Manual vs. Automated Tools for Digital Forensic Analysis

One of the joys of continuing my education is getting to write a mini-article once a week for my fellow students and instructors. I’ve decided to share some of the better ones here. B.

Ok, I admit it. The title is a mouthful, but it was the only way to encapsulate the topic. The discussion post prompt asked:

Would you use automated forensic tools (e.g. FTK Imager, EnCase) to process digital evidence or perform all forensic processes manually? Why or why not? What are some of the pros and cons for using automated forensic tools over manual processing of digital evidence?

As a former software developer, I always get a kick out of questions like this. TL;DR, highly automated GUI-interface tools are only as good as the programmers who wrote them. Additionally, they can actually prevent users from accessing certain things. Less “sophisticated” tools operated from a command line give the user more power, but they also demand more knowledge and skill to be used effectively.

Automated tools like EnCase and FTK are wonderful and powerful. They have nice GUI interfaces and lots of easy-to-run analytical features that can help a forensicator find key evidence and put together a timeline with relative ease. But the information stored in a forensic image of a computer hard drive can be accessed by less sophisticated tools. Ultimately, it’s all there, in 1’s and 0’s, or in hexadecimal, depending on how deeply you’re diving into the data.

But GUI-based applications are not infallible. This is just as true for forensics tools as it is for games, word processors, and web browsers. When software developers create a GUI-interface application, they are essentially pre-programming “recipes” for different kinds of activities that can be executed through other means. The downside is that sometimes these tools miss things they were not programmed to detect, or, conversely, they can return false positives, leading the user to believe something is important when it is not. That’s when it’s nice to have other ways of analyzing things more directly.
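To make the “it’s all there in 1’s and 0’s” point concrete, here is an added example (mine, not code from the original post or from any forensic vendor) that reads the partition table straight out of the first sector of a disk image with nothing more than Python’s standard library. The 512-byte MBR sector is constructed in the script so it runs offline; the partition layout, the deliberate 2048-sector gap between the two volumes, and all offsets are assumptions about a sample, not a real case. The parser checks the 0x55AA boot signature before trusting anything, lists each partition, and reports unallocated sector ranges, which is exactly the kind of place an automated “recipe” can skip over unless it was written to look there.

```python
import hashlib
import struct

SECTOR_SIZE = 512
MBR_SIGNATURE = 0xAA55          # bytes 0x55 0xAA at offset 510, read little-endian
PARTITION_TABLE_OFFSET = 446    # four 16-byte entries live at 446..509
ENTRY_FORMAT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count
PARTITION_TYPES = {0x05: "Extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32",
                   0x83: "Linux", 0xEE: "GPT protective"}


def build_sample_mbr():
    """Constructed sample sector for this example; not taken from any real image."""
    mbr = bytearray(SECTOR_SIZE)
    # Entry 1: bootable NTFS volume at LBA 2048, 204800 sectors (100 MiB)
    mbr[446:462] = struct.pack(ENTRY_FORMAT, 0x80, bytes(3), 0x07, bytes(3), 2048, 204800)
    # Entry 2: Linux volume at LBA 208896, leaving a 2048-sector gap after entry 1
    mbr[462:478] = struct.pack(ENTRY_FORMAT, 0x00, bytes(3), 0x83, bytes(3), 208896, 1024000)
    mbr[510:512] = b"\x55\xAA"  # boot signature
    return bytes(mbr)


def hexdump(data, base_offset=0):
    """Render bytes as offset / hex / ASCII rows: the raw view the post refers to."""
    lines = []
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asciipart = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{base_offset + i:08x}  {hexpart:<47}  {asciipart}")
    return "\n".join(lines)


def parse_mbr(sector):
    """Decode the four primary partition entries after validating the signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a 512-byte sector")
    if struct.unpack_from("<H", sector, 510)[0] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature; not an MBR")
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba_start, count = struct.unpack_from(
            ENTRY_FORMAT, sector, PARTITION_TABLE_OFFSET + 16 * i)
        if ptype == 0x00:           # empty entry
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown"),
            "lba_start": lba_start,
            "sectors": count,
            "lba_end": lba_start + count,   # exclusive
        })
    return partitions


def find_unallocated_gaps(partitions, total_sectors):
    """Return (start, length) sector ranges that no partition entry claims."""
    gaps = []
    cursor = 1  # sector 0 holds the MBR itself
    for p in sorted(partitions, key=lambda p: p["lba_start"]):
        if p["lba_start"] > cursor:
            gaps.append((cursor, p["lba_start"] - cursor))
        cursor = max(cursor, p["lba_end"])
    if total_sectors > cursor:
        gaps.append((cursor, total_sectors - cursor))
    return gaps


if __name__ == "__main__":
    sector = build_sample_mbr()
    # Hash the evidence bytes first so any later read can be checked against them
    print("sha256:", hashlib.sha256(sector).hexdigest())
    print(hexdump(sector[446:512], base_offset=446))
    parts = parse_mbr(sector)
    for p in parts:
        print(p)
    print("unallocated:", find_unallocated_gaps(parts, total_sectors=1232896))
```

Pointing `parse_mbr` at the first 512 bytes of a raw (dd-style) image instead of the constructed sector gives the same result on a real MBR-partitioned disk; the hex dump is what you would compare against the GUI tool’s partition view when the two disagree.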

To help illustrate what I’m talking about, if I am having network connectivity issues on my Windows system at home, I can use the GUI-based Network & Internet dialogs and/or the Network and Sharing Center to troubleshoot and tweak the settings. I can also do the same things using a shell (or terminal) window, or by using PowerShell.

Here is the rub – in order to use PowerShell or a terminal, both of which are command line interfaces (CLIs), I have to know more about what I’m doing. Worse, one wrong character in a command string might just fail harmlessly, or it might break something spectacularly. CLIs are more powerful specifically because they don’t have “training wheels” to keep the user from falling over. As a result, IF I know what I’m doing I can run command strings to tweak and fine tune things with a MUCH higher degree of control than the GUI will ever allow.

Think of it like the “riddle of steel” from Conan the Barbarian. Any tool is only going to be as good as the knowledge and skill of the person using it. You can give a monkey the finest brushes and paint available and still get junk. Give Leonardo da Vinci dirt, twigs, and egg whites, and you get art.

Reference Links

Marak, V. (2016, January 26). Command line for Windows malware and forensics. Infosec Resources. https://resources.infosecinstitute.com/commandline-malware-and-forensics/

Martinez, B. (2010, July 18). The Riddle of Steel From Conan [Video]. YouTube. https://www.youtube.com/watch?v=wgN1sLcAQnw
