_____________________________

IJoFCS (2018) 1, 22-28

The International Journal of
FORENSIC COMPUTER SCIENCE
_____________________________
www.IJoFCS.org
DOI: 10.5769/J201801002 or http://dx.doi.org/10.5769/J201801002

Comprehensive study of digital forensics branches and

tools
Prachi Ankush Zinge1, Madhumita Chatterjee 2
(1) Department of Computer Engineering, PCE, New Panvel, University of Mumbai, Email: [email protected]
(2) Department of Computer Engineering, PCE, New Panvel, University of Mumbai, Email:
[email protected]

Abstract: In today’s world, digital devices are being integral part of our life and these digital
devices are evolving with new technology. Some people make use of new technology for their
personal gain. Cybercrimes are growing rapidly due to evolving technology. Digital forensics is the
science which encompasses, identify, analyze, recover and investigate digital evidences found in
digital devices. To make the forensic process effective the discipline is subdivided into various
branches, where specialized tools are available for a particular branch. Every forensic tool is
associated with some of the limitations which disturb the investigation process. Hence, proper forensic
tool which satisfies the requirement of the case is required to be used.

Key words: Digital Forensics, digital forensic branches, digital forensics tool

I. Introduction Forensics, Small Scale Device Forensics or

In today’s modern era, a lot of cybercrimes take
place due to increased use of computers. These
crimes include various types of frauds, ponzi
schemes and money transfer by unknown
claimants to their accounts. The computers are
interconnected with each other in the form of
networks and exchange huge amount of data
responsible for cyber fraud and cybercrime.
Cyber criminals use IT infrastructure or
technology that has led to the emergence of
Digital Forensic to deal with such crimes.
2. Digital Forensic
Digital Forensic expanded to various sub-
disciplines, namely Computer Forensics, Memory
Forensics, multimedia Forensics, Network
Mobile Device Forensics and Android Forensic
according to attributes of computing and the type
of device used. Many computer parts such as
hard disks, cell phones, iPods, pen drives, digital
cameras, CDs, DVDs, floppies, computer
networks, the Internet etc. contains digital
evidence. Digital evidence can be hidden in
pictures (Steganography), encrypted files,
password protected files, deleted files, formatted
hard disks, deleted emails, chat transcripts etc.
Digital evidence is useful relating to crimes such
as online banking frauds, online share trading
fraud, source code theft, credit card fraud, tax
evasion, virus attacks, cyber sabotage, phishing
attacks, email hijacking, denial of service,
hacking, murder cases, organized crime, terrorist
operations, defamation, pornography, extortion,
smuggling etc.

___________________________________
Paper submitted on: May 14th, 2018
 ____________________________________________ Prachi Ankush Zinge, and Madhumita Chatterjee
Digital Forensics is “the use of scientifically
derived and proven methods for the
preservation, collection, validation, identification,
analysis, interpretation and presentation of digital
evidence for the purpose of facilitating or
furthering the reconstruction of events of a
criminal nature or helping to facilitate the
unauthorized actions shown to be disruptive to
planned actions”[11]. Nowadays, significant
changes have taken place in the digital forensics
process.
2.1 Objective of Digital Forensic
With the advancement of the computer, there is a
revolution in the way humans live, work and play.
Businesses are growing with the help of the
computers rapidly. But there is a dark side of
computers also. Cybercriminals use them to carry
out malicious assaults. These assaults are
varying from fraud and identity theft to hacking,
embezzlement and many such activities.
Evidence can be derived from computers and
used in a court against suspected accused.
Initially, the judges accepted such computer
evidence as any other type of evidence smoothly.
But, as data became more ambiguous with the
advancement of digital devices, computer-derived
evidence lost its reliability gradually.
