A complete list of forensic tools and tutorials  

andrewsco
(@andrewsco)
New Member

I was wondering if any of the experienced members on this topic could take the time to share what their tools etc. are. I have been searching through 5 pages of information on this site, and used Google, but there are so many I just get confused. I need all this info for preliminary work that I am doing for a dissertation based around computer forensics.

What I am looking for are tools with the following criteria:
-best (including all costs - preferably Police etc. so I can comment on what they use)
-best free tool
-easiest to use

As well as tools, any tutorials and whitepapers on these subjects too:

-How to wipe a disk as securely as possible
-How to recover information that has been wiped using software
-How to recover info that has been wiped using hardware techniques (I'm very interested in this)
-How to recover information from removable storage (ie flash drives etc)
-How to encrypt a hard drive
-How to decrypt an encrypted hard drive

If anyone can post up tools used for these things and how to actually do it, then it will help me scope what is possible for a dissertation title. It may also be an opportunity to group together everything in this thread as a sticky, as a lot of the info is very spread about.

PS- This is meant for windows systems.

Thanks for any help you can give

Andy

Posted : 22/03/2005 11:47 pm
keydet89
(@keydet89)
Community Legend

Andy,

As you requested info specifically for Windows systems, I'm going to focus my responses in that direction…

What I am looking for are tools with the following criteria:

Okay, but what do you want the tools to do? What category? Imaging? Take a look at SafeBack.

-best (including all costs - preferably Police etc. so I can comment on what they use)

What's your criteria? Let's say you're referring to tools used for just imaging. You might check out SafeBack, or even dd.exe. If you want both imaging and analysis, some would say EnCase, as it's widely used - particularly in law enforcement. However for the cost of EnCase, you may choose to save some money and consider ILook or ProDiscover (from TechPathways).

-best free tool
-easiest to use

Again…to do what?

-How to wipe a disk as securely as possible

Several wiping tools have settings that allow the user to specify how many times and with what combination of characters they want the drive overwritten. However, is the goal to secure the data, or to remove it as well as possible and make the drive usable again?

-How to recover information that has been wiped using software

Image the drive, see if you can find the deleted files. If they've already been overwritten, there are chemical substrate and magnetic imaging techniques that can be prohibitively expensive.

-How to recover info that has been wiped using hardware techniques (I'm very interested in this)

ibid.

-How to recover information from removable storage (ie flash drives etc)

Uh…plug it in…sorry, am I missing something here? Many of the flash drives I've used use a FAT file system…so plug it in and you can recover information from it. To get deleted information, one can use techniques similar to those used with regular hard drives.

-How to encrypt a hard drive
-How to decrypt an encrypted hard drive

PGP. To decrypt, you might have to use interrogation techniques to get the passphrase from the bad guy, as brute forcing may take a prohibitively long time.

I think that if you could be a little more explicit with your request, you'll get a lot more information. No one wants to sit and write an encyclopedia, especially given all of the possibilities. Narrow your focus a bit, even if just to get started, and you'll likely get better information.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

Posted : 23/03/2005 10:55 am
andrewsco
(@andrewsco)
New Member

That's a brilliant response, thank you.

I will analyse what you've said when I get a minute over the next few days, and will try and clear everything up.

thanks
Andy

Posted : 23/03/2005 1:32 pm
andrewsco
(@andrewsco)
New Member

Hi. In reply to your questions: firstly, I will point out that I have no experience in this field, so am not really aware of what the possibilities may be. Any assistance you could give on hot topics etc. would be appreciated.

Imaging: now, from what I gather, is that what tools like EnCase do? I would be really interested in how this works, and whether this is the only way to do it. I would basically like to know the tool that law enforcement would use (I guess EnCase), the best free tools for actually imaging or analysis (as I haven't done this yet, I would need both), and included in this perhaps consider how easy the tools are.

Secure deletion: again, the tools AND TECHNIQUES that law enforcement would use, and the best free tool as far as deletion goes.

Encryption: Slightly off the topic, but the best tool people may use for encrypting a hard drive (both best for any price, and the best free one) and perhaps how someone would go about breaking this encryption?

Initial thoughts are that I will be carrying out investigations on various hard drives, where I will try and uncover data which has been deleted. I am really struggling with a question, but as I have 2 or 3 spare boxes, it seems like the most practical option.

Thanks a lot for any more help you could give me

Andy

Posted : 23/03/2005 4:41 pm
keydet89
(@keydet89)
Community Legend

Andy,

Imaging…yes, EnCase does this, but so do tools like ProDiscover, SafeBack, and dd (there is a dd.exe for Windows, as well as other variations). They work by copying the drive, bit-for-bit. Some also have their own proprietary method of copying…EnCase copies 64k blocks, CRCs each block, then hashes the entire set of blocks. The real test, though, comes when you restore the image to a separate drive, and (try to) boot the system.

Tools like EnCase, which is used quite widely, are not free. Dd is. As far as which is the 'best'…well, that's a matter of opinion.

Analysis is another thing altogether. The marketing material for EnCase may or may not use the term "analysis", but the point is, all tools can do is perform data presentation…it's up to a person to do analysis. EnCase has some good tools…search capability, presentation of graphics files and Windows Registry. ProDiscover does this, too. Both will even present NTFS alternate data streams so that they jump right out at you…but none of that is "analysis". Training and experience are needed for that.

As far as "best" for the other functions goes…I'll leave that to others to chime in on.

As far as recovering deleted data goes for what you're doing…you're most likely going to be imaging a drive, and then attempting to pull up files that have been deleted, and perhaps partially overwritten. However, it's unlikely that you're going to have to deal with recovering data from a drive that's had files deleted, and then been overwritten, had a new OS installed over it, etc. That sort of thing can be prohibitively expensive.

HTH,

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

Posted : 24/03/2005 11:29 am
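As an added illustration of the imaging scheme Harlan describes above (fixed-size blocks, a CRC per block, one hash over the whole image), here is a small Python version that shows why the two layers are both useful when verifying a copy: the overall hash says whether the image is intact, the block CRCs say where it is not. This is example code written for this page, not code from the thread, from EnCase, or from any of the posters; the 64k block size comes from the post, while the use of MD5 for the overall hash and the sample "drive" data are assumptions.

```python
import hashlib
import io
import zlib

BLOCK_SIZE = 64 * 1024  # 64k blocks, as the post describes for EnCase

def image_with_checksums(src, block_size=BLOCK_SIZE):
    """Copy `src` (a binary file object) to the end in fixed-size blocks.
    Returns (image_bytes, per_block_crcs, overall_md5_hex). MD5 for the
    whole-image hash is an assumption; the post only says "hashes"."""
    image = io.BytesIO()
    crcs = []
    overall = hashlib.md5()
    while True:
        block = src.read(block_size)
        if not block:
            break
        crcs.append(zlib.crc32(block) & 0xFFFFFFFF)
        overall.update(block)
        image.write(block)
    return image.getvalue(), crcs, overall.hexdigest()

def verify_image(image, crcs, expected_md5, block_size=BLOCK_SIZE):
    """Re-check an image against its block CRCs and overall hash.
    Returns (ok, bad_blocks): the whole-image hash says whether the copy
    is intact, the per-block CRCs say where it is not."""
    bad = []
    overall = hashlib.md5()
    for i, crc in enumerate(crcs):
        block = image[i * block_size:(i + 1) * block_size]
        overall.update(block)
        if (zlib.crc32(block) & 0xFFFFFFFF) != crc:
            bad.append(i)
    return overall.hexdigest() == expected_md5 and not bad, bad

# Constructed sample "drive" of 3.5 blocks (the last block is short).
SAMPLE_DRIVE = bytes(range(256)) * (BLOCK_SIZE * 7 // 2 // 256)

def demo():
    """Image the sample, verify it, then damage one byte in block 2."""
    image, crcs, digest = image_with_checksums(io.BytesIO(SAMPLE_DRIVE))
    clean = verify_image(image, crcs, digest)
    damaged = bytearray(image)
    damaged[2 * BLOCK_SIZE + 10] ^= 0xFF
    return len(crcs), clean, verify_image(bytes(damaged), crcs, digest)
```

To image a real device or file rather than the constructed sample, pass any binary file object opened for reading to `image_with_checksums`; the same block table and hash can then be stored alongside the image and rechecked later with `verify_image`.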