Digital Forensic Tools - IOSRJEN

IOSR Journal of Engineering, Mar. 2012, Vol. 2(3) pp: 392-398

be bent neither toward the prosecution nor the defense, but an unbiased statement of fact.

C. Legal Profession
Educating the legal fraternity is a priority due to long-held views within the profession. Members of the legal profession have adopted different attitudes to digital forensic evidence in accord with their particular judicial perspective. There are three distinct perspectives that may be adopted by legal professionals: the prosecution argues for the accused's guilt, the defense argues their innocence, and the finder of fact, being either the judge or the jury, is expected to be neutral until persuaded by legal argument. Prosecution lawyers tend to become involved in legal issues early in an investigation and develop legal argument to support prosecution as cases progress. Defense lawyers tend to become involved with cases only after prosecution lawyers determine that a prosecution is likely to be successful. As such, defense lawyers do not necessarily have the depth of case data exposure that is available to their fellow counsel.

D. Policy-makers and Legislators
This group includes legislators (e.g., Senators and Congressmen at various levels of government in the United States), their staff members, and staff members in a wide variety of agencies that have some level of responsibility for an area of government (e.g., the U.S. Federal Communications Commission). This group is responsible for producing the legal and regulatory framework in which a given society operates.

E. Corporations
The populations included here are corporate security officers, ethical hackers, system analysts, etc., with a focus on education rather than training. There can be considerable time between the occurrence of an incident and the recognition that an incident has occurred. It is during the period between the recognition of an incident and the determination that law enforcement must become involved that the corporate warrior can define the success of an investigation.

F. Higher Education
There are many levels of higher education that need to be considered in order to identify appropriate content and educational methods for digital forensics topics that work well for the various higher education markets, including community colleges, undergraduate programs, graduate programs, and educators.

V. OPEN SOURCE
Generically, "open" means just that: the source code is open and available for review. Open source is considered as a piece of software which is freely available and redistributable, which provides access to the source code, which allows the end user to modify the source code at will, and which must not restrict the end use of the software.

VI. FORENSIC SOFTWARE TOOLS

A. EnCase
Since its founding in 1997, Guidance Software has grown to be a leading provider of computer forensic software and services, with over 20,000 worldwide clients and 285 employees. Guidance Software states that their suite of EnCase® solutions enables corporations, government and law enforcement agencies to conduct effective digital investigations, respond promptly to eDiscovery requests and other large-scale data collection needs, and take decisive action in response to external attacks.

Fig. 4 EnCase Screenshot.

An Initial Project Scope Analysis of EnCase included the following product features:
- Can read multiple file system formats such as FAT, NTFS, ext2, ext3, ReiserFS, UFS, and JFS.
- Can read multiple disk image formats such as Raw (dd), VMware, EnCase (.E01), and Safeback.
- Can remotely acquire disk images from networked computers running an EnCase acquisition agent.
- Data collection from a running and turned-off computer utilizing EnCase Portable.
- Integrated keyword searching.
- EnScript programming language automates almost any functionality with complete control over the details.
- Disk browsing, searching, and EnScript are the primary ways to view evidence.
- Integrated viewer allows viewing of many popular file formats, such as image files.

ISSN: 2250-3021 www.iosrjen.org 394 | Page


- Indexes zip files for analysis of compressed files/folders.
- Can create hash values for any file in the case.
- Integrated registry viewer.

Characteristics
EnCase is identified with certain characteristics:
- Requires a greater amount of time in training before a user can be effective in analysis.
- Searching can be confusing.
- No log file is available to investigators of the actions they performed in a session.
- Extensive search customization afforded through string conditions, EnScript language commands, GREP, and filters.
- Convenient analysis afforded by importing the image and hashing files in the background after importing.

B. FTK Imager
FTK Imager is an extremely valuable tool to any responder or analyst, allowing them not only to acquire images from systems (via the appropriate write-blockers or from live systems) but also to verify file systems of acquired images, be they raw/dd or "expert witness" (perhaps more popularly known as "EnCase") format, VMware vmdk file format, etc. FTK Imager recognizes a number of file system formats, including not just FAT and NTFS, but ext2, ext3, and others, as well.

Fig. 5 FTK Imager Screenshot.

An Initial Project Scope Analysis of FTK included the following product features:
- Can read multiple file system formats such as FAT, ext2, ext3, and NTFS.
- Can read multiple disk image formats such as Raw (dd), SMART, EnCase (.E01), Snapback, and Safeback.
- Supports most modern email clients for email analysis.
- Indexes zip files for analysis of compressed files/folders.
- Known File Filter (KFF) feature aids the investigator in focusing on items of interest.
- Interface is filter-based, with multiple different pre-programmed filters for evidence viewing.
- Internal viewer allows the investigator to view Word, PowerPoint, and Excel documents, and various image files.
- Internal email viewer allows the investigator to navigate email from various email store formats without having the email client used to generate the store.
- Search feature using keywords.
- Expanded functionality, such as registry viewing and password recovery, comes in the form of program integration with other company products.
- Creates hash values for any file.

Characteristics
- Requires substantially less time commitment to training to use the program.
- Intuitive GUI design for speedy analysis.
- Lengthy importing process restricts time for analysis of the contents of the image.
- Least customizable of all three software choices.

C. ProDiscover Free
ProDiscover is a powerful computer security tool that enables computer professionals to find all the data on a computer disk while protecting evidence and creating evidentiary-quality reports for use in legal proceedings. ProDiscover lets you search through the entire disk for keywords and phrases with full Boolean search capability to find the data you want. You can use the hash comparison capability to find known illegal files or to weed out known good files, such as standard operating system files, by utilizing the included data from the National Drug Intelligence Center in their Hashkeeper database. ProDiscover's powerful search capability is fast and flexible, allowing you to search for words or phrases anywhere on the disk, including the slack space. The extensive on-line help capability and easy-to-use GUI interface allow you to quickly start using ProDiscover.


I am grateful for all other teaching and non-teaching staff members of the Computer Technology for directly or indirectly helping us for the completion of this seminar and the resources provided.
