Chapter 06 Homework Digital Forensics Hardware Tools Emphasize The Fact

Type: Homework Help
Pages: 9
Words: 2887
Authors: Amelia Phillips, Bill Nelson, Christopher Steuart

Guide to Computer Forensics and Investigations, Fifth Edition 6-1
Chapter 6
Current Digital Forensics Tools
At a Glance
Instructor’s Manual Table of Contents
Overview
Objectives
Teaching Tips
Quick Quizzes
Lecture Notes
Overview
Chapter 6 explains how to evaluate needs for digital forensics tools. Students will first
review several available digital forensics tools. Chapter 6 also lists some considerations
for digital forensics hardware tools. Finally, students will learn various methods for
validating and testing these tools.
Chapter Objectives
Explain how to evaluate needs for digital forensics tools
Describe available digital forensics software tools
List some considerations for digital forensics hardware tools
Describe methods for validating and testing digital forensics tools
Teaching Tips
Evaluating Digital Forensics Tool Needs
1. Explain that you should look for software that is versatile, flexible, and robust. Suggest
2. Present to your class a list of some characteristics they should consider when buying
forensic software. The list should include:
a. OS support
b. Versatility
c. Supported file systems
Teaching Tip
Mention that you should read as much information as you can about the product
and look out for comparison with similar tools.
Types of Digital Forensics Tools
1. Illustrate the two major categories of forensic tools:
a. Hardware
i. Single-purpose components
Tasks Performed by Digital Forensics Tools
1. Point out that when testing new tools, following guidelines set up by NIST’s Computer
2. Explain that digital forensics tool functions are divided into the following five major
categories:
a. Acquisition
b. Validation and verification
3. Define acquisition as the task of making a copy of the original drive.
4. Describe the acquisition subfunctions, including:
a. Physical data copy
5. Explain that there are two types of data-copying methods used in software
6. Explain that the formats for disk acquisitions vary from raw data to vendor-specific
7. Mention that creating smaller segmented files is a typical feature in vendor acquisition
8. Define validation as ensuring the integrity of data being copied. Verification involves
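The acquisition and validation steps above (physical copy, segmented output files, and hashing the copy so it can later be verified against the original), as an added example that is not code from the textbook or its instructor's manual. It copies a constructed in-memory "drive" into numbered raw segments in a temporary directory, records a SHA-256 per segment plus one for the whole stream, and then shows that verification fails after a single byte of one segment is altered. The file naming (evidence.dd.001, ...) and segment size are assumptions chosen for the demo.

```python
# Added example (not from the textbook): segmented raw acquisition with
# validation hashes, written to a temporary directory.
import hashlib
import os
import tempfile

# Constructed stand-in for a small source drive: 1 MiB of deterministic bytes.
SAMPLE_DRIVE = bytes((i * 7 + 13) % 256 for i in range(1024 * 1024))


def acquire_segmented(source: bytes, dest_dir: str, base: str, segment_size: int) -> dict:
    """Copy `source` into numbered raw segments (base.001, base.002, ...)
    and return an acquisition record: per-segment SHA-256 values plus the
    SHA-256 of the whole source, computed from the same bytes that are written."""
    whole = hashlib.sha256()
    segments = []
    for n, offset in enumerate(range(0, len(source), segment_size), start=1):
        chunk = source[offset:offset + segment_size]
        whole.update(chunk)
        path = os.path.join(dest_dir, f"{base}.{n:03d}")  # assumed naming scheme
        with open(path, "wb") as fh:
            fh.write(chunk)
        segments.append({"path": path, "size": len(chunk),
                         "sha256": hashlib.sha256(chunk).hexdigest()})
    return {"segments": segments, "sha256": whole.hexdigest(), "size": len(source)}


def verify_image(record: dict) -> bool:
    """Re-read every segment, check each segment hash, then check that the
    reassembled stream still hashes to the value recorded at acquisition time."""
    whole = hashlib.sha256()
    total = 0
    for seg in record["segments"]:
        with open(seg["path"], "rb") as fh:
            data = fh.read()
        if hashlib.sha256(data).hexdigest() != seg["sha256"]:
            return False
        whole.update(data)
        total += len(data)
    return total == record["size"] and whole.hexdigest() == record["sha256"]


def demo() -> dict:
    """Acquire the sample drive, verify it, then flip one byte in the last
    segment and confirm that verification now fails."""
    with tempfile.TemporaryDirectory() as tmp:
        record = acquire_segmented(SAMPLE_DRIVE, tmp, "evidence.dd", 256 * 1024)
        clean = verify_image(record)
        last = record["segments"][-1]["path"]
        with open(last, "r+b") as fh:
            first = fh.read(1)
            fh.seek(0)
            fh.write(bytes([first[0] ^ 0xFF]))
        tampered = verify_image(record)
    return {
        "segments": len(record["segments"]),
        "clean": clean,
        "tampered": tampered,
        "matches_source": record["sha256"] == hashlib.sha256(SAMPLE_DRIVE).hexdigest(),
    }


if __name__ == "__main__":
    print(demo())
```

The whole-image hash is computed while the data is being read, not by re-hashing the output afterwards, so a write error that silently truncates a segment is caught at verification time rather than hidden by hashing the already-damaged copy.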
9. Illustrate the major subfunctions for data validation and verification, including:
10. Mention that National Software Reference Library (NSRL) has compiled a list of
11. Explain that many digital forensics programs include a list of common header values.
12. Mention that most forensics tools can identify header values.
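Header-value identification as described in items 11 and 12, as an added example that is not from the textbook. It keeps a small signature table (a subset; real tools carry thousands of entries), reads each file's leading bytes, and reports files whose extension disagrees with what the header says, which is how a renamed JPEG or an executable disguised as a PDF is caught. The sample files are constructed header stubs, not real files.

```python
# Added example (not from the textbook): identify file type from header
# (magic) bytes and flag files whose extension does not match the header.

# Hand-picked subset of well-known signatures: (magic bytes, offset, type).
SIGNATURES = [
    (b"\xFF\xD8\xFF", 0, "jpeg"),
    (b"\x89PNG\r\n\x1a\n", 0, "png"),
    (b"GIF87a", 0, "gif"),
    (b"GIF89a", 0, "gif"),
    (b"%PDF-", 0, "pdf"),
    (b"PK\x03\x04", 0, "zip"),   # also the container for docx/xlsx/pptx/jar
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", 0, "ole2"),  # legacy .doc/.xls, Outlook .msg
    (b"MZ", 0, "exe"),           # PE executables and DLLs
    (b"!BDN", 0, "pst"),         # Outlook PST/OST
    (b"RIFF", 0, "riff"),        # wav/avi container
]

# Which header type a given extension is expected to carry.
EXT_TO_TYPE = {
    "jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif", "pdf": "pdf",
    "zip": "zip", "docx": "zip", "xlsx": "zip", "pptx": "zip", "jar": "zip",
    "doc": "ole2", "xls": "ole2", "msg": "ole2", "exe": "exe", "dll": "exe",
    "pst": "pst", "ost": "pst", "wav": "riff", "avi": "riff",
}


def identify_by_header(data: bytes) -> str:
    """Return the type implied by the leading bytes, or 'unknown'."""
    for magic, offset, kind in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return kind
    return "unknown"


def find_mismatches(files: dict) -> list:
    """Return (name, type implied by extension, type found in header) for every
    file where the two disagree. A file whose extension has no known type but
    whose header does (a JPEG renamed to .txt) is reported as well."""
    out = []
    for name, data in files.items():
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        expected = EXT_TO_TYPE.get(ext, "unknown")
        actual = identify_by_header(data)
        if actual != expected:
            out.append((name, expected, actual))
    return out


# Constructed sample set: header stubs padded with zeros, not real files.
SAMPLE_FILES = {
    "vacation.jpg": b"\xFF\xD8\xFF\xE0" + b"\x00" * 60,
    "notes.txt": b"\xFF\xD8\xFF\xE1" + b"\x00" * 60,      # JPEG hidden as .txt
    "report.docx": b"PK\x03\x04" + b"\x00" * 60,
    "setup.pdf": b"MZ\x90\x00" + b"\x00" * 60,             # executable renamed .pdf
    "readme": b"plain text\n",                             # no extension, no signature
}


if __name__ == "__main__":
    for name, expected, actual in find_mismatches(SAMPLE_FILES):
        print(f"{name}: extension says {expected}, header says {actual}")
```

Two caveats a practitioner should keep in mind: a ZIP signature only says "container", so docx and a plain archive look the same at this level and need the inner structure to tell apart; and a file with no extension and no known signature ("readme" above) is not flagged by this rule, so it still needs to be looked at by other means.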
13. Explain that extraction represents the recovery task in a digital investigation. It is the
14. Describe the subfunctions of the extraction phase, including:
a. Data viewing
b. Keyword searching
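Keyword searching over a raw image (subfunction b above), as an added example that is not the textbook's code. The point it adds is the encoding caveat: Windows stores a great deal of text (registry values, NTFS file names, Office metadata) as UTF-16LE, so a search that only looks for the ASCII byte sequence misses those hits. The sample image is constructed inline; the keyword is an assumption for the demo.

```python
# Added example (not from the textbook): case-insensitive keyword search over
# raw image bytes in both UTF-8/ASCII and UTF-16LE encodings.

# Constructed sample image: an ASCII fragment, a UTF-16LE fragment, and a
# hostname that contains the words without a space.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"Meeting with Acme Corp at noon\n"
    + b"\xff" * 8
    + "Invoice from ACME corp".encode("utf-16-le")
    + b"\x00" * 4
    + b"acmecorp.local\n"
)


def keyword_search(image: bytes, keyword: str) -> list:
    """Return (offset, encoding) for every case-insensitive hit of `keyword`.

    bytes.lower() folds only ASCII letters, which is exactly what is wanted
    here: it lowercases "A" in the ASCII region and the "A\\x00" code unit in
    the UTF-16LE region without touching other bytes. Non-ASCII keywords are
    therefore matched case-sensitively, a limitation real tools handle with
    Unicode-aware search."""
    haystack = image.lower()
    hits = []
    for label, enc in (("utf-8", "utf-8"), ("utf-16le", "utf-16-le")):
        needle = keyword.lower().encode(enc)
        pos = haystack.find(needle)
        while pos != -1:
            hits.append((pos, label))
            pos = haystack.find(needle, pos + 1)
    return sorted(hits)


def context(image: bytes, offset: int, width: int = 16) -> str:
    """Printable view of the bytes around a hit, for the examiner's notes."""
    start = max(0, offset - width)
    chunk = image[start:offset + width]
    return "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)


if __name__ == "__main__":
    for off, enc in keyword_search(SAMPLE_IMAGE, "acme corp"):
        print(f"0x{off:08x} [{enc}] {context(SAMPLE_IMAGE, off)}")
```

The ASCII-only pass finds "Acme Corp" at offset 29 but not "ACME corp" at offset 81, which is only visible to the UTF-16LE pass; "acmecorp.local" is not a hit for "acme corp" at all, which is why examiners typically search several spellings and variants of a term.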
15. Explain that from an investigation perspective, encrypted files and systems are a
problem. Many password recovery tools have a feature for generating potential
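Candidate-list generation for a dictionary attack, as described in item 15 and in Quick Quiz 1 question 4, as an added example that is not the textbook's code. It takes a short base wordlist, applies the mangling rules most password tools offer (case variants, a leetspeak substitution, common suffixes), and tries each candidate against a salted PBKDF2-SHA256 hash. The wordlist, suffix list, salt and target password are all constructed for the demo; the iteration count is kept low so the example runs quickly.

```python
# Added example (not from the textbook): build a candidate password list by
# mangling a base wordlist, then test candidates against a salted hash.
import hashlib
import itertools

# Constructed base wordlist; a real one would be a large file, often seeded
# with words pulled from the suspect's own drive.
WORDLIST = ["password", "summer", "dragon", "acme", "welcome"]
SUFFIXES = ["", "1", "123", "!", "2023", "2024"]
LEET = str.maketrans({"a": "@", "e": "3", "o": "0", "s": "$"})


def candidates(words):
    """Yield unique candidates: lower/Capitalized/UPPER/leet forms of each
    word, each combined with every suffix."""
    seen = set()
    for w in words:
        bases = {w.lower(), w.capitalize(), w.upper(), w.lower().translate(LEET)}
        for base, suffix in itertools.product(sorted(bases), SUFFIXES):
            c = base + suffix
            if c not in seen:
                seen.add(c)
                yield c


def pbkdf2(password: str, salt: bytes, iterations: int = 1000) -> str:
    """Hash a password the way an application database might store it.
    Real deployments use far more iterations, which is exactly what makes
    each guess expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


# Constructed target: the hash of "Summer2023" under a fixed salt.
# Not a real credential; it exists so the example can run offline.
SALT = b"forensics-demo-salt"
TARGET = pbkdf2("Summer2023", SALT)


def dictionary_attack(target: str, salt: bytes, words=WORDLIST):
    """Return (recovered password or None, number of candidates tried)."""
    tried = 0
    for c in candidates(words):
        tried += 1
        if pbkdf2(c, salt) == target:
            return c, tried
    return None, tried


if __name__ == "__main__":
    print(dictionary_attack(TARGET, SALT))
```

Five base words become 120 candidates after mangling, which is why a modest wordlist plus rules recovers far more passwords than the raw list, and why a password that is not a mangled dictionary word (the second assertion below) forces the examiner to fall back to a true brute-force attempt.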
17. Explain to your students several techniques you can use to re-create a suspect’s disk
drive. You should include:
a. Disk-to-disk copy
18. Explain that to complete a forensics disk analysis and examination, you need to create a
report.
20. Mention that newer forensics tools can produce electronic reports in a variety of
formats. Discuss the subfunctions of the reporting function, including:
a. Bookmarking or tagging
Tool Comparisons
1. Use Table 6-1 to compare various forensics tools functions.
Other Considerations for Tools
2. Mention the need to keep a library with older versions of your tools as a backward
Quick Quiz 1
1. ____, the first task in digital forensics investigations, involves making a copy of the
original drive.
2. Verification proves that two sets of data are identical by calculating _____ or using
another similar method.
3. The ____ function is the recovery task in a computing investigation and is the most
demanding of all tasks to master.
4. Many password recovery tools have a feature for generating potential password lists for
a(n) ____ attack.
5. The purpose of having a(n) ____ function in a forensics tool is to re-create a suspect
drive to show what happened during a crime or an incident.
Digital Forensics Software Tools
1. The following sections explore some options for command-line and GUI tools in both
Windows and UNIX/Linux.
Command-Line Forensics Tools
1. Mention that the first tools that analyzed and extracted data from floppy disks and hard
2. Explain that one advantage of command-line tools is that they require few system
resources because they’re designed to run in minimal configurations.
Linux Forensic Tools
1. Mention that UNIX has been mostly replaced by Linux and it is gaining popularity due
2. Explain that SMART was designed to be installed on numerous Linux versions. You
3. Mention that another useful option in SMART is its hex viewer.
4. Explain that Helix is one of the easiest suites to begin with. You can run it on a live
Windows system, or boot it as a Linux live OS from a cold boot.
5. Mention that Kali Linux was formerly known as BackTrack. Explain that it includes a
6. Explain that Sleuth Kit is a Linux forensics tool, and Autopsy is the GUI/browser
Other GUI Forensic Tools
2. Describe the advantages of using GUI forensic tools, including:
3. Describe the disadvantages of using GUI forensic tools, including:
a. Excessive resource requirements
Teaching Tip
GUI forensic tools are no different from other GUI tools when compared with
their equivalent command-line utilities.
Digital Forensics Hardware Tools
1. Emphasize the fact that hardware will eventually fail, so you need to carefully plan for
Forensic Workstations
1. Start by describing the types of workstations you can find, including:
2. Mention that you need to balance what you need and what your system can handle.
3. Explain the differences in planning the hardware for a digital forensics lab for a police
4. Mention that building your own workstation is not as difficult as it sounds.
5. Describe the advantages of building your own forensic workstation, including:
6. Describe the disadvantages of building your own forensic workstation, including:
7. Explain that you can buy a forensic workstation from a vendor as an alternative, such as
8. Mention that you can always mix and match components to get the capabilities you
Using a Write-Blocker
1. Explain that a write-blocker prevents any writes to an evidence drive while still allowing
it to be read, so the original is not altered during acquisition or examination.
2. Explain that software write-blockers are OS dependent. Hardware options are ideal for
3. Mention that when you use a write-blocker, you can navigate to the blocked drive with
4. Describe some of the connecting technologies used by write-blockers, including:
a. FireWire
Recommendations for a Forensic Workstation
2. Describe some of the recommendations for a forensic workstation, including:
a. Data acquisition interfaces such as USB 3.0 and FireWire
b. Expansion devices requirements
c. As much memory and processing power as budget allows
d. Power supply with battery backup
3. Mention that if you have a limited budget, one option for outfitting your lab is to use
Validating and Testing Forensic Software
Using National Institute of Standards and Technology (NIST) Tools
1. Mention that the NIST’s CFTT project manages research on digital forensics tools.
2. Explain that NIST has created criteria for testing digital forensics tools based on
3. Mention that your lab must meet the following criteria and keep accurate records so
that when new software and hardware become available, testing standards are in place
for your lab:
a. Establish categories for digital forensics tools
b. Identify digital forensics category requirements
4. Explain that the National Software Reference Library (NSRL) project collects all
5. RDS can be used to filter known information. You can also use the RDS to locate and
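Known-file filtering with an NSRL-style Reference Data Set, covering both the NSRL mention under validation and verification (item 10 there) and items 4 and 5 here, as an added example that is not the textbook's code. The CSV layout follows the column header of the legacy NSRLFile.txt distribution ("SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"); the rows themselves are generated from constructed sample files so the example runs offline, and the ProductCode/OpSystemCode values are placeholders, not real NSRL entries. In a real lab the RDS is downloaded from NIST and loaded the same way.

```python
# Added example (not from the textbook): load an RDS-style hash set and split
# evidence files into "known" (ignorable) and "unknown" (needs review).
import csv
import hashlib
import io
import zlib

RDS_HEADER = ["SHA-1", "MD5", "CRC32", "FileName", "FileSize",
              "ProductCode", "OpSystemCode", "SpecialCode"]


def build_sample_rds(known: dict) -> str:
    """Produce RDS-style CSV text for the given {name: bytes} files.
    Only here so the example is self-contained; the real RDS comes from NIST."""
    buf = io.StringIO()
    w = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    w.writerow(RDS_HEADER)
    for name, data in known.items():
        w.writerow([hashlib.sha1(data).hexdigest().upper(),
                    hashlib.md5(data).hexdigest().upper(),
                    f"{zlib.crc32(data):08X}", name, len(data),
                    "1", "189", ""])   # placeholder product/OS codes
    return buf.getvalue()


def load_rds_sha1(text: str) -> set:
    """Read the SHA-1 column into a set of lowercase hex strings."""
    return {row["SHA-1"].lower() for row in csv.DictReader(io.StringIO(text))}


def filter_known(evidence: dict, known_sha1: set):
    """Return (known, unknown) lists of evidence file names, matching on
    content hash only: path and file name play no part."""
    known, unknown = [], []
    for name, data in evidence.items():
        digest = hashlib.sha1(data).hexdigest()
        (known if digest in known_sha1 else unknown).append(name)
    return known, unknown


# Constructed sample content standing in for OS binaries and user files.
NOTEPAD = b"MZ" + bytes(range(256)) * 4
KERNEL32 = b"MZ" + bytes(reversed(range(256))) * 4
PATCHED = bytearray(NOTEPAD)
PATCHED[100] ^= 0x01          # one-byte change: no longer a known file

KNOWN_FILES = {"notepad.exe": NOTEPAD, "kernel32.dll": KERNEL32}
SAMPLE_RDS = build_sample_rds(KNOWN_FILES)

EVIDENCE = {
    "Windows/System32/notepad.exe": NOTEPAD,
    "Users/bob/Documents/plan.docx": b"PK\x03\x04" + b"user data" * 8,
    "Users/bob/Downloads/np_backup.exe": NOTEPAD,       # renamed copy, still known
    "Users/bob/Downloads/notepad_patched.exe": bytes(PATCHED),
}


if __name__ == "__main__":
    known, unknown = filter_known(EVIDENCE, load_rds_sha1(SAMPLE_RDS))
    print("known  :", known)
    print("unknown:", unknown)
```

The renamed copy is still filtered out because matching is by hash, and the patched binary surfaces as unknown even though its name suggests a standard OS file; that second case is the one a malware investigation cares about, so an examiner reviews the unknown list rather than trusting file names.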
Using Validation Protocols
1. Explain the importance of verifying your results. For that, you must use at least two
2. Explain that one way to compare results and verify a new tool is by using a disk editor,
3. Describe the steps involved in the digital forensics examination protocol, including:
a. Conduct the investigation with a GUI tool
4. Describe the steps involved in the digital forensics tool upgrade protocol, including:
a. Test new releases, OS patches, and upgrades
Quick Quiz 2
1. The first tools that analyzed and extracted data from floppy disks and hard disks were
____ tools for IBM PC file systems.
2. A useful option in SMART is the _____, which color-codes hex values to make it easier
to see where a file begins and ends.
3. A forensic workstation that is usually a laptop computer built into a carrying case with a
small selection of peripheral options is known as a _____ workstation.
4. ____ are used to protect evidence disks by preventing you from writing data to them.
5. NIST created the ____ project with the goal of collecting all known hash values for
commercial software and OS files.
Class Discussion Topics
1. Ask students to compare write-blockers, both hardware- and software-based. Discuss
2. Ask students to discuss the advantages and disadvantages of using ISO standards for
testing and validation purposes. The discussion should be oriented but not limited to
Additional Projects
1. Ask students to analyze the content of a Microsoft Outlook PST file. Can they read its
contents?
Additional Resources
1. Brute force attack:
2. The Sleuth Kit & Autopsy:
3. Kali Linux:
4. Hash algorithms Web sites:
Key Terms
acquisition The process of creating a duplicate image of data; one of the five
required functions of digital forensics tools.
extraction The process of pulling relevant data from an image and recovering or
reconstructing data fragments; one of the five required functions of digital forensics
tools.
keyword search A method of finding files or other information by entering relevant
characters, words, or phrases in a search tool.
National Software Reference Library (NSRL) A NIST project with the goal of
collecting all known hash values for commercial software and OS files.
password dictionary attack An attack that uses a collection of words or phrases
