Comparison of Acquisition Software for Digital Forensics Purposes

Muhammad Nur Faiz, Wahyu Adi Prabowo

Abstract

Digital forensics is a term that has become increasingly popular with the growth of internet use and of cybercrime activity. Cybercrime is criminal activity that uses digital media as the tool for committing the crime, and the process for uncovering it is called digital forensics. The initial stage of digital forensics is acquisition. The acquisition phase is very important because it determines how difficult or easy the subsequent investigation of the cybercrime will be. The acquisition software itself affects the artefacts left behind on the system and can even overwrite important evidence, so investigators must use the best software for the acquisition stage. This study shows the differences between software for acquiring Random Access Memory (RAM) in terms of processing time, memory usage, registry keys and DLLs. The research compares five acquisition tools: FTK Imager, Belkasoft RAM Capturer, Memoryze, DumpIt and Magnet RAM Capture. The results show that FTK Imager left about 10 times more artefacts than DumpIt and Memoryze, and that Magnet RAM Capture left the most artefacts, 4 times more than Belkasoft RAM Capturer. The acquisition software that leaves many artefacts is therefore Magnet RAM Capture and FTK Imager; DumpIt is the fastest, while Magnet RAM Capture takes the longest.
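The comparison the abstract describes rests on a footprint measurement: snapshot the registry keys and loaded DLLs before an acquisition tool runs, snapshot them again afterwards, and count what the tool left behind alongside its processing time and memory usage. The script below is an added example of that analysis step and is not code from the paper or from any of the tools it compares; the tool names (tool_a, tool_b, tool_c), registry key paths, DLL names, timings and memory figures are all constructed sample data, not measurements from the study.

```python
# Added example (not from the paper): ranking memory-acquisition tools by the
# artefacts they leave behind, from before/after host snapshots.
# All tool names, registry keys, DLL names and timings here are constructed.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Snapshot:
    """State of the host captured before or after an acquisition run."""
    registry_keys: FrozenSet[str]
    dlls: FrozenSet[str]


@dataclass(frozen=True)
class ToolRun:
    name: str
    before: Snapshot
    after: Snapshot
    seconds: float       # wall-clock processing time of the capture
    peak_mem_mb: float   # peak private memory of the tool process


def artefacts_left(run: ToolRun) -> Dict[str, List[str]]:
    """Registry keys and DLLs present after the run that were absent before."""
    return {
        "registry_keys": sorted(run.after.registry_keys - run.before.registry_keys),
        "dlls": sorted(run.after.dlls - run.before.dlls),
    }


def artefact_count(run: ToolRun) -> int:
    """Total number of new registry keys plus new DLLs left by one run."""
    left = artefacts_left(run)
    return len(left["registry_keys"]) + len(left["dlls"])


def artefact_ratio(a: ToolRun, b: ToolRun) -> float:
    """How many times more artefacts tool a leaves than tool b."""
    return artefact_count(a) / artefact_count(b)


def rank_by_footprint(runs: List[ToolRun]) -> List[str]:
    """Least intrusive first: fewest artefacts, ties broken by shorter run time."""
    return [r.name for r in sorted(runs, key=lambda r: (artefact_count(r), r.seconds))]


def rank_by_time(runs: List[ToolRun]) -> List[str]:
    """Fastest capture first."""
    return [r.name for r in sorted(runs, key=lambda r: r.seconds)]


# --- constructed sample data (placeholder tools and paths, not real results) --
BASELINE = Snapshot(
    registry_keys=frozenset({
        r"HKLM\SYSTEM\CurrentControlSet\Services\Disk",
        r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    }),
    dlls=frozenset({"ntdll.dll", "kernel32.dll"}),
)


def _after(extra_keys: List[str], extra_dlls: List[str]) -> Snapshot:
    """Baseline plus whatever a (hypothetical) tool added during its run."""
    return Snapshot(BASELINE.registry_keys | frozenset(extra_keys),
                    BASELINE.dlls | frozenset(extra_dlls))


RUNS = [
    ToolRun("tool_a", BASELINE,
            _after([r"HKLM\SYSTEM\CurrentControlSet\Services\tool_a_drv",
                    r"HKCU\Software\tool_a"],
                   ["tool_a_helper.dll", "tool_a_ui.dll"]),
            seconds=95.0, peak_mem_mb=180.0),
    ToolRun("tool_b", BASELINE,
            _after([r"HKLM\SYSTEM\CurrentControlSet\Services\tool_b_drv"], []),
            seconds=40.0, peak_mem_mb=12.0),
    ToolRun("tool_c", BASELINE,
            _after([r"HKLM\SYSTEM\CurrentControlSet\Services\tool_c_drv",
                    r"HKCU\Software\tool_c",
                    r"HKCU\Software\tool_c\Settings"],
                   ["tool_c_capture.dll", "tool_c_net.dll", "tool_c_log.dll"]),
            seconds=120.0, peak_mem_mb=300.0),
]


if __name__ == "__main__":
    for run in RUNS:
        print(f"{run.name}: {artefact_count(run)} artefacts, "
              f"{run.seconds:.0f}s, {run.peak_mem_mb:.0f} MB peak")
        for kind, items in artefacts_left(run).items():
            for item in items:
                print(f"    {kind}: {item}")
    print("least intrusive first:", rank_by_footprint(RUNS))
    print("fastest first:        ", rank_by_time(RUNS))
    print("tool_c vs tool_b artefact ratio:", artefact_ratio(RUNS[2], RUNS[1]))
```

The before/after snapshots are the part that must be collected on the live host (for example by exporting the relevant registry hives and enumerating loaded modules) before and after each capture; the diff and ranking above are then the same regardless of which tool was run. Ranking on artefact count first and time second reflects the abstract's priority: a tool that overwrites or adds evidence costs more than a slow one.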

Keywords

Acquisition, Artefacts, Digital Forensics, Software

Kinetik : Game Technology, Information System, Computer Network, Computing, Electronics, and Control by http://kinetik.umm.ac.id is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.