Have you ever asked yourself what law enforcement agencies would find when analysing your computer ? How their tools would look like and what they would be checking ? If you answered the questions with yes you might want to try out Evidence Collector (via Techtrends) which is a forensic computer program. Evidence Collectors main purpose is to help with IT incidents but it can give a solid impression on how such tools work generally.
It’s a standalone tool which means it can be run from external devices connected to the computer which is definitely a prerequisite for all forensic tools. It analyses the user level at startup and displays information like the local IP and hostname. A click on Start Collecting processes 14 sequences, some with subsequences, that collect data and write that data into logfiles in the Evidence Collector directory.
The software did write 25 different log files into the log directory including a list of opened files, installed applications and processes. Evidence Collector concentrates on hardware and software only while law enforcement agencies would definitely scan the computer for files as well, probably using a software like Locate to find information in filenames and contents.
A detailed list of what is analysed:
- Shares and policies applied on shares
- Started and stopped services
- Installed software
- Installed Hotfixes
- Enumerated Processes
- Events logs
- TCP / UDP mapping endpoints
- Process handles tracking
- List start-up programs
- Suspected modules
- Users policies
- USB history
Evidence Collector is a free software currently in beta. There is no information on the homepage about compatibility, it runs fine on my Windows XP Service Pack 3 system.
Like such posts? Get updates via RSS NEWS FEED. Love Ghacks? Find out how you can help!
Related Posts
4 Users Commented In This Post
Subscribe To This Post Comment Rss Or TrackBack URL