An open source forensic tool to visualize digital evidence

https://doi.org/10.1016/j.csi.2007.03.002

Abstract

Visualizing digital evidence in an easy and constructive manner has become a major problem because of the techniques for hiding, wiping, encrypting and deleting digital data that have been developed in recent years. To tackle this problem, a system for visualizing digital data in three-dimensional (3D) mode has been developed. XML was used as a common language to allow fine-grained management of digital data with flexibility and ease. The extensibility of the implementation makes it particularly suitable as a research and development platform for future open source computer forensics tools. This article examines real-life problems that benefit from using this tool in a congenial and constructive manner, in order to validate its key underlying concept. The design decisions taken in producing the system architecture, and the features it supports, are elaborated upon. To determine the effectiveness of the tool, an actual case study is presented which examines the results of the tool and why an open source model should be adopted as a standard. The paper concludes with performance measurements of the tool and suggests possible extensions to make the tool even smarter.

Introduction

This article attempts to overcome the limitations of existing digital evidence presentation methods and of text or command line utilities by presenting a tool for visualizing file systems that gives an intuitive view of deleted, wiped, encrypted and transformed files with the aid of a 3D visualization technique. The tool supports searching for data in a specific block or sector, navigation through a range of blocks drawn as 3D square boxes, export and viewing of the content of a specific file, and exploration of the file list in a way which offers a better view for presenting digital evidence in cybercrime investigations. We believe that these methods of presentation are superior to non-visual or text-only presentation systems. We describe how the tool was implemented and tested, from detailed system analysis with screenshots to technical architectural design choices, in order to give an appropriate understanding of how the whole system has been developed. In designing and developing our open source forensic tool to visualize digital evidence, we used open source components. We present a case study to show that the tool satisfies user and system requirements and briefly discuss the limitations of the tool and the future work necessary to make it better.

Section snippets

Related work

There are numerous tools, such as EnCase Forensic Edition [1], The Sleuth Kit/TSK [2], The Coroner's Toolkit [3] and LTOOLS [4], available for both extraction and presentation of computer data in digital forensic cases. In our research project we took this fact into account by splitting our tool into two smaller modules, one for the extraction of the data and the other for its presentation, so that the system components become manageable and practicable. For example, this concept

Forensic tools for XML (FTXml)

In some cases the reconstruction of digital evidence can be a very complex task. This is even more so when data have to be obtained from a variety of sources from which digital evidence can be produced. The technologies and methods for wiping, deleting, hiding and transforming digital data have improved over the last few years, which makes it necessary that the process of finding those files on a hard disk drive also be improved. In building our system, called FTXml, to provide an improved solution to

User and system requirements

The most important requirements for the system and the user are as follows:

  • The user shall be able to open and load the XML file created by the FET tool, to search for data (a file name, block number or hash value) in the partition analysed, to export data for both files and blocks, and to print out the investigation data. In addition, the user shall be able to navigate in a 3D world between the blocks of the partition, displayed as square boxes, and choose any block number to view the data that box contains.

Technical approach and design choices

The following list summarises the major choices made and decisions taken during the design phase:

  • Choice of Java as the main programming language: platform independence is an attractive feature for a forensic tool, allowing it to be loaded and executed on a variety of platforms under almost every modern operating system. The Java programming language provides this, with sufficient robustness.

  • Choice of using Java3D as the programming framework to build the 3D virtual

System architecture

The main design characteristic of the implemented tool is its flexibility and extensibility for future improvements, ensured by making the tool open source under the GNU GPL licence so that it can easily be distributed to other programmers to improve it. The flexibility stems from the fact that the program uses XML for the interchange of digital data from any forensic tool that uses XML for storing its data, while

JFAV architectural overview

JFAV consists of two major parts: a set of extra packages written in Java, and the visualization tool, as shown in Fig. 2.

System design and implementation

FoXMLParser is the class responsible for handling the data represented in XML, i.e. reading and separating the data found in the FET-produced XML file so that the visual part of the tool displays the correct data in each field of the program. See Fig. 3 for a detailed technical diagram of how the parser is created and used from the main program.
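As an added illustration of what a parser in this position has to do (this is my example, not JFAV's FoXMLParser, and it is written in Python rather than Java so it can be run without the Java3D stack), the following reads an evidence description in a FET-style XML layout and supports the lookups listed under the user requirements: by file name, by block number and by hash value, plus the grouping by status category that the tree panel displays. The element and attribute names, the sample partition and the hash values are constructed assumptions; the paper does not publish the FET schema, so a real FET file will differ.

```python
"""Parse a FET-style XML evidence description and look up files by name, block or hash.

Added example. The element/attribute layout below is an assumption about the
FET output, not the published schema; SAMPLE_XML is constructed test data.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Constructed sample (assumed layout): one <partition> element with metadata
# and a <files> list where each <file> carries its status category and hash.
SAMPLE_XML = """<?xml version="1.0"?>
<evidence>
  <partition type="ext2" size="20971520" blocksize="1024" blocks="20480"/>
  <files>
    <file name="notes.txt" status="normal" block="512" size="2048"
          md5="9e107d9d372bb6826bd81d3542a419d6"/>
    <file name="plan.doc" status="deleted" block="1400" size="8192"
          md5="e4d909c290d0fb1ca068ffaddf22cbd0"/>
    <file name="secret.gpg" status="encrypted" block="3000" size="4096"
          md5="d41d8cd98f00b204e9800998ecf8427e"/>
  </files>
</evidence>
"""


@dataclass(frozen=True)
class FileEntry:
    name: str
    status: str
    block: int   # first block of the file body
    size: int    # size in bytes
    md5: str     # hex digest recorded by the extraction tool

    def blocks_spanned(self, block_size: int) -> range:
        # Number of whole blocks the body occupies, rounded up, at least one.
        n = max(1, (self.size + block_size - 1) // block_size)
        return range(self.block, self.block + n)


@dataclass(frozen=True)
class Evidence:
    fs_type: str
    block_size: int
    block_count: int
    files: tuple


def parse_evidence(xml_text: str) -> Evidence:
    """Read the partition header and file list; reject malformed input early."""
    # The XML describes someone else's disk, so treat it as untrusted input.
    # ElementTree does not fetch external entities, but refusing any DOCTYPE
    # keeps entity-expansion tricks away from the parser altogether.
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DOCTYPE not permitted in evidence XML")
    root = ET.fromstring(xml_text)
    part = root.find("partition")
    if part is None:
        raise ValueError("missing <partition> element")
    block_size = int(part.get("blocksize"))
    block_count = int(part.get("blocks"))
    files = []
    for f in root.iterfind("files/file"):
        entry = FileEntry(
            name=f.get("name"),
            status=f.get("status", "normal"),
            block=int(f.get("block")),
            size=int(f.get("size")),
            md5=f.get("md5", "").lower(),
        )
        # Structural sanity check: a start block outside the partition means
        # the XML and the block-data file cannot describe the same image.
        if not 0 <= entry.block < block_count:
            raise ValueError(f"{entry.name}: start block {entry.block} is outside the partition")
        files.append(entry)
    return Evidence(part.get("type"), block_size, block_count, tuple(files))


def find_by_name(ev: Evidence, name: str) -> Optional[FileEntry]:
    return next((f for f in ev.files if f.name == name), None)


def find_by_block(ev: Evidence, block_no: int) -> list:
    """Every file whose body covers the given block (the 3D box the user picked)."""
    return [f for f in ev.files if block_no in f.blocks_spanned(ev.block_size)]


def find_by_hash(ev: Evidence, digest: str) -> Optional[FileEntry]:
    digest = digest.lower()
    return next((f for f in ev.files if f.md5 == digest), None)


def by_status(ev: Evidence) -> dict:
    """Group file names by status category, as the tree panel's subtrees do."""
    groups = {}
    for f in ev.files:
        groups.setdefault(f.status, []).append(f.name)
    return groups


if __name__ == "__main__":
    ev = parse_evidence(SAMPLE_XML)
    print(ev.fs_type, ev.block_count, "blocks of", ev.block_size, "bytes")
    print("block 1407 belongs to:", [f.name for f in find_by_block(ev, 1407)])
    print(by_status(ev))
```

The block-range lookup is what turns a click on a box in the 3D world into a file name; the hash lookup is only as good as the digests the extraction tool recorded, so an investigator should recompute them from the block data rather than trust the XML alone.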

Once the FoXMLParser is in place and operating, the program loads all the main panels and the tool is ready for use. If the parser reads something

Presentation panels

The decision to use separate panels for showing the same data in different ways and forms was made so that new panels capable of presenting data in more advanced ways can easily be added to the visualization tool. Each panel in the JFAV program acts independently of the others, and therefore the panels can run as standalone programs as long as the parser's result data is made available to them. When the parser has finished reading the XML file, the main class becomes responsible for

3D panel architecture

The 3D panel has some characteristics that are worth mentioning. First, the fact that the program shows the results in 3D makes it quite heavy to load into physical memory at runtime. In the first version of the program, during development, we tried to implement the virtual world by drawing all the objects found in the XML file on the screen at once. This made the program request an extremely large amount of physical memory, which could not be provided. The final version

Tree panel architecture

The tree panel shows the user, in an attractive and intuitive way, the files found in the XML data file. These files are separated into several categories under the Files subtree. Fig. 8 shows a screenshot of the panel, which is located on the left side of the window. By selecting a leaf in the tree, the user can see its details in a text area next to the tree, and the user has the option to save the tree list in plain text format. The user can also save the data of a selected

Text panel architecture

The third panel, which is the last view option, provides more technical reporting of the retrieved data. It shows the data of each block found in the disk image in hex and plain text formats. The text panel lets the user find a block in several ways, as shown in Fig. 10. A screenshot of the panel, shown in Fig. 11, illustrates the following features:

  • a dynamic slider, located in the right side of the panel, which ranges over the blocks found in the
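The following is an added example of my own, not JFAV code, showing the two mechanisms behind this panel and behind the fix the 3D panel needed: blocks are read on demand by seeking into the block-data file, so memory use is bounded by the window the slider currently shows rather than by the image size, and the block in view is rendered as hex alongside its printable text. It assumes the block-data file is the raw partition content laid out block after block with a 1024-byte block size (an assumption about the FET output, matching the ext2 case study), and it builds a small constructed image in a temporary directory so it runs offline.

```python
"""Read disk blocks on demand from a block-data file and render one as hex + text.

Added example, not JFAV code. Assumes the block-data file is the raw image
laid out block after block; the sample image is constructed by make_sample_image.
"""
import hashlib
import os
import tempfile

BLOCK_SIZE = 1024  # ext2 block size assumed for the 20 MB case-study partition


def make_sample_image(path: str, blocks: int = 16) -> None:
    """Constructed block-data file: block 3 holds readable text, block 7 is
    all zeros (what a wiped block looks like), every other block is filled
    with a single printable byte so blocks are easy to tell apart."""
    with open(path, "wb") as fh:
        for n in range(blocks):
            if n == 3:
                body = b"shadow copy of contract v2 -- DO NOT SHARE\n"
                fh.write(body.ljust(BLOCK_SIZE, b"\x00"))
            elif n == 7:
                fh.write(bytes(BLOCK_SIZE))
            else:
                fh.write(bytes([0x41 + n]) * BLOCK_SIZE)


class BlockStore:
    """Seeks to the requested block instead of loading the whole image, so the
    resident set is the displayed window, not every block in the partition."""

    def __init__(self, path: str, block_size: int = BLOCK_SIZE):
        self.path = path
        self.block_size = block_size
        self.block_count = os.path.getsize(path) // block_size

    def read(self, block_no: int) -> bytes:
        if not 0 <= block_no < self.block_count:
            raise IndexError(f"block {block_no} outside 0..{self.block_count - 1}")
        with open(self.path, "rb") as fh:
            fh.seek(block_no * self.block_size)
            return fh.read(self.block_size)

    def window(self, start: int, count: int) -> list:
        """The blocks a slider positioned at `start` would show, clipped to the image."""
        start = max(0, start)
        end = min(start + count, self.block_count)
        return [(n, self.read(n)) for n in range(start, end)]


def hexdump(data: bytes, width: int = 16) -> list:
    """Classic offset / hex / printable-text rows for one block."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3 - 1}}  |{text}|")
    return lines


def block_sha256(data: bytes) -> str:
    # Recompute a digest from the bytes actually on disk rather than
    # trusting whatever the extraction tool wrote into the XML.
    return hashlib.sha256(data).hexdigest()


def is_wiped(data: bytes) -> bool:
    """All-zero blocks are the usual signature of a zero-fill wipe."""
    return not any(data)


def find_blocks_containing(store: BlockStore, needle: bytes) -> list:
    # Linear scan; each block is read and released in turn, so a 20 MB image
    # never needs to be resident at once.
    return [n for n in range(store.block_count) if needle in store.read(n)]


def build_demo_store() -> BlockStore:
    """Create the constructed image in a fresh temp directory and open it."""
    path = os.path.join(tempfile.mkdtemp(prefix="jfav-demo-"), "blocks.bin")
    make_sample_image(path)
    return BlockStore(path)


if __name__ == "__main__":
    store = build_demo_store()
    print("blocks containing the phrase:", find_blocks_containing(store, b"DO NOT SHARE"))
    for n, data in store.window(2, 3):
        print(f"block {n} sha256={block_sha256(data)} wiped={is_wiped(data)}")
        print("\n".join(hexdump(data)[:2]))
```

The search helper scans every block because the text panel's "find a block" options include content rather than only a block number; the same on-demand read path serves the slider, which only ever needs the handful of blocks it is positioned over.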

Case study

To put our tool in context, consider a real forensic example: an ext2 partition, under the GNU/Linux operating system, on a hard disk drive, with a size of 20 MB. With the help of the other tool (the FET tool) three files were created to represent the data found in that partition. FET first creates an XML file containing all the details concerning the structure of the partition, then creates a file containing all the block data, and finally a file

Results and evaluation

In general, JFAV ran without any significant problems. It has become clear that some of the options offered can be improved or replaced by more useful ones, but this is now on our enhancement list for future work. More error conditions must be handled before they cause failures, in order to achieve higher stability. Some important extensions that might be considered for further improving the functionality of this program are as follows.

  • Support for filesystems: It is very important

Summary discussion

During the initial development, the program looked like a common forensic tool to visualize digital evidence. Subsequently, it became apparent that building a 3D world to visualize evidential information made the program heavier in terms of development effort, memory requirements and runtime performance, but it was more intuitive to the eye and largely unique compared to other available open source forensic tools. Although a 3D world is not essential for a professional to

Why go for open source model as standards?

3D graphical tools are very complex software systems. Giving away parts of their design and source code is also a complex business, economic and security issue. It is widely acknowledged that the debate between open source and closed source software is one of the most crucial issues in IT, computer science and especially software development. Analysts and specialists are trying to find out which of these two methods is most appropriate in different circumstances and

Conclusion

This paper described the design and implementation of a visualization tool called JFAV for visualizing data extracted from storage devices and represented using an XML file method to give a more comprehensive view of digital evidence. Many strengths and weaknesses identified in designing and developing the JFAV tool have been highlighted throughout this paper. The technical approach and design decisions taken during the development of the tool were discussed and described together with the

Acknowledgements

We would like to thank Ian Sutherland and Ioannis Koukouras of the Computing Department of University of Glamorgan for collaborating in this project and Panos Soufleris for testing the implemented visualisation software tool during the development phase of the prototype system. We also wish to thank Nikita Schmidt for exercising and taking the JFAV tool through its paces, as well as offering his numerous suggestions for improvements to the tool and to this paper.

References (8)

  [1] EnCase Forensic Edition (2006), see...
  [2] The Sleuth Kit (2006), see...
  [3] The Coroner's Toolkit (2006), see...
  [4] LTOOLS (2006), see http://www.it.fht-esslingen.de/~zimmerma/software/ltools/ltools.html

Cited by (6)

  • Forensic Visualization: Survey and Future Research Directions

    2017, Contemporary Digital Forensic Investigations of Cloud and Mobile Applications
  • Forensic Visualization: Survey and Future Research Directions

    2016, Contemporary Digital Forensic Investigations of Cloud and Mobile Applications
  • Answering to 5W Using Digital Forensics Data

    2021, Proceedings - 2021 International Symposium on Computer Science and Intelligent Controls, ISCSIC 2021
  • Hacktivism trends, digital forensic tools and challenges: A survey

    2013, 2013 IEEE Conference on Information and Communication Technologies, ICT 2013
  • Parallel coordinates visualization of large data investigation on HDDs

    2013, Proceedings - 10th International Conference Computer Graphics, Imaging, and Visualization, CGIV 2013
  • Visual analysis of portable computer forensic data

    2013, Lecture Notes in Electrical Engineering