FTK Imager Research Articles

Understanding Digital Forensic Tools: Their Features, Applicability and Key Short Comings. A Compendium

The Paper provides a comprehensive overview of various digital forensic investigation tools. The paper outlines the significance of digital forensics in collecting and preserving evidence for computer crimes and cybersecurity incidents. It discusses several prominent tools, including Encase Professional, Magnet Axiom, Passware Kit Forensic, Falcon Neo, Tableau USB Write Blocker, FTK Imager, and Autopsy, detailing their features, applications, and shortcomings. Key features highlighted include data acquisition methods, advanced file analysis capabilities, and reporting functionalities. The paper also addresses the potential limitations of these tools, such as issues with user authentication, performance under load, and chain of custody concerns. By examining these tools' strengths and weaknesses, the document aims to provide insights into their applicability in various investigative contexts and emphasize the importance of selecting appropriate tools for effective digital evidence management.

Volatile data acquisition and analysis by using Memory Forensics techniques

Memory forensics is a vital component of digital investigations, involving the analysis of volatile memory (RAM) in computer systems to gather evidence, identify malicious activities, and reconstruct cybercrime incidents. This paper provides an overview of memory forensics, highlighting its definition, importance, purpose, and scope. It explores the evolution and significance of memory forensics in response to increasingly complex cyber threats. The memory forensics process is discussed, covering memory acquisition and analysis. Legal and ethical considerations related to the admissibility of memory evidence and privacy protection are examined. The paper also discusses the types of memory, including physical and virtual memory, and their characteristics and significance in memory forensics. Furthermore, it explores the memory acquisition process, different methods, tools, and techniques used, as well as the importance of preserving evidence integrity. Finally, the paper introduces various tools for memory analysis, such as Volatility, Volatility Workbench, FTK Imager, Encase, Hibernation Recon, and Xplico, and highlights their role in extracting valuable evidence from memory dumps.

Automated Windows-Based Timelining Tool for Memory and Disk Image Analysis: Leveraging Timsort Algorithm with WinPmem, FTK Imager, Volatility 3 and The Sleuth Kit

As technology evolves, so does the threat of cyberattacks – making Digital Forensics crucial for damage control and prevention. This paper aims to address the inefficiencies faced by investigators in a forensic setting by automating the processes necessary for disk and memory image acquisition, forensic artifact parsing, and timeline generation. Leveraging publicly available tools such as: WinPmem, FTK Imager, Volatility 3 (VOL3), and The Sleuth Kit (TSK), the developed Python script is then able to provide for a clearer insight into the series of events that have transpired during a cyber incident through the generation of detailed and cohesively organized timelines, then using the Timsort algorithm for timeline analysis.

Comparative Analysis of NIJ and NIST Methods for MicroSD Investigations: A Technopreneur Approach

This research aims to compare the performance of two forensic investigation methods, the National Institute of Justice (NIJ) and the National Institute of Standards and Technology (NIST), specifically for evidence analysis of MicroSD cards. MicroSD cards are frequently used as external storage in various digital devices, making them critical in digital forensic investigations. The study evaluates the effectiveness of these methods using tools such as Access Data FTK Imager and autopsy. The NIJ method enthis comparative passes detailed stages of preparation, collection, examination, analysis, and reporting, while the NIST method includes stages of collection, examination, analysis, and reporting. Results indicate that the NIJ method provides more comprehensive and detailed results, while the NIST method offers a faster investigation process. Additionally, tables and graphs illustrating performance metrics are included to substantiate the findings. This comparative analysis provides valuable insights for technopreneurs in optimizing digital forensic methods for better data integrity and efficiency, ultimately enhancing decision-making processes in technological entrepreneurship. Furthermore, this study aligns with the United Nations' Sustainable Development Goals (SDGs), particularly Goal 9: Industry, Innovation, and Infrastructure, by promoting innovative forensic methods that support the development of resilient infrastructure and foster innovation in the digital age. This study highlights the importance of effective forensic methods in supporting technopreneurial ventures.

