See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/232659004

Using open source for forensic purposes

Conference Paper · June 2012

DOI: 10.1145/2316936.2316943

CITATIONS READS
5 2,875

3 authors:

Manuel Delgado Manuela Aparicio

ISCTE-Instituto Universitário de Lisboa Universidade NOVA de Lisboa
1 PUBLICATION 5 CITATIONS 141 PUBLICATIONS 3,283 CITATIONS

SEE PROFILE SEE PROFILE

Carlos J. Costa
ISEG – Lisboa School of Economics and Management. University of Lisbon
253 PUBLICATIONS 2,714 CITATIONS

SEE PROFILE

All content following this page was uploaded by Manuela Aparicio on 21 May 2014.

The user has requested enhancement of the downloaded file.

 Using Open Source for Forensic Purposes
Manuel Delgado Manuela Aparicio Carlos Costa
ISCTE-IUL Adetti-IUL/ ISCTE-IUL Adetti-IUL/ ISCTE-IUL
R. Manuel Ferreira Andrade Av.ª das Forças Armadas Av.ª das Forças Armadas
29-C 1500-416 Lisboa 1649-026 Lisboa 1649-026 Lisboa

[email protected] [email protected] [email protected]

ABSTRACT
This article provides an overview of the basic digital forensic
1. INTRODUCTION
One of the most significant developments in Information and
process. In different contexts of crime, the use of "computer
Communication Technologies in business, has to do with the
forensics" is a usual way to gather evidence. Digital data is
increasing dematerialization of supporting documents, is already
collected and analyzed in order to be presented in court as
finding that most of the information generated in the world is
evidence of illegal activities. This is already a first-line option in
created and stored in digital format and it is estimated that more
most cases for criminal investigation. For some types of crime,
than half of the documentation related to economic activity, never
particularly economic and financial research focuses on the
leave the digital domain. This means that paper documents
storage devices.
associated with business world, are only a small part, being
In the context of a crime, create and certify a full Image of suspect significantly longer majority, the number of documents in digital
devices is vital to preserve its integrity. The disk image, take format. [1].
sector by sector copy usually for forensic purposes, and as such
will contain some mechanism (internal verification) to prove that This reality contrasts with the rule, that paper documents
the copy is accurate and has not changed. In this work we present continues to play in the field of justice where, with apparent
some Open Source tools to perform an effective role in computer indifference to the impact of technological change at all levels of
forensics, which ensure the realization of these images, fulfilling today society, the research teams, particularly in the economic
all the requirements, so that any evidence recovered from his crime area, continue to base his work on "paper discovery."
analysis, may be admitted in court. The transfer of documentary support to the digital world, causes
the computer equipment in addition to instrument and / or target
Categories and Subject Descriptors of computer crimes, may constitute today as huge repositories of
K.4.2 [COMPUTERS AND SOCIETY]: Social Issues; evidence of crimes the most varied nature, including economic,
making it now essential their contribution, to the discovery of
D.4.6 [OPERATING SYSTEMS]: Security and Protection; truth in most of the investigations, regardless of the type of crime
committed [2].
General Terms Despite the growing awareness of the importance of digital
Experimentation, Security, Legal Aspects, Verification. evidence, is still not peaceful its acceptance in court, given the
divergent views of various judicial actors.
Keywords Concerning the reliability of such evidence, some judges believe
Electronic Crime, Financial Crime, Computer Forensics, Open that the precision and objectivity of the electronic evidence make
Source. it more reliable; other judges think that the lack of means to verify
the authenticity of the electronic evidence makes it more
vulnerable and, therefore, less reliable than traditional evidence in
general.
Many technical experts highlight some positive properties about
electronic evidence: exact, complete, clear, precise, true,
objective, and neutral, and the fact that in many instances,
electronic evidence appears to be essential for the resolution of
certain type of crime.

