I. INTRODUCTION
http://www.tracksinspector.com
http://computer-forensics.sans.org/community/downloads
The hashes host process controls hash lists. These lists can
be predefined, e.g. the NIST list, or they can be uploaded by
an administrator. All files that are hashed during processing are
compared with the known hashes in the hashes host. This can
be used, for example, for default system files or for known hashes
of illegal material. If matches are found, the nodes are tagged
with a predefined tag.
The session host manages the user session at the front-end.
It bridges the gap between the front-end host and the evidence
database. The case and user information are cached at the
session host to reduce the number of RPC calls.
The case host and its associated database manage the cases
that are added by the users in the front-end. Case
administrators can link evidence units to a specific case.
The user host stores all front-end user information, such as the
session and the user's privileges and roles. User privileges can
differ per case.
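The hash-list matching described above, as an added example that is not Tracks Inspector's own code: a known-hash index is built from an uploaded list (the NIST set would be loaded the same way), every file is digested once with all algorithms the list uses, and matching nodes receive the list's predefined tag. The file contents and hash entries are constructed here.

```python
import hashlib
import io

# Constructed stand-ins for evidence files met during processing (not real data).
SAMPLE_FILES = {
    "C:/Windows/System32/notepad.exe": b"stand-in bytes for a stock system binary",
    "D:/photos/img_001.jpg": b"stand-in bytes for a flagged picture",
    "D:/docs/notes.txt": b"ordinary user text with no known hash",
}

# Constructed hash list in the "algorithm, digest, tag" shape an administrator
# would upload; a real deployment would load e.g. the NIST list. Mixed case is
# deliberate, to show that lookups normalise it.
KNOWN_HASH_LIST = [
    ("SHA256",
     hashlib.sha256(SAMPLE_FILES["C:/Windows/System32/notepad.exe"]).hexdigest().upper(),
     "known-system-file"),
    ("md5",
     hashlib.md5(SAMPLE_FILES["D:/photos/img_001.jpg"]).hexdigest(),
     "known-illegal-material"),
]


def load_hash_list(entries):
    """Index (algorithm, digest) -> tag, normalising case so uploaded lists match."""
    return {(algo.lower(), digest.strip().lower()): tag for algo, digest, tag in entries}


def digest_stream(stream, algorithms, chunk_size=64 * 1024):
    """Compute every requested digest in one pass, so large evidence is read once."""
    hashers = {algo: hashlib.new(algo) for algo in algorithms}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for hasher in hashers.values():
            hasher.update(chunk)
    return {algo: hasher.hexdigest() for algo, hasher in hashers.items()}


def tag_nodes(files, index):
    """Return {path: [tags]} for every file whose digest is in the known-hash index."""
    algorithms = sorted({algo for algo, _ in index})
    tagged = {}
    for path, data in files.items():
        digests = digest_stream(io.BytesIO(data), algorithms)
        tags = sorted({index[key] for key in digests.items() if key in index})
        if tags:
            tagged[path] = tags
    return tagged
```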
http://www.lighttpd.net/
https://www.djangoproject.com/
5 http://www.guidancesoftware.com/
6 http://www.cellebrite.com
Category | Filetype
Audio | AAC, MP3, WAV, WAVE, WMA
Compressed / Archive Files | EAR, GZ, JAR, RAR, REV, WAR, XPI, ZIP
E-mail message | EML, MHT, MSG, OST, PST
Spreadsheet | ODS, XLS, XLST, XLT, XLTX
Document | DOC, DOCM, DOCX, DOT, DOTM, DOTX, ODT, OTT, PDF, RTF, WPD, WP, WPn, WRI
Presentation | POT, POTX, PPS, PPSX, PPT, PPTM, PPTX
Picture | BMP, DIB, GIF, ICON, JIF, JFI, JFIF, JPE, JPEG, JPG, PGA, PNG, SVG, TIF, TIFF, XGA
Video | 3G2, 3GP, ASF, AVI, F4A, F4B, F4P, F4V, FLV, M4A, M4B, M4R, M4P, M4V, MK3D, MKA, MKS, MKV, MP4, MOV, MPE, MPEG, MPG, QT, SWF, WM, WMA, WMV
Misc | IE History file, Windows Registry files, Chrome / FF History files (SQLite), Digital Business card (VCF, VCARD)
Documents
The most common Microsoft / Open Office document types for
word processing, spreadsheets and presentations are supported,
and metadata, e.g. the author field, is extracted.
http://www.msab.com/xry/what-is-xry
E-mail archives
A variety of e-mail archive formats is supported, for
example Microsoft Office Outlook PST/OST, MBOX and
Thunderbird. In addition to these e-mail archive formats,
single e-mail file formats such as MSG and EML are also
supported. Lotus Notes NSF e-mail is currently not supported
and needs to be converted before it is presented to Tracks
Inspector.
Data archives
Tracks Inspector processes (compressed) data archives as if
they were folders. The archives are extracted and their contents
are analyzed as a folder with subfolders. The
archives are scanned for password protection and
use of cryptography. Multi-part archives are supported, as
are archives within archives, archives in e-mail attachments,
e-mails in archives, etc.
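The archive handling described above, as an added example that is not Tracks Inspector's own code: a zip is walked as if it were a folder, nested archives are descended into (with a depth bound so pathological nesting cannot run unbounded), e-mails inside archives are recognised, and entries whose general-purpose flag marks them as encrypted are reported rather than read. The sample archive is constructed in memory; because Python's zipfile cannot write encrypted entries, the encrypted bit on one entry is patched into the central directory by hand.

```python
import io
import zipfile

ENCRYPTED_FLAG = 0x0001  # bit 0 of the zip general-purpose flags


def build_sample_archive():
    """Constructed evidence: an outer zip holding a document, a nested zip with an
    e-mail inside, and one entry whose encrypted flag is patched in by hand."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("mail/report.eml", b"Subject: figures\r\n\r\nbody")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("docs/plan.docx", b"stand-in document bytes")
        zf.writestr("backup.zip", inner.getvalue())
        zf.writestr("secret.txt", b"stand-in for ciphertext")
    data = bytearray(outer.getvalue())
    pos = data.find(b"PK\x01\x02")  # central-directory file header signature
    while pos != -1:
        name_len = int.from_bytes(data[pos + 28:pos + 30], "little")
        if data[pos + 46:pos + 46 + name_len] == b"secret.txt":
            data[pos + 8] |= ENCRYPTED_FLAG  # flags field is at offset 8
        pos = data.find(b"PK\x01\x02", pos + 4)
    return bytes(data)


def walk_archive(blob, prefix="", depth=0, max_depth=8):
    """List an archive as if it were a folder, descending into nested archives;
    encrypted entries are reported, not read, and nesting depth is bounded."""
    if depth > max_depth:
        return [(prefix, "max-depth-exceeded")]
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            path = prefix + info.filename
            if info.flag_bits & ENCRYPTED_FLAG:
                findings.append((path, "encrypted"))
                continue
            content = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(content)):
                findings.append((path, "archive"))
                findings.extend(walk_archive(content, path + "/", depth + 1, max_depth))
            elif path.lower().endswith((".eml", ".msg")):
                findings.append((path, "email"))
            else:
                findings.append((path, "file"))
    return findings
```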
Images, Video and Audio files
Most well-known MIME types for image formats are
supported. The EXIF (metadata) information is extracted as
well to give additional information about the image. Most
popular video and audio types are also supported, including
typical mobile phone formats.
Internet history
The Internet history of most modern browsers is
recognized and analyzed. This data is extracted from the
history files stored on disk. For Internet Explorer
[12] the data is extracted per day, per week and overall. With
this information a detailed timeline can be generated to give
an overview of the browsing behavior of users. This
[1] Alink, W., Bhoedjang, R., Boncz, P., de Vries, A., 2006. Xiraf: xml-based indexing and querying for digital forensics. Digital Investigation 3, 50–58.
[2] ArxSys, 2012. Open source digital investigation framework. http://www.digital-forensic.org/. Last visited February 2013.
[3] Brooke, J., 1996. "SUS: a "quick and dirty" usability scale". In P. W. Jordan, B. Thomas, B. A. Weerdmeester, & A. L. McClelland. Usability Evaluation in Industry. London: Taylor and Francis.
[4] Bunting, S., Wei, W., 2006. EnCase computer forensics: the official EnCE: EnCase certified examiner study guide. Sybex.
[5] Casey, E., 2012. Automation and artificial intelligence in digital forensics. EAFS2012 Abstract published in http://www.eafs2012.eu/sites/default/files/files/abstract book eafs2012.pdf.
[6] AccessData, 2012. Forensic toolkit 4 whitepaper. http://accessdata.com/downloads/media/FTK DataSheet web.pdf. Last visited February 2013.
[7] Doe, R., 2010. The e-discovery reference model (EDRM): the review stage.
[8] Garfinkel, S., 2006. Forensic feature extraction and cross-drive analysis. Digital Investigation 3, 71–81.
[9] Grossman, M., Cormack, G., 2011. Technology-assisted review in e-discovery can be more effective and more efficient than exhaustive manual review. Rich. JL & Tech. 17, 1116.
[10] Henseler, J., 2012. Swiping through digital evidence. EAFS2012 Abstract published in http://www.eafs2012.eu/sites/default/files/files/abstract book eafs2012.pdf.
[11] Henseler, J., Hofste, J., van Keulen, M., 2013. Computer assisted extraction, merging and correlation of identities. Submitted to ICAIL 2013.
[12] Wilson, C., 2009. Netanalysis forensic internet history analysis.