Computer Forensic Tools. Computer Forensics: A Brief Overview Scientific process of preserving,...


Page 1: Computer Forensic Tools. Computer Forensics: A Brief Overview Scientific process of preserving, identifying, extracting, documenting, and interpreting.

Computer Forensic Tools

Page 2

Computer Forensics: A Brief Overview

• Scientific process of preserving, identifying, extracting, documenting, and interpreting data on computers

• The field of computer forensics began to evolve more than 30 years ago in the United States.

• With the growth of the Internet and the increasing use of devices connected to it, computer crime is increasing rapidly.

Page 3

Computer Crimes

Pure computer crime:
• Illegal access to a system or network
• Illegal transmission of data
• Data deletion, damage, alteration
• Serious hindrance to computer

Computer is the medium of a crime:
• Identity theft
• Fraud
• E-theft

Computer content related crime:
• Incriminating information stored in computer
• Child pornography
• Information that unleashes hostility/violence

Page 4

Tools for Computer Forensics

Computer forensic tools fall into two groups:

Integrated GUI based tools

Specialized single task tools, for example:
• Process information
• Network connection information
• List of processes
• Process to port mapping
• Service/driver information
• Registry analysis
• Executable file analysis

Page 5

Integrated GUI Based Tools

• Advantages:
– More effective for analyzing content related crime
– Useful for searching storage devices, retrieving deleted files and folders, and reconstructing graphic files

• Disadvantages:
– Very expensive
– Very complex in design; uses a lot of resources
– Requires trained professionals to use the tools

Page 6

Specialized Single Task Tools

• Advantages:
– More effective for investigating malware attacks, intrusions, etc.
– Useful for live response and live analysis
– Simple in design; most tools can be used from the command line
– Inexpensive, easy to learn and use
– Very effective for pedagogical purposes
– Can be modified/customized

Page 7

Specialized Single Task Tools

• Disadvantage:
– Has compatibility issues with different versions of operating systems

Page 8

Windows Forensic Analysis

• Windows Forensic Analysis by Harlan Carvey
– Teaches simple but effective analysis techniques for investigating malware attacks
– Provides CLI based tools for complete analysis of Windows Operating Systems

Page 9

Compatibility Issues with Newer Windows Operating Systems

• About 50% of the tools are not compatible with Windows XP and Vista


Page 10

Compatibility Issues with Windows Forensic Tools

Tool (compatible with Windows XP / Vista / Windows 7) – Description – Comment

Bonus\poladt.exe (XP: Yes, Vista: No, Windows 7: No) – Parse the raw Security file and display the audit policy

Bonus\srv_sort.exe (XP: Yes, Vista: No, Windows 7: No) – Retrieve Service key info from a raw Registry/System file, sorting the output based on LastWrite time; automatically determines which of the available ControlSets is marked "current"

ch3\code\lspd.exe (XP: Yes, Vista: No) – Parse process details from a Windows 2000 physical memory/RAM dump

ch3\code\lspi.exe (XP: Yes, Vista: No) – Parse process image from a Windows 2000 physical memory/RAM dump

ch3\code\lspm.exe (XP: Yes, Vista: No) – Dump the memory pages used by a process from a Windows 2000 physical memory/RAM dump

ch3\code\lsproc.exe (XP: Yes, Vista: No) – Parse a Windows 2000 physical memory/RAM dump, looking for processes

ch4\code\pref_ver.exe (XP: Yes, Vista: No) – Perl script to parse the contents of the XP layout.ini file, locate executables (.exe, .dll, .sys) and extract any file version information

ch4\code\sr.exe (XP: Yes, Vista: No) – Use WMI to get Restore Point settings from XP (local or remote)

ch4\code\old\bho.exe (XP: Yes, Vista: No) – Retrieve listing of installed BHOs from a local system

ch4\code\old\pnu.exe (XP: Yes, Vista: No) – List the contents of one of the UserAssist\GUID\Count keys, sorted by most recent time

ch4\code\old\regp.exe (XP: Yes, Vista: No) – Raw Windows Registry files (ntuser.dat, system32\config\system, system32\config\software) from NT/2K/XP/2K3 systems

ch4\code\old\sam_parse.exe (XP: Yes, Vista: No) – Retrieve user information from a raw Registry/SAM file

ch4\code\jt\regslack.exe (XP: Yes, Vista: No, Windows 7: No) – Comment: DOS

ch4\code\RegRipper\rip.exe (XP: Yes, Vista: No) – Use this utility to run a plugins file or a single plugin against a Registry hive file

ch4\code\RegRipper\rr.exe (XP: Yes, Vista: No) – Parse a Registry hive file for data pertinent to an investigation – Comment: No plugins

ch5\code\lscl.exe (XP: Yes, Vista: No) – Read/parse restore point change logs for data

ch5\code\pdfdmp.exe (XP: Yes, Vista: No) – Attempt to extract metadata from PDF files

ch5\code\pdfmeta.exe (XP: Yes, Vista: No) – Attempt to extract metadata from PDF files

ch5\code\sr.exe (XP: Yes, Vista: No)

ch5\code\EVT\evt2xls.exe (XP: Yes, Vista: No) – Parse Windows 2000, XP, 2003 EventLog files in binary format, putting the event records into an Excel spreadsheet; can also generate a report showing event source/ID frequencies (for the Security Event Log, login type is added to the event ID), suitable for entry into eventid.net

ch5\code\EVT\evtrpt.exe (XP: Yes, Vista: No) – Tool to translate the binary contents of Windows 2000, XP, and 2003 Event Logs, and generate a report of event ID frequencies and date ranges of the records

ch5\code\EVT\evtstats.exe (XP: Yes, Vista: No) – Parse the contents of Event Log files and display statistics
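As an added example (written for this page, not one of the book's tools) of what a single-task registry-analysis tool such as pnu.exe does: decode Windows XP UserAssist Count values, whose value names are ROT13-encoded and whose 16-byte data holds a session id, a run count and a last-run FILETIME, and list them most recent first. The sample entries are constructed in code, not taken from a real hive.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks):
    """FILETIME -> aware UTC datetime; 0 means the program was never run."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10) if ticks else None


def datetime_to_filetime(dt):
    """Inverse conversion in integer arithmetic, so the round trip is exact."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_xp_count_value(rot13_name, data):
    """Decode one value under UserAssist\\{GUID}\\Count in the Windows XP layout:
    ROT13-encoded name; 16 bytes of data = session id (uint32), run count
    (uint32), last-run FILETIME (uint64), all little-endian."""
    if len(data) < 16:
        raise ValueError("XP UserAssist entry is 16 bytes, got %d" % len(data))
    session, count, ticks = struct.unpack("<IIQ", data[:16])
    return {
        "name": codecs.decode(rot13_name, "rot13"),
        "session": session,
        "count": max(count - 5, 0),  # XP starts the counter at 5
        "last_run": filetime_to_datetime(ticks),
    }


def most_recent_first(values):
    """Parse {rot13 name: raw data} and sort newest run first; never-run entries last."""
    parsed = [parse_xp_count_value(n, d) for n, d in values.items()]
    return sorted(parsed, key=lambda e: e["last_run"] or FILETIME_EPOCH, reverse=True)


def build_sample_values():
    """Constructed sample entries (not from a real hive), packed in the XP layout."""
    utc = timezone.utc

    def entry(name, session, count, last_run):
        ticks = datetime_to_filetime(last_run) if last_run else 0
        return codecs.encode(name, "rot13"), struct.pack("<IIQ", session, count + 5, ticks)
    return dict([
        entry("UEME_RUNPATH:C:\\WINDOWS\\system32\\notepad.exe", 1, 3, datetime(2009, 6, 15, 12, 0, tzinfo=utc)),
        entry("UEME_RUNPATH:C:\\Tools\\rr.exe", 1, 1, datetime(2009, 6, 16, 9, 30, tzinfo=utc)),
        entry("UEME_RUNPIDL:%csidl2%\\Accessories\\Paint.lnk", 0, 0, None),
    ])
```

Windows 7 and later use a different (72-byte) Count record, so this parser is XP-specific, which is exactly the version dependence the compatibility table above documents.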