IJoFCS (2014) 1, 22-29. The International Journal of Forensic Computer Science

www.IJoFCS.org

DOI: 10.5769/J201401003 or http://dx.doi.org/10.5769/J201401003

A Comparative Study based Digital Forensic Tool: Complete Automated Tool

Nilakshi Jain (1), Dr. Dhananjay R. Kalbande (2)

(1) University of Mumbai, Email: [email protected]
(2) University of Mumbai, Email: [email protected]

Abstract: Crime is a social phenomenon that has increased sharply in the last few years, and technology can make the work of investigating agencies easier. Digital forensic investigation is a specialised branch of computer forensics in which scientific procedures and tools allow digital evidence to be admissible in a court of law. However, there is no single accepted guideline or predefined method of investigation recognised by the courts, and existing tools and techniques provide only partial solutions. The main objective of this work is therefore to implement a digital forensic tool based on the digital forensic framework proposed in [3]. The tool generates reports automatically and includes a history keeper and a feedback facility. This digitised approach helps investigating agencies follow a customised investigative procedure for crime analysis and criminal identification instead of manually searching a database, and so assists them in combating crime.

Key words: Digital Forensic, digital evidence, forensic tools, forensic framework.

1. Introduction

Mankind has flourished in all spheres of life and is pushing every limit beyond the horizon, but at the same time crime is rising at a high rate and has become rampant. Crime may be national or international, but it is always an offence against the morality of society. In recent years many cases of murder, assault, rape, burglary, hacking, banking fraud, e-mail spamming and the like have emerged. Statistics up to mid-2015 show that the crime index in all countries is increasing while the safety index has declined.

Crime arises for reasons such as illiteracy, unemployment, overpopulation and poverty; other factors, such as an individual's mindset, upbringing and family background, can also drive a person to commit a crime. With advances in technology, electronic gadgets are readily available and are misused by people for selfish motives, which has brought the term "Cyber Crime" into the picture. Physical crime and cyber-crime are cropping up at different rates and in different geographical locations.

Paper submitted on: May 27th 2015

The field of digital forensics is relatively new in the wider forensic world [1][2]. In recent years a number of digital forensic process models have been proposed, each claiming to be an authenticated and reliable process for use in a court of law, and several companies have developed digital forensic tools that implement some of the proposed processes. Many vendors built their tool around their own digital forensic methodology, Encase [4][5] being one example, and most tools provide only a partial solution to an investigation, covering the phases their own methodology recognises. Some authors proposed new components and added them to existing forensic processes. Processes that claimed to be complete have nevertheless been challenged in court, with both the digital evidence and the process rejected. No compared and integrated approach with feedback and case-history support has been established [3].

To overcome this problem we proposed a framework in [3]; this paper extends that work by applying the framework in the development of the proposed tool. The primary objective of the paper is to study the existing top 25 digital forensic tools and determine which phases of the proposed framework each tool can complete. The secondary objective is to develop a tool that completes all phases of the proposed framework [3] with history keeper and feedback support.

2. Digital Forensic Tools

A. Review of Literature

The aim of this section is to give an overview of the top 25 digital forensic tools and map each tool's activities onto the phases proposed in the framework [3]. Reference numbers follow the reference list and Table 1.

a) Encase [4][5][6] is used to acquire, analyse, classify, recover and reconstruct past events and to report on digital evidence found during the digital forensic investigation process. Encase is a well-known tool that is accepted in court as well as in the digital forensic community.

b) FTK [7][8] is produced by AccessData. FTK is used to acquire, analyse and image hard disk drives. It also calculates MD5 hash values to confirm data integrity. FTK includes a variety of tools, among them recovery of deleted files, e-mail analysis, searching and password cracking.

c) SANS SIFT [9], the SANS Investigative Forensic Toolkit, is a combination of tools packaged in a virtual machine as a computer forensic suite. It handles disk images, raw images and multiple file systems such as NTFS, HFS and UFS.

d) PTK Forensic [10] is a non-free digital forensic tool that runs on a MySQL and PHP architecture. PTK calculates hash signatures (SHA-1 and MD5) of acquired media for verification.

e) Bulk_extractor [11] scans a disk image, a file or a directory of files and extracts useful information (e-mail addresses, URLs and similar features) without parsing the file system or its structures. The results are stored in separate feature files that can easily be inspected, parsed or processed by automated tools.

