Vidyabharati International Interdisciplinary Research Journal 10(1) 12 - 2 3 ISSN 2319-4979 ______QUALITATIVE ASSESSMENT OF DIGITAL FORENISC TOOLS S. Singh1 and S. Kumar2 Ambedkar Institute of Advanced Communication Technologies& Research, Delhi, India [email protected], [email protected] ______ABSTRACT Forensic science is a study of science to criminals and civil laws. Digital forensics is the part of forensic science relating to proof found in computers and advanced storage media. Forensic examiners gather, protect and break down logical confirmations over the span of examination. Digital information contains data as content, pictures, sound, video and so on. These days numerous cybercrime cases, for example, hacking, banking cheats, phishing, email spamming, etc., have developed which are connected with a computerized information. Since the digital investigation is turning into an expanding concern, numerous digital forensic tools have been created to manage the difficulties of exploring computerized wrongdoings. The motivation behind digital forensics strategies is to look, protect and extract data on advanced frameworks to discover potential confirmations to exhibit them in the courtroom. In this paper, we have discussed five kinds of forensics namely Network Forensics, Live Forensics, Cyber Forensics, Database Forensics, and Mobile Forensics. The paper depicts a list of digital forensic tools in detail and looks at them based on the characterized parameters to figure out which tool suits better for any investigation. The paper looks at network, database and mobile forensic tools and examines the silent features and uniqueness of each of the tools along with their functionalities. ______Keywords: Database forensics, Digital forensic tools, Forensic phases, Mobile forensics and Network forensics

Introduction 5. Mobile Forensics Digital forensics is the utilization of Since there are number of digital forensic investigation and analysis strategies to branches but we are working on Network assemble and secure proof from a certain forensics, Database forensics and Mobile computerized device in a manner that is forensics in this paper. reasonable for introducing in an official Network Forensics: Network forensics is a courtroom. The purpose of digital forensics branch of advanced digital forensic is to perform a structural investigation while identifying with the observing and maintaining a reputed chain of evidence to investigation of computer system traffic to uncover what exactly happened on a digital collect network traffic data, legitimate proof device and who was responsible for it. We or interruption recognition. The significant can say that digital forensics is a logical objective of the forensics of the network is methodology of safeguarding, procuring, to gather proof from the network traffic. It extracting, removing and representing attempts to investigate traffic information evidence that originates from the advanced collected from various websites and sources like PC, mobile, camera and so network equipment, for example, IDS and forth. firewalls. It screens on the system to Digital forensic incorporates a few sub- distinguish assaults and examine the idea of branches with the investigation of different attacks. It is also the way of distinguishing sorts of devices, media or artifacts. These interruption examples concentrating on branches are: attackers' exercises. Network forensic manages unstable and dynamic data. 1. Network Forensics Database Forensics: Database forensic is 2. Live Forensics the part of digital forensic and its database 3. Cyber Forensics legal investigation and related metadata. It focuses on experimentally interrogating the 4. Database Forensics ______March 2020 12 www.viirj.org

