Department of

Computer Science and

Engineering

FORENSICS IN CYBER SECURITY

Course Code : 20232IT204
Year / Semester : 2024-25/ SUMMER
Slot :
Course Category : Program Elective
Faculty Name : Dr. M Saravanan
Credits :4
Hours :75

School of Computing
Vel Tech Rangarajan Dr. Sagunthala R&D Institute of
Science and Technology
 Unit - 4

UNIT IV Forensics Tools

Evaluating Forensics Tool Needs- Tasks performed by forensics

tools- Forensics Software Tools: Command-line forensic tools,
Linux forensic tools- Forensics Hardware Tools: Forensic
work station, Write-Blocker- Validating and Testing Forensics
Software

Department of Computer Science and Engineering 2

 Objectives

• Explain how to evaluate needs for computer

forensics tools
• Describe available computer forensics software tools
• List some considerations for computer forensics
hardware tools
• Describe methods for validating and testing
computer forensics tools

Department of Computer Science and Engineering 3

 Current computer Forensic tools

• Computer forensics tools are constantly being developed,

updated, patched, and revised.

• Therefore, checking vendors’ Web sites routinely to look for

new features and improvements is important.

• Before purchasing any forensics tools, consider whether the

tool can save you time during investigations and whether
that time savings affects the reliability of data you recover.

Department of Computer Science and Engineering 4

Evaluating Computer Forensics Tool Need
Some questions to ask when evaluating computer forensic tools:

• On which OS does the forensics tool run?

• Is the tool versatile? For example, does it work in Windows 98, XP, and
Vista and produce the same results in all three OSs?

• Can the tool analyze more than one file system, such as FAT, NTFS,
and Ext2fs?

• Can a scripting language be used with the tool to automate repetitive

functions and tasks?

• Does the tool have any automated features that can help reduce the
time needed to analyze data?

• What is the vendor’s reputation for providing product support?

Department of Computer Science and Engineering 5

Evaluating Computer Forensics Tool Need

• When you search for tools, keep in mind what file types you’ll be
analyzing.

• For example, if you need to analyze Microsoft Access databases, look

for a product designed to read these files.

• If you’re analyzing e-mail messages, look for a forensics tool capable

of reading e-mail content.

Department of Computer Science and Engineering 6

Evaluating Computer Forensics Tool Need

Department of Computer Science and Engineering 7

 Types of Computer Forensics Tools

• Hardware forensic tools

• Range from single-purpose components to complete
computer systems and servers
• Software forensic tools
• Types
• Command-line applications
• GUI applications
• Commonly used to copy data from a suspect’s disk drive
to an image file

Department of Computer Science and Engineering 8

 Types of Computer Forensics Tools

• All computer forensics tools, both hardware and software,

perform specific functions.

These functions are grouped into five major categories.

• Acquisition
• Validation and discrimination
• Extraction
• Reconstruction
• Reporting

Department of Computer Science and Engineering 9

 Acquisition

• Acquisition, the first task in computer forensics investigations, is

making a copy of the original drive.

• Physical data copy

• Logical data copy
• Data acquisition format
• Command-line acquisition
• GUI acquisition
• Remote acquisition
• Verification

Department of Computer Science and Engineering 10

 Acquisition

• Acquisition
• Making a copy of the original drive
• Acquisition subfunctions:
• Physical data copy
• Logical data copy
• Data acquisition format
• Command-line acquisition
• GUI acquisition
• Remote acquisition
• Verification

Department of Computer Science and Engineering 11

 Acquisition

• Some computer forensics software suites, such as AccessData

FTK and EnCase, provide separate tools for acquiring an image.

• However, some investigators opt to use hardware devices,

such as the Logicube Talon, VOOM HardCopy 3, or
ImageMASSter Solo III Forensic unit from Intelligent Computer
Solutions, Inc., for acquiring an image.

• These hardware devices have their own built-in software for

data acquisition.

Department of Computer Science and Engineering 12

 Acquisition

• Acquisition (continued)
• Two types of data-copying methods are used in software
acquisitions:
• Physical copying of the entire drive
• Logical copying of a disk partition
• The formats for disk acquisitions vary
• From raw data to vendor-specific proprietary compressed data
• You can view the contents of a raw image file with any
hexadecimal editor

Department of Computer Science and Engineering 13

 Acquisition

Department of Computer Science and Engineering 14

 Cont..,

• Acquisition (continued)
• Creating smaller segmented files is a typical feature in
vendor acquisition tools
• All computer forensics acquisition tools have a method for
verification of the data-copying process
• That compares the original drive with the image

Department of Computer Science and Engineering 15

 Cont..,

• Two types of data-copying methods are used in software

acquisitions:

• physical copying of the entire drive and

• logical copying of a disk partition.

