The Value of Professional Certifications - Computer Forensics

EnCase

EnCase is a widely used forensic toolkit. EnCase:

Allows the examiner to connect an Ethernet cable or null modem cable to a suspect machine and to view the data on that machine.

Prevents the examiner from making any accidental changes to the suspect machine.

 

Forensic Toolkit (FTK)

The Forensic Toolkit (FTK) is another widely used forensic analysis tool that is popular with law enforcement. FTK:

Is particularly useful at cracking passwords.

Provides tools to search and analyze the Windows Registry. The Windows Registry is where Windows stores all information regarding any programs installed, including viruses, worms, Trojan horses, hidden programs, and spyware.

Has a robust set of tools for examining email.

Allows for distributed processing. Processing and analysis can be distributed on up to three computers, allowing all three computers to process the analysis in parallel, significantly speeding up the forensic process.

Has an Explicit Image Detection add-on that automatically detects pornographic images. This is very useful in cases involving allegations of child pornography.

 

OSForensics

Full product is $899, which is a fraction of the cost of many other tools.

Very easy to use.

Will do most of what Encase and FTK will do, but lacks a few of those products’ specialized features. For example, OSForensics does not have a Known File Filter, as does FTK.

Helix

Helix is a customized Linux Live CD used for computer forensics. Basically, you boot the suspect system into Linux using the Helix CDs and then use the tools provided with Helix to perform your analysis. Helix is full of features but it has not become as popular as FTK and EnCase.

 

Kali Linux

Kali Linux (formerly BackTrack) is a Linux Live CD that you use to boot a system and then use the tools. Kali Linux is a free Linux distribution. It is not used just for forensics and has a wide number of general security and hacking tools. It is probably the most widely used collection of security tools available.

 

AnaDisk

AnaDisk turns a PC into a sophisticated disk analysis tool. It scans for anomalies that identify odd formats, extra tracks, and extra sectors. It can be used to uncover sophisticated data-hiding techniques.

 

CopyQM Plus

CopyQM Plus essentially turns a PC into a disk duplicator. In a single pass, it formats, copies, and verifies a disk. This capability is useful for system forensics specialists who need to preconfigure CDs for specific uses and duplicate them.

 

The Sleuth Kit

The Sleuth Kit is a collection of command-line tools that are available as a free download. This tool set is not as rich or as easy to use as EnCase, FTK, or OSForensics, but can be a good option for a budget-conscious agency. There are options to search for a given file or to search for only deleted versions of a file, which is useful when you know the specific file you are searching for. However, it is not a good option for a general search.

 

Disk Investigator

This is a free utility that comes as a graphical user interface for use with Windows operating systems. It is not a full-featured product but it is easy to use. When you first launch the utility, it presents you with a cluster-by-cluster view of your hard drive in hexadecimal. From the View menu, you can view directories or the root. The Tools menu allows you to search for a specific file or to recover deleted files.

 

EnCase Case File