Computer Forensic Tools
Certain evidence on a computer is hidden from casual users, so different types of software and tools are used to acquire computer evidence. There are a few types of computer forensic software used to aid in accomplishing the required forensic tasks:
- Disk Imaging software
- Hashing tools
- File recovery programs
- Analysis software
- Encryption decoding software / Password Cracking software
- Viewers
- CD-R Utilities
- Text Searches
- Forensic Programs
In the event that a hard drive which may contain valuable evidence for trial is physically damaged, for example accidentally dropped or destroyed by the suspect, data recovery services offered by professional data recovery companies may help recover lost data whose recovery was deemed impossible using software recovery tools.
Disk Imaging Software
It is very important that the computer forensic examiner make an exact image copy of the media rather than working on the original, because it is absolutely necessary to provide assurance that the evidence you acquire is valid. After making the copy, be sure to verify it before examination.
Instances where you need to work on the original media may occur, for example if you need to produce evidence during investigations which will not be presented in court. Working on the original is also possible or desirable in cases where copying the media would cause service interruptions.
Hashing Tools
After making an image copy, you may want to verify that the copy is 100% identical to the original. Hashing tools do this job: the hash value of the copy is compared with the hash value of the original.
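The verification step described above, as an added example that is not part of the original page: a Python sketch that hashes the original and the image copy in chunks, compares the digests, and reports the first differing block when they do not match. The function names, file names, choice of SHA-1 and SHA-256, and the constructed 4 KiB sample "disk" are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so large images never sit in memory

def digest_file(path, algorithms=("sha1", "sha256")):
    """Return {algorithm: hex digest} for the file or device at `path`."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def first_difference(original, image, block=512):
    """Return the offset of the first differing 512-byte block, or None."""
    with open(original, "rb") as a, open(image, "rb") as b:
        offset = 0
        while True:
            x, y = a.read(block), b.read(block)
            if x != y:          # also catches one file ending before the other
                return offset
            if not x:           # both files ended without a difference
                return None
            offset += block

def verify_image(original, image):
    """Compare digests of original and copy; locate the divergence if any."""
    src, dst = digest_file(original), digest_file(image)
    match = src == dst
    diff = None if match else first_difference(original, image)
    return {"match": match, "original": src, "image": dst,
            "first_diff_offset": diff}

def demo():
    """Constructed data: a 4 KiB 'disk', a good copy, a copy with one bad byte."""
    workdir = tempfile.mkdtemp()
    disk = bytes(range(256)) * 16
    corrupted = bytearray(disk)
    corrupted[1500] ^= 0xFF     # flip one byte inside the block at offset 1024
    paths = {}
    for name, data in (("original", disk), ("good", disk), ("bad", bytes(corrupted))):
        paths[name] = os.path.join(workdir, name + ".dd")
        with open(paths[name], "wb") as fh:
            fh.write(data)
    return (verify_image(paths["original"], paths["good"]),
            verify_image(paths["original"], paths["bad"]))
```

Recording the digests of the original at acquisition time lets the same comparison be repeated later against the working copy.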
File Recovery Programs
File recovery programs are useful when searching for deleted or lost files. For deleted files, these programs will search for files marked “deleted” but not yet overwritten. Sometimes recovered files are incomplete due to partial overwriting, which may make them more difficult to analyse.
Analysis Software
Analysis software scans the media for specific files or folders required by the investigator. However, it can be difficult and time consuming to search files manually due to the increasing storage capacity of most media today.
Encryption Decoding Software / Password Cracking Software
This is useful when you need to decrypt protected files or unlock password files.
File Viewers
File viewers are an important tool for a computer forensic examiner, as they are more efficient than using applications such as Word. They are capable of viewing files of different formats. As file viewers do not provide editing or saving capabilities, they are much faster for examining large amounts of data, and you do not have to worry about overwriting the data while examining it.
CD-R Utilities
When collecting CDs as evidence, it is important that they be examined as thoroughly as you would do for a hard drive. Modern operating systems support the ability to write multiple sessions on a single disk. As you write a new session or additional data on the CD, previous sessions of data will be completely invisible without the use of CD diagnostics software.
Text Search Utilities
A text search utility like dtsearch is very useful, as it can search through gigabytes of text in different popular file formats at very high speed. It also includes a fuzzy search, which enables you to find misspelled words, and a thesaurus to include synonyms in the search.
Dtsearch also has the ability to search through Microsoft Outlook .pst files. Normally, if you have the Microsoft Outlook software, you would open the .pst file in the application and let it search for a specific word that you indicated. After the search is complete, you have to open the mail to process it. Dtsearch saves a lot of this time by creating an index of every word on the hard drive. After indexing, a search displays all related records for manual review and takes you to the words in the index.
More details of the software can be found at:
http://www.dtsearch.com/
Forensic Programs
Forensic programs are designed specifically to suit computer forensic needs: collecting relevant data and analyzing the data related to a specific case.
There is a lot of computer forensic software on the market, and you should test programs to find the one that meets your satisfaction. One thing we can conclude is that no single product can do everything. So the more tools you have, the more likely you are to find the important data you need.
Some examples of forensic software:
- Forensic Toolkit
- ForensiX
- EnCase