Hence, for preserving the integrity of the evidence
and to have a subject matter expert opinion,
cybercrimes are investigated for identifying,
generating, analyzing, verifying and presenting
digital evidences in the court using standard
tools. As a precaution, certain policies,
guidelines, standards, laws which are acceptable
to the jurisdictional process are followed for
getting hold of the criminal. It generally comprises
of four major processes:
Acquisition: In this first phase of
investigation, the digital devices are identified for
digital evidences, and then collected in such a
way that the original state or content of the
evidences remains the same and any deletion or
addition cannot be in any possible manner.
Preservation: The evidences collected
from the suspicious machines should be
23
preserved to maintain and guarantee the Chain of
Custody. For this, service providers are needed
who will ensure that the evidence offered in court
is the same as that was collected and there was
no tampering with it while it was in the custody.
Analysis: Analysis phase plays an
important role because the result obtained after
the analysis of the evidences using digital
forensic tools helps the investigators to identify
the cause of the incident and provide them
effective results sufficient to be submitted in the
court for justice. This phase includes recovery of
deleted content and examining the system
content.
Presentation: This phase consists of
coming to the conclusions on the basis of
evidences obtained from the forensic
investigation. In this phase, acquired data is
processed to derive relevant information as per
need and is based entirely on policy and law.
The above process is generally recognized and
followed across the world in the investigation of
cybercrimes
3.BRANCHES OF DIGITAL FORENSICS
Digital Forensics emerged because of the
cybercrimes carried out by use of IT infrastructure
or technology by cyber criminals. Below are given
it’s subdisplines.
Computer
forensic
Mobile Memory
forensic forensic
Digital
forensic
Network Multimedi
forensic a forensic
Figure 1 : Types of Digital Forensic
 ____________________________________________ Prachi Ankush Zinge, and Madhumita Chatterjee
The digital devices contain sensitive personal
information. So it is risky if they are lost or stolen.
Forensic analysis of these devices by developers
and the users can make them more aware of how
and which data to store or not to store. Sensitive
information can be used by the attacker to spoof
the real identity of a person.
Digital forensics plays a very crucial role in the
cybercrime investigations. To submit any digital
or cyber trails as evidence in the court of law, the
digital evidences must follow the four Daubert’s
guidelines to be accepted in the court of law,
which are:
1. Testing- All the tools taken in identifying,
generating and verifying the digital evidence must
be scientifically tested and proven efficient and
reliable acceptable by any court of law.
2. Error Rate- A known error of the process is
identified. The error rate for any tool is calculated
on the basis of the number and severity of bugs
produced in the system.
3. Publication- The tools used during the
investigation process must be common with
experts able to work with those tools. The
publication guideline ensures that the procedure
has been documented and has undergone
several peer reviews to assure quality and work.
4. Acceptability - The tools and the results
generated using them should be acceptable by
the digital forensics community.
3.1 Computer Forensics
Computer forensics as defined by the CSI is “The
preservation, identification, extraction,
interpretation and documentation of computer
evidence, to include the rules of evidence, legal
processes, integrity of evidence, factual reporting
of information found, and providing an expert
opinion in a court of law or other legal and /or
administrative proceedings so as to what was
found[21].
The main goals of a computer forensic
investigation are:
24
• To recover, analyze, and preserve
computer related materials to be
presented as evidence in a court of law
• To identify the evidence quickly, estimate
the potential impact of the crime on the
victim, and assess the internet and
identify the culprit.
3.2 Memory Forensics
Memory forensics or memory analysis deals with
the analysis of volatile data in a computer’s
memory dump. Information security professionals
conduct memory forensics to investigate and
identify attacks or malicious behaviors that do not
leave easily detectable tracks on hard drive data.
Memory forensics can provide a way into the
runtime system activity, including open network
connections and recently executed commands or
processes. In many cases, critical data pertaining
to attacks or threats exist solely in system
memory – namely network connections, account
credentials, chat messages, encryption keys,
running processes, injected code fragments, and
internet history which is non-cacheable. Any
program – malicious or otherwise – must be
loaded in memory to execute, makes memory
forensics important for identifying obfuscated
attacks.
