UPM Institutional Repository

Digital forensic investigation reduction model (DIFReM) for Windows 10 OS


Citation

Shayau, Yazid Haruna (2018) Digital forensic investigation reduction model (DIFReM) for Windows 10 OS. Masters thesis, Universiti Putra Malaysia.

Abstract

The adoption of digital technology, the globalisation of the world and the move towards automation have made life easier for individuals and businesses. With the increasing use of digital devices and the internet, cybercrime is also increasing day by day, so digital forensics has become more important, and the investigator relies on the effectiveness and efficiency of digital forensic tools. ISO/IEC 27037 (a guideline published jointly by the International Organization for Standardization, ISO, and the International Electrotechnical Commission, IEC) provides guidance on identifying, collecting, acquiring, handling and preserving digital evidence, i.e. "digital data that may be of evidential value", for use in court. The six basic steps defined by the Digital Forensics Research Workshop (DFRWS) and generally followed in a forensic investigation are Identification, Preservation, Collection, Examination, Analysis and Presentation. The most important part of a Digital Forensic Investigation (DFI) is the examination of data; knowing the type and nature of the data beforehand makes this easier. Unfortunately, such helpful details are usually not available when an investigation is required, and the investigator has to "grope in the dark". The examination phase is the most challenging for an investigator: on a Microsoft Windows operating system (OS), investigators have to go through terabytes of storage containing hundreds of thousands of OS and application files gathered from a suspect's computer, most of which are irrelevant to the investigation.

We propose a data reduction model (DIFReM) and tool that helps the investigator identify modified system files, detect files inserted into system directories, and verify file integrity using hashing. We created an index of a clean Windows 10 Professional 64-bit installation and then analysed the filename, file path and hash of every file; the result was used as the DIFReM database. The tool (built in Python and C#) uses this database to examine a suspect's system for files that were added to the Windows directory or whose content was modified in the system files directory, regardless of the time the file was Modified, Accessed or Created (MACtimes). An algorithm verifies file types by looking up a file signature library and comparing each file's header with its extension, and a hash integrity comparison is performed on all files. By planting very few files (12) in such a large dataset, we made them harder to detect, but the tool detected all modified files, added files, deleted files with a modified file header, files with a changed extension and files that failed hash verification, a 100% detection rate. We believe this reduction model and its tool, geared towards Microsoft Windows 10 Professional 64-bit, is a more efficient forensic tool for that OS than the generic tools currently used, and that it opens a path for OS-specific forensic tools, which will be welcomed by many investigators because they hasten the examination phase of the digital forensic process.
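The reduction described in the abstract (a clean-install index of path and hash, compared against a suspect system, plus a header-versus-extension check) can be shown end to end in a few dozen lines. The following is an added example written for this page, not the DIFReM tool itself: the file trees are constructed in memory rather than read from disk, the signature library is a four-entry subset, SHA-256 is an assumed choice of hash, and all function names are the example's own. What it demonstrates is the security-relevant property of the approach: detection is driven by content hashes and magic bytes, so timestomping the MACtimes of a planted or patched file does not help the suspect.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

# Constructed file-signature library: leading magic bytes -> extensions that
# legitimately carry them. The thesis tool uses a much larger library; this
# subset exists only so the example runs offline.
SIGNATURES = {
    b"MZ": {"exe", "dll", "sys"},
    b"\x89PNG\r\n\x1a\n": {"png"},
    b"%PDF-": {"pdf"},
    b"PK\x03\x04": {"zip", "docx", "xlsx"},
}


def file_hash(data: bytes) -> str:
    """SHA-256 of file content (assumed hash; the abstract only says 'hashing')."""
    return hashlib.sha256(data).hexdigest()


def build_index(tree: dict[str, bytes]) -> dict[str, str]:
    """Baseline: every path of the clean installation mapped to its content hash."""
    return {path: file_hash(data) for path, data in tree.items()}


def extension_of(path: str) -> str:
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def header_matches_extension(path: str, data: bytes) -> bool | None:
    """True/False when the header is in the library, None when the header is unknown."""
    for magic, exts in SIGNATURES.items():
        if data.startswith(magic):
            return extension_of(path) in exts
    return None


@dataclass
class Report:
    added: list[str] = field(default_factory=list)       # in suspect, not in baseline
    modified: list[str] = field(default_factory=list)    # same path, hash differs
    deleted: list[str] = field(default_factory=list)     # in baseline, gone from suspect
    header_mismatch: list[str] = field(default_factory=list)  # magic bytes disagree with extension

    def flagged(self) -> list[str]:
        """The reduced set the investigator actually has to examine."""
        return sorted(set(self.added + self.modified + self.deleted + self.header_mismatch))


def reduce_tree(baseline: dict[str, str], suspect: dict[str, bytes]) -> Report:
    """Compare a suspect tree against the clean index. No timestamps are consulted,
    so altered MACtimes cannot hide a file from this comparison."""
    report = Report()
    for path, data in suspect.items():
        if path not in baseline:
            report.added.append(path)
        elif baseline[path] != file_hash(data):
            report.modified.append(path)
        if header_matches_extension(path, data) is False:
            report.header_mismatch.append(path)
    report.deleted.extend(p for p in baseline if p not in suspect)
    for lst in (report.added, report.modified, report.deleted, report.header_mismatch):
        lst.sort()
    return report


# Constructed sample trees standing in for a clean install and a suspect image.
CLEAN = {
    r"C:\Windows\System32\notepad.exe": b"MZ\x90\x00notepad-clean",
    r"C:\Windows\System32\kernel32.dll": b"MZ\x90\x00kernel32",
    r"C:\Windows\System32\ntoskrnl.exe": b"MZ\x90\x00ntoskrnl",
    r"C:\Windows\Web\Wallpaper\img0.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
    r"C:\Windows\Help\readme.pdf": b"%PDF-1.7 readme",
    r"C:\Windows\System32\drivers\etc\hosts": b"127.0.0.1 localhost",
}
SUSPECT = dict(CLEAN)
SUSPECT[r"C:\Windows\System32\notepad.exe"] = b"MZ\x90\x00notepad-patched"   # content modified
SUSPECT[r"C:\Windows\System32\ntoskrnl.exe"] = b"ZM\x90\x00ntoskrnl"          # header tampered
del SUSPECT[r"C:\Windows\System32\kernel32.dll"]                             # deleted
SUSPECT[r"C:\Windows\System32\svchost32.exe"] = b"MZ\x90\x00dropper"          # planted file
SUSPECT[r"C:\Windows\System32\spooler.dll"] = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8  # PNG disguised as DLL


def demo() -> Report:
    return reduce_tree(build_index(CLEAN), SUSPECT)


if __name__ == "__main__":
    r = demo()
    print(f"{len(r.flagged())} of {len(SUSPECT)} suspect files need examination")
    for category in ("added", "modified", "deleted", "header_mismatch"):
        print(category, getattr(r, category))
```

The practical caveat is the baseline: the index must be built from the same edition, build and patch level as the suspect machine, otherwise every file touched by a servicing update is reported as "modified" and the reduction is lost. A file whose header is not in the signature library is returned as `None` rather than flagged, so the size of that library bounds what the extension check can catch.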


Download File

FSKTM 2018 49 - IR.pdf (402kB)

Additional Metadata

Item Type: Thesis (Masters)
Subject: Microsoft Windows (Computer file)
Subject: Operating systems (Computers)
Call Number: FSKTM 2018 49
Chairman Supervisor: Dr Aziah Asmawi
Divisions: Faculty of Computer Science and Information Technology
Depositing User: Ms. Nur Faseha Mohd Kadim
Date Deposited: 17 Jun 2019 01:52
Last Modified: 17 Jun 2019 01:52
URI: http://psasir.upm.edu.my/id/eprint/69019