
A comparison of Digital Forensic Tools

Updated on January 29, 2015

Computer forensics is a division of digital forensic science that involves retrieving legal evidence found in computers and digital storage media. The aim of computer forensics is to examine digital media in a forensically sound manner so as to identify, recover, preserve, analyze and present the observations and facts that can be found on digital media. Though it mostly deals with investigating a variety of computer crimes, computer forensics can also be used in civil proceedings. The discipline involves principles and techniques comparable to those of data recovery, but with supplementary practices and guidelines intended to build a legal trail. In essence, programmers have produced a number of computer forensics applications. For many police departments, for instance, the choice of tools depends largely on the available expertise and the department’s budget. This paper analyzes and compares five of the available computer forensic tools.

Paraben P2 Commander

P2 Commander is a free downloadable computer forensic option that is proven in court and used by investigators who require reliable, affordable digital analysis for computer investigations. The tool can process large data volumes quickly and efficiently, and is preferred for its efficient analysis of email and chat logs. Investigators employing P2 Commander are usually confident that their evidence is defensible, preserved and presentable in well-researched reports. In particular, Paraben focuses on deep analysis of email, internet history, chat logs and many diverse file systems. It supports more of the industry's common drive image and forensic image formats. Moreover, the tool supports many file conversion and export features. P2 Commander is founded on more than ten years of digital forensic technology. Specialized data-processing engines and product stability give it a particular advantage over the other tools (Geiger, 2005). The specific advantages of this tool include the following.

Specialized registry analysis provides capabilities for analyzing the system and registry files. The tool’s data triage feature can save a user’s precious time by automatically delivering the most valuable data concerning installed software, the system, USB usage and much more. An email system is a complex network that can hold many gigabytes of messages. The tool’s specialized email engines can automatically help one analyze email, recover what was deleted, and sort and analyze attachments.

Another advantage of this tool over others is its specialized internet analysis system, which has dedicated engines for analyzing Firefox, Chrome and Internet Explorer. This makes it easy for investigators to sort through all internet usage activity. From web pages, to images, to cookies, to history and more, internet files will not escape P2 Commander. Finally, this tool has a specialized pornographic detection system. By employing more than eleven different algorithms that evaluate elements ranging from body shapes to skin tone, while eliminating backgrounds, faces and more, the illegal image detection abilities in P2 Commander can be a huge help and time saver in these cases.

Furthermore, P2 Commander has various significant features that enable it to perform its task. These include task scheduling and multi-threading capabilities that enable it to process more data in less time, a back-end optimized catalog that supports substantial amounts of data, and P2's Forensic Replicator (PFR). Other features are RAW disk images and Virtual HD Virtual PC disk images.

Oxygen Forensic Suite

Oxygen Forensic Suite is mobile forensic software that goes beyond standard logical analysis of cell phones and PDAs. It has more advanced proprietary protocols that permit it to work on more detailed data than other logical forensic tools. Since the tool uses low-level protocols, specifically for smartphones, it allows the user to export SIM card data and basic information from the smartphone, MMS/email folders, the contact list, deleted messages, and calendar schedules. The tool can also be used to export SMS centre timestamps, text notes, tasks, videos, sounds, photos, voice records, Java applications, Wi-Fi and GPRS activity, the file system from the flash card and phone memory, and much more. Oxygen Forensic Suite combines the low cost and simplicity of logical forensic software with extracted information that approaches the comprehensiveness of physical tools. The Device connection wizard in this component connects a phone in a few mouse clicks (Warren et al., 2005).

The Data extraction wizard, on the other hand, can download all accessible information from a specific device in just a few minutes. After the download is concluded, one can either select the automatic forensic report function or use the convenient program interface to filter, analyze and search the extracted data. More than 2200 mobile device models are supported by this tool, and the list continues to grow on a daily basis. Further, Oxygen Forensic Suite is capable of extracting data from such devices as iPhone, Nokia, Samsung, Sony Ericsson, Motorola, Blackberry, Siemens, Panasonic, i-Mate, Gigabyte, Vertu, HP, E-Ten, HTC and many others. The current market price for this tool is estimated to be around 799 dollars, which is considered quite expensive in comparison to the other tools that have been evaluated (Geiger, 2005).

Registry Recon

Registry Recon, developed by Arsenal Recon, is a computer forensic tool that allows users to view how registries have changed over time, from both former and current installations of Microsoft Windows. Registry Recon first obtains Registry information from a piece of evidence, establishing whether that information was active, stored in volume shadow copies, or deleted. It then rebuilds all the registries that the extracted information represents. In essence, Registry Recon is currently the only tool in digital forensics that can rebuild registries from either previous or active installations of Windows. The product was named after reconnaissance, a French word for investigation. The Windows Registry is a central component of all contemporary versions of Microsoft Windows. It is a complex ecosystem, in the form of a database, that contains information related to software, hardware and users, which is important for computer forensics practitioners.

Essentially, the Registry has “keys” and “values”, which are in some ways similar to folders and files on a computer. The Registry is referenced so frequently throughout Windows operation that Registry data can be found both on disk and in volatile memory. In essence, this tool was intended to address two major shortcomings of available computer forensic tools: recovering enough Registry information from a piece of evidence, and transforming it in a way that enables the user to see how the Registries changed over time (Casey, 2004). The current price for Registry Recon is about 349 dollars.

The Sleuth Kit (TSK)

This is a library and collection of Windows- and Unix-based utilities and tools that facilitates forensic analysis of computer systems. The library was written by Brian Carrier, a renowned digital investigator. Essentially, the tool is used to carry out investigations and extract data from images of GNU/Linux, Windows and Unix computers. It is generally used in combination with Autopsy, a custom front-end application that provides a user-friendly interface (Mohay, 2003). The Sleuth Kit is used alongside several other tools and components for file extraction. Individuals who wish to acquire this tool will have to incur a cost of approximately 200 dollars, which is the current market price. Moreover, the Sleuth Kit is an open source, free suite and provides a variety of specific command-line utilities. Some of the tools in the Sleuth Kit are: blkls, which displays blocks of data within a file system; ils, which lists all metadata entries, such as inodes; and fsstat, which displays statistical information about a storage medium or an image. In addition, the kit contains mactime, which creates a timeline of all files according to their MAC times, and disk_stat (Linux only), which identifies the existence of a Host Protected Area.
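To show what a MAC-time timeline of the kind mactime produces looks like, here is an added Python sketch (not Sleuth Kit code and not from the original article) that reads records in the TSK 3.x "body file" layout and merges them into time-ordered rows with an `macb` activity column. The sample records and the function names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample in the TSK 3.x body-file layout (not real case data):
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
BODY = """\
0|/home/user/notes.txt|1301|r/rrw-r--r--|1000|1000|512|1420070400|1420070400|1420070400|1420070400
0|/home/user/report|v2.doc|1302|r/rrw-r--r--|1000|1000|20480|1420156800|1420113600|1420113600|1420070400
0|/tmp/.cache (deleted)|1410|r/rrw-------|0|0|64|0|1420200000|1420200000|0
"""

# Letter shown in the "macb" column -> index into [atime, mtime, ctime, crtime]
FLAGS = (("m", 1), ("a", 0), ("c", 2), ("b", 3))


def parse_body_line(line):
    """Split one record; the file name may itself contain '|'."""
    _md5, rest = line.split("|", 1)
    # Peel the nine fixed fields off the right so a '|' in the name survives.
    name, inode, _mode, _uid, _gid, size, *times = rest.rsplit("|", 9)
    return name, inode, int(size), [int(t) for t in times]


def build_timeline(body_text):
    """Return (utc_time, macb, size, inode, name) rows sorted by time."""
    rows = defaultdict(lambda: ["."] * 4)
    for line in body_text.splitlines():
        if not line.strip():
            continue
        name, inode, size, times = parse_body_line(line)
        for pos, (flag, idx) in enumerate(FLAGS):
            if times[idx] > 0:  # 0 means no such timestamp was recorded
                rows[(times[idx], name, inode, size)][pos] = flag
    timeline = []
    for (ts, name, inode, size), flags in sorted(rows.items()):
        stamp = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        timeline.append((stamp, "".join(flags), size, inode, name))
    return timeline


if __name__ == "__main__":
    for row in build_timeline(BODY):
        print("{}  {}  {:>6}  {:>10}  {}".format(*row))
```

Timestamps that coincide for one file collapse into a single row, which is why a freshly created, untouched file appears once with all four letters set.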

Computer Online Forensic Evidence Extractor (COFFEE)

This is a tool created by Microsoft to enable computer forensics investigators to extract evidence from a Windows computer. The tool is normally installed on an external disk drive or a USB flash drive. It acts as an automated forensic tool during a live analysis. Microsoft provides COFFEE and other online technical support to law enforcement agencies at no cost. This is unlike other tools, which usually come with a price, and sometimes an expensive one. Anthony Fung, a former police officer in Hong Kong who presently works with Microsoft’s internet safety enforcement team as a senior investigator, created COFFEE. Fung developed the device preceding the discussions that he had held at a law enforcement technology conference in 2006.

Currently nearly 2100 officers in more than 15 countries use the device. A case that Microsoft cited in April 2008 credits COFFEE with being vital to an investigation in New Zealand into trafficking of child pornography, yielding evidence that led to the arrest of the culprits. In April 2009, Interpol and Microsoft signed an agreement whereby Interpol would serve as the major international distributor of COFFEE. Copies of COFFEE leaked to a number of torrent websites in November 2009. Analysts have pointed out that this tool is used principally as a wrapper around many other utilities that were not available to investigators previously. Further, the tool is activated when it is plugged into a USB port. It has a graphical user interface and 150 tools to assist investigators in data collection. The software is made up of three sections. When using this tool, an investigator first has to configure COFFEE in advance, selecting the intended data for export. This configuration is then saved to a USB device to be plugged into the target computer. Lastly, the final interface generates information from the collected data (Bhoedjang, 2012).

