PC Forensics Software
Last updated Mar 18, 2004.
There are numerous software-based tools available to the forensic investigator. They range from simple tools like dd (data dump), which performs one very explicit function, to the ever-popular Guidance EnCase, which tries to do it all and then some. However, as we hope to illustrate, each tool has its own niche or special feature that sets it apart from the others. Some of these tools are focused on data recovery, which is required when searching a formatted and fdisked hard drive; others are focused on producing hard, undeniable forensic evidence for use at trial. In other words, if you want the best possible search and recovery results, you should be familiar with a wide selection of tools, with the operating system required to run them, and with how to use several tools in tandem. This not only lets each program corroborate the others, but also gives you a better picture of what type of data you possess. In this section, we look at several popular programs and toolkits that you will want to be at least familiar with, as well as some lesser-known programs that you may find equally, if not more, valuable than their well-known counterparts. This is not meant to be a standard review in which we rate programs: if a program is on this list, it has some value as a forensics tool. Instead, we simply want to provide you with a list of valuable tools that help forensics experts do their work.
dd (data dump *nix)
This program is first in the list because of its incredible simplicity and its equally remarkable usefulness as a forensics tool (in addition to being a backup tool, a restore tool, and more). In short, dd is a data dumping program that can copy and convert files, hard drives, tapes, CDs, or any section of a drive selected by skip and seek byte values. In the forensics world, however, dd serves one main purpose: creating an exact duplicate of a data medium so that collected evidence can be investigated safely. When you combine this with *nix's ability to restrict write access to a drive in software (by mounting it read-only with the 'ro' option), dd becomes a dependable tool for extracting a bit-by-bit duplicate of a hard drive that can later be analyzed by other forensics programs. As long as the medium is mounted 'ro', it cannot be altered during the extraction process, which protects the evidence.
There are other imaging programs. What makes dd somewhat unique is that it copies EVERYTHING on a hard drive, including all slack space and deleted files. In other words, if you used dd to copy a freshly formatted 1 GB drive, the file it created would be 1 GB. This lets other tools examine the dd image directly, which speeds up analysis and protects the original evidence from accidental changes. Many other programs simply copy 'live' files that are usable and viewable on almost any computer; unfortunately, that can miss some of the most critical information, namely data that was previously deleted.
As previously mentioned, dd is a *nix tool, so it should come as no surprise that it is a command line tool. While dd is more than just a forensics tool (it also handles image conversion and data backup), this section focuses on data duplication. In general, an investigator uses dd to make an image of a drive that is connected to the computer, or of some other medium that can be mounted on the *nix system, such as a backup tape or RAM disk. When connecting, the medium MUST be mounted read-only ('ro'); this can be set in the fstab file or on the mount command line. The following outlines the general procedure for mounting a hard drive, creating a dd image, and mounting the newly created image file for further forensic investigation.
NOTE
You will need at least as much free space on the destination point as the size of the target drive.
If you are using an external drive, such as a USB drive, you will want to obtain a copy of 'rescan-scsi-bus.sh'. You will find that this script makes life easier as you connect and disconnect the USB drive. Once rescanned, mount the drive as 'ro' (e.g. 'mount -t vfat -o ro,noatime /dev/sda1 /images/case1-hdc1').
The most secure method of extracting data is to use dd WITHOUT mounting the drive, though this is not as user friendly when dealing with multiple partitions. For more advanced examples of dd, please visit TLDP.com (Credit: Vance Lankaar).
1. Mount the media, ensuring you have the 'ro' option set.
2. Use the following command to make a copy of the first partition on the hdc drive:
   dd if=/dev/hdc1 of=/home/images/case1-hdc1-c1-badguy
3. Once the image has been created, you can mount the dd image safely using the following command:
   mount -o ro,loop,noatime /home/images/case1-hdc1-c1-badguy /mnt/case1-hdc1
Options explained (-o):
ro: read-only. This is a must when mounting any drive. If a drive is written to during an investigation, its value as evidence is threatened.
loop: allows a file to be mounted and accessed like a regular block device (hard drive partition).
noatime: disables the last-access time stamp that is put on opened files.
Now that you have a mounted drive, it is time to start investigating using the tools and techniques discussed in this section.
There are advanced dd options you should be familiar with that can help when imaging data media. For example, if you needed to back up a 40 GB drive and transfer it on CD/DVD, you could break the image into a series of files that can be reassembled later. Likewise, the time required to search a 40 GB image for the word 'sex' can be reduced by distributing chunks of the drive image to several computers.
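The imaging procedure above and the split-into-chunks idea, as an added example that is not from the original article: dd makes the image, SHA-256 hashes (assumed available as sha256sum) are recorded to show the copy is bit-exact, the image is cut into chunks with dd skip/count and rebuilt with dd seek, and the rebuilt image is checked against the source hash. The /dev/hdc1 path from the text is replaced by whatever source path is passed in; the sample "device" is constructed data.

```shell
# Added example: dd imaging with hash verification, chunked with dd skip/count
# and reassembled with dd seek. Assumes sha256sum; the page's /dev/hdc1 is
# replaced by whatever path is passed as the source argument.

# Constructed sample "device": 20 sectors of repeating text, not real evidence.
make_sample() { yes 'forensic sample sector data' | head -c 10240 > "$1"; }

# SHA-256 of a file, hash only; record this before and after analysis.
hash_of() { sha256sum "$1" | cut -d' ' -f1; }

# Sector-by-sector copy. conv=noerror,sync continues past read errors and
# zero-fills bad sectors so offsets in the image still match the source.
image_device() { dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null; }

# Cut img into $3-byte chunks prefix.000, prefix.001, ... using skip= so each
# dd invocation starts at the next chunk boundary. Prints the chunk count.
split_image() {
    img="$1"; prefix="$2"; chunk="$3"
    size=$(($(wc -c < "$img") + 0)); i=0; off=0
    while [ "$off" -lt "$size" ]; do
        dd if="$img" of="$(printf '%s.%03d' "$prefix" "$i")" bs="$chunk" \
           skip="$i" count=1 2>/dev/null
        i=$((i + 1)); off=$((off + chunk))
    done
    echo "$i"
}

# Rebuild: seek= places chunk i at offset i*chunk; notrunc keeps earlier chunks.
join_chunks() {
    prefix="$1"; out="$2"; chunk="$3"
    rm -f "$out"; i=0
    for part in "$prefix".*; do
        dd if="$part" of="$out" bs="$chunk" seek="$i" conv=notrunc 2>/dev/null
        i=$((i + 1))
    done
}

# Image, split, rejoin, then compare hashes; succeeds only on a bit-exact rebuild.
verify_roundtrip() {
    src="$1"; work="$2"; chunk="$3"
    image_device "$src" "$work/image.dd"
    split_image "$work/image.dd" "$work/part" "$chunk" >/dev/null
    join_chunks "$work/part" "$work/rebuilt.dd" "$chunk"
    [ "$(hash_of "$src")" = "$(hash_of "$work/rebuilt.dd")" ]
}
```

On a real partition the source is a block device, so its size is already a multiple of the 512-byte sector and conv=sync adds no padding; the same hash comparison then tells you the image is an exact duplicate.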
Hopefully you can see how useful dd can be to an investigation. Since this program is free, and is considered a reliable form of image creation, it should be part of any forensics kit. Check out
Foremost (data search/extraction - *nix)
Foremost is a data detection/extraction tool developed by the Air Force Office of Special Investigations to assist forensic investigators with the recovery of deleted files. This is another console-based program that is easy to use, free, and full of potential. Using it is as simple as setting up the configuration file to filter for the file types you want, defining the output folder, and pointing the program at an image file created by dd, EnCase, or a similar imaging program. The following command will filter a hard drive image for graphics, documents and more, assuming you are using the default configuration file.
./foremost -o /home/user/evidence/hdc-case1 hdac-case1.img
While this program is fairly straightforward, it is prone to error because it uses header/footer patterns to detect and carve out a file. If the program chances upon a series of bytes that matches a defined file type but fails to locate the closing characters for that type, you will quickly fill up your hard drive with 340 MB document files that are of no value. To reduce the risk of this happening, monitor the output folder for anything out of the ordinary and limit the types of files you look for at one time.