Popular Forensic Tools - Essay Example

Summary
The paper "Popular Forensic Tools" compares the commercially available FTK and its open-source counterpart, Autopsy. FTK is a high-priced commercial forensic toolkit, but its ability to perform digital forensics is unquestionable. Autopsy has features commonly found in its commercial counterparts…

Extract of sample "Popular Forensic Tools"

Introduction

“Computer crime and computer-supported criminal activities are booming businesses” (1). Computer forensics is one of the fastest-growing professions of the 21st century, as the soaring number of Internet users combined with the constant computerization of business processes has created new opportunities for computer criminals and terrorists. Generally, the recognition, protection, investigation, and documentation of a crime perpetrated in a computer system is called computer forensics. A number of tools on the market can be used to perform computer forensics, including EnCase, FTK, and ASR Data’s SMART. Most of these tools are closed-source or commercially marketed applications, and because they can prove innocence or guilt, they can affect people’s lives significantly. For this reason such systems should always be available for systematic review and debate. The purpose of the open-source approach is to make the processes and procedures of such systems clearly defined and open to systematic analysis. The following sections compare two popular forensic tools: the commercially available FTK and its open-source counterpart, Autopsy.

FTK or Forensic Toolkit

Forensic toolkits are commonly known to provide tools for performing many activities of a computer forensic investigation. However, no single toolkit has been developed that encompasses all the forensic activities an investigation might require. FTK, or Forensic Toolkit, developed by the AccessData company, has an interface that is easy to understand and use. “It is a complete forensic toolkit” (2). Partially overwritten files are retrieved and sorted automatically by this forensic tool. FTK also integrates dtSearch, a text retrieval engine, which provides powerful and extensive text search functionality. FTK’s customizable filters allow sorting through thousands of files to quickly find the required evidence.
FTK can also be used to perform e-mail analysis (3). The downside is the time it takes to index the data, but the benefits can be enormous: after the evidence is indexed, FTK has excellent searching capabilities (4). FTK automatically extracts Microsoft Office documents, client-based e-mail, web-based e-mail, Internet activity, and more. Because the tool does this automatically, it can save a tremendous amount of time, so that the analyst can go about the business of analyzing only relevant data. FTK’s ability to fully index data yields nearly instantaneous keyword searches. Although this may not sound important, on a multi-gigabyte hard drive image it can eliminate hours of search time at the forensic workstation. FTK analyzes all Microsoft Windows file systems, including NTFS, NTFS compressed, and FAT 12/16/32. For Linux, however, FTK analyzes only ext2 and ext3. Therefore, if the system under investigation uses a different file system, the analyst must use another tool to perform the analysis, such as EnCase or the Coroner’s Toolkit (5). FTK investigates e-mail files, and probably one of its strongest features is the ability to create a full-text index of large files. FTK can read PST and OST archives directly by accessing their internal structures. The result is that e-mails are automatically indexed during the import process, making them easy to search quickly, especially across multiple mail stores. Moreover, using FTK, a user can view forensic images of hard disks, floppy disks, CDs, DVDs, and other storage media that were created with FTK Imager, or view images created with other tools. It will read image files created with ICS, SafeBack, and forensic uncompressed images created with Ghost, and read or write image files in EnCase, dd Raw, SMART, and FTK image formats (6).
This means that even if another organization or person created a forensic image with different software, a user could still view the image file and determine whether it contained any evidence. This is particularly useful in situations where an internal investigation was conducted, a forensic image was created from a suspect computer, and the police now need to view the evidence that was acquired. In addition to the image file formats that can be made for analyzing disks, there are also a number of file formats that can be read and created for CD and DVD forensics. These include ISOBuster, CUE, CloneCD, Alcohol, Plextools, Virtual CD, and many others.

FTK provides an easy-to-use GUI, so command-line options are not needed to use the tool. The first thing a user should do when starting FTK is to decide whether to create a new case or open an existing one. When creating a new case, FTK allows entry of specific information about the examiner and the selection of several case options. FTK comes with several options for logging information, and under the ‘Case Log’ option the user can customize automatic logging. The next screen, ‘Processes to Perform’, highlights several options available to FTK while building the case file. KFF Lookup and Full Text Index are of particular interest, as these options filter out files that are presumably harmless. The Windows operating system requires hundreds of standard system files to run properly. These files, if unchanged, will provide little information to the analysis in most scenarios. The KFF Lookup option allows a user to reduce the set of files under analysis by eliminating the known files from the case. Therefore, it can save a user time, money, and resources during the investigation.

Autopsy in the Sleuth Kit

Proprietary packages such as EnCase, FTK and X-Ways Forensics are widely respected by law enforcement and by those in the forensic community. However, these packages come with large price tags (7).
Autopsy is an open-source forensic tool that has many of the same features as its commercial counterparts. Autopsy is also respected in both the forensic and law enforcement communities as a valuable tool for conducting forensic investigations. The Autopsy Forensic Browser is a digital analysis tool that uses a command-line interface; its graphical interface is based on HTML and is part of the Sleuth Kit. The Sleuth Kit in combination with Autopsy can analyse Windows and UNIX file systems and offers features comparable to those of popular digital forensic tools sold on the market. Autopsy allows for live analysis of media by running the tools from a CD. Features include an excellent graphical interface for viewing directory and file content, running hash database lookups, sorting files, creating activity timelines, performing searches, and much more. Autopsy also includes excellent case management and reporting features. Its client-server architecture lends itself naturally to several people working at the same time on data held on one large server. Autopsy is written in Perl and will run on many platforms (8). The Autopsy Forensic Browser allows an analyst to analyze allocated files, previously deleted files, directories, data units, and metadata of forensic images in a read-only environment. Autopsy provides a GUI front-end to perform functions such as initiating string and regular-expression searches, recovering deleted material, creating a timeline of events by examining the modified, access, and change times of files, and importing hash databases of ‘known-good’ files so that a user can perform hash comparisons against the evidence files. Autopsy has several security mechanisms that are highly effective. For instance, the Autopsy server cannot be accessed without the URL given at runtime. In addition to the URL security, Autopsy creates a log file of all connections made to the Autopsy server on the host running the server (9).
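The activity timeline mentioned above is built by ordering the modified, access, and change (MAC) times of every file into one chronological view. The Python example below is added here for illustration and is not code from Autopsy or the Sleuth Kit; it builds such a timeline from constructed metadata records, merges timestamps that coincide for the same file into a single "mac" flag string in the style of mactime output, applies an optional per-host clock-skew offset in seconds, and groups rows into bursts of activity. All paths and times in SAMPLE_RECORDS are constructed, not taken from any real image.

```python
from datetime import datetime, timedelta

# Constructed metadata records: (path, mtime, atime, ctime) as naive UTC
# datetimes. Illustrative values only, not data from any real evidence image.
SAMPLE_RECORDS = [
    ("/home/user/report.doc",
     datetime(2009, 3, 1, 9, 0), datetime(2009, 3, 2, 14, 30), datetime(2009, 3, 1, 9, 0)),
    ("/tmp/x.sh",
     datetime(2009, 3, 2, 14, 29), datetime(2009, 3, 2, 14, 30), datetime(2009, 3, 2, 14, 29)),
    ("/home/user/.bash_history",
     datetime(2009, 3, 2, 14, 31), datetime(2009, 3, 2, 14, 31), datetime(2009, 3, 2, 14, 31)),
]


def build_timeline(records, skew_seconds=0):
    """Return a list of (time, flags, path) tuples sorted by time, then path.

    flags is a three-character string in m/a/c order with '.' where that
    timestamp does not fall on this row, so a file whose mtime and ctime
    coincide appears once as 'm.c' rather than twice. skew_seconds is added to
    every timestamp, standing in for the per-host clock-skew correction an
    investigator applies when the suspect machine's clock was wrong.
    """
    skew = timedelta(seconds=skew_seconds)
    events = {}
    for path, mtime, atime, ctime in records:
        for letter, stamp in (("m", mtime), ("a", atime), ("c", ctime)):
            events.setdefault((stamp + skew, path), set()).add(letter)
    timeline = []
    for (stamp, path), letters in sorted(events.items()):
        flags = "".join(l if l in letters else "." for l in "mac")
        timeline.append((stamp, flags, path))
    return timeline


def format_timeline(timeline):
    """Render rows as 'YYYY-MM-DD HH:MM:SS  mac  path' lines."""
    return [f"{stamp:%Y-%m-%d %H:%M:%S}  {flags}  {path}" for stamp, flags, path in timeline]


def burst_windows(timeline, window_seconds=300):
    """Group consecutive rows whose time lies within window_seconds of the
    previous row. Dense clusters of file activity are usually the first thing
    an analyst wants to look at."""
    window = timedelta(seconds=window_seconds)
    groups = []
    for row in timeline:
        if groups and row[0] - groups[-1][-1][0] <= window:
            groups[-1].append(row)
        else:
            groups.append([row])
    return groups


if __name__ == "__main__":
    for line in format_timeline(build_timeline(SAMPLE_RECORDS)):
        print(line)
```

In the constructed data the script and the document share an access time one minute before the shell history is written, which is the kind of coincidence a timeline makes visible and a per-file listing does not.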
The Autopsy Forensic Browser’s features include case management, where investigations are organized into cases that contain one or more hosts. Each host can hold and analyze several file-system images and can be configured with its own time setting and clock skew to mimic the original time. Configuration files are stored in ASCII text files, and standard directories are used to organise the cases. This makes it easy to incorporate other tools and customize the environment. In Autopsy, file-system images can be analyzed from the perspective of files and directories. This mode shows the file-system contents in the same way that the original users saw them. The investigator is also shown data that is normally hidden by the operating system, such as deleted file names. There are two ways to view and analyse the content of these files: as ASCII, or as strings extracted from binary files if the file is executable. However, the investigator should be very careful that the browser does not process the file content as HTML; for instance, an HTML file should be shown as raw text and not as the formatted version. Autopsy uses the NIST NSRL to identify known and trusted files, together with a user-created ‘Ignore Database’ of files that can be ignored. Autopsy also has a user-created ‘Alert Database’ of files that should be flagged if found, such as rootkits. Autopsy can examine each file in a file-system image, ignore those found in the ignore and NSRL hash databases, raise an alert for those found in the alert hash database, and sort the remainder based on type. In case there was an attempt to hide a file by changing its extension, Autopsy can identify the file by comparing its extension with its actual file type. Keyword searches of the file-system image can be performed using ASCII strings and ‘grep’ regular expressions. Keyword searching can be done on unallocated space or in a large file-system image.
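FTK’s KFF Lookup and Autopsy’s NSRL, Ignore and Alert databases rely on the same mechanism: hash every file on the image, compare the hashes against sets of known values, and triage what remains. The Python example below is added here and is not code from FTK, Autopsy, or the Sleuth Kit. It builds a constructed mini file tree in a temporary directory, derives an "ignore" set and an "alert" set from two of those files (standing in for an imported NSRL/KFF list and an investigator’s alert list), and then applies the order of operations described above: report alert-list hits, drop known-good files, flag files whose extension disagrees with their magic-byte type, and sort the rest by type. The magic-byte table is a deliberately small assumption of this example; real tools carry far larger signature databases.

```python
import hashlib
import os
import shutil
import tempfile
from collections import defaultdict

# Minimal magic-byte table for type identification (an assumption of this
# example; real tools carry far larger signature databases).
MAGIC = {
    b"%PDF": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",
    b"MZ": "exe",
}


def sha1_of(path):
    """Hash a file in chunks so large evidence files need not fit in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def detect_type(path):
    """Classify a file by its leading bytes, never by its name."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    if head and all(32 <= b < 127 or b in b"\r\n\t" for b in head):
        return "txt"
    return "unknown"


def triage(root, ignore_hashes, alert_hashes):
    """Walk `root` and return a dict with ignored, alerts, mismatched and by_type.

    Alert-list hits are reported first, known-good files are dropped, and the
    remainder is checked for extension/type mismatch and sorted by type.
    """
    result = {"ignored": [], "alerts": [], "mismatched": [], "by_type": defaultdict(list)}
    for dirpath, _dirs, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            digest = sha1_of(path)
            if digest in alert_hashes:
                result["alerts"].append(rel)
                continue
            if digest in ignore_hashes:
                result["ignored"].append(rel)
                continue
            kind = detect_type(path)
            ext = os.path.splitext(name)[1].lstrip(".").lower()
            # Only flag when the magic bytes identify the type with confidence.
            if ext and kind in MAGIC.values() and ext != kind:
                result["mismatched"].append((rel, ext, kind))
            result["by_type"][kind].append(rel)
    result["by_type"] = dict(result["by_type"])
    return result


def build_sample_case():
    """Create a constructed file tree in a temp dir; return (root, ignore, alert).

    The two hash sets are computed from the sample files themselves, which is
    what importing a known-file list amounts to. All contents are constructed.
    """
    root = tempfile.mkdtemp(prefix="triage_")
    samples = {
        "system/kernel32.dll": b"MZ\x90\x00 constructed stand-in for a known OS file",
        "docs/report.pdf": b"%PDF-1.4 constructed report body",
        "docs/holiday.jpg": b"MZ\x90\x00 constructed executable renamed to .jpg",
        "docs/notes.txt": b"plain text notes, constructed",
        "tools/helper.exe": b"MZ\x90\x00 constructed file listed in the alert database",
    }
    for rel, data in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    ignore = {sha1_of(os.path.join(root, "system/kernel32.dll"))}
    alert = {sha1_of(os.path.join(root, "tools/helper.exe"))}
    return root, ignore, alert


def run_demo():
    """Build the sample case, triage it, remove the temp tree, return the result."""
    root, ignore, alert = build_sample_case()
    try:
        return triage(root, ignore, alert)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The renamed executable is the case to watch: its hash is in neither database, so only the comparison of extension against detected type surfaces it, which is why the sort-by-type step is done on content rather than on file name.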
To speed up the search, an index of the file can be created. Autopsy can be configured to automatically search for keywords that are frequently used. Metadata structures contain the details about files and directories, and Autopsy allows one to view the details of any metadata structure in the file system. This allows easy recovery of deleted content. Autopsy can read and display data units in various forms, including ASCII, hex dump, and strings, as well as other file formats and file types. Using the file type, Autopsy can scan the metadata structures and find which one allocated the data unit (10).

Although there are some notable disadvantages, the Sleuth Kit offers superior flexibility and control to the investigator when performing a digital investigation, provided he has knowledge of at least one scripting language and is well aware of UNIX-like commands. Without these skills, examination of a complete suspect system would be a difficult and laborious task. For this reason, the developer of this system created the Autopsy Forensic Tool. It is intended to make the collection and examination of digital evidence easier by automating many of the tasks. However, during the usability analysis conducted by Clarke & Furnell (2008), several usability issues were found, for example problems arising from failures to comply with Web usability rules and relevant usability heuristics. There were usability issues relating to the mismatch between the users’ domain language and the system task language, issues with error handling and prevention, issues with the provision of Help and Documentation, and several issues imposed by the operating system. For instance, to show the actions of the user, the system employs stylised buttons and upper-case text fonts. Although the benefit of using this style is unquestionable and attractive, the fact that the choice of colours and fonts restricts the readability of the interface even in close proximity offers no subjective satisfaction.
In addition, it would be more difficult for sight-impaired users to read them. There are numerous terms in Autopsy that are probably strange to beginners or new users of the Linux operating system and digital forensic tools. Examples of terms used by Autopsy that these users may find difficult to understand include ‘case’, ‘image’, ‘host’, and ‘hash database’. Understanding the difference between ‘disk’ and ‘partition’ may be complex for novice users. It is a reality of life that one must be aware or knowledgeable of a task before one can effectively carry it out. Similarly, an investigator can only effectively perform analysis of the suspected computer system if he is knowledgeable and well aware of the nomenclature of the subject. In Autopsy, there are a number of occasions when error avoidance is not thought out as intensely as it should be. “Error prevention enhances usability” (11) by preventing users from stumbling into circumstances where they are affected by errors. For instance, text entry fields are used again and again just to type the details of files existing in the system. It is very likely that invalid data will be entered into the system whenever a user types the wrong string. This means that errors resulting from invalid input may occur later and imperil a case. A ‘Browse’ button similar to the one provided by HTML forms may be very useful in this situation: a ‘Browse’ button right next to the text entry field may prevent a user from entering wrong strings, since it can automatically provide the user with the right string. Regarding the availability of Help and Documentation, some of the pages do not have help facilities. Help is not context-sensitive and is system- rather than task-oriented. The help system does not show initial information in the content frame of the page, and consequently the user will spend considerable time searching through the index to find what he needs.
At present Autopsy runs on Linux, Mac OS X, OpenBSD, FreeBSD, and Solaris platforms. In addition, with the functionality of Cygwin, Autopsy can also run in Windows environments through the emulation provided by Cygwin, which supplies the library to emulate a UNIX environment in Windows. It is therefore essential that a user is well versed in UNIX-like operating systems, as they may otherwise find it hard to get familiar with some of the failings of this system, for instance the location and directory structure, the range and abilities of the applications, and command-line management. “It is more difficult to use than many commercial products” (12).

Comparison Table

Table 4.1 – Comparison Table

Forensic Tool Kit
Features: Extensive features beyond basic forensics (Password Recovery, Distributed Network Attack feature)
Ease of Use: Overwhelming at first glance, but after reading the documentation it becomes intuitive
Performance: Excellent
Documentation Support: Documentation can be vague at certain points, especially in the more complex areas of the program
Value for Money: Good; affordable price for great features

Autopsy Forensic Tool
Features: Case management and reporting features; client-server architecture
Ease of Use: Unix-based, thus requires special skills from users
Performance: Further improvement required
Documentation Support: Help and Documentation not always available on all pages
Value for Money: Good; freeware

Conclusion

Computer crimes can greatly affect people’s lives, and a good forensic tool is required to assist analysts in performing computer forensic investigations. FTK is a high-priced commercial forensic toolkit, but its ability to perform digital forensics is unquestionable considering the savings in time, money, and resources during the investigation. Autopsy from the Sleuth Kit also has features commonly found in its commercial counterparts, and it too is considered a valuable tool for conducting forensic investigations. More importantly, Autopsy is an open-source application and would not cost a user a cent.
However, in critical forensic investigations where the outcome would affect people’s lives, the price of an application is definitely not a criterion. Because of its non-commercial nature, Autopsy suffers from various usability issues and can only run independently on most publicly available free operating systems. In addition, since it is based on UNIX, other users may find it difficult to get used to some weaknesses of the system, particularly in the command line. In the near future there may be considerable improvement in Autopsy, but until then it is much better to use FTK.
Cite this document
IT - Comparison Of Forensic ToolKit (FTK) And Autopsy Forensic Tool. https://studentshare.org/logic-programming/2043717-it-comparison-of-forensic-toolkit-ftk-and-autopsy-forensic-tool
