We often watch experts in movies using forensic tools for their investigations but what cyber forensic tools are used by experts? Well, here are top 7 cyber forensic tools preferred by specialists and investigators around the world.
“Torture the data and it will confess to anything” Ronald Coase.
Cyber forensic: As the title says, it is collecting evidence for investigation after an unwanted activity has occurred. Cyber/Computer Forensics is a department that comes under Digital Forensic Science for improving cybersecurity. In a 2002 book, Computer Forensics, authors Kruse and Heiser define computer forensics as involving “The preservation, identification, extraction, documentation, and interpretation of computer data”.
So what do the Forensic Investigators do?
They basically follow a certain standard procedure of investigation. First, they physically isolate the infected device from the network and make sure it’s been backed up and cannot be contaminated by the outer intrusion. Once they safeguard the device, it is kept aside for further procedures and the investigations are done in the cloned one.
To understand the facts about computer better we can assume that the computer is a reliable witness and it definitely cannot deceive. Until acted upon by any external character and the sole purpose of the Cyber/Computer forensic is to search, preserve and analyze the information obtained from the victim device and use it as evidence.
So what are the tools used by these professionals? Here’s a list of top 7 tools (referred by InfoSecInstitute) used with a brief description and key features.
1) SIFT- SANS Investigative Forensic Toolkit
SIFT has the ability to examine raw disks (i.e. the data in byte level secured directly from the hard disk drive or any other storage devices), multiple file systems and evidence formats. It is basically based on Ubuntu and is a Live CD including the tools one needs to conduct an in-depth forensic investigation or response investigation. The best thing about the SIFT toolkit is that it’s Free and Open Source.
SIFT can match any modern day incident-response and forensic tool suite which is also featured in SANS Advanced Incident Response course. So what sort of evidence formats does SIFT support? It supports anything ranging from Advanced Forensic Format (AFF) to RAW (dd) evidence formats and even more.
Key features of SIFT would be
- Ubuntu LTS 14.04 Base.
- 64-bit base system.
- Better memory utilization.
- Auto-DFIR package update and customizations.
- Latest forensic tools and techniques.
- VMware Appliance ready to tackle forensics.
- Cross compatibility between Linux and Windows.
- Option to install stand-alone via (.iso) or use via VMware Player/Workstation.
- Online Documentation Project at ReadTheDocs
- Expanded Filesystem Support.
2) ProDiscover Forensic
ProDiscover Forensic is that Computer/Cybersecurity tool which can enable the professionals to locate all the data from a particular computer storage disk and also simultaneously protects the evidence and creates the documentation report used for legal orders.
This tool has the ability to recover any deleted files from the victim system and examine the slack space. It can access Windows Alternate Data Streams and allows you to have a preview and search or capture the process (i.e. take a screenshot or any other means) of the Hardware Protected Area (HPA). ProDiscover Forensic uses its own technology to conduct this exercise.
Hardware Protection for the data in any system or organization is a very important thing and also equally tough for anyone to break through it. ProDiscover Forensic reads the disk at the sector level and hence you can say that no data can be hidden from this tool.
Key features of ProDiscover Forensic would be
- Create a Bit-Stream copy of the disk to be analyzed, including hidden HPA section (patent pending), to keep original evidence safe.
- Search files or an entire disk, including slack space, HPA section, and Windows NT/2000/XP Alternate Data Streams for complete disk forensic analysis.
- Preview all files, even if hidden or deleted, without altering data on disk, including file Metadata.
- Examine and cross-reference data at the file or cluster level to ensure nothing is hidden, even in slack space.
- Utilize Perl scripts to automate investigation tasks.
3) Volatility Framework
Volatility Framework is a framework which was exclusively released by Black Hat. It directly relates to the Advance Memory Analysis and Forensics. Advance Memory Analysis and Forensics are basically about analyzing the volatile memory in the victim system. Volatile memory or Volatile data is the data that changes frequently and can be lost when you restart any system. This data analysis can be done using Volatility Framework. This framework introduced the world to the power of monitoring runtime processes and state of any system using the data found in RAM (Volatile memory).
