DownTown Data Recovery

Tools & Procedures

Forensic Investigation Software Tools

A wide range of computer forensic software is used in our work. DownTown Data Recovery uses licensed, commercially available software, and the work we do with these tools is documented so that it can be replicated and verified by others to confirm our findings. Among the key tools we own and use for analysis are Guidance EnCase, Magnet Axiom, FTK, Splunk and Internet Evidence Finder.

In addition to these core tools, a number of utilities are used for specialized tasks: WinHex from X-Ways Software or DataLifter for data carving, Web Historian from Mandiant for Internet history review, and Event Log Explorer from FSPro Labs or Log Parser from Microsoft for the analysis of system logs and network data files.

Forensic Collection Software Tools

Forensic images are made with EnCase, FTK Imager, Magnet Acquire or Unix dd in most cases. In all cases hash values are computed for both the source media and the image: the two are compared to confirm that the image matches the original data, and the image hash is recorded so that any later change to the image file can be detected.
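The acquire-and-hash step described above, shown as an added example that is not the firm's own procedure or script. It assumes GNU coreutils (dd, sha256sum, awk) on Linux; the "drive" is a constructed file standing in for a write-blocked device such as /dev/sdb, and the file names are illustrative. The script images the source with dd, hashes both sides, records the hashes beside the image, then shows that re-verifying the untouched image succeeds while a copy with one appended byte fails.

```shell
#!/bin/sh
# Added example: dd imaging with source/image hashing and later re-verification.
# Assumptions: GNU coreutils (dd, sha256sum, awk). Paths and names are illustrative.

# Print the SHA-256 of a file as a bare hex string.
hash_file() {
    sha256sum "$1" | cut -d' ' -f1
}

# Image $1 into $2 and write "$2.sha256" holding the source and image hashes.
# Returns 0 only if the image hash equals the source hash.
# Caveat: conv=noerror,sync zero-fills unreadable blocks and pads a short final
# block, so on media with read errors the image hash legitimately differs from
# the source hash; the recorded image hash is still what protects the image file.
acquire() {
    src="$1"; img="$2"
    dd if="$src" of="$img" bs=4096 conv=noerror,sync 2>/dev/null
    src_hash=$(hash_file "$src")
    img_hash=$(hash_file "$img")
    printf 'source %s\nimage %s\n' "$src_hash" "$img_hash" > "$img.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# Recompute the image hash and compare it with the recorded one. Returns 0 if unchanged.
verify() {
    img="$1"
    recorded=$(awk '$1 == "image" { print $2 }' "$img.sha256")
    [ "$(hash_file "$img")" = "$recorded" ]
}

# --- Demonstration on constructed data ---
WORK=$(mktemp -d)
SRC="$WORK/drive.bin"        # constructed stand-in for /dev/sdX behind a write blocker
IMG="$WORK/evidence.dd"

# 256 KiB of random data: a whole number of 4096-byte blocks, so sync adds no padding.
dd if=/dev/urandom of="$SRC" bs=4096 count=64 2>/dev/null

if acquire "$SRC" "$IMG"; then
    echo "acquisition OK: image hash matches source ($(hash_file "$IMG"))"
fi
verify "$IMG" && echo "verify OK: image unchanged"

# Simulate the image being altered after acquisition: one byte appended to a copy.
cp "$IMG" "$WORK/tampered.dd"
cp "$IMG.sha256" "$WORK/tampered.dd.sha256"
printf 'X' >> "$WORK/tampered.dd"
verify "$WORK/tampered.dd" || echo "verify FAILED on tampered copy (expected)"

echo "work dir: $WORK"
```

The recorded hash file is the artifact that travels with the image and is cited on the chain-of-custody form; anyone can re-run the verify step on the image alone, without access to the original media.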

The traditional industry method of imaging is to remove the hard drive from the subject PC and attach it to a write-block device or hardware imaging tool. The drive is then read by the examination PC without modifying the original. DownTown Data Recovery uses write-block hardware from Digital Intelligence and WiebeTech; different write-blockers handle different drive interfaces, including IDE, SATA, USB and four SCSI variants.

Other methods are often needed to create the forensic image. There are cases where it is not practical or not possible to remove the hard drive from a computer, and modern solid state drives ("SSD"), cloud collections, mobile devices, system memory and servers often require the device being collected to be running in its natural state while the collection is made. In these cases we use a variety of techniques and tools, including bootable forensic environments such as Helix, Raptor, MacQuisition or Paladin, and live acquisition software such as FTK Imager and Magnet Acquire.

Evidence Handling Procedures

At DownTown Data Recovery, LLC we follow strict procedures on the collection of forensic images and the handling of potential evidence files.   Our “chain-of-custody” forms and practices are based on the recommendations of the U.S. Department of Justice in their publication Forensic Examination of Digital Evidence: A Guide for Law Enforcement.

Contact Us:

(212) 380-3314

  • P.O. Box 355
  • Narrowsburg, NY 12764