Forensic Tools For Mac


Micol Cohn

Jul 24, 2024, 8:22:09 AM7/24/24
to comseletat

Network forensic tools are incredibly useful when it comes to evidence collection, especially in a day and age when most people are constantly within reach of a cell phone, laptop and other technology. In this blog post we explore nearly two dozen types of network forensics tools and techniques that cybersecurity professionals are using to aid in investigations.

The Master of Science in Cyber Security Operations and Leadership, which is 100% online, is ideal for professionals who are interested in gaining leadership skills and a deeper understanding of cybersecurity topics, theories and concepts.




Law enforcement uses digital forensics tools when solving crimes. Businesses also use them to conduct incident response and recover data. For example, organizations can use digital forensics tools to analyze how a breach occurred, whether attackers accessed or exfiltrated data, and how the malicious actors moved through the network.

With this information, organizations can accurately describe an attack to affected stakeholders and law enforcement. The tools' widespread use provides information on the tactics, techniques and procedures of cybercriminal groups.

Digital forensics products range from all-encompassing suites of tools to dedicated single products designed for specific tasks. Listed below and arranged alphabetically are five tools used and respected by digital forensics experts for either criminal investigations, incident response or both.

Cellebrite is the go-to tool provider for mobile forensics, offering broad support of mobile devices and advanced data exfiltration. Cellebrite offers multiple mobile device forensics platforms, including Cellebrite Universal Forensic Extraction Device, Cellebrite Premium Enterprise, Cellebrite Premium as a Service and Cellebrite Inspector. Its products can be used in concert with other digital forensics tools. For example, a cybersecurity investigator can do computer forensics with Magnet Axiom and then switch to Cellebrite for mobile data extraction and analysis.

Magnet Axiom is commonly used for high-level analysis. It supports investigation and analysis of computer, mobile, cloud and vehicle data. Beneficial features include automation and an accessible UI designed to be simple to use. Axiom offers a less clunky display and formats investigation results in a cleaner manner, making it a useful tool for less-technical investigators.

Velociraptor is an open source tool designed for internal security teams to gather evidence across all endpoints. It can rapidly gather and store event logs from an organization's endpoints so security teams can examine them for suspicious activity. The lightweight digital forensics tool is still relatively new to the market but boasts consistent development and an active community on Discord for troubleshooting and more.

Wireshark is an open source tool for network analysis that has been in use for more than 20 years. It can show every network packet sent from and received by a device, enabling an investigator to break down the type of traffic, as well as its source and destination. It is well suited to analyzing a potential data breach to see where the attacker is sending compromised data. Wireshark can examine wired and wireless network traffic for connection information and even what a single packet contains.

X-Ways Forensics is a tool for investigators who like to manually dig deep for analysis, rather than rely on automation. It boasts advanced technical features for disk analysis, such as capturing and detailing drive contents, slack space and interpartition space. It can operate even on limited hardware. Forensics experts can start their analysis with other tools, such as Magnet Axiom, and then delve into in-depth analysis using X-Ways.

Forensic Droplets:
A "Droplet" is a small desktop application in Adobe Photoshop (v.7 and later) that automatically processes image files that are dragged onto its icon. A Droplet can be a nearly "seamless" interface for quickly examining certain features of a scientific image in Photoshop while reading the publication in the FULL TEXT (html) form or in some forms in an Internet Browser. Droplets can be used to automate batch processing by dragging and dropping a group of image files.


An "Action" is a sequence of steps that was pre-recorded in Photoshop, but unlike the Droplet, the Action is activated by a command from within the Photoshop program. A Forensic Action sequence is more flexible than the Droplet: it can be customized by toggling certain features "on" or "off", and it can be used to create corresponding Droplets for automated batch processing. Because Actions tend to be "upwardly" compatible, they can be used to create Droplets that work with a new version of Photoshop.

Two Sets of Upgraded Forensic Imaging Tools are now Available:

ORI's upgraded Tools for image forensics have evolved considerably from their original form* that was introduced in February 2005. The upgraded tools are provided as two distinct sets.

Advanced Forensic Actions allow analysts to save an analysis and then go back and try different conditions on each adjustment layer to provide an optimal result. These tools have extended features that will be more useful to institutional committees who are assessing image evidence in their inquiries and investigations. In particular, some of these Forensic Actions utilize "Adjustment Layers" that allow reexamination of the result of a forensic test retrospectively. The original image is retained (and recoverable), since all changes are made only in the separate overlying layers that superimpose commands which can be modified or rearranged. The size of the image file is increased, but each additional layer preserves a detailed record of the analytic step that is resident within the forensic test. Results are easier to share.

The added flexibility requires more stops for queries in an Advanced Forensic Action sequence, and so it is slightly less streamlined than the comparable Action sequence from the first set. Once the user gains familiarity with the sequence, however, the dialogue and decision steps can be toggled "off" to speed the sequence for the initial result; at this point the settings for individual steps can be adjusted retrospectively as required. Analysis can be far more efficient, since the need to run multiple sequences to get a result is eliminated.

The Advanced Forensic Action set also includes additional convenient routines for setting up a Forensic Work Space, logging a record of the analysis as an automatically saved history text, and a "stop" for customizing keyboard shortcuts. The advanced set also comes with additional look-up tables for multiple forms of visualization and contour overlays for comparing difficult images. Because these features add more decision points, the attached "Read Me" comments are important to understanding the consequences of using adjustment layers.

Considerations, Sample Images, and Forensic Test-Patterns:
This section discusses the methods, gives samples of images from past cases, and provides Forensic Image Test Patterns to evaluate the performance of the Droplet (or Action).


Digital forensics tools are all relatively new. Up until the early 1990s, most digital investigations were conducted through live analysis, which meant examining digital media by using the device-in-question as anyone else would. However, as devices became more complex and packed with more information, live analysis became cumbersome and inefficient. Eventually, freeware and proprietary specialist technologies began to crop up as both hardware and software to carefully sift, extract, or observe data on a device without damaging or modifying it.

New tools are developed daily, both as elite government-sponsored solutions and basement hacker rigs. The recipe for each is a little bit different. Some of these go beyond simple searches for files or images and delve into the arena of cybersecurity, requiring network analysis or cyber threat assessment. When there is a tool for everything, the most pressing question is which one to use.

Autopsy
Autopsy is a digital forensics platform and graphical interface that forensic investigators use to understand what happened on a phone or computer. It aims to be an end-to-end, modular solution that is intuitive out of the box. Select modules in Autopsy can do timeline analysis, hash filtering, and keyword search. In addition, they can extract web artifacts, recover deleted files from unallocated space, and find indicators of compromise. All of this can be done relatively rapidly.

Autopsy runs background jobs in parallel so that even if a full search takes hours, a user will know within minutes whether targeted keywords have been found. In addition, investigators working with multiple devices can create a central repository through Autopsy that will flag phone numbers, email addresses, or other relevant data points.

Developed by the same team that created The Sleuth Kit, a library of command line tools for investigating disk images, Autopsy is an open-source solution, available for free in the interests of education and transparency. Unfortunately, the latest version is written in Java, and it is currently only available for Windows.

Bulk Extractor
Bulk Extractor scans a file, directory, or disk image. It extracts information without parsing the file system or file system structures, allowing it to access different parts of the disk in parallel, making it faster than the average tool. The second advantage of Bulk Extractor is that it can be used to process practically any form of digital media: hard drives, camera cards, smartphones, SSDs, and optical drives.
