Key to the start: the best software and hardware for computer forensics

    This is how one of the business cards of Igor Mikhailov, a specialist in the Laboratory of Computer Forensics Group-IB, looked like before. On it are the hardware keys of the programs that the expert used when conducting forensic examinations. The cost of these software products alone exceeds 2 million rubles, and there is still free software and other commercial products. What tools to choose for work? Especially for Habr readers, Igor Mikhailov decided to talk about the best software and hardware tools for computer forensics.

    The author is Igor Mikhailov, a specialist in the Laboratory of Computer Forensics Group-IB.

    Cybercriminal's Suitcase

    Computer forensics examines a wide variety of digital devices and data sources. In the course of research, both software and hardware can be used - many of them are expensive. Not every company, let alone an individual specialist, can afford such expenses. At Group-IB, we do not save on tools, which allows us to conduct research efficiently and efficiently.

    Naturally, the list of programs in my ranking is different from the global one. This is due to both regional peculiarities - for example, some foreign programs cannot extract data from Russian messengers, and in general they are not friends with the Russian language (in search tasks) - and export restrictions, because of which Russian specialists are not able to use the whole world Arsenal of similar tools.

    Mobile forensics, hardware

    Cellebrite UFED Touch 2 is a product originally developed for field use. Conceptually divided into two parts:
    · Cellebrite UFED Touch 2 proprietary tablet (or UFED 4PC - software analogue of Cellebrite UFED Touch 2 installed on a specialist’s computer or laptop): used only for data extraction
    · UFED Physical Analyzer - software designed for data analysis extracted from mobile devices.

    The concept of using the equipment assumes that using Cellebrite UFED Touch 2, a specialist extracts data in the field, and then analyzes it in the laboratory using the UFED Physical Analyzer. Accordingly, the laboratory version is two independent software products - UFED 4PC and UFED Physical Analyzer - installed on the researcher’s computer. Today, this complex provides data extraction from as many mobile devices as possible. During the analysis, part of the data may be lost by the UFED Physical Analyzer program. This is because in new versions of the program old bugs periodically pop up, which seem to be fixed, but then for some reason they reappear. Therefore, it is recommended to control the completeness of data analysis,

    MSAB XRY / MSAB XRY Field is an analogue of Cellebrite products developed by the Swedish company Micro Systemation. Unlike the Cellebrite paradigm, Micro Systemation suggests that in most cases their products will be used on desktop computers or laptops. A branded USB hub, called a “puck” on the slang, and a set of adapters and data cables for connecting various mobile devices are attached to the product being sold. The company also offers versions of MSAB XRY Field and MSAB XRY Kiosk- hardware products designed to extract data from mobile devices, implemented in the form of a tablet and a kiosk. This product is less common in Russia than Cellebrite products. MSAB XRY has proven its worth when retrieving data from legacy mobile devices.

    From a certain moment hardware solutions for chip-off (a method of extracting data directly from memory chips of mobile devices), developed by the Polish company Rusolut, began to be popular. Using this equipment, you can retrieve data from damaged mobile devices or from devices locked with a PIN code or graphic password. Rusolut offers several sets of adapters for extracting data from certain models of mobile devices. For example, a set of adapters for extracting data from memory chips, mainly used in "Chinese phones". However, the widespread use by mobile device manufacturers of encryption of user data in top models has led to the fact that this equipment is gradually losing relevance. It is possible to extract data from the memory chip, but it will be in encrypted form, and their decryption is a non-trivial task.

    Mobile forensics, software

    Watching the development of mobile forensics, you can easily see that as the functionality of mobile devices developed, programs for their analysis also developed. If earlier the person conducting the investigation, or another customer, was content with data from the phone book, SMS, MMS, calls, graphic and video files, now the specialist is asked to extract more data. In addition to the above, as a rule, it is required to extract:

    • data from messaging programs
    • email
    • Internet browsing history
    • geolocation data
    • deleted files and other deleted information

    And this list is constantly expanding. All of these types of artifacts can be extracted with the software described below.

    Oxygen Forensic Suite : today it is one of the best programs for analyzing data extracted from mobile devices. If you want to extract the maximum amount of data from a mobile device, use this program. Integrated viewers of SQLite databases and plist files allow you to more thoroughly examine specific SQLite databases and plist files manually.

    Initially, the program was developed for use on computers, so using it on a netbook or tablet (devices with a screen size of 13 inches or less) will be uncomfortable.