• The situation dictates whether you make a physical or logical

acquisition

Department of Computer Science and Engineering 16

 Validation and Discrimination

• Validation and discrimination

• Validation
• Ensuring the integrity of data being copied
• Discrimination of data
• Involves sorting and searching through all investigation data

Department of Computer Science and Engineering 17

 Validation and Discrimination

• Two issues in dealing with computer evidence are

critical. • First is ensuring the integrity of data being
copied—the validation process.

• Second is the discrimination of data, which involves

sorting and searching through all
investigation data.

• Many forensics software vendors offer three methods

for discriminating data values.

Department of Computer Science and Engineering 18

 Cont..,

• Hashing

• Filtering

• Analyzing file headers

• Validating data is done by obtaining hash

values.This unique hexadecimal value for data, used
to make sure the original data hasn’t changed.

Department of Computer Science and Engineering 19

 Validation and Discrimination

• The primary purpose of data discrimination is to remove

good data from suspicious data.

• Good data consists of known files, such as OS files and

common programs (Microsoft Word, for example).

• The National Software Reference Library (NSRL) has

compiled a list of known file hashes for a variety of OSs,
applications, and images.

Department of Computer Science and Engineering 20

Validation and Discrimination

Department of Computer Science and Engineering 21

 Cont..,

• Validation and discrimination (continued)

• Many computer forensics programs include a list of
common header values
• With this information, you can see whether a file extension is
incorrect for the file type
• Most forensics tools can identify header values

Department of Computer Science and Engineering 22

 Cont..,

Department of Computer Science and Engineering 23

 Cont..,

Department of Computer Science and Engineering 24

 Cont..,

Department of Computer Science and Engineering 25

 Extraction

• Extraction
• Recovery task in a computing investigation
• Most demanding of all tasks to master
• Recovering data is the first step in analyzing an
investigation’s data

Department of Computer Science and Engineering 26

 Extraction

• The extraction function is the recovery task in a computing investigation and is

the most challenging of all tasks to master.

• Recovering data is the first step in analyzing an investigation’s data.

• The following sub functions of extraction are used in investigations.

• Data viewing
• Keyword searching
• Decompressing
• Carving
• Decrypting
• Bookmarking

Department of Computer Science and Engineering 27

 Extraction

• Extraction (continued)
• Subfunctions
• Data viewing
• Keyword searching
• Decompressing
• Carving
• Decrypting
• Bookmarking
• Keyword search speeds up analysis for investigators

Department of Computer Science and Engineering 28

 Extraction

Department of Computer Science and Engineering 29

 Cont.,

Department of Computer Science and Engineering 30

 Extraction

• Extraction (continued)
• From an investigation perspective, encrypted files and
systems are a problem
• Many password recovery tools have a feature for
generating potential password lists
• For a password dictionary attack
• If a password dictionary attack fails, you can run a brute-
force attack

Department of Computer Science and Engineering 31

 Cont.,

• Many computer forensics tools include a

dataviewing mechanism for digital evidence.

• Tools such as ProDiscover, X-Ways Forensics, FTK,

EnCase, SMART, ILook, and others offer several ways
to view data, including logical drive structures, such
as folders and files.

Department of Computer Science and Engineering 32

 Reconstruction

• The purpose of having a reconstruction feature in a forensics tool is to re-

create a suspect drive to show what happened during a crime or an incident.

• Another reason for duplicating a suspect drive is to create a copy for other
computer investigators, who might need a fully functional copy of the drive so
that they can perform their own acquisition, test, and analysis of the evidence.