f) The Sleuth Kit [12] is a collection of command-line tools for analysing disk images and recovering files from them. It is used behind the scenes in Autopsy and many other open source and commercial tools.

g) The Coroner's Toolkit (TCT) [13] is a suite of free programs by Dan Farmer and Wietse Venema designed to assist in digital forensic analysis. TCT is mainly a Unix/Linux based toolkit used for data collection and analysis; the suite runs under several Unix-related operating systems: FreeBSD, OpenBSD, BSD/OS, SunOS/Solaris, Linux and HP-UX. TCT is released under the terms of the IBM Public License.

h) DFF [14], the Digital Forensics Framework, is open source computer forensics software that allows an investigator to collect, preserve and reveal digital evidence without compromising systems and data. It reads the RAW, EWF and AFF forensic image formats, accesses local and remote devices, and recovers hidden and deleted files.

i) COFEE [15], the Computer Online Forensic Evidence Extractor, is a digital forensic toolkit developed by Microsoft to help computer forensic investigators extract evidence from a Windows computer.

j) ProDiscover Basic [16] is a simple digital forensic investigation tool used to image, analyse and report on evidence found on a drive. After adding a forensic image the investigator can view the data by content or by looking at the clusters that hold the data; the Search node searches the data by the given criteria.

k) Volatility [17] is a memory forensics framework for incident response and malware analysis that allows investigators to extract digital artefacts from volatile memory (RAM) dumps.

l) Linux 'dd' [18] is available by default on the majority of Linux distributions such as Ubuntu and Fedora. dd is used for wiping a drive and for creating a raw image of a drive. dd itself is a general-purpose block-copying utility rather than a dedicated forensic tool; the forensic variant referenced in [18], dc3dd, adds on-the-fly hashing and error logging.

m) CAINE [19], the Computer Aided Investigative Environment, is a Linux Live CD containing a variety of digital forensic tools, a user-friendly GUI, semi-automated report creation and tools for mobile forensics, network forensics and data recovery.

n) Recuva [20] is a data recovery tool for Windows developed by Piriform. It can recover files that have been permanently deleted, including files on USB flash drives, memory cards and MP3 players.

o) HexEditor [21] is a basic hex editor that can handle very large files. It is useful for loading large files such as database files or forensic images and for manual data carving, low-level file editing, information gathering and searching for hidden data.

p) DEFT [22] is a bundle of digital forensic tools aimed at incident response, cyber intelligence and computer forensics scenarios. It contains tools for mobile forensics, data recovery and hashing.

q) Xplico [23] is an open source Network Forensic Analysis Tool (NFAT) used to extract application data from internet traffic. It supports a multitude of protocols, performs TCP reassembly and can output the extracted data to a MySQL database.


r) LastActivityView [24] allows the investigator to view what actions were taken by a user and what events occurred on the machine: running an executable file, opening a file or folder from Explorer, an application or system crash, or a user performing a software installation are all logged.

s) Mandiant Redline [25] performs memory and file analysis of a specific host. It collects information about running processes and drivers from memory and gathers file system metadata, registry data, event logs, network information, services and tasks.

t) PlainSight [26] allows the investigator to perform digital forensic tasks such as viewing internet histories, data carving, gathering USB device usage information, examining physical memory dumps and extracting password hashes.

u) HxD [27] allows low-level editing of a raw disk or of main memory (RAM). It includes searching and replacing, exporting, checksums/digests, a built-in file shredder, concatenation or splitting of files and generation of statistics.

v) HELIX3 [28] is used in incident response, computer forensics and e-discovery scenarios; it also includes hex editors and password cracking utilities.

w) P2explorer [29] is a forensic image mounting tool that mounts a forensic image as a physical disk so that its contents can be viewed in Windows Explorer or loaded into an external forensic analysis tool.

x) AwardKeylogger [30] is a fast, invisible and easy-to-use surveillance tool that records user activity and keystrokes to a log file. The log file is sent covertly by e-mail or FTP to a specified receiver. It can also detect specified keywords and take a screenshot whenever one is typed, displaying its findings in a log viewer.

y) USBDeview [31]: operating systems record artefacts when USB removable storage devices (thumb drives, iPods, digital cameras, external HDDs, etc.) are connected to the system. USBDeview presents complete information about the removable storage devices that have been connected to the system.