Volatile Data Acquisition and Analysis by Using Memory Forensics Techniques

Memory forensics is a vital component of digital investigations, involving the analysis of volatile memory (RAM) in computer systems to gather evidence, identify malicious activities, and reconstruct cybercrime incidents. This paper provides an overview of memory forensics, highlighting its defini-tion, importance, purpose, and scope. It explores the evolution and significance of memory forensics in response to increasingly complex cyber threats. The memory forensics process is discussed, cover-ing memory acquisition and analysis. Legal and ethical considerations related to the admissibility of memory evidence and privacy protection are examined. The paper also discusses the types of memory, including physical and virtual memory, and their characteristics and significance in memory forensics. Furthermore, it explores the memory acquisition process, different methods, tools, and techniques used, as well as the importance of preserving evidence integrity. Finally, the paper introduces various tools for memory analysis, such as Volatility, Volatility Workbench, FTK Imager, Encase, Hibernation Recon, and Xplico, and highlights their role in extracting valuable evidence from memory dumps.

Analisis Forensik Pada Instagram dan Tik Tok Dalam Mendapatkan Bukti Digital Dengan Menggunakan Metode NIST 800-86

Crime is currently increasing with the development of this smartphone, one of which is the crime of using social media. Instagram and Tik Tok are one of the most widely used social media applications in this era. The more users of this social media, it does not rule out the emergence of crimes against fellow users of this social media. Every activity carried out on social media, including criminal acts, leaves evidence or digital traces; whether deleted or not, all will be visible. Digital forensics is the study of how to obtain digital evidence obtained from digital devices. This study aims to determine the process of finding digital evidence on Instagram and Tik Tok social media applications that are accessed via smartphones using the National Institute of Standards and Technology (NIST) method. The stages in this digital forensic method include Collection, Examination, Analysis, and Reporting to obtain digital evidence on Instagram and TikTok using tools in the form of third-party software, namely MOBILedit Forensic Express, Autopsy, and FTK Imager tools. With the final result for the Instagram application tools, MOBILedit Forensic Express is able to acquire evidence with a percentage of 0.02%, for autopsy tools at 40%, and FTK Imager with a percentage of 57%. In the Tiktok application itself, MOBILedit Forensic Express gets a percentage of 27%, while an autopsy is 29%, and the last is the FTK Imager tool with a percentage of 71%. In this study, the FTK Imager tool is superior in the acquisition of evidence between the two tools.

Forensic Digital Analysis of Telegram Applications Using the National Institute Of Justice and Naïve Bayes Methods

Currently, Telegram is an instant messaging application that is often used by the Indonesian people as a means of long-distance communication with other users. Telegram also has good security features to protect all data from its users. However, Telegram has a positive impact on its users. This security feature can be used by several people to protect against digital crimes, especially cases of sexual harassment. To overcome the existing crimes, analysis, and forensic methods are needed to help solve crimes. This research is guided by the investigation process using the National Institute Of Justice (NIJ) method and the Naïve Bayes method to classify the conversations found. It can be concluded that MOBILedit Forensic Express has a poor performance in finding digital evidence in the Telegram application and FTK Imager is very good at finding digital evidence in the Telegram application. In this research, the classification process using the Naïve Bayes method has been able to classify conversations that contain sexual harassment or not. Evaluation of the classification method uses a confusion matrix to determine the best classification model.

Comparative Analysis of Cloning-Hashing Applications for Securing Digital Evidence

The development of the Internet has resulted in an increasing variety of cyber crimes. Cybercrime is closely related to digital evidence, so cybercriminals tend to delete, hide, and format all collected data to eliminate traces of digital evidence. This digital evidence is very vital in proving at trial, so it is necessary to develop applications to secure digital evidence. This study aims to compare the results of cloning and hashing in securing digital evidence and evaluate the performance of a digital forensic application developed under the name Clon-Hash Application v1 compared to applications commonly used by investigators including Autopsy, FTK Imager, md5.exe in terms of its function, the result, CPU usage. The results of the research conducted show that the cloning process is perfectly successful, as evidenced by the hash value results which are the same as paid applications and there are even several other applications that have not been able to display the hash value. Hash values in the Clon-Hash v1 application also vary from MD5, SHA1, and SHA256 which do not exist in other applications. Applications developed are better in terms of function, results, and CPU usage.

