
Guide to Computer Forensics and Investigations, Second Edition
Chapter 4
Current Computer Forensics Tools

Objectives
Understand how to identify needs for computer forensics tools: do not buy every tool, buy only what the case requires.
Evaluate the requirements and expectations for
computer forensics tools
Understand how computer forensics hardware and
software tools integrate
Validate and test your computer forensics tools, so that the results you obtain are admissible in court
Guide to Computer Forensics and Investigations, 2e

Computer Forensics Software Needs


Look for versatility, flexibility, and robustness (the things to consider):
OS
File system: which file systems can it read? Ideally all of them, so there is no further hassle
Script capabilities: the ability to use scripts (a GUI is easy to use and user friendly, but consumes resources such as CPU and memory, and can hang)
Automated features: the vendor keeps them up to date
Vendor's reputation: the brand can be taken into account when choosing tools

Keep in mind what applications you analyze: what is the case being analyzed? Do not buy the wrong tools, for example a network tool when the case turns out to involve a hard disk


Types of Computer Forensics Tools


Hardware forensic tools: depends on budget and needs
Single-purpose components: for cases that are not too complex
Complete computer systems and servers: interconnected, more complex

Software forensic tools: a matter of preference, but the CLI ones are better
Command-line applications: usable for any case, flexible, Windows/UNIX
GUI applications


Tasks Performed by Computer Forensics Tools

Acquisition
Validation and discrimination
Extraction
Reconstruction
Reporting


Acquisition
Acquisition: taking over and copying; this is the first category.
Acquisition categories:
Physical data copy: the machine's own raw data
Logical data copy: what was entered and then stored
Data acquisition format
Command-line acquisition
GUI acquisition


Acquisition (continued)
Acquisition categories (continued):
Remote acquisition
Verification


Acquisition (continued)
One of the tools used is a hex editor: it takes the data from the physical copy, and in hex you can see the changes.


Validation and Discrimination


Validation: to determine whether the data is valid and can be used as evidence.
Discrimination: distinguish which files are common and which are specific, to simplify the analysis; with it we reduce analysis time by filtering. Does this data belong to the OS? Just match it: if it matches it can be skipped and need not be analyzed, until something odd (a non-match) is found.

Hashing: one-way; the data does not change
Cyclic redundancy check (CRC)-32, MD5, Secure Hash Algorithms (SHAs)

Filtering
Based on hash value sets

Analyzing file headers: you need to be good at reading hex, so you know the file formats and can find files hidden inside other files

Discriminate files based on their types


Extraction
This is an important category. After the first two, you must be able to extract (retrieve) the data. A fairly urgent technique: the data must be shown in readable form, not just as hex values.

Major techniques include (depending on the tool):

Data viewing

Keyword searching

How data is viewed depends on the tool used


Recovers key data facts

Decompressing

Archive and cabinet files


Extraction (continued)

Major techniques include:

Carving
Reconstruct fragments of deleted files: gathering data that has been broken apart so that it is whole again

Decrypting: sometimes a file is password-protected, so you can use:
Password dictionary attacks
Brute-force attacks

Bookmarking: once you have found something, make a report; if you do not make a report it will most likely be rejected
First find evidence, then bookmark it


Reconstruction
To find out the sequence of events from the evidence and the deleted data, and then draw a conclusion: valid, with nothing overlooked.

Re-create a suspect's disk drive

Techniques
Disk-to-disk copy: the disks must match in size, type and serial number; there are tools that can clone (provide the same hardware and brand, so it can be cloned even when the serial number differs)
Image-to-disk copy: load the image onto a disk, save it, copy it to disk, and present the copy to the court
Partition-to-partition copy
Image-to-partition copy

Reporting
In report form, this reflects the investigation
Configure your forensic tools to:
Log activities
Generate reports

Use this information when producing a final report for your investigation


Tool Comparisons


Tool Comparisons (continued)


Other Considerations for Tools

Flexibility
Reliability
Expandability
Keep a library with older versions of your tools


Computer Forensics Software


Example: Norton DiskEdit, an old tool but still widely used
Advantages
Require few system resources
Run in minimal configurations
Fit on a bootable floppy disk

Disadvantages
Cannot search inside archive and cabinet files
Most of them only work on FAT file systems

UNIX/Linux Command-line Forensic Tools
Dominate the *nix platforms
Examples:

SMART
The Coroner's Toolkit (TCT)
Autopsy
SleuthKit


GUI Forensic Tools


Simplify computer forensics investigations
Help train beginning investigators
Most of them come in suites of tools


GUI Forensic Tools (continued)


Advantages
Ease of use
Multitasking
No need for learning older OSs

Disadvantages
Excessive resource requirements
Produce inconsistent results
Create tool dependencies


Computer Hardware Tools


Provide analysis capabilities
Hardware eventually fails
Schedule equipment replacements
When planning your budget
Failures
Consultant and vendor fees
Anticipate equipment replacement


Computer Investigation Workstations


Carefully consider what you need
Categories:
Stationary: like a lab
Portable: a laptop, can be carried around
Lightweight: the light ones

Balance what you need and what your system can handle; do not push a system beyond its capacity


Computer Investigation Workstations (continued)
Police agency labs
Need many options
Use several PC configurations

Private corporation labs handle only system types used in the organization
Keep a hardware library: there is a retention period for storage, so it is there when needed.


Building your Own Workstation


It is not as difficult as it sounds
Advantages
Customized to your needs
Save money
ISDN phone system

Disadvantages
Hard to find support for problems
Can become expensive if careless, because of trial and error


Building your Own Workstation (continued)
You can buy one from a vendor as an alternative
Examples:
F.R.E.D.: a package, all from one brand; if there is a problem, return it to the vendor
FIRE IDE:


Using a Write-Blocker
Prevents data writes to a hard disk
Software options:
Software write-blockers are OS-dependent
PDBlock

Hardware options
Ideal for GUI forensic tools
Act as a bridge between the disk and the workstation
Purpose: so that the hard disk is not modified under the new OS.

Using a Write-Blocker (continued)


Discards the written data
For the OS, the data copy is successful
Connecting technologies
FireWire
USB 2.0
SCSI controllers
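The two write-blocker slides describe the bridge's behaviour in one sentence each: writes are discarded, yet the OS is told the write succeeded, so the disk contents and therefore its hash are unchanged while a physical acquisition reads through it. The following simulation is an added example written for these notes, not code from the textbook or from any write-blocker vendor. The Disk and WriteBlocker classes are constructed stand-ins for a real drive and a real hardware bridge; the verification step (hash before acquisition, hash of the image, hash after) is the same check the Acquisition slides list under "Verification".

```python
import hashlib


class Disk:
    """Constructed in-memory device standing in for the suspect drive."""

    def __init__(self, data: bytes):
        self._buf = bytearray(data)

    def read(self, offset: int, length: int) -> bytes:
        return bytes(self._buf[offset:offset + length])

    def write(self, offset: int, data: bytes) -> int:
        # An unprotected disk really changes: this is what a write-blocker prevents.
        self._buf[offset:offset + len(data)] = data
        return len(data)

    def size(self) -> int:
        return len(self._buf)

    def fingerprint(self) -> str:
        return hashlib.sha256(bytes(self._buf)).hexdigest()


class WriteBlocker:
    """Simulated bridge between the disk and the workstation.

    Reads pass straight through.  Writes are logged and acknowledged as fully
    successful to the caller (the OS), but never reach the underlying disk.
    """

    def __init__(self, disk: Disk):
        self._disk = disk
        self.blocked_writes = []  # audit trail of discarded write attempts

    def read(self, offset: int, length: int) -> bytes:
        return self._disk.read(offset, length)

    def write(self, offset: int, data: bytes) -> int:
        self.blocked_writes.append((offset, len(data)))
        return len(data)  # reports success; the data is discarded

    def size(self) -> int:
        return self._disk.size()


def acquire(device, chunk: int = 4096):
    """Physical acquisition: read the whole device into an image and hash it."""
    image = bytearray()
    h = hashlib.sha256()
    for offset in range(0, device.size(), chunk):
        block = device.read(offset, chunk)
        image += block
        h.update(block)
    return bytes(image), h.hexdigest()


def demo(use_blocker: bool = True) -> dict:
    """Acquire a constructed 2048-byte drive with or without the blocker.

    Returns the verification facts an examiner records: whether the OS saw its
    write succeed, whether the disk hash is unchanged, and whether the image
    hash matches the pre-acquisition hash.
    """
    suspect = Disk(bytes(range(256)) * 8)          # constructed sample content
    before = suspect.fingerprint()
    device = WriteBlocker(suspect) if use_blocker else suspect
    attempt = b"OS mount: journal replay / last-access update"   # constructed
    written = device.write(0, attempt)             # what a mounting OS would do
    image, image_hash = acquire(device)
    after = suspect.fingerprint()
    return {
        "os_saw_success": written == len(attempt),
        "disk_unchanged": before == after,
        "image_matches_original": image_hash == before,
        "blocked_writes": len(device.blocked_writes) if use_blocker else 0,
    }


if __name__ == "__main__":
    print("with blocker   :", demo(True))
    print("without blocker:", demo(False))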


Recommendations for a Forensic Workstation (what is needed):
Data acquisition techniques:
USB 2.0
FireWire

Expansion device requirements


Power supply with battery backup
Extra power and data cables
External FireWire and USB 2.0 ports


Recommendations for a Forensic Workstation (continued)
Ergonomic considerations
Keyboard and mouse
Display

High-end video card


Monitor


Validating and Testing Forensic Software
Evidence could be admitted in court
Test and validate your software to prevent damaging the evidence
Always test and validate so that the evidence is not damaged


Using National Institute of Standards and Technology (NIST) Tools
Computer Forensics Tool Testing (CFTT) program
Based on standard testing methods
ISO 17025 criteria
ISO 5725

Also evaluate disk imaging tools


Forensic Software Testing Support Tools (FS-TSTs)


Using NIST Tools (continued)


National Software Reference Library (NSRL) project
Collects all known hash values for commercial software applications and OS files
Helps filter out known information
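The Validation and Discrimination slide and this NSRL slide describe the same workflow: hash every file, skip the ones whose hash is in a known-file set, and look at the file header of what remains so that a file hidden inside another format (a ZIP renamed to .jpg, say) stands out. The script below is an added example for these notes, not textbook code and not the NSRL's own tooling. The "known" hash set is constructed from sample content so the example runs offline (a real set would be loaded from the NSRL Reference Data Set); the header signatures for JPEG, PNG, ZIP, PDF and PE files are the standard magic numbers; the sample evidence directory is built in a temporary folder.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed known-file set standing in for an NSRL-style reference set.
# Real work loads published hashes; here they are derived from sample content.
KNOWN_CONTENT = {
    "stock_os_file.bin": b"constructed stand-in for a stock OS file",
    "vendor_readme.txt": b"constructed stand-in for a vendor readme",
}
KNOWN_HASHES = {hashlib.sha256(v).hexdigest() for v in KNOWN_CONTENT.values()}

# Standard file-header signatures ("magic numbers").
SIGNATURES = {
    b"\xFF\xD8\xFF": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",
    b"%PDF-": "pdf",
    b"MZ": "pe",
}
EXT_TO_TYPE = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".zip": "zip",
               ".pdf": "pdf", ".exe": "pe", ".dll": "pe"}


def sha256_file(path) -> str:
    """Hash a file in chunks so large evidence files do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def header_type(path) -> str:
    """Classify a file by its leading bytes, ignoring the extension."""
    with open(path, "rb") as f:
        head = f.read(16)
    for magic, kind in SIGNATURES.items():
        if head.startswith(magic):
            return kind
    return "unknown"


def triage(path, known_hashes=KNOWN_HASHES) -> str:
    """'known'    : hash is in the reference set, skip it
       'mismatch' : header disagrees with the extension, look closer
       'review'   : not known, header consistent, analyze normally"""
    if sha256_file(path) in known_hashes:
        return "known"
    actual = header_type(path)
    expected = EXT_TO_TYPE.get(Path(path).suffix.lower())
    if expected is not None and actual != expected:
        return "mismatch"
    return "review"


def triage_tree(root, known_hashes=KNOWN_HASHES) -> dict:
    """Triage every regular file directly under root; returns {name: verdict}."""
    return {p.name: triage(p, known_hashes)
            for p in sorted(Path(root).iterdir()) if p.is_file()}


def build_sample_tree() -> Path:
    """Create a constructed evidence directory in a temp folder and return it."""
    root = Path(tempfile.mkdtemp(prefix="triage_"))
    for name, data in KNOWN_CONTENT.items():
        (root / name).write_bytes(data)
    (root / "photo.jpg").write_bytes(b"\xFF\xD8\xFF\xE0" + b"\x00" * 32)  # real JPEG header
    (root / "notes.jpg").write_bytes(b"PK\x03\x04" + b"\x00" * 32)        # ZIP hiding as .jpg
    (root / "memo.dat").write_bytes(b"plain text of unknown provenance")
    return root


if __name__ == "__main__":
    for name, verdict in triage_tree(build_sample_tree()).items():
        print(f"{verdict:9s} {name}")
```

The order matters: the hash lookup runs first so known files are skipped without any further work, and only what survives is inspected byte by byte, which is exactly the time saving the discrimination slide is after.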


The Validation Protocols


Always verify your results
Use at least two tools
Retrieving and examination
Verification

Understand how tools work


Disk editors
Norton DiskEdit
Hex Workshop
WinHex

The Validation Protocols (continued)


Disk editors (continued)
Do not have a flashy interface
Reliable tools
Can access raw data


Computer Forensics Examination Protocol
Perform the investigation with a GUI tool
Verify your results with a disk editor
WinHex
Hex Workshop
Nearly the same: analyze in hex, for comparison

Compare hash values obtained with both tools
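The examination protocol ends with "compare hash values obtained with both tools", which in practice means reconciling two hash reports that rarely share a format. The script below is an added example for these notes, not textbook code and not the output of WinHex, Hex Workshop or any named suite. The first report uses the real md5sum output format (hash, two spaces, path); the second is a CSV export whose layout is invented here to stand in for a GUI suite (uppercase hashes, backslash paths). All hash values and paths are constructed samples.

```python
import csv
import io
import re

# Constructed sample: md5sum-style report from tool A (format is real).
MD5SUM_REPORT = """\
9e107d9d372bb6826bd81d3542a419d6  evidence/doc1.txt
e4d909c290d0fb1ca068ffaddf22cbd0  evidence/doc2.txt
d41d8cd98f00b204e9800998ecf8427e  evidence/empty.bin
"""

# Constructed sample: CSV export from a hypothetical GUI suite (tool B).
# The column layout is invented for this example.
GUI_REPORT = """\
Name,MD5
evidence\\doc1.txt,9E107D9D372BB6826BD81D3542A419D6
evidence\\doc2.txt,E4D909C290D0FB1CA068FFADDF22CBD1
evidence\\extra.log,0CC175B9C0F1B6A831C399E269772661
"""

MD5SUM_LINE = re.compile(r"^([0-9a-fA-F]{32})\s[ *](.+)$")


def normalize(path: str) -> str:
    """Make paths from both tools comparable (separators, stray whitespace)."""
    return path.strip().replace("\\", "/")


def parse_md5sum(text: str) -> dict:
    """md5sum output: '<hash>  <path>' (or '<hash> *<path>' in binary mode)."""
    out = {}
    for line in text.splitlines():
        m = MD5SUM_LINE.match(line)
        if m:
            out[normalize(m.group(2))] = m.group(1).lower()
    return out


def parse_gui_csv(text: str) -> dict:
    """Hypothetical GUI export with 'Name' and 'MD5' columns."""
    out = {}
    for row in csv.DictReader(io.StringIO(text)):
        out[normalize(row["Name"])] = row["MD5"].strip().lower()
    return out


def reconcile(tool_a: dict, tool_b: dict) -> dict:
    """Split the union of both reports into four examiner-facing buckets.

    'conflict' is the one that matters: the same file hashed differently by
    two tools means either a tool defect (report it to the vendor, per the
    upgrade protocol) or that the evidence changed between runs.
    """
    files_a, files_b = set(tool_a), set(tool_b)
    common = files_a & files_b
    return {
        "agree": sorted(f for f in common if tool_a[f] == tool_b[f]),
        "conflict": sorted(f for f in common if tool_a[f] != tool_b[f]),
        "only_a": sorted(files_a - files_b),
        "only_b": sorted(files_b - files_a),
    }


def verification_passed(result: dict) -> bool:
    """The cross-check passes only if every file both tools saw agrees and
    neither tool saw files the other missed."""
    return not result["conflict"] and not result["only_a"] and not result["only_b"]


if __name__ == "__main__":
    r = reconcile(parse_md5sum(MD5SUM_REPORT), parse_gui_csv(GUI_REPORT))
    for bucket, files in r.items():
        print(f"{bucket:9s} {files}")
    print("verification passed:", verification_passed(r))
```

Files present in only one report are reported separately from hash conflicts: a file one tool never hashed is a coverage gap (a filter or a parsing limitation), whereas a conflict on a file both tools processed is the finding that has to be explained before the result goes into the report.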


Computer Forensics Tool Upgrade Protocol
Test
New releases
Patches
Upgrades

If you find a problem, report it to your forensics tool vendor; do not try to fix it yourself, as that only makes things worse
Use a test hard disk for validation purposes; do not mix in the evidence, keep the evidence secure

Summary
Create a business plan to get the best hardware
and software
Computer forensics tools functions

Acquisition
Validation and discrimination
Extraction
Reconstruction
Reporting


Summary (continued)
Maintain a software library in your lab
Computer forensics tools types:
Software
Hardware

Forensics software:
Command-line
GUI


Summary (continued)
Forensics hardware:
Customized equipment
Commercial options
Include workstations and write-blockers

Always test your forensics tools
