A comparison of Digital Forensic Tools
Introduction
Computer forensics is a branch of digital forensic science concerned with retrieving legal evidence found in computers and digital storage media. Its aim is to examine digital media in a forensically sound manner so as to identify, recover, preserve, analyze and present the facts and observations found there. Though it mostly deals with investigating a variety of computer crimes, computer forensics can also be used in civil proceedings. The discipline uses principles and techniques comparable to those of data recovery, but with supplementary practices and guidelines intended to build a legal trail. Programmers have produced a number of computer forensics applications. For many police departments, the choice of tools depends largely on the available expertise and the department's budget. This paper analyzes and compares five of the available computer forensic tools.
Paraben P2 Commander
P2 Commander is a free downloadable computer forensic tool that has been accepted by courts for use by investigators who require reliable, affordable digital analysis for computer investigations. The tool can process large data volumes quickly and efficiently, and is preferred for its higher efficiency in email and chat log analysis. Investigators employing P2 Commander are usually confident that their evidence is defensible, preserved and presentable in well-researched reports. In particular, Paraben focuses on deep analysis of email, internet history, chat logs and many diverse file systems. It supports more of the common industry drive image and forensic image formats. Moreover, the tool supports many file conversion and export features. P2 Commander is founded on more than ten years of digital forensic technology. Specialized data processing engines and product stability give it a particular advantage over the other tools. The specific advantages of this tool include the following.
Specialized Registry Analysis provides capabilities for analyzing the system and registry files. The tool's data triage feature can save a user's precious time by automatically delivering the most valuable data concerning installed software, the system, USB usage and more. The tool's specialized email analysis addresses email systems, which are complex networks holding numerous gigabytes of messages. It can automatically help analyze email, recover what was deleted, and sort and analyze attachments.
Another advantage of this tool over others is its Specialized Internet Analysis system, which has specialized engines for analyzing Firefox, Chrome and Internet Explorer. This makes it easy for investigators to sort all records of internet usage. From web pages to images, cookies, history and more, internet files will not escape P2 Commander. Finally, the tool has a specialized pornography detection system. By employing more than eleven different algorithms that examine elements ranging from body shapes to skin tone while eliminating backgrounds, faces and more, the illegal image detection abilities in P2 Commander can be a huge help and time saver in these cases.
Furthermore, P2 Commander has several significant features that enable it to perform its task. These include task scheduling and multi-threading capabilities that enable it to process more data in less time, an optimized back-end catalog that supports substantial amounts of data, and P2's Forensic Replicator (PFR). Other features are support for RAW disk images and for Virtual HD and Virtual PC disk images.
Oxygen Forensic Suite
Oxygen Forensic Suite is mobile forensic software that goes beyond standard logical analysis of cell phones and PDAs. It uses advanced proprietary protocols that permit it to work on more detailed data than other logical forensic tools. Since the tool uses low-level protocols, specifically for smartphones, it allows the user to export SIM card data and basic information from the smartphone, MMS/email folders, the contact list, deleted messages, and calendar schedules. The tool can also be used to export SMS centre timestamps, text notes, tasks, videos, sounds, photos, voice records, Java applications, Wi-Fi and GPRS activity, the file system from flash card and phone memory, and much more. Oxygen Forensic Suite combines the low cost and simplicity of logical forensic software with extracted information that approaches the comprehensiveness of physical tools. The Device Connection Wizard in this component connects a phone with a number of mouse clicks (Warren et al., 2005).
The Data Extraction Wizard, on the other hand, can download all accessible information from a specific device in just a few minutes. After the download is concluded, one can either select the automatic forensic report function or use the convenient program interface to filter, analyze and search the extracted data. More than 2200 mobile device models are supported by this tool, and the list continues to grow on a daily basis. Further, Oxygen Forensic Suite is capable of extracting data from devices such as iPhone, Nokia, Samsung, Sony Ericsson, Motorola, Blackberry, Siemens, Panasonic, i-Mate, Gigabyte, Vertu, HP, E-Ten, HTC and many others. The current market price for this tool is estimated to be around 799 dollars, which is considered quite expensive in comparison to the other tools that have been evaluated.
Registry Recon
Registry Recon, developed by Arsenal Recon, is a computer forensic tool that allows users to view how Registries have changed over time, from both former and current Microsoft Windows installations. Registry Recon first obtains Registry information from a piece of evidence, establishing whether that information was active, held in volume shadow copies, or deleted. It then rebuilds all the Registries that the extracted information represents. Registry Recon is currently the only tool in digital forensics that can rebuild Registries from either previous or active installations of Windows. The product was named after reconnaissance, a French word for investigation. The Windows Registry is a central component of all contemporary versions of Microsoft Windows. It is a composite ecosystem, in the form of a database, that contains information related to software, hardware, and users, all of which is important to computer forensics practitioners.
Essentially, the Registry has "keys" and "values", which are in some ways similar to folders and files on a computer. The Registry is referenced frequently throughout Windows operations, so Registry data can be found both in volatile memory and on disk. The tool was intended to address two major shortcomings of available computer forensic tools: impeccably recovering enough Registry information from a piece of evidence, and transforming it in a way that enables the user to see how the Registries changed over time (Casey, 2004). The current price for Registry Recon is about 349 dollars.
The Sleuth Kit (TSK)
This is a library and collection of Windows- and Unix-based utilities and tools that facilitate forensic analysis of computer systems. The library was written by Brian Carrier, a renowned digital investigator. The tool is used to carry out investigations and extract data from images of GNU/Linux, Windows and Unix computers. It is generally used in combination with Autopsy, a custom front-end application that provides a user-friendly interface (Mohay, 2003). The Sleuth Kit is used alongside several other tools and components for file extraction. Individuals who wish to acquire this tool will have to incur a cost of approximately 200 dollars, which is the current market price. Moreover, the Sleuth Kit is an open source, free suite and provides a variety of specific command-line utilities. Some of the tools that the Sleuth Kit includes are: blkls, which displays blocks of data within a file system; ils, which lists all metadata entries, such as inodes; and fsstat, which displays statistical information about a storage medium or an image. In addition, the suite contains mactime, which creates a timeline of all files according to their MAC times, and disk_stat (Linux only), which identifies the existence of a Host Protected Area.
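The following added example, which is not part of the original essay or of the Sleuth Kit itself, sketches the kind of MAC-time timeline that mactime produces. It assumes the pipe-delimited TSK 3.x body-file layout as input; the sample records and the function names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records in the assumed TSK 3.x body-file layout:
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
BODY = """\
0|/home/user/report.doc|1201|r/rrw-r--r--|1000|1000|20480|1700000300|1700000100|1700000100|1700000000
0|/tmp/.cache/tool.bin|1377|r/rrwxr-xr-x|0|0|91344|1700000300|1700000200|1700000250|1700000200
0|/etc/passwd|88|r/rrw-r--r--|0|0|1650|1700000300|1690000000|1690000000|0
"""

FLAGS = "macb"  # modified, accessed, changed (metadata), born (created)


def parse_body(text):
    """Yield (name, {flag: epoch}) for each well-formed body-file record."""
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) != 11:
            continue  # skip malformed or truncated records
        atime, mtime, ctime, crtime = (int(x) for x in fields[7:11])
        yield fields[1], {"m": mtime, "a": atime, "c": ctime, "b": crtime}


def timeline(text):
    """Return (UTC time, macb flags, path) rows sorted by time, then path."""
    events = defaultdict(set)
    for name, stamps in parse_body(text):
        for flag, ts in stamps.items():
            if ts > 0:  # a zero timestamp means "not recorded"
                events[(ts, name)].add(flag)
    rows = []
    for ts, name in sorted(events):
        # Timestamps that coincide for one file collapse into one row.
        macb = "".join(c if c in events[(ts, name)] else "." for c in FLAGS)
        when = datetime.fromtimestamp(ts, tz=timezone.utc)
        rows.append((when.strftime("%Y-%m-%d %H:%M:%S"), macb, name))
    return rows


if __name__ == "__main__":
    for row in timeline(BODY):
        print("  ".join(row))
```

Reading the rows in order shows, for instance, that the constructed /tmp/.cache/tool.bin was created and modified in the same second and had its metadata changed shortly afterwards, which is the kind of sequence an examiner looks for in a timeline.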
Computer Online Forensic Evidence Extractor (COFFEE)
This is a tool created by Microsoft to enable computer forensics investigators to extract evidence from a Windows computer. The tool is normally installed on an external disk drive or a USB flash drive. It acts as an automated forensic tool during a live analysis. Microsoft provides COFFEE and online technical support to law enforcement agencies at no cost. This is unlike other tools, which usually come with a price, and sometimes an expensive one. COFFEE was created by Anthony Fung, a former police officer in Hong Kong who presently works as a senior investigator with Microsoft's internet safety enforcement team. Fung developed the device preceding the discussions that he had held at a law enforcement technology conference in 2006.
Currently, nearly 2100 officers in more than 15 countries use the device. A case that Microsoft cited in April 2008 credits COFFEE as having been vital in an investigation in New Zealand into the trafficking of child pornography, producing evidence that led to the arrest of the culprits. In April 2009, Interpol and Microsoft signed an agreement whereby Interpol would serve as the major international distributor of COFFEE. Copies of COFFEE leaked to a number of torrent websites in November 2009. Analysts have pointed out that this tool is used principally as a wrapper around many other utilities that were not available to investigators previously. The tool is activated when it is plugged into a USB port. It has a graphical user interface and 150 tools to assist investigators in data collection. The software is made up of three sections. When using the tool, an investigator first configures COFFEE in advance, selecting the data intended for export. The configuration is then saved to a USB device that is plugged into the target computer. Lastly, the final interface generates information from the collected data.