An Analysis on the Approaches of Digital Forensic Tools: a Comparative Evaluation

Exploring the Comparative Analysis of Digital Forensic Tools

by Patel Hiteshkumar Gunvantbhai*, Dr. Jigar Patel

- Published in International Journal of Information Technology and Management, E-ISSN: 2249-4510

Volume 9, Issue No. 14, Nov 2015, Pages 0 - 0 (9)

Published by: Ignited Minds Journals


ABSTRACT

Digital forensics is the part of the forensic discipline that covers crime related to computer technology. A key factor in the digital investigation process is that it can map the events of an incident from different sources to obtain evidence of the incident, which can then be used for other secondary aspects of the investigation. The use of computers to investigate computer-based crime has led to the development of a new field called digital forensics. Digital forensics provides a foundation and new ideas for improving and understanding these concepts. This paper studies the comparative approach of digital forensic tools, its origins, its current position and its future directions. This paper addresses digital forensic analysis tools and their use in a legal setting. To enter scientific evidence into a United States court, a tool must be reliable and relevant. The reliability of evidence is tested by applying the “Daubert” guidelines. To date, there have been few legal challenges to digital evidence, but as the field matures this will likely change. This paper examines the Daubert guidelines and shows that open source tools may more clearly and comprehensively meet the guidelines than closed source tools.

KEYWORD

digital forensic, tools, comparative evaluation, evidence, incident, secondary investigation aspects, computer technology, crime, computer-based, field, foundation, concepts, origins, current position, future directions, legal setting, United States court, reliable, relevant, Daubert guidelines, open source, closed source

INTRODUCTION

The digital forensics process involves the collection, preservation, analysis and presentation of evidence from digital sources. With the rise of challenges in the field of forensic investigations, more interesting problems are looming on the horizon for both victims and investigators. As computers become smaller, faster and cheaper, they are increasingly being embedded inside other, larger systems, which allows information to be created, stored, processed, analyzed and communicated in unpredicted ways. Once we gathered digital evidence from monolithic, stand-alone mainframes, whereas today we have PCs, supercomputers, distributed client-server networks, laptops and smart phones, and LANs and WANs to convey information across the world, each of which is a potential source of digital evidence. Evidence stored in a computer is not unique with regard to relevancy and materiality, but it can be easily duplicated and modified, often without leaving any traces, and is readily available to a miscreant using another computer half a world away; hence, it should be constrained by evolving legal standards and constraints to defend privacy. In general, privacy means allowing or disallowing access to information. The code of ethics requires forensics professionals to maintain the privacy of the client. In the proper investigation of a case, depending on the sensitivity of the issue and the requirement of the result, the privacy of the client may need to be compromised. It is also possible that the victim organization loses trust in the forensics team. Moreover, there are organizations where any slight leakage of the issue may attract huge media attention, endangering the reputation and finally the business of the organization. In such situations, privacy rights and law enforcement’s need to search and seize digital evidence during a digital forensic investigation belong together.
It may also be possible that the forensics expert does not share the information with any third party but takes advantage of the client's confidential information himself, which is also a violation of the right to privacy. That is why it is the policy maker’s responsibility to see the impact of forensics in the broader context of business goals and make the hard decisions that trade off forensics capabilities against issues of privacy and, correspondingly, morale. To run a forensic investigation, the correct tools and software play an important role in aiding the efficiency and effectiveness of the investigation. As P2P is widely used for sharing illicit material, the author discusses a

information about users can be extracted using a tool known as AScan. However, this tool is only available to the law enforcement community. Another great tool, known as PyFlag, is used to render back HTML files through the tcpdump program. Any recorded network traffic can be captured and its content replicated. The same goes for flash memory in smartphones, where an application can be used to determine a user's related application logs and multimedia files. The author develops a Mobile Internal Acquisition Tool (MIAT) in order to target the Symbian OS. However, because of conflicts regarding users' private information, the software is not to be released under an open source license. There are special forensic tools for each operating system (OS). The introduction of Macintosh Evidence Gathering and Analysis (MEGA) describes how system analysis is implemented in Mac OS X. It has great capabilities for managing and monitoring the network and can even handle Mac FileVault encrypted home directories. For the Linux OS, the author mentions the use of the Forensic Automated Correlation Engine (FACE) as an image analyzer for Linux partitions. It may obtain any personal information of the victim for a forensic investigator or for unauthorized personnel. A wide variety of digital forensics tools, both commercial and open source, are currently available to digital forensics investigators. These tools, to varying degrees, provide levels of abstraction that allow investigators to safely make copies of digital evidence and perform routine investigations, without becoming overwhelmed by low-level details, such as physical disk organization or the specific structure of complicated file types, like the Windows registry. Many existing tools provide an intuitive user interface that turns an investigation into something resembling a structured process, rather than an arcane craft.
Unfortunately, the current generation of digital forensics tools falls short in several ways. First, massive increases in storage capacity for target devices are on the horizon. The traditional approach of utilizing a single workstation to perform a digital forensics investigation against a single evidence source (e.g., a hard drive) will become completely intractable as storage capacities of hundreds of gigabytes or terabytes are seen more often in the lab. Furthermore, even if traditional investigative steps such as keyword searches or image thumbnail generation can be sped up to meet the challenge of huge data sets, much more sophisticated investigative techniques will still be needed. The field of digital forensics has become increasingly important over the last few years as both the computer and the cellular markets have grown. Digital forensics describes the process of going into a and/or is being watched. We may think that we don’t have much to hide on our technological devices, so this warning need not apply to us. But just because we have hit a 'delete' button doesn't mean that a good hacker can't find a copy of it somewhere on our machine. Computers can yield evidence of a wide range of criminal and other unlawful activities; criminals engaged in network-based crimes are not the only ones who store information on computers. Many criminals engaged in murder, kidnapping, sexual assault, extortion, drug dealing, auto theft, espionage and terrorism, gun dealing, robbery/burglary, gambling, economic crimes, confidence games and criminal hacking (e.g., Web defacements and theft of computer files) maintain files with incriminating evidence on their computers. Sometimes the information on the computer is key to identifying a suspect and sometimes the computer yields the most damning evidence.
Digital forensics can be defined as the use of scientifically derived and proven methods toward the preservation, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations. The process is mainly used in computer and mobile forensic investigations and consists of five steps which are listed below:

  • Preservation: Preserving digital evidence early is a critical first step toward increasing our chances of a successful investigation, litigation, or incident response.

Fig.1 Digital Forensic Investigation Process

  • Collection: Since digital information is stored in computers, collection of digital information means either collection of the equipment containing the information, or recording the information on some medium.

protects and preserves the integrity of the evidence.

  • Analysis: During the analysis an investigator usually recovers evidence material using a number of different methodologies (and tools), often beginning with recovery of deleted material.
  • Reporting: When an investigation is completed the information is often reported in a form suitable for nontechnical individuals. Reports may also include audit information and other meta-documentation.

THEORETICAL BACKGROUND

Prior to the 1980s crimes involving computers were dealt with using existing laws. The first computer crimes were recognized in the 1978 Florida Computer Crimes Act, which included legislation against the unauthorized modification or deletion of data on a computer system. Over the next few years the range of computer crimes being committed increased, and laws were passed to deal with issues of copyright, privacy, harassment (e.g., cyber bullying, cyber stalking, and online predators) and child pornography. It was not until the 1980s that federal laws began to incorporate computer offences. Canada was the first country to pass legislation in 1983. Throughout the 1990s there was high demand for these new, and basic, investigative resources. Since 2000, in response to the need for standardization, various bodies and agencies have published guidelines for digital forensics. A European-led international treaty, the Convention on Cybercrime, came into force in 2004 with the aim of reconciling national computer crime laws, investigative techniques and international co-operation. The treaty has been signed by 43 nations (including the US, Canada, Japan, South Africa, UK and other European nations). A February 2010 report by the United States Joint Forces Command concluded that through cyberspace, enemies will target industry, academia, government, as well as the military in the air, land, maritime, and space domains. In 2010 Simson Garfinkel identified issues facing digital investigations in the future, including the increasing size of digital media, the wide availability of encryption to consumers, a growing variety of operating systems and file formats, an increasing number of individuals owning multiple devices, and legal limitations on investigators. IDFPM Framework - The Integrated Digital Forensic Process Model consists of the following processes: Preparation, Incident, Incident response, Physical included in the IDFPM as a continuous process.
The documentation process covers the investigation documents and the chain of custody, recorded as accurately as possible throughout the entire investigation. The infrastructure and operational readiness process is also a process that occurs in parallel.

  • Preparation: This process is encapsulated by stating that forensic readiness has two main objectives: first, to maximize the collection of credible digital evidence from an incident environment, and second, to minimize the cost of a forensic incident response. Any defects may be exploited during presentation of the digital evidence findings.
  • Incident: An incident may be detected by an automated incident detection system, or a similar set of event sequences is recognized by an investigator, based on possible previous experience. Incidents are often detected secretly and dealt with secretly within an organization. In these instances it is imperative that the organization’s policies and procedures are studied to determine any possible investigative limitation.
  • Incident Response: Depending on the type of investigation, witnesses need to be safeguarded, suspects need to be detained as soon as possible after arrival and potential evidence must be secured. The first responder is the first custodian to maintain the chain of evidence and custody of potential digital evidence. The first responder must be able to accurately describe the scene in the initial drafting of documentation; these include photographs, video and sketches.
  • Digital forensic Investigation: The physical investigation process occurs in parallel with the digital investigation if the crime is not isolated to the digital space. The focus of the physical investigation is to analyze DNA, fingerprints and other possible physical evidence obtained from the incident scene.

  • Presentation: Based on the presentation report, a decision is made regarding the person to whom the incident can be attributed. The decision must be recorded in some database for future reference. All other relevant documentation that was compiled during the investigation and that might be relevant in reaching a decision is included in the final presentation report. The legal

Study of Tools - Tools are the predefined software or methods available for applying digital forensics. Some of these tools are listed below:

  • FTK (Forensic Toolkit): It offers advanced code breaking and password recovery. The tool has full Unicode and code page support. It also gives advanced email support and powerful search functionality. Registry Supplemental Reports are provided by FTK. Its interface is very easy to use.
  • EnCase: It securely investigates and analyzes many machines simultaneously. It limits incident impact and eliminates system downtime with immediate response capabilities. It investigates and analyzes multiple platforms, efficiently collects only potentially relevant data, audits large groups of machines for sensitive or classified information, and identifies fraud, security events and employee integrity issues.
  • The Sleuth Kit: A collection of UNIX-based command line file and volume system forensic analysis tools. It analyzes raw, Expert Witness (i.e. EnCase) and AFF file system and disk images. It offers various analysis techniques: meta-data structure analysis, timeline generation, sorting files based on their types, etc.

Fig.2 Integrated Digital Forensic Process Model Framework

server model. Various analysis techniques: meta-data structure analysis, keyword search, timeline generation, sorting files based on their types, etc.

  • FIT4D (Forensic Investigation Toolkit 4 Developing countries): A software toolkit that utilizes the limited resources in developing countries. It improves efficiency, privacy and usability, and addresses the lack of forensic experts in developing countries. A low-cost, distributed infrastructure is used to deploy the FIT4D software toolkit.

PRESENT INVESTIGATION:

There are two fundamental problems with the design of today’s computer forensic tools:

  • Today’s tools are designed to help examiners find specific pieces of evidence, not to assist in investigations.
  • Today’s tools are created for solving crimes committed against people where the evidence resides on a computer, they were not created to assist in solving typical crimes committed with computers or against computers.

Digital forensics tools play a critical role in providing reliable computer analysis and digital evidence collection to serve a variety of legal and industry purposes. These tools are typically used to conduct investigations of computer crimes by identifying evidence that can be used in a court of law. In addition to criminal investigation, these same tools are used for purposes of maintenance, debugging, data recovery, and reverse engineering of computer systems in private settings. Digital forensics tools are designed for use by forensics investigators. It is important to consider the background, computer expertise, workflow, and practices of these users. Suppose we consider five tools which are used presently.

  • Award Key Logger: Award Key Logger [4] is a program for tracking key presses on a keyboard. The program is an easy-to-use surveillance tool that runs invisibly, so we can find out what other people do with our computer while we are away. Award Key Logger [4] records every keystroke to a log file, which will reflect everything that is typed (Google searches, visited sites, etc.) during our absence. The program can send the log files secretly by email or FTP to a specific receiver. On the other hand, the program

  • Recuva: Recuva is important file recovery software used to recover files accidentally deleted by the user from a Windows PC, the Recycle Bin or an MP3 player. Every one of us has faced the problem of accidentally deleting files containing useful information from a computer. But what if that file is permanently deleted from the hardware of the system? We may have come across the situation on our Windows PC where we delete files from the computer, empty the Recycle Bin and then start to wonder whether we mistakenly deleted our most important file for office or personal use. All these questions have one solution: Recuva. Even if we delete a particular file, we can undo the same from our Recycle Bin.
  • USBDeview: USBDeview is a small utility that lists all USB devices that are currently connected to the computer, as well as all USB devices that were previously used. For each USB device, extended information is displayed: device name/description, device type, serial number (for mass storage devices), the date/time that the device was added, Vendor ID, Product ID, and more. USBDeview also allows us to uninstall USB devices previously used, disconnect USB devices that are currently connected to the computer, and disable and enable USB devices. We can also use USBDeview on a remote computer, as long as we log in to that computer as an admin user. USBDeview is a free application for Windows computers that provides a useful tool for USB devices plugged into Windows-based computers.
  • WinHex: WinHex is at its core a universal hexadecimal editor, particularly helpful in the realm of computer forensics, data recovery, low-level data processing, and IT security. It is an advanced tool for everyday and emergency use: it can inspect and edit all kinds of files and recover deleted files or lost data from hard drives with corrupt file systems or from digital camera cards.
  • OpenPuff: OpenPuff is a professional steganography tool, with unique features we won’t find among any other free or commercial software. OpenPuff is 100% free and suitable for highly sensitive data covert transmission. OpenPuff is used primarily for anonymous asynchronous data sharing, i.e. the sender hides a hidden stream inside some public

secret key.

Table 1 Comparison of considered tools on the basis of features

Fig.3 Utilization of Tools in terms of percentage

DIGITAL FORENSIC ANALYSIS

In general, the goal of digital forensic analysis is to identify digital evidence for an investigation. An investigation typically uses both physical and digital evidence with the scientific method to draw conclusions. Examples of investigations that use digital forensics include computer intrusion, unauthorized use of corporate computers, child pornography, and any physical crime whose suspect

  • Acquisition
  • Analysis
  • Presentation

The Acquisition Phase saves the state of a digital system so that it can be later analyzed. This is analogous to taking photographs, fingerprints, blood samples, or tire patterns from a crime scene. As in the physical world, it is unknown which data will be used as digital evidence so the goal of this phase is to save all digital values. At a minimum, the allocated and unallocated areas of a hard disk are copied, which is commonly called an image. Tools are used in the acquisition phase to copy data from the suspect storage device to a trusted device. These tools must modify the suspect device as little as possible and copy all data.

The Analysis Phase takes the acquired data and examines it to identify pieces of evidence. There are three major categories of evidence we are looking for:

  • Exculpatory Evidence: That which contradicts a given theory
  • Evidence of tampering: That which cannot be related to any theory, but shows that the system was tampered with to avoid identification

This phase includes examining file and directory contents and recovering deleted content. The scientific method is used in this phase to draw conclusions based on the evidence that was found. Tools in this phase will analyze a file system to list directory contents and names of deleted files, perform deleted file recovery, and present data in a format that is most useful. This phase should use an exact copy of the original, which can be verified by calculating an MD5 checksum. It is important that these tools show all data that exists in an image.
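The verification step described above, as an added example that is not code from the paper: the image is hashed once at acquisition, and any working copy is later checked against that record. The SHA-256 digest, the 4096-byte block size and the per-block hashes (used to locate where a copy diverges) are assumptions added here; the sample "image" is constructed.

```python
import hashlib
import io

BLOCK_SIZE = 4096  # assumed block size for the per-block hashes


def hash_image(stream, block_size=BLOCK_SIZE):
    """Read an image once and return whole-image and per-block digests."""
    md5 = hashlib.md5()        # the checksum named in the text
    sha256 = hashlib.sha256()  # added second digest (assumption)
    blocks = []
    size = 0
    while True:
        block = stream.read(block_size)
        if not block:
            break
        size += len(block)
        md5.update(block)
        sha256.update(block)
        blocks.append(hashlib.md5(block).hexdigest())
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest(),
            "blocks": blocks, "size": size}


def verify_copy(reference, copy_stream, block_size=BLOCK_SIZE):
    """Compare a working copy with the record made at acquisition time.

    Returns whether the copy is exact and, if not, the byte offsets of the
    blocks that differ, so the examiner can see where it diverges.
    """
    current = hash_image(copy_stream, block_size)
    ref_blocks, cur_blocks = reference["blocks"], current["blocks"]
    changed = [i * block_size
               for i, (a, b) in enumerate(zip(ref_blocks, cur_blocks))
               if a != b]
    if len(ref_blocks) != len(cur_blocks):
        # Blocks missing from (or appended to) the copy start here.
        changed.append(min(len(ref_blocks), len(cur_blocks)) * block_size)
    return {
        "match": (current["md5"] == reference["md5"]
                  and current["sha256"] == reference["sha256"]),
        "changed_offsets": changed,
        "size_delta": current["size"] - reference["size"],
    }


# Constructed sample data: a 16 KiB stand-in for an acquired image.
ORIGINAL = bytes(range(256)) * 64
TAMPERED = bytearray(ORIGINAL)
TAMPERED[9000] ^= 0xFF              # one altered byte inside the third block
TRUNCATED = ORIGINAL[:10000]        # incomplete copy

if __name__ == "__main__":
    record = hash_image(io.BytesIO(ORIGINAL))
    print("acquisition MD5:", record["md5"])
    for name, data in [("exact", ORIGINAL), ("tampered", bytes(TAMPERED)),
                       ("truncated", TRUNCATED)]:
        print(name, verify_copy(record, io.BytesIO(data)))
```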

NIST STANDARDISED APPROACH OF TOOL EVALUATION

In the Computer Forensics Tool Testing (CFTT) project, NIST developed methodologies to validate a range of forensics tools, initially focusing on data acquisition tools and write blockers (software and hardware based). This study illustrates the methodology used to assess the tools. When a tool is to be tested, the NIST methodology starts by acquiring the tool and reviewing the tool documentation. If this documentation is non-existent, the tool is analysed in order to generate such documentation. This methodology is based on rigorous and scientific methods, and the results are reviewed by both of the stakeholders (vendor and testing organization), ensuring a certain level of fairness. However, this is also the major weakness of this methodology, as the time required for the evaluation can be significant. The resources needed to carry out each test do not enable a single organisation to test all tools along with all versions. Thus, by the time the results are publicly available, the version of the tested tool might be deprecated. In addition, the requirements of features might evolve, which needs to be reflected in the test strategy. Moreover, the time needed to define the requirements of a single function is counted in years. NIST has defined standards for string searching tools, but since additional work has been made publicly available. The specifications for digital data acquisition tools have been in a draft version since 2004, and these examples show that it is not viable for law enforcement agencies to rely only on organisations which evaluate DFTs. Some categories of tools commonly used in digital investigation are not covered, such as file carving tools. For these reasons, it is essential for digital investigators to validate DFTs themselves.

VALIDATION AND VERIFICATION OF DIGITAL FORENSICS TOOLS WITH REFERENCE SETS

Beckett explained that testing may not find all errors of a DFT, due to the fact that a complete evaluation of a product would require extensive resources. The requirements defined by ISO 17025:2005 specify that validation is a balance between cost, risk and technical possibilities. However, testing should be able to provide information on the reliability of the tool. Before looking at solutions to validate and verify digital forensic processes, it is essential to define:

  • Validation. This is the confirmation by examination and the provision of objective evidence that the particular requirements for a specific intended use are fulfilled.
  • Verification. This is the confirmation of validation with a laboratory's tools, techniques and procedures.

The methodology created is represented in Figure 4, and proposes that, in order to validate a DFT, it is essential to know the expected results of the tested forensic function along with its domain. This process is named function mapping, and enables them to draw diagrams which represent the different components of the function. This

the comparison of forensics functions which are from the same domain. The expected results are defined by Beckett and Slay as reference sets, which enable the evaluation methodology to meet the following requirements:

  • Extensibility: The reference set is used to model all specifications of a particular function. If new specifications are found, they can be easily added to the reference set.
  • Tool Neutrality: Any tools which implement forensics functions from the same domain can be evaluated with the same reference set.
  • Tool Version Neutrality: Same as the previous statement. As long as functions are part of the same domain, the reference set will not be required to be modified.
  • Transparency: The reference set can be publicly available and anyone can audit it in order to improve its quality.

Fig. 4: Validation and Verification of DFTs with Reference set.

Finally, they argue that if a function fails in a particular scenario, the function should not be invalidated. Instead, the results should be used to correct the tool weakness. Such a methodology can be implemented in the Software Development Life Cycle (SDLC) for vendors. This would help them improve their tools’ functionality and ensure that there is no loss of quality when these functions are updated. This methodology has been further refined by Guo, who mapped the requirements for string searching functions and defined a reference set. They did the same for the data recovery function; however, they did not perform actual validation and verification on any existing tools. and poorly for others. If the tool was rated as a whole, the results would not be useful to anyone. In addition, the definition of metrics is strongly linked with the tested function. A range of metrics can be defined but they will not apply to every function. Therefore, they must be defined for each function. Finally, they propose to use reference sets in order to enable the reproducibility of the evaluation process.
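A sketch of reference-set validation for a string-searching function, as an added example that is not code from the paper or from Beckett, Slay or Guo. The two search tools, the specification names and the test data are hypothetical and constructed for illustration; the same reference set is run against both tools (tool neutrality) and then extended with a new specification (extensibility).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ReferenceCase:
    spec: str            # specification of the function this case exercises
    data: bytes          # constructed test content
    keyword: str         # search term handed to the tool
    expected: frozenset  # byte offsets the tool must report


def find_all(data, needle):
    """Return every byte offset at which needle occurs in data."""
    hits, start = set(), data.find(needle)
    while start != -1:
        hits.add(start)
        start = data.find(needle, start + 1)
    return hits


# Two hypothetical tools implementing the same forensic function.
def tool_ascii(data, keyword):
    return find_all(data, keyword.encode("ascii"))


def tool_multi(data, keyword):
    return (find_all(data, keyword.encode("ascii"))
            | find_all(data, keyword.encode("utf-16-le")))


KEYWORD = "invoice"

# Constructed reference set: each case models one specification.
REFERENCE_SET = [
    ReferenceCase("ascii", b"\x00" * 16 + b"invoice" + b"\x00" * 16,
                  KEYWORD, frozenset({16})),
    ReferenceCase("utf16-le",
                  b"\xff" * 10 + KEYWORD.encode("utf-16-le") + b"\xff" * 10,
                  KEYWORD, frozenset({10})),
    ReferenceCase("multiple-hits", b"invoice--invoice",
                  KEYWORD, frozenset({0, 9})),
    ReferenceCase("no-hit", b"invoic3 1nvoice", KEYWORD, frozenset()),
]

# Extensibility: a newly found specification is appended, tools unchanged.
EXTENDED_SET = REFERENCE_SET + [
    ReferenceCase("utf16-be",
                  b"\xff" * 4 + KEYWORD.encode("utf-16-be") + b"\xff" * 4,
                  KEYWORD, frozenset({4})),
]


def validate(tool, reference_set):
    """Run one tool over the reference set and report per-specification results."""
    report = []
    for case in reference_set:
        found = set(tool(case.data, case.keyword))
        report.append({
            "spec": case.spec,
            "missed": sorted(case.expected - found),      # hits not reported
            "false_hits": sorted(found - case.expected),  # hits wrongly reported
            "passed": found == case.expected,
        })
    return report


def failing_specs(report):
    """Specifications where the tool needs correcting (not a verdict on the tool)."""
    return [row["spec"] for row in report if not row["passed"]]


if __name__ == "__main__":
    for tool in (tool_ascii, tool_multi):
        print(tool.__name__, "fails:", failing_specs(validate(tool, EXTENDED_SET)))
```

The report is kept per specification rather than collapsed into one score, so a failure points at the weakness to correct instead of rating the tool as a whole.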

STATISTICAL TOOLS FOR DIGITAL FORENSICS

The advent of low-cost and high-resolution digital cameras, and sophisticated photo-editing software, has made it remarkably easy to manipulate and alter digital images. In addition, digital forgeries, often leaving no visual clues of having been tampered with, can be indistinguishable from authentic photographs. And while the technology to manipulate digital media is developing at break-neck speeds, the technology to contend with its ramifications is lagging behind. Digital watermarking has been proposed as a means by which an image can be authenticated (see, for example, for general surveys). Within this broad area, several authentication schemes have been proposed: embedded signatures, erasable fragile watermarks, semi-fragile watermarks, robust tell-tale watermarks, and self-embedding watermarks. All of these approaches work by either inserting at the time of recording an imperceptible digital code (a watermark) into the image, or extracting at the time of recording a digital code (a signature) from the image and re-inserting it into the image. With the assumption that tampering will alter a watermark, an image can be authenticated by verifying that the extracted watermark is the same as that which was inserted. The major drawback of this approach is that a watermark must be inserted at precisely the time of recording, which would limit this approach to specially equipped digital cameras. This method also relies on the assumption that the watermark cannot be easily removed and reinserted. It is not yet clear whether this is a reasonable assumption (e.g., ). In contrast to these approaches, we describe a class of statistical techniques for detecting traces of digital tampering in the absence of any watermark or signature. These approaches work on the assumption that although digital forgeries may leave no visual clues of having been tampered with, they may, nevertheless, alter the underlying statistics of an image.
Consider, for example, the creation of a digital forgery that shows a pair of famous movie stars, rumored to have a romantic relationship, walking hand-in-hand. Such a photograph could be

convincing match, it is often necessary to (1) re-size, rotate, or stretch portions of the images; (2) apply luminance non-linearities (e.g., gamma correction) to portions of the image in order to adjust for brightness differences; (3) add small amounts of noise to conceal evidence of tampering; and (4) re-save the final image (typically with lossy compression such as JPEG). Although these manipulations are often imperceptible to the human eye, they may introduce specific correlations into the image, which when detected can be used as evidence of digital tampering. In this paper, we quantify statistical correlations that result from each of these specific forms of digital tampering, and devise detection schemes to reveal the correlations. The effectiveness of these techniques is shown on a number of simple synthetic examples and on perceptually credible forgeries.
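How a re-size leaves a detectable correlation, as an added example that is not code from the paper: a one-dimensional simplification in which a scan line is doubled in length by linear interpolation, so every second sample is exactly predicted by its neighbours. The signal, seeds, noise level and function names are constructed assumptions; real detectors for images estimate these correlations statistically rather than by this direct comparison.

```python
import random


def make_signal(n, seed):
    """Constructed stand-in for one scan line of an untouched image."""
    rng = random.Random(seed)
    return [rng.random() for _ in range(n)]


def upsample_linear_2x(signal):
    """Double the sampling rate with linear interpolation (a simple re-size)."""
    out = []
    for a, b in zip(signal, signal[1:]):
        out.extend([a, (a + b) / 2])
    out.append(signal[-1])
    return out


def add_noise(signal, amplitude, seed):
    """Small uniform noise, as used to conceal the traces of tampering."""
    rng = random.Random(seed)
    return [x + rng.uniform(-amplitude, amplitude) for x in signal]


def interpolation_residuals(signal):
    """How far each interior sample is from the mean of its two neighbours."""
    return [abs(signal[i] - (signal[i - 1] + signal[i + 1]) / 2)
            for i in range(1, len(signal) - 1)]


def phase_residual_ratio(signal):
    """Ratio of mean residuals between odd and even sample positions.

    Near 1.0: both positions behave alike (no periodic correlation).
    Near 0.0: one position is almost perfectly predicted by its
    neighbours, the periodic trace left by 2x interpolation.
    """
    residuals = interpolation_residuals(signal)
    means = []
    for phase in (0, 1):
        values = residuals[phase::2]
        means.append(sum(values) / len(values))
    if max(means) == 0:
        return 1.0  # flat signal: nothing to distinguish
    return min(means) / max(means)


ORIGINAL = make_signal(400, seed=7)
RESIZED = upsample_linear_2x(ORIGINAL)
NOISY = add_noise(RESIZED, amplitude=0.005, seed=11)

if __name__ == "__main__":
    for name, sig in [("original", ORIGINAL), ("resized", RESIZED),
                      ("resized + noise", NOISY)]:
        print(f"{name:16s} ratio = {phase_residual_ratio(sig):.3f}")
```

The added noise removes the exact equality but not the statistical imbalance between the two sample positions, which is why the correlation remains usable as evidence of the re-size.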

RESULTS AND DISCUSSIONS:

Computer-related crime is growing as fast as the Internet itself. Today, enterprises focus on implementing preventative security solutions that reduce vulnerabilities, with little concern for systematic recovery or investigation. We have reviewed the literature on digital forensics and identified three main categories of activity in digital forensics. The three research categories are the framework, the digital forensics investigation process, and tools. Advances in the framework, process and tools of digital forensics have been reviewed and discussed. We should not leave everything to digital forensics experts. If we are going to find a solution to the computer crime problem, it will be through a collaborative effort. Everyone, from individual users to company owners, has to get involved. The considered tools, investigation process, and framework enhance the forensics of computer security by helping experts in the field do their job faster and more efficiently. It is up to companies and users to adopt these policies according to their needs.

FUTURE SCOPE:

A multidisciplinary approach is required to fully foresee the future of cybercrime forensics. The most obvious change will be in the type, size and speed of storage media, memory, and processors. In the next 5 years, standard computers will come with 5 TB of storage while flash drives will carry 250 GB of data. Thus, there will be a significantly greater amount of data to sort through than there is today. However, computers will become up to 7 or 8 times faster (this is not even considering the development of quantum computing). The forensics field will broaden in terms of expertise. Forensics tools will advance, developing the ability to automate data collection and preliminary processing. This means that less-trained people will be able to use forensics tools. However, computers themselves will probably evolve to a complexity that we are not used to, with sophisticated knowledge needed to handle software and hardware.

CONCLUSION

Digital forensic tools are used to fire employees, convict criminals, and demonstrate innocence. All are serious issues and the digital forensic application market should not be approached in the same way that other software markets are. The goal of a digital forensic tool should not be market domination by keeping procedural techniques secret. Digital forensics is a maturing science that needs to be continuously held to higher standards. The procedures used should be clearly published, reviewed, and debated. The availability of analysis tools to the general public has likely increased their quality and usability. The next step is to increase confidence in the tools through publication, review, and formal testing. The results of this paper provide strong evidence that current digital forensics tools are not considered user-friendly and that they lack intuitive interfaces. It is a challenge for investigators to directly find answers to their high-level, case-related questions. Usability is a critical issue in the tools because misunderstanding that leads to false interpretations may impact real-life cases. Computer forensics is a vital part of the computer security process. As more knowledge is obtained about how crimes are committed with the use of computers, more forensic tools can be fine-tuned to gather evidence more efficiently and combat the crime wave on technology. Digital forensics is important for solving crimes with digital devices, against digital devices, and against people where evidence may reside in a device. Several sound tools and techniques exist to search and analyse digital data. Regardless of existing tools, the evolving digital age and the development of technology require heavier research in digital forensics.

REFERENCES

  • Arvind Kumar,Sunil Kumar Sahu,Saurav Tyagi,Vikas Sangwan, Prof. Rupali Bagate, Data Recovery Using Restoration Tool. International Journal of Mathematics and Computer Research, Volume 1 issue 3, pp. 119-122, Pune, India (2013).

  • B. Carrier, “Defining digital forensic examination and analysis tools,” in Digital Forensic Research Workshop 2002, 2002.

  • Hanan Hibshi, Timothy Vidas, Lorrie Cranor, Usability of Forensics Tools: A User Study. Sixth International Conference on IT Security Incident Management and IT Forensics, USA (2011).
  • I.J. Cox, M.L. Miller, and J.A. Bloom. Digital Watermarking. Morgan Kaufmann Publishers, 2002.
  • J. Beckett and J. Slay, “Digital forensics: Validation and verification in a dynamic work environment,” in Proceedings of the 40th Hawaii International Conference on System Sciences, 2007.
  • M.D. Kohn, M.M. Eloff, J.H.P. Eloff, Integrated digital forensic process model. computers & security 38, pp. 103-115, South Africa (2013).
  • NIST, “Computer forensics tool testing (cftt) project overview,” January 2011. 26 January 2011.
  • Ravneet Kaur, Amandeep Kaur, Digital Forensics. International Journal of Computer Applications, Volume 50 – No.5, India (2012).
  • S.-J. Wang, D.-Y.Kao, and F. F.-Y.Huang, "Procedure guidance for Internet forensics coping with copyright arguments of client-server based P2P models," Computer Standards & Interfaces, vol. 31, pp. 795-800, 2009.
  • Y. Guo and J. Slay, “A function oriented methodology to validate and verify forensic copy function of digital forensic tools,” in International Conference on Availability, Reliability and Security, 2010.

  • Y. Guo, J. Slay, and J. Beckett, “Validation and verification of computer forensic software tools - searching function,” Journal of Digital Investigation, vol. 6, pp. 12–22, 2009.