3.3 Multimedia Forensics
Multimedia forensics deals with the analysis of
media files (images, audio, video files, documents
and various file types) which are used to hide
information using Steganography.
Steganography is a technique of hiding a secret
message within an ordinary message and
extracting it at the destination to maintain
confidentiality of data. Criminals have become
more aware so it has also been used as a mode
of communication to hide confidential data and
send it across to the intended audience in several
cases.
3.4 Network Forensics
Network forensics deals with the data found
across a network connection mostly incoming and
outgoing traffic within the host in the Network and
analyze the traffic data logged through firewalls or
IDS or at network devices like routers. The goal
 ____________________________________________ Prachi Ankush Zinge, and Madhumita Chatterjee
of network forensic is to trace the source of the
attack to prosecute the cyber criminals.
Network forensics is defined as “The use of
scientifically proven techniques to collect, fuse,
identify, examine, correlate, analyze, and
document digital evidence from multiple, actively
processing and transmitting digital sources for the
purpose of uncovering facts related to the
planned intent, or measured success of
unauthorized activities meant to disrupt, corrupt,
and or compromise system components as well
as providing information to assist in response to
or recovery from these activities”[7].
Network investigation includes the reformation
and analysis of data from computer networks
associated with having been alternated or got to
in an unauthorized manner. Its purpose is to
permit specialists to reason about the
circumstances or the activity and to submit proof
in front of a court of law [7].
3.5 Mobile Forensics
The unlimited use of Mobile Phones, these days
have made it inevitable source for forensic
analysis, from criminal and noncriminal point of
view. Mobile forensics is the science of
recovering digital evidence from a non-tampered
mobile device under forensically sound conditions
using legally accepted methods.
Today mobile Phones have become so pervasive
that they rule us in many ways which includes;
they are not only helping us to make and attend
a call, but also many business activities, financial
transactions, social networking, SMS, MMS,
video calls, photography, electronic mail, Web
browsing, multimedia capturing, basic editing and
playback, electronic document previewing, store
and manage Personal Information via Persona
Information Management (PIM) applications (e.g.
Contacts, calendar, etc.).
These flexibilities create significant challenges for
mobile forensic tool manufacturers and
examiners in hunting at the right location and
right technique inside the phone. These variations
and changes are so fast that there is always the
25
risk that one forensic tool can be good for a
specific version may not work for the successor
version. Sometimes the power consumption may
lead to vanishing of the information available on
these devices as they are power constrained.
This can occur during one the-fly data acquisition
from the volatile memory. Lack of standard
hardware and software interface further poses
challenge in MDF for the practitioners.
Sometimes the storage is damaged or corrupt
and taking data out of it is very challenging.
Variety of applications for the same task on the
same mobile platform also put challenge, for
example web browsers forensic is also in demand
and there are different types of browsers for
android platforms, which are different from each
other in many respects.
4. FORENSIC TOOLS
4.1 Forensic toolkit (FTK)[12]: FTK Imager is a f
ree tool that can be downloaded from Access Dat
a on its website. FTK is used to acquire, analyze,
and to image hard disk drive. It calculates MD5 h
ash values and confirms data integrity, includes a
variety of tools that include recover deleted files,
analyze email data searching and password crac
king [25]. Another characteristic of FTK Imager is
that it makes a bit-for-bit duplicate image of the m
edia, thereby avoiding accidental manipulation of
the original evidence. The installation of FTK Ima
ger is very simple and the option of using the tradi
tional version, with the need to install the product
hard disk is available. It has the benefit of allowin
g FTK Imager to run directly from a USB key [13].
4.2Autopsy[13] : Autopsy® is a digital forensics
platform and graphical interface to The Sleuth
Kit® and other digital forensics tools. It displays
system events in a graphical interface to help
identify activity and extracts web activity from
common browsers to help identify user
activity[26]. It uses RegRipper to identify recently
accessed documents and USB devices and
identifies short cuts and accessed documents.
