Forensic Focus
www.forensicfocus.com

An Investigation Into Computer Forensic Tools

K.K. Arthur & H.S. Venter
Information and Computer Security Architectures (ICSA) Research Group
Department of Computer Science
University of Pretoria
Pretoria


This material is based upon work supported by Telkom, IST and the NRF through THRIP. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors; Telkom, IST and the NRF therefore accept no liability for them.


ABSTRACT

Cyber-crime has reached unprecedented proportions in this day and age. In addition, the internet has created a world with seemingly no barriers while making a countless number of tools available to the cyber-criminal. In light of this, Computer Forensic Specialists employ state-of-the-art tools and methodologies in the extraction and analysis of data from storage devices used at the digital crime scene. The focus of this paper is to conduct an investigation into some of these forensic tools, e.g. EnCase®. This investigation will address commonalities across the forensic tools and their essential differences, and ultimately point out what features need to be improved in these tools to allow for effective autopsies of storage devices.



1 INTRODUCTION

The internet is a network of networks, connecting millions of computing devices [1, p1], and has applications in business, communications and information interchange throughout the world. Undoubtedly, the advent of these connections has impacted all aspects of our lives. The decentralized nature of the internet forms its very foundation, yet ironically, this nature has opened networks and individual machines to a host of threats and attacks from cyber-criminals.

Cyber-crime includes, but is not limited to, the theft of trade secrets, the theft or destruction of intellectual property, and fraud. Trade secrets and intellectual property are typically the foundation upon which many companies are built. This information gives each company a competitive advantage, and having such information compromised in any way could easily cost the company millions. In addition, since money is no longer exclusively paper-based due to online trading, financial fraud such as credit card misuse is perpetrated once a criminal gains access to enterprise information systems. Cyber obscenity is one of the more popular forms of cyber-crime. Essentially, pornographic material, such as child pornography, is hidden on storage media since perpetrators acknowledge the illegality of being in possession of these images.

Cyber-criminals associate themselves with one or all of these crimes by making it their job to find vulnerabilities in operating systems, applications or services that run on a computer connected to the internet [2]. Once a vulnerability is discovered and exploited, the criminal is able to view or store sensitive information on some form of storage media. The storage medium can be either local (i.e. hard drives) or removable (i.e. floppy disks, zip drives, memory sticks or CDs). Once the crime is committed, prosecution becomes extremely difficult since the crime venue could easily span different cities and countries and involve unsuspecting third parties. At this point, a computer forensic specialist (CFS) is tasked to investigate the digital crime scene by impartially scrutinizing a number of digital sources that are either involved or thought to be involved in the crime, and ultimately to produce a single document reflecting a summary of the contents of the digital sources.

As in any other forensic science, CFSs make use of a number of specialized software tools and hardware devices to carry out investigations. These investigations follow a strict methodology to maintain the credibility and integrity of all storage devices involved. The general methodology is to [3]:

- PROTECT the subject computer system during the forensic examination from any possible alteration, damage, data corruption or virus infection.
- DISCOVER all files on the subject system which includes existing normal files, deleted yet remaining files, hidden files, password-protected files and encrypted files.
- RECOVER, as much as possible, files that are discovered to be deleted.
- REVEAL, to the extent possible, the contents of hidden files as well as temporary files used by both the application programs and the operating system.
- ACCESS the contents of protected or hidden files if possible and legally appropriate.
- ANALYZE all relevant data found in special areas of the disk. The concept of special areas of a disk is explained later in section 3.
- PRINT out an overall analysis of the subject computer system. This analysis includes a listing of all relevant files and discovered file data. The print-out also provides an overview of the system layout, file structures and data authorship information. Any attempts to hide, delete, protect or encrypt information will also be revealed through the print-out.
- PROVIDE EXPERT CONSULTATION and/or testimony as required. This testimony would typically be required to prove the points of a case in a court of law.
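As an added illustration (not from the paper or its authors), the following Python sketch applies the PROTECT, DISCOVER/RECOVER and PRINT steps above to a small constructed in-memory disk image: it records a hash of the image before examination, carves deleted files out of unallocated space by their signatures rather than by file-system metadata, and re-verifies the hash for the report. The image layout, the signature table and all function names are assumptions made for this demonstration.

```python
"""Added example, not from the paper: PROTECT, DISCOVER/RECOVER and PRINT
steps of the methodology run against a constructed in-memory disk image."""
import hashlib

# (header, footer) signatures used to carve files out of unallocated space
# without relying on the file-system metadata that deletion removed.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

def build_sample_image() -> bytes:
    """Constructed image: 32 bytes of allocated metadata, then unallocated
    space still holding a deleted JPEG (offset 40) and PNG (offset 63)."""
    allocated = b"FILESYSTEM-METADATA" + b"\x00" * 13
    deleted_jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-DATA" + b"\xff\xd9"
    deleted_png = b"\x89PNG\r\n\x1a\n" + b"IHDR-DATA" + b"IEND\xaeB`\x82"
    return allocated + b"\x00" * 8 + deleted_jpeg + b"\x00" * 8 + deleted_png + b"\x00" * 16

def hash_image(image: bytes) -> str:
    """PROTECT: record a SHA-256 of the image before any examination."""
    return hashlib.sha256(image).hexdigest()

def verify_image(image: bytes, recorded: str) -> bool:
    """PROTECT: re-hash after examination; any altered byte is detected."""
    return hash_image(image) == recorded

def carve_files(image: bytes) -> list:
    """DISCOVER/RECOVER: scan the whole image for header/footer pairs so
    deleted-yet-remaining files are found as well as allocated ones."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        start = image.find(header)
        while start != -1:
            end = image.find(footer, start + len(header))
            if end == -1:  # header without footer: truncated, not carved here
                break
            end += len(footer)
            found.append((kind, start, end - start, image[start:end]))
            start = image.find(header, end)
    return sorted(found, key=lambda f: f[1])

def summarise(image: bytes, recorded: str) -> dict:
    """PRINT: overall analysis for the report, including the integrity check."""
    return {"sha256": recorded, "integrity_ok": verify_image(image, recorded),
            "recovered": [(k, off, n) for k, off, n, _ in carve_files(image)]}

if __name__ == "__main__":
    img = build_sample_image()
    print(summarise(img, hash_image(img)))
```

Real tools carve from forensic images of physical media acquired through a write blocker; the hash recorded at acquisition is what later re-verification is compared against.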

The subject of this paper is the tools involved in each step of the above-mentioned forensic methodology. The functionalities offered by the tools will also be discussed to offer a better understanding of the forensic process.

These tools generally differ in functionality, complexity and cost. In terms of functionality, some tools are designed to serve a single purpose [4] while others offer a suite of functions. The functionalities offered by a tool are exactly what lead to its complexities. These complexities can be related either to design and algorithmic complexity or to ease of use; in some instances, a tool can offer great functionality but fall short because of a complex interface. Cost is the final distinguishing factor. Some of the market-leading commercial products cost thousands of dollars while other tools are completely free [4]. With these limiting factors (functionality, complexity and cost) in mind, the computer forensic expert needs to evaluate the criticality of the crime and choose the appropriate tool(s) to help with his/her investigation.

In the remainder of this paper, a brief background to computer forensics is given. An explanation of some terms and concepts is given thereafter. The paper then offers an overview of forensic tools by identifying some functionalities and how they are achieved. The paper then also identifies differences between the evaluated tools. Finally, some findings are presented with suggested future add-ons for these tools and a brief conclusion is given.

All logos and trademarks in this site are property of their respective owner. The comments are property of their posters, all the rest © 2008 Forensic Focus