Chapter 6
Some questions to ask when evaluating tools include the following:
1. On which OS does the forensics tool run? Does the tool run on multiple OSs?
2. Is the tool versatile? For example, does it work in both Windows and Linux? Does it work in macOS?
3. Can the tool analyze more than one file system, such as FAT, NTFS, and Ext4?
4. Can a scripting language be used with the tool to automate repetitive functions and tasks?
5. Does the tool have any automated features that can help reduce the time needed to analyze data?
6. What's the vendor's reputation for providing product support? For open-source tools, how good are the support forums?
List some software forensics tools:
1. PassMark Software OSForensics
2. X-Ways Forensics
3. Guidance Software EnCase
4. Magnet Forensics AXIOM
5. AccessData FTK
Two types of data-copying methods are used in software acquisitions:
1. Physical copying of the entire drive 2. Logical copying of a disk partition
Subfunctions in the acquisition category include the following:
1. Physical data copy
2. Logical data copy
3. Data acquisition format
4. Command-line acquisition
5. GUI acquisition
6. Remote, live, and memory acquisitions
Hardware forensics tools can either be:
1. Single-purpose components 2. Complete computer systems and servers
What is the Tableau T35es-R2 SATA/IDE eSATA bridge?
A hardware forensics tool that is a single-purpose component that makes it possible to access a SATA or an IDE drive with one device
Some digital forensics software suites, such as ____, have separate tools for acquiring an image
AccessData FTK
Popular tools, such as ____ and ____, can do remote acquisitions of forensic drive images on a network, and these acquisitions can also be done with a dd command
AccessData, EnCase
____ is designed for data recovery of failed drives, a feature that comes in handy in many situations
Ace Laboratory systems
____, the first task in digital forensics investigations, is making a copy of the original drive
Acquisition
____ compete for resources with a digital forensics program, and a forensics program or the OS can stop running or hang, causing delays in your investigation
Background programs
____ can also be used to find data for evidence in criminal investigations or to build a case for terminating an employee
Filtering
Many ____ acquisition tools can read all structures in an image file as though the image were the original drive and have the capability to analyze image files
GUI
____ states that Digital Evidence First Responders (DEFRs) should use validated tools
ISO standard 27037
____ states that the most important factors in data acquisition are the DEFR's competency and the use of validated tools, and it includes guidelines on how to approach acquisition in different situations
ISO standard 27037
The ____ has compiled a list of known file hashes for a variety of OSs, applications, and images that you can download. It's also adding hash values for mobile apps, specifically iOS and Android
National Software Reference Library (NSRL)
When planning purchases for your forensics lab, what should you do?
Determine what a new forensics tool can do better than one you're currently using. In particular, assess how well the software performs in validation tests, and then verify the integrity of the tool's results
____ companies are geographically diverse, so investigators might not be able to get physical access to systems without traveling long distances
Enterprise-level
____ forensics tools are grouped into command-line applications and GUI applications. Some tools are specialized to perform one task
Software
What is Extraction?
The process of pulling relevant data from an image and recovering or reconstructing data fragments; one of the required functions of digital forensics tools
Why is using a hashing algorithm important?
This method produces a unique hexadecimal value for ensuring that the original data hasn't changed and copies are of the same unchanged data or image
Many GUI forensics tools require a lot of resources and demand computers with more memory and faster processor speeds or more processors (T/F)
True
Many digital forensics tools include a data-viewing mechanism for digital evidence and offer several ways to view data, including logical drive structures, such as folders and files (T/F)
True
Using a hashing algorithm on the entire suspect drive and all its files is a standard practice (T/F)
True
____ tools and ____ data are what allow filtering
Validating, verifying
____ is a way to confirm that a tool is functioning as intended
Validation
____ proves that two sets of data are identical by calculating hash values or using another similar method
Verification
____ acquisition of files is common in larger organizations
Remote
____ file extensions is often done to disguise or hide data, and you could miss pertinent data if you don't check file headers
Renaming
How do you validate a tool?
You can use forensic images that have been created for desktop and mobile devices; these files are posted on Web sites such as NIST's CFTT or the Scientific Working Group on Digital Evidence (SWGDE) and tell you what the tool should find as evidence on the drives. They can also give you ranges of results so that you can determine, for example, that a tool works well for acquiring Linux images but has problems with older Windows versions. These groups also publish the results of testing hardware acquisition tools
Logical acquisition, however, requires...
a live acquisition because you need to log on to the system.