Vidyabharati International Interdisciplinary Research Journal 10(1) ISSN 2319-4979 ______failed database and by attempting to remake sniffing and so on. Khaleque Md Aashiq the metadata and page data from inside an Kamal [2] looked at memory forensic Tools informational index. In this digital forensic, based on-time processing and left artifacts the read-only technique is utilized when of volatile memory. He analyzed the interfacing with a database to guarantee that variation in Tool time processing in terms of no information is undermined. distinct volatile memory size. With his experimentation, he proved that the Mobile Forensics: Mobile forensics is the processing time ’x’ of the tool does not recovery research of computerized proof increase by expanding the memory size 'x' from a cell phone under forensic conditions. times. S Mc Combie and M. Warren [3] The objective of mobile crime scene focuses on different methodologies to investigation is the act of using sound characterize computer forensics at the most philosophies for the securing of information fundamental level. They additionally contained inside the internal memory of a depicted various models like the Lucent cell phone and related media giving the model, KPMG model, Miter model, etc. and capacity to precisely report one's methodologies that have been created in discoveries. Mobile device forensics is an computer forensic fields. Pratima Sharma[4] advancing claim to fame in the field of played out an experiment using a computerized legal sciences. The procedure prodiscover tool to decrease the search of Mobile device forensics is separated into space by recognizing and separating the three fundamental classes namely, a seizure known documents to accelerate the that preserves the proof, Acquisition which searching procedure of evidence is the way toward recovering the identification. She looked into the image information from the gadget and the third files to know the area of interest within one is an assessment that examines the documents, erased records, and slack recovered information. documents. The experimental result The paper is structured as follows: Section 2 demonstrated that REGEX looks covers the previous comparative analysis empowered to get yield with only one hunt and work done related to digital forensics. rather than numerous endeavours in less Section 3 digital forensic process is time. Varsha Sanap and Vanita Mane [5] described with various phases. Section 4 displayed a correlation of three scientific covers the methodologies followed during instruments WinHex, Active record the comparative analysis. Section 5 gives a Recovery and Prodiscover Basic based on detailed description of forensic tools that are the parameters, for example, document categorized into network forensics, database assessment, log assessment, memory dump forensics, and mobile forensics. Section 6 investigation and so on. They additionally presents all the identified parameters based explored a contextual investigation of on which the comparative analysis is done. pornography. Priyanka Dhaka and Rahul Section 7 consists of a comparative analysis Johari [6] proposed a thought and strategy table of all the selected tools and Section 8 of utilizing digital- crime investigation tool describes the conclusion and future work. to extract the information which produced a record and sent the information in big data Literature Review tool, for example, MongoDB to oversee Numerous authors have given a relative enormous information and removed the investigation of various forensic tools. structured informational collection. Hamda Mayank Lovanshi and Paritosh Bansal [1] Bariki, Mariam Hashmi and Ibrahim Baggili clarified a comparative study on digital [7] present a standard information forensic tools, for example, desktop, live prerequisite for digital evidence products and network forensic tools based on the that could be used with computer forensic parameters like imaging, seizer, packet- tools to create reports. The principles

______March 2020 13 www.viirj.org

Vidyabharati International Interdisciplinary Research Journal 10(1) ISSN 2319-4979 ______proposed secure the essential data on the preparation of tool, methods, court case, the sources of evidence, the intrigue orders and backing of the executives are and the custody chain of digital evidence. pictured. The author Charles Lim, Meily, Nicsen and c. Approach Strategy: In this stage, the HerryAhamdi[8] did experimental research improvement of the technique that will that aimed to reveal the rest of the data amplify the accumulation of untainted inside USB flash drives. The exploration proof while limiting the effect to the demonstrated that there were plentiful victim is done. delicate data recouped from the USB flash drives and the data was related to the d. Conservation Phase: In this stage, educational institute, individual and isolation, verifying and saving of the government. condition of physical and digital evidence takes place. Digital Forensic Process e. Accumulation Phase: In this stage, the The digital forensic process has the chronicle of the Physical scene, use of following eight components- standardized and duplicated digital IDENTIFICATION evidence and acknowledged method takes place. f. Assessment Phase: An efficient inquiry ARRANGEMENT of proof recently gathered is finished in this phase. APPROACH STRATEGY g. Analysis Phase: In this stage, the confirmations are analyzed using digital forensic tools and determine the CONSERVATION important data. It gathers the gained information and analyze it to discover ACCUMULATION the bits of confirmations. This stage also recognizes that the framework was tempered. ASSESSMENT h. Presentation Phase: In this stage, extracted data and other metadata are accounted for after the fulfillment of the ANALYSIS investigation. This stage is based primarily on cyber laws and provides the findings for the investigation's PRESENTATION respective proof.

