Computer forensics is the use of investigation and analysis techniques to gather and preserve evidence from a particular computing device in a manner that is presentable in a court of law. The aim of computer forensics is to carry out a structured investigation while maintaining a documented chain of evidence, so as to establish what actually happened on the computing device and who was responsible for it. Forensic investigators normally follow a structured sequence of steps: once the machine is physically isolated to ensure that it cannot be contaminated unintentionally, investigators create a digital duplicate of the machine’s storage media. After the original media has been duplicated, it is kept in a safe or another secure facility so that its pristine state is preserved. The entire investigation is carried out on the digital duplicate.
To inspect the duplicate, investigators use a wide range of techniques and proprietary forensic software to search hidden folders and unallocated disk space for copies of deleted, encrypted, or damaged files. Any evidence found on the digital duplicate is carefully documented in a findings report and verified against the original in preparation for legal proceedings, which may include discovery, depositions, or actual litigation. Computer forensics is its own area of expertise, with associated coursework and certification. Forensic tools are used to perform the investigation, and each tool has its own function in the overall process. Among them is Guymager.
Guymager is a forensic tool used for media acquisition. It can examine all disks attached to the target device and the devices under scrutiny. Every local hard disk is identified by its serial number, model, and manufacturer. Guymager can also acquire an image of the disk and clone the disk, so that a duplicate of the original machine’s storage can be viewed without altering or overwriting the data. For the duplicated disk, Guymager presents a default set of fields to complete, such as case number, evidence number, examiner’s name, and a description of the machine. Guymager supports all major acquisition formats, such as dd, EnCase, and AFF. It is included on live CDs such as FCCU, GRML, CAINE, DEFT, DFLCD, PeriBR, Matrius, Forelex and forens*nix. I chose the DEFT Live Boot CD because it has different applications such as accessories, disk forensics, network forensics, sound & video, system tools, and preferences. Under disk forensics, Guymager launches into the acquisition process. To start the acquisition, “Acquire Image” allows the image to be obtained, with another dialog to fill in the details of a new case.
In addition, Guymager has a number of benefits: First, it has a simple user interface that is available in several languages. Secondly, it is not difficult to run Windows tools under Linux. Thirdly, it employs multi-threading and multi-threaded data compression for the imaging procedure. Lastly, it can generate flat (dd), EWF (E01) and AFF images and supports disk cloning. On the other hand, Guymager cannot view the image after acquiring it to the local hard disk drive. Paraben’s P2 Explorer Free edition is able to mount the image, although the program cannot view or examine all of its content.
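The acquisition workflow described above (read the source once, write a bit-for-bit copy, hash the source and the copy independently, and record the case number, evidence number, examiner and description), as an added Python example that is not Guymager's own code; the source device, case values and sample media are constructed placeholders:

```python
import hashlib
import os
import tempfile

# Added example (not Guymager's code): the acquisition workflow the text
# describes, done the way a forensic imager does it: read the source once,
# write a bit-for-bit copy, hash both independently, record the case data.
CHUNK = 1024 * 1024  # 1 MiB blocks so large media never has to fit in RAM


def acquire_image(source_path, image_path, case_info):
    """Copy source_path to image_path block by block, hashing the source
    as it is read. Returns an evidence record carrying both hashes."""
    src_hash = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)
            dst.write(block)
    # The verification hash is taken by re-reading the file written to
    # disk, not from the bytes held in memory, so a write error is caught.
    img_hash = hashlib.sha256()
    with open(image_path, "rb") as img:
        for block in iter(lambda: img.read(CHUNK), b""):
            img_hash.update(block)
    record = dict(case_info)          # case no., evidence no., examiner, ...
    record.update(source=source_path, image=image_path,
                  size=os.path.getsize(image_path),
                  sha256_source=src_hash.hexdigest(),
                  sha256_image=img_hash.hexdigest())
    record["verified"] = record["sha256_source"] == record["sha256_image"]
    return record


def demo():
    """Image a constructed sample 'disk' (stands in for a device path)."""
    work = tempfile.mkdtemp()
    disk = os.path.join(work, "sdb.raw")
    with open(disk, "wb") as f:       # constructed media: 3 MiB + 511 bytes
        f.write(b"MBR" + os.urandom(3 * CHUNK + 508))
    case = {"case_number": "CASE-0001", "evidence_number": "E-01",
            "examiner": "J. Doe", "description": "laptop HDD (constructed)"}
    return acquire_image(disk, os.path.join(work, "sdb.dd"), case)


if __name__ == "__main__":
    rec = demo()
    print("verified:", rec["verified"], rec["sha256_image"])
```

The returned record is what a findings report needs beside the image: a real acquisition would additionally open the source device read-only (or behind a write blocker) and store the record alongside the image file.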
Another tool that is essential in computer forensics is Live View. It is a distinctive tool that belongs in every forensic investigator’s arsenal. Live View differs from other tools that assist in extracting information from raw disk images: it converts the raw disk image into a form that is bootable via VMware, while preserving the integrity of the disk image in a forensically sound way. Live View is very helpful because, from the beginning, the conventional line of thinking has been not to boot the system under investigation. This tool lets the investigator work from a duplicate of the disk and boot it virtually on their own forensic workstation without compromising the integrity of the data. Since VMware only changes its own VMware-specific data files and not the original raw disk image, the tool can be used while maintaining the integrity of the disk duplicate, so it is not necessary to create copies of the copy for temporary use.
There are several benefits to being able to boot into an imaged system. First, the investigator learns how the user actually used the computing device. Personal preferences, display settings, and related customizations are unlikely to be seen through the usual investigative model of file-system searches, directory listings, data carving, and the like. Second, the investigator gains insight into the user’s thought process, which may offer clues on where and how to look for related information. Several things are much faster to explore from a live system in order to find out whether interesting information is present. A leading example is the Windows Event Viewer: the investigator can easily view the logs in their native environment instead of carving them from a disk image and importing them into a live system.
The tool itself is only a few hundred kilobytes, although it requires a working copy of VMware Workstation or Server even to launch. This can make it hard to deploy in a rapid-response setting, as a suitable version of VMware Server is approximately 150MB. In addition, it is not easy to load proprietary image formats like EnCase. When the default administrator account is disabled and the user’s account has a strong password, it will be very hard for the investigator to log in once the system is booted. The investigator will need to obtain information about the passwords or crack the user’s password in order to gain access to the system.
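How a raw image can be booted without being modified, as an added Python example that is not Live View's code: it writes a VMware descriptor whose only extent is the dd file itself, plus the disk section of a .vmx in non-persistent mode so guest writes go to VMware's own redo log; the descriptor layout and disk geometry it emits are assumptions, and the sample image is constructed:

```python
import os
import tempfile

# Added example (not Live View's code). The raw image is never converted or
# copied: a VMware descriptor names the dd file as its single flat extent,
# and the .vmx marks the disk non-persistent so every guest write lands in
# a VMware redo log and the image stays pristine. Descriptor layout and
# geometry (monolithicFlat, 16 heads, 63 sectors/track, IDE) are assumed.
SECTOR, HEADS, SPT = 512, 16, 63


def flat_vmdk_descriptor(image_name, image_size):
    """Return VMDK descriptor text with the raw image as one flat extent."""
    if image_size % SECTOR:
        raise ValueError("raw image is not a whole number of sectors")
    sectors = image_size // SECTOR
    cyl = max(1, sectors // (HEADS * SPT))
    return "\n".join([
        "# Disk DescriptorFile", "version=1", "CID=fffffffe",
        "parentCID=ffffffff", 'createType="monolithicFlat"', "",
        "# Extent description", f'RW {sectors} FLAT "{image_name}" 0', "",
        "# The Disk Data Base", "#DDB", 'ddb.adapterType = "ide"',
        f'ddb.geometry.cylinders = "{cyl}"', f'ddb.geometry.heads = "{HEADS}"',
        f'ddb.geometry.sectors = "{SPT}"', 'ddb.virtualHWVersion = "4"', ""])


def vmx_disk_lines(vmdk_name):
    """Disk section of a .vmx; non-persistent mode is what protects the image."""
    return "\n".join(['ide0:0.present = "TRUE"',
                      f'ide0:0.fileName = "{vmdk_name}"',
                      'ide0:0.mode = "independent-nonpersistent"', ""])


def wrap_image(image_path):
    """Write <name>.vmdk and <name>.vmx next to the dd image (which is only
    stat'ed, never opened for writing); return the two paths."""
    base, _ = os.path.splitext(image_path)
    with open(base + ".vmdk", "w") as f:
        f.write(flat_vmdk_descriptor(os.path.basename(image_path),
                                     os.path.getsize(image_path)))
    with open(base + ".vmx", "w") as f:
        f.write(vmx_disk_lines(os.path.basename(base) + ".vmdk"))
    return base + ".vmdk", base + ".vmx"


def demo():
    """Wrap a constructed 4 MiB 'image' (stands in for an acquired dd file)."""
    image = os.path.join(tempfile.mkdtemp(), "evidence.dd")
    with open(image, "wb") as f:
        f.write(b"\0" * (4 * 1024 * 1024))   # constructed, all-zero media
    return wrap_image(image)
```

Hashing the dd file before and after the virtual machine has run is the check that confirms the non-persistent setup held, and a real boot also needs the rest of the .vmx (memory, guest OS type) that this fragment leaves out.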
The forensic tools discussed above are essential assets for Windows forensic investigation. Each of these tools is valuable on its own, but when combined they form a comprehensive way to safely acquire data from a compromised Windows computer. Because of the “quiet”, hands-off nature of these tools, they can be used safely by the forensic examiner without fear of unwanted repercussions. These tools are also designed and distributed as open source, so the ability to modify a tool to fit the specific needs of a given situation is a great asset to any forensic examiner. Overall, these tools are mandatory for any examiner’s Windows investigation toolkit.