Compilation Tools For Digital Computer Forensics:

By Author: Paul Bromby
Total Articles: 1
Comment this article

During a civil litigation suit, it is always important to carry out digital forensics. This can include computer and mobile phone forensics to obtain data. However, in some cases, it may not be possible to compile all the data. Nevertheless, there are certain things your rules need to observe when duplicating, shifting or storing data.

There are a number of computer forensics tools that you can use when collecting data from these device. These comprise:

FTK Imager – A lightweight collection tool that can be used to create both full (physical) acquisitions and targeted (logical) acquisitions of data, from both servers and computers.

EnCase Enterprise – A collection tool that enables us to make targeted forensic copies of data remotely over a corporate network without the knowledge of the target custodians.

XRY – XRY is a reliable and highly respected forensic tool which supports a wide variety of mobile devices including mobile phones, Sat Navs and tablets. The software supports the recovery of ‘live’ and ‘deleted’ data from devices and is presented in a user friendly and clear format.

Cellebrite ...
... – Cellebrite can perform ‘live’ and ‘deleted’ analysis of a number of mobile devices including mobile phones and tablets. One of the main features of Cellebrite is that it can extract a ‘file system/file structure’ read from a device and will then display the evidence in the exact same way that it is stored on the device. Cellebrite is also an excellent tool for recovering ‘deleted’ data from mobile devices.

Pre-Processing Tools For Digital Computer Forensics

Pre-processing tools are designed to quickly reduce data volumes prior to loading into an e-disclosure platform. Some pre-processing tools on the market are charged on a per GB basis, or a per day pricing model. The per day pricing allows us to undertake high data volume projects at a lower cost than had per GB pricing been applied.

We were asked to undertake an e-disclosure exercise across 5TB (5,000,000MB) of data. Had all of this data been loaded straight into a review platform the cost would have been approaching £1 million in processing costs alone. By utilising a pre-processing engine we were able to undertake the exercise for tens of thousands instead.

Pre-processing tools includes the following:

Nuix – Excellent for large volumes of data, Nuix is able quickly to index and search almost all commonly encountered data types, allowing us to rapidly cull out irrelevant data. Nuix is capable of loading all data sources at once enabling us to de-duplicate across exhibits. In a recent exercise we were able to reduce the volume of data that needed to be loaded into the review platform from over 11TB to less than 50GB using Nuix.

EnCase – Historically a tool for forensic practitioners, EnCase can be used for e-disclosure to reduce data volumes and recover previously deleted information if required. EnCase is an ideal pre-processing tool for smaller cases with fewer data sources, but can become labor-intensive on larger cases. Recently, we used EnCase to recover deleted information for inclusion in document review, in total over 1,000 previously deleted files were recovered.

FTK – Can be used in a similar capacity to EnCase for e-disclosure. FTK indexes all data on adding to a case allowing fast keyword searching. FTK is ideal for use on cases with large volumes of emails as it is effective at maintaining document families such as emails and their attachments, which is often vital for the e-disclosure process.

Processing and Review Tools For Digital Computer Forensics

A suite of processing and review tools will initially process the data to enable de-duplication (where not undertaken at a pre-processing phase) and indexing of the data to make it fully searchable for review. This allows us to omit the pre-processing phase where data volumes are small, saving time and effort.

We host all our review platforms so that clients do not have to go through the trouble of running the system. This ensures that the only task they have is document review. There are specialists who can easily be reached by phone for advice on technical matters during review. Here are some of the tools used for manipulation and evaluation of digital forensics data:

Clearwell- This is largely considered among the top e-disclosure manipulation and evaluation platforms. The 2013 Gartner Magic Quadrant ranked it as the “leader’ in similar software. Clearwell has an interface that is simple and perceptive. It is charged based on GB and clients can use it on any computer by using a protected portal.

FTK- this is the best option for smaller cases. It can be accessed from our review suites that are custom-made in our Laboratory at Startford-upon-Avon. It has a lower functionality as compared to Clearwell and can only be used by one reviewer per case. However, it is not charge based on GBs so it is an affordable solution in some situations.

Paul Bromby is the author of this article on Computer Forensics.
Find more information, about Computer Investigations here