Figure 1: Digital Forensic Phases Various process models are proposed by different authors:

 DFaaS Process Model, 2014 a. Identification Phase: In this stage, the evidence and their locations are  Integrated Digital Forensic Process recognized from the digital sources. It Model, 2013 principally deals with the detection of  The Advanced Data Acquisition Model incidents, the accumulation of proofs (ADAM), 2012 and monitoring of the evidence.  The Systematic Digital Forensic b. Arrangement Phase: In the Investigation Model (SRDFIM), 2011 arrangement stage, the choice and ______March 2020 14 www.viirj.org

Vidyabharati International Interdisciplinary Research Journal 10(1) ISSN 2319-4979 ______ The Digital Forensic Investigation around INR 19 million has been allocated to Framework, 2008 the whole wire transfer scheme.  The Two- Dimensional Evidence The event received the Indian Cyber Cop Reliability Amplification Process Model, Award for Investigation Officer Mr. Sanjay 2008 Jadhav, Assistant Commissioner for Police Crime, Pune Police. The panel of judges Digital Forensics: Case Study from India held the opinion that this case was the most In the trial, the accused served in a BPO that important case for the Indian IT industry in managed the activities of a global bank [9]. 2005 and was prosecuted in a competent During the process of their research, the manner, with a considerable portion of the accused had collected personal swindled funds being immobilized, a vast identification numbers (PIN) and other number of persons convicted and the matter confidential information from the clients of referred to the court for trial within 90 days. the bank. With these, the accused and the Methodology accomplices, through various cafes, diverted large sums of money from specific The approach adjusted focus on the clients' accounts to false accounts. investigation of various computerized criminological tools as talked about in the Investigation previous sections. These devices portray Following receipt of the lawsuit, the entire different functionalities. In our study, we business structure of the plaintiff company pursue a procedure as discussed in Fig. 2. was analyzed and a network review was The initial phase in the process includes the performed to assess the possible source of choice of tool. The following stage-manages the data theft. The police were successful in the extraction of features which helps us in capturing two suspects because they had distinguishing the parameters. The last step placed a trap in a local bank where the compares the tools based on parameters. accused had fake accounts for unlawfully TOOL SELECTION transferring money. During the inquiry, the BPO device file logs were retrieved. The IP addresses were STUDY TOOL FEATURES traced back to the Internet service provider and, eventually, to the cyber cafes through which illicit downloads were PARAMETERS IDENTIFICATION made.Registers held in cyber cafes and cyber cafe operators helped to recognize the other defendants in the trial. Email IDs and phone call printouts were also collected and TOOLS COMPARISON ON THE BASIS OF PARAMETERS analyzed to assess the identities of the suspects. The records of the detained Figure 2: Flow Chart of Strategy accused were scanned, and provided crucial Digital Forensic Tools details to identify the other accused. Some of the accused's mail accounts contained fast The digitalization of the world is getting all codes that were needed for Internet money the more dominant step by step. So the field transfer. of digital forensic is additionally developing extremely quickly. In this segment, we will All 17 of the suspects in the case were talk about three digital forensic tools under charged within a brief amount of time the their respective categories: indictment sheet was sent to the court within a prescribed period of time. An amount of

