Knut Kröger & Reiner Creutzburg


A practical overview and comparison of certain commercial forensic software tools for processing large-scale digital investigations

Knut Kröger & Reiner Creutzburg
Brandenburg University of Applied Sciences, IT- and Media Forensics Lab, P.O.Box 2132, D-14737 Brandenburg, Germany
Email: {kroeger|creutzburg}@fh-brandenburg.de

ABSTRACT
The aim of this paper is to show the usefulness of modern forensic software tools for processing large-scale digital investigations. In particular we focus on the new version of Nuix 4.2 and compare it with AccessData FTK 4.2, X-Ways Forensics 16.9 and Guidance EnCase Forensic 7 regarding performance, functionality, usability and capability. It is shown how these software tools work with large forensic images and how capable they are in examining complex and big data scenarios.

INTRODUCTION
In the software market there are many good and established forensic tools such as AccessData FTK, X-Ways Forensics and Guidance EnCase Forensic. These tools are suitable for most standard forensic examinations and differ mostly in functionality or in their usability concept. In recent years many investigators have had increasing problems with the examination of large amounts of data, and investigating that data is often very difficult. Frequently, preparing the data with the forensic tools is very time consuming and error prone. The analysis of these cases also takes more and more time because the standard forensic tools become unstable and slow. To address this problem there is a special forensic tool named Nuix.

It was important to have a uniform approach for all analysis steps. The test scenario contains all steps needed to analyze the forensic software tools in the same way. For this reason four different forensic images were created. Because of the very long processing times, only images up to 300 GB in size were used.
It is also not so much the size of an image that matters, but how many files and how much forensically interesting information it includes.

HARDWARE AND SOFTWARE
To obtain good performance and the same conditions for all tests, the hardware has to be well selected. For all tests and analyses a PC with an Intel Core i7 3.40 GHz, 8 GB RAM, 256 GB SSD, 2 TB HDD and a Windows 7 Enterprise 64-bit operating system was used. For a good transfer rate the test images and the data generated by the forensic tools were stored and analyzed on the SSD. All forensic tools were used in their 64-bit versions because of the hardware limitations of the 32-bit versions.

Because of the many available publications and manuals about AccessData FTK 4.2, X-Ways Forensics 16.9 and Guidance EnCase Forensic 7, the following section shows only the functions and usability of Nuix 4.2. Nuix has a modern user interface with tabs and windows and contains a set of standard menus. Many of the commands on these menus are also located closer in context with the tasks they are associated with, such as on right-click menus.

INVESTIGATION RESULTS
All generated forensic images were loaded into Nuix 4.2, AccessData FTK 4.2, X-Ways Forensics 16.9 and Guidance EnCase Forensic 7. With every program an index was created and the following questions had to be answered:
- How many files do the images contain?
- How many documents do the images contain?
- How many Word and PDF files were found?
- How many e-mails were found?
These questions are needed to test functionality and usability and to find out how many steps are required to arrive at the answers in the different forensic software tools. To measure index creation, the log files of the forensic tools were analyzed to find out how long it takes to generate an index. Table 1 shows the execution times.
It is very important to know that the results in Table 1 are not pure index-creation times, because all forensic programs have special options that are performed automatically when an index is created. It is not possible to deactivate all of these options, so the measured times are only an indication of how long it takes to create an index. Still, they are a good clue for choosing the right forensic tool for a specific case.

The next step was to answer the questions above. All programs can be used to answer them, but the usability and user concept of the forensic tools are very different and often not easy to understand.

Nuix is developed for large-scale digital investigations and has many features for handling big data cases. Some key features are:
- automatic classification
- document navigator
- filter
- batch load details
- cluster runs
- search macros
- redaction and bulk redactions
- export to Ringtail load file
- support for Windows registry files
- support for file carving, slack space and deleted space
- history tab
- hex viewer
- scan for new child items
- support for XRY, Cellebrite, some Android databases, ADS and iPhone (call and SMS databases, voicemails)

PREPARATION
For the implementation of the investigation a test scenario was developed. With this test scenario all software tools were analyzed and evaluated. For clarity the scenario was designed to reveal the specific properties, advantages and disadvantages of each tool.

Nuix 4.2 contains eight tabs that host a variety of workflows and case information. The primary tab is the Workbench tab, which contains a holistic view of the data within the case and supports most of the necessary eDiscovery tasks. A very interesting option is the Network view. With this function it is possible to analyze patterns of communication between persons in a set of evidence. The Network view provides a dynamic view of communication patterns, including frequency of communication and any outlying communications, in a graphical format.
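As an added worked example (not code from the paper or from any of the tools it compares), the script below answers the four inventory questions of the investigation results over a constructed file listing and derives per-phase durations from constructed tool log lines. It classifies files by content signature before trusting the extension, so a PDF renamed to .jpg is still counted as a PDF and reported as a mismatch, and the log contains an automatically started hash phase to model the caveat that measured index times include side steps the tools run on their own. The log layout, the file list, the evidence file name and the definition of "document" as Word + PDF + plain text are assumptions made for the example.

```python
"""Added example, not from the paper: answer the four inventory questions
(files, documents, Word and PDF files, e-mails) over a constructed file listing,
classifying by content signature before trusting the extension, and derive
phase durations from constructed tool log lines. The log format and every path
are hypothetical and do not reproduce any real tool's log layout."""
import re
from collections import Counter
from datetime import datetime

# Constructed inventory: (path inside the image, first bytes of the file).
# The magic values are real format signatures; the files themselves are made up.
INVENTORY = [
    ("Users/alice/report.pdf",     b"%PDF-1.4\n"),
    ("Users/alice/notes.doc",      b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),  # OLE2 compound file
    ("Users/alice/plan.docx",      b"PK\x03\x04\x14\x00\x06\x00"),         # OOXML is a ZIP container
    ("Users/alice/holiday.jpg",    b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("Users/alice/invoice.jpg",    b"%PDF-1.5\n"),                         # PDF hidden behind .jpg
    ("Users/bob/mail/inbox.mbox",  b"From bob@example.test Mon Jan  7 2013"),
    ("Users/bob/mail/msg1.eml",    b"Return-Path: <bob@example.test>\r\n"),
    ("Users/bob/readme.txt",       b"plain text notes\n"),
    ("Windows/System32/ntdll.dll", b"MZ\x90\x00\x03\x00\x00\x00"),
]

# Signature table: (leading bytes, container or format name).
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),
    (b"PK\x03\x04", "zip"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"MZ", "pe"),
    (b"From ", "mbox"),
    (b"Return-Path:", "rfc822"),
    (b"Received:", "rfc822"),
]

# Signature the extension claims the file should have (used to flag renamed files).
EXPECTED = {"pdf": "pdf", "doc": "ole2", "docx": "zip", "jpg": "jpeg",
            "jpeg": "jpeg", "dll": "pe", "exe": "pe", "mbox": "mbox", "eml": "rfc822"}


def signature(head):
    """Format name from the leading bytes, or None if no signature matches."""
    return next((name for sig, name in MAGIC if head.startswith(sig)), None)


def classify(path, head):
    """Category for the inventory questions: content first, extension second."""
    ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
    kind = signature(head)
    if kind == "pdf":
        return "pdf"
    if kind == "ole2" and ext in ("doc", "dot"):
        return "word"
    if kind == "zip" and ext in ("docx", "docm", "dotx"):
        return "word"  # a ZIP could hold anything; the extension disambiguates here
    if kind in ("mbox", "rfc822"):
        return "email"
    if kind is None and ext == "txt":
        return "text"
    return kind or "unknown"


def count_inventory(inventory=INVENTORY):
    """Answer the paper's four questions. 'documents' = Word + PDF + plain text is an
    assumption of this example; the paper does not define the term."""
    cats = Counter(classify(p, h) for p, h in inventory)
    renamed = [p for p, h in inventory
               if EXPECTED.get(p.rsplit(".", 1)[-1].lower()) not in (None, signature(h))]
    return {
        "files": sum(cats.values()),
        "documents": cats["word"] + cats["pdf"] + cats["text"],
        "word": cats["word"],
        "pdf": cats["pdf"],
        "email": cats["email"],
        "renamed": renamed,  # extension disagrees with the content signature
    }


# Constructed tool log (hypothetical layout). The 'hash' phase starts on its own
# while indexing, which is why an index time read from a log is only indicative.
LOG = """\
2013-03-01 09:00:03 INFO  case opened: win7_image.E01
2013-03-01 09:00:10 INFO  index: start
2013-03-01 09:00:10 INFO  hash: start (auto-enabled)
2013-03-01 13:47:54 INFO  index: finished
2013-03-01 13:50:01 INFO  hash: finished
"""
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \w+\s+(\w+): (start|finished)")


def phase_durations(log=LOG):
    """Seconds from 'start' to 'finished' for every phase named in the log."""
    starts, durations = {}, {}
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        phase, event = m.group(2), m.group(3)
        if event == "start":
            starts[phase] = ts
        elif phase in starts:
            durations[phase] = (ts - starts[phase]).total_seconds()
    return durations


if __name__ == "__main__":
    print(count_inventory())
    print(phase_durations())
```

Running the script prints the answer dictionary (9 files, 5 documents, 2 Word, 2 PDF, 2 e-mails, one renamed file) and the per-phase durations; the hash phase outlasting the index phase is the kind of side step the paper's Table 1 cannot separate out.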
CONCLUSION
The following conclusion refers only to the tests and scenarios studied in this paper. The forensic tools can handle the created test images sufficiently. Only Nuix 4.2 has a new approach to working with large forensic images. Working on large-scale digital investigations is a very difficult and time consuming task for an investigator. The tests show that even the processing of a customary image such as a Windows 7 system with 98 GB is often hard to handle for the forensic tools. The processing time is often very long and the results are unclear and sometimes hidden. New techniques for handling large-scale forensic investigations are urgently required. Nowadays in most cases the forensic images that have to be processed have a minimum size of 50 GB, and this value is increasing constantly. More scalable programs are also required for more efficient work on specific cases.

SPIE Defense, Security and Sensing, "Mobile Multimedia/Image Processing, Security, and Applications 2013", Vol. 8755