Chapter 6


Some questions to ask when evaluating tools include the following:

1. On which OS does the forensics tool run? Does the tool run on multiple OSs?
2. Is the tool versatile? For example, does it work in both Windows and Linux? Does it work in macOS?
3. Can the tool analyze more than one file system, such as FAT, NTFS, and Ext4?
4. Can a scripting language be used with the tool to automate repetitive functions and tasks?
5. Does the tool have any automated features that can help reduce the time needed to analyze data?
6. What's the vendor's reputation for providing product support? For open-source tools, how good are the support forums?

List some software forensics tools:

1. PassMark Software OSForensics
2. X-Ways Forensics
3. Guidance Software EnCase
4. Magnet Forensics AXIOM
5. AccessData FTK

Two types of data-copying methods are used in software acquisitions:

1. Physical copying of the entire drive
2. Logical copying of a disk partition

Subfunctions in the acquisition category include the following:

1. Physical data copy
2. Logical data copy
3. Data acquisition format
4. Command-line acquisition
5. GUI acquisition
6. Remote, live, and memory acquisitions

Hardware forensics tools can either be:

1. Single-purpose components
2. Complete computer systems and servers

What is the Tableau T35es-R2 SATA/IDE eSATA bridge?

A hardware forensics tool that is a single-purpose component that makes it possible to access a SATA or an IDE drive with one device

Some digital forensics software suites, such as ____, have separate tools for acquiring an image

AccessData FTK

Popular tools, such as ____ and ____, can do remote acquisitions of forensic drive images on a network, and these acquisitions can also be done with a dd command

AccessData, EnCase

____ is designed for data recovery of failed drives, a feature that comes in handy in many situations

Ace Laboratory systems

____, the first task in digital forensics investigations, is making a copy of the original drive

Acquisition

____ compete for resources with a digital forensics program, and a forensics program or the OS can stop running or hang, causing delays in your investigation

Background programs

____ can also be used to find data for evidence in criminal investigations or to build a case for terminating an employee

Filtering

Many ____ acquisition tools can read all structures in an image file as though the image were the original drive and have the capability to analyze image files

GUI

____ states that Digital Evidence First Responders (DEFRs) should use validated tools

ISO standard 27037

____ states that the most important factors in data acquisition are the DEFR's competency and the use of validated tools, and it includes guidelines on how to approach acquisition in different situations

ISO standard 27037

The ____ has compiled a list of known file hashes for a variety of OSs, applications, and images that you can download. It's also adding hash values for mobile apps, specifically iOS and Android

National Software Reference Library (NSRL)

When planning purchases for your forensics lab, what should you do?

Determine what a new forensics tool can do better than one you're currently using. In particular, assess how well the software performs in validation tests, and then verify the integrity of the tool's results

____ companies are geographically diverse, so investigators might not be able to get physical access to systems without traveling long distances

Enterprise-level

____ forensics tools are grouped into command-line applications and GUI applications. Some tools are specialized to perform one task

Software

What is Extraction?

The process of pulling relevant data from an image and recovering or reconstructing data fragments; one of the required functions of digital forensics tools

Why is using a hashing algorithm important?

This method produces a unique hexadecimal value for ensuring that the original data hasn't changed and copies are of the same unchanged data or image

Many GUI forensics tools require a lot of resources and demand computers with more memory and faster processor speeds or more processors (T/F)

True

Many digital forensics tools include a data-viewing mechanism for digital evidence and offer several ways to view data, including logical drive structures, such as folders and files (T/F)

True

Using a hashing algorithm on the entire suspect drive and all its files is a standard practice (T/F)

True

____ tools and ____ data are what allow filtering

Validating, verifying

____ is a way to confirm that a tool is functioning as intended

Validation

____ proves that two sets of data are identical by calculating hash values or using another similar method

Verification

____ acquisition of files is common in larger organizations

Remote

____ file extensions is often done to disguise or hide data, and you could miss pertinent data if you don't check file headers

Renaming

How do you validate a tool?

You can use forensic images that have been created for desktop and mobile devices; these files are posted on Web sites such as NIST's CFTT or the Scientific Working Group on Digital Evidence (SWGDE) and tell you what the tool should find as evidence on the drives. They can also give you ranges of results so that you can determine, for example, that a tool works well for acquiring Linux images but has problems with older Windows versions. These groups also publish the results of testing hardware acquisition tools

Logical acquisition, however, requires...

a live acquisition because you need to log on to the system.