______March 2020 15 www.viirj.org

Vidyabharati International Interdisciplinary Research Journal 10(1) ISSN 2319-4979 ______1. Network Forensics based communication statistics of the captured packets [13]. Network Forensic is the field of Digital criminology where the investigators focus c. Name resolution: The identified on packets travelling in a network and the address is converted into an details of the computer systems connected understandable format and the process is to that network. Following are the tools to called name resolution. Various name test the network forensic applications: resolution tools are Network name resolution, MAC name resolution, and 1.1 transport name resolution. Wireshark is free and analyzer of open d. Packet Assembling: The process of source network protocols that empowers the transferring large chunks of data by investigator to intelligently browse the splitting it into smaller packets and later data traffic [9]. The combining them again to form the author of Wireshark is Gerald Combs and complete data is called packet created by the Wireshark group. It catches assembling. This is done to reproduce live information from a network interface the captured packet efficiently [13]. [11]. It captures traffic and converts it into a readable arrangement. This makes simple to e. Color Coding: Wireshark has recognize how much traffic crosses the customized coloring rule which is network, how often and how much latency applied to the captured packets for quick there is between some hops and so on. and effective analysis. It highlights the Wireshark supports over 2,000 network packets of interest. protocols. Live information is perused from 1.2 Nmap (Network Mapper) various kinds of the network like IEEE 802.11, , PPP (Point-to-Point Nmap is a network scanner used by sending Protocol) and loopback [12]. Wireshark packets and reviewing replies to find host colors data packets to assist the client by and equipment on a computer network [13]. identifying the sorts of traffic. The developer of Nmap is Gordon Lyon (Fyodor). It identifies the open ports on The various features that make Wireshark target hosts and interrogates remote network stand differently are: facilities to determine the name and version a. Decoding packets and exporting number of the application. It also helps to objects: Wireshark has a powerful identify the operating system (OS). feature of decoding the captured packets Various features of Nmap are: into the client’s readable format. It also export captured objects as packet a. Network mapping: Nmap identifies the streams which helps in retrieving the devices connected to the network which different file types downloaded during is known as host discovery. It also packets capturing. detects the servers, switches, and routers and identifies how they are physically b. Captured packet statistics: Wireshark connected. can generate an overview of network activities statistically. The various tools b. Operating System Detection: Nmap that come under the statistics menu detects the connected operating system option are, summary that returns a quick to the network. The detection process is report about the entire capturing called OS fingerprinting. It provides the process; protocol hierarchy presents details of the operating system like statistical information about various software version, vendor’s name. protocols seen during network analysis; and flow graphs that represent timeline- ______March 2020 16 www.viirj.org

Vidyabharati International Interdisciplinary Research Journal 10(1) ISSN 2319-4979 ______c. Service Discovery: Nmap can also d. Smart administration detect services like HTTP, , SMTP acknowledgment: Nessus can running on the connected systems and differentiate between a non-standard identifies their applications and port running FTP server and the internet versions. server port 8080. d. Security Auditing: Since Nmap can e. Full SSL support: The tool has the detect the versions of OS, it helps the capacity testing SSLizied network manager to determine the administrations, for example, HTTPS, vulnerabilities and loopholes in the SMTP, IMPS and can even be provided network that may harm in the future. with a certificate so it can very well coordinate with PKI type condition. e. Port scanning: Nmap scans the ports available on the network and identifies 1.4. their status based on the response received for an SYN (synchronization) Xplico is a Network Forensic Analysis Tool request. Six port states are perceived by (NFAT) which is an application that Nmap namely closed, open, unfiltered, reproduces the acquisition contents filtered, closed|filtered and open|filtered. conducted with a packet sniffer. It is created by Giauluca Costa and Andrea de Franceshi. 1.3 NESSUS The objective of Xplico is to extract web traffic to catch the application’s information Nessus is a vulnerability scanner for open- it contained. It permits simultaneous access source networks that uses the normal by various investigators. The tool analyzes vulnerabilities and architecture of the web packet and catches them to remove and exposition. It has a web-based interface that parse certain protocols and return web contained a web customer and a simple action, for example, VoIP, email and HTTP HTTP server. It does not require any [15]. The Xplico framework underpins software installation apart from the Nessus various protocols with the most steady server. It can distinguish potential being: HTTP, ARP, SMTP, PPP, SIP, vulnerabilities in the frameworks [14]. It VLAN, DNS, IPv4, IPv6, TCP, UDP, FTP incorporates configuration reviewing, and so on. To prevent protocol resource profiling, rapid discovery, and misidentification, every application protocol delicate information revelation and is recognized using Port Independent defenselessness analysis of a security act. It Protocol Identification (PIPI). is created by Tenable. Inc. The scientific necessities for Xplico are The principle highlights of Nessus are: characterized as pursues: a. Remote security and local a. To distinguish between various hubs on security: Nessus can distinguish not the network. only the distant host defects on the network but the missing patches and b. To gather information precisely as it was nearby defects too. seen "on the network". b. Updated safety for the database: The c. To parse the information into a format Nessus safety check can be retrieved by that does not "lose" data. using the Nessus-update-modules path. d. To enable the analyst to see any parsed c. NASL: NASL (Nessus Attack Scripting output in the applicable setting. Language) is included in Nessus to 2 Database Forensics compose safety tests rapidly. Database forensic is the part of advanced digital forensic that manages the ______March 2020 17 www.viirj.org

