There are a wide range of forensic and analysis tools to examine digital evidence in existence today. Traditional tool design examines each source of digital evidence as a BLOB (binary large object) and it is up to the examiner to identify the relevant items from evidence. In the face of rapid technological advancements we are increasingly confronted with a diverse set of digital evidence and being able to identify a particular tool for conducting a specific analysis is an essential task. In this paper, we present a systematic study of contemporary forensic and analysis tools using a hypothesis based review to identify the different functionalities supported by these tools. We highlight the limitations of the forensic tools in regards to evidence corroboration and develop a case for building evidence correlation functionalities into these tools. © 2013 IEEE.

Serugudi V. Raghavan

FORENSIC ENGINEERING

Metadata

BINARY ABSTRACTION

Binary large objects

DIGITAL EVIDENCE

EVIDENCE CORRELATION

EVIDENCE CORROBORATION

File systems

Systematic study

Technological advancement

DIGITAL FORENSICS

IIT Madras is a public technical and research university located in Chennai, Tamil Nadu. Founded in 1959, it is recognised as an Institute of National Importance.

IIT Madras has been ranked as the top engineering institute in India for four years in a row by the National Institutional Ranking Framework of the MHRD

It currently offers undergraduate, postgraduate and research degrees across 16 disciplines in Engineering, Sciences, Humanities and Management. About 596 faculty belonging to science and engineering departments and centres of the Institute are engaged in teaching, research and industrial consultancy.

IIT Madras

A study of forensic & analysis tools

Int. Workshop Syst. Approaches Digit. Forensics Eng., SADFE

Traditionally, sources of digital evidence are analyzed by individually examining the various artifacts contained therein and using the artifact metadata to validate authenticity and sequence them. However, when artifacts from forensic images, folders, log files, and network packet dumps have to be analyzed, the examination of the artifacts and the metadata in isolation presents a significant challenge. Ideally, when a source is examined, it is a valuable task to determine correlations between the artifacts and group the related artifacts. Such a grouping can simplify the task of analysis by minimizing the need for human intervention. By virtue of the value that metadata bring to an investigation and its ubiquitous nature, metadata based associations is the first step in realizing such correlations automatically during analysis. In this paper, we present the AssocGEN analysis engine which uses the metadata to determine associations between artifacts that belong to files, logs and network packet dumps, and identifies metadata associations to group the related artifacts. A metadata association can represent any type of value match1 or relationship that is deemed relevant in the context of an investigation. We have conducted preliminary evaluation of AssocGEN on the classical ownership problem to highlight the benefits of incorporating this approach in existing forensic tools. © 2013 IEEE.

AssocGEN: Engine for analyzing metadata based associations in digital evidence

Journal	Data powered by TypesetInt. Workshop Syst. Approaches Digit. Forensics Eng., SADFE
Publisher	Data powered by TypesetInstitute of Electrical and Electronics Engineers Inc.
Open Access	No