Permission to make digital or hard copies of all or part of this work for For judges, electronic evidence is easy to be collected, stored, and
personal or classroom use is granted without fee provided that copies are preserved. About the inconveniences, law professionals often
not made or distributed for profit or commercial advantage and that copies invoke the establishment of legal value on this type of evidence as
bear this notice and the full citation on the first page. To copy otherwise, or a difficulty due to the existing ignorance about procedures of data
republish, to post on servers or to redistribute to lists, requires prior processing and the interpretation of prosecutorial law in this
specific permission and/or a fee. mater.
OSDOC'12, June 11, 2012, Lisbon, Portugal.
Copyright 2012 ACM 978-1-4503-1284-4 This difficulty is generated by the lack of suitable and systematic
regulation and also the lack of homogeneous jurisprudence.
Jurists admit their fears of the vulnerability (the high degree of
volatility of electronic evidence’s nature). On the other side,
31
judges and prosecutors do not understand very well this kind of The available data clearly suggest that the economic and financial
evidence and that is the reason why they often reject it in trials. crime continues to grow rapidly [6], mainly under the influence of
new information technologies, the spread of electronic banking
All of we as computer experts, have responsibility not only to
and the expansion of Internet services on a global scale.
make clear to law enforcement officials, the real value of digital
evidence, but rather to investigate and develop tools to isolate this
type of evidence in a safe and reliable manner and also timely 3.2 Impact on Sustainable Development
useful. Usually fraudulent activities, take the place of legitimate
economic activity, discouraging investment. Hence, the economic
As in Portugal, the use of Computer Forensics is still very limited, and financial crimes constitute the long term, a serious threat to
particularly in the economic crime investigation, I think it is the peaceful and democratic socio-economic development. The
important to disclose the reasons and potential to promote this countries where the illegal economic and financial activities are
scientific area as a new field of research. socially accepted, do not offer conditions for financial markets to
develop, given the high standards and professional values, legal
This paper as a survey paper of previous results, aims to show that
and moral, in which they are based. The mere notion of being
tools are available that enable a qualitative jump in research
committed illegal economic and financial acts, can cause
processes, without jeopardizing the budget balance of justice
irreparable economic harm. The public suspicion inevitably
departments, as current economic situation requires.
undermines the legitimacy of government [7].

2. METHODOLOGY The universality of this phenomenon is an inescapable reality. Jain

In addition to the literature review, the material in this paper is states that the effects of corruption tend to have repercussions
based on the authors' experience using computer forensics in the throughout the economy, not confined to the specific act. It found
economic crimes investigation. that in a country with an inefficient legal system, the level of
corruption tends to increase and may lead to their political elite
The paper is very much a descriptive reflection about the cannot resist the increased income it provides. Once corrupted,
importance of computer forensics in economic crime the elite will try to reduce the effectiveness of legal systems,
investigations, warning to the existence of tools to develop this through the manipulation of resource allocation and appointments
work with quality and reduced costs. to key positions. In turn, reducing the resources, the match will
condition, thereby allowing the further spread of corruption [8].
3. ECONOMIC AND FINANCIAL The recent economic crisis, made to multiply the voices calling
CRIME for the urgent need to investigate and punish the guilty, to the
Corruption and all practices related to economic and financial point, eminent experts, advocate that the magnitude of some of the
crime, should be seen as acts of deviant and criminal nature. In crimes should lead to its being classified as "crimes against
addition to violating the rules for the normal functioning of humanity"[9].
institutions as a whole, acts of this type contribute to raise the
citizens, general feelings of social mistrust and may, at worst, 4. COMPUTER FORENSICS
degenerate into a dizzying process of decay of the most Our increasingly complex world, puts us at a very particular social
elementary rules of healthy social life cultural, economic and and cultural crossroad. At no other time the society was so
political [3]. dependent on technology in its various expressions. Nearly every
facet of our lives suffer in some way the impact of technology (e-
3.1 Definition and Range mail, instant messaging, online banking, video and digital music,
"Economic and Financial crime" means any form of non-violent etc..). This dependence and, in general, dependence on
crime which results in a financial loss. This type of crime thus, technology, had a cascading effect on other less obvious areas of
encompassing a wide range of illegal activities such as corruption, society, as eloquently portrays Bruse Schneier, in his book Secrets
fraud, tax evasion and money laundering. and Lies - Digital Security in a Networked World [10].