Autopsy analyzes disk images, local drives, or a
folder of local files[13]. Tool groups files by their
 ____________________________________________ Prachi Ankush Zinge, and Madhumita Chatterjee
type to find all images or documents and
examiner can view videos and images in the
application and not require an external viewer. It
displays thumbnail of images to help quick view
pictures. It filters out known good files
using NSRL and flag known bad files using
custom hash sets in Hash Keeper, md5sum, and
Encase formats and also tag files with arbitrary
tag names, such as 'bookmark' or 'suspicious',
and add comments. The Tool Extracts strings
from unallocated space and unknown file types in
many languages. It displays file system and
meta-data structure details.
4.3 Winhex[14]: It is made by X-Ways Software
Technology AG of Germany, is a powerful tool for
data analysis, editing, and recovery. WinHex is a
global hexadecimal editor, useful in the field of
computer forensics, low level data processing,
data recovery, and IT security[14]. It scrutinizes
and edits all sorts of files, recover missing data or
deleted files from digital devices. Also, it is a RAM
editor, data interpreter. WinHex is in its core a
universal hexadecimal editor, particularly helpful
in the realm of computer forensics, data recovery,
low-level data processing, and IT security and
inspects and edit all kinds of files, recover deleted
files or lost data from hard drives with corrupt file
systems or from digital camera cards[27]. It is a
disk editor for hard disks, floppy disks, CD-ROM
& DVD,ZIP,Smart Media,Compact Flash,etc.
Winhex has various data recovery techniques.
Random-number generator Supports files of any
size. Very fast. Easy to use. Extensive program
help.
4.4 Mandiant Redline[15] - Mandiant RedLine is
a popular tool for memory and file analysis. It
collects information about running processes on a
host, drivers from memory and gathers other data
like meta data, registry data, tasks, services,
network information and Internet history to build a
proper report.
4.5 Hex Workshop[16]: Hex Workshop
integrates advanced binary editing and data
interpretation and visualization with the ease and
flexibility of a modern word processor[16]. With
26
the Hex Workshop, you can edit, cut, copy, paste,
insert, fill and delete binary data. It allows to jump
to file or sector location, find or replace data,
perform arithmetic, bitwise, and logical
operations, binary compare files, generate
checksums and digests, view character
distributions and export data to RTF or HTML for
publishing. Hex Workshop includes a Sector
Editor with disk imaging tools, a Base Converter
for converting between hex, decimal and binary
data types, a Hex Calculator supporting
arithmetic and bitwise operations, an expression
calculator supporting variables, conditionals,
iteration and arithmetic and bitwise operations,
and a data visualizer designed to help you
visually identify patterns and interesting data from
rendered images.
4.6 QuickStego[17]: QuickStego is a freeware
that is used for image steganography forensics.
QuickStego lets you hide text in pictures so that
only other users of QuickStego can retrieve and
read the hidden secret messages[28]. Once text
is hidden in an image the saved picture is still a
'picture', it will load just like any other image and
appear as it did before[28]. The image can be
saved, emailed, uploaded to the web as before,
the only difference will be that it contains hidden
text. The larger the image, the more text that can
be concealed within and QuickStego will tell you
how many characters of text you must lose if you
go over this limit per picture[28]. In practice a lot
of secret text can be hidden in even a small
image. QuickStego imperceptibly alters the pixels
(individual picture elements) of the image,
encoding the secret text by adding small
variations in color to the image. In practice, to the
human eye, these small differences do not
appear to change the image.
4.7 Wireshark[18] : Wireshark is a traffic
capturing and sniffing tool. It uses Winpcap to
capture packets, so it can only capture the
packets on the networks supported by winpcap.
