Jan 5, 2023 2 min read

Building a Forensic Toolkit

A toolkit for digital forensics on computers and mobile devices can be designed in various ways, depending on the operating environment you plan to work in. For example, in a military environment it may be necessary to extract digital forensic data quickly, and the investigator may also need to carry the hardware on their person, so it must be lightweight and mobile. The types of devices being analyzed will also determine the specific requirements of the toolkit: extracting media from iOS devices differs from Android devices, and both differ from the older-generation mobile devices commonly used in foreign countries.

Any forensic toolkit should contain both software and hardware tools for media extraction, preservation, and evidence handling. If computer hardware and mobile devices will be examined, the following software tools are needed. First, a tool to capture a disk image from computer devices; this can be any memory extraction tool such as Autopsy or FTK Imager. I would prefer FTK Imager as it has a better user interface and seems more intuitive. There are other tools on the market at varying cost, such as the SANS Digital Forensics Toolkit or the Computer Aided Investigative Environment (CAINE). All of these options are commonly used by law enforcement and professionals in the field.

For mobile forensics, it would be ideal to acquire the Cellebrite UFED, a full-stack mobile forensics toolkit that can accomplish almost any task needed, including brute-force password cracking on smartphones. However, this tool is quite expensive and may not be available to all users. In that case there are numerous cheap and free tools that can be downloaded online to accomplish similar tasks. For example, ANDRILLER, which can be downloaded from GitHub, allows users to brute force Android devices and extract volumes of data from them. Additionally, Magnet Acquire and Magnet RAM Capture allow users to extract data from iOS devices and other removable media devices.

As for hardware, the investigator will need computers and mobile power sources to conduct media extraction in the field. The kit will also need a wide array of cables for both computers and mobile devices, including various USB cables, Lightning cables, and network cables. The toolkit will also need to include tools for proper evidence handling, preservation, and documentation, such as labels, evidence bags, digital cameras, gloves, and portable lighting.
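As an added example of the preservation and documentation step (not code from the original post): a small Python script that records the hash of an image captured with a tool such as FTK Imager in a manifest, then re-verifies the image later so any alteration is detected. The file names, examiner and case identifiers are constructed placeholders.

```python
"""Evidence integrity manifest: hash an acquired image, record it, re-verify later."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read the image in 1 MiB chunks so large images fit in memory


def hash_file(path, algo="sha256"):
    """Stream a file through the chosen hash and return its hex digest."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(image_path, manifest_path, examiner, case_id):
    """Record who acquired what, when, and the image's hashes (chain-of-custody entry)."""
    entry = {
        "case_id": case_id,
        "examiner": examiner,
        "image": os.path.basename(image_path),
        "size_bytes": os.path.getsize(image_path),
        "sha256": hash_file(image_path, "sha256"),
        "md5": hash_file(image_path, "md5"),  # second algorithm, as many tools report both
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
    }
    with open(manifest_path, "w") as f:
        json.dump(entry, f, indent=2)
    return entry


def verify_image(image_path, manifest_path):
    """Return (ok, expected_sha256, actual_sha256); ok is False if the image changed."""
    with open(manifest_path) as f:
        expected = json.load(f)
    actual = hash_file(image_path, "sha256")
    return actual == expected["sha256"], expected["sha256"], actual


def demo():
    """Constructed sample: a stand-in 'disk image' verified before and after tampering."""
    d = tempfile.mkdtemp()
    img, man = os.path.join(d, "sample.dd"), os.path.join(d, "sample.json")
    with open(img, "wb") as f:
        f.write(b"\x00" * 4096 + b"constructed disk image")
    write_manifest(img, man, "examiner-placeholder", "CASE-0000")
    ok_before = verify_image(img, man)[0]
    with open(img, "r+b") as f:  # simulate a single-byte alteration of the image
        f.seek(512)
        f.write(b"X")
    ok_after = verify_image(img, man)[0]
    return ok_before, ok_after  # (True, False)
```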
