UnixReview.com
May 2007
More Forensic Tools
by Kristy Westphal
I recently spent a week in class learning about a forensic tool made by the IRS that is for use only by Law Enforcement. I really, really, really liked it, but I also learned a few new things about forensic processing of hard drives that I had not considered before. So, even though I may not be able to use the tool for my job, I was inspired to seek out the latest and greatest tools (or even find some old ones) that I could actually use today while doing forensic processing of hard drives and other magnetic media.
One method to help ease the pain of weeding through all the files on a hard drive image is to do a hash match of known files. Essentially, you search the drive for files, such as known operating system files, and when you have a match, you can eliminate them from your examination "landscape". This can in fact reduce your landscape significantly.
Luckily, there are databases easily available to help with this analysis. I got excited while checking out the ForInSect site, which has a plethora of information on forensics, as several are listed there. The owner of this Web site used to maintain an updated version of a hash database by Dan Farmer, but it looks like neither of those is maintained any longer. This is still a worthy site to check out, though, because the list of forensic tools is long and useful.
The NIST site is still maintained, however. Called the National Software Reference Library, it offers hash sets for operating systems and applications, as well as for images and graphics.
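The known-file filtering described above, as an added example (not code from the article or from NIST): a small reference set is built in the legacy NSRLFile.txt CSV layout (the column order is an assumption), every file under a mounted image or extracted tree is hashed with SHA-1, and files whose hash is in the set are dropped from the examination landscape. All file contents are constructed here; the real NSRL sets are far larger.

```python
import csv, hashlib, io, os, tempfile

# Constructed stand-ins for known OS files; their digests are computed here so the
# sample reference set below stays consistent without hard-coding any hash values.
KNOWN_FILES = {
    "notepad.exe": b"constructed stand-in for an OS binary",
    "kernel32.dll": b"constructed stand-in for a system library",
}

# Constructed reference set in the legacy NSRLFile.txt layout (column order is an
# assumption: SHA-1, MD5, CRC32, FileName, FileSize, ProductCode, OpSystemCode, SpecialCode).
# NSRL publishes hashes as uppercase hex, so that is what the sample uses.
SAMPLE_NSRL = '"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"\n'
for _name, _data in KNOWN_FILES.items():
    SAMPLE_NSRL += '"%s","%s","00000000","%s","%d","1","WIN",""\n' % (
        hashlib.sha1(_data).hexdigest().upper(), hashlib.md5(_data).hexdigest().upper(), _name, len(_data))

def load_known_hashes(csv_text: str) -> set:
    """SHA-1 column of an NSRL-style CSV, lowercased so a case mismatch never hides a known file."""
    return {row["SHA-1"].strip().lower() for row in csv.DictReader(io.StringIO(csv_text))}

def hash_file(path: str) -> str:
    """Streamed SHA-1 so large files on an image need not fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest().lower()

def triage_tree(root: str, known: set):
    """Walk a mounted image or extracted tree; return (known, unknown) relative paths."""
    known_paths, unknown_paths = [], []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            (known_paths if hash_file(full) in known else unknown_paths).append(rel)
    return sorted(known_paths), sorted(unknown_paths)

def demo():
    """Constructed tree: two known files, a renamed copy of a known file, one unknown file."""
    layout = {"Windows/System32/notepad.exe": KNOWN_FILES["notepad.exe"],
              "Windows/System32/kernel32.dll": KNOWN_FILES["kernel32.dll"],
              "Windows/Temp/tmp.bin": KNOWN_FILES["notepad.exe"],  # renamed copy still matches
              "Users/example/unknown.exe": b"constructed unknown file"}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in layout.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        return triage_tree(root, load_known_hashes(SAMPLE_NSRL))
```

Matching is on content, not name, so a known file copied under a different name still drops out, while anything not in the set stays in the landscape for review.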