Term Paper #3: Comparing/Contrasting Computer Forensics Tools
Instructions:
Term Paper #3 is a paper comparing/contrasting computer forensics tools.
Submission Instructions:
Develop at least three areas you can utilize to compare/contrast them (pricing, performance, availability, etc.) and then select your tools and develop your paper. You must compare/contrast at least five computer forensics tools.
Submit your Term Paper in a Word file for grading.
Specific Instructions for the Term Paper:
Include a title page for your own paper. This includes the "Running Head" in the page header, the title of your paper, and your name. If you don't know how to edit a header in Word, Google for instructions on how to edit a header in the version of Word you are using and follow them. Also add the university and class information as well as the date of authoring the paper.
Next you need a Table of contents page.
The dynamic nature of the contemporary world has ushered in an era in which computers are a necessity in almost every facet of life. People have become increasingly dependent on computers, primarily for the simplicity and efficiency they bring to work. This growing reliance on computers has led to an explosion of new computer technologies, systems and software. The same progress has also produced new forms of crime in which criminals use technology to exploit existing vulnerabilities in computer systems. The field of computer forensics came into existence to maintain control and deal with the menace created by these new forms of crime. The primary role of computer forensics is to collect and examine evidence of a crime in the form of electronic data. This involves the acquisition, documentation, analysis and authentication of electronic data collected from computers and the internet, primarily to establish the validity of the evidence before it is used in court. A selection of computer forensic tools supports this work. This paper aims to examine the field of computer forensics with a close focus on the similarities and differences of various computer forensic tools.
Computer forensics tools have generally been classified into hardware and software tools. However, Lee and Soh (2020) highlighted cloud forensics tools as a third class, since data sources now extend into the virtual environment of the internet. Hardware forensics concentrates on the physical components of the computer; these physical devices house the software used in the forensic process. In contrast, software computer forensics tools are tools that require access to the suspected files on the computer. In most cases they exist as software packages, executable files, programs and applications, with GUI-based applications and command-line utilities being the basic forms of software forensics tools. These tools are used to gain access to and copy electronic data from the suspect storage. Hardware computer forensics tools are further narrowed into simple, single-use, overall-system and server tools. A good example of a hardware tool is the Forensic Recovery of Evidence Device (FRED) discussed in this paper. Tools are selected depending on the nature of the forensic work being conducted, which is why forensic experts must possess thorough knowledge of the computer hardware, the particular software functionality and its fit with the selected tool. Details of these tools are discussed in chapter 5.
Cobwebs Technologies (2020) are entirely right in stating that the most indispensable way to be effective and productive when confronting any cybercrime is to choose the right computer forensic tool for the investigation. Digital forensics can be viewed as a form of AI, mainly for navigating the complex layers of computers, their systems and the internet. Aided by the capabilities of AI tools such as Cobwebs, forensic tools can optimize cybercrime investigations by extracting precise electronic data and sifting through an unlimited amount of sensitive information in real time. The overall smoothness of the forensic process depends on the performance of the forensic tool. Generally, the digital forensic tool selected for the investigation must demonstrate superb overall performance, judged by the reliability and validity of the electronic data presented as evidence. Various factors are considered when selecting the right forensics tool:
The forensic tool must be capable of handling the nature of the computer investigation in question. Computer forensics tools must provide unmatched forensic service by retrieving and analyzing electronic data while exposing, categorizing and locating numerous malicious agents. In other cases, forensic tools should offer features such as specific alerts and notification buttons and automated forensic reports that can be extracted whenever needed. Forensic tools can be expensive, making it costly to use different tools for different functions. Depending on these factors, typical forensic tools range between $5,000 and $20,000, while others exceed $100,000 (Mikhailov, n.d.).
Computer forensics tools used in the process must be able to detect the footprint left by the malicious actor and produce vast amounts of information. The tool selected must be able to penetrate the computer system and the internet aggressively to detect any illicit networks and the risk of vulnerabilities being executed. In return, the tool must generate vast amounts of electronic data, including but not limited to timestamps, packets, network certificates, IP addresses and device identities.
Regardless of the tool's capability to handle the complexity of the forensic process, the digital forensic tool must demonstrate efficiency by delivering forensic evidence in a timely manner. Without ignoring other factors such as accuracy, use of algorithms, command-line operation and deep searches, the forensic process must be fast-tracked to speed up the court process of trial and judgment.
Other important factors include support for multiple operating systems, the security of the tool itself, the presence of analytic features, plugin support, support for multiple devices and various file formats, integrations and a user-friendly interface.
The functions of computer forensics tools include, but are not limited to, the extraction, analysis, validation and verification of electronic data. Extracted computer data must be kept safely: forensic experts must be able to verify that stored electronic data has not been accessed or tampered with, in order to preserve the reliability of the evidence in court. Forensic tools have the important role of detecting and retrieving forensic data even when it has been deleted, scrambled or protected with passwords (O'Connor, 2005). Using forensic tools, electronic data can be modified, copied and manipulated into a form that can be understood and used with the operating systems, hardware and software used in court. These tools are also critical in analyzing the status of the computer or system, including unallocated space, protected files and drives that may house forensic data needed in the court process. The general functions are narrowed down below:
Extraction is the most vital part of the forensics process. It refers to the recovery of data from whatever media the data is stored on. In most data investigations, data extraction or data recovery is the first step of analysis. A few strategies make the data recovery process easier: the ability to view data on the suspect's drives, collecting specific data for the investigation through keyword search, decompressing data and decrypting the data found. The availability of these sub-functions in a forensic tool makes the data recovery process more manageable, since viewing data in its original form and the ability to decrypt and decompress it come built into a tool that offers them.
Validation is confirmation, by examination and the provision of objective evidence, that a tool, technique or procedure functions correctly and as intended, while verification is the confirmation of validation with laboratory tools, techniques and procedures. According to Nelson et al. (2014), validation ratifies that a tool performs a function as it is supposed to, while verification enables the investigator to know whether two sets of data are the same when subjected to different methods of analysis. Behind these two processes there is a filtering process, used as a means to separate useful data from suspicious data. Legal scholarship websites for forensics indicate that a specific expected result is recorded when a particular forensic tool is used during the validation process. Verification likewise differs between tools, but has the same outcome as a standard procedure during data investigation. Some acquisition tools are preferred over others because they perform extra functions during data recovery.
Reconstruction is the process of determining the sequence of events that occurred during and after a crime. Reconstruction closely follows the extraction process and involves the ability to gather data from unallocated disk space. The data is rearranged from an allegedly deleted drive into a readable format; copies of data fragments are located, and restoration from the fragments is attempted. Consequently, the restoration and reconstruction processes differ among forensics tools. The best forensics tool is selected by considering the type of tool for the operating system in question and the functions available, with reference to the reliability of the data collected.
The digital forensics report summarizes the evidence in a criminal or civil investigation. To compile a report, data is collected from the analysis of the data gathered, and the results of the examination of the drive are put together, compared and combined into a final result. Reports are often used for several purposes, including billing, affidavits, and as proof of what was found and not found.
The grounds for comparing and contrasting the various computer forensics tools are set by the general and specific functions performed, as well as the factors considered when choosing one forensic tool over another.
Hardware and Software Tools Examples
There are many hardware forensics tools; some include:
Software tools include:
Both the Cellebrite UFED Touch 2 and MSAB XRY / MSAB XRY Field are hardware forensics tools used in mobile investigative environments. The tools are very critical for the extraction of data from dead devices. Cellebrite was developed in Israel in 1999, and the tool soon became crucial for agencies that needed to collect, analyze and manage digital data, including the nation's law enforcement agencies. MSAB XRY was developed by a Swedish company as an analogue of Cellebrite. Cellebrite was designed to work in field situations in two classes: UFED 4PC, a software analogue used mainly for data extraction on an investigative computer, and UFED Physical Analyzer, used mainly for analyzing the extracted forensic data. Conceptually, the UFED 4PC (Touch 2) extracts data from the forensic computer while the UFED Physical Analyzer assumes the role of a lab, analyzing the digital data for processing. The main advantage of the Cellebrite UFED Touch 2 is that numerous mobile devices can be worked on effectively regardless of their complexity. However, the tool may be affected by earlier unfixed bugs and lose some data in the process. In contrast, MSAB XRY works mostly with mobile PCs and desktops. It is supplied in the form of a USB hub with a set of data cables and adapters to link various devices. It offers kiosk and tablet features which have proved superb in extracting electronic data from obsolete devices; in particular, investigators benefit when extracting data from dead devices even when they are protected with passwords, fingerprints, face-lock, PINs and other features. The challenge of using MSAB XRY is encryption: the increasing use of data encryption among advanced enterprises is making the tool less reliable, as data may be extracted but its decryption becomes nearly impossible.
The Tableau T35U and the WiebeTech Forensic UltraDock v5 are the most popular write blockers in the field of computer forensics. The Tableau T35U uses a USB bus to connect the forensic computer to the investigator's computer. The investigator uses the SATA and IDE interfaces to 'read-write' the hard drives of the forensic computer and can manually identify any malicious factor on the computer. Closely comparable to the Tableau T35U, the WiebeTech Forensic UltraDock v5 accesses the forensic computer's hard drives using a larger number of interfaces, including USB, FireWire and SATA. The tool is effective in copying data even when part of the disk drive has been concealed using a device configuration overlay (DCO). However, it may not be used when an ATA password has been set on the forensic device.
EnCase Forensic and AccessData FTK have been undisputed market leaders for over 15 years. A study by Lee and Soh (2020) established a benchmark framework to compare the quality of EnCase Forensic and AccessData FTK, although the study also included SANS SIFT, which qualifies as both a mobile and an open-source forensic tool. Both tools have a complete powerhouse to acquire, analyze and report electronic data findings, and they complement each other in enhancing forensics through the numerous artifacts they handle.
EnCase Forensic has special considerations. In its standard format, EnCase acquires data by creating an image in the E01 format. The user relies on MD5 and SHA-1 hashes to authenticate data in a physical or logical acquisition and so check the reliability of the data. EnCase gives access to the analysis of numerous file systems and several operating systems because it is built with a large number of programming language scripts. The creation of images from storage and other devices is done by the AccessData FTK software (Khalaf & Varol, 2019). AccessData FTK accesses many storage systems due to its ability to handle several sorts of files. It utilizes four components: the FTK Client Interface (UI), Oracle Database, Distributed Processing Engine and Client-side Processing Engine (Sammons, 2012). AccessData FTK has access to various file formats, but only a limited number of them, thus encouraging the ownership of numerous forensic tools. Processing time becomes significant when the applications are running at the same time. This software utilizes the basic elements of data extraction, reconstruction and analysis during comparison and reconstruction.
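As an added illustration (this is not code from the paper or from EnCase, FTK or any other tool it discusses) of how the MD5 and SHA-1 acquisition hashes mentioned above, together with piecewise block hashes, let an examiner show that a working copy still matches the acquired image and, when it does not, where it differs, the following Python runs against a constructed 16 KiB sample image; the block size and the function names are assumptions made here.

```python
import hashlib

# Constructed sample "disk image" (16 KiB); not data from any real acquisition.
SOURCE_IMAGE = bytes(range(256)) * 64
# Assumed block size for piecewise hashing: one digest per 4 KiB region.
BLOCK_SIZE = 4096


def acquisition_hashes(data: bytes) -> dict:
    """Whole-image MD5 and SHA-1, the two digests recorded at acquisition
    so the image can later be authenticated against the original media."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def block_hashes(data: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Piecewise SHA-1 digests, one per block, so that a mismatch can be
    localised to a region rather than only failing the whole image."""
    return [
        hashlib.sha1(data[i:i + block_size]).hexdigest()
        for i in range(0, len(data), block_size)
    ]


def verify_copy(original: bytes, copy: bytes) -> dict:
    """Check a working copy against the acquired original.

    'authentic' is True only when both whole-image digests match.
    'changed_blocks' lists the block indexes whose piecewise hash differs
    (including blocks present in one image but missing from the other),
    which is what an examiner would report when verification fails.
    """
    authentic = acquisition_hashes(original) == acquisition_hashes(copy)
    orig_blocks = block_hashes(original)
    copy_blocks = block_hashes(copy)
    changed = [
        i for i in range(max(len(orig_blocks), len(copy_blocks)))
        if i >= len(orig_blocks) or i >= len(copy_blocks)
        or orig_blocks[i] != copy_blocks[i]
    ]
    return {
        "authentic": authentic,
        "size_match": len(original) == len(copy),
        "changed_blocks": changed,
    }


if __name__ == "__main__":
    # A clean copy verifies; a single flipped byte in block 2 is detected
    # and localised to that block without inspecting the whole image by hand.
    print(verify_copy(SOURCE_IMAGE, bytes(SOURCE_IMAGE)))
    tampered = bytearray(SOURCE_IMAGE)
    tampered[2 * BLOCK_SIZE + 10] ^= 0xFF
    print(verify_copy(SOURCE_IMAGE, bytes(tampered)))
```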
In terms of performance results, O'Connor (2005) credited EnCase. EnCase performed best in time saving, efficient use of computer resources and performance in terms of verification and validity. In contrast, AccessData FTK uses more processing time than EnCase, which consumes much of the investigator's valuable time. The two forensic tools complement each other in the capability to use record logs and bookmarks to produce reports of the analysis. They share most of the basic functions of forensic tools, namely data acquisition, analysis and reporting.
For the sake of comparison, SANS SIFT was included in the analysis. AccessData and SANS SIFT reconstruct an image from deleted files and recreate the scene of the suspect. EnCase and SANS SIFT extract data from drives and authenticate the data using numerous hashing protocols. In terms of budget friendliness and cost, Manson et al. (2007) credited SANS SIFT as the best option compared to AccessData and EnCase. Moreover, it can run multiple tools, since it runs as a stand-alone operating system; these include Autopsy and the Volatility Framework, among others. SANS SIFT is compatible with several image formats such as E01, raw and AFF, and it works in many operating systems, as efficiently in Linux as in Windows. However, during the experiment the SANS SIFT software crashed, indicating that software jams limit efficient operation: the software crashed while loading multiple programs because the system did not meet the minimum recommendations. With several forensic software packages at hand, SANS SIFT can run an investigation completely. It requires a high amount of processing power for the data verification and reconstruction programs running on it, and additional memory is required for the hash protocols enacted and space for the data recovered.
High-speed data processing has earned X-Ways credit over all existing software forensic tools in multiple fields. X-Ways, a newer software product in the market, is being embraced by investigators due to its good performance and efficiency (Lee & Soh, 2020). Scholars in the field consider X-Ways reliable, cheaper and fast in performance compared to its predecessors. It is a Windows-based distributed forensic software. Investigators in the field enjoy using the software because it is portable. It has a complex user interface that can be customized to suit the case at hand. To complete an investigation case, I would select the X-Ways forensic software to acquire, extract, reconstruct and report on the case data. X-Ways is modern software with frequent updates, thus ensuring the stability of the program through debugging and the addition of new features. X-Ways is able to run multiple instances simultaneously while sustaining data integrity with minor effects. Among the data processing functions is a live preview of the process being carried out. X-Ways gives the user a variety of filtering options, leading in all the basic forensic functions. In addition to data extraction, disk cloning and the ability to read multiple file systems make the software superior. The software operates under numerous operating systems and creates reports from lost or deleted partitions. It has access to various drives, with the added perk of being able to read and write to a drive as well as write-protect particular drives. X-Ways runs multiple scripts, gaining access to various file types and file formats. All the discussed functions of X-Ways are within the scope of recommended performance, utilizing as few resources as possible while remaining effective.
With the dynamic nature of technology, the field of computer forensics is changing at the pace of the changing dynamics of cybercrime. The advancement of forensic tools has helped bring down cybercriminals by presenting valid and uncompromisable evidence from digital data. Excellent forensic personnel must evaluate the forensic environment to select the best forensic tool to use. This paper has presented the vast scope of computer forensics with a special focus on computer forensics tools. Both hardware and software tools have been broken down into mobile and write-block examination tools. Among them, high-speed data processing has credited X-Ways forensic tools with unmatched efficiency and performance over the others.