December 3rd, 2002, 12:28 AM
Building your forensics toolkit
Forensic tools can be costly, but even with these expensive tools it is often necessary to supplement your forensics toolkit with other utilities. The purpose of this paper is to list free utilities that will be a useful addition to any forensics toolkit.
The most important things in a forensic investigation are the preservation and handling of the evidence. It is important to understand the laws in your country relating to evidence, and to make every effort to examine that evidence non-intrusively. The informational links provided in this document pertain to United States law. Also note that most of these tools pertain to Microsoft operating systems. If you are using a *nix environment you will want to check out The Coroner's Toolkit at www.fish.com/forensics
At http://www.usdoj.gov/criminal/cybercrime/ you will find the latest edition of "Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations", as well as links to a variety of other information relating to computer crime. I highly recommend that anyone performing forensics read this document and browse the information at this site.
The United States Code in searchable format is available at http://uscode.house.gov/usc.htm
I would also recommend that you read the FBI's "Handbook of Forensic Services" located at
Best practices dictate that you make a copy of the evidence hard drive. This copy is then used to conduct your analysis while keeping the original evidence untouched. It is difficult to find free software that will enable you to accomplish this task neatly, but you can do it using the information and free software available here:
Note that software like this could touch dates and other information on the hard drive, and you should be prepared to explain how that happens.
Equally important when making the copy of the data is ensuring that you have no leftover information on the drive you are copying to. You will want to make sure that the drive is clean and has no residue from a previous use. You can do this using one of these free utilities.
http://www.tolvanen.com/eraser/ (my personal favorite)
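The three steps above (confirm the destination holds no residue, make a bit-for-bit copy, prove the copy matches) are shown below as an added example. It is not code from the original post or from any of the tools it links to; it works on ordinary files that it creates itself, standing in for the raw devices a real acquisition would read through a write blocker, and the "evidence" and "residue" contents are constructed for the demo.

```python
"""Added example: wipe-verify a destination, image a source bit-for-bit,
and verify the copy by SHA-256. File-based stand-in for device imaging."""
import hashlib
import os
import tempfile

CHUNK = 1 << 16  # read and write in 64 KiB blocks


def sha256_of(path):
    """SHA-256 hex digest of a file, streamed so large images fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def is_clean(path):
    """True only if every byte of the destination is zero, i.e. nothing
    from a previous use is left on the media."""
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            if block.count(0) != len(block):
                return False
    return True


def wipe(path):
    """Overwrite the whole destination with zeros, in place, and sync."""
    remaining = os.path.getsize(path)
    with open(path, "r+b") as f:
        while remaining:
            n = min(CHUNK, remaining)
            f.write(b"\0" * n)
            remaining -= n
        f.flush()
        os.fsync(f.fileno())


def image(src, dst):
    """Copy src onto dst block by block, hashing the source as it is read
    and the copy after it is written. Returns (source_hash, copy_hash)."""
    h = hashlib.sha256()
    with open(src, "rb") as s, open(dst, "r+b") as d:
        for block in iter(lambda: s.read(CHUNK), b""):
            h.update(block)
            d.write(block)
        d.truncate()  # the copy file ends exactly where the source does
        d.flush()
        os.fsync(d.fileno())
    return h.hexdigest(), sha256_of(dst)


def acquire(src, dst):
    """The procedure from the post: refuse a dirty destination, wipe it,
    re-check it, copy, then verify the copy by hash. Returns the results."""
    result = {"dirty_before": not is_clean(dst)}
    if result["dirty_before"]:
        wipe(dst)
    result["clean_after_wipe"] = is_clean(dst)
    src_hash, dst_hash = image(src, dst)
    result["source_sha256"] = src_hash
    result["copy_sha256"] = dst_hash
    result["verified"] = src_hash == dst_hash
    return result


def demo():
    """Constructed inputs: a fake 'evidence' image and a destination that
    still holds data from an earlier job (so the residue check must fail)."""
    tmp = tempfile.mkdtemp()
    src = os.path.join(tmp, "evidence.img")
    dst = os.path.join(tmp, "copy.img")
    with open(src, "wb") as f:
        f.write(os.urandom(200_000))          # the "suspect drive"
    with open(dst, "wb") as f:
        f.write(b"OLD CASE DATA " * 20_000)   # leftover data on the target
    return acquire(src, dst)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Record both hashes in your notes before analysis starts; re-hashing the working copy later shows whether any tool you ran on it changed a byte, which is the point of the caveat about software touching dates on the drive.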
Now that you have made an exact copy of the data, you will want to start your investigation. If you made an exact copy you can attempt to salvage any deleted files using (free, of course):
http://paradiseprogramming.tripod.com/flopshow.html (Floppy disk deleted file recovery)
You may need to examine the drive at the sector level, which can be done using this free tool:
In many cases, you will be looking for images on the suspect drive. I like to use IrfanView for this task because it enables you to thumbnail browse, supports several formats, does not touch the time and date on the file, can fit on a floppy disk, and most importantly does not require installation on the target machine. IrfanView can be found here:
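Both deleted-file recovery and the search for images come down to one idea: when the directory entry is gone, the file's own header and trailer bytes are usually still on disk, so a scan of the raw copy for those signatures can pull the file back out. The following is an added example of that signature-carving technique for JPEG files; it is not code from the original post or from any tool it links to, and the "disk image" it scans is constructed in memory. It walks the JPEG marker segments rather than stopping at the first FF D9, so a thumbnail embedded in an EXIF segment does not cut the carved picture short.

```python
"""Added example: carve JPEG files from a raw image by signature,
walking marker segments so embedded thumbnails are not mistaken for the
end of the picture. Operates on a constructed in-memory 'disk image'."""

JPEG_SOI = b"\xff\xd8\xff"   # start of image, always followed by a marker
JPEG_EOI = b"\xff\xd9"       # end of image
MAX_JPEG = 16 * 1024 * 1024  # abandon a candidate that grows past this


def carve_one(data, start, max_len=MAX_JPEG):
    """Validate a candidate JPEG beginning at `start` by walking its
    segments. Returns the exclusive end offset, or None if it is not a
    complete, well-formed file."""
    pos = start + 2                       # skip SOI (FF D8)
    limit = min(len(data), start + max_len)
    while pos + 4 <= limit:
        if data[pos] != 0xFF:
            return None                   # structure broken: not a JPEG
        marker = data[pos + 1]
        if marker == 0xFF:                # fill byte, keep looking
            pos += 1
            continue
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                      # stand-alone markers carry no length
            continue
        if marker == 0xD9:
            return pos + 2                # EOI before any scan: empty but valid
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        if length < 2:
            return None
        if marker == 0xDA:                # SOS: entropy-coded data follows
            # In scan data every 0xFF is stuffed (FF 00) or a restart marker,
            # so the first FF D9 after it is the real trailer. Thumbnails live
            # inside APP1 segments, which the length field skipped above.
            end = data.find(JPEG_EOI, pos + 2 + length, limit)
            return None if end == -1 else end + 2
        pos += 2 + length                 # ordinary segment: jump over it


def carve_jpegs(data, max_len=MAX_JPEG):
    """Return [(offset, bytes), ...] for every complete JPEG in `data`."""
    found, pos = [], 0
    while True:
        start = data.find(JPEG_SOI, pos)
        if start == -1:
            return found
        end = carve_one(data, start, max_len)
        if end is None:
            pos = start + 1               # false positive, resume just past it
        else:
            found.append((start, data[start:end]))
            pos = end


def make_fake_jpeg(payload, thumbnail=None):
    """Constructed helper: build a structurally valid (not viewable) JPEG
    with optional APP1 thumbnail, one DQT segment, SOS carrying `payload`
    as stuffed scan data, and EOI."""
    out = bytearray(b"\xff\xd8")
    if thumbnail:
        body = b"Exif\x00\x00" + thumbnail
        out += b"\xff\xe1" + (len(body) + 2).to_bytes(2, "big") + body
    dqt = b"\x00" * 8
    out += b"\xff\xdb" + (len(dqt) + 2).to_bytes(2, "big") + dqt
    sos = b"\x01\x01\x00\x00\x3f\x00"
    out += b"\xff\xda" + (len(sos) + 2).to_bytes(2, "big") + sos
    out += payload.replace(b"\xff", b"\xff\x00")
    out += JPEG_EOI
    return bytes(out)


def demo():
    """Constructed image: slack, a photo with an embedded thumbnail, a stray
    SOI signature with junk behind it, a second photo, more slack."""
    thumb = make_fake_jpeg(b"tiny thumbnail")
    photo = make_fake_jpeg(b"\xff\xff" + b"main picture data " * 50, thumbnail=thumb)
    second = make_fake_jpeg(b"another picture")
    disk = (b"\x00" * 512 + photo + b"dir entry residue" + JPEG_SOI
            + b"junk" * 10 + second + b"\x00" * 512)
    return carve_jpegs(disk), photo, second


if __name__ == "__main__":
    carved, _, _ = demo()
    for offset, blob in carved:
        print(f"JPEG at offset {offset}, {len(blob)} bytes")
```

Run it against the verified copy, never the original, and write carved files somewhere other than the evidence media; a naive scan that stops at the first FF D9 would return only the thumbnail's worth of the first photo, which is why the segment walk matters.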
I recently discovered Jpegger at http://www.vallen.de/freeware/index.html but have not had a lot of time to fully experiment with it. This company also has a free ZIP program and a CD file compare utility, which I have not had the opportunity to look at in detail.
Now on to sites that offer multiple tools of interest to the forensics examiner. Because each of these sites offers a wide range of tools, I cannot fit them into any one category. I will point out a few tools that are of special interest, but will leave it up to you to look through the list and determine which would be useful to you.
www.foundstone.com/knowledge/free_tools.html has a forensic toolkit which includes a utility to quickly find hidden files and another that will identify files with hidden streams.
www.dmares.com/maresware/freesoftware.htm has many tools for file level examination including CRC and Hash checking.
www.atstake.com Mostly Unix based tools for forensic analysis. Many include the source code.
http://sysinternals.com/ Contains a wide range of utilities for all MS operating systems. Note that not all of the utilities here are free.
www.forensics-intl.com/download.html Forensics International also offers a suite of tools for sale besides the free ones listed here.
www.forensics-intl.com/suite7.html I wanted to point out this suite at Forensics International that is free for law enforcement. If you qualify it would be worth your time to get it.
www.all.net This site has many articles that are worth reading. I am currently playing with the Deception toolkit. Although this isn't exactly forensics related, it is a utility that is worth looking at if you are in the security field.
www.incident-response.org/tools.html Windows, Nix, and response tools. Mostly older stuff, but may be just what you need.
www.digital-detective.co.uk HTML file viewer, cookie viewer, hash utility, date and time decoder and much more. The MS Access password decoder works great. He also has an AOL Instant Messenger password decoder, which is free to qualified law enforcement. Net Analysis is not free, but is a nice tool for investigating Internet activity on a suspect computer.
If you find that you need to get into a Windows NT or 2K system and can only do so by breaking into it, you might find this free tool useful. Be aware that this tool can cause damage to the system and is only recommended as a last resort. ome.eunet.no/~pnordahl/ntpasswd
That's all for now. I have included links to the free utilities that are most useful to me in forensic examinations, and hope that it will provide a starting point for anyone beginning to build their own forensics toolkit.