
Tools:

USB : USBDeview

Registry Viewer : FTK Registry Viewer

Hex Analysis : hex editor

COFEE (Computer Online Forensic Evidence Extractor)

Windows Event Tool : Event Viewer

Computer Forensic and Bit-stream Imaging Software


A combination of imaging tools is ideal because each tool has its own strengths in
terms of recognizing partitions, the type and number of files recovered, filtering,
and decryption.

>The Sleuth Kit (TSK) and Autopsy Forensic Browser—The Sleuth Kit is an open source computer forensics tool made up of a group of command-line tools. It allows an investigator to examine file systems and the volumes on a hard disk drive. It supports the NTFS, FAT, UFS 1, UFS 2, Ext2, Ext3, Ext2FS, Ext3FS, and ISO 9660 file systems, and raw dd images can also be analyzed with it. Autopsy is a graphical user interface (GUI) that is used in conjunction with The Sleuth Kit. Both tools run on Windows or UNIX systems. Further information is available at www.sleuthkit.org.

>ILook—The ILook Investigator suite of tools was developed by Eliot Spencer in conjunction with the IRS Criminal Investigation Electronic Crimes Program. Further information about this tool can be found at www.ilook-forensics.org.

>DriveSpy—This forensic tool provides detailed information about a hard disk drive, including DOS and non-DOS partitions, slack space, allocated and unallocated disk space, and many other features. The tool logs when files are added to or deleted from a location. More importantly, it allows the investigator to create a disk-to-disk forensic duplicate. The downside of this tool is that it uses a DOS command-line interface instead of a more user-friendly interface.

>X-Ways Forensics—This tool is a well-recognized forensic imaging tool. It supports numerous file systems (FAT12, FAT16, FAT32, exFAT, TFAT, NTFS, Ext2, Ext3, Ext4, Next3, CDFS/ISO9660/Joliet, and UDF). It has a particularly effective file-filtering feature, which is important when culling through hundreds of thousands of files.

>WinHex—Like X-Ways Forensics, this software is produced by X-Ways Software Technology AG. It is not a forensic tool, because it has write capabilities. Sometimes files are recovered by a forensic tool but cannot be viewed in their natural format because the file is damaged or has been marked for deletion. WinHex comes with a hex editor that allows the user to recover such files; in other words, editing a file with a hex editor might make an unreadable file viewable.

>FTK—Forensic Toolkit (FTK) is bit-stream imaging software produced by AccessData. The software has been well documented in many court trials, including the Scott Peterson murder trial.

A free version of the software, called FTK Imager, is also available. It can be downloaded to a USB flash drive or burned to a CD. This tool allows the user to create a forensic image of a storage device and view the contents of the file system using the built-in hex editor. Beyond that, it has very few capabilities.
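As an added example (not from these notes or from any of the tools above), the core of what a bit-stream imager such as FTK Imager or dd does: copy a device block by block, hash the bytes at acquisition time, and confirm that the image still matches the source. The "device" contents and the file names are constructed for the example.

```python
import hashlib
import os
import tempfile

BLOCK_SIZE = 512  # sector-sized reads, as a dd-style imager uses


def image_device(src_path, dst_path, block_size=BLOCK_SIZE):
    """Bit-stream copy of src_path to dst_path; the SHA-256 is taken from the bytes as read."""
    h = hashlib.sha256()
    copied = 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        while True:
            block = src.read(block_size)  # the final block may be shorter than a sector
            if not block:
                break
            h.update(block)
            dst.write(block)
            copied += len(block)
    return {"bytes": copied, "sha256": h.hexdigest()}


def sha256_file(path, block_size=BLOCK_SIZE):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(block_size), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(src_path, dst_path, acquisition_hash):
    """The image is only trustworthy if source, image and acquisition hash all agree."""
    return sha256_file(src_path) == sha256_file(dst_path) == acquisition_hash


def demo():
    # Constructed sample "device": three full sectors plus a short tail, so the
    # last read is a partial block and the byte count must still come out exact.
    payload = b"MBR" + b"\x00" * 509 + b"FAT data " * 120 + b"tail"
    with tempfile.TemporaryDirectory() as d:
        src, img = os.path.join(d, "device.bin"), os.path.join(d, "device.dd")
        with open(src, "wb") as f:
            f.write(payload)
        result = image_device(src, img)
        intact = verify_image(src, img, result["sha256"])
        with open(img, "ab") as f:  # simulate a single-byte change to the image
            f.write(b"\x00")
        tampered = verify_image(src, img, result["sha256"])
    return {"bytes": result["bytes"], "intact": intact, "tampered_detected": not tampered}
```

The acquisition hash is what gets recorded with the evidence; re-hashing the image later and comparing against it is how a practitioner shows the copy was not altered.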

netstat (network statistics): this command-line tool shows network connections, protocol statistics, and other valuable information.
