Brian Carrier •
Digital Forensics Tools
General purpose forensics tools versus specialized digital forensics tools.
You know the difference.
We’re going to cover that in this video.
Hi, I’m Brian Carrier from Cyber Triage and Basis Technology.
We recently covered this topic in a blog post on cybertriage.com.
I started to use these topics when people asked me how Cyber Triage and Autopsy were different.
Autopsy is a general-purpose digital forensics tool because it can be used for lots of investigation types as long as a user knows where to look.
Cyber Triage is a specialized digital forensics tool and focuses only on intrusion investigations.
By being narrowly focused, it can do lots of analytics for you and help you find the evidence faster.
This video dives into it more.
Let’s start with the basics.
Digital investigators are tasked with answering a set of investigative questions, and different types of data are needed depending on the question. For example, many law enforcement investigations may rely on communications data.
Child Exploitation cases may rely heavily on videos and pictures, and intrusion cases may focus more on user logins and malware.
The role of your software is to give you access to that data so you can view and find the evidence.
The tools will often parse filesystems, memory and file formats to allow you to get access to the internal data.
They provide search and analytical features to help you focus on relevant data first, and they’ll give you display options, either in a generic way such as hex or in more detailed views such as movie playback.
To be effective, your tools need to give you access to that data, so you can answer those questions you’ve been set out to answer.
The key difference between general-purpose and specialized forensics tools is how focused they are on your investigation.
Both types can be used for given types of investigations, but the specialized tool is going to do more of the work for you.
A general-purpose forensics tool will focus on the basics like parsing and displaying data, and they rely on you to figure out what kinds of data are relevant to the investigation and what kinds of values make it anomalous and suspicious.
These tools are designed to help you with nearly every kind of investigation, as long as you know where to look.
A specialized digital forensics tool is focused on certain kinds of investigations, and they’re pre-programmed to answer certain kinds of questions.
They’ll have the parsing and UI display features, but they’ll also have analytics to help focus on the types of data that are relevant for you and to bubble them up amongst the thousands of items that are not relevant.
Therefore they require less of your work because they’re doing some analytics for you.
The easiest analogy is a Swiss army knife versus a power tool.
Swiss Army knives have knives, scissors, screwdrivers, corkscrews, and much more.
You could probably build a house if you have one of the knives with a saw on it, but it’s gonna take you a while.
Your house will be completed much faster if you have specialized saws and drills that were made to build a house.
General-purpose forensics tools are the most popular category of tools out there, and many of the common tools exist here, such as Magnet Axiom, EnCase, Cellebrite and Autopsy.
Let’s look at some pros and cons of these. On the pro side, they give you basic coverage of all kinds of investigations, and they could be the only option for some kinds of investigations.
On the other hand, they require the user to have extensive training on where to look and what they’re looking for, and critical data could be missed if the user forgets to look for it.
In our toolset, Autopsy is a general-purpose tool.
It supports a wide range of file systems for computers and mobile devices.
If your investigation relies on geo coordinates, there are KML, GPS and EXIF modules to pull that data out and map viewers for you.
If your investigation relies on web artifacts, there are modules for common browsers and a UI to display that.
If it relies on pictures, there’s EXIF and object detection and hash set modules for that.
The key point though is you have to know which modules to enable or disable.
Autopsy is used around the world for a variety of investigation types by users who know what they should be looking for to answer their investigative questions.
For example, you’ll need to review the communications websites to know if they’re relevant.
There are fewer specialized end-to-end forensics tools.
The most obvious one that comes to mind is Cyber Triage, which collects and analyzes artifacts needed for intrusions.
There’s Volexity’s Surge and Volcano, which specialize in memory analysis to answer questions about intrusions.
And there are other solutions which focus more on specific investigative questions that are integrated into solutions,
such as Project VIC, which focuses on questions around child exploitation cases.
There are IOC scanners that answer questions about known indicators of compromise, but not necessarily new variants in intrusion investigations.
And a bunch of incident response collection tools that are specialized on the collection part of an investigation and focused on intrusion questions.
But they don’t do the analysis; they’re just going to give you some artifacts to start looking at, and it’s up to you to go through and figure out which ones are suspicious or anomalous.
Now I think most of these tools are focused on intrusions because these kinds of cases have the most complexity and the biggest scale. Intrusion investigations can impact dozens or hundreds of computers, and attackers are constantly changing their techniques to evade detection.
This makes automation and specialization critical.
So, the pros and cons.
The first pro of specialized tools is their speed.
You can more quickly focus on the relevant data because the software is doing the analytics without user intervention.
Second is comprehensiveness: you can collect and process more data because the computer is doing the analysis, often in parallel, and it can be updated to know where to collect data from and how to analyze it.
Now there are always cons.
The downside of specialized tools is they may not work for all your investigation types. Consultants and law enforcement have to do a wide variety of investigation types, and those specialized tools may not be available for a new kind of investigation or something you do rarely on the side.
So in our toolset, Cyber Triage is a specialized digital forensics tool.
It collects only artifacts and files that are likely to be relevant as part of the intrusion and then it scores and analyzes those artifacts to identify the ones that are likely relevant.
The ones that are scored as bad or suspicious are more likely to be involved with an intrusion, and you can start there instead of with tens of thousands of artifacts that probably aren’t relevant.
For most of our users, Cyber Triage will shave off hours of their investigation and let them more quickly focus on the artifacts that are relevant.
But as we pointed out, Cyber Triage is not going to be useful for all kinds of investigations.
If you’re doing child exploitation or some other kind of, you know, traditional communications or other kinds of cases, right?
Cyber Triage is not going to focus on that.
It’s focused on user accounts, lateral movement and malware on a system.
So what should be in your toolkit?
Unless you’re on a team with a single mission, such as if you’re in a security operations center, you should probably have a combination of general-purpose and specialized tools.
For example, a general-purpose forensics tool focused on computers and laptops, maybe a general-purpose tool for cell phones, and then specialized tools for the investigations that you do most commonly and that are the most time-consuming, such as intrusions.
As datasets become bigger and investigations rely on access to more kinds of data, the need for specialized tools and automation becomes critical and much more obvious, especially when you consider the complicated data types associated with intrusions.
So to get back to the original question, the main difference between Autopsy and Cyber Triage is that Autopsy is a general-purpose tool and Cyber Triage is a specialized tool focused on intrusions.
Both serve critical roles in the examiner’s toolbox.