• These are the sub functions of reconstruction:

• Disk-to-disk copy
• Image-to-disk copy
• Partition-to-partition copy
• Image-to-partition copy

Department of Computer Science and Engineering 33

 Reconstruction

• Reconstruction
• Re-create a suspect drive to show what happened during
a crime or an incident
• Subfunctions
• Disk-to-disk copy
• Image-to-disk copy
• Partition-to-partition copy
• Image-to-partition copy

Department of Computer Science and Engineering 34

 Reconstruction (continued)

• Reconstruction (continued)
• Some tools that perform an image-to-disk copy:
• SafeBack
• SnapBack
• EnCase
• FTK Imager
• ProDiscover

Department of Computer Science and Engineering 35

 Reporting

• Reporting
• To complete a forensics disk analysis and examination,
you need to create a report
• Subfunctions
• Log reports
• Report generator
• Use this information when producing a final report for
your investigation

Department of Computer Science and Engineering 36

 Tool Comparisons

Department of Computer Science and Engineering 37

 Other Considerations for Tools

• Considerations
• Flexibility
• Reliability
• Expandability
• Keep a library with older version of your tools
• Create a software library containing older versions of
forensics utilities, OSs, and other programs

Department of Computer Science and Engineering 38

 Computer Forensics Software Tools

• The following sections explore some options for

command-line and GUI tools in both Windows and
UNIX/Linux

Department of Computer Science and Engineering 39

 Command-line Forensic Tools

• The first tools that analyzed and extracted data from

floppy disks and hard disks were MS-DOS tools for
IBM PC file systems
• Norton DiskEdit
• One of the first MS-DOS tools used for computer
investigations
• Advantage
• Command-line tools require few system resources
• Designed to run in minimal configurations

Department of Computer Science and Engineering 40

 UNIX/Linux Forensic Tools

• *nix platforms have long been the primary

command-line OSs
• SMART
• Designed to be installed on numerous Linux versions
• Can analyze a variety of file systems with SMART
• Many plug-in utilities are included with SMART
• Another useful option in SMART is its hex viewer

Department of Computer Science and Engineering 41

 UNIX/Linux Forensic Tools (continued)

• Helix
• One of the easiest suites to begin with
• You can load it on a live Windows system
• Loads as a bootable Linux OS from a cold boot
• Autopsy and SleuthKit
• Sleuth Kit is a Linux forensics tool
• Autopsy is the GUI/browser interface used to access
Sleuth Kit’s tools

Department of Computer Science and Engineering 42

 Pro discover

Department of Computer Science and Engineering 43

 FTk imager

Department of Computer Science and Engineering 44

Exploring the Role of E-mail in Investigations

Department of Computer Science and Engineering 45

 X-ways forensics

Department of Computer Science and Engineering 46

 UNIX/Linux Forensic Tools (continued)

• Helix
• One of the easiest suites to begin with
• You can load it on a live Windows system
• Loads as a bootable Linux OS from a cold boot
• Autopsy and SleuthKit
• Sleuth Kit is a Linux forensics tool
• Autopsy is the GUI/browser interface used to access
Sleuth Kit’s tools

Department of Computer Science and Engineering 47

 Hex Menu

Department of Computer Science and Engineering 48

UNIX/Linux Forensic Tools (continued)

• Knoppix-STD
• Knoppix Security Tools Distribution (STD)
• A collection of tools for configuring security measures, including
computer and network forensics
• Knoppix-STD is forensically sound
• Doesn’t allow you to alter or damage the system you’re analyzing
• Knoppix-STD is a Linux bootable CD

Department of Computer Science and Engineering 49

 STD Information

Department of Computer Science and Engineering 50

 STD Information

Department of Computer Science and Engineering 51

 Other GUI Forensic Tools

• Simplify computer forensics investigations

• Help training beginning investigators
• Most of them come into suites of tools
• Advantages
• Ease of use
• Multitasking
• No need for learning older OSs

Department of Computer Science and Engineering 52

 Other GUI Forensic Tools (continued)

• Disadvantages
• Excessive resource requirements
• Produce inconsistent results
• Create tool dependencies

Department of Computer Science and Engineering 53

 Computer Forensics Hardware Tools

• Technology changes rapidly

• Hardware eventually fails
• Schedule equipment replacements
• When planning your budget consider:
• Failures
• Consultant and vendor fees
• Anticipate equipment replacement

Department of Computer Science and Engineering 54

 Forensic Workstations

• Carefully consider what you need

• Categories
• Stationary
• Portable
• Lightweight
• Balance what you need and what your system can
handle

Department of Computer Science and Engineering 55

 Forensic Workstations (continued)

• Police agency labs

• Need many options
• Use several PC configurations
• Private corporation labs
• Handle only system types used in the organization
• Keep a hardware library in addition to your software
library

Department of Computer Science and Engineering 56

 Forensic Workstations (continued)

