Abstract
This paper describes a five-phase, multi-threaded bootable approach to digital forensic triage, which is implemented in a product called Forensics2020. The first phase collects metadata for every logical file on the hard drive of a computer system. The second phase collects EXIF camera data from each image found on the hard drive. The third phase analyzes and categorizes each file based on its header information. The fourth phase parses each executable file to provide a complete audit of the software applications on the system; a signature is generated for every executable file, which is later checked against a threat detection database. The fifth and final phase hashes each file and records its hash value. All five phases are performed in the background while the first responder interacts with the system. This paper assesses the forensic soundness of Forensics2020. The tool makes certain changes to a hard drive that are similar to those made by other bootable forensic examination environments, although the changes are greater in number. The paper also describes the lessons learned from developing Forensics2020, which can help guide the development of other forensic triage tools.
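The abstract describes a pipeline that runs several triage phases concurrently in the background over every logical file: collect metadata, categorize each file from its header bytes rather than its extension, audit executables against a threat database, and hash everything. The following Python program is an added illustration of that design, not code from the paper or from Forensics2020. It implements phases 1, 3, 4 and 5 on a constructed directory tree (the sample files, the magic-byte table and the KNOWN_BAD hash set are all made up for the example); EXIF extraction (phase 2) is omitted. It only ever opens evidence files for reading, which is the minimum a triage tool should guarantee; a bootable tool must additionally ensure the volume is mounted read-only, since even read access can update timestamps or journal state on some filesystems, which is the forensic-soundness concern the paper evaluates.

```python
"""Added example: a multi-threaded, read-only logical triage pass.
Not the Forensics2020 implementation; names and sample data are constructed."""
import hashlib
import tempfile
from concurrent.futures import ThreadPoolExecutor, as_completed
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, FrozenSet, Optional, Tuple

# Phase 3 table: header signatures (magic bytes) -> category. Constructed, tiny;
# a real tool carries hundreds of entries and checks offsets other than zero.
MAGIC = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"%PDF-", "pdf"),
    (b"MZ", "pe_executable"),
    (b"\x7fELF", "elf_executable"),
    (b"PK\x03\x04", "zip"),
]
# What the extension claims; used to flag files whose header disagrees.
EXT_HINT = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png",
            ".pdf": "pdf", ".exe": "pe_executable", ".zip": "zip"}

# Constructed sample drive contents. "renamed.jpg" is a PE hidden behind an
# image extension; "dropper.exe" is the "known bad" executable.
SAMPLE_FILES = {
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 40,
    "renamed.jpg": b"MZ\x90\x00" + b"\x00" * 60,
    "report.pdf": b"%PDF-1.4\n%constructed",
    "dropper.exe": b"MZ" + b"constructed malicious sample",
    "sub/notes.txt": b"plain text, no known magic",
}
# Phase 4 "threat detection database": hashes of known-bad executables (constructed).
KNOWN_BAD: FrozenSet[str] = frozenset(
    {hashlib.sha256(SAMPLE_FILES["dropper.exe"]).hexdigest()})


@dataclass
class Record:
    path: str
    size: int
    mtime: float
    category: str = "unknown"
    extension_mismatch: bool = False
    sha256: Optional[str] = None
    flagged: bool = False


def classify(header: bytes) -> str:
    """Phase 3: category from leading bytes only; the extension is never trusted."""
    for magic, name in MAGIC:
        if header.startswith(magic):
            return name
    return "unknown"


def triage_file(path: Path, bad_hashes: FrozenSet[str]) -> Record:
    """Phases 1, 3, 4, 5 for one file. Opens the file read-only and streams it
    once: the header feeds classification and the same bytes feed the hash."""
    st = path.stat()                                   # phase 1: logical metadata
    rec = Record(str(path), st.st_size, st.st_mtime)
    digest = hashlib.sha256()
    with path.open("rb") as f:
        header = f.read(16)
        rec.category = classify(header)                # phase 3
        hint = EXT_HINT.get(path.suffix.lower())
        rec.extension_mismatch = hint is not None and hint != rec.category
        digest.update(header)
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    rec.sha256 = digest.hexdigest()                    # phase 5
    if rec.category.endswith("executable"):            # phase 4: executable audit
        rec.flagged = rec.sha256 in bad_hashes
    return rec


def triage_tree(root: Path, bad_hashes: FrozenSet[str] = frozenset(),
                workers: int = 4) -> Dict[str, Record]:
    """Walk root and triage every regular file on a thread pool, so the work
    proceeds in the background while a responder inspects the system."""
    files = [p for p in root.rglob("*") if p.is_file()]
    results: Dict[str, Record] = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        futures = {pool.submit(triage_file, p, bad_hashes): p for p in files}
        for fut in as_completed(futures):
            try:
                rec = fut.result()
            except OSError:
                continue                # unreadable file: skip, never repair or write
            results[futures[fut].relative_to(root).as_posix()] = rec
    return results


def demo() -> Dict[str, Tuple[str, bool, bool]]:
    """Build the constructed tree in a temp dir, triage it, return a summary."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for name, data in SAMPLE_FILES.items():
            target = root / name
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        recs = triage_tree(root, KNOWN_BAD)
    return {k: (r.category, r.extension_mismatch, r.flagged) for k, r in recs.items()}


if __name__ == "__main__":
    for name, summary in sorted(demo().items()):
        print(name, summary)
```

Two points the summary makes visible: `renamed.jpg` is categorized as an executable and flagged as an extension mismatch because only the header is consulted, and `dropper.exe` is flagged because its hash, computed in the same read pass that classified it, appears in the (constructed) bad-hash set. A production tool would add the EXIF phase for image categories and a far larger signature table.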
Copyright information
© 2014 IFIP International Federation for Information Processing
About this paper
Cite this paper
Baggili, I., Marrington, A., Jafar, Y. (2014). Performance of a Logical, Five- Phase, Multithreaded, Bootable Triage Tool. In: Peterson, G., Shenoi, S. (eds) Advances in Digital Forensics X. DigitalForensics 2014. IFIP Advances in Information and Communication Technology, vol 433. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-44952-3_19
DOI: https://doi.org/10.1007/978-3-662-44952-3_19
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-44951-6
Online ISBN: 978-3-662-44952-3