Getting started with computer forensics-Tools you'll need.

22/06/2011 16:05

Hey guys, as the title says, this is a thread about PC forensics that will show you what the basic tools are. My source is Google. I do not own any of the sites mentioned.

What is Computer Forensics

Computer forensics (sometimes known as computer forensic science[1]) is a branch of digital forensic science pertaining to legal evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the information.
Although it is most often associated with the investigation of a wide variety of computer crime, computer forensics may also be used in civil proceedings. The discipline involves similar techniques and principles to data recovery, but with additional guidelines and practices designed to create a legal audit trail.
Evidence from computer forensics investigations is usually subjected to the same guidelines and practices of other digital evidence. It has been used in a number of high profile cases and is becoming widely accepted as reliable within US and European court systems.


Getting started:
First of all you'll need a VM (Virtual Machine). There are some free solutions like:
- [link] (new, still in beta)
- if you are using Windows there is this one: [link] (recommended)
- the Oracle one (VirtualBox): [link] (BEST IMO)
and some that are commercial:
- VMware (really powerful)
There is a HUGE list here: [link]. The ones I mentioned are considered the best.

Operating System:

Any Linux distro is advised.
I personally recommend:
- BackTrack ([link]) to test security and penetration.
- SANS Investigative Forensic Toolkit (SIFT) Workstation ([link]) focuses on forensic analysis.
[link] is out now.
Windows is not recommended, BUT since there are some tools only for Windows it's good to have a dual boot or a VM of the latest Windows edition.

Some more tools and techniques:
This is something I found via Google and I believe it will be of some help getting started.
Tools and Techniques

One of the first things that you'd need to do is take the compromised system out of the picture. Live View, an open source utility, creates a virtual machine out of the existing system. And if it doesn't detect Workstation 5.5 or VMware Server 1.x, it will download it for you.

Live View creates a virtual disk out of the system that allows you to then safely investigate a copy of the system without interfering with anything installed. On another basis, you could use VMware Converter to create a vmdk (virtual machine disk) to use in more recent versions of Server or Workstation.

Once you've rebooted the system you can then go to Merijn and download StartupList. This is a great way to start the investigation of a system and determine what things might have potentially been put on the system to restart each time the system does. Of course, you can use HijackThis as an additional tool and rule out obvious malware or other items that tie themselves into the registry.

The next trick is to determine what additional files, other than the usual, are open. In Linux we use lsof, which lists open files but for Windows, by default, there is no similar command. Instead, there is OpenFilesView, a Windows executable that lists all the files and processes – both local and network based – on the system.

While that's running, Wireshark can let you review all network traffic to see if anything unexpected is being sent out to another location. If there is, it's worthwhile to enable a firewall to block the traffic or, better yet, just yank out the network cable to avoid the possibility of intellectual property being stolen from the system.

This allows us to determine if anything suspicious exists in the system while it's running live. Once this has been completed, you can look into determining what has been changed.

Helix 3, a newly updated version of the live Linux forensics tool, can be used to examine the disk safely to see what has finally been changed. Forensics of a system is critical to know what has been compromised. It is one thing to know if we've been attacked, but it's another to find out what those attackers have done to the system.

If we don't look into what happened we may miss critical data being compromised or fail to learn how the system was first broken into. Once this investigation is done, we can then rebuild the system with appropriate additional security in place to prevent the attack from happening.

And we can do this all at minimal cost, an important factor to consider in this day and age of economic belt-tightening.

Source: Google, [link]
If you need more advanced tools have a look on Google (search for "computer forensics tools"; there is an unlimited # of pages).

The End
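The post's last step (after the live look with lsof/OpenFilesView and Wireshark, use Helix to "see what has been changed") comes down to comparing a trusted baseline of the disk against its current state. The script below is an added example, not from the original post or from any of the tools it names: it builds a SHA-256 manifest of a directory tree and diffs it against an earlier manifest, reporting files that were added, removed or modified. The directory layout and file contents in `demo()` are constructed for the example; in a real case you would run `build_manifest` once against a known-good image (or package manifest) and once against the suspect disk mounted read-only, never against the running, compromised system.

```python
"""Added example (not the original post's code): baseline-and-diff of a
directory tree to find what changed on a suspect disk.
Sample files and paths below are constructed for demonstration."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256.
    Symlinks are skipped: their targets are hashed where they really live, and a
    link could otherwise point outside the tree being examined."""
    root = Path(root)
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        for name in sorted(filenames):
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Return the paths that appeared, disappeared or changed content."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: snapshot a tiny 'system', alter it the way a
    compromise typically would, and report the differences."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/bash\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF original")
        baseline = build_manifest(root)          # known-good state

        # Simulated changes: a system binary replaced, an extra UID-0 account
        # appended, a hidden file dropped, and a config file deleted.
        (root / "bin" / "ls").write_bytes(b"\x7fELF replaced")
        (root / "etc" / "passwd").write_text(
            "root:x:0:0::/root:/bin/bash\nextra:x:0:0::/:/bin/sh\n")
        (root / "tmp").mkdir()
        (root / "tmp" / ".x").write_text("dropped file")
        (root / "etc" / "hosts").unlink()
        current = build_manifest(root)           # suspect state
        return diff_manifests(baseline, current)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

Two practical notes: hash the image itself (for example with `sha256sum`) before and after the examination so you can show the copy was not altered, and treat "modified" hits on files the package manager did not update as the starting point for the timeline work the post describes, not as the conclusion.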