A comparison of forensic toolkits and mass market data recovery applications

Digital forensic application suites are large, expensive, complex software products, offering a range of functions to assist in the investigation of digital artifacts. Several authors have raised concerns as to the reliability of evidence derived from these products. This is of particular concern, given that many forensic suites are closed source and therefore can only be subject to black box evaluation. In addition, many of the individual functions integrated into forensic suites are available as commercial stand-alone products, typically at a much lower cost, or even free. This paper reports research which compared (rather than individually evaluated) the data recovery function of two forensic suites and three stand alone `non-forensic' commercial applications. The research demonstrates that, for this function at least, the commercial data recovery tools provide comparable performance to that of the forensic software suites. In addition, the research demonstrates that there is some variation in results presented by all of the data recovery tools

Experimental Analysis of Web Browser Sessions Using Live Forensics Method

In today's digital era almost every aspect of life requires the internet, one way to access the internet is through a web browser. For security reasons, one developed is private mode. Unfortunately, some users using this feature do it for cybercrime. The use of this feature is to minimize the discovery of digital evidence. The standard investigative techniques of NIST need to be developed to uncover an ever-varied cybercrime. Live Forensics is an investigative development model for obtaining evidence of computer usage. This research provides a solution in forensic investigation effectively and efficiently by using live forensics. This paper proposes a framework for web browser analysis. Live Forensics allows investigators to obtain data from RAM that contains computer usage sessions.

Identifying Trace Evidence from Target-Specific Data Wiping Application Software

One area of particular concern for computer forensics examiners involves situations in which someone utilized software applications to destroy evidence. There are products available in the marketplace that are relatively inexpensive and advertised as being able to destroy targeted portions of data stored within a computer system. This study was undertaken to analyze a subset of these tools in order to identify trace evidence, if any, left behind on disk media after executing these applications. We evaluated five Windows 7 compatible software products whose advertised features include the ability for users to wipe targeted files, folders, or evidence of selected activities. We conducted a series of experiments that involved executing each application on systems with identical data, and we then analyzed the results and compared the before and after images for each application. We identified information for each application that is beneficial to forensics examiners when faced with similar situations. This paper describes our application selection process, our application evaluation methodology, and our findings, including the variability of the effects of these tools. Following this, we describe limitations of this study and suggest areas of additional research that will benefit the study of digital forensics. --from articl

Identifying Trace Evidence from Target-Specific Data Wiping Application Software

One area of particular concern for computer forensics examiners involves situations in which someone utilized software applications to destroy evidence. There are products available in the marketplace that are relatively inexpensive and advertised as being able to destroy targeted portions of data stored within a computer system. This study was undertaken to analyze a subset of these tools in order to identify trace evidence, if any, left behind on disk media after executing these applications. We evaluated five Windows 7 compatible software products whose advertised features include the ability for users to wipe targeted files, folders, or evidence of selected activities. We conducted a series of experiments that involved executing each application on systems with identical data, and we then analyzed the results and compared the before and after images for each application. We identified information for each application that is beneficial to forensics examiners when faced with similar situations. This paper describes our application selection process, our application evaluation methodology, and our findings, including the variability of the effects of these tools. Following this, we describe limitations of this study and suggest areas of additional research that will benefit the study of digital forensics. --from articl

Identifying Trace Evidence from Target-Specific Data Wiping Application Software

One area of particular concern for computer forensics examiners involves situations in which someone utilized software applications to destroy evidence. There are products available in the marketplace that are relatively inexpensive and advertised as being able to destroy targeted portions of data stored within a computer system. This study was undertaken to analyze a subset of these tools in order to identify trace evidence, if any, left behind on disk media after executing these applications. We evaluated five Windows 7 compatible software products whose advertised features include the ability for users to wipe targeted files, folders, or evidence of selected activities. We conducted a series of experiments that involved executing each application on systems with identical data, and we then analyzed the results and compared the before and after images for each application. We identified information for each application that is beneficial to forensics examiners when faced with similar situations. This paper describes our application selection process, our application evaluation methodology, and our findings, including the variability of the effects of these tools. Following this, we describe limitations of this study and suggest areas of additional research that will benefit the study of digital forensics

A comparative forensic analysis of privacy enhanced web browsers

Growing concerns regarding Internet privacy has led to the development of enhanced privacy web browsers. The intent of these web browsers is to provide better privacy for users who share a computer by not storing information about what websites are being visited as well as protecting user data from websites that employ tracking tools such as Google for advertisement purposes. As with most tools, users have found an alternative purpose for enhanced privacy browsers, some illegal in nature. This research conducted a digital forensic examination of three enhanced privacy web browsers and three commonly used web browsers in private browsing mode to identify if these browsers produced residual browsers artifacts and if so, if those artifacts provided content about the browsing session. The examination process, designed to simulate common practice of law enforcement digital forensic investigations, found that when comparing browser type by browser and tool combination, out of a possible 60 artifacts, the common web browsers produced 26 artifacts while the enhanced privacy browsers produced 25 for a difference of 2\%. The tool set used also had an impact in this study, with FTK finding a total of 28 artifacts while Autopsy found 23, for a difference of 8\%. The conclusion of this research found that although there was a difference in the number of artifacts produced by the two groups of browsers, the difference was not significant to support the claim that one group of browsers produced fewer browsers than the other. As this study has implications for privacy minded citizens as well as law enforcement and digital forensic practitioners concerned with browser forensics, this study identified a need for future research with respect to internet browser privacy, including expanding this research to include more browsers and tools

