Data Generation
In order to test and examine the new editions of EnCase and FTK, we need a hard drive with existing data to work with. We want to have something specific to look for when we analyze the drives later on, so we are conducting controlled data generation using computers built for this project with newly installed hard drives. Our goal is to have a wealth of information to truly test the new editions of EnCase and FTK.
We began by doing generic browsing, as anyone with a computer might do, including random Google searches, visiting Reddit, browsing Wikipedia, etc. We also utilized the social media sector. Using the LCDI’s Facebook account, we made text posts and comments and sent private messages to people. We conducted similar activity with the LCDI Twitter account.
In addition to generic browsing content, we downloaded a variety of files. These include pictures, as well as full-scale programs such as Skype, Teamviewer, and Splashtop. We also performed non-browser-oriented actions as well, creating and saving multiple word documents (some containing our targeted keywords), Notepads, etc. We also inserted and removed an external USB drive and copied a picture off of the USB to the hard drive to generate USB activity that can be processed during analysis.
When analyzing a hard drive for a case, the forensic analyst will have a particular target in the data he or she is working with. To simulate this, not only do we need a large quantity of data, but we need quality data. We wanted to have a trend of activity that would allow us to utilize the keyword search function in the forensic tools, so, continuing with our earthquake trend, we created browsing history using multiple different browsers. In this case, we used Google Chrome, Internet Explorer, Mozilla Firefox, and Opera. We also made sure to download pictures in each browser, some relating to earthquakes, some not. This should give us a good idea of how the two forensic tools will show this information. We utilized social media once again, but this time included words relating to earthquakes. We sent private messages, posted an article to our own Facebook wall (set so only we can see it), utilized direct messages on Twitter, browsed tweets using the hashtag earthquake, and also used Google Drive to create documents.
We not only wanted to have a term we could use the keyword search option for, but we needed something that would come back with a large amount of results, so we also generated data with the letter “E.” We searched various terms in all different browsers that had the letter “E” in them, as well as downloaded pictures and visited websites that related to the letter “E.” We created various Microsoft Word and Notepad documents that had to do with the letter “E,” and downloaded various pictures saved with names that began with “E.” This should give us a good grasp on the time it takes to complete large keyword searches in both EnCase 7.1 and FTK 5.5.
Using all the data generated, we will next test the speeds at which EnCase and FTK acquire the hard drive. We will also be testing keyword search speeds, specifically with the word “earthquake,” the letter “E,” and a phrase that will return no results.