Chapter 23: Tool Kits to Aid in Forensic Analysis
Overview
In Chapters 21 and 22, we reviewed tools that can
acquire a forensic duplication of a source hard drive. That is the first phase
of a two-phase process to perform a successful forensic investigation. The
second phase is the analytical component. This chapter discusses the tools used
to analyze the data we previously acquired. All of the forensic analysis tool
kits we review are capable of importing more than one forensic image format. The
most useful format, a dd image, can be used with all of
these tools, and since it is open-source, it costs nothing to create (other than
your time).
Chapter 24: Tools to Aid in Internet Activity Reconstruction
Overview
Forensic investigators are frequently asked
to reconstruct the online activities of a suspect under investigation. Most
important online activities can be generalized into two categories: electronic
mail and web-browsing habits. E-mail has become one of the fastest growing forms
of communication and one of the most common means for transferring information
about people, places, and activities. Likewise, as online access has become
ubiquitous, more people are using the Internet to conduct their
business, whether legitimate or not. This chapter discusses the toolset a
forensic analyst needs to use to reconstruct the online activity of a suspect’s
machine. It also highlights the intricacies we have discovered during field
testing.
Chapter 25: Generalized Editors and Viewers
Overview
successful forensic analysis. Without the means to
view suspicious files properly, an investigator could come to an incorrect
conclusion. For example, imagine an analyst who depends on an image viewer to
provide the proper results for a file named image.tiff. If the file image.tiff
is actually an MP3 music file, it will not be displayed correctly in a viewer
designed specifically for images. Therefore, a more generic viewer must be
utilized. Lucky for the analyst, such generic viewers are available.
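The image.tiff-that-is-really-an-MP3 case above is exactly the mismatch that a generic viewer resolves: it trusts the leading bytes of the file, not the name. The following added example (not code from the book or from any of the tool kits it reviews) shows the principle in Python: it classifies a file by a small, assumed table of "magic number" signatures, compares that with what the extension claims, and flags the disagreement. The signature table, the sample files and the directory layout are all constructed for this example; a real examination would use a full signature database rather than this handful of formats.

```python
"""Content-based file type identification, independent of the extension.

Added example, not the chapter's own code. The SIGNATURES table is an
assumption of this example and covers only a few well-known formats; all
sample files are constructed in a temporary directory at run time.
"""
import os
import tempfile

# Leading-byte signatures ("magic numbers") for a handful of common formats.
# All offsets are 0 here; formats whose signature sits deeper in the file
# (e.g. ISO images) are deliberately out of scope for this example.
SIGNATURES = [
    (b"\x49\x49\x2a\x00", "TIFF (little-endian)"),
    (b"\x4d\x4d\x00\x2a", "TIFF (big-endian)"),
    (b"\xff\xd8\xff", "JPEG"),
    (b"\x89PNG\r\n\x1a\n", "PNG"),
    (b"GIF87a", "GIF"),
    (b"GIF89a", "GIF"),
    (b"ID3", "MP3 (ID3v2 tag)"),
    (b"%PDF-", "PDF"),
    (b"PK\x03\x04", "ZIP container"),
]

# What the file name claims, keyed by extension; the family name must match
# the part of a SIGNATURES name before any " (" qualifier.
EXTENSION_MAP = {
    ".tif": "TIFF", ".tiff": "TIFF", ".jpg": "JPEG", ".jpeg": "JPEG",
    ".png": "PNG", ".gif": "GIF", ".mp3": "MP3", ".pdf": "PDF",
    ".zip": "ZIP container",
}


def identify_bytes(data: bytes) -> str:
    """Return the format implied by the leading bytes, or 'unknown'."""
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return name
    # MPEG audio without an ID3 tag starts with an 11-bit frame sync
    # (first byte 0xFF, top three bits of the second byte set).
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "MP3 (raw MPEG audio frame)"
    return "unknown"


def identify_file(path: str) -> dict:
    """Compare the extension's claim with the content's signature."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    content_type = identify_bytes(head)
    content_family = content_type.split(" (")[0]
    claimed = EXTENSION_MAP.get(os.path.splitext(path)[1].lower(), "unknown")
    # Only flag a mismatch when both sides are known and disagree; an
    # unknown extension or unknown content is reported, not judged.
    mismatch = (claimed != "unknown" and content_type != "unknown"
                and content_family != claimed)
    return {"path": path, "extension_says": claimed,
            "content_says": content_type, "mismatch": mismatch}


def scan_directory(directory: str) -> dict:
    """Identify every regular file in a directory, keyed by file name."""
    results = {}
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if os.path.isfile(full):
            results[name] = identify_file(full)
    return results


def demo() -> dict:
    """Build constructed sample files and scan them.

    image.tiff carries an ID3v2 header (an MP3 mislabelled as an image),
    photo.jpg is a genuine JPEG/JFIF header, notes.txt is plain text.
    """
    samples = {
        "image.tiff": b"ID3\x04\x00\x00\x00\x00\x00\x00" + b"\x00" * 32,
        "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32,
        "notes.txt": b"constructed plain-text sample\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return scan_directory(tmp)


if __name__ == "__main__":
    for name, info in demo().items():
        flag = "MISMATCH" if info["mismatch"] else "ok"
        print(f"{name:12} ext={info['extension_says']:14} "
              f"content={info['content_says']:28} {flag}")
```

Running the block prints one line per sample; image.tiff is reported as MP3 content with a mismatch flag, while photo.jpg and notes.txt pass. The same `identify_file` check can be pointed at a mounted forensic image to list every file whose name and content disagree before any format-specific viewer is opened.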
This chapter is dedicated to the editors and viewers used during a
typical forensic analysis. These viewers are defined as generic in the sense that they support many different file
types. Some of the viewers presented will even support an unlimited number of
file formats. Moreover, even though “editing” is not typically performed during
an investigation, this chapter will illustrate that editors, too, can add
powerful features to the analyst’s tool kit.