Knut Kröger & Reiner Creutzburg


A practical overview and comparison of certain commercial forensic software tools for processing large-scale digital investigations

Knut Kröger & Reiner Creutzburg
Brandenburg University of Applied Sciences, IT- and Media Forensics Lab, P.O.Box 2132, D Brandenburg, Germany
SPIE Defense, Security and Sensing, "Mobile Multimedia/Image Processing, Security, and Applications 2013", Vol. 8755

ABSTRACT

The aim of this paper is to show the usefulness of modern forensic software tools for processing large-scale digital investigations. In particular we focus on the new version of Nuix 4.2 and compare it with AccessData FTK 4.2, X-Ways Forensics 16.9 and Guidance EnCase Forensic 7 regarding performance, functionality, usability and capability. It is shown how these software tools work with large forensic images and how capable they are of examining complex, big-data scenarios.

INTRODUCTION

In the software market there are many good and established forensic tools such as AccessData FTK, X-Ways Forensics and Guidance EnCase Forensic. These tools are suitable for most standard forensic examinations and differ mostly in their functionality or in their usability concept. In the last years many investigators have had increasing problems with the examination of large amounts of data, and investigating the data is often very difficult. Frequently, preparing the data with the forensic tools is very time consuming and error prone. The analysis of these cases also takes more and more time because the standard forensic tools become unstable and slow. A special forensic tool named Nuix was developed to address this problem.

PREPARATION

For the implementation of the investigation, a test scenario was developed. With this test scenario all software tools were analyzed and evaluated. For clarity, the scenario was designed to reveal the specific properties, advantages and disadvantages of each tool. It was important to have a uniform approach for all analysis steps: the test scenario contains all steps needed to analyze the forensic software tools in the same way. For this reason four different forensic images were created. Because of the very long processing times, only images up to 300 GB in size were used. It is also not so much the size of an image that matters, but how many files and how much forensically interesting information it contains.

Hard- and Software

To obtain good performance and the same conditions for all tests, the hardware has to be well selected. For all tests and analyses a PC with an Intel Core i GHz, 8 GB RAM, 256 GB SSD, 2 TB HDD and a Windows 7 Enterprise 64-bit operating system was used. For a good transfer rate the test images and the data generated by the forensic tools were stored and analyzed on an SSD. All forensic tools were used in their 64-bit versions because of the hardware limitations of the 32-bit versions.

NUIX 4.2

Because of the many available publications and manuals about the forensic tools AccessData FTK 4.2, X-Ways Forensics 16.9 and Guidance EnCase Forensic 7, the following section shows only the functions and the usability of Nuix 4.2. Nuix has a modern user interface with tabs and windows and contains a set of standard menus. Many of the commands on these menus are also located closer in context with the tasks with which they are associated, such as on right-click menus. Nuix 4.2 contains eight tabs that host a variety of workflows and case information. The primary tab is the Workbench tab, which contains a holistic view of the data within the case and supports most of the necessary eDiscovery tasks. A very interesting option is the Network view. With this function it is possible to analyze patterns of communication between persons in a set of evidence. The Network view provides a dynamic view of communication patterns, including frequency of communication and any outlying communications, in graphical form.

INVESTIGATION RESULTS

All generated forensic images were loaded into the forensic tools Nuix 4.2, AccessData FTK 4.2, X-Ways Forensics 16.9 and Guidance EnCase Forensic 7. With every program an index was created, and the following questions had to be answered:
- How many files do the images contain?
- How many documents do the images contain?
- How many Word and PDF files were found?
- How many e-mails were found?
These questions are necessary to test the functionality and usability and to find out how many steps are required to obtain the answers in the different forensic software tools.

To measure the creation of an index, the log files of the forensic tools were analyzed in order to find out how long it takes to generate an index. Table 1 shows the execution times. It is very important to know that the results in Table 1 are not unique values, because all forensic programs have special options that are performed automatically when an index is created. It is not even possible to deactivate all of these options, and for this reason the measured times are only an indication of the duration of index creation. But they are a good clue for choosing the right forensic tool for each specific case.

The next step was to answer the questions from above. All programs can be used to answer them, but the usability and the user concept of the forensic tools are very different and often not easy to understand. Nuix is developed for large-scale digital investigations and has many features for handling big-data cases. Some key features are:
- automatic classification
- document navigator
- filter
- batch load details
- cluster runs
- search macros
- redaction and bulk redactions
- export to Ringtail load file
- support for Windows registry files
- support for file carving, slack space and deleted space
- history tab
- hex viewer
- scan for new child items
- support for XRY, Cellebrite, some Android databases, ADS and iPhone (call and SMS databases, voicemails)

CONCLUSION

The following conclusion refers only to the tests and scenarios studied in this paper. The forensic tools can handle the created test images sufficiently. Only Nuix 4.2 has a new approach to working with large forensic images. If an investigator has to work on large-scale digital investigations, it is a very difficult and time-consuming task. The tests show that even the processing of a customary image such as a Windows 7 system of 98 GB is often hard to handle for the forensic tools. The processing time is often very long and the results are unclear and sometimes hidden. New techniques to handle large-scale forensic investigations are therefore urgently required. Nowadays, in most cases the forensic images that have to be processed have a minimum size of 50 GB, and this value is increasing constantly. More scalable programs are also required for more efficient work on specific cases.
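The four index questions from the investigation results (file count, document count, Word/PDF count, e-mail count) are what every tool in the comparison has to answer after indexing. The following added example, which is not code from the paper or from any of the tools it compares, shows in miniature what such an index has to do: identify each item by content signature rather than file extension (a renamed file is still counted correctly), time the index build as the paper does from the tools' logs, and answer the four questions. The evidence set is constructed inline, and "documents" is assumed here to mean Word, PDF and plain-text files.

```python
import re
import time
from collections import Counter

# Constructed evidence set (not from the paper): path -> leading bytes of the file.
SAMPLE_EVIDENCE = {
    "Users/alice/report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj",
    "Users/alice/notes.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,
    "Users/bob/plan.docx": b"PK\x03\x04" + b"[Content_Types].xml word/document.xml",
    "Users/bob/mail/1.eml": b"From: bob@example.test\r\nTo: alice@example.test\r\n\r\nhi",
    "Users/bob/mail/2.eml": b"Return-Path: <c@example.test>\r\nFrom: c@example.test\r\n\r\nx",
    "Users/bob/renamed.pdf": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,  # .doc hidden behind a .pdf name
    "Windows/System32/kernel32.dll": b"MZ\x90\x00\x03\x00\x00\x00",
    "Users/alice/todo.txt": b"buy milk\n",
}

# An RFC 5322 style header line ("Name: value") at the start of the item.
HEADER_LINE = re.compile(rb"^[A-Za-z][A-Za-z0-9-]*: ")

def classify(data: bytes) -> str:
    """Identify an item by its content signature, never by its extension."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):
        return "word"           # OLE2 container; assumed to be a legacy .doc here
    if data.startswith(b"PK\x03\x04") and b"word/" in data:
        return "word"           # OOXML package carrying a Word part
    if HEADER_LINE.match(data) and b"From:" in data:
        return "email"
    if data.startswith(b"MZ"):
        return "executable"
    try:
        data.decode("utf-8")
        return "text"
    except UnicodeDecodeError:
        return "unknown"

def build_index(evidence):
    """Classify every item and record how long the indexing run took."""
    start = time.perf_counter()
    index = {path: classify(head) for path, head in evidence.items()}
    return index, time.perf_counter() - start

def answer_questions(index):
    """The four questions of the test scenario, answered from the index."""
    kinds = Counter(index.values())
    return {
        "files": len(index),
        "documents": kinds["pdf"] + kinds["word"] + kinds["text"],
        "word_and_pdf": kinds["pdf"] + kinds["word"],
        "emails": kinds["email"],
    }
```

On the constructed set, `renamed.pdf` is counted as a Word file, which is the difference between a signature-based index and a plain extension count.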

