Introduction
This report covers five digital forensics software tools that vary in user difficulty from the beginner to intermediate level. These five tools cover various aspects of digital forensics to include memory analysis, mobile forensics, network forensics, decryption and various other aspects and functions. The five tools listed in this report are designed to service various customers and environments in the digital forensics industry such as law enforcement, academic, government and business.
Each of the five tools is analyzed based on six aspects which are price, availability, performance, functionality, use cases and the ideal customer. Some of the tools in this list are free while others have paid options for additional features. The tools in this list are designed to service various types of customers depending on their budget and availability needs. Each tool has been picked as to not sacrifice performance and functionality for price and availability. As you will learn each of the tools in this list are feature rich and would prove to be useful in any investigative toolkit.
Lastly the tools are analyzed in terms of their best use case and ideal customer. Certain tools are more suitable for law enforcement due to their functionality. For law enforcement units pricing may not be as much of a barrier to entry as it may be for small businesses and individuals. Additionally, some tools have a more broad or narrow use case depending on their scope of functionality. Law enforcement environments may require a more robust tool with a multitude of features as compared to a rudimentary software designed for just one function.
Autopsy Digital Forensics
Autopsy is a digital forensics software that is commonly used throughout the world for a variety of digital forensics tasks. Autopsy’s functionality is centered around memory acquisition and analysis of physical and logical drives. Autopsy can be used to examine data on computers, mobile devices and other information systems that store electronic data. Autopsy is more of a suite or collection of digital forensics tools in one program that can be easily utilized depending on the user’s specific needs. Autopsy is routinely used by law enforcement, business and government customers for its ease of use, feature rich utilities and cost (Autopsy, n.d.).
Pricing & Availability
Autopsy is a free open source digital forensics suite that is accessible through the manufacturer’s website. Autopsy can be quickly downloaded onto the users computer by going to ‘www.Autopsy.com' and clicking the download button in the menu at the top of the page. Autopsy is designed to function on a Windows operating system which the only limitation placed on the user. The website offers several different variants of Autopsy for download but the most common is the 64 bit version.
Downloading Autopsy is quite easy and the installation only takes a few minutes. Once the software is successfully downloaded and installed you will be able to open the software. From here the user can start a new case and choose either a physical or logical drive for acquisition. The tool then allows the user to generate a copy of the hard drive to preserve the original evidence. After this the user will then open the copy of the original data as a logical drive where they can begin their analysis of the electronic evidence.
Performance & Functionality
Autopsy offers a multitude of unique features and options for investigators that can be tailored to each investigation. Once the user has successfully set up their logical drive for analysis they can choose from a list of analytic tools to filter the evidence for later viewing. The first tool that will be discussed is the keyword search tool which allows the user to create a list of keywords they want to search for during analysis. This can be used for common terms associated with illicit activities or terrorism. The tool also allows for the search option to be conducted in multiple languages which is a helpful add on (Cybervie, n.d.).
The next tool within Autopsy is the Central Repository Tool which allows the user to automatically spot trends and associations between various different devices and case files. This tool is extremely helpful if the investigator is analyzing multiple electronic devices across a long period of time during an investigation. Items such as IP addresses, names, MAC addresses and much more can be identified to help the investigator spot trends that would be to complex or detailed to notice in real time.
Autopsy offers a variety of other tools and functions within the software that will autonomically extract, filter and analyze large quantities of data relevant to an investigation. These additional tools include the Picture Analyzer which will extract photos and their subsequent metadata, the File Extractor which will decompress various useful files of interest within a drive and the Deleted Files View which scrapes the drive for deleted files that were wiped by one of the users (Cybervie, n.d.).
When Autopsy is up and running the user has a quad screen that shows them a logical map of the entire drive. This is a hierarchical file system that they can use to explore various items on the drive. On this screen the user has access to multiple viewing options that allow the user to explore different sections of the drive such as file metadata, operating system information, user account data, network card data, program files and much more (Infosec Institute, 2018).
Use Cases & Ideal Customer
The most common use case for Autopsy is the extraction, preservation and analysis of physical hard drives associated with computers, laptops and mobile devices. The user will need physical access to the device in order to run it through the Autopsy software. Autopsy is a tool used for digital forensics after an incident has occurred unlike some of the tools described below that can capture data in real time. Autopsy is commonly used by law enforcement professionals to investigate electronic devices associated with a crime. The wide variety of tools and filtering options makes Autopsy an easy to use platform that is ideal for users that with a need to quickly start forensic conducting tasks. Since Autopsy is free it is also an ideal option for customers who do not have a substantial budget for forensic tools.
