Thursday, March 3, 2011

A second generation computer forensic analysis system

Abstract
The architecture of existing – first generation – computer forensic tools, including the
widely used EnCase and FTK products, is rapidly becoming outdated. Tools are not keeping
pace with the increased complexity and data volumes of modern investigations. This paper
discusses the limitations of first generation computer forensic tools. Several metrics for
measuring the efficacy and performance of computer forensic tools are introduced. A set of
requirements for second generation tools is proposed. A high-level design for a (work in
progress) second generation computer forensic analysis system is presented.
© 2009 Digital Forensic Research Workshop. Published by Elsevier Ltd. All rights reserved.
1. Introduction
During the late 1990s the fledgling field of computer forensics
was enhanced by the development of the first generation of
dedicated forensic analysis tools. These tools facilitated
convenient access to and review of evidential data in a forensically safe manner. Tools such as EnCase (Guidance Software
Inc) and FTK (AccessData Corp) have become the industry
standard tools for computer forensic investigation.
First generation (general purpose) computer forensic tools
share a common architecture – application programs that
execute on desktop computers, generally under the Microsoft Windows operating system. Although database systems,
such as Oracle in the case of FTK, may be used for information storage, a first generation tool executes on a single
In the decade since the inception of first generation tools
the limitations of this architecture have become apparent.
Existing tools are failing to keep pace with the increasing
complexity and evidential volumes of modern computer
forensic investigations (Roussev and Richard, 2004).
In recent years researchers and tool vendors have
proposed incremental improvements upon the first generation architecture. These improvements have focussed on
increasing the computing capacity available so as to speed up
forensic analysis. Roussev and Richard (2004, 2006) proposed
a prototype system, DELV, that spread forensic processing
workload across a commodity Beowulf cluster with evidence
data stored on a central file server and in the main memory of
cluster nodes. AccessData Corporation have announced
a ‘‘Professional’’ version of their FTK 2 product that supports
multiple processing nodes connected to a central database
and analysis workstation.
The use of parallel processing to provide additional processing capacity is an important advance in computer forensic
tools. However, this addresses only one of the significant
limitations of first generation tools, and for that reason I
describe such tools as ‘‘Generation 1.5’’. Other issues such as
tool reliability, auditability, data abstraction, efficient data
storage and repeatability of results must also be addressed if
computer forensic tools are to truly move into a ‘‘second

