager:
Inforenz Forager is a forensic investigation tool that enables to search for, identify, analyze, and report on information about computer files
It is the first commercially available forensic investigation tool to collate and link the metadata of different computer files
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
KaZAlyserhttp://www.sandersonforensics.com/
• Lists all database entries in a tabular form• Displays the file integrity tag • Allows the investigator to tag and comment each record • Identifies files that appear (from title, keywords etc.) to be related to Child
Pornography • Identifies files that have a known Child Pornography hash value • Identifies all graphics/movie files • Exports the content of a database to a CSV file
It provides the following functions:
KaZAlyser is the successor to the popular P2PView KaZaA/Morpheus database viewer
It provides significant enhancements to the investigation process
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
DiamondCS OpenPortshttp://www.diamondcs.com.au/
DiamondCS OpenPorts is a command line interface tool that allows to see all open TCP and UDP ports on your system
It displays information about the sockets/ports on your system
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Pascohttp://www.foundstone.com/
Pasco is designed to examine the contents of Internet Explorer's cache files
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Patchithttp://www.foundstone.com/
MESSAGE <"message">
Displays a message during script execution
DIR <"directory path">
Optional directory path to search for files. For compatibility it is advisable not to use specific drive names in the path
FILE <"filename"> [filesize]
Filename to patch. Optional filesize specifies the size that the file must match to be accepted
FIND [<*>]...
Performs a search on the current file for the sequence of bytes that match ... up to max 256. Use the keyword * to match any byte. If a match is found then the PATCH file position value is set to the file position at which the found pattern begins
Patchit is a file byte-patching utility
It can patch sequences of bytes in any file, search for byte patterns (with wildcards) and also extract and utilize DLL exported function addresses
The total command list is shown below:
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Patchit (cont’d)
FUNCTION <"funcname">
Sets the current patch position to the file position of the given exported function name (case sensitive). It is assumed that the file being patched is a DLL
PATCH [[POS ] | [OFFSET ]] ...
Patches the current file at optional file position/offset. Replaces orig_byte with new_byte. Fails if original byte read from file is not orig_byte
COPY <"orig_file"> <"new_file">
Copies "orig_file" to "new_file“
DELETE <"filename">
Deletes the specified file
INIFILE <"filemame">
Specifies an INI file to be used in subsequent INI commands. This filename is relative to the last DIR directory path
INISECTION <"section">
Specifies an INI section name for use in subsequent INIWRITE commands
INIWRITE <"keyname"> <"value">
Writes the given string value to the INI keyname in the previously specified INI file's section
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
PE Explorerhttp://www.pe-explorer.com/
• Works with PE files such as .EXE, .DLL, .SYS, .ACM, .OCX, .DPL, and .BPL
• Opens broken or packed files in Safe mode• Verifies PE file's integrity• Supports custom plug-ins to perform any startup processing
Features of PE Explorer:
PE Explorer tool is used for inspecting the inner workings of user software, third party application and libraries for which user do not have source code
Once user select the file that wish to examine, it analyzes the file and displays a summary of the PE header information, and all of the resources contained in the PE file
It allows user to explore the specific elements within an executable file
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
PE Explorer: Screenshot
Syntex Description Editor
Expert properties display details about selected function
Log Window Syntex Details Window
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Port Explorerhttp://www.diamondcs.com.au/
Features of Port Explorer:
• Configurable interface• Multi-language support• Hidden server detection• Port-to-process mapping• Socket send/receive blocking• Packet-sniffing• IP-to-country resolving• Traffic volume reporting
Port Explorer is the premier port-to-process mapper that allows user to view all the open network ports/sockets on the system
It is a network monitoring utility and has an intuitive GUI that allows user to monitor all the network activity, your computer is involved in
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Port Explorer: Screenshot
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
PowerGREPhttp://www.powergrep.com/
PowerGREP is a Windows grep tool that searches through large number of files on user’s computer or network
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Process Explorerhttp://technet.microsoft.com/
Process Explorer tool shows you information about which handles and DLLs processes have opened or loaded
Its display consists of two sub-windows
