This digital forensic tool automatically detects, extracts, and analyzes data related to peer-to-peer (P2P) client applications on a machine's hard disk. The tool is very important because it automates the time-consuming and tedious process of finding evidence of peer-to-peer usage. File Marshal does its work in a forensically valid manner, presenting its results in a form that is easy to read on screen and in a format that is easily integrated into a report. Its extensible, modular design even makes it possible to add support for new kinds of P2P networks and clients (Adelstein & Joyce, 2007).
This is considered the most important technology because of its ability to rapidly determine the P2P clients present on a disk image and to give those clients' per-user information, including peer servers, downloaded files and shared files. File Marshal is made up of two components: a graphical user interface, known as the front-end, and a command-line back-end. The front-end mediates interaction with the investigator and ensures that the data is formatted. The back-end, on the other hand, searches the file system for files and directories and additionally interprets the contents of registry files.
P2P Marshal's Operational Phases
According to Adelstein (2009), File Marshal has three operational phases, which are carried out by mounting it on a disk image. By invoking File Marshal, an investigator opens an investigation and begins the analysis, which proceeds through the following phases: discovery, acquisition and analysis. At the end of the process, the final product is normally a report.
The Discovery Phase
In this phase, P2P Marshal examines the target disk image and establishes which P2P clients are currently or were previously installed. P2P Marshal does this by looking for the presence of directories, files, and registry keys and values; the configuration file identifies the artifacts that show whether a given client was installed. Occasionally the program has been deleted but the data directory remains (Adelstein & Joyce, 2007). Additionally, even if the user uninstalls the P2P client, the registry keys holding the user's preferences may remain, or may continue to reside in backup copies of the registry generated when the operating system creates a system restore checkpoint. Files in this phase are identified by pathname. They can also be identified by a hash (presently MD5, although others can be supported). Registry entries can comprise values, (sub)keys and their data.
In the acquisition phase, File Marshal collects usage information for particular P2P clients; in other words, the information gathered is user-specific. File Marshal collects log and configuration information for each user, including downloaded or shared files, bootstrap or peer servers contacted, and other forensically relevant data maintained by the particular P2P client. Once more, the specific files are defined in the configuration file. When special code is needed to display a file, for example to decode a date format or a hash list, the configuration file names the Java classes to be used for parsing. New parsers can be created as required using a straightforward API (Malvakian, 2009).
The analysis phase entails File Marshal displaying the gathered information and then allowing an investigator to view details such as file contents and to sort the data by a variety of fields, among them the date of last contact and the server's IP address. Investigators can view downloaded files by launching suitable viewers, such as Photoshop for an image, Firefox for HTML, Acrobat for PDF, and so on, and can display details of log entries and configuration. They can also search for files by hash or by a set of hashes, for instance from databases such as "NIST's National Software Reference Library (NSRL) or the National Centre for Missing and Exploited Children" (Carrier, 2007).
Logging and Report Generation
All operations performed by File Marshal are logged. The log file gives very detailed, low-level information about the actions that were performed, thereby upholding the forensic integrity of the investigation. It records the invocation of the back-end tool and any error or return codes. Farid (2008) is however categorical that the audit log is not meant to be easily readable by individuals but rather to enable investigators to validate exactly what was and was not done in the investigation, and that it would be suitable to add as an appendix to the final report.
File Marshal produces a summary report of its findings in a format that can be incorporated into the investigator's report. The file formats initially supported include PDF and HTML, for easy insertion of File Marshal reports into a larger forensic report. "As a way of sustaining the forensic integrity, the output from the back-end tool is automatically hashed by File Marshal, which also has the additional ability of computing the hash of any obtained file. Given that the investigator uses a static file system, the tool used to initially image the disk might have already computed these files' hashes" (John, 2009). This further strengthens the investigation's forensic integrity, as the hashes File Marshal computes can be checked against the data produced by the imaging tool.
File Marshal enables investigators to search for a range of usage-specific entries. These include file names, peer servers' DNS names and IP addresses, and file hashes such as SHA-1 and MD5. For example, if investigators wish to trace all contacts with a specific server, the search tool can retrieve all contacts regardless of which P2P client was used.
During the discovery phase, File Marshal searches for artifacts demonstrating that a P2P program has been installed or used. One of the examined artifacts is the registry (Hirst, 2007). However, because File Marshal performs offline analysis of static registry files, there is poor support for recovering keys and values from a file (in contrast to the registry of a running system).
The differences between most P2P client programs are usually limited to the file paths they use and the format of the information in their cache, log and configuration files. File Marshal uses a configuration file to specify the details of each P2P client. Adding support for a new client requires creating a new configuration file describing the new client, and possibly adding a plug-in or module to the user interface to display any information that is unique to it. This makes File Marshal straightforwardly extensible to support new P2P clients (Adelstein, 2009).
The configuration file is normally XML and is made up of three sections: client data, installation artifacts and usage artifacts. The first section, client data, holds details about the P2P client, including its name and version, and the name of the module responsible for displaying information about this client. The second section identifies installation artifacts such as registry keys, files and directories, which show whether the client is or has been installed on the system. These directories and files are specified by path.
Additionally, file entries can carry an MD5 hash attribute to match the file's content rather than its name, and a version attribute to indicate that the file is a binary for a particular version of the client; this overrides the version information in the client data section. When all entries in the installation artifacts match, File Marshal describes it as a full installation (Adelstein & Joyce, 2007). Correspondingly, when only some entries match, it is reported as a partial installation. If none match, File Marshal displays no information on the client. Nevertheless, the report includes a list of all clients that File Marshal searched for.
The third section identifies usage artifacts, which comprise four kinds of files: log, config, cache and shared (Steight, 2010). Log files hold information about how the program was run, for instance the search terms used. Configuration files, on the other hand, describe how the client is installed and may also indicate the location of log files. Cache files keep temporary results such as the peer servers that have been used or the files already obtained. Lastly, shared folders store downloaded and shared files. File Marshal distinguishes downloaded from shared files if the P2P client does.
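The installation-artifact matching described above (paths, an optional MD5 attribute, and the full/partial/none outcome), as an added example that is not part of the original page or of P2P Marshal's own code: the XML layout, element and attribute names, client name and paths are assumptions constructed for illustration, not the tool's real schema.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample client binary; the hypothetical config below pins its MD5.
SHARE_EXE = b"MZ\x90\x00 constructed ExampleShare 2.1 binary"
EXE = "C:/Program Files/ExampleShare/share.exe"
DATA_DIR = "C:/Users/alice/AppData/Roaming/ExampleShare"
REG_KEY = "HKCU/Software/ExampleShare"

# Hypothetical config in the three-section shape the text describes (assumed schema).
CONFIG_XML = f"""<client>
  <clientdata name="ExampleShare" version="2.1" module="ExampleShareView"/>
  <installation>
    <file path="{EXE}" md5="{hashlib.md5(SHARE_EXE).hexdigest()}" version="2.1"/>
    <directory path="{DATA_DIR}"/>
    <regkey path="{REG_KEY}" value="InstallDir"/>
  </installation>
  <usage><log path="{DATA_DIR}/search.log"/><config path="{DATA_DIR}/settings.ini"/></usage>
</client>"""

def classify(config_xml, files, directories, registry):
    """Discovery-phase check over a static image. files maps path -> bytes,
    directories is a set of paths, registry maps key path -> set of value names.
    Returns 'full', 'partial' or 'none' per the matching rule in the text."""
    root = ET.fromstring(config_xml)
    hits = []
    for art in root.find("installation"):
        path = art.get("path")
        if art.tag == "file":
            hit = path in files
            # An md5 attribute matches by content, so a replaced file under the same name fails.
            if hit and art.get("md5"):
                hit = hashlib.md5(files[path]).hexdigest() == art.get("md5")
        elif art.tag == "directory":
            hit = path in directories
        else:  # regkey: counts only if the named value still exists under the key
            hit = art.get("value") in registry.get(path, set())
        hits.append(hit)
    matched = sum(hits)
    if hits and matched == len(hits):
        return "full"
    return "partial" if matched else "none"

# Constructed image states as (files, directories, registry) tuples.
INTACT = ({EXE: SHARE_EXE}, {DATA_DIR}, {REG_KEY: {"InstallDir"}})
# Client uninstalled, but its data directory and user registry key linger: partial.
UNINSTALLED = ({}, {DATA_DIR}, {REG_KEY: {"InstallDir"}})
# Same file name with different content: the md5 attribute rejects it, so nothing matches.
REPLACED = ({EXE: b"not the client"}, set(), {})
CLEAN = ({}, set(), {})
```

The usage section is carried only to show the shape the text describes; the acquisition phase, which would read it, is not modelled here.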
Features of P2P Marshal
The tool has many important features that make it the best choice for forensic investigations. First, as already discussed, P2P Marshal performs all tasks in a forensically sound way, making it without doubt the best invention ever. The second characteristic of this tool is its ability to give a full analysis of LimeWire, BitTorrent and others. Chao (2010) adds that it also generates customizable reports in PDF, CSV, HTML and RTF, in addition to identifying and showing download locations. Lastly, P2P Marshal provides extensive search capabilities.
Important Purposes the New Tool Serves
The celebrated tool, File Marshal, has even more advantages that make it the most important invention of the last five years, chief among them that it has been made available on USB since 2009 (developed by ATC-NY). It is a one-of-a-kind USB-based file detection software, and an investigator can begin documenting evidence immediately on network devices and computer hard drives (Adelstein, 2009). Contrary to the previous situation, with this new tool there is no need to carry a laptop to the crime scene or to physically disconnect the computer from its network. This has made forensic investigations even faster. The tool is therefore very portable, with the ability to fully analyze LimeWire, Azureus and uTorrent, analyze peer-to-peer network usage, and detect and indicate default download locations for Kazaa, Google Hello and Ares.
P2P Marshal's latest technology is meant to achieve many positive results as far as forensic investigation is concerned. As already described above, this new tool follows forensic best practices and maintains a comprehensive log file of all tasks it performs. To make it even more appealing, its design makes it fully extensible to support new P2P networks and clients. In the wake of increased cyber crime, the tool is just what the field needs to help restore security in digital devices.
The tool has wide-ranging search abilities, generates reports in formats such as HTML, RTF, CSV and PDF, and runs on Windows-based operating systems. This matters greatly to crime scene investigators because it frees room in the field kit for other important investigative tools. Given the changing nature of cybercrime, investigators also need to change tactics and bring along investigative tools that are not as conspicuous to the human eye as the traditional laptop (Adelstein & Joyce, 2007).
The ability to plug into any free USB port, both on computers at the crime scene and on those back at the lab, means it is available at all times, increasing its user-friendliness and convenience. P2P Marshal has made forensic investigations that could take ages take a shorter time than expected. Forensic Edition is the software's only version; it is installed and run on the investigator's workstation to analyze an acquired disk image.
Postings on ATC-NY's website and press releases indicate that P2P Marshal is presently being used by law enforcement to investigate cyber crime in many corners of the world. International, federal, state and local investigators prefer this tool over many others to carry out their duties. Without automated tools, the work of forensic investigators to obtain evidence of unlawful file sharing and distribution is time consuming and manually intensive. Hence they found in P2P Marshal a solution to this problem. It has to a great extent helped them reduce the time needed for analysis (Liu et al., 2010).
How much time is saved?
The question that remains is how much time the USB-based File Marshal saves. Computer hard drives gathered by law enforcement in searches of suspects' homes present a veritable treasure trove of evidence for qualified forensic investigators. In most cases, it takes many hours or even days to manually search every single hard drive for evidence of P2P file sharing, especially when the investigator's backlog keeps increasing (John, 2009). Conversely, employing the P2P Marshal tool takes only minutes to disclose information of the same magnitude (Malvakian, 2009).
The time saved by using P2P Marshal for data gathering can be directly translated into other aspects of the investigation. For instance, it allows leads that would otherwise have lain dormant for many days to be obtained immediately. Additionally, the rapid analysis process gives offenders little time for a cover-up while enabling quick action by the relevant authorities.
The tool is accessible to any law enforcement agency, and it is also available for civil application. However, all users have to submit their contact information for registration. Law enforcement can now more easily locate cyber crime offenders who engage not only in trading copyrighted materials such as music and sharing other P2P files but, most notably, in sharing child pornography. This tool not only saves time but also goes a long way toward helping investigators establish relations between individuals and assisting departments in advancing investigations (Steight, 2010).
Digital forensics has been widely applied by law enforcement to obtain digital evidence of cyber crime. Today, the global expansion of information and communication technology has enabled an increasing number of individuals to access the internet and other digital devices such as mobile phones, digital cameras and computers. Consequently, cases of cyber crime have increased tremendously over the last decade. Digital forensics, defined as the practice of using scientifically derived and proven methods and tools to collect, validate, identify, analyze, interpret, document and present after-the-fact digital data obtained from digital sources, with a view to furthering or facilitating the reconstruction of events as forensic evidence, has been there to offer a solution to this problem.
However, the nature and number of cyber crimes committed in the recent past called for the development of tools to analyze them more efficiently and rapidly enough to prevent offenders from clearing the evidence and covering up. This, coupled with many other reasons known to forensic crime investigators, led to the development of File Marshal (Hirst, 2009). The tool is very suitable for obtaining forensic evidence by evaluating P2P usage on a file system. It does this by automatically identifying the kinds of P2P client programs that are, or were, present. It then extracts log and configuration information and presents the investigator with the shared files.
The availability of P2P Marshal on USB has made this tool enormously portable, removing the need to have a laptop or computer at the scene of the crime. It allows criminal investigators to begin recording evidence on network devices and computer hard disks right away. This tool has many advantages for the investigator and is viewed by many as the most important technology ever invented in digital forensics.