Digital Forensic Investigates Sexual Harassment on Telegram using Naïve Bayes

The widespread use of Telegram in Indonesia has had both positive and negative effects. While the app offers strong security features, it has also become a platform for digital crimes, including sexual harassment. This study aims to address the need for effective forensic analysis and classification methods by employing the National Institute of Justice (NIJ) methodology and Naïve Bayes classifier to analyze conversations on Telegram. The research evaluates the performance of digital forensic tools and the effectiveness of the Naïve Bayes method in identifying instances of sexual harassment conversation. The data analyzed is about conversations on the telegram application that contain sexual harassment. Data collection involves extracting relevant conversations and subjecting them to forensic analysis using MOBIL edit Forensic Express and FTK Imager. Based on the test results, the naïve Bayes algorithm can be used to classify conversations into positive and negative about sexual harassment. The value obtained from naïve Bayes testing is the accuracy value of 91.3%, Precision 100%, and Recall 90%.

Forensic Web Analysis on The Latest Version of Whatsapp Browser

With the rapid growth of technology and the increasing number of smartphone users, social media applications have proliferated. Among them, WhatsApp has emerged as the most widely used application, with over a quarter of the world's population using it since 2009. To meet the increasing customer demands, WhatsApp has introduced a browser version, which has undergone continuous updates and improvements. The latest version of WhatsApp exhibits significant differences in features and settings compared to its predecessors, particularly in conversations, images, video recordings, and other aspects. Consequently, this research focuses on analyzing artifacts that can aid in forensic investigations. The study aims to extract artifacts related to conversation sessions, as well as media data such as audio files, contact numbers, photos, videos, and more. To achieve these objectives, various forensic tools will be employed to assist in the artifact search within the WhatsApp browser. The research adopts the NIST framework and utilizes forensic techniques like Autopsy and FTK Imager to read encrypted backup database files. These files contain valuable information such as deleted conversations, phone logs, photos, videos, and other data of interest. Analyzing the artifacts from the WhatsApp browser version contributes to forensic activities, providing valuable insights into the evidence that can be obtained from conversations and media files. By leveraging forensic tools and techniques, forensic practitioners can effectively retrieve and analyze data from the encrypted backup database files. In summary, this research explores the artifacts within the WhatsApp browser version, sheds light on its distinct features, and presents a forensic approach utilizing the NIST framework and forensic tools like Autopsy and FTK Imager to examine encrypted backup database files containing crucial deleted data, conversations, and media files.

Detection and Investigation Model for the Hard Disk Drive Attacks using FTK Imager

Detection and Investigation Model for the Hard Disk Drive Attacks using FTK Imager

ANALISIS KEAMANAN BROWSER DALAM BERSOSIAL MEDIA MENGGUNAKAN METODE INSTITUTE OF JUSTICE (NIJ)

Active users of social media in Indonesia continue to increase every year. But there are still many users who do not understand the security of accessing social media, especially when accessing with a browser. For this reason, the browsers analyzed in this study are the Google Chrome and Mozilla Firefox browsers with two modes, namely public mode and incognito mode. This study aims to identify the level of browser security in using social media in the browser. The method used is the NIJ (National Institute of Justice) methodology. The tool used to get the data is using the FTK Imager 4.5.0.3 application. The results of this study are when accessing social media Facebook, Instagram, Twitter is not safe using Google Chrome and Mozilla Firefox browsers with public mode and incognito mode because user_id, email and some passwords are still detected in the FTK Imager tool. For the percentage results obtained in the study, namely 89% of user_id data, passwords, emails found in public mode Google Chrome browsers, 67% data found in incognito mode Google Chrome browsers, 78% data found in public mode Mozilla Firefox browsers, and 89% of data found in Mozilla Firefox browser incognito mode.Keywords: Live Forensics; Institute of Justice; Browser; Media Sosial; FTK Imager

It is about time–Do exFAT implementations handle timestamps correctly?

Digital forensic investigations require that file metadata are interpreted correctly. In this paper we focus on the timestamps of the exFAT file system. How these timestamps are written may depend on the implementation of the file system. We have performed experiments using Windows, MacOS and Linux to examine whether the respective file system drivers for exFAT use timestamps in the same manner, and whether they take the directory entry UTCOffset fields into account. We have also studied whether the forensic tools: Autopsy, X-Ways Forensics, EnCase Examiner, and FTK Imager interpret the timestamps consistently.The results show that there are substantial inconsistencies both in the file system implementations and in how forensic tools handle these inconsistencies. For the unwary forensic examiner, there is a clear risk of interpreting timestamps incorrectly by a substantial margin.We conclude that timestamp interpretation during criminal investigations should not be based on the assumption that the file system specifications are followed flawlessly by the file system driver developers or necessarily interpreted and displayed correctly by the digital forensic tools.

