Security and Forensic Tools
Abstract
Presently, cyber crime has risen to unimaginable levels. This has been fuelled by the fact that the internet has created a dimension with no barriers while at the same time making a limitless number of tools available to cyber criminals. Because of this, computer forensics employs modern tools and methods to extract and analyze data from storage devices obtained from digital crime scenes. This paper serves to expound on some of these forensic tools and to address their similarities and differences.
Cyber security and forensic tools
Introduction
The internet is the mother of all networks, linking millions of computing devices. It has become useful for applications in commerce, communication and information exchange globally, and it has impacted all sectors of our lives. The devolved nature of the internet is its very foundation; interestingly, this very feature has opened networks and devices to a myriad of threats and attacks from malicious cyber criminals.
Cyber crimes involve, but are not limited to, theft or mutilation of intellectual property, fraud, and theft of the trade secrets on which most companies are built. Such information normally confers a competitive advantage on a company; if it is compromised, the company can end up losing millions. In addition, business transactions are presently no longer based exclusively on tangible money because of online trading. Credit card misuse is a type of financial fraud that may arise when a criminal gains access to critical financial information. Cyber obscenity is another common cyber crime; pornographic material is hidden in storage media because criminals know the repercussions of being found in possession of such material.
Computer forensics hardware
Criminals perpetrate these crimes by finding vulnerabilities in the software and operating systems of computers connected to the internet. Once a loophole is found, the criminal can access or store sensitive data on some form of storage media. This can be local, i.e. on removable drives such as zip drives, compact disks or memory sticks, or it can involve hard drives. When such crimes are committed, prosecution is normally an uphill task because the crime scene may involve different cities and unsuspecting third parties (Boyd and Forster: 2004). It is at this point that a forensic specialist is tasked with combing through the digital crime scene, neutrally scrutinizing a variety of digital material involved or presumed to be involved in the crime, and finally producing a report summarizing the contents of the material under investigation.
Like any other science, specialized hardware and software tools are employed during the investigations, and a stringent methodology is adhered to in order to maintain the integrity and credibility of the material involved. The tools used in such an undertaking are designed to serve a single function or a variety of functions. The features offered by a tool are directly linked to its complexity, whether in ease of use, algorithmic or design complexity. Some tools offer incredible functionality but have complicated interfaces, which affects their user friendliness. The cost of any given tool is the ultimate distinguishing factor; some are expensive, whereas others are completely free.
Forensic functionality
Forensic tools offer a variety of functionalities to render their use in investigations credible. Disk imaging and hashing functions are examples of functionalities used in maintaining the integrity of any storage media under investigation. Hashing functions guarantee that the imaged device is identical to the original. Hashing functions have been further developed into the secure hash algorithm known as the MD5 hash function, which is popularly used today.
Comprehensive analysis of forensic software tools
Protecting digital data and devices from corruption or alteration is the first step in a forensic procedure; this is done by keeping them out of the reach of the suspect in question. The capacity to access and analyze data is imperative to the success of an investigation.
The following are some forensic tools used in cyber crime investigations, with their effectiveness highlighted.
1. EnCase
Developed by Guidance Software, this forensic tool was introduced into the forensics sector in the late 1990s. It is capable of disk imaging, data verification and analysis. An outstanding feature is the recovery of data via the scrutiny of unallocated space; it is important to note that such space can contain data critical to an investigation. An investigator employing EnCase first images the storage device under scrutiny. The resultant image is a bit stream image of the device, which the software refers to as an ‘evidence file’. The software then verifies that the image matches the original material by employing the MD5 hash function. The image is mounted by the software so that the storage device in question need not be restored. The software offers a tabulated view of the files obtained from the storage media, including important information such as the last access time, creation time and all modifications done to each file.
2. FTK Imager
This tool was created by Access Data. It helps in viewing and imaging storage devices. Its effectiveness at data recovery depends on when the file was deleted. It can generate MD5 hash values of visible and accessible data. The MD5 hash value is created and given to the investigator as part of the completed operation; this warrants the authenticity of the original data.
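The acquire-then-verify procedure described for EnCase and FTK Imager above, as an added Python illustration (not code from either product): a source is copied sector by sector into an evidence file while its hash is computed on the stream, and the evidence file is later re-hashed and compared with the recorded value. The file names and the `BLOCK_SIZE`/`ALGORITHMS` settings are assumptions; MD5 is used because the page names it, with SHA-256 computed alongside as a second check.

```python
import hashlib
import os
import tempfile

# Added illustration, not EnCase or FTK Imager code. Names are hypothetical.
BLOCK_SIZE = 512                # sector-sized reads: the copy is a bit stream, not a file copy
ALGORITHMS = ("md5", "sha256")  # MD5 as on the page; SHA-256 as a second, stronger check

def stream_hashes(path):
    """Hash a file block by block with every algorithm in ALGORITHMS."""
    hashes = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(BLOCK_SIZE), b""):
            for h in hashes.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashes.items()}

def image_device(source_path, evidence_path):
    """Acquire: copy every block of the source into the evidence file,
    hashing the stream as it is read, and return the acquisition hashes."""
    hashes = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(source_path, "rb") as src, open(evidence_path, "wb") as dst:
        for block in iter(lambda: src.read(BLOCK_SIZE), b""):
            for h in hashes.values():
                h.update(block)
            dst.write(block)
    return {name: h.hexdigest() for name, h in hashes.items()}

def verify_image(evidence_path, acquisition_hashes):
    """Verify: re-hash the evidence file and compare with the hashes recorded
    at acquisition; any mismatch means the image can no longer be trusted."""
    return stream_hashes(evidence_path) == acquisition_hashes

def demo():
    """Constructed sample 'device' (4 sectors), its acquisition, and a tamper check."""
    tmp = tempfile.mkdtemp()
    device = os.path.join(tmp, "device.bin")
    evidence = os.path.join(tmp, "device.img")
    with open(device, "wb") as f:
        f.write(bytes(range(256)) * 8)     # 2048 bytes of deterministic content
    recorded = image_device(device, evidence)
    ok_before = verify_image(evidence, recorded)
    with open(evidence, "r+b") as f:       # flip one byte in sector 1 after acquisition
        f.seek(BLOCK_SIZE)
        f.write(b"X")                      # sector 1 starts with 0x00, so this changes it
    ok_after = verify_image(evidence, recorded)
    return ok_before, ok_after, os.path.getsize(device) == os.path.getsize(evidence)
```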
3. Forensic Tool Kit
This software is also developed by Access Data. It enables the investigator to view all the data on the selected storage device and facilitates instant generation of hash values for files viewed during the investigation. This tool has a very simple user interface, and its most outstanding functionality is hashing. However, it does not support data recovery, which directly limits data analysis.
4. PC Inspector file recovery
This is a free forensic investigation tool with two main purposes: to disclose the contents of the selected storage device and to recover any deleted files from the media. It is a very effective tool for detecting all the data available on a storage device. It associates each file with a condition: files are classified as either good or poor.
The software has a ‘Find lost data’ ability which performs an in-depth sector by sector scan, including the unallocated space on the storage device, revealing any files deemed lost or deleted. The chances of viewing or recovering an unreferenced file are better if the file is in good condition. The software does not guarantee access to every unreferenced file on the storage device.
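The sector by sector scan of unallocated space described above, as an added Python illustration (not PC Inspector's code): a file header found at the start of an unreferenced sector is followed until its footer appears (condition "good") or until an allocated sector or the end of the media cuts it short (condition "poor"). The sector size, the two signature pairs and the constructed 12-sector image are assumptions made for the example.

```python
# Added illustration of a 'find lost data' style scan; not PC Inspector code.
SECTOR = 512
SIGNATURES = {   # header / footer pairs for two common file types
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
}

def scan_unallocated(image, allocated):
    """Walk the image sector by sector. Returns (type, start_sector, condition,
    carved_bytes) for every header found in an unreferenced sector."""
    sectors = len(image) // SECTOR
    hits, s = [], 0
    while s < sectors:
        head_sector = image[s * SECTOR:(s + 1) * SECTOR]
        match = None if s in allocated else next(
            ((t, f) for t, (h, f) in SIGNATURES.items() if head_sector.startswith(h)), None)
        if match is None:
            s += 1
            continue
        ftype, foot = match
        carved, condition, n = bytearray(), "poor", s
        while n < sectors and n not in allocated:      # stop at live (allocated) data
            carved += image[n * SECTOR:(n + 1) * SECTOR]
            # look for the footer in the new sector (and across the boundary before it)
            end = carved.find(foot, max(0, len(carved) - SECTOR - len(foot)))
            if end != -1:
                carved, condition = carved[:end + len(foot)], "good"
                break
            n += 1
        hits.append((ftype, s, condition, bytes(carved)))
        s = n + 1
    return hits

def build_sample_image():
    """Constructed 12-sector image: sectors 0-2 and 7-8 hold live file system
    data; an intact PNG-like file sits in sectors 3-4 and a JPEG-like file
    starting at sector 6 lost its tail when sector 7 was reused."""
    png = SIGNATURES["png"][0] + b"A" * 600 + SIGNATURES["png"][1]     # 616 bytes
    jpeg = SIGNATURES["jpeg"][0] + b"B" * 800 + SIGNATURES["jpeg"][1]  # 805 bytes
    image = bytearray(12 * SECTOR)
    image[3 * SECTOR:3 * SECTOR + len(png)] = png
    image[6 * SECTOR:6 * SECTOR + len(jpeg)] = jpeg
    image[7 * SECTOR:8 * SECTOR] = b"L" * SECTOR       # live file overwrote the JPEG tail
    return bytes(image), {0, 1, 2, 7, 8}
```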
5. The Computer Online Forensic Evidence Extractor (COFEE)
This is a tool developed by Microsoft to enable forensic investigators to obtain evidence from a computer running the Windows operating system. It is installed on an external storage device such as an external disk drive or a USB flash drive and serves as an automated forensic tool during real-time analysis. It was conceived by Anthony Fung, a former officer with the Hong Kong police. It is initialized by plugging the device containing it into a USB port. It has 150 implements together with a graphical user interface to enable investigators to collect data. The investigator then chooses the data to be exported; this is stored on an external device. The software then generates a report from the collected files. It has tools for internet browsing history recovery and password decryption. It also recovers data stored in volatile memory, which is lost if the computer is powered off.
Verdict
The capacity to recover all original system files, including unreferenced files, from a storage device is imperative to an investigation. The above listed forensic tools clearly support this feature; however, data recovery is still a burning issue with these tools. None of them guarantees the recovery of unreferenced files. This is a real limitation for storage devices found a long period after the crime has been committed.
Conclusion
Four forensic security and software tools that can be employed during forensic investigations have been discussed. This was done by analyzing their effectiveness and functionalities within the procedure of forensic investigations. Their shortcomings have been highlighted to enable improvement and informed decision making when choosing a tool. It is imperative that forensic investigators stay steps ahead of cyber criminals by using current forensic tools; this enables them to perform their duties during an investigation reliably.