Introduction to Digital Forensics/Forensic tools

In the early days of digital forensics, analysts had to make do with existing system administration or information security tools. Plenty of these existed, but they were not particularly suited to the more formal approach of a forensic investigation. In particular, much of the software required you to run it on the live system, which introduced all manner of problems with modifying evidence ("Acquisition" in part one details the problems with live analysis).

During the 1980s and 90s, however, increased funding and interest in the field encouraged the development of a variety of specialist commercial and freeware tools. These can generally be broken down into three categories:

 * General forensic tools: tools allowing a wide variety of investigation, particularly keyword searching, on digital media.
 * Specialist forensic tools: tools which focus on a specific piece of forensic material for investigation - perhaps images, or internet artefacts. These often rely on output from one of the general tools.
 * Case management tools: these are used to track, audit and report on cases.
In addition there is a "fourth" category, useful software: ordinary software which can usefully be adapted for use in a forensic investigation.

This section mentions several commercial tools. This is not an endorsement of those tools; they are intended only as examples to explore.

General forensic tools
Many of these tools are complex, commercially produced, and come with enterprise price tags (in the region of thousands of dollars a year). The majority of commercial tools run on Windows whilst free tools tend to run on Linux.

Later on we will discuss the ways digital media can be investigated in more depth, but for the moment it is important to understand that general forensic software is usually centred around the act of keyword searching across a piece of digital media. The two most common ways of performing such searches are "live search" (where the digital media is parsed for a set of keywords and bookmarks of the hit locations are stored) and "indexing" (where a text index of the digital media is created, allowing searches to be performed quickly using the index). Both styles have advantages and disadvantages.
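To make the trade-off between the two search styles concrete, here is an added example (not code from the textbook, and not the behaviour of any tool named on this page). It runs both approaches over a constructed two-sector "disk image": a live search scans the raw bytes for each keyword in ASCII and UTF-16LE and records bookmark offsets, while an indexed search first tokenises the media into an inverted index and then answers queries by lookup. The image contents, the tokeniser rule and the function names (`live_search`, `build_index`, `index_search`, `describe_hit`) are all assumptions made for the illustration.

```python
"""Keyword searching over a raw disk image: live search versus indexing.

Added example for illustration only. SAMPLE_IMAGE is a constructed
two-sector byte string, not real evidence; the regexes and tokeniser are
simplifications, not the behaviour of any named forensic tool.
"""
import re
from collections import defaultdict

SECTOR = 512

# Constructed sample image: sector 0 holds an e-mail fragment and some
# binary filler; sector 1 holds a "deleted" fragment plus a UTF-16LE string
# (the encoding many Windows artefacts use). Offsets are chosen deliberately.
SAMPLE_IMAGE = (
    b"\x00" * 40
    + b"Subject: invoice2019 overdue\r\nFrom: alice@example.test\r\n"
    + b"\xff\xfe" * 30
    + b"meeting notes: Invoice sent to bob\n"
).ljust(SECTOR, b"\x00") + (
    b"\x00" * 100
    + b"deleted fragment ... INVOICE draft\n"
    + "Registry invoice".encode("utf-16-le")
).ljust(SECTOR, b"\x00")


def live_search(image, keywords, encodings=("ascii", "utf-16-le")):
    """Scan the raw bytes for every keyword in every requested encoding.

    Returns {keyword: [(offset, encoding), ...]}, i.e. the bookmarks a live
    search stores. Every byte is examined for every keyword, so cost grows
    with media size times keyword count, but anything the byte pattern can
    match is found: partial words, slack/unallocated data, non-ASCII text.
    """
    hits = defaultdict(list)
    for kw in keywords:
        for enc in encodings:
            pattern = re.compile(re.escape(kw.encode(enc)), re.IGNORECASE)
            for m in pattern.finditer(image):
                hits[kw].append((m.start(), enc))
        hits[kw].sort()
    return dict(hits)


# Tokeniser rule for the index: ASCII "words" of three or more characters.
TOKEN_RE = re.compile(rb"[A-Za-z0-9@.]{3,}")


def build_index(image):
    """One pass over the media building an inverted index token -> offsets.

    Whatever the tokeniser fails to treat as a token (here: UTF-16 text,
    or 'invoice' inside 'invoice2019') can never be found by index_search.
    """
    index = defaultdict(list)
    for m in TOKEN_RE.finditer(image):
        index[m.group().lower()].append(m.start())
    return dict(index)


def index_search(index, keyword):
    """Fast lookup that returns offsets of whole-token matches only."""
    return index.get(keyword.lower().encode("ascii"), [])


def describe_hit(image, offset, width=24):
    """Sector number and a printable context snippet for one bookmark."""
    chunk = image[offset:offset + width]
    printable = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
    return offset // SECTOR, printable


if __name__ == "__main__":
    live = live_search(SAMPLE_IMAGE, ["invoice", "bob"])
    idx = build_index(SAMPLE_IMAGE)
    for kw, bookmarks in live.items():
        print(f"live search '{kw}':", bookmarks)
        for off, _ in bookmarks:
            print("   sector %d: %s" % describe_hit(SAMPLE_IMAGE, off))
        print(f"index search '{kw}':", index_search(idx, kw))
```

Running it shows the live search finding four "invoice" hits (including the one embedded in `invoice2019` and the UTF-16LE one), while the index only returns the two whole ASCII tokens; the index is far cheaper to query repeatedly, but its tokeniser decides in advance what is findable at all.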

The "de facto" industry standard tool is usually considered to be EnCase, produced by Guidance Software. It is a general forensics tool tailored for Windows systems and focuses on the live search method. It includes a scripting interface, dubbed EnScript, which is useful for developing custom tools to extract information. EnCase is closely followed by AccessData's Forensic Toolkit (or FTK). Other Windows-based tools include ILOOK, Paraben's E3 and ISEEK (which uses a new hybrid-forensics approach). Open source Linux tools include The Sleuth Kit and the SANS Investigative Forensics Toolkit (SIFT).

Specialist forensic tools
Specialist tools focus on a particular aspect of forensic investigation; for example categorising images or recovering internet artefacts. The range of tools and software is vast, including commercial and free offerings.

One of the better known is a free tool called "Categoriser 4 Pictures" which is a helper tool for classifying images and presenting your results. C4P is a class of tool that relies on output from EnCase, using an EnScript to parse and extract images for processing. We discuss C4P in more detail in "../Image investigations/".

Another common theme for specialist tools is internet artefacts; this can range from recovering internet cache data (web pages and other fragments) to analysing internet history or recovering chat transcripts. Internet artefacts often contain a large amount of useful evidence and they are a common focus for investigations. Some notable tools include:
 * Netanalysis; commercial tool, parses internet history files (.dat) and allows searching/analysis of the data.
 * Internet Evidence Finder; commercial, scans digital media for a variety of internet artefacts (e.g. chat, webmail and internet history).
 * Virtual Forensic Computing; allows digital media containing an operating system to be mounted as a virtual machine.

Case management
We already touched on case management in "../Documenting evidence/", but it is included here for completeness. Very few (if any) software tools exist for complete case management (although some practitioners adapt case management tools from the law field). Several free case note tools exist for creating auditable notes; the primary example being CaseNotes.

Many analysts still use paper documents, partly because this is an audit trail that courts understand and accept!

Useful software
A wide variety of tools exist that are adaptable for forensic investigation; system administration tools, for example, can often tell you a lot about a system. VMware is a commercial/free tool that can be used to view digital media as virtual machines. VLC media player can be useful for handling a diverse collection of media.