File System Forensics
File system forensics is the process of obtaining legal evidence contained in digital devices, especially their storage media (Volonino, 2005). A branch of digital forensic science, it is also known as digital investigation. When acquiring legal evidence about an event in which a digital device was used to breach societal policies, file system forensics is chiefly concerned with the system's storage media (Carrier, 2005).
During the process of retrieving the evidence, several tests are carried out without prior knowledge of the outcome; that is, the tests are hypothetical. These tests seek to answer questions about particular events or activities involving the digital device and the information contained in its storage media that contributed to the event under investigation (Carrier, 2005). The outcome of these tests, also referred to as digital evidence, may either support the hypothesis developed or contradict it, thereby disputing the hypothesis in question (Carrier, 2005).
The main focus of such an investigation is a digital artifact used in a given activity or in an act against state law, i.e. a crime. The digital device in question may have been used to carry out a crime physically, or it may have been used to conduct a digital event that breached the law. File system forensics can therefore be described as a specialized tool for acquiring legal evidence from digital storage media (Wolfe, 2007).
File system forensics is a young discipline within the information technology sector. Only in recent years has it been recognized that digital equipment leaves behind traces of information, and that this information is vital evidence in a wide range of inquiries. The criminal justice profession was the first to adopt the practice; civil law professionals have since adapted comfortably to this new source of vital information (Eckstein, 2004).
The application of forensic knowledge to obtain legal evidence from digital media is a recent development in the information technology sector. In 2003, the American Society of Crime Laboratory Directors–Laboratory Accreditation Board (ASCLD–LAB) recognized digital evidence as fully acceptable evidence, and file system forensics was wholly accepted as an investigation method. This acceptance brought with it a thirst to learn the concepts of digital forensics. The Digital Forensic Working Group was formed to assist educators in developing programs in this field; several colleges and universities now have, or are developing, study programs in it, and there are many career opportunities for people with file system forensic knowledge, i.e. digital evidence investigators.
Before investigating a particular system and retrieving information, the most challenging requirement for digital investigators is to have sufficient knowledge of the file system itself.
Law enforcement officials do not have the authority to arrest and press charges for a proven wrong for which the law provides no remedy. Some actions do not breach the generally accepted policies of society, i.e. the law; nevertheless, some of these actions are questionable, and the culprits in question arguably deserve punishment. Many harmful activities carried out using digital media go unpunished even when the act is wrong according to the law. The issue is evidence: many people who commit such crimes are acquitted simply because there was insufficient evidence to prove that the accused carried out the stated crime. To ensure that those who commit such crimes are brought to book, digital investigations must be carried out properly so that legal evidence is effectively extracted from digital devices (Volonino, 2005).
The Investigation Process
There is no single or specific way to conduct a digital investigation, because different people carry out investigations in different ways. It is much the same as asking security officers to find out who last accessed a given building: one officer may review the security camera footage to identify the last person to enter, while another may question eyewitnesses about who accessed the building last. The most commonly used approach to digital investigation is modeled on the investigation of a physical crime scene, also known as the physical crime scene investigation process (Carrier, 2005). Under this approach we treat the general digital environment, comprising the hardware and software, as the crime scene. The process is characterized by three major stages (Carrier, 2005).
The first stage is the preservation of the state of the digital crime scene. The activities at this phase vary greatly depending on the legal, business, or operational requirements of the investigation being carried out (Kruse, Warren and Heiser, 2002). This stage is crucial because it greatly reduces the chances of evidence being lost or damaged, by ensuring that the scene remains in its original state (Kruse, Warren and Heiser, 2002).
The stage is also important for post-investigation events, because the evidence needs to be preserved for future use and further analysis (Kruse, Warren and Heiser, 2002). There are several methods of preserving the crime scene. The first is to terminate all system processes, power the system down, and then make a copy of all the data in the system. Another way of preserving the system without losing evidence is to suspend all suspect running programs and then disconnect the system from the network; filters can also be applied to restrict remote access, since the culprit involved may remotely delete the evidence. All important data should be backed up to avoid loss during the data analysis (Carrier, 2005).
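The first preservation method above amounts to a bit-for-bit duplication of the storage media. As a minimal sketch (the function name and block size are illustrative assumptions, not taken from any particular toolkit), the raw duplication step might look like this:

```python
def image_disk(source: str, dest: str, block_size: int = 4096):
    """Copy a source device or image file bit-for-bit to a destination file.

    A real acquisition would use a hardware write blocker and verify the
    copy with a cryptographic hash; this sketch shows only the raw copy.
    """
    with open(source, "rb") as src, open(dest, "wb") as out:
        while True:
            chunk = src.read(block_size)
            if not chunk:
                break
            out.write(chunk)
```

Reading in fixed-size blocks rather than all at once keeps memory use constant even for very large images.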
After either of the two preservation processes is carried out, the integrity of the preserved data should be verifiable. A cryptographic hash should be computed: a mathematical function that, based on the data input, generates a very large number (Schneier, 1995). Any change in the input data leads to a great change in the final output, and the output shows no sign of predictability. The function is designed so that it is computationally infeasible to find two inputs that generate the same output; so if the hash value computed over your important data changes, the data has been changed (Mandia and Prosise, 2003).
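The integrity check described above can be sketched with a standard cryptographic hash; the choice of SHA-256 and the helper name here are illustrative assumptions:

```python
import hashlib

def evidence_hash(data: bytes) -> str:
    """Return the SHA-256 digest of acquired data as a hex string."""
    return hashlib.sha256(data).hexdigest()

# Compute the baseline digest at the time of acquisition...
image = b"contents of the acquired disk image"
baseline = evidence_hash(image)

# ...and recompute it before analysis: even a one-byte change
# yields a completely different digest.
assert evidence_hash(image) == baseline
assert evidence_hash(image + b"\x00") != baseline
```

Matching digests give the investigator (and later the court) assurance that the analyzed copy is identical to what was seized.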
The second stage of the investigation process follows the steps taken to preserve the data; it is critical because the evidence search takes place here. As stated earlier, at this stage we search for data that either supports or conflicts with the hypothesis (Mandia and Prosise, 2003).
Depending on the type of incident, this process starts with an assessment of the common locations (Carrier, 2005). As the locations are searched, we look both for evidence that supports the hypothesis and for evidence that conflicts with it; it is important to gather both types. The searching process itself is relatively simple: the characteristics of the object being sought are outlined, and a batch of data is then examined for those characteristics. For example, if we are looking for files with an mp3 extension, we search for all files whose names contain the characters mp3 (Carrier, 2005).
The most common way of searching is to use a search program over the files, typically matching files by their names and common patterns present in the names (Carrier, 2005). Files can also be searched by keywords contained in them, or by metadata such as the time the data was last accessed or last written. The final stage of the file system forensic analysis is the stage where the acquired evidence is used to reconstruct the events that took place in the system (Carrier, 2005). It is at this stage that a conclusion about the hypothesis is reached. The information obtained, if consistent, can be presented as evidence in a court proceeding. The following diagram shows the three stages of the file system forensic analysis.
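A simple form of the name- and keyword-based search described above can be sketched as follows. The helper names are illustrative assumptions, and a real forensic search would also cover deleted files and unallocated space, which this sketch does not:

```python
import fnmatch
import os

def find_files(root: str, pattern: str):
    """Yield paths under `root` whose names match a pattern such as '*.mp3'."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if fnmatch.fnmatch(name.lower(), pattern):
                yield os.path.join(dirpath, name)

def contains_keyword(path: str, keyword: bytes) -> bool:
    """Report whether a file's raw bytes contain a keyword of interest."""
    with open(path, "rb") as f:
        return keyword in f.read()
```

Matching against the lower-cased name makes the extension search case-insensitive, mirroring the "all files with the characters mp3" example in the text.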
This process can be used on both live and dead systems; that is, it applies both to a system where the applications and operating system under investigation are themselves running, and to a system where the investigation is done by running applications on a trusted operating system (Carrier, 2005).
Incremental Investigation Model
This is another forensic investigation model, one that addresses the issue of looping stages in the process of forensic data analysis (Sremack, 2004). The model holds that the looping stages of the digital investigation process are mainly the data searching and analysis stages, while the main data retrieval process and the events that take place after the investigation do not repeat (Sremack, 2004). It emphasizes that data collection takes place only once; what must be repeated are adjustments to the analysis parameters, which occur when the data changes so substantially that a new analysis must be formulated to accommodate the changes (Sremack, 2004).
Recovery of a Volatile File
The file system of a digital device contains both a volatile part and a non-volatile part (Sremack, 2004). Recovering data from the non-volatile part is not difficult, since the information is still present in the storage media. However, according to Ellard and Gally (2003), in their work on tracing tools and techniques for system analysis, the recovery and collection of data from a volatile source is still not well understood in computer file system forensic study and practice, and several research efforts have been devoted to figuring out the proper ways to investigate this area (Ellard and Gally, 2003).
In recent times the analysis of volatile data has been on the verge of becoming common practice in file system forensics, owing to the development of response materials, also referred to as toolkits, that help retrieve such data. The available toolkits are mostly automated applications that operate on a live system in order to collect transient data in memory. According to Brian Carrier (2005) in File System Forensic Analysis, this format of data collection is not completely reliable: if the toolkit is run on a compromised system, the tool depends heavily on the operating system presently on the computer, which may greatly affect the reliability of the collected data. Some toolkits may also change the digital environment of the system, which can cause the loss of memory data, and with it the very data that may constitute the evidence in question. It is therefore important to study these changes and determine whether the alterations caused by the toolkit will affect the acquired data (Carrier, 2005).
There are many demerits and potential flaws in acquiring data by running an application on the original computer file system (Carrier, 2005). A hardware-based operation for duplicating the data contained in memory helps prevent the collected data from being compromised by any malicious code or instruction belonging to the operating system or its applications (Carrier, 2005). There are also problems associated with acquiring data from a running computer system through a network-based model (Noblett and Presley, 2000). A more reliable, forensically sound approach is instead suggested: using a FireWire device to acquire live data, i.e. data from running processes in the computer system (Noblett and Presley, 2000).
According to Ellard and Gally (2003), in their work on tracing tools and techniques for system analysis, the inconsistency and unreliability of memory violates computer file system forensic principles, mainly because the data in memory during the retrieval operation is not consistently maintained while the system is running. This issue presents a great obstacle for computer forensics and needs to be addressed before any further action is taken with the acquired evidence, such as presenting it to a court. Inconsistent data is unreliable and therefore may not be suitable for use as legal evidence (Ellard and Gally, 2003).
The Sarbanes-Oxley Act of 2002
According to Stults (2004), in an overview of Sarbanes-Oxley for the information security professional, a series of corporate financial scandals led Congress to enact the Sarbanes-Oxley Act in 2002 (Sarbanes-Oxley Act, 2002). The Act is arranged into eleven sections referred to as Titles. Its main objective is to increase accounting oversight and raise the level of corporate responsibility by ensuring that all presentation and disclosure procedures are properly followed, thereby increasing accountability and stiffening the penalties for financial crimes (Sarbanes-Oxley Act, 2002).
In several Titles the Act addresses the high rate at which electronic records are produced in corporate environments: as the production of electronic documents grows, there is a corresponding urgent need for electronic evidence accounting for them (Sarbanes-Oxley Act, 2002). Corporate bodies are therefore faced with the obligation to retain all electronic records or face the legal consequences concerning the presentation and disclosure of electronic documents (Sarbanes-Oxley Act, 2002).
Sarbanes-Oxley has greatly changed the file system forensic procedures of most public limited companies. Section 404 of the Act states that such a company must assess all its internal controls and file the resulting report with the Securities and Exchange Commission (Sarbanes-Oxley Act, 2002). The report must also be reviewed by an independent external auditor in order to provide reasonable assurance concerning the company's internal data controls (Sarbanes-Oxley Act, 2002).
A public limited company should develop sound strategies and plans for its internal data controls; its file system forensics capability should likewise be evaluated in accordance with the Act, so that any lost financial records stored on electronic media can be quickly retrieved (Sarbanes-Oxley Act, 2002). The employees and other stakeholders involved should have extensive knowledge of the Act. Employees should not only have the required digital investigation skills but should also be ready at all times to assess whether the established digital forensic protocols have been breached (Richardson, 2005). The company should also seek external consultancy, which helps ensure that internal employees are not working against the respective standards and policies (Richardson, 2005). External consultancy should likewise be sought whenever malicious activity by employees is suspected, as this goes a long way toward minimizing the chances of employees going against the set standards and procedures (Richardson, 2005).
There are also obligations and liabilities facing anyone who tries to tamper with digital evidence under investigation by digital investigators (Sarbanes-Oxley Act, 2002). The Act forbids the alteration or destruction of records about a subject matter that is under investigation or may be on the verge of investigation (Sarbanes-Oxley Act, 2002). To ensure that the set procedures and policies are not breached, public companies must see to it that employees and the external parties involved understand the provisions of the Act. Sarbanes-Oxley gives new provisions for the preservation and proper maintenance of electronic records: under no circumstances should the respective records be destroyed, and an organization may destroy records only when it has legal clearance to do so (Sarbanes-Oxley Act, 2002).
To keep the company secure from breaching the provisions of the Sarbanes-Oxley Act, the organization should have effective recovery strategies in the event that its electronic records are compromised. This gives rise to the need for file system forensic investigators with the right expertise to be on hand. The organization should also make sure that, whenever a loss of electronic information is suspected, file system investigators are notified so that further damage does not take place (Richardson, 2005).
From the above we see that the provisions of Sarbanes-Oxley make the involvement of file system forensic investigators in an organization's undertakings both important and effectively compulsory (Richardson, 2005). This gives the organization an effective way to respond to any accusations concerning electronic records, and the use of file system forensics also helps preserve the organization's files, such as employee details and information concerning operations (Richardson, 2005).
File System Forensic Analysis of Instant Messaging Smart Phones
Instant messaging is the exchange of text messages in real time between two or more people who are registered with, and logged onto, an instant messaging service provider (Tipton and Krause, 2007). The service started as a simple UNIX command line application and grew into a large information technology market with highly developed features that allow users to carry out far more activities than simply sending a text message (Tipton and Krause, 2007). Initially the service required users to download an application, but more recently a feature known as volatile instant messaging has been introduced which does not: participants use their web browsers to access the service without installing any particular application on their systems (Tipton and Krause, 2007).
Phones with internet capability are becoming very popular, with specialized features such as chat and e-mail (Tipton and Krause, 2007). These include instant messaging features that enable people to exchange messages over a network using devices such as the iPhone. According to Mohammed Iftekhar (2010), in the article on forensic analysis of instant messaging, given the vast usage of instant messages and their privacy implications, it is important to take measures from a forensic standpoint in anticipation of potential cybercrimes such as cyber stalking and cyber bullying. Although the applications used on the iPhone are not of the same scale as the instant messaging applications used on computers, the smartphone poses other unique challenges to file system forensic examiners in recovering and analyzing any conversation under investigation. The most commonly used instant messaging applications are Yahoo Messenger, Google Talk and the messaging applications on the Apple iPhone. These results indicate that the forensic analysis of instant messages on smartphones has significant implications and needs to be given specialized attention (Tipton and Krause, 2007).
File System Journal Forensics
Journaling is a modern file system feature that is not yet exploited by most file system forensic toolkits. A file system journal caches data to be written to the file system, ensuring that the information is not lost in the event of an emergency such as power loss or system failure. Analysis of journal data can identify which files were recently overwritten (Noblett and Presley, 2000). Under the right circumstances, analyzing a file system journal can reveal deleted files without having to review the primary sectors of the hard drive (Noblett and Presley, 2000).
Traditional computer forensics mainly involves acquiring and analyzing file system images. Most file system forensic tools exploit file system features in order to obtain evidence; for example, they may find hidden files or deleted data in FAT and NTFS file systems by examining the free space or by searching through the file system. Journaling is an advanced file system integrity feature that most of these tools do not exploit (Noblett and Presley, 2000). According to C. Philips (2007), in International Federation for Information Processing, the journal works by caching some or all data writes in a reserved portion of the disk before they are committed to the file system. In the event of unexpected power loss, malfunction or other anomaly, the journal can be replayed to complete any unfinished writes, preventing file system corruption due to incomplete write operations.
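The caching-then-committing behavior described by Philips, and its forensic value, can be illustrated with a deliberately simplified in-memory model. Real journals such as ext3's JBD use on-disk transaction records; everything below is an illustrative assumption, not an actual on-disk format:

```python
class JournaledStore:
    """A toy write-ahead journal: log each write before committing it."""

    def __init__(self, nblocks: int):
        self.blocks = [b""] * nblocks   # the committed file system blocks
        self.journal = []               # ordered (block_no, data) records

    def write(self, block_no: int, data: bytes):
        self.journal.append((block_no, data))  # 1. cache the intended write
        self.blocks[block_no] = data           # 2. commit it to the file system

    def prior_contents(self, block_no: int):
        """Forensic view: every value the block has held, oldest first."""
        return [data for n, data in self.journal if n == block_no]

store = JournaledStore(8)
store.write(3, b"original entry")
store.write(3, b"overwritten!")

# The live file system shows only the latest data...
assert store.blocks[3] == b"overwritten!"
# ...but the journal still records the earlier, overwritten write.
assert store.prior_contents(3) == [b"original entry", b"overwritten!"]
```

Replaying unfinished journal records after a crash would simply re-apply step 2 for each logged record, which is why incomplete writes need not corrupt the file system; the same log is what lets an examiner see data the file system itself no longer exposes.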
It is apparent that a reliable tool and a proper procedure are required to collect data from a live system without distorting the data or compromising the system's memory in any way, since doing so would compromise the evidence being examined by file system forensic investigators (Ellard and Gally, 2003). Because of the inconsistency of memory, the final data may prove unreliable, and the acquired data may raise challenges in the context of court proceedings; since this is legal evidence, it needs to be consistent and reliable enough for a final judgment to be based on it (Ellard and Gally, 2003).
To overcome the problem of unreliable evidence due to inconsistent memory data, a mechanism should be devised that enables forensic investigators to identify a reliable source of consistent information from which reliable evidence can be obtained (Carrier, 2005). A data source may contain both consistent and inconsistent data, so a way should also be developed to identify the consistent sources within a storage medium. Data that is consistent in storage is said to be static: it remains in the storage media even in the event of power failure. Dynamic data, by contrast, is inconsistent; in an emergency such as a power failure there is no guarantee that it will be recovered, and the chances of recovery are minimal (Ellard and Gally, 2003).
From the above we see that this research has only been done on analyzing data within a consistent logical memory; more work should be done to develop a method of identifying and obtaining the same kind of consistent data within the whole system memory (Kruse and Heiser, 2001). Volatile memory and live data collection are still new topics in file system forensics, so a reasonable body of research is needed before data recovered from a live system can be relied upon with reasonable assurance (Kruse and Heiser, 2001). The digital evidence obtained through file system forensics is generally fragile and easily altered, damaged or destroyed; further research and development should therefore be conducted to ensure that, after data has been retrieved from the file system, it is kept safely, even for future reference. It would be unreasonable to devise good mechanisms for forensic data recovery only for the data not to last long enough to assist society; thorough study is therefore needed to ensure that the volatile data obtained is well kept and maintained so that it can assist even future investigations. This would be a great stride in the field of file system forensics (Kruse and Heiser, 2001).
Research should also be conducted on private websites and blogs; this would greatly help prevent the publication and presentation of information that results in cybercrimes, such as the harassment of persons through the internet and other digital media and the spread of false rumors (Kruse and Heiser, 2001). Such research could be refined by ensuring that information is investigated before it is posted to the internet, so as to establish the possible presence of material that breaches the law and general principles (Kruse and Heiser, 2001). File system forensics cannot be evaluated without also evaluating the various legal rights and obligations involved. If a particular crime is not addressed in the constitution governing a society, there will be no basis for carrying out investigations; rules and regulations therefore need to be put in place so that, after digital investigators retrieve evidence from a particular source, the evidence is presented to court and the people responsible for the crime are punished according to the set rules and standards. Efforts should also be made to have these rules accepted globally, in order to achieve uniformity (Kruse and Heiser, 2001).
There is also a need to improve the file system forensics classifier kit (Han and Kamber, 2010). The ability to process blocks of data is much more important than the ability to process whole files; an interesting area of research would therefore be to determine why the system can classify files with much greater accuracy than it can classify blocks (Han and Kamber, 2010). One possible reason is that blocks contain too little data spread out among many attributes, so it might help to replace or supplement the Markov chain frequencies with byte frequencies (Han and Kamber, 2010).
It is also possible that a more advanced classification algorithm would provide better results for this particular data set (Han and Kamber, 2010). It might be worthwhile to test various classification methods in order to find the best possible classifier for this data set (Han and Kamber, 2010), and interesting to see whether there is an algorithm that can classify blocks with higher accuracy than it classifies whole files (Han and Kamber, 2010). If the accuracy of the classifier could be improved, the file reassembler would be useful to the system (Carrier, 2005). For file systems that store files in a single contiguous series of blocks, the reassembler would not be needed (Carrier, 2005); however, for any file system that breaks up files to reduce the number of empty blocks, the reassembler is essential for recovering data (Carrier, 2005).
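A byte-frequency supplement of the kind suggested above can be sketched as a nearest-centroid classifier. The feature choice, distance metric and class names are illustrative assumptions, not the actual classifier kit:

```python
from collections import Counter

def byte_frequencies(block: bytes):
    """A normalized 256-bin byte histogram: a simple feature vector for a block."""
    counts = Counter(block)
    n = len(block) or 1
    return [counts.get(b, 0) / n for b in range(256)]

def nearest_class(block: bytes, centroids: dict) -> str:
    """Assign the block to the class whose centroid histogram is closest (L1 distance)."""
    feats = byte_frequencies(block)
    def distance(centroid):
        return sum(abs(f - c) for f, c in zip(feats, centroid))
    return min(centroids, key=lambda label: distance(centroids[label]))

# Illustrative "training": one centroid from English text, one from zero-filled blocks.
centroids = {
    "text": byte_frequencies(b"the quick brown fox jumps over the lazy dog " * 20),
    "zeros": byte_frequencies(b"\x00" * 512),
}
assert nearest_class(b"an unknown block of plain english words", centroids) == "text"
assert nearest_class(b"\x00" * 64, centroids) == "zeros"
```

Because the histogram ignores byte order, it may be a more robust feature than Markov chain transition frequencies when a block is small, which is one way to probe the file-versus-block accuracy gap noted above.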
The task of reassembling files would consist of examining the blocks of each class and attempting to calculate the probability that two blocks are from the same file (Carrier, 2005). If this could be achieved, the next task would be determining the order of the blocks. For this to work, some knowledge about file systems could be used: for instance, files that are written onto the disk at once are more likely to occupy sequential blocks in their proper order. Files that are constantly appended to, such as log files, are less likely to be recovered by this method (Carrier, 2005). It is possible that clustering could be used to divide the known blocks into their respective files, although this might not be feasible, since the act of classifying the files has already grouped the blocks by their attributes (Carrier, 2005). Another method would be to exploit known properties of the files; an example would be attempting to piece together HTML files so as to balance the tags (Carrier, 2005). However, this would likely require more human intervention to implement and might be difficult to apply to binary files (Carrier, 2005).
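The tag-balancing idea for HTML can be sketched as a brute-force search over block orderings. The helper names are illustrative assumptions, and the tag check is deliberately rough (it ignores void elements such as <br>):

```python
import re
from itertools import permutations

def tags_balanced(html: bytes) -> bool:
    """Rough check that open/close tags nest properly (illustrative only)."""
    stack = []
    for m in re.finditer(rb"<(/?)([a-zA-Z]+)[^>]*>", html):
        closing, name = m.group(1), m.group(2).lower()
        if not closing:
            stack.append(name)
        elif stack and stack[-1] == name:
            stack.pop()
        else:
            return False          # stray or mismatched closing tag
    return not stack              # every opened tag was closed

def reassemble_html(blocks):
    """Try every ordering of the recovered blocks; keep the first that balances."""
    for order in permutations(blocks):
        candidate = b"".join(order)
        if tags_balanced(candidate):
            return candidate
    return None

blocks = [b"<body><p>hi</p>", b"</body></html>", b"<html><head></head>"]
assert reassemble_html(blocks) == b"<html><head></head><body><p>hi</p></body></html>"
```

Brute force is factorial in the number of blocks, so a real reassembler would instead use the pairwise adjacency probabilities described above to prune the search rather than enumerating every permutation.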
References
Carrier, B. (2005). Defining Digital Forensic Examination and Analysis Tools Using Abstraction Layers. International Journal of Digital Evidence.
Ellard, D. and Gally, M. (2003). New NFS Tracing Tools and Techniques for System Analysis. In Proceedings of the Annual USENIX Conference on Large Installation Systems Administration, October 2003.
Han, J. and Kamber, M. (2001). Data Mining: Concepts and Techniques. Morgan Kaufmann Publishers.
Sremack, J. C. (2004). Formalizing Computer Forensic Analysis: A Proof-Based Methodology. Master's thesis, North Carolina State University.
Kruse, W. and Heiser, J. (2001). Computer Forensics: Incident Response Essentials. Boston: Addison-Wesley.
Noblett, M., Pollitt, M. M. and Presley, L. (2000). Recovering and Examining Computer Forensic Evidence. Forensic Science Communications.
Iftekhar, M. (2010). Forensic Analysis of Instant Messaging. Online article. Retrieved Nov 5, 2010, from http://www.springerlink.com.
Robinson, B. (2007). Computer Forensics Foils Financial Data Theft. ISSA Journal, August 2007. Retrieved Nov 5, 2010, from