Forensic Tools
With the complexity and volume of data pertinent to investigations both steadily increasing, tools are vital for forensic analysts to perform efficient analyses. While the use of any particular tool might not be overtly required for reliable presentation of evidence, forensic tools do warrant more scrutiny than most tools used in information security. To this end, NIST maintains the publicly available Computer Forensics Tool Testing Program in an effort to “ensure the reliability of computer forensics tools” [2].
Forensic Workstation
Given the volume of data relevant to modern investigations, systems used by forensic investigators typically need to be supplied with substantially higher-end hardware, including at least: fast, recent-generation processors; lots of RAM; a large volume of high-speed disks; and discrete graphics cards. The term forensic workstation is often used to suggest a collection of higher-end hardware components that fits this need.
Write Blockers
A write blocker is a portable device physically situated between a computer and a storage device that prevents modification of data. As there are various types of physical media and associated interfaces, write blockers are designed to accommodate these different physical connectors. Write blockers assist in the preservation of data by limiting both intentional and unintended modification of data stored in the connected physical media.
Dedicated Imaging Hardware
Write blockers can facilitate a forensic analyst acquiring an image of media in a manner that preserves data, but they still require the analyst to connect the evidence to their forensic workstation, supply media, and wield software to perform image acquisition. Dedicated imaging hardware allows faster and easier acquisition of media by providing the hardware and software necessary for forensic acquisition in standalone hardware. The analyst simply needs to connect the original media and target media. Write-blocking capabilities are built into the imaging hardware.
Mobile Device Acquisition
The explosion in mobile devices means that they are now commonly pertinent to forensic investigations. Historically, forensic acquisition has focused on traditional secondary storage media such as hard disk drives or, more recently, solid state drives. Mobile devices do not typically allow secondary storage to be separated for media acquisition. What is generally needed is dedicated mobile device acquisition hardware and software that can perform forensic acquisition simply by connecting the mobile device to the acquisition platform.
Forensics Suites
The software side of forensic investigations is just as important as the hardware-based forensics tools. After forensic images have been acquired, the real work associated with an investigation can begin. Forensics suites are simply software meant to facilitate, and make more efficient, the process of data extraction, analysis, and reporting. While not required, the use of standard forensics suites or tools can help demonstrate that the results of forensic analysis could be replicated by another competent forensic analyst provided with the same media.