Forensic Tools – SY0-601 CompTIA Security+ : 4.1

Some IT security investigations will require additional forensics. In this video, you’ll learn about memdump, WinHex, FTK imager, Autopsy, and more.

If you’ve ever imaged a drive or a partition in Linux, then you’ve probably used the dd command. The name dd comes from an earlier DD statement on IBM mainframes, which were operated using Job Control Language, or JCL. DD there referred to the data definition statement, which among other things converted between ASCII and EBCDIC on the IBM mainframe.

DD allows you to create a bit-by-bit copy of all of the information that may be on a drive or in a directory. This can obviously be very useful if you need to capture this information in order to perform additional analysis later.

To create a disk image, you run the dd command with the input set to a particular drive or partition and the output set to the image file you want to create. To restore from that image, you simply reverse the process: the image file becomes the input, and the output is the drive or partition where you want the data written.
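The imaging and restore steps described above, driven from Python as an added example (not code from the original page). It uses a constructed 1 MiB file as a stand-in for the source drive so it runs offline; in practice the source would be a device node such as /dev/sdb1 (that path and the 512-byte block size are illustrative assumptions). Hashing the source and the image before and after each dd run is the check a forensic practitioner wants, because the image is only evidence if it is bit-for-bit identical to what was captured.

```python
"""Image a drive or partition with dd, verify it with SHA-256, and restore it.

Added example, not from the original page. A constructed 1 MiB file stands in
for the source drive so this runs offline; on a real system SOURCE would be a
device node such as /dev/sdb1 (assumed, illustrative).
"""
import hashlib
import os
import subprocess
import tempfile


def sha256_of(path: str, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so multi-gigabyte images never need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def dd_copy(src: str, dst: str, bs: int = 512) -> None:
    """Bit-for-bit copy with dd: if= is the input, of= is the output.

    conv=noerror,sync keeps dd running past unreadable sectors and pads them
    with zeros, so a failing drive still produces a full-size image.
    """
    subprocess.run(
        ["dd", f"if={src}", f"of={dst}", f"bs={bs}", "conv=noerror,sync"],
        check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
    )


def image_and_verify(source: str, image: str) -> dict:
    """Image `source` to `image` and record both hashes for the chain of custody."""
    dd_copy(source, image)
    src_hash, img_hash = sha256_of(source), sha256_of(image)
    return {"source": src_hash, "image": img_hash, "verified": src_hash == img_hash}


def restore_and_verify(image: str, target: str) -> bool:
    """Reverse the process: the image becomes if= and the target drive becomes of=."""
    dd_copy(image, target)
    return sha256_of(image) == sha256_of(target)


def demo() -> dict:
    """Build a constructed 1 MiB 'drive', image it, restore it, and verify both steps."""
    work = tempfile.mkdtemp()
    drive = os.path.join(work, "fake_drive.bin")   # constructed stand-in for /dev/sdX
    image = os.path.join(work, "evidence.img")
    restored = os.path.join(work, "restored.bin")
    with open(drive, "wb") as f:
        f.write(os.urandom(1 << 20))               # random bytes, like real disk contents
    result = image_and_verify(drive, image)
    result["restored"] = restore_and_verify(image, restored)
    result["size"] = os.path.getsize(image)
    return result


if __name__ == "__main__":
    print(demo())
```

The image hash recorded by image_and_verify is what you write into the evidence log; anyone who later receives the image file can recompute it and confirm nothing changed in transit.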

If you are performing forensics on a system, you might be interested in what’s on the storage drive. But you might also be interested in gathering what is in memory. To capture that information, you can use the memdump utility. It takes everything in system memory and writes it to a location you specify. This is very useful after the fact, because many third-party forensics tools can read this memory dump file and identify or locate information that is stored in it.

Because you would normally store the memory dump somewhere other than the system being examined, memdump is commonly used in conjunction with Netcat, stunnel, openssl, or a similar tool to send the dump to another host across the network.

Once you have some of these images or memory dumps, you may want to look through a raw representation of those files. And one easy way to do this in Windows is with the WinHex utility. This is a third-party editor that allows you to view information in hexadecimal mode, so you can pull out information that’s located in a file, in memory, in disks that you may have, and be able to not only view, but edit that information as well.

There’s also disk cloning capabilities built into WinHex, so you could copy everything from a file and store it in an image file, or copy it to a separate storage device. You can also perform secure wipes with WinHex, to be sure that all of this information that might be contained within a file will be completely wiped and will not be recoverable with third-party utilities.

And there are other forensics tools inside of WinHex as well. It’s a great utility to have in Windows, and performs many different functions for the security professional.

If you’re using Windows as your forensics platform, then you need some way to capture images from other drives and store them in a format that can be read by other third-party utilities. A utility that is used almost universally for this purpose comes from AccessData. It’s called FTK Imager, and it’s a Windows executable that can mount drives, image drives, and perform file-level operations.

This is also widely supported in many other forensics tools so that you can capture information in FTK Imager, and then use those image files in other utilities on other operating systems.

There’s even the ability built into FTK Imager to read encrypted drives as well. Of course, you would still need the key or the password required to access that encrypted drive. But the ability to decrypt it and reimage it is built into FTK Imager.

It can also save these files into other very common formats. So if you’re using dd, Ghost, or Expert Witness images, FTK Imager can read and write those image formats as well.

Once we’ve taken an image of a storage drive, we’d like to be able to search through that drive to find other pieces of information. A tool that provides this is the Autopsy tool. This is a tool that provides digital forensics of information that is stored on a storage device, or in an image file, and it allows us to view and recover data from these devices as well.

It can view many different kinds of data. So you can search through downloaded files, you can view the browser history on a device, view email messages, identify databases, view graphics files, and so much more.

Here’s an Autopsy output from a drive that I purchased on eBay. The drive was sent to me as a used hard drive. But nothing on the drive had been formatted. So I imaged the drive using FTK Imager, and then I imported that image into Autopsy, which was able to go through the drive and showed me that there were 1,057 images, nine videos, 146 audio files, and more information that it was able to pull out from there.

If I look at the images, I can click on the thumbnails and it can show me the information that was stored on that drive. And it can do that for all of these file types, and identify where any of this information might be. This was very telling because I was able to go through and view web bookmarks, email addresses, emails that were sent on this machine, and I was able to find internal company information that was being sent out and sold to me as a used hard drive.

It may be useful as a security professional to perform your own tests against systems that may be in your environment, and see how vulnerable they might be.

One way to perform these tests is with an exploitation framework. And there are many third-party tools that you can use to be able to perform these exploitations. These tools can be used to create custom attacks, where you build the attack type, and what’s contained within it. And you can add additional tools as more vulnerabilities are found.

These are commonly frameworks that allow you to add additional modules. And as the community finds different vulnerabilities, they’ll create new modules, you’ll be able to download those modules, and use them on your own systems.

A good example of a popular exploitation framework is Metasploit, which includes modules for a large number of known vulnerabilities, and more are added to Metasploit all the time.

Another one is the Social-Engineer Toolkit, which has information that allows for spear phishing, website attack vectors, infectious media generators, and so much more.

In the process of performing these vulnerability checks against a system, or searching through it using our forensics tools, we may run across password files or information that may contain password hashes. If we have that information, we may be able to perform brute force attacks to be able to identify those passwords. And a good way to do that is to use a password cracker.

We can use a cracker as an online tool that sends multiple requests to a device that’s online, trying different passwords with usernames to see if it can find the right combination. But it’s probably more common to use these crackers in an offline mode, where you already have the hash files. If you have the hashes, then you can perform a very high speed brute force to see if you can identify what those passwords might be.

Of course, it can take a great deal of time and resources to be able to perform these brute force attacks, and the amount of time and resources will depend on a number of criteria. One of these characteristics might be the password complexity, or the strength of the password.

If the password is more randomized, then the entropy is higher, and it takes much longer to perform a brute force attack. These password hashes might also have been saved with a hashing algorithm that uses a great deal of CPU cycles, which makes it very difficult to perform a brute force attack. If we have graphics processors, or GPUs, then we can often use the high speed capabilities of that hardware to help with the password cracking process.
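The three factors above (password entropy, guess rate on CPU versus GPU, and the per-guess cost of a slow hashing algorithm) can be put into one cost model. The following is an added example, not code from the original page; the guess rates and the PBKDF2 iteration count are illustrative assumptions rather than measurements of any specific cracker, and the entropy figure is an upper bound that treats the password as random, so a dictionary word scores better here than a real cracker would charge for it.

```python
"""Estimate brute-force cost from password entropy and hash cost.

Added example, not from the original page. Guess rates (1e7 CPU, 1e10 GPU)
and the 100,000 PBKDF2 iterations are illustrative assumptions.
"""
import hashlib
import math
import string

# Character classes used to size the keyspace a brute-force attack must cover.
CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]

CPU_GUESSES_PER_SECOND = 1e7    # assumed: a single CPU against a fast hash
GPU_GUESSES_PER_SECOND = 1e10   # assumed: a GPU rig against a fast hash
PBKDF2_ITERATIONS = 100_000     # assumed defender setting


def keyspace_bits(password: str) -> float:
    """Entropy upper bound: length * log2(alphabet) over the classes actually used.

    This is the defender's best case. It assumes the password was chosen
    uniformly at random, which a dictionary word or a name is not.
    """
    alphabet = sum(len(c) for c in CLASSES if any(ch in c for ch in password))
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def expected_crack_seconds(bits: float, guesses_per_second: float, hash_cost: int = 1) -> float:
    """Average time to hit the password: half the keyspace, each guess costing
    `hash_cost` fast-hash operations (1 for raw MD5/SHA-1, the iteration count
    for PBKDF2). A slow KDF therefore multiplies the attacker's time directly."""
    return (2 ** bits / 2) * hash_cost / guesses_per_second


def pbkdf2_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    """How a defender stores the password: salted, iterated, and therefore slow
    per guess. Same inputs always give the same digest; a different salt changes it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def compare(password: str) -> dict:
    """Same password under three attacker scenarios built from the assumed rates."""
    bits = keyspace_bits(password)
    return {
        "bits": round(bits, 1),
        "cpu_fast_hash_s": expected_crack_seconds(bits, CPU_GUESSES_PER_SECOND),
        "gpu_fast_hash_s": expected_crack_seconds(bits, GPU_GUESSES_PER_SECOND),
        "gpu_pbkdf2_s": expected_crack_seconds(bits, GPU_GUESSES_PER_SECOND, PBKDF2_ITERATIONS),
    }


if __name__ == "__main__":
    for pw in ("abcdefgh", "Tr0ub4dor&3"):          # constructed sample passwords
        print(pw, compare(pw))
```

Run it with a lowercase 8-character password and the GPU figure comes out in seconds while the same password behind 100,000 PBKDF2 iterations comes out in days; that ratio, not the absolute numbers, is the point when you choose a storage algorithm.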

In order to prevent someone like me from purchasing a used drive, imaging the drive, and then running it through forensic software, you can sanitize the drive before you send that to someone else. This is the process of completely removing data, and also making it so that none of that data could be recovered later on.

We would use data sanitization if we wanted to take an entire drive, clean it of anything that might be on it, and then use that drive again internally, or sell it on the open market.

Or we might want to sanitize a single file that’s on our system, making all of that data unrecoverable but leaving everything else on our system intact. Of course, you want to be very careful when you’re using data sanitization tools. Once you delete this information using these tools, there’s no way to recover it later. Unless you have a backup, that data has now been permanently erased.
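The single-file case above, as an added example that is not code from the original page: overwrite the file's blocks in place, force the write to disk, confirm the original contents are gone, and only then unlink it. The sample file and its contents are constructed. One caveat a practitioner needs: this only works where the filesystem overwrites in place on a magnetic disk. On SSDs with wear levelling and on copy-on-write or journaled filesystems the old blocks may survive elsewhere, so for those the reliable routes are whole-device sanitization or full-disk encryption with key destruction.

```python
"""Overwrite a single file before unlinking it.

Added example, not from the original page. Assumes a filesystem that
overwrites in place on a magnetic disk; on SSDs and copy-on-write or
journaled filesystems an overwrite is not a guarantee.
"""
import os
import tempfile


def sanitize_file(path: str, passes: int = 3, chunk: int = 1 << 16) -> dict:
    """Overwrite `path` in place `passes` times with random data, fsync each pass,
    check the contents changed, then unlink. Returns what was verified."""
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        before = f.read()
    # r+b keeps the same inode, so the overwrite lands on the blocks the file already owns
    with open(path, "r+b", buffering=0) as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(os.urandom(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())        # push the overwrite past the page cache to disk
        f.seek(0)
        after = f.read()
    os.remove(path)
    return {
        "bytes_overwritten": size,
        "passes": passes,
        "content_changed": before != after and len(after) == size,
        "still_exists": os.path.exists(path),
    }


def demo() -> dict:
    """Create a constructed sample file holding a recognisable marker and sanitize it."""
    work = tempfile.mkdtemp()
    secret = os.path.join(work, "payroll.csv")   # constructed sample file
    with open(secret, "wb") as f:
        f.write(b"employee,salary\nalice,90000\n" * 1000)
    result = sanitize_file(secret)
    return result


if __name__ == "__main__":
    print(demo())
```

The content_changed check is the difference between a sanitization tool and a plain delete: a normal delete leaves the blocks untouched for the forensic tools covered earlier in the page to recover, which is exactly what happened with the eBay drive described above.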