Authors: Manjot Kaur Bhatia, Palak Gambhir, Shefali Sinha, Saksham Kumar Singh
Certificate: View Certificate
The internet is expanding at a breakneck pace, as the number of crimes perpetrated using or against computers. The area of computer forensics has arisen in reaction to the rise of computer crime. Computer forensics is the meticulous collection and examination of electronic evidence that not only analyses the damage to a computer because of an electronic attack but also recovers lost data from such a system to convict a criminal. As a result, the standard forensic process that is required after an electronic attack involves collecting evidence from a computer system, analyzing, and presentation of the collected evidence in court. Forensics deals primarily with the recovery and analysis of latent evidence. The growth of digital forensics has substantially increased the requirement for effective tools. There are several tools available today which are used to investigate the OS of a given computer. The purpose of this paper is to compare OS forensics tools by evaluating their ease of use, functionality, performance, and product support and documentation. This research will provide a brief comparative analysis of two widely used OS forensic tools-OSForensics and autopsy based on various contradictory factors.
Applying inspection and analysis methods to obtain and preserve data from the relevant computer device in a form that is appropriate for presenting in court is known as digital forensics. Digital forensics does a thorough investigation while maintaining a recorded chain of evidence to ascertain precisely what may be found on a computer system and who was responsible for it. Examiners and analysts now routinely employ digital forensics technologies .
In general, forensic analysts adhere to the following guidelines: investigators create a digital duplicate of the device’s storage media after physically isolating it to ensure that it cannot be unintentionally contaminated. The original media is kept in a safe or another secure location once it has been duplicated in order to preserve its condition. To investigate the copy, analysts employ several strategies and recovery applications forensic tools, looking for clones of erased, encrypted, or corrupted information in invisible folders and free disk space. Digital forensics is a crucial tool for resolving computer- related crimes including phishing and financial crimes as well as crimes against individuals where a computer may contain evidence. The forensic examination of a computer’s data leak is known as memory forensics. Investigation of sophisticated computer assaults that are covert enough to not leave data on the machine’s hard drive is its main use.
In forensics, evidence is gathered, examined, and presented to the courts utilizing experimental knowledge. The retrieval and evaluation of evidence are the main topics covered by forensics. Evidence can come in a variety of shapes and sizes, including DNA evidence discovered in blood stains, fingerprints left on a window, and data on a hard drive. The process of gathering and analyzing data from networks, computer systems, storage devices, and wireless transmission in a form that is acceptable as evidence in a court of law is known as computer forensics .
Data gathering, authentication, and analysis are the three primary phases of computer forensic investigation. Making a bitwise duplicate of the disc is the main step in the data-gathering process. By comparing the duplicate with the original checksum, authentication establishes that the copy being used for analysis is a precise replica of the data on the original disc. If typical forensic techniques are unable to recover lost data, the user may be able to extract the data utilizing a more sensitive device, although this is seldom done because of the high cost of the required equipment.
The main purpose of computer forensics is to gather electronic evidence for use in investigations. To use this knowledge in the prosecution of a crime, the evidence must be properly and lawfully gathered. Finding evidence of several crimes resulting in the trade secret theft using computer and network forensics techniques. Computer and network forensics aim to provide sufficient proof so that offenders can be effectively punished. For instance, evidence relating to child pornography, fraudulent transactions, drug or forgery records, or murder may be discovered during a criminal investigation. In civil processes, it is possible to find evidence of private and professional documents that pertain to fraud, harassment, or divorce. Professionals in computer network forensics aren't solely employed by attorneys. Insurers may need computer network forensics technology to find evidence to reduce the amount paid for claims. Additionally, anyone can employ computer network forensics to back up sexual harassment or other tort claims .
Digital forensics is an ever-evolving science with many sub-disciplines. Some of these subdomains are:
II. LITERATURE REVIEW
Nisarg Trivedi and Dhruv Patel discussed about the Autopsy Forensics Browser which is a graphical user interface for The Sleuth Kit (TASK). Autopsy is a Windows-based, open-source, and free Source digital forensics software for event diagnosis. In a read-only setting, it is useful for analyzing disc images, local discs, and directories to identify potential reasons for an event. It is intended to be an expandable platform that can accommodate plug-in components from both open-source and proprietary software projects to provide an end-to -end computer forensics solution. This article describes the installation of Autopsy, data intake, data analysis, and software features in the most recent version.
