Computer Forensics Defined

“Computer Forensics deals with the preservation, identification, extraction and documentation of computer evidence.”*

“Computer forensics has also been described as the autopsy of a computer hard disk drive because specialized software tools and techniques are required to analyze the various levels at which computer data is stored after the fact.”*

Recovering information the naked eye can no longer see.


Computer Forensic Tool: Encase Forensic

EnCase Forensic is the industry standard in computer forensic investigation technology. With an intuitive GUI, superior analytics, enhanced email/Internet support and a powerful scripting engine, EnCase provides investigators with a single tool, capable of conducting large-scale and complex investigations from beginning to end. Law enforcement officers, government/corporate investigators and consultants around the world benefit from the power of EnCase Forensic in a way that far exceeds any other forensic solution.

-Acquire data in a forensically sound manner using software with an unparalleled record in courts worldwide.

-Investigate and analyze multiple platforms — Windows, Linux, AIX, OS X, Solaris and more — using a single tool.

-Save days, if not weeks, of analysis time by automating complex and routine tasks with prebuilt EnScript® modules, such as Initialized Case and Event Log analysis.

-Find information despite efforts to hide, cloak or delete.

-Easily manage large volumes of computer evidence, viewing all relevant files, including “deleted” files, file slack and unallocated space.

-Transfer evidence files directly to law enforcement or legal representatives as necessary.

-Review options allow non-investigators, such as attorneys, to review evidence with ease.

-Reporting options enable quick report preparation.


What is the role of the computer in forensics?

A computer can be the target of the crime, it can be the instrument of the crime, or it can serve as an evidence repository storing valuable information about the crime. In some cases, the computer can have multiple roles. It can be the “smoking gun” serving as the instrument of the crime. It can also serve as a file cabinet storing critical evidence. So when investigating a case, it is important to know what roles the computer played in the crime and then tailor the investigative process to that particular role.

In most cases, the computer forensics specialist will take several careful steps to identify and attempt to retrieve possible evidence that may exist on a subject computer system:

1. Protect the subject computer system during the forensic examination from any possible alteration, damage, data corruption, or virus introduction.

2. Discover all files on the subject system. This includes existing normal files, deleted yet remaining files, hidden files, password-protected files, and encrypted files.
3. Recover all (or as much as possible) of the discovered deleted files.
4. Reveal (to the extent possible) the contents of hidden files as well as temporary or swap files used by both the application programs and the operating system.
5. Access (if possible and if legally appropriate) the contents of protected or encrypted files.
6. Analyze all possibly relevant data found in special (and typically inaccessible) areas of a disk. This includes but is not limited to what is called unallocated space on a disk (currently unused, but possibly the repository of previous data that is relevant evidence), as well as slack space in a file (the remnant area at the end of a file, in the last assigned disk cluster, that is unused by current file data but once again may be a possible site for previously created and relevant evidence).

7. Print out an overall analysis of the subject computer system, as well as a listing of all possibly relevant files and discovered file data. Further, provide an opinion of the system layout; the file structures discovered; any discovered data and authorship information; any attempts to hide, delete, protect, or encrypt information; and anything else that has been discovered and appears to be relevant to the overall computer system examination.

8. Provide expert consultation and/or testimony as required.
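Steps 1 and 6 above are the ones an examiner can reason about concretely: prove the evidence was not altered during examination (hash before and after), and look in the places a normal file listing never shows (file slack and unallocated clusters). The following is an added example, not code from the original page or from any of the products it lists. It builds a small constructed disk image with a made-up directory table (contiguous allocation, 64-byte clusters, names such as `report.txt` and `DIRECTORY` are assumptions for illustration), then harvests printable strings from slack and unallocated space while confirming the image hash is unchanged.

```python
import hashlib
import re

CLUSTER = 64        # constructed: tiny cluster size so the image fits in memory
NUM_CLUSTERS = 8    # constructed image is 512 bytes total

# Constructed directory table: name -> (first cluster, logical length in bytes).
# Files occupy whole clusters contiguously from their first cluster onward.
DIRECTORY = {
    "report.txt": (0, 100),   # 2 clusters; 28 bytes of slack at the end of cluster 1
    "notes.txt": (3, 64),     # exactly 1 cluster; no slack
}


def build_image():
    """Return a constructed image with remnants in slack and unallocated space."""
    img = bytearray(CLUSTER * NUM_CLUSTERS)
    img[0:100] = b"A" * 100                      # live data of report.txt
    remnant = b"old draft: meet at pier 9!!!"     # leftover bytes in report.txt's slack
    img[100:100 + len(remnant)] = remnant
    img[3 * CLUSTER:4 * CLUSTER] = b"B" * 64     # live data of notes.txt
    deleted = b"DELETED: transfer 5000 to acct 77"  # remnant of a deleted file, cluster 5
    img[5 * CLUSTER:5 * CLUSTER + len(deleted)] = deleted
    return bytes(img)


def sha256(data):
    """Hash used to prove the evidence was not altered during examination."""
    return hashlib.sha256(data).hexdigest()


def clusters_of(first, length):
    """Clusters a file owns; a zero-length file still owns its first cluster."""
    n = max(1, -(-length // CLUSTER))  # ceiling division
    return list(range(first, first + n))


def slack_regions(directory):
    """Return {name: (offset, length)} for the unused tail of each file's last cluster."""
    regions = {}
    for name, (first, length) in directory.items():
        owned = clusters_of(first, length)
        used_in_last = length - (len(owned) - 1) * CLUSTER
        slack_len = CLUSTER - used_in_last
        if slack_len:
            regions[name] = (owned[-1] * CLUSTER + used_in_last, slack_len)
    return regions


def unallocated_clusters(directory):
    """Clusters not owned by any directory entry: candidates for deleted data."""
    allocated = set()
    for first, length in directory.values():
        allocated.update(clusters_of(first, length))
    return [c for c in range(NUM_CLUSTERS) if c not in allocated]


PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")  # runs of 6+ printable ASCII bytes


def strings_in(data):
    return [m.group().decode("ascii") for m in PRINTABLE.finditer(data)]


def examine(img, directory):
    """Hash the image, harvest strings from slack and unallocated space, re-hash."""
    before = sha256(img)
    findings = {"slack": {}, "unallocated": {}}
    for name, (off, ln) in slack_regions(directory).items():
        found = strings_in(img[off:off + ln])
        if found:
            findings["slack"][name] = found
    for c in unallocated_clusters(directory):
        found = strings_in(img[c * CLUSTER:(c + 1) * CLUSTER])
        if found:
            findings["unallocated"][c] = found
    after = sha256(img)
    findings["integrity_ok"] = before == after   # step 1: no alteration occurred
    findings["image_sha256"] = after
    return findings


if __name__ == "__main__":
    image = build_image()
    for key, value in examine(image, DIRECTORY).items():
        print(f"{key}: {value}")
```

Real file systems (FAT, NTFS, ext) need a proper allocation-table parser instead of the constructed `DIRECTORY`, and the hash should be recorded in the case notes before any tool touches the image; the structure of the check is the same.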


Computer Forensic Tool: MacLockpick

MacLockPick™ is a valuable tool for law enforcement professionals to perform live forensics on Mac OS X systems. The solution is based on a USB Flash drive that can be inserted into a suspect’s Mac OS X computer that is running (or sleeping). Once the software is run it will extract data from the Apple Keychain and system settings in order to provide the examiner fast access to the suspect’s critical information with as little interaction or trace as possible. It is also the only professional tool that can extract extensive encrypted information from a computer that is shut down.


Computer Forensic Tool: F-Response

F-Response: The First Truly Vendor Agnostic Solution for Remote Forensics and eDiscovery

In a legal case or an internal corporate investigation, how do you perform a complete physical data extraction from a running computer? How do you examine running Mac OS, Linux and Windows systems, three different operating systems, in the same way? How do you examine a running server? How do you examine any computer on the local area network? With the F-Response software, all of these are possible. F-Response uses a patent-pending process based on well documented industry standards to create a secure, read-only connection between the examiner’s computer and the computer under inspection.

F-Response can be used with any computer forensic tool. Any mistaken operation can alter the source data, but the F-Response connection is completely read-only, functioning much like a software write blocker, so the data stays safe.

F-Response is available under the following three different licensing options which are designed to appeal to independent examiners, consultancies, and corporations:

The F-Response Field Kit Edition is a value priced single user version of the F-Response patent-pending software suite. An F-Response Field Kit, when physically connected to the remote computer, will give you access to all the physical drives on that remote computer via the network. Best of all the Field Kit is licensed for one year and priced at less than one typical hour of consulting time!

The Consultant Edition of F-Response was built and designed around the needs of larger and geographically distant consulting teams. Using F-Response Consultant Edition you will be able to simultaneously access multiple computer physical storage devices with a single Consultant Edition software key. F-Response Consultant Edition is an excellent choice for First Responders and Incident Response teams

The Enterprise Edition of F-Response is the service based (Non GUI) version, which is uniquely designed for Managed Services consulting and internal corporate wide deployments. F-Response Enterprise Edition provides all the features of F-Response Consultant Edition, streamlined for large network deployment, with a scriptable installation and is designed to support either an internal corporate investigations team or a managed services appliance. Best of all, F-Response Enterprise is not licensed on a seat basis.  One license of F-Response Enterprise provides unlimited usage on an unlimited number of client installations for a full year.


Computer Forensic Tool: X-Ways Forensics

X-Ways Forensics: Integrated Computer Forensics Software

X-Ways Forensics is an advanced work environment for computer forensic examiners. It provides a powerful, integrated environment for evidence collection and analysis. It comprises all the general and specialist features known from WinHex, and adds more powerful functions:

It is essentially the forensic edition of WinHex, combining evidence collection and an analysis environment in one tool.

Disk cloning and imaging, even under DOS with X-Ways Replica (forensically sound)
Examining the complete directory structure inside raw (.dd) image files, even spanned over several segments
Native support for FAT, NTFS, Ext2/3/4, CDFS, UDF
Built-in interpretation of RAID 0 and RAID 5 systems and dynamic disks
Complete access to disks, RAIDs, and images more than 2 TB in size (more than 2^32 sectors)
Viewing and dumping physical RAM and the virtual memory of running processes
Various data recovery techniques and file carving
File header signature database, based on flexible GREP notation
Hard disk cleansing to produce forensically sterile media
Gathering slack space, free space, inter-partition space, and generic text from drives and images
File and directory catalog creation for all computer media
Easy detection of and access to NTFS alternate data streams (ADS), even where other programs fail
Mass hash calculation for files (CRC32, MD5, SHA-1, SHA-256, …)
Unlike a competing product, does not depend exclusively on MD5 (collisions in MD5)
Powerful physical and logical search capabilities for many search terms at the same time
Recursive view of all existing and deleted files in all subdirectories
Automatic coloring for the structure of FILE records in NTFS
Bookmarks/annotations
Bates-numbering files


Computer Forensic Tool: OnScene Investigator

OnScene Investigator – the unique data recovery solution for the Apple MacBook and MacBook Pro

OnScene Investigator acquires data over a crossover cable. It can be used directly to quickly search and/or image a computer. The transfer speed is 1.2 GB – 2 GB.

1. Viewing the contents of the internet cache in thumbnail view
2. Copying the suspect’s index.dat for review in X-Ways Trace or Digital Detective
3. Copying the suspect’s mail file for review in an email investigation software such as Paraben’s Email Examiner
4. Searching for keywords on a suspect computer before proceeding to imaging


Computer Forensic Tool: Final Forensics

FINAL Forensics — World Class Forensics Analysis & Data Recovery Solution

1. Strong keyword search function
2. Supports regular expression searches
3. Check a file’s contents quickly
4. Supports Unicode; can analyze and search multiple languages
5. Supports various file types, such as HTML, images and MS Office
6. Can recover and analyze various database types, such as Oracle, Microsoft SQL, Access, DB2, etc.
7. Unique file analysis technique that clearly classifies the large volume of data on the HDD, so you can quickly and correctly find the evidence you are concerned with. You need not spend energy memorizing how to use the software; spend your energy and wisdom on finding the clues instead.