Vidyabharati International Interdisciplinary Research Journal 10(1) ISSN 2319-4979 ______investigation of databases and distinguishes 2.2 ForensicToolKit (FTK) the reason for failure. Following are the Forensic Toolkit (FTK) is a computerized tools to test the database forensic inquiry phase designed to support the job of applications: experts working in the field of data security, 2.1Cuckoo Sandbox innovation, and law permission. It is created by AccessData. It can acquire and analyze Cuckoo sandbox is an automated malware digital devices, for example, computer hard investigation system. It is utilized to drives, flash memory devices, USB drives, consequently test and extract records and cell phones, tablets, and other advanced gather exhaustive investigation results that media [17]. Its approach is linked to a Specify what the malware does in an method called post- mortem computer isolated operating system. The originator forensics that occurs when the computer has and core developer of Cuckoo Sandbox is been turned off. It makes exact copies Claudio Guarnieri in 2011. (forensic images), known as bit-to-bit or It can recover the accompanying kinds of bitstream, to ensure the honesty of the results: information collected. It generates pictures and processes a broad variety of data types a. Traces of calls made by all malware- that shape forensic pictures into email generated processes. archives, conducts an inquiry, analyzes the b. Files produces, deleted and downloaded registry, decrypts files, cracks passwords, during the implementation of the and produces a single solution report. malware. The real capacities FTK incorporate are: c. Malware memory dumps a. Email Analysis: The tool provides d. Network traffic follow in format forensic experts with an intuitive e-mail investigation interface. It includes e. Screenshots taken during malware particular word parsing messages, implementation header reviews for the IP address of the f. Complete memory dumps of the source, and so on. computer. b. File Decryption: the most well-known Cuckoo is intended to be an independent use of the product is a key component of application just as to be incorporated in FTK file decoding. Whether breaking bigger structures. It tends to be utilized to the password or decoding whole extract DLL records, generic windows documents. FTK can recover passwords executable, PDF archives, URLs and HTML for over a hundred applications. documents, Microsoft Office reports, Visual c. Data Carving: The tool includes a Basic (VB) scripts, PHP scripts [16] and so powerful cutting engine for data. forth. Cuckoo sandbox comprises a focal Specialists can search for documents administration programming that handles depending on the information type and test execution and investigation. Cuckoo's pixel size. foundation's main sections are a host machine (the software for administration) d. Data Visualization: Evidence and multiple guest machines (for inquiry, perception in computer forensics is an virtual or physical machines). The Host runs up-and-coming worldview. Instead of the central section of the sandbox that deals examining textual information, forensic with the whole inquiry process, while the experts can make use of techniques of Guests are in an isolated environment where perception of data to create a gradually the samples of malware get performed and instinctive picture of a situation. FTK analyzed. ______March 2020 18 www.viirj.org