WireShark
WireShark is a network forensics tool which acts as a protocol analyzer or a packet sniffer. WireShark is routinely used by a variety of customers with business, law enforcement and government applications. As a protocol analyzer WireShark allows the user to view packet captures that are being transmitted on a network. WireShark has dozens of tools that allow the user to investigate various aspects of network packets all through the use of an easy to learn graphical user interface. WireShark is the industry standard for network forensics and deserves a place in any forensics toolkit (CompTIA, n.d.).
Pricing & Availability
WireShark is a free open source digital forensics software that can be downloaded at 'www.wireshark.org'. The developer’s website offers several options for downloading Wireshark which include an option for Windows operating system and Mac operating system. The site also offers the stable release of the tool’s source code for custom applications. The current version of WireShark is version 4.0.0 however, older versions are available for download going back to version 3.6.8 (WireShark, n.d.).
Performance & Functionality
WireShark has many features for a free network forensics software which include VoIP analysis, decryption of various protocols and dozens of refined search filters. Running the program and capturing packets is intuitive once the software has been downloaded. When capturing packets the graphical user interface shows the user three unique screens displayed in three rows. The top row is called the packets list which shows the network traffic passing through the software. Here the user can clearly see source and destination IP addresses, MAC address, network protocols, port numbers and other relevant details (CompTIA, n.d.).
The second row is called the details view which allows the user to conduct further analysis of a specific packet. By clicking on a packet in the packets view the details view will automatically open up a hierarchical list of details about the packet. This section will show amplifying information about the packet selected such as encryption details, frame details and potentially message traffic on an open network. The third view is called the bytes view which displays the selected packet in its raw byte form. The data will be displayed in a hexadecimal format which can be used for further analysis.
WireShark also offers a large section of search filters that can help the investigator find specific information in the total packet capture or within a specific packet. Search queries can easily be typed into the top bar above the packets view and the program will automatically begin the search. This can be used for searching specific items such as IP addresses, port numbers and protocol types. Additionally there are other features in the packet capture statistics tab at the top of the page. This will show the user additional details such as the protocol hierarchy, conversations between nodes and a flow graph showing a visual representation of the traffic (Orgera, 2020.)
Use Cases & Ideal Customer
WireShark is a unique tool in that it is relatively easy to learn and is also packed with unique features that could be considered advanced. This is likely why WireShark is such a highly regarded network forensics software within the industry. It can easily be downloaded and used by beginners and is also highly capable making it useful for more advanced functions. WireShark is commonly used throughout the world in a variety of settings to include law enforcement, business and academic environments. Due to its low cost and ease of use the barrier to entry for getting started with WireShark is quite low. Any investigator needing to conduct network protocol analysis would find WireShark to be an ideal tool for the job especially where price was a deciding factor when building a forensics toolkit.
Network Miner
Network Miner is another open source network forensics tool that can be used for similar functions as WireShark. Network Miner is a considered a passive protocol analyzer which allows the user to intercept traffic on a network. Network Miner can be used to investigate highly refined details of each packet within a network conversation such as port number being used, network protocols and encryption information. Network Miner is considered the runner up in comparison to WireShark due to its increased cost and functional limitations.
Pricing & Availability
Network Miner is available for free download on the developer’s website at 'www.netresec.com'. However, it must be noted that the version available for free download has limited functionality compared to the professional version which is currently listed for $1,200 USD. The free version of Network Miner appears to only have around fifty percent of the features as the professional version making it less available for price conscious users. With this being said the free version still has numerous valuable functions that an investigator can use such as live packet sniffing, OS fingerprinting, hash extraction and other advanced features (Netresec, n.d.).
Performance & Functionality
The professional version of Network Miner is on par with WireShark and may be more advanced in some respects. In addition to all of the free features the professional version of the software offers advanced functions such as extraction of VoIP calls, advanced OS fingerprinting, and command line scripting options. The software comes with additional built in tools such as an open source intelligence (OSINT) tool for looking up hash files and other packet specific details. Another professional tool is web browser tracing which allows the user to examine highly specific browsing activity over a network (Helmvik, 2016).
Use Cases & Ideal Customer
Network Miner is similar to WireShark in that it offers an easy to use graphical user interface that is relatively intuitive. The application is however much less intuitive than WireShark making it slighter more difficult to learn. In terms of functionality Network Miner is on par with other free network sniffers on the market but is greatly limited when compared to the professional version.
The ideal customer for Network Miner is a customer that has access to more funding for digital forensics tools. In order to get the most functionality out of Network Miner it is best to purchase the professional option which likely exceeds the budget of hobbyists, academic students and individuals. However, a law enforcement unit or small business could easily cover the cost of the professional version of Network Miner unlocking its advanced features. The professional version of Network Miner would likely be a better option for a serious user when compared to the functionality of WireShark.