It is, however, difficult to define the notion of "economic crime", One such area is law enforcement and, more specifically, the part
and its exact concept remains a challenge. The task is further that concerns the criminal investigation [11]. Historically, the
complicated due to technological advances that provide new ways criminal investigation had concepts such as physical evidence,
to develop and perpetuate such crimes [4]. eyewitnesses, and confessions. Today, the criminal investigator
cannot fail to recognize that a significant part of the proof lies in
It is also difficult to determine the overall extent of the electronic or digital form.
phenomenon, partly due to the absence of a clear concept and
accepted by all, by virtue of the registration systems of economic As Carrier stated in his Article "Getting physical with Digital
and financial crime, differ considerably from country to country as Investigation Process", [12], for many crimes of today, the crime
well, because the companies or financial institutions choose to scene may consist of a simple computer that, by itself, can hold a
resolve incidents internally, refraining from participating to the large number of evidence, as opposed to the traditional physical
authorities [5]. crime scene. The witness today, can be tomorrow a 'log' file
generated on a computer.
Since, most of the economic crimes, committed on the basis of
technology, do not require the physical presence of the offender. In order to deal effectively with this new reality, computer
Thanks to significant differences between the legal frameworks of forensics, while embryonic branch of science, has been
different countries, this allows criminals to choose to base their developing methodologies and creating rules aimed at drawing
activities, on countries with more lenient legal frameworks. attention to the care that must be taken to ensure that it is not

32
overlooked the primary objective of research process, which We must say that, "Digital Evidence" is any information stored or
ultimately aims to identify the party or parties responsible for transmitted in digital format, with probative value in criminal or
illegal practices. civil prosecution. Again, the Locard exchange principle is valid,
[17], thanks to the control loop currently available in operating
4.1 Forensic Science systems, allowing the screening of all activities on the systems.

Such as medicine or engineering, forensic analysis of physical

Thus, a basic principle that cannot be overlooked, is the
evidence is an applied science, which relies on the basic scientific
preservation of all original traces, which advises that the research
principles of physics, chemistry and biology. As such, every
be done on the original media, but whenever possible, on a full
experience and each case must follow the scientific method of
and exact copy of that, “Bit Stream Image”, [18].
testing hypothesis.

Notwithstanding the conclusions reached by Inmon and Rudin, in Investigation of digital evidence is a process that develops in two
his work "Principles and Practice of Criminalistics," referring to areas: investigative and legal domain, however, remains a gap that
the legal practice is not strictly experimental, given the nature of separates them, and the size of that gap, varies inversely with the
the sample completely uncontrolled, which characterizes the computer literacy of prosecutors.
process of investigation, as opposed to highly controlled
conditions in which scientific experiments are carried out with As represented in figure 1, the first concern in the investigative
variables intentionally altered, one at a time, etc., the scientific domain, relates to the preservation of evidence, which is usually
method has been one of the most powerful tools available to the ensured by carrying out a "bit stream image" of the suspect
forensic investigator to ensure the fulfillment of his responsibility device. This image is in the final, certified through a hash
to provide accurate relevant evidence in an objective and impartial function.
manner, [13]
Than it must be done a search on the image, usually based on a
Starting with a collection of facts, continues with the formulation
keyword list, searching all spaces of the device including
of a hypothesis based on the evidence available, while retaining
unallocated and slack spaces as well within any kind of hidden
the awareness of the possibility that the observations and
control files at the operating system level, such as swap, log and
analyzes, may not be correct. Thus, to assess the veracity of the
registry files, among others, in order to locate and select the
hypothesis is not only necessary to seek support for the evidence
evidence.
found but equally important to consider alternative hypotheses.
The process of trying to refute our own hypothesis involves
performing experiments that allow testing our underlying Finally Validation relates to the question of whether the located
assumptions and obtaining a better understanding of digital tracks evidence is what it seems to be. For instance, the assertion that an
that we are considering. important file, was deleted would require confirmation of the
existence of the deleted file, in the unallocated space. This phase
This is a process inherently inductive, in that, the results obtained ends with a detailed report.
from a forensic sample, are not a simple experiment, but a test or
analysis in which the analyst collects material on a piece of
evidence that later, will combine with other facts and hypotheses,
to form a theory about what actually happened in the case.

4.2 Locard Exchange Principle

The fundamental rule followed by forensic science is the Locard
exchange principle, according to which, every contact leaves
traces."No one can act [commit a crime] with the force [intensity]
that the criminal act requires without leaving behind numerous
signs [marks] of it: either the wrong-doer [felon; malefactor,
offender] has left signs at the scene of the crime, or, on the other
hand, has taken away with him — on his person [body] or clothes
— indications of where he has been or what he has done. [13]".