Vedanta Kapoor et. al explored the principles of digital forensics and discuss the numerous forensics investigation teams that are at their disposal. Additionally, they talk about the many kinds of cybercrimes that occur and the tools that are available to stop them. Additionally, they conducted a comparison analysis of all the tools available based on many aspects, providing the reader with an abstract understanding of which tool to employ for the greatest outcomes.
B. V. Prasanthi explored all the different branches of digital forensics and forensics frameworks that are there and reviewed all the popular digital forensics tools available in the market that are in use by various agencies for the purpose of crime investigation. Each tool is made to suit different needs such as Caine is used for virtual forensics, X- Ways Forensics for disk imaging and cloning, Libforensics to develop digital forensics applications and extract info from various sources, etc. Nowadays, every second someone falls victim to cyber -attacks or cyber thefts, and hence Cyber Forensics is indispensable in today's world.
Security and scalability are important issues for system[16,17]. Shaweta Sachdeva et al. did an in-depth analysis of the various tools that exist online for performing Digital Forensics and security faults. They have explained in detail all the phases involved in the data analytics process and their significance, starting from the Identification phase, followed by Acquiring phase, the Authentication phase, the Analysis phase, and lastly Presentation phase. In the present scenario, the number of mobile phone and computer users only seems to be increasing, and hence more and more people are falling prey to cyber-attacks and scams. Hence, we cannot underestimate the importance of digital forensics.
Jarno Baselier has described all about the tool OSForensics and its application in the field of Digital Forensics. OSForensics is a tool that is a complete suite of tools with different uses. It is used for both live-acquisition and non-live-acquisition forensics. The paper talks about the complete installation process of OSForensics and the steps involved in it, as its striking features make OSForensics stand out and outperform its other competitors in the market. It is very affordable as compared to other software’s available in the market and significantly faster. The author has also explained in detail its interface and various components of the software.
III. FORENSIC ANALYSIS TOOLS
It is a GUI-based digital forensics tool that permits the user to explore hard disk drives and PDAs. It contains a module architecture that enables the user to find supplemental applications or support unique Python or Java projects. This tool contains localized email records and conversations and assists a sizable number of users all around the world. Autopsy is used by law enforcement and business inspectors to examine what happens on a computer. In fact, the user may use it to restore photos from the memory card of their camera. The term "autopsy" refers to the process of investigating the disk's contents after consumption. The most popular types of data conceptual by ingesting are used in digital forensic investigation, which keeps a strategic distance from the necessity to physically carry out the tasks.
1. Timeline Analysis: helps in identifying activity by displaying framework events in a graphical connection point.
2. Registry Analysis: utilizes RegRipper to differentiate recently accessed archives and USB devices.
3. Keyword Search: Using text extraction and record-checking modules, users may uncover records that include certain phrases and discover common articulation patterns.
4. Email Analysis: Like Thunderbird, email analysis can also parse MBOX design messages.
5. Web Artifacts: helps to identify client action by extracting web action from regular applications.
6. LNK file analysis finds other approaches and helps to report them.
OSForensics is a toolbox that provides a tonne of information on how a machine is used and the files that are stored on it. Users may absolutely manage their tasks and projects with OSForensics. Operating system forensics allows users to monitor what their children are doing on the system and enlist legal experts in the investigation. The application can be easily installed on computer memory. It helps the user to find particular documents on the computer, recover deleted data, keep track of activity, or create a report with specialized information about the machine.[12,13] It is also quite simple to use, which is fortunate because there is no documentation for the complexities. There is a rare scenario that a user ever has to examine a computer completely, in that scenario OS forensics could be the best tool that can help. Operating System Forensics is essentially a thorough investigation of all devices, and its user interface syncs well. It may also be set up on a USB storage device.
C. DFF (Digital Forensics Framework)
A digital forensics framework is open-source computer forensics programming. It is utilized both by proficient and non-master individuals to accumulate, moderate, and con-cede digital proof without compromising frameworks and data rapidly and without any problem. It is used to compile, moderate, and concede digital proof without jeopardizing systems and data by both experts and non-specialists. Its order line interface empowers to perform digital examination from a distance and accompanies regular functionalities accessible in like manner system like finish, undertakings the executives, and globing or console easy routes.[11,13] The digital forensic framework may also launch a number of scripts to automate repeated tasks. High-level users and engineers may also preplan their investigation using a digital forensic framework directly from a Python mediator.
