Tool Kit: Computer Forensics Tools

As personal technology becomes increasingly ubiquitous, the need grows for user-friendly forensic analysis of these devices. This issue’s Tool Kit (continuing through Page 7) provides you with just a few of the newer technologies available to help with that analysis.

The UltraDock v5 from CRU-DataPort/WiebeTech offers digital forensic investigators fast access to bare 2.5- and 3.5-in. SATA and 3.5-in. IDE hard drives via five host-interface connections, including USB 3.0. The aluminum-constructed hardware device provides a way to make copies of evidence gathered in an investigation. It features a user-friendly menu, LCD screen, and access to S.M.A.R.T. drive data. UltraDock v5 provides important drive information such as model, serial number, and SMART data (hours used, power cycles, and disk health). It can detect, create, or modify HPA and DCO.
EnCase Portable enables both computer forensic professionals and those who have little to no computer forensics training to quickly search, preview, and collect information from computers without damaging the integrity of data. With this portable device, organizations can expand their digital investigation capacity by empowering everyone—not just the forensic experts—to perform forensic triage and data collection outside of the lab. EnCase Portable is an easy way to extend your forensic team, deliver results quicker, and overcome your case backlog today.
The USB 3.0/eSATA to SATA Standalone 1:3 Hard Drive Duplicator Dock enables users to perform 1:3 sector-by-sector duplication from a single SATA hard drive onto three others simultaneously, without needing to connect the dock to a host computer. The device also includes a SATA-to-IDE adapter that provides the option of connecting an IDE hard drive in one of the SATA slots. The duplicator dock can also be used as an external 4-bay hard-drive dock, connected through USB 3.0 or eSATA.
At validated speeds of more than 13 GB/min, the Image MASSter Solo-4 is a high-speed forensic hard-drive duplicator that offers investigators the ability to image one “suspect” to two “evidence” drives, or two separate “suspect” drives to individual “evidence” copies simultaneously. It natively supports SAS, SATA, and USB drives and features secure drive encryption, hard-drive sanitization, a built-in Gigabit Ethernet connection, and more. It authenticates with SHA-1, SHA-2, and MD5.
The SSD-7250 MKIII was developed by Adams Evidence Grade Technology, Inc. to satisfy the requirement for copying USB devices or digital flash memory cards to CD-R or DVD±R as a standalone secure data system for evidentiary use. There are no edit functions and no connectivity to any external computers—providing sound chain of custody and elimination of evidentiary cross-contamination. Should forensic analysis of the “captured” data ever be required, the company’s copy/duplication product line authenticates with the SHA-1 or MD5 hash algorithm examination process. Both the flash memory and duplicator sections of the SSD-7250 MKIII use the latest multi-format LG and Pioneer drives to assure the most accurate copies possible. Both sections can be run independently.
Perform a complete forensic acquisition of user data stored on iPhone, iPad, or iPod devices running any version of iOS. Elcomsoft iOS Forensic Toolkit allows eligible customers to acquire bit-to-bit images of file systems, to extract device secrets (passcodes, passwords, and encryption keys), and to decrypt the file-system image. The toolkit offers access to much more information compared to that available in backups, including access to passwords and usernames, e-mail messages, SMS, and mail files. Typical acquisition of an iPhone device takes around 20 minutes (depending on model and memory size).
XRY Complete is a purpose-built, software-based, mobile forensics solution with all the hardware needed for recovering data from mobile devices in a forensically secure manner. With a combination of logical- and physical-analysis tools for supported devices, XRY Complete can produce a combined report containing both live and deleted data from the same handset. The user interface of the supplied Windows-based XRY software application is simple to navigate, with a wizard designed to help walk the user through the entire process.
Secure View 3 boasts three primary features: 1) Support for a wide variety of mobile devices, regardless of the platform; 2) a comprehensive analytics module that goes beyond mere data display and instead gets to the core of forensics to find clues; and 3) data redundancy (works with other acquisition tools for data validation) and flexible reporting that allows creation of evidence reports on key data—not the entire content. You can learn more at:
