DigitalForensics 2014: Advances in Digital Forensics X pp 279-295

Performance of a Logical, Five-Phase, Multithreaded, Bootable Triage Tool

  • Ibrahim Baggili
  • Andrew Marrington
  • Yasser Jafar
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 433)

Abstract

This paper describes a five-phase, multi-threaded bootable approach to digital forensic triage, which is implemented in a product called Forensics2020. The first phase collects metadata for every logical file on the hard drive of a computer system. The second phase collects EXIF camera data from each image found on the hard drive. The third phase analyzes and categorizes each file based on its header information. The fourth phase parses each executable file to provide a complete audit of the software applications on the system; a signature is generated for every executable file, which is later checked against a threat detection database. The fifth and final phase hashes each file and records its hash value. All five phases are performed in the background while the first responder interacts with the system. This paper assesses the forensic soundness of Forensics2020. The tool makes certain changes to a hard drive that are similar to those made by other bootable forensic examination environments, although the changes are greater in number. The paper also describes the lessons learned from developing Forensics2020, which can help guide the development of other forensic triage tools.
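The abstract describes the five phases as a per-file pipeline that runs in background threads while the responder works. The following Python script is an added illustration of that pipeline over a logical file tree; it is not Forensics2020's code and not from the paper. The magic-number table, the 4096-byte header window, the choice of SHA-256 over the header window as the phase-4 "signature", and the placeholder threat-hash set are all assumptions. It also performs the soundness check the paper's evaluation is concerned with: it snapshots file sizes and modification times before triage and confirms the read-only pass left them unchanged (access times are excluded because whether a read updates them depends on mount options).

```python
"""Added example: a five-phase logical triage pass (metadata, EXIF, header category,
executable parsing/signature, full hash) run multithreaded over a directory tree."""
import hashlib
import os
import struct
import tempfile
from concurrent.futures import ThreadPoolExecutor

HEADER_LEN = 4096  # assumed: bytes read from each file for phases 2-4

MAGIC = [  # assumed magic-number table for phase 3 (header-based categorization)
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\x7fELF", "executable/elf"),
    (b"MZ", "executable/pe"),
    (b"%PDF", "document/pdf"),
]

THREAT_DB = {"0" * 64}  # constructed placeholder; a real tool queries a threat database


def phase1_metadata(path):
    st = os.stat(path)
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns}


def phase2_exif(header):
    """Walk JPEG marker segments; return the APP1 Exif payload length, or None if absent."""
    if not header.startswith(b"\xff\xd8"):
        return None
    pos = 2
    while pos + 4 <= len(header):
        if header[pos] != 0xFF:
            return None
        marker = header[pos + 1]
        (seg_len,) = struct.unpack(">H", header[pos + 2:pos + 4])
        if marker == 0xE1:  # APP1 segment: Exif lives here when present
            payload = header[pos + 4:pos + 2 + seg_len]
            return seg_len - 2 if payload.startswith(b"Exif\x00\x00") else None
        if marker == 0xDA:  # start of scan: no further metadata segments follow
            return None
        pos += 2 + seg_len
    return None


def phase3_category(header):
    for magic, category in MAGIC:
        if header.startswith(magic):
            return category
    return "unknown"


def phase4_executable(header):
    """Parse basic ELF/PE header fields; signature = SHA-256 of the header window (assumed scheme)."""
    info = None
    if header.startswith(b"\x7fELF") and len(header) >= 20:
        little = header[5] == 1
        (machine,) = struct.unpack("<H" if little else ">H", header[18:20])
        info = {"format": "elf", "bits": 64 if header[4] == 2 else 32, "machine": machine}
    elif header.startswith(b"MZ") and len(header) >= 0x40:
        (e_lfanew,) = struct.unpack("<I", header[0x3C:0x40])
        info = {"format": "pe", "pe_header_at": e_lfanew,
                "valid_pe": header[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"}
    if info is None:
        return None
    info["signature"] = hashlib.sha256(header).hexdigest()
    info["flagged"] = info["signature"] in THREAT_DB
    return info


def phase5_hash(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_file(path):
    record = {"path": path, **phase1_metadata(path)}
    with open(path, "rb") as f:
        header = f.read(HEADER_LEN)
    record["exif_len"] = phase2_exif(header)
    record["category"] = phase3_category(header)
    record["executable"] = phase4_executable(header)
    record["sha256"] = phase5_hash(path)
    return record


def walk(root):
    for d, _, names in os.walk(root):
        for n in names:
            yield os.path.join(d, n)


def snapshot(root):
    """Size and mtime per file; atime is deliberately excluded (mount-option dependent)."""
    return {p: (os.stat(p).st_size, os.stat(p).st_mtime_ns) for p in walk(root)}


def triage(root, workers=4):
    """Run all five phases per file in a thread pool; report whether the tree was left unchanged."""
    before = snapshot(root)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        records = list(pool.map(triage_file, sorted(before)))
    return records, snapshot(root) == before


def by_name(records):
    return {os.path.basename(r["path"]): r for r in records}


def build_sample_tree():
    """Constructed sample input: a minimal JPEG with an Exif APP1 segment, an ELF64 header stub, a text file."""
    root = tempfile.mkdtemp(prefix="triage_")
    exif = b"Exif\x00\x00" + b"MM\x00\x2a\x00\x00\x00\x08"
    jpeg = b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(exif) + 2) + exif + b"\xff\xda\x00\x02\xff\xd9"
    elf = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + struct.pack("<HH", 2, 0x3E) + b"\x00" * 44
    for name, data in {"photo.jpg": jpeg, "tool": elf, "notes.txt": b"plain text\n"}.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    recs, unchanged = triage(build_sample_tree())
    for r in recs:
        print(r["category"], r["sha256"][:16], r["executable"], r["exif_len"])
    print("tree unchanged by triage:", unchanged)
```

Because each file's record is independent, the pool maps cleanly over the file list; on a real drive the expensive phase-5 hash is what makes the background execution the abstract describes worthwhile. Note that the soundness check here only covers the files themselves; the paper's evaluation concerns all changes a bootable environment makes to the drive, which this per-file check does not capture.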

Keywords

Triage tool, bootable tool, forensic soundness, performance

Copyright information

© IFIP International Federation for Information Processing 2014

Authors and Affiliations

  • Ibrahim Baggili (1)
  • Andrew Marrington (2)
  • Yasser Jafar (2)
  1. University of New Haven, West Haven, USA
  2. Zayed University, Dubai, United Arab Emirates