In the world of digital Forensic IT, the well prepared investigator needs a forensic toolkit. The tools that this person will use will help her or him gather evidence of white collar crime or fraud, document the evidence of the occurrence, and, perhaps, place that investigator on the witness stand for expert testimony in what ever legal proceedings come out of the process. The tools used by these investigators are primarily software tools, though there are a few hardware considerations as well.
The basic computer forensic toolkit will probably be contained on a CD or DVD and be presented primarily in a word processing format. Any computer forensic investigation produces a mammoth amount of paperwork, since the goal of the investigation is to document absolutely everything that is found. These toolkit CD’s are designed to supply the investigator with tried and true forms and templates that will allow to investigator to document everything that is found. They also serve as an effective check list to aid the investigation team in ensuring that no step is missed and that everything is done in the correct order.
Another major component of the toolkit will be templates and tools to assist in the presentation of the findings of the investigation to management. It is vital that all findings be reported in a manner that is professional, unbiased, complete, and scientifically sound. This is the end product of the investigation, and what management sees as being what they paid the investigators to actually do. This reporting may also end up being the basis (and exhibits) of the legal proceedings that may arise from the process, so it is vital that these reports and presentations be accurate, clear, and completely aligned with the law.
The main non software tool that is used in a computer forensic toolkit is an imaging device. Making an exact image of the hard drive (or other storage medium) of the computer is the most common first step in the capture of data. It is absolutely required that a “clean” copy of the computer’s memory and stored data be in place, so that the investigators are sure that they are looking at and analyzing the data in the same precise pattern in which it occurs on the computer in question. There are many brands of device available, and they all have the same basic function.
First, these devices must make an exact copy of the data. Secondly, the usually perform the copy at the sector level of the disk as a bit stream process (as opposed to a simple file copy process). This method makes a more complete and accurate copy of the data, which, in turn, allows for a more thorough and accurate analysis.
by Louis ZW Zhang from ArticleFactory