However, some investigators opt to use hardware devices, such as Tableau TD2, Logicube Talon, VOOM Hardcopy 3P, or Image MASSter Solo-4 Forensic unit from Intelligent Computer Solutions, Inc., for...

acquiring an image

Forensics tools are constantly being developed, updated, patched, revised, and discontinued. Therefore, checking vendors' Web sites routinely to look for new features and improvements is important. These improvements might...

address a difficult problem you're having in an investigation

After validating a tool, you must also make sure...

all forensic copies of a particular device have the same hash value

You need to develop a ____ to justify the acquisition of digital forensics hardware and software

business plan

All forensics acquisition tools have a method for verification of the data-copying process that compares the original drive with the image. For example, EnCase prompts you to...

calculate the MD5 hash value of acquired data

The investigation process also involves reconstructing fragments of files that have been deleted from a suspect drive. In North America, this reconstruction is called ____

carving

Software forensics tools are commonly used to...

copy data from a suspect's drive to an image file

Hardware devices, such as Tableau TD2, Logicube Talon, VOOM Hardcopy 3P, or Image MASSter Solo-4 Forensic unit from Intelligent Computer Solutions, Inc., have built-in software for...

data acquisition. No other device or program is needed to make a duplicate drive; however, you still need forensics software to analyze the data

Popular tools, such as AccessData and EnCase, can do remote acquisitions of forensic drive images on a network, and these acquisitions can also be done with a ____ command.

dd

The raw data format is typically created with the Linux ____ command

dd

The investigation process also involves reconstructing fragments of files that have been ____ from a suspect drive

deleted

In acquisition, what's most important is...

documenting what was done and why

One reason to choose a logical acquisition is drive ____

encryption

The ____ function is the recovery task in a digital investigation and is the most challenging of all tasks to master

extraction

Investigators often need to be able to extract data from unallocated disk space. Locating ____ information, as mentioned in "Validation and Verification," is a reliable method for carving data

file header

Searching and comparing ____ rather than file extensions improves filtering

file headers

Another related process to validation and verification is ____, which involves sorting and searching through investigation findings to separate good data and suspicious data

filtering

Recovering data is the ____ step in analyzing an investigation's data

first

Another feature to consider for extraction is the ____ the forensics tool can read

format

You can also use ____ to create a known good hash value list of a fresh installation of an OS, all applications, and known good images and documents (spreadsheets, text files, and so on)

hash values

Another feature to consider is ____. It's useful for identifying fragments of data in slack and free disk space that might be partially overwritten.

hashing and comparing sectors of data

Whether you choose a software or hardware solution for acquisition, make sure the tool has a ____ for verification purposes

hashing function

Each file type has a ____ associated with a file extension, and many forensics tools include a list of common file headers

header value

Another way to filter data is analyzing and verifying ____ for known file types

header values

To view these file headers, you use a ____, which can tell you whether a file extension is incorrect for the file type

hexadecimal editor

WinHex and Hex Workshop give you a...

hexadecimal view or a plaintext view of the data

With known good hash values, an investigator could...

ignore all files on this known good list and focus on other files that aren't on this list

With some tools, you can set filters to select file types to search, such as searching only PDF files. Another function in some forensics tools, such as X-Ways Forensics and OSForensics, is ____ all words on a drive. These features speed up keyword searches, which speeds up analysis

indexing

Forensics tools have functions for searching for keywords of interest to the investigation. Using a ____ speeds up the analysis process, if used correctly; however, a poor selection of keywords generates too much information

keyword search

Several digital forensics tools can integrate known good file hash sets and compare them with file hashes from a suspect drive to see whether they match. With this process, you can eliminate...

large amounts of data quickly so that you can focus your evidence analysis

Searching and comparing file headers rather than file extensions improves filtering. With this feature, you can...

locate files that might have been altered intentionally

Creating smaller segmented files is a typical feature in vendor acquisition tools. Their purpose is to...

make it easier to store acquired data on smaller media, such as CDs and USB drives

Other acquisition tools require combining hardware devices and software programs to make disk acquisitions. For example, many software tools...

mount drives as read-only, and others might require a physical write-blocker

When you're selecting tools for your lab, keep an...

open mind, and compare platforms and applications for different tasks

Sometimes GUI forensics tools require more resources than a typical workstation has because of...

other applications, such as antivirus programs, running in the background

PassMark Software OSForensics, X-Ways Forensics, Guidance Software EnCase, Magnet Forensics AXIOM, and AccessData FTK are GUI tools designed to...