A Framework for Identifying Host-based Artifacts in Dark Web Investigations

The dark web is the hidden part of the internet that is not indexed by search engines and is only accessible with a specific browser like The Onion Router (Tor). Tor was originally developed as a means of secure communications and is still used worldwide for individuals seeking privacy or those wanting to circumvent restrictive regimes. The dark web has become synonymous with nefarious and illicit content which manifests itself in underground marketplaces containing illegal goods such as drugs, stolen credit cards, stolen user credentials, child pornography, and more (Kohen, 2017). Dark web marketplaces contribute both to illegal drug usage and child pornography. Given the fundamental goal of privacy and anonymity, there are limited techniques for finding forensic artifacts and evidence files when investigating misuse and criminal activity in the dark web. Previous studies of digital forensics frameworks reveal a common theme of collection, examination, analysis, and reporting. The existence and frequency of proposed frameworks demonstrate the acceptance and utility of these frameworks in the field of digital forensics. Previous studies of dark web forensics have focused on network forensics rather than hostbased forensics. macOS is the second most popular operating system after Windows (Net Marketshare, n.d.); however, previous research has focused on the Windows operating system with little attention given to macOS forensics. This research uses design science methodology to develop a framework for identifying host-based artifacts during a digital forensic investigation involving suspected dark web use. Both the Windows operating system and macOS are included with the expected result being a reusable, comprehensive framework that is easy to follow and assists investigators in finding artifacts that are designed to be hidden or otherwise hard to find. The contribution of this framework will assist investigators in identifying evidence in cases where the user is suspected of accessing the dark web for criminal intent when little or no other evidence of a crime is present. The artifact produced for this research, The Dark Web Artifact Framework, was evaluated using three different methods to ensure that it met the stated goals of being easy to follow, considering both Windows and macOS operating systems, considering multiple ways of accessing the dark web, and being adaptable to future platforms. The methods of evaluation v included experimental evaluation conducted using a simulation of the framework, comparison of a previously worked dark web case using the created framework, and the expert opinion of members of the South Dakota Internet Crimes Against Children taskforce (ICAC) and the Division of Criminal Investigation (DCI). A digital component can be found in nearly every crime committed today. The Dark Web Artifact Framework is a reusable, paperless, comprehensive framework that provides investigators with a map to follow to locate the necessary artifacts to determine if the system being investigated has been used to access the dark web for the purpose of committing a crime. In the creation of this framework, a process itself was created that will contribute to future works. The yes/no, if/then structure of the framework is adaptable to fit with workflows in any area that would benefit from a recurring process

Web browser artefacts in private and portable modes: a forensic investigation

Web browsers are essential tools for accessing the internet. Extra complexities are added to forensic investigations when recovering browsing artefacts as portable and private browsing are now common and available in popular web browsers. Browsers claim that whilst operating in private mode, no data is stored on the system. This paper investigates whether the claims of web browsers discretion are true by analysing the remnants of browsing left by the latest versions of Internet Explorer, Chrome, Firefox, and Opera when used in a private browsing session, as a portable browser, and when the former is running in private mode. Some of our key findings show how forensic analysis of the file system recovers evidence from IE while running in private mode whereas other browsers seem to maintain better user privacy. We analyse volatile memory and demonstrate how physical memory by means of dump files, hibernate and page files are the key areas where evidence from all browsers will still be recoverable despite their mode or location they run from

Influence of HTTP Header Entries on the Forensic Analysis of Web Browser Artifacts

The traces (digital evidence) created by users can be influenced by the parameters transmitted by the web server. HTTP header entries instruct the web browser or web server to perform certain functions. These include, for example, the criteria according to which content is to be cached on the client. If these effects are unknown to the investigators, this can be erroneously classified as manipulation. In addition, it is now being considered that new traces can be created by header entries that are not yet in the focus of the common investigation procedures. In this work, a demo application was used to investigate which parameters have an influence on the forensic investigation of traces of Mozilla Firefox

A Methodology for the Examination of the Effectiveness of Secure Erasure Tools Running On Windows XP - Research in Progress

Currently, there appears to be a lack of academic research in the area of testing the efficacy of secure erasure applications and utilities in regard to the activities of an average user in a home or small business context. This research in progress aims to develop a testing methodology that will provide a forensically sound base for which to analyse these tools. It involves the installation of various Internet related applications (for example browsers, instant messaging software and download clients), and the use of these applications for typical Internet activities (e.g. internet banking, instant messaging, web browsing and other activities that would be conducted by an average user). Following the creation of the simulated history, this paper discusses a practical testing methodology that includes the creation of image files, the allocation of these image files, and the use of forensic tools to examine disk contents before and after the execution of the secure erasure applications on the simulated user history. Additionally, a reporting mechanism has been formulated that will allow test results to be efficiently compiled and compared to form valid conclusions about the effectiveness of each erasure utility on internet history