DFIR Training Blog
Does your DFIR tool have substantial updates?

There are few things cooler than finding that one of your forensic tools was updated with new features. It does not matter which tool, or which new feature. There are times when some of the new features don’t apply to what I work on but are cool nonetheless, as it shows that a tool is constantly being developed. Small new features are neat, but the major updates are usually so good that I have to test them out immediately.

Using Belkasoft Evidence Center (BEC) as an example, the latest version, 9.7, added quite a few new features. I previously blogged about BEC as an all-in-one forensic suite that has a place in my forensic analysis right next to other tools, and the mobile device features added really expand upon the all-in-one suite concept.

BEC added a lot; you can read the bullet points here: https://belkasoft.com/whats_new_in_version_9_7

The mobile acquisition and analysis features are a welcome addition. Anyone who has done forensic analysis for more than a week knows that not every tool is capable of doing absolutely everything you need with a specific type of media or a specific type of artifact (or database!). There is no clearer example of this than examining mobile devices, as the difference in output of mobile device data between different tools can be extreme.

In one case, I testified to a number of text messages that I recovered from a mobile device. I recovered tens of thousands of messages, probably close to a hundred thousand messages. The opposing expert recovered a few thousand, way short of what I recovered. We used different applications, and I actually used three different tools, each giving me different results in numbers. The opposing expert used one tool and did not recover much at all. I can only imagine what the judge and jury were thinking when one side recovers nearly a hundred thousand messages and the other side only recovers barely four or five thousand messages. So, when I have a tool that does something my other tools do, I generally use it in conjunction to verify, corroborate, or recover data in a manner that another tool cannot.

The short story to this is…

Not every tool gets all the data, or all the data in the same manner. Seriously. Not every tool. Not all the data. And not with the same output.

Old school tools

My Dongle Tree* has clusters of dongles hanging with lanyards from various conferences and training. Some of the dongles are expired because they are old, but I keep them because I still have occasion to peer review old cases (and my own old cases) where these tools were used. The interesting thing about my Dongle Tree is that a few of the companies are no longer in business. Some of the others have been in business for longer than I have been doing forensics. And some are fairly new applications.

For the companies that have been in operation for more than a decade, I have found that they regularly update their tools, and that makes all the difference. I remember speaking to a CEO of a forensic company more than a few years ago who only believed in command line tools. The CEO did not want any part of a “GUI” in the company’s suite of command line tools, even though competitors were already headed that way. It took about a year before the company’s command line tools were outdated, along with the business going out of business.

The point of that story

The data today is different than the data of yesterday, and the tools have to keep up with the new and improved ways of doing things. Tools that do not evolve do not survive. Processes and methods are in the same boat. Some things in this field remain constant, but for the most part, it is like we are running after a runaway train trying to keep up. This applies to any field, but seems pointedly applicable to the DFIR field.

Tools that work; I hope they last.

I have had tools that I liked that have fallen by the wayside, either due to a single developer abandoning their project or due to the company being sold, re-sold, and eventually dissolved. One of the most important and most evolving targets for forensic applications is that of storage media. Data has gone from being stored most commonly on a hard drive with one most common operating system to now being stored on mobile devices, flash media, SSDs, and stored remotely around the planet on multiple types of operating systems. This is the runaway forensics train that developers have to keep up with if they plan on staying relevant (aka: "staying in business").

Tools that keep chasing the runaway forensics train generally stick around for some time because they keep adding features to deal with changing file systems, artifacts, and types of data storage devices. My favorite tools are those with full-time development, a supportive community of users, and good (responsive!) customer support.

The new and improved forensics

Actual forensics doesn’t really change, in that data is still data. But there is just so much of it, and so many different places where it lives compared to any year prior. This is only going to continue. Going back to the case where I recovered more data than the opposing expert, the reason was that the opposing expert’s tool was not capable of even seeing the data that the tools I used could. Simple as that. Pick the best tool for the job. When the tool can't see the data, you won't know what you can't know without using a more appropriate tool.

I have forensic suites that are practically useless on some types of data, even though they are “all-in-one suites” that should do “everything”. It just doesn’t work that way. Different suites for different data. Let’s use BEC as an example of this. BEC’s v9.7 update adds quite a few artifacts that some suites don’t even try to examine. Those same suites can do other things extremely well, but for what they don’t do, you need something that does.

BEC added dozens of artifact capabilities, which makes the work much easier than using tools that you need to constantly fight with to work with the data.

  • iOS
    • iMessage
    • Instagram Direct
    • Hot or Not
    • MeetMe
    • Pinterest
    • Snapchat
    • Telegram
    • WeChat
    • Whisper
    • Yubo
    • Zello
  • Android
    • Calls
    • Ctrip (including map, transportation and location)
    • Facebook
    • Hot or Not
    • Instagram Direct
    • Kakao Talk
    • Kik
    • MeetMe
    • MMS
    • ooVoo
    • Pinterest (geolocation data supported)
    • Skout
    • Snapchat
    • Tango (call duration extracted)
    • Telegram X
    • TextMe
    • VK (added extraction of geolocation, photo and video)
    • WhatsApp (performance significantly improved)
    • Whisper
    • Zalo
  • macOS
    • aMSN (owner name is now extracted)
  • Windows
    • Chrome (unallocated carving improved)
    • Chromium passwords (creation date is now extracted)
    • Mail app
    • LNK carving supported
    • Shareaza
    • Telegram Desktop
    • Yandex.Browser (password modification date is extracted)

It’s a new world in forensics (has been for a few years…)

I have lived in hex for a long time, because data is always going to be data. But I have come up for air with forensic suites to at least get a high-level view of all the data so that I can plan for what I am looking at to examine. BEC automates a lot of processes, which is good for that high-level view, but also good for connecting dots, like the connection graph. Many suites are incorporating these types of intelligence tools, and as I mentioned, this gives you a look at the data that you can’t see in hex (so to speak).

A big selling point

I push some tools because I like them and use them. I want them to succeed and keep evolving (because I use them!). One of the biggest selling points of BEC is the price. Belkasoft is in that price range between X-Ways and FTK, so I get a lot out of it for the price.

Some tools are very expensive, but I need them, and there are no viable alternatives, but that’s a different story. For the tools in this price range, and for the intelligence analysis aspects, BEC is a good value; actually, it’s a very good value.

Push button forensics

Eventually, "AI" will do all the forensics for us. At least that is what we are led to believe. Until then, your brain and your eyes are the only intelligence available for forensic analysis. We have to be smart enough to dive deep into data and get into the weeds. But we also have to be able to step back to look at the data as a whole, the computer as a whole, and the person as a whole. No one tool can do that, at least not yet. But the right collection of tools, which you put to appropriate use, can help you do it.

Know data.

Know analysis.

Know case management.

Then you know DFIR.

*My Dongle Tree is actually a real tree…made of wood, cut out in the shape of a tree, to hang my dongles on.

Written by: Brett Shavers