This framework also provides a unique platform that enables the Forensic research towards better efficiency which can be immediately taken up by Digital Investigators. This tool is used by the Law Enforcement of the country, the defense forces or any commercial investigators all over the world.
Key features of Volatility Framework would be
- A single, cohesive framework
- It’s Open Source GPLv2
- It’s written in Python
- Runs on Windows, Linux, or Mac
- Extensible and scriptable API
- Unparalleled feature sets
- Comprehensive coverage of file formats
- Fast and efficient algorithms
- Serious and powerful community
- Forensics/IR/malware focus
4) Sleuth Kit (+Autopsy)
The Sleuth Kit (+Autopsy) a command line interface is a mode of interacting with a computer program. Here the users/clients issue commands to the program successive lines of text known as commands in a programming language.
Similarly Sleuth Kit is a collection of such command line interfaces/tools. It allows the user to examine the disk images os the victim device and recover the damaged files. It is generally used in Autopsy along with many other Open Source or Commercial Forensic tools.
Autopsy® along with Sleuthkit is a GUI-based program. It allows the user to examine the hard drives and smartphones with better efficiency than other tools.
Autopsy feature list
- Multi-User Cases: Collaborate with fellow examiners on larger cases.
- Timeline Analysis: Displays system events in a graphical interface to help identify activity.
- Keyword Search: Text extraction and index searched modules enable you to find files that mention specific terms and find regular expression patterns.
- Web Artifacts: Extracts web activity from common browsers to help identify user activity.
- Registry Analysis Uses RegRipper to identify recently accessed documents and USB devices.
- LNK File Analysis: Identifies shortcuts and accessed documents
- Email Analysis: Parses MBOX format messages, such as Thunderbird.
- EXIF: Extracts geolocation and camera information from JPEG files.
- File Type Sorting: Group files by their type to find all images or documents.
- Media Playback: View videos and images in the application and not require an external viewer.
- Thumbnail Viewer: Displays thumbnail of images to help quick view pictures.
5) CAINE (Computer Aided Investigative Environment)
Caine is built upon a Linux environment. It is actually a live CD containing a number of forensic tools required for. Since the latest version of CAINE is built on the Ubuntu Linux LTS, MATE, and LightDM, anybody who is familiar with these need not put in extra effort to work on CAINE.
Key features of Caine include
- Caine Interface – a user-friendly interface that brings together some well-known forensic tools, many of which are open source.
- Updated and optimized environment to conduct a forensic analysis.
- Semi-automatic report generator.
Xplico is yet another Open Source Network Forensic analysis tool which can reconstruct the content of any acquisitions performed by packet sniffer such as Wireshark, ettercap etc. This tool can extract and reconstruct the content from anywhere.
Features of Xplico include
- Protocols supported: HTTP, SIP, IMAP, POP, SMTP, TCP, UDP, IPv4, IPv6.
- Port Independent Protocol Identification (PIPI) for each application protocol;
- Output data and information in SQLite database or Mysql database and/or files;
- At each data reassembled by Xplico is associated with an XML file that uniquely identifies the flows and the pcap containing the data reassembled;
- No size limit on data entry or the number of files entrance (the only limit is HD size);
- Modularity. Each Xplico component is modular.
Xplico is installed by default in some of the digital forensics and penetration testing Operating Systems Kali Linux, BackTrack and even more.
7) X-Ways Forensics
X-Ways Forensics is the advanced work environment used extensively by Forensic Examiners. One of the problems faced by the professional while using any Forensic toolkit is that they are resource-hungry, slow, incapable of reaching all nook and corners. Whereas X-Ways Forensics is not resource-hungry, faster, finds all the deleted files and comes with additional features. This forensic tool is user-friendly and fully-portable and can be carried on a USB stick. It doesn’t require any extra installation on Windows systems.
- Key features of X-ray forensic include
- Disk cloning and imaging
- Ability to read partitioning and file system structures inside raw (.dd) image files, ISO, VHD and VMDK images
- Complete access to disks, RAIDs, and images more than 2 TB in size
- Automatic identification of lost/deleted partitions
- Viewing and editing binary data structures using templates
- Recursive view of all existing and deleted files in all subdirectories