1 / 13

Comparison of open source and commercial software in forensic informatics

Comparison of open source and commercial software in forensic informatics. Trends in forensic informatics. One of the most dynamically improving branches of forensic science In some cases, data digitalizing represents the only way of information archiving

nrieth
Download Presentation

Comparison of open source and commercial software in forensic informatics

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Comparison of open source and commercial software inforensic informatics

  2. Trends in forensic informatics • One of the most dynamically improving branches of forensic science • In some cases, data digitalizing represents the only way of information archiving • Digitalizing and computerizing interlopes progressively in all of the advanced countries in the world • Positive effects • Negative effects: • misuse of a computer to commit a crime • use computer directly, where digital data are the primary object of an assault • Promptly respond to the fact, that it’s necessary to perform quick, certain and specific digital data analysis

  3. The main principles of digital data analysis • A possibility to apply standard scientific procedures • The main goal of digital forensic analysis consists of confirmation or confutation of appointed conjecture • A necessity of the whole process automation • Process of analysis consists of: • data acquisition and preparation • data accessing and sorting • data analysis • documenting of information and results • information and results presentation to competent authority in form of easy understanding

  4. Available software tools Primary software tools applicable to digital forensics: • tools not especially developed for digital forensic investigation • tools directly dedicated to digital forensic investigation: • commercial tools (EnCase, Forensic ToolKit) • shareware, freeware, open source tools (SleuthKit/Autopsy) • special licensed tools (e.g. only for legislative investigations – ILook)

  5. Tools directly dedicated to digital forensic investigation EnCase • commercial product • most commonly used • expensive • own scripting language • WIN32 platform

  6. Tools directly dedicated to digital forensic investigation Forensic ToolKit • commercial product • designated rather for routine operations • fair price • without possibility of own scripts addition • WIN32 platform

  7. Tools directly dedicated to digital forensic investigation ILook • special licensed product • free for legislative investigations • designated for routine and exact operations • own scripting language • plenty of existing scripts • analysis report generation in Slovak language • WIN32 platform

  8. Tools directly dedicated to digital forensic investigation Sluethkit/Autopsy • Sleuthkit – set of tools for allocated and unallocated data space documenting • Autopsy – graphical interface of the tool • open source license • platforms: UNIX, LINUX, WIN32(CYGWIN)… • low control comfort • relative possibility of results verifying

  9. Validation options of obtained results • Process of result correctness contains basically following tests: • test of false positives • test of false negatives • Process of result verification: • open source tools have a possibility to check source code on the part of end user • commercial software tools are supplied in form of the black box of which results could be verifying by the circular test

  10. Validation options of obtained results Circular test procedure consists of several steps: • creation of file, which content is generated by exactly defined symbols (e.g. hexadecimal code “FF”) • file system association, formatting • creation of data content as well as on the standard data medium (e.g. copying, deleting, etc.) • specification of the questions about what exactly should be performed within the frame of the circular test (e.g. to find all files, to find unallocated disk space, to find all files containing the word “forensic”, etc.) The whole process of data medium creation, which is designated for the circular test, must be documented and after completing given to participants.

  11. Tools requirements Digital forensic analysis tools should meet following basic requirements: • treatability of FAT and NTFS file systems (basically most common used file systems) • ability to recover deleted content • ability to recover lost logical partitions on the data medium • searching for files in unallocated disk space • known files recognition • recognition of unknown or crypted files • automatic file content indexing • analyzed files checksum generation (CRC, MD5, SHA1) • known files exclusion on the basis of the checksum (e.g. operating system files) if the files are not an object of analysis • analysis report generation

  12. Tools comparison

  13. Thank you for your attention

More Related