Software Applications Forensic Investigators Use

In the realm of computer forensics, there are many different software applications and hardware that digital forensic investigators need to use to find evidence against a crime that was committed, protect the evidence so that it maintains its integrity, and then present the evidence that was found. The vast majority of software applications that are used by forensic investigators are used to help them find the evidence they are trying to attain. The software applications in use can range from anything such as a root kit to an encryption cracking application. Sometimes there is actually a need for hardware devices to aid the investigators to accomplish their job. In most cases there is a combination of both software applications and hardware devices to assist a forensic investigator in doing their job.

One key hardware device that forensic investigators may have to use is called a write-blocker. A write-blocker allows a forensic investigator to read the contents of a device, such as a storage device or hard drive, but it prevents anything from being written to the drive (NIST, 2008). This helps forensic investigators maintain the integrity of the evidence because if they were allowed to write to the drive, the drive could either become corrupted or the evidence could be tainted. Write-blockers come in all shapes and sizes and more importantly they support different computing standards so that different types of devices can be read, but not written to. Some of the devices that a write-blocker can be used to interface with are USB hard drives, IDE hard drives, SATA hard drives, ESATA hard drives, thumb drives, firewire hard drives, and the list goes on. A write-blocker can be used by forensic investigators to aid them in preserving a drive’s contents, while allowing the investigators to read the data contained on the drive.

A root kit is a software application or multiple applications that are used to hide or conceal that a system has been compromised through methods of subversion or evasion. One root kit that was aimed at Apple’s OS X operating system is called Reopen-A or just Reopen for short. This root kit functions by somebody with administrative permissions installing it onto a system. Because this root kit requires administrative access to be first installed, it is considered a low security threat. It functions by trying to copy files of itself into the “/System/Library/StartupItems” directory. Reopen also creates a directory called “.info” in the root directory and then it tries to capture password hashes and application configurations. Some of the applications that this root kit tries to capture data for are: FTP servers, web servers, VNC, browsers, and a bunch of other applications (SOPHOS, 2004). Reopen also tries to modify file and directory permissions so that they are read/writeable by anybody. Reopen is a root kit that tries to modify settings on a computer running OS X and it also tries to capture account information to include logins and passwords and it does this by creating a directory on the host computer.

A version of a rootkit that was aimed at the Microsoft Windows operating system is called, “Win2K Rootkit.” This rootkit functions by installing a bogus “.dll” file and when the file is executed this rootkit has full control over all resources on the system. This rootkit hides processes on the system that it is running and entries it makes in the systems registry (Bobkiewic, 2003). Another interesting thing that this rootkit does is sniffs keyboard strokes, in attempt to capture usernames and passwords. The Windows rootkit is similar to the OS X rootkit, however it was designed to run on the Windows operating system and it has some additional features and full control over the system. The Windows rootkit functions by installing a fake driver on the system and then when the driver is executed the rootkit has full control over the system and resources, which it uses to capture data.

Adore-ng is a rootkit designed to take aim at the Linux operating system. This rootkit has an advanced promiscuous mode that hides promiscuous flags. Adore also has a persistent file and directory hiding. Adore is sophisticated enough to have process hiding and netstat hiding with a root-shell backdoor (Liston, 2004). This allows a remote user to be hidden as they have root access on the system. A version of Adore has also been ported to work on BSD. The Linux rootkit has some advanced hiding and promiscuous mode hiding features that include a root-shell backdoor to give somebody full control of the system.

In conclusion, forensic investigators have to overcome obstacles from applications like rootkits, which are designed to hide their existence on a system. There are many different types of rootkits, some are aimed at Windows systems, Apple’s OS X, Linux OS, and almost every other operating system on the market. When forensic investigators are searching for data they can use a hardware device called a write-blocker that allows them to read the contents of a device, but protects against corrupting data or tainting evidence by blocking the ability to write to the drive.

1. (2008, December 8th). Hardware Write Block. Retrieved April 19, 2009, from National Institute of Standards and Technology Web site:
2. (2004, October 25th). SH/Renepo-A. Retrieved April 19, 2009, from SOPHOS Web site:
3. Bobkiewic, Bartosz (2003, January 23rd). Hidden Backdoors, Trojan Horses and Rootkit Tools in a Windows Environment. Retrieved April 19, 2009, from Hidden Backdoors, Trojan Horses and Rootkit Tools in a Windows Environment Web site:
4. Liston, Tom (2004, January 6th). Adore-ng 0.31 released. Retrieved April 19, 2009, from SANS Internet Storm Center; Cooperative Network Security Community – Internet Security – isc Web site:

Sharing is caring