Tuesday, January 26, 2016

Forensic Software Tools

Introduction

In this article we introduce the hardware- and software-based forensic tools. Because of the
large number of hardware and software tools, few can be covered in great detail. In Part One we
list the software products you will need to be familiar with to pass the exam.
The second part of this chapter introduces the physical hardware tools available to aid the
forensic practitioner. Tables within the chapter supply a brief description of the salient
features of each tool.

Forensic Software Tools

This section summarizes the features and advantages of a large number of software forensics
tools. For detailed information and technical reports it is always best to consult the vendor Web
sites as well as organizations that conduct technical reviews and evaluations, such as the National
Institute of Standards and Technology (NIST). The Computer Forensic Tools Testing (CFTT)
project web site contains additional valuable information:
■ www.cftt.nist.gov/disk_imaging.htm
■ www.cftt.nist.gov/presentations.htm
■ www.cftt.nist.gov/software_write_block.htm
The information presented in this chapter is based heavily on the assertions of the various
vendors who make the products listed in the chapter; much of it has been taken from the
vendors’ product sheets. The Computer Forensic Tools Testing project is a good source of
comparative data when deciding between these vendors.

Visual TimeAnalyzer

Visual TimeAnalyzer, shown in Figure 13.1, automatically tracks all computer usage and presents
detailed, richly illustrated reports. You can easily log individual users or specific projects and
compile detailed accounts of time spent within each program. The program helps track work
time, pauses, projects, costs, software, and Internet use, and gives parents control over their
children’s use of the personal computer.
The software has some privacy safeguards and does not monitor all user data, such as passwords
and personal documents. Unlike spyware, it does not record specific keystrokes or run screen
captures as a background process.
Software functions:
■ User supervision: Get detailed accounts of working hours and breaks.
■ Computer supervision: Monitor the family’s PC or the company’s network.
■ Software metering: Determine how often software is used and by whom.
■ Internet use: Control online time and web usage.
■ Project overview: Summarize the amount of time applied to each project milestone.
■ Compare users: See the activity of users on their computers.
Figure 13.1 Visual TimeAnalyzer in Action

X-Ways Forensics

X-Ways Forensics is also covered in further detail in Chapter 6. It is based on WinHex and is
designed to be an advanced work environment for the digital forensic analyst. The product
provides a number of features such as:
■ Forensic cloning and imaging of sound disks
■ Examination of the complete directory structure inside raw image files, even if the
image file spans segments
■ Native support for FAT, NTFS, Ext2, Ext3, Ext4, CDFS, and UDF file systems
■ Built-in interpretation of RAID 0 and RAID 5 systems and dynamic disks
■ Viewing and dumping of physical RAM and the virtual memory space of running
processes
■ Several data recovery techniques and file carving
■ File header signature database based on flexible UNIX grep notation
■ Hard disk cleansing to produce forensically sterile media
■ Gathering of slack space, free space, interpartition space, and generic text from drives
and images
■ Creation of file and directory catalogs for all computer media
■ Easy detection of and access to NTFS alternate data streams (ADS), even where
other programs fail
■ Mass hash calculation for files (CRC32, MD5, SHA-1, and SHA-256)
■ Manual decompression of NTFS volumes
■ Support for the HFS, HFS+, ReiserFS, Reiser4, UFS, and UFS2 file systems
■ Support for the following partition types: MBR, Windows dynamic volumes, GUID
(GPT), Apple, and unpartitioned (floppy/superfloppy)
■ Gallery view for pictures
■ Calendar view
■ File preview — a seamlessly integrated viewer component for more than 400 file
types
■ Examination of e-mail extracted from Outlook (PST)*, Outlook Express (DBX),
Mozilla (including Netscape and Thunderbird), generic mailbox (mbox, Berkeley,
BSD, UNIX), Eudora, PocoMail, Barca, Opera, Forte Agent, The Bat!, Pegasus,
PMMail, FoxMail, and local copies of maildir folders
■ Automated check of the file signature
■ Tagging files and adding them to customized report tables of notable items
■ Automatic identification of encrypted Microsoft Office and PDF documents
■ Automatic identification of pictures embedded in documents (for example Microsoft
Word, PDF, and PowerPoint)
■ An internal viewer for Windows Registry files (all Windows versions) that generates an
automated Registry report
■ An internal viewer for Windows event log files
■ Listing of the contents of archives within the directory browser, even in a recursive
view
■ Logical search of all or selected files and directories — following fragmented cluster
chains, in compressed files, and optionally decoding text in PDF, WPD, and other file
formats
■ Searches in Unicode and other code pages
■ Skin color detection (that is, a gallery view sorted by skin color percentage that
greatly accelerates searches for traces of child pornography and obscene images)
■ Detection of host-protected areas (HPA), also called ATA-protected areas
X-Ways Forensics can also write-protect data to ensure authenticity and integrity. It has a
case management function integrated with automated activity logging (audit logs) and
automated reporting. The generated reports can be imported and further processed by any
application that processes HTML, for example Microsoft Word. It also associates comments
with files for inclusion in the generated reports or for filtering.

Evidor

Evidor searches for all occurrences of keywords within text files on digital media such as hard
disks, and retrieves the context. It examines all files in the entire allocated space, including
Windows swap/paging and hibernate files, along with unallocated and slack space. It will find
data files that have been deleted if they still physically exist on the hard disk. Evidor is a small
subset of the search functionality included in X-Ways Forensics. Evidor cannot access remote
networked hard disks.

Slack Space and Data Recovery Tools

These tools aid in the recovery of deleted files and data, including file fragments in slack space
on file systems supported by Windows.

Ontrack

Ontrack Data Recovery is a simple-to-use tool used to recover lost, remote, and deleted data. It
is provided with a file repair capability for files in Microsoft Word and Zip format. It also
recovers deleted files, folders, and entire partitions. It uses an emergency boot diskette to
retrieve data from systems that cannot boot Windows. The user can start, stop, or resume the
recovery process and select an FTP location as the destination for the recovered data. The user
can configure the file filter for a quick or full scan.
The analyst can use this application to perform an enhanced search using options such as
find, find next, and find previous. Ontrack can filter and sort data according to the file date,
time, name, status, and size. It can scan the media for lost and remote data and lets the user
specify the locations to copy the recovered files and folders to.

DriveSpy

DriveSpy is a modified MS-DOS shell designed to imitate and extend the potential of MS-DOS
for forensic purposes. It uses a set of standard MS-DOS commands followed by commands
specific to DriveSpy to process the computer during investigations.
DriveSpy can wipe an entire drive or partition, unallocated space, or slack space. It can also
create an MD5 hash of an entire drive, partition, or selected files. It saves and restores
compressed images of a partition for forensic use.
It can process the following:
■ Hard drives with a capacity of more than 8.4 GB
■ Floppy drives and other removable drives
■ FAT12, FAT16, FAT16x, FAT32, and FAT32x partitions
■ Hidden MS-DOS partitions
Filters to sort the recovered files according to date, name, time, status, and size are available.
DriveSpy performs the following functions for recovering data:
■ Retrieve lost, remote, or deleted data and entire partitions.
■ Start, stop, or resume the recovery process.
■ Select an FTP location to copy the recovered files and folders to.

Data Recovery Tools

The following tools may be used to recover information from many sources, including PDAs,
cameras, and disk drives.

Device Seizure

Device Seizure is covert surveillance software developed by Paraben Corporation. It can aid in
forensically analyzing and recovering mobile phone and PDA data, including deleted text
messages, photos, and call logs. It supports Palm, Windows CE, Windows Mobile, BlackBerry,
and Psion devices as well as certain Nokia, Sony Ericsson, Motorola, iDen, Siemens, LG,
Samsung, and Symbian-based phone models. It also supports GSM SIM card acquisition and
deleted data recovery using SIMCon technology. Device Seizure is supported on Windows 98,
Windows XP, and Windows Vista.

Forensic Sorter

Forensic Sorter organizes and speeds the examination of the contents of a hard drive. It sorts
the contents of hard drives into categories such as video, audio, and spreadsheets so you can
easily find what you’re looking for. It filters common Windows files and recovers deleted files
and file fragments in slack, deleted, and unallocated space.
The application supports drive images in RAW, PFR (Forensic Replicator), Safeback,
and EnCase image files and is compatible with Paraben’s P2 Forensic Examination
Technology. It sorts files by header rather than file extension for accuracy and sorts files
located in unpartitioned space. Forensic Sorter identifies encrypted files for easy recovery
using Paraben’s Decryption Collection. All data output is non-proprietary, so any tool can be
used for analysis performed after sorting. It is designed for use with Paraben’s Case Agent
Companion. It supports:
■ EFS file detection
■ NTFS compressed file read operations
■ NTFS stream operations
■ HTML reporting
■ Ext2 and Ext3 partition operations
■ Compressed archive (ZIP, RAR, etc.) sorting
■ Sorting of drives with bad sectors
■ Unicode support
■ Removable disk support
■ OLE storage support
■ Palm OS file detection
■ Chat log file detection
■ E-mail Examiner and Network E-mail Examiner-supported file detection
■ XML output validation

Directory Snoop

This program is a cluster-level search tool that allows Windows users to analyze and view files
on FAT- and NTFS-formatted disk drives to see what data can be recovered. It can recover
deleted files or permanently erase sensitive files. Supported media include hard drives, floppy
disks, Zip disks, magneto-optical drives, and flash card devices. Its features include:
■ FAT and NTFS modules
■ Recovering deleted files, including those emptied from the recycle bin
■ Destroying sensitive files with the secure wiping functionality, which provides up to
35 wiping passes
■ Secure wiping slack and free drive space
■ Purging sensitive file names left behind after normal erasing
■ Copying open and locked files with the cluster copy function
■ Searching, filtering, and sorting files globally by name and other parameters
■ Viewing, searching, printing, and copying raw cluster data
■ Dynamically linking clusters with cluster chains and the files that use them
■ Examining the FAT and Master File Tables
■ Viewing files through external applications
■ Verifying the effectiveness of other file wiping programs

Permanent Deletion of Files

Drive wiping is a crucial component of all digital forensic examinations. Any drive that is not
thoroughly wiped has to be considered suspect. The following tools aid in this goal.

PDWipe

PDWipe is capable of wiping large hard drives (in excess of 8.4 GB) in just under 11 minutes.
It will perform a declassification drive wipe in accordance with the NAVSO P5239-10 security
standard. This wiping algorithm exceeds that specified by the DOD 5220.22-M specification
for both “clearing” and “purging” of sensitive information on hard drives.
PDWipe provides the option of specifying a character code other than 0x00 when wiping
a drive. It also offers the ability to wipe the drive using a random pattern. PDWipe can also
record Logical Sector Addresses and cylinder-head-sector (CHS) addresses for Int13 and Int13x
geometries at the beginning of the sectors being wiped. This is useful when diagnosing
architectural discrepancies when moving a drive between systems or validating imaging utilities.
PDWipe can process all drives in a system such that all drives can be wiped with a single
program operation. If desired, PDWipe will generate a report of the wiping activity performed
on a system. PDWipe can also verify that the contents of a specified number of randomly
chosen sectors have been wiped. If wipe verification is requested, PDWipe will also
automatically verify the first and last sector on the drive.
PDWipe supports any drive that is accessible to your system through Int13 or the
Microsoft/IBM Int13 extensions. System BIOSs typically provide this capability for all attached
IDE or EIDE devices. In addition, most SCSI adapters offer the ability to support attached
devices through Int13 as well.

Darik’s Boot and Nuke

Darik’s Boot and Nuke (DBAN) is available free from http://dban.sourceforge.net/. It is
a self-contained boot floppy that securely wipes the hard disks of most computers. DBAN will
automatically and completely delete the contents of any hard disk that it can detect, which
makes it an appropriate utility for bulk or emergency data destruction.
DBAN can ensure due diligence in computer recycling, is a way of preventing identity theft
if you want to sell a computer, and is a good way to totally clean a Microsoft Windows
installation of viruses and spyware. DBAN prevents or thoroughly hinders all known techniques
of hard disk forensic analysis.

File Integrity Checker

Failing to maintain the integrity of a file or drive image could be the end of a forensic
examination. These tools help you to prove that the file you copied into evidence has not been
altered subsequently. They make possible a quick and reliable diagnosis of a system image for
the purpose of determining whether any changes have occurred.

Filemon

Filemon and Regmon have been replaced by Process Monitor on Windows 2000 SP4,
Windows XP SP2, Windows Server 2003 SP1, and Windows Vista. Filemon and Regmon remain
available to support earlier Windows operating systems such as Windows 95.
Filemon monitors and displays file system activity on a system in real time. Its advanced
capabilities make it a powerful tool for exploring the way Windows works, seeing how
applications use files and DLLs, or tracking down problems in system or application file
configurations. Filemon’s timestamping feature can show you precisely when every open, read,
write, or delete operation happens, and its status column tells you the outcome. It begins
monitoring when you start it, and its output window can be saved to a file for offline viewing. It
has full search capability, and if you find that you’re getting information overload, simply set up
one or more filters.

File Date Time Extractor

File Date Time Extractor (FDTE) from Digital Detectives searches through binary files to
uncover hidden, embedded, 64-bit date and time data. Windows files, such as Word documents,
contain several timestamp formats. It is important to note that false positives are common,
because some data patterns in files look like timestamps but are not.

Decode: Forensic Date/Time Decoder

This utility was designed to decode the various date/time values found embedded within
binary and other file types. It supports the following date/time formats and allows you to
specify the offset from GMT:
■ Windows 64-bit (little endian) date and time
■ Windows 64-bit (big endian) date and time
■ Windows cookie-format date and time
■ Windows filetime-format date and time
■ UNIX 32-bit (little endian) date and time
■ UNIX 32-bit (big endian) date and time
■ UNIX numeric date and time
■ Mac absolute date and time
■ MS-DOS 32-bit date and time
■ HFS 32-bit (little endian) date and time
■ HFS 32-bit (big endian) date and time
■ HFS+ 32-bit (little endian) date and time
■ HFS+ 32-bit (big endian) date and time
Date and time values are stored within Windows in various formats. For example, Internet
History (index.dat), recycle bin (INFO) files, Windows link files, and Microsoft Office
documents contain a 64-bit date/time structure. Decode can take a decimal or hexadecimal
value and convert it into a date and time value in a variety of formats.
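As an added example (my own code, not from the page, from Digital Detectives, or from the Decode utility), the decoders below implement the main formats in the list above, apply a GMT offset the way Decode's offset field does, and show why the FDTE section's warning about false positives holds: sliding an 8-byte window across a constructed buffer and keeping only FILETIME candidates that decode to a plausible year. The sample buffer, the year window, and all function names are assumptions.

```python
import struct
from datetime import datetime, timedelta, timezone

# Epochs of the timestamp families listed above; all arithmetic is done in UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # Windows 64-bit FILETIME
EPOCH_1904 = datetime(1904, 1, 1, tzinfo=timezone.utc)  # HFS / HFS+
EPOCH_2001 = datetime(2001, 1, 1, tzinfo=timezone.utc)  # Mac absolute time

def filetime_to_dt(raw, little_endian=True):
    """Windows 64-bit FILETIME: 100-nanosecond ticks since 1601-01-01 UTC."""
    (ticks,) = struct.unpack("<Q" if little_endian else ">Q", raw[:8])
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)

def unix32_to_dt(raw, little_endian=True):
    """UNIX 32-bit time_t: seconds since 1970-01-01 UTC."""
    (secs,) = struct.unpack("<I" if little_endian else ">I", raw[:4])
    return datetime.fromtimestamp(secs, tz=timezone.utc)

def hfs_to_dt(raw, little_endian=False):
    """HFS/HFS+ 32-bit: seconds since 1904-01-01 (HFS stores local time, HFS+ stores UTC)."""
    (secs,) = struct.unpack("<I" if little_endian else ">I", raw[:4])
    return EPOCH_1904 + timedelta(seconds=secs)

def mac_absolute_to_dt(secs):
    """Mac absolute time: seconds since 2001-01-01 UTC."""
    return EPOCH_2001 + timedelta(seconds=secs)

def dos_to_dt(raw):
    """MS-DOS 32-bit packed time then date (FAT directory entry / ZIP header order); local, naive."""
    t, d = struct.unpack("<HH", raw[:4])
    return datetime(1980 + (d >> 9), (d >> 5) & 0xF, d & 0x1F,
                    t >> 11, (t >> 5) & 0x3F, (t & 0x1F) * 2)

def with_gmt_offset(dt, offset_hours):
    """Shift a decoded UTC value to an examiner-chosen GMT offset (what Decode's offset field does)."""
    return dt.astimezone(timezone(timedelta(hours=offset_hours)))

def carve_filetimes(data, year_min=1995, year_max=2025, little_endian=True):
    """Slide an 8-byte window over a blob and keep FILETIME candidates with a plausible year.
    Arbitrary bytes often decode to *some* date, which is the source of the false positives
    FDTE warns about; a year window is the usual first filter, and survivors still need to be
    confirmed against the file format at that offset."""
    hits = []
    for off in range(len(data) - 7):
        try:
            dt = filetime_to_dt(data[off:off + 8], little_endian)
        except (OverflowError, ValueError):  # too large to be a datetime at all
            continue
        if year_min <= dt.year <= year_max:
            hits.append((off, dt))
    return hits

# Constructed sample buffer (not from any real file): 4 bytes of padding, a FILETIME for
# 2010-01-01 00:00:00 UTC, 8 bytes of 0xFF, and a tiny value that decodes to the year 1601.
FT_2010 = (11644473600 + 1262304000) * 10_000_000  # 1601->1970 plus 1970->2010, in 100 ns ticks
SAMPLE = b"\x00" * 4 + struct.pack("<Q", FT_2010) + b"\xff" * 8 + struct.pack("<Q", 12345)

if __name__ == "__main__":
    for off, dt in carve_filetimes(SAMPLE):
        print(f"offset {off}: {dt.isoformat()}  at GMT-5: {with_gmt_offset(dt, -5).isoformat()}")
    print("unix:", unix32_to_dt(b"\x00\x3b\x3d\x4b"))  # 2010-01-01 00:00:00+00:00
    print("dos: ", dos_to_dt(b"\xc0\x63\x21\x3c"))      # 2010-01-01 12:30:00
```

Only the 8-byte window at offset 4 survives the year filter; the overlapping windows on either side of it decode to dates thousands of years out, or to 1601, which is exactly the noise an FDTE-style scan has to discard.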

Disk Imaging Tools

These tools will create a bit-image copy of a drive or other media.

Snapback DatArrest

SnapBack DatArrest can obtain mirror images of different operating systems. It provides
successful backup of data present on the hard disk of a system. It is designed specifically to
back up mission-critical data.
The captured image contains all system and networking software with associated drivers,
software applications, and configurations, and all the files including deleted files, slack space, and
data files, as well as the CMOS settings for the system.
The data gathering takes place in several modes, such as copying server hard drives to tape,
PC hard drives to tape, server or PC hard drives to removable media, hard drives to hard drives,
or tape to tape. It obtains a bit-level backup of data present on a hard disk. The DatArrest Suite
provides the ability to copy:
■ Server hard drive to tape
■ PC hard drive to tape
■ Server or PC hard drive to removable media
■ Hard drive to hard drive
■ Tape to tape
DatArrest backs up any hard drive (SCSI, IDE, etc.) to any SCSI tape drive, removable
drive, and even a SCSI or IDE hard drive.

Partition Managers: Partimage

Partimage is a Linux utility which saves partitions with a supported file system to an image file.
Most Linux and Windows file systems are supported. The image file can be compressed with
the gzip or bzip2 programs to save disk space, and it can be split into multiple files to be
copied to CDs or DVDs. Partitions can also be saved across the network using the Partimage
network support, or using Samba or NFS. If you don’t want to install Partimage, you can
download and run it from a CD.

Linux/UNIX Tools: Ltools and Mtools

The Ltools application is equipped with many command-line applications, which are executed
from an MS-DOS window in Windows 9x, Windows ME, Windows NT, Windows 2000, or
Windows XP. These applications provide the same functionality as the Linux “ls”, “cp”, “rm”,
“chmod”, “chown”, and “ln” commands. Therefore, the MS-DOS and Windows operating
systems allow users to list Linux files and directories and to copy files from Linux to Windows.
Supported command sets include:
1. Delete or rename files in Linux (ldel and lren)
2. Creation of symbolic links (lln)
3. Create new Linux directories (lmkdir)
4. Modify a Linux file’s access rights (lchange)
5. Change the Linux default directory (lcdrive)
Many of the tools present in UNIX operating systems bundle several functions into a
single executable file; the individual function is selected by command-line parameters.
The MTools application is a group of tools that allow a user on a UNIX system to work with
MS-DOS media. The MTools application can perform read, write, and other operations on
MS-DOS files. Each application mirrors a command that is present in MS-DOS. The MTools
application also allows the user to mount and unmount floppy disks.

The Coroner’s Toolkit and Tctutils

Dan Farmer and Wietse Venema developed The Coroner’s Toolkit (TCT). This is a group of
applications that can be used to aid a forensics investigation on UNIX systems. It can be
executed on most UNIX/Linux operating systems.
The Coroner’s Toolkit has a collection of applications and plug-ins that give the program
additional functionality. The Coroner’s Toolkit was first put into use for the purpose of a
post-mortem analysis of a UNIX operating system after a break-in. The application was first
given to a computer forensic class for real-life application in the field in 1999. This tool is
mainly designed to help in a forensic investigation and is one of the most frequently used by
forensic investigators.

Password Recovery Tools

A password cracker hashes all the words in a dictionary file and compares every result with the
password hash. If a match is found, the password is the dictionary word. The following are tools
that may be used to find poorly configured passwords.

@Stake

The L0phtCrack application has been upgraded to version 5, which is the latest version. The
L0phtCrack application is an award-winning password auditing and recovery application used
by many companies worldwide. The L0phtCrack application uses many methods to
reduce the security risk to network administrators by:
1. Identifying and resolving security vulnerabilities.
2. Recovering Windows and UNIX account passwords.
3. Rapidly processing accounts by using precomputed password tables.
L0phtCrack is equipped with many additional features, which include automated password
scanning that can be scheduled and Windows and UNIX operating system support. The
application is also equipped with a remote scanning engine for multiple domains. There are
many dictionaries for constructing new and secure passwords.
