Computer forensics is the process of analysing and evaluating digital data as evidence. It is the analysis of information contained within and created with computer systems and computing devices, typically in the interest of figuring out what happened, when it happened, how it happened, and who was involved. It is considered to be the use of analytical and investigative techniques to identify, collect, examine and preserve information that is magnetically stored or encoded.
Uses of Computer Forensics
Computer forensics is used for:
- Law enforcement
- Enforce employee policies
- To gather evidence against an employee that an organization wishes to terminate, while being careful to follow the legal requirements
- Recover data in the event of a hardware or software failure
- Understand how a system works.
Computer Forensics Steps
- Preparation: To identify the purpose as well as the resources required during the investigation.
- Acquisition: To identify the sources of digital evidence and preserve it.
- Analysis: To extract, collect and analyze the evidence.
- Reporting: Documenting and presenting evidence.
Free Tools for Computer Forensics
One of the most important steps in the process of digital forensics is the process of data mirroring, more commonly known as disk imaging. Disk imaging takes a sector-by-sector copy, usually for forensic purposes, and as such it will contain some mechanism to prove that the copy is exact and has not been altered. It is the process of disk imaging that allows a forensic investigator to view the contents of a storage medium or asset without altering the original data in any way.
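The "mechanism to prove that the copy is exact" is normally a pair of hashes computed over the source while imaging and recomputed over the finished image. The following is an added example, not code from FTK Imager or any other tool mentioned here: it copies a source in sector-sized reads, records MD5 and SHA1 for source and image, and reports whether they agree. The sector size and the sample paths are assumptions; on a real system the source would be a block device opened read-only, ideally behind a write blocker.

```python
import hashlib
import os
import tempfile

SECTOR_SIZE = 512  # assumed logical sector size; Advanced Format disks use 4096

def hash_file(path, sector_size=SECTOR_SIZE):
    """Return (md5, sha1) hex digests of a file, read in sector-aligned chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(sector_size * 2048), b""):
            md5.update(block)
            sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()

def image_and_verify(src_path, dst_path, sector_size=SECTOR_SIZE):
    """Copy src_path to dst_path sector by sector; hash source bytes as read, then
    re-hash the image. "verified" is True only when the image is byte-for-byte what was read."""
    src_md5, src_sha1 = hashlib.md5(), hashlib.sha1()
    total = 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        for block in iter(lambda: src.read(sector_size * 2048), b""):
            src_md5.update(block)
            src_sha1.update(block)
            dst.write(block)
            total += len(block)
        dst.flush()
        os.fsync(dst.fileno())          # make sure the image really reached the disk
    img_md5, img_sha1 = hash_file(dst_path, sector_size)
    return {
        "bytes": total,
        "sectors": total // sector_size,
        "partial_trailing_sector": total % sector_size != 0,   # worth noting in the report
        "source_md5": src_md5.hexdigest(), "source_sha1": src_sha1.hexdigest(),
        "image_md5": img_md5, "image_sha1": img_sha1,
        "verified": (src_md5.hexdigest(), src_sha1.hexdigest()) == (img_md5, img_sha1),
    }

def demo():
    """Image a constructed 2560-byte 'disk' (5 sectors), then flip one byte in the image."""
    workdir = tempfile.mkdtemp()
    src, img = os.path.join(workdir, "source.raw"), os.path.join(workdir, "image.dd")
    with open(src, "wb") as f:
        f.write(bytes(range(256)) * 10)  # constructed sample content
    result = image_and_verify(src, img)
    with open(img, "r+b") as f:          # simulate an image altered after acquisition
        f.seek(1000); f.write(b"\xff")
    result["tamper_detected"] = hash_file(img) != (result["source_md5"], result["source_sha1"])
    return result
```

Recording both digests in the case notes, and re-hashing the image before every examination session, is what turns the copy into evidence that can be shown not to have changed.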
Tool: FTK Imager
This is a data preview and imaging tool with which one can study files and folders on a hard drive, network drive, and CDs/DVDs. It allows you to:
- review forensic memory dumps or images.
- create MD5 or SHA1 hashes of files.
- recover files that have been deleted from the Recycle Bin, if their data blocks have not already been overwritten.
- mount forensic images and browse their contents.
Tool: Live View
Live View is a forensics tool that creates a VMware virtual machine out of a raw disk image or physical disk. This allows the forensic examiner to boot up the image or disk and gain an interactive, user-level perspective of the environment, all without modifying the underlying image or disk. Because all changes made to the disk are written to a separate file, the examiner can instantly revert all of his or her changes back to the original pristine state of the disk.
The end result is that one need not create extra “throw away” copies of the disk or image to create the virtual machine.
Tool: DumpIt
DumpIt is used to generate a physical memory dump of Windows machines. It works with both 32-bit and 64-bit machines, and the executable is ideal for deploying on USB keys for quick incident response needs.
The raw memory dump is generated in the current directory; only a confirmation question is prompted before it starts.
Registry Forensics
Registry forensics involves extracting information and context from a largely untapped source of data, and knowing the context in which Registry data is created or modified.
Tool: MuiCache View
Whenever a new application is installed, the Windows operating system automatically extracts the application name from the version resource of the exe file and stores it for later use in a Registry key known as the ‘MuiCache’.
This tool allows you to easily view and edit the list of all MuiCache items on your system. You can edit the name of the application, or alternatively, you can delete unwanted MuiCache items.
Tool: Process Monitor
Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process activity.
Tool: Regshot
Regshot is a registry compare utility that allows you to quickly take a snapshot of your registry and then compare it with a second one taken after making system changes or installing a new software product.
The results of comparing the two shots are shown in the following manner.
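The comparison Regshot performs is a diff between two snapshots. The following is an added example, not Regshot's own code: two constructed snapshots (a first shot, and a second shot after installing a hypothetical "ExampleApp") are compared and the differences are grouped into the categories a Regshot report uses. Snapshots are plain dicts of key path to value name and data; a real tool would fill them from the live registry.

```python
def compare_shots(before, after):
    """Diff two registry snapshots, {key path: {value name: data}}, into the
    categories a Regshot report uses."""
    rep = {"keys_added": [], "keys_deleted": [], "values_added": [],
           "values_deleted": [], "values_modified": []}
    for key in sorted(set(after) - set(before)):          # new keys and every value under them
        rep["keys_added"].append(key)
        rep["values_added"] += [(key, n, d) for n, d in sorted(after[key].items())]
    for key in sorted(set(before) - set(after)):          # removed keys and their values
        rep["keys_deleted"].append(key)
        rep["values_deleted"] += [(key, n, d) for n, d in sorted(before[key].items())]
    for key in sorted(set(before) & set(after)):          # keys present in both shots
        b, a = before[key], after[key]
        rep["values_added"] += [(key, n, a[n]) for n in sorted(set(a) - set(b))]
        rep["values_deleted"] += [(key, n, b[n]) for n in sorted(set(b) - set(a))]
        rep["values_modified"] += [(key, n, b[n], a[n])
                                   for n in sorted(set(a) & set(b)) if a[n] != b[n]]
    return rep

def render(rep):
    """Regshot-style text: a heading with a count per category, then one line per change."""
    out = []
    for section, items in rep.items():
        out.append(f"{section.replace('_', ' ').capitalize()}: {len(items)}")
        for it in items:
            if isinstance(it, str):                        # a key path on its own
                out.append(f"  {it}")
            elif len(it) == 4:                             # old data -> new data
                out.append(f"  {it[0]}\\{it[1]}: {it[2]!r} -> {it[3]!r}")
            else:
                out.append(f"  {it[0]}\\{it[1]}: {it[2]!r}")
    out.append(f"Total changes: {sum(len(v) for v in rep.values())}")
    return "\n".join(out)

# Constructed snapshots: first shot, then second shot after installing a hypothetical ExampleApp.
RUN = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
UNINSTALL = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ExampleApp"
SHOT_BEFORE = {
    RUN: {"SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe"},
    r"HKLM\SOFTWARE\Classes\.txt": {"(Default)": "txtfile", "PerceivedType": "text"},
    r"HKCU\SOFTWARE\OldTool": {"Version": "1.0"},
}
SHOT_AFTER = {
    RUN: {"SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
          "ExampleApp": r"C:\Program Files\ExampleApp\tray.exe"},        # new autostart entry
    r"HKLM\SOFTWARE\Classes\.txt": {"(Default)": "ExampleApp.Document"},  # file association changed
    r"HKLM\SOFTWARE\ExampleVendor\ExampleApp": {"InstallDir": r"C:\Program Files\ExampleApp",
                                                 "Version": "2.3"},
    UNINSTALL: {"DisplayName": "ExampleApp", "UninstallString": r"C:\Program Files\ExampleApp\uninstall.exe"},
}
```

In an examination the autostart and file-association changes are the lines to read first, because they are what the installed product will do on every later boot and file open.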
Tool: USBDeview
USBDeview is a small utility that lists all USB devices that are currently connected to your computer, as well as all USB devices that you previously used. For each USB device, extended information is displayed: device name, description, device type, serial number (for mass storage devices), the date and time the device was added, Vendor ID, Product ID, and more.
USBDeview also allows you to uninstall USB devices that you previously used, disconnect USB devices that are currently connected to your computer, and disable and enable USB devices.
You can also use USBDeview on a remote computer, as long as you log in to that computer as an administrator.
Disk Forensics
Disk forensics is the process of acquiring and analyzing the data stored on physical storage media. It includes both the recovery of hidden and deleted data and file identification, the process of identifying who created a file or message.
Tool: ADS Locator
The ADS Locator can be used to find files that have alternate data streams (ADS) attached. ADS is a technology used to store additional data related to files, and the system itself already has many legitimate uses for it. So this tool will only find those ADS entries that are user-created alternate streams, which are sometimes used by spyware, malware and viruses.
Tool: Disk Investigator
Disk Investigator helps you to discover all that is hidden on your computer's hard disk. It can also help you to recover lost data. It displays the true drive contents by bypassing the operating system and directly reading the raw drive sectors, and lets you view and search raw directories, files, clusters, and system sectors, verify the effectiveness of file and disk wiping programs, and undelete previously deleted files.
Tool: Recuva
Recuva is a free file recovery program capable of recovering lost or deleted files from local and external drives. An integrated wizard guides users through the whole recovery process. It also supports removable media such as SmartMedia, Secure Digital cards, Memory Stick, digital cameras, flash cards and many more.
Tool: Encrypted Disk Detector
Encrypted Disk Detector (EDD) is a command-line tool that checks the local physical drives on a system for TrueCrypt, PGP, or BitLocker encrypted volumes. If no disk encryption signatures are found in the MBR, EDD also displays the OEM ID and, where applicable, the Volume Label for partitions on that drive, checking for BitLocker volumes.
Encrypted Disk Detector is useful during incident response to quickly and non-intrusively check for encrypted volumes on a computer system. The decision can then be made to investigate further and determine whether a live acquisition needs to be made in order to secure and preserve the evidence that would otherwise be lost if the plug was pulled.
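The BitLocker part of that check rests on one observable fact: a BitLocker-encrypted volume carries the OEM ID "-FVE-FS-" in its boot sector where an NTFS volume carries "NTFS    ". The following is an added example, not EDD's code, and it is narrower than EDD: it works on a raw MBR disk image rather than live physical drives, reads each partition's boot sector, reports the OEM ID and flags BitLocker. The TrueCrypt and PGP boot-loader signature checks, GPT disks and volume labels are not handled; the sample image is constructed.

```python
import os
import struct
import tempfile

SECTOR = 512
BITLOCKER_OEM_ID = b"-FVE-FS-"   # OEM ID in the boot sector of a BitLocker-encrypted volume

def parse_mbr(mbr):
    """Return the non-empty entries of the four-slot MBR partition table."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing MBR boot signature 0x55AA")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 462 + 16 * i]
        ptype = entry[4]                                  # partition type byte
        start_lba, size = struct.unpack("<II", entry[8:16])
        if ptype and size:
            parts.append({"slot": i, "type": ptype, "start_lba": start_lba, "sectors": size})
    return parts

def scan_image(path):
    """Read each partition's boot sector and report its OEM ID, flagging BitLocker."""
    findings = []
    with open(path, "rb") as disk:
        for p in parse_mbr(disk.read(SECTOR)):
            disk.seek(p["start_lba"] * SECTOR)
            oem = disk.read(SECTOR)[3:11]                 # OEM ID sits at offset 3, 8 bytes
            findings.append(dict(p, oem_id=oem.decode("ascii", "replace"),
                                 bitlocker=oem == BITLOCKER_OEM_ID))
    return findings

def build_sample_image(path):
    """Constructed 3-sector image: MBR, an NTFS-style VBR, then a BitLocker-style VBR.
    BitLocker keeps the NTFS partition type 0x07, so only the OEM ID gives it away."""
    def vbr(oem):
        s = bytearray(SECTOR)
        s[0:3], s[3:11], s[510:512] = b"\xeb\x52\x90", oem, b"\x55\xaa"
        return bytes(s)
    mbr = bytearray(SECTOR)
    mbr[446:462] = struct.pack("<8BII", 0x80, 0, 0, 0, 0x07, 0, 0, 0, 1, 1)  # slot 0 -> LBA 1
    mbr[462:478] = struct.pack("<8BII", 0x00, 0, 0, 0, 0x07, 0, 0, 0, 2, 1)  # slot 1 -> LBA 2
    mbr[510:512] = b"\x55\xaa"
    with open(path, "wb") as f:
        f.write(bytes(mbr) + vbr(b"NTFS    ") + vbr(BITLOCKER_OEM_ID))

def demo():
    path = os.path.join(tempfile.mkdtemp(), "disk.raw")
    build_sample_image(path)
    return scan_image(path)
```

A flagged volume is the cue the text describes: decide on a live acquisition while the machine is still running and the volume is still unlocked.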
Tool: Passware Encryption Analyzer
It scans a computer for password-protected and encrypted files and reports the encryption complexity and decryption options for each file. With Encryption Analyzer you get all the password recovery and decryption options that are available for the files and hard disk images of the cases you are investigating.
Network Forensics
Network forensics is related to the monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence, or intrusion detection. The ultimate goal of network forensics is to provide sufficient evidence to allow the criminal perpetrator to be successfully prosecuted. The practical application of network forensics could be in areas such as hacking, insurance companies, fraud, defamation etc.
Tool: Wireshark
Wireshark, a network analysis tool formerly known as Ethereal, captures packets in real time and displays them in a human-readable format. Wireshark includes filters, colour-coding and other features that let you dig deep into network traffic and inspect individual packets.
Tool: Network Miner
Network Miner is a Network Forensic Analysis Tool for Windows that can detect the OS, hostname and open ports of network hosts through packet sniffing or by parsing a PCAP file. Network Miner can also extract transmitted files from network traffic.
Email Forensics
Erasing or deleting an email doesn’t necessarily mean that the email is gone forever. Often emails can be forensically extracted even after deletion. Forensic tracing of e-mail is similar to traditional detective work. It is used for retrieving information from mailbox files.
Tool: MiTec Mail Viewer
It is a viewer for Outlook Express, Windows Mail/Windows Live Mail and Mozilla Thunderbird message databases and for single EML files. It displays a list of the contained messages with all the needed properties, like an ordinary e-mail client. Messages can be viewed in a detailed view including attachments and an HTML preview. It has powerful searching and filtering capability and also allows extracting all email addresses from all emails in the opened folder into a list with one click. Selected messages can be saved to EML files with or without their attachments. Attachments can be extracted from selected messages with one command.
Tool: OST and PST Viewer
Nucleus Technologies' OST and PST viewer tools help you view OST and PST files easily without connecting to an MS Exchange server. These viewers let the user scan OST and PST files and display the data saved in them, including email messages, contacts, calendars, notes etc., in the proper folder structure.
Browser Forensics
During most investigations, an individual’s web browsing activity often provides investigative leads. Evidence of Internet web browsing typically exists in abundance on the user’s computer. Most web browsers utilize a system of caching to expedite web browsing and make it more efficient. This web browsing Internet cache is a potential source of evidence for the computer investigator. Following are the tools for browser forensics.
Tool: ChromeCacheView
ChromeCacheView is a small utility that reads the cache folder of the Google Chrome Web browser and displays the list of all files currently stored in the cache. For each cache file, the following information is displayed: URL, Content type, File size, Last accessed time, Expiration time, Server name, Server response, and more.
You can easily select one or more items from the cache list, and then extract the files to another folder, or copy the URLs list to the clipboard.
This utility displays the details of all cookies stored inside the cookies file (cookies.txt) in one table and allows you to save the cookies list to a text, HTML or XML file, delete unwanted cookies, and back up/restore the cookies file. It can read the cookies file created by any version of the Netscape/Mozilla browser.
Tool: MyLastSearch
The MyLastSearch utility scans the cache and history files of your Web browser and locates all search queries that you made with the most popular search engines and with popular social networking sites. The search queries that you made are displayed in a table with the following columns: Search Text, Search Engine, Search Time, Search Type, Web Browser, and the search URL.
You can select one or more search queries and then copy them to the clipboard or save them to a text/HTML/XML file.
Tool: PasswordFox
PasswordFox is a small password recovery tool that allows you to view the user names and passwords stored by the Mozilla Firefox Web browser. By default, PasswordFox displays the passwords stored in your current profile, but you can easily choose to view the passwords of any other Firefox profile. For each password entry, the following information is displayed: Record Index, Web Site, User Name, Password, User Name Field, Password Field, and the Signons filename.
Application Forensics
In application forensics we extract the logs that applications store during their execution. For any application we can see the restricted information of the application without knowing the password.
Tool: SkypeLogView
SkypeLogView reads the log files created by the Skype application and displays the details of incoming/outgoing calls, chat messages, and file transfers made by the specified Skype account. You can select one or more items from the logs list and then copy them to the clipboard, or export them to a text/HTML/CSV/XML file.
Computer forensics is all about collecting evidence from computers that is sufficiently reliable to stand up in court. The goal of computer forensics is to conduct a structured investigation and find out exactly what happened in a digital system, and who was responsible for it. There are many tools that are used in the process of examining digital evidence and evaluating system security. The free tools described above will help you conduct a digital forensic investigation in a well-defined manner.