Forensics is becoming very important in today's digital age, where many crimes are committed using digital technology. Digital forensics is the process of analyzing data created or contained within a computer system with the intention of finding out what happened, how and when it happened, and who was involved.
It collects, analyzes and preserves electronically stored information so that the data can later be used as evidence.
- Kali Linux OS
- Updated Python Version
Kali Linux is a Debian-derived Linux distribution designed for digital forensics and penetration testing. Its Forensics menu maintains a collection of tools created with the explicit purpose of performing digital forensics.
Autopsy is used by the military, law enforcement and other entities when the time comes to perform forensic operations. This package is probably one of the most robust ones available through open source: it combines the functionalities of many smaller, more narrowly focused packages into one neat application with a web-browser-based UI.
It is used to investigate disk images. When you click on Autopsy, it starts the service, and its user interface can be accessed in the web browser at http://localhost:9999/autopsy.
It gives the user the full range of options required to create a new case file: case name, description, investigator's name, hostname, host time zone, etc.
Its functionalities include timeline analysis, keyword search, web artifacts, hash filtering, data carving, multimedia and indicators of compromise. It accepts disk images in RAW or E01 format and generates reports in HTML, XLS or body-file format, depending on what a particular case requires.
Its robustness is what makes it so great: case management, analysis or reporting, it has you covered.
Binwalk is used when dealing with binary images; it can find embedded files and executable code by exploring an image file. It is very powerful for those who know what they are doing: used right, it can find sensitive information hidden in firmware images, which can lead to uncovering a hack or to finding a loophole to exploit.
It is written in Python and uses the libmagic library, making it perfect for use with the magic signatures created for the Unix file utility. To make things easier for investigators, it ships with a magic signature file holding the signatures most commonly found in firmware, making it easier to spot anomalies.
3. Bulk Extractor
Bulk Extractor is a very interesting suite for when a cyber investigator is looking to extract certain kinds of data from a digital evidence file: it can carve out email addresses, URLs, payment card numbers, etc.
It works on directories, files and disk images. The data can be partially corrupted or compressed; it will still find its way into it.
Bulk Extractor comes with features that help identify patterns in data found repeatedly, such as URLs, email IDs and more, and presents them in histogram format. It also creates a word list from the data it finds, which can assist in cracking the passwords of encrypted files.
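To make the histogram and word-list idea concrete, here is an added illustration in Python (not Bulk Extractor's own code) that scans a constructed byte blob for email addresses and URLs without caring about file boundaries, counts each value the way the histogram output does, and derives a frequency-ordered word list from the same bytes:

```python
# Bulk-Extractor-style feature scan over a raw blob (added illustration, not
# Bulk Extractor's own code). It finds e-mail addresses and URLs without
# relying on file system structure, builds a per-feature histogram, and
# derives a word list of the kind the text describes.
import re
from collections import Counter

# Byte-level patterns so the scan works on raw images, not only on text files.
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(rb"https?://[A-Za-z0-9./?=_%&:-]+")
WORD_RE = re.compile(rb"[A-Za-z0-9]{6,20}")


def scan_features(blob: bytes) -> dict:
    """Return feature name -> Counter of values, i.e. the histogram per feature."""
    return {
        "email": Counter(m.decode() for m in EMAIL_RE.findall(blob)),
        "url": Counter(m.decode() for m in URL_RE.findall(blob)),
    }


def word_list(blob: bytes) -> list:
    """Unique candidate words, most frequent first, usable as a cracking word list."""
    counts = Counter(w.decode() for w in WORD_RE.findall(blob))
    return [word for word, _ in counts.most_common()]


# Constructed sample: fragments of a disk image with stray bytes between them.
SAMPLE = (b"\x00\x00From: alice@example.com\x00\xff"
          b"visit https://example.com/login twice\x00"
          b"\xde\xadTo: alice@example.com, bob@example.org\x00"
          b"https://example.com/login https://example.net/x\x00"
          b"secretpass secretpass hunter2xyz\x00")

if __name__ == "__main__":
    for feature, histogram in scan_features(SAMPLE).items():
        for value, count in histogram.most_common():
            print(f"{feature}\t{count}\t{value}")
    print(word_list(SAMPLE)[:5])
```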
This program is mostly used in a live-boot setting. It is used to locally check the host for any installed rootkits. It comes in handy when trying to harden an endpoint or making sure that a hacker has not compromised a system.
It can detect rootkit modifications to system binaries, last log deletions, quick-and-dirty string replacements and temp deletions. This is just a taste of what it can do; the package seems simple at first glance, but to a forensic investigator its capabilities are invaluable.
Deleted files that might help solve a digital incident? No problem: Foremost is an easy-to-use open source package that can carve data out of formatted disks. The filename itself might not be recovered, but the data it holds can be carved out.
Foremost was written by US Air Force special agents. It carves files by referencing a list of headers and footers, even if the directory information is lost, which makes for fast and reliable recovery.
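The signature-based approach behind both Binwalk (listing embedded files by magic signature) and Foremost (carving by header and footer) can be shown in a few lines. The following is an added illustration, not the code of either tool; the signature table and the sample image are constructed, and the JPEG and PNG blobs are minimal stand-ins rather than valid files:

```python
# Signature scan and header/footer carving (added illustration; not binwalk's
# or Foremost's own code). scan_signatures() lists every known magic header
# with its offset, the way binwalk surveys a firmware image; carve() extracts
# the bytes between a header and its footer, the way Foremost recovers files
# when directory information is gone. Signatures and sample image are constructed.

# header bytes -> (type name, footer bytes or None when the type has no footer)
SIGNATURES = {
    b"\xff\xd8\xff": ("jpeg", b"\xff\xd9"),
    b"\x89PNG\r\n\x1a\n": ("png", b"IEND\xaeB`\x82"),
    b"\x1f\x8b\x08": ("gzip", None),
}


def scan_signatures(image: bytes) -> list:
    """Return [(offset, name, header)] for every header found anywhere in the image."""
    hits = []
    for header, (name, _) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            hits.append((pos, name, header))
            pos = image.find(header, pos + 1)
    return sorted(hits)


def carve(image: bytes, max_size: int = 1 << 20) -> list:
    """Return [(offset, name, data)] for each header whose footer is found within max_size."""
    carved = []
    for offset, name, header in scan_signatures(image):
        footer = SIGNATURES[header][1]
        if footer is None:
            continue  # no footer: a carver needs a length field for this type
        end = image.find(footer, offset + len(header), offset + max_size)
        if end == -1:
            continue  # truncated file or false-positive header
        carved.append((offset, name, image[offset:end + len(footer)]))
    return carved


# Constructed image: padding, a minimal PNG-like blob, a gzip header with no
# footer, then a minimal JPEG-like blob.
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8 + b"IHDR" + b"\x01" * 13 + b"IEND\xaeB`\x82"
JPEG = b"\xff\xd8\xff\xe0" + b"\x10" * 6 + b"\xff\xd9"
IMAGE = b"\x00" * 16 + PNG + b"\x00" * 5 + b"\x1f\x8b\x08\x00" + b"\xaa" * 9 + JPEG

if __name__ == "__main__":
    for offset, name, _ in scan_signatures(IMAGE):
        print(f"{offset:>8}  {name}")
    for offset, name, data in carve(IMAGE):
        print(f"carved {name} at offset {offset}: {len(data)} bytes")
```

The gzip entry shows why a carver needs more than a header for some formats: with no footer to stop at, the scan still reports the offset but nothing is carved.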
When following a trail of cookies, this program will parse them into a format that can be exported to a spreadsheet program.
Understanding cookies can be a tough nut to crack, especially if the cookies might be evidence in a cyber-crime. This program lends a hand by giving investigators the capability to structure the data in a better form and run it through analysis software, most of which requires the data to be in some form of spreadsheet.
Hashdeep is a must when dealing with hashes. Its defaults are focused on MD5 and SHA-256. Whether it is existing files that have moved within a set, new files placed in a set, missing files or matched files, Hashdeep can work with all these conditions and produce reports that can be scrutinized, which makes it very helpful for performing audits.
One of its biggest strengths is performing recursive hash computations with multiple algorithms, which is integral when time is of the essence.
PhotoRec is a reliable file retrieval suite that allows you to recover various types of files, such as documents, multimedia and archives, from a variety of storage media such as USB drives, hard disk drives, Android phones, memory cards and more. Apart from these, the tool is also capable of recovering data from digital cameras, and it works with all common file systems.
This tool is used for memory analysis. It is written in Python and focused on memory forensics for Mac OS X. It works on the Intel x86 and IA-32e architectures. If you're trying to find malware or any other malicious program that was or is residing in system memory, this is the way to go.
Volatility is one of the most popular frameworks when it comes to memory forensics. It is a Python-based suite that lets investigators extract digital data from volatile memory (RAM) samples. It is compatible with the majority of 64- and 32-bit variants of Windows and with selected flavors of Linux distributions, including Android.
It accepts memory dumps in various forms, be it raw format, crash dumps, hibernation files or VM snapshots, and can give keen insight into the run-time state of the machine, independently of the investigation of the host itself.
Here's something to consider: decrypted files and passwords are held in RAM, and if they are available, getting into files that might be encrypted on the hard disk can be a lot easier, and the overall time of the investigation can be considerably reduced.