What Is Digital Forensics And Open Source Tool?

What Is Digital Forensics And Open Source Tool?

What Is Digital Forensics And Open Source Tool? – In digital forensics, we rely upon our expertise as examiners to interpret data and information retrieved by our tools. To provide findings, we must be able to trust our tools. When we use closed source tools exclusively, we will always have a veil of abstraction between our minds and the truth that is impossible to eliminate.

We wrote this book to fill several needs. First, we wanted to provide a work that demonstrated the full capabilities of open source forensics tools. Many examiners that are aware of and that use open source tools are not aware that you can actually perform a complete investigation using solely open source tools. Second, we wanted to shine a light on the persistence and availability (and subsequent examination) of a wide variety of digital artifacts. It is our sincere hope that the reader learns to understand the wealth of information that is available for use in a forensic examination.

To continue further, we must define what we mean by “Digital Forensics” and what we mean by “Open Source.”

What Is Digital Forensics And Open Source Tool?

What Is “Digital Forensics?

At the first Digital Forensics Research Workshop (DFRWS) in 2001, digital forensics was defined as:

The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations.

While digital forensics techniques are used in more contexts than just criminal investigations, the principles and procedures are more or less the same no matter the investigation. While the investigation type may vary widely, the sources of evidence generally do not. Digital forensic examinations use computer-generated data as their source. Historically this has been limited to magnetic and optical storage media, but increasingly snapshots of memory from running systems are the subjects of examination.

Digital forensics is alternately (and simultaneously!) described as an art and a science. In Forensic Discovery, Wietse Venema and Dan Farmer make the argument that at times the examiner acts as a digital archaeologist and, at other times, a digital geologist.

Digital archaeology is about the direct effects from user activity, such as file contents, file access time stamps, information from deleted files, and network flow logs. … Digital geology is about autonomous processes that users have no direct control over, such as the allocation and recycling of disk blocks, file ID numbers, memory pages or process ID numbers.

This mental model of digital forensics may be more apropos than the “digital ballistics” metaphor that has been used historically. No one ever faults an archaeologist for working on the original copy of a 4000-year-old pyramid, for example. Like archaeology and anthropology, digital forensics combines elements from “hard” or natural science with elements from “soft” or social science.

Many have made the suggestion that the dichotomy of the art and science of forensic analysis is not a paradox at all, but simply an apparent inconsistency arising from the conflation of the two aspects of the practice: the science of forensics combined with the art of investigation. Applying scientific method and deductive reasoning to data is the science—interpreting these data to reconstruct an event is the art.

On his Web site, Brian Carrier makes the argument that referring to the practice as “digital forensics” may be partially to blame for some of this. While traditional crime scene forensic analysts are tasked with answering very discrete questions about subsets of evidence posed to them by detectives, digital forensic examiners often wear both hats. Carrier prefers the term “digital forensic investigation” to make this distinction clear.

What Is Digital Forensics And Open Source Tool?

The Digital Forensics Process

The process of digital forensics can be broken down into three categories of activity:
acquisition, analysis, and presentation.

  • Acquisition
    • Acquisition refers to the collection of digital media to be examined. Depending on the type of examination, these can be physical hard drives, optical media, storage cards from digital cameras, mobile phones, chips from embedded devices, or even single document files. In any case, media to be examined should be treated delicately. At a minimum the acquisition process should consist of creating a duplicate of the original media (the working copy) as well as maintaining good records of all actions taken with any original media.
  • Analysis
    • Analysis refers to the actual media examination—the “identification, analysis, and interpretation” items from the DFRWS 2001 definition. Identification consists of locating items or items present in the media in question and then further reducing this set to items or artifacts of interest. These items are then subjected to the appropriate analysis. This can be file system analysis, file content examination, log analysis, statistical analysis, or any number of other types of review. Finally, the examiner interprets results of this analysis based on the examiner’s training, expertise, experimentation, and experience.
  • Presentation
    • Presentation refers to the process by which the examiner shares results of the analysis phase with the interested party or parties. This consists of generating a report of actions taken by the examiner, artifacts uncovered, and the meaning of those artifacts. The presentation phase can also include the examiner defending these findings under challenge.

Note that findings from the analysis phase can drive additional acquisitions, each of which will generate additional analyses, etc. This feedback loop can continue for numerous cycles given an extensive network compromise or a long-running criminal investigation.

This book deals almost exclusively with the analysis phase of the process, although basic acquisition of digital media is discussed.

What Is Digital Forensics And Open Source Tool?

What is “Open Source?”

Generically, “open source” means just that: the source code is open and available for review. However, just because you can view the source code doesn’t mean you have license to do anything else with it. The Open Source Initiative has created a formal definition that lays out the requirements for a software license to be truly open source. In a nutshell, to be considered open source, a piece of software must be freely redistributable, must provide access to the source code, must allow the end user to modify the source code at will, and must not restrict the end use of the software. For more detail, see the full definition at the Open Source Initiative’s site.

What Is Digital Forensics And Open Source Tool?

