Comparison of open source and commercial software in forensic informatics
Dušan Mikulaj, Marek Laššák, Institute of Forensic Science, Slovakia – Bratislava
Trends in forensic informatics
- One of the most dynamically improving branches of forensic science
- In some cases, digitalizing data is the only way of archiving information
- Digitalization and computerization are progressively penetrating all advanced countries of the world
- Positive effects
- Negative effects:
  - misuse of a computer to commit a crime
  - direct use of a computer where digital data are the primary object of an assault
- Prompt response to the fact that it is necessary to perform quick, certain and specific digital data analysis
The main principles of digital data analysis
- A possibility to apply standard scientific procedures
- The main goal of digital forensic analysis is to confirm or refute a stated hypothesis
- A necessity to automate the whole process
- The process of analysis consists of:
  - data acquisition and preparation
  - data accessing and sorting
  - data analysis
  - documenting of information and results
  - presentation of information and results to the competent authority in an easily understandable form
Available software tools
Primary software tools applicable to digital forensics:
- tools not especially developed for digital forensic investigation
- tools directly dedicated to digital forensic investigation:
  - commercial tools (EnCase, Forensic ToolKit)
  - shareware, freeware, open source tools (SleuthKit/Autopsy)
  - special licensed tools (e.g. only for legislative investigations – ILook)
Tools directly dedicated to digital forensic investigation: EnCase
- commercial product
- most commonly used
- expensive
- own scripting language
- WIN32 platform
Tools directly dedicated to digital forensic investigation: Forensic ToolKit
- commercial product
- designated rather for routine operations
- fair price
- no possibility to add own scripts
- WIN32 platform
Tools directly dedicated to digital forensic investigation: ILook
- special licensed product, free for legislative investigations
- designated for routine and exact operations
- own scripting language
- plenty of existing scripts
- analysis report generation in Slovak language
- WIN32 platform
Tools directly dedicated to digital forensic investigation: SleuthKit/Autopsy
- SleuthKit – set of tools for documenting allocated and unallocated data space
- Autopsy – graphical interface for the toolkit
- open source license
- platforms: UNIX, LINUX, WIN32 (CYGWIN)…
- low control comfort
- relative possibility of verifying results
Validation options of obtained results
- Checking result correctness basically consists of the following tests:
  - test of false positives
  - test of false negatives
- Process of result verification:
  - open source tools: the end user has the possibility to check the source code
  - commercial software tools are supplied as a black box whose results can be verified by a circular test
Validation options of obtained results
The circular test procedure consists of several steps:
- creation of a file whose content is generated from exactly defined symbols (e.g. hexadecimal code “FF”)
- file system association, formatting
- creation of data content as on a standard data medium (e.g. copying, deleting, etc.)
- specification of the questions about what exactly should be performed within the frame of the circular test (e.g. to find all files, to find unallocated disk space, to find all files containing the word “forensic”, etc.)
The whole process of creating the data medium designated for the circular test must be documented and, after completion, given to the participants.
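A miniature circular test, added here as an example and not part of the presentation: a reference medium is generated from a documented layout (image pre-filled with 0xFF, files at known offsets, one of them deleted), so the expected answer to the question "find every occurrence of the word forensic" is known in advance and a tool's output can be scored for false positives and false negatives. The layout format, file names and the two simulated search tools are constructed stand-ins, not a real file system or a real product.

```python
# Added example, not from the presentation. A documented reference medium is
# built so the answer key for the circular-test questions is known up front;
# a tool's findings are then scored for false positives and false negatives.
# The layout is a simplified, constructed stand-in, not a real FAT/NTFS image.

IMAGE_SIZE = 4096
FILL_BYTE = 0xFF          # the slides' "exactly defined symbol", hex FF
KEYWORD = b"forensic"

# Documented layout of the constructed medium: (name, offset, content, deleted?)
LAYOUT = [
    ("report.txt", 512, b"forensic analysis of the seized disk", False),
    ("notes.txt", 1024, b"nothing of interest here", False),
    ("draft.txt", 2048, b"forensic draft, later deleted", True),
]

def build_reference_medium():
    """Return (image, answer_key). The answer key holds the allocated ranges and
    every offset at which KEYWORD must be found, in allocated or unallocated space."""
    image = bytearray([FILL_BYTE] * IMAGE_SIZE)
    for _, off, content, _ in LAYOUT:
        image[off:off + len(content)] = content      # deleted file keeps its bytes
    allocated = [(off, off + len(c)) for _, off, c, deleted in LAYOUT if not deleted]
    hits = {off + c.find(KEYWORD) for _, off, c, _ in LAYOUT if KEYWORD in c}
    return bytes(image), {"allocated": allocated, "keyword_hits": hits}

def search_whole_medium(image, word):
    """Reference search: every occurrence of `word` anywhere on the medium."""
    hits, pos = set(), image.find(word)
    while pos != -1:
        hits.add(pos)
        pos = image.find(word, pos + 1)
    return hits

def search_allocated_only(image, word, allocated):
    """Simulated weak tool that ignores unallocated space, so deleted content is missed."""
    return {pos for pos in search_whole_medium(image, word)
            if any(lo <= pos < hi for lo, hi in allocated)}

def score(found, expected):
    """Circular-test scoring of a tool's findings against the documented answer key."""
    return {"false_positives": sorted(found - expected),
            "false_negatives": sorted(expected - found)}

if __name__ == "__main__":
    image, key = build_reference_medium()
    print("whole medium:", score(search_whole_medium(image, KEYWORD), key["keyword_hits"]))
    print("allocated only:", score(search_allocated_only(image, KEYWORD, key["allocated"]),
                                   key["keyword_hits"]))
```

The second run reports the deleted file's hit at offset 2048 as a false negative, which is exactly the kind of gap a circular test is meant to expose.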
Tools requirements
Digital forensic analysis tools should meet the following basic requirements:
- handling of FAT and NTFS file systems (basically the most commonly used file systems)
- ability to recover deleted content
- ability to recover lost logical partitions on the data medium
- searching for files in unallocated disk space
- known files recognition
- recognition of unknown or encrypted files
- automatic file content indexing
- checksum generation for analyzed files (CRC, MD5, SHA1)
- known files exclusion on the basis of the checksum (e.g. operating system files) if the files are not an object of analysis
- analysis report generation
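Two of the requirements above, checksum generation (CRC, MD5, SHA1) and known-file exclusion by checksum, as an added example that is not from the presentation or any of the tools it compares. The sample files and the known-file hash set are constructed inside a temporary directory so the script runs offline; a real hash set would be built from the reference operating-system files the investigator wants to exclude.

```python
# Added example, not from the presentation: per-file CRC32/MD5/SHA1 generation
# and exclusion of known files by SHA1, with constructed sample data.
import hashlib
import os
import tempfile
import zlib

def checksums(path, chunk_size=65536):
    """Return CRC32 (8 hex digits), MD5 and SHA1 of a file, read in chunks."""
    crc, md5, sha1 = 0, hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            crc = zlib.crc32(chunk, crc)
            md5.update(chunk)
            sha1.update(chunk)
    return {"crc32": f"{crc & 0xFFFFFFFF:08x}",
            "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}

def triage(paths, known_sha1):
    """Split files into those still to analyze and those excluded as known (by SHA1).
    Both lists carry (file name, checksums) so the exclusion stays documented."""
    to_analyze, excluded = [], []
    for path in paths:
        sums = checksums(path)
        target = excluded if sums["sha1"] in known_sha1 else to_analyze
        target.append((os.path.basename(path), sums))
    return to_analyze, excluded

def demo():
    """Write three constructed files; only the 'operating system' one is in the known set."""
    samples = {"os_library.dll": b"constructed stand-in for an operating system file",
               "evidence.doc": b"forensic evidence document",
               "photo.jpg": b"\xff\xd8\xff\xe0 constructed, not a real jpeg"}
    with tempfile.TemporaryDirectory() as workdir:
        paths = []
        for name, data in samples.items():
            path = os.path.join(workdir, name)
            with open(path, "wb") as fh:
                fh.write(data)
            paths.append(path)
        # Constructed known-file set: SHA1 of the sample operating system file.
        known = {hashlib.sha1(samples["os_library.dll"]).hexdigest()}
        return triage(paths, known)

if __name__ == "__main__":
    analyze, excluded = demo()
    print("excluded as known:", [name for name, _ in excluded])
    print("to analyze:", [name for name, _ in analyze])
```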
Tools comparison

| Tool/function | EnCase | Forensic ToolKit | SleuthKit/Autopsy | ILook |
|---|---|---|---|---|
| Supported platforms | WIN32 | WIN32 | WIN32 (CYGWIN), LINUX, MAC, SOLARIS, BSD | WIN32 |
| Supported file systems | FAT, NTFS, EXT2/3, HFS, BSD, UFS, AIX, Reiser, PALM | FAT, NTFS, EXT2/3 | NTFS, FAT, FFS, EXT2/3, UFS, BSD | FAT, NTFS, HFS, EXT2/3, SYS5, UDF, Netware |
| License | Commercial | Commercial | Open source | Special license |
| Analysis report generation | Yes | Yes | Yes | Yes |
| Own script support | Yes | No | Yes | Yes |
| Control checksum | Yes | Yes | Yes | Yes |
| Known files exclusion | Yes | Yes | Yes | Yes |
| Graphical interface | Yes | Yes | Not required | Yes |
| File content indexing | Yes | Yes | Yes | Yes |
| Known files recognition | Yes | Yes | Yes | Yes |
| Searching for files in unallocated disk space | Yes | Yes | Yes | Yes |