Module LX - Computer Forensic Tools
EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
News: Linux Tool Speeds up Computer Forensics for Cops
Source: http://news.zdnet.com/
Module Objective
This module will familiarize you with:
• Software Computer Forensic Tools
  • Visual TimeAnalyzer
  • Evidor
  • Forensic Sorter
  • Directory Snoop
  • Decryption Collection Enterprise
  • Prodiscover DFT
  • R-Tools
  • Forensic Toolkit
  • EnCase® Forensic
  • SIM Card Seizure
  • PE Explorer
• Hardware Computer Forensic Tools
  • PDBlock
  • Firewire Drivedock
  • Write Protect Card Reader
  • ImageMASSter Solo-3 IT
Module Flow
Diagram of the module flow, covering the software tools (Visual TimeAnalyzer, Evidor, Forensic Sorter, Directory Snoop, Decryption Collection Enterprise, Prodiscover DFT, R-Tools, Forensic Toolkit, EnCase® Forensic, SIM Card Seizure, PE Explorer) and the hardware tools (PDBlock, Firewire Drivedock, Write Protect Card Reader, ImageMASSter Solo-3 IT)
Hardware Computer Forensic Tools
Software Computer Forensic Tools
Visual TimeAnalyzer
http://www.neuber.com/timeanalyzer/
Visual TimeAnalyzer automatically tracks all computer usage and presents detailed and illustrated reports
X-Ways Forensics
http://www.x-ways.net/
X-Ways Forensics is an advanced work environment for computer forensic examiners
Features of X-Ways Forensics:
• Disk cloning and imaging, even under DOS with X-Ways Replica (forensically sound)
• Examine the complete directory structure inside raw image files, even when spanned over several segments
• Native support for FAT, NTFS, Ext2/3, CDFS, UDF
• Built-in interpretation of RAID 0 and RAID 5 systems and dynamic disks
• View and dump physical RAM and the virtual memory of running processes
• Various data recovery techniques and file carving
• Hard disk cleansing to produce forensically sterile media
• Gather slack space, free space, inter-partition space, and generic text from drives and images
X-Ways Forensics: Screenshot 1
X-Ways Forensics: Screenshot 2
Evidor
http://www.x-ways.net/
Evidor is a small subset of just the search functionality in X-Ways Forensics
It searches text on hard disks and retrieves the context of keyword occurrences on computer media
It examines the entire allocated space, even Windows swap/paging and hibernation files, and the currently unallocated space of the hard disk
It finds data from deleted files if that data still physically exists on the disk
It cannot access remote networked hard disks
Evidor: Screenshot 1
Evidor: Screenshot 2
Slack Space and Data Recovery Tools: Ontrack
http://www.ontrackdatarecovery.com/
Ontrack EasyRecovery™ software products provide complete solutions for data recovery, file repair, and disk diagnostics
They allow the investigator to recover deleted files, folders, and complete partitions quickly and easily, making them the ultimate do-it-yourself solution for data loss
EasyRecovery™ DataRecovery software:
• Repairs and restores corrupt or inaccessible Microsoft® Office and Zip files into readable files
EasyRecovery™ Professional software:
• It includes the capabilities of EasyRecovery DataRecovery, EasyRecovery FileRepair and EasyRecovery EmailRepair
• General capabilities – data recovery, file repair, disk diagnostics
Ontrack EasyRecovery Professional: Screenshot 1
Ontrack EasyRecovery Professional: Screenshot 2
Data Recovery Tools
Forensic Sorter classifies data into 14 different categories, recovers deleted files, and Filters Out Common Hashes (FOCH)
Source: http://www.paraben-forensics.com/
Directory Snoop is a cluster-level search tool that allows Windows users to snoop FAT- and NTFS-formatted disk drives to see the data hidden in the cracks
Source: http://www.briggsoft.com/
Permanent Deletion of Files: PDWIPE
http://www.digitalintelligence.com/
PDWIPE (Physical Drive WIPE) is a DOS application capable of wiping large hard drives with a capacity greater than 8.4 GB in a short time
It supports any drive which is accessible to the system via Interrupt 13 or the MS/IBM Interrupt 13 Extensions
It has three basic modes of operation:
• Command line interactive
• Command line confirmation
• Batch file operation
Permanent Deletion of Files: Darik's Boot and Nuke (DBAN)
http://www.dban.org/
Darik's Boot and Nuke ("DBAN") is a self-contained boot floppy that securely wipes the hard disks of most computers
It automatically and completely deletes the contents of any hard disk that it detects
It is a way of preventing identity theft and a good way of cleaning a Microsoft Windows installation of viruses and spyware
DBAN: Screenshot
File Integrity Checker
FileMon monitors and displays file system activity on a system in real time
Source: http://technet.microsoft.com/
File Date Time Extractor looks through binary files, 'sniffing out' hidden, embedded 64-bit dates and times
Source: http://www.digital-detective.co.uk/
File Integrity Checker
The Decode - Forensic Date/Time Decoder utility was designed to decode the various date/time values found embedded within binary and other file types
Source: http://www.digital-detective.co.uk/
Disk Imaging Tools: Snapback Datarrest
http://www.snapback.com/
The ‘Snapback Datarrest’ software has a user-friendly interface backed by powerful operation to create mirror images of a variety of operating systems
It performs successful back-up and restoration
It is compatible with all IBM computers containing any OS
If a DOS floppy is booted, data can be seized quickly, accurately, and completely
It gathers every bit from the hard drive
Partition Managers: Partimage
http://www.partimage.org/
Partimage is a Linux/UNIX utility that saves partitions having a supported file system to an image file
The image file can be compressed with gzip or bzip2 to save disk space
It supports the following file systems:
• Ext2fs/Ext3fs
• Reiser3
• FAT16/32
• HPFS, JFS, UFS
• XFS, HFS
• NTFS
Partimage: Screenshot 1
Linux/Unix Tools: Ltools
http://www.it.hs-esslingen.de/
• Ltools accesses Linux files from Windows 9x/ME and Windows NT/2000/XP
• It consists of a set of command line tools for reading and writing Linux ReiserFS, ext2, and ext3 file systems
• It has Java- and .NET-based GUIs and an Explorer-like interface in a web browser, providing remote access to file systems
• It can be used in a DOS environment to repair Linux if the Linux system does not boot
Ltools: Screenshot
Linux/Unix Tool: Mtools
http://www.gnu.org/
• Mtools is a collection of utilities to access MS-DOS disks from Unix without mounting them
• It supports Win'95 style long file names, OS/2 Xdf disks and 2m disks (which store up to 1992k on a high density 3 1/2 inch disk)
• It handles the long filenames of Windows NT and Windows 95
Password Recovery Tool
@stake reduces security risk by helping administrators to remove vulnerabilities caused by weak or easily guessed passwords
Source: http://www.securityfocus.com/
Decryption Collection recovers more passwords, from more programs, in a shorter amount of time using methods such as the advanced Xieve™ attack method
Source: http://www.paraben-forensics.com/
Password Recovery Tool
The AIM Password Decoder utility was designed to decrypt the login password for AOL Instant Messenger
The MS Access Database Password Decoder utility was designed to decrypt the master password stored in a Microsoft Access database
Source: http://www.digital-detective.co.uk/
Internet History Viewer
CookieView - Cookie Decoder was originally written as an external viewer for EnCase or iLook
Cookie Viewer discovers the information that web sites store on the computer
Source: http://www.digital-detective.co.uk/
Internet History Viewer: Cache View
Cache View is a viewer for the Netscape Navigator, Mozilla and Firefox, Opera, and Internet Explorer web caches
The FavURLView utility decodes Internet Shortcut (*.URL) files to allow the user to compare the Shortcut Description with the actual link
Source: http://www.digital-detective.co.uk/
Internet History Viewer
http://www.digital-detective.co.uk/
NetAnalysis automatically rebuilds HTML web pages from an extracted cache
Multipurpose Tools: Maresware
http://www.dmares.com/
The Maresware suite provides an essential set of tools for investigating computer records plus powerful data analysis capabilities
It is used in computer forensics for purposes such as:
• Discovery of "hidden" files (such as NTFS Alternate Data Streams)
• Incident response and evaluation of timelines
• Powerful keyword searching, comparing, and file verification
• Forensic diskette imaging
• Drive wiping for information privacy and security
• Disk wiping to overwrite a hard drive to DOD standards
• Completely documenting the examiner's steps and procedures
Multipurpose Tools: LC Technologies Software
The LC Technologies Software comprises the following software/tools:
Photorecovery:
• It is designed to recover images, movies, and sound files from various types of digital media
File RecoveryPro:
• It scans and finds lost partitions, boot sectors, and other file system components
FILExtinguisher:
• This tool completely removes data from disks to avoid passing on private/secret information
SanDiskRescuePRO:
• It recovers all kinds of data from the hard disk
Data Recovery kit:
• It allows fast, safe, and reliable file recovery within the Windows environment
Intelli-SMART:
• It is software used for reporting
Intelli-SMART: Screenshot
Multipurpose Tools: WinHex Specialist Edition
WinHex is a hexadecimal editor, helpful in the realm of computer forensics, data recovery, low-level data processing, and IT security
Source: http://www.x-ways.net/
ProDiscover is a law enforcement tool used to find all the data on a computer disk while protecting evidence and creating evidentiary quality reports
Source: http://www.techpathways.com/
Toolkits: NTI Tools
http://www.forensics-intl.com/
Some of the important NTI tools:
AnaDisk:
• It is a floppy diskette analysis tool for security reviews and to identify data storage pattern anomalies
DiskScrub:
• It is a utility tool that is used to securely destroy computer data on a disk drive
GetSlack:
• It captures data stored in the file slack associated with all of the files on a target computer hard disk drive
NTA Stealth:
• It determines the past Internet-based computer usage of a specific computer system
SafeBack 3.0:
• It is hard disk bit-stream backup software
Toolkits: R-Tools
http://www.r-tt.com/
R-Tools Technology Inc. is a provider of forensic utilities for the Windows OS family
R-Studio:
• It is undelete and data recovery software recovering files from FAT12/16/32, NTFS, NTFS5, HFS/HFS+ (Macintosh), and Little and Big Endian variants of UFS1/UFS2
R-Undelete:
• It is a file undelete solution for FAT and NTFS file systems
R-Drive Image:
• It is drive image and backup software that creates disk image files with exact, byte-by-byte copies of a hard drive, partition or logical disk
R-Firewall:
• It protects computers present in a local network and/or connected to the Internet against intrusions, attacks, Trojans, spyware, and other external and internal threats
Toolkits: R-Tools (cont’d)
R-Guard:
• It is a data security tool for advanced access right control, encryption, and audit
R-Mail:
• It recovers damaged files and deleted messages created by Microsoft Outlook and Microsoft Outlook Express software
R-Word:
• It is designed to recover corrupted Microsoft Word documents
R-Wipe&Clean:
• It deletes private records of the user’s on-line and off-line activities, such as temporary internet files, history, cookies, passwords, swap files, etc.
R-Linux:
• It is a file recovery utility for the Ext2FS file system used in the Linux OS and several Unix versions
R-Tools: Screenshot
R-Studio and R-Guard
R-Tools: Screenshot (cont’d)
R-Mail and R-Wipe&Clean
Toolkits: Datalifter
http://www.datalifter.com/
DataLifter is a forensics toolkit built by StepaNet Communications Inc
It has a set of 10 tools that help in forensic investigations
It has two versions: DataLifter v2.0 and DataLifter.Net Bonus
The utilities that are grouped together with DataLifter include:
• Active reports, Disk2File, File extraction, Image linker
• Internet history, File signature generator, Email retriever
• Ping/Trace route/WHOIS, Recycle Bin history, Screen capture
Datalifter: Screenshot
Toolkits: AccessData
http://www.accessdata.com/
AccessData offers a set of programs used for computer forensics, such as:
Password Recovery Toolkit:
• The Password Recovery Toolkit recovers passwords from well-known applications
Distributed Network Attack:
• It recovers the password for protected files
Registry Viewer:
• Registry Viewer views independent registry files and generates reports
Wipe Drive:
• Wipe Drive is used to overwrite and remove all the data present on a computer
FTK – Forensic Toolkit
http://www.accessdata.com/
Forensic Toolkit (FTK) offers forensic professionals the ability to complete a task systematically, by providing accurate information
It has full text indexing, advanced searching, deleted file recovery, data carving, and email and graphics analysis
Features:
• An integrated solution
• Integrated Oracle database and enhanced searching
• Powerful processing speed
• Intuitive interface and functionality
Image MASSter Solo and FastBloc
Image MASSter Solo:
• It is a hard drive duplicator for workstation cloning
• It can load any operating system and application software including: Windows 95/98, NT, SCO, Unix, OS/2, and Mac OS
Source: http://www.ics-iq.com/
FastBloc:
• It is data acquisition software which connects through an IDE channel. It does not require SCSI controller cards or SCSI drivers
• The common IDE write-blocked architecture allows data from any IDE hard drive to be gathered safely in the Windows OS
Source: http://www.guidancesoftware.com/
EnCase® Forensic
http://www.guidancesoftware.com/
EnCase® provides investigators with a single tool, capable of conducting large-scale and complex investigations from beginning to end
Features of EnCase:
• Acquires data in a forensically sound manner using software with an unparalleled record in courts worldwide
• Investigates and analyzes multiple platforms
• Finds information despite efforts to hide, cloak or delete it
• Manages large volumes of computer evidence
• Transfers evidence files directly to law enforcement or legal representatives as necessary
EnCase® Forensic: Screenshot 1
EnCase® Forensic: Screenshot 2
EnCase® Forensic: Screenshot 3
Email Recovery Tools
E-mail Examiner is an e-mail examination tool that recovers active and deleted mail messages
Network E-mail Examiner allows the investigator to examine Microsoft Exchange (EDB), Lotus Notes (NSF), and GroupWise e-mail stores
Source: http://www.paraben-forensics.com/
Case Agent Companion
http://www.paraben-forensics.com/
Paraben's Case Agent Companion is designed to optimize both the time of the forensics examiner and the agent working the case
It has built-in viewers for over 225 file formats, searching, and reporting that make the forensics process faster, more efficient, and more effective
Features of Case Agent Companion:
• Enhanced reporting options for professional and comprehensive output of examined data
• Customized by the examiner so each case can be loaded based on the specifics of that case
• Note taking and bookmarking capabilities built in for easy reference to examined data
• Case logging feature tracks all parts of the analysis in a detailed log file
Case Agent Companion: Screenshot
Chat Examiner
http://www.paraben-forensics.com/
Chat Examiner is a specialized tool to perform a thorough analysis of chat logs
Paraben Hard Drive Forensics: Forensic Replicator
http://www.paraben-forensics.com/
Paraben's Forensic Replicator is used for bit-stream imaging of hard drives and media
It acquires a wide range of electronic media, from a floppy to a hard disk
Captured images can be compressed, segmented, and easily read into forensic analysis programs
Forensic Replicator features:
• Supports creating and viewing VHD (Virtual Hard Disk) images
• Supports WiebeTech write block devices
• Supports viewing Linux EXT2 and EXT3 partitions
• Creates bit-stream images of removable media, partitions, or an entire physical hard drive
• Creates images of USB micro drives
Forensic Replicator Screenshot
Registry Analyzer
http://www.paraben-forensics.com/
Paraben's Registry Analyzer is a component of Paraben's P2 forensic collection
and is used for viewing, analyzing, and reporting the Windows registry files
ASR Data’s SMART
http://www.asrdata.com/SMART/
SMART is a software utility that has been designed and optimized to support data forensic practitioners and Information Security personnel in pursuit of their respective duties and goals
Features of SMART:
• On-site or remote preview of a target system
• Post mortem analysis of dead systems
• Testing and verification of other forensic programs
• Conversion of proprietary "evidence file" formats
• “Knock-and-talk” inquiries and investigations
SMART: Screenshot 1
SMART: Screenshot 2
Oxygen Phone Manager
http://www.oxygensoftware.com/
Oxygen Phone Manager supports all models of Nokia mobile phones
It supports different connection types such as infrared, Bluetooth, and various USB connections
It backs up and restores all information from the mobile phone
It has highly customizable imports
It exports the phonebook to all the popular formats
It supports three storage types: SIM card, phone memory and disk
Oxygen Phone Manager: Screenshot 1
Screenshot of the main window and the SMS Manager
Oxygen Phone Manager: Screenshot 2
SIM Card Seizure
http://www.paraben-forensics.com/
SIM Card Seizure is a tool that analyzes SIM card data and recovers deleted data
Text Searcher
http://www.paraben-forensics.com/
Paraben's Text Searcher is a text searching tool that will make any forensics examiner more effective and more efficient
Autoruns
http://technet.microsoft.com/
Autoruns shows what programs are configured to run during system bootup or login, and the entries in the order Windows processes them
Autostart Viewer
http://www.diamondcs.com.au/
Autostart Viewer allows you to see all known autostarts on your system, all on the one screen
It also gives you complete control over the autostart references, and allows you to modify or delete them
Belkasoft RemovEx
http://belkasoft.com/
Belkasoft RemovEx allows the user to disable Internet Explorer and Windows Explorer plug-ins
HashDig
http://ftimes.sourceforge.net/
HashDig technology is a collection of utilities designed to help practitioners automate the process of resolving MD5 and SHA1 hashes
It was designed to work in conjunction with FTimes
This method can be implemented quite effectively by manipulating hashes and comparing them to one or more reference databases
The HashDig format:
• hash|category
The reverse HashDig format:
• category|hash
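The resolution step described above, as an added example that is not part of HashDig or FTimes: it parses reference lists in both line formats named on the slide, merges them, hashes a set of files and classifies each one. The reference lines and file contents are constructed samples; comment handling and the 'unknown' fallback are assumptions of this example.

```python
"""Resolve file hashes against HashDig-format reference lists.

Added example, not part of the HashDig/FTimes distribution. It reads the two
line formats named on the slide (hash|category and category|hash), merges
several reference lists, and classifies files by their MD5 or SHA1 digest.
The reference lines and file contents below are constructed samples.
"""
import hashlib
import re

HEX_DIGEST = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40})$")   # MD5 or SHA1


def parse_hashdig(text: str, reverse: bool = False) -> dict:
    """Parse HashDig (hash|category) or, with reverse=True, reverse HashDig
    (category|hash) lines into {hash: category}. Blank lines and '#' comment
    lines are skipped (an assumption of this example, not of the tool).
    Hashes are lower-cased, and malformed or conflicting lines raise."""
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected exactly one '|' separator")
        category, digest = fields if reverse else fields[::-1]
        digest = digest.strip().lower()
        category = category.strip()
        if not HEX_DIGEST.match(digest):
            raise ValueError(f"line {lineno}: {digest!r} is not an MD5 or SHA1 hex digest")
        if table.get(digest, category) != category:
            raise ValueError(f"line {lineno}: {digest} already listed as {table[digest]!r}")
        table[digest] = category
    return table


def merge_tables(*tables: dict) -> dict:
    """Combine several reference databases. A hash that two lists place in
    different categories is a data problem, so it raises instead of being
    silently overwritten by whichever list was loaded last."""
    merged = {}
    for table in tables:
        for digest, category in table.items():
            if merged.get(digest, category) != category:
                raise ValueError(f"{digest}: {merged[digest]!r} vs {category!r} in different lists")
            merged[digest] = category
    return merged


def resolve(files: dict, table: dict, algorithm: str = "md5") -> dict:
    """Hash each file's bytes with `algorithm` and look the digest up.
    Returns {filename: (digest, category)}; unlisted hashes get 'unknown'."""
    results = {}
    for name, content in files.items():
        digest = hashlib.new(algorithm, content).hexdigest()
        results[name] = (digest, table.get(digest, "unknown"))
    return results


# Constructed sample reference lists; the digests are the MD5s of the sample files below.
REFERENCE_HASHDIG = """\
# hash|category
d41d8cd98f00b204e9800998ecf8427e|known
5D41402ABC4B2A76B9719D911017C592|known
"""
REFERENCE_REVERSE = """\
# category|hash
flagged|0cc175b9c0f1b6a831c399e269772661
"""
# Constructed sample "files" (name -> bytes) standing in for a collected file set.
SAMPLE_FILES = {
    "empty.txt": b"",
    "hello.txt": b"hello",
    "a.txt": b"a",
    "unseen.bin": b"not in any reference list",
}


def classify_samples() -> dict:
    """Run the full flow on the constructed data; returns {filename: category}."""
    table = merge_tables(parse_hashdig(REFERENCE_HASHDIG),
                         parse_hashdig(REFERENCE_REVERSE, reverse=True))
    return {name: cat for name, (_digest, cat) in resolve(SAMPLE_FILES, table).items()}


if __name__ == "__main__":
    for name, category in classify_samples().items():
        print(f"{name:12s} {category}")
```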
Inforenz Forager
http://www.deticaforensics.com/
Inforenz Forager is a forensic investigation tool that enables investigators to search for, identify, analyze, and report on information about computer files
It is the first commercially available forensic investigation tool to collate and link the metadata of different computer files
Features of Inforenz Forager:
• Identifies relevant data through its highly flexible and sophisticated searches that perform simultaneous high-level and meta-data level filtering
• Mines down into .zip container files recursively to obtain meta-data from deeply nested files, as well as providing meta-data from the .zip container files themselves
• Generates an index for all or part of your search area to speed up investigations, or to work without the original data
• Produces rapid reports on multiple documents, including document time-lines and document history (where available) without needing to open the original application
• Allows investigation and analysis of known files without needing to perform a search
• Analyzes the history of Microsoft Word and Excel documents created on any platform (including Microsoft Windows and Mac OS)
• Provides detailed property values for a growing number of file types
KaZAlyser
http://www.sandersonforensics.com/
KaZAlyser is the successor to the popular P2PView KaZaA/Morpheus database viewer
It provides significant enhancements to the investigation process
It provides the following functions:
• Lists all database entries in a tabular form
• Displays the file integrity tag
• Allows the investigator to tag and comment each record
• Identifies files that appear (from title, keywords etc.) to be related to Child Pornography
• Identifies files that have a known Child Pornography hash value
• Identifies all graphics/movie files
• Exports the content of a database to a CSV file
DiamondCS OpenPorts
http://www.diamondcs.com.au/
DiamondCS OpenPorts is a command line tool that lets you see all open TCP and UDP ports on your system
It displays information about the sockets/ports on your system
Pasco
http://www.foundstone.com/
Pasco is designed to examine the contents of Internet Explorer's cache files
Patchit
http://www.foundstone.com/
Patchit is a file byte-patching utility
It can patch sequences of bytes in any file, search for byte patterns (with wildcards), and also extract and utilize DLL exported function addresses
The total command list is shown below:
MESSAGE <"message">
Displays a message during script execution
DIR <"directory path">
Optional directory path to search for files. For compatibility it is advisable not to use specific drive names in the path
FILE <"filename"> [filesize]
Filename to patch. Optional filesize specifies the size that the file must match to be accepted
FIND [<*>]...
Performs a search on the current file for the sequence of bytes that match ... up to a maximum of 256. Use the keyword * to match any byte. If a match is found then the PATCH file position value is set to the file position at which the found pattern begins
Patchit (cont’d)
FUNCTION <"funcname">
Sets the current patch position to the file position of the given exported function name (case sensitive). It is assumed that the file being patched is a DLL
PATCH [[POS ] | [OFFSET ]] ...
Patches the current file at the optional file position/offset. Replaces orig_byte with new_byte. Fails if the original byte read from the file is not orig_byte
COPY <"orig_file"> <"new_file">
Copies "orig_file" to "new_file"
DELETE <"filename">
Deletes the specified file
INIFILE <"filename">
Specifies an INI file to be used in subsequent INI commands. This filename is relative to the last DIR directory path
INISECTION <"section">
Specifies an INI section name for use in subsequent INIWRITE commands
INIWRITE <"keyname"> <"value">
Writes the given string value to the INI keyname in the previously specified INI file's section
PE Explorer
http://www.pe-explorer.com/
The PE Explorer tool is used for inspecting the inner workings of user software, third-party applications and libraries for which the user does not have source code
Once the user selects the file to examine, it analyzes the file and displays a summary of the PE header information and all of the resources contained in the PE file
It allows the user to explore the specific elements within an executable file
Features of PE Explorer:
• Works with PE files such as .EXE, .DLL, .SYS, .ACM, .OCX, .DPL, and .BPL
• Opens broken or packed files in Safe mode
• Verifies the PE file's integrity
• Supports custom plug-ins to perform any startup processing
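To show what a PE header summary and integrity check of the kind this slide describes involve, here is an added example (not PE Explorer's code) that walks the DOS header, PE signature, COFF file header and section table of a constructed, non-runnable image and flags a section whose raw data runs past the end of the file, the sort of defect a broken or packed file shows. The sample image, the machine-type table and the anomaly wording are this example's own assumptions.

```python
"""Summarise a PE file's header and sanity-check its section table.

Added example, not PE Explorer's code. The parsing follows the public PE/COFF
layout (DOS header, PE signature, COFF file header, optional header, section
table). The sample image is constructed inline and is not a runnable binary.
"""
import struct

MACHINE_TYPES = {0x014C: "x86 (I386)", 0x8664: "x64 (AMD64)",
                 0x01C0: "ARM", 0xAA64: "ARM64"}
OPTIONAL_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}
IMAGE_FILE_DLL = 0x2000
SECTION_HEADER = "<8sIIIIIIHHI"   # the 40-byte IMAGE_SECTION_HEADER


class PEFormatError(ValueError):
    """Raised when the bytes do not carry a well-formed PE header."""


def parse_pe_header(data: bytes) -> dict:
    """Return a summary dict for the PE image in `data`.

    Structural faults (no MZ/PE signature, truncated headers) raise; faults a
    broken or packed file may show (section raw data past the end of the file)
    are collected in the 'anomalies' list so the rest can still be inspected."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise PEFormatError("no MZ DOS header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]       # offset of "PE\0\0"
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise PEFormatError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    (machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                            # optional header
    magic = struct.unpack_from("<H", data, opt)[0] if opt_size >= 2 else 0
    sections, anomalies = [], []
    table = opt + opt_size                                     # section table
    for i in range(nsections):
        off = table + 40 * i
        if off + 40 > len(data):
            raise PEFormatError(f"section table truncated at entry {i}")
        (name, vsize, vaddr, rawsize, rawptr, _relocs, _lines,
         _nrelocs, _nlines, flags) = struct.unpack_from(SECTION_HEADER, data, off)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        sections.append({"name": name, "virtual_address": vaddr, "virtual_size": vsize,
                         "raw_offset": rawptr, "raw_size": rawsize, "characteristics": flags})
        overrun = rawptr + rawsize - len(data)
        if rawsize and overrun > 0:
            anomalies.append(f"{name}: raw data extends {overrun} bytes past end of file")
    return {"machine": MACHINE_TYPES.get(machine, f"unknown (0x{machine:04x})"),
            "format": OPTIONAL_MAGIC.get(magic, "unknown"),
            "timestamp": timestamp,
            "is_dll": bool(characteristics & IMAGE_FILE_DLL),
            "section_count": nsections,
            "sections": sections,
            "anomalies": anomalies}


def build_sample_pe() -> bytes:
    """Construct a tiny, non-runnable PE image: DOS header, PE signature, COFF
    header, a 2-byte optional header holding only the PE32+ magic, two section
    headers and 16 bytes of .text data. The second section deliberately claims
    raw data beyond the end of the file so the integrity check reports it."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 1234567890, 0, 0, 2, 0x0022)
    opt = struct.pack("<H", 0x20B)
    hdr_end = 0x40 + 4 + 20 + 2 + 2 * 40                      # = 170
    text = struct.pack(SECTION_HEADER, b".text", 0x100, 0x1000, 0x10, hdr_end,
                       0, 0, 0, 0, 0x60000020)
    bogus = struct.pack(SECTION_HEADER, b".bogus", 0x100, 0x2000, 0x1000,
                        hdr_end + 0x10, 0, 0, 0, 0, 0x40000040)
    return bytes(dos) + b"PE\0\0" + coff + opt + text + bogus + b"\x90" * 0x10


if __name__ == "__main__":
    summary = parse_pe_header(build_sample_pe())
    for key, value in summary.items():
        print(f"{key:14s} {value}")
```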
PE Explorer: Screenshot
Screenshot callouts: syntax description editor, expert properties (details about the selected function), log window, and syntax details window
Port Explorer
http://www.diamondcs.com.au/
Port Explorer is the premier port-to-process mapper that allows the user to view all the open network ports/sockets on the system
It is a network monitoring utility with an intuitive GUI that allows the user to monitor all the network activity your computer is involved in
Features of Port Explorer:
• Configurable interface
• Multi-language support
• Hidden server detection
• Port-to-process mapping
• Socket send/receive blocking
• Packet-sniffing
• IP-to-country resolving
• Traffic volume reporting
Port Explorer: Screenshot
PowerGREP
http://www.powergrep.com/
PowerGREP is a Windows grep tool that searches through a large number of files on the user’s computer or network
Process Explorer
http://technet.microsoft.com/
Process Explorer tool shows you information about which handles and DLLs
processes have opened or loaded
Its display consists of two sub-windows
• Top window always shows a list of the currently active processes, including the names of their
owning accounts
• Bottom window information depends on the mode that Process Explorer is running
Features of Process Explorer:
• Supports for full handle viewing on Win9x/Me
• Processes icons and tree display
• Services process highlighting
• Configurable refresh rate
• Refresh highlighting
• DLL descriptions in the DLL view
• Highlights relocated DLLs
• Jump-to-entry in the find dialog
Process Explorer: Screenshot
PyFLAG
http://www.pyflag.net/
PyFLAG is a web-based tool for analyzing large volumes of log files and for forensic investigations
It can be deployed on a central server and shared by a number of users simultaneously
It can load many different log file formats and perform forensic analysis of disks and disk images
It uses a database as a backend to help manage the large volumes of data
It analyzes network traffic captured with tcpdump quickly and efficiently
PyFLAG: Screenshot 1
PyFLAG: Screenshot 2
Registry Analyzing Tool: Regmon
http://technet.microsoft.com/
Regmon is a Registry monitoring utility that shows the user which applications are accessing the Registry, which keys they are accessing, and the Registry data they are reading and writing, in real time
Reverse Engineering Compiler
http://www.backerstreet.com/
REC is a portable reverse engineering compiler, or decompiler
It reads an executable file, and attempts to produce a C-like representation of
the code and data used to build the executable file
Features of REC:
• Multitarget: REC can decompile 386, 68k, PowerPC and MIPS R3000 programs
• Multiformat
• Multihost: REC is available for Linux 3.0 (i386), Windows 95 and SunOS 4.1.4
• Supports high-level symbolic information in COFF, ELF+STAB, AOUT+STAB
• Scalable user interaction
• HTTP server mode allows using an HTML browser as user interface
Reverse Engineering Compiler: Screenshot 1
Reverse Engineering Compiler: Screenshot 2
SafeBack
http://www.forensics-intl.com/safeback.html
SafeBack is used to create mirror-image (bit-stream) backup files of hard disks or to make
a mirror-image copy of an entire hard disk drive or partition
The process is analogous to photography and the creation of a photo negative
It is an industry standard self-authenticating computer forensics tool that is used to create
evidence grade backups of hard drives
It is a DOS-based utility to back up and restore hard disks
It is used:
• To create evidence-grade backups of hard disk drives on Intel-based computer systems
• To restore archived SafeBack images exactly to another computer's hard disk drive of equal or larger storage capacity
• As an evidence preservation tool in law enforcement and civil litigation matters
• As an intelligence gathering tool by military agencies
TapeCat
http://www.sandersonforensics.com/
TapeCat is a Windows-based Tape Forensics package
It has the following functionality:
• Creates a FAT-formatted image file and extracts the content of an archive tape directly into the image file for subsequent direct import into forensic investigation tools such as EnCase or ILook
• Extracts the contents of an archive tape to disk (i.e., restore), maintaining file dates and times
• Displays a catalogue of all volumes on a given tape (supported formats only)
• Supports out-of-sequence backup tapes (NTBackup and Backup Exec only)
• Filters (includes or excludes) files based on file extension, file signature, and hash values, to search for known files or exclude known files
• Extracts only unique files
• Dumps the raw contents of a tape to disk
• Duplicates tape to tape
• Duplicates via hard disk
• Creates tape images
• Maintains a forensic log of all activity
Vision
http://www.foundstone.com/
Vision is a host based forensics tool that shows all of the open TCP and UDP
ports on a machine, displays the service that is active on each port, and maps
the ports to their respective applications
Hardware Computer Forensic Tools
List of hardware computer forensics tools:
• PDBlock
• Write-blocker
• NoWrite
• FireWire DriveDock
• Write Protect Card Reader
• Serial-ATA DriveLock Kit
• ImageMASSter Solo-3 IT
• ImageMASSter 4002i
• ImageMASSter 3002SCSI
• ImageMASSter 3004SATA
Hard Disk Write Protection Tools: PDBlock and Write-blocker
http://www.digitalintelligence.com/
PDBlock
• The PDBlock tool is designed to prevent unexpected writes to a physical disk drive
• It write-protects hard disks on a system and blocks write requests to particular hard disks on that system
• It has an option to select which hard drives are write-protected
• It safeguards any drive accessed from the system through Interrupt 13 or the MS/IBM Interrupt 13 extensions
Write-blocker
• A write-blocker prevents data from being written to a hard disk during investigations
• It allows the forensic examiner to access the data present in a system in order to download, examine and investigate it
Hard Disk Write Protection Tools: NoWrite
http://www.mykeytech.com/nowrite.html
NoWrite is a write blocker for IDE hard drives
Features:
• True IDE-to-IDE connections
• Transparent to hardware and software
• Blocks any writes to the drive
• Supports large drives (130+ GB)
• Supports identifying a host protected area
Figure: NoWrite
Hard Disk Write Protection Tools: FireWire DriveDock
http://www.wiebetech.com/
Wiebetech’s FireWire DriveDock v4 is a forensic tool for investigators who deal with bare 3.5" IDE drives
It attaches drives through dual FireWire 400 ports or USB; the dual ports allow daisy-chaining for more versatility
Features of Wiebetech’s FireWire DriveDock:
• Dual FireWire 400 ports for daisy chaining
• USB 2.0 port for attachment of USB hosts
• Disk Drive Power In LED for powering from standard 4-pin drive power connectors
• FireWire Host Detection LED to identify valid FireWire host attachment
• USB Host Detection LED to identify USB attachment
Figure: FireWire DriveDock
Write Protect Card Reader
http://www.ics-iq.com/
The Write Protect Card Reader transfers data to a PC from a digital camera, digital camcorder, PDA, MP3 player or digital voice recorder
It can read multiple types of flash memory while blocking any writes to them
Features of Write Protect Card Reader:
• USB 2.0 connection
• Backward compatible with USB 1.1
• Complete plug and play
• Reads 12 different popular digital media types
• Can read data from four different media simultaneously
• Maximum data throughput up to 480 Mbits/sec
• Unique icon for each media type under the My Computer folder
• Small enough to fit in most jacket pockets
• Bus powered - no AC adapter needed
Figure: Write Protect Card Reader
Serial-ATA DriveLock Kit
http://www.ics-iq.com/
The DriveLock S-ATA device is a hardware write protect solution that prevents data writes to S-ATA and P-ATA hard disk drives
It is designed to block write commands sent to the hard drive while the drive is being previewed or duplicated
Features:
• Write protection through P-ATA and S-ATA interfaces
• Multiple media support
• High speed operation
• Ease of use and portable
Figure: Serial-ATA DriveLock Kit
ImageMASSter Solo-3 IT
http://www.ics-iq.com/
The ImageMASSter Solo-3 IT is a complete, inclusive high speed data duplication tool that integrates all the latest advanced features in data imaging
It can copy data from IDE and laptop drives, Serial ATA and SCSI drives, as well as Flash cards
Features of ImageMASSter Solo-3 IT:
• MD5 and CRC32 hashing
• Touch screen user interface
• Copy to two target drives simultaneously
• Multiple media support
Figure: ImageMASSter Solo-3 IT
ImageMASSter 4002i
http://www.ics-iq.com/
The ImageMASSter 4002i provides the tools necessary to mass duplicate regular and notebook P-ATA and S-ATA hard drives for high volume drive deployments
It can duplicate to 2 drives simultaneously at speeds greater than 2 GB/min
Features of ImageMASSter 4002i:
• Copy to multiple drives simultaneously
• Copy between different drive models and sizes
• 48-bit support
• Multiple user-defined settings
Figure: ImageMASSter 4002i
ImageMASSter 3002SCSI
http://www.ics-iq.com/
The ImageMASSter 3002S hard drive duplicator is a tool for duplicating SCSI hard drives
It is designed to copy data from one drive to up to 2 SCSI hard drives
It supports duplication of IDE hard drives as well as Serial ATA hard drives
Features of ImageMASSter 3002S:
• Copy to multiple drives simultaneously
• Multiple media support
• Multiple copy methods
• Bad sector handling
Figure: ImageMASSter 3002SCSI
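What SafeBack's self-authenticating bit-stream backups, the Solo-3 IT's MD5 and CRC32 hashing and the 3002S's bad sector handling amount to in software, as an added example (not the vendors' code): every sector is copied in order, unreadable sectors are zero-filled rather than skipped so later data keeps its offset and each one is logged, both hashes are recorded at acquisition, and the stored image is re-hashed to verify it. The device is an in-memory constructed one with deliberately bad sectors; `UnreliableDevice`, `image_device` and `verify_image` are names chosen for this example.

```python
import hashlib
import io
import zlib

SECTOR = 512


class UnreliableDevice:
    """Constructed stand-in for a drive with unreadable sectors (not a real device driver)."""

    def __init__(self, data: bytes, bad_sectors=()):
        if len(data) % SECTOR:
            raise ValueError("device size must be a whole number of sectors")
        self._buf = io.BytesIO(data)
        self.sectors = len(data) // SECTOR
        self.bad = set(bad_sectors)

    def read_sector(self, lba: int) -> bytes:
        if lba in self.bad:
            raise IOError("unrecoverable read error at LBA %d" % lba)
        self._buf.seek(lba * SECTOR)
        return self._buf.read(SECTOR)


def image_device(dev, out, block_sectors=8):
    """Bit-stream copy of every sector of dev into out; returns (md5_hex, crc32, bad_lbas).

    Sectors are read block_sectors at a time; when a block fails it is retried
    sector by sector so only the sector that really is unreadable is lost, and
    that sector is written as zeros so every later byte keeps its original offset.
    """
    md5, crc, bad, lba = hashlib.md5(), 0, [], 0
    while lba < dev.sectors:
        n = min(block_sectors, dev.sectors - lba)
        try:
            chunk = b"".join(dev.read_sector(lba + i) for i in range(n))
        except IOError:
            parts = []
            for i in range(n):
                try:
                    parts.append(dev.read_sector(lba + i))
                except IOError:
                    bad.append(lba + i)          # forensic log of what could not be read
                    parts.append(b"\0" * SECTOR)  # zero-fill, never skip
            chunk = b"".join(parts)
        md5.update(chunk)
        crc = zlib.crc32(chunk, crc)
        out.write(chunk)
        lba += n
    return md5.hexdigest(), crc & 0xFFFFFFFF, bad


def verify_image(image: bytes, md5_hex: str, crc32: int) -> bool:
    """Re-hash the stored image and compare with the values recorded at acquisition."""
    return (hashlib.md5(image).hexdigest() == md5_hex
            and (zlib.crc32(image) & 0xFFFFFFFF) == crc32)


def demo():
    """Image a 64-sector constructed device with two bad sectors and verify the copy."""
    data = b"".join(bytes([i]) * SECTOR for i in range(64))  # sector i is filled with byte i
    dev = UnreliableDevice(data, bad_sectors=[5, 40])
    out = io.BytesIO()
    md5_hex, crc32, bad = image_device(dev, out)
    image = out.getvalue()
    return {"image": image, "md5": md5_hex, "crc32": crc32, "bad": bad,
            "verified": verify_image(image, md5_hex, crc32)}


if __name__ == "__main__":
    r = demo()
    print("bad sectors:", r["bad"], "md5:", r["md5"],
          "crc32: %08x" % r["crc32"], "verified:", r["verified"])
```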
ImageMASSter 3004SATA
http://www.ics-iq.com/
The ImageMASSter 3004SATA hard drive duplicator is an advanced, cost-effective drive duplicator with multi-data copy and drive cloning functionality
Data duplication speeds can exceed 1.6 GB/min
Features of ImageMASSter 3004SATA:
• Duplicates to multiple drives simultaneously
• Multiple copy methods
• WipeOut: erases data on up to 5 SATA hard drives simultaneously
Figure: ImageMASSter 3004SATA
Summary
This module has provided information on computer forensics software and
hardware tools that are important in forensic investigation
Data recovery plays a crucial role during investigations
Tools that perform various functions are known as multi-purpose tools

More Related Content

What's hot (20)

File000117
File000117File000117
File000117
 
File000118
File000118File000118
File000118
 
File000128
File000128File000128
File000128
 
File000113
File000113File000113
File000113
 
File000122
File000122File000122
File000122
 
File000136
File000136File000136
File000136
 
File000148
File000148File000148
File000148
 
File000124
File000124File000124
File000124
 
Ce hv6 module 46 securing laptop computers
Ce hv6 module 46 securing laptop computersCe hv6 module 46 securing laptop computers
Ce hv6 module 46 securing laptop computers
 
File000121
File000121File000121
File000121
 
Ce hv6 module 66 security convergence
Ce hv6 module 66 security convergenceCe hv6 module 66 security convergence
Ce hv6 module 66 security convergence
 
02 Types of Computer Forensics Technology - Notes
02 Types of Computer Forensics Technology - Notes02 Types of Computer Forensics Technology - Notes
02 Types of Computer Forensics Technology - Notes
 
Ceh v5 module 17 physical security
Ceh v5 module 17 physical securityCeh v5 module 17 physical security
Ceh v5 module 17 physical security
 
Understanding computer investigation
Understanding computer investigationUnderstanding computer investigation
Understanding computer investigation
 
Anti-Forensic Rootkits
Anti-Forensic RootkitsAnti-Forensic Rootkits
Anti-Forensic Rootkits
 
Cyber Forensics Overview
Cyber Forensics OverviewCyber Forensics Overview
Cyber Forensics Overview
 
What Happens When You Press that Button?
What Happens When You Press that Button?What Happens When You Press that Button?
What Happens When You Press that Button?
 
computer forensic tools-Hardware & Software tools
computer forensic tools-Hardware & Software toolscomputer forensic tools-Hardware & Software tools
computer forensic tools-Hardware & Software tools
 
Linux forensics
Linux forensicsLinux forensics
Linux forensics
 
Tisa mobile forensic
Tisa mobile forensicTisa mobile forensic
Tisa mobile forensic
 

Viewers also liked

Aprende html efectivo - Resumen Capítulo 1
Aprende html efectivo - Resumen Capítulo 1Aprende html efectivo - Resumen Capítulo 1
Aprende html efectivo - Resumen Capítulo 1Juanjo Bote
 
Regular expressions in oracle
Regular expressions in oracleRegular expressions in oracle
Regular expressions in oracleLogan Palanisamy
 
Regex Presentation
Regex PresentationRegex Presentation
Regex Presentationarnolambert
 
The design of forensic computer workstations
The design of forensic computer workstationsThe design of forensic computer workstations
The design of forensic computer workstationsjkvr100
 
MattockFS Computer Forensic File-System
MattockFS Computer Forensic File-SystemMattockFS Computer Forensic File-System
MattockFS Computer Forensic File-SystemRob Meijer
 
Computer forensic ppt
Computer forensic pptComputer forensic ppt
Computer forensic pptOnkar1431
 
3 Steps to Fix Your Customer Support Strategy
3 Steps to Fix Your Customer Support Strategy3 Steps to Fix Your Customer Support Strategy
3 Steps to Fix Your Customer Support StrategyLogMeIn
 
Electornic evidence collection
Electornic evidence collectionElectornic evidence collection
Electornic evidence collectionFakrul Alam
 
Forensic Science - 01 What is forensic science?
Forensic Science - 01 What is forensic science?Forensic Science - 01 What is forensic science?
Forensic Science - 01 What is forensic science?Ian Anderson
 
Elements Of Forensic Science
Elements Of Forensic ScienceElements Of Forensic Science
Elements Of Forensic Scienceannperry09
 
Software utilitario presentacion
Software utilitario presentacionSoftware utilitario presentacion
Software utilitario presentacionJavierReyesCastillo
 
Computer forensic
Computer forensicComputer forensic
Computer forensicbhavithd
 
BoyarMiller - You Lost Me At Gigabyte: Working with Computer Forensic Examiners
BoyarMiller - You Lost Me At Gigabyte: Working with Computer Forensic ExaminersBoyarMiller - You Lost Me At Gigabyte: Working with Computer Forensic Examiners
BoyarMiller - You Lost Me At Gigabyte: Working with Computer Forensic ExaminersBoyarMiller
 

Viewers also liked (20)

Aprende html efectivo - Resumen Capítulo 1
Aprende html efectivo - Resumen Capítulo 1Aprende html efectivo - Resumen Capítulo 1
Aprende html efectivo - Resumen Capítulo 1
 
Presentacion de dropbox
Presentacion de dropboxPresentacion de dropbox
Presentacion de dropbox
 
Resumen de DropBox
Resumen de DropBoxResumen de DropBox
Resumen de DropBox
 
Bio2#8
Bio2#8Bio2#8
Bio2#8
 
Regular expressions in oracle
Regular expressions in oracleRegular expressions in oracle
Regular expressions in oracle
 
Logmein presentación
Logmein presentaciónLogmein presentación
Logmein presentación
 
Regex Presentation
Regex PresentationRegex Presentation
Regex Presentation
 
The design of forensic computer workstations
The design of forensic computer workstationsThe design of forensic computer workstations
The design of forensic computer workstations
 
MattockFS Computer Forensic File-System
MattockFS Computer Forensic File-SystemMattockFS Computer Forensic File-System
MattockFS Computer Forensic File-System
 
Computer forensic ppt
Computer forensic pptComputer forensic ppt
Computer forensic ppt
 
3 Steps to Fix Your Customer Support Strategy
3 Steps to Fix Your Customer Support Strategy3 Steps to Fix Your Customer Support Strategy
3 Steps to Fix Your Customer Support Strategy
 
Electornic evidence collection
Electornic evidence collectionElectornic evidence collection
Electornic evidence collection
 
Capturing forensics image
Capturing forensics imageCapturing forensics image
Capturing forensics image
 
Presentación dropbox
Presentación dropboxPresentación dropbox
Presentación dropbox
 
Utilitarios
UtilitariosUtilitarios
Utilitarios
 
Forensic Science - 01 What is forensic science?
Forensic Science - 01 What is forensic science?Forensic Science - 01 What is forensic science?
Forensic Science - 01 What is forensic science?
 
Elements Of Forensic Science
Elements Of Forensic ScienceElements Of Forensic Science
Elements Of Forensic Science
 
Software utilitario presentacion
Software utilitario presentacionSoftware utilitario presentacion
Software utilitario presentacion
 
Computer forensic
Computer forensicComputer forensic
Computer forensic
 
BoyarMiller - You Lost Me At Gigabyte: Working with Computer Forensic Examiners
BoyarMiller - You Lost Me At Gigabyte: Working with Computer Forensic ExaminersBoyarMiller - You Lost Me At Gigabyte: Working with Computer Forensic Examiners
BoyarMiller - You Lost Me At Gigabyte: Working with Computer Forensic Examiners
 

Similar to File000173

Security Walls in Linux Environment: Practice, Experience, and Results
Security Walls in Linux Environment: Practice, Experience, and ResultsSecurity Walls in Linux Environment: Practice, Experience, and Results
Security Walls in Linux Environment: Practice, Experience, and ResultsIgor Beliaiev
 
Group project linux helix
Group project linux helixGroup project linux helix
Group project linux helixJeff Carroll
 
Threats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxThreats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxAmitesh Bharti
 
My freeware-shareware-programs2205
My freeware-shareware-programs2205My freeware-shareware-programs2205
My freeware-shareware-programs2205mark scott
 
Chapter 8 Common Forensic ToolsOverviewIn this chapter, youl.docx
Chapter 8 Common Forensic ToolsOverviewIn this chapter, youl.docxChapter 8 Common Forensic ToolsOverviewIn this chapter, youl.docx
Chapter 8 Common Forensic ToolsOverviewIn this chapter, youl.docxchristinemaritza
 
Forensics Analysis
Forensics AnalysisForensics Analysis
Forensics Analysiskemal alturk
 
Linux fundamentals Training
Linux fundamentals TrainingLinux fundamentals Training
Linux fundamentals TrainingLove Steven
 
Debian Linux as a Forensic Workstation
Debian Linux as a Forensic Workstation Debian Linux as a Forensic Workstation
Debian Linux as a Forensic Workstation Vipin George
 
Introduction to char device driver
Introduction to char device driverIntroduction to char device driver
Introduction to char device driverVandana Salve
 
CarolinaCon 2008 Rootkits Then and Now
CarolinaCon 2008 Rootkits Then and NowCarolinaCon 2008 Rootkits Then and Now
CarolinaCon 2008 Rootkits Then and NowTyler Shields
 
Role of a Forensic Investigator
Role of a Forensic InvestigatorRole of a Forensic Investigator
Role of a Forensic InvestigatorAgape Inc
 
Unix Web servers and FireWall
Unix Web servers and FireWallUnix Web servers and FireWall
Unix Web servers and FireWallwebhostingguy
 
Lec9chap8f04
Lec9chap8f04Lec9chap8f04
Lec9chap8f04screaminc
 
linux system and network administrations
linux system and network administrationslinux system and network administrations
linux system and network administrationshaile468688
 

Similar to File000173 (20)

Deft v7
Deft v7Deft v7
Deft v7
 
Ceh v5 module 18 linux hacking
Ceh v5 module 18 linux hackingCeh v5 module 18 linux hacking
Ceh v5 module 18 linux hacking
 
Security Walls in Linux Environment: Practice, Experience, and Results
Security Walls in Linux Environment: Practice, Experience, and ResultsSecurity Walls in Linux Environment: Practice, Experience, and Results
Security Walls in Linux Environment: Practice, Experience, and Results
 
Assingment 5 - ENSA
Assingment 5 - ENSAAssingment 5 - ENSA
Assingment 5 - ENSA
 
Group project linux helix
Group project linux helixGroup project linux helix
Group project linux helix
 
Deft
DeftDeft
Deft
 
Threats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxThreats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in Linux
 
My freeware-shareware-programs2205
My freeware-shareware-programs2205My freeware-shareware-programs2205
My freeware-shareware-programs2205
 
Chapter 8 Common Forensic ToolsOverviewIn this chapter, youl.docx
Chapter 8 Common Forensic ToolsOverviewIn this chapter, youl.docxChapter 8 Common Forensic ToolsOverviewIn this chapter, youl.docx
Chapter 8 Common Forensic ToolsOverviewIn this chapter, youl.docx
 
Forensic imaging
Forensic imagingForensic imaging
Forensic imaging
 
Forensics Analysis
Forensics AnalysisForensics Analysis
Forensics Analysis
 
Linux fundamentals Training
Linux fundamentals TrainingLinux fundamentals Training
Linux fundamentals Training
 
Debian Linux as a Forensic Workstation
Debian Linux as a Forensic Workstation Debian Linux as a Forensic Workstation
Debian Linux as a Forensic Workstation
 
Introduction to char device driver
Introduction to char device driverIntroduction to char device driver
Introduction to char device driver
 
CarolinaCon 2008 Rootkits Then and Now
CarolinaCon 2008 Rootkits Then and NowCarolinaCon 2008 Rootkits Then and Now
CarolinaCon 2008 Rootkits Then and Now
 
Role of a Forensic Investigator
Role of a Forensic InvestigatorRole of a Forensic Investigator
Role of a Forensic Investigator
 
Unix Web servers and FireWall
Unix Web servers and FireWallUnix Web servers and FireWall
Unix Web servers and FireWall
 
Linux
Linux Linux
Linux
 
Lec9chap8f04
Lec9chap8f04Lec9chap8f04
Lec9chap8f04
 
linux system and network administrations
linux system and network administrationslinux system and network administrations
linux system and network administrations
 

More from Desmond Devendran (20)

Siam key-facts
Siam key-factsSiam key-facts
Siam key-facts
 
Siam foundation-process-guides
Siam foundation-process-guidesSiam foundation-process-guides
Siam foundation-process-guides
 
Siam foundation-body-of-knowledge
Siam foundation-body-of-knowledgeSiam foundation-body-of-knowledge
Siam foundation-body-of-knowledge
 
Enterprise service-management-essentials
Enterprise service-management-essentialsEnterprise service-management-essentials
Enterprise service-management-essentials
 
Service Integration and Management
Service Integration and Management Service Integration and Management
Service Integration and Management
 
Diagram of iso_22301_implementation_process_en
Diagram of iso_22301_implementation_process_enDiagram of iso_22301_implementation_process_en
Diagram of iso_22301_implementation_process_en
 
CHFI 1
CHFI 1CHFI 1
CHFI 1
 
File000176
File000176File000176
File000176
 
File000172
File000172File000172
File000172
 
File000171
File000171File000171
File000171
 
File000170
File000170File000170
File000170
 
File000169
File000169File000169
File000169
 
File000168
File000168File000168
File000168
 
File000167
File000167File000167
File000167
 
File000166
File000166File000166
File000166
 
File000165
File000165File000165
File000165
 
File000164
File000164File000164
File000164
 
File000163
File000163File000163
File000163
 
File000162
File000162File000162
File000162
 
File000161
File000161File000161
File000161
 

Recently uploaded

Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 

Recently uploaded (20)

Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
  • 1. Module LX - Computer Forensic Tools
  • 2. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited News: Linux Tool Speeds up Computer Forensics for Cops Source: http://news.zdnet.com/
  • 3. Module Objective: This module will familiarize you with: Software Computer Forensic Tools • Visual TimeAnalyzer • Evidor • Forensic Sorter • Directory Snoop • Decryption Collection Enterprise • Prodiscover DFT • R-Tools • Forensic Toolkit • EnCase® Forensic • SIM Card Seizure • PE Explorer; Hardware Computer Forensic Tools • PDBlock • Firewire Drivedock • Write Protect Card Reader • ImageMASSter Solo-3 IT
  • 4. Module Flow: Visual TimeAnalyzer • Evidor • Forensic Sorter • Directory Snoop • Decryption Collection Enterprise • Prodiscover DFT • R-Tools • Forensic Toolkit • EnCase® Forensic • SIM Card Seizure • PE Explorer • PDBlock • Firewire Drivedock • Write Protect Card Reader • ImageMASSter Solo-3 IT
  • 5. Software Computer Forensic Tools; Hardware Computer Forensic Tools
  • 6. Visual TimeAnalyzer http://www.neuber.com/timeanalyzer/ Visual TimeAnalyzer automatically tracks all computer usage and presents detailed and illustrated reports
  • 7. X-Ways Forensics http://www.x-ways.net/ X-Ways Forensics is an advanced work environment for computer forensic examiners. Features of X-Ways Forensics: • Disk cloning and imaging, even under DOS with X-Ways Replica (forensically sound) • Examine the complete directory structure inside raw image files, even spanned over several segments • Native support for FAT, NTFS, Ext2/3, CDFS, UDF • Built-in interpretation of RAID 0 and RAID 5 systems and dynamic disks • View and dump physical RAM and the virtual memory of running processes • Various data recovery techniques and file carving • Hard disk cleansing to produce forensically sterile media • Gather slack space, free space, inter-partition space, and generic text from drives and images
  • 8. X-Ways Forensics: Screenshot 1
  • 9. X-Ways Forensics: Screenshot 2
  • 10. Evidor http://www.x-ways.net/ Evidor is a small subset of just the search functionality in X-Ways Forensics. It allows searching for text on hard disks and retrieves the context of keyword occurrences on computer media. It examines the entire allocated space, even Windows swap/paging and hibernate files, and the currently unallocated space of the hard disk. It finds data from files that have been deleted, if physically still existing. It cannot access remote networked hard disks
  • 11. Evidor: Screenshot 1
  • 12. Evidor: Screenshot 2
  • 13. Slack Space and Data Recovery Tools: Ontrack http://www.ontrackdatarecovery.com/ Ontrack EasyRecovery™ software products provide complete solutions for data recovery, file repair, and disk diagnostics. It allows the investigator to recover deleted files, folders, and complete partitions quickly and easily, making it the ultimate do-it-yourself solution for causes of data loss. EasyRecovery™ DataRecovery software: • Repairs and restores corrupt or inaccessible Microsoft® Office and Zip files into readable files. EasyRecovery™ Professional software: • It includes the capabilities of EasyRecovery DataRecovery, EasyRecovery FileRepair and EasyRecovery EmailRepair • General capabilities: data recovery, file repair, disk diagnostics
  • 14. Ontrack EasyRecovery Professional: Screenshot 1
  • 15. Ontrack EasyRecovery Professional: Screenshot 2
  • 16. Data Recovery Tools: Forensic Sorter classifies data into 14 different categories, recovers deleted files, and Filters Out Common Hashes (FOCH) (Source: http://www.paraben-forensics.com/). Directory Snoop is a cluster-level search tool that allows Windows users to snoop FAT and NTFS formatted disk drives to see the data hidden in the cracks (Source: http://www.briggsoft.com/)
  • 17. Permanent Deletion of Files: PDWIPE http://www.digitalintelligence.com/ PDWIPE (Physical Drive WIPE) is a DOS application capable of wiping large hard drives with a capacity greater than 8.4 Gb in a short time. It supports any drive which is accessible to the system via Interrupt 13 or the MS/IBM Interrupt 13 Extensions. It has three basic modes of operation: • Command line interactive • Command line confirmation • Batch file operation
  • 18. Permanent Deletion of Files: Darik's Boot and Nuke (DBAN) http://www.dban.org/ Darik's Boot and Nuke ("DBAN") is a self-contained boot floppy that securely wipes the hard disks of most computers. It automatically and completely deletes the contents of any hard disk that it detects. It is a way of preventing identity theft and a good way of cleaning a Microsoft Windows installation of viruses and spyware
  • 19. DBAN: Screenshot
  • 20. File Integrity Checker: FileMon monitors and displays file system activity on a system in real time (Source: http://technet.microsoft.com/). File Date Time Extractor looks through binary files, 'sniffing out' hidden, embedded 64-bit dates and times (Source: http://www.digital-detective.co.uk/)
  • 21. File Integrity Checker: The Decode - Forensic Date/Time Decoder utility was designed to decode the various date/time values found embedded within binary and other file types (Source: http://www.digital-detective.co.uk/)
  • 22. Disk Imaging Tools: Snapback Datarrest http://www.snapback.com/ The 'Snapback Datarrest' software has a user-friendly interface backed by powerful operation to create mirror images of a variety of operating systems. It performs successful back-up and restoration. It is compatible with all IBM computers containing any OS. If a DOS floppy is booted, data can be seized quickly, accurately, and completely. It gathers every bit from the hard drive
  • 23. Partition Managers: Partimage http://www.partimage.org/ Partimage is a Linux/UNIX utility that saves partitions having a supported file system to an image file. The image file can be compressed with the gzip/bzip2 programs to save disk space. It supports the file systems: • Ext2fs/Ext3fs • Reiser3 • FAT16/32 • HPFS, JFS, UFS • XFS, HFS • NTFS
  • 24. Partimage: Screenshot 1
  • 25. Linux/Unix Tools: Ltools http://www.it.hs-esslingen.de/ • Ltools accesses Linux files from Windows 9x/ME and Windows NT/2000/XP • It consists of a set of command line tools for reading and writing Linux ReiserFS, ext2, and ext3 file systems • It has Java and .NET based GUIs and an Explorer-like interface in a Web browser, providing remote access to file systems • It can be used in a DOS environment to repair Linux if the Linux system does not boot
  • 26. Ltools: Screenshot
  • 27. Linux/Unix Tool: Mtools http://www.gnu.org/ • Mtools is a collection of utilities to access MS-DOS disks from Unix without mounting them • It supports Win'95 style long file names, OS/2 Xdf disks and 2m disks (storing up to 1992k on a high density 3 1/2" disk) • It handles the long filenames of Windows NT and Windows 95
  • 28. Password Recovery Tool: @stake reduces security risk by helping administrators to remove vulnerabilities caused by weak or easily guessed passwords (Source: http://www.securityfocus.com/). Decryption Collection recovers more passwords, from more programs, in a shorter amount of time using methods such as the advanced Xieve™ attack method (Source: http://www.paraben-forensics.com/)
  • 29. Password Recovery Tool: The AIM Password Decoder utility was designed to decrypt the login password for AOL Instant Messenger. The MS Access Database Password Decoder utility was designed to decrypt the master password stored in a Microsoft Access database (Source: http://www.digital-detective.co.uk/)
  • 30. Internet History Viewer: CookieView - Cookie Decoder was originally written as an external viewer for Encase or iLook. Cookie Viewer discovers the information that web sites store on the computer (Source: http://www.digital-detective.co.uk/)
  • 31. Internet History Viewer: Cache View is a viewer for the Netscape Navigator, Mozilla and Firefox, Opera, and Internet Explorer web caches. The FavURLView utility decodes Internet Shortcut (*.URL) files to allow the user to compare the Shortcut Description with the actual link (Source: http://www.digital-detective.co.uk/)
  • 32. Internet History Viewer http://www.digital-detective.co.uk/ NetAnalysis automatically rebuilds HTML web pages from an extracted cache
  • 33. Multipurpose Tools: Maresware http://www.dmares.com/ The Maresware suite provides an essential set of tools for investigating computer records plus powerful data analysis capabilities. It is used in computer forensics for purposes such as: • Discovery of "hidden" files (such as NTFS Alternate Data Streams) • Incident response and evaluation of timelines • Powerful keyword searching and comparing and file verification • Forensic diskette imaging • Drive wiping for information privacy and security • Disk wiping to overwrite a hard drive to DOD standards • Completely documenting the examiner's steps and procedures
  • 34. Multipurpose Tools: LC Technologies Software. The LC Technologies Software comprises the software/tools below: • Photorecovery: It is designed to recover images, movies, and sound files from various types of digital media • File RecoveryPro: It scans and finds lost partitions, boot sectors, and other file system components • FILExtinguisher: This tool completely removes data from disks to avoid passing on private/secret information • SanDisk RescuePRO: It recovers all kinds of data from the hard disk • Data Recovery Kit: It allows fast, safe, and reliable file recovery within the Windows environment • Intelli-SMART: It is software used for reporting
  • 35. Intelli-SMART: Screenshot
  • 36. Multipurpose Tools: Winhex Specialist Edition. WinHex is a hexadecimal editor, helpful in the realm of computer forensics, data recovery, low-level data processing, and IT security (Source: http://www.x-ways.net/). Prodiscover is a law enforcement tool used to find all the data on a computer disk while protecting evidence and creating evidentiary quality reports (Source: http://www.techpathways.com/)
  • 37. Toolkits: NTI Tools http://www.forensics-intl.com/ Some of the important NTI tools: • AnaDisk: It is a floppy diskette analysis tool for security reviews and to identify data storage pattern anomalies • DiskScrub: It is a utility that is used to securely destroy computer data on a disk drive • GetSlack: It captures data stored in the file slack associated with all of the files on a target computer hard disk drive • NTA Stealth: It determines the past Internet-based computer usage of a specific computer system • SafeBack 3.0: It is hard disk bit-stream backup software
  • 38. Toolkits: R-Tools http://www.r-tt.com/ R-Tools Technology Inc. is a provider of forensic utilities for the Windows OS family • R-Studio: It is undelete and data recovery software recovering files from FAT12/16/32, NTFS, NTFS5, HFS/HFS+ (Macintosh), and Little and Big Endian variants of UFS1/UFS2 • R-Undelete: It is a file undelete solution for FAT and NTFS file systems • R-Drive Image: It is drive image and backup software that creates disk image files with exact, byte-by-byte copies of a hard drive, partition or logical disk • R-Firewall: It protects computers present in a local network and/or connected to the Internet against intrusions, attacks, Trojans, spyware, and other external and internal threats
  • 39. Toolkits: R-Tools (cont'd) • R-Guard: It is a data security tool for advanced access right control, encryption, and audit • R-Mail: It recovers damaged files and deleted messages created by Microsoft Outlook and Microsoft Outlook Express software • R-Word: It is designed to recover corrupted Microsoft Word documents • R-Wipe&Clean: It deletes private records of the user's on-line and off-line activities, such as temporary internet files, history, cookies, passwords, swap files, etc. • R-Linux: It is a file recovery utility for the Ext2FS file system used in the Linux OS and several Unix versions
  • 40. R-Tools: Screenshot (R-Studio, R-Guard)
  • 41. R-Tools: Screenshot (cont'd) (R-Mail, R-Wipe&Clean)
  • 42. Toolkits: Datalifter http://www.datalifter.com/ DataLifter is a forensics toolkit built by StepaNet Communications Inc. It has a set of 10 tools that help in forensic investigations. It has two versions: DataLifter v2.0 and DataLifter.Net Bonus. The utilities that are grouped together along with DataLifter include: • Active reports, Disk2File, File extraction, Image linker • Internet history, File signature generator, Email retriever • Ping/Trace route/WHOIS, Recycle Bin history, Screen capture
  • 43. Datalifter: Screenshot
  • 44. Toolkits: AccessData http://www.accessdata.com/ AccessData contains a set of programs used for computer forensics such as: • Password Recovery Toolkit: The Password Recovery Toolkit recovers passwords from well-known applications • Distributed Network Attack: It recovers the password for protected files • Registry Viewer: Registry Viewer views independent registry files and generates reports • Wipe Drive: Wipe Drive is used to overwrite and remove all the data present in a computer
  • 45. FTK – Forensic Toolkit http://www.accessdata.com/ Forensic Toolkit (FTK) offers forensic professionals the ability to complete a task systematically by providing accurate information. It has full text indexing, advanced searching, deleted file recovery, data carving, email, and graphics analysis. Features: • An integrated solution • Integrated Oracle database and enhanced searching • Powerful processing speed • Intuitive interface and functionality
  • 46. Image MASSter Solo and FastBloc • Image MASSter Solo: It is a hard drive duplicator for workstation cloning. It can load any operating system and application software including Windows95/98, NT, SCO, Unix, OS/2, and Mac OS (Source: http://www.ics-iq.com/) • FastBloc: It is data acquisition software which connects through an IDE channel and does not require SCSI controller cards or SCSI drivers. The common IDE write-blocked architecture allows data from any IDE hard drive to be gathered safely in the Windows OS (Source: http://www.guidancesoftware.com/)
  • 47. EnCase® Forensic http://www.guidancesoftware.com/ EnCase® provides investigators with a single tool, capable of conducting large-scale and complex investigations from beginning to end. Features of EnCase: • Acquires data in a forensically sound manner using software with an unparalleled record in courts worldwide • Investigates and analyzes multiple platforms • Finds information despite efforts to hide, cloak or delete it • Manages large volumes of computer evidence • Transfers evidence files directly to law enforcement or legal representatives as necessary
  • 48. EnCase® Forensic: Screenshot 1
  • 49. EnCase® Forensic: Screenshot 2
  • 50. EnCase® Forensic: Screenshot 3
  • 51. Email Recovery Tools: E-mail Examiner is an e-mail examination tool that recovers active and deleted mail messages. Network E-mail Examiner allows the investigator to examine Microsoft Exchange (EDB), Lotus Notes (NSF), and GroupWise e-mail stores (Source: http://www.paraben-forensics.com/)
  • 52. Case Agent Companion http://www.paraben-forensics.com/ Paraben's Case Agent Companion is designed to optimize both the time of the forensic examiner and of the agent working the case. It has built-in viewers for over 225 file formats, searching, and reporting that make the forensic process faster, more efficient, and more effective. Features of Case Agent Companion: • Enhanced reporting options for professional and comprehensive output of examined data • Customized by the examiner so each case can be loaded based on the specifics of that case • Note taking and bookmarking capabilities built in for easy reference to examined data • Case logging feature tracks all parts of the analysis in a detailed log file
  • 53. Case Agent Companion: Screenshot
  • 54. Chat Examiner http://www.paraben-forensics.com/ Chat Examiner is a specialized tool to perform a thorough analysis of chat logs
  • 55. Paraben Hard Drive Forensics: Forensic Replicator http://www.paraben-forensics.com/ Paraben's Forensic Replicator is used for bit-stream imaging of hard drives and media. It acquires a wide range of electronic media, from a floppy to a hard disk. Captured images can be compressed, segmented, and easily read into forensic analysis programs. Forensic Replicator features: • Support for creating and viewing VHD (Virtual Hard Disk) • Support for WiebeTech write block devices • Support for viewing Linux EXT2 and EXT3 partitions • Creates bit-stream images of removable media, partitions, or an entire physical hard drive • Creates images of USB micro drives
  • 56. Forensic Replicator: Screenshot
  • 57. Registry Analyzer http://www.paraben-forensics.com/ Paraben's Registry Analyzer is a component of Paraben's P2 forensic collection and is used for viewing, analyzing, and reporting on Windows registry files
  • 58. ASR Data's SMART http://www.asrdata.com/SMART/ SMART is a software utility that has been designed and optimized to support data forensic practitioners and Information Security personnel in pursuit of their respective duties and goals. Features of SMART: • On-site or remote preview of a target system • Post mortem analysis of dead systems • Testing and verification of other forensic programs • Conversion of proprietary "evidence file" formats • "Knock-and-talk" inquiries and investigations
  • 59. SMART: Screenshot 1
  • 60. SMART: Screenshot 2
  • 61. Oxygen Phone Manager http://www.oxygensoftware.com/ Oxygen Phone Manager supports all models of Nokia mobile phone. It supports different connection types such as InfraRed, Bluetooth, and various USB connections. It backs up and restores all information from the mobile phone. Highly customizable imports. Export of the phonebook to all the popular formats. Supports three storage types: SIM card, phone memory and disk
  • 62. Oxygen Phone Manager: Screenshot 1 (Main Window, SMS Manager)
  • 63. Oxygen Phone Manager: Screenshot 2
  • 64. SIM Card Seizure http://www.paraben-forensics.com/ SIM Card Seizure is a tool that analyzes SIM card data and recovers deleted data
  • 65. Text Searcher http://www.paraben-forensics.com/ Paraben's Text Searcher is a text searching tool that will make any forensic examiner more effective and more efficient
  • 66. Autoruns http://technet.microsoft.com/ Autoruns shows what programs are configured to run during system bootup or login, and shows the entries in the order Windows processes them
  • 67. Autostart Viewer http://www.diamondcs.com.au/ Autostart Viewer allows you to see all known autostarts on your system, all on one screen. It also gives you complete control over the autostart references, and allows you to modify or delete them
  • 68. Belkasoft RemovEx http://belkasoft.com/ Belkasoft RemovEx allows the user to disable Internet Explorer and Windows Explorer plug-ins
  • 69. HashDig http://ftimes.sourceforge.net/ HashDig technology is a collection of utilities designed to help practitioners automate the process of resolving MD5 and SHA1 hashes. It was designed to work in conjunction with FTimes. This method can be implemented quite effectively by manipulating hashes and comparing them to one or more reference databases. The HashDig format: • hash|category. The reverse HashDig format: • category|hash
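As an added illustration of the two HashDig line formats above (example code written for this page, not part of the HashDig or FTimes utilities), the Python below parses both the hash|category and the reverse category|hash format into one lookup table, hashes a set of constructed sample files with MD5 and SHA1, and reports the category each file resolves to. The reference digests, the file contents and the "known"/"suspect" categories are all constructed for the example.

```python
"""Resolve MD5/SHA1 file hashes against HashDig-style reference data.

Added example for this page, not code from the HashDig/FTimes project:
parses "hash|category" and the reverse "category|hash" formats into one
lookup table, then hashes files and reports each file's category.
"""
import hashlib
import string
import tempfile
from pathlib import Path

HASH_HEX_LENGTHS = {32: "md5", 40: "sha1"}  # hex digits per digest type

# Constructed reference data in HashDig format (hash|category): MD5 digests
# of the sample contents written by run_demo(); one entry is uppercase to
# show that lookups are case-insensitive.
SAMPLE_HASHDIG_DB = """\
# hash|category
d41d8cd98f00b204e9800998ecf8427e|known
900150983cd24fb0d6963f7d28e17f72|known
B1946AC92492D2347C6235B4D2611184|suspect
"""

# Constructed reference data in reverse HashDig format (category|hash):
# SHA1 digests of the same sample contents.
SAMPLE_REVERSE_DB = """\
# category|hash
known|da39a3ee5e6b4b0d3255bfef95601890afd80709
suspect|f572d396fae9206628714fb2ce00f72e94f2258f
"""


def is_valid_hash(value: str) -> bool:
    """True for a 32 (MD5) or 40 (SHA1) character hexadecimal string."""
    return len(value) in HASH_HEX_LENGTHS and all(
        c in string.hexdigits for c in value
    )


def parse_hashdig(text: str, reverse: bool = False) -> dict[str, str]:
    """Parse HashDig lines into {hash: category}.

    reverse=False reads "hash|category", reverse=True reads "category|hash".
    Blank lines and '#' comments are skipped and hashes are lowercased; a
    malformed line raises ValueError, because a silently truncated reference
    set would hide matches.
    """
    db: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected exactly one '|'")
        digest, category = (fields[1], fields[0]) if reverse else fields
        digest, category = digest.strip().lower(), category.strip()
        if not is_valid_hash(digest) or not category:
            raise ValueError(f"line {lineno}: bad hash or empty category")
        db[digest] = category
    return db


def hash_file(path: Path, chunk_size: int = 1 << 20) -> tuple[str, str]:
    """Return (md5, sha1) hex digests of a file, read once in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def resolve_category(digests: tuple[str, str], db: dict[str, str]) -> str:
    """Category for an (md5, sha1) pair: 'unknown' if neither digest matches,
    'conflict:a/b' if the two digests resolve to different categories."""
    found = {db[d] for d in digests if d in db}
    if not found:
        return "unknown"
    if len(found) > 1:
        return "conflict:" + "/".join(sorted(found))
    return found.pop()


def run_demo() -> dict[str, str]:
    """Write constructed sample files and resolve them against both sets."""
    db = parse_hashdig(SAMPLE_HASHDIG_DB)
    db.update(parse_hashdig(SAMPLE_REVERSE_DB, reverse=True))
    samples = {  # constructed contents whose digests appear above
        "empty.bin": b"",
        "abc.txt": b"abc",
        "hello.txt": b"hello\n",
        "other.txt": b"not in any reference set\n",
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in samples.items():
            path = Path(tmp) / name
            path.write_bytes(content)
            results[name] = resolve_category(hash_file(path), db)
    return results
```

Files that resolve to a category from a trusted set can be filtered out of an examination (the same idea as Forensic Sorter's FOCH on slide 16), while "unknown" and "conflict" results are the ones that need a closer look.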
  • 70. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Inforenz Forager http://www.deticaforensics.com/ • Identifies relevant data through its highly flexible and sophisticated searches that perform simultaneous high-level and meta-data level filtering • Mines down into .zip container files recursively to obtain meta-data from deeply nested files, as well as providing meta-data from the .zip container files themselves • Generates an index for all or part of your search area to speed up investigations, or to work without the original data • Produces rapid reports on multiple documents, including document time-lines and document history (where available) without needing to open the original application • Allows investigation and analysis of known files without needing to perform a search • Analyzes the history of Microsoft Word and Excel documents created on any platform (including Microsoft Windows and Mac OS) • Provides detailed property values for a growing number of file types Features of Inforenz Forager: Inforenz Forager is a forensic investigation tool that enables to search for, identify, analyze, and report on information about computer files It is the first commercially available forensic investigation tool to collate and link the metadata of different computer files
  • 71. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited KaZAlyser http://www.sandersonforensics.com/ • Lists all database entries in a tabular form • Displays the file integrity tag • Allows the investigator to tag and comment each record • Identifies files that appear (from title, keywords etc.) to be related to Child Pornography • Identifies files that have a known Child Pornography hash value • Identifies all graphics/movie files • Exports the content of a database to a CSV file It provides the following functions: KaZAlyser is the successor to the popular P2PView KaZaA/Morpheus database viewer It provides significant enhancements to the investigation process
  • 72. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited DiamondCS OpenPorts http://www.diamondcs.com.au/ DiamondCS OpenPorts is a command line interface tool that allows to see all open TCP and UDP ports on your system It displays information about the sockets/ports on your system
  • 73. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Pasco http://www.foundstone.com/ Pasco is designed to examine the contents of Internet Explorer's cache files
  • 74. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Patchit http://www.foundstone.com/ MESSAGE <"message"> Displays a message during script execution DIR <"directory path"> Optional directory path to search for files. For compatibility it is advisable not to use specific drive names in the path FILE <"filename"> [filesize] Filename to patch. Optional filesize specifies the size that the file must match to be accepted FIND [<*>]... Performs a search on the current file for the sequence of bytes that match ... up to max 256. Use the keyword * to match any byte. If a match is found then the PATCH file position value is set to the file position at which the found pattern begins Patchit is a file byte-patching utility It can patch sequences of bytes in any file, search for byte patterns (with wildcards) and also extract and utilize DLL exported function addresses The total command list is shown below:
  • 75. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Patchit (cont’d) FUNCTION <"funcname"> Sets the current patch position to the file position of the given exported function name (case sensitive). It is assumed that the file being patched is a DLL PATCH [[POS ] | [OFFSET ]] ... Patches the current file at optional file position/offset. Replaces orig_byte with new_byte. Fails if original byte read from file is not orig_byte COPY <"orig_file"> <"new_file"> Copies "orig_file" to "new_file“ DELETE <"filename"> Deletes the specified file INIFILE <"filemame"> Specifies an INI file to be used in subsequent INI commands. This filename is relative to the last DIR directory path INISECTION <"section"> Specifies an INI section name for use in subsequent INIWRITE commands INIWRITE <"keyname"> <"value"> Writes the given string value to the INI keyname in the previously specified INI file's section
  • 76. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited PE Explorer http://www.pe-explorer.com/ • Works with PE files such as .EXE, .DLL, .SYS, .ACM, .OCX, .DPL, and .BPL • Opens broken or packed files in Safe mode • Verifies PE file's integrity • Supports custom plug-ins to perform any startup processing Features of PE Explorer: PE Explorer tool is used for inspecting the inner workings of user software, third party application and libraries for which user do not have source code Once user select the file that wish to examine, it analyzes the file and displays a summary of the PE header information, and all of the resources contained in the PE file It allows user to explore the specific elements within an executable file
PE Explorer: Screenshot
Figure callouts: Syntax Description Editor; Expert properties display details about the selected function; Log Window; Syntax Details Window
Port Explorer
http://www.diamondcs.com.au/
Port Explorer is the premier port-to-process mapper that allows the user to view all the open network ports/sockets on the system
It is a network monitoring utility with an intuitive GUI that allows the user to monitor all the network activity the computer is involved in
Features of Port Explorer:
• Configurable interface
• Multi-language support
• Hidden server detection
• Port-to-process mapping
• Socket send/receive blocking
• Packet sniffing
• IP-to-country resolving
• Traffic volume reporting
Port Explorer: Screenshot
PowerGREP
http://www.powergrep.com/
PowerGREP is a Windows grep tool that searches through a large number of files on the user's computer or network
Process Explorer
http://technet.microsoft.com/
Process Explorer shows you information about which handles and DLLs processes have opened or loaded
Its display consists of two sub-windows:
• The top window always shows a list of the currently active processes, including the names of their owning accounts
• The bottom window's information depends on the mode that Process Explorer is running in
Features of Process Explorer:
• Support for full handle viewing on Win9x/Me
• Process icons and tree display
• Services process highlighting
• Configurable refresh rate
• Refresh highlighting
• DLL descriptions in the DLL view
• Highlights relocated DLLs
• Jump-to-entry in the find dialog
Process Explorer: Screenshot
PyFLAG
http://www.pyflag.net/
PyFLAG is a web-based tool used for the analysis of large volumes of log files and for forensic investigations
It can be deployed on a central server and shared with a number of users simultaneously
It has the ability to load many different log file formats and to perform forensic analysis of disks and images
It uses a database as a backend to assist in managing the large volumes of data
It analyzes network traffic obtained via tcpdump quickly and efficiently
PyFLAG: Screenshot 1
PyFLAG: Screenshot 2
Registry Analyzing Tool: Regmon
http://technet.microsoft.com/
Regmon is a Registry monitoring utility that shows the user which applications are accessing the Registry, which keys they are accessing, and the Registry data that they are reading and writing, in real time
Reverse Engineering Compiler
http://www.backerstreet.com/
REC is a portable reverse engineering compiler, or decompiler
It reads an executable file and attempts to produce a C-like representation of the code and data used to build the executable file
Features of REC:
• Multitarget: REC can decompile 386, 68k, PowerPC and MIPS R3000 programs
• Multiformat
• Multihost: REC is available for Linux 3.0 (i386), Windows 95 and SunOS 4.1.4
• Supports high-level symbolic information in COFF, ELF+STAB, AOUT+STAB
• Scalable user interaction
• HTTP server mode allows using an HTML browser as the user interface
Reverse Engineering Compiler: Screenshot 1
Reverse Engineering Compiler: Screenshot 2
SafeBack
http://www.forensics-intl.com/safeback.html
SafeBack is used to create mirror-image (bit-stream) backup files of hard disks or to make a mirror-image copy of an entire hard disk drive or partition
The process is analogous to photography and the creation of a photo negative
It is an industry-standard, self-authenticating computer forensics tool that is used to create evidence-grade backups of hard drives
It is a DOS-based utility to back up and restore hard disks
It is used:
• To create evidence-grade backups of hard disk drives on Intel-based computer systems
• To exactly restore archived SafeBack images to another computer hard disk drive of equal or larger storage capacity
• As an evidence preservation tool in law enforcement and civil litigation matters
• As an intelligence gathering tool by military agencies
TapeCat
http://www.sandersonforensics.com/
TapeCat is a Windows-based tape forensics package
It has the following functionality:
• Creates a FAT-formatted image file and extracts the content of an archive tape directly into the image file for subsequent direct import into forensic investigation tools such as EnCase or ILook
• Extracts the contents of an archive tape to disk (i.e. restore), maintaining file dates and times
• Displays a catalogue of all volumes on a given tape (supported formats only)
• Supports out-of-sequence backup tapes (NTBackup and Backup Exec only)
• Filters (includes or excludes) files based on file extension, file signature, and hash values, to search for known files or exclude known files
• Extracts only unique files
• Raw-dumps the contents of a tape to disk
• Duplicates tape to tape
• Duplicates via hard disk
• Creates tape images
• Maintains a forensic log of all activity
Vision
http://www.foundstone.com/
Vision is a host-based forensics tool that shows all of the open TCP and UDP ports on a machine, displays the service that is active on each port, and maps the ports to their respective applications
Hardware Computer Forensic Tools
Software Computer Forensic Tools
Hardware Computer Forensic Tools
List of hardware computer forensics tools:
• PDBlock
• Write-blocker
• NoWrite
• FireWire DriveDock
• Write Protect Card Reader
• Serial-ATA DriveLock Kit
• ImageMASSter Solo-3 IT
• ImageMASSter 4002i
• ImageMASSter 3002SCSI
• ImageMASSter 3004SATA
Hard Disk Write Protection Tools: PDBlock and Write-blocker
http://www.digitalintelligence.com/
PDBlock
• PDBlock is designed to prevent unexpected writes to a physical disk drive
• It write-protects hard disks on a system and prevents write requests to particular hard disks on a system
• It has an option to select specific write-protected hard drives
• It safeguards any particular drive accessed from the system through Interrupt 13 or the MS/IBM Interrupt 13 extensions
Write-blocker
• Write-blocker prevents data from being written to a hard disk during investigations
• It allows the forensic examiner simple access to download, examine and investigate the data present in a system
Hard Disk Write Protection Tools: NoWrite
http://www.mykeytech.com/nowrite.html
NoWrite is a write blocker for IDE hard drives
Features:
• True IDE-to-IDE connections
• Transparent to hardware and software
• Blocks any writes to the drive
• Supports large drives (130+ GB)
• Supports identifying the host protected area
Figure: NoWrite
Hard Disk Write Protection Tools: FireWire DriveDock
http://www.wiebetech.com/
Wiebetech's FireWire DriveDock v4 is a forensic tool for investigators who deal with bare 3.5" IDE drives
This tool attaches drives through dual FireWire 400 or USB, which allows daisy-chaining for more versatility
Features of Wiebetech's FireWire DriveDock:
• Dual FireWire 400 ports for daisy chaining
• USB 2.0 port for attachment of USB hosts
• Disk Drive Power In LED for powering from standard 4-pin drive power connectors
• FireWire Host Detection LED to identify valid FireWire host attachment
• USB Host Detection LED to identify USB attachment
Figure: FireWire DriveDock
Write Protect Card Reader
http://www.ics-iq.com/
Write Protect Card Reader transfers data to a PC from a digital camera, digital camcorder, PDA, MP3 player, or digital voice recorder
It can read multiple types of flash memory while blocking any writes to them
Features of Write Protect Card Reader:
• USB 2.0 connection
• Backward compatible with USB 1.1
• Complete plug and play
• Reads 12 different popular digital media
• Can read data from four different media simultaneously
• Maximum data throughput up to 480 Mbits/sec
• Unique icon for each media type under the My Computer folder
• Small enough to fit in most jacket pockets
• Bus powered, no AC adapter needed
Figure: Write Protect Card Reader
Serial-ATA DriveLock Kit
http://www.ics-iq.com/
The Drive Lock S-ATA device is a hardware write-protect solution which prevents data writes to S-ATA and P-ATA hard disk drives
It is designed to block write commands sent to the hard drive while it is previewed or duplicated
Features:
• Write protection through P-ATA and S-ATA interfaces
• Multiple media support
• High-speed operation
• Ease of use and portability
Figure: Serial-ATA DriveLock Kit
ImageMASSter Solo-3 IT
http://www.ics-iq.com/
The ImageMASSter Solo-3 IT is a complete, inclusive high-speed data duplication tool that integrates all the latest advanced features in data imaging
It can copy data from IDE and laptop drives, Serial ATA and SCSI drives, as well as flash cards
Features of ImageMASSter Solo-3 IT:
• MD5 and CRC32 hashing
• Touch screen user interface
• Copy to two target drives simultaneously
• Multiple media support
Figure: ImageMASSter Solo-3 IT
ImageMASSter 4002i
http://www.ics-iq.com/
The ImageMASSter 4002i provides the tools necessary to mass-duplicate regular and notebook P-ATA and S-ATA hard drives for high-volume drive deployments
It can duplicate to 2 drives simultaneously at speeds greater than 2 GB/min
Features of ImageMASSter 4002i:
• Copy to multiple drives simultaneously
• Copy between different drive models and sizes
• 48-bit support
• Multiple user-defined settings
Figure: ImageMASSter 4002i
ImageMASSter 3002SCSI
http://www.ics-iq.com/
The ImageMASSter 3002S hard drive duplicator is a tool for SCSI hard drive duplication
It is designed to copy data from 1 to 2 SCSI hard drives
It supports IDE hard drive duplication as well as Serial ATA hard drive duplication
Features of ImageMASSter 3002S:
• Copy to multiple drives simultaneously
• Multiple media support
• Multiple copy methods
• Bad sector handling
Figure: ImageMASSter 3002SCSI
ImageMASSter 3004SATA
http://www.ics-iq.com/
The ImageMASSter 3004SATA hard drive duplicator is an advanced, cost-effective drive duplicator with multi-data-copy and drive cloning functionalities
Data duplication speeds can exceed 1.6 GB/min
Features of ImageMASSter 3004SATA:
• Duplicates to multiple drives simultaneously
• Multiple copy methods
• WipeOut: erases data on up to 5 SATA hard drives simultaneously
Figure: ImageMASSter 3004SATA
Summary
• This module has provided information on computer forensics software and hardware tools that are important in forensic investigation
• Data recovery plays a crucial role during investigations
• Tools that perform various functions are known as multi-purpose tools