Computer Forensics: Tools of the Trade and Practical Application (Part 1)

Last week, we introduced the topic of Computer(Digital) forensics, and today, we're looking deeper into the investigative process. Imagine a scenario where a colleague at work was suspected of saving sensitive company data on a separate file and attempted to cover their tracks by deleting all folders. As an investigator who gains access to the PC, you need to follow an investigative process to confirm the presence of evidence in line with the report. How do we achieve this? With the right tools!

Digital forensics encompasses various tools, each serving a specific purpose in the investigative process. Here are some of the main types of digital forensics tools you'll encounter:

1. Disk/Data Capture Tools: These tools are essential for capturing the contents of storage media such as hard drives, ensuring that no data is lost during the investigation. 
2. File Viewing Tools: These tools help investigators view and analyze files, making it easier to identify relevant evidence. 
3. Network and Database Forensics Tools: Network and database forensics tools are used to investigate network traffic and database breaches, crucial for cases involving cyberattacks. 
4. Specialized Analysis Tools: There are specialized tools for file, registry, web, email, and mobile device analysis, tailored to specific investigative needs.

Before we jump into the investigation, there's a pivotal step we need to look into: creating a disk image of the hard drive. This is like creating a digital snapshot to maintain data integrity. Here's a quick guide on creating a disk image from a Windows Operating System:

• Start by opening the System Backup Image Tool. In Windows 10, it's tucked away in Control Panel > Backup and Restore (Windows 7) > Create a System Image.
• Choose where to save this backup image – preferably on an external device or network storage.
• Handpick the drives you want to back up, typically the entire hard drive.
• Get the backup rolling. As a bonus, consider crafting a system repair disc that can help you kickstart your computer and restore a backup image if needed.

Remember, always work on a duplicate copy to avoid potential data loss in the original during the investigation. 

Now, before moving further into the investigation, it's essential to check the integrity of your data by comparing hashes. To achieve this, you can utilize tools like HashCalc, which is an MD5 calculator. HashCalc allows users to generate hashes for files based on various hashing algorithms, including SHA, SHA1, SHA256, SHA384, SHA512, MD4, MD5, and more. It also enables the creation of HMAC hashes, which are essential for data integrity verification.

To confirm data integrity, compare the generated hash with the original hash. If they match (indicated by an "=" sign), you can proceed confidently with the tools we have confirmed.

In the first part of this series, I’ll introduce 4 tools and how these tools work in real-life scenarios. Let's dive in:

1. Autopsy: 

Autopsy simplifies digital investigations through its user-friendly interface and powerful features. Here are the key steps to using Autopsy effectively: 

a. Create a New Case: Create a “new case” in Autopsy, where you'll manage all the evidence and findings related to your investigation. 

b. Add Data Source: Import the disk image or storage device you want to investigate into your case. 

c. Analyze Data: Autopsy will automatically analyze the data source, presenting you with a hierarchical view of files and folders. Use the built-in search and filter capabilities to pinpoint specific evidence. 

d. Review Findings: Examine file metadata, content, and any artifacts or digital footprints left behind by users. Autopsy's integrated viewers make it easy to assess the relevance of discovered data. 

e. Generate Reports: Create comprehensive reports to document your findings, which can be crucial for legal proceedings. 

2. Recuva:

Recuva is a handy tool for data recovery, especially when dealing with accidental file deletions. Here's how to use Recuva:

a. Select Drive: Choose the drive or location from which you want to recover files, and click "Scan." 

b. Scan for Deleted Files: Recuva will scan the selected drive for deleted files. You can use the "Deep Scan" option for a more thorough search. 

c. Recover Files: Recuva will display a list of recoverable files once the scan is complete. Select the ones you want to recover and click "Recover." 

d. Specify Recovery Location: Choose a safe location to save the recovered files to avoid overwriting data.

3. SleuthKit: 

SleuthKit is a powerful command-line toolset for analyzing disk images and file systems. Here's a simplified overview of its usage: 

a. Create a Case: Create a new case to manage your investigation. 

b. Add Data Source: Import the disk image or storage device you wish to examine. 

c. Use SleuthKit Commands: SleuthKit offers various command-line utilities like "fls" to list file and directory information, "ils" to list inode details, and "icat" to extract specific file content. Take a look at this cheatsheet from TemplateRoller

d. Analyze File System: Explore the file system structure and recover deleted files using SleuthKit's utilities. 

e. Document Findings: As with any investigation, it's essential to document your findings and actions for legal and reporting purposes. 

4. WinHex: 

WinHex is a versatile hexadecimal and disk editor. While it serves multiple purposes, here's how to use it in a digital forensic context: 

a. Open Disk Image: Load the disk image you want to investigate in WinHex. 

b. Navigate Disk Structures: Use WinHex's features to navigate through disk structures, including partitions, file systems, and raw data. 

c. Examine and Edit Data: Analyze binary data directly, searching for specific patterns or evidence. You can also use it to recover deleted files by identifying their headers and footers. 

d. Backup and Documentation: Always make backups of your original data and document your actions thoroughly during the investigation. 

These tools empower digital forensics experts to uncover critical evidence and shed light on complex cases when used proficiently. By next week, we will be looking at anti-forensics techniques.

Here's to another week of exciting digital discoveries!