    A feature of the program is the tight binding of the paths along which the files are located - application databases. That is, if the database structure of an application remains the same, but the way the database is located in the mobile device has changed, Oxygen Forensic Suite will simply skip such a database during the analysis. Therefore, the study of such databases will have to be done manually, using the file file of the “Oxygen Forensic Suite” and auxiliary utilities.

    The results of a study of a mobile device in the Oxygen Forensic Suite program:

    The trend of recent years is the "mixing" of the functionality of programs. So, manufacturers traditionally engaged in the development of programs for mobile forensics are introducing functionality into their products that allows them to investigate hard drives. Manufacturers of forensic programs focused on the study of hard drives, add to them the functionality necessary for the study of mobile devices. Both add functionality to extract data from cloud storage and so on. The result is versatile “harvester programs” that can be used to analyze mobile devices, analyze hard disks, retrieve data from cloud storage, and analyze data extracted from all these sources.

    In our ranking of programs for mobile forensics, such programs occupy the following two places: Magnet AXIOM - the program of the Canadian company Magnet Forensics, and Belkasoft Evidence Center - the development of the St. Petersburg company Belkasoft. These programs, in terms of their functionality in extracting data from mobile devices, are of course inferior to the software and hardware described above. But they do their analysis well and can be used to control the completeness of the extraction of various types of artifacts. Both programs are actively developing and rapidly increasing their functionality in the field of mobile device research.

    AXIOM mobile data source selection window:

    Results of a study of a mobile device by Belkasoft Evidence Center:

    Computer forensics, hardware recording locks

    Tableau T35U is a tableau hardware blocker that allows you to safely connect the studied hard drives to the researcher's computer via USB3. This lock has connectors that allow you to connect hard drives to it via IDE and SATA interfaces (and, if there are adapters, hard drives with other types of interfaces). A feature of this blocker is the ability to emulate read-write operations. This can be useful when examining drives infected with malware.

    Wiebitech Forensic UltraDock v5- hardware lockout company CRU. Has the functionality similar to Tableau T35U blocker. In addition, this lock can be paired with a researcher’s computer via a larger number of interfaces (in addition to USB3, pairing via eSATA and FireWire interfaces is also available). If a hard drive is connected to this lock, access to which is limited by the ATA password, a message will appear on the display of the lock. In addition, when a hard drive with a DCO (Device Configuration Overlay) technology zone is connected, this zone will be automatically unlocked so that a specialist can copy the data in it.

    Both recording locks use the USB3 bus connection as the main connection, which provides comfortable working conditions for the researcher when cloning and analyzing storage media.

    Computer forensics, software

    Old men for unusual situations

    15 years ago, the unchallenged leaders of computer expertise were Encase Forensics and AccessData FTK. Their functionality naturally complemented each other and allowed to extract the maximum number of different types of artifacts from the studied devices. These days, these projects are outsiders of the market. The current functionality of Encase Forensics lags far behind today's software requirements for researching computers and servers running Windows. Using Encase Forensics remains relevant in “non-standard” cases: when you need to examine computers running Mac OS OC or a server running Linux, extract data from rare file formats. Ensripts macro language built into Encase Forensics contains a huge library of ready-made scripts implemented by the manufacturer and enthusiasts: using them, it is possible to analyze a large number of different operating and file systems.

    AccessData FTK tries to maintain the functionality of the product at the required level, but the processing time for the drives significantly exceeds the reasonable amount of time that an average specialist can afford to spend on such a study.

    Features AccessData FTK:

    • very high level keyword search
    • analytics of various cases, allowing to identify relationships in devices seized for various cases
    • the ability to customize the program interface for yourself
    • support for rare file formats (such as Lotus Notes databases)

    Both Encase Forensics and AccessData FTK can handle massive amounts of raw data, measured in hundreds of terabytes.

    Young and growing

    The undisputed leader in computer forensics is Magnet Axiom . The program does not just gradually develop, but covers entire segments with added functionality: research on mobile devices, retrieval from cloud storage, research on devices running the MacOS operating system and so on. The program has a convenient and functional interface, in which everything is at hand, and can be used to investigate information security incidents related to malware infection on computers or mobile devices or data leaks.

    The Russian analogue of Magnet AXIOM is Belkasoft Evidence Center. Belkasoft Evidence Center allows you to extract and analyze data from mobile devices, cloud storage and hard drives. When analyzing hard drives, it is possible to extract data from web browsers, chats, information about cloud services, detect encrypted files and partitions, extract files by a given extension, geolocation data, email, data from payment systems and social networks, thumbnails, system files , system logs, and so on. It has flexible customizable functionality for retrieving remote data.