Captures live network traffic from Ethernet, IEEE
802.11, PPP/HDLC, ATM, Bluetooth, USB, Token
Ring, Frame relay, FDDI networks[29]. Captured
files can be programmatically edited via
command line. Wireshark captures live packet
data from a network interface and open files
 ____________________________________________ Prachi Ankush Zinge, and Madhumita Chatterjee
containing packet data captured with
tcpdump/WinDump, Wireshark, and a number of
other packet capture programs[18]. It import
packets from text files containing hex dumps of
packet data and also displays packets with very
detailed protocol information and save packet
data captured. Export some or all packets in a
number of capture file formats and filter packets
on many criteria and search for packets on many
criteria[18]. Wireshark colorize packet display
based on filters and create various statistics.
4.8 Network Miner[19] : Network miner is a
network forensic analysis tool (NFAT) for
windows that is used as a passive network
sniffer/packet capturing tool in order to detect
operating systems, sessions, hostnames, open
ports etc. without putting any traffic on the
network which extracts files and certificates
transferred over the network by parsing a pcap
file by sniffing traffic directly from the network[19].
NetworkMiner makes it easy to perform advanced
Network Traffic Analysis (NTA) by providing
extracted artifacts in an intuitive user interface.
The way data are presented not only makes the
analysis simpler, it also saves valuable time for
the analyst or forensic investigator and this
functionality can be used to extract and save
media files (such as audio or video files) which
stream across a network of websites such as
YouTube[19]. User credentials (usernames and
passwords) for support protocols are extracted by
NetworkMiner and displayed under the
"Credentials" tab[29].
4.9 MOBILedit[20]: MOBILedit[20] supports
extraction and viewing data from different sources
such as; Contact book, call history, text and
multimedia messages, files, calendars, notes,
reminders, raw application data, IMEI, operating
systems, firmware including SIM details (IMSI),
ICCID and location area information. Wherever
possible MOBILedit based forensic is also able to
retrieve data deleted from phone memory and
can bypass the passcode, PIN and phone backup
encryption techniques too. With MOBILedit
Forensic Express, you can extract all the data
from a phone with only a few clicks. This includes
deleted data, call history, contacts, text
messages, multimedia messages, photos, videos,
recordings, calendar items, reminders, notes,
27
data files, passwords, and data from apps such
as Skype, Dropbox, Evernote, Facebook,
whatsapp, Viber, Signal, wechat and many
others[20].
4.10 FonePaw Android Data Recovery[21] :
The deleted information still exists on the phone
and you cannot find them only because it is
hidden[21]. To get them back, you need to make
sure that you do not factory reset the phone, or
add new operations to it. That is, make sure that
the deleted files have not been overwritten. More
important, you need a professional recovery tool,
for instance, FonePaw Android Data Recovery.
Wrongly delete contacts, photos or messages,
whatever your phone's symptoms, FonePaw
Android Data Recovery has prescribed. The
recoverable files include deleted/lost photos,
contacts, text messages, WhatsApp messages
and photos, videos, music, voice recordings,
document files and more[21]. This program is
easy to operate and efficiently. FonePaw Android
Data Recovery is a risk-free, allowing you to
scan, preview and recover what have been lost
from your Android phone securely[21]. Photos
and videos that are captured and downloaded
can be easily retrieved. You can select file types
to scan and regain at will. But you are required to
make sure your deleted files have not been
overwritten before recovery. So if data loss
happens, stop using mobile phone.
5. Conclusions
In today’s digital world, it is important to secure
our digital devices and data from cybercriminals.
Digital forensic tools play a vital role to recover
deleted data as well as help to find perpetrators
by analyzing evidence. There are so many tools
of forensic and each tool has different operation.
So it becomes difficult to choose the appropriate
tool for respective incident. The above study tells
you about different forensic tools for different
forensic branches.