Paraben's Mobile Field Kit is a completely portable handheld forensic solution. The kit includes everything you need to perform a comprehensive digital forensic analysis of over 4,000 cell phones, PDAs, and GPS devices anywhere, anytime. Better yet, you can use the Device Seizure dongle that comes in the kit on any lab machine, making it more than just a field kit. Additionally, the kit is expandable, allowing you to install other forensic software and take your entire toolbox anywhere you go.
The Apple iPhone offers an advanced multimedia experience that integrates cutting-edge phone, web, and media functions in one device. Forensically secure data recovery from such complex equipment requires a specialist solution. iXAM provides non-invasive data recovery from 2G, 3G, 3GS, and iPhone 4 models, as well as iPod Touch and iPad 1. iXAM delivers a range of information potentially vital to law enforcement investigation, providing anything from a stored contact or text message to an e-mail, photograph, or specific map location.
You can make field investigations easier and save time in the lab with Mobile Phone Examiner Plus (MPE+) from AccessData. A standalone mobile forensics software and optional preconfigured touch screen tablet, it supports 3,500+ phones, offers file system support for 80% of CDMA devices, and gives you a robust, affordable mobile phone forensics solution. MPE+ integrates seamlessly with FTK to let you correlate data on multiple phones, as well as mobile phone data with computer data.
The Steganography Analyzer Artifact Scanner (StegAlyzerAS) is designed to scan suspect media, or forensic images of suspect media, for known file and Windows Registry artifacts of 1,025 digital steganography applications. Examiners can quickly determine if the suspect downloaded or installed a steganography application on their computer. Detecting steganography applications during forensic examination means there is very high likelihood the suspect used the application to conceal information that may be crucial to the investigation.
The Eclipse screen capture tool is designed for efficiency and ease-of-use when conducting manual examinations in full digital forensics labs, cell phone examination kiosks, prisons, and even for field use. Intuitive software for evidence capture allows the user to easily take screen shots, record video and audio, and annotate evidence. Case export functionality provides an easy method of transferring cases to other users or labs.
The Applied Discovery Leverage Suite is an Internet-based SaaS solution that combines cloud technologies with a solid security and service infrastructure. It consists of three modules: Leverage Data Analytics (early and ongoing case assessment and data analysis tools); Leverage Review (review toolset capable of handling even the largest data sets efficiently, including: search, review, batching, and production tools); and Leverage Review Analytics (dashboard view of review rates, time against schedule, and quality/accuracy).
EMail Detective, a forensic software tool from Hot Pepper Technology, Inc., is for use with all versions of America Online, MBox Mail, GigaTribe, Facebook, and Yahoo chats. Any AOL or MBox e-mail that has been cached or saved on a user’s disk drive is extracted, complete with all embedded pictures. Online chat logs from GigaTribe, Facebook, and Yahoo are decoded and parsed for the investigator. A report is produced for the examiner.
Registry Decoder, developed by Digital Forensics Solutions, LLC, is a new tool for analyzing Windows registry files. The Microsoft Windows registry contains a large amount of forensically interesting information, including a history of attached devices, a list of user accounts, visited URLs, and more. Features of the Registry Decoder include registry-hive browsing and searching, plugins for targeted analysis, visualization of “differences” across registry files, data timelining, and automated reporting. Learn more at the Digital Forensics Solutions website:
The LBA Technology EMFaraCage is a convenient, radio-frequency secure-storage enclosure for the evidence room or laboratory. It is effective against RF frequencies to over 6000 MHz, and HEMP, solar flare, and power line electrical fields. The EMFaraCage may be configured for storage only, or with filtered power and data connections for use in evidence testing or “black hat” functions requiring isolation from external RF fields.
Interview with an Expert

One of the more specialized areas of crime-scene investigation has to do with searching for evidence of arson. To get some background in this area, we spoke with an individual who has had more than 46 years in fire service, 24 of which have focused specifically on fire/arson investigation.