
International Journal of Advance Research In Science And Engineering
http://www.ijarse.com
IJARSE, Vol. No.4, Issue No.02, February 2015
ISSN-2319-8354(E)

DIGITAL FORENSIC TOOLS: A COMPARATIVE APPROACH

Dhwaniket Ramesh Kamble, Nilakshi Jain
Faculty of Information Technology, Shah and Anchor Kutchhi Engineering College, University of Mumbai, (India)

ABSTRACT

Digital forensics is the part of the forensic discipline that covers crime related to computer technology. A key factor of the digital investigation process is that it can map the events of an incident from different sources, obtaining evidence of the incident that can also be used for secondary investigation aspects. The application of computers to the investigation of computer-based crime has led to the development of a new field called digital forensics. Digital forensics provides a foundation and new ideas for improving and understanding these concepts. This paper studies digital forensic tools by a comparative approach, covering their origins, their current position and their future directions.

Keywords: Integrated Digital Forensic Process Model, Award Key Logger, Recuva, OpenPuff, WinHex.

I. INTRODUCTION

The field of digital forensics has become increasingly important over the last few years as both the computer and the cellular market have grown. Digital forensics describes the process of going into a technological device such as a computer or a cell phone in order to monitor the activity on it and determine whether the device has been hacked previously and/or is being watched. We may think that we do not have much to hide on our devices, so this warning need not apply to us. But just because we have hit a 'delete' button does not mean that a good hacker cannot find a copy of the file somewhere on our machine. Computers can yield evidence of a wide range of criminal and other unlawful activities; criminals engaged in network-based crimes are not the only ones who store information on computers. Many criminals engaged in murder, kidnapping, sexual assault, extortion, drug dealing, auto theft, espionage and terrorism, gun dealing, robbery/burglary, gambling, economic crimes, confidence games and criminal hacking (e.g. web defacements and theft of computer files) maintain files with incriminating evidence on their computer. Sometimes the information on the computer is key to identifying a suspect, and sometimes the computer yields the most damning evidence.

Digital forensics has been defined as the use of scientifically derived and proven methods toward the preservation, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources, for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations [1]. A digital forensic investigation process [1] is a special case of a digital investigation where the procedures and techniques used will allow the results to be entered into a court of law. For example, an investigation may be started to answer the question of whether or not illegal digital images exist on a computer.

Fig.1 Digital Forensic Investigation Process [1]

The process is mainly used in computer and mobile forensic investigations and consists of the five steps listed below [1]:

- Preservation: Preserving digital evidence early is a critical first step toward increasing our chances of a successful investigation, litigation, or incident response.

- Collection: Since digital information is stored in computers, collection of digital information means either collection of the equipment containing the information, or recording the information on some medium.
- Examination: Examination is best conducted on a copy of the original evidence. The original evidence should be acquired in a manner that protects and preserves its integrity.
- Analysis: During the analysis an investigator usually recovers evidence material using a number of different methodologies (and tools), often beginning with recovery of deleted material.
- Reporting: When an investigation is completed, the information is often reported in a form suitable for non-technical individuals. Reports may also include audit information and other meta-documentation.

II. DIGITAL FORENSIC: A BRIEF HISTORY

Prior to the 1980s, crimes involving computers were dealt with using existing laws. The first computer crimes were recognized in the 1978 Florida Computer Crimes Act, which included legislation against the unauthorized modification or deletion of data on a computer system. Over the next few years the range of computer crimes being committed increased, and laws were passed to deal with issues of copyright, privacy, harassment (e.g. cyberbullying, cyber stalking and online predators) and child pornography. It was not until the 1980s that federal laws began to incorporate computer offences. Canada was the first country to pass such legislation, in 1983. Throughout the 1990s there was high demand for these new, and basic, investigative resources. Since 2000, in response to the need for standardization, various bodies and agencies have published guidelines for digital forensics.
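The preservation and examination steps of the investigation process in Section I (hash the original, do all examination on a verified working copy, keep a chain-of-custody record) as a runnable Python example. This is an added illustration, not code from the paper or from any of the tools it reviews; the disk image bytes, the custodian name and the JSON log format are constructed assumptions.

```python
"""Preservation step in miniature: hash the acquired image, create the working
copy that examination is done on, verify the copy, and append a chain-of-custody
record.  Added example, not from the paper; the image bytes, custodian name and
log format are constructed for illustration."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Constructed stand-in for an acquired disk image (a real one would be GBs).
SAMPLE_IMAGE = b"\x00" * 512 + b"CONSTRUCTED-EVIDENCE-SAMPLE" + b"\xff" * 512
SAMPLE_IMAGE_SHA256 = hashlib.sha256(SAMPLE_IMAGE).hexdigest()


def hash_file(path, algorithm="sha256", chunk_size=1 << 20):
    """Hash a file in chunks so large images never have to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve(original, working_copy, custodian, log_path):
    """Copy the original to a working copy, confirm both hash identically, and
    append one JSON line to the custody log.  Analysis is done on the copy only,
    so the original is opened read-only and never modified."""
    original_hash = hash_file(original)
    with open(original, "rb") as src, open(working_copy, "wb") as dst:
        for chunk in iter(lambda: src.read(1 << 20), b""):
            dst.write(chunk)
    record = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "action": "acquire_working_copy",
        "custodian": custodian,
        "original": os.path.basename(original),
        "copy": os.path.basename(working_copy),
        "sha256": original_hash,
        "verified": hash_file(working_copy) == original_hash,
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")
    return record


def verify(path, expected_sha256):
    """Re-check integrity later, e.g. before analysis or before presentation."""
    return hash_file(path) == expected_sha256


def demo():
    """Run the step in a temporary directory; returns the custody record plus
    the result of re-verifying the copy after a simulated one-byte change."""
    workdir = tempfile.mkdtemp()
    original = os.path.join(workdir, "disk.img")
    copy = os.path.join(workdir, "disk-working.img")
    log_path = os.path.join(workdir, "custody.log")
    with open(original, "wb") as fh:
        fh.write(SAMPLE_IMAGE)
    record = preserve(original, copy, "examiner-1 (constructed)", log_path)
    # Simulate an unintended write to the working copy: verify() must now fail,
    # which is exactly why the hash is recorded before any examination starts.
    with open(copy, "r+b") as fh:
        fh.seek(512)
        fh.write(b"X")
    record["copy_still_valid"] = verify(copy, record["sha256"])
    with open(log_path, encoding="utf-8") as fh:
        record["log_entries"] = len(fh.readlines())
    return record


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The record is appended as one JSON line per action so the log can be re-read by any tool; in practice the same hash is recomputed at every hand-over and before the report is written, and a mismatch at any point means the copy can no longer be presented as evidence.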
A European-led international treaty, the Convention on Cybercrime, came into force in 2004 with the aim of reconciling national computer crime laws, investigative techniques and international co-operation. The treaty has been signed by 43 nations (including the US, Canada, Japan, South Africa, the UK and other European nations). A February 2010 report by the United States Joint Forces Command concluded that through cyberspace, enemies will target industry, academia and government, as well as the military in the air, land, maritime and space domains. In 2010 Simson Garfinkel identified issues facing digital investigations in the future, including the increasing size of digital media, the wide availability of encryption to consumers, a growing variety of operating systems and file formats, an increasing number of individuals owning multiple devices, and legal limitations on investigators [2].

2.1 IDFPM Framework

The Integrated Digital Forensic Process Model consists of the following processes: Preparation, Incident, Incident Response, Physical Investigation, Digital Forensic Investigation and Presentation, and the processes are performed by qualified personnel [2]. The documentation process is included in the IDFPM as a continuous process. It covers the investigation documents and the chain of custody, recorded as accurately as possible throughout the entire investigation. The infrastructure and operational readiness process also occurs in parallel.

- Preparation: This process is encapsulated by stating that forensic readiness has two main objectives: firstly, to maximize the collection of credible digital evidence from an incident environment, and secondly, to minimize the cost of a forensic incident response. Any defects may be exploited during presentation of the digital evidence findings.
- Incident: An incident may be detected by an automated incident detection system, or a similar set of event sequences is recognized by an investigator based on previous experience. Incidents are often detected secretly and dealt with secretly within an organization. In these instances it is imperative that the organization's policies and procedures are studied to determine any possible investigative limitation.
- Incident Response: Depending on the type of investigation, witnesses need to be safeguarded, suspects need to be detained as soon as possible after arrival, and potential evidence must be secured. The first responder is the first custodian to maintain the chain of evidence and custody of potential digital evidence. The first responder must be able to accurately describe the scene in the initial drafting of documentation; this includes photographs, video and sketches.
- Digital Forensic Investigation: The physical investigation process occurs in parallel with the digital investigation if the crime is not isolated to the digital space. The focus of the physical investigation is to analyze DNA, fingerprints and other possible physical evidence obtained from the incident scene.
- Presentation: Based on the presentation report, a decision is made regarding the person to whom the incident can be attributed. The decision must be recorded in some database for future reference. All other relevant documentation that was compiled during the investigation and that might be relevant in reaching a decision is included in the final presentation report. The legal processes of a court case, if applicable, will become the focus of the processes that follow.

2.2 Study of Tools

Tools are the predefined software or methods which are available for the application of digital forensics. Some of these tools are listed below:

- FTK (Forensic Toolkit) [6][7]: An advanced code-breaking and password-recovery tool. It is fully Unicode-capable and provides code page support. It also gives advanced e-mail support and powerful search functionality. Registry supplemental reports are provided by FTK. Its interface is very easy to use.

Fig.2 Integrated Digital Forensic Process Model Framework [2]

- Encase [6][7]: Securely investigates/analyzes many machines simultaneously. Limits incident impact and eliminates system downtime with immediate response capabilities. Investigates and analyzes multiple platforms. Efficiently collects only potentially relevant data. Audits large groups of machines for sensitive or classified information. Identifies fraud, security events and employee integrity issues.
- Sleuthkit [7]: A collection of UNIX-based command line file and volume system forensic analysis tools. Analyzes raw, Expert Witness (i.e. Encase) and AFF file system and disk images. Various analysis techniques: meta-data structure analysis, timeline generation, sorting files based on their types, etc.
- Autopsy [7]: A GUI for Sleuthkit [7]. Both dead analysis and live analysis can be done with Autopsy. Case management uses a client-server model. Various analysis techniques: meta-data structure analysis, keyword search, timeline generation, sorting files based on their types, etc.
- FIT4D (Forensic Investigation Toolkit 4 Developing countries): A software toolkit that utilizes the limited resources in developing countries. It improves efficiency, privacy and usability, and addresses the problem of a lack of forensic experts in developing countries through a low-cost, distributed infrastructure for deploying the FIT4D software toolkit.

III. PRESENT INVESTIGATION

There are two fundamental problems with the design of today's computer forensic tools:

- Today's tools are designed to help examiners find specific pieces of evidence, not to assist in investigations [8].
- Today's tools are created for solving crimes committed against people where the evidence resides on a computer; they were not created to assist in solving typical crimes committed with computers or against computers [8].

Digital forensics tools play a critical role in providing reliable computer analysis and digital evidence collection to serve a variety of legal and industry purposes. These tools are typically used to conduct investigations of computer crimes by identifying evidence that can be used in a court of law. In addition to criminal investigation, these same tools are used for purposes of maintenance, debugging, data recovery and reverse engineering of computer systems in private settings. Digital forensics tools are designed for use by forensics investigators, so it is important to consider the background, computer expertise, workflow and practices of these users [7]. Suppose we consider five tools which are used presently.

3.1 Award Key Logger [4]

Award Key Logger [4] is a program for tracking key presses on a keyboard. The program is an easy-to-use surveillance tool, and because it runs invisibly it can find out what other people do with your computer while you are away. Award Key Logger [4] records every keystroke to a log file, which will reflect everything that is typed (Google searches, visited sites, etc.) during your absence. The program can send the log files secretly by e-mail or FTP to a specific receiver. The program can also detect specific keywords and take a screenshot whenever one is typed.

3.2 Recuva

Recuva is an important file recovery [3] software used to restore files that the user accidentally deleted from their Windows PC, Recycle Bin or MP3 player. Every one of us has witnessed the problem of accidentally deleting files containing useful information from our computer. But what if that file is permanently deleted from the hardware of the system? We may have come across the situation on our Windows PC where we delete files from the computer, empty all the rubbish from the Recycle Bin and then start to wonder whether we mistakenly deleted our most important file for office or personal use. All these questions have one solution: Recuva. Even if we delete a particular file, we can undo the same from our Recycle Bin.

3.3 USBDeview [6]

USBDeview [6] is a small utility that lists all USB devices currently connected to your computer, as well as all USB devices that you previously used. For each USB device, extended information is displayed: device name/description, device type, serial number (for mass storage devices), the date/time that the device was added, VendorID, ProductID, and more. USBDeview [6] also allows you to uninstall USB devices previously used, disconnect USB devices that are currently connected to your computer, and disable and enable USB devices. We can also use USBDeview [6] on a remote computer, as long as we log in to that computer as an admin user. USBDeview [6] is a free application for Windows computers that provides a useful tool for USB devices plugged into Windows-based computers.

3.4 WinHex

WinHex is at its core a universal hexadecimal editor, particularly helpful in the realm of computer forensics, data recovery [3], low-level data processing and IT security. An advanced tool for everyday and emergency use, it can inspect and edit all kinds of files, and recover deleted files or lost data from hard drives with corrupt file systems or from digital camera cards.
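Recovering deleted files from a drive whose file system is corrupt, as the WinHex and Recuva sections describe, ultimately rests on signature-based carving: scanning raw bytes for known header and footer patterns where no directory entry points at the file any more. The Python example below is added here and is not WinHex, Recuva or any other tool's code. It uses the real JPEG and PNG header/footer byte signatures, but the raw image it scans is constructed from fake file bodies and filler, and the handling of a header without a footer is a design choice of this example.

```python
"""Signature-based file carving, the technique hex editors and recovery tools
use to pull files out of unallocated space when the file system metadata is
gone.  Added example, not WinHex or Recuva code; the raw image below is
constructed from fake JPEG/PNG byte runs and filler."""
import hashlib

# Header and footer byte signatures (JPEG SOI/EOI markers; PNG magic and the
# IEND chunk name followed by its fixed CRC).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

# Constructed "disk image": unallocated filler, a fake JPEG, more filler, a fake
# PNG, and finally a JPEG header whose remainder was overwritten (no footer).
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"JFIF-constructed-body" + b"\xff\xd9"
FAKE_PNG = (b"\x89PNG\r\n\x1a\n" + b"IHDR-constructed-body"
            + b"\x00\x00\x00\x00IEND\xaeB`\x82")
RAW_IMAGE = (b"\x00" * 1024 + FAKE_JPEG + b"\x11" * 500 + FAKE_PNG
             + b"\x00" * 300 + b"\xff\xd8\xff\xe1" + b"truncated")


def carve(image, max_size=10 * 1024 * 1024):
    """Return carved files as dicts (type, offset, size, status, sha256, data),
    in disk order.  A header with no footer within max_size is reported as
    'partial' so the examiner still sees that a file once started there."""
    found = []
    for ext, (header, footer) in SIGNATURES.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start < 0:
                break
            end = image.find(footer, start + len(header), start + max_size)
            if end < 0:
                found.append({"type": ext, "offset": start, "size": 0,
                              "status": "partial", "sha256": None, "data": b""})
                pos = start + 1
                continue
            end += len(footer)
            data = image[start:end]
            # Hash each carved object immediately, as in the preservation step.
            found.append({"type": ext, "offset": start, "size": len(data),
                          "status": "complete",
                          "sha256": hashlib.sha256(data).hexdigest(),
                          "data": data})
            pos = end
    return sorted(found, key=lambda f: f["offset"])


def complete_files(image):
    """Only the fully recovered files, in disk order."""
    return [f for f in carve(image) if f["status"] == "complete"]


if __name__ == "__main__":
    for f in carve(RAW_IMAGE):
        print(f"{f['type']} @ {f['offset']:>6} {f['status']:>8} "
              f"{f['size']:>5} bytes {f['sha256']}")
```

The carver never needs the file system: it reports where each object starts, how long it is and its hash, which is what an examiner records before opening any recovered file. Real carvers also validate the internal structure (chunk lengths, entropy) because a footer match alone can run two fragmented files together.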

3.5 OpenPuff [5]

OpenPuff is a professional steganography tool, with unique features we will not find among any other free or commercial software [5]. OpenPuff is 100% free and suitable for covert transmission of highly sensitive data [5]. OpenPuff [5] is used primarily for anonymous asynchronous data sharing, i.e. the sender hides a hidden stream inside some publicly available carrier files (the password, the carrier files and the carrier order are the secret key) and the receiver unhides the hidden stream knowing the secret key.

Table 3.1 Comparison of considered tools on the basis of features
[Table not recoverable from the extraction. Its rows compared the five tools (Award Key Logger, Recuva, USBDeview, WinHex and OpenPuff) on platform support (various combinations of Windows 8, Windows 7 (32/64 bit), Windows Vista (32/64 bit), Windows XP, Windows 2000, Windows Server, Windows NT4 and Windows 98) and developer (only the fragment "Technology AG" survives); the column-to-tool mapping is lost.]
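The carrier-plus-secret-key model that the OpenPuff section describes, reduced to its simplest form as an added Python example: least-significant-bit embedding in a grey-scale carrier, with the order in which pixels are visited derived from the key so that the receiver needs the key to reassemble the stream. This is not OpenPuff's code or its actual algorithm; the carrier pixel values, payload and passphrase are constructed. The example also shows why such content is hard to spot by eye: every pixel changes by at most one grey level.

```python
"""Least-significant-bit steganography with a key-derived embedding order: a
miniature of the carrier + secret key model described for OpenPuff.  Added
example, not OpenPuff's code or algorithm; the carrier (grey-scale pixel values)
and payload are constructed."""
import hashlib
import random

# Constructed 64x64 grey-scale carrier: one byte per pixel.
CARRIER = bytes(range(256)) * 16
PAYLOAD = b"constructed hidden stream"
KEY = b"constructed-passphrase"


def _visit_order(n_pixels, key):
    """Pixel visiting order derived from the key.  Without the key a receiver
    does not know which pixel holds which bit of the stream."""
    seed = int.from_bytes(hashlib.sha256(key).digest()[:8], "big")
    order = list(range(n_pixels))
    random.Random(seed).shuffle(order)
    return order


def hide(carrier, payload, key):
    """Embed a 4-byte length prefix plus payload, one bit per pixel LSB."""
    data = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]
    if len(bits) > len(carrier):
        raise ValueError("payload does not fit in carrier")
    stego = bytearray(carrier)
    for bit, idx in zip(bits, _visit_order(len(carrier), key)):
        stego[idx] = (stego[idx] & 0xFE) | bit   # changes the pixel by at most 1
    return bytes(stego)


def unhide(stego, key):
    """Read the length prefix, then that many bytes, following the key's order."""
    order = _visit_order(len(stego), key)

    def read(start_bit, n_bytes):
        out = bytearray()
        for b in range(n_bytes):
            value = 0
            for k in range(8):
                value = (value << 1) | (stego[order[start_bit + 8 * b + k]] & 1)
            out.append(value)
        return bytes(out)

    length = int.from_bytes(read(0, 4), "big")
    if 32 + 8 * length > len(stego):
        # A wrong key decodes a random length, which almost never fits.
        raise ValueError("no payload for this key (or wrong key)")
    return read(32, length)


def max_pixel_change(carrier, stego):
    """How visible is the embedding?  LSB changes are at most 1 grey level,
    which is why detection relies on statistics rather than visual inspection."""
    return max(abs(a - b) for a, b in zip(carrier, stego))


if __name__ == "__main__":
    stego = hide(CARRIER, PAYLOAD, KEY)
    print(unhide(stego, KEY), max_pixel_change(CARRIER, stego))
```

For an examiner the relevant consequence is that file size, visual appearance and format validity are all unchanged by embedding, so suspected carriers are compared against known originals by hash or examined with statistical steganalysis rather than by viewing them.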

(Table 3.1, continued)
[Remaining rows not recoverable from the extraction: cost (the values 15237 INR, Free, Free, Free and 15486 INR appear) and purpose of utilization (the values "Both Good and Bad", "Good", "Good", "Both Good and Bad" and "Both Good and Bad" appear); the column-to-tool mapping is lost.]

Fig.3 Utilization of Tools in terms of percentage

Table 3.2 Comparison of considered tools on the basis of Digital Forensic Investigation
[Table not recoverable from the extraction; it compared the five tools against the investigation process steps. Only one "Yes" cell and the row label "Award Key Logger" survive.]

Table 3.3 Comparison of considered tools on the basis of IDFPM
[Table not recoverable from the extraction; its rows were the five tools (Recuva, USBDeview, WinHex, OpenPuff, Award Key Logger) and its columns the IDFPM processes, of which only the fragments "Forensic", "Presentation" and "Investigation" survive.]

Justification for the Difference:

The comparison is done among five tools: Award Key Logger [4], Recuva, USBDeview [6], OpenPuff [5] and WinHex. As we compare these tools on the basis of features, the investigation process and the IDFPM [2] model framework, we notice that among the five tools WinHex is the better tool. WinHex not only has all five properties of the investigation process but also has the properties defined in the IDFPM [2] process. WinHex is an advanced tool for everyday and emergency use which can inspect and edit all kinds of files, recover deleted files or lost data from hard drives with corrupt file systems, and perform data wiping and disk cloning. WinHex also analyzes the data and compares files. So, in comparison with the other tools, WinHex is the best in terms of utilization, characterization and performance.

IV. RESULTS AND DISCUSSIONS

Computer-related crime is growing as fast as the Internet itself. Today, enterprises focus on implementing preventative security solutions that reduce vulnerabilities, with little concern for systematic recovery or investigation. We have reviewed the literature in digital forensics and identified three main categories of activity in digital forensics: framework, the digital forensics investigation process, and tools. The advances in framework, process and tools of digital forensics have been reviewed and discussed. We should not leave everything to digital forensics experts. If we are going to find a solution to the computer crime problem, it will be through a collaborative effort. Everyone from individual users to company owners has to get involved. The considered tools, investigation process and framework enhance the forensics of computer security by helping experts in the field do their job faster and more efficiently. It is up to companies and users to adopt these policies according to their needs.

V. FUTURE SCOPE

A multidisciplinary approach is required to fully foresee the future of cybercrime forensics. The most obvious change will be in the type, size and speed of storage media, memory and processors. In the next 5 years, standard computers will come with 5TB of storage while flash drives will carry 250 GB