Software

A number of software tools are available on the commercial and freeware market today. The digital forensics laboratory should have access to more than one tool for each function, so that results from one can be cross-checked against another. At a minimum, the lab should have software that can image evidence drives, examine those images, analyze memory captures, and report findings.

There are several different types of forensic software that a digital forensic analyst can utilize. The first of these are forensic applications: purpose-designed suites that perform a variety of digital forensic tasks. They are usually commercial products and are in wide use in the law enforcement and government communities as well as in private industry. The following three forensic applications are the most common and widely deployed:

  • EnCase: Developed by Guidance Software, EnCase is a full-spectrum digital forensic application that performs the entire range of tasks in the examination of digital evidence, primarily from hard drives and other storage media. Besides analyzing digital evidence, EnCase has a reporting capability that lets examiners output case data in an easy-to-digest format. EnCase is widely deployed in government and law enforcement agencies. One drawback is the cost of the application; some CSIRTs and forensic examiners on a limited budget will have trouble justifying it.
  • FTK: Forensic Toolkit (FTK) is another full-service forensic application in wide use by government and law enforcement. With many of the same features as EnCase, it may be an alternative that digital forensic analysts will want to explore.
  • X-Ways: Another option is X-Ways Forensics. With similar functionality, it is a good lower-cost option for CSIRTs that may not need all of the functionality found in the other applications.

Linux forensic tools

There are also a number of Linux distributions that have been created for digital forensic purposes. These distributions, often provided for free, include tools that can aid a digital forensics investigator. They fall into two main types. The first are distributions intended to be booted from a CD/DVD or USB device. These are useful for conducting triage or for obtaining access to files without first having to image the drive. The examiner writes the distribution to a CD/DVD or, more commonly now, a USB device, and then boots the system under investigation into the Linux distribution instead of its installed operating system. There are a number of these distributions available.

The following are two that are popular with digital forensic examiners:

  • DEFT 8.2: Digital Evidence and Forensic Toolkit (DEFT) is based upon GNU/Linux and can be booted from a USB device or CD/DVD. Once booted, DEFT provides a number of tools that a digital forensic examiner can use for functions such as acquiring mass storage, including the hard drive of the system it was booted on. DEFT reduces the risk of altering data on that system by not using the system's swap partition and by not running automated mounting scripts, so the system's storage is not touched unless the examiner explicitly mounts it.
  • Paladin: Paladin is another live Linux distribution, based on Ubuntu. Paladin has a number of tools that aid in digital forensic tasks such as malware analysis, hashing, and imaging, and its forensic toolset includes packages for handling evidence from a wide range of operating systems.

Another category of Linux distributions are those designed as platforms for conducting the examination of evidence, such as RAM captures and network evidence, rather than for booting the system under investigation. There are several distributions available, but in this book we will be using the following:

  • SANS SIFT: The SANS Investigative Forensic Toolkit (SIFT) is a comprehensive forensic toolset based upon the Ubuntu 14.04 platform. Tools are included for imaging, memory analysis, timeline creation, and a host of other digital forensics tasks. SANS provides SIFT free of charge as a standalone virtual machine at https://digital-forensics.sans.org/community/downloads. Alternatively, SIFT can be installed onto an existing Ubuntu 14.04 installation. Once Ubuntu has fully installed, run the following command:
        wget --quiet -O - https://raw.github.com/sans-dfir/sift-bootstrap/master/bootstrap.sh | sudo bash -s -- -i -s -y
    Note that this command fetches a script over the network and pipes it straight into a root shell. For a workstation that will handle evidence, download the script first, review it, and record its hash in the workstation's build notes before running it.

Once installed, the result is an Ubuntu desktop with the additional tools available from the command line or through a GUI.

  • CAINE: Computer Aided Investigative Environment (CAINE) is another forensic distribution that will be put to use later in this book. CAINE is a GNU/Linux platform that includes a number of tools to assist digital forensic examiners.
  • REMNUX: REMNUX is a specialized toolkit that aggregates a number of malware reverse-engineering tools on an Ubuntu base. It includes tools designed for analyzing Windows and Linux malware and for examining suspicious documents, as well as the ability to intercept potentially malicious network traffic in an isolated environment. REMNUX can be downloaded from https://remnux.org as a standalone virtual machine, or added to either the SIFT workstation or CAINE with the following command (as with the SIFT bootstrap script, review the downloaded script before piping it into a root shell):
        wget --quiet -O - https://remnux.org/get-remnux.sh | sudo bash
When incorporating different tools into a CSIRT digital forensics capability, it is important to keep several factors in mind. First, tools developed by outsiders must be tested for efficacy before they are used on real evidence. This can be done with test data commonly available on the internet: image or parse a known data set and confirm that the tool's output matches the known contents. Second, open source tools such as Linux distributions are sometimes not adequately maintained. Digital forensic analysts should confirm that tools such as SIFT, CAINE, and REMNUX are still supported and still receiving updates; a distribution that has fallen out of support will carry stale parsers and unpatched software. Finally, some tools explored in this book are derived from network monitoring tools but can also serve as tools in incident response. When using these tools, it is critical to document their use and the justification for it. If there is ever a question about the integrity of the evidence obtained or analyzed with these tools, proper documentation lessens the chance that their use will be seen as forensically unsound.
The National Institute of Standards and Technology (NIST) has provided guidance on the proper testing of forensic tools through the Computer Forensics Tool Testing (CFTT) Program, found at http://www.cftt.nist.gov/. In addition to specific guidance on testing, the program publishes reports on a number of forensic hardware and software products. Having this information on file for the tools utilized provides validation in the event that the use of a tool is ever challenged in a courtroom.
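As an added example, not taken from the book or from any of the tools named above, the following POSIX shell script performs the core check that the NIST CFTT disk-imaging tests and the testing paragraph above call for: image a known source with dd, confirm that the image hashes identically to the source, confirm that the source's own hash did not change during acquisition, and write a record of what was run. The "evidence drive" is a constructed file rather than a real device, and the working directory and log format are assumptions.

```shell
#!/bin/sh
# Added example, not from the book or from any tool's own test suite: a
# minimal imaging-tool validation run in the spirit of the NIST CFTT
# disk-imaging checks. The "evidence drive" is a constructed file, and the
# working directory and log format are assumptions.
set -u

WORK="${TMPDIR:-/tmp}/imaging-validation.$$"

# Constructed test source: 2048 fixed-size records (86016 bytes, exactly
# 168 sectors of 512 bytes), so its content is known and the run repeats.
make_test_source() {
  mkdir -p "$WORK"
  : > "$WORK/source.bin"
  i=0
  while [ "$i" -lt 2048 ]; do
    printf 'TESTBLOCK %05d EVIDENCE-DRIVE-SIMULATION\n' "$i" >> "$WORK/source.bin"
    i=$((i + 1))
  done
  printf '%s\n' "$WORK/source.bin"
}

# SHA-256 of a file, using sha256sum (GNU) or shasum (BSD/macOS).
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Image the source with dd and verify two things: the image hashes the same
# as the source (completeness) and the source hash is unchanged afterwards
# (the tool did not write to the evidence). Returns 0 only if both hold.
# conv=noerror,sync pads a short final block with zeros, which is what you
# want on a real device with read errors, but it would change the hash of a
# source whose size is not a multiple of bs; a block device always is.
validate_imaging() {
  src="$1"
  img="$WORK/image.dd"
  log="$WORK/validation.log"

  before=$(hash_file "$src")
  dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null
  after=$(hash_file "$src")
  image=$(hash_file "$img")

  # Document what was run, on what, and the hashes: the record the text
  # calls for if the tool's use is ever questioned.
  {
    printf 'date=%s tool=dd bs=512 conv=noerror,sync source=%s image=%s\n' \
      "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$img"
    printf 'source_sha256_before=%s\n' "$before"
    printf 'source_sha256_after=%s\n'  "$after"
    printf 'image_sha256=%s\n'         "$image"
  } >> "$log"

  [ "$before" = "$after" ] && [ "$before" = "$image" ]
}

# Run the check when executed directly.
src=$(make_test_source)
if validate_imaging "$src"; then
  echo "PASS: image matches source; record in $WORK/validation.log"
else
  echo "FAIL: see $WORK/validation.log" >&2
  exit 1
fi
```

To turn this into a real validation record for a lab, replace the constructed source with a reference drive whose contents are known (the CFTT data sets serve this purpose), run it for each imaging tool you intend to use, and keep the log with the tool's version number. The same before-and-after hash comparison is the check to repeat whenever a live distribution or write blocker is in the acquisition path.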