Chapter 5. Overview of Digital Forensics Tools

Information in this chapter:

• What makes a tool forensically sound?
• Who performs tool testing?
• Computer forensics tools: An overview
• Classes of forensics tools
• Mobile device forensics tools

In the realm of digital forensics, there are a variety of tools in use today. There are tools for acquiring digital evidence and tools for analyzing digital evidence. There are three types of digital forensics software in use today: commercial tools, open source (free) tools, and tools developed for and available only to law enforcement agencies. In this chapter we take a look at the different types of tools and who uses them. We will also review the requirements for a tool to be a “forensically sound” tool.

Keywords
Forensic Software, Cell Phone, Mobile Device, Acquisition, Drive Duplication, Triage, Tools

Introduction

Since this book is written for legal professionals, you may be asking yourself why this chapter was included. While all this talk about tools may seem unnecessary, our objective is to familiarize you with forensic tool validation and common forensics tools. In our experience, we have encountered numerous people claiming to be digital forensics experts who frankly did not know which end was up when it came to the proper tools in the digital forensics field. By having an idea of how the forensic tool validation process works, and which common tools are used, we hope to give you the information necessary to question examiners you might potentially hire, to see whether or not they are qualified. If they do not possess any of these tools and cannot explain to you why a particular tool can stand up in court, chances are they will do you and your client more harm than good.
In the realm of digital forensics, a variety of tools are in use today. There are tools for acquiring digital evidence and tools for analyzing digital evidence. There are both hardware tools and software tools. There are tools commercially developed and available to anyone who can afford the price, open source tools available for free, and tools that are only available to law enforcement agencies. However, all of these tools, independent of their origination or who may use them, must meet minimum criteria to be considered forensically sound. These criteria are based on engineering and scientific principles that are translatable into the creation of both a testing and validation methodology.

5.1. What makes a tool forensically sound?

For any tool to be forensically sound, it must be definable, predictable, repeatable, and verifiable.
Definable: One of the fundamental aspects of any forensic process is that the desired outcome and purpose must be definable. In other words, you must be able to state the problem, articulate the desired outcome, develop an algorithm to describe the process, and finally, have a measurement system to validate the process. As an example, for a forensic imaging tool, you would define it as:
Problem: There is a need to have a forensically sound tool to make identical copies of digital evidence.
Desired outcome: To create a process and method and ultimately a device or software application that can create a forensically identical copy of digital evidence in a verifiable and repeatable manner. (Note that this does not specify any criteria for performance related to speed of the copy process.)
Algorithm: An algorithm is a description of a process, broken down into logical steps. Algorithms are normally used in computer programming, but can be applied to any process that uses a yes/no type of logic. A decision tree can be regarded as a graphical presentation of an algorithm. In this case, we would first express the algorithm in pseudo-code. Pseudo-code is an informal description of an algorithm, basically a plain-language way to describe what the algorithm should do when it is actually written in real code. In this case, the pseudo-code for the forensic copy tool would look like this:
    If the system is on and write-blocking is enabled (protect the original from modification):
        Okay to start copy process
        While copy process is running
            Check each block of data for errors
            If no errors, accept and store
                Calculate MD-5 hash value for that data block and store it for verification purposes
            Otherwise, reject data block and re-copy
                Re-copy previous data block
                Re-check for errors
                If it still contains errors after this many tries, mark as a bad block
                Store bad block information
            Proceed to next data block
        Repeat until all data is copied and verified.
The algorithm shown in pseudo-code is far from complete and is only shown as an example of how a high-level description of an algorithm for making a forensically sound copy would look.
Predictable: Any function that the tool is going to perform must be predictable. If the tool cannot give predictable results, then it is not forensically sound, and all bets are off. Predictability in this case means that the tool will perform in a predictable manner across any usage of the tool for a specified function. In plain language, if the tool is supposed to find pictures of certain types, the prediction is that it will always find those types of pictures.
Repeatable: The function must be repeatable within a tolerance of error. Let’s take an example from the field of robotics: One of the defining characteristics in robotics is repeatability. If a robot arm is to move to a certain point, and then deposit a part in a certain location, can it repeat that exact movement hundreds of thousands of times within a defined tolerance of error? When you are looking at a forensic tool, can it repeat the function reliably, and what is the tolerance for error? Can it find 100 percent of the selected type of pictures 100 percent of the time or only 95 percent of the time? Is that 5 percent margin of error tolerable?
Verifiable: One of the most important criteria for a tool in the arena of forensics is the ability to verify the results of the tool, not only within a particular testing environment, but also with other tools of the same type. For instance, if one examiner in a case is using EnCase forensic software and the other examiner is using Forensic Tool Kit forensic software, do they both produce the same result? If they do not, then the question must be raised: Is the difference a software error or an examiner error? This is not a matter of interpretation by the examiner, but a matter of exactness in a particular function of the tool. The idea is that no matter what forensic tool is being used by an examiner, the results of his or her examination must be verifiable by another examiner, independent of the tool being used as long as the tools are comparable in specification and function.
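To make the imaging pseudo-code above and the repeatability and verifiability criteria concrete, here is an added Python example (not code from the book or from any forensic product) that copies a source block by block, retries failed reads, records bad blocks, stores a per-block hash, and then re-verifies the image; the 6-block “drive” and the flaky read behaviour are constructed for the example, and BLOCK_SIZE, forensic_copy, verify_image, image_hash and make_flaky_source are names chosen here.

```python
import hashlib

BLOCK_SIZE = 512  # bytes per block in this constructed example


class ReadError(Exception):
    """Raised by the source when a block cannot be read."""


def forensic_copy(read_block, total_blocks, max_tries=3):
    """Copy following the chapter's pseudo-code: accept a block only if it reads
    without error and record its MD5 for verification; retry a failed read, and
    zero-fill a block that still fails after max_tries, recording it as bad."""
    image, block_hashes, bad_blocks = [], [], []
    for n in range(total_blocks):
        data = None
        for _ in range(max_tries):
            try:
                data = read_block(n)
                break
            except ReadError:
                continue  # re-copy the same block
        if data is None:
            data = b"\x00" * BLOCK_SIZE  # placeholder for an unreadable block
            bad_blocks.append(n)
        image.append(data)
        block_hashes.append(hashlib.md5(data).hexdigest())
    return image, block_hashes, bad_blocks


def verify_image(image, block_hashes):
    """Re-hash every stored block against the hashes recorded during the copy."""
    return all(hashlib.md5(b).hexdigest() == h for b, h in zip(image, block_hashes))


def image_hash(image):
    """Whole-image hash: independent copies of the same source must agree on it."""
    return hashlib.sha256(b"".join(image)).hexdigest()


def make_flaky_source(blocks, fail_once=(), always_fail=()):
    """Constructed stand-in for a drive: some blocks fail one read, some never read."""
    failed = set()

    def read_block(n):
        if n in always_fail or (n in fail_once and n not in failed):
            failed.add(n)
            raise ReadError(n)
        return blocks[n]
    return read_block


SOURCE = [bytes([i]) * BLOCK_SIZE for i in range(6)]  # constructed 6-block "drive"
```

Two independent runs over the same source yield the same whole-image hash, which is the kind of cross-check two examiners using different tools would compare; a block that never reads is reported rather than silently skipped.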

5.2. Who performs tool testing?

The overall governing organization for the testing and validation of digital forensics tools in the United States is the Computer Forensics Tool Testing program (CFTT) at the National Institute of Standards and Technology (NIST). The CFTT develops testing methodology for specific tools. The following description of testing methodology is from the CFTT website:
The goal of the Computer Forensic Tool Testing (CFTT) project at the National Institute of Standards and Technology (NIST) is to establish a methodology for testing computer forensic software tools by development of general tool specifications, test procedures, test criteria, test sets, and test hardware. The results provide the information necessary for toolmakers to improve tools, for users to make informed choices about acquiring and using computer forensics tools, and for interested parties to understand the tools’ capabilities. A capability is required to ensure that forensic software tools consistently produce accurate and objective test results. Our approach for testing computer forensics tools is based on well-recognized international methodologies for conformance testing and quality testing.[1]

5.3. Computer forensics tools: An overview

Forensic software and hardware tools come in a variety of shapes and sizes, some designed to do everything in an examination and some designed to perform a specific function. In this section we will look at some of the better-known tools, without attempting to create a catalog of all tools. First we will look at forensic software tools and then forensic hardware tools. The tools are broken down into classes, and then by function.

5.4. Classes of forensics tools

While there is no formal classification of forensic software tools, it is an easy task to put different forensics tools into general categories both by availability and by function:
Availability
Commercial. Commercial software includes tools that are available to anyone who is willing to pay the purchase price. Prices for forensic software tools range from less than one hundred dollars for some single-purpose tools up to tens of thousands of dollars for enterprise level forensics and e-discovery tools.
Open Source. Open source tools are those that are developed under the Open Source Initiative[2] and are covered by one of the various licenses approved under that initiative. Open source tools are distributed free to anyone and are developed and supported by interested community members. The most well-known of these is The Sleuth Kit, developed by Brian Carrier, author of “File System Forensic Analysis.”[3]
Law Enforcement Only (LEO). Some digital forensics tools are developed for use by law enforcement only. One such program, and one of the more well-known, is iLook. It was developed by Elliot Spencer and then maintained by the Internal Revenue Service Criminal Investigation Division (IRS-CI). In 2008, federal funding for the product ended, but Elliot Spencer’s company Perlustro now sells a commercial version of the software.[4]
Function
Suites. Forensic software suites are those programs designed to “do it all.” The typical software suite operates as a single program to handle all aspects of a computer examination. All of the suites also include ancillary programs for the acquisition (forensic copying) of digital evidence in a forensically sound manner. These comprehensive forensic software suites are designed to handle acquisition of evidence, verification, analysis, and preservation all in one place. This enables the forensic examiner to perform all of the processes and functions needed for a complete forensic analysis, from collection through reporting results for use in court testimony.
Guidance Software (www.guidancesoftware.com) and Access Data Corporation (www.accessdata.com) have extensive documentation citing court cases that have involved EnCase and Forensic Tool Kit available on their websites.
• EnCase (Guidance Software Corporation)
• FTK Forensic Tool Kit (Access Data Corporation)
• iLook LEO and iLookPI (Perlustro Corporation)
• SMART (ASR Data, Data Acquisition and Analysis, LLC)
• P2 Commander (Paraben Corporation)
• X-Ways Forensics (X-Ways Software Technology AG)
• MacForensicsLab (MacForensicsLab, Inc.)
• BlackLight Mac Analysis (BlackBag Technologies)
Task-Specific or Single-Purpose. Many software programs are available that perform a specialized task or function such as forensic triage, e-mail forensics, peer-to-peer forensics, chat program forensics, and Internet history forensics. This list includes software designed to handle specific tasks in the major evidence categories. Here we list some of the more well-known task-specific or single-purpose forensics tools.
Forensic Triage Products. Forensic triage is the process of conducting an examination of a computer to either eliminate it or include it for a full forensic analysis. Forensic triage is becoming more popular today as the number of cases involving computers continues to grow, swamping law enforcement agencies with computers waiting for a forensic examination. Forensic triage is seen as a way to reduce the backlog of computers that must be given a full forensic examination.
• Drive Prophet (Guardian Digital Forensics)
• Triage Examiner (ADF Solutions, Inc.)
E-mail Only Products. E-mail forensic software is used to recover and analyze stored e-mail in a variety of formats, including corrupted e-mail stores.
• Email Examiner and Network Email Examiner (Paraben Corporation)
• Email Detective (Hot Pepper Technology)
• Mail Analyzer (Belkasoft)
Chat Programs. Chat program forensic software is designed to recover chat logs from chat services such as Yahoo Messenger, MSN, Trillian, Hello, Miranda, Skype, and others.
• Forensic IM Analyzer (Belkasoft)
• Chat Examiner (Paraben Corporation)
Internet History
• NetAnalysis (Digital Detective)
• Browser Analyzer (Belkasoft)
Acquisition (forensic software and hardware for making forensic copies of evidence)
Software for Acquisitions
• EnCase Forensic Software (Guidance Software Corporation)
• LinEn (Guidance Software Corporation)
• FTK Imager (Access Data Corporation)
• Forensic Replicator (Paraben Corporation)
• MacQuisition (BlackBag Technologies)
• Helix (e-fense)
Hardware for Acquisitions. Forensic acquisition hardware comes in the form of write-blockers for protecting original evidence as well as in the form of forensic drive duplicators. There are far too many individual write-blocking products to list them by name. Below is a list of companies that produce and sell write-blocking and drive-duplication products.
• Tableau
• Logicube
• WiebeTech
• Intelligent Computer Solutions
• Voom Technologies

5.5. Mobile device forensics tools

Mobile devices require their own set of unique tools to acquire and analyze the data contained on cell phones, personal digital assistants, iPods, iPads, and even GPS units. The following is a list of the major products available for mobile device forensics.
• Paraben Device Seizure (Paraben Corporation)
• Cellebrite (Cellebrite USA Corporation)
• Susteen SecureView (Susteen Inc.)
• CellDEK (Logicube)
• Mobilyze (BlackBag Technologies)
• BitPim (Open source free application)
• XRY (Micro Systemation AB)
• Berla Corp GPS Forensic Software (Berla Corporation)

Summary

In this chapter we looked at the criteria for a forensically sound tool, and the organizations that provide testing and validation for forensics tools. We looked at the various classes of forensics tools and discussed the types of forensic software and hardware tools currently in use today. We also included a list of all of the manufacturers of the tools covered in this chapter for further reading.
References
[1]
[2]
[3]
[4]