  • Subject Name : IT Computer Science

Literature Review on the current validation process of the forensic tools used in the UK

Table of Contents

Introduction

Digital Forensic

Current Scientific Environment in the UK

Forensic Tools

Volatility

Encase

FTK Imager

Autopsy

Validation and Verification of Forensic Tools

Conclusion

Reference List

Introduction

According to Robertson, Vignaux, and Berger (2016), forensic science refers to the application of the natural sciences to matters of law, and is concerned with the identification and evaluation of physical evidence. Over the past decades, forensic science has evolved and attained a merit of its own in the world of jurisprudence. The evolution of technology and science has given rise to new and improved practices, methodologies, and tools in the field of law. In the opinion of Ubelaker (2015), modern forensic science is not limited to the investigation of criminal cases but is used for a broad range of applications in solving civil cases. Digital devices such as smartphones, tablets, and laptops have become an indispensable part of society, and with them the opportunities for criminal activity have increased. The growing number of computers and electronic devices demands the use of digital forensics in all areas, especially in the fields of computer security, law enforcement, and national defense. Various law enforcement agencies, investment companies, and financial institutions have incorporated the use of digital forensics into their infrastructure.

Digital forensics

As opined by Olivier (2016), digital forensics is the branch of forensic science that helps in recognizing, identifying, analyzing, validating, and presenting facts regarding digital evidence found on computers or any other digital media devices. In the era of information technology, the majority of the data saved on our devices is digital owing to the use of computer storage media. Digital forensics has simplified the process of storing data and addressed new challenges with regard to preserving information, maintaining trust, and recovering data. Computer forensic tools are chosen for recovering data lost through software or hardware malfunction, or for protecting the system when it is under attack by an intruder.

Current Scientific Environment in the UK

Science has advanced in almost every discipline, which shows that the opportunities for forensic expertise can extend beyond the criminal courts. As stated by Radford (2015), the UK needs to capitalize on the traditional applications of forensic science and create better opportunities to become a pioneer in the development of technology for detecting and preventing fraudulent activities and services. Currently, the country has been addressing the fraudulent activities and organized crime around it with digital forensic techniques that are useful in a wide range of fields outside the judicial system. Innovation is the key to bringing change to the world of forensic science and to addressing the growing complexity of identifying forensic evidence. It is at the discretion of policymakers and practitioners in the UK to adapt to the changing environment and develop improved forensic tools.

Forensic Tools

Forensics refers to the techniques used by investigators to solve a crime. As stated by Maras (2015), computer forensics is the art of investigating a crime that involves the use of computers. The need to solve cyber-related crimes has driven the development of computer forensic tools to aid digital evidence collection. These tools are capable of performing basic to advanced-level activities. Some of the most popular and commonly used forensic tools are described below.

Volatility

According to Case and Richard III (2017), Volatility is an open-source framework used to analyze volatile memory for a host of artifacts. The framework is useful to investigators through its various plugins, which give an idea of the current condition of the machine and how it is being used. Volatile memory, or RAM, is the primary storage of most computers in use. The Volatility framework can help identify changes made on the computer, for instance changes in passwords, any network activity, or changes in running processes, which can be acquired from the live memory of the computer. This tool is useful in identifying the clues that led to the loss of data, whatever the cause.

Encase

As suggested by Quick and Choo (2016), Encase is a digital investigation tool that can be used in forensics to recover lost data or information from seized hardware. Encase helps investigators carry out in-depth research and analysis of user files in order to gather evidence such as saved documents, internet history, images, and Windows Registry information. Encase is a multipurpose forensic investigation tool that prioritizes files before investigating them and collects digital data without compromising its integrity. It helps with decryption by means of password recovery mechanisms. Investigations with this tool can be performed on almost all Windows and mobile operating systems. The tool simplifies the collection of evidence and automates common tasks, which lets investigators spend more time on the investigation rather than on the process itself.

FTK Imager

As stated by Hashim et al. (2017), FTK (Forensic Toolkit) is used for scanning a hard drive and looking for potential evidence. It helps investigators identify or crack a password, analyze emails, or identify and analyze specific characters in user files. Apart from that, FTK helps with file decryption and data visualization. FTK Imager is a standalone module that can be used to image a drive and, when hashing is used, to confirm that the data has not been altered. FTK Imager can image the hard disk as multiple segments that together make up a single image. These segments can be recombined later to reconstruct the image. Depending on the investigator's convenience, either the GUI or the command line can be used.

Autopsy

As stated by Lazaridis, Arampatzis, and Pouros (2016), Autopsy is open-source computer software used for conducting hard drive investigations. Autopsy is used by military and government agencies, law enforcement agencies, and corporate investigators to conduct various digital investigations. The tool is built for extensibility, so users are able to add new functionality to examine the underlying data source. The Autopsy software is built for the convenience of users in accessing all of its features and modules. The tool can be used by one or more investigators at once.

Validation and Verification of Forensic Tools

The courts and law enforcement of the contemporary era have been served well by the practice of using automated software. Experienced investigators and detectives are capable of using their policing skills to provide valid evidence in conjunction with such software. However, growth in the field of computer forensics has created demand both for increased functionality in existing software and for new software. Such growth has also created the need for a means of verifying that such software is truly forensic, meaning that forensic tools and software should be able to meet the necessary requirements. Computer forensics originated in the late 1980s. According to Xiong et al. (2010), it was introduced as an ad hoc practice for meeting the service demands of the law enforcement community. The field of computer forensics has recently developed into a multi-domain discipline that crosses law enforcement, academia, and the corporate world. The interacting elements, as well as the definition of computer forensics itself, vary between authors with their distinct backgrounds. As opined by Wang and Lee (2013), a concise description of the core of computer forensics is the process of preserving, identifying, analyzing, and presenting digital evidence in a manner that is legally acceptable. This work focuses upon Encase, FTK Imager, IEF Evidence Finder, and Autopsy, which are in common use by the agencies and law enforcement of the United Kingdom.
In the opinion of Taylor, Fritsch, and Liederbach (2014), the world has experienced explosive growth in electronic crime as well as in information technology over the last 10 years. On one side, the IT field has become more dynamic and the number of digital devices with storage and processing capacity has grown rapidly. On the other side, such consistent advances in technology have given rise to complex issues in the discipline of electronic evidence. This means that with the advancement and development of technology, the number of crimes has also increased. One of the challenges faced by practitioners is establishing the reliability or unsoundness of the forensic tools and of the digital evidence produced by such tools. Garfinkel (2010) states that the dependability of the results of an investigation is predominantly determined by the correctness and validity of the forensic tools and the process of their application, because today's forensic investigations rely heavily on such tools. Hence, there is continuous demand from law enforcement and related agencies to verify and validate forensic tools in order to assure the reliability and dependability of digital evidence. The wish to bring the discipline of electronic evidence in line with the other established forensic disciplines is another factor that demands verification and validation of forensic tools. According to Watson and Jones (2013), a primary method of achieving this objective is acquiring external accreditation such as the ISO 17025 laboratory accreditation. Electronic evidence agencies and laboratories are assessed against various established criteria and must satisfy the extensive requirements specified within that standard to gain accreditation. The forensic tools and the procedures for their use are required to be tested as part of the accreditation process.
The validation and verification of software tools refer to the technologies and methods that help provide confidence in, and reliability of, the system software and these tools. There are two basic approaches to the validation and verification of forensic tools, known as software testing and software inspection. Inspection of forensic software and tools takes place during all stages of the development life cycle and covers the inspection of design documents, program code, and requirement documents. Software testing, on the other hand, is the process of executing the software to check whether it produces the expected results. The validation and verification of software tools were introduced in the early 1990s, and the concept has since been interpreted and described in various different contexts. Pottebaum et al. (2011) state that, in the IEEE 1012-1998 standard, validation is the process of evaluating a component or system during or after development to determine the level of requirement satisfaction, while verification is the process of evaluating a component or system to determine whether the products of a given development phase satisfy the requirements imposed at the beginning of that phase. The only available explanation of forensic validation in the discipline of electronic evidence is provided by the SWGDE (Scientific Working Group on Digital Evidence), which describes it as an evaluation to determine whether a procedure, technique, or tool functions as intended and appropriately. Considering the definitions provided by various researchers and practitioners, as well as the ISO 17025 requirements, the definitions of verification and validation of forensic tools are adopted as follows.
As opined by Beckett and Slay (2011), validation is the confirmation, by examination and the provision of objective evidence, that a procedure, technique, or tool functions as intended and appropriately. Verification is the confirmation of that validation for the procedures, techniques, and tools of a given laboratory.
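Validation by software testing, as described above, can be shown with a known-answer test run against a split-image acquisition of the kind FTK Imager produces: the tool must reproduce a known input bit-for-bit, the acquisition hash must match the verification hash, and a damaged segment must be flagged rather than passed. This is an added example, not code from the page or from any of the tools it reviews; the sample drive contents, segment size and function names are assumptions constructed for the demonstration.

```python
import hashlib

# Constructed sample evidence "drive": 10,000 deterministic pseudo-random bytes
# (an assumption standing in for a real disk; not data from the page).
SAMPLE_DISK = bytes((i * 7919 + 13) % 256 for i in range(10_000))
SEGMENT_SIZE = 4096  # hypothetical segment size for the split image


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire_split_image(source: bytes, segment_size: int) -> dict:
    """Model of a split acquisition: the source is cut into fixed-size segments,
    each segment is hashed, and the whole source is hashed once (acquisition hash)."""
    segments = [source[i:i + segment_size] for i in range(0, len(source), segment_size)]
    return {
        "acquisition_hash": sha256(source),
        "segments": segments,
        "segment_hashes": [sha256(s) for s in segments],
    }


def verify_image(image: dict) -> dict:
    """Verification step: reassemble the segments, recompute the hash and compare it
    with the acquisition hash; per-segment hashes localise any mismatch."""
    reconstructed = b"".join(image["segments"])
    bad = [i for i, s in enumerate(image["segments"]) if sha256(s) != image["segment_hashes"][i]]
    return {
        "verification_hash": sha256(reconstructed),
        "matches": sha256(reconstructed) == image["acquisition_hash"] and not bad,
        "corrupt_segments": bad,
    }


def run_known_answer_test(source: bytes, segment_size: int) -> bool:
    """Validation test: with a known input, the tool must reproduce it bit-for-bit.
    Returns True only if the reconstructed image is byte-identical to the source."""
    image = acquire_split_image(source, segment_size)
    result = verify_image(image)
    return result["matches"] and b"".join(image["segments"]) == source


def corrupted_segment_is_detected(source: bytes, segment_size: int, index: int) -> list:
    """Failure mode: flip one byte in one stored segment and confirm verification
    reports exactly that segment instead of success."""
    image = acquire_split_image(source, segment_size)
    damaged = bytearray(image["segments"][index])
    damaged[0] ^= 0xFF
    image["segments"][index] = bytes(damaged)
    return verify_image(image)["corrupt_segments"]


if __name__ == "__main__":
    print("known-answer test passed:", run_known_answer_test(SAMPLE_DISK, SEGMENT_SIZE))
    print("corrupt segments flagged:", corrupted_segment_is_detected(SAMPLE_DISK, SEGMENT_SIZE, 1))
```

The same pattern extends to a real imaging tool by replacing the constructed drive with a reference image whose hash is recorded in advance, which is what an ISO 17025 tool-validation test file is for.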

Conclusion

It can be concluded that the discipline of electronic evidence and forensic tools has not developed in the same manner as the forensic fields of ballistics and DNA. One of the biggest issues faced by practitioners and researchers is that the scientific foundations of the field have not been specified and mapped, and the functions that together make up the process of electronic evidence and forensics have not yet been characterized and stated. Introducing accreditation into contemporary digital forensics laboratories has several implications for researchers in this discipline. Meeting the necessary accreditation requirements is quite difficult because of the dynamic environment and heavy workload under which practitioners operate. There is a reasonable paradigm shift in verification and validation to assist in this process. Completing the entire paradigm of verification and validation will require a great deal of further work.

Reference List

Beckett, J. and Slay, J., 2011. Scientific underpinnings and background to standards and accreditation in digital forensics. Digital Investigation, 8(2), pp.114-121.
Case, A. and Richard III, G.G., 2017. Memory forensics: The path forward. Digital Investigation, 20, pp.23-33.
Garfinkel, S.L., 2010. Digital forensics research: The next 10 years. Digital Investigation, 7, pp.S64-S73.
Hashim, M.A., Halim, I.H.A., Ismail, M.H., Noor, N.M., Fuzi, M.F.M., Mohammed, A.H. and Gining, R.A.J., 2017. Digital Forensic Investigation of Trojan Attacks in Network using Wireshark, FTK Imager and Volatility. Computing Research & Innovation (CRINN), Vol 2, October 2017, p.205.
Lazaridis, I., Arampatzis, T. and Pouros, S., 2016, May. Evaluation of digital forensics tools on data recovery and analysis. In: The Third International Conference on Computer Science, Computer Engineering, and Social Media (CSCESM2016) (p. 67).
Maras, M.H., 2015. Computer Forensics. 4th ed. Massachusetts, USA: Jones and Bartlett Learning.
Olivier, M., 2016. Digital forensic science: A manifesto. South African Computer Journal, 28(2), pp.46-49.
Pottebaum, J., Artikis, A., Marterer, R., Paliouras, G. and Koch, R., 2011, May. Event definition for the application of event processing to intelligent resource management. In: Proceedings of the 8th International ISCRAM Conference, Lisbon, Portugal.
Quick, D. and Choo, K.K.R., 2016. Big forensic data reduction: digital forensic images and electronic evidence. Cluster Computing, 19(2), pp.723-740.
Radford, T., 2015. Britain could be forensic science world leader, says chief scientific adviser. [online] Available at: <https://www.theguardian.com/science/2015/dec/17/britain-could-be-forensic-science-world-leader-says-chief-scientific-advisor> [Accessed 19 March 2019].
Robertson, B., Vignaux, G.A. and Berger, C.E., 2016. Interpreting evidence: evaluating forensic science in the courtroom. 6th ed. New Jersey, USA: John Wiley & Sons.
Taylor, R.W., Fritsch, E.J. and Liederbach, J., 2014. Digital crime and digital terrorism. New Jersey, USA: Prentice Hall Press.
Ubelaker, D.H. ed., 2015. The global practice of forensic science. 3rd ed. New Jersey, USA: John Wiley & Sons.
Wang, Y. and Lee, H.C., 2013, March. Research On Some Relevant Problems in Computer Forensics. In: Proceedings of the 2nd International Conference on Computer Science and Electronics Engineering. Paris, France: Atlantis Press.
Watson, D.L. and Jones, A., 2013. Digital forensics processing and procedures: Meeting the requirements of ISO 17020, ISO 17025, ISO 27001 and best practice requirements. Newnes.
Xiong, W., Park, S., Zhang, J., Zhou, Y. and Ma, Z., 2010, October. Ad Hoc Synchronization Considered Harmful. In: OSDI (Vol. 10, pp. 163-176).
