On nearly any search warrant that involves digital data or cryptocurrency, chances are you will seize a computer, a mobile device, or multiple devices. In most instances a forensic group or team will perform the direct extraction of possible evidence from a computer. These are normally highly trained forensic computer experts who know how to extract data from a computer without compromising it, so that it can be presented as evidence in a prosecution. However, should the task fall upon you to perform, several commercially available forensic tools can assist in analyzing and extracting data. Here is an overview of a few of these tools and their benefits:
- The Magnet AXIOM suite of forensic tools, from Magnet Forensics, recovers the deepest artifact data available and provides the investigator with the most relevant starting point for an investigation. It then allows the investigator to drill down into the digital evidence in the file system to find more data and verify the source location. It can very neatly carve Bitcoin addresses, queries, log files, etc., from a wallet and organize them in an easy-to-read format. Magnet Forensics also offers free, limited-functionality tools to investigators as downloads from its website. You can find out more about this tool and the flexibility and options available at https://www.magnetforensics.com/products/.
- EnCase is a forensic tool that offers decryption capabilities and one of the broadest sets of support features of any forensic solution. Encryption support includes products such as Dell Data Protection, Symantec, McAfee, and many more. You can further expand the decryption power of EnCase Forensic with Tableau Password Recovery — a purpose-built, cost-effective hardware solution to identify and unlock password-protected files. EnCase does not have built-in Bitcoin extraction capabilities, but an EnScript finder is available that can locate Bitcoin addresses on drive images or other media. You can learn more about the EnScript finder and get a free download at https://www.guidancesoftware.com/app/search-for-valid-bitcoin-addresses.
- FTK is a free, downloadable forensic tool that you can use to create images and process a wide range of data types from many sources, from hard drive data to mobile devices, network data, and Internet storage, in a centralized location. It can decrypt files, crack passwords, and build a report, all within a single solution. You can also recover passwords from over 100 applications, access a KFF hash library with over 45 million hashes, and analyze data through advanced, automated analysis without scripting. You can find out more about FTK at https://accessdata.com/products-services/forensic-toolkit-ftk.
- Belkasoft Evidence Center makes it easy for an investigator to acquire, search, analyze, store, and share digital evidence found on computers and mobile devices, in RAM, and in the cloud. The toolkit quickly extracts digital evidence from multiple sources by analyzing hard drives, drive images, cloud data, memory dumps, iOS, BlackBerry, and Android backups, GrayKey, UFED, OFB, Elcomsoft, JTAG, and chip-off dumps. Evidence Center automatically analyzes the data source and lays out the most forensically important artifacts for an investigator to review, examine more closely, or add to a report. A free trial can be downloaded at https://belkasoft.com/ec.
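To make concrete what the address carving described for AXIOM and the "search for valid Bitcoin addresses" EnScript for EnCase do under the hood, here is an added example (not code from any of these vendors or from the original text): it scans raw bytes for Base58 strings shaped like legacy Bitcoin addresses and keeps only those whose Base58Check checksum verifies, which is what separates a real address from look-alike noise in a disk image. The sample buffer is constructed; the genesis-block address in it is a real, publicly known address used as known-good input.

```python
import hashlib
import re

# Base58 alphabet used by Bitcoin (no 0, O, I, l to avoid visual confusion).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
B58_INDEX = {c: i for i, c in enumerate(B58_ALPHABET)}

# Legacy P2PKH ("1...") and P2SH ("3...") addresses are 26-35 Base58 characters.
CANDIDATE_RE = re.compile(rb"[13][1-9A-HJ-NP-Za-km-z]{25,34}")

# Constructed stand-in for a fragment carved from a drive image.
SAMPLE_DUMP = (
    b"\x00\x00constructed wallet fragment: addr=1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa; "
    b"typo=1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb; noise=11111111111111111111111111 \xff\xfe"
)


def b58decode(s: str) -> bytes:
    """Decode a Base58 string; each leading '1' stands for a leading zero byte."""
    n = 0
    for ch in s:
        n = n * 58 + B58_INDEX[ch]          # KeyError on a non-Base58 character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def is_valid_address(candidate: str) -> bool:
    """Base58Check: 1 version byte + 20-byte hash + 4-byte double-SHA256 checksum."""
    try:
        raw = b58decode(candidate)
    except KeyError:
        return False
    if len(raw) != 25:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def carve_addresses(data: bytes) -> list[str]:
    """Return checksum-valid candidates from raw bytes, de-duplicated, in order found."""
    found = []
    for m in CANDIDATE_RE.finditer(data):
        cand = m.group().decode("ascii")
        if is_valid_address(cand) and cand not in found:
            found.append(cand)
    return found


if __name__ == "__main__":
    for addr in carve_addresses(SAMPLE_DUMP):
        print(addr)
```

The regex alone would report the mistyped address and the run of ones as hits; the checksum step is what lets a tool advertise that it finds valid addresses rather than every Base58-looking string.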