Cyber Forensics is the Very Large Domain to Work into And Having Several branches of Digital Forensics. For digital investigation of any computer system after the cyber crime it is important to first Know the Forensics Investigation Process. Every Forensics investigator must know the Computer Forensics Tools and techniques to investigating the case through their skill sets. If you are the Investigator then you must know the every technique to solve the case related to computer crime and professional forensics Investigator knows every tools and techniques in Linux and windows systems because cyber crime can occur from any operating system.
Let me give you some important and useful Computer Forensics Tools names and its usages. I have performed the Computer forensics using all that tools so it easier for me to explain how to use that tools to collects the evidences as a trails.
This is the first and very popular computer forensics tool that you should know as a professional forensics Investigator. This tool allows you to capture the evidences from the computer system and also having interface to analyze the captured evidences inside that tool. From the File menu you can capture the Live memory of the RAM also and then you can open the captured RAM Dump into the AccessData FTK Imager from File Menu by using the “Add Evidence Items” Option. Which allows to add the ‘content of a folders’ and you can analyze the dump.mem file to find what happened in computer. There are also more usage of this tool but you can learn more by using it more and more.
Memory dump is the tool which used to capture the Live memory which we can do by using the FTK Imager as mentioned above. RAM capturing is the only function of this tool. It is also available as the name with RamCapturer.
This Computer forensics tool is the large collection of small small utilities and is used most frequently by the most of the computer forensics investigator because it is having the Network monitoring tools, Password recovery utilities, Web browser tools, System utilities, Disk utilities, Internet utilities, command line utilities, office utilities and much more. It is the Computer forensics suite having large number of useful tool sets.
OS (Operating System) Forensics is best and used in professional investigation process because it contains the case management facility. Like you can create the case with number and description and all that evidences are arranged in the same folder. It is having features and utilities like Hashing, SQLite DB browser, Web browsers, Passwords, Hash Sets, Create and verify the file signature and much more. You can also call it as suite.
This is the best tool for the Computer Database Forensics. Yes it analyse the .sqlite file inside your computer. You can open your sqlite file created by the Firefox or any web browser located at the AppData folder of the computer system drive. It is the hidden file location inside the system drive which contains the .SQLite file. Even after deleting the browser history you’ll find some evidences from that file like browsing URL and date and time along with.
Sys Internals suite is same as the Nirsoft and having large collection of utilities which are helpful in any case. Utilities like RootkitRevealer, ShareEnum, Tcpvcon, Tcpview, ZoomIt are the most popular and most used utilities of it.
WEFA (WebBrowser Forensics Analyzer) –
It is the best Forensics tool and used most for the Browser related crime. It revels the Actual URL access by the User directly or Indirectly and also tells the Date and Time along with the type of the webpage(Blog, News, Website etc.) accessed by the user. The most powerful feature is that it can also carve the Index.dat file of the Internet Explorer and restore the old browsing content by the User even user deleted it from the computer system. This is the very Under ground forensics tools that no one is talking about but best Browser Forensics Tool.
Windows Registry Forensics is the Tool which is used to analyze the newly created and edited entry of the Windows registry. It revels all the modified entry with date and time.
Autopsy (The Sleuth Kit) –
For windows it is Autopsy and For Linux it is The Sleuth Kit. It is the open source toolkit and having the several forensics utilities like Hash Filtering, Timeline Analysis, File System analysis and more. Here you can also create new case and load the file to be analyzed and save the case so you can re-open it.
This is the nice utility which works as the bridge between windows and Linux file system. For quick access of any file system it is important and very useful and does not allows you to record the activity data in the partition so it is safe to work and also available for free.
It is the Linux Ubuntu based Forensics system and is collection of linux forensics tools like dd file analysis, log2timeline, data carving, examine recycle bin and much more. You can get it from available official website.