 ____________________________________________ Prachi Ankush Zinge, and Madhumita Chatterjee
References
[1] Monali P. Mohite, S. B. Ardhapurkar, Design and
implementation of a cloud based computer forensic
tool,2015th fifth International Conference on
Communication Systems and Network Technologies,
IEEE, 2015.
[2] Lianhai Wang, Ruichao Zhang, Shuhui Zhang, A
model of computer live forensics based on physical
memory analysis, The 1st International Conference on
Information Science and Engineering, IEEE, 2009.
[3] Rob Witteman, Arjen Meijer, M-T.Kechadi, Nhien-
An Le-Khae, Toward a new tool to extract the
evidence from a memory card of mobile phones, 4 th
International Symposium on digital forensics and
security, IEEE, 2016.
[4] Mohammad Wazid, Avita Katal, R H Goudar,
Sreenivas Rao, Hacktivism Trends, Digital Forensic
Tools and Challenges: A Survey, Preceedings of 2013
IEEE Conference on Information and Communication
Technologies(ICT 2013), IEEE, 2013.
[5] Ebru Celikel Cankaya, Brad Kupka, A survey of
digital forensics tools for database extraction, FTC
2016- Future technologies conference 2016, IEEE,
2016.
[6] Sriram Raghavan, S V Raghavan, A study of
forensics and analysis tools, IEEE, 2013.
[7] Mrunal H. Mate,Smita R. Kapse, Network Forensic
Tool- Concept and Architecture, 2015 fifth International
Conference on Communication Systems and Network
Technologies, IEEE,2015.
[8] Radhika Padmanabhan, Karen Lobo, Mrunali
Ghelani, Dhanika Sujan, Mahesh Shirole, Comparative
analysis of commercial and open source mobile device
forensic tools, IEEE, 2016.
[9] Noble Kumari, A. K. Mohopatra, An insight into
digital forensics branches and tools, 2016 International
Conference on Computational Techniques in
Information and Communication Technologies, IEEE,
2016.
[10] Neelam Maurya, Jyoti Awasthi, Raghavendra
Pratap Singh, Dr. Abhishek Vaish, International
Journal of Advanced Engineering and Global
Technology, Vol-03, Issue-07, July 2015.
28
[11] E. Casey, Digital Evidence and Computer Crime:
Forensic Science, Computers, and the Internet,
Academic Press,ELSEVIER, 2011.
[12]https://accessdata.com/product-download/ftk-
imager-version-3.2.0/
[13]https://www.sleuthkit.org/autopsy/download.php
[14]http://www.winhex.com/winhex/hex-editor.html
[15]https://www.fireeye.com/content/dam/fireeye-
www/services/freeware/ug-redline.pdf
[16] http://www.hexworkshop.com/overview.html
[17] http://quick-stego.software.informer.com/1.2/
[18] https://www.wireshark.org/download.html
[19] http://www.netresec.com/?page=NetworkMiner
[20] http://www.mobiledit.com/downloads/#forensic
[21] https://www.fonepaw.com/android-data-recovery/
[22] http://csisite.net/forensics.htm
[23] Nihar Ranjan Roy, Anshul Kanchan Khanna,
Leesha Aneja, Android phone forensic: tools and
techniques International conference on computing,
communication and automation, IEEE, 2016.
[24]https://www.eccouncil.org/programs/computer-
hacking-forensic-investigator-chfi/
[25] Nilakshi Jain1 , Dr. Dhananjay R Kalbande, A
Comparative Study based Digital Forensic Tool:
Complete Automated Tool, The International Journal of
FORENSIC COMPUTER SCIENCE,
www.IJoFCS.org,2015.
[26] http://resources.infosecinstitute.com/7-best-
computer-forensics-tools
[27]https://www.computersecuritystudent.com/FOREN
SICS/Windows/Miscellaneous/lesson3/index.html
[28] http://www.quickcrypto.com/free-steganography-
software.html
[29] http://www.forensicswiki.org/wiki/Wireshark