Lesson 5, Topic 1
Forensic Tools Categorization

Hashing Tools

These tools are used to verify the integrity of a sequence of data bits. Two files with exactly the same bit patterns hash to the same value under the same hashing algorithm, e.g. MD5, SHA-1, HMAC-MD5. Conversely, if the hashes of two files do not match, the examiner can conclude that the files are not identical.

Data Carving Tools

Sometimes data cannot be identified or extracted from its source because it has been removed from the file system, either accidentally or intentionally. In most cases, however, the file is still present in lost clusters, unallocated clusters or the slack space of the storage media. To extract such a file we need its file header and file footer, which are almost always given by the file signature; the data between these two points is carved out and analyzed to validate the file.
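The header-and-footer carving described above, written out as a small added example (this is not code from the course; it uses the real PNG and JPEG magic bytes, and the "unallocated space" it scans is a constructed byte string, not a real disk image):

```python
# Signatures: (name, header, footer). These are the genuine magic bytes for PNG and JPEG.
SIGNATURES = [
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9"),
]


def carve(blob: bytes, signatures=SIGNATURES, max_size: int = 1 << 20) -> list:
    """Scan raw bytes for header/footer pairs and return carved files as
    (name, start_offset, data). A header with no footer within max_size bytes
    is reported as truncated (data=None). The scan ignores the file system
    entirely, so it works on unallocated clusters and slack space alike."""
    results = []
    for name, header, footer in signatures:
        pos = 0
        while True:
            start = blob.find(header, pos)
            if start == -1:
                break
            window_end = min(len(blob), start + max_size)
            end = blob.find(footer, start + len(header), window_end)
            if end == -1:
                results.append((name, start, None))  # header found, footer missing
                pos = start + len(header)
                continue
            end += len(footer)
            results.append((name, start, blob[start:end]))
            pos = end
    results.sort(key=lambda r: r[1])  # report in on-disk order
    return results


def build_sample_unallocated_space() -> bytes:
    """Constructed sample: filler bytes with a tiny PNG and a tiny JPEG embedded,
    standing in for unallocated clusters read from a disk image."""
    filler = bytes(range(32, 127)) * 3  # printable bytes, contains no magic values
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 20 + b"IEND\xaeB`\x82"
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF" + b"\x00" * 12 + b"\xff\xd9"
    return filler + png + filler + jpg + filler


if __name__ == "__main__":
    for name, offset, data in carve(build_sample_unallocated_space()):
        size = "truncated" if data is None else f"{len(data)} bytes"
        print(f"{name} at offset {offset}: {size}")
```

The carved data must still be validated: a footer can occur by chance inside unrelated data, and fragmented files will not carve cleanly, which is why the example reports a missing footer instead of silently grabbing bytes up to the end of the window.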

Binary Search Tools

These tools are used to search for byte patterns in binary data.

Imaging Tools

Imaging tools allow you to create a clone of the source data. They are largely divided into two sub-types:

Bit Copy Tools: Copy data at the bit level to create an exact clone of the original without any regard for the underlying file system.

File System Tools: Copy the entire file system of the original, based on the underlying platform/file system.
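The following added example ties the Hashing Tools and Imaging Tools sections together (it is illustration code, not part of the course): it makes a sector-by-sector bit copy of a constructed "block device", verifies the copy against the source with the hash algorithms the text names (plus SHA-256), and shows that flipping a single bit in the image breaks the match. The 512-byte sector size and the 4 KiB device are assumptions for the demo.

```python
import hashlib

# Constructed sample "block device": 4 KiB of deterministic bytes, not a real disk image.
SOURCE_DEVICE = bytes((i * 37 + 11) % 256 for i in range(4096))
BLOCK_SIZE = 512  # assumed sector size for the bit-level copy


def hash_bytes(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of data under the named hashlib algorithm (md5, sha1, sha256, ...)."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def bit_copy(source: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """Copy the source sector by sector with no regard for any file system on it.
    Like a bit-copy imaging tool, it preserves every byte: allocated, unallocated
    and slack space alike."""
    image = bytearray()
    for offset in range(0, len(source), block_size):
        image += source[offset:offset + block_size]
    return bytes(image)


def verify_image(source: bytes, image: bytes, algorithm: str = "sha256") -> dict:
    """Hash source and image with the same algorithm and report whether they match."""
    src_digest = hash_bytes(source, algorithm)
    img_digest = hash_bytes(image, algorithm)
    return {
        "algorithm": algorithm,
        "source": src_digest,
        "image": img_digest,
        "match": src_digest == img_digest,
    }


def flip_one_bit(data: bytes, byte_index: int) -> bytes:
    """Return a copy of data with one bit flipped, to show how sensitive the digest is."""
    mutated = bytearray(data)
    mutated[byte_index] ^= 0x01
    return bytes(mutated)


if __name__ == "__main__":
    image = bit_copy(SOURCE_DEVICE)
    for algo in ("md5", "sha1", "sha256"):
        report = verify_image(SOURCE_DEVICE, image, algo)
        print(f"{algo:6s} match={report['match']} {report['image']}")
    tampered = flip_one_bit(image, 100)
    print("after a 1-bit change:", verify_image(SOURCE_DEVICE, tampered)["match"])
```

In practice the source digest is taken before imaging and recorded with the evidence; the image is then hashed independently and the two values compared. Because practical collisions are known for MD5 and SHA-1, current tooling records a SHA-256 digest alongside them.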

Deep Retrieval Tools

Sophisticated data recovery tools that recover lost data by reading the disk at a low level.

Document Metadata Extraction Tools

These tools extract metadata from files. They help identify auxiliary information about a file rather than its contents.
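As an added illustration of what a metadata extraction tool does (this is example code, not the course's own), the block below walks the chunk structure of a PNG file and returns its auxiliary information only: image dimensions from the IHDR chunk and the key/value pairs stored in tEXt chunks. It also verifies each chunk's CRC-32, so a file whose metadata has been altered is flagged rather than reported as-is. The sample PNG is constructed in the script (header and metadata chunks only, no pixel data).

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(chunk_type: bytes, payload: bytes) -> bytes:
    """Build one PNG chunk: 4-byte length, type, payload, CRC-32 over type + payload."""
    crc = zlib.crc32(chunk_type + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + chunk_type + payload + struct.pack(">I", crc)


def build_sample_png() -> bytes:
    """Constructed sample PNG (IHDR plus two tEXt chunks, no image data), standing in
    for a file recovered from a disk image."""
    ihdr = struct.pack(">IIBBBBB", 640, 480, 8, 2, 0, 0, 0)
    return (PNG_SIGNATURE
            + _chunk(b"IHDR", ihdr)
            + _chunk(b"tEXt", b"Author\x00analyst-workstation")
            + _chunk(b"tEXt", b"Software\x00constructed-sample")
            + _chunk(b"IEND", b""))


def extract_png_metadata(data: bytes) -> dict:
    """Return auxiliary information about a PNG without touching pixel data.
    Raises ValueError on a bad signature, a truncated chunk, or a CRC mismatch."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    meta = {"text": {}, "chunks": []}
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        if pos + 12 + length > len(data):
            raise ValueError(f"truncated chunk {ctype!r} at offset {pos}")
        payload = data[pos + 8:pos + 8 + length]
        stored_crc = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != stored_crc:
            raise ValueError(f"CRC mismatch in chunk {ctype!r} at offset {pos}")
        meta["chunks"].append(ctype.decode("ascii"))
        if ctype == b"IHDR":
            meta["width"], meta["height"] = struct.unpack(">II", payload[:8])
            meta["bit_depth"], meta["color_type"] = payload[8], payload[9]
        elif ctype == b"tEXt":
            key, _, value = payload.partition(b"\x00")
            meta["text"][key.decode("latin-1")] = value.decode("latin-1")
        if ctype == b"IEND":
            break
        pos += 12 + length
    return meta


if __name__ == "__main__":
    print(extract_png_metadata(build_sample_png()))
```

The same chunk-walking approach extends to other container formats; the point a practitioner should take from it is that metadata lives in the file's structure, separate from its content, and that a tool should validate that structure (here via the CRC) before trusting what it reads.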

Memory Imaging and Analysis Tools

The physical memory of a computer can be imaged and analyzed using a variety of tools. These tools are OS specific, as each operating system manages memory differently. The main challenge remains verifying that the memory contents have been captured correctly. Once a memory image has been created, memory analysis tools are used to derive meaningful information from the artifact.

Network Forensic Tools

These tools capture the state of the network for both real-time and passive (after-the-fact) examination.

Steganography Tools

Steganography tools detect and recover inconspicuous information hidden within other objects, e.g. a message hidden within an image.

Internet History Tools

These tools allow recovery and reconstruction of deleted internet history.

Log Management Tools (SIEM)

Security Information and Event Management tools manage the incident lifecycle end to end, from reporting to remediation, and serve as a reference point/knowledge base for effective incident handling and management.

Case Management System

A case management system automates the steps and procedures that are critical to effective case handling through well-designed processes, supported by powerful and proven tools.

File Chain Navigation Tools

These tools reconstruct broken file chains to extract lost information.

File System Navigation Tools

The file system of a computer is where most files are stored and where most evidence is found. These tools facilitate navigation of the file system of a compromised system.