• Not as difficult as it sounds

• Advantages
• Customized to your needs
• Save money
• Disadvantages
• Hard to find support for problems
• Can become expensive if careless
• Also need to identify what you intend to analyze

Department of Computer Science and Engineering 57

 Forensic Workstations (continued)

• You can buy one from a vendor as an alternative

• Examples
• F.R.E.D.
• F.I.R.E. IDE
• Having vendor support can save you time and
frustration when you have problems
• Can mix and match components to get the
capabilities you need for your forensic workstation

Department of Computer Science and Engineering 58

 Using a Write-Blocker

• Write-blocker
• Prevents data writes to a hard disk
• Software-enabled blockers
• Software write-blockers are OS dependant
• Example: PDBlock from Digital Intelligence
• Hardware options
• Ideal for GUI forensic tools
• Act as a bridge between the suspect drive and the
forensic workstation

Department of Computer Science and Engineering 59

 Using a Write-Blocker (continued)

• Can navigate to the blocked drive with any application

• Discards the written data
• For the OS the data copy is successful
• Connecting technologies
• FireWire
• USB 2.0
• SCSI controllers

Department of Computer Science and Engineering 60

 Recommendations for a Forensic Workstation

• Determine where data acquisitions will take place

• Data acquisition techniques
• USB 2.0
• FireWire
• Expansion devices requirements
• Power supply with battery backup
• Extra power and data cables

Department of Computer Science and Engineering 61

 (continued)

• External FireWire and USB 2.0 ports

• Assortment of drive adapter bridges
• Ergonomic considerations
• Keyboard and mouse
• A good video card with at least a 17-inch monitor
• High-end video card and monitor
• If you have a limited budget, one option for outfitting
your lab is to use high-end game PCs

Department of Computer Science and Engineering 62

 Validating and Testing Forensic Software

• Make sure the evidence you recover and analyze can

be admitted in court
• Test and validate your software to prevent damaging
the evidence

Department of Computer Science and Engineering 63

 Using National Institute of Standards and Technology (NIST) Tools

• Computer Forensics Tool Testing (CFTT) program

• Manages research on computer forensics tools
• NIST has created criteria for testing computer
forensics tools based on:
• Standard testing methods
• ISO 17025 criteria for testing items that have no current
standards
• ISO 5725

Department of Computer Science and Engineering 64

 (continued)

• Your lab must meet the following criteria

• Establish categories for computer forensics tools
• Identify computer forensics category requirements
• Develop test assertions
• Identify test cases
• Establish a test method
• Report test results
• Also evaluates drive-imaging tools using
• Forensic Software Testing Support Tools (FS-TST)

Department of Computer Science and Engineering 65

 (continued)

• National Software Reference Library (NSRL) project

• Collects all known hash values for commercial software
applications and OS files
• Uses SHA-1 to generate a known set of digital signatures called
the Reference Data Set (RDS)
• Helps filtering known information
• Can use RDS to locate and identify known bad files

Department of Computer Science and Engineering 66

 Using Validation Protocols

• Always verify your results

• Use at least two tools
• Retrieving and examination
• Verification
• Understand how tools work
• One way to compare results and verify a new tool is
by using a disk editor
• Such as Hex Workshop or WinHex

Department of Computer Science and Engineering 67

 (continued)

• Disk editors
• Do not have a flashy interface
• Reliable tools
• Can access raw data
• Computer Forensics Examination Protocol
• Perform the investigation with a GUI tool
• Verify your results with a disk editor
• Compare hash values obtained with both tools

Department of Computer Science and Engineering 68

 (continued)

• Computer Forensics Tool Upgrade Protocol

• Test
• New releases
• OS patches and upgrades
• If you find a problem, report it to forensics tool vendor
• Do not use the forensics tool until the problem has been fixed
• Use a test hard disk for validation purposes
• Check the Web for new editions, updates, patches, and
validation tests for your tools

Department of Computer Science and Engineering 69

 Summary

• Create a business plan to get the best hardware and

software
• Computer forensics tools functions
• Acquisition
• Validation and discrimination
• Extraction
• Reconstruction
• Reporting
• Maintain a software library on your lab

Department of Computer Science and Engineering 70

 Summary (continued)

• Computer Forensics tools types

• Software
• Hardware
• Forensics software
• Command-line
• GUI
• Forensics hardware
• Customized equipment
• Commercial options
• Include workstations and write-blockers

Department of Computer Science and Engineering 71

 Thank You

Department of Computer Science and Engineering