Wireshark is a free open-source parcel analyzer. It is used for network damage, testing, programming and association convention progress, and education. With this tool, we can view every package on the network and gauge the high level of traffic in our company. Every OS is compatible with Wire Shark, and it has a user-friendly interface in GUI contexts. Wire shark is the world's most appropriate organization analyzer. This is an extremely useful asset that gives organization and upper-layer conventions data about the data caught in an organization.
A network bundle analyzer is a monitoring tool used to look within an organization link to see what's going on. One of the best sniffers anyone could expect to discover is being developed as a free, high-quality sniffer called WireShark. It includes amazing components and a great graphic user interface that has been properly developed and produced do. It is supported by Windows, MAC OS X, and frameworks built on Unix. This amazing sniffer Wireshark has channels, a diversity of codes, and numerous perspectives that enable users to inspect individual bundles and delve deeply into network data. Wireshark may be used to analyze a large program's network traffic, sweep the traffic stream on the network, or track out network problems.
An encryption tool called TrueCrypt is available as freeware and is open source. It can encrypt a package, the entire stockpiling device, or create a virtual fragmented disk inside a document. It has full disk encryption and is a multi-stage open-source record of documents. Additionally, it has the ability to arrange a fragmented hard disk section on a smaller encrypted record that is clearly visible to any disk administrator. It provides advanced encryption without any problems. Additionally, it offers "on -the-fly encryption," which means that after entering the right password, we don't need to rely on bulky papers to decode the information, showing that the data are readily available. TrueCrypt protects very sensitive personal and corporate classified data. To prevent unauthorized access to legitimate data, it employs document encoding and package encryption.
For the key inference, a few combinations of hash and encryption computations are used. TrueCrypt is the tool that helps to encrypt the data. This method is replicated from one storage disk to another storage disk when we clone from a TrueCrypt disc.  At that stage, data got decoded and temporarily stored in memory. Decoded data is always temporarily kept in RAM by TrueCrypt; it is never saved to a disk. In any case, the volume's data collection is already encoded before it is mounted.
IV. COMPARATIVE ANALYSIS RESULTS
V. RESEARCH CHALLENGES
With the huge advancement of computer innovations over the last ten years, the use of innovation has been characterized as both great and terrible. While certain individuals use innovation to develop things to help humanity, hoodlums likewise use innovation to accomplish their own objectives. One of the primary issues is that when an innovation is created to recognize and research hoodlums, there is one more method that assists lawbreakers with concealing themselves. This is a gigantic test forensics officials face today. Not at all like numerous different wellsprings of actual proof, digital proof is not difficult to change, eliminate or stow away, perhaps without leaving tracks that could distinguish the lawbreaker. So, hostile to forensics has turned into a significant test for digital forensics. The various challenges that occur during forensics include:
Encryption is the cycle of scrambling data that must be decoded and perused by somebody who has the right deciphering key. Encryption is utilized to stow away or make the proof mixed up on the compromised framework.
In 2007, an occurrence happened when US customs tracked down youngster erotic entertainment on Canadian resident and legitimate us occupant Sebastian Boucher’s pc. The pc was seized as evidence, and he was accused of shipping the porn across borders. The issue seemed when inspectors attempted to open the implicating drive z and figured out that it was a pretty good privacy scrambled holder. Albeit a forensic copy of the hard drive was made after the closure of the journal, the inspector couldn’t open the scrambled compartment.
Attackers use a variety of encryption methods, and in order to make the data useable, experts must decode the encrypted data. It is time-consuming, and occasionally the data that has been scrambled cannot be read.
Steganography is an encryption strategy that can be utilized alongside cryptography as an extra-secure technique in which to safeguard data.”. Steganography is a technique that may be used to hide any data inside of a record transporter without altering its outside appearance. This steganography is used by attackers to hide their secret data (payloads) inside the hacked framework. The expert must identify this hidden data while analyzing computer infractions in order to unearth the information for further reference.
C. Undercover Channel
An Undercover communication channel, sometimes known as a hidden channel, allows attackers to hide information from the organization and perhaps evade interruption detection methods. Regularly, an organisation convention is picked, and its header is changed to spill messages between assailants, taking advantage of the way that a couple of fields of the header are adjusted during transmission.”. Assailants utilize these secrets directly to keep a secret association between the assailant and the compromised framework. It is less recognizable.
