Computer Forensic Tool Paper
All content following this page was uploaded by Abdullahi Mohammed on 20 September 2014.
Abstract:
Computer forensics involves the identification, acquisition, analysis and presentation of digital evidence stored in the form of encoded information. This paper discusses computer forensics and how it is applied in the Microsoft Windows environment. The focus of the research has been on the NTFS file system and on forensic science as applied to Microsoft Windows. The underpinning knowledge developed in the theoretical framework is specifically applied to NTFS computers. The design and implementation of NTFSUNDELETE, a file recovery tool written in Visual C++, was achieved. This tool can be used to recover deleted files during a computer-based forensic investigation. The file recovery tool could be used by any interested person to recover accidentally deleted files under NTFS file systems on Microsoft Windows computers.
International Journal of Information Technology and Business Management
29th July 2014. Vol.27 No.1
© 2012 -2014 JITBM & ARF. All rights reserved

1. INTRODUCTION
In the last decade there has been an enormous increase in computer usage. The development of digital equipment and the availability of computer networks have had a great impact on business today. A lot of transactions that were earlier done by regular mail are today conducted through automated processes on the Internet. This shift has made corporations dependent on computers and computer networks. In the past, information was stored in large archives as paper documents. Today information is stored electronically in databases and often made available over networks. All of these changes have made a lot of the work easier for companies, but the downside is that companies (and private persons) are more prone to attacks in cyberspace.

Criminals and the crimes they commit have always followed the development of new technologies closely; as soon as a new technology is developed, criminals adapt to it and use it to commit crimes. Technology advancements have had a positive influence on business opportunities, but where businesses can make money there is potential for criminals to make money as well. Criminals have now entered the digital world and more and more crimes are committed with the use of computers or other digital devices. Forensic investigators have therefore also been forced to enter the digital world, and this has resulted in an increased need for computer forensic investigators in the past years. Companies have opened their eyes to computer forensics, and many, often larger, corporations have started up their own computer forensic teams within the company. There are a few software packages that have been widely used by computer forensic investigators, but the license fees are quite expensive.

There are few "complete" research papers that take up the forensic (investigative) work, forensics applied to computers and the technical background of the file system that is to be investigated. To conduct a sound computer forensic investigation, the examiner needs to have good knowledge of both the computer forensic process and the underlying technology. Papers focused on the computer forensic process often presuppose good knowledge of the operating system and the file system. Papers focused on forensic examinations of a particular file system often presuppose good knowledge of the forensic process. There is a need for an introduction to computer forensics that takes up both of these areas.

Tools and techniques used in computer forensics are undergoing rapid development. There are few well accepted tools that have been successfully "proven in court". These tools have undergone extensive testing to prove that they do what they are supposed to do.
In addition to these few "accepted" tools there are several tools that have been developed by companies trying to enter the market. Many of the tools are good, even though they may not be as complete as the market leading ones. The problem with most of the tools is, as with most software applications, the lack of a scientific approach to development by the development team [3]. Therefore, there is a risk that errors are introduced that make it hard for an investigator to draw unambiguous conclusions based on the results presented by the tool.

There is a need for education in computer crime and computer forensics, not only for forensic specialists but for security personnel as well. Computer forensic training is offered by several companies, but the training is often intended for future forensic specialists.

The aims and objectives of this paper are to give an introduction to the computer forensics process, to describe how to apply computer forensics to NTFS computers and to discuss the design and implementation of a file recovery tool using the Visual C++ programming language. This tool shall be used to undelete deleted files in a Microsoft Windows NTFS file system environment.

2. LITERATURE REVIEW
Forensic analysis of crime scenes has gone from securing physical evidence such as fingerprints and DNA (Deoxyribonucleic Acid) to securing digital evidence. Technological advances have resulted in more sophisticated crimes using computers and other digital equipment. Sometimes the computer or digital equipment is not used to commit the crime, but digital evidence can be found that helps investigators tie a suspect to the crime and the crime scene [1]. Forensic investigators therefore need to secure digital evidence as well as physical evidence. Digital evidence can be found in many different devices like computers, scanners, printers, digital cameras, cell phones etc.

This section discusses the basics of computer systems and forensic analysis: how digital evidence is processed, how computers are searched for evidence, and how to analyze the evidence found on computers. The following chapters explain where to look for evidence on an NTFS computer.

2.1 FORENSIC ANALYSIS OF COMPUTER SYSTEMS
Forensic analysis of computer systems is performed with specialized computer forensic tools, but in order to find the evidence and preserve its integrity the investigator must be aware of how a computer and its file system work.

Every piece of evidence has a forensic value, which describes the possibility to draw conclusions from the evidence [2]. A time stamp has a high forensic value since it makes it possible to reconstruct the order of actions on the computer.

Forensic quality refers to how believable the information is [2]. Information like time stamps is considered to have a high forensic value, but that says nothing about the forensic quality. If there is a possibility that the evidence has been tampered with, the forensic quality decreases.

2.1.1 COMPUTER DISKS AND FILE SYSTEMS
A computer hard disk is used for storing non-volatile data such as program files, system files, user-created files etc. Non-volatile data refers to digital data that remain in memory even if the power is turned off. Volatile data, on the contrary, is lost when the computer is turned off or the power is lost. Volatile data is for example found in the computer's RAM.

A hard disk may be divided into logically separate partitions, each formatted to a volume using a file system such as FAT or NTFS (Windows computers). Files are handled and stored differently on different file systems, and this paper focuses on NTFS as used by the Windows 2000 and XP operating systems. A hard disk may contain up to four primary partitions, which can all have different operating systems and different file systems.

A hard disk is divided into sectors which normally are 512 bytes in size (determined by hardware). Two or more sectors form a cluster, and thus the cluster size is always a multiple of the sector size. Cluster size varies between different file systems, and on NTFS it is possible to manually set the cluster size when formatting the volume. Larger clusters can make the disk blocks more manageable, but with increased waste of disk space [9].
A file stored on disk allocates as many clusters as needed to fit the entire file. Allocated clusters always belong to a certain file and cannot be split between two files. If for example a small file is saved to the disk but does not fill the entire cluster with data, the unused space of that cluster cannot be used for storing any other data as long as that file exists. This unused portion of the cluster is called slack space [4]. The last cluster allocated by a file will always leave a little bit of slack space, since it is highly unlikely that the file fills the entire cluster. Therefore an increased cluster size will result in increased waste of disk space, because the average size of the slack space will be larger [9].

Disk space not currently allocated by any file is called unallocated space. This does not mean that unallocated space is "empty space" on the hard disk. There is often a lot of information that could be found in unallocated space, like deleted files or fragments of deleted files [4].

2.1.2 DATA FILES AND DATA AREAS
During a computer forensic investigation the file system is searched for evidence. Evidence is often found in files, but there are other data areas that may contain evidence, like slack space and unallocated space [10]. One way to divide files and data areas is into the following four categories: user-created files, user-protected files, computer-created files and other data areas [7].

User-created files are files that the user is somewhat aware of; they could be files downloaded from the Internet and saved on disk or files created by the user himself, such as address books, e-mail files, database files, documents or text files, etc.

User-created files have high forensic value and are therefore important, and a lot of evidence may be found in them. If the suspect is engaged in illegal activity it is possible that he/she tries to protect the illegal information from being disclosed. This can be achieved by the use of encryption or by using steganography, and there are other ways as well. These kinds of files are referred to as user-protected files. Some other examples of user-protected files include compressed files, password-protected files, encrypted files etc.

Computer-created files are files that the computer system creates during normal operation, and they are usually a rich source of information about what has been done on the computer. Some of the files are possible to delete, and there are a lot of tools that could aid a criminal in erasing tracks left on a computer. Even if such tools are used there are often some traces left, and it may also be possible to find evidence that such tools have been used. Examples of computer-created files include backup files, log files, cookies, printer spool files, configuration files, etc.

Other data areas refer to files and data areas not covered by the first three categories. The following are some examples: bad clusters, deleted files, free space, hidden partitions, slack space, unallocated space etc.

Note that free space is disk space not allocated by any partition, whereas unallocated space is disk space not allocated by any file on a partition.

2.1.3 LIVE AND DEAD SYSTEMS
When the investigator is to confiscate a live system there are some issues to consider before cutting the power. A live system refers to a system that is up and running, where information may be altered as data is continuously processed. Dead systems are systems that are switched off and where no data processing is taking place [5]. To retain the integrity of the data it is often considered appropriate to cut the power supply to the computer, but this has other implications. There is a lot of information of evidentiary value that could be found in a live system. Switching it off may cause loss of volatile data such as running processes, network connections and mounted file systems. In contrast, leaving a computer running may cause evidence to be altered or deleted. The investigator therefore needs to decide which alternative is best in a given situation. Another approach is to use specialized tools to extract volatile data from the computer before shutting it down.

2.2 NTFS DISK STRUCTURE
NTFS stands for "New Technology File System". NTFS is a file system introduced by Microsoft with Windows NT and is supported by subsequent versions of Windows, such as Windows 2000, Windows XP, Windows Server 2003, Windows Server 2008, Windows Vista, and Windows 7,
released on October 22, 2009. NTFS is therefore a widely used file system on Windows systems today.

2.2.1 VOLUMES AND FILE SYSTEMS
A volume is a logical partition of the disk. There may be several volumes on one physical disk, and each volume is represented by a drive letter and a colon (e.g. C: and D:) in Windows systems. Each volume is formatted with its own file system, like FAT and NTFS on Windows systems or EXT2 and EXT3 on UNIX/Linux systems. NTFS offers higher security and more flexibility than the previous FAT file system.

2.2.2 CLUSTERS
A computer hard disk is divided into sectors, and the file system bundles one or more sectors together to form a cluster. A simple rule is that the larger the disk, the larger the cluster size. Cluster size may be changed when formatting the disk. Table 1 shows the default cluster sizes for different disk sizes on NTFS formatted disks:

Table 1: Default Cluster Size on NTFS formatted disks
Volume Size              Default Cluster Size
512 MB or less           512 bytes
513 MB – 1,024 MB        1 KB
1,025 MB – 2,048 MB      2 KB
Greater than 2,048 MB    4 KB

On an NTFS formatted disk all clusters have a Logical Cluster Number (LCN). LCNs are the sequential order of the clusters from the beginning of the volume to the end. LCN 0 (zero) refers to the first cluster in the volume (the boot sector). NTFS converts the LCN to a physical disk address (the byte offset within the volume where the cluster resides) by multiplying the LCN with the cluster size (Russinovich, 2003).

Clusters belonging to the same file are also given a Virtual Cluster Number (VCN). VCNs are the internal order of the clusters in a file, and these clusters do not need to be physically contiguous on the disk.

2.3 NTFS AND FORENSIC INVESTIGATORS
During an examination of a computer system the computer forensic investigator tries to find evidence that can answer the following questions: who, what, when, how, where and why? But is it possible to answer these questions, and what degree of forensic value and what forensic quality can be obtained?

NTFS, like most other file systems, was not designed with computer forensics in mind, but there is a lot of information on the computer that could be used in an investigation.

It is possible to find evidence of computer usage because a lot of the actions taken by the user leave traces on the computer. Creating, deleting, renaming, modifying and accessing files will all cause changes to metadata files in the MFT. Executing programs will leave the same kind of traces, since a program is treated as a file like everything else. Printing documents will also leave traces, since the document is cached before it is printed. Examining files may therefore give an understanding of what programs were executed, what files were accessed and modified, and so on.

2.3.1 THE IMPORTANCE OF METADATA FILES IN COMPUTER FORENSICS
Metadata contain a lot of information about files and are therefore a useful source of evidence in a computer forensics investigation. Examining metadata files may give evidence of user activities, the computer's current and previous configuration, and so on. Often when a suspect becomes aware that he/she is under investigation, he/she might try to eliminate all traces by deleting files that could be used as evidence. Locating and recovering metadata files might be enough to track user activities even if recovery of the actual data files is unsuccessful.

2.3.2 FILE RECOVERY
MFT file records belonging to deleted files may be possible to harvest, because file records are not permanently deleted and will remain on disk until they are overwritten by new file records [5]. The chance of successfully recovering deleted (marked for deletion) file records decreases with time, since NTFS overwrites deleted file records before allocating additional space for the MFT. The file
records contain the standard information (MAC times, amongst other things) and the file name. Such information could be very useful in an investigation. If the file record is recovered, the data runs for the file's non-resident data will also be known, and the data could easily be recovered. Without the file record a physical search of the disk could still locate and recover the deleted file, provided it is not fragmented. Fragmented files are very hard to recover completely through a physical search, but even if only parts of the file are recovered they may include important evidence.

has been emptied and the system rebooted, the index numbering starts over.

Files found in the Recycle Bin have been deleted by the user and not by the system, because files deleted by the operating system are not moved to the Recycle Bin. When the Recycle Bin is emptied the INFO2 records are deleted, but it might be possible to recover them. The copies of the files are also deleted from the Recycle Bin folder, but with the INFO2 records they might be recovered.
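The recovery path described in 2.3.2 (a harvested MFT record yields the data runs of the file's non-resident data) and the LCN-to-byte-offset rule from 2.2.2, carried out in code as an added example. This is not code from the paper or from the NTFSUNDELETE tool; the run list, the cluster size and the volume image are constructed for the demonstration, while the data-run byte layout is the standard NTFS encoding for non-resident attributes.

```python
"""Decode the data runs of a recovered MFT file record and rebuild the file.

Added example, not the paper's or the NTFSUNDELETE tool's code. VCNs number
the clusters inside the file, LCNs number them on the volume, a volume byte
offset is LCN * cluster size, and a fragmented file can be reassembled from
its runs although a physical search could not find it whole.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Extent:
    vcn: int          # first virtual cluster of the run (position in the file)
    lcn: int          # first logical cluster of the run (position on the volume)
    length: int       # run length in clusters
    byte_offset: int  # lcn * cluster_size: where the run starts on the volume


def decode_data_runs(runs: bytes, cluster_size: int) -> List[Extent]:
    """Decode a data-run list into extents carrying their volume byte offsets.

    Each run starts with a header byte: low nibble = number of bytes holding
    the run length, high nibble = number of bytes holding the LCN delta. The
    delta is little-endian and signed, relative to the previous run's LCN, so
    a later run may lie before an earlier one on disk. A 0x00 byte ends the list.
    """
    extents: List[Extent] = []
    vcn = lcn = pos = 0
    while pos < len(runs) and runs[pos] != 0x00:
        len_bytes, off_bytes = runs[pos] & 0x0F, runs[pos] >> 4
        pos += 1
        if len_bytes == 0 or pos + len_bytes + off_bytes > len(runs):
            raise ValueError(f"malformed data run at byte {pos - 1}")
        length = int.from_bytes(runs[pos:pos + len_bytes], "little")
        pos += len_bytes
        if off_bytes:  # a run without an offset is sparse and owns no clusters
            lcn += int.from_bytes(runs[pos:pos + off_bytes], "little", signed=True)
            pos += off_bytes
            extents.append(Extent(vcn, lcn, length, lcn * cluster_size))
        vcn += length
    return extents


def is_fragmented(extents: List[Extent]) -> bool:
    """True when the file's clusters do not form one contiguous range on disk."""
    return any(b.lcn != a.lcn + a.length for a, b in zip(extents, extents[1:]))


def slack_bytes(file_size: int, cluster_size: int) -> int:
    """Unused bytes in the file's last allocated cluster (slack space, 2.1.1)."""
    return (-file_size) % cluster_size


def reassemble(volume: bytes, extents: List[Extent], cluster_size: int,
               real_size: int) -> bytes:
    """Rebuild the file from a raw volume image by following its extents.

    The run list names whole clusters only; real_size (the $DATA attribute's
    real size) cuts off the slack at the end of the last cluster.
    """
    data = b"".join(volume[e.byte_offset:e.byte_offset + e.length * cluster_size]
                    for e in extents)
    return data[:real_size]


# Constructed run list: 16 clusters at LCN 0x1234, then 5 clusters starting 32
# clusters *before* that (delta 0xE0 = -32), then 2 clusters 0x1000 further on.
SAMPLE_RUNS = bytes.fromhex("21 10 34 12" "11 05 E0" "31 02 00 10 00" "00")
CLUSTER_SIZE = 512  # Table 1: default cluster size for volumes of 512 MB or less


def demo() -> dict:
    """Scatter a file into the clusters the runs name, then recover it again."""
    extents = decode_data_runs(SAMPLE_RUNS, CLUSTER_SIZE)
    total = sum(e.length for e in extents)
    real_size = total * CLUSTER_SIZE - 300  # file ends 300 bytes short of a cluster
    payload = bytes(i % 251 for i in range(real_size))
    # Constructed volume image; 0xFF wherever the file was never written.
    volume = bytearray(b"\xFF" * (max(e.lcn + e.length for e in extents) * CLUSTER_SIZE))
    cursor = 0
    for e in extents:
        chunk = payload[cursor:cursor + e.length * CLUSTER_SIZE]
        volume[e.byte_offset:e.byte_offset + len(chunk)] = chunk
        cursor += e.length * CLUSTER_SIZE
    recovered = reassemble(volume, extents, CLUSTER_SIZE, real_size)
    return {
        "offsets": [e.byte_offset for e in extents],
        "fragmented": is_fragmented(extents),
        "slack": slack_bytes(real_size, CLUSTER_SIZE),
        "recovered": recovered == payload,
    }
```

The second run in the sample list points backwards on the volume, which is exactly the case a physical search cannot resolve but the data runs do; on a real image, `volume` would be the raw volume read from the evidence copy rather than the constructed bytearray.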
scanners, and they can therefore tell a lot about the computer's current and previous configuration, file accesses, devices etc. [5]. Shortcuts are often found on the Windows Desktop or in the Windows Start Menu, but there are several other locations that hold shortcut files.

2.4.6 THUMBNAIL FILES (THUMBS.DB)
Windows creates thumbnails for graphic image files (JPG, GIF, PNG and BMP) which are used when listing files as miniatures in Windows Explorer. Thumbs.db may contain thumbnails for graphic images that have been deleted [5]. Other information that can be found in thumbs.db files is the original filename and last modified date [10]. On Windows 2000, the full path of the original image file can also be retrieved. On Windows XP the full path cannot be found; only the file name of the original image file can be collected.

2.4.7 REGISTRY ENTRIES
The registry on Windows computers is a rich source of evidence, and it contains information about settings for installed hardware and software. It also contains the user-specific settings and preferences on the computer; thus changes made on the computer, for example in the Control Panel or to installed software, are reflected in the registry entries [11].

2.4.8 PRINTER SPOOLER FILES
Printing jobs are done in the background and make use of temporary files created by the spooling process. The content of the printing job is written to a spool (.spl) file, and information such as username, document name, and data type (RAW or EMF) is written to a shadow (.shd) file. The data type found in the shadow file determines if the spool file is a RAW or Enhanced Metafile (EMF) file. EMFs are used by the default Windows NT print spooler, and EMF files are encoded to provide printer independence. If the spool file is in RAW format the spooled data is formatted for a particular printer; thus RAW spool files are device-dependent [5]. The .spl and .shd files have the same file name, usually a number such as 00002.SPL and 00002.SHD. By default, both files are written to the following location:
C:\WINDOWS\SYSTEM32\SPOOL\PRINTERS
When the printing job is done both files are deleted automatically, but as with all files that have been stored on a hard disk it might be possible to recover the files from unallocated space.

3. METHODOLOGY
3.1 CONCEPT OF NTFS UNDELETE
The methodology used in this design is the Structured System Analysis and Design Methodology (SSADM). SSADM uses a combination of text and diagrams throughout the whole life cycle of a system design, from the initial design idea to the actual physical design of the application. Five steps of SSADM were applied in the development of this application: Feasibility Study, Requirements Analysis, Requirements Specification, Logical System Specification and Physical Design. Data Flow Modeling and (high-level) Logical Data Modeling are the techniques applied during development of this tool.

3.1.1 NTFS RECOVERY TOOL DESIGN
A class diagram is used to describe the types of objects in the system and the various kinds of static relationships that exist among them. It is a graphical representation of a static view of declarative static elements and a central modeling technique that runs through nearly all object-oriented methods. This tool is made up of two classes. These classes are used to read the NTFS files. The function of each class is explained as follows:

CMFTRecord class: This is the lowest class, which does the file reading and attribute extraction.
CNTFSDrive class: This class loads the MFT table and manipulates the file according to the user's request.

See the following class diagram for more detail on each of these classes.
Fig. 2: NTFSUndelete Sequence Diagram

4. RESULTS
The NTFSUNDELETE application software was successfully used in recovering deleted files on an NTFS file system, as shown in figure 3.

5. CONCLUSION
Searching several sources of evidence increases the possibility for the investigator to draw unambiguous conclusions about what has happened. All evidence collected is to be used in the relational, temporal and functional reconstruction of the crime. Analyzing and combining evidence collected from the various sources helps the investigator to reconstruct the crime and draw unambiguous conclusions.

One of the major concerns in an investigation is to link the evidence to a physical person. It could be hard to prove that the suspect is connected with the evidence found on the computer. This is the biggest challenge for the investigator, since anyone could have used the computer, especially if password protected accounts have not been used. Physical evidence may tie a suspect to the computer; for example, it may be possible to prove that a specific person has used the computer if fingerprints are found on the computer keyboard. Knowing that the suspect has used the computer makes it easier to draw further conclusions. This is one of the reasons why securing evidence outside the computer is important.
File recovery pervades much of the forensic work during a computer forensic investigation, whether it is to recover the actual deleted files (Word documents, graphic image files etc.), temporary files (printer spool files) or files containing metadata (index.dat, thumbs.db, INFO2). File recovery is important in an examination of a computer, since a lot of the information may be deleted. Deleting a file on an NTFS computer does not mean that the file is permanently deleted. The file is often recoverable from unallocated space or slack space. Even if the data has been overwritten and the file is not successfully recovered, there may still be a lot of traces left on the computer that can give evidence of the file's existence. The chance of successfully recovering files decreases with time, because the clusters in unallocated space may be overwritten. NTFS also overwrites MFT records relatively quickly, making file recovery harder.

Software tools are part of the solution in an investigation, and the tools should be tested to verify that they behave in a certain manner. It is always important to understand how a tool handles different tasks, and this is even more important if the tool is new and has not been thoroughly scrutinized by independent bodies. Other tools that are less used and developed for a specific task may also be used, but the investigator should be prepared to answer questions in court related to the tool and its inner workings. The decision on which tool to use should depend on the purpose of the investigation. The investigator's knowledge of and skill with various tools could also be of importance.

No matter how skilled an investigator is with a tool, it is important that he is familiar with the file system running on the computer. Understanding how the file system works will help the investigator to interpret the data found.

There is also another side of computer forensics, where tools developed for the purpose of computer forensic examinations may be used with malicious intent. Such tools may be used to steal sensitive information or keep an eye on someone. Using a forensic tool makes it possible to bypass security measures like password protected accounts, but there are several ways to protect the computer and the information stored on it. Some examples of security measures that could be used are password protection of the BIOS, enabling the ATA password and use of EFS.

Given the enormity of the task in cyber crime control and policing, and the absence or dearth of trained and qualified computer forensics law enforcement officers, there is an urgent need for the Federal Government to pay attention to the training of adequate EFCC and police officers in the computer forensic sciences to enhance effective policing of the ever increasing cyber criminals. The problem is serious, particularly now that the Federal Government has passed the Information Technology Bill for this purpose. A law made but that cannot be enforced is no law. Cyber criminals will be forced to retreat if a large percentage of fraudsters are arrested, prosecuted and punished at the first attempt. It is strongly recommended that Polytechnics and Universities should establish Computer Forensics certificate, diploma and degree courses to meet the ever-increasing demand for this type of urgently needed personnel. The provision of adequately qualified experts will beef up their deployment in the police and military. This may well be the antidote to the fast eroding confidence in e-commerce and international trade in Nigeria.

In conclusion, this paper should give the reader the knowledge and skill needed to begin analyzing Microsoft Windows computers and to assist forensic teams during a computer forensic investigation. The file recovery tool could be used to recover accidentally deleted files under NTFS file systems on Microsoft Windows computers. This software is license free.

6. FUTURE WORK
This paper covers the Windows NTFS file system, but computers may use other file systems. Windows computers may, for example, use FAT and/or NTFS file systems, while Linux computers use EXT2 or EXT3 file systems. A computer may also have several operating systems and different file systems on one physical hard disk. Future studies could be done on file systems not covered by this paper and should at least cover the most widely used file systems on computers today.

Computer forensic tools can help find hidden data in unallocated space or in hidden partitions, but as far as I know there is no tool that looks for data in clusters marked as bad by NTFS. It is possible to manually
mark and unmark bad clusters, and therefore logically it could be possible to hide information in such data areas. Future studies should be made on this topic.

Research could also be carried out on a single tool that operates on different operating systems: a multiplatform computer forensic tool.

Reference:
[1] Albert J. Marcella, Jr. and Doug Menendez (2008). Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes (2nd Edition): Taylor & Francis Group, LLC.
[2] Buchholz, Florian and Spafford, Eugene (2004). On the Role of File System Metadata in Digital Forensics: Digital Investigation, Volume 1, Issue 4, Pages 18-23 (December 2004).
[3] Carrier, Brian (2003). Defining Digital Forensic Examination and Analysis Tools Using Abstraction Layers: International Journal of Digital Evidence, Winter 2003, Volume 1, Issue 4.
[4] Casey, Eoghan (2000). Digital Evidence and Computer Crime: Academic Press; 1st edition (March 15, 2000).
[5] Casey, Eoghan (2001). Handbook of Computer Crime Investigation: Academic Press; 1st edition (October 15, 2001).
[6] Jones, Keith J. (2002). Forensic Analysis of Internet Explorer Activity Files. Http://www.foundstone.com/pdf/wp_index_dat.pdf (Retrieved on July 5, 2009).
[7] NIJ (2001). National Institute of Justice. Electronic Crime Scene Investigation: A Guide for First Responders. Washington, D.C.: U.S. Department of Justice, National Institute of Justice, 2004. NCJ 187736. http://www.ojp.usdoj.gov/nij
[8] Russinovich, Mark (2003). Inside NTFS: http://www.windowsitpro.com/Articles/Index.cfm?IssueID=27&ArticleID=3455 (Retrieved on August 5, 2009).
[9] Solomon, David A. and Russinovich, Mark E. (2000). Inside Microsoft® Windows® 2000, Third Edition: Microsoft Press, Redmond, Washington.
[10] Svensson, Anders (2005). Computer Forensics Applied to Windows NTFS Computers: Stockholm University, Kista, Stockholm, Sweden.
[11] WinGuides (2006). Windows Registry Tutorial. http://www.winguides.com/article.php?id=1&guide=registry (Retrieved on August 22, 2010).