Project on Digital Forensic Tool
Added on - 16 Sep 2019
Introduction

My project is to develop a forensic tool that is capable of mounting a digital forensic evidence file in Expert Witness Format (.E01) and performing simple searches on the evidence file, while enabling the sharing of information between different users of the system. The basic understanding of the system is that it will work similarly to a typical digital forensic tool, but with limited functionality, as it is only a proof of concept.

Real World Problems

Although digital forensics is considered a very professional and small field, there are still multiple major digital forensic tools available on the market, both off the shelf and freeware. They each have their own strengths and weaknesses, but they all share one common weakness: a lack of customizability and of information sharing. These commonly used digital forensic tools are usually used exactly as they come when purchased or downloaded; users lack the ability to customize the system for the functions they do or do not require. Furthermore, there is a lack of communication between these digital forensic tools, which at times causes redundant work.
Forensic investigators are unable to communicate or check on the work done by others efficiently, which may result in slow progress in the investigation.

Solutions

The solution to the problem described above is to provide users with a customizable system that lets each user select only the modules or functions they require, so that the resulting system fits the user's requirements as closely as possible. Another solution is to include a module or function that allows investigators to share notes or follow-ups on the same case at the same time, while also implementing user access control.

Modules Proposed to be included in the system

The proposed modules will be included in the system with minimal functionality, to prove the concept of the system.

Mounting – The system is capable of mounting digital evidence files. As a proof of concept, the system will be able to mount files in Expert Witness Format (.E01) with write-block capabilities. After the evidence file is mounted, it will not be tampered with in any way during the investigation, which can be checked using the hash.

Create .dd image – The system will not mount the original evidence file onto the filesystem, to prevent contaminating the original evidence file. Instead, a .dd image will be created from the original evidence file, and that image will be mounted onto the filesystem, where all investigation work will take place. The image created will be identical to the original digital evidence.

Generate Hash – The system is capable of generating a hash value of the selected evidence file to be compared with the original hash value, which is included in the original evidence file. Both hashes will be compared to prove that they are identical.

Share notes – The system will be able to share findings and notes that have been submitted by different investigators on the case, so that they can check and share progress with each other. User access control will be implemented to protect data privacy.
Search – Users can search the mounted image using three different parameters, and the system will return the results. Users can search by file name, file type, and a specific string in files.

Generate Report – The system is able to compile all notes by the different investigators of the same case into a single document containing all notes.

3.3 Proposed System

3.3.1 General

The proposed system consists of three different modules. These three modules are the main functions of the system: Mounting, Search and Submit Findings. The requirements of the project will not be achieved if these three modules are not implemented in the system.

Mounting is regarded as the most important module in the entire project, as without the mounting function investigators are not able to access the evidence file, and the proposed system itself cannot access the evidence file if it is not on the investigator's device. The Mounting module will allow the investigator to mount the evidence file so that the investigator can gain access to it in order to conduct the evidence analysis.

To ease the investigation process, the proposed system provides a Search function, where investigators are able to search the mounted evidence file. The Search module provides three different types of search: file type, keyword and file name. Each of these search functions asks the user to enter a parameter, which the algorithm uses to find matching items and display the results.

After conducting the evidence analysis, investigators are able to submit their findings to the investigation case with the help of the Submit Findings module. The module allows investigators to pick an investigation case they have access to and write their findings in the proposed system.
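The three search types described above (file name, file type and keyword string) as an added example, not code from the project: it assumes the .dd image has already been mounted at a directory, treats "file type" as the file extension, and builds a small constructed directory tree to stand in for the mounted image.

```python
import fnmatch
import os
import tempfile
from pathlib import Path

def _walk(root):
    """Yield every regular file under the mounted image root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            yield Path(dirpath) / name

def search_by_name(root, pattern):
    """File name search: case-insensitive glob on the file name only."""
    return sorted(str(p.relative_to(root)) for p in _walk(root)
                  if fnmatch.fnmatch(p.name.lower(), pattern.lower()))

def search_by_type(root, extension):
    """File type search; 'type' here means the extension (an assumption)."""
    ext = extension.lower().lstrip(".")
    return sorted(str(p.relative_to(root)) for p in _walk(root)
                  if p.suffix.lower().lstrip(".") == ext)

def search_by_string(root, needle, chunk=1 << 20):
    """Keyword search over file contents, read in chunks so large files are
    never loaded whole; the carried tail keeps matches across chunk edges."""
    needle_b = needle.encode()
    hits = []
    for p in _walk(root):
        tail = b""
        with open(p, "rb") as fh:
            while True:
                block = fh.read(chunk)
                if not block:
                    break
                if needle_b in tail + block:
                    hits.append(str(p.relative_to(root)))
                    break
                tail = block[-(len(needle_b) - 1):] if len(needle_b) > 1 else b""
    return sorted(hits)

def build_sample_image():
    """Constructed stand-in for a mounted .dd image (not real evidence)."""
    root = Path(tempfile.mkdtemp(prefix="mounted_dd_"))
    (root / "Documents").mkdir()
    (root / "Documents" / "plan.txt").write_bytes(b"meeting at warehouse 9")
    (root / "Documents" / "invoice.pdf").write_bytes(b"%PDF-1.4 warehouse")
    (root / "photo.JPG").write_bytes(b"\xff\xd8\xff\xe0 not really a jpeg")
    (root / "notes.txt").write_bytes(b"nothing relevant here")
    return root
```

Results are returned as paths relative to the mount point, which is what an investigator would record in a finding.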
Besides the three core functions of the proposed system, the system also provides other functions that complete it. One of these subsidiary functions is called View Notes, where investigators are able to view the findings of an investigation case. Investigators are able to view the findings submitted to the case, along with the findings they submitted themselves.

The proposed system will also have a hash module that generates an MD5 hash value. This hash value will be compared with the hash value obtained from the evidence file information. The hash value will be used to make sure that the integrity of the evidence file has been preserved.

After conducting the investigation, investigators are able to unmount the evidence file from the device using the unmount function. The unmount function is implemented so that investigators can unmount the evidence file, which takes up a chunk of memory on the device.

All of the modules explained above can be accessed by both investigators and the investigation team leader, but there are two additional functions which can only be accessed by the investigation team leader. These two functions are the Generate Report and Create Case modules.

The Generate Report module is similar to Submit Findings and View Findings in that it requires the use of the database. The Generate Report module will retrieve all the findings that were submitted to the investigation case and print all the findings, along with the investigator's name, into a text file. The text file will serve as the report that the investigation team leader uses for other purposes.

Lastly, the Create Investigation Case module allows the investigation team leader to create a case and invite the investigators of their choice to have access to the case. Once the investigators have access to the investigation case, they are able to submit findings into the system under that investigation case.
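The Create .dd image and Generate Hash workflow, from the module list and from the hash module above, as an added example that is not the project's code: it assumes a raw byte stream stands in for the decoded E01 payload (a real .E01 would first be decoded with libewf), uses MD5 as the text states, and constructs its own sample evidence so it runs offline.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 4 * 1024 * 1024  # read evidence in 4 MiB pieces, never as one blob
def create_dd_image(source_path, image_path):
    """Stream acquired data into a raw .dd image, hashing every byte in the
    same pass so the image hash cannot drift from what was written."""
    md5 = hashlib.md5()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
            md5.update(block)
    os.chmod(image_path, 0o444)  # software write-block: working copy is read-only
    return md5.hexdigest()

def hash_file(path):
    """Generate Hash module: chunked MD5 of a file on disk."""
    md5 = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
    return md5.hexdigest()

def verify_image(image_path, stored_md5):
    """Compare the recomputed hash with the hash carried in the evidence
    container; compare_digest gives a constant-time comparison."""
    return hmac.compare_digest(hash_file(image_path).lower(), stored_md5.lower())

def demo():
    """Constructed scenario: random bytes stand in for the acquired payload
    (a real .E01 would first be decoded with libewf); returns three checks."""
    work = tempfile.mkdtemp(prefix="evidence_")
    source = os.path.join(work, "acquired.raw")
    with open(source, "wb") as fh:
        fh.write(b"\x00" * 4096 + b"suspect data" + os.urandom(8192))
    stored_md5 = hash_file(source)  # the hash the tool would read from the E01
    image = os.path.join(work, "evidence.dd")
    md5_at_imaging = create_dd_image(source, image)
    # Tampered copy: flipping one byte past the zero run must fail verification.
    with open(image, "rb") as fh:
        data = bytearray(fh.read())
    data[4100] ^= 0x01
    tampered = os.path.join(work, "tampered.dd")
    with open(tampered, "wb") as fh:
        fh.write(data)
    return (md5_at_imaging == stored_md5, verify_image(image, stored_md5),
            verify_image(tampered, stored_md5))
```

Hashing during the copy and again after mounting gives two independent checks that the working image still matches the acquired evidence.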