As a result, we will start anew with Kali and I’ll try to develop this series in a logical and sequential manner that a forensic investigator would follow. I will also include units in here on anti-forensics, or ways you can stymie the forensic investigator.
Although I know you are all anxious for me to show you how to evade detection, you first need some background in the tools and techniques of the forensic investigator. Without that background information, you will be left at the whim of ever-changing and improving forensic techniques. Only by understanding the tools and techniques of the forensic investigator can you stay ahead of the game and, more importantly, stay out of custody.
Kali Forensic Tools
Kali has a number of forensic tools built into its toolbox. Although many of the tools in Kali are outstanding, there are many more forensic tools available, and I will not limit myself to those included in Kali; we will, however, start with these.
We can find those tools at Kali Linux -> Forensics.
- Anti-Virus Forensic Tools
- Digital Anti-Forensic Tools
- Digital Forensics
- Forensic Analysis Tools
- Forensic Carving Tools
- Forensic Hashing Tools
- Forensic Imaging Tools
- Forensic Suites
- Network Forensics
- Password Forensics Tools
- PDF Forensic Tools
- RAM Forensic Tools
Each one of these areas includes multiple tools for doing similar tasks. I will try to demonstrate the best tools and include the theory behind the techniques.
Commercial Forensic Tools
There are a large number of companies that produce commercial forensic tools, primarily for law enforcement use. The two dominant players are EnCase and the Forensic Toolkit (FTK). These forensic suites tend to be all-encompassing, with tools for all types of cases and investigations. In addition, they have case management and reporting capabilities that go far beyond those of the open-source tools.
Areas That We Will Address Here
In the real world (anyone ever been there?), Linux systems are the attackers and Windows systems are the victims. As a result, we will focus our attention on understanding what artifacts the attacker (us?) might leave behind on a Windows system.
To benefit from these discussions and tutorials, I have to assume that you have functional Linux knowledge and skills, a good understanding of TCP/IP and networking, and reasonable Windows skills. In addition, to grasp the work of the forensic investigator, you will need to understand the fine-grained anatomy of a Windows filesystem (usually NTFS) and the Windows registry.
Few hackers, and for that matter few system admins, have that deep an understanding of NTFS and the registry, so I will devote separate tutorials to those two subjects.