However, some investigators opt to use hardware devices, such as Tableau TD2, Logicube Talon, VOOM Hardcopy 3P, or Image MASSter Solo-4 Forensic unit from Intelligent Computer Solutions, Inc., for...
acquiring an image
Forensics tools are constantly being developed, updated, patched, revised, and discontinued. Therefore, checking vendors' Web sites routinely to look for new features and improvements is important. These improvements might...
address a difficult problem you're having in an investigation
After validating a tool, you must also make sure...
all forensic copies of a particular device have the same hash value
You need to develop a ____ to justify the acquisition of digital forensics hardware and software
business plan
All forensics acquisition tools have a method for verification of the data-copying process that compares the original drive with the image. For example, EnCase prompts you to...
calculate the MD5 hash value of acquired data
The investigation process also involves reconstructing fragments of files that have been deleted from a suspect drive. In North America, this reconstruction is called ____
carving
Software forensics tools are commonly used to...
copy data from a suspect's drive to an image file
Hardware devices, such as Tableau TD2, Logicube Talon, VOOM Hardcopy 3P, or Image MASSter Solo-4 Forensic unit from Intelligent Computer Solutions, Inc., have built-in software for...
data acquisition. No other device or program is needed to make a duplicate drive; however, you still need forensics software to analyze the data
Popular tools, such as AccessData and EnCase, can do remote acquisitions of forensic drive images on a network, and these acquisitions can also be done with a ____ command.
dd
The raw data format is typically created with the Linux ____ command
dd
The investigation process also involves reconstructing fragments of files that have been ____ from a suspect drive
deleted
In acquisition, what's most important is...
documenting what was done and why
One reason to choose a logical acquisition is drive ____
encryption
The ____ function is the recovery task in a digital investigation and is the most challenging of all tasks to master
extraction
Investigators often need to be able to extract data from unallocated disk space. Locating ____ information, as mentioned in "Validation and Verification," is a reliable method for carving data
file header
Searching and comparing ____ rather than file extensions improves filtering
file headers
Another related process to validation and verification is ____, which involves sorting and searching through investigation findings to separate good data and suspicious data
filtering
Recovering data is the ____ step in analyzing an investigation's data
first
Another feature to consider for extraction is the ____ the forensics tool can read
format
You can also use ____ to create a known good hash value list of a fresh installation of an OS, all applications, and known good images and documents (spreadsheets, text files, and so on)
hash values
Another feature to consider is ____. It's useful for identifying fragments of data in slack and free disk space that might be partially overwritten.
hashing and comparing sectors of data
Whether you choose a software or hardware solution for acquisition, make sure the tool has a ____ for verification purposes
hashing function
Each file type has a ____ associated with a file extension, and many forensics tools include a list of common file headers
header value
Another way to filter data is analyzing and verifying ____ for known file types
header values
To view these file headers, you use a ____, which can tell you whether a file extension is incorrect for the file type
hexadecimal editor
WinHex and Hex Workshop give you a...
hexadecimal view or a plaintext view of the data
With known good hash values, an investigator could...
ignore all files on this known good list and focus on other files that aren't on this list
With some tools, you can set filters to select file types to search, such as searching only PDF files. Another function in some forensics tools, such as X-Ways Forensics and OSForensics, is ____ all words on a drive. These features speed up keyword searches, which speeds up analysis
indexing
Forensics tools have functions for searching for keywords of interest to the investigation. Using a ____ speeds up the analysis process, if used correctly; however, a poor selection of keywords generates too much information
keyword search
Several digital forensics tools can integrate known good file hash sets and compare them with file hashes from a suspect drive to see whether they match. With this process, you can eliminate...
large amounts of data quickly so that you can focus your evidence analysis
Searching and comparing file headers rather than file extensions improves filtering. With this feature, you can...
locate files that might have been altered intentionally
Creating smaller segmented files is a typical feature in vendor acquisition tools. Their purpose is to...
make it easier to store acquired data on smaller media, such as CDs and USB drives
Other acquisition tools require combining hardware devices and software programs to make disk acquisitions. For example, many software tools...
mount drives as read-only, and others might require a physical write-blocker
When you're selecting tools for your lab, keep an...
open mind, and compare platforms and applications for different tasks
Sometimes GUI forensics tools require more resources than a typical workstation has because of...
other applications, such as antivirus programs, running in the background
PassMark Software OSForensics, X-Ways Forensics, Guidance Software EnCase, Magnet Forensics AXIOM, and AccessData FTK are GUI tools designed to...
