In document Módulo 4: Redes Sociales Colaborativas (pages 45-53)


Carrier's work on forensic tool abstraction layers [27] bridged the gap between the definition of a forensic process model and the development of the forensic tools that support an investigation. Because the raw bytes of a digital evidence source are rarely meaningful on their own, forensic tools translate them through one or more layers of abstraction until an investigator can interpret them. A directory listing is an example of a file system abstraction, while rendering bytes as ASCII is a binary abstraction that does not depend on a file system. The abstraction layer concept has been instrumental in the development of many forensic tools. The tool abstraction model proposed by Carrier is illustrated in Figure 2.2.

Figure 2.2 Carrier's tool abstraction model (input data and a rule set enter the forensic tool abstraction layer, which produces output data together with a margin of error)

4 http://www.afflib.org/

Carrier classified forensic tool abstraction layers as lossy or lossless. When a forensic tool processes a source of digital evidence and leaves the source intact after processing, the tool is said to provide a lossless abstraction. Conversely, if processing by a forensic tool affects the source such that it is no longer intact, the tool is said to provide a lossy abstraction with an associated margin of error. The abstraction layer model identifies two types of error introduced by forensic tools: tool implementation error, introduced by flaws in the tool's design or implementation, and abstraction error, introduced by the simplifications used to build the abstraction. Pan and Batten [146] studied the reproducibility of digital evidence, building on the abstraction layer concept. During an evidence examination, digital evidence sources are interpreted using one or more forensic tools. Evidence discovery is the process of reliably (footnote 5) recovering encrypted, hidden, lost or deleted data from the acquired evidence for further examination. AccessData and Guidance Software introduced the AccessData FTK (footnote 6) and Guidance EnCase (footnote 7) forensic tool suites respectively for examining digital evidence. Carrier [25, 27] developed the Sleuthkit (footnote 8) framework, building on The Coroner's Toolkit (TCT). Cohen [39] extended the Sleuthkit to develop the PyFlag network forensic architecture for examining forensic images of hard disks, memory dumps, network captures and logs.

The forensic community has also witnessed the advent of many other tools for examining digital evidence from hard disk images, logs, network packet captures, memory dumps, mobile phones and so on. Sleuthkit [25], Pyflag [39], Wireshark [42], log2timeline [111], tcpdump [185] and Volatility [195] are a few examples (footnote 9). Although tools such as Wireshark or tcpdump have found their way into forensic investigations, it is worth noting that they were not designed as forensic tools for examining and analysing digital evidence; such tools are simply termed analysis tools. Sleuthkit and Pyflag excluded, many of the tools listed on the opensourceforensics website (refer to Footnote 9, p. 46) fall into this category, albeit for different evidence sources.

During evidence examination, not all data may be readily available if efforts were made to conceal or eliminate it. One may need to identify and extract evidence from deleted or partial data, and to recover hidden or encrypted data. The techniques associated with these tasks are known as data carving and steganalysis (the detection of steganographically hidden data) respectively. After extraction, all the data in evidence is indexed to enable querying and searching.

5 Reliable recovery here means obtaining data as it is represented in a digital evidence source, without manipulating or modifying any information contained on that evidence source.

6 http://accessdata.com/products/computer-forensics/ftk

7 http://www.guidancesoftware.com/forensic.htm

8 http://www.sleuthkit.org/

2.2.3.1 Data Carving

Occasionally, evidence examination uncovers deleted or partial file data that could help an investigation. The process of uncovering such data gave rise to the field of data carving. Data carving is the process of identifying file types in a disk or memory image by a short, fixed string of bytes, called a magic number, matching those bytes against a database of known magic numbers, and recovering the deleted or partially deleted files that follow them [50]. A magic number is a constant byte sequence used to identify a file format and is therefore characteristic of that format. On a disk, carving is applied to unallocated file system space, where files cannot otherwise be identified because their allocation metadata is missing; on network captures, files are "carved" from the dumped traffic using the same techniques. One drawback of this process on disks or images is that file-carving tools typically produce many false positives [50]; each extracted file must therefore be tested for internal consistency. A large repository of such file types and header signatures is incorporated into each forensic tool, which then examines the region of data to be carved against the reference file signatures.
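The following is an added example, not code from the thesis or from any of the tools it cites. It demonstrates header/footer carving of the kind described above (scan a raw image for each known magic number, cut to the nearest footer, with no reliance on allocation metadata) and then applies the consistency test the text calls for: a format-specific validator that walks the carved object's internal structure and rejects carves that have a plausible header and footer but garbage in between. The signature table, the validators and the "disk image" are all assumptions constructed for this example; the image embeds a valid PNG, a valid JPEG and a deliberate false positive (a PNG header followed by a chunk with a wrong CRC).

```python
"""Header/footer file carving with per-format consistency checks.

Added example (not code from the thesis, Scalpel or any other tool).
The "disk image" IMAGE is constructed inline for demonstration.
"""
import struct
import zlib

# Magic numbers (headers) and the footers that terminate each format.
# Assumed table; a real carver reads a much larger signature database.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
}


def carve(image, signatures=SIGNATURES, max_size=10 * 1024 * 1024):
    """Scan a raw image for every known header and cut to the nearest footer.

    Returns (format, offset, bytes) tuples sorted by offset. No allocation
    metadata is consulted, so unallocated space and network dumps are
    handled identically.
    """
    found = []
    for name, (header, footer) in signatures.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_size)
            if end != -1:
                found.append((name, pos, image[pos:end + len(footer)]))
            pos = image.find(header, pos + 1)
    return sorted(found, key=lambda r: r[1])


def png_is_consistent(data):
    """Walk the PNG chunk list and verify every chunk CRC up to IEND."""
    off = 8  # skip the 8-byte signature
    while off + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[off:off + 8])
        if off + 12 + length > len(data):
            return False  # chunk claims to extend past the carved object
        body = data[off + 8:off + 8 + length]
        (crc,) = struct.unpack(">I", data[off + 8 + length:off + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            return False  # header/footer matched, but the contents are junk
        off += 12 + length
        if ctype == b"IEND":
            return off == len(data)  # IEND must be the last chunk
    return False


def jpeg_is_consistent(data):
    """Walk JPEG marker segments from SOI; each must fit inside the carve,
    and a Start Of Scan (SOS) marker must be reached before the EOI footer."""
    if not data.endswith(b"\xff\xd9"):
        return False
    off = 2  # skip SOI
    while off + 4 <= len(data):
        if data[off] != 0xFF:
            return False
        marker = data[off + 1]
        if marker == 0xDA:  # SOS: entropy-coded data follows until EOI
            return True
        (seglen,) = struct.unpack(">H", data[off + 2:off + 4])
        if seglen < 2 or off + 2 + seglen > len(data):
            return False
        off += 2 + seglen
    return False


VALIDATORS = {"png": png_is_consistent, "jpg": jpeg_is_consistent}


def carve_and_verify(image):
    """Carve, then attach a consistency verdict to each carved object."""
    return [(name, off, len(data), VALIDATORS[name](data))
            for name, off, data in carve(image)]


# ---- constructed sample image (assumption, not real evidence) -------------
def _png_chunk(ctype, body):
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


REAL_PNG = (SIGNATURES["png"][0]
            + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
            + _png_chunk(b"IDAT", zlib.compress(b"\x00\x00\x00\x00"))  # 1x1 RGB
            + _png_chunk(b"IEND", b""))
# False positive: valid signature and IEND footer, but the IHDR CRC is zeroed.
FAKE_PNG = (SIGNATURES["png"][0]
            + b"\x00\x00\x00\x0dIHDR" + b"\x01" * 13 + b"\x00\x00\x00\x00"
            + _png_chunk(b"IEND", b""))
_app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
_sos = b"\x01\x01\x00\x00\x3f\x00"
REAL_JPEG = (b"\xff\xd8"
             + b"\xff\xe0" + struct.pack(">H", len(_app0) + 2) + _app0
             + b"\xff\xda" + struct.pack(">H", len(_sos) + 2) + _sos
             + b"\x12\x34\x56"  # constructed scan bytes, not a decodable picture
             + b"\xff\xd9")
IMAGE = (b"\x00" * 512 + REAL_PNG + b"\xaa" * 96 + FAKE_PNG
         + b"\x00" * 64 + REAL_JPEG + b"\xff" * 32)

if __name__ == "__main__":
    for name, off, size, ok in carve_and_verify(IMAGE):
        verdict = "consistent" if ok else "FALSE POSITIVE"
        print(f"{name} at offset {off}: {size} bytes, {verdict}")
```

Running the block carves three objects: the PNG at offset 512 and the JPEG pass their validators, while the second PNG carve is flagged as a false positive because its IHDR CRC does not verify. The validators are deliberately structural (chunk CRCs, marker segment lengths) rather than content-based, which is the cheapest test that still discards most signature-only hits; a fragmented or partially overwritten file will also fail them, which is the expected behaviour for a carver that does not attempt reassembly.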

Garfinkel proposed a technique for controlling the state space explosion when carving from AFF images [64]. Richard and Roussev [157] described a high performance file carver called Scalpel for carving files from hard disk images.

2.2.3.2 Data Hiding and Steganography

Evidence examination is often accompanied by the discovery of new information from within digital evidence, and this is called evidence discovery. One such evidence discovery technique is the discovery of steganographic content or hidden information. Steganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and the intended recipient, suspects the existence of the message. Digital steganography may include hiding information inside document files, image files, programs or protocols. Media files are ideal carriers for steganographic transmission because of their large size. Hosmer and Hyde [86] discussed the challenges posed by steganography and proposed the saturation view technique to detect steganographic information in digital images. Lee et al. [106] presented an approach for detecting image anomalies by combining computer graphics principles and AI reasoning. Image forgery was classified into four categories, viz. deletion, insertion, photomontage and false captioning. The approach segments a given image, computes an importance map over regions of interest and employs a rule-based reasoning component to determine forgery status. Hargreaves et al. [82] described the Windows Vista format and examined the challenges it posed to forensics, while Park et al. [146] studied data concealment and detection in Microsoft Office 2007 files. Pal et al. [145] proposed a file fragmentation testing method using sequential hypothesis testing on raw forensic images to determine all sectors of a disk image in which a file may have been stored.

2.2.3.3 Indexing and Querying Digital Evidence

Alink et al. [3] proposed XIRAF, an XML-based indexing and retrieval framework for querying stored digital evidence. XIRAF indexes raw disk images and stores the extracted features in annotated XML. The framework consists of three subsystems: the tool repository, the storage subsystem and the feature extraction manager. The feature extraction manager drives the various feature extraction tools and integrates their outputs into XML, which is then stored in the storage subsystem. The XML database is queried for evidence-related information using XQuery.

In summary, over the years researchers have devised new ways to examine digital evidence sources and to discover potential evidence using one or more forensic tools. However, it remains a largely manual and labour-intensive process, and the growing volume of digital evidence compounds the challenge. Garfinkel [67] noted that present-day forensic tools were designed to find new pieces of digital evidence, but that the analysis itself remains largely manual. There is a need to consolidate these research findings to provide a seamless transition from forensic examination to analysis, especially across multiple sources of digital evidence.
