Computer forensics can be seen as a blending of investigation and computer science. There are many tools used in the process of examining digital evidence and evaluating system security. Familiarity with at least some of these programs is required for positions in the field. Most computer forensics colleges focus a majority of courses on industry software for this reason.
When a computer forensics tool is put to work it gathers two main types of data: volatile and persistent. Volatile data is any information that is lost when the computer is powered off, so it must be captured while the system is still running. Persistent data is stored on the computer's hard drive and survives a reboot. Tools allow analysts to explore this data and gather evidence or evaluate security measures.
The main categories of computer forensics tools are data acquisition, bootable environments, volume systems, file systems, application, network, memory and frameworks. Data acquisition tools are used to collect data from a dead (powered-off) or live suspect system. Bootable environments are used to boot a suspect system into a trusted state. Volume system tools examine the data structures that organize media (such as partition tables or disk labels). File system tools are used to examine a file system or disk image and show file content along with other metadata. Application tools are used to analyze the contents of a file. Network tools analyze network packets and traffic. Memory tools are used to analyze memory dumps from computers. Finally, frameworks are used to build custom tools.
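To make the "volume system" category concrete, here is an added example (not code from the article or from any of the tools it names) that decodes an MBR partition table from sector 0 of a disk image and then reports the unallocated sector ranges between partitions, which are exactly the regions a file system tool will never show and an examiner therefore checks separately. The sector it parses is constructed by build_sample_mbr() and is not a real disk; the partition type labels are a small illustrative subset.

```python
"""Added example (not from the original article): parse an MBR partition
table, the kind of on-disk structure a volume system tool examines, and
report the unallocated sector ranges between partitions.
The sample sector is constructed; it is not a real disk image."""
import struct
from dataclasses import dataclass

SECTOR = 512
# Partition type ids an examiner sees most often (illustrative subset, labels only)
PARTITION_TYPES = {0x07: "NTFS/exFAT", 0x0C: "FAT32 (LBA)", 0x83: "Linux", 0xEE: "GPT protective"}


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    start_lba: int
    sectors: int

    @property
    def end_lba(self) -> int:
        """First sector after the partition."""
        return self.start_lba + self.sectors

    def describe(self) -> str:
        kind = PARTITION_TYPES.get(self.type_id, f"type 0x{self.type_id:02x}")
        flag = "*" if self.bootable else " "
        return f"{flag} p{self.index}: {kind:<14} LBA {self.start_lba}-{self.end_lba - 1}"


def parse_mbr(sector0: bytes) -> list[Partition]:
    """Decode the four 16-byte partition entries at offset 446 of sector 0."""
    if len(sector0) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    if sector0[510:512] != b"\x55\xaa":
        raise ValueError("missing MBR boot signature 0x55AA")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        # entry layout: status, CHS start (3 bytes, ignored), type,
        # CHS end (3 bytes, ignored), LBA start, sector count
        status, type_id, start_lba, sectors = struct.unpack_from("<B3xB3xII", sector0, off)
        if type_id == 0:  # empty slot
            continue
        parts.append(Partition(i, status == 0x80, type_id, start_lba, sectors))
    return parts


def unallocated_gaps(parts: list[Partition], total_sectors: int) -> list[tuple[int, int]]:
    """Return (start_lba, length) ranges not covered by any partition.
    Sector 0 (the MBR itself) is never reported as a gap."""
    gaps = []
    cursor = 1
    for p in sorted(parts, key=lambda p: p.start_lba):
        if p.start_lba > cursor:
            gaps.append((cursor, p.start_lba - cursor))
        cursor = max(cursor, p.end_lba)
    if total_sectors > cursor:
        gaps.append((cursor, total_sectors - cursor))
    return gaps


def build_sample_mbr() -> bytes:
    """Constructed sector 0: a bootable NTFS partition, a gap, then a Linux partition."""
    sector = bytearray(SECTOR)
    entries = [(0x80, 0x07, 2048, 204800), (0x00, 0x83, 210000, 100000)]
    for i, (status, type_id, start, size) in enumerate(entries):
        struct.pack_into("<B3xB3xII", sector, 446 + 16 * i, status, type_id, start, size)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


if __name__ == "__main__":
    parts = parse_mbr(build_sample_mbr())
    for p in parts:
        print(p.describe())
    for start, length in unallocated_gaps(parts, total_sectors=400000):
        print(f"unallocated: LBA {start} +{length} sectors ({length * SECTOR // 1024} KiB)")
```

The gap report is the forensic payoff: a partition table that leaves sectors unaccounted for is not itself suspicious (alignment padding before the first partition is normal), but each gap is a region that has to be acquired and examined separately because no file system tool will list it.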
Common software applications within these categories include:
- CAINE (Computer Aided INvestigative Environment) is a GNU/Linux live distribution created as a project of Digital Forensics. It offers a complete forensic environment that is organized to integrate existing software tools as software modules and to provide a friendly graphical interface.
- DEFT Linux v5 is an Italian project that uses the LXDE desktop environment and the Thunar file manager in conjunction with free and open source applications dedicated to incident response and computer forensics. It is commonly used by police, investigators and system administrators.
- Autopsy Forensic Browser is a graphical interface to the command line tools in The Sleuth Kit and allows an investigator to view deleted and allocated files, perform keyword searches, and create timelines of file activity.
- File System Investigator is a platform-independent file system viewer and data extraction tool. It allows the user to view the contents of the target file system in a forensically safe manner, bypassing the normal operating system mechanisms. It can extract files and whole directory trees of files from the source file system.
- PyFlag is an acronym for "Forensic and Log Analysis GUI". The tool was written for analysis of various log file types and network traffic but can also be used for forensic analysis of disk images. It includes support for the Volatility framework and supports file carving to recover known file types.
- NetSleuth is an open-source network forensics and analysis tool, designed for triage in incident response situations. It can identify and fingerprint network hosts and devices from pcap files captured from Ethernet or WiFi data (from tools like Kismet).
- DFF is a simple but powerful open source tool with a flexible module system written in C++ and Python. The tool aims to provide an extensible framework by which additional features may be added to analyze and recover any kind of digital artifact.
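The file carving that the PyFlag entry above mentions works by scanning raw data for the header and footer bytes of known file types rather than relying on directory entries. The following is an added example of that technique, written for this page and not taken from PyFlag or any other tool listed; the signature table is a two-entry illustrative subset, and the raw data it scans is constructed by build_sample_image() rather than read from a real image.

```python
"""Added example (not from the original article): carve files of known
types out of raw or unallocated data by header/footer signature, the
technique used to recover files whose directory entries are gone.
The scanned data is constructed; it is not a real disk image."""
import hashlib

# header/footer pairs for two common types (illustrative subset)
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
}
MAX_CARVE = 10 * 1024 * 1024  # ignore header/footer pairs further apart than this


def carve(image: bytes, max_size: int = MAX_CARVE) -> list[dict]:
    """Return carved files as dicts with type, offset, size and SHA-256.
    A header with no matching footer (a truncated file) is skipped, not guessed at."""
    found = []
    for ftype, (header, footer) in SIGNATURES.items():
        pos = 0
        while (start := image.find(header, pos)) >= 0:
            end = image.find(footer, start + len(header))
            if end < 0:
                break  # truncated: nothing more to carve for this type
            end += len(footer)
            if end - start <= max_size:
                data = image[start:end]
                found.append({
                    "type": ftype,
                    "offset": start,
                    "size": len(data),
                    # hash at carve time so the recovered artifact can be verified later
                    "sha256": hashlib.sha256(data).hexdigest(),
                })
            pos = end  # resume after the carved file
    return sorted(found, key=lambda f: f["offset"])


def build_sample_image() -> bytes:
    """Constructed raw data: filler bytes with one fake PNG and one fake JPEG embedded."""
    filler = bytes(range(256)) * 4  # 1024 bytes that contain none of the signatures
    fake_png = SIGNATURES["png"][0] + b"\x00" * 40 + SIGNATURES["png"][1]
    fake_jpg = SIGNATURES["jpg"][0] + b"\xe0" + b"\x00" * 60 + SIGNATURES["jpg"][1]
    return filler + fake_png + filler + fake_jpg + filler


if __name__ == "__main__":
    for f in carve(build_sample_image()):
        print(f"{f['type']} at offset {f['offset']} ({f['size']} bytes) sha256={f['sha256'][:16]}...")
```

Two design points matter in practice: resuming the scan after each carved file rather than immediately after the header avoids re-carving embedded thumbnails as separate hits, and the size cap stops a stray footer megabytes away from producing a bogus giant file. Fragmented files are not recovered by this simple header/footer method; that is the main limitation real carving tools work around.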
Learning to use these tools and many others requires either completing a computer forensics degree online[1] or years of hands-on experience. With training and dedication, it is possible to master these programs and use them to effectively fight cyber crime.
[1] Westwood prepares graduates for certification. Graduates wishing to attain certification must take and pass any applicable test/exams.