perform most forensics acquisition and analysis functions
Making a ____ acquisition of a drive with whole disk encryption can result in unreadable data
physical
Most software acquisition tools include the option of imaging an entire ____ drive or just a ____ partition
physical, logical
Acquisition is a procedure that...
preserves the original drive to make sure it doesn't become corrupt and damage the digital evidence
The ____ format, typically created with the Linux dd command, is a simple bit-for-bit copy of a data file, a disk partition, or an entire drive
raw data
Disk acquisition formats vary from ____ to ____
raw data, vendor-specific proprietary
Making a physical acquisition of a drive with whole disk encryption can result in unreadable data. With a logical acquisition, however, you can still...
read and analyze the files
A common task in digital investigations is searching for and recovering ____
relevant data
The investigation process also involves reconstructing fragments of files that have been deleted from a suspect drive. In Europe, this reconstruction is called ____
salvaging
When performing filtering, you...
separate good data from suspicious data
Before purchasing any forensics tools, consider whether...
the tool can save you time during investigations and whether that time savings affects the reliability of data you recover
Most forensics tools analyze ____ of a drive or a ____ and locate fragments or entire file structures that can be carved and copied into a newly reconstructed file
unallocated areas, forensic image
Any tool that has a built-in software write-blocker should be...
verified to make sure evidence hasn't been altered
Another way to narrow down a search is by using...
word lists created for a specific case
Validation and verification functions do not work hand in hand (T/F)
False
What is SafeBack?
A software forensics tool created by New Technologies, Inc. (NTI) and designed as a command-line disk acquisition tool. It's no longer supported, but you can still find it distributed online. However, it's used more as a reliable fallback when all else fails than as a primary tool
The following categories of functions are meant as guidelines for evaluating digital forensics tools, with subfunctions for refining data analysis and recovery and ensuring data quality:
1. Acquisition
2. Validation and verification
3. Extraction
4. Reconstruction
5. Reporting
NIST's CFTT and other groups include additional functions (that aren't in the guidelines for evaluating digital forensics tools), such as:
1. Data acquisition
2. Data extraction from mobile devices
3. File reconstruction
4. String searching
The following subfunctions of extraction are used in investigations:
1. Data viewing
2. Keyword searching
3. Decompressing or uncompressing
4. Carving
5. Decrypting
6. Bookmarking or tagging
Some examples of complete systems (hardware forensics tools) are:
1. Digital Intelligence F.R.E.D. systems
2. DIBS Advanced Forensic Workstations
3. Forensic Computers' Forensic Examination Stations
4. Ace Laboratory systems
Digital forensics tools are divided into two major categories:
1. Hardware 2. Software
All digital forensics tools, both hardware and software, perform specific functions. When you're testing new tools, you might find it helpful to follow guidelines set up by:
1. NIST's Computer Forensics Tool Testing (CFTT) program
2. ASTM International's (formerly the American Society for Testing and Materials) E2678 standard
3. International Organization on Computer Evidence (IOCE)
What is a Keyword Search?
A method of finding files or other information by entering relevant characters, words, or phrases in a search tool
What is the Computer Forensics Tool Testing (CFTT) program?
A project sponsored by the National Institute of Standards and Technology (NIST) to manage research on digital forensics tools
A raw-format imaging tool can copy data from one drive to another disk or to segmented files. Because it's a true unaltered copy, you can view a raw image file's contents with any hexadecimal editor, such as ____ or ____
Hex Workshop, WinHex
A standard indicator for graphics files is the hex value ____
FF D8
____ consists of known files, such as OS files, common applications (Microsoft Word, for example), and standard files used in a company's day-to-day business
Good data
____ forensics tools range from simple, single-purpose components to complete computer systems and servers
Hardware
Hardware acquisition tools, such as Image ____, can perform simultaneous MD5 and CRC-32 hashing during data acquisition
MASSter Solo-4
All forensics acquisition tools have a method for verification of the data-copying process that compares the original drive with the image. For example, FTK validates...
MD5 and SHA-1 hash sets during data acquisition
____, for example, enables you to acquire the forensic image and process it in the same step.
Magnet AXIOM
When you search for tools, keep in mind what ____ and ____ types you'll be analyzing
OSs, file
Another widely used GUI tool, ____, has been acquired by ARC Group, a cybersecurity company
Technology Pathways ProDiscover Forensics Edition
What is Acquisition?
The process of creating a duplicate image of data; one of the required functions of digital forensics tools