Continuing our discussion from Introduction to BackTrack as computer/digital forensic tools, part I, in this part we will try to dig into how much potential BackTrack has as a source of computer/digital forensic tools. BackTrack is a Linux distro that puts many kits into one vessel and lets them work together; this is an advantage of BackTrack that no other distro has. Talking about computer/digital forensic tools, we also have to classify the tools into different parts according to their use. After reading some articles on the same topic, I found that many of them classify computer/digital forensics into five major classifications, that is:
- Data Acquisition
- Data Recovery and Carving
- Metadata Analysis
- Network Forensic
- Log File Analysis
Looking at the five major classifications of digital forensic tools above, we can agree that BackTrack 4 has candidates to meet every requirement; let us peel them off one by one.
Data Acquisition
Data acquisition is the set of applications responsible for interrogating a hard drive and getting the necessary information from it. In this field we have particular jobs such as making an identical copy of the hard drive and then analysing the copy without ruining the original evidence, and doing file system interrogation jobs whether the file system is NTFS, FAT, EXT3 or another. To do data acquisition jobs in BackTrack we have applications such as the Advanced Forensic Format Library (afflib), Automated Image and Restore (air-imager), dd, dcfldd, lsof, Guymager, acidlab, and RDA. All of the applications mentioned can be installed using the BackTrack package manager.
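The core of the acquisition job described above is a block-by-block copy of the source with a hash computed on the way through, so the image can be proven identical to the original and re-checked before every later analysis. The following is an added example written for this article, not code from BackTrack or from any of the tools named above; it does in plain Python what a `dd`/`dcfldd` run followed by a hash comparison does. The source "device" is a constructed file in a temporary directory, and the names `acquire_image`, `verify_image` and `demo` are this example's own.

```python
import hashlib
import os
import tempfile

BLOCK_SIZE = 4096  # bytes per read, the same idea as dd's bs= option


def sha256_of_file(path):
    """Hash a file in blocks so very large images never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def acquire_image(source_path, image_path):
    """Copy the source block by block, opened read-only, hashing the bytes as they
    pass through (the idea behind dcfldd's hash= option), then re-hash the written
    image and compare. Returns both digests and whether they agree."""
    digest = hashlib.sha256()
    copied = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK_SIZE), b""):
            digest.update(chunk)
            dst.write(chunk)
            copied += len(chunk)
    source_sha256 = digest.hexdigest()
    image_sha256 = sha256_of_file(image_path)
    return {
        "bytes": copied,
        "source_sha256": source_sha256,
        "image_sha256": image_sha256,
        "verified": source_sha256 == image_sha256,
    }


def verify_image(image_path, expected_sha256):
    """Re-check, e.g. before each analysis session, that the image still matches
    the digest recorded at acquisition time."""
    return sha256_of_file(image_path) == expected_sha256


def demo():
    """Constructed evidence: a fake 'device' whose size is not a multiple of
    BLOCK_SIZE, so the final partial block must be copied and hashed too."""
    with tempfile.TemporaryDirectory() as workdir:
        device = os.path.join(workdir, "sdb.raw")  # constructed source, stands in for /dev/sdb
        image = os.path.join(workdir, "sdb.dd")    # image file written by acquire_image
        with open(device, "wb") as f:
            f.write(b"\x00" * BLOCK_SIZE * 2 + b"FAT32 boot sector (constructed) " * 10)
        report = acquire_image(device, image)
        intact = verify_image(image, report["source_sha256"])
        # Simulate the image being touched after acquisition: a single byte flipped.
        with open(image, "r+b") as f:
            f.seek(BLOCK_SIZE)
            f.write(b"\x01")
        tampered_still_verifies = verify_image(image, report["source_sha256"])
        return report, intact, tampered_still_verifies


if __name__ == "__main__":
    report, intact, tampered = demo()
    print(report)
    print("image intact after acquisition:", intact)
    print("tampered image still verifies:", tampered)
```

The last step of `demo` is the point of recording the hash at all: a single changed byte anywhere in the image makes `verify_image` fail, which is what lets the examiner show the copy analysed is the copy acquired.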
Data Recovery and Carving
The data recovery tools are the set of applications responsible for getting erased data back, analysing hidden and erased partitions, and fixing broken blocks of a file system. Data carving is extracting data (files) out of undifferentiated blocks (raw data) for the purpose of file identification. In BackTrack we have applications like ddrescue, foremost-menu, scalpel, Xplico, allin1, and autopsy to do data recovery and carving.
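Carving, as the paragraph defines it, works without any file system at all: the carver scans raw bytes for a known file header and the matching footer, and cuts out everything in between. The following is an added example written for this article, not code from foremost or scalpel; it implements that header/footer scan over a constructed raw block that contains one complete JPEG, one complete PNG and a JPEG header whose footer was overwritten (a truncated file, which must be skipped rather than carved to the end of the disk). The signature table, `carve`, `extract` and `build_sample_disk` are this example's own.

```python
# Header/footer signatures in the spirit of a foremost/scalpel configuration:
# file type -> (header bytes, footer bytes, maximum carve size in bytes)
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 10 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 10 * 1024 * 1024),
}


def carve(raw, signatures=SIGNATURES):
    """Scan undifferentiated bytes for known headers and the matching footer.
    Returns (type, offset, length) for every complete hit, sorted by offset.
    A header with no footer within max_size (a truncated file) is skipped."""
    hits = []
    for ftype, (header, footer, max_size) in signatures.items():
        pos = 0
        while True:
            start = raw.find(header, pos)
            if start == -1:
                break
            limit = min(len(raw), start + max_size)
            end = raw.find(footer, start + len(header), limit)
            if end == -1:
                pos = start + 1  # truncated: keep scanning past this header
                continue
            end += len(footer)
            hits.append((ftype, start, end - start))
            pos = end            # resume after the carved file
    return sorted(hits, key=lambda hit: hit[1])


def extract(raw, hits):
    """Write-out step: name each carved object by its offset, the way foremost
    names files in its output directory."""
    return {"%08d.%s" % (offset, ftype): raw[offset:offset + length]
            for ftype, offset, length in hits}


def build_sample_disk():
    """Constructed raw block: slack, a complete JPEG, a complete PNG, and a JPEG
    header whose footer was overwritten (must not be carved)."""
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-body" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR-body" + b"IEND\xaeB`\x82"
    truncated = b"\xff\xd8\xff" + b"truncated"
    return b"\x00" * 100 + jpg + b"A" * 50 + png + b"\x00" * 30 + truncated


if __name__ == "__main__":
    disk = build_sample_disk()
    found = carve(disk)
    for name, data in extract(disk, found).items():
        print(name, len(data), "bytes")
```

The `max_size` limit matters on a real disk: without it, a header whose footer is gone would be paired with the next footer of that type anywhere later on the drive, producing one huge bogus file instead of a skipped fragment.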
Metadata Analysis
Metadata analysis is looking for the hidden variables behind a file and its data. To do metadata analysis we need applications that can do activities like disassembling a file (document/image/audio/video) and getting hidden variables such as when the file was last accessed, when it was modified, or something like when the file was created and with what tool it was created. Looking for metadata analysis tools in BackTrack, we have an application called libtsk1, vinetto, and also image and video editors (GIMP, F-Spot, Audacity).
Network Forensic
Network forensic tools are not much different from network security programs, because they share the same algorithms even when we reverse engineer them. Network forensic tools cover jobs like analysing network traffic, capturing the data transmitted as part of TCP connections (flows) and storing it in a way that is convenient for protocol analysis or debugging, identifying network errors, and sniffing and logging network activity on various ports (telnet, ssh, imap, pop3, smtp), and many more. This part is the specialisation of BackTrack: we have many network security/network forensic tools in this distro that can be used, among them netcat, netflow, tcpdump, kismet, wireshark, and a great deal more.
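Capturing "the data transmitted as part of TCP connections (flows)" means more than saving packets: the segments of each direction of a conversation have to be put back in sequence order, with retransmissions dropped and holes marked, before the stream is readable for protocol analysis. The following is an added example written for this article, not code from tcpdump, wireshark or any other tool named here; it reassembles flows from a constructed list of packet records of the form (src, sport, dst, dport, seq, payload), which stands in for what a capture tool would hand over per segment. The records, `reassemble_flows` and `flows_by_port` are this example's own.

```python
from collections import defaultdict

# Constructed packet records, the fields a capture tool gives us per TCP segment:
# (src_ip, src_port, dst_ip, dst_port, tcp_seq, payload_bytes)
PACKETS = [
    ("10.0.0.5", 40000, "10.0.0.9", 80, 1000, b"GET / HTTP/1.0\r\n"),
    ("10.0.0.5", 40000, "10.0.0.9", 80, 1036, b"\r\n"),                   # arrives early
    ("10.0.0.5", 40000, "10.0.0.9", 80, 1016, b"Host: example.test\r\n"),
    ("10.0.0.5", 40000, "10.0.0.9", 80, 1016, b"Host: example.test\r\n"),  # retransmission
    ("10.0.0.9", 80, "10.0.0.5", 40000, 5000, b"HTTP/1.0 200 OK\r\n\r\n"),
    ("10.0.0.9", 80, "10.0.0.5", 40000, 5019, b"hello"),
    ("10.0.0.7", 51000, "10.0.0.9", 25, 1, b"EH"),
    ("10.0.0.7", 51000, "10.0.0.9", 25, 5, b"mail.test\r\n"),             # bytes 3-4 never captured
]


def reassemble_flows(packets):
    """Group segments by (src, sport, dst, dport) and rebuild each direction's byte
    stream in sequence order: duplicates are dropped, overlaps trimmed, and a hole in
    the sequence space is marked in the output rather than silently closed."""
    segments = defaultdict(dict)  # flow key -> {seq: payload}
    for src, sport, dst, dport, seq, payload in packets:
        # setdefault keeps the first copy seen, so a retransmission is ignored
        segments[(src, sport, dst, dport)].setdefault(seq, payload)
    flows = {}
    for key, segs in segments.items():
        stream, expected, gaps = b"", None, 0
        for seq in sorted(segs):
            chunk = segs[seq]
            if expected is not None:
                if seq > expected:
                    gaps += 1
                    stream += b"[%d bytes missing]" % (seq - expected)
                elif seq < expected:
                    chunk = chunk[expected - seq:]  # overlap: keep only the new bytes
            stream += chunk
            expected = max(expected or 0, seq + len(segs[seq]))
        flows[key] = {"data": stream, "gaps": gaps}
    return flows


def flows_by_port(flows, port):
    """Select the conversations touching a service port (80, 25, 110, ...)."""
    return {key: flow for key, flow in flows.items() if port in (key[1], key[3])}


if __name__ == "__main__":
    for key, flow in reassemble_flows(PACKETS).items():
        print("%s:%d -> %s:%d  gaps=%d" % (key + (flow["gaps"],)))
        print("   ", flow["data"])
```

Marking the hole explicitly is the forensic choice here: a stream with two bytes quietly missing would read as a complete SMTP greeting and could be misinterpreted, whereas `gaps=1` tells the examiner the capture itself was incomplete.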
Log File Analysis
There are components of files that may have evidentiary value, including the date and time of creation, modification, deletion and access, the user name or identification, and file attributes. Computer-created files (logs) which can be potential evidence are backup files, log files, configuration files, printer spool files, cookies, swap files, hidden files, system files, history files, temporary files, link files, and event logs. Every application program in every computing job always makes a log file, which can be perfect evidence if we dig correctly. To do such log analysis jobs in BackTrack we have applications such as Anteater, wflogs, sma, nulog, AWStats, galleta-menu, and maltego.
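"Digging correctly" through a log means parsing the lines into events and then asking a question of them, rather than reading them top to bottom. The following is an added example written for this article, not code from Anteater, wflogs or any other tool named above; it parses a constructed excerpt of an sshd authentication log into events, counts failed logins per source, and flags a source that reaches a failure threshold and then succeeds, which is the trace a password-guessing run leaves behind. The log lines, the addresses in them, `parse_auth_log` and `analyze_auth_log` are all this example's own.

```python
import re
from collections import defaultdict

# Constructed /var/log/auth.log excerpt in the syslog format OpenSSH's sshd uses
SAMPLE_AUTH_LOG = """\
Nov 20 10:15:01 lab sshd[2201]: Failed password for invalid user admin from 192.0.2.7 port 51234 ssh2
Nov 20 10:15:03 lab sshd[2203]: Failed password for root from 192.0.2.7 port 51236 ssh2
Nov 20 10:15:05 lab sshd[2205]: Failed password for root from 192.0.2.7 port 51238 ssh2
Nov 20 10:15:08 lab sshd[2207]: Accepted password for root from 192.0.2.7 port 51240 ssh2
Nov 20 10:16:00 lab sshd[2210]: Failed password for alice from 198.51.100.3 port 40001 ssh2
Nov 20 10:17:00 lab sshd[2212]: Accepted publickey for alice from 198.51.100.3 port 40002 ssh2
Nov 20 10:17:30 lab CRON[2215]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")


def parse_auth_log(lines):
    """Yield one dict per sshd authentication event. Lines that are not sshd
    auth events (cron, pam session noise) are skipped, not guessed at."""
    for line in lines:
        match = AUTH_RE.match(line)
        if match:
            yield match.groupdict()


def analyze_auth_log(lines, threshold=3):
    """Count failures per source address and flag any source that reaches the
    threshold and afterwards logs in successfully."""
    failures = defaultdict(int)
    users_tried = defaultdict(set)
    suspicious = []
    for event in parse_auth_log(lines):
        src = event["src"]
        if event["result"] == "Failed":
            failures[src] += 1
            users_tried[src].add(event["user"])
        elif failures.get(src, 0) >= threshold:
            suspicious.append({
                "source": src,
                "failures": failures[src],
                "users_tried": sorted(users_tried[src]),
                "success_as": event["user"],
                "at": event["ts"],
            })
    return {"failures": dict(failures), "suspicious": suspicious}


if __name__ == "__main__":
    report = analyze_auth_log(SAMPLE_AUTH_LOG.splitlines())
    print("failed logins per source:", report["failures"])
    for hit in report["suspicious"]:
        print("suspicious:", hit)
```

A single mistyped password (198.51.100.3 in the sample) stays below the threshold and is not reported; the value of the threshold is a tuning decision for the environment, and the event list returned by `parse_auth_log` is what the examiner keeps regardless, since it is the evidence the flag was derived from.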
Eventually we have finished our discussion of the introduction to BackTrack as computer/digital forensic tools. Looking back at our earlier conclusion, we now really agree that BackTrack Linux has the potential resources to be a reliable digital forensic tool. On another occasion we will discuss the applications above one by one to get a clear explanation of how to set them up and use them wisely.