Forensic Trails Obfuscation and Preservation via Hard Drive Firmware

The hard disk drive stores data the user is creating, modifying, and deleting while a firmware facilitates communication between the drive and the operating system. The firmware tells the device and machine how to communicate with each other and will share useful information such as, disk size and information on any bad sectors. Current research shows that exploits exist that can manipulate these outputs. As an attacker, you can change the size of the disk displayed to the operating system to hide data in, likewise by marking an area of the disk as bad. Users may not be aware of these changes as the operating system will accept the readings from the firmware. However, although the data is not reachable via the operating system this paper looks at the traceability of manipulated data using data recovery software FTK Imager, Recuva, EaseUS and FEX Imager.
 This report examines the use of malicious techniques to thwart digital forensic procedures by manipulating the firmware. It is shown how this is possible and current forensic techniques or software does not easily detect a change within the firmware. However, with the use of various forensic tools, obfuscated trails are detectable. This report follows a black box testing methodology to show the validation of forensic tools or software against anti-forensic techniques. The analysis of the results showed that most tools can find the firmware changes, however, it requires an analyst to spot the subtle differences between standard and manipulated devices. The use of multiple software tools can help an analyst spot the inconsistencies.

Evaluation of free software tools, for the Windows operating system, in the acquisition of RAM memory evidences.

The objective of this article, is to evaluate free software tools of the Windows operating system, for the acquisition of evidence of RAM memory, using the ISO/IEC 25010 standard that defines characteristics and measures of quality of use of a product. The above takes into consideration the technical form for RAM dump analysis and the use of the specific tools DumpIt, FTK Imager, Windows Forensic Toolchest (WFT), OS Forensic and RamCapturer.
 In order to guarantee the usefulness of the selected tools, it is contemplated to define, classify, identify, obtain, analyze and interpret results obtained with the Volatility tool, and thus be able to detect which instrument recovers more, the most efficient one that affects the evidence less. The latter is of utmost importance, since a very subtle alteration could change the HASH obtaining large scale problems in a trial.

The Influence of Virtual Secure Mode (VSM) on Memory Acquisition

Recently, acquiring the Random Access Memory (RAM) full memory and access data is gaining significant interest in digital forensics. However, a security feature on the Windows operating system - Virtual Secure Mode (VSM) - presents challenges to the acquisition process by causing a system crash known as a Blue Screen of Death (BSoD). The crash is likely to occur when memory acquisition tools are being used. Subsequently, it disrupts the goal of memory acquisition since the system must be restarted, and the RAM content is no longer available. This study analyzes the implications of VSM on memory acquisition tools as well as examines to what extent its impact on the acquisition process. Two memory acquisition tools, namely FTK Imager and Belkasoft RAM Capturer, were used to conduct the acquisition process. Static and dynamic code analyses were performed by using reverse engineering techniques that are disassembler and debugger. The results were compared based on the percentage of unreadable memory between active and inactive VSM. Static analysis showed that there is no difference between all applications’ functions for both active and inactive VSM. Further Bugcheck analysis of the MEMORY.DMP is pointed to the ad_driver.sys module in FTK Imager that causes the system to crash. The percentage of unreadable memory while running on active VSM and inactive VSM for Belkasoft is about 0.6% and 0.0021%, respectively. These results are significant as a reference to digital investigators as consistent with the importance of RAM dump in live forensics.

Data Recovery Comparative Analysis using Open-based Forensic Tools Source on Linux

Data recovery is one of the forensic techniques used to recover data that has been lost or deleted. Data recovery is carried out if there is a condition where the data that has been owned is deleted or damaged. If the data has been lost or deleted or even tampered with, then a forensic expert has several ways to restore data that has been lost or damaged. One of them is to use a complete data recovery method using forensic tools, namely, TSK Recover, FTK Imager, Foremost Recover, and Testdisk Recover. Unfortunately, tools such as FTK imager and TSK recover have a weakness, namely that some damaged or corrupted data files cannot be restored in their entirety; they can only be recovered but not be opened. This study uses a tool comparison method approach using foremost recover and Testdisk recover. It's just that this method cannot be used using the graphic user interface (GUI) but using the CLI (Command Line) in the LINUX operating system. And the files that have been recovered will be fully recovered.