FTK Imager
FTK Imager is a memory analysis tool used for data preview and imaging of computer hard drives for digital forensics. FTK Imager operates similar to Autopsy in its functionality and allows the user to create a digital copy of the drive for later analysis. FTK Imager can be used to create a disk image file upon which the memory, image files, meta data and other files can be analyzed by investigators. FTK Imager is best known for its ability to create a hash function of original evidence to verify data preservation for chain of custody. This is an important aspect of digital forensics most notably in law enforcement cases.
Pricing & Availability
FTK Imager is a free and open source digital forensics software than can be downloaded on the developer’s website at ‘www.accessdata.com’. The download page is located under the ‘products & services’ tab on the top of the page. Before downloading FTK Imager the user must fill out a short form designed to capture customer data likely used for marketing purposes. After this the download will begin. FTK Imager is designed to work on a Windows operating system so users with non-compatible systems will need to use a virtual machine to power the software on devices with other operating systems (Access Data, n.d.).
Performance & Functionality
FTK Imager provides the user with an easy to use and understand graphical user interface that walks them through the process. First the software will instruct the user to create a new case file and then will allow them to connect the drive they want to copy. From here there are options for what type of copy will be made. Most users will select the ‘Raw DD” which is a standard bit-by-bit copy of the drive. Then the user will select the type of hash function they want to use to verify the copy (SANS, 2009).
After this the user will be able to open the disk image as a logical drive and they can begin the analysis of the drive with multiple filters and tools. FTK Imager offers many built in tools for analysis such as an option to view the recycle bin which is accessible by scrolling through the file viewer to the ‘recycle bin’ folder. From here users will be able to see deleted files by the computer’s owner.
Another function is the ability to view embedded thumbnail images which are tiny image files associated with various files. This function however requires the user to download an external tool known as a thumb cache viewer. From this view the investigator can examine multiple thumbnail images that are associated with files on the drive. Here the user may be able to find evidence of criminal activity on the device that the user was not aware of or tried to delete previously (Equivio, n.d.).
Next is the system resource usage monitor which is a tool associated with Windows devices that shows a multitude of information about the device. This tool allows the investigator to examine a spreadsheet that lists sensitive details about the device such as the energy usage, notifications and application data. This tool can also be used to user accounts and what applications they used along with timestamps. The investigator can also use this function to examine network data such as which SSID’s the computer historically connected to.
Use Cases & Ideal Customer
FTK Imager is slightly more advanced than Autopsy and offers additional functions that may be considered advanced. However, it is a free and open source tool so it has much more availability than some of the more expensive tools on the market. FTK Imager would be ideal for the intermediate level investigator with budget concerns. FTK Imager is a feature rich digital forensics tool that should be considered by most investigative teams as some of its features are essential to the digital forensics process. For a free tool this software is compatible to some of the paid options on the market. The only downside of this tool is that it only operates in a Windows environment however this problem can be solved by an individual skilled in information technology.
Andriller
Andriller is a digital forensics tool that is designed to collect mobile forensics data from Android devices. Andriller allows the investigator to extract hard drive data from the mobile device as well as cellular communications data. Mobile forensics is a growing field within digital forensics and is becoming more valuable each year as more people begin to use mobile devices. As mobile devices such as smartphones become more advanced their value from the perspective of digital forensics increases as they store and process more data that ca be used in an investigation.
Pricing & Availability
Andriller is a free and open source software that can be downloaded on the internet. Andriller works with Python so this functionality must be downloaded on the host devices in order to run the software. Andriller is available on GitHub which is a code repository for IT, computer science and cybersecurity professionals and hobbyists. The tool requires the user to download and run the software through the command line interface so this may make it a more advanced tool (Chirila, 2014).
Performance & Functionality
Andriller is a simple tool and is easy to operate once it is up and running. The user will see a small graphical user interface with only a few options. The investigator will need to connect the device and then verify its connection with the ‘check’ button on the software. Here the user will see a serial number that corresponds with the mobile devices. From here the investigator can begin the extraction of the data on the mobile device (GitHub, n.d.).
After the extraction the user will see a webpage link that is displayed on the software. By clicking this link a window will pop up that has several options for viewing the data. Information about the device such as MAC address, user accounts, emails and application data will populate the screen. The link for shared storage will show the investigator sensitive information such as call logs, text messages and a contacts list. The ‘Android Calendar’ link will show a list of events that took place on the devices categorized by data and time (OpenBase, n.d.).
Use Cases & Ideal Customer
Andriller is a great tool that investigators can use to quickly acquire important data from an Android device. The tool is free and open source so it is available to anyone with an internet connection and a compatible operating system. Downloading and starting Andriller may prove to be difficult to some users as it requires the use of the command line interface. Because of this the tool may be considered to be at the intermediate level. This tool is ideal for any investigator who expects to be investigating Android devices who does not want to spend thousands of dollars on expensive mobile forensics software. This tool would be perfect for small businesses and academic environments.