Vidyabharati International Interdisciplinary Research Journal 10(1) ISSN 2319-4979 ______provides schedule creation, cluster access to countless Windows-based tools graphs and geo-area for this element. such as putty, VNC cut-off document recovery tool, Registry Viewer and Asterisk e. Cerberus: FTK has built-in Cerberus, Logger. an incredible automated malware discovery feature. It sniffs malware on a 2.4 X-Ways computer using machine understanding. X-Ways is an incredible investigation report It proposes actions along these lines to generation application for law enforcement, handle it whenever discovered. intelligence organizations, and the private f. OCR: The optical character recognition sectors. It runs under windows. It is created motor of FTK enables to convert images by X-Ways software technology in 2015. It to readable material quickly. Also, is a propelled workplace for digital forensic multi-language assistance is included. analysts. This forensics is increasingly proficient to use. It's not an application 2.3 HELIX starving for the resource. Rather it often Helix Pro is an advanced forensic tool suite goes very fast and discovers documents that CD that offers both live response and have been erased. It is small and operates a bootable criminological environment. The USB stick without installation on any live response utility furnishes the window system. It is based on WinHex and computerized investigator with an intuitive Disk Editor as well as part of a productive graphical interface and simplest methods for process model in which computer imaging a subject framework's physical criminological examiner shares data and memory [18]. It is created by teams with experts. CarneronMalin and James Aquilia in 2013. X-Ways crime scene investigation contains Helix Pro gets physical memory from a all of WinHex's overall and special subject (client/ victim) system by imaging characteristics, for example, the character device document. At the point when the system is live, its state is a. It can clone all the images and data continually changing, however, gathering available in the disk. data from such a system is helpful when b. Reading, partitioning and documenting they can't be killed. Because of closing all raw (.dd) picture records, ISO, VHD, the proof available in volatile memory, VHDX, VDI pictures cache and sometimes disk is lost down a hacked or compromised machine. The c. Automatic ID of lost/erased allotments system is not impacted while working with

Helix, which is essential because if it were d. Access to logical running process to be installed in the scheme, the system's memory initial state would be changed. Hence, some e. Use formats to view and alter binary criminal tracks may be lost. information structures, etc. From images to dissecting, Helix produces 3. Mobile Forensics an MD5 checksum [18] document for each record generated or imported to ensure the Mobile forensics is the part of advanced integrity of the records, e.g. nobody changes digital forensics which manages the the documents. advanced investigation in cell phones. Following are the tools to analyze the The Helix has applications, for example, versatile criminological applications: Windows Forensic Toolchest, FTK Imager, and Incident Response Collection Report. It 3.1 BitPim is very well utilized as a versatile BitPim is an open-source cross-platform criminological environment as it provides application to monitor cell phone data using ______March 2020 19 www.viirj.org

Vidyabharati International Interdisciplinary Research Journal 10(1) ISSN 2319-4979 ______the CDMA communication protocol. BitPim 2.3 Belkasoft Evidence Center is developed by Roger Binns in 2003. Belkasoft Evidence Center is a forensic BitPim can be used to back up phone-saved option for securing, discovering, finding, information and to synchronize contacts and extracting and investigating advanced calendars. It is consistent with multiple evidence stored inside cell phones, RAM schedules and contact management systems and cloud. This tool is developed by that help the CSV (Comma Separated Belkasoft. It makes it simple for an Vales), including Google Apps, Microsoft examiner to gain, search, extract, store and Office, and other software applications offer computerized proof found inside cell [20]. phones. By examining cloud, hard drives, Additionally, BitPim supports customizing a memory dumps, drive pictures, and chip-off few other kinds of information, including dumps, the toolbox will quickly extract contact information, schedules, ring tones, digital proofs from various sources. images, and wallpapers. BitPim allows It finds over a thousand kinds of the most immediate access to key telephone features significant forensic artifacts, including over and data by the researcher. The researcher two hundred mobile applications, all main can deactivate the functioning capacity of document formats, browsers, email clients, the phone. Most phones with a Qualcomm- social networks, dozens of image and video made CDMA chipset are BitPim- formats, system files and registry files, compatible. instant messenger, etc. 3.2 MOBILedit Belkasoft evidence center does not adjust MOBILedit is advanced forensics that and alter information on hard drives or disk Inspects and reports GSM / CDMA / PCS images that are being researched. It wireless gadget data. This tool is developed empowers full-content pursuit through all by Compleson Laboratories. MOBILedit procured proof and offers a complete associates with Mobile gadgets through an analysis of periods of intrigue using a IR port such as a Wi-Fi, Bluetooth graphic timeline. connection or a connection module. After 3.4 Oxygen Forensic network building, model number, sequential number, and its manufacturer recognize the Oxygen Forensic is versatile criminological mobile model. The data obtained from the software for sensible investigation of mobile devices is stored in the file .med phones, cell phones and PDAs (Personal format. The associated areas are filled with Digital Assistant). Oxygen Software has data after a fruitful lawful acquisition: developed this tool. It can remove device subscriber information, phonebook, missed information, contacts, calendar activities, calls, ringing last numbers, received calls, SMS messages, logs of occurrences and SIM phonebook, inbox, drafts, sent items files. It discovers passwords to encode and files folder. MOBILedit is a platform reinforcements and images. It sidesteps that operates with a variety of devices and screen lock on well-known Android cell phones and examines the phone's operating devices. It gains location, history contents through an envelope structure and media documents from automatons and similar to MS Outlook. This allows the data extracts information from cloud stored on the phone to be reinforced, stored administrations, for example, iCloud, on a laptop or duplicated information to Google, Microsoft and so forth. It also gets another phone via the copier function of the information from IoT(Internet of Things) phone. gadgets and savvy watches. It offers import and investigation of call information

