Open Source Computer Forensics Investigations

The world of computer forensics, like everything else in computing, is developing and changing rapidly. Commercial investigative suites exist, such as EnCase by Guidance Software and FTK by AccessData, but other platforms also deliver forensic results. Unlike those two packages, the open source alternatives carry no license fee: they are free to download, distribute and use under various open source licenses.

Computer forensics is the process of acquiring, preserving and analysing information from a computer system. The information may be obtained from a live system (one that is up and running) or from a system that has been shut down. The process typically begins by obtaining a copy, or image, of the target system: usually an image of the hard drive, but on a live system this can also include volatile memory (RAM), whose contents are lost once the machine is powered off.

After an exact image of the target has been made and verified by checksum (a cryptographic hash such as MD5 or SHA-256 is computed over the original and over the copy, and the two values must match), the examiner works on the copy and can recover a wide range of data. The copy is acquired through write-blocked means, so that nothing is ever written to the original and the integrity of the evidence is preserved. Pictures, videos, documents, browsing history, email addresses and phone numbers are just some of the information (evidence, if it is being collected for possible court use) that can typically be recovered. Even deleted items are often retrievable, because deleting a file normally removes only the filesystem's reference to it and leaves the data on disk until it is overwritten.
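As an added illustration of the imaging and verification step described above (this is example code written for this page, not part of the original article or of any tool it names), the following POSIX shell script acquires a raw image with dd and checks it by hashing the source before acquisition and both the image and the source afterwards. It assumes dd, awk and sha256sum (or shasum) are available, and it uses a constructed sample "evidence" file in place of a real device; on a real case the source would sit behind a hardware write blocker or a read-only mount.

```shell
#!/bin/sh
# Added example (not from the article): raw acquisition with dd plus hash
# verification. Assumes dd, awk, and sha256sum or shasum are available.
# The "evidence" below is a constructed file; on a real case the source is a
# block device behind a write blocker (hardware, or e.g. `blockdev --setro`
# on Linux) and the image is written to separate storage.
set -u

# Print the SHA-256 hex digest of a file.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Acquire SRC into IMG sector by sector. conv=noerror,sync keeps going past
# unreadable sectors and pads them with zeros so every later offset stays
# correct; dd's own statistics and errors are kept in IMG.dd.log for the notes.
acquire() {
    src="$1"; img="$2"
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>"$img.dd.log"
}

# Full verify cycle: hash source, acquire, hash image, hash source again.
# All three hashes are written to LOG. Returns 0 only if
# source-before == image == source-after, i.e. the copy is exact and the
# original was not altered by the acquisition.
acquire_and_verify() {
    src="$1"; img="$2"; log="$3"
    before=$(hash_file "$src")
    acquire "$src" "$img"
    image=$(hash_file "$img")
    after=$(hash_file "$src")
    printf 'source before: %s\nimage:         %s\nsource after:  %s\n' \
        "$before" "$image" "$after" > "$log"
    [ "$before" = "$image" ] && [ "$image" = "$after" ]
}

# Constructed sample evidence: 8 sectors of zeros with a recognisable header.
# Sector-aligned on purpose: a partial final block would be zero-padded by
# conv=sync and the image hash would then legitimately differ from the source.
make_sample_evidence() {
    dd if=/dev/zero of="$1" bs=512 count=8 2>/dev/null
    printf 'CONSTRUCTED-SAMPLE-EVIDENCE' | dd of="$1" bs=1 conv=notrunc 2>/dev/null
}

# Stand-alone run: `sh acquire.sh demo` images the sample and verifies it.
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_sample_evidence "$work/evidence.bin"
    if acquire_and_verify "$work/evidence.bin" "$work/evidence.dd" "$work/hashes.log"; then
        echo "image verified"; cat "$work/hashes.log"
    else
        echo "HASH MISMATCH - do not trust this image"; cat "$work/hashes.log"
    fi
fi
```

The source is hashed a second time after acquisition so the log records that the original was not modified by the process, not only that the copy matches. Any mismatch means the image must be re-acquired, not "fixed".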

Some of the open source packages available for free download include SANS SIFT (SANS Investigative Forensic Toolkit), DEFT (Digital Evidence & Forensics Toolkit) and CAINE (Computer Aided INvestigative Environment), available as bootable live CDs (SIFT is also distributed as a virtual machine appliance). These packages are built on an Ubuntu-based Linux operating system with a graphical desktop and bundle dozens of tools; each disc contains many of the same open source tools and offers similar capabilities. Among them are The Sleuth Kit (a collection of command-line filesystem analysis tools that is a complete platform in its own right), PhotoRec (file carving for recovering deleted files of many types), Scalpel (another file carving tool), Bulk Extractor (scans an image for email addresses, URLs and other features without parsing the filesystem), chntpw (a utility to reset the password of any user with a local account on a Windows NT/2000/XP/Vista/7/8 system; it writes to the SAM hive, so it belongs on a working copy of the evidence, never on the original), GParted (a partition editor for creating, reorganising and deleting disk partitions) and log2timeline (a timeline generation tool).
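The claim that deleted items are often retrievable, and the PhotoRec and Scalpel entries above, rest on file carving: scanning the raw bytes of an image for known file headers and footers regardless of what the filesystem says. As an added example (this is code written for this page, not from the article or from either tool), the following POSIX shell function carves JPEG files out of a raw image by locating the SOI marker ff d8 ff and the next EOI marker ff d9, using only od, awk and dd. The image it runs on is constructed inline, with a minimal fake JPEG placed in unallocated space as if its directory entry had been deleted.

```shell
#!/bin/sh
# Added example (not from the article or from PhotoRec/Scalpel): header/footer
# carving of JPEGs from a raw image. Assumes od, awk and dd (all POSIX).
set -u

# carve_jpeg IMG OUTDIR: find every JPEG start marker (ff d8 ff) and the first
# end marker (ff d9) after it, and copy those bytes to OUTDIR/carved_<offset>.jpg.
# Prints "offset length" per carved file. It works on raw bytes only, so it
# recovers files whose directory entries are gone but whose blocks are intact.
carve_jpeg() {
    img="$1"; out="$2"
    mkdir -p "$out"
    # One continuous lower-case hex string, two characters per byte.
    od -An -v -tx1 "$img" | tr -d ' \n' | awk '
    {
        s = $0; pos = 1
        while (1) {
            i = index(substr(s, pos), "ffd8ff")
            if (i == 0) break
            start = pos + i - 1
            # A byte boundary is an odd (1-based) hex index; skip nibble-misaligned hits.
            if (start % 2 == 0) { pos = start + 1; continue }
            e = 0; q = start + 6
            while (1) {
                j = index(substr(s, q), "ffd9")
                if (j == 0) break
                cand = q + j - 1
                if (cand % 2 == 1) { e = cand; break }
                q = cand + 1
            }
            if (e == 0) break            # header without footer: truncated file, stop
            printf "%d %d\n", (start - 1) / 2, (e + 4 - start) / 2
            pos = e + 4
        }
    }' | while read -r off len; do
        dd if="$img" of="$out/carved_$off.jpg" bs=1 skip="$off" count="$len" 2>/dev/null
        echo "$off $len"
    done
}

# Constructed sample: a minimal fake JPEG (valid start/end markers around a
# dummy payload, 30 bytes) written into a zero-filled 8 KiB image at byte 4096.
sample_jpeg_bytes() {
    printf '\377\330\377\340JFIF constructed payload\377\331'
}
make_sample_image() {
    dd if=/dev/zero of="$1" bs=4096 count=2 2>/dev/null
    sample_jpeg_bytes | dd of="$1" bs=1 seek=4096 conv=notrunc 2>/dev/null
}

# Stand-alone run: `sh carve.sh demo` builds the sample image and carves it.
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_sample_image "$work/disk.img"
    carve_jpeg "$work/disk.img" "$work/carved"
    ls -l "$work/carved"
fi
```

Real carvers add what this sketch leaves out: a maximum file size so a missing footer does not swallow the rest of the image, signatures for many formats, and handling of fragmented files. The principle is the same, which is why PhotoRec and Scalpel work on an image whose filesystem is damaged or absent.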