Maintaining and Evaluating the Integrity of Digital Evidence in Chain of Custody

The Chain of Custody is an intrinsic part of any inspection. Maintaining and evaluating the integrity of evidence procured from a crime scene is an important part that needs to be done properly by following a certain set of protocols to make the evidence admissible in the court. Keeping track of the evidence right from the moment it was collected from the crime scene till the time it reaches court is also a major task. It is important for the investigator to know how, where and who handles the evidence during analysis at each phase in order to safeguard the integrity of the evidence. Over a period of time, various tools and technologies have been created to handle evidence. Researchers from across the globe have presented various techniques on how evidence should be handled. Many researchers have even incorporated blockchain technology with the chain of custody or life cycle of evidence to make the process stronger. The growth in this domain has been at a rapid pace. This paper presents a method on “Maintaining and Evaluating the Integrity of a Digital Evidence in Chain of Custody” using a global positioning system. The methodology focuses on the use of global positioning system tags or chips which when embedded with the collected evidence enables an investigator to track the evidence throughout its life cycle. The proposed methodology aims to help the investigators to keep track of the evidence throughout its life cycle using very basic tools like FTK Imager and technology like a global positioning system.

DATA PROTECTION TECHNIQUES: A CRYPTOGRAPHY APPROACH

Purpose: Digital world is a complex and a constantly evolving world alongside the modernization. This has been through the improvement of the technology from physical nature information to digitized data that is the information technology. Data is, therefore, becoming a basic element in today's world than they were anticipated some three decades ago, now being shared and stored electronically. This study, therefore, sought to establish the ways in protecting information privacy using cryptography. Methodology: The study adopted a desktop literature review method (desk study). This involved an in-depth review of studies related to data protection and cryptography. Three sorting stages were implemented on the subject under study that is data protection and cryptography in order to determine the viability of the subject for research. The first stage that comprised the initial identification of all articles that were based on data protection and cryptography from various data bases. A second search involved fully available publications on the subject of data protection and cryptography. the third step involved the selection of fully accessible publications. Reduction of the literature to only fully accessible publications yielded specificity and allowed the researcher to focus on the articles that related to data protection and cryptography which was split into top key words. After an in-depth search into the top key words (data protection and cryptography), the researcher arrived at 12 articles that were suitable for analysis. Analysis was done using Excel where the study presented the findings in form of themes. Findings: The research findings point towards several methods that can be used in cryptography which were concluded to include symmetric encryption, asymmetric encryption and hashing. Unique contribution to theory, policy, and practice: Previous studies were reviewed and some of them presented several knowledge gaps. The review of the literature presented knowledge gaps in the contextual, conceptual and methodological fronts. For instance, one of the gap that was presented was the contextual gap (geographical gap). This is because some of the studies were done in different geographical contexts such as the United States, China and Japan. The application of the findings will be challenged by the technological advancements in Kenya since Kenya is still a developing country in the process of up taking new technologies. Other studies in their research applied different methodologies such as the use of the FTK Imager and the use of Hashing. The studies did not entirely focus on the use of cryptography as a method of data security and thus they presented a methodological gap.

Investigasi Bukti Digital Optical Drive Menggunakan Metode National Institute of Standard and Technology (NIST)

DVD-R is a type of optical drive that can store data in one burning process. However, there is a feature that allows erasing data in a read-only type, namely multisession. The research was conducted to implement the data acquisition process which was deleted from a DVD-R using Autopsy forensic tools and FTK Imager. The National Institute of Standards and Technology (NIST) is a method commonly used in digital forensics in scope storage with stages, namely collection, examination, analysis, and reporting. The acquisition results from Autopsy and FTK-Imager show the same results as the original file before being deleted, validated by matching the hash value. Based on the results obtained from the analysis and presentation stages, it can be concluded from the ten files resulting from data acquisition using the FTK Imager and Autopsy tools on DVD-R. FTK Imager detects two file systems, namely ISO9660 and Joliet, while the Autopsy tool only has one file system, namely UDF. The findings on the FTK Imager tool successfully acquired ten files with matching hash values and Autopsy Tools detected seven files with did not find three files with extensions, *.MOV, *.exe, *.rar. Based on the results of the comparative analysis of the performance test carried out on the FTK Imager, it got a value of 100% because it managed to find all deleted files and Autopsy got a value of 70% because 3 files were not detected because 3 files were not detected and the hash values ​​were empty with the extensions * .exe, * .rar and *.MOV. This is because the Autopsy tool cannot detect the three file extensions.