records.

______March 2020 20 www.viirj.org

Vidyabharati International Interdisciplinary Research Journal 10(1) ISSN 2319-4979 ______Identified Parameters j. Protocol: It shows the principles pursued by the tool. The procedure for our analysis process helps us in deciding the best tool which is k. Topology: It alludes to the course of reasonable for a specific investigation. The action of network portrayal. parameters being considered are l. Acquire: It alludes to recognize the underneath: advanced proof inside the hard drive. a. Imaging: Imaging is a bit- by- bit, m. File System: The strategy for document sector- by- sector direct copy of a framework securing empowers the physical storage device that includes all investigator to gain logical acquisition files, folders and unallocated, free and since it gives access to file system slack space [1]. information. b. Hashing: Hashing refers to the n. History: It recovers the browsing utilization of the hash function to check history, calls history of the cell phone. the integrity of the information used to confirm that the image is o. SIM Analyzer: It gets ICCID indistinguishable from the source (Integrated Circuit Card Identifier) media. without knowing the PIN and furthermore recovers Location Area c. Recovery: Recovery is the way toward Information. It likewise gives access to getting back the information from the SIM card status data, for example, IMSI, erased drive. It is utilized to extricate the LAI, PIN, PUK. current information. d. Data Analysis: Data analysis is a way p. Multiple Source: It gives complete of examining the extracted data from support of contact account records, for digital devices. example, Gmail, Skype, or Facebook contacts without knowing the account e. Reporting: Reporting alludes to the best passwords. possible document generation after perform by the forensic tool. Comparative Analysis f. Packet Analyzer: It is utilized to Table 1 given below gives the comparative investigate the packet data, for example, analysis of various digital forensic tools IP, MAC, firewall data. based on the identified parameters. This analysis is used to determine which forensic g. Packet Sniffing: Packet sniffing tool suits better in terms of parameters for separates data about the packet going any investigation. All these parameters have into the network. been discussed in section 6. All the tools h. Packet Spoofing: In packet spoofing, IP that are mentioned in the table have been information is extracted. also discussed. In this section, we have compared only three categories of Digital i. Open Port: It encourages us to Forensic tools. And the other two categories distinguish the open ports in the IP have been already analyzed in paper [1]. association that is required for application and servers.

