Digital devices are ubiquitous, and their use in chain-of-evidence investigations is crucial. Today’s smoking gun is more likely to be a laptop or a phone than a more literal weapon. Whether such a device belongs to a suspect or a victim, the vast swathes of data these systems contain could be all an investigator needs to put together a case. That said, retrieving that data securely, efficiently, and lawfully is not always a simple endeavor. As a result, investigators rely on new digital forensics tools to assist them.

Digital forensics tools are all relatively new. Up until the early 1990s, most digital investigations were conducted through live analysis, which meant examining digital media by using the device in question as anyone else would. However, as devices became more complex and packed with more information, live analysis became cumbersome and inefficient. Eventually, freeware and proprietary specialist technologies began to crop up, as both hardware and software, to carefully sift, extract, or observe data on a device without damaging or modifying it.

Digital forensics tools can fall into many different categories, including database forensics, disk and data capture, email analysis, file analysis, file viewers, internet analysis, mobile device analysis, network forensics, and registry analysis. In addition, many tools fulfill more than one function simultaneously, and a significant trend in digital forensics tools is the “wrapper”: a package that bundles hundreds of specific technologies with different functionalities into one overarching toolkit.

New tools are developed daily, both as elite government-sponsored solutions and as basement hacker rigs. The recipe for each is a little bit different. Some of these go beyond simple searches for files or images and delve into the arena of cybersecurity, requiring network analysis or cyber threat assessment. When there is a tool for everything, the most pressing question is which one to use.
Below, ForensicsColleges has collected some of the best digital forensics and cybersecurity tools. In selecting from the wide range of options, we considered the following criteria:
Autopsy

Autopsy runs background jobs in parallel so that even if a full search takes hours, a user will know within minutes whether targeted keywords have been found. In addition, investigators working with multiple devices can create a central repository through Autopsy that will flag phone numbers, email addresses, or other relevant data points. Developed by the same team that created The Sleuth Kit, a library of command-line tools for investigating disk images, Autopsy is an open-source solution, available for free in the interests of education and transparency. Unfortunately, the latest version is written in Java, and it is currently only available for Windows.

Bulk Extractor

The most recent versions of Bulk Extractor can perform social network forensics and extract addresses, credit card numbers, URLs, and other types of information from digital evidence. Other capabilities include creating histograms based on frequently used email addresses and compiling word lists, which can be helpful for password cracking. All extracted information can be processed either manually or with one of four automated tools, one of which incorporates context-specific stop lists (i.e., search terms flagged by the investigator) that remove some human error from a digital forensics investigation. The software is available for free for Windows and Linux systems.

COFEE

Microsoft claimed that COFEE had reduced three- to four-hour tasks to under 20 minutes at the time of its release. In addition, thousands of law enforcement agencies worldwide (including INTERPOL) use COFEE, and Microsoft provides free technical support. In November 2009, COFEE was leaked onto multiple torrent sites. So while it is possible, though incredibly tricky, for criminals to build around the features in COFEE, it is also possible for the average citizen to now get a look at what was once the industry standard across the world for digital forensics.
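To make concrete what a feature extractor of the Bulk Extractor kind actually does, here is an added example (not Bulk Extractor's own code, and not from ForensicsColleges): it scans a raw byte buffer the way such a tool scans a disk image or memory dump, carves out email addresses, URLs and credit-card-like numbers, validates the card candidates with the Luhn checksum so random digit runs are discarded, builds the frequency histogram of email addresses the article mentions, and applies an investigator-supplied stop list. The evidence buffer, the addresses in it and the stop-list entry are all constructed for the example.

```python
"""Bulk Extractor-style feature scanning over a raw evidence buffer.

Added example (not Bulk Extractor's own code). The evidence buffer below is
constructed: fragments of mail, a web page and a notes file mixed with binary
filler, as an examiner might see in unallocated space.
"""
import re
from collections import Counter

# Patterns are deliberately simple; real carvers also handle UTF-16 text.
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(rb"https?://[A-Za-z0-9./?=&_%-]+")
# 13 to 19 digits, optionally separated by spaces or dashes, as CCN candidates.
CCN_RE = re.compile(rb"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters random digit runs out of the CCN candidates."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_features(evidence: bytes, stop_list=()):
    """Return carved features from *evidence* as a dict of lists.

    stop_list holds email addresses the investigator has already flagged as
    noise (e.g. a vendor's support address); they are dropped from both the
    feature list and the histogram.
    """
    stop = {s.lower() for s in stop_list}
    emails = [m.group().decode("ascii").lower() for m in EMAIL_RE.finditer(evidence)]
    emails = [e for e in emails if e not in stop]
    urls = [m.group().decode("ascii") for m in URL_RE.finditer(evidence)]
    ccns = []
    for m in CCN_RE.finditer(evidence):
        digits = re.sub(rb"[ -]", b"", m.group()).decode("ascii")
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            ccns.append(digits)
    return {
        "emails": emails,
        "urls": urls,
        "ccns": ccns,
        # The histogram is what lets an examiner spot the most-used addresses.
        "email_histogram": Counter(emails).most_common(),
    }


# Constructed sample evidence (all addresses, URLs and numbers are made up;
# 4111 1111 1111 1111 is the standard Luhn-valid test number).
SAMPLE_EVIDENCE = (
    b"\x00\x00From: alice@example.org\r\nTo: bob@example.net\r\n"
    b"\xff\xfe visited http://example.org/login?user=alice \x00"
    b"card on file 4111 1111 1111 1111 exp 12/29\n"
    b"not a card 1234 5678 9012 3456\n"
    b"Reply-To: alice@example.org\n support@example.com \x00\x00"
)

if __name__ == "__main__":
    result = scan_features(SAMPLE_EVIDENCE, stop_list=["support@example.com"])
    for kind, values in result.items():
        print(f"{kind}: {values}")
```

Run as written, the scan reports alice@example.org twice and bob@example.net once, one URL, and a single Luhn-valid card number; the second digit run fails the checksum and the stop-listed support address never reaches the histogram. The same structure scales to a real image by streaming the file in overlapping chunks instead of holding it in one bytes object.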
Computer Aided Investigative Environment

Digital Forensics Framework

The tool can be used to investigate hard drives and volatile memory and to create reports about system and user activity on the device in question. The DFF was developed with three main goals: modularity (allowing developers to change the software), scriptability (allowing for automation), and genericity (keeping the tool operating-system agnostic to help as many users as possible). The software is available for free on GitHub.

DumpZilla

Developed in Python, DumpZilla works under Linux and Windows 32/64-bit systems and is available for free from the developer’s website. While it was created as a standalone tool, its specific nature and lean packaging make it a vital component of future digital forensics suites.

EnCase

Offering a comprehensive software lifecycle package from triage to final reports, EnCase also features platforms such as OpenText Media Analyzer, which reduces the amount of content investigators must review manually so that cases close faster. With four site license options (for small companies; federal, state, and local law enforcement; consulting organizations; and colleges and universities), it offers criminal justice evidence analysis through just a few clicks.

ExifTool

The software itself is lightweight, quick, and easy to use, making it an ideal inclusion in future digital forensics suites. ExifTool is updated regularly and is available for both Windows and OS X from the developer’s website.

FTK Imager

This tool can read all operating systems and enables users to recover files that have been deleted from digital recycle bins. In addition, it can parse XFS files and create hashes of files to check data integrity.

MAGNET RAM Capture

This tool can export memory data in raw formats (.DMP, .RAW, .BIN), which can be uploaded to other forensics analysis tools such as Magnet AXIOM and Magnet IEF. This free tool supports several versions of Windows operating systems.
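The integrity hashing that FTK Imager performs during acquisition is the step that lets an examiner later prove the evidence has not changed. The following added example (not FTK Imager's code, and not from the article) shows the mechanics: a source stream is copied byte for byte to an image file while MD5 and SHA-256 are computed in the same pass, then the image is re-read and re-hashed to confirm the copy matches, and a deliberately altered byte shows how a later change is caught. The "device" is a constructed in-memory byte string; a real acquisition reads the media through a write blocker.

```python
"""Acquisition hashing and verification, in the style FTK Imager uses.

Added example (not FTK Imager's code). FAKE_DEVICE below is a constructed
stand-in for a block device; everything else is standard-library Python.
"""
import hashlib
import io
import os
import tempfile

CHUNK = 64 * 1024  # read size; keeps memory flat for multi-gigabyte images


def hash_stream(stream, chunk=CHUNK):
    """Hash a readable binary stream; returns {'md5': ..., 'sha256': ...}."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    for block in iter(lambda: stream.read(chunk), b""):
        md5.update(block)
        sha.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def acquire_image(source, image_path, chunk=CHUNK):
    """Copy *source* (a readable stream) to *image_path*, hashing as it goes.

    Hashing in the same pass as the copy means the recorded digests describe
    exactly the bytes that were read from the media at acquisition time.
    """
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(image_path, "wb") as out:
        for block in iter(lambda: source.read(chunk), b""):
            md5.update(block)
            sha.update(block)
            out.write(block)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def verify_image(image_path, expected):
    """Re-hash the image file; report per algorithm whether it matches."""
    with open(image_path, "rb") as f:
        actual = hash_stream(f)
    return {alg: actual[alg] == expected[alg] for alg in expected}


# Constructed "device": a boot-signature-like prefix followed by 256 KiB of filler.
FAKE_DEVICE = b"\x55\xaa" + bytes(range(256)) * 1024


def demo(tamper=False):
    """Acquire FAKE_DEVICE, optionally flip one byte, and return the
    verification result so the outcome can be checked programmatically."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "evidence.dd")
        acquired = acquire_image(io.BytesIO(FAKE_DEVICE), image)
        if tamper:
            # Simulate a post-acquisition change: invert one byte at offset 4096.
            with open(image, "r+b") as f:
                f.seek(4096)
                original = f.read(1)
                f.seek(4096)
                f.write(bytes([original[0] ^ 0xFF]))
        return verify_image(image, acquired)


if __name__ == "__main__":
    print("clean image:", demo())            # both algorithms match
    print("tampered image:", demo(tamper=True))  # both algorithms mismatch
```

Two algorithms are recorded for the same reason imaging tools record both: a match on the stronger SHA-256 is what carries weight, while MD5 remains useful for cross-checking against older case records that only stored MD5.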
Nagios

Nagios supports standard enterprise-level network services such as ICMP, POP3, SMTP, and HTTP. It is compatible with Linux, Windows, server, application, SNMP, and log monitoring services and integrates with third-party addons. Free trials are available.

Redline

Offering much more technical, under-the-hood capability than most digital forensics investigations necessitate, Redline has more applications in cybersecurity and other tech-driven criminal behavior where granular analysis is critical. Redline currently only functions on Windows-based systems, but it is regularly updated by FireEye for optimum performance and can be downloaded for free from the FireEye website.

SIFT Workstation

SIFT is flexible and compatible with the Expert Witness Format (E01), the Advanced Forensic Format (AFF), and raw evidence formats. Built on Ubuntu, it incorporates many separate tools (including some on this list, such as Autopsy and Volatility) and puts them at an investigator’s disposal. SIFT is available for free and is updated regularly.

SNORT

SNORT helps IT security professionals analyze network security vulnerabilities and prevent them from being exploited. When a network intrusion occurs, cybersecurity professionals are notified while the software blocks the intrusion.

Tor

Tor’s mission is to “advance human rights and freedoms by creating and deploying free and open-source anonymity and privacy technologies, supporting their unrestricted availability and use, and furthering their scientific and popular understanding.”

Volatility

Written in Python and supporting almost all 32-bit and 64-bit machines, it can sift through cached sectors, crash dumps, DLLs, network connections, ports, process lists, and registry files. The tool is available for free, and the code is hosted on GitHub.

Wireshark

Captured network data can be viewed in a graphical user interface on Windows, Linux, OS X, and several other operating systems. The data can be read from Ethernet, Bluetooth, USB, and several other sources, while the output can be exported to XML, PostScript, CSV, or plain text. Wireshark’s applications remain primarily in cybersecurity, but there are digital forensics investigation applications as well. Less about the smoking gun than the breadcrumb trail, Wireshark can point an investigator in the direction of malicious activity so that it can be tracked down and investigated.
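To show what lies behind the Wireshark and SNORT entries above, here is an added example (not Wireshark's, Snort's, or the article's code): it constructs a small libpcap capture in memory, parses the Ethernet, IPv4 and TCP headers with the struct module, groups packets into the bidirectional conversations that Wireshark's Conversations view lists, exports that table as CSV as the article describes, and applies a single Snort-style content rule over packet payloads. All addresses, ports and payloads are constructed sample data (TEST-NET ranges and a private address).

```python
"""Reading a packet capture, summarizing conversations, exporting CSV.

Added example (not Wireshark's or Snort's code). SAMPLE_PCAP is constructed
traffic: two packets of a short HTTP exchange plus one request to a path an
examiner has decided to alert on.
"""
import csv
import io
import socket
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def build_packet(src_ip, dst_ip, sport, dport, payload=b""):
    """Construct an Ethernet/IPv4/TCP frame (checksums left zero; sample data)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap frames in a libpcap global header plus per-packet record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame))
        out += frame
    return out


def parse_pcap(data):
    """Yield (ts, src, sport, dst, dport, payload) for each IPv4/TCP frame."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = "<" if magic == PCAP_MAGIC else ">"   # byte order of the writer
    off = 24                                        # skip the global header
    while off + 16 <= len(data):
        ts_sec, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        frame = data[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if struct.unpack_from("!H", frame, 12)[0] != 0x0800:
            continue                                # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6:
            continue                                # not TCP
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        doff = (tcp[12] >> 4) * 4
        yield ts_sec, src, sport, dst, dport, tcp[doff:]


def conversations(data):
    """Group packets into bidirectional flows: {(a, b): {'packets', 'bytes'}}."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for _, src, sport, dst, dport, payload in parse_pcap(data):
        key = tuple(sorted([(src, sport), (dst, dport)]))  # direction-agnostic
        flows[key]["packets"] += 1
        flows[key]["bytes"] += len(payload)
    return dict(flows)


def to_csv(flows):
    """Export the conversation table as CSV text, like Wireshark's export."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["addr_a", "port_a", "addr_b", "port_b", "packets", "bytes"])
    for (a, b), stats in sorted(flows.items()):
        w.writerow([a[0], a[1], b[0], b[1], stats["packets"], stats["bytes"]])
    return buf.getvalue()


def match_content_rule(data, content):
    """Snort-style 'content' check: return 4-tuples of packets carrying it."""
    return [(src, sport, dst, dport)
            for _, src, sport, dst, dport, p in parse_pcap(data) if content in p]


SAMPLE_PCAP = build_pcap([
    build_packet("10.0.0.5", "203.0.113.10", 51000, 80, b"GET / HTTP/1.1\r\n"),
    build_packet("203.0.113.10", "10.0.0.5", 80, 51000, b"HTTP/1.1 200 OK\r\n"),
    build_packet("10.0.0.5", "198.51.100.7", 51001, 80, b"GET /cmd.php?x=1\r\n"),
])

if __name__ == "__main__":
    print(to_csv(conversations(SAMPLE_PCAP)))
    print("rule hits:", match_content_rule(SAMPLE_PCAP, b"cmd.php"))
```

The conversation table is the breadcrumb trail the article refers to: a host that appears in one flow only, with a request matching a rule, is the kind of entry an investigator follows up on. Checksums are left zero because the example never puts frames on a wire; a parser reading a real capture should still check the IHL and TCP data offset fields as this one does rather than assuming 20-byte headers.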