D. Data concealing away space
Attackers hide some data inside volume sections and make it impossible for the regular framework commands and projects to find them. It complicates and prolongs the assessment, and occasionally, the validity of the data might be disputed. Perhaps the most well- known method of obscuring data away from the computer is a rootkit.
As per Microsoft (2014), malware architects use rootkits to stow away malware inside casualties' pcs. It is exceptionally difficult to distinguish rootkits and most computer clients don't have the foggiest idea about how to eliminate these rootkits. Client mode rootkits are equipped for stowing away "processes, records, framework drivers, network ports, and even framework administrations".
E. Remaining Data Wiping
Data cleanup for leftovers is yet another name for remaining data wiping. A few hidden cycles are operating without the attacker's information at the time the attacker uses a computer to accomplish his goal. However, a shrewd attacker can avoid this risk by removing the tracks left by his machine and making the structure appear as though it hasn't been used for that purpose.
F. Tail obfuscation-going after the Apparatuses
The most well-known strategy is the obscurity of the well-spring of the assault. Here, the assailant involves bogus data to deceive the specialist (for example bogus email headers, changing record expansions). In this manner now and again the examiner could miss a few data that have forensic worth.
G. Resource Challenges
Depending on the circumstances, the amount of data involved in the case may be huge. In order to spread messages amongst attackers, an organisation convention is frequently chosen and its header modified. This technique makes use of the fact that a few header fields are altered during transmission. Attackers use these secrets to maintain a covert connection between themselves and the compromised system. It is harder to identify.
Likewise, the examiner must review each piece of information that was acquired in order to compile evidence. For the test, a bigger expenditure could be necessary. Time is a constraining factor; thus, it becomes yet another challenging test in the realm of digital forensics. Client exercises are rewritten in the volatile memory in unexpected memory forensics because the data stored in the volatile memory is vaporous. In this way, agents are able to dissect only late material that has been stored in unexpected memory. This minimizes the data's value as evidence in the investigation.
An examiner should make sure that no information is changed or overlooked throughout the examination when collecting data from the source, and the information should be thoroughly obtained.
Data sources that are harmed won’t be quickly utilized in examinations. So, it is a significant issue when an examiner finds an important source that isn’t usable.
Various individuals across the globe have proposed various strategies for distinguishing imitations. Different approaches to altering pictures are talked about above in this paper. As from the above conversation, the inactive methods or visually impaired imitation identification is liked over dynamic procedures as dynamic strategies require the first picture alongside the manufactured picture. In any case, with uninvolved recognition methods history of the picture isn’t by any stretch of the imagination required. This element is detached method makes it extremely renowned. Crooks are turning out to be increasingly more fit for doing falsifications with various procedures. They utilize different strategies all at once altogether not to be identified by accessible fraud discovery procedures. Right now, accessible advances to identify fabrications are not programmed and the majority of the apparatuses expect humans to work. Computerizing these devices is a truly extreme undertaking to be achieved in not so distant future. In this paper, we analyzed particular forensic apparatuses utilized for breaking down security blemishes in digital forensics and the point-by -point survey of digital forensics. The data structure that is located in memory may also be used to get digital proof using a variety of devices. The new cycle model is chosen to quickly acquire urgent proof and investigate the situation. The Stepwise Forensic. The data structure that is located in memory may also be used to get digital proof using a variety of devices. The new cycle model is chosen to quickly acquire urgent proof and investigate the situation. The stepwise forensic process model demonstrates an in-situ method that provides occurrence- recognizable evidence, recovery, and analysis. The SFPM suggests a brand-new investigative paradigm for selecting the aim and, as it were, breaking down the key confirmations. To surpass the limitations of the conventional forensic model, it is planned to quickly pick and assess the framework depending on the circumstances surrounding the crime scene. The network parcel analyzer is focused on network research analysis, the evolution of correspondent norms, and in education. It detects network traffic as well as a distinct increase in traffic in our company. The sophisticated forensic tools are supposed to collect and analyze data throughout the forensic investigation, but they are also anticipated to spot any errors or conflicts that may have occurred during execution. Because of the quick expansion in the number of Internet clients across the world, the recurrence of digital assaults has expanded. In this way, the need to devise successful systems and foster proficient apparatuses to conveniently recognize these assaults. In this paper, we have analyzed various devices for performing digital forensic examinations. This examination gives a temporary investigation of the instruments concerning the digital forensic examination.
