±Forensic Focus Partners

Become an advertising partner

±Your Account


Forgotten password/username?

Site Members:

New Today: 0 Overall: 36575
New Yesterday: 4 Visitors: 167

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

Forensic Tools

Discussion of computer forensics employment and career issues.
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts


Forensic Tools

Post Posted: Apr 18, 05 20:10

What tools or applications are considered the best and are easy to utilize? When collecting evidence, what method is preferred? Do you place the evidence onto a CD or other media? Thanks


Re: Forensic Tools

Post Posted: Apr 19, 05 09:57

Hi Jeff

good question. We find that giving the client a choice is a pretty good way of doing things. There is no way we are going to print of 1000 images for a report for a client unless they ask - and pay! but we do offer to provide sdamples on CD and with a couple fo our clients we provide them with a free imaged hard drive so they can see all the evidence as view only. This also means for us that if they want reports on different images for example they can refer to them and locate them easily. So no stndard method but entirly the clienst chice, whatever suits their own investigation needs. Hope that helps.
Andy Fox
Digital Forensics Director
Audax Digital Forensics

Senior Member

Re: Forensic Tools

Post Posted: Apr 19, 05 13:58

As far as evidence, it is generally always copied to hard drives as part of the imaging process. I archive all evidence files to DVD's as the next step. At the conclusion of an analysis these preserved as evidence for any future needs. The hard drive is then wiped and re-used. I backup the evidence files immediately after acquisition because you really never know when a hard drive will fail. Some will last years and some days, you just can't be sure.

As for which tool is best that's really a matter of preference. I would caution a new examiner to stay away from the hacker type tools. You don't want to have to explain in court that your application was written by someone named "demonhacker". It's just not going to sound very professional. Encase and Forensic Toolkit (FTK) are very popular window's based applications. Winhex is another very good product. If you're in law enforcement you can get I-look free of charge as well as the training through NWC3. If you prefer Linux there are several products available like Penguin Sleuth (http://www.linux-forensics.com/). There's a lot out there. I'm not sure any are easy to use, or master, but if you are more familiar with Windows for instance I would lean towards a Windows application.

When you say collecting evidence I am thinking acquisition. Whatever method you use the primary concern is that you don't alter the original in any way. Attaching it to a computer and booting it will alter it. Write blocking devices are very popular now. They prevent any writes to the drives attached and offer very fast acquisition speeds (around 1 gig per minute). There are dos and linux applications for acquisitions as well. Most of the popular applications have acquisition capabilities.
Greg Marshall, EnCE 

Page 1 of 1