B. Comparative Table

Table 1 shows which processes of the proposed framework are supported by the tools discussed. The aim of the table is to expose the deficiencies of existing tools: as the table shows, none of the tools is able to complete all processes of the proposed framework [3].

3. Proposed Digital Forensic Tool

This section gives a brief overview of the tool developed on the basis of the proposed model [3]. The comparative digital forensic tool was designed using the comparative table of Section 2.B (Table 1) and addresses all the processes in the proposed model. The tool was built with NetBeans IDE 7.1.1 and Oracle 10g and has been tested on Windows.

The tool is used by two kinds of user: the user who registers a case, and the investigator who investigates it.

There are four modules in the tool:


3.1 Case Registration Module

The ordinary user registers his case, which is then transferred to an investigator for investigation.

3.2 Investigator's Module

The investigator is responsible for solving the case and has all the services at his disposal in the form of tools such as network inspection, file recovery, hash calculation and disk imaging, among others. This module provides all the services a digital forensic tool should offer and covers all the phases of the proposed framework [3].

3.3 Automated Report Generator Module

This module generates an automated report in two formats: a detailed report for the investigator, to prove the crime and solve the case, and a second report for the user that contains only the required details. This reduces the investigator's manual report-writing time. Both reports are always retained in the history keeper module.

3.4 History Keeper Module / Feedback Module

This is one of the main modules of the tool. The investigator uses it to check for similarities between cases: if the present case resembles a past case, the investigator can apply the same combination of tools and processes to solve it. This saves time when investigating similar cases and also serves as a guide for new investigators. The investigator can add feedback on how a specific problem was solved and record his experience, which then works as literature for other investigators.

Advantages of the proposed digital forensic tool:

- Personal information is protected by separate Admin and User logins, which makes the system more secure.
- The system helps law enforcement agencies reduce the crime rate by identifying the crime percentage of a particular city.
- Because it works according to the phases of the proposed framework [3], it provides a proper solution in every application.
- A new investigator can use the history/feedback module to learn the process and apply that experience in investigation.
- The tool generates the automated report of the case investigated.

4. Conclusion

Crime investigation is one of the important tasks of police organisations. In today's IT-enabled era many techniques are available for crime prevention and investigation. The study was conducted by reviewing the various digital forensic tools included in the review of literature and was motivated by the lack of consistent technology in the digital forensic research area. The main object of the study was to determine whether the complete proposed digital forensic framework can be implemented in a digital forensic tool with automated report generation. The tool was developed and tested on many cases from various application areas and achieved fast and reliable results. The review of literature covered 25 digital forensic tools; the study could be extended to more tools to obtain better results. In future we can enhance the data privacy, reliability, accuracy and other security measures of a crime-based data mining system. Moreover, there is a need to improve the prediction, efficiency and enhancement of the system.

