First published September 2004
by Jamie Morris, Forensic Focus
In common with many other professions, the field of computer forensic investigation makes use of tools to allow practitioners to carry out their tasks effectively and efficiently. This article describes some of the most commonly used software “tools” and explains how and why they are used.
Although most real world tools are designed to carry out a specific task (the hammer to hammer nails, the screwdriver to turn a screw, etc.) some tools are designed to be multi-functional. Similarly some computer forensic tools are designed with only one purpose in mind whereas others may offer a whole range of functionality. The unique nature of every investigation will determine which tool from the investigator’s toolkit is the most appropriate for the task in hand.
As well as differing in functionality and complexity, computer forensic tools also differ in cost. Some of the market-leading commercial products cost thousands of dollars while other tools are completely free. Again, the nature of the forensic examination and the goal of the investigation will determine the most appropriate tools to be used.
Before examining the tools themselves, a short discussion of some key concepts of computer forensic examination may be beneficial for readers new to this field:
In general, a computer forensic investigator will use a tool in order to gather data from a system (e.g. a computer or computer network) without altering the data on that system. This aspect of an investigation, the care taken to avoid altering the original data, is a fundamental principle of computer forensic examination and some of the tools available include functionality specifically designed to uphold this principle. In reality it is not always easy to gather data without altering the system in some way (even the act of shutting a computer down in order to transport it will most likely cause changes to the data on that system) but an experienced investigator will always strive to protect the integrity of the original data whenever possible. In order to do this, many computer forensic examinations involve the making of an exact copy of all the data on a disk. This copy is called an image and the process of making an image is often referred to as imaging. It is this image which is usually the subject of subsequent examination.
Another key concept is that deleted data, or parts thereof, may be recoverable. Generally speaking, when data is deleted it is not physically wiped from the system but rather only a reference to the location of the data (on a hard disk or other medium) is removed. Thus the data may still be present but the operating system of the computer no longer “knows” about it. By imaging and examining all of the data on a disk, rather than just the parts known to the operating system, it may be possible to recover data which has been accidentally or purposefully deleted.
EnCase, from Guidance Software, is a fully-featured commercial software package which enables an investigator to image and examine data from hard disks, removable media (such as floppy disks and CDs) and even Palm PDAs (Personal Digital Assistants). Many law enforcement groups throughout the world use EnCase and this can be an important factor for forensic investigators to consider where there is a possibility that an investigation may be handed over to the police or used in a court of law.
An investigation carried out with EnCase begins by using the software to create an image of the medium in question (e.g. hard disk, floppy disk, CD, PDA). This image, called an Evidence File in EnCase terminology, can be analysed in a variety of ways using the EnCase program, common examples of which might include searching the data for keywords, viewing picture files or examining deleted files.
EnCase is one of the more expensive commercial tools although a discount is available to the law enforcement community. The price does however reflect the broad range of functionality within the package, a good example of which is the eScript scripting language. This simple language allows forensic examiners to write small programs, or scripts, which can perform highly customized searching and filtering of the data which has been imaged.
Vogon Forensic Software
Vogon International offers a range of commercial computer forensic software with a product line-up divided into imaging, processing and investigation software. The imaging software is used to create an exact replica of the data on a drive which can then be indexed by the processing software to allow fast searching by the investigation component.
In broad terms Vogon’s offering provides similar functionality to that of EnCase by simplifying the process of data imaging and searching for the examiner.
SafeBack is another commercial computer forensics program commonly used by law enforcement agencies throughout the world. SafeBack is used primarily for imaging the hard disks of Intel-based computer systems and restoring these images to other hard disks. It is a DOS based program which can be run from a floppy disk and is intended only for imaging, i.e. it does not include the analysis capabilities of EnCase or Vogon’s forensic software.
The origins of computer forensic analysis lie not with the Windows operating systems which have achieved such popularity today but with UNIX, an operating system with its roots in the early 1970s. The developers of UNIX preferred to create a fairly large number of small programs which could be used together to perform more complex tasks rather than one program which could do everything and it is from these small programs that the sophisticated commercial computer forensic packages available today have grown. The small programs are still found in modern versions of the UNIX operating system and many are also available for Windows.
Imaging a computer’s hard disk can be a lengthy process but it need not be expensive. dd (short for data dumper) is a freely available utility for UNIX systems which can make exact copies of disks suitable for forensic analysis. It is a command line tool, meaning that the dd program is run by typing a command rather than double-clicking an icon, and requires a sound knowledge of the command syntax to be used properly. Modified versions of dd intended specifically for use as a forensic utility are also available.
Once an image has been made, how do we know that it was made correctly? How can we be sure that the copy is exactly the same as the original? The answer lies with an algorithm called MD5. This algorithm produces a large number called a “message digest”, or “hash”, whose exact value is determined by the data found on the disk (MD5 can also be used to create message digests for individual files). Crucially, were the disk contents to be altered in any way, through deleting or changing a file for example, running the MD5 algorithm again would result in a radically different message digest. This is true regardless of the extent of the alterations made; even a change to one bit of information on a large drive packed with data would result in a new message digest. md5sum is a freely available utility for creating MD5 message digests which, by comparing the message digests of original disks and copies thereof, can be used in computer forensic examinations to ensure that an image is an exact replica of the original.
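The imaging and verification steps just described, as an added example that is not from the article: a constructed 32 KiB file stands in for the drive, dd copies it sector by sector, and md5sum digests of source and image are compared (the hypothetical helper names are this example's own).

```shell
#!/bin/sh
# Added example: image a "drive" with dd, then prove the copy is exact by
# comparing md5sum digests of source and image. A constructed sample file
# stands in for the drive so that this runs without any hardware.
set -e

hash_of() {
    # md5sum prints "digest  filename"; keep only the digest.
    md5sum "$1" | cut -d' ' -f1
}

make_image() {
    # Sector-sized blocks (512 bytes) copy the source byte for byte, so the
    # image has exactly the same length and content as the original.
    dd if="$1" of="$2" bs=512 2>/dev/null
}

verify_image() {
    # Succeeds (exit 0) only when source and image have identical digests.
    src_hash=$(hash_of "$1")
    img_hash=$(hash_of "$2")
    printf 'source %s\nimage  %s\n' "$src_hash" "$img_hash"
    [ "$src_hash" = "$img_hash" ]
}

build_sample_drive() {
    # Constructed sample: 64 sectors, each a short text padded to 512 bytes.
    i=1
    while [ "$i" -le 64 ]; do
        printf '%-512s' "sector $i: evidence text"
        i=$((i + 1))
    done > "$1"
}

demo() {
    work=$(mktemp -d)
    build_sample_drive "$work/drive.raw"
    make_image "$work/drive.raw" "$work/drive.dd"
    verify_image "$work/drive.raw" "$work/drive.dd"     # digests match

    # Overwrite a single byte of the image (offset 1000) without truncating
    # it: the digest of the altered copy no longer matches the original.
    printf 'X' | dd of="$work/drive.dd" bs=1 seek=1000 conv=notrunc 2>/dev/null
    if verify_image "$work/drive.raw" "$work/drive.dd"; then
        echo 'unexpected: altered image still verifies'
        rm -rf "$work"; return 1
    fi
    rm -rf "$work"
    echo 'altered image correctly rejected'
}

demo
```

Today an examiner would record a SHA-256 digest alongside (or instead of) the MD5 value, since MD5 collisions have since been demonstrated; swapping md5sum for sha256sum in hash_of is the only change needed.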
The grep program allows files to be searched for a particular sequence of characters: the word “meeting” or the phrase “the meeting is at 4” for example. The real power of grep, however, lies in its ability to utilize metacharacters. Metacharacters are certain characters which have a special meaning to the grep program and allow great flexibility while searching. For example the metacharacter “.” (i.e. a full stop, without the quotation marks) means “any character” to grep, thus searching for “ca.” might result in matches for “can”, “cat”, “cab” and so on if these sequences of characters were present in the file being searched.
Grep has for a long time been one of the most useful tools for forensic investigators and as well as being a standard program on UNIX systems is also included as part of EnCase.
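The keyword and metacharacter searches above run against a raw image, as an added example that is not from the article. The image is a constructed file whose zero-filled block mimics unallocated space between a live file and the remnant of a deleted one; the helper names are this example's own.

```shell
#!/bin/sh
# Added example: keyword and pattern searches across a raw disk image with
# grep. A constructed file stands in for an image such as drive.dd.
set -e

find_in_image() {
    # -a: treat the binary image as text   -b: print the byte offset of each hit
    # -o: print only the matched text      -i: ignore case
    # -E: extended regular expressions, so metacharacters like . and | work.
    # grep exits 1 when nothing matches; "|| true" keeps that from aborting.
    grep -a -b -o -i -E -- "$2" "$1" || true
}

build_sample_image() {
    # Constructed sample: a live note, 1 KiB of zeros (unallocated space),
    # a second file and a remnant of a deleted note the file system no
    # longer lists.
    {
        printf 'memo.txt: the meeting is at 4 in the cafe\n'
        head -c 1024 /dev/zero
        printf 'list.txt: can cat cab cart\n'
        printf 'remnant: THE MEETING IS AT 4, bring the papers\n'
    } > "$1"
}

work=$(mktemp -d)
build_sample_image "$work/image.dd"

echo '== literal phrase: found in the live file and in the deleted remnant =='
find_in_image "$work/image.dd" 'the meeting is at 4'

echo '== metacharacter: "ca." matches can, cat, cab, car(t) and caf(e) =='
find_in_image "$work/image.dd" 'ca.'

echo '== alternation: either phrase, with the byte offset to return to =='
find_in_image "$work/image.dd" 'bring the papers|cab'
rm -rf "$work"
```

Each output line is offset:match, so a hit inside the zero-filled region can be revisited at that byte offset with a hex viewer or dd's skip= option.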
The Coroner’s Toolkit
The Coroner’s Toolkit is a collection of (essentially) free tools designed to be used in the forensic analysis of a UNIX machine. Whereas the tools mentioned so far can be used in a wide variety of investigations, The Coroner’s Toolkit is specifically designed to be of use in the investigation of a computer break-in. The tools included help to reconstruct the activities of an intruder by, amongst other things, examining the recorded times of file accesses and recovering deleted files.
Live response tools
There are a number of free utilities (i.e. small, usually single-task oriented programs) available to the computer forensic investigator which are most commonly used during a “live response” to an incident, a situation where an investigator has decided to examine a computer while it is still running. Although such an approach may have significant implications as far as the principle of not altering data on a system is concerned, within the context of an entire investigation there may be circumstances where such an action is desirable or necessary. Here is a selection of some of the most commonly used tools:
netstat
A built-in Windows tool which lists details of connections between one computer and another. In cases where there is a suspicion of unauthorized access to data netstat can be an invaluable tool in gathering evidence which might otherwise be lost were the system to be shut down or powered off.
Fport
Available for free, Fport allows an investigator to identify which software applications on a computer system are communicating with or listening for connections from other computers. This can be of great use when an investigator suspects that a rogue program requiring network access may be running on a computer. Fport runs on Windows NT4, 2000 and XP.
PsList
Also available for free, the PsList program lists all processes (i.e. running programs) on a system. Again this is of great use to forensic investigators who need to track down an unauthorized program. Unauthorized programs (programs which should not be running on a system) can be harmless but may also be malicious in nature. Computers which have been infected by a virus or a Trojan Horse (a malicious program masquerading as something useful) will often exhibit unauthorized program activity.
Most operating systems include the ability to record certain aspects of their behavior and usage by saving this data to files called “log files”. The exact nature of what is recorded is determined partly by the options made available by the operating system for logging and partly by how these options are configured by the system administrator. Common uses, however, are to record when users log on and log off from a system or to determine when and by whom a file was accessed. Even in the absence of any other computer based evidence, a log file can potentially allow an investigator to reconstruct all the relevant aspects of a computer’s usage.
Commercial products exist to aid in log file analysis. Unfortunately, the variety of log files which are liable to be encountered by an investigator makes using a single program for this job very difficult. Consequently, some computer forensic examiners prefer to write their own programs, thus allowing themselves the flexibility to extract precisely the information they need from a particular type of log file. The Perl programming language is commonly used to write such programs as it is ideally suited for searching and extracting text.
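The kind of purpose-written log extraction described above, as an added example that is not from the article: a short awk pipeline pulls a logon timeline and a per-source failure count out of a syslog-style sshd log. The log lines are constructed for this example and the helper names are its own; a real auth.log has the same field layout with far more noise.

```shell
#!/bin/sh
# Added example: extract logon events from a syslog-style sshd log with awk.
# The log is constructed here; on a real system it would be read from disk.
set -e

build_sample_log() {
    cat > "$1" <<'EOF'
Sep 12 09:14:02 host sshd[2301]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
Sep 12 09:14:40 host sshd[2311]: Failed password for root from 10.0.0.77 port 40123 ssh2
Sep 12 09:14:41 host sshd[2311]: Failed password for root from 10.0.0.77 port 40124 ssh2
Sep 12 09:14:43 host sshd[2311]: Failed password for admin from 10.0.0.77 port 40125 ssh2
Sep 12 09:15:00 host sshd[2320]: Accepted publickey for bob from 10.0.0.9 port 51100 ssh2
Sep 12 09:30:12 host sshd[2301]: pam_unix(sshd:session): session closed for user alice
Sep 12 09:31:05 host CRON[2400]: (root) CMD (run-parts /etc/cron.hourly)
EOF
}

logon_timeline() {
    # Fields: $1-$3 date and time, $5 program[pid], $6 Accepted/Failed,
    # $9 user, $11 source address. Cron and session-close lines are skipped.
    awk '$5 ~ /^sshd\[/ && ($6 == "Accepted" || $6 == "Failed") {
             printf "%s %s %s %-8s %-6s from %s\n", $1, $2, $3, $6, $9, $11
         }' "$1"
}

failed_by_source() {
    # Count failed logons per source address, most frequent first.
    awk '$5 ~ /^sshd\[/ && $6 == "Failed" { n[$11]++ }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

work=$(mktemp -d)
build_sample_log "$work/auth.log"
echo '== logon attempts =='
logon_timeline "$work/auth.log"
echo '== failed attempts per source =='
failed_by_source "$work/auth.log"
rm -rf "$work"
```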
Log files may or may not provide an investigator with useful information. When a logging system is incorrectly configured, or worse yet, not functioning at all, any information gained is likely to be of limited value. Although logging is of considerable forensic value, it is rarely enabled indiscriminately: aggressive logging may consume too much valuable disk space or other computer resources. System administrators attempt to strike a sensible balance when developing logging procedures, based on the level of perceived threat to a system.
Although not always thought of as a “tool” for forensic investigation, appropriately configured log settings and careful analysis of the data recorded can often deliver very valuable information to an investigator. The great benefit of effective logging is that it provides a clear insight into past activity should an incident be discovered at a later date.
Investigations which require the capture of data as it travels over a computer network require the use of special software or hardware. Many of these solutions also include the ability to analyze the captured data.
When information travels over a computer network it does not do so all at once as a single stream of data but is instead split up into small sections called “packets” which are then sent individually. Although it may seem counterintuitive at first, this technique actually helps to ensure that data travels efficiently. Should an error occur during transport over a network, only the packet with the error needs to be retransmitted, not all of the original information. Capturing and viewing these packets as they traverse a network is known as “packet sniffing” and the programs designed for this purpose are called “packet sniffers” (other terms such as “network sniffers” or “network protocol analyzers” are also used).
One of the more popular and freely available packages is Ethereal which runs on both UNIX and Windows systems. Using Ethereal on a computer connected to a network allows all traffic traveling over the network to be captured and analyzed either in real time or at a later date, allowing such activities as web surfing and network file accesses to be reconstructed. Of course, legitimate forensic investigators are not the only ones who know how to use packet sniffers and these programs are sometimes used for malicious reasons such as collecting network data in order to capture a user’s password.
Gathering useful evidence in a computer forensic investigation involves more than just collecting data. The investigator will often need to be able to show a link between the data gathered and a particular person or persons. In cases where a single computer is known to have been used by a particular person and has not been attached to a network it may be relatively simple to establish the link, but where, for example, a computer’s security has been breached by an attacker over the Internet an investigator may need to spend much more time and effort in determining the attacker’s identity. Fortunately there are a number of widely available tools to help the investigator:
Every computer attached to the Internet requires an IP address, a number with which other Internet-connected computers can contact it. However, as human beings generally find names rather than long numbers easier to remember, a system for associating names with numbers called the Domain Name System (DNS) was developed so that computers could be referred to by name instead (when computers communicate the names are translated to the relevant numbers by the DNS and the number is then used by the computers “behind the scenes”). In order to use this system the person or organization responsible for a computer or computer network must register a domain name with one of the many domain name registrars. Every time a domain name is registered certain information is required to be registered along with it such as the registrant’s name and contact details. These details are held within the Whois database which is maintained by a number of authorities throughout the world. By using the whois program anyone can query this database over the Internet and view information about a domain’s administrative and technical contact persons.
When a domain name that warrants further investigation is uncovered, perhaps in a record of web surfing or in an e-mail address, these details can prove essential to an investigator either because they provide more information about a suspect directly or because they provide a contact point through which more information can be gathered. The whois program comes as a standard utility in most UNIX software and can be downloaded for Windows systems. Alternatively, the functionality of the program can be accessed through certain Web sites.
Search engines and newsgroups
In addition to the Whois database there are many other information sources on the Internet which can aid in the quest to find out more about individuals or groups linked to an investigation. The simplest method is to use one of the popular search engines such as Google (www.google.com) where investigators can search for more information on a particular person by name or e-mail address (or indeed any other information which may be relevant). You can try this yourself by entering your own name or other personal information into the Google search engine and seeing what happens; you might be surprised by the results! Another area of the Internet which can deliver interesting search results is the huge collection of Usenet newsgroups (discussion forums held online). These can be searched on the Web (see groups.google.com) or by using a software program called a newsreader. Results returned are likely to be based either on a match found in the contents of a message previously posted to a newsgroup or on an e-mail address found in the headers of such a message.
The collection of tools available to the investigator continues to expand and many tools are regularly updated by their developers to enable them to work with the latest technologies. Furthermore, some tools provide similar functionality but a different user interface, such as the products from Guidance Software and Vogon, whereas others are unique in the information they provide to the examiner. Against this background it is the task of the computer forensic examiner to judge which tools are the most appropriate for an investigation, bearing in mind the nature of the evidence which needs to be collected and the fact that it may at some stage be presented to a court of law. Without doubt, the growing number of both civil and criminal cases where computer forensic tools play a significant role makes this a fascinating field for all those involved.