Forensics has become a much maligned discipline in the information security realm as of late. To quote forensics maven Thomas Rude, "have dongle, am expert." As tools get more advanced, the need for true understanding appears to become less, but, in reality, there is just no substitute for knowledge and experience. To offset the knowledge gap that can occur, many manufacturers are offering certifications on their products, but often the certification requires the purchase of the product, and the certification is not just based on knowledge alone.
There are also several vendor neutral certifications emerging in the marketplace. Perhaps the leader is the Certified Hacking Forensic Investigator from the EC-Council. Which certification, or certification in general, is not really the true need. What is needed is knowledge of forensics. A shortage of qualified investigators has arisen as college campuses, local police departments and even private citizens in civil lawsuits all need to have forensic analysis performed. This has led to a growth in availability of tools that are much easier to use than the tools of the past. These tools are designed to help flatten the learning curve for many individuals.
This Group Test focuses not on the knowledge of the investigator, but the quality of the tools being used. Another twist in the world of forensics is the multitude of changes in where data resides. The smart phone of 2008 was the laptop of 2001. Storage in the GB range can be in any of several formats.
As phones and PDAs continue to increase in processing power and storage, the need for forensic analysis of these devices becomes more critical. There are several challenges to performing forensics on a hand-held device, and most of the trouble is due to the difficulty of capturing data in a way that is forensically sound. Most forensic packages are including hand-held device forensic capabilities, and those which currently do not include it are announcing updates which will perform the functions soon. When it comes to gathering forensic data from a phone, you might wonder how much data there can possibly be on this type of device. Some of the common places on cell phones that include data storage -- of interest to the forensic analyst -- are contacts, call history, calendar, SMS, images and videos, ringtones and music, expansion cards and SIM cards.
Since most of these non-computer devices use dynamic storage, one of the most critical steps is to block USB write access from your forensic machine. A little unheralded change, which was part of Windows XP Service Pack Two (SP2), can make the process of performing forensic analysis of hand-held devices easier. With SP2, Windows XP has the ability to change USB ports from the standard read/write mode to a new read-only mode. This feature is simple to integrate and only requires a registry change. The process is quite simple and only takes a few minutes to complete.
This process helps protect the evidence from modification, and also allows us to use less expensive digital media readers to collect evidence. Software takes greater configuration than a hardware device write blocker. For more information about the Windows XP SP2 USB write block, check out the knowledge base entry located here. . A graphical interface USB write blocking utility is available at https://www.m2cfg.com/usb_writeblock.htm. If you prefer hardware blockers there are several on the market.
How we tested
To truly test the software packages -- which were not specific to hard drive forensics, but to cell phone forensics -- we used either a Palm Treo 755p or a Motorola RAZR V3. To test hard drive forensic machines, we used a 1GB flash drive loaded with office files, ZIP files, pictures and executables. We password-protected some ZIP files, and also some of the office files. We also deleted files and directories, and used steganographic tools to hide a picture inside another picture file, and also to hide text inside of a picture file.
Buying media forensic tools
As always, the first step to buying tools is determining how they will be used. In this case the task is relatively easy. If you need to analyze cell phones and PDAs, you need a specific tool to do that. The tools should be comprehensive and should cover all of the data capture and analysis tasks that you will need to perform. In that regard you will need to compare general purpose tools and specific tools for these small devices.
In some cases you may benefit financially from putting all of your forensic eggs in one basket and buying a generic tool with lots of capabilities. That may or may not be a good idea depending on the product. We recommend purchasing specialized tools, even if the general purpose ones cover most of your bases.
It never hurts to have more than one computer forensic tool. Many organizations are opting for a commercial tool and an open source tool. We cover both in this review.