Digital forensics is a scientific field that involves the identification, collection, examination, and analysis of digital data for use as evidence in court. It has several sub-disciplines including computer forensics, network forensics, mobile device forensics, digital image/video/audio forensics, memory forensics, and cloud forensics. The goal of digital forensics is to recover electronic evidence from computers, networks, mobile devices, and digital media in a forensically sound manner.
Digital forensics is a constantly evolving scientific field with many sub-disciplines. Some of these sub-disciplines are:
1) Computer forensics: the identification, preservation, collection, analysis and reporting of evidence found on computers, laptops and storage media, in support of investigations and legal proceedings.
2) Network forensics: the monitoring, capture, storage and analysis of network activity or events in order to discover the source of security attacks, intrusions or other incidents, e.g. worm, virus or malware attacks, abnormal network traffic and security breaches.
3) Mobile device forensics: the recovery of electronic evidence from mobile phones, smartphones, SIM cards, PDAs, GPS devices, tablets and game consoles.
4) Digital image forensics: the extraction and analysis of digitally acquired photographic images to validate their authenticity, for example by recovering the metadata of the image file to ascertain its history.
5) Digital video/audio forensics: the collection, analysis and evaluation of sound and video recordings. The science lies in establishing authenticity: whether a recording is original and whether it has been tampered with, either maliciously or accidentally.
6) Memory forensics: the recovery of evidence from the RAM of a running computer, also called live acquisition.
7) Cloud forensics: the application of digital forensics to crimes committed using cloud services, and their investigation.
Properties that digital evidence must have:
Admissibility: it must conform to common law and legislative rules.
Reliability: the evidence must be of undisputed origin.
Completeness: the evidence should prove the culprit's actions and help to reach a conclusion.
Convincing to judges: the evidence must be convincing to, and understandable by, the judges.
Authentication: the evidence must be real, related to the incident and reliable.
Common techniques in digital forensic analysis:
Cross-drive analysis: correlates information found on multiple hard drives.
Live analysis: takes place inside the operating system while the device or computer is running. It uses system tools to find, analyze and extract volatile data, typically held in RAM or cache.
Recovery of deleted files: searching a computer system and memory for fragments of files that were deleted in one place but left traces elsewhere on the machine.
Stochastic forensics: analyzes and reconstructs digital activity without relying on specific digital artifacts. It is frequently used in data breach investigations where the attacker is thought to be an insider, who may not leave artifacts behind.
Reverse steganography: steganography is a common tactic for hiding data inside any type of digital file, message or data stream. Hidden content can be detected by comparing the hash of the suspect file with that of the original (if available): the two files look identical, but their hashes differ.
ROLE OF FORENSIC INVESTIGATORS
Confirm or dispel whether a resource or network is compromised.
Determine the extent of the damage due to the intrusion.
Answer the questions: who, what, when, where, how and why.
Gather data in a forensically sound manner.
Handle and analyze evidence.
Prepare the report.
Present admissible evidence in court.
Forensic readiness is the ability of an organization to maximize its potential to use digital evidence whilst minimizing the costs of an investigation.
The goals of forensic readiness are:
to gather admissible evidence legally and without interfering with business processes;
to gather evidence targeting the potential crimes and disputes that may adversely impact an organization;
to allow an investigation to proceed at a cost in proportion to the incident;
to minimise interruption to the business from any investigation;
to ensure that evidence makes a positive impact on the outcome of any legal action.
Forensic readiness:
acts in an organization's defence if it is subject to a lawsuit;
is a deterrent to the insider threat;
allows an efficient and rapid investigation to be conducted, and actions to be taken, in the event of a major incident;
can significantly reduce the cost and time of an internal investigation;
can reduce the cost of any court-ordered disclosure, or of a regulatory or legal need to disclose data (e.g. in response to a request under data protection legislation);
demonstrates due diligence and good corporate governance of the company's information assets;
can demonstrate that regulatory requirements have been met;
improves and facilitates the interface to law enforcement, if involved;
improves the prospects of a successful legal action;
provides evidence to resolve a commercial dispute;
supports employee sanctions based on digital evidence (for example, to prove violation of an acceptable use policy).
Steps for forensic readiness planning
1. Define the business scenarios that require digital evidence.
2. Identify available sources and different types of potential evidence.
3. Determine the evidence collection requirement.
4. Establish a capability for securely gathering legally admissible evidence to meet the requirement.
5. Establish a policy for secure storage and handling of potential evidence.
6. Ensure monitoring is targeted to detect and deter major incidents.
7. Specify the circumstances in which escalation to a full formal investigation should be launched.
8. Train staff in incident awareness, so that all those involved understand their role in the digital evidence process and the legal sensitivities of evidence.
9. Document an evidence-based case describing the incident and its impact.
10. Ensure legal review to facilitate action in response to the incident.
Cardinal rules of digital forensics
Never mishandle the evidence (imaging, chain of custody).
Never work on the original evidence (integrity, authenticity and admissibility in court).
Never trust the subject's operating system.
Document all the findings.
Results should be repeatable, reproducible and verifiable by a third party (cryptographic hash value, e.g. MD5 or SHA-1; SHA-256 is preferred today, as MD5 and SHA-1 are no longer collision resistant).
SEARCH AND SEIZURE OF DIGITAL EVIDENCE
Search and seizure preparation phase. Points to settle before the operation:
• Nature of the crime under investigation
• Suspect's technical knowledge
• Location of data storage
• The authorization for the seizure
• Whether forensic images will be obtained on-site or not
• Whether devices will be analyzed on-site
• Use of applications to obtain access passwords
• Authorization to change the passwords of e-mail accounts, social networks, etc.
Equipment preparation
The following is the minimum set of forensic tools that the officer must take into account for a successful search and seizure activity:
Laptop with the necessary standard forensic tools installed
Hardware write blockers
Dongle licenses for the forensic tools
Enough storage media (external HDDs)
Hard disk with extra forensic software, or bootable devices
Tools to dismantle
Screwdrivers (flat, star, hexagonal and others specific to certain models)
Pliers (standard and pointed)
Clamps (for cutting cables)
Small tweezers
Exhibit documentation
Photo or video camera (to take pictures of the scene and of the screen content)
Permanent markers (to code and identify the investigated material)
Labels (to mark and identify parts of the equipment and power supplies)
Evidence tags
Resources needed for packaging and transport / consumables
Evidence bags and seals
Evidence carton boxes for media storage devices such as USB devices, DVDs or CDs
Anti-static zip-lock evidence bags
Faraday bags, to block signals to mobile phones and other devices that may receive data from a mobile or Wi-Fi network
Other items: small torch with stand, gloves, large rubber bands, magnifying glasses, network cables (crossover and straight-through), mask
SEARCH AND SEIZURE EXECUTION PHASE
Secure the scene: remove unauthorized people, locate the devices, check for wireless networks, refuse unauthorized help.
Assessment.
Document the scene: type, brand and model, storage capacity, serial number, state (damaged, on, off, etc.), location, security (access password, PIN), comments.
Collection and handling of digital evidence: whether the equipment was turned off or on, and any modifications made.
Seizure phase: each item uniquely and properly registered and labelled, with the label recording the details of the cloning/copying process; packaging.
Transport: protection from shock, electromagnetic fields, humidity, etc.
Guidelines for collecting volatile data
Avoid tools that use a GUI; command-line tools are best here. Use safe and tested tools you know work.
Create two or three floppy disks (or other write-protected removable media) containing your volatile collection tools, and write-protect them.
Generate a checksum for each of your tools and store the checksums safely within your toolkit, so that every tool can be validated before it is run.
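The guidelines above (trusted, checksummed tools run from your own media, with a record of what was collected) in working form, as an added example that is not part of the original slides. It is written in Python so it runs anywhere; the kit contents, the stand-in tool `listports.py`, the manifest format and the log layout are assumptions made for the example. `runner` is only needed for script tools; native tools such as the Windows .exe utilities listed on the next slide are run directly by their full path.

```python
import hashlib
import json
import os
import subprocess
import sys
import tempfile
import time


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(toolkit_dir):
    """Hash every tool once, when the kit is assembled on a trusted machine."""
    return {name: sha256_of(os.path.join(toolkit_dir, name))
            for name in sorted(os.listdir(toolkit_dir))}


def verify_toolkit(toolkit_dir, manifest):
    """Re-hash the kit on scene; return the tools that no longer match."""
    return [name for name, digest in manifest.items()
            if not os.path.isfile(os.path.join(toolkit_dir, name))
            or sha256_of(os.path.join(toolkit_dir, name)) != digest]


def run_trusted_tool(toolkit_dir, manifest, tool, args, log_dir, runner=()):
    """Run one tool from the kit by its full path (never from the subject's
    PATH), refusing if its checksum differs from the manifest, and log when
    it ran, its arguments and the hash of what it produced."""
    path = os.path.join(toolkit_dir, tool)
    if manifest.get(tool) != sha256_of(path):
        raise RuntimeError(f"refusing to run {tool}: checksum mismatch")
    started = time.time()
    proc = subprocess.run(list(runner) + [path] + list(args),
                          capture_output=True, check=False)
    out_path = os.path.join(log_dir, tool + ".out")
    with open(out_path, "wb") as f:
        f.write(proc.stdout)
    entry = {"tool": tool, "tool_sha256": manifest[tool], "args": list(args),
             "started": started, "finished": time.time(),
             "returncode": proc.returncode, "output": out_path,
             "output_sha256": sha256_of(out_path)}
    with open(os.path.join(log_dir, "collection_log.jsonl"), "a") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def demo():
    """Constructed kit: a stand-in 'port lister' written in Python, not a
    real tool. Returns the log entry and the list of tampered tools found
    after the kit is modified."""
    kit = tempfile.mkdtemp(prefix="kit_")
    logs = tempfile.mkdtemp(prefix="logs_")
    with open(os.path.join(kit, "listports.py"), "w") as f:
        f.write("print('TCP 0.0.0.0:445 LISTENING pid=4')\n")
    manifest = build_manifest(kit)
    entry = run_trusted_tool(kit, manifest, "listports.py", [], logs,
                             runner=(sys.executable,))
    with open(os.path.join(kit, "listports.py"), "a") as f:
        f.write("# trojaned\n")       # simulate a modified tool
    return entry, verify_toolkit(kit, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest belongs on the same write-protected media as the tools, and a printed copy in the case file lets a third party confirm later that the tools run on scene were the ones that were validated.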
Some of the tools for the collection of volatile data are:
Srvcheck.exe: displays the shares on a local or remote machine.
Kill.exe: a Windows Support Tool for terminating a selected task or process.
Rasusers.exe: lists all user accounts on a domain or server that have been granted permission to dial in to the network.
Dumpel.exe: dumps a copy of the Event Viewer logs.
Filemon: displays all file system activity in real time.
Regmon: displays all registry activity in real time (Filemon and Regmon have since been merged into Sysinternals Process Monitor).
Tokenmon: displays logons, logoffs, privilege usage and impersonation.
Handle: displays which files are open by which processes.
ListDLLs: lists all dynamic-link libraries (DLLs) currently loaded, including the version and full path of each loaded module.
Process Explorer: displays open files, processes, registry keys, DLLs and the owners of processes.
MD5sum: generates the checksum of a file and verifies it.
Fport: maps application processes to the network ports they listen on.
TCPView: shows the endpoints of all open TCP and UDP connections.
Cmd.exe: the command prompt for Windows NT/2000.
Whatever the tool, run it from your own write-protected media by full path, not from the subject's system, and record a checksum of its output.
On MBR-partitioned disks there are three types of partitions: primary partitions, extended partitions and logical drives (which live inside an extended partition).
First incident response
A. Powered-off machines
Tag every connection and take a photo.
Search for physical evidence first.
Open the case and locate the storage device(s).
Document enough detail (serial number, size, manufacturer of the disk, etc.).
Seal it properly and proceed with further operations.
B. Live machines with no harmful activity
Take a photo of the current activity first.
Ensure that shutting down the system will not harm the investigation (for example, an encrypted volume that is mounted now may not be accessible after a power-off).
The hibernate option can be beneficial: the contents of RAM are written to disk and the system can be resumed directly after imaging. Note that hibernation itself writes to the evidence disk (hiberfil.sys on Windows), so document that this was done.
C. Live machine with harmful activity going on (destroying data etc.)
Capture a snapshot of the screen and, if time allows, of volatile data.
As soon as possible, remove the power cord to avoid further damage.
Then start imaging the disk.
Disk imaging
In disk imaging we make an exact, bit-for-bit copy of a storage device or one of its partitions, and store it on larger storage media or write it directly to another device.
Integrity of the evidence is established with standard hash algorithms such as MD5 (Message-Digest algorithm 5) and SHA (Secure Hash Algorithm). Since MD5 and SHA-1 are no longer collision resistant, record a SHA-256 digest alongside any legacy MD5/SHA-1 value.
The different tools available for imaging and cloning are:
SOLO 4
Forensic Dossier
SuperSonix
WinHex
FTK Imager
EnCase Forensic Imager
Acronis True Image Home
CloneZilla
DriveImage XML V2.50
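The imaging and hashing step above as an added example, not code from the original slides or from any of the tools listed: a chunked bit-for-bit copy that hashes the source stream while reading it, then re-hashes the written image from disk and compares the two, so that a write error or a later modification of the image is caught. Assumptions: the source is given as a path (in a real acquisition it would be the raw block device behind a write blocker, and the record would also carry the device serial and sector count); MD5 is kept only for comparison with legacy records and SHA-256 is the digest to rely on.

```python
import hashlib
import os
import tempfile


def image_device(src_path, dst_path, block_size=1024 * 1024):
    """Bit-for-bit copy of the source into dst_path, hashing the source
    stream as it is read. Returns (md5_hex, sha256_hex, bytes_copied)."""
    md5, sha256, copied = hashlib.md5(), hashlib.sha256(), 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        for chunk in iter(lambda: src.read(block_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
            dst.write(chunk)
            copied += len(chunk)
    return md5.hexdigest(), sha256.hexdigest(), copied


def hash_file(path, block_size=1024 * 1024):
    """Independent re-read of a file; returns (md5_hex, sha256_hex)."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def verify_image(src_path, dst_path):
    """Image the source, re-hash the image from disk and compare. Returns the
    acquisition record; 'verified' is True only if both digests match."""
    src_md5, src_sha, n = image_device(src_path, dst_path)
    dst_md5, dst_sha = hash_file(dst_path)
    return {"procedure": "image", "source": src_path, "destination": dst_path,
            "bytes": n, "md5": src_md5, "sha256": src_sha,
            "verified": (src_md5, src_sha) == (dst_md5, dst_sha)}


def demo():
    """Constructed stand-in for a seized disk: a temp file with known content,
    not a real device."""
    work = tempfile.mkdtemp(prefix="acq_")
    device = os.path.join(work, "evidence.raw")
    with open(device, "wb") as f:
        f.write(bytes(range(256)) * 4096)          # 1 MiB of known bytes
    return verify_image(device, os.path.join(work, "EVI001A.dd"))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The record returned by verify_image is what goes on the evidence label and in the case file; any later copy made from the image is checked with hash_file against the same digests.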
Precautions for disk imaging
Cloning hardware has a built-in write blocker, so there is no need to connect additional write-blocker hardware; with software imaging tools, a hardware write blocker must sit between the source device and the examination machine.
The original device is never connected directly to the investigation machine; doing so increases the possibility of damage.
The source device should be used only once, and only for imaging. For any further requirement, replicas are made from the first copy, and every copy is verified against the recorded hash.
Recovering deleted files
When a file is deleted, the file system removes it only logically (its metadata and timestamps). The file's content still resides on the disk as a physical entity until it is overwritten.
Retrieving cached files: the cache files of an application can be searched using typical keywords related to the case or to probable websites. Software: Chrome cache viewer.
Retrieving files in unallocated space: a deleted file can be searched for sequentially or structurally by looking for file headers or extensions.
Metadata tools: Meta Viewer, Metadata Analysis, iscrub.
Types of social networking platforms
Media sharing networks
Social networks
Discussion forums
Bookmarking and content curation networks (E/S/E/D: trending content and media)
Consumer review networks (S/R/S: reviews/opinions)
Blogging and publishing networks
Sharing economy networks
Anonymous social networks
The three basic stages of social media forensics
Evidence identification: the social networking accounts of the victim and the culprit.
Collection: manual documentation, screen scrape/screenshot, open-source tools (HTTrack), commercial tools (X1), web services (PageFreezer), forensic recovery, content subpoena.
Examination: social networking footprints (Facebook artifacts, Twitter artifacts, with timestamps).
E-mail forensics
E-mail forensics covers capturing, securing, analyzing and reporting e-mail evidence: studying the source and contents of e-mail messages for evidence, identifying the actual sender and recipient, the date and time the message was sent, etc. It also involves the investigation of client or server computers suspected of being used or misused to carry out e-mail forgery.
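An added example (not the page's code, nor that of any tool listed below) of the header analysis described above, using only Python's standard email module: it reverses the Received chain to find the apparent originating MTA and its IP, and flags sender identity mismatches (From versus Return-Path, Reply-To and Message-ID domains) and Received timestamps that run backwards. The message is constructed for the example. Caveat: only the Received headers written by servers you trust are reliable; everything below them can have been forged by the sender, so the originating IP is an indication to be corroborated with the mail server's own logs, not proof.

```python
import email
import email.utils
import re
from email import policy

IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def received_hops(msg):
    """MTAs prepend Received headers, so the top one is the last hop.
    Reverse them to list hops in delivery order, originating MTA first."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        hdr = str(hdr)
        m = re.search(r"\bfrom\s+(\S+)\s*(?:\(([^)]*)\))?", hdr)
        ip = IP_RE.search(m.group(2) or m.group(1)) if m else None
        when = None
        if ";" in hdr:                       # the date follows the last ';'
            try:
                when = email.utils.parsedate_to_datetime(
                    hdr.rsplit(";", 1)[1].strip())
            except (TypeError, ValueError):
                when = None
        hops.append({"from": m.group(1) if m else None,
                     "ip": ip.group(1) if ip else None, "time": when})
    return hops


def analyze(raw):
    """Return the Received chain, the apparent originating IP and a list of
    consistency flags worth checking against server logs."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = received_hops(msg)
    sender = email.utils.parseaddr(msg.get("From", ""))[1]
    flags = []
    for name, header in (("return_path", "Return-Path"),
                         ("reply_to", "Reply-To"),
                         ("message_id", "Message-ID")):
        value = msg.get(header)
        if value:
            other = (str(value).strip("<> ") if name == "message_id"
                     else email.utils.parseaddr(value)[1])
            if _domain(other) and _domain(other) != _domain(sender):
                flags.append(f"{name}_mismatch")
    times = [h["time"] for h in hops if h["time"]]
    if any(b < a for a, b in zip(times, times[1:])):
        flags.append("received_time_not_monotonic")
    return {"from": sender, "date": str(msg.get("Date")),
            "originating_ip": next((h["ip"] for h in hops if h["ip"]), None),
            "hops": hops, "flags": flags}


# Constructed message for the example: a spoofed "CEO" mail. All addresses
# and IPs are documentation/example ranges, not real hosts.
SAMPLE = """\
Received: from mx.example.com (mx.example.com [198.51.100.2])
 by mail.victim.example (Postfix) with ESMTPS id 4B2C1;
 Mon, 4 Mar 2024 10:15:30 +0000
Received: from relay.example.org (relay.example.org [192.0.2.10])
 by mx.example.com with ESMTP id 7F3A9;
 Mon, 4 Mar 2024 10:15:25 +0000
Received: from [203.0.113.5] (unknown [203.0.113.5])
 by relay.example.org with ESMTPA id 9C1D2;
 Mon, 4 Mar 2024 10:15:22 +0000
Return-Path: <bounce@mailer.example.net>
From: "CEO" <ceo@victim.example>
Reply-To: ceo.victim@webmail.example.net
To: cfo@victim.example
Date: Mon, 4 Mar 2024 10:15:20 +0000
Message-ID: <a1b2c3@mailer.example.net>
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

if __name__ == "__main__":
    result = analyze(SAMPLE)
    print("originating IP:", result["originating_ip"], "flags:", result["flags"])
    for hop in result["hops"]:
        print(hop["time"], hop["from"], hop["ip"])
```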
E-MAIL FORENSIC TOOLS
Various software tools have been developed to assist in e-mail forensic investigation:
1. eMailTrackerPro (http://www.emailtrackerpro.com/)
2. EmailTracer (http://www.cyberforensics.in)
3. Adcomplain (http://www.rdrop.com/users/billmc/adcomplain.html)
4. Aid4Mail Forensic (http://www.aid4mail.com/)
5. AbusePipe (http://www.datamystic.com/abusepipe.html)
6. AccessData's FTK (http://www.accessdata.com/)
7. EnCase Forensic (http://www.guidancesoftware.com)
8. FINALeMAIL (http://finaldata2.com)
9. Sawmill GroupWise (http://www.sawmill.net)
10. Forensics Investigation Toolkit (FIT) (http://www.edecision4u.com/FIT.html)
11. Paraben (Network) E-mail Examiner (http://www.paraben.com/email-examiner.html)
55. Mobile devices can be used to save several types of personal information such as contacts, photos,
calendars and notes, SMS and MMS messages, video, email, web browsing information, location
information, and social networking messages and contacts.
Factors that complicate mobile forensics:
• Storage capacity has increased.
• The ways in which mobile devices are used constantly evolve.
• Hibernation (power-saving) behavior.
MOBILE COMMUNICATION
Interfaces over which a mobile device may exchange data:
802.11 or Wi-Fi
Bluetooth
Infrared (IrDA)
EVIDENCE IN A MOBILE DEVICE
Service provider logs
Subscriber identity module (SIM)
Mobile logs
Phone books/contact lists
Text messages
Application files
Mobile devices can be isolated in several ways; the following can be used to isolate a mobile device on seizure:
Isolating its wireless features: with a Faraday bag (or a jamming device, where operating one is lawful; it is illegal in many jurisdictions) the phone can be kept off the network until the battery drains completely.
Switching off the device: this works, but on switching the phone on again a phone lock or SIM lock may be activated, which can render the phone unusable to the examiner.
Airplane mode: when airplane mode is activated it disables all cellular services (GSM, UMTS, LTE) as well as other signal-transmitting technologies such as Wi-Fi and Bluetooth. Note that Wi-Fi and Bluetooth can be re-enabled separately while the device is in airplane mode, so check that they are actually off; enabling airplane mode also means interacting with the unlocked device, which must be documented.
MOBILE FORENSIC ACQUISITION TOOLS
There are two categories of forensic acquisition tools:
a) Hardware acquisition tools.
b) Software acquisition tools.
Acquisition involves:
Identifying the type of cellular network.
Recording manufacturer information: the logo, serial number and manufacturing code (IMEI: International Mobile Equipment Identity).
Recording phone characteristics such as operating system, wireless access mode, camera, manufacturer applications, internet access methods, messages, etc.
Software acquisition tools
www.MobileForensicsCentral.com: this website provides access to a comprehensive database of phones supported by various software suppliers. A user enters a phone model and the site returns a detailed report of which software and cables support it, as well as what information can be retrieved from the device with that software.
CELLDEK: developed in cooperation with the UK's Forensic Science Service. The portable CELLDEK acquires data from over 200 of the most popular cell phones and PDAs and is built to perform in the field, not just in the lab, so investigators can gain immediate access to vital information instead of waiting days for a crime lab report.
Cell Seizure: allows you to acquire, analyze and report cell phone data for certain models of GSM SIM cards and Nokia, Samsung, Motorola, Sony Ericsson, LG and Siemens phones; it can also acquire data from CDMA/TDMA phones. Designed for computer forensic examiners, it offers examinations that can be presented in court, with MD5 and SHA-1 hash verification, write protection, HTML reporting and full data dumps on some models.
Mobilyze: a mobile data triage tool designed to give users immediate access to data from iOS and Android devices.
Oxygen Phone Manager II (Forensic Version): special software for police departments, law enforcement units and other government services that wish to use Oxygen Phone Manager II for investigation purposes. The forensic edition ensures that phone data remains unchanged during extraction and export. It extracts the phonebook, call register, calendar, to-do lists, SMS and MMS messages, logos, tones, profiles, phone dictionary, FM stations, Java games and applications.
Paraben's SIM Card Seizure: includes the software as well as a forensic SIM card reader.
Paraben's PDA Seizure: a commercially available forensic software toolkit that allows examiners to acquire and examine information on PDAs for both the Pocket PC (PPC) and Palm OS (HotSync) platforms.
The Forensics Toolkit: gives law enforcement agencies the capability to safely and confidently recover digital evidence from GSM SIM and 3G USIM devices.
Editor's Notes
GPS: the Global Positioning System.
PDA: personal digital assistant, also known as a handheld PC.
The cloud is the Internet, more specifically all the things you can access remotely over the Internet.
Criminal forensics: the focus is on forensically sound data extraction and on producing a report or evidence in simple terms that a layperson will understand.
Intelligence gathering: this type of investigation is often associated with crime, but in relation to providing intelligence to help track, stop or identify criminal activity. Unless the evidence is later to be used in court, forensic soundness is less of a concern in this form of investigation; instead, speed is a common requirement.
Electronic discovery (eDiscovery): similar to criminal forensics but in relation to civil law. Although functionally identical to its criminal counterpart, eDiscovery has specific legal limitations and restrictions, usually concerning the scope of the investigation. Privacy laws (for example, the right of employees not to have personal conversations intercepted) and human rights legislation often affect electronic discovery.
Intrusion investigation: the final form of investigation is different from the previous three. It is instigated in response to a network intrusion, for example a hacker trying to steal corporate secrets. The investigation focuses on identifying the entry point of the attack, the scope of access and mitigating the attacker's activities. Intrusion investigation often occurs live (i.e. in real time) and leans heavily on the discipline of network forensics.
Never trust the subject's operating system: a computer criminal can modify the routine operating system commands to perform destructive actions, so using the subject's operating system could destroy data with just a few keystrokes. When the subject's computer starts, booting from its hard disk overwrites and changes evidentiary data. To make sure that data is not altered, monitor the subject's computer during the initial bootstrap to identify the correct key for entering the CMOS/BIOS setup, and boot from trusted media instead.
Document everything: a chain-of-evidence form is created to document the evidence. It serves the following functions: it identifies the evidence; a copy of the legal authority should be obtained; it records the chain of custody, including the initial count of evidence items to be examined and information about the packaging and condition of the evidence on receipt by the examiner; and it lists the dates and times the evidence was handled. Documentation should be preserved according to the examiner's agency policy.
The results should be repeatable and verifiable by a third party: the fifth cardinal rule says that the analysis done on the evidence must be fully auditable by a third party. To establish the integrity of the information, a cryptographic hash value such as MD5 or SHA-1 (today preferably SHA-256) is calculated so that it can be proven to the court. Chain-of-custody forms are created when evidence is used in court or verified by a third party. The same process can then be repeated and verified by any other expert.
Secure the scene:
• Remove and forbid unauthorized personnel from accessing the scene. They must be kept away from computers, mobile phones and any other sensitive items, including power supplies. In addition, suspects should not be able to communicate with anyone off-site, to prevent remote data destruction.
• Quickly locate the most obvious elements, computers and mobile phones, especially those connected to the Internet and those that need special measures to prevent data loss.
• Check for wireless networks that would allow access to and modification of data from outside.
• Refuse any help offered by personnel not authorized to take part in the investigation.
Examples of proper documentation of the scene:
- Laptop computer: evidence number EVI001
- Internal hard drive: evidence number EVI001A
- USB thumb drive: evidence number EVI001B
- DVD: evidence number EVI001C
The copying process performed must be documented:
● Procedure used: clone, image or any other method.
● Tool: hardware duplicator, write blocker, software, etc.
● Destination: destination disk, file with the data obtained from a telephone, etc.
● Hash: algorithm used and the digest obtained.
● Observations: any incident arising during the copy process.
Command-line interface: the user types commands from a known set. This kind of interface can take a long time to learn and is not intuitive.
Graphical user interface (GUI): a user interface made of graphical elements such as icons, buttons and windows.
Form-based interface: designed for business use where an employee has to enter a lot of details; field names are shown next to the places where the information must be entered.
Menu-driven interface: the operating system presents a menu of choices, so no particular IT skill can be assumed of the user.
Natural-language user interface: a kind of human-computer interface in which linguistic elements such as verbs, clauses and phrases act as UI controls for creating, selecting and changing data in a software application (Siri, Alexa, Google Assistant, Cortana).
A lost cluster is a series of clusters on a hard disk drive that are not associated with any file. A bad sector is a sector on a disk drive or flash memory that is inaccessible or unwriteable because of permanent damage, such as physical damage to the disk surface or failed flash memory transistors. The boot sector is the first sector of a hard drive (cylinder 0, head 0, sector 1); on an MBR disk it contains the main partition table and the boot loader code which, when loaded into memory, allows the system to boot.
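An added example, not code from the page, that reads the partition table described in the two notes above (the three partition types, and the boot sector holding the main partition table): it parses the four primary entries of the MBR and walks the EBR chain of an extended partition to list the logical drives, which is what an examiner needs before carving or mounting a raw image. The sample image is constructed in memory and is not a real disk; a 512-byte sector size is assumed. A single entry of type 0xEE is a protective MBR and means the disk is really GPT-partitioned, which this parser only flags.

```python
import struct

SECTOR = 512
EXTENDED_TYPES = {0x05, 0x0F, 0x85}   # DOS, Win95 LBA and Linux extended
GPT_PROTECTIVE = 0xEE                 # protective MBR: the real table is GPT


def _entries(sector):
    """The four 16-byte entries at offset 446 of an MBR or EBR sector:
    status, CHS start (3), type, CHS end (3), LBA start, sector count."""
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    return [struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
            for i in range(4)]


def _sector(image, lba):
    return image[lba * SECTOR:(lba + 1) * SECTOR]


def _walk_ebr(image, ext_start, max_chain=128):
    """Follow the EBR chain of an extended partition. Entry 0 of each EBR
    is a logical partition (start relative to that EBR); entry 1 points to
    the next EBR (start relative to the extended partition's first sector).
    The seen-set stops a looping chain on a damaged or hostile image."""
    found, ebr_lba, seen = [], ext_start, set()
    while ebr_lba not in seen and len(found) < max_chain:
        seen.add(ebr_lba)
        ebr = _sector(image, ebr_lba)
        if len(ebr) < SECTOR:
            break
        (_, ptype, rel, size), (_, nxt_type, nxt_rel, _) = _entries(ebr)[:2]
        if ptype:
            found.append({"kind": "logical", "type": ptype, "bootable": False,
                          "start": ebr_lba + rel, "sectors": size})
        if not nxt_type:
            break
        ebr_lba = ext_start + nxt_rel
    return found


def parse_partitions(image):
    """Primary and extended partitions from the MBR, then the logical
    partitions inside each extended partition. All LBAs are absolute."""
    parts = []
    for status, ptype, start, size in _entries(_sector(image, 0)):
        if not ptype:
            continue
        if ptype == GPT_PROTECTIVE:
            kind = "gpt-protective"
        elif ptype in EXTENDED_TYPES:
            kind = "extended"
        else:
            kind = "primary"
        parts.append({"kind": kind, "type": ptype, "bootable": status == 0x80,
                      "start": start, "sectors": size})
        if kind == "extended":
            parts.extend(_walk_ebr(image, start))
    return parts


def _entry(ptype, start, size, status=0):
    """Pack one partition entry; CHS fields are left zero (LBA is what counts)."""
    return struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", start, size)


def build_sample_image():
    """Constructed 64-sector image (not a real disk): one bootable primary
    partition and one extended partition holding two logical partitions."""
    def table(entries):
        sec = bytearray(SECTOR)
        for i, e in enumerate(entries):
            sec[446 + 16 * i:446 + 16 * (i + 1)] = e
        sec[510:512] = b"\x55\xAA"
        return sec
    img = bytearray(64 * SECTOR)
    img[0:SECTOR] = table([_entry(0x83, 1, 10, 0x80), _entry(0x05, 20, 40)])
    img[20 * SECTOR:21 * SECTOR] = table([_entry(0x83, 1, 9), _entry(0x05, 20, 20)])
    img[40 * SECTOR:41 * SECTOR] = table([_entry(0x82, 1, 9)])
    return bytes(img)


if __name__ == "__main__":
    for p in parse_partitions(build_sample_image()):
        print(f"{p['kind']:<10} type=0x{p['type']:02X} start={p['start']:>6} "
              f"sectors={p['sectors']:>6} bootable={p['bootable']}")
```

The start LBA times the sector size is the byte offset at which a partition's file system begins inside the image; that is the offset to hand to a file-system parser, a loop-mount, or the carver.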
Disk cloning hardware consists of dedicated replication tools with their own system, designed especially for cloning, and with a built-in write blocker. When software imaging tools are used instead, the investigator must place a hardware write blocker between the device and the system to avoid damage. The original device is never connected directly to the investigation machine. The source device is used only once, for imaging; replicas for further work are made from the first copy. Image files are better suited to a distributed investigation environment and to operations that would otherwise have to be performed on the device itself.
Retrieving cached files: one can find the web pages visited by the suspect or the victim by looking into the cache. The cache files of an application may be spread across the system storage, so the search is narrowed using typical keywords related to the case or to probable websites.
Retrieving files in unallocated space: in general, a deleted file can be searched for sequentially or structurally by looking for file headers or extensions. Certain tools scan for broken headers and use supplementary headers to retrieve data, or at least blocks of a lost file, from unallocated space. The retrieved blocks can later be studied and reassembled with other tools to recover lost files to a great extent. This is also called file carving. Metadata of files can be found from the applications used to create them, and tools such as Meta Viewer, Metadata Analysis and iscrub can view the metadata of a file.
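The header/footer carving just described (and in the slide on retrieving files from unallocated space) as an added example, not code from the page or from any carving tool. The signature table and the three constructed "files" embedded in zero filler are assumptions made for the example; they are not valid images, only the bytes that matter to the carver. A hit whose footer never appears is reported as partial rather than dropped, which is what an examiner wants to see and check by hand; fragmented files, and JPEGs whose embedded thumbnail ends with an early FFD9, are the known limits of plain header/footer carving.

```python
import hashlib
import os

# (header, footer) byte signatures for the file kinds this carver knows
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def carve(data, max_size=50 * 1024 * 1024):
    """Header/footer carving over raw unallocated space. Each hit records the
    offset, kind, carved bytes, whether a footer was found within max_size,
    and the SHA-256 of the carved bytes for the evidence record."""
    hits = []
    for kind, (head, foot) in SIGNATURES.items():
        pos = 0
        while (start := data.find(head, pos)) >= 0:
            limit = min(len(data), start + max_size)
            end = data.find(foot, start + len(head), limit)
            complete = end >= 0
            end = end + len(foot) if complete else limit
            chunk = data[start:end]
            hits.append({"offset": start, "kind": kind, "data": chunk,
                         "complete": complete,
                         "sha256": hashlib.sha256(chunk).hexdigest()})
            # after a complete file resume past it; after a partial one,
            # resume just past the header so a later real file is not skipped
            pos = end if complete else start + len(head)
    hits.sort(key=lambda h: h["offset"])
    return hits


def write_carved(hits, out_dir):
    """Write each hit as <offset>.<kind>, adding '.partial' when no footer
    was found. Returns the paths written, in offset order."""
    os.makedirs(out_dir, exist_ok=True)
    paths = []
    for h in hits:
        name = f"{h['offset']:012d}.{h['kind']}" + ("" if h["complete"] else ".partial")
        path = os.path.join(out_dir, name)
        with open(path, "wb") as f:
            f.write(h["data"])
        paths.append(path)
    return paths


# Constructed stand-ins: only the header and footer bytes are meaningful.
SAMPLE_JPG = b"\xff\xd8\xff\xe0" + b"J" * 100 + b"\xff\xd9"
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"P" * 80 + b"IEND\xae\x42\x60\x82"
SAMPLE_PDF = b"%PDF-1.4\n" + b"D" * 60            # no %%EOF: truncated on purpose


def build_sample_space():
    """Constructed 'unallocated space': zero filler around the three samples."""
    filler = b"\x00" * 512
    return filler + SAMPLE_JPG + filler + SAMPLE_PNG + filler + SAMPLE_PDF + filler


if __name__ == "__main__":
    for h in carve(build_sample_space()):
        state = "complete" if h["complete"] else "PARTIAL"
        print(f"offset={h['offset']:>6} {h['kind']} {len(h['data'])} bytes "
              f"{state} sha256={h['sha256'][:16]}...")
```

In practice the input is the unallocated region of the image (or the whole image), read in blocks, and each carved file is hashed and logged exactly as the disk image itself was, so that a recovered file can be tied back to its offset in the evidence.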
Sharing economy networks: also known as collaborative economy networks. These networks enable people to connect online for advertising, finding, sharing, trading, buying and selling products and services.
Use: to find, advertise, share and trade products and services online.
Examples: Airbnb, Uber, TaskRabbit.
Anonymous social networks: as the name states, such networks enable users to share content anonymously, and miscreants increasingly misuse such platforms for cyberbullying.
Use: to anonymously spy, vent, gossip and sometimes bully.
Examples: Whisper, Ask.fm, After School.
Sender policy framework:
GSM stands for Global System for Mobile Communications, UMTS for Universal Mobile Telecommunications System, and LTE for Long Term Evolution.
Cable connections: with the multitude of mobile devices now on the market, having just one mobile device connector seriously hampers your ability to do an investigation. Different manufacturers use not only different data cable connections but also different power connection interfaces. At the top of your list should be the standard USB cable, followed by a USB cable with a mini-USB connector.
SIM card vs. USIM card
Full form: SIM = Subscriber Identity Module (or Subscriber Identification Module) card; USIM = Universal Subscriber Identity Module.
Definition: a SIM is a memory chip used in mobile phones that stores data for GSM/CDMA cellular telephone subscribers; a USIM card is the logical extension of the SIM card, designed specifically for the 3G environment.
The Forensics Toolkit gives law enforcement agencies the capability to safely and confidently recover digital evidence from GSM SIM and 3G USIM devices. Acquisition, analysis and reporting form the three key stages of its forensically sound process, which saves critical time and provides a cost-effective solution to SIM card examinations. As an increasing number of mobile devices use high-level file systems similar to those of computers, methods and tools can be taken over from hard disk forensics or need only slight changes. Different software tools can extract the data from a memory image: specialized, automated forensic products, or generic file viewers such as a hex editor used to search for characteristic file headers. The advantage of the hex editor is the deeper insight into memory management, but working with it means a lot of handwork and requires knowledge of the file system and of file headers. Specialized forensic software, in contrast, simplifies the search and extracts the data, but may not find everything. Since no tool extracts all possible information, it is advisable to use two or more tools for examination.