Forensic Toolkit – What’s in it?

In the world of digital forensics, the well-trained investigator needs a set of forensic tools. The tools this person uses will help them gather evidence of a white-collar crime or fraud, document the factual evidence, and perhaps place the investigator on the witness stand to give expert testimony in any legal proceedings that arise from the process. The tools used by these investigators are primarily software tools, although there are some hardware considerations as well.

The basic computer forensic toolkit will likely be contained on a CD or DVD and will be presented primarily in a word processing format. Any computer forensic investigation produces an enormous amount of paperwork, since the objective of the investigation is to document absolutely everything that is found. These Toolkit CDs are designed to provide the investigator with tried and true forms and templates that will allow them to document everything they find. They also serve as an effective checklist to help the investigation team ensure that no steps are missed and that everything is done in the correct order.

Another important component of the toolkit will be templates and tools to assist in presenting research findings to management. It is vital that all findings are reported in a professional, unbiased, complete, and scientifically sound manner. This is the end product of the investigation and what management sees as what they actually paid the investigators to do. This report can also end up being the basis (and annexes) of the legal procedures that may arise from the process, so it is vital that these reports and presentations are accurate, clear and fully aligned with the law.

The primary non-software tool used in a computer forensic toolkit is an imaging device. Making an exact image of the computer’s hard drive (or other storage medium) is the most common first step in data capture. It is absolutely necessary that there be a “clean” copy of the computer’s memory and stored data, so that investigators are sure that they are looking at and analyzing the data in the same precise pattern that occurs on the computer in question. There are many brands of devices available, and they all have the same basic function.

These devices must first make an exact copy of the data. Second, they typically perform the disk sector-level copy as a bitstream process (as opposed to a simple file copy process). This method makes a more complete and accurate copy of the data, which in turn allows for a more complete and accurate analysis.
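As an added example (not the post's own code) of what the sector-level bitstream copy described above actually does and how its result is verified, here is a small Python acquisition routine; it assumes a 512-byte sector size and, on a real case, a block device such as /dev/sdb as the source, while demo() images a constructed sample disk so it runs offline:

```python
# Added example (not the post's code): sector-level bitstream imaging plus hash
# verification; demo() images a constructed sample "disk" so it runs offline.
import hashlib
import os
import tempfile

SECTOR_SIZE = 512  # assumption: classic 512-byte sectors

def bitstream_image(source_path, image_path, sector_size=SECTOR_SIZE):
    """Copy every sector, allocated or not, from source to image.
    Returns (bytes_copied, sha256 of the data as it was read)."""
    digest, copied = hashlib.sha256(), 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(sector_size), b""):
            digest.update(chunk)
            dst.write(chunk)
            copied += len(chunk)
    return copied, digest.hexdigest()

def sha256_file(path, sector_size=SECTOR_SIZE):
    """Independent re-read of the written image for verification."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(sector_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def acquire_and_verify(source_path, image_path):
    """Image the source, then prove the image matches what was read;
    the returned record is what goes into the acquisition paperwork."""
    copied, source_hash = bitstream_image(source_path, image_path)
    image_hash = sha256_file(image_path)
    return {"bytes": copied, "sectors": copied // SECTOR_SIZE,
            "source_sha256": source_hash, "image_sha256": image_hash,
            "verified": source_hash == image_hash}

def demo():
    """Constructed 3-sector disk: boot sector, a live file, and a sector
    holding a deleted file's remnant that a plain file copy would miss."""
    sample = (b"BOOT".ljust(SECTOR_SIZE, b"\x00")
              + b"ledger.xlsx".ljust(SECTOR_SIZE, b"\xff")
              + b"deleted remnant".ljust(SECTOR_SIZE, b"\x00"))
    with tempfile.TemporaryDirectory() as d:
        src, img = os.path.join(d, "evidence.dd"), os.path.join(d, "image.dd")
        with open(src, "wb") as f:
            f.write(sample)
        record = acquire_and_verify(src, img)
        with open(img, "rb") as f:
            record["remnant_preserved"] = b"deleted remnant" in f.read()
    return record
```

On a real device the source would be opened read-only behind a write blocker, and both hashes would be recorded in the acquisition log so the image can be re-verified before analysis and again in court.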
