Free Open Source Forensic Tools, Research Paper Example

As with any profession that involves the intensive use of computers, the following forensic tools have an important role in the profession they represent.  These powerful tools may not serve as high-end programs or tools, but they are effective low-end utilities that can help analysts look through log (and other) files.  The following represent open-source programs that can aid the professional in the forensic world.

The Sleuth Kit (TSK)

Digital investigator Brian Carrier created a collection of tools and utilities that can be used to extract data from images and perform investigations.  It is of course a free, open source suite that includes a number of command-line based utilities that is beyond the grasp of this analysis.  According to Carrier (2011), The Sleuth Kit (TSK) is available on Linux, Mac OS X, Windows, CYGWIN, Open & FreeBSD, and Solaris.

The tools within TSK were however originally compiled in Linux.  This means that a knowledge of this language is generally needed to navigate this basic, yet powerful, program.  Additionally, the user will need to know basic file systems associated with computer forensics, including NTFS, FAT, and EXT3, according to Marcos (2005).

The set of tools within TSK work within multiple layers to approach the data needed.  The initial “File System Layer” includes a number of partitions present, which can then be analyzed with the tools on TSK, such as the “fsstat” program, which displays details of the volume in ASCII format.  It is followed by the “Content Layer,” “Metadata Layer,” and finally the “Human Interface Layer.”

Overall TSK works within these layers to extract data, in regards to the many tools at the user’s disposal.  For instance, there is a command line tool that can check for a Host Protected Area (HPA), which “is an area of disk that is often not seen by disk imaging applications (Marcos 2005).”  One of TSK’s advantages is its ability to view deleted and hidden content, which is due to  (according to Carrier, 2011) how the tools do not rely on the OS to process the file systems.

As TSK provides a number of powerful tools, it may be a bit above the head of some individuals.  If the user does not understand the unpolished set of tools that TSK offers, they are advises (this is common, as well) to use a front-end application to employ a friendly interface.  This leads directly into the Autopsy Brower, though there are other choices.  The newer PTK Forensics is a commercial alternative, for instance.

Autopsy Browser

Autopsy Browser, or more formally the Autopsy Forensic Browser (Carrier 2011), is a graphical interface that is specifically designed for use with TSK.  Not only is it made easier and more pleasant for the user, it is not just for elementary users.  The Autopsy Browser is a common way to approach the forensics tools and UNIX utilities in TSK.

The Autopsy Browser integrates the impressive number of tools and features of TSK seamlessly.  One interesting feature is the choice of analysis modes, where a live analysis (as opposed to a “dead analysis” from a dedicated analysis system) can be performed from an untrusted environment.  The live analysis mode eliminates saving data to the local disk.

The interface supports a number of useful functions that works hand-in-hand with TSK.  The program supports plenty of evidence search techniques: file listing, file content, hash databases, file type sorting, timeline of file activity, keyword search, meta data analysis, data unit analysis, and image details.  There are also several types of features in case management: case management, event sequencer, notes, image integrity, reports, logging, open design, and client server model (Carrier 2011).

Not all of these features are directly related to that of TSK.  In other words, although it is a graphical interface, it allows the user to take advantage of the interface for more efficient work.  Logs, MD5 values, and other elements are created, for instance.  As Autopsy is HTML-based, other investigators can concurrently work on a server at any given time from their system.  These and other features specific to Autopsy Browser are thus significant.

Microsoft Log Parser

Microsoft Log Parser is another powerful and open-source application.  It is interestingly not exclusive to forensic software, however.  The command line utility was originally included with the IIS 6.0 Resource Kit Tools.

The program provides “university query access” to data, including log files, CSV files, XML files, and others (Microsoft 2011).  It even has the ability to access key data sources such as the Registry, Event Log, and the file system.  Versatility is a strong point of the application, as queries and outputs, as it will be demonstrated, can be customized into specialty targets, such as SYSLOG, SQL, or a chart.

To briefly approach the main part of the program, the input/output formats, there are an impressive options in both regards.  To the current version of Log Parser (2.2), the program can extract information from TSV, NCSA, W3C, and XML standards.  Input formats pertaining to the Windows Event Log, those generated by IIS, Active Directory objects (including registry keys, files and directories, and registry keys), and formats that parses NetMon capture files.  The user can also write custom input format plug-ins if none of the available input formats are suitable.

Log Parser unsurprisingly has plenty of output formats for the user.  The user is able to save to text files from CSV, TSV, W3C, and XML files.  Custom templates that save to text files, records to a SQL database, Syslog standards, and Excel-style charts are among the many possibilities as well.

In addition to the input/output formats, perhaps the other main portion of the program is the core engine.  It is in the dialect of the SQL language, which holds together the functions on both side of the queries of the program.  There are plenty of queries with the language, such as sorting, aggregating data, and sending results to an output format to display distilled information, that serve the user well.  The program can be used from the command line, the executable file, and from other applications.

Conclusion

The three open-source tools briefly covered all have a place in the world of data forensic tools.  While no tool can take care of the many functions needed from an investigator, these tools are rather powerful.  They certain have an impressive array of abilities, and offer more potential going forward (as many open-source applications continue to evolve, of course).

The tandem of TSK and the Autopsy Browser offer a great deal of potential.  The sheer variety in regards to the functions available are indeed impressive.  The other program, the Microsoft Log Parser, also has a great deal of functionality, especially when its custom queries come into play (in addition to the wealth of data types supported).

These programs represent powerful applications that can extract, order, and find data for investigators, in addition to other functions.  Relevant to the Microsoft Log Parser, there are even additional functions for the program.  As open-source programs, these applications represent important developments in the field, with a vast array of functions and abilities that were only briefly covered.

References

Carrier, Brian. (2011). “Autopsy Overview.”  The Sleuth Kit.  Retrieved from http://www.sleuthkit.org/autopsy/index.php

Carrier, Brian. (2011).  “Sleuth Kit Overview.”  The Sleuth Kit.  Retrieved from http://www.sleuthkit.org/sleuthkit/

Marco, Chris. (2005). “Introduction to The Sleuth Kit (TSK).”  Retrieved from http://www.markosworld.com/forensics/cmarko-tskintro.pdf

Microsoft.  (2011).  Log Parser 2.2.  Microsoft Download Center.  Retrieved from http://www.microsoft.com/downloads/en/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07&displaylang=en