I am often asked about my success stories in the Forensic environment. Most frequent question is What tools are you using and the financial implications of obtaining such tools?
Well, first of all, I am the non-profit type. Therefore, with a HEX editor I can obtain quite a lot of information from a media submitted to me for examination.
Second, I am very lazy. I research what is available and not re-invent the wheel. Where possible, I will compile my own automated scripts (bash, perl, etc) to fast-track my examinations. I prefer to utilise Open Source applications. Here, I stay in touch with the community and is not bound to commercial and vendor specific applications.
Thirdly, I am not a mooosher – someone who press buttons or follow Icons to generate nice impressive graphs and reports. I enjoy most of my work in command level and produce facts. It is very important to understand what one is doing during a forensic examination. After an examination of a system or network, one have to explain to a non-technical person where, when and how the evidence was found.
For live and network forensic examinations one should consider BACTRACK as the optimal toolbox. Backtrack is based on top of slackware/SLAX. Their main focus is penetration and network security testing. It contains an extensive collection of tools, including a South African tool I often use, know as Maltego.
Yes, known tools such as the Sleuthkit and Autopsy and others are included in Backtrack. It is worth while to take their course and examination. One can install it as a full functional operating system and add other applications as needed.
The best tool for First Responders is HELIX. HELIX is based on customised distribution of the Knoppix Live CD. It is likely the best data forensics Live CD distro out there to date. An excellent beginners guide in PDF is on the site, as well as user support forums.
For standalone computer forensics I should mention the Digital Evidence & Forensic Toolkit (DEFT) by Stefano Fratepietro. It is a very stable forensics Live CD distro built on top of Kubuntu.
It contains the Sleuth kit & Autopsy frontend, the afflib Advanced Forensic Format tools, dd rescue, foremost, hex dump, ophcrack – a windows password recovery tool, qtparted, testdisk, vinetto, readpst, kismet, wireshark, ettercap, airsnort, and other network sniffers.