Forensics


Computer Forensics - many ways to examine data

Main goal: establishing facts about the prior use of a system, while avoiding any contamination of the evidence (never write to the original media; work on a verified copy)

Possible restrictions: physical access (acquisition can also be done with remote access software), and legal requirements that have to be respected (e.g. constitutional law, regulations, moral aspects)

See also the technical reasons why it can fail, at the end of this page.
 

Forensic tools to examine networks

netcat -  Network utility to read (and write!) data across TCP and UDP connections. The original 1.10 release is no longer maintained, but compatible rewrites exist (e.g. Ncat from the Nmap project, OpenBSD nc), so it is still useful to pipe an acquired image or memory dump to a collection host.

A Windows version of netcat can be downloaded also.

Socat -  A multipurpose (network) relay for bidirectional data transfer between two endpoints (sockets, files, pipes, SSL ...)

A Windows version of socat can be downloaded also.

TCPREPLAY - A set of tools e.g. to replay tcpdump/pcap files onto a network (Linux and Windows)

Not to forget Ethereal and its successor, Wireshark (the project was renamed in 2006)

These are based on libpcap/WinPcap, a library (with a kernel driver on Windows) to capture network data, see http://www.winpcap.org/ or your man page of pcap (Packet Capture library)
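The file format behind all of these tools (tcpdump, Ethereal/Wireshark, tcpreplay) is the libpcap ".pcap" container: a 24-byte global header followed by one 16-byte record header plus packet bytes per captured frame. The following parser is an added example written for this page, not code from the page author or from the libpcap/WinPcap projects. It detects the byte order from the magic value, distinguishes the microsecond and nanosecond variants, recognizes frames that were cut by the snaplen, and stops cleanly at a trailing record that was cut off mid-write (a capture interrupted by a crash or an unplugged drive). The sample capture at the bottom is constructed inline with struct.pack; the IP addresses and MAC addresses in it are made up.

```python
"""Minimal parser for the libpcap (.pcap) file format written by tcpdump,
Ethereal/Wireshark and WinPcap.  Added example, not code from the page or
from any of those projects; the capture it parses is constructed inline."""
import struct
from typing import Dict, List

MAGIC_USEC = 0xA1B2C3D4   # timestamps in microseconds
MAGIC_NSEC = 0xA1B23C4D   # timestamps in nanoseconds
GLOBAL_HDR_LEN = 24       # magic, version, thiszone, sigfigs, snaplen, linktype
RECORD_HDR_LEN = 16       # ts_sec, ts_frac, incl_len, orig_len
LINKTYPE_ETHERNET = 1


def parse_pcap(data: bytes) -> Dict:
    """Parse a whole pcap blob; tolerate a capture cut off mid-record."""
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("shorter than a pcap global header")
    # The magic is written in the capturing host's byte order; reading it both
    # ways tells us which order applies to every other field in the file.
    magic_le = struct.unpack_from("<I", data, 0)[0]
    magic_be = struct.unpack_from(">I", data, 0)[0]
    if magic_le in (MAGIC_USEC, MAGIC_NSEC):
        endian, magic = "<", magic_le
    elif magic_be in (MAGIC_USEC, MAGIC_NSEC):
        endian, magic = ">", magic_be
    else:
        raise ValueError("not a libpcap file (magic 0x%08x)" % magic_le)
    frac_divisor = 1_000_000_000 if magic == MAGIC_NSEC else 1_000_000
    vmaj, vmin, _zone, _sigfigs, snaplen, linktype = struct.unpack_from(
        endian + "HHiIII", data, 4)
    records: List[Dict] = []
    truncated = False
    off = GLOBAL_HDR_LEN
    while off < len(data):
        if off + RECORD_HDR_LEN > len(data):
            truncated = True            # partial record header at end of file
            break
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack_from(
            endian + "IIII", data, off)
        if incl_len > orig_len or incl_len > snaplen:
            raise ValueError("corrupt record header at offset %d" % off)
        off += RECORD_HDR_LEN
        if off + incl_len > len(data):
            truncated = True            # header complete, packet bytes missing
            break
        pkt = data[off:off + incl_len]
        off += incl_len
        rec = {"time": ts_sec + ts_frac / frac_divisor, "incl_len": incl_len,
               "orig_len": orig_len, "snapped": incl_len < orig_len}
        if linktype == LINKTYPE_ETHERNET and len(pkt) >= 14:
            rec["ethertype"] = struct.unpack_from("!H", pkt, 12)[0]
            if rec["ethertype"] == 0x0800 and len(pkt) >= 34:   # IPv4
                rec["src"] = ".".join(str(b) for b in pkt[26:30])
                rec["dst"] = ".".join(str(b) for b in pkt[30:34])
        records.append(rec)
    return {"version": (vmaj, vmin), "linktype": linktype, "snaplen": snaplen,
            "records": records, "truncated": truncated}


def _ipv4_frame(src: str, dst: str, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4 frame for the sample (no checksum, made-up MACs)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, 17, 0,
                     bytes(int(x) for x in src.split(".")),
                     bytes(int(x) for x in dst.split(".")))
    return eth + ip + payload


def build_sample_capture(endian: str = "<") -> bytes:
    """Constructed capture: two full frames, one frame cut by snaplen, and a
    final record whose header promises 40 bytes of which only 8 exist."""
    snaplen = 64
    out = struct.pack(endian + "IHHiIII", MAGIC_USEC, 2, 4, 0, 0, snaplen,
                      LINKTYPE_ETHERNET)
    frames = (_ipv4_frame("192.168.1.10", "10.0.0.1", b"hello"),
              _ipv4_frame("10.0.0.1", "192.168.1.10", b"reply"),
              _ipv4_frame("192.168.1.10", "10.0.0.2", b"X" * 100))
    for i, frame in enumerate(frames):
        incl = min(len(frame), snaplen)
        out += struct.pack(endian + "IIII", 1_000_000 + i, 250_000 * i,
                           incl, len(frame)) + frame[:incl]
    out += struct.pack(endian + "IIII", 1_000_003, 0, 40, 40) + b"\x00" * 8
    return out


if __name__ == "__main__":
    cap = parse_pcap(build_sample_capture())
    for r in cap["records"]:
        print("%.6f %s -> %s len=%d/%d%s" % (r["time"], r.get("src"), r.get("dst"),
              r["incl_len"], r["orig_len"], " (snapped)" if r["snapped"] else ""))
    print("truncated file:", cap["truncated"])
```

For an evidence file the `truncated` flag matters: a tool that silently drops the last record, or one that raises and shows nothing, both hide the fact that the capture ends exactly at a certain timestamp, which is itself a finding.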


Forensic tools to examine storage devices (e.g. harddisks)

Forensic acquisition utilities - a set of tools similar to the UNIX utilities (dd, md5sum, netcat ...), but for Windows

ProDiscover for Windows  - inspects at sector level, GUI based, commercial

EnCase Forensic - Windows based, commercial, widely used

Forensic Toolkit FTK - an integrated computer forensics solution, e.g. for analyzing an image, commercial

SMART from ASR Data - also bootable, Linux based, very sophisticated, commercial

TestDisk - free console based tool, really good also to recover JPGs from formatted flash memory, small and handy

WinDD  - saves a complete memory dump under Windows

X-Ways Forensics - commercial forensic tool, can also dump memory, see also WinHex ... a hex editor to examine storage devices/images

Paraben forensic tools - commercial handheld and hard disk forensics

RegRipper  - member of a set of tools, parses Windows Registry hive files offline (e.g. from a Live Linux CD) and saves the findings as a report

dcfldd - an enhanced dd for Linux, e.g. with hash creation while copying, progress output and split output files

Air Imager - Automated Image and Restore, GUI based Linux front end for dd/dcfldd

TCT, The Coroner's Toolkit - post-mortem analysis tools for UNIX based systems (grave-robber, lazarus, mactime, unrm), including a memory dumper

The Sleuth Kit - a library of tools to investigate volume and file system data

Enhanced loopback - loopback driver to "emulate" a hard disk, including its partition table, from an image file (Linux), so partitions can be mounted read-only

Professional equipment (expensive, but very effective and safe)

Forensic Talon - Harddisk duplication

CPR TOOLS Psiclone - also for harddisk duplication

Very useful: Helix 3 - a Linux based forensic software kit
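What dcfldd adds to plain dd, and why it matters for the "avoid data contamination" goal above, is easy to miss in a one-line description: the hash is computed over exactly the bytes written to the image, an unreadable block is zero-filled rather than dropped so that all later offsets stay correct, and the finished image can be verified against that hash before any analysis starts. The following Python imager is an added example written for this page; it is not dcfldd, not the page author's code, and the failing "device" it reads from is a constructed in-memory object with one unreadable block (a real run would open a device node such as /dev/sdb read-only behind a write blocker).

```python
"""Block-wise disk imaging with on-the-fly hashing and verification, the
way dcfldd (dd with hash creation) works.  Added example in Python, not the
page's own code and not dcfldd itself; the failing "device" is constructed."""
import hashlib
import io
from typing import BinaryIO, Dict, List


def image_device(src: BinaryIO, dst: BinaryIO, block_size: int = 4096,
                 hash_name: str = "sha256") -> Dict:
    """Copy src into dst block by block, hashing what is written.

    A read error is handled like dd's conv=noerror,sync: the unreadable block
    is replaced by zeros and logged, so every later block keeps its original
    offset in the image and the hash covers exactly what the image contains.
    The source is only ever read, never written."""
    digest = hashlib.new(hash_name)
    bad_blocks: List[int] = []
    block_no, copied = 0, 0
    while True:
        try:
            chunk = src.read(block_size)
        except OSError:
            bad_blocks.append(block_no)
            src.seek((block_no + 1) * block_size)   # skip the bad block
            chunk = b"\x00" * block_size
        if not chunk:
            break
        dst.write(chunk)
        digest.update(chunk)
        copied += len(chunk)
        block_no += 1
    dst.flush()
    return {"algorithm": hash_name, "hash": digest.hexdigest(),
            "bytes": copied, "bad_blocks": bad_blocks}


def hash_stream(stream: BinaryIO, hash_name: str = "sha256",
                block_size: int = 4096) -> str:
    """Hash a stream from its current position (used to verify the image)."""
    digest = hashlib.new(hash_name)
    for chunk in iter(lambda: stream.read(block_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


class FlakyDevice(io.BytesIO):
    """Constructed stand-in for a disk with one unreadable block."""

    def __init__(self, data: bytes, bad_block: int, block_size: int):
        super().__init__(data)
        self.bad_block, self.block_size = bad_block, block_size

    def read(self, size: int = -1) -> bytes:
        if self.tell() // self.block_size == self.bad_block:
            raise OSError(5, "Input/output error")   # what a dying disk returns
        return super().read(size)


def demo(block_size: int = 512) -> Dict:
    """Image a constructed 5120-byte device whose block 3 cannot be read."""
    data = bytes(range(256)) * 20                     # 5120 bytes of sample data
    device = FlakyDevice(data, bad_block=3, block_size=block_size)
    image = io.BytesIO()
    result = image_device(device, image, block_size=block_size)
    image.seek(0)
    result["verified"] = hash_stream(image) == result["hash"]
    # What the image must contain: the source with block 3 zero-filled.
    expected = (data[:3 * block_size] + b"\x00" * block_size
                + data[4 * block_size:])
    result["expected_hash"] = hashlib.sha256(expected).hexdigest()
    return result


if __name__ == "__main__":
    r = demo()
    print("%s %s  bytes=%d  bad blocks=%s  verified=%s" % (
        r["algorithm"], r["hash"], r["bytes"], r["bad_blocks"], r["verified"]))
```

The list of zero-filled blocks belongs in the acquisition notes next to the hash: without it, a later examiner cannot tell a genuinely empty sector from one the drive refused to read.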

Anti forensic tools

All kinds of wiping tools (for storage devices like hard disks)

Encryption (full disk or partial, e.g. a container, with PGP or TrueCrypt)

Steganography (hiding data in pictures or music files)

Some weaker tools, e.g. for deleting traces like the browser history, temp folders etc. (not really effective, the data usually stays recoverable)

ATA security (user and master) passwords set on the drive (but these can be erased with special equipment; the password is often stored in an EEPROM)

 


Copyright (c) 2005-2009 Peter Dassow. All rights reserved.

peter.dassow@NOSPAM.z80.eu