Sunday, April 6, 2014
This blog will be a reference and reminder for me as I begin the process of using Linux and The Sleuth Kit (TSK) to perform computer forensics. In time I would like to become proficient and comfortable enough with these tools to use them in place of current commercial tools like AccessData's Forensic Toolkit (FTK) or Guidance Software's EnCase Forensic.
It is important to note that these, along with many other commercial tools, are very capable and that each has its own merit. I have had the opportunity to use EnCase, FTK, IEF, Cellebrite, and other tools since I began working as a forensic examiner and I have found each tool to be successful. The problem is that each of these tools provides a limited range of functionality.
The primary reason a tool's functionality stops where it does is that it is just a single tool. No single tool will ever be able to support the many different challenges that present themselves in the computer forensics world. There are many different reasons for these challenges, but I will only discuss a few to give you an idea of the scale.
Here is a list of capabilities that, if missing, may prevent a forensic tool from being successful:
- File System Support (NTFS, FAT16, FAT32, Ext2, Ext3, Ext4, HFS+, Btrfs, ZFS, and so on)
- File Type Support (a failure to interpret one of the millions of different file types)
- Encryption Support (Full Disk, Directory/Container, File)
- Hardware Support (a failure to communicate with a device)
Any one of these (and others), if not supported by your forensic tool, may bring your investigation to an immediate halt. We can't expect any tool, TSK included, to work in every scenario. However, the era of "push button forensics" is upon us and TSK just doesn't work that way. As a result it may prove useful in showing us more about how things work and how to defeat the roadblocks that we encounter.
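As an added illustration of the first item in the list above (example code written for this post, not something from the original page and not TSK's own code): before any forensic tool can parse a volume it has to recognize which file system it is looking at, which is what TSK's fsstat does by reading the on-disk signatures. The script below identifies the file systems named in the list (ZFS omitted) using their published superblock and boot-sector layouts: the NTFS OEM ID at offset 3, the FAT12/FAT16 and FAT32 type strings at 0x36 and 0x52, the ext2/3/4 magic and feature flags in the superblock at 1 KiB, the HFS+ volume-header signature at 1 KiB, and the Btrfs magic in the superblock at 64 KiB. The sample volumes are constructed inline so the script runs offline; they are not real images. It expects a volume (partition) image, not a whole-disk image: on a disk image you would first walk the partition table, as TSK's mmls does, and apply the check at each partition's starting offset.

```python
"""Identify which file system a volume image contains from on-disk signatures.

Added example for this post (not from the original page or from TSK).
The offsets and magic values follow the published on-disk formats; the
sample volumes at the bottom are constructed, not captured from real media.
"""
import struct
from typing import Dict, Optional

_EXT_SB = 1024                          # ext2/3/4 superblock starts at 1 KiB
_HFSPLUS_VH = 1024                      # HFS+ volume header starts at 1 KiB
_BTRFS_MAGIC_OFFSET = 0x10000 + 0x40    # Btrfs superblock at 64 KiB, magic at +0x40


def _ext_variant(img: bytes) -> Optional[str]:
    """Distinguish ext2/ext3/ext4 from the superblock magic and feature flags."""
    if len(img) < _EXT_SB + 0x68:
        return None
    magic = struct.unpack_from("<H", img, _EXT_SB + 0x38)[0]
    if magic != 0xEF53:
        return None
    compat = struct.unpack_from("<I", img, _EXT_SB + 0x5C)[0]
    incompat = struct.unpack_from("<I", img, _EXT_SB + 0x60)[0]
    if incompat & 0x0040:        # INCOMPAT_EXTENTS: only ext4 uses extents
        return "Ext4"
    if compat & 0x0004:          # COMPAT_HAS_JOURNAL: ext3 (journal, no extents)
        return "Ext3"
    return "Ext2"


def _fat_variant(img: bytes) -> Optional[str]:
    """FAT12/16 carry a type string at 0x36, FAT32 at 0x52; both end the sector with 0x55AA."""
    if len(img) < 512 or img[510:512] != b"\x55\xAA":
        return None
    for off in (0x36, 0x52):
        tag = img[off:off + 8]
        if tag in (b"FAT12   ", b"FAT16   ", b"FAT32   "):
            return tag.strip().decode()
    return None


def identify_filesystem(img: bytes) -> str:
    """Return the file-system name for a volume image, or 'unknown'."""
    if img[3:11] == b"NTFS    " and img[510:512] == b"\x55\xAA":
        return "NTFS"
    fat = _fat_variant(img)
    if fat:
        return fat
    ext = _ext_variant(img)
    if ext:
        return ext
    if img[_HFSPLUS_VH:_HFSPLUS_VH + 2] in (b"H+", b"HX"):   # HX is case-sensitive HFSX
        return "HFS+"
    if img[_BTRFS_MAGIC_OFFSET:_BTRFS_MAGIC_OFFSET + 8] == b"_BHRfS_M":
        return "Btrfs"
    return "unknown"


def _volume(size: int, patches: Dict[int, bytes]) -> bytes:
    """Build a zero-filled constructed volume with the given bytes patched in."""
    buf = bytearray(size)
    for off, data in patches.items():
        buf[off:off + len(data)] = data
    return bytes(buf)


# Constructed sample volumes: only the signature fields are populated.
SAMPLES = {
    "ntfs": _volume(4096, {3: b"NTFS    ", 510: b"\x55\xAA"}),
    "fat16": _volume(4096, {0x36: b"FAT16   ", 510: b"\x55\xAA"}),
    "fat32": _volume(4096, {0x52: b"FAT32   ", 510: b"\x55\xAA"}),
    "ext2": _volume(4096, {_EXT_SB + 0x38: struct.pack("<H", 0xEF53)}),
    "ext3": _volume(4096, {_EXT_SB + 0x38: struct.pack("<H", 0xEF53),
                           _EXT_SB + 0x5C: struct.pack("<I", 0x0004)}),
    "ext4": _volume(4096, {_EXT_SB + 0x38: struct.pack("<H", 0xEF53),
                           _EXT_SB + 0x5C: struct.pack("<I", 0x0004),
                           _EXT_SB + 0x60: struct.pack("<I", 0x0040)}),
    "hfsplus": _volume(4096, {_HFSPLUS_VH: b"H+"}),
    "btrfs": _volume(0x11000, {_BTRFS_MAGIC_OFFSET: b"_BHRfS_M"}),
    "blank": _volume(4096, {}),
}


if __name__ == "__main__":
    for name, image in SAMPLES.items():
        print(f"{name:8s} -> {identify_filesystem(image)}")
```

The "blank" sample shows the failure mode the list is about: a volume the checker has no signature for comes back as "unknown", and everything downstream (directory listing, file carving, timelines) stops there unless you know the format well enough to add it yourself. To run it against a real partition image, read the file into bytes (the first 64 KiB plus 64 bytes is enough for every check above) and pass it to identify_filesystem.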
My hope is that I will help someone else with this process of learning while showing the value of these tools. I will attempt to provide you with enough information to duplicate these results, and I will provide links to any practice images that I use for a scenario. At times I will be receiving instruction from people I know or from other resources; I will pass that information along to you as well.
Finally, I want to thank John Lehr for his guidance and instruction. He has helped me get started down this path and has helped me when I can't seem to make it work. He also has a blog that, while more advanced than I plan on being, is a great resource for overcoming certain challenges. He covers a lot of information on cell phone and tablet forensics, so if you are looking for that you should absolutely take the time to look at it HERE.