Forensic Tools Categorization
Hashing Tools
These tools verify the integrity of a sequence of data bits. Two files with exactly the same bit pattern hash to the same value under the same hashing algorithm, e.g. MD5, SHA-1, HMAC-MD5. Conversely, if the hashes of two files do not match, the examiner can conclude that the files are not identical.
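The comparison described above, as an added example that is not part of the original page: two constructed byte sequences that differ in a single bit are hashed with MD5, SHA-1 and SHA-256, keyed with HMAC-MD5, and compared with a constant-time check. Hashing is done in chunks so that a large disk image never has to be held in memory. The sample data and the HMAC key are assumptions made for the example; note that MD5 and SHA-1 are collision-prone, so a matching digest under those algorithms is weaker evidence of identity than a matching SHA-256 digest.

```python
import hashlib
import hmac
import io

# Constructed sample data standing in for two evidence files (not real files).
FILE_A = b"The quick brown fox jumps over the lazy dog." * 100
FILE_B = bytearray(FILE_A)
FILE_B[-1] ^= 0x01          # flip a single bit in the last byte
FILE_B = bytes(FILE_B)

# Hypothetical HMAC key; in practice it would bind a digest to a specific lab or examiner.
HMAC_KEY = b"example-lab-key"


def hash_stream(stream, algorithm="sha256", chunk_size=64 * 1024):
    """Hash a file-like object in chunks so large images never sit fully in RAM."""
    h = hashlib.new(algorithm)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def hash_bytes(data, algorithm="sha256"):
    """Convenience wrapper: hash an in-memory byte string with the chunked reader."""
    return hash_stream(io.BytesIO(data), algorithm)


def hmac_bytes(data, key=HMAC_KEY, algorithm="md5"):
    """Keyed hash (HMAC-MD5 by default): only a holder of the key can reproduce it."""
    return hmac.new(key, data, algorithm).hexdigest()


def verify_copy(original, copy, algorithm="sha256"):
    """Return True only if both bit sequences produce the same digest."""
    return hmac.compare_digest(hash_bytes(original, algorithm),
                               hash_bytes(copy, algorithm))


if __name__ == "__main__":
    for algo in ("md5", "sha1", "sha256"):
        print(f"{algo:7} A={hash_bytes(FILE_A, algo)}")
        print(f"{algo:7} B={hash_bytes(FILE_B, algo)}")
    print("HMAC-MD5 A:", hmac_bytes(FILE_A))
    print("identical copy verifies:", verify_copy(FILE_A, bytes(FILE_A)))
    print("one-bit change verifies:", verify_copy(FILE_A, FILE_B))
```

Running the script shows every digest of FILE_B differing from FILE_A even though only one bit changed, which is the property the integrity check relies on.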
Data Carving Tools
Sometimes data cannot be identified or extracted from its source because it has been accidentally or intentionally removed from the file system. However, in most cases the file is still present in lost clusters, unallocated clusters or the slack space of the storage media. To extract such a file we need its file header and file footer, which are defined by the file type's signature; the data between these two points is extracted and analyzed to validate the file.
Binary Search Tools
These tools search for byte patterns in binary data.
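An added example covering both the data-carving and binary-search categories above (this is illustration code, not a tool from the page): a small carver that scans a constructed block of unallocated space for JPEG and PNG header signatures, reads forward to the matching footer, and skips headers whose footer is missing. The pattern search underneath the carver is exactly the binary search the previous category describes. The signature table is real (JPEG and PNG magic bytes); the sample "disk" contents are constructed, and the minimal PNG and JPEG dropped into it are not valid images, only signature-correct spans.

```python
import random

# File signatures: header bytes and the footer bytes that close the file.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def find_all(data, pattern, start=0):
    """Binary pattern search: yield every offset at which pattern occurs in data."""
    pos = data.find(pattern, start)
    while pos != -1:
        yield pos
        pos = data.find(pattern, pos + 1)


def carve(data, signatures=SIGNATURES, max_size=10 * 1024 * 1024):
    """Return (kind, offset, bytes) for every header..footer span found in data."""
    found = []
    for kind, (header, footer) in signatures.items():
        for start in find_all(data, header):
            end = data.find(footer, start + len(header))
            if end == -1 or end - start > max_size:
                continue            # no footer in range: truncated or overwritten
            end += len(footer)
            found.append((kind, start, data[start:end]))
    return sorted(found, key=lambda f: f[1])


def validate(kind, blob):
    """Cheap check that a carved span really starts and ends like the claimed type."""
    header, footer = SIGNATURES[kind]
    return blob.startswith(header) and blob.endswith(footer)


def build_sample_space():
    """Constructed unallocated space: filler with a PNG, a JPEG and a truncated PNG inside."""
    rnd = random.Random(7)
    # Filler avoids 0xff so it can never spell a JPEG header or footer by accident.
    filler = lambda n: bytes(rnd.randrange(0, 0xff) for _ in range(n))
    png = SIGNATURES["png"][0] + b"\x00\x00\x00\x00" + SIGNATURES["png"][1]
    jpg = SIGNATURES["jpg"][0] + b"\xe0" + b"\x00" * 14 + SIGNATURES["jpg"][1]
    truncated = SIGNATURES["png"][0] + b"header-only"   # footer was overwritten
    space = filler(512) + png + filler(300) + jpg + filler(200) + truncated
    return space, png, jpg


if __name__ == "__main__":
    space, _, _ = build_sample_space()
    for kind, offset, blob in carve(space):
        print(f"{kind} at offset {offset}, {len(blob)} bytes, valid={validate(kind, blob)}")
```

The truncated PNG header at the end of the sample is deliberately skipped: without a footer the carver cannot bound the file, which is the situation the text describes when a file has been partially overwritten.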
Imaging Tools
Imaging tools allow you to create a clone of the source data. They are broadly divided into two sub-types:
Bit Copy Tools: Copy data at the bit level to create an exact clone of the original without any regard for the underlying file system.
File System Tools: Copy the entire file system of the original based on the underlying platform/file system.
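The difference between the two imaging sub-types, as an added example (not code from the page): a constructed toy block device holds two allocated files, a remnant of a deleted file in an unallocated sector, and slack bytes after the short file. A bit-level copy reproduces all of it and is verified by hash; a file-system copy walks the allocation table and reproduces only the allocated file contents, so the remnant and the slack never reach the clone. The sector size, allocation table and remnant string are all constructed for the example.

```python
import hashlib
import random

SECTOR = 64  # bytes; a tiny sector size for the toy device


def build_sample_device():
    """Constructed device: 16 sectors, two allocated files, one deleted-file remnant."""
    rnd = random.Random(3)
    image = bytearray(rnd.randrange(256) for _ in range(16 * SECTOR))
    # name -> (start sector, contents); report.bin spans sectors 3 and 4
    files = {"notes.txt": (0, b"meeting at noon"),
             "report.bin": (3, bytes(range(100)))}
    for start, content in files.values():
        image[start * SECTOR:start * SECTOR + len(content)] = content
    remnant = b"DELETED: old account list"          # lives in unallocated sector 10
    image[10 * SECTOR:10 * SECTOR + len(remnant)] = remnant
    table = {name: (start, len(content)) for name, (start, content) in files.items()}
    return bytes(image), table


def bit_copy(device, sector=SECTOR):
    """Bit-level clone: copy every sector regardless of allocation, then verify by hash."""
    clone = bytearray()
    for offset in range(0, len(device), sector):
        clone += device[offset:offset + sector]
    clone = bytes(clone)
    if hashlib.sha256(clone).digest() != hashlib.sha256(device).digest():
        raise RuntimeError("clone does not match source")
    return clone


def file_system_copy(device, table, sector=SECTOR):
    """File-system-level clone: copy only the extents the allocation table points to."""
    return {name: device[start * sector:start * sector + size]
            for name, (start, size) in table.items()}


def mentions_remnant(blob, marker=b"DELETED:"):
    return marker in blob


if __name__ == "__main__":
    device, table = build_sample_device()
    clone = bit_copy(device)
    files = file_system_copy(device, table)
    print("bit copy keeps deleted remnant:", mentions_remnant(clone))
    print("file-system copy keeps remnant:", any(mentions_remnant(c) for c in files.values()))
    print("notes.txt slack preserved in bit copy:", len(clone[:SECTOR]) - len(files["notes.txt"]), "bytes")
```

This is why an examiner who expects to carve deleted data (previous section) needs a bit copy; a file-system copy is faster and smaller but discards exactly the regions carving depends on.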
Deep Retrieval Tools
Sophisticated data recovery tools that recover lost data by reading the disk at a low level.
Document Metadata Extraction Tools
These tools extract metadata from files. They identify auxiliary information about a file rather than its contents.
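An added example of metadata extraction (illustration code, not a tool from the page): a PNG chunk parser that reads the image dimensions from IHDR and the key/value pairs from tEXt chunks, checking each chunk's CRC so that a tampered or damaged chunk is reported rather than silently trusted. The chunk layout and CRC rule are those of the PNG specification; the sample image, its author string and timestamp are constructed for the example.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def chunk(kind, payload):
    """Serialize one PNG chunk: length, type, payload, CRC over type+payload."""
    crc = zlib.crc32(kind + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + kind + payload + struct.pack(">I", crc)


def build_sample_png():
    """Constructed 1x1 grayscale PNG carrying two tEXt metadata chunks."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # width, height, depth, colour type, ...
    idat = zlib.compress(b"\x00\x00")                     # filter byte + one pixel
    return (PNG_SIG
            + chunk(b"IHDR", ihdr)
            + chunk(b"tEXt", b"Author\x00J. Doe (constructed)")
            + chunk(b"tEXt", b"Creation Time\x002023-01-02T03:04:05Z")
            + chunk(b"IDAT", idat)
            + chunk(b"IEND", b""))


def iter_chunks(data):
    """Yield (type, payload, crc_ok) for each chunk until IEND or end of data."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, kind = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        stored = struct.unpack(">I", crc_bytes)[0] if len(crc_bytes) == 4 else None
        crc_ok = stored == (zlib.crc32(kind + payload) & 0xFFFFFFFF)
        yield kind, payload, crc_ok
        pos += 12 + length
        if kind == b"IEND":
            break


def extract_metadata(data):
    """Collect dimensions and tEXt key/value pairs; record chunks whose CRC fails."""
    meta = {}
    for kind, payload, crc_ok in iter_chunks(data):
        if kind == b"IHDR" and len(payload) >= 10:
            width, height, depth, colour = struct.unpack(">IIBB", payload[:10])
            meta["dimensions"] = (width, height)
            meta["bit_depth"] = depth
            meta["color_type"] = colour
        elif kind == b"tEXt":
            key, _, value = payload.partition(b"\x00")
            meta[key.decode("latin-1")] = value.decode("latin-1")
        if not crc_ok:
            meta.setdefault("crc_errors", []).append(kind.decode("ascii", "replace"))
    return meta


if __name__ == "__main__":
    for key, value in extract_metadata(build_sample_png()).items():
        print(f"{key}: {value}")
```

The CRC check matters in an evidentiary setting: metadata that was edited by hand after the fact often leaves a stale CRC behind, and the parser surfaces that instead of reporting the edited value as if it were original.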
Memory Imaging and Analysis Tools
The physical memory of a computer can be imaged and analyzed using a variety of tools. These tools are OS-specific, as each operating system manages memory differently. The main challenge remains verifying that the memory contents have been reproduced correctly. Once a memory image has been created, memory analysis tools are used to deduce meaningful information from the artifact.
Network Forensic Tools
Aimed at capturing the state of the network for both real-time and passive examination.
Steganography Tools
Steganography tools allow detecting and decrypting unnoticeable information patterns concealed within other objects, e.g. a message hidden within an image.
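An added example of the detection side of this category (illustration code, not a tool from the page): least-significant-bit (LSB) embedding in an image leaves a bit stream that, read back, decodes to mostly printable text, whereas the LSBs of a natural or random cover decode to roughly uniform bytes. The detector extracts the LSB stream from the first pixels and flags the image when the printable ratio is far above what random bytes would give (about 100/256). The grayscale pixel arrays, the hidden message and the threshold are constructed for the example; the embed function exists only to build the stego sample.

```python
import random
import string

PRINTABLE = set(string.printable.encode("ascii"))


def embed_lsb(pixels, payload):
    """Constructed sample only: write payload bits into the LSB of successive pixels."""
    out = bytearray(pixels)
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(out):
        raise ValueError("cover image too small for payload")
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def extract_lsb(pixels, nbytes):
    """Read nbytes back from the LSB plane, 8 pixels per byte, MSB first."""
    out = bytearray()
    for i in range(nbytes):
        byte = 0
        for j in range(8):
            byte = (byte << 1) | (pixels[i * 8 + j] & 1)
        out.append(byte)
    return bytes(out)


def printable_ratio(data):
    """Fraction of bytes that are printable ASCII."""
    return sum(b in PRINTABLE for b in data) / len(data)


def looks_suspicious(pixels, nbytes=64, threshold=0.8):
    """Heuristic detector: an LSB stream that decodes to mostly text is not natural."""
    return printable_ratio(extract_lsb(pixels, nbytes)) >= threshold


def build_samples():
    """Constructed clean cover (random 8-bit pixels) and a stego copy with a message."""
    rnd = random.Random(11)
    clean = bytes(rnd.randrange(256) for _ in range(1024))
    secret = b"meet at the usual place at 9"
    stego = embed_lsb(clean, secret.ljust(64, b" "))
    return clean, stego, secret


if __name__ == "__main__":
    clean, stego, secret = build_samples()
    print("clean LSB printable ratio:", round(printable_ratio(extract_lsb(clean, 64)), 2))
    print("stego LSB printable ratio:", round(printable_ratio(extract_lsb(stego, 64)), 2))
    print("stego flagged:", looks_suspicious(stego), "recovered:", extract_lsb(stego, len(secret)))
```

A real steganalysis tool uses statistical tests over the whole LSB plane rather than a printable-text heuristic, but the principle is the same: hidden data disturbs a distribution the cover would otherwise have.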
Internet History Tools
Allow recovery and reconstruction of deleted internet history.
Log Management Tools (SIEM)
Security Incident Event Management tools manage the incident lifecycle end to end, from reporting to remediation, and serve as a reference point and knowledge base for effective incident handling and management.
Case Management System
Automates the steps and procedures which are critical to effective case handling through well-designed processes, supported by powerful and proven tools.
File Chain Navigation Tools
These tools reconstruct broken file chains to extract lost information.
File System Navigation Tools
The file system of a computer is where most files are stored and where most evidence is found. These tools facilitate navigation of the file system of a compromised system.