Forensic Software Tools
The following tools are industry-standard and widely used by law enforcement and the private sector. These tools are proven to be reliable and produce consistent defensible results. No tool can cover everything - it is common to use multiple tools for a case. Some of these tools can be used to create forensic images as well.
AccessData’s FTK (Forensic Toolkit): A powerful digital analysis program that processes and indexes data from a variety of sources and formats. It allows us to take a forensic image of a computer and process it. Once processed, an examiner can conduct searches, filter data, and view deleted data. FTK is often used to cull data prior to ingestion into eDiscovery platforms such as Relativity. FTK can report findings in Excel, PDF, HTML, and other formats. It is incredibly powerful and versatile and is the preferred industry tool.
Guidance Software’s EnCase: Much like FTK, EnCase processes and indexes data for searches and analysis. Many examiners use one or the other – even both. Your IST forensic collections team is certified in FTK.
Magnet’s Axiom: Previously known as IEF (Internet Evidence Finder), Axiom is the leading web data analysis tool. Axiom processes forensic images and other data sources and parses data related to web activity such as web history, web cookies, download history, web chat, webmail, and more. Axiom also simplifies the process of analyzing commonly encountered system artifacts like USB history and document history. Axiom allows for reporting in load files, PDF, Excel, HTML, and more.
Cellebrite UFED: Sometimes referred to as UFED, Touch Ultimate, or UFED 4 PC, Cellebrite is a powerful mobile device collection and analysis tool. Cellebrite is capable of extracting data from phones, tablets, GPS units, drones, and more. It is capable of several types of extractions and provides a powerful review environment to conduct analysis. Cellebrite stores most extractions in .UFD, .ZIP, and .BIN formats. Cellebrite offers powerful reporting of data in various formats: Word, PDF, Excel, HTML, and UFED Reader (UFDR). Cellebrite comes in hardware and software versions. We use UFED 4 PC, the software version. This comes with several adapters and cords to connect to almost every pocket sized device released in the last 10 years.
Note: We use the Forensic Cellebrite. Phone carriers like Verizon and T-Mobile commonly use scaled down versions of Cellebrite to transfer logical data from an old phone to a new phone. It does not operate as a forensic tool.
Elcomsoft Phone Breaker: The name might be misleading – it does not break anything. Rather, it allows us to break password protection on phone backups. Simple passwords can be cracked within minutes or hours. Complicated passwords can take weeks, months, or even years!
This tool is also used to pull iCloud backups of Apple devices from the cloud. It allows us to access a custodian’s iCloud account (credentials required). The downloaded backups are parsed within Cellebrite for analysis and production.
Oxygen Forensic Suite: A mobile device forensic program. Generally lacking in comparison to Cellebrite, Oxygen is capable of extraction and analysis of mobile devices. Oxygen stores extracted mobile phone data in .OFB format which then is usually converted to a Cellebrite friendly format.
Autopsy: A free, lightweight digital forensic platform. Capable of processing, carving, and searching.
Aid4Mail: A versatile email preservation and conversion tool. Aid4Mail allows us to pull email from a variety of sources and domains. Once collected, Aid4Mail can convert the data into a .PST file for ingestion into Relativity.
X-Ways: Another full-featured forensic suite like FTK and EnCase, X-Ways is able to process digital data from a variety of sources and is said to be less resource-hungry.
SIFT: Unlike the other programs listed here, SIFT is an entire Linux-based operating system rather than a single application. It comprises several free tools and is popular with law enforcement agencies and the private sector.
Arsenal’s Registry Recon: A powerful registry parser. Much of the configuration of Windows, for both the system and each user, is stored in a structure called the registry. This tool makes it easy to review the information embedded in the registry and produce reports.
XRY: A hardware + software combo, XRY is used to extract and analyze data from mobile devices, much like Cellebrite and Oxygen.
BlackBag’s BlackLight: A powerful forensic analysis platform much like FTK and EnCase; BlackLight can handle evidence from multiple sources. The big difference between BlackLight and the other tools is its more intelligent parsing of Apple computer (Mac) images.
AccessData’s Mobile Phone Examiner (MPE): MPE is AccessData’s answer to Cellebrite. Due to Cellebrite’s dominance in the mobile phone forensic market, most other dedicated tools fall short. MPE, like other Cellebrite competitors, does not support nearly as many devices nor parse as many applications as Cellebrite.
Paraben’s Universal: Paraben is another company offering several tools that collect and parse most common devices. Paraben Universal is the FTK of Paraben, offering searching, processing, and more for most common devices.
Griffeye: A new forensic software tool that processes data and enables intelligent analysis through the use of custom parsers and photo recognition AI. Offers various custom analytic tools within the platform.
Dedicated Imaging Tools
While many tools listed in the Forensic Software section are capable of imaging storage media, these tools are crafted solely for imaging or to aid in the process of imaging (mounting and write-blocking).
FTK Imager: Very powerful but lightweight imaging software. Generally placed on an external drive and plugged into the evidence computer, FTK Imager is able to create images in several formats of most devices. When creating remote images, we mail out the external drive with FTK Imager on it along with remote access software. FTK Imager can create logical, physical, and targeted verified images in .E01 and .AD1 format. FTK Imager can also open, browse, and mount images, or view deleted space within a drive or image.
EnCase Imager: EnCase Imager can create images in .E01 and .L01 format. You cannot browse file content within an image using EnCase Imager.
Arsenal Image Mounter: This tool allows us to mount images of several formats and define a custom cluster size. Arsenal Image Mounter is used when other tools cannot handle problematic mounting situations.
Paraben’s P2 Explorer: A forensic image mounting tool designed to help investigators manage and examine evidence. With P2X Pro you can mount forensic images as read-only local logical and physical disks.
BlackBag’s MacQuisition: This tool resides on a USB dongle and is used to safely boot and acquire data from over 185 different Macintosh computer models in their native environment. This is the most reliable and most powerful Mac imaging tool on the market for the live data acquisition, targeted data collection, and forensic imaging of evidence.
Apple Forensic Artifacts
These terms are often encountered when discussing analysis – the review of data from an Apple computer once it has been collected and, usually, processed within forensic software.
Preference List (PLIST): Files that store various preferences, user information settings, and system records for several applications and the Mac OS. For instance, the ipod.plist records information regarding connected iPhones and iPods.
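As an added example (not from the page, from Apple, or from any vendor tool), the following Python script parses a preference list in either XML or binary form with the standard-library plistlib module and pulls out the kind of per-device records and timestamps an examiner would report. The sample plist, its key names and its device identifiers are constructed for illustration and are not the real layout of ipod.plist; the timestamp walk at the end is general and works on any plist, which goes slightly beyond the entry above.

```python
import plistlib
from datetime import datetime
from typing import Dict, Iterator, List, Tuple

# Constructed sample. The key names imitate the kind of record a device-history
# plist keeps; they are NOT the real schema of Apple's ipod.plist.
SAMPLE_PLIST_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Devices</key>
  <dict>
    <key>00000000-CONSTRUCTED00000001</key>
    <dict>
      <key>Device Class</key>
      <string>iPhone</string>
      <key>Serial Number</key>
      <string>CONSTRUCTED0001</string>
      <key>Connected</key>
      <date>2023-05-04T14:22:31Z</date>
      <key>Use Count</key>
      <integer>12</integer>
    </dict>
    <key>00000000-CONSTRUCTED00000002</key>
    <dict>
      <key>Device Class</key>
      <string>iPod</string>
      <key>Serial Number</key>
      <string>CONSTRUCTED0002</string>
      <key>Connected</key>
      <date>2022-11-19T08:05:00Z</date>
      <key>Use Count</key>
      <integer>3</integer>
    </dict>
  </dict>
  <key>Last Sync</key>
  <date>2023-05-04T14:30:00Z</date>
</dict>
</plist>
"""


def load_plist(data: bytes) -> Dict:
    """Parse a plist; plistlib detects XML vs binary ('bplist00') automatically."""
    return plistlib.loads(data)


def to_binary(data: bytes) -> bytes:
    """Re-serialise as a binary plist, the form most macOS system plists are stored in."""
    return plistlib.dumps(load_plist(data), fmt=plistlib.FMT_BINARY)


def summarize_devices(data: bytes) -> List[Dict[str, object]]:
    """Flatten the per-device records into rows an examiner can report."""
    plist = load_plist(data)
    rows = []
    for udid, rec in sorted(plist.get("Devices", {}).items()):
        rows.append({
            "udid": udid,
            "class": rec.get("Device Class"),
            "serial": rec.get("Serial Number"),
            # plistlib returns naive datetimes in UTC, so the Z suffix is correct
            "last_connected": rec["Connected"].strftime("%Y-%m-%dT%H:%M:%SZ"),
            "use_count": rec.get("Use Count"),
        })
    return rows


def walk_timestamps(obj, path: str = "") -> Iterator[Tuple[str, datetime]]:
    """Yield every datetime anywhere in a plist together with its key path."""
    if isinstance(obj, datetime):
        yield path, obj
    elif isinstance(obj, dict):
        for key, value in obj.items():
            yield from walk_timestamps(value, f"{path}/{key}")
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from walk_timestamps(value, f"{path}[{i}]")


def timeline(data: bytes) -> List[Tuple[str, str]]:
    """All timestamps in the plist, oldest first, for building a timeline."""
    events = sorted(walk_timestamps(load_plist(data)), key=lambda e: e[1])
    return [(when.strftime("%Y-%m-%dT%H:%M:%SZ"), where) for where, when in events]


if __name__ == "__main__":
    for row in summarize_devices(to_binary(SAMPLE_PLIST_XML)):
        print(row)
    for when, where in timeline(SAMPLE_PLIST_XML):
        print(when, where)
```

The same summary comes out of the XML and the binary form because plistlib sniffs the format, which is what you want when the same plist turns up in both forms across macOS versions.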
Log files (.log): Files that record events that occur in the operating system or in other software, or messages exchanged between users of a communication program. macOS system log files record various changes and events on the system; they capture system and user data in several logs that retain information for anywhere from short to long periods of time.
File System Events (FSevents): Reveals file system events that have occurred in the past such as file, folder, symbolic link and hard link creations, removals, renames, modifications, permission changes and more. These are useful to examine events involving mounting and unmounting external drives and disk images, activity within a user’s profile directory, document editing, internet activity, files moved to the trash, downloaded files, and much more. These event files are also created by the Mac OS on external media (unless the drive is disconnected before they can be created).
Basic Apple/Mac Terms
These terms are often encountered when discussing Apple computers.
Master Boot Record (MBR): The table of contents for every file stored within the Windows environment. Stores metadata and location of each file residing on the computer. This file is not accessible by the user. It is one of the first files parsed when processing a drive in forensic software.
Finder: Much like the Explorer for Windows, the Finder provides access to files and folders, displays windows, and generally controls interactions within the Mac OS environment.
.Trash: User files deleted by a user will be copied to the Trash Bin, much like Windows. These files still remain in allocated space and can be restored. Items present here also reveal their date of deletion. The “.” in front of the file name tells us it is a location hidden from view of the user.
When files are emptied from the Trash bin, they are marked as deleted in the file system catalog (similar to the MBR from Windows). However, the file remains present on the drive until overwritten.
Secure Delete: A method of deletion built into macOS that allows a user to delete a file entirely, overwriting the blocks in which the file resides and bypassing the Trash bin. The only way to recover data deleted in this manner is to capture the virtual memory (VM) or RAM, or to access a backup through a Time Machine Backup or Time Capsule.
Launch Pad: An application launcher for macOS. Launchpad’s full screen graphical user interface provides an alternative way to start applications in macOS, compared with other options such as the Dock or Finder.
Disk Utility: A software utility for performing disk-related tasks on macOS. Used to format drives, mount volumes, securely erase disks, and more.
Startup Manager: A special boot environment accessed by holding down the Option key when powering on a Mac computer. Allows the user to load MacQuisition or any other drive connected to the computer that has a bootable OS installed such as macOS or Windows.
Recovery Mode: Built-in recovery system for macOS. Connects the macOS to the internet via Wi-Fi and downloads the appropriate firmware to repair or restore the OS, restore data from a Time Machine backup, or get help online. Accessed by holding “Command+R” when powering on the Mac.
FileVault: Apple’s built-in disk encryption for macOS.
Firmware Password: A firmware password prevents starting up from any internal or external storage device other than the startup disk selected.
Time Machine: Backup software application built into macOS. The software is designed to work with AirPort, as well as other internal and external disk drives. Creates incremental backups of files that can be restored at a later date. It allows the user to restore the whole system or specific files from the Recovery HD or the macOS Install disc.
Time Machine saves hourly backups for the past 24 hours, daily backups for the past month, and weekly backups for everything older than a month until the volume runs out of space. At that point, Time Machine deletes the oldest weekly backup.
Boot Camp: Built-in utility that allows a user to install Windows on Mac computers. Both environments can be used on the Mac.
Spotlight: A system-wide desktop search feature of Apple’s macOS and iOS operating systems. Spotlight is a selection-based search system, which creates an index of all items and files on the system.
Mobile Device Terms
These terms are often encountered when discussing mobile devices such as phones and tablets.
Backups: A backup of a mobile device. Many manufacturers and providers will offer a proprietary backup system.
Database: Used by mobile phone apps to store and retrieve information. A database file usually retains free space inside it, from which deleted records such as text messages and calls can be recovered.
Faraday Bag/Cage: A bag or room that blocks radio waves, preventing mobile phones from communicating with an outside signal such as a tower or Wi-Fi network. Useful in criminal matters when a suspect could send a remote wipe signal to a smart phone.
Application (App): A program that runs on a mobile device. Software like Cellebrite will often support popular apps and parse their data automatically. Other apps will need to be manually analyzed to translate data into human-readable formats.
iCloud: The cloud backup platform for Apple devices. iCloud holds the 3 most recent backups for devices tied to an AppleID.
AppleID: The account used to manage Apple devices. An AppleID logged into several devices will often share or sync data from one to another. Data deleted from one device might be found on another.
Google Account: The account used to manage Android devices. A Google account logged into several devices will often share or sync data from one to another. Data deleted from one device might still be found on another.
Verizon Cloud: Verizon’s backup platform. Stores messages, contacts, photos, etc.
Samsung Backup: Samsung’s backup platform. Stores messages, contacts, photos, etc.
Logical Extraction: A basic extraction of data from a mobile device that is limited to the phone’s preconfigured export options. These are usually defined by the manufacturer, are typically very limited, and provide little to no deleted data. Multiple extraction types can be combined into one, and a logical extraction is best performed alongside the other types of extraction. For instance, Samsung Galaxy devices prevent an examiner from extracting messages using the more powerful extraction methods; however, messages can be extracted using a logical method and combined later.
File System Extraction (FSE): The most common extraction on most mobile phones. An FSE allows an examiner to extract databases and other system data from a mobile device for parsing within mobile device analysis software like Cellebrite’s UFED Physical Analyzer. These databases often contain deleted data. FSE extractions include application data. Aside from databases, this extraction can only access allocated space, meaning no deleted data outside of what is contained within databases or other files that act as containers. Depending on the amount of data on a phone, this extraction can take between 20 minutes and 4 hours.
Physical Extraction: This type of extraction is the only true “image” format out of all the extraction types. It is a 1:1 verified image of the phone’s internal storage chip. It allows an examiner to access free/unallocated space to recover/carve any deleted data. This type of extraction is often not supported on devices running recent security patches, firmware versions, or builds, which means most devices will not allow a physical extraction until they have gone months without being updated. Example: iPhones newer than the iPhone 4 do not support physical extraction.
Firmware Version (Android): The version of firmware running on an Android mobile device. Android expresses the version as a number and a dessert name. For instance, Android 8.0 is Oreo, and the version before it, 7.0, is Nougat. While Apple firmware versions range widely across devices, Android firmware versions on all devices range between 2.0 and 8.0.
Firmware Version (iOS): The version of firmware running on an Apple mobile device. Apple firmware updates have a high user install base and vary between different devices, versions, and release dates.
Firmware Updates: Most updates will patch several exploits used by forensic tools. It takes time for the tools to catch up after updates to make sure data is parsed accurately. A database used to store text messages might handle data differently when a new update is released.
SMS: Short Message Service, commonly known as a text message. SMS is typically sent and received over a phone carrier’s network using the subscriber’s phone number. SMS and MMS share a database.
MMS: Multi-media message. Like SMS, an MMS message is sent and received over a phone carrier’s network. MMS messages contain attachments such as photos, video, and audio. SMS and MMS share a database.
Chat Message: A message exchanged using a third party application like Skype, Snapchat, Facebook Messenger, etc. Forensic analysis tools typically separate SMS/MMS from chat messages. Chat messages reside in unique databases tied to the third party application.
iMessage: iMessage is an instant messenger service built and implemented by Apple for Apple devices. iMessages are commonly synced across Apple devices in use by the same AppleID. iMessages share a database with SMS/MMS messages on iOS devices. When reporting, messages are tied to conversations by Chat IDs.
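The point made in the Database entry above (free space inside a database from which deleted messages can be recovered) and the SMS/MMS/iMessage entries that share a database can be shown with SQLite, the database format those message stores use. The following is an added example, not from IST or from any vendor tool: it builds a constructed, simplified message table (not the real sms.db schema), deletes one message, and compares what SQL still returns with what a byte-level search of the database file finds. PRAGMA secure_delete is SQLite’s real setting; the default of OFF is what leaves deleted rows recoverable.

```python
import os
import sqlite3
import tempfile
from typing import Dict, List

# Constructed sample conversation. The schema is a simplification for the
# demonstration, not the real layout of iOS sms.db or any vendor database.
MESSAGES = [
    (1, "+15550100", "Running late, start without me", 0),
    (2, "+15550100", "Draft 3 of the contract is attached", 1),
    (3, "+15550100", "Invoice approved", 1),
]
DELETED_BODY = b"Draft 3 of the contract is attached"


def build_message_db(path: str) -> None:
    """Create the database file and commit the three sample rows to disk."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE message (id INTEGER PRIMARY KEY, handle TEXT, body TEXT, is_sent INTEGER)"
    )
    conn.executemany("INSERT INTO message VALUES (?, ?, ?, ?)", MESSAGES)
    conn.commit()
    conn.close()


def delete_message(path: str, msg_id: int, secure_delete: bool) -> None:
    """Delete one row with SQLite's secure_delete explicitly OFF (the usual default) or ON.

    With secure_delete OFF the freed cell only loses its first few bytes of
    bookkeeping; the message text stays in the page's free space. With it ON,
    SQLite zeroes the freed bytes.
    """
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
    conn.execute("DELETE FROM message WHERE id = ?", (msg_id,))
    conn.commit()
    conn.close()


def live_bodies(path: str) -> List[str]:
    """What the app, and any parser that only runs SQL, can still see."""
    conn = sqlite3.connect(path)
    rows = [row[0] for row in conn.execute("SELECT body FROM message ORDER BY id")]
    conn.close()
    return rows


def raw_file_contains(path: str, needle: bytes) -> bool:
    """What a byte-level search of the database file, free space included, can still see."""
    with open(path, "rb") as fh:
        return needle in fh.read()


def run_scenario(secure_delete: bool) -> Dict[str, object]:
    """Build, delete message 2, then report the SQL view and the raw-file view."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "messages.db")
        build_message_db(path)
        delete_message(path, 2, secure_delete)
        return {
            "live": live_bodies(path),
            "deleted_body_in_raw_file": raw_file_contains(path, DELETED_BODY),
        }


def demo() -> Dict[str, Dict[str, object]]:
    return {"default": run_scenario(False), "secure_delete": run_scenario(True)}


if __name__ == "__main__":
    for mode, result in demo().items():
        print(mode, result)
```

The raw-file check is the same idea the mobile tools apply when they report “deleted” messages from a file system extraction: the row is gone from the table but its bytes are still inside the database file. The secure_delete run shows the failure mode: once the engine zeroes freed cells, nothing is left to recover from that file.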
iChat: Allows iMessages to be sent to iPhones and iPads (iOS 5 devices) and works with the same Buddy Lists. iChat syncs with Apple devices tied to the same AppleID, which allows a user to access iMessages from their phone on a MacBook. iChat will often archive messages, which then persist after deletion on other devices.
Remote Wipe: Android and Apple devices can be remotely wiped through GooglePlay.com and iCloud.com. This can be done by logging into the Google or AppleID account tied to the device. Locations of the devices connected to these accounts can be tracked and remotely wiped or locked with the push of a button.
LCD: The panel behind the glass and digitizer on a mobile device that creates the display. If evidence is described as damaged with no picture/display, the LCD can be replaced quite easily.
Digitizer: The touch screen panel of the mobile device that sits directly behind the glass lens of the screen and can be replaced if not functioning on evidence.
Download Mode: A special mode with different names across mobile device manufacturers (Firmware Mode, Flash Mode, Fastboot). Booting the phone into download mode provides a direct access point for creating a physical image on many devices. It is not always a possibility, but download mode is a great way to bypass lock codes or to image phones that no longer boot.
Boot loop: A mobile device that cycles through the booting process. Data can still be extracted using download mode or repairing the boot loop by flashing data to repair it.
Flashing: The process of using special tools and software to write directly to the ROM of a phone. This is usually done in digital forensics to repair corrupt system files or modify the phone in order to gain access to user data.
ROM: Read Only Memory. The ROM stores the OS of the phone - system data.
Recovery Partition: This part of the phone’s storage allows the user to restore a device to factory settings, clearing out user data. This recovery partition can be replaced with a custom recovery partition which allows an examiner to create backups of Android devices.
Jail Break: Modifying a mobile device to remove restrictions imposed by the manufacturer or operator. Allows the installation of unauthorized software. This term is usually used when describing the modification of iOS devices. A jail-broken iOS device will give the examiner access to more data.
Root: Much like a jail-break, rooting a mobile phone provides access to data on the “root” or top-most level of the mobile phone’s file system. It is equivalent to a jailbreak, but this term is used when discussing the modification of Android devices.
Terms related to cloud data.
Webmail: When webmail is accessed through a web browser, the email sent or received is not stored on the computer. Instead, it is loaded from the webmail server and viewed from within the browser. Depending on the webmail service, different pieces of information will be recorded within various web browser artifacts. It is sometimes possible to determine which webmail accounts were accessed or which folders were viewed. It is not always possible to determine what emails were viewed, sent, or received.
The following terms are encountered when discussing the imaging process of storage media such as hard drives, flash drives, files, phones, and more.
Hash: A unique numerical identifier generated by a mathematical algorithm to verify that an image is identical to the source media (hash verified).
Once an image is completed, the next step in the process is hash verification to make sure the forensic image contains an exact copy of the data being copied.
The first hash is generated against the evidence and a second hash is generated against the completed forensic image. At the end of the imaging process, the two hashes are compared. If the hashes match, the image is verified and forensically sound.
A hash can be calculated using many different algorithms such as MD5, SHA1, and SHA256.
Image: A verified forensic copy of digital data. Usually compressed and created using various tools depending on the device. Sometimes referred to as an acquisition, collection, or extraction. An image is commonly observed in .E01 format due to the wide support for the format.
An image can be thought of as a container that holds and protects all of the data pulled from a device. It can be password protected. Images can be segmented in specified chunks (we often split our .E01 images into 2 GB segments).
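Hash verification as described in the Hash entries above, applied to a segmented image as described here, as an added Python example that is not from the page or from any of the tools it lists. The source media is a constructed byte string standing in for a drive; the image is split into fixed-size segments the way a split .E01 is; and the acquisition hash is compared with the verification hash computed over the reassembled segments. Digest names are Python’s hashlib names, and the block and segment sizes are arbitrary choices for the demonstration.

```python
import hashlib
from typing import Dict, Iterable, List

# Constructed stand-in for the source media: 10,240 bytes of predictable data.
# A real job streams the evidence drive or its image file through the same code.
SOURCE_MEDIA = bytes(range(256)) * 40

ALGORITHMS = ("md5", "sha1", "sha256")
BLOCK_SIZE = 4096  # read size; digests are streaming, so any block size gives the same result


def hash_stream(chunks: Iterable[bytes], algorithms=ALGORITHMS) -> Dict[str, str]:
    """Compute several digests in a single pass over a stream of byte chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def read_in_blocks(data: bytes, block_size: int = BLOCK_SIZE) -> Iterable[bytes]:
    """Yield the media in fixed-size blocks, the way an imager reads a drive."""
    for offset in range(0, len(data), block_size):
        yield data[offset:offset + block_size]


def split_into_segments(image: bytes, segment_size: int) -> List[bytes]:
    """Split a raw image into fixed-size segments (like a .E01 split at 2 GB)."""
    return [image[i:i + segment_size] for i in range(0, len(image), segment_size)]


def verify_image(source: bytes, segments: List[bytes], algorithms=ALGORITHMS) -> Dict[str, object]:
    """Acquisition hash (over the evidence) vs verification hash (over the image segments).

    The segments are hashed in order as one continuous stream, so the result is
    the hash of the whole image, not of each piece. The image is verified only
    when every algorithm agrees; a single differing byte anywhere changes all of them.
    """
    acquisition = hash_stream(read_in_blocks(source), algorithms)
    verification = hash_stream(iter(segments), algorithms)
    return {
        "acquisition": acquisition,
        "verification": verification,
        "verified": all(acquisition[a] == verification[a] for a in algorithms),
    }


def demo() -> Dict[str, bool]:
    """Verify a good split image, then the same image with one bit flipped in segment 3."""
    good = split_into_segments(SOURCE_MEDIA, 1000)   # 11 segments: 10 x 1000 B + 240 B
    tampered = list(good)
    damaged = bytearray(tampered[3])
    damaged[17] ^= 0x01                               # a single-bit difference
    tampered[3] = bytes(damaged)
    return {
        "good_verified": verify_image(SOURCE_MEDIA, good)["verified"],
        "tampered_verified": verify_image(SOURCE_MEDIA, tampered)["verified"],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Hashing all three algorithms in one pass matters on real drives: reading a multi-terabyte source three times to get three digests is what makes verification take as long as imaging.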
Physical Image: A bit-by-bit 1:1 direct copy of a physical storage device. Includes all files, folders, unallocated space, free space, and slack space. Includes live and deleted files.
Physical images are the most common type of image on computers and drives. They are very uncommon when dealing with mobile phones. Physical images will often be in .E01 format when compressed (most common) or .001, .BIN, or .dd format when not compressed (increasingly uncommon). .BIN files are common when dealing with physical images of mobile phones.
Logical Image: A forensic copy of all “live” – or non-deleted – data on a hard drive or other media. Typically, a logical image captures what you would see when browsing your computer.
Typically, free space, deleted files, and fragments will not be captured. For instance, when creating a logical image of a computer with a 500 GB hard drive and 100 GB are in use to store files, the resulting image will be 100 GB uncompressed – only captures the space on a storage medium in use.
Found in .AD1 and .L01 logical formats (FTK and EnCase respectively).
Targeted Image: A targeted copy of specific folders and/or files. Much like a Logical Image, a targeted image captures live, non-deleted data. This is often used when needing to preserve specific files on a computer without collecting the entire hard drive. This results in a much faster imaging process.
Live Data: Also known as “active” data, these are files that are not deleted and can be collected using all imaging methods. Live data resides in “allocated” space on a disk.
Deleted Data: Data residing within “free space”. When a file is deleted, the space on the disk in which the file resides is marked as “free” or available to new writes and it is removed from view. This tells the operating system that this space can now be used to write new data.
Allocated Space: The space on a storage medium in use by the operating system where files reside. When a file is created, an operating system such as Windows will look for free space within the allocated space of the drive.
Unallocated Space: Space on a storage medium that is not allocated or in use by the operating system (not used for storing files). Even when formatting a hard drive, the data that was lost might still persist within unallocated space.
Free Space: Available space on a storage medium where data can be stored. New files are written onto free space.
Storage Medium: Anything that stores digital data – flash drives, hard drives, CDs, DVDs, SD cards, and more fall into this category (drive, disk, disc). Data can be stored and retrieved.
Slack Space: The unused space at the end of a file in a file system that uses fixed size clusters (so if the file is smaller than the fixed block size then the unused space is simply left unused). Often contains deleted information from previous uses of the block.
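The difference between a logical and a physical image, and what unallocated space and slack space hold after an ordinary deletion, can be made concrete with a toy disk. This is an added example, not code from the page or from any tool it names: the 64-byte clusters, the catalog structure, the first-fit allocator, the signature carver and the MEMO/ENDM file markers are all constructed for illustration.

```python
from typing import Dict, List, Tuple

# Constructed toy geometry; real file systems use clusters of 4 KiB or more.
CLUSTER_SIZE = 64
DISK_CLUSTERS = 16


class ToyDisk:
    """A storage medium as a flat byte array plus a catalog of live files."""

    def __init__(self) -> None:
        self.media = bytearray(CLUSTER_SIZE * DISK_CLUSTERS)   # the raw medium
        self.allocated = [False] * DISK_CLUSTERS               # cluster in use by a live file?
        self.catalog: Dict[str, Tuple[int, int, int]] = {}     # name -> (first cluster, n clusters, size)

    def _find_free_run(self, needed: int) -> int:
        """First-fit search for `needed` contiguous free clusters."""
        run_start, run_len = 0, 0
        for c, used in enumerate(self.allocated):
            run_len = 0 if used else run_len + 1
            if run_len == 1:
                run_start = c
            if run_len == needed:
                return run_start
        raise OSError("disk full")

    def write_file(self, name: str, data: bytes) -> None:
        needed = max(1, -(-len(data) // CLUSTER_SIZE))         # ceiling division
        start = self._find_free_run(needed)
        base = start * CLUSTER_SIZE
        # Only the file's own bytes are written. Whatever sat in the tail of the
        # last cluster before is left alone: that tail is the file's slack space.
        self.media[base:base + len(data)] = data
        for c in range(start, start + needed):
            self.allocated[c] = True
        self.catalog[name] = (start, needed, len(data))

    def delete_file(self, name: str) -> None:
        """Ordinary deletion: drop the catalog entry, mark clusters free, touch no bytes."""
        start, needed, _ = self.catalog.pop(name)
        for c in range(start, start + needed):
            self.allocated[c] = False

    def logical_image(self) -> Dict[str, bytes]:
        """Live data only: each catalogued file's bytes, nothing from free or slack space."""
        return {name: bytes(self.media[s * CLUSTER_SIZE:s * CLUSTER_SIZE + size])
                for name, (s, _, size) in self.catalog.items()}

    def physical_image(self) -> bytes:
        """Bit-for-bit copy of the medium: allocated, unallocated and slack alike."""
        return bytes(self.media)

    def unallocated_space(self) -> bytes:
        return b"".join(bytes(self.media[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE])
                        for c in range(DISK_CLUSTERS) if not self.allocated[c])

    def slack_space(self, name: str) -> bytes:
        s, needed, size = self.catalog[name]
        return bytes(self.media[s * CLUSTER_SIZE + size:(s + needed) * CLUSTER_SIZE])


def carve(image: bytes, header: bytes, footer: bytes) -> List[bytes]:
    """Signature carving: recover header..footer runs without consulting any catalog."""
    found, pos = [], 0
    while True:
        h = image.find(header, pos)
        if h < 0:
            break
        f = image.find(footer, h + len(header))
        if f < 0:
            break
        found.append(image[h:f + len(footer)])
        pos = f + len(footer)
    return found


# Constructed file contents with a recognisable header and footer for carving.
MEMO = b"MEMO" + b"Q4 contract notes, draft 3" + b"ENDM"
NOTE = b"MEMO" + b"meeting" + b"ENDM"


def demo() -> Dict[str, object]:
    disk = ToyDisk()
    disk.write_file("memo.txt", MEMO)       # lands in cluster 0
    disk.write_file("note.txt", NOTE)       # lands in cluster 1
    disk.delete_file("memo.txt")            # cluster 0 is now free; its bytes are untouched
    after_delete = {
        "logical_files": sorted(disk.logical_image()),
        "carved": carve(disk.physical_image(), b"MEMO", b"ENDM"),
        "memo_in_unallocated": MEMO in disk.unallocated_space(),
    }
    disk.write_file("tiny.txt", b"hi")      # first fit reuses cluster 0, overwriting 2 bytes
    after_reuse = {
        "carved": carve(disk.physical_image(), b"MEMO", b"ENDM"),
        "slack_of_tiny": disk.slack_space("tiny.txt"),
    }
    return {"after_delete": after_delete, "after_reuse": after_reuse}
```

After the deletion the logical image contains only note.txt, while carving the physical image recovers both files. Once a new file reuses the freed cluster, the memo’s header is destroyed and carving no longer finds it, but most of its text survives in the slack space of the new file, which is why slack is worth examining.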
Parsing: The largely automated process of sorting, organizing, and translating data. Many forensic tools will parse a forensic image and provide easy to review results after sorting most data into categories or plotting data into rows and columns.
File System: Used to control how data is stored and retrieved on a storage medium. Often responsible for maintaining metadata such as creation dates and location.
Partition: A section of a disk used to store data. A single hard drive can be partitioned into several partitions. Each partition usually serves a distinct purpose. Windows will commonly split a hard drive into several partitions: Boot, OS, and Recovery. Each partition is independent of the others.
Mounting: The process of taking a forensic image or drive and loading it into the Windows environment through a mounting tool for the purpose of imaging or review. For instance, an image of a computer can be mounted, and its contents browsed within Windows Explorer as if it were a drive that was plugged in.
Live Image: An image performed when a computer is powered on. Normally, a hard drive is removed to create an image to avoid changing data on the evidence. However, in civil matters where document preservation and collection is needed, it is common to run lite (non-installing) software like FTK Imager on the evidence computer and create a forensic copy of the evidence onto an external drive plugged into the evidence computer. Live imaging is also useful when the computer is encrypted.
Restore: A restore is a forensic image of a computer that has been restored to a hard drive. This is useful when a client wants to browse through the preserved computer folder structure and files without making changes to the original evidence. The image is often restored to an external drive and allows the client to plug the drive in and browse it.
Write block: A software or hardware tool used to prevent changes to evidence media when connecting it. Prevents the examiner from making changes to the evidence when creating the forensic image.
Verify: A term used to refer to the hashing of both source media and acquired image to verify the accuracy of the copy.
Volume: A volume is anywhere data can be stored on a device. A keyboard can be plugged into a computer via USB but cannot store data. However, a flash drive plugged into a computer via USB contains a volume to store data.
Hash Value: Hash values can be computed for individual files. This is a unique string and any change, no matter how small, to the file will result in a drastically different hash value. Hash values are used to validate files or detect changes in a copy.
Random Access Memory (RAM): RAM is physical storage used by a computer that can be accessed quickly. However, it is volatile and will not survive a reboot or loss of power. When imaging VM or RAM, it is important to capture it prior to powering off the device. The computer will use RAM space to store information as it performs different jobs. It is common to find documents or passwords in RAM.
Virtual Memory (VM): Virtual RAM stored on a hard drive to provide temporary space for data from RAM until it is needed again by a program. When the physical RAM fills up, data is swapped between the VM and physical RAM (VM is sometimes referred to as swap space). Example: Pagefile.sys on Windows. These files can be parsed for data.
Clone: Duplicating the contents of a disk to another.
IST Discover-E: Digital Forensic Terms
These tools help keep evidence safe when collecting data and improve the workflow of the forensic process.
Tableau Bridge: The online sync client plus live query functionality. Live query functionality enables the maintenance of live connections between data sources published to Tableau Online and on-premises relational data. Bridges allow an examiner to connect a drive to a computer for imaging, analysis, and more while preventing writes or edits to the evidence. It is a rectangular, phone-sized device and functions as a bridge between a SATA hard drive and a computer. This bridge acts as a write blocker. IST uses the Tableau Bridge for forensic collections.
Tableau Forensic Duplicator: Forensic duplicators are the hardware version of software imaging tools. They are travel-sized physical units approximately the size of a modem. Evidence (the source drive) is connected on one side (the write-protected side) and the target drive on the opposite side (the write side). The Tableaus can create clones of a disk, create images, and then verify the image. Tableaus are fast and reliable imaging solutions for SATA hard drives, external hard drives, USB devices like flash drives, and more.
Tableaus have small LCD panels that display imaging progress and ETA for completion. It also provides a full forensic log of the imaging and verification process which is stored in the same folder as the image. It notifies you of errors, as well. There is also a touch screen enabled version (TD3). IST uses Tableau TD2u duplicators.
Tableaus can also be used to forensically wipe drives.
USB Write Blocker: Much like the Tableau Bridge, the USB Write Blocker is a professional forensic tool for investigating USB mass storage devices such as thumb drives. It acts as a bridge between the USB device and a computer to protect USB evidence when it is connected to the computer. This includes external drives and flash drives, and it is relied on by digital investigators, technicians, and IT staff.
Wiebetech: A line of digital forensics, digital investigation, and IT tools used for remote investigations, eDiscovery, and corporate security.
External Drive: An external drive is a hard drive (HDD) or solid-state drive (SSD) that is connected to a computer on the outside rather than on the inside. This is where images are typically stored when creating images. Images are later archived to an encrypted volume. Once archived, the external drive is forensically wiped to remove any remnants of the image.
Internal Drive: The primary storage device located inside a computer system. It usually contains pre-installed software applications, the operating system and other files. Most desktop computers have several internal hard drives, allowing them to provide greater data storage. During forensic collections, internal drives may also be used to process evidence since internal drives tend to have faster write speeds.
Forensic Hardware Utilities
Web Artifact Terms
These terms are often encountered when discussing web analysis.
Cookie: A small piece of data sent from a website and stored in a user’s web browser while the user is browsing that website.
Cache: Temporary storage (caching) of web documents, such as HTML pages and images, to reduce bandwidth usage, server load, and perceived lag. Documents, photos, and more can be found here.
Private Browsing: Websites browsed in private modes will store less information. However, activity is still revealed through other files related to the act of visiting a website.
Basic Windows Terms
These terms are often encountered when discussing Windows computers.
Explorer: Through Explorer, users can browse their computer through a file and folder structure within a Windows environment.
Shadow Volume Copy: A backup system built into Windows, also known as System Restore. SVCs can be used to observe a computer system as it existed in the past. Each restore point can be processed and analyzed as if it were a separate machine. Data deleted on the current system might still exist within a past restore point. Windows often creates a restore point automatically after installing an application or an update; a user can also create one on a schedule or manually.
Recycle Bin: Files deleted by a user are sent to the Recycle Bin. These files remain in allocated space and can be restored. Items present here also reveal their date of deletion.
Device Manager: Windows feature for observing connected devices and hardware.
Disk Management: Windows feature that provides information regarding connected drives and the volumes/partitions of each drive.
These terms cover common (and less-common) sources of evidence. Use this list to explore the possible locations where data might reside. It is always best to have the password for the device. In some cases, the password can be circumvented.
AirPort (Time Capsule): A Wi-Fi router with a built-in hard drive. Commonly used to create network backups of macOS devices.
Parallels: A third-party program that allows a user to run a virtual Windows environment in a window on a Mac computer.
UFD: The Cellebrite extraction file format. The .UFD file allows us to load the extraction data (usually in .zip format).
Desktop Internal Hard Drive: Drives used inside desktop PCs, iMacs, and some servers. Spinning magnetic disk, 3.5 inch, SATA connection. Imaging times 2-5 hours.
Laptop Internal Hard Drive: Drives used inside laptops; smaller than Desktop Internal Hard Drives. Spinning magnetic disk, 2.5 inch, SATA connection. Imaging times 2-5 hours.
SSD: Solid State Drive. 2.5 inch. Uses solid state storage as opposed to a spinning magnetic disk. SATA connection. No moving parts. Imaging an SSD is always faster: 1-3 hours.
SSD Stick: A thin solid state stick used for storage in laptops and computers. Some computers, including laptops, will have a single M.2 SSD stick and a 2.5 inch hard drive. The newer, sleeker MacBooks use SSD sticks. Imaging times run from 1-3 hours. The MacBooks can sometimes be completed in around 45 minutes.
Server: A computer used to share data across a network to other computers (clients). Servers usually have a much larger storage capacity. Due to the large capacity of most servers, and the occasional need to image a server over a network, imaging times are much longer. Even with a direct connection, imaging can run 20-40 hours. Over a network, even for smaller volumes, imaging times can be higher still. The imaging runs in the background and has minimal impact on users accessing data on the server. When a server image is complete, an exceptions list is generated that lists the files that could not be imaged. These can be attempted again as a separate, smaller image as long as the files are closed and not in use by anyone on the network.
Cloud: Remote storage accessed via the web. Most cloud storage providers make some type of activity logging available to premium subscribers. Content stored within cloud accounts can be synced to a device such as an external drive and then imaged or collected using a forensic tool. Since files need to be pulled down from the cloud to an external drive before they can be imaged, time to completion can run anywhere between 3-20 hours.
Cloud PC Backups: Some companies utilize backup services such as Carbonite, Azure, and iDrive to back up their cloud storage. These backups can usually be exported to an external drive and imaged. Typically, these are flat exports, with data stored in folders rather than in a compressed image or proprietary format.
Powered External HDD: External drives with faster write speeds. These drives require power from a wall outlet as well as a USB connection to a computer. Examples include the WD MyBook, Seagate Backup Plus, and Buffalo drives. These drives are usually very large (TB+), and imaging can run 6+ hours.
Microsoft Office365: An online service that provides email, cloud storage, SharePoint, Skype, Office, and more. Office365 email can be collected by creating mailbox exports through an Admin account. Exported data can be filtered by mailbox and date. Email exports are fairly quick – 10 minutes to 4 hours. Multiple mailboxes can be exported at once, allowing a collection of an entire company’s Office365 email to begin within a few minutes.
Microsoft Exchange: Mail server and calendaring server developed by Microsoft. Exchange email is stored within .EDB databases. These .EDB files can be preserved from offline Exchange servers. When performing a live image of a running Exchange server, the .EDB database will be inaccessible. For that reason, it is best to work with the company’s IT department to export the requested mailboxes using PowerShell or an Exchange front-end utility that allows for exports.
Flash Drive: Small external media utilizing flash storage. Imaging these usually takes 10-30 minutes.
External HDD: An external HDD that connects to a computer via USB. Imaging times depend on capacity, taking anywhere from 1-4 hours.
Memory Cards: Small flash cards used to expand storage on mobile phones, digital cameras, etc. Examples include MicroSD, SD, Sony Memory Stick Pro Duo, CF, and SDHC. Imaging times are generally 5 minutes to an hour for most sizes.
Mobile Phones: Most mobile phones can be acquired and parsed. Phone capacity is ever-increasing, and the amount of data users store on them is increasing as well. It is best to secure a mobile phone for at least a day. The average extraction of a smartphone takes 2 hours; in extreme cases it can run as long as 10 hours. This happens when multiple types of extractions are needed in order to extract the user data.
Tablet: Most tablets run the same operating systems found on mobile phones – Android and iOS. Imaging times are similar to phones.
Tablet PCs: Tablet PCs are often forensically acquired through the same methods we would use for a live image. Imaging times on the solid state storage of Tablet PCs typically run from 25 minutes to 1.5 hours.
Virtual Machines: VMs can be acquired in two ways: (1) from within the VM, using forensic imaging software such as FTK Imager; (2) from outside the VM, by preserving the actual file the VM resides in (usually a VHD or VMDK). Imaging times run 1-5 hours depending on the VM size.
Google Takeout: An export service provided by Google that allows a user to export most of the content stored within a Google account. When looking at an account involving a Google service such as Google Maps, Gmail, Google Drive, Hangouts, or YouTube, it is sometimes best to export this data using Google Takeout. This data can sometimes reveal what a user is doing on an Android phone down to the minute, app by app. When a Takeout is requested, Google prepares the archive on its side; these exports can take days for larger Google accounts. When it is complete, the data can be downloaded, which can take from 10 minutes to a few hours depending on size.
Windows Forensic Artifacts
These terms are often encountered when discussing analysis – the review of data once it has been collected and, often, processed within forensic software on a Windows computer.
LNK File: Also known as a “Shortcut” or “Link” file, LNK files provide quick access to another file such as a program or document.
The LNK file records information about the file it is linked to and is created when that file is opened, whether from the computer itself or from external media such as a flash drive. For instance, if a user opens a Word document, a LNK file is created that records the metadata of the Word document at the time of opening: Created Date, Modified Date, Access Date, location, and size. This LNK file is updated each time the file is accessed.
The LNK file itself is a real file that lives on the Windows computer. As a result, it too has metadata, which reveals the first time the target file was opened (the created date of the LNK file). This is a general summary of LNK files; several nuances apply.
Jump List: Jump Lists are a Windows Taskbar feature that gives the user quick access to recently accessed application files and actions. Jump Lists are tied to individual applications. For instance, if you click and hold a program icon on your Start menu, a list of recently accessed files for that application appears on the screen. A user will have a Jump List for Microsoft Word listing several documents accessed and another for Excel. The Jump List provides historical records of accessed files, even if the file has been deleted or existed on an external drive. Jump Lists are great when tracking file access across many applications.
Shellbag: A set of Registry keys that maintain the size, view, icon, and position of a folder when it is viewed. The forensic value is that they record folder history not only for internal media but also for external media. Even if an encrypted drive is plugged into a computer and browsed, the folder list is still recorded each time a user browses through the drive.
Folder history is recorded for any folder viewed on screen, together with the dates and times it was viewed. Examiners use this artifact to determine where on a computer or drive a user has navigated.
Registry: The framework of Windows. The Registry stores hundreds of thousands of values that help Windows run. This includes a wealth of system and user information. Data stored within the Registry is commonly used to build USB device history, MRUs (most recently used documents), and more. The Registry is broken into components called Hives. Each Hive is responsible for a different aspect of the Windows OS, such as SOFTWARE, SYSTEM, NTUSER.DAT (data about individual users), and SECURITY.
Pagefile.sys: Pagefile.sys is the Windows paging file, also known as the swap file or virtual memory file. It is what Windows uses when it runs out of physical memory (RAM).
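The LNK File entry above describes the target metadata a shortcut records. The following is an added example, not code from the original page: it parses the fixed ShellLinkHeader of a .LNK file and recovers the target's Created, Accessed and Modified timestamps and size; the sample header it parses is constructed, and all of its values are made up.

```python
"""Parse the fixed ShellLinkHeader of a Windows .LNK shortcut.

Added example, not from the original page. When a file is opened, Explorer
writes the target's Created/Accessed/Modified FILETIME stamps and size into
the shortcut header (MS-SHLLINK layout); this reads them back."""
import struct
from datetime import datetime, timedelta, timezone
from typing import Optional

LNK_CLSID = bytes.fromhex("0114020000000000C000000000000046")  # {00021401-...-46}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks: int) -> Optional[datetime]:
    """FILETIME is 100 ns ticks since 1601-01-01 UTC; zero means 'not set'."""
    if ticks == 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def parse_lnk_header(data: bytes) -> dict:
    """Return the target metadata recorded in the 76-byte header."""
    if len(data) < 76:
        raise ValueError("too short to be a .LNK file")
    header_size, clsid = struct.unpack_from("<I16s", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("ShellLinkHeader signature not found")
    flags, attrs, ctime, atime, wtime, size = struct.unpack_from("<IIQQQI", data, 20)
    return {
        "link_flags": flags,
        "has_link_info": bool(flags & 0x02),  # volume ID / local path follow the header
        "file_attributes": attrs,
        "target_created": filetime_to_datetime(ctime),
        "target_accessed": filetime_to_datetime(atime),
        "target_modified": filetime_to_datetime(wtime),
        "target_size": size,
    }


def build_sample_lnk_header() -> bytes:
    """Constructed header (not from a real system) for a 12,345-byte target."""
    stamps = [datetime(2019, 3, 4, 9, 15, 30, tzinfo=timezone.utc),   # created
              datetime(2019, 6, 1, 14, 0, 0, tzinfo=timezone.utc),    # accessed
              datetime(2019, 5, 20, 11, 45, 0, tzinfo=timezone.utc)]  # modified
    body = struct.pack("<IIQQQIIIHHII", 0x03, 0x20, *map(datetime_to_filetime, stamps),
                       12345, 0, 1, 0, 0, 0, 0)  # size, icon, SW_SHOWNORMAL, hotkey, reserved
    return struct.pack("<I", 0x4C) + LNK_CLSID + body
```

The header stamps are the target's timestamps at the time of opening; the LNK file's own file-system created date, which the text points to as the first-open time, comes from the file system rather than from these bytes.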
This section covers most acronyms you’ll encounter within the digital forensic realm.
Sync: The process of sharing data across multiple devices and platforms. Usually, the data will exist in more than one location. Many computers reveal evidence of files that were once synced to them.
File Version: A version of a file at a point in time. Cloud sites like Dropbox will store documents. When a change is made to that document, the new version is saved and the old version remains if file versioning is enabled. Some cloud sites allow us to pull these past versions.
NTFS: New Technology File System. File system for Windows PCs.
FAT: File Allocation Table. The file system for many USB flash drives. Compatible with Windows/macOS/Linux and most devices.
HFS+: Hierarchical File System – File system for macOS.
APFS: Apple File System – The new macOS file system released with macOS “High Sierra” version 10.13. APFS caused many forensic difficulties on release because of its new file system structure. Most tools are slowly building support. The only way to image an APFS Mac is through MacQuisition. The only way to parse it is through BlackBag’s BlackLight. APFS Macs will provide the most limited forensic value until analysis methods and technology catch up.
.E01: Disk image file used by almost every forensic tool. Compressed.
.DD: DD image file – uncompressed. Often the result of older forensic tools or command line created images.
.AD1: FTK Imager logical image format seen when creating targeted images or images of folders. Compressed.
.L01: EnCase logical image format seen when creating targeted images or images of folders. Compressed.
.LX01: Newer version of the L01.
.001: DD image. Uncompressed.
MRU: Most Recently Used. An artifact within the Windows Registry that reveals recently accessed documents.
USB: Universal Serial Bus. A standardized technology for attaching peripheral devices to a computer.
VSN: Volume Serial Number. A unique value assigned to identify a volume on a device. A VSN for a flash drive will change when it is formatted. Example: 456B-DE33.
MD5: Hashing algorithm. Commonly used. 16 bytes. 32 hexadecimal digits long.
SHA1: Hashing algorithm. Commonly used. 160 bit. 40 hexadecimal digits long.
SHA256: Hashing algorithm. Commonly used. 256 bit. 64 hexadecimal digits long.
SATA: The connection used on internal drives.
mSATA: Mini SATA. Used in small solid state storage for mostly laptops.
USB-C: New universal connection found in phones, computers, and peripherals.
NAND: Flash memory of a mobile device. The “hard drive” of a mobile device.
HDD: Hard disk drive. Storage used in computers and comprised of moving magnetic components.
SSD: Solid State Drive. Hard drive with solid state storage. No moving parts. Increasingly common and getting cheaper, though currently still somewhat expensive in larger sizes.
IMEI: International Mobile Equipment Identity. A unique 17 or 15 digit code used to identify an individual mobile phone to a network. The IMEI number is unique to the mobile phone.
MEID: Mobile Equipment Identifier. A unique identification code for CDMA mobile devices (Sprint and other non-SIM card carriers). In 2006, MEID replaced ESN.
ESN: Electronic Serial Number. A unique identifier for a mobile device. IMEI and MEID are both different formats of ESN numbers. Most modern smartphones use an IMEI number as an identifier.
OS: Operating System. System software that manages computer hardware and software resources and provides common services for computer programs.
GPS: Global Positioning System – Often used when discussing location based tracking and information from mobile devices.
KB: Kilobyte. 1000 bytes. A text file will be just a few KBs.
MB: Megabyte. 1000 Kilobytes. A word document will be a few MBs. A video recorded on your phone might be a couple of hundred MBs.
GB: Gigabyte. 1000 MBs. 10,000 documents on average.
BIOS: Firmware used to perform hardware initialization during the booting process. Can be accessed by holding a key during the computer’s boot process.
RAID: Redundant Array of Independent Disks. Data storage virtualization technology that combines multiple physical disk drives into one or more logical units for the purposes of data redundancy, performance improvement, or both. Encountered in some environments. Imaged live to prevent errors or issues reassembling the RAID.
VHD: Virtual Hard Disk – one of many formats a virtual machine is stored in.
VMDK: Virtual Machine Disk – another format for virtual machine storage.
VHDX: Hyper-V virtual hard disk – another format for virtual machine storage.
.UFD: Cellebrite extraction file format. A phone extraction is usually stored in .zip format, with an accompanying .UFD file describing the data collection to Cellebrite.
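The .DD/.001 image and MD5/SHA1/SHA256 entries above: a raw image is the device's bytes, often split across numbered segment files, and its recorded hashes only match when the segments are hashed in order as one stream. The following is an added example, not code from the original page or from any forensic tool; the segment contents it checks are constructed.

```python
"""Verify a split raw disk image (.001, .002, ...) against recorded digests.

Added example, not from the original page. Segments are hashed as one ordered
stream; hashing each segment file separately yields values that match nothing
in the imaging log. SAMPLE_SEGMENTS is constructed, not a real image."""
import hashlib
import hmac
from typing import Dict, List, Tuple

# Digest lengths in hex characters, as listed in the glossary above.
HEX_DIGITS = {"md5": 32, "sha1": 40, "sha256": 64}


def hash_segments(segments: List[bytes],
                  algorithms: Tuple[str, ...] = ("md5", "sha1", "sha256")) -> Dict[str, str]:
    """Hash the segments as one contiguous byte stream, in the order given."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in segments:          # in practice: read each .00N file in sequence
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(segments: List[bytes], recorded: Dict[str, str]) -> Dict[str, bool]:
    """Compare computed digests with the values the imaging tool recorded.

    Recorded values are lower-cased (tools differ in case) and length-checked
    first, so a truncated or mistyped log entry is reported as a mismatch."""
    known = tuple(name for name in recorded if name in HEX_DIGITS)
    actual = hash_segments(segments, known)
    results = {}
    for name, value in recorded.items():
        value = value.strip().lower()
        if name not in HEX_DIGITS or len(value) != HEX_DIGITS[name]:
            results[name] = False
            continue
        results[name] = hmac.compare_digest(actual[name], value)
    return results


# Constructed sample: three segments standing in for image.001, .002 and .003.
SAMPLE_SEGMENTS = [b"\x00" * 512 + b"MBR", b"partition data " * 40, b"trailing sectors"]
```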