______March 2020 21 www.viirj.org

Vidyabharati International Interdisciplinary Research Journal 10(1) ISSN 2319-4979 ______Table 1- Comparative Analysis of Digital Forensic Tools

Tools Digital Tools Imaging Hashing Recovery Data Reporting Packet Packet Packet Open Protocol Topology Acquire File History Sim Multiple forensic availability Analysis Analyzer Sniffing Spoofing Port system Analyzer Source type

Wireshark Free ------   

Nmap Network Free - - - - -      - - - - - Free ------Nessus     

Xplico Free    -      -  - - - - Cuckoo Free ------Sandbox     

Database Free ------FTK      Free ------Helix      

X-Ways License      ------ - - - - Free ------Bitpim      

MOBILedit Mobile Trial -   -  ------     Belkasoft Trial ------evidence          center

Oxygen Free ------Forensic          

In this table, check mark (√) indicates that the particular parameter is available in the concerned tool and minus sign (-) indicates the absence of that parameter in the concerned tool.

______March 2020 22 www.viirj.org Vidyabharati International Interdisciplinary Research Journal 10(1) ISSN 2319-4979 ______Conclusion on their requirements. In this paper, we have Nowadays, many digital forensic tools and broadly categorized three types of digital techniques are used for cybercrime forensic tools namely Network forensics, investigation. The paper provides a Database Forensics, and Mobile forensics. comparative study between different Some tools are user- friendly because of their GUI and some tools are based on forensic tools concerning a set of parameters like imaging, hashing, packet analyzer, SIM commands. In the future, we will find the analyzer, etc. This comparative study limitations of the Wireshark Forensic tool definitely will help forensic investigators to and try to rectify them experimentally select the best possible forensic tool based

References 1. Lovanshi M., Bansal P. (2019). Drives in Educational Environment, Comparative Study of Digital Forensic IEEE. Tools, Springer Nature Singapore. 9. Singh S., Kumar S. (2020). Capability 2. Khaleque Md A.K., Mahmoud A.l, of Wireshark as Intrusion Detection Munawara S.M. (2016).Memory System, International Journal of Recent Forensic Tools: Comparing Processing Technology and Engineering, Volume-8 Time and left Artifacts on volatile Issue-5, January. memory, International workshop on 10. http://prateek- Computational Intelligence (IWCI). paranjpe.blogspot.com/p/cyber- 3. McCombie S,, Warren M. forensics-case-studies.html (2003).Computer Forensic: An issue of 11. https://www.wireshark.org/docs/wsug_h definition, 1st Australian Computer, tml_chunked/ChapterIntroduction.html Network and Information Forensics 12. https://learning.oreilly.com/library/view/ Conference. instant-wireshark- 4. Sharma P., Jain K., Nagpal B., Tanvi starter/9781849695640/ch01s04.html (2017).REGEX: An Experimental 13. https://www.networkworld.com/article/3 Approach for Searching in Cyber 296740/what-is-nmap-why-you-need- Forensic, IEEE Conference, March. this-network-mapper.html 5. Sanap V., Mane V. (2015).Comparative 14. https://www.tenable.com/sites/drupal.d Study and Digital Forensic Tools, mz.tenablesecurity.com/files/uploads/do International Journal of Computer cuments/nessus_4.4_user_guide.pdf Applications, ICAST 2015. 15. https://www.xplico.org/archives/540 6. Dhaka P., Johari R. (2006).CRIB: 16. https://buildmedia.readthedocs.org/medi Cyber Crime Investigation, Data a/pdf/cuckoo/latest/cuckoo.pdf Archival and analysis using Big Data 17. https://www.forensicswiki.org/wiki/Fore Tool, ICCCA. nsic_Toolkit 7. Bariki H., Hashmi M., Baggili I. 18. https://www.pcquest.com/forensic- (2011).Defining a Standard of Reporting analysis-helix/ Digital Evidence Items in Computer 19. https://digital- Forensic Tools, Institute of Computer forensics.sans.org/blog/2009/11/20/helix Sciences, Social Informatics and -3-pro-first-impressions Telecommunication Engineering. https://searchmobilecomputing.techtarge 8. Lim C., Meily, Micsen, Ahmadi H. t.com/definition/BitPim (2014), Forensic Analysis of USB Flash ______March 2020 23 www.viirj.org