130 likes | 213 Views
Comparison of open source and commercial software in forensic informatics. Trends in forensic informatics. One of the most dynamically improving branches of forensic science In some cases, data digitalizing represents the only way of information archiving
E N D
Comparison of open source and commercial software inforensic informatics
Trends in forensic informatics • One of the most dynamically improving branches of forensic science • In some cases, data digitalizing represents the only way of information archiving • Digitalizing and computerizing interlopes progressively in all of the advanced countries in the world • Positive effects • Negative effects: • misuse of a computer to commit a crime • use computer directly, where digital data are the primary object of an assault • Promptly respond to the fact, that it’s necessary to perform quick, certain and specific digital data analysis
The main principles of digital data analysis • A possibility to apply standard scientific procedures • The main goal of digital forensic analysis consists of confirmation or confutation of appointed conjecture • A necessity of the whole process automation • Process of analysis consists of: • data acquisition and preparation • data accessing and sorting • data analysis • documenting of information and results • information and results presentation to competent authority in form of easy understanding
Available software tools Primary software tools applicable to digital forensics: • tools not especially developed for digital forensic investigation • tools directly dedicated to digital forensic investigation: • commercial tools (EnCase, Forensic ToolKit) • shareware, freeware, open source tools (SleuthKit/Autopsy) • special licensed tools (e.g. only for legislative investigations – ILook)
Tools directly dedicated to digital forensic investigation EnCase • commercial product • most commonly used • expensive • own scripting language • WIN32 platform
Tools directly dedicated to digital forensic investigation Forensic ToolKit • commercial product • designated rather for routine operations • fair price • without possibility of own scripts addition • WIN32 platform
Tools directly dedicated to digital forensic investigation ILook • special licensed product • free for legislative investigations • designated for routine and exact operations • own scripting language • plenty of existing scripts • analysis report generation in Slovak language • WIN32 platform
Tools directly dedicated to digital forensic investigation Sluethkit/Autopsy • Sleuthkit – set of tools for allocated and unallocated data space documenting • Autopsy – graphical interface of the tool • open source license • platforms: UNIX, LINUX, WIN32(CYGWIN)… • low control comfort • relative possibility of results verifying
Validation options of obtained results • Process of result correctness contains basically following tests: • test of false positives • test of false negatives • Process of result verification: • open source tools have a possibility to check source code on the part of end user • commercial software tools are supplied in form of the black box of which results could be verifying by the circular test
Validation options of obtained results Circular test procedure consists of several steps: • creation of file, which content is generated by exactly defined symbols (e.g. hexadecimal code “FF”) • file system association, formatting • creation of data content as well as on the standard data medium (e.g. copying, deleting, etc.) • specification of the questions about what exactly should be performed within the frame of the circular test (e.g. to find all files, to find unallocated disk space, to find all files containing the word “forensic”, etc.) The whole process of data medium creation, which is designated for the circular test, must be documented and after completing given to participants.
Tools requirements Digital forensic analysis tools should meet following basic requirements: • treatability of FAT and NTFS file systems (basically most common used file systems) • ability to recover deleted content • ability to recover lost logical partitions on the data medium • searching for files in unallocated disk space • known files recognition • recognition of unknown or crypted files • automatic file content indexing • analyzed files checksum generation (CRC, MD5, SHA1) • known files exclusion on the basis of the checksum (e.g. operating system files) if the files are not an object of analysis • analysis report generation