dc.contributor.author |
Roha Zulqarnain |
|
dc.date.accessioned |
2021-01-07T06:32:48Z |
|
dc.date.available |
2021-01-07T06:32:48Z |
|
dc.date.issued |
2017 |
|
dc.identifier.uri |
http://10.250.8.41:8080/xmlui/handle/123456789/20661 |
|
dc.description |
Supervisor: Dr. Shahzad Saleem |
en_US |
dc.description.abstract |
Evidence is proof of facts and can be legally presented at a trial to convince the judge of those facts. There are several types of proof, namely oral testimony of eyewitnesses, public records, written documents, objects, pictures, depositions, and circumstantial evidence, which is meant to build belief from the surrounding circumstances so that a conclusion about the fact can be logically derived. Evidence must be sound enough to survive the objections of opposing attorneys or other technicalities; it should be trustworthy, unaltered and reliable. Criminals can be apprehended on the basis of sound evidence, so the soundness of evidence is very important.
In the digital world, digital evidence constitutes the basis of digital forensics. Sound digital evidence is needed in order to solve a crime involving digital media. Forensic examiners use automated tools to gather and examine it, so its quality depends upon the reliability of the tools used to collect and examine it. Collecting and examining digital evidence with an untested and unevaluated tool is tantamount to destroying it, because such evidence will be inadmissible in court. NIST and CFTT have developed a set of specifications to test such tools and thus to promote proficient and effective use of digital technology in the investigation of cybercrimes. We have improved the specifications and evaluated three deleted file recovery tools based on the extended specifications. The tools that we tested and evaluated are Wise Data Recovery 3.85.202, Recuva 1.52.1086 (64 bit) and UndeleteMyFiles Pro 3.1. We found that, on FAT and NTFS in scanning mode, Recuva's results were better than those of Wise Data Recovery and UndeleteMyFiles Pro. The main focus of this research is to help forensic examiners in their investigation of computer crime by comparing the above-mentioned tools. Comparison results are discussed in the paper. |
en_US |
dc.publisher |
SEECS, National University of Sciences and Technology, Islamabad |
en_US |
dc.subject |
Deleted data, validation, digital forensics, data recovery, tool evaluation, digital evidence, NIST, CFTT |
en_US |
dc.title |
Active File Identification & Deleted Data Recovery Tool Evaluation |
en_US |
dc.type |
Thesis |
en_US |