Computer forensics, also known as cyber forensics, involves the acquisition of legal evidence found on computers and digital storage media. It applies analytical and investigative techniques to the collection and examination of that evidence, and it is commonly used in criminal investigations and civil litigation (Holley, 2000). Several software tools are used for this kind of investigation and analysis of evidence, including EnCase, The Sleuth Kit and the Autopsy Browser. Using a single tool cannot produce substantial evidence for prosecution; at least two of these tools need to be employed so that the information relied on in a criminal case is accurate (Carrier, 2002).
When performing a forensic investigation, there are some features that need to be taken into consideration. These features include:
WinHex Editor - This editor provides access to all the files, clusters, sectors and bytes inside a computer system. Other types of editor that should be present in a forensic tool include a File Editor, a Disk Editor and a RAM Editor. When this type of editor is used, the speed of operation is greatly increased while memory usage is reduced (Carrier, 2006).
Directory Browser - The directory browser should support FAT, NTFS, CDFS and UDF. It is able to list existing and deleted files and directories on a computer system, and it can also aid in copying files off the hard drive. This helps extract information from a computer even when that information was deleted to conceal evidence.
Disk Cloning and Disk Imaging - This involves producing copies of the contents of a disk onto other disks or into image files (Carrier, 2002).
Data Recovery - The forensic tool should be able to recover files by name and by type.
Hard Drive Cleaning - It should be able to remove every trace of files from the computer without leaving any forensic residue behind (Carrier, 2002).
File Slack and File Space Capturing - Whenever a file's size is not evenly divisible by the cluster size, the space that remains in the file's last cluster (the file slack) needs to be captured (Carrier, 2006).
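As an added illustration of why slack and free space have to be captured (example code written for this page, not code from any of the tools discussed), the snippet below computes the slack of a file and carves the slack and free-space regions out of a constructed two-cluster volume in which a shorter file has been written over a deleted record. The cluster size, file contents and "ledger" residue are all constructed values.

```python
CLUSTER_SIZE = 512  # constructed: a small cluster size keeps the example readable


def slack_size(file_size: int, cluster_size: int = CLUSTER_SIZE) -> int:
    """Bytes between the logical end of a file and the end of its last cluster."""
    if file_size == 0:
        return 0  # an empty file owns no cluster, so it has no slack
    return (-file_size) % cluster_size


def allocated_size(file_size: int, cluster_size: int = CLUSTER_SIZE) -> int:
    """Size of the file rounded up to whole clusters."""
    return file_size + slack_size(file_size, cluster_size)


def carve_regions(volume: bytes, file_size: int, cluster_size: int = CLUSTER_SIZE) -> dict:
    """Split a volume into the live file, its slack, and the unallocated (free) clusters."""
    alloc = allocated_size(file_size, cluster_size)
    return {
        "file": volume[:file_size],
        "slack": volume[file_size:alloc],
        "free": volume[alloc:],
    }


def build_sample_volume() -> tuple:
    """Constructed two-cluster volume: an old record was deleted and a shorter file
    written over the same clusters. A normal file read never returns the remainder."""
    old_record = (b"DELETED LEDGER: transfer 4000 to account 112233 " * 30)[: 2 * CLUSTER_SIZE]
    new_file = b"hello world\n" * 30  # 360 bytes: one cluster with 152 bytes of slack
    volume = bytearray(old_record)
    volume[: len(new_file)] = new_file
    return bytes(volume), len(new_file)


if __name__ == "__main__":
    vol, size = build_sample_volume()
    regions = carve_regions(vol, size)
    print(f"slack bytes: {len(regions['slack'])}, free bytes: {len(regions['free'])}")
    print("residue in slack:", regions["slack"][:48])
```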
In our study we carried out a thorough analysis of three tools that are commonly used in forensic analysis: EnCase, FTK, and Autopsy together with The Sleuth Kit (TSK).
EnCase is a computer forensic software product used for the analysis of media. It is usually considered the de facto standard for digital evidence collection in criminal investigations. EnCase includes tools for data acquisition, file recovery, indexing and file parsing. Proper training must be given to the people who will operate the software so that they provide quality results. Data recovered by EnCase has been used as evidence in several cases across the globe (Holley, 2000).
The Forensic Tool Kit (FTK) gives law enforcement and corporate security professionals the ability to perform complete and thorough forensic examinations. It is a tool that integrates the acquisition, encryption, decryption and analysis of digital evidence, and it provides several ways of analyzing that evidence (Gyger, 2006).
Autopsy and The Sleuth Kit (TSK)
This is a freeware tool set that performs analysis on imaged and live systems. The tools do not rely on the operating system to process file systems, which makes it possible to examine file systems in an intrusive manner and allows hidden and deleted content to be shown. Autopsy provides case management, image integrity checking, keyword searching and other forms of automated operation (Gyger, 2006).
These tools have different features and are used differently in the investigation process. After carrying out the investigations, a detailed report was prepared in which I compared the use of EnCase with the use of FTK (Forensic Tool Kit), The Sleuth Kit and the Autopsy Browser (Gyger, 2006).
Comparing FTK, EnCase and Autopsy
FTK, EnCase and Autopsy all use the MD5 hash.
FTK, EnCase and Autopsy all show a hash for each individual file.
FTK, EnCase and Autopsy can all verify the integrity of an image.
FTK, EnCase and Autopsy can all find and identify deleted files clearly.
They can all find encrypted files.
They can all search for strings.
They all include a hex-level viewer.
They all organize files into predetermined categories.
They all show an image gallery.
They all show the number of times a file has been created, accessed or modified.
They all identify and analyze slack and free space.
They can all find overwritten files.
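An added example, not code from any of the three tools, of the image-integrity check that all three perform: the digests recorded at acquisition (MD5 for every tool, SHA-1 for those that support it) are simply recomputed over the image and compared, and the same routine yields the per-file hashes each tool lists. The image bytes below are a constructed stand-in for a disk image.

```python
import hashlib

CHUNK_SIZE = 64 * 1024  # hash in chunks, as a tool must for images larger than memory


def hash_image(image: bytes, chunk_size: int = CHUNK_SIZE) -> dict:
    """Compute MD5 and SHA-1 of an image in a single pass over its bytes."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for offset in range(0, len(image), chunk_size):
        block = image[offset:offset + chunk_size]
        md5.update(block)
        sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify_image(image: bytes, acquisition_hashes: dict) -> dict:
    """Recompute each digest recorded at acquisition and report which ones still match."""
    current = hash_image(image)
    return {alg: current[alg] == recorded for alg, recorded in acquisition_hashes.items()}


def hash_files(files: dict) -> dict:
    """Per-file digests, the kind each tool lists beside individual files."""
    return {name: hash_image(data) for name, data in files.items()}


def build_sample_image() -> bytes:
    """Constructed stand-in for a disk image: four 512-byte sectors of distinct fill."""
    return b"".join(bytes([0x10 * i]) * 512 for i in range(4))


if __name__ == "__main__":
    image = build_sample_image()
    recorded = hash_image(image)  # what the acquisition log would hold
    tampered = image[:-1] + bytes([image[-1] ^ 0x01])  # one bit flipped in the last sector
    print("original:", verify_image(image, recorded))
    print("tampered:", verify_image(tampered, recorded))
```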
Contrasting FTK, EnCase and Autopsy
EnCase requires a greater amount of training time, whereas FTK requires less time for a training session.
Searching with EnCase is quite confusing, whereas with Autopsy and The Sleuth Kit it is easier to perform an extensive search using string conditions.
FTK and Autopsy use the SHA-1 hash, whereas EnCase does not.
Neither EnCase nor Autopsy can identify encrypted files clearly, whereas FTK can identify encrypted files clearly.
EnCase does not provide a log file of investigator activities, whereas both the FTK
Both EnCase and FTK can identify overwritten files, whereas Autopsy can identify overwritten files by file name only.
From the comparisons above and the descriptions of each tool, it is clear that a single tool cannot be very effective on its own. It is therefore necessary to combine at least two tools to get the best results when analyzing data. Using at least two of the above tools produces very good results, and I would recommend doing so in order to maximize the efficiency and functionality of the system (Holley, 2000).
Carrier, Brian. (2002) Open Source Digital Forensic Tools: The Legal Argument. @stake Research Report. ACM Publishers, New York, USA.
Carrier, Brian. (2006) The Sleuth Kit: Tool Details. Addison Wesley Publishers, New York, USA.
Gyger, Alain. (2006) Sleuthkit/Autopsy: An Open Source Forensic Package. ACM Publishers, New York, USA.
Holley, James. (2000) Computer Forensics Market Survey. SC Magazine, Kansas City.