Based on the definition of digital evidence by three leading

organizations in this field:

• "Information Transmitted or stored in binary form That may

be relied upon in court" [14];

• "Information of probative value that is stored in binary form

or Transmitted" [15];

• "Information and data of investigative value that is stored on

or Transmitted by a computer" [16].
Figure 1. Computer Forensic Domains.[19]
33
The Legal Domain has to do with the intervention of the lawyer, Table 1. Investigative Process for Digital Forensic Science[23]
who, based on the report supplied by the investigator, shall test
each piece of evidence to determine its weight in legal argument
and its suitability for use to prove or disprove the case.

4.3 Forensic science in the digital field

Regarding Computer Forensics, some authors consider that it
combines the advantages of forensic science with the art of
research. Farmer and Venema in his book Forensic Discovery,
note that sometimes the expert acts as an archaeologist (digital),
others as a geologist (digital). [20].

Digital Archaeology, when acting on the direct effects of user

activity, such as the file contents, access times, deleted file
information, and information about network traffic;

Digital geology, when acting on the autonomous process system,

on which the user has no direct control, as the allocation and
recycling of disk blocks, file identifiers, memory pages or process
identifiers.

As an example, the authors note that users have direct control Table 1 shows the main categories or phases of the investigative
over the content of the files (archeology), but when a file is process in the header. The contents of the columns below of each
deleted, users no longer have any control over the sequence of category, are techniques or methods used in the development tasks
destruction wrought by the system (geology). related to the phase that heads the column. This paper will only
deal with the first three phases: Identification, Collection and
Similarly, Carrier, reflects on how this activity should be assigned
Preservation.
by comparing it with the common forensic analysis. In his
opinion, contrary to common forensic analysis (physics), in which In practice, the investigation process referred in Figure 1, is
the expert is confronted with a discrete set of questions about developed in two stages, as represented in Figure 2:
samples (fluids, bullets, samples of skin, hair, etc.), which are
delivered by a detective, being responsible for tasks of - first phase takes place in the field, ensuring target
identification and individualization, computer forensics identification,
encompasses the role of the detective himself, developing into two information gathering
steps: searching for evidence, then its analysis and interpretation. and preservation;
To that extent, the author proposes for this activity, the name - second phase is
"Computer Forensic Investigation" or "Digital Forensic developed in the
Investigation". [21]. laboratory and ensures
examination, analysis
4.4 Digital Investigation Methodology and presentation of
results.
The first Digital Forensic Research Workshop (DFRWS) held in
2001 produced the following definition: 5. FORENSIC
“The use of scientifically derived and proven methods toward
TOOLS
the preservation, collection, validation, identification, Digital forensic tools, aims
analysis, interpretation, documentation and presentation of the analysis of digital
digital evidence derived from digital sources for the purpose information, in order to
of facilitating or furthering the reconstruction of events found incriminate or exonerate
to be criminal, or helping to anticipate unauthorized actions someone suspected of
illegal activities. Often in
shown to be disruptive to planned operations “[22].
decision context, the usual
This definition itself, contains a sequential procedure translated in confrontation Open Source
Table 1, which in general constitute a framework for further vs Closed Source, is not
research in this area. only just reduced to the Figure 2.
mere philosophical Digital Forensic Model.
questions, but also other
reasons arise such as costs or security.
.
Computer Forensics, is more focused on the reliability of the
results provided by the tools. It is essential to assess to what
extent the tools meet the legal requirements governing the
admissibility of evidence.

34
In the article "Gatekeeping Out Of The Box: Open Source - partitioning of the image files of a given size, in this case it
Software As A Mechanism To Assess Reliability For Digital was decided to split into files of 640 MB so that it can be
Evidence", published in the Virginia Journal of Law and burned to CD-ROM;
Technology Association, Kenneally done a fairly comprehensive
analysis on this dichotomy, and its surroundings in the middle - two compression ratios, this option should take into account
court, concluding that, allow unrestricted access to code their own trade-off, more compression / high speed. In this case, the
tools, in this context, confers a significant advantage to open choice was "best" that corresponds to the higher rate of
source, given the "black box" proprietary [24]. compression which makes the acquisition process slower;
5.1 Targets of the tools
- the possibility of calculating the HASH certification, based on
Given the retrospective nature that characterizes the process of MD5 and SHA1 algorithms, individually or jointly. We chose
investigating economic and financial crimes, normally, computers the first, which corresponds to the most common practice
play in this type of crime, the role of mere repository of evidence, adopted by the community.
making their storage units the main target of analysis.
At the end of the EnCase process returns the particulars given in
According to the recommendations of the Working Group on figure 4.
Digital Evidence Software [25], the analysis of digital evidence
should not be performed on the original media, but over a full
copy of that, as indicated in 4.2, in order to preserve any damage
that could cause direct manipulation.

