Module 4 (1)

MODULE 4 - TOOLS USED FOR DATA RECOVERY

Branches of digital forensics
Computer forensics, mobile device forensics, network forensics, database forensics, and forensics
data analysis are five main branches of digital forensics. The recovery and preservation of digital
evidence from computer systems and storage media, such as hard drives, comes under computer
forensics. Recovering and preserving digital evidence from mobile devices, such as smartphones
and tablets, falls under mobile device forensics. Network forensics consists of monitoring any
computer network intrusions and the analysis of the network traffic that is being transmitted to and
from the computer network. The branch of digital forensics that deals with the examination of the
digital evidence found in databases is called database forensics. The branch that deals with the
structure of the digital evidence data and that is used to find any patterns that may be present within
the data is called forensics data analysis.

Digital forensics tools
For performing digital forensics examinations, digital forensics examiners can use both software
and hardware tools are either available for free or can be bought from a vendor. Both, commercial
as well as open-source tools are available for an investigator to use. Almost all the tools are mostly
focused on mobile device or computer forensics. The reason for this is the fact that both these
digital forensics branches are very predominant. The computers used in the realm of digital
forensics require big memory, hard disks with greater capacities, central processing units or CPUs
that have very high speeds, etc.

Hardware tools
Hardware tools are designed in a way that they can prevent the integrity of the evidence present
on a storage media intact. A hardware write blocker can be used by a digital forensics examiner to
prevent the modification of the data present on the device being investigated while the examiner
tries to read the data. In other words, it is a read-only device and prevents anything from being
written onto the device from which data is being read. There is also a device known as a disk write-
protector, which is used for storage devices and it stops the data present in the storage device from
getting deleted or altered. If all the data present on a suspect drive needs to be copied to a clean

drive, then a hard-drive duplicator could be used. It creates an exact image of the suspect drive on
the new drive. SD cards or flash drives can also be copied using a hard-drive duplicator. The
passwords for any password protected storage devices can be cracked using a password recovery
device. The password recovery device uses various types of password cracking attacks, such as a
dictionary attack, to recover the passwords.

Software tools
The software tools that are used for digital forensics examination purposes can be used to perform
many different functions. A single tool usually has the ability to do a lot of tasks according to the
investigator's needs. A lot of tools are available the source code for which can be customised by
programmers according to the needs of the users of those tools. These tools are open-source and
prove to save money for the people who want to use them. Multiple operating systems can be
managed by some tools, and they can even be used on several devices simultaneously. Different
features of these tools can be used in different branches of digital forensics.

Computer forensics software complement the hardware tools available to law enforcement. While
the hardware tools such as write-blockers primarily focus on preserving the evidence in a target
device, software applications can acquire and analyze the digital evidence collected from the
suspect device. Suspects often hide or delete their files or partition the hard drives of their
computers so that evidence is difficult to discover; however, forensic software applications can
assist investigators in recovering this evidence. Windows Registry records when, where, and how
a file is created, renamed, viewed, moved, or deleted, and some applications can perform registry
analysis to collect and analyze these traces. In short, certain user activities can be recovered and
investigated with digital forensics software.

Mobile forensics tools are mainly designed for investigating mobile phones, but they can also be
used for investigating devices that have a memory and some communication features. All
activities, such as any digital evidence sent from a mobile device to another device, that happen
on a mobile device can be investigated by these tools. Timelines can be established and any
defences can be validated through any phone call logs that are recovered by these tools. Digital

evidence can also be the instant messages sent via various apps and to aid the investigation these
messages can be searched for evidence by performing keyword searches using mobile forensics
tools. Recovery of the data that is stored in the flash memory of a mobile device can be performed
using these tools, and the geolocations can also be found out to establish a record of where all the
device was used. The geolocations can be recovered either from the mobile device itself or if
location-based services are enabled on the device, then the geolocations can also be obtained from
those location-based services.

If any digital evidence is encrypted, then that could be an issue for digital forensics examiners as
that would slow down the investigation process. The encrypted evidence can also not be ignored
as it might contain important information that could be helpful in the investigation process and be
admissible in the court. Suspects use encryption to secure their files and prevent anyone from
accessing the information that is contained in those files. Technically, someone can decrypt the
suspect files only with the correct password, however, there are tools and algorithms that can be
used to crack the encryption on the evidence files. But, if the encryption algorithm is very strong,
then the process will take time and require skilled personnel and highly powerful computer systems
and resources.

Other toolkits
Updates to crucial digital forensics tools are made frequently. Digital forensics examiners should
regularly monitor any changes made to the digital forensics tools.
Free tools and the ones that do not have a high price could be beneficial for a wide variety of
institutions. Organisations that have a huge budget that they can spend on many of the paid tools
can leverage from all of the state-of-the-art tools that are available from major vendors.

Functionally, there are five categories of forensic hardware:
(i) Computer systems that can be used all the activities from the capture of the
evidence to the analysis and the presentation.
(ii) The write blockers, storage media devices, and interfaces that can be used for
capturing the digital evidence.
(iii) The storage media for storing the digital evidence during and after the evidence
capturing phase.
(iv) The storage media that can be used for storing the data while performing
duplication of data, while testing the networks, and while analysing data.
(v) The consumables and equipment required for the protection of the devices in
question, for pulling apart and rebuilding those devices, for labelling and
processing, and for cleaning the devices.

The following are the two kinds of forensic software:
(i) Integrated software that can be used throughout the entire lifecycle of the digital
forensics investigation.
(ii) Special software that is used for a specific forensics task only.

Encase and FTK are two of the most widely used software suites in the digital forensics realm.
Mobile device and email forensics can easily be done by using Paraben’s P2 Commander. It is an
integrated software suite which has numerous tools built into it. Another tool is the XWays
Forensic Toolkit, which is also widely used by digital forensics practitioners, and is built upon the
WinHex tool. It is a very simple looking tool with basic features.

Digital Detective Group and PassMark Software also provide some good digital forensics tools. A
good tool that uses PassMark Software and is sponsored by JISC is the Forensic Investigation of
Digital Objects or FIDO project. Another tool which would fall under the special tools category is
InfinaDyne’s CD/DVD Inspector.

Open-sourced digital forensics frameworks and toolkits
The Linux operating system can be used to setup an open-source examination platform. The Ruby,
Perl, and Python programming languages, FUSE (Filesystem in User SpacE) and the modules
related to it can be integrated into the examination setup. Great utility can be obtained for reading
and interpreting file containers that can be used to access a file's contents, file systems, and
volumes by using all the previously discussed components. Some forensics tools that can be used
in the previous context include:

• XMount
• MountEWF
• AFFuse

Some famous frameworks and toolkits are as follows:
• AFFLib
• PyFlag
• The Sleuth Kit (TSK) with Autopsy
• Digital Forensics Framework (DFF), also known as Open Source Digital Investigation
Framework from ArxSys.
• Open Computer Forensics Architecture (OCFA) by the Dutch police
• Fiwalk or ‘file&inode walk’

The fiwalk.py is script made with the Python scripting language. Forensics tools can be created
that take advantage of fiwalk’s features. The Python language can be given access to the libraries
included in the Sleuth Kit with the help of pytsk, which is another Python project. The bulk
extractor is a tool programmed in C++, which can be used to search the digital evidence that is
under investigation for any URLs, credit card number, email addresses or other data.