
Tracks Inspector: Putting Digital Investigations in the Hands of Investigators

J. Henseler (1), J. Hofste (2), A. Post (3)

(1) Create-IT Applied Research, Amsterdam University of Applied Sciences, j.henseler@hva.nl
(2) Tracks Inspector, Fox-IT, Delft, The Netherlands, jop.hofste@fox-it.com
(3) Tracks Inspector, Fox-IT, Delft, The Netherlands, post@fox-it.com

Abstract - With the pervasiveness of computers and mobile
devices, digital forensics becomes more important in law
enforcement. Investigators increasingly depend on the scarce
support of digital specialists which impedes efficiency of
criminal investigations. This paper describes the architecture
of Tracks Inspector, a commercially available product for
computer assisted discovery of digital evidence. Tracks
Inspector was designed to put digital investigation in the hands
of non-technical investigators. The design criteria aim to look
for "low hanging fruit" in the evidence without the help of
digital forensic experts. As a result we expect that backlogs
will be reduced and investigators can better explain to the
experts what they are looking for. Experts can then focus on
the challenging work. The architecture of Tracks Inspector is
scalable, robust, secure and supports cases with hundreds of
evidence units giving access to hundreds of users through a
simple web-based user interface.
Keywords— digital forensics, technology assisted review, early
case assessment, cross drive analysis

I. INTRODUCTION

Law enforcement today relies on digital forensics in a greater variety of criminal investigations. With the pervasiveness of computers and mobile devices in society, the occurrences and volume of digital information in cases are exploding. Investigators who are intrinsically involved in collecting and assessing evidence must depend on specialists, unfamiliar with their cases, to process digital information. This impedes and even prevents prosecuting cases since there are too few digital forensics specialists and labs to support caseloads.
Investigators typically investigate the evidence looking for
events and information about persons. This process is
essentially a review task that is similar to electronic reviews in
E-Discovery projects that are described by the EDRM model
[7]. Other research has revealed that technology assisted
review (TAR) can greatly improve the precision and recall of
relevant items [9].
Digital forensic experts acknowledge that automation and artificial intelligence can be a solution to deal with the increasing complexity and volume of digital evidence [5]. Automation is a necessary part of the solution of maintaining consistency, increasing efficiency and optimizing how digital investigators spend their time. But although these new techniques can be helpful, they also have their limitations. Ultimately, a combination of human and computer intelligence will be required.

ISBN: 978-0-9891305-7-8 ©2014 SDIWC
Existing TAR solutions focus on document review with
full-text search and retrieval solutions enhanced with vector-space clustering and predictive coding technologies. However,
these solutions tend to ignore the remaining rich variety of
multi-media files that is found on modern computers as well
as other tracks that are left by users, e.g., visited web sites and
documents recently opened by the user. Such tracks can only
be examined by digital forensics experts with specialist tools.
Inspired by this problem we identify a number of research
questions in the next section. Then, after a short survey of
existing digital forensics tools, we propose Tracks Inspector [10]
(http://www.tracksinspector.com). This is a commercial solution that enables investigators
without a technical background to easily investigate digital
evidence using a web browser. Tracks Inspector brings
simplicity, scalability and collaboration to the handling,
storage, processing, management and reporting of digital
evidence. While not intended to replace laboratory-quality
solutions such as FTK and EnCase, Tracks Inspector provides
a complementary solution to solve more cases and solve them
faster by reducing the workloads on digital specialists to only
the most complex cases.
II. RESEARCH QUESTIONS

Inspired by the problem outlined in the introduction, we would like to design and implement a system which assists in the review of digital evidence in such a way that it:

1. has an intuitive user interface with native language support,
2. supports collaboration in a team of investigators working on the same case,
3. assists in identification of user tracks on a computer, mobile phone or digital storage media,
4. is scalable to meet increasing number of users, number of evidence units and processing speed,
5. enables the investigation to start while a forensic image of the evidence is created, and
6. produces a report in a human digestible format.

III. EXISTING DIGITAL FORENSICS TOOLS

During the past ten years quite a number of digital forensic tools have become available for investigating digital evidence. In this paragraph we will discuss a small selection.

Forensic Toolkit (FTK) from Access Data [6] is a commercially available solution. This software can be used for both forensic acquisition of data as well as the analysis of forensic images. Version 4.x is completely database driven and processing can be distributed over multiple servers. FTK users can start analyzing a case while processing is in progress. FTK is popular with digital forensic experts. Access Data ECA provides a web-based front end to the traditional FTK backend and provides a web-based user interface for early case assessment.

Guidance Software has developed EnCase [4], one of the most well-known software packages in the forensic world. This is a forensic solution which processes and renders a large variety of digital evidence. It is designed for experts and does not have a web-based interface.

XIRAF is a prototype forensic warehouse system developed by the Netherlands Forensic Institute (NFI) [1]. It provides a framework for feature extraction and is accessible through a web-based interface. XIRAF uses an XML database layer upon an Oracle database solution for the storage and XQuery as the query language to retrieve information. The user interface allows users to construct powerful filters but is not intuitive to use for non-technical users. The prototype has been further developed and is now offered as a hosted solution to law enforcement in the Netherlands.

The SANS Investigative Forensic Toolkit is a forensic application which supports a large variety of evidence images and file systems. It is available for download (http://computer-forensics.sans.org/community/downloads) and runs on the Ubuntu operating system. It is not one tool but it includes several (external) software packages to analyze the data. This toolkit is a powerful collection of tools but requires a trained expert to use these tools and to understand their limitations.

The Digital Investigation Framework is an open source solution. It includes a file browser and supports most file systems. Furthermore it reconstructs and analyzes the Windows registry and has an attractive timeline analysis feature that visualizes operations on the computer along a time line [2].

With a few exceptions, processing does not start until a complete forensic image of the evidence is presented.

IV. TRACKS INSPECTOR

Tracks Inspector is a commercial solution developed by Fox-IT. It is an appliance for capturing, processing and browsing through digital evidence and associated meta data. The interface of Tracks Inspector is intuitive with a look and feel that is commonly found on modern internet websites. Unlike the other tools mentioned earlier, Tracks Inspector can capture a forensic image of a hard disk and simultaneously process the evidence on this disk and provide investigators access to extracted data; this is one of its unique features. In this paragraph we describe the global system architecture as well as the supported media and file types.

A. Global system architecture

A schematic overview of the system is depicted in Figure 1. The Tracks Inspector appliance is based on one or more servers running Ubuntu. The framework is custom developed but many components are based on open source programs for mounting file systems, extracting meta data and converting content, but also for storing information in MySQL databases. The system consists of various processes that connect with each other through remote procedure calls (RPC). All data communication is based on serialized protobuf messages via RPC, so that daemons can call other daemons that may exist on remote servers. Daemons can be run on multiple servers and use multi-threading, which results in a scalable architecture. There is virtually no restriction on the number of servers in a Tracks Inspector appliance. Most of the functions in the architecture can be executed on multiple servers. A few functions such as the evidence controller, case host and user host only have one instance. For instance, a system can have one evidence monitor and 100 processing units for fast data processing. For a system with many users, it may be useful to execute multiple front-end hosts etc. This architecture is designed for processing large amounts of evidence data.

Figure 1: Tracks Inspector scalable architecture

The processes depicted in Figure 1 can be described as follows:

The evidence monitor monitors connected evidence units that are directly connected to that host or indirectly connected via a remote evidence host. These can be physical devices like compact discs / DVDs / hard disks / USB sticks and memory cards. The evidence monitor can also monitor a designated input folder in which forensic or raw images of physical devices can be placed, or a folder with logical files.

The evidence host is an optional process that is not required to use Tracks Inspector. The evidence host listens to local input slots and connects the evidence to Tracks Inspector if it is connected and if it can be mounted. The evidence host typically runs on a table top shuttle in a lab environment called physical evidence station and can be used to connect evidence using a standard write blocker.

The evidence controller manages the connected evidence units and assigns analysis tasks to processing units. This information is available in the evidence database, which contains a list of tasks that need to be completed for a particular evidence unit.

The evidence db stores all information about the evidence units. Each evidence unit has its own evidence database which contains all processed and extracted information. The system is scalable because evidence databases can be controlled on different servers by different evidence monitors.

The processing host processes evidence nodes. Processing an evidence node can either mean that a node must be discovered or, for end nodes, that it needs to be analyzed. Node discovery creates a hierarchical tree of sub nodes (e.g. files in a file system, a compressed folder, or messages and attachments in an email archive) which remain to be processed. End node analysis extracts metadata and generates conversion tasks for certain file formats (e.g. video files).

The hashes host process controls hash lists. These lists can be predefined, e.g. the NIST list, or they can be uploaded by an administrator. All files which are hashed by processing are compared with the known hashes in the hashes host. If matches are found, the nodes are tagged with a predefined tag. This can be used for example for default system files or known hashes of illegal materials.

The case host and its associated database manage the cases that are added by the users in the front-end. Case administrators can link evidence units to a specific case. A case typically contains 10 to 100 or even more evidence units.

The user host stores all front-end user information, like the session and the user privileges and roles. User privileges can differ per case.

The session host manages the user session at the front-end. It bridges the gap between the front-end host and the evidence database. The case and user information are cached at the session host to reduce the amount of RPC calls.

The front-end consists of a lightweight web server, Lighttpd (http://www.lighttpd.net/). It is based on the Python web framework Django (https://www.djangoproject.com/). This framework is combined with HTML5 technology and offers an intuitive web interface that works on popular browsers including tablets and smart phones.

B. Supported media

The main purpose of Tracks Inspector is to provide a quick analysis of user data on digital evidence in order to find "low hanging fruit". The system currently processes logical files from four types of input media:

1. Physical devices. The evidence monitor or remote evidence host supports every storage device that is connected to it and that is mountable. All connected USB devices are read and monitored, as well as hard disks coupled through USB, IDE, (e)SATA etc. For example, an optical disc that is inserted in the CD / DVD drive will automatically be processed.

2. Disk images. Forensic EnCase images (http://www.guidancesoftware.com/) as well as raw DD (Unix disk dump) images are supported; these are low-level copies of raw data of physical disks. Types like ISO, DAA or other disk image file formats are also supported, provided that they can be mounted by the Ubuntu operating system that is hosting the evidence monitor process. If mounting fails the image is not processed.

3. Logical folders. The third input evidence type is a folder which can contain logical files and subfolders. This folder should be accessible to the evidence monitor as a local folder or as a folder that is mounted from a remote file server.

4. Third party data. Tracks Inspector can also accept digital evidence that has been exported (typically in an XML format) from supported third party applications. Currently exports from the two market leaders in mobile phone forensics are supported. The first one is UFED, developed by Cellebrite (http://www.cellebrite.com/). The second one is XRY, developed by MicroSystemation (http://www.msab.com/xry/what-is-xry). With this type of input mobile phones can be added to cases as evidence units.

Once a device, (forensic) image file, logical folder or third party data has been detected, it becomes an evidence unit in the system. A case administrator should assign this evidence unit to a case and start processing. Processing always commences with node discovery, in which the complete folder tree of the evidence unit in the logical file system is recursively traversed. When a known operating system is detected, additional features (e.g. user activity, list of installed software) are extracted and processing starts with analyzing data in user folders before analyzing other (system) folders. After this tree is completed, general information about the operating system (if present), user accounts and/or third party XML is parsed and added to the evidence unit database. Then file processing starts.

C. Supported file types

Currently, Tracks Inspector has support for most popular file types (cf. Table 1). The list of supported file types is continuously being extended and Tracks Inspector relies on open source tools for extracting full-text and metadata as well as for conversion. File extensions can be misleading and therefore Tracks Inspector detects file type not by extension but by analyzing the file signature. This is done using the file magic command in Linux, which is augmented with custom rules to enhance the detection of certain complex MIME types.

Table 1: Tracks Inspector supported file types

Audio: AAC, M4A, M4B, M4P, M4R, MKA, MP3, WAV, WAVE, WMA
Compressed / Archive Files: EAR, GZ, JAR, RAR, REV, WAR, XPI, ZIP
E-mail message: EML, MHT, MSG, OST, PST
Spreadsheet: ODS, XLS, XLST, XLT, XLTX
Document: DOC, DOCM, DOCX, DOT, DOTM, DOTX, ODT, OTT, PDF, RTF, WP, WPD, WPn, WRI
Presentation: POT, POTX, PPS, PPSX, PPT, PPTM, PPTX
Picture: BMP, DIB, GIF, ICON, JFI, JFIF, JIF, JPE, JPEG, JPG, PGA, PNG, SVG, TIF, TIFF, XGA
Video: 3G2, 3GP, ASF, AVI, F4A, F4B, F4P, F4V, FLV, M4V, MK3D, MKS, MKV, MOV, MP4, MPE, MPEG, MPG, QT, SWF, WM, WMV
Misc: IE History file, Chrome / FF History files (SQLite), Windows Registry files, Digital Business card (VCF, VCARD)

Documents. Most common Microsoft / Open Office document types for word processing, spreadsheets and presentations are supported, and meta data, e.g. the author field, is extracted.
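The processing steps described in Section IV, as an added example that is not Tracks Inspector's own code: node discovery that descends into archives as if they were folders (archives in archives included), file type detection by signature rather than extension with a custom rule for ZIP-based Office containers, hashing of end nodes against a known-hash list, and detection of password-protected archive entries (the padlock case). The signature table, the Node structure, the evidence files and the hash list are all constructed for this example; a real deployment would use the full magic rule set and a NIST-style list.

```python
import hashlib
import io
import zipfile
from dataclasses import dataclass, field

# Signature table: an assumed subset of the magic rules the page refers to.
SIGNATURES = [(b"%PDF-", "pdf"), (b"\x89PNG\r\n\x1a\n", "png"), (b"\xff\xd8\xff", "jpeg"),
              (b"SQLite format 3\x00", "sqlite"), (b"PK\x03\x04", "zip")]

def detect_type(data: bytes) -> str:
    """Classify by leading bytes, never by extension; ZIP gets a custom rule."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return _refine_zip(data) if kind == "zip" else kind
    return "unknown"

def _refine_zip(data: bytes) -> str:
    """Custom rule: OOXML documents are ZIP containers with tell-tale members."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return "unknown"
    if "[Content_Types].xml" in names:
        for prefix, kind in (("word/", "docx"), ("xl/", "xlsx"), ("ppt/", "pptx")):
            if any(n.startswith(prefix) for n in names):
                return kind
    return "zip"

@dataclass
class Node:
    path: str
    kind: str
    sha1: str = ""
    tags: list = field(default_factory=list)
    encrypted: bool = False
    children: list = field(default_factory=list)

def discover(path: str, data: bytes, known_hashes: dict) -> Node:
    """Node discovery: an archive becomes a sub-tree (archives in archives included);
    an end node is hashed and tagged when its hash is on a known-hash list."""
    node = Node(path, detect_type(data))
    if node.kind != "zip":
        node.sha1 = hashlib.sha1(data).hexdigest()
        if node.sha1 in known_hashes:
            node.tags.append(known_hashes[node.sha1])
        return node
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            child = f"{path}/{info.filename}"
            if info.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
                node.encrypted = True  # the dashboard's padlock case
                node.children.append(Node(child, "encrypted", encrypted=True))
            else:
                node.children.append(discover(child, zf.read(info), known_hashes))
    return node

def make_zip(members: dict, encrypted: bool = False) -> bytes:
    """Build a constructed test archive; 'encrypted' sets flag bit 0 in every
    local (offset 6) and central-directory (offset 8) header to mimic encryption."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    if encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            while pos != -1:
                data[pos + off] |= 0x1
                pos = data.find(sig, pos + 4)
    return bytes(data)

# Constructed evidence unit: a "report.pdf" that is really a DOCX, an archive holding
# another archive, and an archive with encrypted entries. One known hash stands in
# for a NIST-style list entry so the matching file gets tagged.
SYSTEM_FILE = b"\x89PNG\r\n\x1a\nconstructed-system-image"
KNOWN_HASHES = {hashlib.sha1(SYSTEM_FILE).hexdigest(): "known-system-file"}
EVIDENCE = {
    "report.pdf": make_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w/>"}),
    "backup.zip": make_zip({"inner.zip": make_zip({"logo.png": SYSTEM_FILE}),
                            "notes.txt": b"plain text"}),
    "private.zip": make_zip({"secret.txt": b"x"}, encrypted=True),
}
```

Calling discover("unit-01/" + name, data, KNOWN_HASHES) for each item of EVIDENCE yields the node tree a processing host would hand to end node analysis.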

E-mail archives. A variety of email archive formats is supported, for example Microsoft Office Outlook PST/OST, MBOX and Thunderbird. Lotus Notes NSF email is currently not supported and needs to be converted prior to presenting it to Tracks Inspector. In addition to these email archive formats, single email file formats such as MSG and EML are also supported.

Internet history. The Internet history of the most modern browsers is recognized and analyzed. For Internet Explorer [12] the data is extracted per day, per week and overall. This data is extracted from the history files, which are stored on a disk. This information is stored separately for each user account that was encountered on the evidence. Similar information is extracted from other browsers like Google Chrome and Mozilla Firefox. With this information a detailed time line can be generated to give an overview of the browsing behavior of users.

Images, Video and Audio files. Most well-known MIME types for image formats are supported. The EXIF (meta data) information is extracted as well to give some side information about the image. Most popular video and audio types are also supported, including typical mobile phone formats.

Data archives. Tracks Inspector processes (compressed) data archives as if they are folders. The archives are extracted and the contents of the archive are analyzed as a folder with subfolders. Multi-part archives are also supported, as well as archives in archives and archives in email attachments. The archives are scanned for password protection and cryptography usage.

V. USING TRACKS INSPECTOR

Tracks Inspector processes evidence units that have been identified by the system and that have been assigned to a case by a case administrator. This process has already been outlined in the previous paragraph. During file processing, general file metadata (e.g. filename, folder path, date created, modified, last accessed) and specific file metadata (e.g. Office document author, photo EXIF data, video duration, email header fields) as well as full-text content for supported file types is extracted and stored in the evidence unit database. This data becomes immediately searchable using the standard MySQL full-text indexing capability. In addition to this extraction, files are also converted to an HTML5 compatible format so that they can be viewed by investigators in their web browser. This eliminates the need for downloading native files and installing custom 3rd party software on desktop computers, increases ease of use and reduces the risk of accidentally leaving confidential data on computers used by investigators.

As soon as evidence is being processed, Tracks Inspector presents various dashboards to monitor progress and to start with the analysis. Figure 2 illustrates the evidence dashboard that is presented to a user when accessing a case. The evidence units are represented by rectangular shapes which show evidence name, a short description and the number of objects discovered per category. This particular example shows 12 evidence units. The first one is an iPhone, the second one a MacBook, etc. The second evidence unit has a padlock icon because Tracks Inspector detected encrypted data in the file system during processing.

Figure 2: Tracks Inspector dashboard

Other dashboards in Tracks Inspector reveal particular details about certain media, e.g. user accounts, a list of user accounts with user login times, a list of installed programs or the type of operating system. Particularly interesting dashboards are the Case Wide Search, Case Identities and Case Analysis dashboards. The Case Wide Search dashboard allows users to search for keywords across all evidence units in the case. The Case Identities dashboard displays identities that have been extracted from document authors, common user security identifiers (SID), emails in archives etc. The Case Analysis dashboard provides a cross evidence-unit analysis of identities, semi-automatic merging and alias detection, which are presented as a table formatted heat map. A summary of this dashboard and underlying algorithms is described in [11]. These three dashboards assist an investigator in discovering interesting identities, which in turn may help with the prioritization of the evidence unit analysis.

VI. RESULTS AND CONCLUSIONS

At the beginning of 2012 a series of workshops was organized to measure Tracks Inspector usability using the System Usability Scale [3]. In total 36 non-technical investigators from Dutch law enforcement and other government investigation organizations were interviewed after they experienced Tracks Inspector in a half day workshop. The system scored 88.1 out of 100 points on the System Usability Scale, which suggests that Tracks Inspector is an easy to use application.

After these workshops Tracks Inspector has been tested by a team of five non-technical investigators of Dutch law enforcement. The investigation was related to a human trafficking case. A total of 49 evidence units had been seized, amounting to a total of 2 Tb. The investigators were trained in using the system and in identifying its limitations and exceptions. While loading the evidence, the five investigators were able to analyze all evidence units concurrently in two weeks' time without any specific training. Not only did they find relevant material to support the allegation, they also found evidence for an additional criminal complaint. The public prosecutor on the case felt comfortable with the standard report that was produced based on all files that had been tagged as relevant by the investigators. This report has been added to the case binder. The office of the public prosecutor also felt comfortable with the system because investigators could eliminate privileged material using the mark-as-privileged function in the interface. This test was positively concluded, not only by the investigators but also by the public prosecutor.

At the end of 2012 a multi-server Tracks Inspector system was tested in a national Dutch pilot project with a 100 user license. The multi-server system consists of 5 servers with a total of 40 Tb of storage. The system is connected to the wide area network, which has well over 100 users in the region. The largest case currently on the system consists of 80 evidence units. The scalability goals in terms of number of users and processing speed of evidence units are considered satisfactory and the 100 user license was procured early in 2013.

Since mid 2013 a stand-alone server solution is in use by the Police in De Pinte, Belgium and another one by the Police in St. Maarten. Both customers lack the support of digital forensic experts and were suffering from backlogs up to 6 months and in some cases even longer. A Tracks Inspector base system consisting of a single server with dual hex-core, 96 Gb RAM memory and 10 Tb storage (6 x 2 Tb SATA 7.200 rpm disks in RAID5 mode) was installed in their office. In both cases an ICT administrator was trained in maintaining the server and in using the physical evidence system for copying and processing digital media. Tracks Inspector enabled investigators to reduce the existing case backlog in a matter of weeks, and investigators were able to solve simple investigations in days that would normally take months because of lacking support from digital forensics teams.

Although these results are not based on scientific experiments, we at least have practical evidence which indicates that Tracks Inspector is a user friendly application that enables non-technical investigators to analyze digital evidence. The standard report produced by the system is considered readable. We have demonstrated that the base system can be scaled easily to a multi-server system to increase processing speed and to handle 20-30 concurrent users.

VII. FUTURE WORK

Future work on Tracks Inspector will focus on identifying more tracks that are left by users on a computer and on automated analysis based on evidence unit correlation to assist users in intelligent review and prioritization of evidence units. The concept of evidence correlation in digital forensics is not new. Garfinkel [8] has proposed a method to find similarities among evidence units using cross-drive analysis based on forensic feature extraction. An important difference with the approach followed here is that Garfinkel extracts features from raw disk data without considering the logical structure of the data on a disk. The advantage of this approach is that feature extraction is robust and is not complicated by file system, operating system or file format interpretation. However, the drawback of this approach is that it does not make use of valuable contextual information and that it will have to analyze all disk sectors even if they are not allocated to logical files. Although this type of feature extraction can be considered useful, it is not useful when it is intended to assist a user who has to understand the context from which certain features have been extracted.

Feature extraction from evidence units is essential for meaningful correlation and will be an ongoing task. Version 1.4 already has built-in support for identity extraction. We plan on including more sources for extracting identities, e.g. from cookies and selected registry keys. Other features will also be considered, such as registration of USB devices, WiFi networks, mobile phone data etc. Future work will also focus on internet usage and attempt to identify which features, in addition to internet history URLs, are of additional value to non-technical investigators. Lastly, we intend to include other visualization methods (inspired by existing research) such as plotting events on a timeline and plotting GPS coordinates on a map, multi-media analysis etc.

REFERENCES

[1] Alink, W., Bhoedjang, R., Boncz, P., de Vries, A., 2006. XIRAF: XML-based indexing and querying for digital forensics. Digital Investigation 3, 50–58.
[2] ArxSys. Open source digital investigation framework. http://www.digital-forensic.org/. Last visited February 2013.
[3] Brooke, J., 1996. "SUS: a "quick and dirty" usability scale". In P. W. Jordan, B. Thomas, B. A. Weerdmeester, I. L. McClelland (eds.), Usability Evaluation in Industry. London: Taylor and Francis.
[4] Bunting, S., 2012. EnCase computer forensics: the official EnCE: EnCase certified examiner study guide. Sybex.
[5] Casey, E. Automation and artificial intelligence in digital forensics.
[6] Access Data. Forensic toolkit 4 whitepaper. http://accessdata.com/downloads/media/FTK DataSheet web.pdf. Last visited February 2013.
[7] Doe, G. The e-discovery reference model (EDRM): the review stage. 11–16.
[8] Garfinkel, S., 2006. Forensic feature extraction and cross-drive analysis. Digital Investigation 3, 71–81.
[9] Grossman, M., Cormack, G., 2011. Technology-assisted review in e-discovery can be more effective and more efficient than exhaustive manual review. Rich. JL & Tech. 17.
[10] Henseler, J., Hofste, J., 2012. Swiping through digital evidence. EAFS2012 abstract, published in http://www.eafs2012.eu/sites/default/files/files/abstract book eafs2012.pdf.
[11] Henseler, J., Hofste, J., van Keulen, M., 2012. Computer assisted extraction, merging and correlation of identities. EAFS2012 abstract, published in http://www.eafs2012.eu/sites/default/files/files/abstract book eafs2012.pdf. Submitted to the ICAIL 2013.
[12] Wilson, C. NetAnalysis forensic internet history analysis.