There are several Open Source tools that fully accomplish all the
requirements of this process, as will shown in the following
section.

6. USAGE SCENARIO
In a real case, after identifying the target device, the first step to
accomplish is the creation of their image, " Bit Stream Image ", in
which the researcher will then perform the analysis. Figure 4. Final Process information.

By way of demonstration, this task is first performed using the 6.2 Bit Stream Image using “dd”
proprietary platform for forensic analysis, "EnCase Forencic." The "dd" command is a common Unix program whose primary
purpose is the low-level copying and conversion of raw data,
designed to perform copy and convert files from one place to
The same operation is repeated with the use of Open Source tools,
another. (there is also a version for Windows systems).
and in the end, the results are compared.

6.1 Bit Stream Image using EnCase

The suspect device that, under this case study, will be analyzed, is
a USB Flash Pen 1 GB of which will start by creating an image.

Figure 5. Creating Image with “dd”.

Figure 6. Hashing the created image (MD5)

This command has not been created for forensic purposes, so it

does not include any specific features such as compression,
certification, etc., being necessary to perform these tasks in
addition, using other tools.

Figure 3. EnCase GUI. Tool: Acquire.

The process of creating the image provides a set of options such Figure 7. Hashing the device to confirm (MD5)
as:

35
 6.3 Bit Stream Image using “EwfAcquire”
The "ewfacquire" is an Open Source utility included in the
"LIBEWF" library, designed to acquire data from various storage
devices (floppy, Zip, Jaz, CDROM, DVDs, flash drives, hard
drives, among others).

It records files in the EWF format (Expert Witness Compression

format), adopted by the two most spread proprietary Forensic
platforms: EnCase Forensic and Forensic Toolkit (FTK) Imager.

Figure 10. Summary of the introduced parameters

Figure 8. EwfAcquire characteristics of the target device

When running Ewfacquire this command requests, by command

line, a wide range of elements, not only for the parameterization
of the image we want to achieve, but also identification elements
of the case in research and the identification of the technician who
performs the work, among other elements.

All that data will be part of the image metadata.

Figure 11. Final Process information.

Calculating the hash of the original device, if it matches the hash
returned by Ewfacquire, we have the image properly certified.

Figure 12. Hashing the device to confirm (MD5)

7. CONCLUSION
In practice this small example covers the first three phases of a
research process:
Figure 9. EwfAcquire parameters required
1. Identification - After the incident notice, was isolated
suspicious device - USB Flash Pen 1 GB;

2. Preservation - were taken every precaution so that the

content does not undergo any changes by inhibiting the option
of writing to the device (Write blocking / mounting device in
read only mode);

3 - Collection and certification - Creating a "Bit-Stream"

image using "dd" and “EwfAcquire” and calculating the hash
signature with the "md5sum" command.

36
Using these samples and taking into account the matching of the [11] Kruse, Warren G., Heiser, Jay G., 2001. Computer forensics
hash calculated “A845445FB5A07E677FD51C0D4B4EAB89” incident response essentials – Published by Addison-Wesley
on the result of the different commands, and the content of the Professional; 1 edition.
target device, we can ensure that, as regards the process of
"acquisition", Open Source tools do not show any disadvantage [12] Carrier, B. 2002 “Defining Digital Forensic Examination and
for the proprietary reference tool "EnCase Forensic" or any other. Analysis Tools”. Digital Forensic Research Workshop 2002,
Syracuse - http://www.dfrws.org/2002/papers/Papers/Brian
Similar conclusions can be obtained in the broad field of analysis _carrier.pdf.
of digital evidence, characterized by multiple specificities, for
which there is a huge variety of open source tools ready for use, [13] Inmon, Keith e Rudin, Norah (2001) - Principles and
most of which, validated and certified. Practice of Criminalistics - The Profession of Forensic
Science
Most of these Open Source tools in no way are less reliable and
effective, when compared with the proprietary suits who join on [14] IOCE – International Organization on Computer Evidence -
the same platform, a wide range of features of friendly usability, General Definitions relating to digital evidence -
but whose reliability is not always possible to evaluate or certify, http://www.ioce.org/core.php?ID=5.
However this does not prevent the huge licensing costs,
sometimes even prohibitive. [15] SWGDE - Best Practices for Computer Forensics -
http://www.swgde.org/documents/current-documents/.

