Network Forensic Tools

We tested a range of investigative tools, from full-featured remote image acquisition products to specialized apps that can dig deep into text or mail stores. Find out which ones will

December 3, 2004

Network Computing

• Stage 1: Network-capable initial analysis products for first responders, such as Guidance's EnCase Enterprise Edition and Technology Pathway's ProDiscover. These two products can acquire drive images remotely in a live environment, and their use eliminates the need for the Stage 2 tools.

• Stage 2: Primary analysis and drive-image acquisition. This stage usually entails obtaining the hard disk of a suspect machine and investigating it in a controlled (not live) environment. AccessData Forensic Toolkit, EnCase Forensic Edition and the open-source Sleuth Kit fit this stage. Any one can be used as the primary investigative tool in environments that don't require a network-capable acquisition application. All these products can acquire a full sector-by-sector drive image of any hard disk under investigation; additional sleuthing functionality varies by application.

• Stage 3: Fine-grained keyword searches through disk or partition contents, e-mail-specific searches or Internet history analysis. Paraben's NetAnalysis, E-Mail Examiner and Network E-Mail Examiner, and dtSearch's dtSearch excel here. These tools operate on disk images created by any of the applications from Stages 1 or 2.

Vendors at a Glance

Environmental Factors

The applications you select will depend on your environment and the types of incidents you expect to deal with. It's a good idea to have a primary forensic tool that's supplemented with specialized applications. For example, text searches using the Stage 1 products EnCase Enterprise or ProDiscover failed to find text embedded in common formats, such as PowerPoint and Adobe PDF files. Fortunately, ProDiscover is relatively inexpensive, and even shops with small budgets could afford supplemental tools.

Obviously, if your company can afford all the bells and whistles of EnCase Enterprise, it should be on your shortlist. Guidance Software's combination of client state monitoring and network-capable forensic-image acquisition lives up to its everything-but-the-kitchen-sink reputation. But keep in mind that even the enterprise-network-capable products we looked at require other tools for a thorough investigation.

With remote functionality, a first responder can create an image of an affected system without having to shut down or transport the computer in question. Two of the products we tested can do this: EnCase Enterprise and ProDiscover. Of the two, EnCase Enterprise has the more polished interface, and the functionality to match, but, again, the cost may be prohibitive--$98,500 as tested. ProDiscover does just enough to be useful as a remote image-acquisition tool, without EnCase Enterprise's automated incident alert or advanced scripting functionality, and at $2,995, it's a fraction of EnCase Enterprise's price. Both tools claim to be able to remotely image any Windows file system, as well as Linux and Solaris file systems. Our tests included the remote acquisition of both FAT and NTFS Windows file systems.

If network drive preview and image acquisition aren't necessary, EnCase Forensic Edition or AccessData Forensic Toolkit can serve as your initial image-analysis tool. Supplement them based on your network configuration: Paraben's Network E-Mail Examiner, for example, is of no value in a Unix environment, but it's a necessity for Exchange users. If you are a Unix shop, Sleuth Kit is the answer.

Of course, even the best tool is useless if first responders and incident investigators aren't properly trained. In "CSI: Enterprise" (page 32), we outline steps for building an incident-investigation team with the expertise to secure your business and minimize risk--more important than any application.

A first responder--the first person to identify and access a system involved in an incident--must be aware of the importance of preserving evidence. Under no circumstances should a first responder modify, delete or change data on the evidentiary system. This is where the network-capable features of the products we tested are valuable. Note: All product write-ups are listed alphabetically. Our features chart on page 50 gives a summary of each product's capabilities.

Guidance Software EnCase Enterprise Edition 4.19

Any investigation begins with discovery and analysis of the incident. EnCase Enterprise Edition can do both: Guidance markets its enterprise product as an intrusion-detection system as well as an incident-response tool. EnCase Enterprise monitored the known-good state of our networked clients and automatically created a preview image of any system that changed from its established state. This was all done through hash verification of files installed on the network clients. Additionally, we could configure EnCase Enterprise to remove any suspicious services or programs on client machines automatically.
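The file-hash baseline that EnCase Enterprise uses for its known-good monitoring is simple enough to show in code. The following is an added example written for this review, not Guidance's code: it records a SHA-256 for every regular file under a directory, re-walks the tree later and reports what was added, removed or modified, which is the trigger for pulling a drive preview. The directory layout, the file contents and the name keysnatch.exe are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 16  # hash in 64 KiB blocks so large binaries never sit in memory


def sha256_file(path):
    """Chunked SHA-256 of one file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def baseline(root):
    """Known-good state: relative path -> SHA-256 for every regular file below
    root. Symlinks are skipped so a link cannot masquerade as a monitored file."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            state[os.path.relpath(full, root)] = sha256_file(full)
    return state


def compare(known_good, current):
    """Diff two baselines. Returns (added, removed, modified) as sorted lists of
    relative paths; any non-empty list is reason to preview the client's drive."""
    added = sorted(set(current) - set(known_good))
    removed = sorted(set(known_good) - set(current))
    modified = sorted(p for p in known_good
                      if p in current and known_good[p] != current[p])
    return added, removed, modified


def demo():
    """Constructed client tree (not a real system): baseline it, then simulate
    an intrusion that trojans a binary, drops a keylogger and wipes a log."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "log"))
        files = {
            "bin/svchost.exe": b"original service binary",
            "bin/notepad.exe": b"unchanged editor",
            "log/security.log": b"logon events",
        }
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        known_good = baseline(root)

        # Simulated compromise: replaced binary, new file, deleted log.
        with open(os.path.join(root, "bin/svchost.exe"), "wb") as f:
            f.write(b"trojaned service binary")
        with open(os.path.join(root, "bin/keysnatch.exe"), "wb") as f:
            f.write(b"dropped keylogger")
        os.remove(os.path.join(root, "log/security.log"))

        return compare(known_good, baseline(root))


if __name__ == "__main__":
    added, removed, modified = demo()
    print("added:", added)
    print("removed:", removed)
    print("modified:", modified)
```

Keep the baseline store and the comparison on the examiner side, as EnCase does with its SAFE server, not on the monitored host: a hash comparison only tells you that files changed, and it tells you nothing if the intruder can also rewrite the baseline or stays entirely in memory.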

On the surface, having one application that both detects and responds to an incident makes sense. However, we think Guidance should separate the product into two offerings--one for IDS and one for response--or simply remove the incident-detection features and lower the price.

EnCase Enterprise Edition's as-tested cost includes one EnCase Examiner installation, the SAFE (Secure Authentication For EnCase) authentication server and an unlimited number of installed client servlets. It's a significant investment for organizations unsure of their forensic needs. The extra functionality is useful, but it would be better to have the option to acquire drive images remotely without the big price increase over Guidance's Forensic Edition product. While Guidance muddied the water by marketing the product as an IDS, it's still the single most useful application for investigators.

If cost is not a huge concern, there's a lot to love about this product. Any EnCase Enterprise installation is helped along by a dedicated Guidance Software sales engineer. Configured as directed, the EnCase client servlet should be installed on all the client machines on your network. This is a huge administrative task for an established enterprise-level network, but the functionality offered by this configuration will reduce time lost to frequent anomaly investigations.

The EnCase SAFE authentication server manages user and group access to any beginning or ongoing investigation. Before opening any case or communicating with installed client servlets, users must provide login credentials to the SAFE server over a connection encrypted with 128-bit AES. Authentication is based on a public-key cryptosystem, with public- and private-key verification between the SAFE server and the investigator's Examiner installation.

Configuring user roles and privileges wasn't difficult. We could assign role-based permissions to users or groups to access individual clients or ranges of client addresses. For our tests, we created both a primary investigator user as well as an assistant user with lesser privileges to access clients on our test network. In this environment, Encase Enterprise detected the KeySnatch Trojan running on one of our clients and automatically provided a preview of the infected drive. As configured, our assistant user could assess the drive preview to verify the findings, while only the primary user could delete the Trojan file. In an actual incident, this role separation allows more granularity in responsibility and response, which can reduce the time and interruption caused by initial investigation.

By previewing the system, we could perform cursory investigation or navigation of a remote drive without creating an entire drive image, as if we had mounted the entire remote drive as a network share. All services and processes running on the remote machine can be viewed and assessed. We detected and removed a Trojan servlet running on the client machine, though EnCase Enterprise can be configured to remove this type of file automatically upon discovery. The documentation is complete and mature, but we wish it were available under the help menu--an expected standard for most applications. Beyond the networking functionality, EnCase Enterprise has the same interface and feature set as the less-expensive Forensic Edition.

EnCase Enterprise Edition 4.19. Guidance Software, (626) 229-9191. www.guidancesoftware.com

Technology Pathways ProDiscover Incident Response 3.2

ProDiscover is a better choice for small and midsize businesses, mainly because of its $2,995 price, which includes one concurrent user on as many as three installed machines and an unlimited number of client agent installs. Our installation included the ProDiscover Investigator interface running on a Windows XP system, connecting to a remote client agent installed on a Windows 2000 Professional machine. We acquired images of the remote drive over a 100-Mbps LAN used only for this test.

ProDiscover can image a system remotely in proprietary mode or in "dd" format, which can be read by any forensic tool later in the investigation. We used the "dd" format most of the time so that the created images could be read by additional investigative tools. The ProDiscover interface is less daunting than the EnCase interface, because it simply does less--only what's needed for initial analysis of an affected system. Our biggest concern was a persistent network time-out we obtained initially in testing on the Windows XP platform; luckily, the release notes contained instructions on how to fix this. The company says an updated version of ProDiscover (3.5) will fix the problem and add significant functionality (it was released just as we were completing this article).

By default, network client machines don't have the ProDiscover client agent running continuously as a network service, so an initial investigation requires that the ProDiscover client CD be introduced to the suspect machine. ProDiscover comes with batch-file scripts to push the agent onto a target machine--but this modifies the drive contents of the machine in question. Because the client agent can run as a service on Windows machines, it's feasible to have it running on all your intranet clients ahead of time, as EnCase Enterprise does. However, we wish Technology Pathways would address this specific scenario clearly in its documentation, as modifying a target during an investigation is forensically unacceptable. With the agent preinstalled this way, we had no problems keeping it running on all our network clients throughout our tests, which let us preview them without further modification.

The filtering and scripting functions aren't as useful or robust as those in the EnCase suite; however, remotely acquiring an image worked to forensic standards, and we could open that image for analysis in a separate application. ProDiscover doesn't feel like it's undergone the same level of quality assurance as EnCase. For example, error messages are sometimes poorly written, and one of the dialog menus contains a misspelling, though none of these flaws prevented a complete product analysis.

ProDiscover Incident Response 3.2. Technology Pathways, (888) 894-5500, (619) 435-0906. www.prodiscover.com

On a live system, cursory analysis can be performed to determine whether continued investigation is needed, even without a network-capable enterprise forensic package. For this initial analysis, the investigator must use only trusted tools, because the programs and shared libraries on the evidentiary system may have been modified by the intruder. Typically, this means having an investigative CD ready for use: a read-only disc, built with initial analysis in mind, that carries known-good (ideally statically linked) tools for navigating a file system and for moving or copying files and drive images. Running from the CD keeps the tools themselves beyond the reach of the compromised system and avoids installing anything on the suspect disk. It does not freeze the machine, though: live commands still change volatile state (memory, timestamps, logs), so record every command run and when, and send output off the box rather than saving it to the evidentiary drive.

Once evidence has been identified and an initial analysis determines that more investigation is required, it's necessary to preserve the state of the data. How this is done depends on the type of investigation and the availability of investigative tools and applications. In a typical environment--that is, an organization without enterprise-level forensic investigation applications--physical access to the hard drive is required to create a hashed bitstream copy of the drive, partition or files involved. Under no circumstances should the data be altered; doing so may render the evidence inadmissible in court.

Once a bitstream copy of all data has been created, it must be verified for integrity. This is done by computing a hash (see "Slinging Hash: The Electronic Fingerprint" on page 52) of the original drive, data or files; creating a duplicate image of this data; then hashing the image to be certain it exactly matches the original hash. Any image created should be duplicated and archived on optical media in case the originals are damaged or destroyed, and the hashes should be recorded with the case notes so that any later copy can be verified against them.

The products reviewed below are for primary analysis and drive-image acquisition, and for performing an investigation in a controlled environment.

AccessData Forensic Toolkit

Although EnCase Forensic is the product most widely used by forensic investigators, it has strong competition from AccessData's Forensic Toolkit 1.50. Forensic Toolkit automatically retrieves and sorts deleted and partially overwritten files, just as EnCase Forensic does. However, the interface is more straightforward and easier to understand, especially for first-time users. It also has significantly more powerful and efficient text-search functionality, thanks to dtSearch Text Retrieval Engine integration. Integrating dtSearch eliminates the need to buy a separate text-search tool.

Although Forensic Toolkit file filtering isn't as customizable as EnCase Forensic's, added view filters make file viewing easier. Any time we added evidence to an open case within the program, the file was hashed for integrity and indexed for searching automatically. We love that it completed these two steps simultaneously, saving time. Our only complaint was with the progress reporting for this initial hash computation and index creation. Hashing and indexing large disk images can take a long time, and while Forensic Toolkit reports elapsed time, the program doesn't report remaining time or even provide a status bar for estimating time remaining. This is aggravating when opening a disk image; if an operation may take all day or night, some notice should be provided. Additionally, Forensic Toolkit would benefit from more powerful script-based file viewing and acquisition, similar to that in EnCase Forensic. Overall, however, Forensic Toolkit approaches EnCase Forensic in functionality, and it deserves to be considered as a primary investigative tool.

Forensic Toolkit. AccessData Corp., (801) 377-5410. www.accessdata.com

Guidance Software EnCase Forensic Edition

EnCase Forensic Edition is widely recognized as the gold standard for forensic investigation and comes highly recommended for the first step in any full system analysis.

Its interface is nearly identical to that of Guidance's Enterprise Edition package, without the remote capabilities and network functionality. EnCase Forensic can perform a sector-by-sector acquisition of a hard drive and identify orphaned or deleted files still on it, including partially overwritten files (a deleted file's contents remain readable until the space it occupied is reused; only overwriting makes it inaccessible by standard means), bad sectors and slack space. Because of the product's strength in this area, we recommend that even images obtained with the conventional Unix "dd" utility be examined with EnCase Forensic prior to additional investigation.

If you need to conduct an investigation with a single tool, EnCase Forensic Edition might be that tool. Its filtering was fast and intuitive once we'd conquered the selection interface, and the default filters are nearly complete. The application displayed all graphic files quickly in a simple gallery format, so finding unauthorized images was easy.

EnCase Forensic's scripting interface lets investigators fine-tune evidence collection--perhaps the product's best feature. An investigator we spoke with says he uses EnCase Forensic on every investigation for one 10-minute stretch, just to have access to its scripted filtering. In our test environment, we used a machine to gather documents and blueprint images as if we were stealing corporate information. We easily reduced an entire drive image down to only the relevant files by first running default file filters and then modifying the C-like scripts for those filters within EnCase Forensic's script-editing interface. Once evidence has been collected from an image within EnCase Forensic, it's ready for more thorough analysis with additional products.

EnCase Forensic's help documentation is excellent, but the real value lies in the user community--we found mailing lists and bulletin boards active and the participants responsive. But we have a few complaints: EnCase Forensic has several long single-word list menus that should be alphabetized. When first learning to use the interface, it's difficult to find certain functions. Trivial? Yes, but so is the development time necessary to correct this shortcoming. Additionally, working with files through the selection interface can be confusing; the tutorial given by the sales engineer during the Enterprise Edition install helped us, but EnCase Forensic doesn't come with an in-person training session. Further, EnCase Forensic's text search supports hundreds of character sets, but we'd have used it more if it were even half as efficient as more specialized applications, such as dtSearch. The Internet History reporting falls short as well--the format isn't easy to read, nor can it be quickly and accurately analyzed for specific data. For this, we like Paraben's NetAnalysis. An ideal incident-response implementation of EnCase Forensic requires several other forensic applications to be truly complete.

EnCase Forensic Edition. Guidance Software, (626) 229-9191. www.guidancesoftware.com

Sleuth Kit 1.72

Several free tools available under the GPL in the Sleuth Kit 1.72 package can perform initial analysis of data on a suspect system. Maintained by Brian Carrier, Sleuth Kit is a collection of command-line investigative tools that can analyze FAT, NTFS, UFS, EXT2 and EXT3 file systems. Sleuth Kit runs only on Unix--including Linux, BSD, Apple OS X and Sun Solaris--so familiarity with a Unix command-line environment is a must.

Many of the tools included in Sleuth Kit are counterparts to common Unix utilities, modified to operate on a raw image outside the logical file system. They include "ffind" and "ifind," which map between file names and the metadata (inode) structures that own a given data unit, so that a name or owner can be found for data sitting in unallocated space; "dcalc," which translates an address in a "dls" unallocated-space extract back to its location in the original image, to show where a recovered fragment came from; and "dcat," which dumps the raw contents of any data unit whether or not a file system still references it. All the included utilities let us perform the same investigative functions as the Windows applications reviewed, but the command-line interface was daunting at first. There is a Web front end for Sleuth Kit, called Autopsy, but the interface feels underdeveloped and the case-management features are not as advanced as those in the commercial packages we looked at. For example, text-field input validation didn't stop us from stumbling into a couple of errors. Still, the price is right, and if you're an open-source house, chances are you're familiar with the rough-around-the-edges style of applications in active development.

That said, don't let the open-source nature of this package scare you. Sleuth Kit has been in use by professional forensic investigators for some time. Despite our misgivings about Autopsy, we recommend that you get familiar with the Sleuth Kit suite, especially for instances where the system being investigated is a production Linux/Unix server that can't be taken offline for initial analysis. The various tools, when compiled as statically linked binaries, can be run off of a CD, redirecting all output to a program (netcat) listening on a separate machine. Although this isn't as pretty a package as ProDiscover or EnCase Enterprise, it does the job and should fit well in shops that are already familiar with Linux/Unix utilities.

As with many active open-source projects, resources and information are easy to come by, and the help documentation is actually helpful. Sleuth Kit even publishes a newsletter containing useful technical instruction.

Sleuth Kit 1.72. www.sleuthkit.org/sleuthkit/index.php

No single application performs well enough across the board to execute every investigative task. Once initial analysis with one of the previously described forensic packages has been performed, a complete, specialized investigation can begin. This will typically consist of a more substantial keyword search through the disk or partition contents, e-mail-specific searches or Internet history analysis. For instance, if we suspected that an employee downloaded illegal files or restricted information from the Internet, an Internet history search would be a good start. If an employee may have sent proprietary intellectual property to a competitor, a search through all available e-mail records and mailboxes would be in order. Depending on the type of file in question, there are several different search tools available to do the job.

dtSearch Desktop 6.4

For combing through large amounts of data, dtSearch 6.4 leads the market with support for more than 250 file types. Huge collections of files can be searched quickly once a document index has been created. In dtSearch parlance, an index is a database that records every word in a collection of documents and each location where that word occurs. Results are listed and highlighted with their exact locations, and they can be exported to a format recognized by Microsoft Excel for reporting.

Indexing made searching through gigabytes of data extremely fast, but we found that initial creation of a document index can take a very long time--several days in some cases, depending on the amount of data on the disk. Although document indexing increases the speed and efficiency of any search, it's not required for dtSearch to operate. In a forensic investigation, though, it's typical to create an index, because the image being searched will not change or be modified, so there's no need for the flexibility of unindexed searching. With dtSearch, text can be found in almost any type of file, including Adobe PDF and compressed files. The only application we reviewed that integrates dtSearch is AccessData's Forensic Toolkit; if that's not one of your incident-response applications, dtSearch Desktop is a necessity.

dtSearch Desktop 6.4. dtSearch, (301) 263-0731. www.dtsearch.com

Paraben NetAnalysis 1.34

Developing an initial profile of general computer activity can be daunting at first, but Internet history is an excellent starting point. Paraben's NetAnalysis can extract history files from a drive image created by any of the acquisition and analysis products above. We love this tool. It searched our entire image, not just the logical file system, so even deleted history files could be recovered if they hadn't been overwritten. This is imperative, as clearing the browser cache and history is often the first step taken by a perpetrator.
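What NetAnalysis, Sleuth Kit and dtSearch have in common is that they read the raw image rather than the mounted file system, so evidence in unallocated space, slack space or a deleted history file is not missed. As an added example (not code from any of the vendors reviewed), the following Python searches a dd-style image for byte patterns, reports each hit by byte offset and 512-byte sector, and handles hits that straddle read boundaries, which is the mistake a naive chunked search makes. The 16-sector image, the URL, the keyword and the JPEG header it plants are constructed for the demonstration.

```python
import os
import tempfile

SECTOR = 512


def search_image(path, patterns, chunk_size=1 << 20):
    """Scan a raw (dd-style) image for byte patterns without going through a
    file system driver, so hits in slack space, unallocated clusters and
    deleted files are reported just like hits in live files.
    Returns a list of (pattern, byte_offset, sector) sorted by offset."""
    pats = [p if isinstance(p, bytes) else p.encode() for p in patterns]
    # Carry the last len(longest)-1 bytes of each chunk forward so a hit that
    # straddles a chunk boundary is still found.
    overlap = max(len(p) for p in pats) - 1
    hits = []
    tail = b""
    consumed = 0  # image offset of the first byte of the next chunk
    with open(path, "rb") as f:
        while True:
            data = f.read(chunk_size)
            if not data:
                break
            buf = tail + data
            buf_base = consumed - len(tail)
            for p in pats:
                i = buf.find(p)
                while i >= 0:
                    # A hit lying entirely inside the carried-over tail was
                    # already reported while scanning the previous chunk.
                    if i + len(p) > len(tail):
                        off = buf_base + i
                        hits.append((p, off, off // SECTOR))
                    i = buf.find(p, i + 1)
            consumed += len(data)
            tail = buf[-overlap:] if overlap else b""
    hits.sort(key=lambda h: h[1])
    return hits


def build_sample_image(path):
    """Write a constructed 16-sector image (not a real disk). Sector 3 holds a
    'deleted' history entry, sector 10 the start of a JPEG, and a keyword is
    placed at offset 997 so it straddles a 1000-byte read boundary."""
    img = bytearray(16 * SECTOR)

    def put(offset, data):
        img[offset:offset + len(data)] = data

    put(3 * SECTOR, b"http://example.test/deleted-history")
    put(997, b"blueprint")
    put(10 * SECTOR + 100, b"\xff\xd8\xff\xe0\x00\x10JFIF\x00")
    with open(path, "wb") as f:
        f.write(img)


def demo():
    """Build the sample image in a temp directory and search it with a
    deliberately small chunk size to exercise the boundary handling."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.dd")
        build_sample_image(path)
        return search_image(path, ["http://", "blueprint", b"\xff\xd8\xff\xe0"],
                            chunk_size=1000)


if __name__ == "__main__":
    for pattern, offset, sector in demo():
        print(f"{pattern!r} at byte {offset} (sector {sector})")
```

A hit's sector number is what you then feed to a tool such as Sleuth Kit's "ifind" to learn which file, if any, still owns that data unit; the search itself deliberately knows nothing about the file system.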

NetAnalysis' history extractor collected all available Internet history files and displayed them in a hierarchical structure, with access times and dates listed for each. NetAnalysis also can show just the Internet hosts accessed in a separate frame; selecting one displays all associated URLs. Several built-in filters will automatically display potential illegal activity, including pornographic or file-trading site access; filters also can list all Internet searches performed. This makes it easy to assess a general Internet use profile, in addition to a specific assessment of every single page loaded in the browser.

NetAnalysis stored collected history files in a SQL database and provided an exceptionally easy-to-use SQL query generation assistant for extended database searches. We could export reports of all history files, or filtered or tagged history files, in several different formats for custom reporting. In addition, several built-in report formats report only the Internet-history-related evidence in a case. The only problem we experienced was exporting filtered data to RTF--we had to restart the application to export different filtered lists correctly. In spite of this, we highly recommend NetAnalysis for any Internet history investigation.

Paraben NetAnalysis. Paraben Forensics. (801) 796-0944. www.paraben-forensics.com

Paraben E-Mail Examiner 4.01 and Network E-Mail Examiner 1.61

These two products from Paraben excel at searching through e-mail file formats. With E-Mail Examiner, we could collect and display the most common mailbox types and view the files without having the accompanying e-mail program to display them. For example, we viewed a collection of Microsoft Outlook mailboxes, fully formatted and intact, without a copy of Microsoft Outlook. This feature is useful, especially when you're dealing with several formats on a single case.

E-Mail Examiner can display all found files together regardless of format; even better, we were able to export all of them at one time into a single standard EML format. While we had the Microsoft Outlook mailboxes displayed, we were able to open and display a collection of Eudora and Netscape mailboxes correctly at the same time, in the same listed viewer. E-Mail Examiner also can extract all addresses from an entire mailbox and display mail headers individually in a separate tab for closer examination. We could modify view-filter scripts within the application, for custom filtered viewing or export. All mailbox formats can be exported to HTML or generic mail format for reporting as well, and you can set up the program to export messages individually, applying the file's MD5 hash as the file name. MD5 hashes are excellent file names when evidence is entered in court, because they let an untrained audience understand that each e-mail is a separate entity, even if several share a common subject line. (Two byte-identical copies of a message will hash to the same name, so the export should also record where each copy was found.)

E-Mail Examiner's export capabilities are its greatest attribute. Exporting multiple formats into a single accepted standard is valuable when searching through hundreds of gigabytes of mail; a more powerful search tool can then, if necessary, index the files.
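The per-message export with the MD5 hash as the file name is easy to reproduce for the open mbox format that many Unix mail clients use. The following is an added example, not Paraben's code: it writes each message in an mbox file as <md5>.eml, hashing the raw bytes as found in the mail store rather than a re-serialised copy, keeps a manifest tying each name back to its subject, Message-ID and position in the source, and re-hashes the exports to confirm the names still match. The three-message mailbox is constructed for the demonstration.

```python
import hashlib
import mailbox
import os
import tempfile

# Constructed sample mail store (not real mail). Two messages share a subject
# line, which is exactly the case hash-based names are meant to disambiguate.
SAMPLE_MBOX = b"""From alice@example.test Mon Jan  5 09:00:00 2004
From: alice@example.test
To: bob@example.test
Subject: Q3 blueprints
Message-ID: <1@example.test>

First draft of the plans.

From alice@example.test Mon Jan  5 09:05:00 2004
From: alice@example.test
To: bob@example.test
Subject: Q3 blueprints
Message-ID: <2@example.test>

Revised plans, please delete the earlier copy.

From bob@example.test Mon Jan  5 09:30:00 2004
From: bob@example.test
To: carol@competitor.test
Subject: FW: Q3 blueprints
Message-ID: <3@example.test>

See attached.
"""


def export_mbox(mbox_path, out_dir):
    """Write every message in an mbox file as <md5-of-raw-bytes>.eml under
    out_dir. Returns a manifest of (file_name, subject, message_id, mbox_key)
    so each export can be traced back to where it sat in the evidence."""
    box = mailbox.mbox(mbox_path, create=False)
    manifest = []
    try:
        for key in box.keys():
            raw = box.get_bytes(key)  # bytes as stored, without the 'From ' line
            name = hashlib.md5(raw).hexdigest() + ".eml"
            target = os.path.join(out_dir, name)
            if not os.path.exists(target):
                # A byte-identical duplicate maps to the same name; the
                # manifest still records its second location.
                with open(target, "wb") as f:
                    f.write(raw)
            msg = box[key]
            manifest.append((name, msg.get("Subject", ""),
                             msg.get("Message-ID", ""), key))
    finally:
        box.close()
    return manifest


def verify_export(out_dir, manifest):
    """Re-hash each exported file; True only if every name matches its content."""
    for name, _subject, _msgid, _key in manifest:
        with open(os.path.join(out_dir, name), "rb") as f:
            if hashlib.md5(f.read()).hexdigest() + ".eml" != name:
                return False
    return True


def demo():
    """Write the sample mbox to a temp directory, export it and verify."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "suspect.mbox")
        with open(src, "wb") as f:
            f.write(SAMPLE_MBOX)
        out = os.path.join(d, "export")
        os.mkdir(out)
        manifest = export_mbox(src, out)
        return manifest, verify_export(out, manifest)


if __name__ == "__main__":
    manifest, ok = demo()
    for name, subject, msgid, key in manifest:
        print(f"{name}  key={key}  {msgid}  {subject}")
    print("export verifies:", ok)
```

The manifest is the piece the export dialog of a GUI tool tends to leave implicit: without it, a directory of hash-named .eml files cannot be tied back to the mail store it came from.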

We didn't run into many problems during testing. However, the bookmark functionality could be better designed. Bookmarking an e-mail message immediately inserts you into the bookmark-view screen, which is annoying and interrupts workflow.

Paraben's Network E-Mail Examiner is not as similar to its E-Mail Examiner as one might assume. Network E-Mail Examiner reads only Microsoft Exchange and Lotus Notes mail storage formats. Here's where not requiring the original mail software becomes an absolute necessity. Setting up Microsoft Exchange just to search or view the associated EDB files would take more money and effort than is usually afforded most investigations.

An investigator we spoke with says he appreciates this feature, as he can't afford to take the time to set up accompanying applications, nor can he expect to have the hardware necessary to do so reliably available. We were able to load and view an entire Lotus Notes mail store, correctly formatted as if we had the Lotus application. For our tests, we filtered and displayed all messages from, to or containing the name of our fictional suspect out of a mail store containing approximately 2,000 messages.

Again, because of the difficulty of analyzing Lotus Notes and Microsoft Exchange files outside of their proprietary environments, export functionality is valuable. Network E-Mail Examiner can export entire mail stores into several different formats, including the standard EML format. The bookmark function of Network E-Mail Examiner lacks the annoying view adjustment we encountered in E-Mail Examiner, but help documentation was scarce and not very useful. Luckily, the application layout and display are straightforward and easy to understand. Both of these products have basic search functionality; their export functions are typically used in conjunction with a separate search application, such as dtSearch.

Paraben E-Mail Examiner 4.01. Network E-Mail Examiner 1.61. Paraben Forensics, (801) 796-0944. www.paraben-forensics.com

Marisa Mack is a security consultant for Neohapsis, a Chicago-based security consulting firm. Write to her at [email protected].

All the products were tested on a secluded 100-Mbps network consisting of one 2.8-GHz Windows XP machine with 1.25 GB of RAM; one 1.4-GHz Windows 2000 Professional machine with 350 MB of RAM; and one 1.4-GHz Fedora Linux machine with 350 MB of RAM. Drive images of the Windows 2000 machine were obtained from the XP machine with the network-capable applications tested, then further analyzed with all the products included in our tests. The EnCase Enterprise product was tested separately on a secluded lab subnet consisting of two dual-2.4-GHz Windows 2000 Server systems with 2 GB of RAM, configured with the help of a Guidance Software sales engineer, as would be provided with any EnCase Enterprise Edition purchase.

A hash can be thought of as a file's fingerprint: in practice, no two distinct files should produce the same one.

We created a hash by applying a hash function to a file to obtain the file's hash value. The value is typically a 128-bit (MD5) or 160-bit (SHA-1) number displayed as a string of hexadecimal digits. If the file changes in any way, a newly computed hash will not match the original. For example, the MD5 hash of the phrase incident response is 84596f92c9a768dc2f55fe315dd5ff02. If we change even a single letter, the hash changes; the hash for Incident response is 2cf5d93e2944114a95e4aa2ed55b96a0.

File integrity can be verified by comparing hashes before and after a bitstream copy. Once a disk image has been created, its hash should be compared with the hash of the original to ensure that no data was altered during the acquisition process. If an investigation ends up in court, this is a required step to reduce the risk of evidence-tampering accusations. One caveat: collisions (two different inputs with the same hash) have been demonstrated for MD5, so record a second hash from a different algorithm alongside it.
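The acquisition and verification procedure described in the Stage 2 introduction and in this sidebar, combined with the over-the-network variant the Sleuth Kit section mentions (trusted binaries run from a CD, output piped to netcat on another machine), as an added example that is not from the article or from any of the products reviewed. The sender plays the role of dd piped into netcat on the suspect host; the receiver plays netcat listening on the analysis host. Both ends hash what crosses the wire, and the written image is hashed a third time, so any disagreement marks the copy as unusable. The "device" is a constructed file, the two ends are joined with socketpair() so the example runs offline (a real run uses a TCP listener on the analysis host and socket.create_connection() from the suspect host), and both MD5 and SHA-256 are recorded because MD5 collisions have been demonstrated.

```python
import hashlib
import os
import socket
import tempfile
import threading

CHUNK = 1 << 16  # read and send in 64 KiB blocks


def hash_file(path):
    """MD5 and SHA-256 of a file, read in chunks so a multi-gigabyte image
    never has to fit in memory. Two algorithms are kept because a collision
    found for one would have to be found for the other as well."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()


def send_image(src_path, sock):
    """Suspect-host side, the role of 'dd if=/dev/hda | nc analyst 9000' run
    from the trusted CD: stream the device, hash exactly the bytes that leave
    the host, then half-close so the receiver sees end-of-stream."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(src_path, "rb") as f:  # read-only; never open evidence 'r+'
        for block in iter(lambda: f.read(CHUNK), b""):
            sock.sendall(block)
            md5.update(block)
            sha.update(block)
    sock.shutdown(socket.SHUT_WR)
    return md5.hexdigest(), sha.hexdigest()


def receive_image(sock, out_path):
    """Analysis-host side, the role of 'nc -l -p 9000 > image.dd': write the
    stream to disk and hash it as it arrives."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(out_path, "wb") as out:
        while True:
            block = sock.recv(CHUNK)
            if not block:
                break
            out.write(block)
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()


def acquire(src_path, out_path, sender_sock, receiver_sock):
    """Run both ends concurrently. Returns (verified, hashes): verified is True
    only if sender, receiver and a fresh re-read of the image file all agree."""
    received = {}
    t = threading.Thread(
        target=lambda: received.update(hashes=receive_image(receiver_sock, out_path)))
    t.start()
    sent = send_image(src_path, sender_sock)
    t.join()
    verified = sent == received["hashes"] == hash_file(out_path)
    return verified, sent


def demo():
    """Constructed 'device' (a patterned 2 MiB file, not a real disk), wired to
    the receiver with socketpair() so this runs offline. Also tampers with one
    byte of the finished image to show that re-verification then fails."""
    with tempfile.TemporaryDirectory() as d:
        device = os.path.join(d, "suspect-disk.raw")
        image = os.path.join(d, "suspect-disk.dd")
        with open(device, "wb") as f:
            f.write(bytes(range(256)) * 8191 + b"end-of-device")
        original = hash_file(device)  # step 1: hash the original first
        a, b = socket.socketpair()
        with a, b:
            verified, sent = acquire(device, image, a, b)  # steps 2 and 3
        with open(image, "r+b") as f:  # simulate post-acquisition tampering
            f.seek(4096)
            f.write(b"\xff")
        return {
            "verified": verified,
            "matches_original": sent == original,
            "tampered_verifies": hash_file(image) == original,
        }


if __name__ == "__main__":
    print(demo())
```

Write the three hash pairs into the case notes at acquisition time; the later archive copies on optical media are verified against those recorded values, not against each other.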
