The world of computer forensics, like everything related to computing, is developing and changing rapidly. While there are commercial investigative software packages, such as EnCase from Guidance Software and FTK from AccessData, there are other software platforms that offer a solution for obtaining computer forensic results. Unlike the two packages mentioned above, these open source alternatives don’t cost hundreds of dollars; they are free to download, distribute and use under various open source licenses.

Computer forensics is the process of obtaining information from a computer system. This information can be obtained from a live system (one that is still running) or from a system that has been shut down. The process usually involves taking steps to obtain a copy or image of the target system (often an image of the hard drive is obtained, but in the case of a “live” system, this can also include other memory areas of the computer, such as RAM).

After making an “image” or exact copy of the target, in which the copy is verified by “checksum” processes, the computer specialist can begin to examine and obtain a wide range of data. This copy is obtained via write-protected media to preserve the integrity of the original evidence. Information such as images, videos, documents, browsing history, email addresses, and phone numbers are just some of the data (or evidence if collected for potential legal purposes) that can often be obtained. Even deleted items can often be recovered.
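The checksum verification described above, as an added example that is not part of the original post: both the source and the acquired image are hashed in a single streaming pass and the digests compared, and a size check catches a truncated acquisition early. All file contents here are constructed test data; only Python's standard library is assumed.

```python
"""Added example (not from the original post): verify a disk image against
its source by hashing both in one streaming pass and comparing the digests.
All file contents below are constructed test data, not real evidence."""
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # read 1 MiB blocks so multi-GB images never load into memory


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hex digest}, computing every digest in a single read."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(source_path, image_path, algorithms=("md5", "sha256")):
    """Compare source and image digests. A size mismatch is reported separately
    because a truncated copy shows up there before any hash is computed."""
    size_ok = os.path.getsize(source_path) == os.path.getsize(image_path)
    src = hash_file(source_path, algorithms)
    img = hash_file(image_path, algorithms)
    return {"size_match": size_ok, "hashes_match": src == img,
            "source": src, "image": img}


def sidecar_line(path):
    """Format a 'sha256sum -c'-compatible line to store beside the image."""
    return f"{hash_file(path, ('sha256',))['sha256']}  {os.path.basename(path)}"


def demo():
    """Constructed demo: an exact copy verifies; a same-size copy with a single
    flipped byte does not, which is why size alone is never sufficient."""
    payload = bytes(range(256)) * 4096  # 1 MiB of constructed 'disk' content
    with tempfile.TemporaryDirectory() as tmp:
        src, good, bad = (Path(tmp, n) for n in ("source.bin", "good.dd", "bad.dd"))
        src.write_bytes(payload)
        good.write_bytes(payload)
        bad.write_bytes(payload[:-1] + bytes([payload[-1] ^ 0x01]))
        good_result = verify_image(src, good)
        bad_result = verify_image(src, bad)
        return (good_result["hashes_match"], bad_result["size_match"],
                bad_result["hashes_match"])
```

Record the digests at acquisition time and again before analysis; any change between the two means the copy can no longer be relied on as a faithful image.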

Some of the open source packages available for free download include SANS SIFT (SANS Investigative Forensic Toolkit), DEFT (Digital Evidence & Forensics Toolkit) and the CAINE (Computer Aided INvestigative Environment) Boot CD. These powerful packages are based on the Ubuntu Linux operating system with a Windows-like graphical environment and feature dozens of tools; each disc contains many of the same open source tools and offers similar capabilities. Some of these tools are The Sleuth Kit (a complete platform in itself), Photorec (great for recovering all types of deleted files), Scalpel (another deleted file recovery tool), Bulk Extractor (bulk extraction of email addresses and URLs), Chntpw (a utility to reset the password of any user with a valid local account on a Windows NT/2k/XP/Vista/7/8 system), Gparted (a partition editor for creating, reorganizing, and removing disk partitions), and Log2timeline (a timeline generation tool).

So if you’re into the technical stuff, download one of these discs and start becoming a computer detective today.
