Computer forensic tool using history and feedback approach

Conference Paper · September 2015

DOI: 10.1109/ICRITO.2015.7359315



Computer Forensic Tool using History and Feedback Approach

Nilakshi Jain
Information Technology Department
Shah and Anchor Kutchhi Engineering College
Mumbai, India
nilakshijain1986@gmail.com

Dr. Dhananjay R Kalbande
Computer Engineering Department
Sardar Patel Institute of Technology
Mumbai, India
k_dhananjay@yahoo.com

Abstract—Digital forensic investigation is a special field of computer forensics in which scientific procedures and tools allow digital evidence to be admissible in a court of law. However, there is no proper guidance or predefined method that is accepted in a court of law for investigation, and existing tools or techniques provide only a partial solution. In this paper the various challenges with current digital forensic tools are identified. The literature studied demonstrates that no complete, comparative and automated tool with a history keeper and feedback approach exists to manage the crucial activities in organizations. The major objective is to implement a digital forensic tool that is based on the digital forensic framework proposed in [3] and is also able to manage all suspicious activity in the organization. The proposed digital forensic tool is an automated report generation tool with a history keeper and feedback facility. Hence this tool can be utilized by any application without regard to the field of crime, and it will work as a source of information for new investigators through the two additional modules mentioned above.

Keywords—digital forensic, computer forensic tool, framework, cyber crime.

I. INTRODUCTION

Digital forensics is a relatively new field in the ocean of the forensic world [1][2]. In recent years a number of digital forensic processes have been proposed that claim to be authentic and reliable processes in a court of law, and many software companies have developed digital forensic tools that implement a few of the proposed processes. In digital forensic investigation many authors have developed tools following their own digital forensic methodology, such as Encase [4][5], and most tools provide only a partial solution to the investigation according to the methodology they follow. Some proposed new components and added them to the existing forensic processes. Many processes that claim to be complete are contested in a court of law, where both the digital evidence and the process are rejected by the court. However, no compared and integrated approach has been established with a feedback and history keeper approach [3].

To overcome this problem we proposed a framework in [3]; this paper is an enhancement of that previous theory, whose main objective is to practically apply the same theory in the development of the proposed tool. The primary objective of the paper is to study the existing top 25 digital forensic tools and determine which phases of the proposed framework these tools can complete. The secondary objective is to develop a tool that completes all phases of the proposed framework [3] with history keeper and feedback support and also fulfils the need for a digital forensic tool in any organization.

II. NEED FOR CURRENT PROPOSED TOOL

A. Common requirements of a Digital Forensic Tool in the organization

Information and communication technology (ICT) has increased the data flow from one organization to another, and this has in turn increased cyber crime. To ensure security, the following points should be covered by any digital forensic tool:

• It provides a proper platform to investigate incidents and frauds.
• The tool should be effective and efficient enough to control unauthorized data flow.
• It should ensure the availability of reliable, good and authentic digital evidence that is admissible in a court of law.
• The tool can also be used for non-investigation purposes, to increase the knowledge of employees and improve their performance.

B. Various Digital Forensic Tools

A number of digital forensic tools/suites are available for investigators to conduct digital forensic investigation. The Sleuth Kit [12], Encase [4][5][6] and FTK [8] are readily accepted digital forensic tools that are emerging to comply with the increased demand for forensic tools. The following digital forensic tools are reviewed:

TABLE 1 DIGITAL FORENSIC TOOLS

Sr. No | Name of Digital Forensic Tool | Source of Software / Website
1 | Encase [4][5][6] | http://www.guidancesoftware.com
2 | FTK [7][8] | http://en.wikipedia.org/wiki/Forensic_Toolkit
3 | SANS SIFT [9] | https://www.sans.org/
4 | PTK [10] | http://en.wikipedia.org/wiki/PTK_Forensics

978-1-4673-7231-2/15/$31.00 ©2015 IEEE


5 | Bulk Extractor [11] | https://github.com/simsong/bulk_extractor
6 | The Sleuth Kit [12] | http://www.sleuthkit.org/sleuthkit/
7 | The Coroner's [13] | http://www.sleuthkit.org/sleuthkit/
8 | DFF [14] | http://www.sleuthkit.org/sleuthkit/
9 | COFEE [15] | http://en.wikipedia.org/wiki/COFEE
10 | ProDiscover Basic [16] | http://www.arcgroupny.com
11 | Volatility [17] | https://www.volatilesystems.com
12 | Linux 'dd' [18] | http://sourceforge.net/projects/dc3dd/
13 | CAINE [19] | http://www.caine-live.net/page5/page5.html
14 | Recuva [20] | http://en.wikipedia.org/wiki/Recuva
15 | HexEditor [21] | http://en.wikipedia.org/wiki/Recuva
16 | DEFT [22] | http://www.deftlinux.net/
17 | Xplico [23] | http://www.xplico.org/
18 | LastActivityView [24] | http://www.nirsoft.net
19 | Mandiant RedLine [25] | https://www.mandiant.com
20 | PlainSight [26] | http://www.plainsight.info/index.html
21 | HxD [27] | http://mh-nexus.de/en/hxd/
22 | HELIX [28] | http://www.e-fense.com/products.php
23 | P2explorer [29] | https://www.paraben.com/p2-explorer.html
24 | AwardKeylogger [30] | http://www.award-soft.com/award-keylogger
25 | USBDeview [31] | http://www.nirsoft.net

C. Mapping of Digital Forensic Tools to Digital Forensic Framework [3]

Table 2 shows the processes of the proposed framework that are supported by the tools discussed. The aim of creating this table is to find out the deficiencies of existing tools. As shown in Table 2, no single tool is able to complete all the processes of the proposed framework [3].

III. PROPOSED DIGITAL FORENSIC TOOL

This section provides a brief overview of the tool developed, which is based on the proposed model [3]. The comparative digital forensic tool shown in Fig. 1 is developed using the comparative Table 2 and addresses all the processes in the proposed model. The technical platform of the tool is NetBeans IDE 7.1.1 and Oracle 10g, and the tool has been tested on a Windows system. The tool is used by two kinds of user: first the user who registers the case, and second the investigator who investigates the case. There are four modules in the tool, which together cover all phases of the proposed framework.

A. Case Registration Module

The normal user registers his case, which is then transferred to the investigator for investigation.

B. Investigator's Module

The investigator is responsible for solving the case and has a combination of all services in the form of tools, such as network inspection, file recovery, hash calculation, disk imaging and many more. This module has all the services a digital forensic tool should have, and it covers all the phases of the proposed framework [3].

C. Automated Report Generation Tool

This module generates an automated report in two different formats: a detailed report for the investigator, to prove the crime and solve the case, and a second report for the user, which contains only the required details. This reduces the investigator's manual report-writing time. Both reports are then always present in the history keeper module.

D. History Keeper Module / Feedback Module

This is one of the main modules of the tool. It is used by the investigator to check for similarities between cases: if the present case shows any similarity to a past case, he can use the same combination of tools/process to solve the present case. This module saves time when investigating similar cases and also works as a guide for new investigators. The investigator can add his feedback on solving a specific problem and record his experience, which serves as literature for other investigators.

Fig 1. Block Diagram of Proposed Digital Forensic Tool

Advantages of the Proposed Digital Forensic Tool:

• The tool provides proper guidance for new users regarding case registration and further processing.
• It covers all the requirements of an organization mentioned in Section II.A above.
• As it works according to the phases of the proposed framework [3], it provides a proper solution in all applications.
• A new investigator can use the history/feedback module to learn the process and apply the recorded experience in investigation.
• The tool generates an automated report of the case investigated.
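The flow through the four modules described in Section III, written out as an added example in Python. This is not the paper's tool (which was built on NetBeans and Oracle 10g): the similarity measure (Jaccard over the incident category and evidence types), the 0.5 threshold, the report fields and the sample cases are all assumptions made for the illustration; the hash service uses SHA-256 as one concrete choice for the "calculate hash" service of the Investigator's Module.

```python
"""History keeper / feedback flow with two-format report generation.
Added example modelled on Section III; constructed data, not the paper's tool."""
import hashlib
import json
from dataclasses import dataclass, field


@dataclass
class Case:
    """A registered case (Case Registration Module)."""
    case_id: str
    category: str                      # kind of incident, e.g. "data exfiltration"
    evidence_types: set                # kinds of evidence seized, e.g. {"usb log"}
    tools: list = field(default_factory=list)            # tool/process combination used
    evidence_hashes: dict = field(default_factory=dict)  # evidence name -> SHA-256 hex digest
    feedback: list = field(default_factory=list)         # investigator notes for later cases
    status: str = "open"


def hash_evidence(data: bytes) -> str:
    """'Calculate hash' service: digest recorded at acquisition so the evidence can later
    be shown unaltered (the Authenticate phase). SHA-256 is an assumed choice."""
    return hashlib.sha256(data).hexdigest()


def register_evidence(case: Case, name: str, data: bytes) -> str:
    digest = hash_evidence(data)
    case.evidence_hashes[name] = digest
    return digest


def case_features(case: Case) -> set:
    """Features the history keeper compares: incident category and evidence types (assumed)."""
    return {"cat:" + case.category} | {"ev:" + e for e in case.evidence_types}


def similarity(a: Case, b: Case) -> float:
    """Jaccard similarity of the two feature sets (assumed measure, not the paper's)."""
    fa, fb = case_features(a), case_features(b)
    return len(fa & fb) / len(fa | fb)


class HistoryKeeper:
    """History Keeper / Feedback Module: archive of closed cases searched by similarity."""

    def __init__(self, threshold: float = 0.5):
        self.closed = []
        self.threshold = threshold

    def archive(self, case: Case) -> None:
        case.status = "closed"
        self.closed.append(case)

    def most_similar(self, new_case: Case):
        """(score, case) for the closest past case at or above the threshold, else None."""
        scored = [(similarity(new_case, c), c) for c in self.closed]
        scored = [sc for sc in scored if sc[0] >= self.threshold]
        return max(scored, key=lambda sc: sc[0]) if scored else None

    def suggest(self, new_case: Case) -> dict:
        """Tool combination and feedback of the most similar past case, offered for reuse."""
        hit = self.most_similar(new_case)
        if hit is None:
            return {"tools": [], "feedback": [], "source_case": None}
        score, past = hit
        return {"tools": list(past.tools), "feedback": list(past.feedback),
                "source_case": past.case_id, "score": score}


def investigator_report(case: Case) -> str:
    """Detailed report: everything needed to prove the case, including evidence hashes."""
    return json.dumps({"case_id": case.case_id, "category": case.category,
                       "status": case.status, "evidence_hashes": case.evidence_hashes,
                       "tools": case.tools, "feedback": case.feedback}, indent=2)


def user_report(case: Case) -> str:
    """Summary for the registering user: required details only, no hashes or tooling."""
    return json.dumps({"case_id": case.case_id, "status": case.status,
                       "evidence_items": len(case.evidence_hashes)}, indent=2)


def demo() -> dict:
    """Constructed sample: two closed cases, then a new case resembling one of them."""
    keeper = HistoryKeeper()
    past = Case("C-2014-07", "data exfiltration", {"disk image", "usb log"},
                tools=["USBDeview", "The Sleuth Kit", "HxD"],
                feedback=["Check USB serials against the asset register first."])
    register_evidence(past, "usb.log", b"constructed usb log contents")
    keeper.archive(past)
    keeper.archive(Case("C-2014-12", "malware", {"memory dump"}, tools=["Volatility"]))

    new = Case("C-2015-03", "data exfiltration", {"usb log", "email"})
    register_evidence(new, "mail.pst", b"constructed mailbox export")
    suggestion = keeper.suggest(new)
    new.tools = suggestion["tools"]   # investigator reuses the suggested combination
    return {"suggestion": suggestion,
            "investigator_report": investigator_report(new),
            "user_report": user_report(new)}


if __name__ == "__main__":
    for part in demo().values():
        print(part)
```

The new case shares the category and one evidence type with the first archived case, so the keeper returns that case's tool combination and feedback; the user report deliberately omits the hashes and tool list that only the investigator's report carries.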
TABLE 2: MAPPING OF DIGITAL FORENSIC TOOLS TO PROPOSED DIGITAL FORENSIC FRAMEWORK

Columns of the original table: the 25 digital forensic tools of Table 1 (Encase [4][5][6], FTK [7][8], SANS SIFT [9], PTK [10], Bulk Extractor [11], The Sleuth Kit [12], The Coroner's [13], DFF [14], COFEE [15], ProDiscover Basic [16], Volatility [17], Linux 'dd' [18], CAINE [19], Recuva [20], HexEditor [21], DEFT [22], Xplico [23], LastActivityView [24], Mandiant RedLine [25], PlainSight [26], HxD [27], HELIX3 [28], P2explorer [29], AwardKeylogger [30], USBDeview [31]). Rows: the 40 phases of the proposed framework [3]. Only the row marks survive in the extracted text, not the tool columns in which they appeared, so the table is summarized below as the number of tools marked √ for each phase.

Sr. No | Phase of proposed framework [3] | Tools marked √
1 | Acquire | 1
2 | Analyze | 10
3 | Approach Strategy | 0
4 | Assess | 0
5 | Attribute | 1
6 | Authenticate | 16
7 | Become Aware | 10
8 | Classify | 4
9 | Closure | 0
10 | Communication | 0
11 | Decide | 0
12 | Decision | 0
13 | Destroy | 2
14 | Digital Investigation | 2
15 | Document | 7
16 | Extract | 5
17 | Harvest | 12
18 | Hypothesis | 1
19 | Incident Response | 3
20 | Individualize | 1
21 | Infrastructure | 0
22 | Notify | 0
23 | Operational | 0
24 | Package | 1
25 | Physical Investigation | 1
26 | Plan | 0
27 | Policy/Procedure | 0
28 | Post Process | 0
29 | Pre-process | 0
30 | Readiness | 0
31 | Reconstruct | 2
32 | Recover | 12
33 | Reduce | 3
34 | Search | 5
35 | Seizure | 0
36 | Submit | 0
37 | Trace | 2
38 | Trace back | 0
39 | Transport | 0
40 | Triggering | 0
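The deficiency analysis that Table 2 is built to support, as an added example in Python that is not part of the paper. The 40 phase names are those of Table 2; the tool-to-phase assignments in TOOL_COVERAGE are constructed for illustration (the paper's own tool-by-tool marks are not reproduced) and must not be read as its findings. The example goes a step beyond the table by also computing, with a greedy set cover, the combination of tools an investigator would need when no single tool completes the framework.

```python
"""Coverage analysis of forensic tools against the framework phases of Table 2.
Added example: the phase list is the paper's, the tool coverage data is constructed."""

# The 40 phases of the proposed framework [3], as listed in Table 2.
FRAMEWORK_PHASES = [
    "Acquire", "Analyze", "Approach Strategy", "Assess", "Attribute", "Authenticate",
    "Become Aware", "Classify", "Closure", "Communication", "Decide", "Decision",
    "Destroy", "Digital Investigation", "Document", "Extract", "Harvest", "Hypothesis",
    "Incident Response", "Individualize", "Infrastructure", "Notify", "Operational",
    "Package", "Physical Investigation", "Plan", "Policy/Procedure", "Post Process",
    "Pre-process", "Readiness", "Reconstruct", "Recover", "Reduce", "Search", "Seizure",
    "Submit", "Trace", "Trace back", "Transport", "Triggering",
]

# CONSTRUCTED tool -> supported-phases mapping, in the shape of Table 2 (illustrative
# only; these are not the paper's assessments of the tools).
TOOL_COVERAGE = {
    "The Sleuth Kit": {"Analyze", "Authenticate", "Recover", "Search", "Extract", "Document"},
    "FTK": {"Analyze", "Authenticate", "Recover", "Search", "Harvest", "Document"},
    "Volatility": {"Analyze", "Harvest", "Extract"},
    "Recuva": {"Recover"},
    "Linux dd": {"Acquire", "Authenticate"},
}


def validate(coverage, phases=FRAMEWORK_PHASES):
    """Reject a mapping that names a phase outside the framework (e.g. a typo in the table)."""
    known = set(phases)
    for tool, supported in coverage.items():
        unknown = supported - known
        if unknown:
            raise ValueError(f"{tool}: unknown phase(s) {sorted(unknown)}")
    return True


def phase_matrix(coverage, phases=FRAMEWORK_PHASES):
    """Table 2 read by row: phase -> sorted list of tools that support it."""
    return {p: sorted(t for t, s in coverage.items() if p in s) for p in phases}


def uncovered_phases(coverage, phases=FRAMEWORK_PHASES):
    """The deficiency the table exposes: phases that no reviewed tool supports."""
    matrix = phase_matrix(coverage, phases)
    return [p for p in phases if not matrix[p]]


def best_single_tool(coverage):
    """Tool supporting the most phases (the first one listed wins a tie)."""
    return max(coverage, key=lambda t: len(coverage[t]))


def greedy_tool_combination(coverage, phases=FRAMEWORK_PHASES):
    """Greedy set cover: keep adding the tool that contributes the most new phases until
    no tool adds any. Returns (tools chosen in order, sorted phases covered)."""
    wanted = set(phases)
    covered, chosen = set(), []
    while True:
        gain = {t: len((s & wanted) - covered)
                for t, s in coverage.items() if t not in chosen}
        if not gain or max(gain.values()) == 0:
            return chosen, sorted(covered)
        pick = max(gain, key=gain.get)
        chosen.append(pick)
        covered |= coverage[pick] & wanted


if __name__ == "__main__":
    validate(TOOL_COVERAGE)
    gaps = uncovered_phases(TOOL_COVERAGE)
    print(f"{len(gaps)} of {len(FRAMEWORK_PHASES)} phases have no tool support")
    print("Best single tool:", best_single_tool(TOOL_COVERAGE))
    print("Greedy combination:", greedy_tool_combination(TOOL_COVERAGE))
```

With the constructed data the greedy pass picks The Sleuth Kit, then FTK (for Harvest), then Linux dd (for Acquire), and stops with 32 of the 40 phases still uncovered, which is the kind of gap the paper's own comparison is meant to make visible.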
IV. CONCLUSION

The study was conducted by examining the various digital forensic tools included in the literature. This paper was motivated by the lack of consistent technology in the digital forensic research area. The main objective of the study was to determine whether the complete proposed digital forensic framework can be implemented in a digital forensic tool with automated report generation. The tool was developed and tested on many cases related to various application areas and achieved very fast and reliable results. The review of the literature included 25 digital forensic tools; the study can be extended to more tools to widen its scope.

References

[1] V. Baryamureeba and F. Tushabe. The Enhanced Digital Forensic Investigation Process Model. In Proceedings of the 4th Annual Digital Forensic Research Workshop, Baltimore, MD. Citeseer, 2004.
[2] M. Reith, C. Carr, and G. Gunsch. An Examination of Digital Forensic Models. International Journal of Digital Evidence, 1(3):1-12, 2002.
[3] Nilakshi Jain and Dr. Dhananjay R Kalbande. Digital Forensic Framework using Feedback and Case History Keeper. International Conference on Communication, Information & Computing Technology (ICCICT), pp. 1-6, 2015.
[4] Guidance Software. Encase search technology validated. https://www.guidancesoftware.com/products/Pages/encase-forensic/overview.aspx?cmpid=nav, January 2015.
[5] Wikipedia. Encase. http://en.wikipedia.org/wiki/EnCase, January 2015.
[6] Sectools. Encase. http://sectools.org/tool/encase/, January 2015.
[7] Wikipedia. Forensic Toolkit. http://en.wikipedia.org/wiki/Forensic_Toolkit, January 2015.
[8] Access Data. Forensic Toolkit. http://accessdata.com/solutions/digital-forensics/forensic-toolkit-ftk, January 2015.
[9] System Administration Networking and Security Institute (SANS). Computer Forensics and Incident Response. https://www.sans.org/course/advanced-computer-forensic-analysis-incident-response, February 2015.
[10] Wikipedia. PTK Forensics. http://en.wikipedia.org/wiki/PTK_Forensics, February 2015.
[11] AFFLIB open source computer forensic software. Bulk Extractor. https://github.com/simsong/bulk_extractor/wiki/Installing-bulk_extractor, February 2015.
[12] B. D. Carrier. Sleuth Kit. http://www.sleuthkit.org/sleuthkit/, January 2015.
[13] Wikipedia. The Coroner's Toolkit. http://www.sleuthkit.org/sleuthkit/, February 2015.
[14] Digital Forensic Framework. (Re)Discover Digital Investigation. http://www.sleuthkit.org/sleuthkit/, January 2015.
[15] Wikipedia. Computer Online Forensic Evidence Extractor (COFEE). http://en.wikipedia.org/wiki/Computer_Online_Forensic_Evidence_Extractor, January 2015.
[16] ARC. ProDiscover Basic. http://www.arcgroupny.com/products/prodiscover-basic/, January 2015.
[17] Volatility. https://www.volatilesystems.com/default/volatility, February 2015.
[18] Linux dd. http://sourceforge.net/projects/dc3dd/, February 2015.
[19] CAINE Software. http://www.caine-live.net/page5/page5.html, January 2015.
[20] Wikipedia. Recuva. http://en.wikipedia.org/wiki/Recuva, February 2015.
[21] Wikipedia. HexEditor. http://en.wikipedia.org/wiki/Recuva, January 2015.
[22] DEFT. http://www.deftlinux.net/, February 2015.
[23] Network Analysis Tool, Xplico. http://www.xplico.org/download, February 2015.
[24] LastActivityView. http://www.nirsoft.net/utils/computer_activity_view.html, February 2015.
[25] Mandiant RedLine. https://www.mandiant.com/resources/download/redline, January 2015.
[26] PlainSight. http://www.plainsight.info/index.html, January 2015.
[27] HxD Freeware Hex Editor and Disk Editor. http://mh-nexus.de/en/hxd/, January 2015.
[28] HELIX3, Incident Response and E-Discovery tool. http://www.e-fense.com/products.php, January 2015.
[29] P2explorer. https://www.paraben.com/p2-explorer.html, January 2015.
[30] AwardKeyLogger. http://www.award-soft.com/award-keylogger, January 2015.
[31] USBDeview. http://www.nirsoft.net/utils/usb_devices_view.html, January 2015.