“Free” vs “Open”

Due to the overloading of the word “free” in the English language, confusion about what “free” software is can arise. Software available free of charge (gratis) is not necessarily free from restriction (libre). In the open source community, “free software” generally means software considered “open source” and without restriction, in addition to usually being available at no cost. This is in contrast to various “freeware” applications generally found on Windows system available solely in binary, executable format but at no cost.

This core material of this book is focused on the use of open source software to perform digital forensic examinations. “Freeware” closed source applications that perform a function not met by any available open source tools or that are otherwise highly useful are discussed in the Appendix.

Benefits of Open Source Tools

There are great many passionate screeds about the benefits of open source software, the ethics of software licensing, and the evils of proprietary software. We will not repeat them here, but we will outline a few of the most compelling reasons to use open source tools that are specific to digital forensics.

Education

When the authors entered the digital forensics field, there were two routes to becoming an examiner. The first was via a law enforcement or military career, and the second was to teach yourself (with the authors representing each of these routes). In either scenario, one of the best ways to learn was by using freely available tools (and in the self-taught scenario, the only way!). Today, there are numerous college programs and training programs available to an aspiring examiner, but there is still something to be said for learning by doing. The authors have been using open source tools throughout their careers in digital forensics, and we both have no doubt that we are far better examiners than we would have been otherwise.

Using open source tools to learn digital forensics has several benefits. First, open source tools innately “show their work.” You can execute the tool, examine the options and output, and finally examine the code that produced the output to understand the logic behind the tool’s operation. For the purposes of small examination scenarios, you can run the tools on any old hardware you have access to—no multithousand dollar deluxe forensic workstation required. Finally, you also have access to a dedicated community of examiners, developers, and enthusiasts ready to help you—provided you’ve done a modicum of legwork before firing off questions answered trivially by a Google search.

Portability and Flexibility

Another key benefit to the tools covered in this book by and large is that they are all portable and flexible. By portable we mean that you can easily take your toolkit with you as you move from one system to another, from one operating system to another, or from one job to another. Unless you personally license an expensive proprietary tool, your toolkit may not come with you if you move from one company to another. Any product specific expertise you built up could end up worthless. If you are currently employed in law enforcement, any law enforcement–only tools you are ­currently using won’t be available to you should you decide to go into the private sector.

If portability means you can choose where you use your tools, flexibility means you can choose how you use your tools. You can use open source tools on your local system or you can install them on a remote server and use them over a remote shell. You can install them on a single system or you can install them on thousands of systems. You can do all this without asking the software provider for permissions, without filling out a purchase order, and without plugging a thousand hardware copy protection dongles into a thousand machines.

Price

In addition to being open source, all of the tools covered in this work are free of cost. This is great for individuals looking to learn forensics on their own, students taking formal coursework in digital forensics, or examiners looking to build a digital forensics capability on a budget. This is also a great benefit for anyone already using a full complement of commercial tools. Adding a set of open source tools to your toolkit will usually cost you nothing, save for a bit of time. Even if you continue using proprietary, commercial tools on a daily basis, you can use the tools in this book as an adjunct to cover gaps in your tools coverage or to validate or calibrate your tools’ findings and operation.

Ground Truth

Arguably the biggest benefit open source software provides to the examiner is the code itself. As renowned philosopher Alfred Korzybski once said, “the map is not the territory.” Being able to review the source code that you then compile into a working program is invaluable. If you have the skill and desire, you can make changes to
the function of the code.

You can verify fixes and changes between versions directly without having to simply trust what your software provider is telling you. Using the Sleuth Kit as an example, we have no less than three different ways to review bug fixes in the software. First, we can review the change log files included with each release. Most proprietary software vendors will include something similar when a new version is released. Second, we can review the freely accessible bug trackers maintained at the Sleuth Kit project site.

Most proprietary forensic software vendors will not provide open access to their full list of bugs and fixes. Finally, we can take the previous version of the source code and compare it with the newer version automatically via the diff command, highlighting exactly which changes have occurred. The first option is reading the map. The last option is ­surveying the territory.

Additionally, with open source software the function of the code can be reviewed directly. The authors have had experiences where proprietary forensic products have produced demonstrably erroneous results, but these tests were performed in a “black box” scenario. Known input files were generated and processed, and precalculated expected results compared to the output from the proprietary tool, and false negatives were discovered. The authors had to bypass the tool’s internal logic and implement correct function externally. Had the tool been open source, the error in processing could have been identified directly in the code,
fixed, and subsequently fixed in the main code repository, identifying and solving the problem for all users of the code.

In the previous scenario, the lack of access to the source code acted as an additional layer of abstraction between the examiners and the truth. Each layer of abstraction is a possible source for error or distortion. Since the goal of the examiner is to uncover truth, it is in the examiner’s interest to ensure that the possible layers of
abstraction are minimized. If your findings are ever brought into question, being able to show the actual source code used to generate data you interpreted could be incredibly valuable.

What Is Digital Forensics And Open Source Tool?

Conclusion

The world of digital forensics has a long history of relying heavily on closed-source tools. Armed with an understanding of what we are doing, why we are doing it, and why we choose to use the tools we do, we can move on to the next chapter and begin building an open source examination platform

If You Like Overall Information On Digital Forecnsics and Open Source Tool Then Go to my site And Check Other Blogs For More Blogs Click Here

Related posts

Leave a Comment