
4 An Analysis of Digital Forensic Tools

4.4 Digital Forensic Automation

4.4.9 AccessData FTK

The Forensic ToolKit (FTK) is a suite of forensic tools (including FTK itself, Registry Viewer and FTK Imager) produced by AccessData, one of the leading commercial companies in digital forensics and e-Discovery (AccessData, 2016). It is among the tools most widely accepted by law enforcement and the courts. An investigator can use it to cover all the phases of a standard digital forensic investigation, including data acquisition, evidence examination and report production, as well as specific tasks such as data carving, data decryption, registry analysis, timeline analysis and the viewing of mobile device data. An example of its use for analysing email items is illustrated in Figure 4.4.

Figure 4.4: Case example of AccessData FTK

Although FTK is one of the most reliable digital forensic tools on the market, it is very expensive and requires the user to undertake formal training. In addition, the majority of the analysis is still carried out manually by the investigator, which is a time-consuming task.

Table 4.1 below summarises the tools discussed in this chapter in terms of their main functions and categorisation. It may be seen that most of the tools listed here belong to the "commercial" category; hence there is a need to develop more open source tools as well. It can also be seen that the tools vary in their capability, and that most of them focus on tasks related to data collection and sorting (extracting files, hidden data, deleted files and memory dumps) rather than on actual analysis, which corresponds to the observations of Ayers (2009). While these functions are certainly important, tool capabilities need to be extended further.


Name of Tool | Function in DF | Misc Comments
Triage Concept (Rogers et al, 2006) | Quick evidence finding; finds victims at risk; finds the danger level of the suspect | Computer Forensics Field Process Triage Model
Case Based Reasoning (Horsman et al, 2011) | Decides the best suited case on a situation basis; case knowledge is applied to the current case; the proposed case is adapted; the case is added to the knowledge base for future reference | Concept which uses knowledge derived from a knowledge base; based on the four R's: Retrieve, Reuse, Revise and Retain
X-Live (Lee et al, 2010) | Focuses on circumstances where the data volume is huge; focuses on automation; gathers and presents data in XML format | Implements Digital Forensics XML for live data collection
Automatic Windows Log (Murphey, 2007) | Helpful in situations where direct information such as time stamps is not forthcoming; creates the log automatically without manual intervention; recovery, repair, validation, collation | Works on Windows NT based systems, e.g. XP and Windows 2003
B-Method (Gladyshev and Enbacka, 2007) | Useful where files have been deliberately tampered with to hide computer crime traces; detects anomalies based on inconsistencies in data logs | Based on a popular systems development methodology
FACE (Case et al, 2008) | Presents 5 data views to users, namely Users, Group, Processes, File System and Network Capture | Uses the Ramparser Linux based tool
Timeline Analysis (Araste et al, 2007) | Creates a timeline with 4 parameters: Accuracy, Authentication, Integrity and Accountability; attempts to automate timeline analysis and eliminate internal/external errors | Attempts to reconstruct the events that occurred during a computer crime to create a full picture
Autopsy (Carrier, 2016) | Case management, data carving, index searching, timeline analysis, reporting, mobile images | One of the best open source forensic case management tools; dedicated support and training resources are also available
Bulk_extractor (Garfinkel, 2013) | Extracts various data types from raw images at very high speed and accuracy, including email addresses, credit card numbers and URLs | A high performance triage tool that has gained a lot of popularity with law enforcement
AccessData FTK | Supports most of the functionalities for digital forensic investigations apart from analysis automation | One of the leading commercial digital forensic software packages

Table 4.1: DF Tools Comparison
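To make concrete what the "extracts email addresses, credit card numbers and URLs from raw images" row in Table 4.1 means in practice, the following is an added illustration written for this page; it is not bulk_extractor's own source code and is far simpler than the real tool. It scans a raw byte buffer (standing in for a disk or memory image) with byte-level patterns, so features are found regardless of file system structure, records the byte offset of each hit the way a bulk_extractor-style feature file does, and applies a Luhn check to discard random digit runs that merely look like card numbers. The sample image bytes, the pattern set and the feature-file layout are constructed here for the example and are assumptions, not taken from the page or from the tool.

```python
"""Feature extraction over raw image bytes, in the style of a triage tool
such as bulk_extractor (added example; not the tool's code)."""
import re
from dataclasses import dataclass
from typing import List

# Patterns run over raw bytes, not parsed files, so hits in deleted files,
# slack space and unallocated regions are found as well (simplified regexes).
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")
# 13-19 digits, optionally separated by spaces or dashes, bounded by non-digits;
# every candidate is then Luhn-checked to cut false positives.
CARD_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


@dataclass(frozen=True)
class Feature:
    offset: int   # byte offset in the image, as a feature file records it
    kind: str     # "email", "url" or "ccn"
    value: str


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: true for well-formed card numbers, false for most
    arbitrary digit runs (serial numbers, timestamps, hashes)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(image: bytes) -> List[Feature]:
    """Return all features found in the raw image, ordered by offset."""
    feats: List[Feature] = []
    for m in EMAIL_RE.finditer(image):
        feats.append(Feature(m.start(), "email", m.group().decode("ascii")))
    for m in URL_RE.finditer(image):
        feats.append(Feature(m.start(), "url", m.group().decode("ascii")))
    for m in CARD_RE.finditer(image):
        digits = re.sub(rb"[ -]", b"", m.group()).decode("ascii")
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            feats.append(Feature(m.start(), "ccn", digits))
    return sorted(feats, key=lambda f: f.offset)


def feature_lines(feats: List[Feature]) -> List[str]:
    """Tab-separated 'offset<TAB>kind<TAB>value' lines, approximating the
    layout of a feature file (assumed format for this example)."""
    return [f"{f.offset}\t{f.kind}\t{f.value}" for f in feats]


# Constructed sample "image": text fragments padded with filler bytes, standing
# in for the contents of a disk dump. Not real evidence.
SAMPLE_IMAGE = (
    b"\x00" * 64
    + b"From: alice@example.org\r\nSubject: invoice\r\n"
    + b"\xff" * 32
    + b"see https://example.org/pay?id=42 for details "
    + b"card 4111 1111 1111 1111 exp 12/26 "          # passes Luhn
    + b"not a card 1234 5678 9012 3456 "               # fails Luhn, dropped
    + b"\x00" * 16
)

if __name__ == "__main__":
    for line in feature_lines(scan(SAMPLE_IMAGE)):
        print(line)
```

The offset is the key output for triage: it lets an examiner map a hit back to the sector, and from there to the file or unallocated region, without the tool having parsed any file system at all. That is exactly the "collection and sorting rather than analysis" character the chapter observes in most current tools; deciding what a recovered card number or address means for the case is still left to the investigator.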

4.5 Discussion

As discussed in this chapter, some tools and techniques partly automate processes and thereby save the time and effort of digital forensic investigators. Without this level of automation, the digital forensic process could not withstand the immense rise in the number of computer crime incidents and the growing volumes of data that need to be examined.

Although automation exists in different parts of current tools, the level of automation needs to be enhanced. Without it, forensic examination will find it extremely difficult to cope with the rising volume of cyber forensic cases, the growing variety of devices in use and the widespread use of the Internet (Hunton, 2009).

The field of digital forensics is extensive, with many areas to be covered, so it is not easy to label any tool, technique or methodology as the best in comparison with the rest. As already shown, most of these tools have their own sets of capabilities and limitations.

These limitations relate to various aspects, such as the lack of suitable automated tools that could substitute for human intelligence, and the absence of strong input from digital forensic investigators towards building a solid knowledge base that is universally available, acceptable and accessible. Many tools can only be used for one specific aspect of the digital forensic examination process, and there is a scarcity of tools that act as a one-stop shop for the various aspects of the problem.


Because of these limitations, researchers have been constantly improving digital forensic techniques, including attempts to minimise manual effort and increase automation. Whether it is case based reasoning or case profiling, they all reflect the direction in which researchers are heading. Attempts at automation have been only partially successful, mainly because there are still areas in which human intellect, judgement and reasoning cannot be matched by automated processes, algorithms or computer based models.

This matters, because the final legal outcome of a digital investigation bears upon a real human being, whereas the machines, networks and technology are only the medium through which such crimes are perpetrated. Hence the results of such investigations must be as accurate as possible, so that no innocent person is victimised because of inaccurate findings.

The live data forensic system is a notable attempt at dealing with live forensics. Although the project is still in the development phase, it is already quite extensive and comprehensive, and tries to address requirements of the digital forensic investigator such as speed, accuracy and a degree of automation. There is certainly a great deal of improvement to be made in the system, and its potential should not be underestimated.

The triage concept has also been discussed; it is useful where time is a critical factor and quick collection and analysis of the evidence is required for the speedy delivery of justice. As explained earlier, triage offers several advantages, helping to ensure that in sensitive cases, such as child abuse and kidnapping, valuable time is not lost in comparison with traditional investigation processes.

From a broader perspective, every type of tool, technique and technology has its place in the development of digital forensic investigation, and no single tool or technology can be singled out as the most useful. It is the combination of these tools and techniques that will help the overall advancement of the field of digital forensics.

4.6 Conclusion

One of the main features of future tools must be an emphasis on the automation methods needed to ensure that digital forensic investigators spend less time on each case and reduce the backlog of cases. Significant effort has been put into increasing automation; however, those attempts have to be further enhanced to deal with the future needs of the digital forensic field. The process of triage is useful in ensuring that investigations are carried out quickly, saving time compared with traditional tools and techniques. On the whole, the field of digital forensic investigation has grown technologically, but efforts are needed to ensure that related processes such as triage and automation are developed as well.

To conclude, although digital forensic investigation has advanced beyond traditional forensics, there is a lot of room for improvement, as it is still in its early stages. From the technology used for investigating computer crimes, to the prosecution of a suspect and the legalities and legal definitions, unless these are as universal as the concept of cyberspace itself, room for error will always remain.