 R.S Khalaf and A. Varol, ”Digital Forensics: Focusing on Image Forensics,” 2019 7th International Symposium on Digital Forensics and Security (ISDFS),2019, pp. 1-5, doi: 10.1109/ISDFS.2019.8757557  G Maria Jones; S Godfrey Winster, ”An Insight into Digital Forensics: History, Frameworks, Types and Tools,” in Cyber Security and Digital Forensics: Challenges and Future Trends, Wiley, 2022, pp.105-125, doi: 10.1002/9781119795667.ch6  H. Majed, H. N. Noura, and A. Chehab, \"Overview of Digital Forensics and Anti-Forensics Techniques,\" 2020 8th International Symposium on Digital Forensics and Security (IS-DFS), 2020, pp. 1-5, doi: 10.1109/ISDFS49300.2020.9116399  O. M. Adedayo, ”Big data and digital forensics,” 2016 IEEE International Conference on Cybercrime and Computer Forensic (ICCCF), 2016, pp. 1-7, doi: 10.1109/IC-CCF.2016.7740422  Refaces. (2022, January 18). What is Digital Forensics: Process, tools, and types: Computer Forensicsoverview. RecFaces. Retrieved from https://recfaces.com/articles/digital-forensics  K. U. Maheshwari and G. Shobana, \"The State of the art tools and techniques for remote digital forensic investigations,\" 2021 3rd International Conference on Signal Processing and Communication (ICPSC), 2021, pp. 464-468, doi: 10.1109/ICSPC51351.2021.9451718.  L. Chen, L. Xu, X. Yuan and N. Shashidhar, \"Digital forensics in social networks and the cloud: Process, approaches, methods, tools, and challenges,\" 2015 International Conference on Computing, Networking and Communications (ICNC), 2015, pp. 1132-1136, doi: 10.1109/ICCNC.2015.7069509.  K. S. Singh, A. Irfan and N. Dayal, \"Cyber Forensics and Comparative Analysis of Digital Forensic Investigation Frameworks,\" 2019 4th International Conference on Information Systems and Computer Networks (ISCON), 2019, pp. 584-590, doi: 10.1109/ISCON47742.2019.9036214.  K. Ghazinour, D. M. Vakharia, K. C. Kannaji and R. Satyakumar, \"A study on digital forensic tools,\" 2017 IEEE International Conference on Power, Control, Signals and Instrumentation Engineering (ICPCSI), 2017, pp. 3136-3142, doi: 10.1109/ICPCSI.2017.8392304.  A. Al-Sabaawi, \"Digital Forensics for Infected Computer Disk and Memory: Acquire, Analyse, and Report,\" 2020 IEEE Asia-Pacific Conference on Computer Science and Data Engineering (CSDE), 2020, pp. 1-7, doi: 10.1109/CSDE50874.2020.9411614.  Al-Dhaqm et al., ”Digital Forensics Subdomains: The State of the Art and Future Directions,” in IEEE Access, vol. 9, pp. 152476-152502, 2021, doi: 10.1109/ACCESS.2021.3124262  Y. Adam and C. Varol, ”Intelligence in Digital Forensics Process,” 2020 8th International Symposium on Digital Forensics and Security (ISDFS), 2020, pp. 1-6, doi: 10.1109/ISDFS49300.2020.9116442  V. Fernando, ”Cyber Forensics Tools: A Review on Mechanism and Emerging Challenges,” 2021 11th IFIP International Conference on New Technologies, Mobility and Security (NTMS), 2021, pp. 1-7, doi: 10.1109/NTMS49979.2021.9432641  P. Bahadur and D. S. Yadav, ”Computer forensics-digitized science,” 2015 SAI Intelligent Systems Conference (IntelliSys), 2015, pp. 1025-1031, doi: 10.1109/Intel-liSys.2015.7361269  R. Poisel and S. Tjoa, ”A Comprehensive Literature Review of File Carving,” 2013 International Conference on Availability, Reliability and Security, 2013, pp. 475-484, doi: 10.1109/ARES.2013.62.  Bhatia, M., Muttoo, S. K., & Bhatia, M. P. S. (2011). Secure group communication protocol. Int J Adv Eng Sci Technol, 11(1), 221-225.  Bhatia, M., Muttoo, S. K., & Bhatia, M. P. S. (2013). Secure Requirement Prioritized Grid Scheduling Model. Int. J. Netw. Secur., 15(6), 478-483.
Copyright © 2022 Manjot Kaur Bhatia, Palak Gambhir, Shefali Sinha, Saksham Kumar Singh. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.