Monday, June 13, 2011

No trust in a single tool.

"If the only tool you have is a hammer, you tend to see every problem as a nail."
Abraham Maslow

More and more often I find myself working on a case with at least two forensic tools simultaneously. Depending on the task I select EnCase and X-Ways or FTK and X-Ways in pairs.

All three are great and one is better than another at certain tasks. I like working with EnCase to analyse registries, automate things with EnScripts, or search and bookmark hits in unallocated space. FTK is best with emails and has excellent ‘indexed’ searching capability. X-Ways Forensics is simply fast and reliable.

There is no point in doing ALL operations with a pair of these tools. There are always several of the most important pieces of evidence supporting the hypothesis that need extra attention. This is especially true when confirming the absence of certain evidence.

I don’t just use two tools in parallel; in addition I attempt to utilise different methods to confirm the facts. This becomes some sort of Devil's Advocate Peer Review Activity.

Lately, forensic tools have become more complex and attempt to provide more interpretation for the sake of convenience. Not surprisingly, I frequently observe different interpretations by different tools and have to dig deeper to find the truth.
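The two previous paragraphs describe cross-checking findings between tools and confirming the absence of evidence with more than one method. The script below is an added example, not from the original post: it reconciles two constructed file-listing exports (an assumed path/MD5 column layout, since real tools use their own headers) and shows how a hash can look "absent" when only one tool's output is consulted.

```python
import csv
import io

# Constructed sample exports: what two different forensic suites might
# produce as a file listing with hashes for the same evidence image.
# Column names and paths are assumptions for this example.
TOOL_A_CSV = """path,md5
/Users/bob/Documents/report.docx,9e107d9d372bb6826bd81d3542a419d6
/Users/bob/mail/inbox.nsf,e4d909c290d0fb1ca068ffaddf22cbd0
/Users/bob/Downloads/setup.exe,098f6bcd4621d373cade4e832627b4f6
"""
TOOL_B_CSV = """Full Path,MD5 Hash
/Users/bob/Documents/report.docx,9E107D9D372BB6826BD81D3542A419D6
/Users/bob/mail/inbox.nsf,
/Users/bob/Downloads/setup.exe,098f6bcd4621d373cade4e832627b4f7
/Users/bob/Downloads/invoice.pdf,5d41402abc4b2a76b9719d911017c592
"""


def load_listing(text, path_col, hash_col):
    """Parse one tool's CSV export into {path: lowercase md5 or None}."""
    listing = {}
    for row in csv.DictReader(io.StringIO(text)):
        digest = row[hash_col].strip().lower() or None  # empty cell -> None
        listing[row[path_col].strip()] = digest
    return listing


def reconcile(a, b):
    """Report every point where the two tools disagree about the image."""
    common = set(a) & set(b)
    return {
        "only_in_a": sorted(set(a) - set(b)),
        "only_in_b": sorted(set(b) - set(a)),
        # both tools hashed the file but produced different digests
        "hash_mismatch": sorted(p for p in common if a[p] and b[p] and a[p] != b[p]),
        # one tool skipped or failed to hash the file (e.g. an unsupported format)
        "unhashed_by_one_tool": sorted(p for p in common if a[p] is None or b[p] is None),
    }


def confirm_absence(listings, target_md5):
    """True only if no listing from any tool contains the target hash."""
    target = target_md5.lower()
    return all(target not in {h for h in lst.values() if h} for lst in listings)
```

With the sample data, tool A alone reports the invoice hash absent while tool B contains it, which is exactly the false negative the cross-check is meant to catch.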

Although I often use a bunch of open source or free tools like Harlan’s RegRipper or Mandiant’s Highlighter etc., having another full-featured forensic tool provides an additional layer of protection. Several times I have had a situation where the main tool would start constantly crashing, or be unable to process certain types of evidence in the middle of an examination. Sounds familiar? When time is limited and the vendor’s technical support is slow or sometimes useless, having a backup tool ready to go is as good as gold.

Selecting the right tools for different investigations requires a good knowledge of the forensic tools in your arsenal. For example, Lotus Notes is very popular in the corporate environment, with over 140 million corporate licensees sold worldwide. EnCase would normally work with NSF files and handle emails quite well. You will need FTK, or some other solution, to handle Lotus Notes databases, because EnCase …. well, maybe EnCase 7 will do a better job. X-Ways Forensics can’t handle NSF at all. For the sake of completeness I should mention here that since Lotus Notes version 8.5, Databases are now called Applications.

Obviously one needs to be trained in using all of these tools, and this might not be economically possible for small organisations or rookie examiners. In this case there are open source resources and tools that each examiner must become proficient with and have ready to go. The new book by Cory Altheide and Harlan Carvey called Digital Forensics with Open Source Tools should provide you with the necessary knowledge and insight.

