Forensic investigations have become the “new normal” as cybercriminals increase their activity at the expense of users and businesses alike. It is sad to admit that cybercrime is set to grow into an estimated $2 trillion black-market industry by next year, 2019, according to Juniper Research. Forensic expertise is now one of the most sought-after skills among IT professionals, next to application development and chip manufacturing. The tools of the trade are typically used in a very isolated environment, such as a USB flash drive with a built-in Linux distro containing forensic tools. This is usually done to isolate the hard drive of the system under investigation.
Windows is not an ideal platform for forensic investigations, as every Windows installation is tied to its hardware. It is not designed as a portable operating system that can run from an external USB flash drive. Writing to the hard drive is a very destructive act in a forensic investigation: the current state of the drive needs to be preserved as much as possible to enable a successful investigation.
However, that does not mean that Windows cannot be used as a forensic investigation platform. The person conducting the checks just needs to be more careful than when examining the target hard drive on a Linux machine. A hard drive connected to a Windows computer receives various writes from the operating system; that is just how Windows works. The moment the drive is connected, a drive letter is assigned and hidden folders supporting the Recycle Bin and the NTFS file structures are written to the newly connected drive.
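The writes described above are exactly what an examiner wants to prevent before attaching evidence to a Windows workstation. The following PowerShell script is an added example, not code from the original article or from any of the tools it lists: it reads and sets the StorageDevicePolicies\WriteProtect registry value (a real Windows setting that makes newly attached USB mass-storage devices read-only), then lists attached USB disks so the read-only state can be confirmed. The function names are my own; the script assumes an elevated session and is run before the evidence drive is plugged in.

```powershell
# Added example (not from the original article). Software write-block for USB
# mass-storage devices via the StorageDevicePolicies policy key.
# Assumption: run as Administrator, before attaching the evidence drive.

$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

# Returns 1 when the write-protect policy is active, 0 otherwise.
function Get-UsbWriteProtect {
    if (-not (Test-Path $keyPath)) { return 0 }
    $v = Get-ItemProperty -Path $keyPath -Name WriteProtect -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 0 }
    return [int]$v.WriteProtect
}

# Creates the policy key if needed and writes WriteProtect as a DWORD.
function Set-UsbWriteProtect([bool]$Enabled) {
    if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
    New-ItemProperty -Path $keyPath -Name WriteProtect -PropertyType DWord `
        -Value ([int]$Enabled) -Force | Out-Null
}

Write-Host "WriteProtect before: $(Get-UsbWriteProtect)"
Set-UsbWriteProtect -Enabled $true
Write-Host "WriteProtect after : $(Get-UsbWriteProtect)"

# After attaching the evidence drive, list USB disks and their read-only flag
# (Storage module, available on Windows 8 / Server 2012 and later).
Get-Disk | Where-Object BusType -eq 'USB' |
    Select-Object Number, FriendlyName, IsReadOnly, IsOffline, PartitionStyle
```

Two caveats: the policy only covers USB mass-storage devices, so a drive attached over SATA or eSATA still needs a hardware write blocker (which remains the standard for evidence handling), and a device that was already mounted when the value changed must be unplugged and reattached for the policy to take effect. If a specific disk still reports IsReadOnly as False, Set-Disk -Number <n> -IsReadOnly $true can be applied to that disk as well.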
Here are a few of the Windows-based digital forensic tools available to Windows users:
A Windows-based application that scans the hard drive for deleted data. It also provides an offline Windows Registry viewer, so users can navigate registry keys from an offline Windows partition (a Windows partition on a secondary drive). Aside from those features, it can play back video and audio recovered from the drive's deleted contents, and extract lost images, browser history and file metadata. A built-in timeline analysis tool shows the sequence of writes to the drive during its previous use, before the forensic analysis.
Encrypted Disk Detector
A Windows-based app that helps reveal encrypted data on a fully encrypted drive. It is compatible with BitLocker, the built-in encryption of Windows Pro and higher, and also supports third-party encryption products such as TrueCrypt, PGP and Safebook encrypted partitions.
This tool is very well known for detecting unwanted and unneeded network traffic. It is the network analyzer of choice for typical IT support professionals and network administrators, and is a multiplatform tool available on Windows, Linux and macOS.
Magnet RAM Capture
A special-purpose tool that captures the contents of the computer's memory into a file. That memory dump can then be analyzed for data recovery and further troubleshooting.
A comprehensive cross-platform packet-sniffing tool used by network professionals to gather information about the computers on a network. It reveals important details such as OS, hostname, sessions and open ports.