What goes in a forensic toolkit?

(@nat038)
Posts: 4
New Member
Topic starter
 

Hi all,

I'm in the process of setting up a computer forensic service and am putting together a complete toolkit - hardware and software. Does anyone have a list of equipment that should constitute a toolkit?

Thanks and regards.

 
Posted : 06/12/2012 9:52 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Are you a competitor of mine?

 
Posted : 06/12/2012 10:16 pm
(@lilpopps21)
Posts: 9
Active Member
 

nat038,

This list is by no means exhaustive, but hopefully will give you some ideas. There is not a set list of hardware and software, and many factors contribute to what is contained in your arsenal (budget, OS familiarity, type of work, etc.).

Check out the various forensic boot CDs (CAINE/Helix/SIFT/DEFT/etc.)
-These are Linux based but contain just about every tool you would need to perform an examination. That being said, it is Linux and a majority of the tools are CLI, but they are FREE!

Writeblockers

-Tableau/Wiebetech (SATA/Firewire/USB/etc)
-USB Registry Key Registry Edit Writeblock (google it) (always test)

Hard Drive Acquisition Software/Hardware

-Tableau TD1/TD2 (Hardware -There are several others, I am familiar with Tableau - which are great)
-FTK Imager (Free)(Software)
-Forensic Boot CDs (CAINE/DEFT/HELIX/etc.) - all have multiple linux imaging applications (AIR/guymager/dd)

Hard Drive Forensic Analysis Suites
Each suite has its own pros and cons, you need to decide which one(s) is/are best for you (you should have at least two for findings validation).
-Autopsy/TSK (free)
-X-Ways Forensics (Commercial - 1/3 of the price of FTK and EnCase)
-AccessData FTK (Commercial - last time I checked roughly $3k - $3.5k)
-Guidance Software EnCase (Commercial - you want version 6, I have personally used version 7 and it is full of bugs)

Email Tools
-Nuix Proof Finder (Great tool - 15gb mailbox limit)
-Paraben Email Examiner or Network Email Examiner
-Aid4Mail
-Advanced Outlook Repair/Advanced Exchange Repair

Metadata Tools
-ExifTool (free)
-metadata assistant
-metadataminer

Cell Phone Forensic Acquisition/Analysis
-Cellebrite UFED (Excellent, but expensive)
-XRY (I have never used it but I've heard good things from others)
-Paraben Device Seizure
-Oxygen Forensics
-Via Forensics (Android) also has (Santoku - bootable forensic cd for mobile device analysis) Santoku is fairly new so I'm sure the guys at Via Forensics will continue to develop it.

Random
-Tools (screw drivers (magnetic tips), pill cases (for holding screws), Apple compatible screw drivers (pentalobe))
-Digital Camera
-Chain of Custody forms
-Evidence Tags
-Labels

As I mentioned, this list is not exhaustive. The main thing to remember is that in forensics, you always need to validate your findings. So, depending on your experience, you may want to have a commercial tool and an open source tool to validate. If you are comfortable with Linux and CLI then you do not "need" a commercial tool. There are tons of open source tools which work extremely well. Forensic Control has an entire list of free tools posted on their website.

Remember GOOGLE IS YOUR FRIEND!

 
Posted : 07/12/2012 12:39 am
(@armresl)
Posts: 1011
Noble Member
 

Lilpops, I know you are new around here. However, we try to foster a nice, wonderful, almost aromatic peach type environment where Jamie will not let anyone say "Google is your friend" and especially not in caps.

 
Posted : 07/12/2012 7:55 am
(@lilpopps21)
Posts: 9
Active Member
 

Lilpops, I know you are new around here. However, we try to foster a nice, wonderful, almost aromatic peach type environment where Jamie will not let anyone say "Google is your friend" and especially not in caps.

I apologize as I meant no disrespect by it, just trying to inform the OP that there are numerous great resources out there.

 
Posted : 07/12/2012 8:31 am
(@armresl)
Posts: 1011
Noble Member
 

I know you didn't. Just telling you so you don't get a nastygram from mods

Lilpops, I know you are new around here. However, we try to foster a nice, wonderful, almost aromatic peach type environment where Jamie will not let anyone say "Google is your friend" and especially not in caps.

I apologize as I meant no disrespect by it, just trying to inform the OP that there are numerous great resources out there.

 
Posted : 07/12/2012 8:37 am
(@lilpopps21)
Posts: 9
Active Member
 

I appreciate the heads up!

 
Posted : 07/12/2012 9:11 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

May I raise a generic question?
I seem to detect a "CATCH22" situation.

Say that a long-time expert and willing-to-help member suggests to have in the toolkit a "protofractional flubbinator" (a fictional tool that is very useful for "frastling grops and zerling drestroos").

I would presume that - besides the sheer existence of the tool in the toolkit - the actual operator of the forensic service should have spent long hours studying the theory behind both "frastling" and "zerling" and yet more hours getting familiar and practicing with the actual specific make/model "flubbinator", or at least with similar "protofractional" tools in order to be able to use that tool.

Then, he/she would already know of the existence of the tool, would know when and how to use it and would be capable of deciding himself/herself whether this tool is needed in the toolkit or not, this depending on a lot of factors, including the cost of the tool, the kind of work the forensic service is going to provide, etc., etc.

jaclaz

 
Posted : 07/12/2012 4:37 pm
(@nat038)
Posts: 4
New Member
Topic starter
 

Thanks for (most of) the posts so far. I should clarify…

I'm setting up an in-house service for the company I work for. I have a pretty good idea of the toolkit contents; I'm a past techie, so I know one end of a computer from another.

If there are any decent lists out there I'd be grateful for a pointer.

 
Posted : 07/12/2012 5:02 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I should clarify…

Yes, maybe if you list the actual expected kind of activities the "in-house service" is likely to perform, some member could give you more specific advice, as opposed to "generic" lists.
I mean, as an example, if your firm only uses (say) BlackBerries as mobile communication devices, you will have no need for any "specific" iPhone tools, or if the scope is exclusively "PC forensics" you won't have any need for tools related to cell phone forensics.

jaclaz

 
Posted : 07/12/2012 5:16 pm