Digital Forensics Tools
If we want to study and work in Computer Forensics, we should have deep technical knowledge of file systems and of how to recover files. Therefore, we have to know about raw file recovery and how to obtain metadata, and we should understand how file systems such as FAT, Ext4, NTFS and HFS+ work. On the other hand, choosing the right tools to get reliable information and to preserve evidence is very important, so I’m going to write about some interesting tools we can use to analyse digital evidence.
Once we have digital evidence, it’s important to preserve it: it shouldn’t be modified under any circumstances if it is to remain valid evidence. There are many tools for this but, for instance, we can use AccessData FTK Imager for hash verification and read-only access. In addition, this tool can also be used to find out which files have been deleted and to recover them. Below, we can see a deleted file in the root directory of the VOL02 partition, which has a FAT16 file system.
AccessData FTK Imager
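To show what FTK Imager is doing when it lists that deleted entry, here is an added example (my own code, not part of FTK Imager) that walks a constructed FAT16 root directory, flags entries whose first name byte has been overwritten with the 0xE5 deletion marker, and computes the SHA-256 hash used to verify the evidence copy is unchanged. The directory entries and their names, clusters and sizes are constructed sample data.

```python
import hashlib
import struct

ENTRY_SIZE = 32
DELETED_MARK = 0xE5  # first name byte of an entry whose file was deleted
END_OF_DIR = 0x00    # first name byte meaning "no further entries"
ATTR_LFN = 0x0F      # long-file-name entries are skipped here
ATTR_DIR = 0x10


def make_entry(name, ext, attr, cluster, size, deleted=False):
    """Build one 32-byte FAT directory entry (constructed test data)."""
    raw_name = name.ljust(8).encode("ascii")
    if deleted:
        raw_name = bytes([DELETED_MARK]) + raw_name[1:]
    # offsets 12-25 (timestamps, high cluster word) are zeroed for brevity
    return struct.pack("<8s3sB14sHI", raw_name, ext.ljust(3).encode("ascii"),
                       attr, b"\x00" * 14, cluster, size)


def parse_root_dir(data):
    """Walk FAT12/16 root-directory entries and flag the deleted ones."""
    entries = []
    for off in range(0, len(data) - ENTRY_SIZE + 1, ENTRY_SIZE):
        raw = data[off:off + ENTRY_SIZE]
        if raw[0] == END_OF_DIR:
            break
        attr = raw[11]
        if attr == ATTR_LFN:
            continue
        deleted = raw[0] == DELETED_MARK
        # the original first character is lost on deletion; show it as '?'
        name = (b"?" + raw[1:8] if deleted else raw[0:8]).decode("ascii", "replace").rstrip()
        ext = raw[8:11].decode("ascii", "replace").rstrip()
        cluster, size = struct.unpack_from("<HI", raw, 26)
        entries.append({"name": f"{name}.{ext}" if ext else name,
                        "deleted": deleted, "first_cluster": cluster,
                        "size": size, "directory": bool(attr & ATTR_DIR)})
    return entries


def sha256_hex(data):
    """Hash of the evidence bytes, recorded at acquisition and re-checked later."""
    return hashlib.sha256(data).hexdigest()


# Constructed root directory: one live file, one deleted file, one subdirectory.
ROOT_DIR = (make_entry("REPORT", "TXT", 0x20, 3, 1024)
            + make_entry("SECRET", "DOC", 0x20, 9, 4096, deleted=True)
            + make_entry("PHOTOS", "", ATTR_DIR, 12, 0)
            + bytes(ENTRY_SIZE))  # end-of-directory marker

if __name__ == "__main__":
    print("SHA-256:", sha256_hex(ROOT_DIR))
    for e in parse_root_dir(ROOT_DIR):
        flag = "DELETED" if e["deleted"] else "       "
        print(flag, e["name"], "cluster", e["first_cluster"], "size", e["size"])
```

The deleted entry keeps its extension, first cluster and size, which is why a recovery tool can still carve the data as long as those clusters have not been reused.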
Another interesting tool is Active Disk Editor, a freeware tool available for Windows and Linux for viewing and editing raw sectors of physical disks, partitions and file contents in hexadecimal form. This is an excellent tool for opening partitions and volumes and searching through the file system, as well as for analysing boot records such as the MBR (Master Boot Record) and partition tables such as GPT (GUID Partition Table). What’s more, there are many templates that highlight sectors by colour and contain hyperlinks for easy navigation.
Active Disk Editor
PhotoRec is another file recovery freeware, older than FTK Imager, available for Windows and Linux. We can use this software to recover files such as videos, documents and archives from hard disks, CD-ROMs, USB memory sticks, memory cards, etc. Moreover, PhotoRec is able to recover more than 480 file extensions, and it uses read-only access when recovering lost data, which is mandatory to preserve digital evidence.
PhotoRec
As you can see, there are many file recovery tools, and Recuva is another one. It is an easy-to-use tool, with a free version, for recovering lost files from damaged or newly formatted drives. Furthermore, Recuva can be used to delete files securely thanks to industry- and military-standard deletion techniques that overwrite the drive.
Recuva
Getting metadata is powerful because we can obtain lots of interesting information from hidden data. I already knew FOCA from Eleven Paths, but ExifTool is another excellent free and open-source program for reading, writing and manipulating image, audio, video and PDF metadata. ExifTool is used by the image hosting site Flickr to parse the metadata from uploaded images, and it handles many kinds of metadata such as Exif, IPTC, etc.
ExifTool
These are just some interesting tools useful for the examination and analysis phase of Computer Forensics. However, we’ll need more tools and lots of technical knowledge when we face real evidence, but this is a good starting point for the analysis of digital evidence.
Regards, my friends, and keep studying!