Tuesday, May 29, 2012

Computer Pseudo-Forensics; Tools

Where to start? Disclaimers!
1. I'm not a computer tech/analyst
2. I'm not a lawyer
3. Follow your own judgment before trying anything here. See #1 and #2 above.

Computer forensics is the scientific discipline of analyzing and preserving digital information to support legal matters. Police forensics analysts seize computers, phones and servers from bad guys and search them for kiddie porn, bootlegging, and details of illicit financial transactions. Lawyers often refer people to private investigators to perform computer forensics in civil matters such as divorce. A great deal of information can be gained from computer forensics, but for it to be admissible as evidence it most definitely has to be done by an independent party. Given that, what I'm describing in these blog posts falls far short of the professional definition of forensics. That's why this post is titled Pseudo-Forensics.

There is an almost infinite number of combinations of computer platforms, operating systems and programs. I'm not familiar with every system; most of the work I have done is on Windows XP, Vista and 7.

Here are some handy tools. Most are free or low-cost, and download links are provided in the hyperlinked name of each tool below.
1. HxD Hex Editor
HxD is a free hex editor. It shows a file's raw bytes in hexadecimal alongside their text rendering, which is handy for viewing files where a cached value may be hiding. Very useful for looking at Skype's databases.
2. SQLite Database Browser
The SQLite Database Browser is a free tool useful for exploring the SQLite databases behind the scenes of Skype and several popular browsers.
3. ChromeAnalysis, FoxAnalysis
The good people at Foxton Software have provided a freeware version of their browser analysis tools. The pay versions have many more features but weigh in at £68.
4. ChromeCacheView, IECacheView, MozillaCacheView
The good people at NirSoft have compiled some free utilities to view the contents of popular browsers' cache folders. The listings show each item's URL and accessed date, and there is an option to extract items to a folder to view their contents (useful for cached images!).
5. SkypeLogView
The good people at NirSoft have provided a tool for analyzing the Skype database files for call logs, chats, etc. It is a very handy tool, but much more data can be gathered using HxD; that will be the subject of a future post.
6. SkypeChatsyncReader
A utility created by Rasmus Riis Kristensen of the Computer Crime Unit of the Danish National Police. Its author reverse-engineered where the data sits in Skype's .dat files.
7. PCWin Recovery
The good people at Frontier DG have a tool (about $10, I believe) which can be loaded onto a USB drive and will reset the Windows password. This is hardly a stealth operation... it wipes out the password.
8. MiniTool Power Data Recovery
The good people at MiniTool have an application which can recover deleted files from the PC, SD cards and USB drives. The trial version allows 1GB to be recovered free. The cost of the software is around $65.
9. Thumbs.db Viewer
The good people at Janusware have created a utility to view all of those little thumbnail pictures that are created in Windows. These thumbnail images often exist long after the file itself was deleted. They offer a trial version which is relatively useless. The product costs $25 and is recommended.
10. OSForensics
The good people at Passmark Software have put out a freeware forensics suite. It is feature-heavy with the ability to clone a drive without accessing the OS, virtual drive mounting and data carving tools. However, the tool set is complicated for a non-forensic analyst to use. The pay version is about $500 and allows multiple file export, performance enhancement, unlimited data indexing and other useful features.
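As an added illustration (example code written for this post, not part of the original list and not code from any of the tools above), here is a small Python script that does by hand what the first two tools do: it renders a file's bytes as hex next to their ASCII text, pulls printable strings out of binary data, and, if the file starts with the SQLite header, lists its tables and row counts while opening the database read-only so nothing is altered. The sample chat-history database it builds is constructed for the demonstration, and all the helper names are assumptions of this example rather than anything the tools expose.

```python
"""File-triage helper: hex/ASCII dump, printable-string extraction and
a read-only table overview for SQLite files. Added example code for this
post; helper names and the sample database are constructed here."""
import os
import sqlite3
import string
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file
# Printable ASCII without the control-type whitespace (tab, newline, etc.).
PRINTABLE = set(string.printable.encode("ascii")) - set(b"\t\n\r\x0b\x0c")


def hexdump(data: bytes, width: int = 16) -> list[str]:
    """Render bytes as offset / hex / ASCII lines, the view a hex editor gives."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if b in PRINTABLE else "." for b in chunk)
        lines.append(f"{off:08x}  {hex_part:<{width * 3 - 1}}  {text}")
    return lines


def find_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Collect runs of printable ASCII of at least min_len bytes (like `strings`)."""
    found, run = [], bytearray()
    for b in data:
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:           # flush a run that ends at end-of-data
        found.append(run.decode("ascii"))
    return found


def is_sqlite(data: bytes) -> bool:
    """True when the data begins with the SQLite 3 file header."""
    return data[:16] == SQLITE_MAGIC


def sqlite_overview(path: str) -> dict[str, int]:
    """Return {table_name: row_count}; the file is opened read-only (mode=ro)."""
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        names = [r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
        return {n: conn.execute(f'SELECT COUNT(*) FROM "{n}"').fetchone()[0]
                for n in names}
    finally:
        conn.close()


def triage_file(path: str) -> dict:
    """Read the head of a file, classify it, and summarise what is inside."""
    with open(path, "rb") as fh:
        head = fh.read(256)
    result = {"sqlite": is_sqlite(head), "strings": find_strings(head), "tables": {}}
    if result["sqlite"]:
        result["tables"] = sqlite_overview(path)
    return result


def make_sample_db(path: str) -> None:
    """Constructed sample: a tiny chat-history style database (two messages)."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    conn.executemany("INSERT INTO messages (author, body) VALUES (?, ?)",
                     [("alice", "meet at 10?"), ("bob", "ok, see you there")])
    conn.commit()
    conn.close()


def triage_sample() -> dict:
    """Build the constructed sample database in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.db")
        make_sample_db(path)
        return triage_file(path)


if __name__ == "__main__":
    for line in hexdump(SQLITE_MAGIC + b"ABC"):
        print(line)
    print(triage_sample())
```

Run it with no arguments to see the hex view of a SQLite header and the table summary of the constructed sample; point `triage_file` at a real browser or chat database to get the same summary for it. The `mode=ro` URI is the one deliberate design choice: looking at a database you are examining should never write to it, and a plain `sqlite3.connect` would happily create journal files beside it.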

We've talked mostly about looking at past data records. Monitoring and spyware will be the subject of a future post.

--- DNS