References

[1] Baryamureeba and F. Tushabe. The Enhanced Digital Forensic Investigation Process Model. In Proceedings of the 4th Annual Digital Forensic Research Workshop, Baltimore, MD. Citeseer, 2004.
[2] M. Reith, C. Carr, and G. Gunsch. An Examination of Digital Forensic Models. International Journal of Digital Evidence, 1(3):1-12, 2002.
[3] Nilakshi Jain and Dr. Dhananjay R. Kalbande. Digital Forensic Framework using Feedback and Case History Keeper. International Conference on Communication, Information & Computing Technology (ICCICT), pp. 1-6, 2015.
[4] Encase search technology validated. https://www.guidancesoftware.com/products/Pages/encase-forensic/overview.aspx?cmpid=nav, January 2015.
[5] Wikipedia, Encase. http://en.wikipedia.org/wiki/EnCase, January 2015.
[6] Sectools, Encase. http://sectools.org/tool/encase/, January 2015.
[7] Wikipedia, Forensic Toolkit. http://en.wikipedia.org/wiki/Forensic_Toolkit, January 2015.
[8] AccessData, Forensic Toolkit. http://accessdata.com/solutions/digital-forensics/forensic-toolkit-ftk, January 2015.
[9] System Administration Networking and Security Institute (SANS), Computer Forensics and Incident Response. https://www.sans.org/course/advanced-computer-forensic-analysis-incident-response, February 2015.
[10] Wikipedia, PTK Forensic. http://en.wikipedia.org/wiki/PTK_Forensics, February 2015.
[11] AFFLIB open source computer forensic software, Bulk Extractor. https://github.com/simsong/bulk_extractor/wiki/Installing-bulk_extractor, February 2015.
[12] B. D. Carrier, Sleuth Kit. http://www.sleuthkit.org/sleuthkit/, January 2015.
[13] Wikipedia, The Coroner's Toolkit. http://www.sleuthkit.org/sleuthkit/, February 2015.
[14] Digital Forensic Framework, (Re)Discover Digital Investigation. http://www.sleuthkit.org/sleuthkit/, January 2015.
[15] Wikipedia, Computer Online Forensic Evidence Extractor (COFEE). http://en.wikipedia.org/wiki/Computer_Online_Forensic_Evidence_Extractor, January 2015.
[16] ARC, ProDiscover Basic. http://www.arcgroupny.com/products/prodiscover-basic/, January 2015.
[17] Volatility. https://www.volatilesystems.com/default/volatility, February 2015.
[18] Linux dd. http://sourceforge.net/projects/dc3dd/, February 2015.
[19] CAINE Software. http://www.caine-live.net/page5/page5.html, January 2015.
[20] Wikipedia, Recuva. http://en.wikipedia.org/wiki/Recuva, February 2015.
[21] Wikipedia, HexEditor. http://en.wikipedia.org/wiki/Recuva, January 2015.
[22] DEFT. http://www.deftlinux.net/, February 2015.
[23] Network Analysis Tool, Xplico. http://www.xplico.org/download, February 2015.
[24] LastActivityView. http://www.nirsoft.net/utils/computer_activity_view.html, February 2015.
[25] Mandiant Redline. https://www.mandiant.com/resources/download/redline, January 2015.
[26] PlainSight. http://www.plainsight.info/index.html, January 2015.
[27] HxD Freeware Hex Editor and Disk Editor. http://mh-nexus.de/en/hxd/, January 2015.
[28] HELIX3, Incident Response and E-Discovery tool. http://www.e-fense.com/products.php, January 2015.
[29] P2explorer. https://www.paraben.com/p2-explorer.html, January 2015.
[30] AwardKeyLogger. http://www.award-soft.com/award-keylogger, January 2015.
[31] USBDeview. http://www.nirsoft.net/utils/usb_devices_view.html, January 2015.


Table 1: Digital forensic tools mapped to the proposed digital forensic framework [3]

Tool columns (1-25): Encase [4][5][6]; FTK [7][8]; SANS SIFT [9]; PTK [10]; Bulk Extractor [11]; The Sleuth Kit [12]; The Coroner's Toolkit [13]; DFF [14]; COFEE [15]; ProDiscover Basic [16]; Volatility [17]; Linux 'dd' [18]; CAINE [19]; Recuva [20]; HexEditor [21]; DEFT [22]; Xplico [23]; LastActivityView [24]; Mandiant RedLine [25]; PlainSight [26]; HxD [27]; HELIX3 [28]; P2explorer [29]; AwardKeylogger [30]; USBDeview [31].

Rows: the 40 phases of the framework. (The per-tool check-mark columns are not recoverable from this copy; the number of tools marked for each phase is given instead.)

Sr. No. | Phase                   | Tools marked (of 25)
1       | Acquire                 | 1
2       | Analyse                 | 10
3       | Approach Strategy       | 0
4       | Assess                  | 0
5       | Attribute               | 1
6       | Authenticate            | 16
7       | Become Aware            | 10
8       | Classify                | 4
9       | Closure                 | 0
10      | Communication           | 0
11      | Decide                  | 0
12      | Decision                | 0
13      | Destroy                 | 2
14      | Digital Investigation   | 2
15      | Document                | 7
16      | Extract                 | 5
17      | Harvest                 | 12
18      | Hypothesise             | 1
19      | Incident Response       | 3
20      | Individualise           | 1
21      | Infrastructure          | 0
22      | Notify                  | 0
23      | Operational             | 0
24      | Package                 | 1
25      | Physical Investigation  | 1
26      | Plan                    | 0
27      | Policy/Procedure        | 0
28      | Post Process            | 0
29      | Pre-process             | 0
30      | Readiness               | 0
31      | Reconstruct             | 2
32      | Recover                 | 12
33      | Reduce                  | 3
34      | Search                  | 5
35      | Seizure                 | 0
36      | Submit                  | 0
37      | Trace                   | 2
38      | Trace back              | 0
39      | Transport               | 0
40      | Triggering              | 0