Faiz, M., & Prabowo, W. (2018). Comparison of Acquisition Software for Digital Forensics
Purposes. Kinetik: Game Technology, Information System, Computer Network, Computing,
Electronics, and Control, 4(1). doi:http://dx.doi.org/10.22219/kinetik.v4i1.687
Receive August 23, 2018; Revise November 04, 2018; Accepted November 09, 2018
KINETIK, Vol. 4, No. 1, February 2019, Pp. 37-44
ISSN: 2503-2259; E-ISSN: 2503-2267
Comparison of Acquisition Software for Digital Forensics Purposes
Muhammad Nur Faiz*1, Wahyu Adi Prabowo2
1,2 IT Telkom Purwokerto / Informatics
faiz@ittelkom-pwt.ac.id*1, wahyuadi@ittelkom-pwt.ac.id2
Abstract
Digital forensics is a term that has become increasingly popular with the growth of Internet use and of cybercrime. Cybercrime is criminal activity that uses digital media as the tool for committing the crime, and the process of uncovering it is called digital forensics. The initial stage of digital forensics is acquisition. The acquisition phase is very important because it determines how difficult or easy the subsequent investigation of the cybercrime will be. The acquisition software affects the artefacts left behind and may even overwrite important evidence, so investigators must use the best software for the acquisition stage. This study shows the differences between Random-Access Memory (RAM) acquisition software in processing time, memory usage, registry keys and DLLs, in order to identify the best one. Five acquisition tools are examined: FTK Imager, Belkasoft RAM Capturer, Memoryze, DumpIt and Magnet RAM Capture. The results show that FTK Imager left about 10 times more artefacts than DumpIt and Memoryze, and that Magnet RAM Capture left the most artefacts, 4 times more than Belkasoft RAM Capturer. The tools leaving many artefacts are Magnet RAM Capture and FTK Imager; DumpIt is the fastest, while Magnet RAM Capture takes the longest time.
Keywords: Acquisition, Artefacts, Digital Forensics, Software
1. Introduction
Cybercrime can be defined as a crime committed in cyberspace using computer media. The disclosure of cybercrime is known as digital forensics [1]. Digital forensics is a branch of forensic science pertaining to legal evidence found in computers and digital storage media (such as flash drives, hard disks or CD-ROMs), electronic documents (such as email messages, video or JPEG files) or even a series of data packets in a network [2]. The involvement of such a device in a computer crime is of three kinds: the computer is the target, the computer is the means of committing the crime, or the computer functions as storage for all the information related to a criminal offence [3]. Digital forensics (computer forensics) is a discipline that searches for digital evidence with scientific methods for the identification, preservation, extraction and documentation of digital evidence derived from digital sources, to enable successful prosecution. The goal of digital forensics is to obtain legal evidence found in digital media [4].
The initial process of digital forensics is the data acquisition phase, in which investigators make a perfect copy of the storage medium and of Random Access Memory [5]. Investigators should be aware that this data can change quickly. Because many techniques take a long time and require expensive software and specialized training, investigators tend to choose a particular expertise in the field, one of which is live forensics. Live forensics is a technique in the data acquisition phase that needs a computer that is powered on; the data running on that computer is also called volatile data [6]. The success of an investigation depends on the quality of the data collected. The quality of the copied data lies in the completeness of its information, such as access information, time and users; data quality is also affected by the artefacts (registry keys, DLLs) left by the acquisition software [7]. Processing time, DLLs, registry keys and memory usage all impact the potential evidence. Data stored in RAM is easily changed, and it cannot be recovered after the user turns off the computer [8]. The forensic artefacts left by a web browser after the end of a session are not just a list of web visits, cookies and downloads; they also contain the sites the user visited, the time and frequency of access, and the search engine keywords used. When conducting a digital investigation of a system, investigators may collect evidence from these artefacts [9]. Investigators should distinguish tools that can only collect data from those that can also analyze it. There are toolkits on the market that allow collecting digital evidence from computers, such as from RAM and disk [10]. Figure 1 shows the responses of 41 respondents in the USA about the acquisition software they use for digital forensics. FTK Imager ranked first with 23%, then Memoryze second with 21%, ProDiscover with 16% and Belkasoft with 10%, while DumpIt and Windows Memory Reader each account for only 7% of the 41 respondents [7].
Figure 1. The Use of Software Acquisition Forensics
The information or data that can be found by analyzing RAM depends on the computer and operating system used [5]. The most valuable information includes: active processes, information about open files, registry keys, information about network activity, the drivers used, user logins, passwords and cryptographic keys, hidden processes and data, malware, temporary data, portable applications (applications that are not installed on the computer itself but only run on it), usage sessions and much other important information [11] [12]. By Windows version, Windows 10 is used on 42.37% of machines and Windows 7 on 42.14%, followed by Windows 8.1 at 8.59% and Windows XP at 3.66%. The worldwide use of each Windows version can be seen in Figure 2 [13].
Figure 2. Windows Version Market Share 2017-2018
Forensic Toolkit Imager (FTK Imager) [14] is a freeware forensic tool developed by AccessData that supports digital researchers in conducting complete computer forensic examinations: obtaining a forensic image of both physical and logical memory, reading the forensic image, decrypting data and reporting digital evidence. Memoryze is a freeware forensic tool developed by Mandiant. Memoryze can not only acquire physical memory from a Windows system but also perform analysis of live memory while the computer is running. All analyses can be done either on the acquired image or on a live system [15]. DumpIt is a freeware command-line tool developed by MoonSols. This tool allows the acquisition of physical memory and saves the result as a raw file for later analysis [16]. Belkasoft Live RAM Capturer is a small and very powerful tool for acquiring the memory of the operating system. An excellent feature of Belkasoft Live RAM Capturer is that it manages to acquire memory from systems with anti-debugging and anti-dumping protection enabled [17]. Magnet RAM Capture is a freeware tool designed to capture the computer's memory, allowing researchers to recover and analyze valuable artefacts and activities that are not usually stored on the local hard disk [18].
2. Related Work
Results from the research of Aljaedi et al. in [19] show the effect of running a live response forensic toolkit, which in some cases changed the volatile data environment significantly and could overwrite potential evidence. Memory image analysis is also used as an alternative approach that helps reduce the risk of losing volatile evidence. This comparative analysis calls attention to the ability of both methods to retrieve and recover volatile data. Hausknecht et al. in [12] show and explain the importance of live forensic data and the artefacts that can be found, as well as the methods and tools used to extract and analyze data from RAM. They also show that in some forensic investigations the data contained in RAM can hold sufficient evidence to settle the whole case. McDown et al. in [7] find that the selection of acquisition software greatly affects the quality of the data copied. Their research analyzed the memory footprint of seven acquisition tools running on Windows 7: FTK Imager, Belkasoft RAM Capturer, ProDiscover, Windows Memory Reader, WinEn, DumpIt and Memoryze. RAM usage while each tool was running showed different results. The artefacts left by FTK Imager Pro were 10 times more than those of Belkasoft and Windows Memory Reader, 8 times more than WinEn, and 5 times more than DumpIt and Memoryze. These artefacts can overwrite important forensic content in RAM, which negatively affects the investigation. Campbell in [20] tested four tools (Windows Memory Reader, WinPmem, FTK Imager and DumpIt) against two criteria, impact and completeness. WMR and DumpIt were found to have the least impact and also showed the greatest accuracy throughout the experiment.
Belsare and Sinha in [21] showed that software and hardware for the acquisition and storage of live memory, capturing the processes that occur while a system is running, are widely available. The use of hardware has no impact on the acquired data, but the price of this method is too expensive, while the use of software methods does have an impact on the data obtained. The purpose of their research is an algorithm that makes the collected data authentic and acceptable in court. Meera, Isaac and Balan in [22] state that cybercrime will thrive on virtual machines and that the techniques used must be appropriate, such as an acquisition technique for VMware that obtains its live internal files and analyzes the files obtained from the raw data stored at various granularities.
Kolhe and Ahirao in [23] examined tools for acquisition in live and dead forensics. Whether the live or dead method is used depends on the target. Their research sets out the advantages and disadvantages of both methods, using acquisition tools as the comparison. The results of that study recommend the live forensics method because it is the best way to investigate in a short time: it takes only the data in running RAM, which is far more effective than dead forensics.
Based on previous research, it can be concluded that comparisons of acquisition software have been done by McDown, Varol, Carvajal and Chen, but the software tested was different from this study. The results of this study are expected to help investigators in determining the best acquisition software, so that they do not leave many artefacts, because artefacts impact important evidence.
3. Methodology
The method used to compare the five acquisition tools is the proposed Live Forensics Image Acquisition flow, as shown in Figure 3.
This research begins with a powered-on device, followed by the acquisition and completion stages. In the acquisition phase, memory usage, processing time, DLLs and registry keys are examined, because these determine the artefacts left behind. Experiments were performed on a physical device: a laptop with an Intel(R) Core(TM) i3-2350M CPU @ 2.30GHz, 4 GB DDR3 SO-DIMM RAM, a 250 GB hard disk and a 1.5 TB Seagate hard disk, running the 64-bit Windows 10 operating system, with the tools FTK Imager Lite 3.1.1, DumpIt v1.3.2.20110401, Belkasoft RAM Capturer, Magnet RAM Capture v1 and Memoryze version 3.0.0. The experiment was not connected to the Internet, to prevent Internet services from changing the data in memory.
Figure 3. Live Forensics Image Acquisition Proposed
4. Results and Discussion
The experiments carried out in this research aim to determine the memory usage, the DLLs used, the processing time and the changes in registry keys when running these tools. The acquisition process on RAM is very important because the data must be kept clean of the tools used by the investigator.
Figure 4 shows the acquisition process with DumpIt, run via the command line on Windows; it then shows the DumpIt layout and the imaging process. The RAM capacity is 4862 MB and all data on it is recorded by the acquisition process in a file with the RAW extension. Memoryze is an acquisition tool whose RAM usage, 2600 K, is shown in Figure 5 as seen in the Windows Task Manager. Process Explorer also shows the application's RAM usage, as shown in Figure 6.
Figure 4. Acquisition Process Using DumpIt
Figure 5. RAM Usage of Memoryze by Windows Task Manager
Figure 6. RAM usage of Memoryze by Process Explorer
Figure 7 shows all of the keys used to run FTK Imager; these keys remain in RAM, which is useful for a forensic process. The registry records all logs of program use, including access time, running and even modifying the program. FTK Imager uses 13.736 KB of RAM, because FTK Imager is multithreaded and therefore takes a lot of RAM. DumpIt uses the smallest amount of RAM, 692 KB, because it runs on the command line and so takes up little RAM, as shown in Figure 8.
Figure 9 shows the time difference in the acquisition process of the five tools. Of the five, DumpIt has the fastest time, 184.54 s, compared to the other tools, and Magnet RAM Capture the slowest, 220.24 s. From the different DLLs used and the registry keys changed when running the software, Magnet RAM Capture uses the most DLLs, 285, and changes 98 registry keys, while DumpIt uses the fewest DLLs, 44, and only 4 registry keys. This makes DumpIt the best in terms of artefacts left in the operating system, as shown in Figure 10.
Table 1 shows that the tools with small memory usage are DumpIt, Memoryze and Belkasoft RAM Capturer. FTK Imager has the highest memory usage at 117 MB, while DumpIt has the lowest at 10.9 MB. Magnet RAM Capture takes the longest processing time for the acquisition of 4 GB of RAM, 220.24 s, while Memoryze takes only 184.54 s. Magnet RAM Capture uses the most registry keys, 98, while DumpIt needs only 4. Magnet RAM Capture also uses the most DLLs, 285, while DumpIt uses only 44.
Figure 7. Analysis Key of FTK Imager
Figure 8. RAM Usage Acquisition Tools
Figure 9. Processing Time Acquisition Software
Figure 10. DLL and Registry Key of Acquisition Software
Table 1. Comparison of Acquisition Software

Tools                    Memory Usage (MB)   Processing Time (second)   Registry Key   DLL
FTK Imager               117                 198.65                     59             270
Belkasoft RAM Capturer   18                  186.22                     9              56
Magnet RAM Capture       76                  220.24                     98             285
DumpIt                   10                  185.6                      4              44
Memoryze                 13                  184.54                     7              71
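As an added example (not code from the paper), the following Python harness reproduces the comparison procedure of Section 3 and Table 1: it times an acquisition command, records the child's peak resident memory, diffs host snapshots of loaded DLLs and registry keys taken before and after the run, hashes the produced image so the copy can be verified later, and ranks tools by the artefacts they leave. It assumes a POSIX host for the `resource` module (on Windows a library such as psutil would supply the peak memory), a hypothetical `take_after` collector callback for the post-run snapshot, and constructed snapshots and a constructed stand-in "tool" in place of the real acquisition software.

```python
import hashlib
import resource
import subprocess
import sys
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class Snapshot:
    # Loaded modules (DLLs) and registry keys present on the host at one instant.
    # On Windows these come from Process Explorer / a registry export (assumed collector).
    modules: frozenset
    registry_keys: frozenset


@dataclass
class Footprint:
    # One row of the paper's Table 1, plus a hash of the acquired image.
    tool: str
    processing_time_s: float
    memory_usage_mb: float
    registry_keys: int
    dlls: int
    image_sha256: str = ""

    def artefacts(self) -> int:
        # Artefact count as the paper uses it: DLLs plus registry keys left behind.
        return self.dlls + self.registry_keys


def diff_snapshots(before: Snapshot, after: Snapshot) -> tuple:
    # Registry keys and modules that exist after the run but not before.
    return (len(after.registry_keys - before.registry_keys),
            len(after.modules - before.modules))


def sha256_file(path: Path) -> str:
    # Hash the image so the copy can later be shown to be unchanged.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def run_and_measure(tool: str, cmd: list, image: Path,
                    before: Snapshot, take_after) -> Footprint:
    # Run one acquisition command offline, time it, read the child's peak resident
    # set and diff the host snapshots taken before and after the run.
    # take_after is a hypothetical collector callback returning the post-run Snapshot.
    start = time.perf_counter()
    subprocess.run(cmd, check=True)
    elapsed = time.perf_counter() - start
    # ru_maxrss for RUSAGE_CHILDREN is the largest peak RSS of any child so far
    # (KiB on Linux), so start a fresh harness process per tool to keep it per-tool.
    peak_mb = resource.getrusage(resource.RUSAGE_CHILDREN).ru_maxrss / 1024
    keys, dlls = diff_snapshots(before, take_after())
    return Footprint(tool, elapsed, peak_mb, keys, dlls, sha256_file(image))


def rank(footprints: list) -> list:
    # Fewest artefacts first; ties broken by processing time, then memory usage.
    return sorted(footprints, key=lambda f: (f.artefacts(), f.processing_time_s,
                                             f.memory_usage_mb))


def table1_footprints() -> list:
    # The five tools with the values reported in Table 1 of the paper.
    return [Footprint("FTK Imager", 198.65, 117, 59, 270),
            Footprint("Belkasoft RAM Capturer", 186.22, 18, 9, 56),
            Footprint("Magnet RAM Capture", 220.24, 76, 98, 285),
            Footprint("DumpIt", 185.6, 10, 4, 44),
            Footprint("Memoryze", 184.54, 13, 7, 71)]


def demo_run() -> Footprint:
    # Measure a constructed stand-in "tool" that writes a 1 MiB raw image.
    with tempfile.TemporaryDirectory() as d:
        image = Path(d) / "ram.raw"
        cmd = [sys.executable, "-c",
               f"open({str(image)!r}, 'wb').write(bytes(1 << 20))"]
        # Constructed snapshots: the stand-in leaves one DLL and one key behind.
        before = Snapshot(frozenset({"ntdll.dll", "kernel32.dll"}),
                          frozenset({r"HKCU\Software"}))
        after = Snapshot(before.modules | {"acqtool.dll"},
                         before.registry_keys | {r"HKCU\Software\AcqTool"})
        return run_and_measure("stand-in", cmd, image, before, lambda: after)


if __name__ == "__main__":
    print(demo_run())
    for fp in rank(table1_footprints()):
        print(f"{fp.tool:24s} artefacts={fp.artefacts():3d} time={fp.processing_time_s} s")
```

Running the ranking over the Table 1 values orders the tools DumpIt, Belkasoft RAM Capturer, Memoryze, FTK Imager, Magnet RAM Capture, matching the paper's reading that DumpIt leaves the fewest artefacts and Magnet RAM Capture the most.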
5. Conclusion
Volatile data in RAM is very important in the digital forensic investigation process, because errors in volatile data acquisition can potentially overwrite evidence, and tool selection is also a determinant of the investigator's success in obtaining the first evidence. This research presents five acquisition tools compared on processing speed, artefacts left behind and RAM usage. The five forensic acquisition tools analyzed were FTK Imager, Memoryze, Belkasoft RAM Capturer, Magnet RAM Capture and DumpIt. As a result of this study, FTK Imager left around 10 times more artefacts than DumpIt and Memoryze. Magnet RAM Capture left the most artefacts, four times more than Belkasoft RAM Capturer. The tools leaving many artefacts are Magnet RAM Capture and FTK Imager; the fastest is DumpIt and the one taking the longest time is Magnet RAM Capture. A suggestion for future research is to compare with hardware acquisition and with other operating systems, using software commonly used by digital forensics investigators.
References
[1] K. K. Sindhu and B. Meshram, “Digital Forensic Investigation using WinHex Tool,” International Journal of Computer Science and Technology, Vol. 3, No. 1, Pp. 1-7, 2012.
[2] N. R. Syambas and N. El Farisi, “Two-Step Injection Method for Collecting Digital Evidence in Digital Forensics,” Journal of ICT Research and Applications, Vol. 8, No. 2, Pp. 141-156, 2014.
[3] F. Gianni and F. Solinas, “Live digital forensics: Windows XP vs Windows 7,” 2013 2nd International Conference on Informatics and Applications (ICIA), Pp. 1-6, 2013.
[4] M. M. Nasreldin, M. El-Hennawy, H. K. Aslan, and A. El-Hennawy, “Digital Forensics Evidence Acquisition and Chain of Custody in Cloud Computing,” IJCSI International Journal of Computer Science Issues, Vol. 12, No. 1, Pp. 153-160, 2015.
[5] M. Kaur, N. Kaur, and S. Khurana, “A Literature Review on Cyber Forensic and its Analysis Tools,” International Journal of Advanced Research in Computer and Communication Engineering, Vol. 5, No. 1, Pp. 23-28, 2016.
[6] M. N. Faiz, R. Umar, and A. Yudhana, “Analisis Live Forensics Untuk Perbandingan Keamanan Email Pada Sistem Operasi Proprietary,” Jurnal Ilmiah ILKOM, Vol. 8, No. 3, Pp. 242-247, 2016.
[7] R. J. McDown, C. Varol, L. Carvajal, and L. Chen, “In-Depth Analysis of Computer Memory Acquisition Software for Forensic Purposes,” Journal of Forensic Sciences, Vol. 61, No. 1, Pp. 110-116, 2016.
[8] S. Thongjul and S. Tritilanunt, “Analyzing and Searching Process of Internet Username and Password Stored in Random Access Memory (RAM),” 2015 12th International Joint Conference on Computer Science and Software Engineering (JCSSE), Pp. 257-262, 2015.
[9] U. Rusydi, A. Yudhana, and M. N. Faiz, “Experimental Analysis of Web Browser Sessions Using Live Forensics Method,” International Journal of Electrical and Computer Engineering, Vol. 8, No. 5, Pp. 5, 2018.
[10] P. Lallement, “The Cybercrime Process: An Overview of Scientific Challenges and Methods,” International Journal of Advanced Computer Science and Applications, Vol. 4, No. 12, Pp. 72-78, 2013.
[11] M. H. Ligh, A. Case, J. Levy, and A. Walters, “The Art of Memory Forensics,” Indianapolis: Wiley Publishing, Inc., 2013.
[12] K. Hausknecht, D. Foit, and J. Burić, “RAM Data Significance in Digital Forensics,” 38th International Convention on Information and Communication Technology, Electronics and Microelectronics (MIPRO 2015) Proceedings, Pp. 1372-1375, 2015.
[13] StatCounter Global Stats, “Windows Version Market Share Percentage (July 2017 - July 2018),” 2018.
[14] AccessData, “FTK Imager,” Lindon: AccessData Group, 2016.
[15] P. Hazel, “Mandiant Memoryze User Guide,” Mandiant, Cambridge, Pp. 133, 2008.
[16] A. Borges, “Memory Acquisition,” 2015.
[17] R. Dave, N. R. Mistry, and M. S. Dahiya, “Volatile Memory Based Forensic Artifacts & Analysis,” International Journal for Research in Applied Science and Engineering Technology, Vol. 2, No. I, Pp. 120-124, 2014.
[18] T. Willett, “Forensic Image Acquisition Process – Windows,” 2017.
[19] A. Aljaedi, D. Lindskog, P. Zavarsky, R. Ruhl, and F. Almari, “Comparative Analysis of Volatile Memory Forensics,” IEEE International Conference on Privacy, Security, Risk and Trust and IEEE International Conference on Social Computing, Pp. 1253-1258, 2011.
[20] W. Campbell, “Volatile Memory Acquisition Tools: A Comparison Across Taint and Correctness,” Australian Digital Forensics Conference, Pp. 9-19, 2013.
[21] J. Belsare and A. Sinha, “Live Memory Forensic Analysis,” International Journal on Recent and Innovation Trends in Computing and Communication, Vol. 3, No. 5, Pp. 2775-2778, 2015.
[22] V. Meera, M. M. Isaac, and C. Balan, “Forensic Acquisition and Analysis of VMware Virtual Machine Artifacts,” Proc. 2013 IEEE International Multi-Conference on Automation, Computing, Communication, Control and Compressed Sensing (iMac4s 2013), Pp. 255-259, 2013.
[23] M. Kolhe and P. Ahirao, “Live Vs Dead Computer Forensic Image Acquisition,” International Journal of Computer Science and Information Technologies, Vol. 8, No. 3, Pp. 455-457, 2017.
... By tailoring image acquisition methods to accommodate the specific requirements and nuances of individual systems, the investigation could be conducted with greater precision and thoroughness, thereby enhancing the forensic process's robustness and dependability. The rationale for this methodology is predicated on deliberately constraining the resources within the experimental configuration and conducting a meticulous assessment of the operating system's dependability [15]. ...
Preprint
Full-text available
The main goal of this research project is to evaluate the effectiveness and speed of open-source forensic tools for digital evidence collecting from various Internet-of-Things (IoT) devices. The project will create and configure many IoT environments, across popular IoT operating systems, and run common forensics tasks in order to accomplish this goal. To validate these forensic analysis operations, a variety of open-source forensic tools covering four standard digital forensics tasks. These tasks will be utilized across each sample IoT operating system and will have its time spent on record carefully tracked down and examined, allowing for a thorough evaluation of the effectiveness and speed for performing forensics on each type of IoT device. The research also aims to offer recommendations to IoT security experts and digital forensic practitioners about the most efficient open-source tools for forensic investigations with IoT devices while maintaining the integrity of gathered evidence and identifying challenges that exist with these new device types. The results will be shared widely and well-documented in order to provide significant contributions to the field of internet-of-things device makers and digital forensics.
... Muhammad Nur Faiz dengan judul penelitian "Comparison of Acquisition Software for Digital Forensics Purposes" peneliti melakukan penelitian perbandingan perangkat lunak akuisisi terbaik terhadap random access memory berdasarkan waktu proses, penggunaan memory, registry dan lain sebagainya, penelitian tersebut membandingkan perangkat lunak FTK Imager, Belkasoft, RAM Capturer, Memoryze, Dumpit, Magnet RAM Capturer, hasil penelitian tersebut adalah FTK Imager tertinggal 10 kali artifak dari Dumpit dan Memoryze, dalam hal menangkap artifak Magnet RAM 4 kali lebih banyak dari Belkasoft dan Ram Capturer [13]. Lubis Panjaitan dengan judul penelitian "Analisis Perbandingan Aplikasi Open Source Forensic Image untuk Akuisisi Bukti Digital Ke Dalam Bentuk Image File" meneliti tentang perbandingan tools IT forensic dengan membandingkan fitur dari masing-masing tools yaitu: Winhex, FTK Imager, Encase, Registry Recon dan Belkasoft, hasil penelitian tersebut adalah tools IT forensic yang disarankan berupa Winhex dan Belkasoft Evidence Center [14]. ...
Article
Full-text available
Perkembangan teknologi berbanding lurus dengan kasus kejahatan siber (cybercrime),hal tersebut menjadi kunci perkembangan modus-modus dalam kejahatan siber, namun dapat dipastikan kejahatan tersebut akan meninggalkan jejak pada barang bukti, agar penyidik dapatleluasa melakukan penyidikan, barang bukti harus di duplikasi terlebih dahulu, namun hanyasedikit yang dapat berjalan pada sistem operasi linux. Tujuan penelitian ini adalah untukmelakukan analisis dan menemukan perbedaan kinerja diantara perangkat lunak forensicimaging pada sistem operasi linux tersebut dengan indikator keberhasilan duplikasi harussesuai dengan keaslian barang bukti. Metode yang digunakan static forensic sertamenggunakan kerangka kerja National Institute of Standards and Technology (NIST). Hasilpenelitian ini menemukan bahwa proses imaging FTK imager lebih cepat 2 menit 18 detik dariperangkat lunak dc3dd dan 12 detik dari DDrescue, DDrescue merupakan perangkat lunakyang menggunakan resource paling sedikit, validasi nilai hashing sha1 pada analisis hasilimaging file perangkat lunak DC3DD, DDrescue dan FTK Imager adalah sama atau valid, haltersebut membuktikan bahwa perangkat lunak tersebut mampu melakukan imaging dan dapatdigunakan untuk mengakuisisi barang bukti kasus kejahatan siber di persidangan.
... A study in [12] compared four tools, namely Windows Memory Reader, Belkasoft"s Live Ram Capturer, ProDiscover, and FTK Imager, to examine their performance in capturing memory including their ease of use. Another study in [13] showed the differences in processing time, memory usage, registry key, and DLL for FTK Imager, Belkasoft RAM Capturer, Memoryze, DumpIt, and Magnet RAM Capturer. Similarly, [14] also examined how the combination of Belkasoft RAM Capturer, FTK Imager, and Winhex can be utilized to obtain data for the Line app in Windows 8.1. ...
... They conclude that Belkasoft Live RAM capture takes minimum time to capture memory and leaves minimal evidence as compared to other tools. Faiz et al. (Faiz & Prabowo, 2018) have compared five different tools (FTK Imager, Belkasoft Live RAM Capturer, Memoryze, DumpIt, Magnet RAM Capturer) for RAM capturing. Parameters selected to compare the tools are the time taken to collect evidence, memory usage, use of dll, and changes in Registry keys. ...
Article
Full-text available
Forensically sound evidence processing is the key component of prosecution to convict the perpetrator. When an investigator approaches the crime scene and encounters the running system, the most essential thing to do is to capture the system's memory. Memory forensic plays a significant role in the analysis of different forensic artifacts that may not be present on the hard disk. Memory is divided into two regions, user space and kernel space. Incident responders should collect all user space and kernel space for a comprehensive forensic examination. Moreover, memory is fragile in nature, so during the evidence gathering process, the minimum contamination should be performed. Therefore, the best memory acquisition tool must be identified that can assist the forensic examiner with the thorough examination of collected evidence. In this paper, among five commonly used memory acquisition tools, an attempt was made to find the best memory acquisition tool.
... DumpIT also supports x86 and x64 based systems. As shown by Faiz and Prabowo [20], DumpIT leaves the least footprint in the memory. Therefore, it can be considered an ideal tool for Windows based memory acquisition. ...
Article
Full-text available
The development of the Internet has resulted in an increasing variety of cyber crimes. Cybercrime is closely related to digital evidence, so cybercriminals tend to delete, hide, and format all collected data to eliminate traces of digital evidence. This digital evidence is very vital in proving at trial, so it is necessary to develop applications to secure digital evidence. This study aims to compare the results of cloning and hashing in securing digital evidence and evaluate the performance of a digital forensic application developed under the name Clon-Hash Application v1 compared to applications commonly used by investigators including Autopsy, FTK Imager, md5.exe in terms of its function, the result, CPU usage. The results of the research conducted show that the cloning process is perfectly successful, as evidenced by the hash value results which are the same as paid applications and there are even several other applications that have not been able to display the hash value. Hash values in the Clon-Hash v1 application also vary from MD5, SHA1, and SHA256 which do not exist in other applications. Applications developed are better in terms of function, results, and CPU usage.
Chapter
Currently, computers and the Internet are used to conduct the majority of business transactions, communications and the automated control of industrial equipment, among other things. Working online makes the process more efficient and convenient. The risk of cyber-attacks has also increased significantly as a result of devices being exposed to the Internet on a daily basis. The Internet’s speed, ease of use and invisibility, lack of geographical boundaries cyber financial crimes, stalking and bullying are becoming more commonplace, according to the FBI. A digital forensic investigation carried out with the assistance of software tools yields evidence against cybercriminals that can be presented in court. This review work aimed to evaluate and compare the performance and applications of ten online digital forensic tools. The conclusions, limitations of these tools and how after moral improvement, they can be used to assist digital forensics professionals in discovering digital evidence are presented.KeywordsDigital forensic toolsCybercrimeOpen-source softwarePerformanceApplication
Article
Full-text available
Information technology has become an essential thing in the digital era as it is today. With the support of computer networks, information technology is used as a medium for exchanging data and information. Much information is confidential. Therefore, security is also essential. Metasploit is one of the frameworks commonly used by penetration testers to audit or test the security of a computer system legally, but it does not rule out the possibility that Metasploit can also be used for crime. For this reason, it is necessary to carry out a digital forensic process to uncover these crimes. In this study, a simulation of attacks on Windows 10 will be carried out with Metasploit. Then the digital forensics process uses live forensics techniques on computer RAM, where the computer RAM contains information about the processes running on the computer. The live forensic technique is important because information on RAM will be lost if the computer is off. This research will use FTK Imager, Dumpit, and Magnet RAM Capture as the RAM acquisition tool and Volatility as the analysis tool. The results of the research have successfully shown that the live forensics technique in RAM is able to obtain digital evidence in the form of an attacker's IP, evidence of exploits/Trojans, processes running on RAM, operating system profiles used and the location of the exploits/Trojan when executed by the victim.
Article
Full-text available
In today's digital era almost every aspect of life requires the internet, one way to access the internet is through a web browser. For security reasons, one developed is private mode. Unfortunately, some users using this feature do it for cybercrime. The use of this feature is to minimize the discovery of digital evidence. The standard investigative techniques of NIST need to be developed to uncover an ever-varied cybercrime. Live Forensics is an investigative development model for obtaining evidence of computer usage. This research provides a solution in forensic investigation effectively and efficiently by using live forensics. This paper proposes a framework for web browser analysis. Live Forensics allows investigators to obtain data from RAM that contains computer usage sessions. © 2018 Institute of Advanced Engineering and Science. All rights reserved.
Article
Full-text available
Email has become one of the media for communication and can store evidence of crimes; nowadays many crimes are committed through this medium. Digital forensics is one of the sciences for finding evidence, including email as digital evidence. Digital forensic analysis is divided into two kinds, namely traditional/dead and live forensics. Traditional digital forensic analysis concerns data stored permanently on a device, whereas live forensics analysis concerns temporary data stored in equipment or in transit on a network. This paper proposes live forensics analysis on the latest operating system, namely Windows 10. The case study focuses on the security of several email services such as Gmail, Yahoo and Outlook and several common browsers such as Google Chrome, Mozilla Firefox, and Microsoft Edge. The experimental result of this research is that each email provider adds its own features for user security.
Article
Full-text available
Today's technology grows its roots in both positive and negative directions. Cyber criminals are always one step ahead of the investigator. Digital forensics in the live environment is the biggest challenge. Acquisition of live artifacts on a running system needs expertise to achieve the expected results. One of the most important areas that every forensicator looks into is memory, i.e. RAM (Random Access Memory). RAM is a volatile memory which is flushed when the system is shut down or restarted, so a memory dump should be taken before shutting down the system. It is a very important aspect for carving information residing in the volatile memory. [1] Here the role of volatile memory analysis in digital forensics and the importance of physical memory analysis are presented. It is very useful in real-time evidence acquisition and analysis. Further, we have introduced some of the tools and techniques used in the acquisition and analysis of memory.
Article
Full-text available
In digital forensic investigations, the investigators take digital evidence from computers, laptops or other electronic goods. There are many complications when a suspect or related person does not want to cooperate or has removed digital evidence. A lot of research has been done with the goal of retrieving data from flash memory or other digital storage media from which the content has been deleted. Unfortunately, such methods cannot guarantee that all data will be recovered. Most data can only be recovered partially and sometimes not perfectly, so that some or all files cannot be opened. This paper proposes the development of a new method for the retrieval of digital evidence called the Two-Step Injection method (TSI). It focuses on the prevention of the loss of digital evidence through the deletion of data by suspects or other parties. The advantage of this method is that the system works in secret and can be combined with other digital evidence applications that already exist, so that the accuracy and completeness of the resulting digital evidence can be improved. An experiment to test the effectiveness of the method was set up. The developed TSI system worked properly and had a 100% success rate.
Article
Full-text available
The aim of this article is to describe the cybercrime investigation process and to identify all issues that appear at the different steps, from the detection of the incident to the final report, which must be exploitable by a judge. It aims to identify, at every step, the issues and the methods to address them.
Article
The comparison studies on random access memory (RAM) acquisition tools are either limited in metrics or the selected tools were designed to be executed on older operating systems. Therefore, this study evaluates seven widely used shareware or freeware/open source RAM acquisition forensic tools that are compatible with the latest 64-bit Windows operating systems. These tools' user interface capabilities, platform limitations, reporting capabilities, total execution time, shared and proprietary DLLs, modified registry keys, and invoked files during processing were compared. We observed that Windows Memory Reader and Belkasoft's Live RAM Capturer leave the fewest fingerprints in memory when loaded. On the other hand, ProDiscover and FTK Imager perform poorly in memory usage, processing time, DLL usage, and unwanted artifacts introduced to the system. While Belkasoft's Live RAM Capturer is the fastest to obtain an image of the memory, ProDiscover takes the longest time to do the same job.
Conference Paper
Virtual Forensics is a new trend in the area of computer forensics. Virtualization technology paved the way for the growth of virtual forensics. The VMware virtual environment provides a completely virtualized set of hardware to the guest operating system. The features of a virtual machine make it an interesting platform to commit cyber crimes. The combination of innovative criminal techniques and advanced technologies makes the traditional techniques outdated for detecting such crimes. This paper discusses how live acquisition can be performed to acquire virtual machine related files from the host operating system. The paper also describes how to analyze these acquired files to obtain raw data stored in various grains. The study is supported by methods that assist forensic examiners by providing valuable information from the raw data retrieved from the various grains pointed to by grain table entries.