Forensic Focus - Computer Forensics, Computer Forensic Training, Digital Forensics
Computer forensics software, an introduction

Page: 1/2

In common with many other professions, the field of computer forensic investigation makes use of tools to allow practitioners to carry out their tasks effectively and efficiently. This article describes some of the most commonly used software "tools" and explains how and why they are used.

Although most real world tools are designed to carry out a specific task (the hammer to hammer nails, the screwdriver to turn a screw, etc.), some tools are designed to be multi-functional. Similarly, some computer forensic tools are designed with only one purpose in mind whereas others may offer a whole range of functionality. The unique nature of every investigation will determine which tool from the investigator's toolkit is the most appropriate for the task at hand.

As well as differing in functionality and complexity, computer forensic tools also differ in cost. Some of the market-leading commercial products cost thousands of dollars while other tools are completely free. Again, the nature of the forensic examination and the goal of the investigation will determine the most appropriate tools to be used.

Before examining the tools themselves, a short discussion of some key concepts of computer forensic examination may be beneficial for readers new to this field:

In general, a computer forensic investigator will use a tool in order to gather data from a system (e.g. a computer or computer network) without altering the data on that system. This aspect of an investigation, the care taken to avoid altering the original data, is a fundamental principle of computer forensic examination and some of the tools available include functionality specifically designed to uphold this principle. In reality it is not always easy to gather data without altering the system in some way (even the act of shutting a computer down in order to transport it will most likely cause changes to the data on that system) but an experienced investigator will always strive to protect the integrity of the original data whenever possible. In order to do this, many computer forensic examinations involve the making of an exact copy of all the data on a disk. This copy is called an image and the process of making an image is often referred to as imaging. It is this image which is usually the subject of subsequent examination.

Another key concept is that deleted data, or parts thereof, may be recoverable. Generally speaking, when data is deleted it is not physically wiped from the system but rather only a reference to the location of the data (on a hard disk or other medium) is removed. Thus the data may still be present but the operating system of the computer no longer "knows" about it. By imaging and examining all of the data on a disk, rather than just the parts known to the operating system, it may be possible to recover data which has been accidentally or purposefully deleted.


Commercial Software

EnCase

EnCase, from Guidance Software, is a fully-featured commercial software package which enables an investigator to image and examine data from hard disks, removable media (such as floppy disks and CDs) and even Palm PDAs (Personal Digital Assistants). Many law enforcement groups throughout the world use EnCase and this can be an important factor for forensic investigators to consider where there is a possibility that an investigation may be handed over to the police or used in a court of law.

An investigation carried out with EnCase begins by using the software to create an image of the medium in question (e.g. hard disk, floppy disk, CD, PDA). This image, called an Evidence File in EnCase terminology, can be analysed in a variety of ways using the EnCase program, common examples of which might include searching the data for keywords, viewing picture files or examining deleted files.

EnCase is one of the more expensive commercial tools, although a discount is available to the law enforcement community. The price does, however, reflect the broad range of functionality within the package, a good example of which is the EnScript scripting language. This simple language allows forensic examiners to write small programs, or scripts, which can perform highly customized searching and filtering of the data which has been imaged.


Vogon Forensic Software

Vogon International offers a range of commercial computer forensic software with a product line-up divided into imaging, processing and investigation software. The imaging software is used to create an exact replica of the data on a drive which can then be indexed by the processing software to allow fast searching by the investigation component.

In broad terms Vogon's offering provides similar functionality to that of EnCase by simplifying the process of data imaging and searching for the examiner.


SafeBack

SafeBack is another commercial computer forensics program commonly used by law enforcement agencies throughout the world. SafeBack is used primarily for imaging the hard disks of Intel-based computer systems and restoring these images to other hard disks. It is a DOS-based program which can be run from a floppy disk and is intended only for imaging, i.e. it does not include the analysis capabilities of EnCase or Vogon's forensic software.


Free software

The origins of computer forensic analysis lie not with the Windows operating systems which have achieved such popularity today but with UNIX, an operating system with its roots in the early 1970s. The developers of UNIX preferred to create a fairly large number of small programs which could be used together to perform more complex tasks, rather than one program which could do everything, and it is from these small programs that the sophisticated commercial computer forensic packages available today have grown. The small programs are still found in modern versions of the UNIX operating system and many are also available for Windows.


Data dumper

Imaging a computer's hard disk can be a lengthy process but it need not be expensive. dd (short for data dumper) is a freely available utility for UNIX systems which can make exact copies of disks suitable for forensic analysis. It is a command line tool, meaning that the dd program is run by typing a command rather than double-clicking an icon, and requires a sound knowledge of the command syntax to be used properly. Modified versions of dd intended specifically for use as a forensic utility are also available.


md5sum

Once an image has been made, how do we know that it was made correctly? How can we be sure that the copy is exactly the same as the original? The answer lies with an algorithm called MD5. This procedure results in the creation of a large number called a "message digest", or "hash", the exact value of which is determined by the layout of data found on a disk (MD5 can also be used to create message digests for files). Crucially, were the disk contents to be altered in any way, through deleting or changing a file for example, running the MD5 algorithm would result in a radically different message digest. This is true regardless of the extent of the alterations made; even a change to one bit of information on a large drive packed with data would result in a new message digest. md5sum is a freely available utility for creating MD5 message digests which, by comparing message digests of original disks and copies thereof, can be used in computer forensic examinations to ensure that an image made is an exact replica of the original.
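The dd and md5sum steps described above, carried through on constructed data. This is an added example and not part of the original article: a small zero-filled file stands in for the suspect disk (on a real case the source would be a device such as /dev/sdb, attached through a write blocker), dd makes the image, and md5sum digests of source and image are compared. The file and directory names, the 4096-byte block size and the byte offset altered in the tampering step are all assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not from the article: image a constructed source with dd,
# verify the image with md5sum, and show that a one-byte change is detected.
WORK="${TMPDIR:-/tmp}/ff_imaging_demo.$$"

make_source() {
    # Constructed stand-in for the suspect disk: 16 blocks of 4096 zero bytes
    # with a short text fragment written at offset 0. The size is a whole
    # number of blocks on purpose (see the note on conv=sync below).
    mkdir -p "$WORK"
    dd if=/dev/zero of="$WORK/source.dd" bs=4096 count=16 2>/dev/null
    printf 'the meeting is at 4\n' | dd of="$WORK/source.dd" conv=notrunc 2>/dev/null
}

image_disk() {
    # $1 = source (device or file), $2 = output image.
    # conv=noerror,sync carries on past unreadable blocks and pads them with
    # zeros so every byte of the image keeps the source's offset. Caveat:
    # sync also pads a final short block, so a source whose size is not a
    # multiple of bs will produce an image whose digest differs from the source.
    dd if="$1" of="$2" bs=4096 conv=noerror,sync 2>/dev/null
}

digest_of() {
    # MD5 message digest of a file or device, hex digest only
    md5sum "$1" | cut -d' ' -f1
}

verify_image() {
    # $1 = original, $2 = image; succeeds only when both digests are identical
    [ "$(digest_of "$1")" = "$(digest_of "$2")" ]
}

run_demo() {
    make_source
    image_disk "$WORK/source.dd" "$WORK/evidence.dd"
    verify_image "$WORK/source.dd" "$WORK/evidence.dd" || return 1
    # Alter a single byte in a copy of the image: the digests must no longer match
    cp "$WORK/evidence.dd" "$WORK/tampered.dd"
    printf 'X' | dd of="$WORK/tampered.dd" bs=1 seek=100 conv=notrunc 2>/dev/null
    if verify_image "$WORK/source.dd" "$WORK/tampered.dd"; then
        return 2    # the change went unnoticed: must never happen
    fi
    return 0
}

cleanup() { rm -rf "$WORK"; }

run_demo && echo "image verified by MD5 digest; one-byte alteration detected"
```

Two practical points follow from the example. First, digest the source once, before imaging, and record that value alongside the image's digest in the case notes; a digest computed only from the image proves nothing about the original. Second, MD5 is no longer collision resistant, so current practice records a SHA-2 digest (sha256sum works exactly like md5sum above) as well; for detecting accidental alteration of an image either hash still serves.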


Grep

The grep program allows files to be searched for a particular sequence of characters: the word "meeting" or the phrase "the meeting is at 4" for example. The real power of grep, however, lies in its ability to utilize metacharacters. Metacharacters are certain characters which have a special meaning to the grep program and allow great flexibility while searching. For example the metacharacter "." (i.e. a full stop, without the quotation marks) means "any character" to grep, thus searching for "ca." might result in matches for "can", "cat", "cab" and so on if these sequences of characters were present in the file being searched.

Grep has for a long time been one of the most useful tools for forensic investigators and, as well as being a standard program on UNIX systems, is also included as part of EnCase.
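The metacharacter search described above, run against constructed data. This is an added example, not code from the article: a few note lines are written to a file, and the same lines are also embedded between zero-filled blocks in a small raw "image" to stand in for a deleted file's contents surviving in unallocated space, which is the situation the earlier section on deleted data describes. The `-a` option makes grep treat that binary data as text; the sample lines, file names and patterns are all assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not from the article: grep metacharacters over a text file
# and over a constructed raw image that contains the same text.
WORK="${TMPDIR:-/tmp}/ff_grep_demo.$$"

make_samples() {
    mkdir -p "$WORK"
    # Constructed note file
    printf '%s\n' \
        'the meeting is at 4' \
        'can you bring the cat?' \
        'cab fare was 12 dollars' \
        'camera left in car' \
        'no meeting tomorrow' > "$WORK/notes.txt"
    # Constructed raw image: the same notes between 2 KiB of zeros on each
    # side, as a deleted file's contents might survive in unallocated space
    {
        dd if=/dev/zero bs=512 count=4 2>/dev/null
        cat "$WORK/notes.txt"
        dd if=/dev/zero bs=512 count=4 2>/dev/null
    } > "$WORK/unalloc.dd"
}

count_matches() {
    # $1 = extended regular expression, $2 = file or image.
    # -a searches binary data as text; -c prints the number of matching lines
    # (grep exits 1 when nothing matches, which is not an error here).
    n=$(grep -a -c -E -- "$1" "$2") || true
    printf '%s\n' "$n"
}

first_hit() {
    # $1 = extended regular expression, $2 = file; prints only the matched
    # text of the first hit, the way a keyword search reports a hit in an image
    grep -a -o -E -- "$1" "$2" | head -n 1
}

make_samples
echo "lines matching 'ca.'   in notes.txt:  $(count_matches 'ca.' "$WORK/notes.txt")"
echo "lines matching 'ca[bt]' in notes.txt:  $(count_matches 'ca[bt]' "$WORK/notes.txt")"
echo "lines matching 'meeting' in unalloc.dd: $(count_matches 'meeting' "$WORK/unalloc.dd")"
echo "first 'meeting is at [0-9]+' in image: $(first_hit 'meeting is at [0-9]+' "$WORK/unalloc.dd")"
```

The pattern `ca.` matches the lines containing "can", "cab" and "camera"/"car" (three lines), while the character class `ca[bt]` narrows that to "cab" and "cat". Searching the raw image with `-a` finds the same text whether or not a filesystem still references it, which is why keyword searches are run over the whole image rather than over the files the operating system lists.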


The Coroner's Toolkit

The Coroner's Toolkit is a collection of (essentially) free tools designed to be used in the forensic analysis of a UNIX machine. Whereas the tools mentioned so far can be used in a wide variety of investigations, The Coroner's Toolkit is specifically designed to be of use in the investigation of a computer break-in. The tools included help to reconstruct the activities of an intruder by, amongst other things, examining the recorded times of file accesses and recovering deleted files.

All logos and trademarks in this site are property of their respective owner. The comments are property of their posters, all the rest © 2010 Forensic Focus