Computer forensics: a closer look at three tools
Nowadays we mainly speak of digital forensics rather than computer forensics. With the advent of mobile technology, the investigation of computer data seems to be increasingly pushed into the background. But is this really the case? The following look at three leading software tools for digital investigation shows that it is not.
In order to conduct a thorough and forensically sound investigation, investigators need the right tooling at their disposal. That tooling supports experts in their search for useful evidence in the cloud and on mobile devices, but computers and laptops are still regularly encountered in an investigation, and it is not always easy to determine which tool should be used when. The experts of DataExpert Investigations will gladly advise you on this. Their investigation lab is equipped with various forensic software and hardware solutions, each with its own specialty and strength. Which tooling is used depends on the type of investigation, the data carriers encountered, the operating system and the investigation question. EnCase, FTK and Intella, for example, are used for the digital investigation of computers and laptops. Below we explain how these three solutions contribute to an efficient investigation.
EnCase
EnCase is the best-known software solution for computer investigations. It was created by Guidance Software, which is now part of the OpenText portfolio. For recovering and filtering data on a computer, EnCase is a powerful and efficient solution: it uses filters and conditions to quickly show which files are relevant. Conditions are built within EnCase and select files by, for example, document type or path; the selected set can then be narrowed further by applying additional conditions. Conditions are quite easy to build yourself, which allows investigators or the experts from DataExpert to put together a toolbox of conditions for each investigation that matches the requirements of that specific case. The image below shows an example of the possible conditions within EnCase.
EnCase can also select by the dates and times at which an action or incident took place. Finally, EnCase offers the possibility to record the evidence found in clear reports.
FTK
Forensic Toolkit (FTK) is made by AccessData, now part of Exterro, and is best known for FTK Imager, which many digital investigators use to create forensic images of computer data; the imager also computes hashes of the image so that the copy can be verified against the original. Within FTK, indexing the data is a requirement for building a case: every word that occurs in the dataset ends up in an index database. When search terms are entered, FTK searches that index and also shows the variants that are similar to the terms entered.
In addition, FTK provides a powerful Timeline feature that can be used to find a specific date or time in a computer's e-mail traffic. The timeline is built from the mail itself: the times of sending and receiving are arranged chronologically by year, month or even day, which makes it easy to select a period and search only within it. An example of the Timeline feature is shown in the image below.
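The indexing and variant search described above can be illustrated with a small inverted index and an edit-distance lookup. The code below is an added example written for this page, not FTK's own code or its search algorithm; the file paths and document text are constructed sample data, and the edit-distance threshold of 1 is an assumption of the example.

```python
import re
from collections import defaultdict

# Constructed sample dataset (not real case data): file path -> extracted text.
DOCUMENTS = {
    "C:/Users/jdoe/Documents/contract.docx": "The contract was signed by Johnson on 3 March.",
    "C:/Users/jdoe/Documents/notes.txt": "Jonson asked about the contracts and the invoice.",
    "C:/Users/jdoe/Desktop/todo.txt": "Call the accountant about the invoices.",
}

WORD_RE = re.compile(r"[a-z0-9]+")


def tokenize(text):
    """Lower-case the text and split it into alphanumeric words."""
    return WORD_RE.findall(text.lower())


def build_index(documents):
    """Inverted index: every word in the dataset -> set of file paths containing it."""
    index = defaultdict(set)
    for path, text in documents.items():
        for word in tokenize(text):
            index[word].add(path)
    return index


def edit_distance(a, b):
    """Levenshtein distance between two strings (insert, delete and substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute ca by cb
        prev = cur
    return prev[-1]


def search(index, term, max_distance=1):
    """Return {indexed variant: sorted file paths} for every word within max_distance of term.

    max_distance=0 is an exact keyword search; 1 also finds spelling variants such as
    'Jonson' for 'Johnson' or a plural ('invoices' for 'invoice'). The threshold is an
    assumption of this example, not a setting of FTK.
    """
    term = term.lower()
    hits = {}
    for word, paths in index.items():
        # Cheap length filter before the O(n*m) distance computation.
        if abs(len(word) - len(term)) <= max_distance and edit_distance(word, term) <= max_distance:
            hits[word] = sorted(paths)
    return hits


if __name__ == "__main__":
    idx = build_index(DOCUMENTS)
    for term in ("johnson", "invoice"):
        for variant, paths in search(idx, term).items():
            print(f"{term!r} matched {variant!r} in {paths}")
```

Searching for "johnson" returns both the exact spelling in the contract and the misspelt "Jonson" in the notes file, which an exact keyword search would miss. Commercial tools add further variant matching such as stemming and phonetic matching; edit distance is just one form of it, chosen here because it is short enough to read in full.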
Intella
A powerful tool for e-mail investigation is Intella. It is not limited to e-mail: Office documents and data from the cloud can be searched just as well. Its interface makes Intella very user-friendly and pleasant to work with, and it is especially recommended for non-technical investigators and people with little or no experience.
In recent years Intella has been developed further by its creator, Vound Software. The software is very powerful at analysing large e-mail environments and can also extract data from the cloud, as is needed for Office 365 environments. Within the e-mail traffic it is possible to look for connections, such as who has been in contact with whom. Because the entire e-mail conversation is available and not just the individual messages that match a search term, exculpatory evidence is made visible as well.
Furthermore, Intella can link the evidence found about a person to identities, so that several e-mail addresses and names are treated as one person. After Intella has indexed the data, an Insight Report can easily be shared with the team. This gives a good overview of the kind of data that has been found and helps steer the direction of the search. An example of this report is shown below.
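The e-mail timeline described in the FTK section and the contact and identity analysis described here for Intella both come down to parsing mail headers, normalising times and addresses, and counting. The following is an added example written for this page, not code from FTK or Intella; the three messages, the addresses and the identity map are constructed for the demonstration, and the identity map stands in for the linking an investigator would do by hand.

```python
import email
from collections import Counter
from datetime import datetime, timezone
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample mailbox with RFC 5322 headers; not real case data.
RAW_MESSAGES = [
    "From: John Doe <john.doe@example.com>\n"
    "To: Mary Smith <mary@example.org>\n"
    "Date: Mon, 04 Mar 2019 09:15:00 +0100\n"
    "Subject: Contract\n"
    "\n"
    "Please sign.\n",
    "From: jdoe@example.com\n"
    "To: mary@example.org, Tom <tom@example.net>\n"
    "Date: Tue, 05 Mar 2019 17:40:00 +0100\n"
    "Subject: Re: Contract\n"
    "\n"
    "Signed.\n",
    "From: Tom <tom@example.net>\n"
    "To: John Doe <john.doe@example.com>\n"
    "Date: Wed, 10 Apr 2019 08:00:00 +0000\n"
    "Subject: Invoice\n"
    "\n"
    "Attached.\n",
]

# Hypothetical identity map built by the investigator: several addresses -> one person.
IDENTITIES = {
    "john.doe@example.com": "John Doe",
    "jdoe@example.com": "John Doe",
    "mary@example.org": "Mary Smith",
    "tom@example.net": "Tom",
}


def parse_messages(raw_messages):
    """Parse raw messages into (sent_time_utc, sender_address, [recipient_addresses]).

    Dates are normalised to UTC so that mail sent from different time zones lands in
    the right period; addresses are lower-cased so they compare consistently.
    """
    parsed = []
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        sent = parsedate_to_datetime(msg["Date"]).astimezone(timezone.utc)
        sender = getaddresses([msg["From"]])[0][1].lower()
        rcpt_headers = msg.get_all("To", []) + msg.get_all("Cc", [])
        recipients = [addr.lower() for _, addr in getaddresses(rcpt_headers)]
        parsed.append((sent, sender, recipients))
    return parsed


def timeline(parsed, granularity="month"):
    """Message counts per period in chronological order; granularity is year, month or day."""
    fmt = {"year": "%Y", "month": "%Y-%m", "day": "%Y-%m-%d"}[granularity]
    counts = Counter(sent.strftime(fmt) for sent, _, _ in parsed)
    return dict(sorted(counts.items()))


def in_period(parsed, start_iso, end_iso):
    """Messages sent within the inclusive period, given as ISO 8601 timestamps with offset."""
    start = datetime.fromisoformat(start_iso)
    end = datetime.fromisoformat(end_iso)
    return [m for m in parsed if start <= m[0] <= end]


def contact_graph(parsed, identities):
    """Who has been in contact with whom: undirected (person, person) -> message count.

    Addresses are resolved through the identity map so that two addresses of the same
    person become one node; addresses not in the map are kept as they are.
    """
    def person(addr):
        return identities.get(addr, addr)

    edges = Counter()
    for _, sender, recipients in parsed:
        for rcpt in recipients:
            pair = tuple(sorted((person(sender), person(rcpt))))
            if pair[0] != pair[1]:  # ignore mail a person sends to themselves
                edges[pair] += 1
    return dict(edges)


PARSED = parse_messages(RAW_MESSAGES)

if __name__ == "__main__":
    print(timeline(PARSED, "month"))
    print(contact_graph(PARSED, IDENTITIES))
    print(contact_graph(PARSED, {}))  # without identity resolution John Doe appears as two nodes
```

Run without the identity map, the contact graph shows four edges because John Doe's two addresses are treated as two people; with the map it collapses to two edges with the correct counts, which is exactly why linking addresses to identities matters before drawing conclusions about who talked to whom. The timestamps are converted to UTC before bucketing: the 17:40 +0100 message would otherwise be placed in the wrong hour if compared against evidence recorded in UTC.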
In addition to the tooling described above, there are many other software and hardware solutions suitable for digital investigation. We would be happy to advise you on this, or to take the work off your hands by conducting the forensic investigation for you. Do you have questions? Then be sure to contact us.