Friday, February 6, 2015
Belkasoft Evidence Center
Description
Belkasoft Evidence Center is a comprehensive suite that allows the investigator to search, analyze and store information gathered in an investigation. The suite is focused on reading dumps, such as mobile and Windows memory dumps.
Review
The program provides a very easy to use interface and robust features. I was not able to do an extensive test due to the license limitations (demo mode).
The program did not work as expected. I was not able to read the memory dump using this program. I would suggest using a different tool for memory dumps.
Pros
The interface was very clean and easy to navigate.
The program includes wizards which h
Cons
The program did not read the dump. It tried to open the file but was unable to display anything. I tried different views and settings but ended with the same results.
Usage
After capturing the memory dump, I attempted to use this program to read it.
I selected my dump file and pressed Next.
The next screen did not provide any information about the dump. I tried selecting different views and folders, but without any success.
This program did not work. I do not know if it was due to it being in 'Demo' mode or a different reason.
I would suggest using a different memory dump tool.
Resources
Belkasoft Evidence Center can be found at:
http://belkasoft.com/en/ec
Belkasoft Live RAM Capture
Description
Belkasoft Live RAM Capture dumps the volatile memory of a system.
Belkasoft RAM Capturer offers forensic specialists the ability to take snapshots of the computer’s volatile memory (memory dumps) even if an anti-dumping protection is active. The supplied kernel-mode driver can successfully capture memory content of applications protecting their working set against dumping, including chats occurring in Karos and other MMORPG games.
Review
The program was very easy to download, install and run. I found it to be overall OK, but would recommend using other solutions.
Pros
It was very easy to use; it has a wizard which guided me through the process.
Cons
After creating the memory dump, it wanted me to download another program (Belkasoft Evidence Center) in order to read the dump.
Before allowing me to download the program, it wanted to gather information such as my name and email address. After I entered the information, the download link was sent to my email. I found this process very annoying. I will have to add them to my spam filter, because we all know what is coming.
Usage
Using a Windows 8.1 machine, I dumped the memory and analyzed the contents.
I downloaded and extracted the program.
After running the program, it produced a dump file with a .mem extension.
After the file was created it asked me to download Belkasoft Evidence Center in order to view the dump.
Please see the Belkasoft Evidence Center entry above.
Resources
http://belkasoft.com/en/
Autopsy
Description
Autopsy is a GUI version of The Sleuth Kit and assists with a forensic investigation. It was created with the principles of being extensible, supporting frameworks and being easy to use. The program attempts to gather as much information as possible about the given file or folder.
Review
I found the program very easy to use, but it lacked some core functionality.
Pros
The program includes an easy-to-use interface with a starting wizard which helps the user through the different menus.
It was able to scan my iPhone backup with ease and gather basic information about it.
The program is free and it did not appear to have any kinds of limitations.
Upon finding pictures, it was able to show the metadata such as which device took the picture, latitude, longitude and altitude.
Cons
The program was easy to use but did not allow the amount of control that I would like. It was limited to using a wizard.
The program did not extract as much information as I would have liked. The only thing that the program was able to find was pictures.
Usage
Using Autopsy I wanted to gain as much information as possible about my iPhone backup. I followed the wizard and documented the results below.
1. Open the program and create a new case.
2. New case information screen: enter a case name and location.
3. Additional information: enter the case number and examiner, then click 'Finish'.
4. Add Data Source: from the drop-down menu select Logical Files.
5. Add the data source. This is where I added my iPhone backup.
6. Click Next, Next, then Finish.
Autopsy will begin to gather as much information as possible about the folder it was given (the iPhone backup folder).
My iPhone backup was about 1.3 GB and took about 4 minutes to complete.
NOTE: The iPhone backup was not encrypted.
After completing, it was only able to find the photos stored in the backup.
As the screenshot shows, it was able to find the photos in the backup along with information such as the creation date, latitude, longitude, altitude, device model and device maker.
This information could be used to establish the time and place of an individual.
Resources
The Autopsy program can be found for free at the following URL:
http://www.sleuthkit.org/autopsy/
HashMyFiles
Description
HashMyFiles is a Windows application that allows the user to import files and generate different file hashes, including MD5, SHA1, CRC32, SHA-256, SHA-512 and SHA-384.
When working on any type of forensics case, it is best practice to hash the files upon receiving them. This hashing provides a baseline for each file. If the files are changed at any point in time, they can be rehashed and compared to the original hash. If the hashes are equivalent, the files have not been modified. If the hashes are different, the files have been modified.
Review
The tool only makes basic hashes and includes limited functionality. It is great for generating hashes but little else.
Pros
Using a tool such as HashMyFiles generates more than one kind of hash. Although rare, it is possible to have a hash collision (the contents have been modified but generate the same hash). This program uses several algorithms when hashing to ensure there are no collisions.
The program is very straightforward and easy to use. The user is able to import files by using the included import options or by dragging the files into the program.
The program includes the option to export the list of hashes as either a .txt or .html file. These files can be saved in order to be compared against later.
Cons
The output files are not very useful for anything other than looking at. They are either text or html. It should have included a file format that could have been parsed, such as csv.
The program could be greatly improved by including the ability to compare hashes from a previous time period to identify if there are changes.
Usage
The following is an example of how to use the basic functionality of the program.
Before analyzing my iPhone backup data, I wanted to hash the individual files to ensure the files were not modified in any manner.
1. Open the program
2. Add the iPhone backup folder
File -> Add Folders -> <select backup folder>
3. View the files and their associated hashes
4. Save the hashes as an HTML file
View -> HTML Report - All Items
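As an added example (not part of HashMyFiles or this post), here is the baseline-and-compare workflow the description and the cons above describe, in Python: several digests per file, a CSV baseline that can be parsed later, and a comparison that flags modified, added and removed files. The file names in the constructed sample are placeholders, not real backup contents.

```python
import csv
import hashlib
import io
import tempfile
from pathlib import Path

ALGORITHMS = ("md5", "sha1", "sha256")  # several at once: a change must collide in all to go unnoticed

def hash_file(path, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Return {algorithm: hexdigest} for one file, read in chunks so large dumps fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def hash_tree(root, algorithms=ALGORITHMS):
    """Hash every regular file under root, keyed by path relative to root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p, algorithms)
            for p in sorted(root.rglob("*")) if p.is_file()}

def write_baseline(tree, algorithms=ALGORITHMS):
    """Serialise a hash tree as CSV text: parseable later, unlike an HTML report."""
    writer = csv.writer(buf := io.StringIO())
    writer.writerow(("path", *algorithms))
    for rel, digests in sorted(tree.items()):
        writer.writerow((rel, *(digests[a] for a in algorithms)))
    return buf.getvalue()

def read_baseline(text):
    """Parse write_baseline() output back into {path: {algorithm: hexdigest}}."""
    return {row.pop("path"): row for row in csv.DictReader(io.StringIO(text))}

def compare(old, new):
    """Return (modified, added, removed); a file counts as modified if ANY digest differs."""
    modified = sorted(p for p in old if p in new and old[p] != new[p])
    return modified, sorted(set(new) - set(old)), sorted(set(old) - set(new))

def demo():
    """Constructed sample data: baseline a folder, tamper with one file, add another."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Info.plist").write_bytes(b"<plist>constructed sample</plist>")
        (root / "Manifest.db").write_bytes(b"SQLite format 3\x00constructed")
        baseline = write_baseline(hash_tree(root))  # saved at acquisition time
        (root / "Manifest.db").write_bytes(b"SQLite format 3\x00tampered")
        (root / "extra.log").write_bytes(b"appeared later")
        return compare(read_baseline(baseline), hash_tree(root))
```

Running demo() reports Manifest.db as modified and extra.log as added, while the untouched Info.plist is not flagged.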