• Top window always shows a list of the currently active processes, including the names of their owning accounts
• Bottom window information depends on the mode that Process Explorer is running
Features of Process Explorer:
• Supports for full handle viewing on Win9x/Me• Processes icons and tree display• Services process highlighting• Configurable refresh rate• Refreshes highlighting• DLL descriptions in the DLL view• Highlights relocated DLLs• Jump-to-entry in the find dialog
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Process Explorer: Screenshot
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
PyFLAGhttp://www.pyflag.net/
PyFLAG is a web based tool used for the analysis of large volumes of log files and forensic investigations
It can be deployed on a central server and shared with a number of users simultaneously
It has the ability to load many different log file formats, perform forensic analysis of disks and image
It uses a database as a backend to assist in managing the large volumes of data
It analyzes network traffic as obtained via tcpdump quickly and efficiently
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
PyFLAG: Screenshot 1
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
PyFLAG: Screenshot 2
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Registry Analyzing Tool: Regmonhttp://technet.microsoft.com/
Regmon is a Registry monitoring utility that shows user which applications are accessing the Registry, which keys they are accessing, and the Registry data that they are reading and writing in real-time
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Reverse Engineering Compiler http://www.backerstreet.com/
REC is a portable reverse engineering compiler, or decompiler
It reads an executable file, and attempts to produce a C-like representation of the code and data used to build the executable file
Features of REC:
• Multitarget: REC can decompile 386, 68k, PowerPC and MIPS R3000 programs• Multiformat• Multihost: REC is available for Linux 3.0 (i386), Windows 95 and SunOS 4.1.4• Supports high-level symbolic information in COFF, ELF+STAB, AOUT+STAB• Scalable user interaction
• HTTP server mode allows using an HTML browser as user interface
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Reverse Engineering Compiler: Screenshot 1
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Reverse Engineering Compiler: Screenshot 2
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
SafeBackhttp://www.forensics-intl.com/safeback.html
SafeBack is used to create mirror-image (bit-stream) backup files of hard disks or to make a mirror-image copy of an entire hard disk drive or partition
The process is analogous to photography and the creation of a photo negative
It is an industry standard self-authenticating computer forensics tool that is used to create evidence grade backups of hard drives
It is a DOS-based utility to back up and restore hard disks
It is used:
• To create evidence grade backups of hard disk drives on Intel based computer systems• To exactly restore archived SafeBack images to another computer hard disk drive of equal or larger
storage capacity• As an evidence preservation tool in law enforcement and civil litigation matters• As an intelligence gathering tool by military agencies
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
TapeCathttp://www.sandersonforensics.com/
TapeCat is a Windows-based Tape Forensics package
It has the following functionality:
• Creates a FAT formatted image file and extracts the content of an archive tape directly into the image file for subsequent direct import into forensic investigation tools such as Encase or ILook
• Extracts the contents of an archive tape to disk (i.e. restore) maintaining file dates and times
• Displays a catalogue of all volumes on a given tape (supported formats only)• Supports out of sequence backup tapes (NTBackup and Backup Exec only)• Filters (include or exclude) files based on file extension, file signature, and hash
values - search for known files or exclude known files • Extracts only unique files • Raw dumps the contents of a tape to disk• Duplicates tape to tape• Duplicates via hard disk• Creates tape images • Maintains a forensic log of all activity
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Visionhttp://www.foundstone.com/
Vision is a host based forensics tool that shows all of the open TCP and UDP ports on a machine, displays the service that is active on each port, and maps the ports to their respective applications
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Hardware Computer Forensic Tools
Software Computer Forensic Tools
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Hardware Computer Forensic Tools
• PDBlock• Write-blocker• NoWrite• FireWire DriveDock• Write Protect Card Reader• Serial-ATA DriveLock Kit• ImageMASSter Solo-3 IT• ImageMASSter 4002i• ImageMasster 3002SCSI• Image MASSter 3004SATA
List of hardware computer forensics tools:
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Hard Disk Write Protection Tools: PDBlock and Write-blockerhttp://www.digitalintelligence.com/
• PDBlock tool is designed to prevent unexpected writes to a physical disk drive