8. REFERENCES [16] ACPO – Association of Chief Police Officers – UK Good

[1] Gantz, John e Reinsel, David - The Digital Universe Decade Practice Guide for Computer-Based Electronic Evidence
– Are You Ready? – IDC – IVIEW http://www.emc.com/ http://www.7safe.com/electronic_evidence/ACPO_guidelines
collateral/demos/microsites/emc-digital-universe- _computer_evidence.pdf
2011/index.htm
[17] Carrey Eoghan, 2009 – “Handbook of Digital Forensics and
[2] Vacca, Jonh R(2005) – Computer Forensics – Computer Investigation” Published by Elsevier Academic Press
Crime scene Investigation 2.ª Edição - Published by pela
editora Charles River Media - ISBN: 1-58450-389-0 [18] Brown, Christopher L. T. 2006 - Computer evidence:
Collection & Preservation Thomson/Delmar learning.
[3] Jain A. (2001) “Corruption: A Review”- Journal of published by: Charles River Media, inc.Tavel, P. 2007.
Economic Surveys Vol. 15, n.º 1 Concordia University Modeling and Simulation Design. AK Peters Ltd., Natick,
MA.
[4] UNODC (2005) Economic and Financial Crimes: Challenges
to Sustainable Development - http://www.unis.unvienna.org/ [19] Boddington R.,Hobbs V. and Mann G. - Validating digital
pdf/05-82108_E_5_pr_SFS.pdf evidence for legal argument - Murdoch University

[5] Pimenta, C. (2009) “Esboço de Quantificação da Fraude em [20] Farmer, D. Venema, W. 2005 – “Forensic Discovery”
Portugal” Working Papers Nº 3/2009 OBEGEF – Addison-Wesley Professional Computing Series
Observatório de Economia e Gestão de Fraude.
[21] Carrier, B. 2006 – “Digital Investigation and Digital Forensic
[6] Pwc, 2011 - Global economic crime survey 2011 Basics” - Disponivel em: http://www.digital-evidence.org/
http://www.pwc.com/gx/en/economic-crime- di_basics.html
survey/download-economic-crime-people-culture-
controls.jhtml [22] Palmer, Gary L. 2001 “A Road Map for Digital Forensic
Research”. Technical Report DTR-T001-01, DFRWS,
[7] Branco, M. 2010 “Empresas, Responsabilidade Social e November 2001. Report From the First Digital Forensic
Corrupção” Working Papers Nº 6/2010 OBEGEF – Research Workshop (DFRWS).
Observatório de Economia e Gestão de Fraude
[23] DFRWS TECHNICAL REPORT, 2001 - A Road Map for
[8] Jain A. (2001) “Corruption: A Review”- Journal of Digital Forensic Research. -Report From the First Digital
Economic Surveys Vol. 15, n.º 1 Concordia University Forensic Research Workshop (DFRWS)

[9] Zuboff, S. (2009) Wall Street's Economic Crimes Against [24] Kenneally, Erin E. - Open Source Software As A Mechanism
Humanity - BusinessWeek – VIEWPOINT - March 20, 2009 To Assess Reliability For Digital Evidence Published by
http://www.businessweek.com/managing/content/mar2009/ca Virginia Journal of Law and Technology Association -
20090319_591214.htm http://www.vjolt.net/vol6/issue3/v6i3-a13-Kenneally
.html#_edn3
[10] Schneier, B , 2004 “Secrets and Lies - Digital Security in a
Networked World” - Wiley Computer Publishing, Inc [25] SWGDE - Best Practices for Computer Forensics -
http://www.swgde.org/documents/current-documents/

37
 38

View publication stats