This is the best utility for malware analysis and having the good capability of volatile memory analysis which includes running Network process, Network sockets, DLL files, cached Registry hives and more. This is one of the best command line utility and used most frequently by Incidence response team for malware analysis or forensics examination of volatile data.
DD (Disk Duplication) comes as default in most of the Linux distribution. You must use this utility with care otherwise you lose all your important data by wrong selection of partition. You can run the Terminal in Linux and start using it by typing the ‘dd’ command inside. It is having several features like Digital evidence acquisition, Pattern writing, Hashing, Split output files, Pattern writing etc.
This is best tool for Mobile Forensics. It is having several mobile data and information extraction features like IMEI, Manufacturer, OS, Serial, email, contacts and more. File browser allows to view the videos, photos and mobile databases. It is best for the mobile forensics. It is available free to download.
Free hex editor neo allows you to find data patterns in large files, Regular expression search, make file patches and multiple core processing and is available for free. This is mostly used in the Malware Analysis by the Incidence response team.
It is the large collection of forensic utilities like Data Recovery, Mobile Forensics, Network forensics etc. It gives nice user friendly experience and is available as Linux live CD to download. You can boot up to test it on your existing system.
Deft is also the Linux live CD distribution Having the large collection of tools and you can say it as suite. Same as the CAIN you can use it on your machine with booting it up with live Linux image. very Large collection of tools of Mobile Forensics, Network forensics, File analysis and hashing etc.
It is best and popular tool for analyzing image, file and contents of the directory at a time to extract the useful information from it. Extracted information contains Email, Zip, Contacts and much more. It is more speedy response tool because it ignores the file system structure and examine the different part of the disk in parallel. Bulk Extractor can be used to collect the information from the Memory cards, digital camera, Mobile phones, Optical media and more. If you haven’t used this then its worth to give it try.
Helix is the Linux live distribution based forensics system. Used as incidence response and digital forensics. It is collection of several open source tools including Carving, Hex editors, hashing and more. You can boot directly to use or you could also install on your machine if you need daily.
HxD allows to view and allows low level memory editing. It handles large file very smoothly and having features like Search, replace, checksums, shredder and more. It is very user friendly and most popular hex editor.
Xplico is the network forensics analysis tool which allows to analyze the network traffic. It supports protocols like TCP, UDP, HTTP, IMAP, SIP etc. Output data file can be generated in SQLite or mysql database. After successful installation you can use it by accessing the URL in the Browser like Http://IP:port and then by logging with normal user it gives you the interface to work with. Now you can create the new case to start working.
It is the open source digital investigation software. It is used by professional more and you can also use it to collect, preserve and reveal evidences from the system. Having several cool features like VM disk reconstruction, Linux and windows forensics, Access local and remote drives, Recover hidden and deleted digital artifacts and much more.
PlainSight is the environment which allows inexperienced forensic practitioners to work using powerful tools. It can perform operations like Collect hard disk and partition info, Firewall examination, user and group extraction, Discover USB storage info, Physical memory dumps examination and much more.
Mandiant is used for specific host analysis and gives signs of malicious activity through memory and file analysis. By using it you can collect all host running processes, memory drivers, registry, event log, metadata of file system, web history and much more. It is best for malware analysis ans used by Incidence response team more frequently.
It is the Image mounting tool you can use by just mounting as read only local logical and physical disks. Then after mounting you can analyze the deleted data, unallocated and slack spaces of the image. It is having Mounting features as Mount smart images, Mount encase images, mount Paraben’s Forensic Replicator images (PFR), Mounts vmware snapshots, Mounts RAW images from Linux DD & other tools and more mounting features, also Mount several images at a time, MD5 hash verification, Auto-detects image format, Write-protection for preserving evidence and much more.
These all are the Computer forensics tools which helpful in several digital forensics branches like Database Forensics, Mobile Forensics, Network Forensics, Browser forensics and more. As a professional crime investigator you must follow the Digital Forensics investigation process.
I hope you found this guide helpful and helps to discover more using this Forensics Tools.