• It write protects hard disks on a system and prevents write requests to particular hard disks on a system
• It has an option to select specific write protected hard drives• Safeguard any particular drive accessed from the system through
Interrupt 13 or the MS/IBM Interrupt 13 extensions
PDBlock
• Write-blocker prevents data from being written to a hard disk during investigations
• It allows sample access to the forensic examiner to download, examine and investigate the data present in a system
Write-blocker
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Hard Disk Write Protection Tools: Nowrite http://www.mykeytech.com/nowrite.html
Features:
• True IDE to IDE connections• Transparent to hardware and software• Blocks any writes to the drive• Supports large drives (+130Gigs)• Supports identifying host protected area
NoWrite is a write blocker for IDE hard drives
Figure: NoWrite
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Hard Disk Write Protection Tools: Firewire Drivedockhttp://www.wiebetech.com/
• Dual FireWire 400 Ports for daisy chaining• USB 2.0 Port for attachment of USB hosts• Disk Drive Power In LED for powering from standard 4-pin
drive power connectors• FireWire Host Detection LED to identify valid FireWire
host attachment• USB Host Detection LED to identify USB attachment
Features of Wiebetech’s FireWireDriveDock:
Wiebetech’s FireWire DriveDock v4 is a forensic tool for investigators who deals with bare 3.5" IDE drives
This tool attaches drives through dual FireWire 400 or USB that allows daisy-chaining for more versatility
Figure: Firewire Drivedock
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Write Protect Card Readerhttp://www.ics-iq.com/
Write Protect Card Reader transfers data to a PC from digital camera, digital camcorder PDA, MP3 player, and digital voice recorder
It can read multiple types of flash memory while blocking any writes to it
Features of Write Protect Card Reader:
• USB 2.0 connection• Backward compatible to USB 1.1• Complete plug and play• Read 12 different popular digital media• Can read data among four different media simultaneously• Maximum data throughput up to 480 Mbits/sec • Unique icon for each media type under My Computer folder• Size small enough to fit in most jacket pocket• Bus powered - no AC adapter needed
Figure: Write Protect Card Reader
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Serial-ATA DriveLock Kithttp://www.ics-iq.com/
Features:
• Write Protection through P-ATA and S-ATA Interface
• Multiple media support • High speed operation• Ease of use and portable
Figure: Serial-ATA DriveLock Kit
The Drive Lock S-ATA device is a hardware write protect solution which prevents data writes to S-ATA and P-ATA hard disk drives
It is designed to block write command sent to the hard drive while previewed or duplicated
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
ImageMASSter Solo-3 IThttp://www.ics-iq.com/
• MD5 and CRC32 hashing• Touch screen user interface• Copy to two target drives simultaneously• Multiple media support
Features of ImageMASSter Solo-3 IT:
Figure: ImageMASSter Solo-3 IT
The ImageMASSter Solo-3 IT is a complete, inclusive High Speed Data Duplication Tool that integrates all the latest advanced features in data imaging
It can copy data from IDE and laptop drives, Serial ATA and SCSI drives as well as Flash Cards
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
ImageMASSter 4002ihttp://www.ics-iq.com/
Features of ImageMASSter 4002i:
• Copy to multiple drives simultaneously• Copy between different drive models and sizes• 48-Bit support• Multiple user defined settings
Figure: ImageMASSter 4002i
ImageMASSter 4002i product provides the tools necessary to mass duplicate regular and notebook P-ATA and S-ATA hard drives for high volume drive deployments
It can duplicate to 2 drives simultaneously at speeds greater than 2GB/min
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
ImageMASSter 3002SCSIhttp://www.ics-iq.com/
The Image MASSter 3002S hard drive duplicator is a tool for SCSI Hard Drives duplication
It is designed to copy data from 1 to 2 SCSI hard drives
It supports IDE hard drives duplication as well as Serial ATA hard drives duplication
Features of Image MASSter 3002S:
• Copy to multiple drives simultaneously• Multiple media support• Multiple copy methods• Bad sector handling
Figure: ImageMasster 3002SCSI
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
ImageMASSter 3004SATAhttp://www.ics-iq.com/
• Duplicates to multiple drives simultaneously • Multiple copy methods • WipeOut: erases data on up to 5 SATA hard
drives simultaneously
Features of Image MASSter3004SATA:
Figure: Image MASSter 3004SATA
The Image MASSter 3004SATA Hard Drive Duplicator is an advanced, cost-effective drive duplicator with multi data copy and drive cloning functionalities
Data Duplication Speeds can exceed 1.6 GB/min
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Summary
This module has provided information on computer forensics software and hardware tools that are important in forensic investigation
Data recovery plays a crucial role during investigations
Tools that perform various functions are known as Multi-purpose tools