Computer forensics is of much relevance in today’s world. Though forensic analysis refers to searching and analyzing information to aid the process of finding evidence for a trial, computer forensic analysis is specially focussed on detecting malware. Computer forensic analysis tools help detect unknown, malicious threats across devices and networks, thus helping secure computers, devices and networks.
At a time when computers have become an integral part of our day-to-day lives, computer forensics is an area that evolves very rapidly. The technologies, the features and the methods used are changing and evolving very fast.
Let’s take a look at some of the best forensic analysis tools that we have today:
HackerCombat, one of the most sought-after computer forensic analysis tools available today, provides free forensic analysis. The software does a comprehensive scan of devices and networks for all kinds of unknown malicious threats. Many leading organizations today use HackerCombat to protect themselves from new, sophisticated kinds of malware and to prevent data breaches.
The features of HackerCombat Free computer forensic analysis software are:
- Helps identify known good files, known bad files and unknown files, thereby identifying threats.
- Takes just 15 minutes to complete.
- Covers all systems in a network, looking for malicious files and detecting threats lurking on endpoints.
- Givers detailed forensic analysis summary report on finishing the malware scan, helping get a detailed idea about the overall security posture of the network.
- Newly discovered unknown files sent for analysis; the analysis gives a verdict of “good” or “bad” on all unknown files.
SIFT (SANS Investigative Forensic Toolkit), also featured in SANS’ Advanced Incident Response course (FOR 508), is a free Ubuntu-based Live CD with tools for conducting in-depth forensic analysis. SIFT supports analysis of different evidence formats- Expert Witness Format, Advanced Forensic Format (AFF), and RAW (dd) and includes tools like Scalpel for data file carving, Timeline for system logs, Rifiuti for examining the recycle bin etc. The features are:
- Latest forensic tools, techniques and provides better memory utilization.
- Auto-DFIR package update and customizations.
- Cross compatibility between the Windows and Linux operating systems.
- There’s the option to install stand-alone via .iso or else use via VMware Player/Workstation.
- Better memory utilization system and expanded filesystem support.
- Online Documentation Project at http://sift.readthedocs.org/
Many organizations today use CAINE (Computer Aided Investigative Environment) for forensic analysis. CAINE, which contains many digital forensic tools, is a Linux Live CD. The latest version of this forensic analysis tool is based on the Ubuntu Linux LTS, MATE, and LightDM. The features are:
- Has a user-friendly interface.
- Updated, optimized environment for conducting forensic analysis.
- Of the forensic tools included, many are open source.
- User-friendly GUI, Semi-automated report generator.
This is a powerful computer security tool that reads data at the sector level and helps recover deleted files, examine slack space and access Windows Alternate Data Streams. ProDiscover Forensic dynamically allows a preview, search, and image-capture of the Hardware Protected Area (HPA) of the disk and helps locate all data on a computer disk, protecting evidence and creating detailed reports. The features are:
- Creates a Bit-Stream copy of the disk (including the hidden HPA section) for analysis.
- Searches files on the entire disk; this includes slack space, HPA section, and Windows NT/2000/XP Alternate Data Streams.
- Previews files without altering data on disk, including file Metadata.
- Examines data at the file or cluster level.
A network forensic analysis tool (NFAT), Xplico reconstructs the contents of acquisitions performed with a packet sniffer (e.g. Wireshark, tcpdump, Netsniff-ng). The tool helps extract and reconstruct all web pages and their contents (files, images, cookies etc). This tool is installed by default in the major descriptions of digital forensics and penetration testing, including Kali Linux, DEFT, BackTrack, BackBox, Matriux etc.
The features are:
- Supports different protocols HTTP, POP, IMAP, SIP, TCP, SMTP, UDP, IPv4, IPv6.
- Provides an input module to handle the input of data.
- Also provides an output module to organize the decoded data and to present them to the end user.
- PIPI (Port Independent Protocol Identification) for each application protocol.
- There is no limit on size as regards data entry or the number of files entrance.
- Modular components.
A very advanced work environment for forensic professionals, X-Ways Forensics is a fully portable, efficient, fast tool that finds deleted files too and has some unique features. The features are:
- It runs off a USB stick on any given Windows system without installation.
- Can read partitioning and file system structures inside raw image files, ISO, VHD and VMDK images.
- Disk cloning and imaging, offers automatic identification of lost or deleted partitions.
- Views and edits binary data structures using templates.
Julia Sowells is a security geek with almost 5+ years of experience, writes on various topics pertaining to network security.