Forensic science - computer criminalistics



Hello, running in the shadows! Hello, random carders. Here is the big FAQ on computer forensics. If you have ever had to understand someone else's computer, and not just format it, then you have already been involved in computer forensics, i.e. forensic science! The only difference is that specialists in this field have many more tasks. Let's take a closer look at what it is.

Go:

The tasks of computer forensics specialists include:
analysis of traffic, system failures, user errors and various information security incidents, keeping records of them and searching for hidden data and other possible traces of hacking, detecting uncontrolled system changes and software failures, violations of access rules and non-compliance with the "Information Security" policy or recommendations. In this article, we'll look at utilities and links to useful resources that will help you gain a deeper understanding of the art of forensic science.

Forensic science — computer forensics

The word "Forensic science" appeared in Russian from the English word Forensics, which means the science of investigating evidence or, simply put, computer forensics.

Experts in the field of forensic analysis are indispensable when you need to quickly detect and analyze information security incidents, for example, the hacking of a web server, the causes of a confidential information leak, the encryption of confidential data, etc. In such cases, forensic experts are assigned the following tasks:
  • understand how the hack was carried out;
  • build an attack scenario;
  • restore the attack history;
  • collect the remaining traces of the attack;
  • develop the necessary security measures to prevent such attacks and, if possible, other attacks, improving the overall information security process;
  • reduce and repair the damage caused.
If necessary, their tasks also include forming an expert opinion on the fact of an information security incident in the event of such an investigation, for example, by judicial authorities. After all, according to the legislation, it is necessary to first confirm the fact of the crime itself and determine its composition, and only then can a criminal case be initiated, in this case on the facts of computer crimes.

Currently, more and more large and not-so-large companies are required to organize a specialized department or at least a staff of several forensic experts. These companies include not only companies in the field of information technology, but also companies that are far from it, for example, financial (since most of the evidence can be found in computer systems when investigating financial crimes), etc.

A separate topic is the investigation of targeted attacks, or APT. Their essence boils down to hacking target systems using a variety of attack vectors, tools, sophisticated techniques and previously unknown methods. By the way, there are quite a few good articles on this topic on our channel.

Needless to say, forensics tasks are traditionally present in CTF as well. Therefore, knowledge of at least basic investigative techniques is essential. We'll look at some of the tools commonly used on CTF below.

Classification of computer forensics

Any science tends to be divided into smaller branches.
To make this feel like a proper course, let's sketch the classification map of computer forensics.
  • Computer forensics - it includes everything related to the search for hacking artifacts on the local machine: analysis of RAM, HDD, registry, OS logs, and so on.
  • Network forensics, as the name implies, is related to investigations in the field of the network stack — for example, dumping and parsing network traffic to identify such interesting things as RAT, reverse shell, backdoor tunnels, and the like.
  • Forensic data analysis is dedicated to analyzing files, data structures, and binary sequences left over from an attack or used in an intrusion.
  • Mobile device forensics deals with everything that concerns the features of data extraction from Android and iOS.
  • Hardware forensics is the examination of hardware and technical devices. This area is the least popular and most difficult. It includes analyzing data at a low level (microcontroller, firmware or BIOS) and studying the specific features of a device, for example, the frequency range of a Wi-Fi transmitter or a skimmer installed inside an ATM.

Methods and techniques of computer forensics
As with malware analysis, there are two main approaches to examining a compromised machine:
  • static analysis
  • dynamic analysis
Static analysis. Static analysis tasks include creating (copying) a hard disk image or RAM dump, identifying and restoring deleted files, finding remnants of abnormal files in %TEMP% and system directories, collecting web browser browsing history and system logs (authorization events, audited access to files and directories, and so on), and getting a list of processes running in memory and open network connections.

Dynamic analysis, or live analysis, uses a series of snapshots of the system taken under various conditions to get a complete picture of what is happening. For example, malware tends to delete its code and traces of infection after certain actions. If a snapshot of the hacked system was taken before this point, there is a real chance to get data about what this malware was doing on the victim's computer. Accordingly, screenshots, logs of network connections, transmitted traffic, and a comparison of the state of the OS file system before and after the incident can serve as a body of electronic evidence.
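The "compare the file system before and after" part of live analysis is easy to demonstrate. The following is an added example, not code from the original article or from any of the tools it lists: it takes a snapshot of a directory tree (size, mtime and SHA-256 per file), applies a constructed set of changes of the kind an intrusion leaves behind, takes a second snapshot and reports what was added, deleted or modified. All paths and file contents are hypothetical.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Record (size, mtime, sha256) for every file under root, keyed by relative path.
    Hashing catches in-place edits that leave size and timestamp untouched."""
    root = Path(root)
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            st = path.stat()
            state[path.relative_to(root).as_posix()] = {
                "size": st.st_size,
                "mtime": int(st.st_mtime),
                "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            }
    return state


def diff_snapshots(before, after):
    """Compare two snapshots: files that appeared, vanished, or changed content."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "deleted": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p]["sha256"] != after[p]["sha256"]),
    }


def demo():
    """Constructed scenario (hypothetical paths and contents, not a real incident):
    snapshot a small tree, apply changes, snapshot again, and diff the two."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "var" / "log").mkdir(parents=True)
        (root / "var" / "log" / "auth.log").write_text("session opened for user admin\n")
        before = snapshot(root)

        # Changes: a config edited in place, a log removed, an unknown binary dropped in /tmp
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n10.0.0.5 intranet.example\n")
        (root / "var" / "log" / "auth.log").unlink()
        (root / "tmp").mkdir()
        (root / "tmp" / ".cache.bin").write_bytes(b"MZ\x90\x00constructed-sample")
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

On a real system the "before" snapshot would come from a known-good image or a snapshot taken right after infection, and the walk would be run against the mounted evidence copy, never the live disk.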

There is a good article (PDF) in English, which briefly describes and compares these methods.

Basic forensic tools

The first thing you need to do at the beginning of a computer forensic examination is to collect and store information so that you can then restore the chronology and behavioral picture of the incident.

Let's take a look at what tools should be included by default in the kit of a forensic expert. Let's start with the most important thing: taking a disk image for further analysis in the laboratory.

Always be clear about what action you are taking and why you are doing it. Incorrect use of the programs listed in the text of the article may lead to loss of information or distortion of the obtained data (evidence). Neither the author of the channel nor the admins are responsible for any damage caused due to improper use of the materials in this article.

That's all for today, cyberstalkers! Read the continuation of this article on the channel next. Stay tuned.



The big FAQ on computer forensics continues. If you've ever had to understand someone else's computer, then this article is for you. If you want to learn how to understand this, then this is also for you. The beginning of this article on our channel earlier.
Go:

Creating a disk, partition, or individual sector image:
  • FTK Imager is a good tool for cloning storage media in Windows.
  • dc3dd (and also adulau/dcfldd) - improved versions of the standard dd console utility in Linux.
  • Guymager is a specialized application for creating exact copies of media (written in C++, based on Qt).
  • Paragon or Acronis — all-in-one combines for viewing, creating, modifying, copying any data, partitions, or individual sectors.
  • Mount it read-only with the -o ro option
  • Mark the block device read-only with blockdev --setro
  • Mount an image file as -o ro,loop

Processing generated disk images:
  • Imagemounter is a Python utility that works from the command line and helps you quickly mount disk images.
  • Libewf is a tool and along with it a library for processing EWF (Encase Image file Format) formats.
  • Xmount is a tiny CLI utility for converting disk images to a convenient format while preserving all information and metadata.

Collecting data from hard drives:
  • DumpIt is a utility for creating a dump of the machine's RAM. Simple and convenient.
  • Encase Forensic Imager - software for creating a database of evidence files.
  • Encrypted Disk Detector is another tool for cryptanalysts that helps you search for encrypted TrueCrypt, PGP, and Bitlocker volumes.
  • Forensics Acquisition of Websites is a special browser designed to capture web pages and then investigate them.
  • Live RAM Capturer is a useful utility for extracting a RAM dump, including applications protected by an anti-debugging or anti-dumping system.
  • Magnet RAM Capture - like the previous tool, it is designed to capture RAM of all versions of Windows - from retro Windows XP to Windows 10 (including Windows Server releases).
Pay close attention to correctly creating a system image for further study. This will allow you to be sure that the results obtained are reliable. Before any actions that affect system performance or data security, be sure to take snapshots and backup files.
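Two things the imaging and mounting notes above rely on are worth seeing in code: recording a hash of the image at acquisition time and re-checking it before analysis, and finding the byte offset of a partition inside a whole-disk image so that it can be loop-mounted read-only (mount -o ro,loop,offset=...). The following is an added example, not code from the original article or from any tool it lists; it assumes a classic MBR partition table (no GPT) and uses a constructed 1 MiB sample image with one partition.

```python
import hashlib
import os
import struct
import tempfile

SECTOR = 512


def sha256_file(path, chunk=1 << 20):
    """Stream a (possibly huge) image through SHA-256 without loading it into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(path, expected_hex):
    """Re-hash the image and compare with the hash recorded at acquisition time."""
    return sha256_file(path) == expected_hex


def parse_mbr(sector0):
    """Parse the four primary entries of a classic MBR partition table."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: 0x55AA signature missing")
    parts = []
    for i in range(4):
        entry = sector0[446 + 16 * i:446 + 16 * (i + 1)]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype == 0 or sectors == 0:
            continue  # empty slot
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors,
                      "offset_bytes": lba_start * SECTOR})
    return parts


def mount_command(image_path, part, mountpoint="/mnt/evidence"):
    """Read-only loop mount line for one partition inside a whole-disk image."""
    return f"mount -o ro,loop,noexec,offset={part['offset_bytes']} {image_path} {mountpoint}"


def build_sample_image():
    """Constructed 1 MiB 'disk': MBR with one bootable type-0x07 partition at LBA 2048."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 20480)
    mbr = bytearray(SECTOR)
    mbr[446:462] = entry
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr) + bytes(SECTOR * 2047)


def demo():
    """Write the sample image, hash it 'at acquisition', re-verify, then parse the MBR."""
    with tempfile.NamedTemporaryFile(suffix=".dd", delete=False) as f:
        f.write(build_sample_image())
        image = f.name
    try:
        acquired_hash = sha256_file(image)      # recorded right after acquisition
        ok = verify_image(image, acquired_hash)  # re-checked before analysis
        with open(image, "rb") as f:
            parts = parse_mbr(f.read(SECTOR))
        return ok, parts, mount_command(image, parts[0])
    finally:
        os.remove(image)


if __name__ == "__main__":
    ok, parts, cmd = demo()
    print("hash verified:", ok)
    for p in parts:
        print(p)
    print(cmd)
```

The hash should be computed once on the acquisition box and once again on the analysis box; a mismatch means the copy, not the analysis, is at fault. For GPT disks the same idea applies, but the partition entries live in the GPT header and entry array rather than in sector 0.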

Analysis of files found on hard drives
  • Crowd Inspect - helps you get information about network processes and lists of binaries associated with each process. It also links to VirusTotal and other online malware analysis and reputation services.
  • DCode - converts different data types to date and time values.
  • Bstrings - a program for searching in binary data, there is support for regular expressions.
  • eCryptfs Parser - recursively analyzes the headers of each eCryptfs file in the selected directory or disk and displays a list of encrypted files.
  • Encryption Analyzer - a utility for analyzing password-protected and encrypted files with other algorithms, which at the same time analyzes the complexity of encryption and offers decryption options.
  • File Identifier - a program for online analysis of the file type based on its own database of signatures, of which there are already more than two thousand.
  • Memoryze is a utility for analyzing RAM images, including paging files and extracting data from them.
  • ShadowExplorer is a utility for viewing and further extracting files from shadow copies in the Windows system.
  • HxD is a small and fast HEX editor.
  • Synalyze It! is a HEX editor with template support, but it is fast and there is nothing superfluous in it.
  • wxHex Editor is a cross-platform HEX editor with the ability to compare files and a bunch of other features.

Extracting data from files
  • Bulk_extractor is a utility for extracting email, IP addresses, and phone numbers from files.
  • PhotoRec is a utility for extracting data and image files.

Processing data in RAM
  • Forensics, Memory Integrity & Assurance Tool by invtero - a cool and sophisticated framework that works quickly.
  • volatility - an open source set of utilities for versatile analysis of physical memory images.
  • Rekall is a script for analyzing RAM dumps written in Python.
  • KeeFarce - a program for extracting KeePass passwords from memory.

Network stack and browser analysis
  • SiLK - a program for collecting, storing, and analyzing network flow data. It is ideal for analyzing traffic on the backbone or border of a large distributed enterprise or medium-sized provider.
  • Wireshark is a world-famous network packet sniffer. It has a graphical user interface and a wide range of options for sorting and filtering information.
  • NetworkMiner is a network analysis tool for detecting the OS, hostname, and open ports of network nodes by intercepting packets in PCAP format.
  • chrome-url-dumper is a tiny program for extracting information from the Google Chrome browser.
  • hindsight is another utility for analyzing the history of Chrome.

Analysis of email messages
  • EDB Viewer is a powerful utility for viewing Outlook (EDB) files without connecting an Exchange server.
  • Mail Viewer is a utility for viewing Outlook Express files, Windows Mail / Windows Live Mail, Mozilla Thunderbird message database, and individual EML files.
  • OST Viewer is a utility for viewing Outlook OST files, again without binding to the Exchange server.
  • PST Viewer - a variant of the previous utility used to view Outlook PST files.

Search for artifacts on HDD and peripherals
  • FastIR Collector is a powerful functional collector of information about the Windows system (registry, file system, services, processes, environment settings, startup, and so on).
  • FRED is a cross-platform fast registry analyzer for Windows.
  • NTFS USN Journal parser — a parser of USN logs for NTFS volumes.
  • RecuperaBit is an NTFS data recovery utility.
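The NTFS USN journal ($UsnJrnl:$J) is one of the richest timeline sources on Windows, and its record format is simple enough to parse by hand. The following is an added example, not code from the original article or from the USN Journal parser it mentions: it decodes USN_RECORD_V2 records (the layout published in the Windows SDK) from a buffer, splitting the file reference number into MFT entry and sequence number, converting the FILETIME timestamp and expanding the reason bitmask. The journal bytes it runs on are constructed in the block, not taken from a real volume.

```python
import struct
from datetime import datetime, timedelta, timezone

# Reason flag bits from the Windows SDK (winioctl.h), prefix USN_REASON_ dropped
USN_REASONS = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND", 0x00000004: "DATA_TRUNCATION",
    0x00000010: "NAMED_DATA_OVERWRITE", 0x00000020: "NAMED_DATA_EXTEND",
    0x00000040: "NAMED_DATA_TRUNCATION", 0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE",
    0x00000400: "EA_CHANGE", 0x00000800: "SECURITY_CHANGE", 0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME", 0x00004000: "INDEXABLE_CHANGE", 0x00008000: "BASIC_INFO_CHANGE",
    0x00010000: "HARD_LINK_CHANGE", 0x00020000: "COMPRESSION_CHANGE", 0x00040000: "ENCRYPTION_CHANGE",
    0x00080000: "OBJECT_ID_CHANGE", 0x00100000: "REPARSE_POINT_CHANGE", 0x00200000: "STREAM_CHANGE",
    0x80000000: "CLOSE",
}

# USN_RECORD_V2 fixed header: RecordLength, MajorVersion, MinorVersion, FileReferenceNumber,
# ParentFileReferenceNumber, Usn, TimeStamp, Reason, SourceInfo, SecurityId, FileAttributes,
# FileNameLength, FileNameOffset  (60 bytes, little-endian, no padding)
HEADER = struct.Struct("<IHHQQQQIIIIHH")
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def decode_reasons(mask):
    return [name for bit, name in USN_REASONS.items() if mask & bit]


def parse_usn_v2(buf, offset=0):
    """Parse one USN_RECORD_V2 at offset; return (record dict, offset of next record)."""
    (length, major, minor, frn, parent_frn, usn, ts, reason,
     _source, _sec_id, attrs, name_len, name_off) = HEADER.unpack_from(buf, offset)
    if major != 2:
        raise ValueError(f"unsupported USN record version {major}.{minor}")
    name = buf[offset + name_off:offset + name_off + name_len].decode("utf-16-le")
    record = {
        "usn": usn, "name": name,
        "mft_entry": frn & 0xFFFFFFFFFFFF, "mft_seq": frn >> 48,   # low 48 bits / high 16 bits
        "parent_entry": parent_frn & 0xFFFFFFFFFFFF,
        "timestamp": filetime_to_datetime(ts),
        "reasons": decode_reasons(reason), "attributes": attrs,
    }
    return record, offset + length


def parse_usn_journal(buf):
    """Walk consecutive V2 records, skipping the zero padding found between journal pages."""
    records, off = [], 0
    while off + HEADER.size <= len(buf):
        if struct.unpack_from("<I", buf, off)[0] == 0:
            off += 8          # records are 8-byte aligned, so step over padding 8 bytes at a time
            continue
        rec, off = parse_usn_v2(buf, off)
        records.append(rec)
    return records


def build_record(name, frn, parent_frn, usn, filetime, reason, attrs=0x20):
    """Constructed test record (not from a real volume)."""
    name_bytes = name.encode("utf-16-le")
    length = (HEADER.size + len(name_bytes) + 7) & ~7      # pad to 8-byte boundary
    body = HEADER.pack(length, 2, 0, frn, parent_frn, usn, filetime, reason, 0, 0, attrs,
                       len(name_bytes), HEADER.size) + name_bytes
    return body + b"\0" * (length - len(body))


def build_sample_journal():
    """Two constructed records: a file created and closed, then deleted one minute later."""
    ft = 132539328000000000                      # 2021-01-01 00:00:00 UTC as FILETIME
    frn = (7 << 48) | 1234                       # MFT entry 1234, sequence number 7
    return (build_record("report.docx", frn, 5, 0x1000, ft, 0x80000100)
            + b"\0" * 16                         # simulated page padding
            + build_record("report.docx", frn, 5, 0x1060, ft + 600_000_000, 0x80000200))


if __name__ == "__main__":
    for r in parse_usn_journal(build_sample_journal()):
        print(r["timestamp"].isoformat(), r["name"], r["mft_entry"], r["reasons"])
```

On a live case the buffer would be the $J data attribute carved or exported from the evidence image; the parser needs no changes for that, but note that the journal holds only file names and parent references, so full paths have to be rebuilt by joining records against the MFT.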

Specialized packages and frameworks
  • Digital Forensics Framework is an open source platform for data extraction and research. There are options for CLI and GUI.
  • The Sleuth Kit and Autopsy are another open source library and collection of command-line tools for analyzing disk images.
  • Oxygen Forensic Detective is a universal forensic tool for studying mobile device data. The package of utilities included in it allows you to perform complete data extraction and conduct a comprehensive analysis of data stored on phones and in cloud storage. It includes Forensic Cloud Extractor, a built-in utility that collects data from cloud storage services; Forensic Maps, a program that works with geographic information system (GPS) data; and Forensic Call Data Expert, a program for importing call data records (so-called CDR files) from any wireless service provider and visually analyzing subscriber connections.

Of course, cyberstalkers, these are not all the tools that can be useful, only well-known and frequently encountered programs. But even this will be more than enough for you to start your journey in the difficult field of computer forensics. And in the final part of this article, we will look at what you need to build your own cyber lab for forensic science classes.
 


The big FAQ on computer forensics is coming to an end. If you have ever had to understand someone else's computer, and not just format it, it means that you have already been involved in computer forensics, i.e. forensic science! If you have carefully read and studied the previous parts of our article, and even more so, have started to act and want to improve in this direction - this article is for you.

Go:

Building your own lab

To analyze and collect artifacts, we will need a special laboratory. Since we will focus only on the software component of expertise, that is, without picking hardware, a pool of several virtual machines and specialized distributions with the necessary software will be enough for us as a basis. I suggest that you choose a hypervisor to suit your taste, it can be either free VirtualBox or VMware.

For more information about what distributions are available, see our article "Distributions for forensic Analysis". Of course, you can build your own, but why, if there are specialized ones? Personally, I prefer DEFT or, alternatively, Remnux, but CAINE and Parrot OS are also worthy of attention, not to mention the paid Encase and SMART Linux.

Materials for studying computer forensics:

Books:
It just so happens that there is practically no Russian-language literature on computer forensics. This is not surprising: forensic science as an applied activity has become popular in the Russian Federation relatively recently.

Materials and courses:
For those who want to test their knowledge of computer forensics, the free online Computer Forensics Fundamentals test is available.

Useful links:
  • Flash Memory: Challenges for Computer Forensics

Training grounds
After learning the theory, I'm sure some of you are ready to jump into battle to test your skills. But it is unlikely that everyone will have the opportunity to immediately get to a "live" investigation. It is better to start training, as it was said in the classic movie, "on cats". In this case, the role of the porcelain cats from Operation Y is played by pre-prepared images with artifacts that need to be extracted and analyzed.

Quick guides and examples of parsing network traffic dumps can be found here, and here.

Other useful resources:

Conclusion
So, running in the shadows, our rather concise educational program on forensic science has come to an end. I hope that you found it interesting, learned something new about incident investigation, became interested in the topic of computer forensics and got a good impulse to build up your theory and your skills and develop further!
 

Best software and hardware tools for computer forensics


This is how one of the business cards of Igor Mikhailov, a specialist at the Group-IB Computer Forensics Laboratory, looked before. It contains the hardware keys of the programs used by the expert during forensic examinations. The cost of these software products alone exceeds 2 million rubles, and there is also free software and other commercial products. What tools should you choose for the job? Especially for the readers of "Habr" Igor Mikhailov decided to talk about the best software and hardware for computer forensics.
The author is Igor Mikhailov, a specialist at the Group-IB Computer Forensics Laboratory.

The forensic examiner's briefcase

Computer forensics examines a wide variety of digital devices and data sources. Research can use both software and hardware - many of which are expensive. Not every company, let alone an individual specialist, can afford such expenses. At Group-IB, we do not save on tools, which allows us to conduct research efficiently and quickly.

Naturally, the list of programs in my rating differs from the global one. This is due both to regional peculiarities - for example, some foreign programs do not know how to extract data from Russian messengers, and in general they are not friendly with the Russian language (in search tasks) - and to export restrictions, because of which Russian specialists are not able to use the entire world arsenal of similar tools.

Mobile forensics, hardware

Cellebrite UFED Touch 2 is a product originally designed for use in the field. Conceptually it is divided into two parts:
  • The branded tablet Cellebrite UFED Touch 2 (or UFED 4PC, the software analogue of Cellebrite UFED Touch 2, installed on the specialist's computer or laptop): used only for data extraction.
  • UFED Physical Analyzer is the software part designed to analyze data extracted from mobile devices.
The concept of using the equipment assumes that using the Cellebrite UFED Touch 2, a specialist extracts data in the field, and then analyzes it in the laboratory using the UFED Physical Analyzer. Accordingly, the laboratory version consists of two independent software products - UFED 4PC and UFED Physical Analyzer - installed on the researcher's computer. Today this complex provides data extraction from as many mobile devices as possible. During the analysis, part of the data may be missed by the UFED Physical Analyzer program. This happens because old bugs periodically pop up in new versions of the program, which seem to be fixed, but then for some reason they appear again. Therefore, it is recommended to control the completeness of data analysis.

MSAB XRY / MSAB XRY Field is an analogue of Cellebrite products developed by the Swedish company Micro Systemation. Unlike the Cellebrite paradigm, Micro Systemation assumes that most of their products will be used on desktop or laptop computers. The product being sold is accompanied by a proprietary USB hub called “washer” in slang, and a set of adapters and data cables for connecting various mobile devices. The company also offers versions of MSAB XRY Field and MSAB XRY Kiosk - hardware products designed for data extraction from mobile devices, implemented in the form of a tablet and a kiosk. This product is less common in Russia than Cellebrite products. MSAB XRY has proven itself to be good at extracting data from legacy mobile devices.

From a certain moment, hardware solutions for chip-off (a method of extracting data directly from memory chips of mobile devices), developed by the Polish company Rusolut, have become popular. With this equipment, you can extract data from damaged mobile devices or from devices locked with a PIN or picture password. Rusolut offers several sets of adapters for extracting data from certain models of mobile devices. For example, a set of adapters for extracting data from memory chips, mainly used in "Chinese phones". However, the widespread use of encryption of user data by manufacturers of mobile devices in top models has led to the fact that this equipment is gradually losing its relevance. You can use it to extract data from a memory chip by

Mobile forensics, software

Observing the development of mobile forensics, one can easily see that as the functionality of mobile devices developed, programs for their analysis also developed. If earlier the person conducting the investigation or another customer was content with data from the phone book, SMS, MMS, calls, graphic and video files, now the specialist is asked to extract more data. In addition to those listed, as a rule, it is required to extract:
  • data from messaging programs
  • email
  • history of visiting Internet resources
  • geolocation data
  • deleted files and other deleted information

And this list is constantly expanding. All of these types of artifacts can be retrieved with the software described below.
Oxygen Forensic® Suite: today it is one of the best programs for analyzing data extracted from mobile devices. If you want to extract the maximum amount of data from your mobile device, use this program. Integrated SQLite and plist viewers let you explore specific SQLite databases and plist files in more depth by hand.
Initially, the program was developed for use on computers, so it will be uncomfortable to use it on a netbook or tablet (devices with a screen size of 13 inches or less).
A feature of the program is the rigid binding of the paths along which the files are located - application databases. That is, if the structure of the database of any application remains the same, but the path along which the database is located in the mobile device has changed, Oxygen Forensic® Suite will simply skip such a database during the analysis. Therefore, the investigation of such databases will have to be done manually using the Oxygen Forensic Suite file browser and auxiliary utilities.

The trend of recent years is the "mixing" of the functionality of programs. For example, manufacturers that have traditionally developed software for mobile forensics are introducing functionality into their products that allows them to examine hard drives. Manufacturers of hard drive forensic software are adding the functionality needed to investigate mobile devices. Both those and others add functionality for extracting data from cloud storage and so on. As a result, universal "combine programs" are obtained, with the help of which one can analyze mobile devices, and analyze hard drives, and extract data from cloud storages, and analyze data extracted from all these sources.

In our rating of programs for mobile forensics, such programs occupy the following two places: Magnet AXIOM - a program by the Canadian company Magnet Forensics, and Belkasoft Evidence Center - developed by the St. Petersburg company Belkasoft. In terms of their functionality in extracting data from mobile devices, these programs are, of course, inferior to the software and hardware described above. But they are good at analyzing them and can be used to control the completeness of extraction of various types of artifacts. Both programs are actively developing and are rapidly increasing their functionality in terms of researching mobile devices.

AXIOM mobile data source selection window:


Results of the study of a mobile device by the Belkasoft Evidence Center program:


Computer forensics, hardware write blockers

Tableau T35U is a hardware write blocker from Tableau that allows you to securely connect the hard drives under study to the researcher's computer via the USB3 bus. This blocker has connectors that allow you to connect hard drives to it via IDE and SATA interfaces (and, if there are adapters, hard drives with other types of interfaces). A feature of this blocker is the ability to emulate read-write operations. This is useful when examining drives that are infected with malware.

WiebeTech Forensic UltraDock v5 is a hardware write blocker from CRU. It has functionality similar to the Tableau T35U blocker. Additionally, this blocker can be paired with the researcher's computer via a large number of interfaces (besides USB3, eSATA and FireWire are available). If a hard disk whose data is protected by an ATA password is connected to this blocker, a corresponding message will appear on the blocker display. In addition, when a hard disk with a DCO (Device Configuration Overlay) technological zone is connected, this zone will automatically be unlocked so that a specialist can copy the data in it.
Both write blockers use the USB3 bus connection to the researcher's computer as the main connection, which provides a comfortable working environment for the researcher when cloning and analyzing information carriers.

Computer forensics, software

Old-timers for non-standard situations

15 years ago, the undisputed leaders in computer forensics were the Encase Forensics and AccessData FTK programs. Their functionality naturally complemented each other and made it possible to extract the maximum number of different types of artifacts from the investigated devices. These days these projects are the outsiders of the market. The current functionality of Encase Forensics lags far behind today's software requirements for researching Windows computers and servers. The use of Encase Forensics remains relevant in "non-standard" cases: when it is necessary to investigate computers running MacOS or servers running Linux, or to extract data from files of rare formats. The EnScript macro language built into Encase Forensics contains a huge library of ready-made scripts,

AccessData FTK tries to maintain the functionality of the product at the required level, but the processing time of the drives by them significantly exceeds the reasonable amount of time that the average technician can afford to spend on such research.

Features of AccessData FTK:
  • keyword search implemented at a very high level
  • analytics of various cases, allowing to identify interconnections in devices seized in various cases
  • the ability to customize the program interface for yourself
  • support for files of rare formats (for example, Lotus Notes databases)

Both Encase Forensics and AccessData FTK can handle huge amounts of raw data in the hundreds of terabytes.

Young and growing

The undisputed leader in computer forensics software is Magnet Axiom. The program not only gradually develops, but covers entire segments with added functionality: research of mobile devices, extraction from cloud storages, research of devices running the operating system MacOS, and so on. The program has a convenient and functional interface, where everything is at hand, and can be used to investigate information security incidents associated with infection of computers or mobile devices with malware or data leaks.

The Russian analogue of Magnet AXIOM is Belkasoft Evidence Center. Belkasoft Evidence Center allows you to extract and analyze data from mobile devices, cloud storage and hard drives. When analyzing hard drives, it is possible to extract data from web browsers, chats, information about cloud services, detect encrypted files and partitions, extract files by a given extension, geolocation data, e-mail, data from payment systems and social networks, thumbnails, system files, system logs, and so on. Has flexible customizable functionality for retrieving deleted data.

Advantages of the program:
  • a wide range of artifacts extracted from various storage media
  • nice built-in SQLite database viewer
  • collecting data from remote computers and servers
  • integrated functionality for checking detected files on Virustotal
The basic program is sold for a relatively small amount. The rest of the modules expanding the functionality of Belkasoft Evidence Center can be purchased separately. It is strongly recommended to purchase the "File systems" module in addition to the basic configuration, without which it is not always convenient to work with the media under investigation in the program.

The disadvantages of the program are the inconvenient interface and the non-obviousness of performing individual actions in the program. To use the program effectively, you must complete the appropriate training.

The main window of the Belkasoft Evidence Center program, which displays the statistics of the forensic artifacts found when examining a specific device:


X-Ways Forensics is gradually conquering the Russian market. This program is the Swiss Army knife of computer forensics. Versatile, accurate, reliable and compact. A feature of the program is the high speed of data processing (in comparison with other programs in this category) and optimal functionality that covers the basic needs of a specialist in computer forensics. The program has a built-in mechanism to minimize false positives. That is, a researcher recovering files from a 100 GB hard drive sees not 1 TB of recovered files (most of which are false positive results, as is usually the case when using recovery programs), but the files that were actually recovered.

With X-Ways Forensics you can:
  • find and analyze email data
  • analyze the history of web browsers, Windows OS logs and other system artifacts
  • filter the results, get rid of the unnecessary, leave only valuable and relevant
  • build a timeline and see activities in the period of interest
  • reconstruct raids (RAID)
  • mount virtual disks
  • check for malicious software

This program has proven itself very well in manual analysis of hard drives extracted from DVRs. Using the X-Tension functionality, it is possible to connect third-party modules to the program.

Disadvantages of X-Ways Forensics:
  • ascetic interface
  • lack of a full-fledged built-in SQLite database viewer
  • the need for a deep study of the program: the implementation of some actions necessary to obtain the result the specialist needs is not always obvious

Data recovery, hardware

Currently, the Russian market is dominated by only one manufacturer of such equipment - ACELab, which produces hardware for analysis, diagnostics and recovery of hard drives (PC-3000 Express, PC-3000 Portable, PC-3000 UDMA, PC-3000 SAS complexes), SSD drives (PC-3000 SSD complex), flash drives (PC-3000 Flash complex) and RAID (PC-3000 Express RAID, PC-3000 UDMA RAID, PC-3000 SAS RAID complexes). ACELab's dominance in the data recovery hardware market is due to the high quality of the above products and ACELab's pricing policy, which does not allow competitors to enter this market.

Data recovery software

Despite the large number of different recovery programs, both paid and free, it is very difficult to find a program that would correctly and completely restore various types of files in various file systems. Today, there are only two programs that have approximately the same functionality that allow you to do this: R-Studio and UFS Explorer. Thousands of recovery programs from other manufacturers either do not reach the specified programs in terms of their functionality, or are significantly inferior to them.

Open source software

Autopsy is a handy tool for analyzing Windows computers and Android mobile devices. Has a graphical interface. It can be used to investigate computer incidents.
Photorec is one of the best free data recovery software. A good free alternative to paid counterparts.

Eric Zimmerman Tools is a set of free utilities, each of which allows you to explore a particular Windows artifact. Practice has shown that the use of Eric Zimmerman Tools increases the efficiency of a specialist in responding to an incident in the field. Currently, these utilities are available as the Kroll Artifact Parser and Extractor (KAPE) package.

Linux distributions

SIFT is a Linux distribution developed and supported by the commercial organization SANS Institute, which specializes in cybersecurity training and incident investigation. SIFT contains a large number of up-to-date versions of free programs that can be used both for extracting data from various sources and for analyzing them. SIFT is used as part of the training provided by the company and its content is constantly updated. The convenience of work is determined by the specific tool in the given distribution kit, with which the researcher has to work.

Kali Linux is a unique Linux distribution that is used by experts for both security audits and investigations. In 2017, Packt Publishing published the book "Digital Forensics with Kali Linux" by Shiva V. N. Parasram. This book provides tips on how to copy, research and analyze computers, individual drives, copies of data from RAM and network traffic using the utilities included in this kit.

Summary

This research is the result of my empirical experience with the described hardware and software used in the forensic investigation of computers and mobile devices. I hope that the information presented will be useful to specialists planning to purchase software and hardware for computer forensics and incident investigation.