However, someone has found these tools useful due to some functionality they provide. There are many tools that you can use, and many of them simply weren’t designed with analysis in mind. Throughout this topic, each topic has presented, described, and/or demonstrated tools used for particular purposes, but in each case that presentation was simply, "hey, look at what this tool does and see how it’s useful." My goal in this topic is to fill in the gaps for many readers with a number of other tools that will get them started-tools such as hex editors, packet capture and analysis tools, etc.
An analyst who realizes this is one step ahead of, not behind, the bad guy.
Sure, there have been public presentations at popular computer security conferences discussing how to subvert an analyst who uses EnCase, but the fact is that anti-forensic tools and techniques target the analyst, not the tools. Many people think that anti-forensic tools target a particular commercial application this simply is not the case.
Anti-forensic tools are those tools (and in some cases, techniques) that a bad guy will use to make our jobs more difficult, such as modifying file MAC times or wiping data (or "evidence") from the system. Now is a good time to discuss the topic of anti-forensic tools. From that perspective, you’re not tied to a particular commercial application (in the absence of some specific requirement that forces you to use it) and can instead explore the use of low-cost or freely available tools and applications that your analysis needs. After all, as I’ve said time and time again, the age of Nintendo forensics is over! The key to forensic analysis is understanding what artifacts are available to you and having a logical, reasoned, and comprehensive plan or process for collecting and interpreting the data. The key to forensic analysis isn’t pushing the button on an application user interface. Every tool or application has its strengths and its weaknesses, and trained, knowledgeable analysts understand what they need to do before selecting the tool or application to assist them in their analysis. Commercial applications (EnCase, FTK, ProDiscover, etc.) are just that-tools. Would it be nice to have access to all of the commercial tools? Sure, it would be, but from a budgetary perspective it just isn’t practical. The cost of commercial tools affects law enforcement officers and even consultants (such as myself-hey, we all have budgets we have to adhere to). This affects schools: Computer forensic courses are offered not only at major universities but also at community colleges. This affects more than just hobbyists and those interested in delving into this fascinating (to me, anyway) realm, however. To a number of folks, performing incident response and computer forensic analysis appears to be simply out of reach due to the cost associated with the various commercially available tools.