perform most forensics acquisition and analysis functions

Making a ____ acquisition of a drive with whole disk encryption can result in unreadable data

physical

Most software acquisition tools include the option of imaging an entire ____ drive or just a ____ partition

physical, logical

Acquisition is a procedure that...

preserves the original drive to make sure it doesn't become corrupt and damage the digital evidence

The ____ format, typically created with the Linux dd command, is a simple bit-for-bit copy of a data file, a disk partition, or an entire drive

raw data

Disk acquisition formats vary from ____ to ____

raw data, vendor-specific proprietary

Making a physical acquisition of a drive with whole disk encryption can result in unreadable data. With a logical acquisition, however, you can still...

read and analyze the files

A common task in digital investigations is searching for and recovering ____

relevant data

The investigation process also involves reconstructing fragments of files that have been deleted from a suspect drive. In Europe, this reconstruction is called ____

salvaging

When performing filtering, you...

separate good data from suspicious data

Before purchasing any forensics tools, consider whether...

the tool can save you time during investigations and whether that time savings affects the reliability of data you recover

Most forensics tools analyze ____ of a drive or a ____ and locate fragments or entire file structures that can be carved and copied into a newly reconstructed file

unallocated areas, forensic image

Any tool that has a built-in software write-blocker should be...

verified to make sure evidence hasn't been altered

Another way to narrow down a search is by using...

word lists created for a specific case

Validation and verification functions do not work hand in hand (T/F)

False

What is SafeBack?

A software forensics tool created by New Technologies, Inc. (NTI) that was designed as a command-line disk acquisition tool. It's no longer supported, but you can still find it distributed online. It's used more as a reliable fallback when all else fails than as a primary tool

The following categories of functions are meant as guidelines for evaluating digital forensics tools, with subfunctions for refining data analysis and recovery and ensuring data quality:

1. Acquisition
2. Validation and verification
3. Extraction
4. Reconstruction
5. Reporting

NIST's CFTT and other groups include additional functions (that aren't in the guidelines for evaluating digital forensics tools), such as:

1. Data acquisition
2. Data extraction from mobile devices
3. File reconstruction
4. String searching

The following subfunctions of extraction are used in investigations:

1. Data viewing
2. Keyword searching
3. Decompressing or uncompressing
4. Carving
5. Decrypting
6. Bookmarking or tagging

Some examples of complete systems (hardware forensics tools) are:

1. Digital Intelligence F.R.E.D. systems
2. DIBS Advanced Forensic Workstations
3. Forensic Computers' Forensic Examination Stations
4. Ace Laboratory systems

Digital forensics tools are divided into two major categories:

1. Hardware
2. Software

All digital forensics tools, both hardware and software, perform specific functions. When you're testing new tools, you might find it helpful to follow guidelines set up by:

1. NIST's Computer Forensics Tool Testing (CFTT) program
2. ASTM International's (formerly the American Society for Testing and Materials) E2678 standard
3. International Organization on Computer Evidence (IOCE)

What is a Keyword Search?

A method of finding files or other information by entering relevant characters, words, or phrases in a search tool

What is the Computer Forensics Tool Testing (CFTT) program?

A project sponsored by the National Institute of Standards and Technology (NIST) to manage research on digital forensics tools

A raw-format imaging tool can copy data from one drive to another disk or to segmented files. Because it's a true unaltered copy, you can view a raw image file's contents with any hexadecimal editor, such as ____ or ____

Hex Workshop, WinHex

A standard indicator for graphics files is the hex value ____

FF D8

____ consists of known files, such as OS files, common applications (Microsoft Word, for example), and standard files used in a company's day-to-day business

Good data

____ forensics tools range from simple, single-purpose components to complete computer systems and servers

Hardware

Hardware acquisition tools, such as Image ____, can perform simultaneous MD5 and CRC-32 hashing during data acquisition

MASSter Solo-4

All forensics acquisition tools have a method for verification of the data-copying process that compares the original drive with the image. For example, FTK validates...

MD5 and SHA-1 hash sets during data acquisition

____, for example, enables you to acquire the forensic image and process it in the same step.

Magnet AXIOM

When you search for tools, keep in mind what ____ and ____ types you'll be analyzing

OSs, file

Another widely used GUI tool, ____, has been acquired by ARC Group, a cybersecurity company

Technology Pathways ProDiscover Forensics Edition

What is Acquisition?

The process of creating a duplicate image of data; one of the required functions of digital forensics tools

