Computer System Security: Forensic Tools Analysis
In this report we look at the forensic tools used for data recovery, data preservation and examination. Recovering data from electronic devices is challenging work for a forensic investigator: the data may have been deleted, hidden or modified by the victim, so the investigator must be able to recover the original data without making any changes to it. There are procedures for computer forensics that have to be followed. We also discuss how to use the forensic tools in practice, along with their advantages and some limitations.
In this report we discuss the computer forensic tools used for data capture, data preservation and data examination, how each tool works and how to use it. Computer forensics is a very useful way to recover or preserve data: if someone has committed a crime and tries to remove the digital evidence, forensic tools can recover the removed data. Before performing computer forensics, the suspected device must first be cloned; the examination then proceeds on the clone.
The following steps should be performed by a digital forensic examiner.
- Extraction of data
Before entering the crime scene the forensic investigator must identify what kind of evidence is available there, what must be collected and what is crucial to the case. The investigator must never compromise the integrity of the data retrieved from the crime scene, and throughout the process must maintain proper documentation that is admissible in court, together with proof of evidence and a chain-of-custody form.
The following are the tools studied in this report.
DSi USB Write Blocker is a software write blocker used when cloning devices such as PCs, laptops, mobiles and USB drives. It prevents write access to USB devices, which means the data cannot be edited while the tool is active.
Figure 1: USB Write Blocker
The important property of a write blocker is that the metadata and timestamps cannot be modified, because they play a vital role in the investigation. When DSi USB Write Blocker starts it shows a box that allows you to enable or disable the write blocker; once you have made your selection and exited the application you can check the status from the padlock icon in the taskbar. When investigating a USB drive you must activate the write blocker first, as shown in the figure below, and only then plug the USB drive in.
Figure 2: DSi USB Write Blocker
The tool can also be used from the command line. It works by modifying a registry entry so that USB drives are blocked from being written to. To operate it, execute the batch file and select the first option, which changes the mode of the USB ports to read-only, as shown in the figure below.
Figure 3: Write Blocker using command line
Bulk extractor is a forensic tool that examines a disk image, a file or a directory of files and pulls out information such as credit card numbers, domains, e-mail addresses, URLs and ZIP files. The extracted information is written to a set of text files that can be examined manually or analysed with other forensic tools.
With bulk extractor you can pull digital information from hard drives, SSDs, optical media, camera cards, cell phones and other kinds of digital media.
The following output files are created by bulk extractor:
- ccn.txt – Credit card numbers.
- ccn_track2.txt – Credit card 'track 2' information.
- domain.txt – Internet domains found on the drive.
- email.txt – Email addresses.
- ether.txt – Ethernet MAC addresses found via IP packet carving of swap files and file fragments.
- exif.txt – EXIF data from images and video segments; this file has all of the EXIF fields.
- find.txt – Results of the specific regular expression search requests.
- ip.txt – IP addresses found by IP packet carving.
- telephone.txt – US and international telephone numbers.
- url.txt – URLs found in browser caches, email, messages and compiled into executables.
- url_searches.txt – Search terms used in Internet searches on services such as Google, Bing, Yahoo and others.
For each of the files above, two further files may be created: "*_stopped.txt" and "*_histogram.txt".
- The *_stopped.txt file lists data that is normally not necessary for the investigator to see. Sometimes this data may still contain important evidence that should not be hidden from anyone, so the stopped entries are saved in the stopped files rather than discarded.
- The *_histogram.txt file created by bulk extractor counts how often each feature occurs. Experience shows that features such as email addresses, URLs, domain names and user accounts that show up frequently on mobile phones or SSD drives can often be used to create a pattern-of-life report.
There are three post-processing programs for bulk extractor output.
The first program shows the differences between two bulk extractor runs. The idea is to clone a computer, run bulk extractor on the image file, let the computer run, re-clone the computer and run bulk extractor on the new image, then report the differences. This is used to keep an eye on a user's activities over a certain time period.
The second tool is still in development. It takes bulk extractor reports from runs against multiple drives and performs multi-drive correlation using Garfinkel's Cross Drive Analysis technique.
The third program takes a bulk extractor feature file and a DFXML file, which records the location of each file on the drive, as input and generates a feature file that contains the offset, the feature and the file in which the feature was found.
The figure below shows data being extracted from a forensic image. Bulk extractor comes in two forms, a command-line tool and a GUI tool. In this example bulk extractor was used to extract data from the forensic image we had taken and to save the results to a folder called "BE_Output". The results can then be viewed in the Bulk Extractor Viewer.
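As an added illustration (my own example code, not part of bulk extractor), the following Python script parses constructed sample email.txt feature files from two runs, produces a *_histogram.txt-style count as described above, and reports the features added or removed between the runs in the manner of the first post-processing program. The sample lines, and the tab-separated layout they follow, are constructed for illustration.

```python
from collections import Counter

# Constructed sample email.txt feature files from two bulk extractor runs of the
# same machine (illustrative, not real tool output). Comment lines begin with '#';
# each feature line is TAB-separated: offset, feature, surrounding context.
RUN1_EMAIL_TXT = """# BULK_EXTRACTOR-Version: (constructed sample)
# Feature-Recorder: email
# Filename: image_day1.raw
4096\talice@example.com\tFrom: alice@example.com
8192\tbob@example.org\tTo: bob@example.org
65536\talice@example.com\tReply-To: alice@example.com
"""
RUN2_EMAIL_TXT = """# Feature-Recorder: email
# Filename: image_day2.raw
4096\talice@example.com\tFrom: alice@example.com
8192\tbob@example.org\tTo: bob@example.org
131072\tcarol@example.net\tCc: carol@example.net
"""


def parse_feature_file(text):
    """Yield (offset, feature, context) for each feature line, skipping comments."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) < 2:
            continue  # tolerate a malformed line instead of aborting the whole file
        # Offset stays a string: recursive carving yields forensic paths like 123-GZIP-45
        context = parts[2] if len(parts) > 2 else ""
        yield parts[0], parts[1], context


def histogram(text):
    """Count occurrences of each feature, which is what *_histogram.txt summarises."""
    return Counter(feature for _, feature, _ in parse_feature_file(text))


def format_histogram(counts):
    """Render in the histogram layout 'n=COUNT<TAB>FEATURE', most frequent first."""
    return "\n".join(f"n={n}\t{feature}" for feature, n in counts.most_common())


def diff_runs(before_text, after_text):
    """Report features that appeared or disappeared between two runs of the tool."""
    before, after = set(histogram(before_text)), set(histogram(after_text))
    return {"added": sorted(after - before), "removed": sorted(before - after)}


if __name__ == "__main__":
    print(format_histogram(histogram(RUN1_EMAIL_TXT)))
    print(diff_runs(RUN1_EMAIL_TXT, RUN2_EMAIL_TXT))
```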
Figure 4: Bulk extractor
Free Hex Editor Neo is a hexadecimal editor designed for investigating very large files. It can be used to investigate database files or forensic images, and it also supports manual data carving (used for recovering deleted images, videos, documents, etc.), low-level file editing, collecting data and finding hidden data.
Figure 5: Hex Editor Neo
To use this tool go to 'File > Open' to load the file in Hex Editor Neo. The whole content of the image file is shown in the centre pane, where you can start your investigation manually or press CTRL + F to search for particular things.
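As an added example (my own code, not part of Hex Editor Neo), this Python script automates the manual data carving described above on a constructed disk-image fragment: it scans for JPEG start-of-image markers, carves each file up to its end-of-image marker, and flags a truncated file whose end marker was overwritten so that it can be reviewed by hand in the hex editor. The image bytes and the marker sanity check are constructed for illustration.

```python
import hashlib

SOI = b"\xff\xd8\xff"  # JPEG start-of-image marker plus the 0xFF of the next marker
EOI = b"\xff\xd9"      # JPEG end-of-image marker
# Marker bytes that legitimately follow SOI (APP0-APP15, DQT, SOF0, DHT); used to
# reject chance FF D8 FF sequences found in random data.
VALID_AFTER_SOI = set(range(0xE0, 0xF0)) | {0xDB, 0xC0, 0xC4}


def _fake_jpeg(payload, with_eoi=True):
    """Build a minimal JFIF-like blob for the constructed image (not a real picture)."""
    return SOI + b"\xe0\x00\x10JFIF\x00" + payload + (EOI if with_eoi else b"")


# Constructed disk-image fragment: unallocated zeros, one intact JPEG, more zeros,
# then a JPEG whose tail was overwritten so its EOI marker is gone.
IMAGE = (b"\x00" * 512 + _fake_jpeg(b"A" * 100)
         + b"\x00" * 300 + _fake_jpeg(b"B" * 50, with_eoi=False) + b"\x00" * 200)


def carve_jpegs(data, max_size=10 * 1024 * 1024):
    """Return (offset, bytes, complete) for each JPEG header found.

    Scans for SOI, validates the marker byte that follows, then carves up to the
    next EOI. If no EOI occurs within max_size the remainder is still returned,
    flagged complete=False, so the examiner can review the truncated file by hand.
    """
    results = []
    pos = 0
    while True:
        start = data.find(SOI, pos)
        if start == -1:
            break
        if start + 3 >= len(data) or data[start + 3] not in VALID_AFTER_SOI:
            pos = start + 1  # false positive: keep scanning
            continue
        end = data.find(EOI, start + len(SOI), start + max_size)
        if end == -1:
            results.append((start, data[start:start + max_size], False))
            pos = start + len(SOI)
        else:
            results.append((start, data[start:end + len(EOI)], True))
            pos = end + len(EOI)
    return results


def carve_report(data):
    """Summarise each carved object with its hash, as you would record in case notes."""
    return [{"offset": off, "size": len(blob), "complete": ok,
             "sha256": hashlib.sha256(blob).hexdigest()}
            for off, blob, ok in carve_jpegs(data)]
```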
Advantages of Hex Editor Tool:
- It lets users find patterns of data in very large files in seconds, which makes it a great time saver.
- It has all the functionality and you can use it for free.
- It lets users create file patches in just one click.
- It supports multi-core processing, which makes it efficient.
The basic functions of the tool such as copy, paste, cut, fill, delete, insert, import and export are free. Some advanced features are also available. Both insert and overwrite modes are supported. With the clipboard function you can exchange binary and hexadecimal data with other applications. The free binary file editor lets you perform actions such as unlimited Undo/Redo (go back to a previous action and/or forward to the next one), Save/Load operation history (save the actions you have performed and/or load the file in which you performed them), 32-bit/64-bit patch creation, and Find/Replace for hex, decimal, octal, binary and float values.
Figure 6: Installation of Hex Editor Neo
You can select several blocks of hex data or text in Hex Editor Neo. This feature is known as 'multiple selection'. Most editors do not allow you to select both data and text, but this tool does, so you can select as many blocks as you need. Multiple selection is enabled by default, so when you select further data the previously selected data stays selected. The figure below shows this feature.
Figure 7: multiple selection of blocks
You can also reveal hidden data with this tool. There are four auto-hide bars, one on each side of the application window. To auto-hide a frame, click the Auto Hide button. A dialogue box then lets you choose which kind of data you want to see: archive data, hidden data, system data or read-only data. The figure below shows this feature.
Figure 8: To see hidden data
Who can use this tool?
- This tool can be used by software and hardware developers, coders and engineers.
- Students from colleges and universities, and private users.
- Gamers and technology enthusiasts.
- The most important users of this tool are computer forensic analysts, investigators and digital experts.
Where can this tool be used?
- To create binary patches used for microcode programs.
- To study the internal structure of exe, dll, dat, bin and many other file types.
- To inspect binary files, hex codes and exe programs.
- On a PC, smartphone, tablet or laptop as a game hex editor to create new games.
Computer Online Forensic Evidence Extractor (COFEE) is a forensic tool developed by Microsoft to help forensic analysts extract evidence from Windows PCs. When installed on a USB pen drive or other external drive it works as an automated forensic tool during a live investigation.
The device is operated by inserting it into a USB port. It has 150 tools and a GUI to help investigators collect data. First, an analyst configures COFEE in advance by choosing the information he wants to extract; that configuration is then saved to a USB device for plugging into the target PC. COFEE has tools for password decoding and Internet history extraction. It can also retrieve information held in volatile memory, which would be lost if the PC were shut down.
COFEE is designed to use minimal resources so that it changes the operating environment as little as possible while collecting information such as processes, files and network status. It does this by presenting a normal user interface and running copies of other software programs included on the USB device to collect the information. In this respect COFEE is no different from other tools such as ForensiX or the older menu-based systems for running programs. There are many 'live' forensic tools that do the same job of analysing data from systems while they are running, and in most cases they look far more forensically sound.
What kind of programs does COFEE run?
The programs used in COFEE are listed below; I have retrieved this list from Internet sources. These programs have existed for a long time in operating environments such as Windows, Linux and UNIX. Their operation is well understood, and some of them are even available for examination of their properties. This also helps with authenticating their results for legal purposes, because they are well-regarded tools used in day-to-day work. Even though the tool may sound perfect, it still has some limitations.
The consistency of this tool is commendable with respect to the normal legal process, and its output is admissible in court proceedings.
The following programs are used in COFEE:
- Arp.exe – Displays Address Resolution Protocol (ARP) entries from the cache on the local PC.
- At.exe – Lists programs scheduled for future and periodic execution.
- Autorunsc.exe – Shows programs scheduled to 'auto run' at boot.
- Getmac.exe – Shows the MAC address of the network interface.
- Handle.exe – Similar to the Unix lsof command; shows information about files, ports, registry keys, synchronization objects and threads.
- Hostname.exe – Shows the name of the host.
- Ipconfig.exe – Shows configuration information for network interfaces.
- Msinfo32.exe – Displays a comprehensive view of the hardware, system components and software environment.
- Nbtstat.exe – Shows local NetBIOS name status information, IP address sessions, and the IP addresses and names of remote machines.
- Net.exe – Lists network information: network shares, resource usage, open shared files and user account settings such as password age and minimum length; lists computers in a workgroup and the shared resources available per computer; can start local services; lists and selectively deletes connected sessions; lists members of groups (administrators, guests, etc.); and can add, delete, view or manage network groups.
- Netdom.exe – On a domain controller, gets information about the domain.
- Netstat.exe – Shows protocol statistics and current network connections including IP addresses, ports and process IDs.
- Openfiles.exe – Lists files and folders that have been opened remotely on the system. Requires admin privileges.
- Psfile.exe – Local and remote network file lister.
- Pslist.exe – Shows status and details of processes in tree format.
- Psloggedon.exe – Shows who is logged in.
- Psservice.exe – Lists services on a local or remote system.
- Pstat.exe – Shows the status of processes and drivers currently running on the computer.
- Psuptime.exe – Displays the system's current 'up time'.
- Quser.exe – Lists information about logged-in users.
- Route.exe – Displays routing information.
- Sc.exe – Queries the status of a service, or enumerates the status for types of service, with extended information.
- Sclist.exe – Shows the services on the local machine.
- Showgrps.exe – Shows the groups that have members.
- Srvcheck – Checks the server information on localhost.
- Tasklist.exe – Displays the services hosted in each process.
- Whoami.exe – Displays the user currently logged in.
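As an added example (my own code, not COFEE's), this Python script mirrors COFEE's collection model: it runs trusted copies of a subset of the programs listed above from the collection media rather than the host's copies, saves each output, and writes a SHA-256 manifest so the outputs' integrity can be re-verified later. The tool directory, the argument choices and the fake outputs in demo() are assumptions made for illustration; demo() runs offline without the Windows executables.

```python
import datetime, hashlib, json, subprocess
from pathlib import Path

# Which of the COFEE programs listed above to run, and with which arguments.
# The argument choices are this example's assumptions, not COFEE's own profile.
DEFAULT_PLAN = [
    ("arp", "arp.exe", ["-a"]),
    ("ipconfig", "ipconfig.exe", ["/all"]),
    ("netstat", "netstat.exe", ["-ano"]),
    ("tasklist", "tasklist.exe", ["/svc"]),
    ("whoami", "whoami.exe", []),
]

def run_from_media(exe_path, args):
    """Run the trusted tool copy shipped on the USB device, never the host's copy in PATH."""
    proc = subprocess.run([str(exe_path), *args], capture_output=True, timeout=120)
    return proc.stdout + proc.stderr

def collect(tool_dir, out_dir, plan=DEFAULT_PLAN, runner=run_from_media):
    """Run every tool, store its raw output, and hash it so integrity can be shown later."""
    tool_dir, out_dir = Path(tool_dir), Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    manifest = {"collected_utc": datetime.datetime.now(datetime.timezone.utc).isoformat(),
                "items": []}
    for name, exe, args in plan:
        try:
            data = runner(tool_dir / exe, args)
        except (OSError, subprocess.SubprocessError) as exc:
            data = f"COLLECTION ERROR: {exc}".encode()  # record the failure, never skip silently
        target = out_dir / f"{name}.txt"
        target.write_bytes(data)
        manifest["items"].append({"name": name, "command": " ".join([exe, *args]),
                                  "file": target.name, "bytes": len(data),
                                  "sha256": hashlib.sha256(data).hexdigest()})
    (out_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest

def verify(out_dir):
    """Re-hash each saved output against the manifest; return the names that no longer match."""
    out_dir = Path(out_dir)
    manifest = json.loads((out_dir / "manifest.json").read_text())
    return [item["name"] for item in manifest["items"]
            if hashlib.sha256((out_dir / item["file"]).read_bytes()).hexdigest() != item["sha256"]]

def demo():
    """Offline dry run: constructed fake outputs stand in for the Windows executables."""
    import tempfile
    fake = {"arp.exe": b"Interface: 10.0.0.5\n  10.0.0.1  00-11-22-33-44-55  dynamic\n",
            "whoami.exe": b"lab\\analyst\n"}

    def fake_runner(exe_path, args):
        if exe_path.name not in fake:
            raise OSError(f"{exe_path.name} is missing from the tool directory")
        return fake[exe_path.name]

    with tempfile.TemporaryDirectory() as tmp:
        out = Path(tmp) / "out"
        manifest = collect(Path(tmp) / "tools", out, runner=fake_runner)
        clean = verify(out)
        (out / "arp.txt").write_bytes(b"edited after collection")  # simulate tampering
        return manifest, clean, verify(out)
```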
Figure 9: How COFEE works
The most widely used digital forensic software tool is EnCase. EnCase is used by the Air Force, the FBI, the Navy and several police departments. The product is intended for legal, security and digital investigations and for discovery. This toolkit is court admissible and is mainly known for its speed and usability. It does most of its preparation and indexing in advance, so it loads faster than other tools; this means you can focus on a specific finding, which in turn drastically speeds up your examination.
There are numerous obstacles that a forensic investigator has to contend with at a crime scene. Each new finding creates endless possibilities, so continuous training is important. The rapid growth of technology and larger storage devices has required the forensic investigator to analyse data thoroughly, which leads to large numbers of cases piling up. It is very rare that a forensic investigator gets the result on the first attempt, but EnCase has proved very handy to both new and professional forensic investigators.
Key Features of EnCase are as follows:
- Enhanced Indexing Engine – With the enhanced indexing built into EnCase, investigators can conduct their investigations with powerful processing speeds, advanced index searching and optimised performance.
- Reliable Acquisition of Evidence – With EnCase Forensic, examiners can be confident that the integrity of the evidence will not be compromised. All evidence captured with EnCase Forensic is saved in the court-accepted EnCase evidence file formats.
- Deep Forensic Analysis – EnCase Forensic is known for its ability to uncover evidence that may go unnoticed if analysed with other solutions.
- Mobile Collection – With over 27,000 mobile device profiles supported, EnCase Forensic supports the latest smartphones and tablets.
- Broad OS/Decryption Support – Offering the broadest support of operating and file systems, artifacts and encryption types, EnCase Forensic enables the investigator to provide conclusive results with a detailed analysis of findings.
- Easy Reporting – A completed case is only as good as its final report. Using customisable templates in EnCase Forensic, examiners can create compelling, easy-to-read, professional reports that can be shared for every case.
In this report I have explained some forensic tools: how they work and how they can be used on an everyday basis. The main aspects of these tools are also covered. The tools explained are DSi USB Write Blocker, bulk extractor, Free Hex Editor Neo, Computer Online Forensic Evidence Extractor (COFEE) and EnCase. I have also included their advantages, who can use them, their benefits and their features in practice, together with images of the tools so that anyone can get an idea of how to use them in day-to-day work.
Computer forensics is widely successful in today's cyber world and in dealing with tech-related crime. Many high-end multinational companies and large law firms are hiring computer forensic investigators in order to avoid any misuse of their confidential information, software and hardware components, etc.
The field of digital forensics has grown significantly in the last decade. The main focus of digital forensics is to prevent any sort of tech-related mishap, and forensic investigators are always working hard towards that.