    Advantages of the program:

    • a wide range of artifacts retrieved from various storage media
    • good built-in SQLite database viewer
    • collecting data from remote computers and servers
    • integrated functionality for checking detected files on Virustotal

    The basic program is sold for a relatively small amount. Other modules that extend the functionality of Belkasoft Evidence Center can be purchased separately. In addition to the basic configuration, it is strongly recommended to buy the “File Systems” module, without which working with the media under investigation is not always convenient in the program.

    The disadvantages of the program are the inconvenient interface and the non-obviousness of the performance of individual actions in the program. To use the program effectively, you must undergo appropriate training.

    The main window of the Belkasoft Evidence Center program, which displays statistics of the forensic artifacts found when examining a specific device:

    Gradually, the Russian market conquers X-Ways Forensics . This program is a Swiss computer forensics knife. Versatile, accurate, reliable and compact. A feature of the program is the high speed of data processing (compared with other programs in this category) and the optimal functionality that covers the basic needs of a specialist in computer forensics. The program has a built-in mechanism to minimize false-positive results. That is, the researcher, when recovering files from a 100 GB hard drive, sees not 1 TB of recovered files (most of which are false positive results, as is usually the case when using recovery programs), namely those files that were actually recovered.

    With X-Ways Forensics, you can:

    • find and analyze email data
    • analyze the history of web browsers, Windows OS logs and other system artifacts
    • filter results, get rid of unnecessary, leave only valuable and relevant
    • build a timeline and see activity in the period of interest
    • rebuild raids (RAID)
    • mount virtual disks
    • scan for malware

    This program has proven itself very well in the manual analysis of hard drives extracted from DVRs. Using the X-Tension functionality, it is possible to connect third-party modules in the program.

    Disadvantages of X-Ways Forensics:

    • ascetic interface
    • lack of a full built-in SQLite database viewer
    • the need for in-depth study of the program: the implementation of certain actions necessary to obtain the result necessary for a specialist is not always obvious

    Data Recovery, Hardware

    Currently, only one manufacturer of such equipment dominates the Russian market - ACELab , which produces hardware for analysis, diagnostics and recovery of hard drives (PC-3000 Express, PC-3000 Portable, PC-3000 UDMA, PC-3000 SAS) , SSD drives (PC-3000 SSD complex), flash drives (PC-3000 Flash complex), RAID (PC-3000 Express RAID complexes, PC-3000 UDMA RAID, PC-3000 SAS RAID). ACELab's dominance in the market for hardware solutions for data recovery is due to the high quality of the above products and the ACELab pricing policy, which does not allow competitors to enter this market.

    Data Recovery, Software

    Despite the large number of different recovery programs, both paid and free, it is very difficult to find a program that would correctly and fully restore various types of files in a variety of file systems. To date, there are only two programs that have approximately the same functionality that allow this: R-Studio and UFS Explorer . Thousands of recovery programs from other manufacturers either do not reach the specified programs in their functional capabilities or are significantly inferior to them.

    Open source software

    Autopsy is a convenient tool for analyzing computers running the Windows operating system and mobile devices running the Android operating system. Has a graphical interface. It can be used in the investigation of computer incidents.

    Photorec is one of the best free data recovery software. A good free alternative to paid counterparts.

    Eric Zimmerman Tools - a set of free utilities, each of which allows you to explore a particular Windows artifact. As practice has shown, the use of Eric Zimmerman Tools increases the efficiency of a specialist in responding to an incident in the field. Currently, these utilities are available as a software package - Kroll Artifact Parser and Extractor (KAPE).

    Linux based distributions

    SIFT is a Linux distribution developed and supported by the commercial organization SANS Institute, which specializes in training cybersecurity professionals and investigating incidents. SIFT contains a large number of current versions of free programs that can be used both to extract data from various sources and to analyze them. SIFT is used as part of company training and its content is constantly updated. Convenience of work is determined by the specific tool located in this distribution, with which the researcher has to work.

    Kali Linux- A unique Linux distribution that is used by specialists both for conducting a security audit and for conducting investigations. In 2017, Packt Publishing published a book by Shiva V.N. Parasram (Shiva V. N Parasram) "Digital Forensics with Kali Linux". This book provides tips on how to copy, research and analyze computers, individual drives, copies of data from RAM and network traffic using the utilities included in this kit.


    This study is the result of my empirical experience with the described hardware and software used in the forensic investigation of computer technology and mobile devices. I hope that the information presented will be useful to specialists planning to purchase software and hardware for conducting computer forensics and investigating incidents.

    Also popular now: