comparison of open source and commercial software in forensic informatics

Dušan Mikulaj, Marek Laššák, Institute of Forensic Science, Slovakia – Bratislava


Trends in forensic informatics

- One of the most dynamically developing branches of forensic science
- In some cases, digitalizing data is the only way of archiving information
- Digitalization and computerization are spreading progressively through all advanced countries of the world
- Positive effects
- Negative effects:
  - misuse of a computer to commit a crime
  - use of a computer directly, where digital data are the primary object of an attack
- A prompt response is needed to the fact that quick, certain and specific analysis of digital data has become necessary


The main principles of digital data analysis

- A possibility to apply standard scientific procedures
- The main goal of digital forensic analysis is the confirmation or refutation of a stated hypothesis
- The whole process needs to be automated
- The process of analysis consists of:
  - data acquisition and preparation
  - data accessing and sorting
  - data analysis
  - documenting of information and results
  - presentation of information and results to the competent authority in an easily understood form


Available software tools

Primary software tools applicable to digital forensics:

- tools not especially developed for digital forensic investigation
- tools directly dedicated to digital forensic investigation:
  - commercial tools (EnCase, Forensic ToolKit)
  - shareware, freeware, open source tools (SleuthKit/Autopsy)
  - special licensed tools (e.g. only for legislative investigations – ILook)


Tools directly dedicated to digital forensic investigation

EnCase
- commercial product
- most commonly used
- expensive
- own scripting language
- WIN32 platform


Tools directly dedicated to digital forensic investigation

Forensic ToolKit
- commercial product
- designated rather for routine operations
- fair price
- no possibility of adding own scripts
- WIN32 platform


Tools directly dedicated to digital forensic investigation

ILook
- special licensed product, free for legislative investigations
- designated for routine and exact operations
- own scripting language
- plenty of existing scripts
- analysis report generation in Slovak language
- WIN32 platform


Tools directly dedicated to digital forensic investigation

SleuthKit/Autopsy
- SleuthKit – set of tools for documenting allocated and unallocated data space
- Autopsy – graphical interface to the tool
- open source license
- platforms: UNIX, LINUX, WIN32 (CYGWIN)…
- less comfortable to control
- relatively good possibility of verifying results


Validation options of obtained results

Checking the correctness of results basically consists of the following tests:
- test of false positives
- test of false negatives

Process of result verification:
- open source tools: the end user has the possibility to check the source code
- commercial software tools are supplied as a black box, whose results can be verified by the circular test


Validation options of obtained results

The circular test procedure consists of several steps:
- creation of a file whose content is generated from exactly defined symbols (e.g. hexadecimal code “FF”)
- file system association, formatting
- creation of data content in the same way as on a standard data medium (e.g. copying, deleting, etc.)
- specification of the questions about what exactly should be performed within the frame of the circular test (e.g. to find all files, to find unallocated disk space, to find all files containing the word “forensic”, etc.)

The whole process of creating the data medium designated for the circular test must be documented and, after completion, given to the participants.
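The circular test above can be scripted so that the documented ground truth and a tool's answers are compared mechanically. The following is an added Python example, not code from the presentation or from any of the tools it names; it stands in for the data medium with a flat 0xFF-filled byte array and a bump allocator (assumptions of this example, not a real file system) and scores a tool's reported file list for the false positives and false negatives the previous slide mentions.

```python
import hashlib
from dataclasses import dataclass

FILL = 0xFF            # the exactly defined symbol every byte of the medium starts as
KEYWORD = b"forensic"  # the word one of the circular-test questions asks tools to find

@dataclass
class Entry:           # one line of the documented manifest given to participants
    name: str
    offset: int
    size: int
    sha1: str
    allocated: bool = True   # False once the file has been "deleted"

class TestMedium:
    """Constructed stand-in for the circular-test medium: a flat 0xFF-filled byte
    array with a bump allocator (assumed here instead of a real file system)."""

    def __init__(self, size: int):
        self.data = bytearray([FILL]) * size
        self.manifest: list[Entry] = []
        self.cursor = 0      # next free offset

    def write_file(self, name: str, content: bytes) -> Entry:
        off = self.cursor
        self.data[off:off + len(content)] = content
        self.cursor += len(content)
        entry = Entry(name, off, len(content), hashlib.sha1(content).hexdigest())
        self.manifest.append(entry)
        return entry

    def delete_file(self, name: str) -> None:
        # Only the manifest flag flips; the bytes stay in unallocated space.
        for entry in self.manifest:
            if entry.name == name:
                entry.allocated = False

    def expected_answers(self) -> dict:
        """Ground truth for the questions posed to the tools under test."""
        content = lambda e: bytes(self.data[e.offset:e.offset + e.size])
        return {
            "all_files": {e.name for e in self.manifest},
            "deleted_files": {e.name for e in self.manifest if not e.allocated},
            "files_with_keyword": {e.name for e in self.manifest if KEYWORD in content(e)},
            "unwritten_is_fill": all(b == FILL for b in self.data[self.cursor:]),  # tail untouched
        }

def score(expected: set, reported: set) -> tuple:
    """False positives (reported but not on the medium) and false negatives (missed)."""
    return reported - expected, expected - reported
```

A real circular test would replace the bump allocator with a formatted image and hand participants only the documented manifest, not the construction script.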


Tools requirements

Digital forensic analysis tools should meet the following basic requirements:
- treatability of FAT and NTFS file systems (basically the most commonly used file systems)
- ability to recover deleted content
- ability to recover lost logical partitions on the data medium
- searching for files in unallocated disk space
- known files recognition
- recognition of unknown or encrypted files
- automatic file content indexing
- checksum generation for analyzed files (CRC, MD5, SHA1)
- known files exclusion on the basis of the checksum (e.g. operating system files) if the files are not an object of analysis
- analysis report generation
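Checksum generation and known-file exclusion from the requirements above, as an added Python example (not the presentation's or any listed tool's own code): the reference corpus, the evidence files and their paths are constructed sample data.

```python
import hashlib
import zlib

def checksums(data: bytes) -> dict:
    """Generate the checksum types the requirements list: CRC32, MD5 and SHA-1."""
    return {
        "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08x}",
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }

def build_known_set(reference_files: dict) -> set:
    """Hash a reference corpus (e.g. a clean operating-system install) once; the
    resulting SHA-1 set is the 'known files' list used for exclusion."""
    return {checksums(data)["sha1"] for data in reference_files.values()}

def triage(evidence: dict, known_sha1: set) -> tuple:
    """Split evidence files into (excluded, to_analyse). Exclusion is keyed on
    SHA-1 only: CRC32 is a 32-bit error-detecting code, not an identifier, and
    MD5 collisions can be constructed, so neither should decide exclusion
    (SHA-1 collisions are public too; current hash sets are moving to SHA-256)."""
    excluded, to_analyse = {}, {}
    for path, data in evidence.items():
        sums = checksums(data)
        bucket = excluded if sums["sha1"] in known_sha1 else to_analyse
        bucket[path] = sums
    return excluded, to_analyse

# Constructed sample data standing in for a clean OS install and a seized image
REFERENCE = {
    "C:/Windows/notepad.exe": b"constructed notepad bytes",
    "C:/Windows/System32/kernel32.dll": b"constructed kernel32 bytes",
}
EVIDENCE = {
    "C:/Windows/notepad.exe": b"constructed notepad bytes",         # untouched OS file
    "C:/Windows/System32/kernel32.dll": b"tampered kernel32 bytes",  # modified, so no longer "known"
    "C:/Users/x/report.doc": b"forensic report about the case",     # user data, always analysed
}

if __name__ == "__main__":
    excluded, to_analyse = triage(EVIDENCE, build_known_set(REFERENCE))
    print("excluded:", sorted(excluded))
    print("to analyse:", sorted(to_analyse))
```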


Tools comparison

Tool/function | EnCase | Forensic ToolKit | SleuthKit/Autopsy | ILook
--- | --- | --- | --- | ---
Supported platforms | WIN32 | WIN32 | WIN32 (CYGWIN), LINUX, MAC, SOLARIS, BSD | WIN32
Supported file systems | FAT, NTFS, EXT2/3, HFS, BSD, UFS, AIX, Reiser, PALM | FAT, NTFS, EXT2/3 | NTFS, FAT, FFS, EXT2/3, UFS, BSD | FAT, NTFS, HFS, EXT2/3, SYS5, UDF, Netware
License | Commercial | Commercial | Open source | Special license
Analysis report generation | Yes | Yes | Yes | Yes
Own script support | Yes | No | Yes | Yes
Control checksum | Yes | Yes | Yes | Yes
Known files exclusion | Yes | Yes | Yes | Yes
Graphical interface | Yes | Yes | Not required | Yes
File content indexing | Yes | Yes | Yes | Yes
Known files recognition | Yes | Yes | Yes | Yes
Searching for files in unallocated disk space | Yes | Yes | Yes | Yes


Thank you for your attention