21BCP444D DF ClassAssignment 2

The assignment focuses on data acquisition in digital forensics, requiring the analysis of two research papers. The first paper compares software tools for acquiring volatile memory, discussing their strengths, challenges, and future research directions, while the second paper explores using Blockchain technology to ensure the integrity of forensic evidence from IoT devices. Together, these papers highlight the importance of tool selection and innovative technologies in addressing challenges in digital forensics.

Uploaded by

collegedev77
PANDIT DEENDAYAL ENERGY UNIVERSITY

SCHOOL OF TECHNOLOGY

Course: Digital Forensics

Course Code : 20CP411P

Assignment – 2

B.Tech. (Computer Science and Engineering)

Semester – 7

Submitted To: Prarthana Mehta

Submitted By: Dev Nayak (21BCP444D, G7 Batch)
21BCP444D DF - CLASS Dev Nayak

Theory (Class) Assignment - 2


Data Acquisition is the first phase of Digital Forensics.

Pick two research papers of your choice in the domain of data acquisition in the context of digital
forensics (period 2018-2024). Submit the following after studying these two papers:
• Why you have chosen the article
• The article is about data acquisition from which medium
• What are the tools and techniques used
• Challenges faced, if any
• Future scope
• Your learning outcome

1. Comparison of Acquisition Software for Digital Forensics Purposes by
Muhammad Nur Faiz and Wahyu Adi Prabowo (NurFaizOK).

i. Why I Chose the Article:


I selected this article because it provides a comparative study of software tools used in digital
forensics, particularly focusing on the acquisition phase—a critical step in any forensic
investigation. The paper highlights how different tools handle the process of capturing
volatile data, which is essential for effective cybercrime investigations. This is directly
relevant to understanding the strengths and weaknesses of available forensic tools in handling
volatile memory, such as RAM.

ii. Data Acquisition Medium:


This article primarily deals with the acquisition of data from volatile memory (RAM).
Volatile memory contains valuable information that exists only while the computer is
running. Acquiring data from RAM is a key part of live forensics and is especially crucial in
cases involving malware, active processes, or other real-time activities that leave little trace
after a system is powered down.


iii. Tools and Techniques Used:


The study compares five different software tools for RAM acquisition in a live forensic
setting:
• FTK Imager: A widely used tool for acquiring and analyzing digital evidence from
volatile memory. It can handle both physical and logical memory imaging but leaves
behind more artifacts compared to other tools.
• Belkasoft RAM Capturer: Known for its small footprint, this tool is designed to
work with anti-debugging and anti-dumping features in operating systems, making it
suitable for stealthy acquisitions.
• Memoryze: A freeware tool developed by Mandiant, capable of both acquisition and
analysis of live memory. It can acquire physical memory while the system is running
and is considered effective for deeper analysis.
• DumpIt: A command-line tool that is light on system resources and can capture the
physical memory efficiently. It uses minimal RAM during the process, making it ideal
for minimizing the impact on the running system.
• Magnet RAM Capture: A tool specifically designed to capture memory and retrieve
artifacts such as active processes, passwords, and cryptographic keys that are not
stored on the hard disk.

iv. Challenges Faced:


The study highlights several challenges related to the tools:
1. Artifacts: One of the most significant issues is the creation of artifacts by some tools
during the acquisition process. For instance, FTK Imager was found to leave about 10
times more artifacts than other tools like DumpIt and Memoryze. These artifacts can
potentially overwrite or alter crucial evidence, affecting the integrity of the
investigation.
2. Processing Time: The time taken by each tool to acquire memory data varies
significantly. While DumpIt is the fastest tool, taking only 184.54 seconds, Magnet
RAM Capture was the slowest, taking 220.24 seconds to capture 4 GB of RAM. This
is critical in live forensics, where the system must be operational during the
acquisition process.
3. Memory Usage: Tools like FTK Imager consume a significant amount of memory
(117 MB), which can affect the performance of the target system during acquisition.
In contrast, DumpIt uses only 10.9 MB of memory, making it the most efficient in
terms of resource consumption.


v. Future Scope:
The study suggests several areas for future research, including:
• Hardware-Based Acquisition: Exploring hardware-based solutions that can
minimize the intrusion of acquisition software and prevent the alteration of evidence.
• Cross-Operating System Testing: Future work could expand the research to cover
different operating systems, as the current study focuses only on Windows 10. This
would help in understanding how acquisition tools perform in different environments,
such as Linux and macOS.
• Artifact Minimization: Research into new methods that minimize the introduction of
artifacts during the acquisition process should be pursued, ensuring the integrity of
forensic evidence.

vi. Learning Outcome:


This article provided a comprehensive understanding of how different acquisition tools
perform under live forensic conditions, particularly when handling volatile memory. The key
takeaway is that choosing the right acquisition tool is essential to maintaining the
integrity of evidence. Tools like DumpIt are better for minimal footprint, while others like
FTK Imager are more comprehensive but risk leaving more forensic artifacts. The study
highlights the trade-off between acquisition speed, memory usage, and the potential for
evidence alteration, making it clear that no single tool is perfect for all scenarios.


2. Using Blockchain to Ensure the Integrity of Digital Forensic Evidence in
an IoT Environment by Muhammad Shoaib Akhtar and Tao Feng
(Using_Blockchain_to_Ens…).

i. Why I Chose the Article:


I chose this article because it addresses the critical challenge of data integrity in digital
forensic investigations, particularly in the context of the Internet of Things (IoT). IoT
devices are increasingly being used in both criminal activities and forensic investigations, but
they pose unique challenges due to their distributed nature and lack of standardized data
security measures. The article proposes using Blockchain technology to ensure the
immutability and security of forensic evidence collected from IoT devices, which is a novel
and timely approach.

ii. Data Acquisition Medium:


The medium of data acquisition discussed in this paper is IoT devices, which generate vast
amounts of data that can serve as digital evidence. These devices often collect sensitive
information from various environments, such as smart homes, industrial systems, and
healthcare devices. The paper focuses on securing this evidence once it is collected,
ensuring that it cannot be tampered with as it moves through the investigative process.

iii. Tools and Techniques Used:


The paper proposes a combination of Blockchain technology and Machine Learning to
secure forensic evidence from IoT devices:
1. Blockchain: By using Blockchain, the paper suggests that digital forensic evidence
can be stored in an immutable, decentralized ledger. This prevents tampering and
ensures that the evidence remains unchanged throughout the investigation process.
The blockchain also provides a transparent chain of custody, which is crucial for
legal proceedings.
2. Machine Learning: The paper also introduces the idea of using machine learning
models to detect anomalies in the forensic evidence. This would allow investigators
to identify potential threats or tampered data early in the process, enhancing the
security of the investigation.
3. Hashing Algorithms: These are used to ensure the integrity of the data by generating
a unique digital fingerprint (hash) for each piece of evidence. Any change to the data
would alter the hash, immediately indicating that the evidence has been compromised.
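The two technique sections above (hashing an acquired RAM image from section 1, and the immutable, hash-linked evidence ledger with a chain of custody from section 2) can be shown together in working code. The following Python is an added illustration written for this assignment summary; it is not code from either paper. It uses a single-party hash chain as a simplified stand-in for the Blockchain ledger the second paper proposes (no consensus, no distributed nodes), and the "RAM images", host names, examiner and evidence identifiers are constructed sample values.

```python
# Added illustration (not code from either paper): a hash-chained evidence
# ledger that records each acquired image's digest and links every custody
# record to the previous one, then re-verifies image and ledger integrity.
import copy
import hashlib
import io
import json
from typing import Dict, List, Tuple

CHUNK = 1 << 16     # 64 KiB reads keep memory use flat even for multi-GB RAM images
GENESIS = "0" * 64  # prev_hash of the first record


def hash_stream(stream, algo: str = "sha256") -> str:
    """Hash a file-like object chunk by chunk and return the hex digest."""
    h = hashlib.new(algo)
    for block in iter(lambda: stream.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()


def record_hash(body: Dict) -> str:
    """Deterministic SHA-256 over a record body (canonical JSON encoding)."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def append_record(ledger: List[Dict], evidence_id: str, source: str,
                  tool: str, examiner: str, image_hash: str) -> Dict:
    """Append a custody record whose prev_hash commits to the record before it."""
    prev = ledger[-1]["record_hash"] if ledger else GENESIS
    body = {
        "seq": len(ledger),
        "evidence_id": evidence_id,
        "source": source,
        "tool": tool,
        "examiner": examiner,
        "image_sha256": image_hash,
        "prev_hash": prev,
    }
    record = dict(body, record_hash=record_hash(body))
    ledger.append(record)
    return record


def verify_ledger(ledger: List[Dict], images: Dict[str, bytes]) -> List[str]:
    """Return a list of integrity problems; an empty list means every check passed.

    The chain is followed using *recomputed* record hashes, so altering any
    field of record i breaks record i itself and every record after it.
    """
    problems: List[str] = []
    prev = GENESIS
    for i, rec in enumerate(ledger):
        body = {k: v for k, v in rec.items() if k != "record_hash"}
        recomputed = record_hash(body)
        if rec["seq"] != i:
            problems.append(f"record {i}: sequence number is {rec['seq']}")
        if rec["prev_hash"] != prev:
            problems.append(f"record {i}: prev_hash does not match record {i - 1}")
        if rec["record_hash"] != recomputed:
            problems.append(f"record {i}: record_hash mismatch (ledger entry altered)")
        eid = rec["evidence_id"]
        if eid not in images:
            problems.append(f"record {i}: image {eid} is missing")
        elif hash_stream(io.BytesIO(images[eid])) != rec["image_sha256"]:
            problems.append(f"record {i}: image {eid} hash mismatch (evidence altered)")
        prev = recomputed
    return problems


def build_demo_ledger() -> Tuple[List[Dict], Dict[str, bytes]]:
    """Constructed sample: two stand-in 'RAM images' (not real memory dumps)."""
    images = {
        "RAM-001": b"MZ" + b"\x00" * 4094 + b"constructed image one",
        "RAM-002": bytes(range(256)) * 32,
    }
    ledger: List[Dict] = []
    append_record(ledger, "RAM-001", "host-A (hypothetical)", "DumpIt",
                  "examiner-1", hash_stream(io.BytesIO(images["RAM-001"])))
    append_record(ledger, "RAM-002", "host-B (hypothetical)", "Magnet RAM Capture",
                  "examiner-1", hash_stream(io.BytesIO(images["RAM-002"])))
    return ledger, images


if __name__ == "__main__":
    ledger, images = build_demo_ledger()
    print("clean:", verify_ledger(ledger, images))  # []
    # Tamper with the first image: only that image's hash check fails.
    bad_images = dict(images, **{"RAM-001": images["RAM-001"][:-1] + b"X"})
    print("image altered:", verify_ledger(ledger, bad_images))
    # Tamper with a ledger field: that record and every record after it fail.
    bad_ledger = copy.deepcopy(ledger)
    bad_ledger[0]["examiner"] = "someone-else"
    print("ledger altered:", verify_ledger(bad_ledger, images))
```

Chunked hashing is what makes the image check practical: a 4 GB capture is digested without being loaded into memory. Linking records through recomputed hashes is the property the second paper relies on: changing one custody entry invalidates every later entry, so tampering is visible wherever the chain is checked, whereas a plain list of hashes would only flag the edited entry.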


iv. Challenges Faced:


Several challenges are outlined in the paper:
1. Security and Integrity of IoT Data: IoT devices often lack robust security measures,
making them vulnerable to tampering. Ensuring the integrity of the evidence collected
from these devices is a major challenge, particularly when the devices are located in
different jurisdictions with varying legal standards.
2. Scalability: The volume of data generated by IoT devices is enormous, and scaling
Blockchain to handle this data effectively while maintaining performance is another
significant challenge.
3. Anonymity and Privacy: While Blockchain ensures data integrity, it also raises
concerns about privacy. Ensuring that the data is securely anonymized while
retaining its forensic value is a complex task, especially in cases involving sensitive
personal data.

v. Future Scope:
The article suggests several areas for further research:
• Blockchain Integration with IoT Systems: There is a need to explore deeper
integration of Blockchain technology with IoT systems to provide real-time, tamper-
proof evidence collection. This would involve creating specialized protocols for
secure communication between IoT devices and Blockchain networks.
• Improved Machine Learning Models: Developing more sophisticated machine
learning models that can accurately detect anomalies in forensic evidence is a
promising area for future work. These models could be trained on large datasets of
IoT activity to better predict attacks or evidence tampering.
• Cross-Jurisdictional Legal Frameworks: Since IoT devices often span multiple
legal jurisdictions, developing international standards for the use of Blockchain in
forensic investigations is crucial. This would ensure that evidence collected from IoT
devices is admissible in court regardless of where the devices are located.

vi. Learning Outcome:


The article provided valuable insights into how Blockchain can be applied to ensure the
integrity and security of forensic evidence in IoT environments. The most significant
takeaway is that Blockchain’s decentralized and immutable structure makes it ideal for
forensic applications, particularly when dealing with distributed systems like IoT. The
integration of Machine Learning to detect anomalies adds an extra layer of security, making
this approach highly effective for modern digital forensics.


Conclusion:
Both articles address different aspects of digital forensics: one focuses on the tools used to
acquire volatile data, while the other emphasizes securing the integrity of the data once it has
been collected. Together, they offer a comprehensive view of the challenges and solutions in
modern digital forensics. The first article teaches us the importance of selecting the right
tools to avoid altering evidence during acquisition, while the second demonstrates the
potential of Blockchain and Machine Learning in safeguarding evidence in distributed
environments like IoT.
