Gulshan Shrivastava, Deepak Gupta, Kavita Sharma (Eds.)
Cyber Crime and Forensic Computing
Modern Principles, Practices, and Algorithms
De Gruyter Frontiers in Computational Intelligence
Edited by Siddhartha Bhattacharyya
Volume 11
Editors
Gulshan Shrivastava
Department of Computer Science and Engineering
Sharda University
Greater Noida, U.P., India
gulshanstv@gmail.com
Deepak Gupta
Department of Computer Science and Engineering
Maharaja Agrasen Institute of Technology
Delhi, India
deepakgupta@mait.ac.in
Kavita Sharma
Department of Computer Science and Engineering
G.L. Bajaj Institute of Technology & Management
Greater Noida, U.P., India
kavitasharma_06@yahoo.co.in
ISBN 978-3-11-067737-9
e-ISBN (PDF) 978-3-11-067747-8
e-ISBN (EPUB) 978-3-11-067754-6
ISSN 2512-8868
Library of Congress Control Number: 2021942528
Bibliographic information published by the Deutsche Nationalbibliothek
The Deutsche Nationalbibliothek lists this publication in the Deutsche Nationalbibliografie;
detailed bibliographic data are available on the Internet at http://dnb.dnb.de.
© 2021 Walter de Gruyter GmbH, Berlin/Boston
Cover image: shulz/E+/getty images
Typesetting: Integra Software Services Pvt. Ltd.
Printing and binding: CPI books GmbH, Leck
www.degruyter.com
Dedicated to our friends and families for their constant support during the
course of this book
Contents
About the editors
Shefali Arora, Ruchi Mittal, M. P. S. Bhatia
A survey of popular digital forensic tools
Swati Gupta, Puneet Garg
An insight review on multimedia forensics technology
Meet Kumari
An overview on advanced multimedia forensic techniques and future direction
Anand Sharma
Computer forensics and Cyber Crimes: COVID-19 perspective
Sachil Kumar, Geetika Saxena
Biometric forensic tools for criminal investigation
K. Hariharan, K. Rajkumar, R. Manikandan, Ambeshwar Kumar, Deepak Gupta
Deep learning for optimization of e-evidence
N. Sivasankari, R. Shantha Selvakumari
Electronic voting machine security issues and solution protocol by physical unclonable function
Meenakshi, Puneet Garg, Pranav Shrivastava
Machine learning for mobile malware analysis
Prashant Kumar, Gaurav Purohit, Pramod Tanwar, Kota Solomon Raju
Mobile platform security: issues and countermeasures
Pranav Shrivastava, Prerna Agarwal, Kavita Sharma, Puneet Garg
Data leakage detection in Wi-Fi networks
Index
About the editors
Dr. Gulshan Shrivastava is working as an Assistant Professor in the
Department of Computer Science and Engineering at Sharda University,
Greater Noida, Uttar Pradesh (U.P.), India. Prior to his current role, he was
associated with Galgotias University and Dronacharya Group of Institutions,
Greater Noida, U.P., India. He also visited Datec Ltd., Papua New Guinea
(PNG), as a technical trainer and researcher. He received his Ph.D. (CSE) from
the NIT Patna, M.Tech. (Information Security) from Guru Gobind Singh
Indraprastha University (GGSIPU), Delhi, and MBA (IT & Finance) from
I. K. Gujral Punjab Technical University (IKGPTU) and B.E. (Computer Science & Engineering) from the
Maharshi Dayanand University (MDU) Rohtak, Haryana. He also earned numerous international
certifications from Coursera, NPTEL, Sun Microsystems, etc. in Security and Machine Learning. He holds 5
patents (1 granted, 4 published) and is the editor/author of more than 7 books and the author of more than
10 book chapters and 34 articles and editorials in international journals and conferences of high importance.
He is Associate Editor of IJ-ICT (Scopus Indexed); served as Associate Editor of JGIM (SCIE Indexed) and
IJDCF (Scopus Indexed), IGI Global; and Section Editor of Scalable Computing (SCPE) (Scopus Indexed).
He is also serving many reputed journals as guest editor, editorial board member, international
advisory board member, and reviewer board member.
Moreover, Dr. Shrivastava has also delivered expert talks and guest lectures at international
conferences and serves as a reviewer for journals of IEEE, Springer, Inderscience, etc. He is Convener
of ICICC 2021, ICICC 2020, and ICICC-2019; Organizing Chair of the 5th IEEE ICCCIS-2021 and ICCIDA-2018;
and Publication Chair of MARC-2018. He is a life member of ISTE; a senior member of IEEE; and a
professional member of ACM, SIGCOMM, and many professional bodies. He has an ardent inclination
toward the field of Data Analytics and Security. His research interests include Information Security,
Digital Forensics, Data Analytics, Machine Learning, and Malware Detection and Analysis.
Dr. Deepak Gupta received a B.Tech. in 2006 from the Guru Gobind
Singh Indraprastha University, India. He received M.E. in 2010 from Delhi
Technological University, India, and Ph.D. in 2017 from Dr. APJ Abdul Kalam
Technical University, India. He completed his postdoctoral research at Inatel, Brazil.
With 13 years of rich expertise in teaching and 2 years in the industry, he
focuses on rational and practical learning. He has contributed extensive
literature in the fields of Intelligent Data Analysis, BioMedical Engineering,
Artificial Intelligence, and Soft Computing. He has served as Editor-in-Chief,
Guest Editor, and Associate Editor in SCI and various other reputed journals (IEEE,
Elsevier, Springer, and Wiley). He has been actively involved in organizing various reputed international
conferences. He has authored/edited 50 books with national/international-level publishers (IEEE,
Elsevier, Springer, Wiley, Katson). He has published 184 scientific research publications in reputed
international journals and conferences, including 96 SCI Indexed Journals of IEEE, Elsevier, Springer,
Wiley, and many more.
https://doi.org/10.1515/9783110677478-203
Dr. Kavita Sharma is Associate Professor in the Department of CSE at
G. L. Bajaj Institute of Technology and Management, Greater Noida, India.
She received her Ph.D. in Computer Engineering from National Institute of
Technology, Kurukshetra (Institution of National Importance), India,
and M.Tech. in Information Security from GGSIPU, Delhi, India. She has also
completed her B.Tech. in IT from UPTU, Lucknow, India. In addition, she has
also been awarded a research fellowship from the Ministry of Electronics and
Information Technology, Government of India. She has worked as an
Assistant Professor at Dronacharya College of Engineering, Greater Noida, India. She has 4 patents
(2 granted and 2 published), has published 6 books, and has published 47 research articles in international
journals and conferences of high repute. She has also served as Section Editor of Scalable Computing
(SCPE). She also serves many reputed journals as guest editor, as editorial board member, and as a
member of the international advisory board. Moreover, Dr. Sharma has also delivered expert talks and
guest lectures at international conferences and serves as a reviewer for journals of IEEE, Springer,
Inderscience, Wiley, etc. She is a Senior Member of IEEE; Professional Member of ACM; Life Member
of CSI, ISTE, IAENG, and Institute of Nanotechnology; and Member of SDIWC, Internet Society, IACSIT,
CSTA, IAOE, etc. She has actively participated in and organized several international conferences, Faculty
Development Programs, and various national and international workshops. Her areas of interest
include Information and Cyber Security, Mobile Computing, IoT Security, Data Analytics, and Machine
Learning.
Shefali Arora, Ruchi Mittal, M. P. S. Bhatia
A survey of popular digital forensic tools
Abstract: Digital forensics is a process of interpreting electronic or digital data to
preserve any kind of evidence. Forensic investigation is done by storing, categorizing,
and authenticating information to understand a sequence of events. The objective
of acquiring this information is to get empirical evidence against hackers and
intruders. For example, in forensics involving operating systems, we can swap
pages or scan deleted files to obtain useful information. This chapter reviews the
work being done in various domains of digital forensics, highlighting the need for
these forensic tools to investigate and interpret evidence. The authors review many
open-source forensic tools that can help professionals and experts to perform
forensic investigations on data obtained from operating systems, networks, computers,
and other devices. This is further highlighted with a case study, which
makes use of two forensic tools – Autopsy and Wireshark – to analyze files and
network traffic, respectively. Finally, this chapter focuses on future directions and
research work being carried out in forensic investigations.
Keywords: tools, Autopsy, investigation, digital forensics, Wireshark, security,
network forensics
1 Introduction
Digital forensic investigation is the part of forensic science that covers the
identification, recovery, examination, validation, and presentation of facts regarding
digital evidence found on computers or similar digital storage media devices.
Probably the most significant danger confronting organizations and enterprises today is
cyber-attacks and risks [1]. An attack could even be considered an act of cyber
terrorism, whose effect is felt in terms of both cost and human emotion [2].
Whenever something like this happens, two of the most common questions that get asked
are: How did it happen? And how can this be prevented from happening again? There are
no straightforward answers to this, and depending upon the severity of the cyber-attack,
it could take weeks or even longer to determine the answers to these two questions.
Shefali Arora, Division of Computer Engineering, Netaji Subhas Institute of Technology, Delhi,
India, e-mail: arorashef@gmail.com
Ruchi Mittal, Department of Computer Science, Ganga Institute of Technology and Management,
Haryana, India, e-mail: ruchi.mittal138@gmail.com
M. P. S. Bhatia, Division of Computer Engineering, Netaji Subhas Institute of Technology, Delhi,
India, e-mail: bhatia.mps@gmail.com
https://doi.org/10.1515/9783110677478-001
1.1 Learn digital forensics
Awareness of digital forensics has evolved into building a foundation of
knowledge and skills around computer forensics. The main points of focus are email
and program forensic examination, network forensic analysis concepts, and many
more [3]. Forensic investigation becomes possibly the most critical
factor in today’s world. For instance, any remnants of the cyber-attack and any
evidence collected at the site should be gathered and investigated [4].
It is important to remember that the area of forensics, particularly
as it relates to Information Technology, is exceptionally broad and
contains many sub-specialties [5]. These encompass digital forensics, mobile
forensics, database forensics, logical access forensics,
and so forth, to name just a few. This chapter gives an outline of the field of
computer forensics. The focus is basically on what it is about, its significance,
and the general steps involved in conducting a computer forensics
case [6].
1.2 Definition of digital forensics
The term “forensics” means applying a reasonable process to the collection,
analysis, and presentation of gathered evidence. All evidence is meaningful
when a cyber-attack has occurred [7].
When a cyber-attack happens, gathering all relevant evidence is of the utmost
importance in answering the questions raised above [8]. It is
important to remember that the forensics examiner/investigator is particularly
interested in a specific piece of evidence, which is referred to specifically as “latent data.”
In the cybersecurity world, this kind of data (also known as “ambient data”)
is not easily seen or accessible upon first glance at the scene
of a cyber-attack. It takes a much deeper level of investigation by the computer
forensics expert to uncover it [9]. This data has numerous
uses; however, access to it is very restricted.
1.3 Need for forensic sciences
The importance of computer forensics to a business or an organization is enormous
[10]. For example, there is a common belief that the use of defensive devices like
firewalls and switches is enough to stop any cyber-attack. The security
expert knows this is false, given the extremely sophisticated nature
of today’s cyber attacker. This belief is also false from the
viewpoint of computer forensics. While these pieces of hardware do provide some
information about what unfolded in a cyber-attack, they don’t have the
deeper layer of data needed to give insight into what precisely
occurred [11]. This underscores the need for the organization also to
implement those security mechanisms (alongside the hardware above) which can provide
these pieces of data (examples are security devices that use artificial
intelligence (AI), business analytics, and so on).
Deploying this sort of security model, in which the principles
of computer forensics are also adopted, is also referred to as
“Defense in Depth.”
With such data, there is a much greater likelihood that the evidence
presented will be considered admissible in a court of law, consequently
bringing the perpetrators who launched the cyber-attack to justice [12].
Likewise, by adopting the principles of “Defense in Depth,” the business or
organization can readily come into compliance with government legislation
and mandates (for example, those of HIPAA, Sarbanes-Oxley). These require that
many types and kinds of data (even latent data) be archived and
stored for audit purposes. If an entity fails any compliance
measures, it can face severe financial penalties [13].
1.4 Expertise in digital forensics
To work as a forensic science professional, a candidate should have at least a
bachelor’s degree in forensic science or a natural science.
Forensic science programs offer different areas of specialization, and digital
science is one of them. Even though bachelor’s degree programs are the
minimum, many employers prefer people who have master’s degrees [14, 15].
Students in a forensic science program with a digital forensics
emphasis may complete courses in cybersecurity, digital forensic
technology and practices, advanced forensics, and critical thinking in
cybersecurity, among others. Many schools and colleges offer forensic science
programs through distance learning [16].
Most forensic professionals are required to complete on-the-job training before
really beginning their careers. This is where people gain from actual
work experience on the job. As important as it is to have a degree,
reports suggest that it is probably not enough. In addition, the candidate
should have the following skills.
– Analytical skills: The candidate must have the skills needed to analyze
and solve a problem.
– Computer/tech skills: Because most digital forensic work is based
around computers, the candidate must be comfortable with computers, computer
programming, and similar fields.
– Knowledge of cybersecurity: Digital or forensic science is about
solving cyber crimes, so it is important that the individual knows about solving
crimes as well as how to prevent them.
– Organizational skills: The forensic professional must be organized both
physically and mentally so that he or she can organize information and
present it to other people.
– Communication skills: The candidate must be able to communicate
freely because he or she will most likely be part of a team.
– The desire to learn: Technology keeps evolving, and the digital
technician must be willing and able to keep up with training as it changes.
1.5 History of digital forensics
It is difficult to pinpoint when computer forensics began. Most
experts agree that the field of computer forensics began to develop more than
30 years ago. The field began in the United States, in large part when law
enforcement and military investigators started seeing criminals get technical. In the end, the
fields of information security, which focuses on protecting information and assets,
and computer forensics started to intertwine [17].
Over the following decades, and up to today, the field has exploded. Law
enforcement and the military continue to have a large presence in information
security and the computer forensic field at the local, state, and federal level. Private
organizations and businesses have followed a similar pattern – employing internal
information security and computer forensic specialists or contracting such specialists or
firms, depending upon the situation. The private legal industry has seen
the need for computer forensic examinations in civil legal disputes as well,
causing an explosion in the e-discovery field [18].
The computer forensic field continues to grow on a daily basis. More and more
large forensic firms, boutique firms, and private investigators are gaining
knowledge and experience in the field. Software companies continue to produce
newer and more robust forensic software programs [19].
Also, law enforcement and the military continue to identify and train more and
more of their personnel in the response to crimes involving technology [20].
2 Objectives of digital forensics
There are many objectives of digital forensics, some of which are the following:
– To help suggest the motive behind the crime and the identity of the
main culprit.
– To plan procedures at a suspected crime scene that help to ensure that the
evidence obtained is not corrupted.
– To professionalize and advance the science of cyber security, digital and computer
forensics, and other areas of forensics.
– To provide a reasonable, positive procedure for verifying the competency of
cyber security, digital and computer forensics examiners.
– To set high forensic and ethical standards for cyber security, digital
and computer forensics examiners.
– To conduct research and development into new and emerging technologies and methods in
the different fields of forensics.
– To provide cyber security, digital and computer forensics training
programs (formal training, enrolment, courses, workshops, and conferences)
that give individuals the competency to know about present and
emerging standards and to ensure cyber security.
– To provide an understanding of the technical capability of hackers and the
countermeasures against such malicious attacks, helping federal, state, and
local governments, the private sector, financial institutions, law enforcement
agencies, the judiciary, and individuals in prevention and detection in cyber security.
– To publish articles in the print and electronic media on digital and computer
forensics.
3 Types of forensics and related work
Digital forensics needs the following steps:
– Identification
– Preservation
– Analysis
– Documentation
– Presentation
Identification involves finding the presence of evidence, and where and how it is stored.
Storage could be on mobile phones, PDAs, and computers. Preservation is the
isolation and preservation of data, as well as the prevention of tampering with the digital
evidence and storage media. This is followed by the reconstruction of data fragments
to conclude what has been found.
Here, the investigation agents reconstruct the pieces of data and draw inferences
based on the evidence found. It takes much time to identify the evidence and confirm the
perpetrators of the crime. Next, a record is created for all the data collected.
Proper documentation and the use of sketching and crime scene mapping
can help to recreate the crime scene. Finally, the inferences are documented and
presented.
Digital forensics is divided into various types:
– Disk forensics: In this type of forensics, data is extracted from storage media by
searching for deleted, archived, and modified files. This can help in the
identification and collection of evidence.
– Network forensics: In this type of forensics, computer network traffic is
monitored and analyzed to collect evidence [21, 22]. This is used for gathering
information and evidence and for detecting intruders. The authors describe the OSCAR [23]
methodology for network forensics, which is an acronym, where O stands for
Obtaining information (getting general data about the incident and the situation
it occurred in, including the date and time). The main tasks should be written
down, and priority should be assigned. S stands for Strategize, which deals with
the planning part. Prioritization should be done once evidence is acquired. This
is done by considering the volatility of sources and their value to the
investigation. C stands for Collect Evidence, which involves gathering evidence based
on the planning done in the previous stage. D stands for Documentation, as it is
necessary to safely guard and log the accesses made to systems as well as the
actions taken. The last letter R stands for the report, in which the results of the
investigation are conveyed to the client. The report should be understandable
even by non-technical people.
– Wireless forensics: This comes under network forensics, and it aims to make
use of tools to capture and analyze information and traffic from wireless
networks [24].
– Database forensics: It concerns the research and analysis of databases and
their related metadata.
– Email forensics: It involves the recovery of emails, including the deleted ones
from the inbox, contacts [25], etc. With the growth in e-commerce and
digitalization, it is essential to protect ourselves from fraudulent emails. Emails have
become a primary means of communication among people. Thus, it is essential to
have email forensics to analyze what is going on. The different types of crimes in
emails are as follows:
  – Phishing [26]: It is an attempt to obtain an individual’s information, such as
  usernames and passwords, by disguising oneself as a trustworthy identity.
  Emails usually contain links that can redirect a user to a suspicious website.
  Thus, the redirection of traffic is done with malicious intent to steal a user’s
  sensitive data.
  – Pharming: Done using counterfeit emails that redirect the receiver to
  anonymous websites.
  – Spoofing: In this, the user gets a mail and believes it is from a reliable
  source. But it is from an unknown user who uses a forged address to mail the
  user.
– Memory forensics: It works by gathering information from system memory
(system registers, cache, RAM) so that a raw dump can be used to analyze the
data [27]. This sort of examination comes in handy when the intruder does not
write data to non-volatile storage of the system during the attack, as it can
help to recover encryption keys of hard drives and network connections. It can
also help to trace previous network connections in parts of memory that are
free but not overwritten, or check if network interfaces are being used in
promiscuous mode. Thus, it is an essential branch of digital forensics, complementing
other methods such as network forensics [26].
Figure 1 shows the different kinds of forensic techniques available today.
Fig. 1: Categories of forensics (system, digital, cyber, enterprise, e-mail, data, web,
network, computer, and proactive forensics).
– Mobile phone forensics: It, for the most part, deals with the assessment and
examination of mobile phones [27]. Using this, we can get hold of contacts, call
logs, sent messages, recordings, and so on. Mobile phone forensics
is a part of digital forensics that helps to gather digital
information from a mobile device under forensically sound conditions. “Mobile” can
refer to other devices too, for example, workstations and tablets. Mobile phone
forensics can be challenging for several reasons: It may be hard to isolate a device
from the network. Most cell phones can connect using GSM, Bluetooth, and so
forth. They may reconnect dynamically if the primary connectivity
fails. Batteries may be non-removable, or encryption may lead to
difficulties in acquiring data. Standard interface devices, for example,
console or screen, may not be available. Thus, a wide variety of tools
is needed to extract data from mobile phones.
– Cloud forensics: Cloud forensics includes the use of digital forensics with cloud
computing [28]. Thus, various tools can be used to investigate crimes committed
over the cloud. As data is spread between various data centers to ease
load-balancing and scalability issues, data needs to be indexed efficiently. This would
help to prevent duplication and improve performance. Thus, examination becomes
easier as pieces of evidence left by attackers are difficult to destroy [29].
– Cyber forensics: It involves the analysis of any kind of crime committed over
the internet. Cyber Crimes can be committed against a person or property. It can
also be done against a government. Thus, cyber forensics helps to counteract
any such activities.
– Operating system forensics: An OS is present in all computers as well as
handheld devices. Thus, it is essential to have such tools that can monitor any kind of
activities going on [30]. This ensures that no malicious acts take place and, thus,
no data loss.
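For the email forensics item in the list above (phishing and spoofing), the following is an added example, not code from the chapter or from any tool it cites. It parses a raw message and flags a sender domain that disagrees with `Return-Path` or `Reply-To`, and links whose visible text names a different host than the `href`. The sample messages, the finding names and the exact-host comparison are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages (example.* domains, documentation IP range).
SPOOFED = """\
Return-Path: <bounce@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [203.0.113.7])
\tby mx.example.org; Mon, 01 Mar 2021 10:00:00 +0000
From: "Example Bank Support" <support@bank.example.com>
Reply-To: helpdesk@example.net
To: user@example.org
Subject: Verify your account
Content-Type: text/html; charset="utf-8"

<html><body><p>Please confirm your details:</p>
<a href="http://login.example.net/verify">https://bank.example.com/login</a>
<a href="https://bank.example.com/help">Help centre</a>
</body></html>
"""

BENIGN = """\
Return-Path: <news@bank.example.com>
From: "Example Bank" <news@bank.example.com>
To: user@example.org
Subject: Statement ready
Content-Type: text/html; charset="utf-8"

<html><body>
<a href="https://bank.example.com/login">https://bank.example.com/login</a>
</body></html>
"""

# A host name at the start of the visible link text, with or without a scheme.
_HOST_IN_TEXT = re.compile(
    r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#]|$)", re.I)


def _domain(header_value):
    """Domain part of the address in a header, or '' if absent/unparsable."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw):
    """Return a list of (finding, detail) tuples for one raw message."""
    msg = message_from_string(raw)
    findings = []
    from_dom = _domain(msg["From"])

    # The From header is chosen by the sender; compare it with the envelope
    # sender recorded in Return-Path and with where replies would go.
    for header, name in (("Return-Path", "return-path-mismatch"),
                         ("Reply-To", "reply-to-mismatch")):
        dom = _domain(msg[header])
        if dom and dom != from_dom:
            findings.append((name, f"From={from_dom} {header}={dom}"))

    body = msg.get_payload()
    if isinstance(body, str) and msg.get_content_type() == "text/html":
        collector = _LinkCollector()
        collector.feed(body)
        for href, text in collector.links:
            shown = _HOST_IN_TEXT.match(text)
            target = (urlparse(href).hostname or "").lower()
            # Exact host comparison: a simplification, subdomains also differ.
            if shown and target and shown.group(1).lower() != target:
                findings.append(("link-text-mismatch",
                                 f"shows {shown.group(1)} but goes to {target}"))
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("benign", BENIGN)):
        print(label, analyze(raw))
```

A mismatch is a lead for the examiner rather than proof, since legitimate bulk mail often uses a separate bounce domain.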
Nowadays, digital evidence is required to trace any kind of illegal activities like
phishing, espionage, and illegal downloads. Various tools [31–35] are being used to
equip IT systems with the facility of tracing the footsteps of intruders. Security
measures applied to computers as well as handheld devices can help to protect
from any cyber-attacks [36]. Autopsy [37] is one of the software tools used by law
firms and the military to gather digital proofs against any attack. It has a GUI named
Sleuth Kit, a Unix and Windows library for forensic investigation. It becomes more
comfortable as the results of the analysis and examination are displayed on the GUI.
Autopsy is commonly used when multiple files and machines are being worked upon,
and a central location is used for storing data. Software like SQL can be further used for
accessing such stored information. The integrity of evidence can be maintained by
performing hashing. It is available free of cost and has a simple GUI to operate.
The use of the MD5 hash function for each file makes sure that the integrity of
evidence is maintained [38]. This would also make search faster on the disk. While
data can be previewed dynamically, recovered files can also be deleted.
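An added example (not from the chapter and not Autopsy's own code) of the per-file hashing described above: a manifest is recorded at acquisition and re-checked later to show that evidence is unchanged. Function names and sample files are constructed for illustration; recording SHA-256 next to MD5 is an assumption of this example, made because MD5 collisions are practical.

```python
import hashlib
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # read in 1 MiB chunks so large disk images are not loaded whole


def hash_file(path):
    """Return MD5, SHA-256 and size of one file, read in chunks."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(),
            "sha256": sha256.hexdigest(),
            "size": os.path.getsize(path)}


def build_manifest(root):
    """Map every file under root (relative path, '/' separators) to its hashes."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def verify_manifest(root, manifest):
    """Compare the current state of root with a manifest recorded earlier."""
    current = build_manifest(root)
    report = {"modified": [], "missing": [], "added": []}
    for rel, recorded in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif (current[rel]["md5"], current[rel]["sha256"]) != \
                (recorded["md5"], recorded["sha256"]):
            report["modified"].append(rel)
    report["added"] = sorted(set(current) - set(manifest))
    report["modified"].sort()
    report["missing"].sort()
    return report


def demo():
    """Build a constructed evidence folder, tamper with it, and verify twice."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "mail"))
        samples = {  # constructed sample evidence, not real data
            "disk_notes.txt": b"acquired 2021-01-01\n",
            "mail/inbox.mbox": b"From alice@example.org\n",
            "capture.pcap": b"constructed capture bytes",
        }
        for rel, data in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)

        manifest = build_manifest(root)          # taken at acquisition time
        clean = verify_manifest(root, manifest)  # nothing changed yet

        # Same-length edit: the size check alone would miss it, the hashes do not.
        with open(os.path.join(root, "disk_notes.txt"), "wb") as fh:
            fh.write(b"acquired 2021-01-02\n")
        os.remove(os.path.join(root, "capture.pcap"))
        with open(os.path.join(root, "planted.txt"), "wb") as fh:
            fh.write(b"added after acquisition\n")

        tampered = verify_manifest(root, manifest)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("before tampering:", clean)
    print("after tampering: ", tampered)
```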
Networks become complicated with time, and many attacks become active to
take data and seize machines. In the case of network forensics [65], it is essential to
capture packets across the network. Therefore, tools like Wireshark come in handy.
Wireshark helps to capture such packets and analyze them so that any attack can be
detected. It plays an essential role in network forensics. It can monitor the IP and MAC
addresses across the network. TShark is the GUI of Wireshark used to see the captured
packets. It has become a popular sniffing tool [31]. Sometimes, investigators are unable
to find relevant data when undercover investigations are going on. Section 4 describes
some other popular forensic tools commonly used by forensic experts in investigations
[61, 62].
4 Popular forensic tools used for investigations
4.1 X-ways forensics [34]
It is an advanced platform for digital forensics examiners. It runs on all available
versions of Windows. It claims not to be very resource hungry and to work
efficiently. Its key features include the ability to read file system structures inside
various image files, automatic detection of deleted or lost hard disk partitions,
various data recovery techniques, powerful file carving, data authenticity checks,
memory and RAM examination, and more [63].
4.2 Registry Recon [39]
It is a well-known registry analysis tool. It extracts the registry data from the evidence
and then rebuilds the registry representation. It can rebuild registries from both current
and previous Windows installations.
4.3 The sleuth kit (Autopsy) [40]
It is a Unix- and Windows-based tool that helps in the forensic analysis of
computers. It comes with various tools that help in forensic examination. These tools
help in analyzing disk images, performing in-depth analysis of file systems, and
various other things. Autopsy is an easy-to-use, GUI-based program that lets us
analyze hard drives and handheld devices efficiently. It has a plug-in architecture that
lets us find add-on modules or develop custom modules in Java or Python.
4.4 Xplico [41]
Xplico is a network forensic analysis tool, that is, software that reconstructs the
contents of acquisitions performed with a packet sniffer (for example, Wireshark,
tcpdump, Netsniff-ng). Xplico can extract and reconstruct all the Web pages and
contents (images, files, cookies, etc.). It is an open-source network forensic analysis
tool. It is primarily used to extract useful data from applications that use Internet
and network protocols. It supports most of the popular Internet protocols. The output
data of the tool is stored in an SQLite database or a MySQL database. It also
supports IPv4 and IPv6.
4.5 Volatility framework
This was introduced at Black Hat and is used for memory analysis and forensics.
The Volatility framework introduced people to the power of analyzing the runtime
state of a system by using the data found in volatile storage (RAM). It also provided
a cross-platform, modular, and extensible platform to encourage further work in this
area of research. It has become an indispensable digital investigation tool relied upon
by law enforcement, military, academia, and commercial investigators throughout the
world.
4.6 Coroner’s toolkit [42]
This is also a good digital forensic analysis tool. It runs under several
Unix-related operating systems. It can be used to aid the analysis of
computer disasters and data recovery.
4.7 Oxygen forensic suite [43]
It is good software for gathering evidence from a mobile phone to support a
case. This tool helps in gathering device information (including manufacturer, OS,
IMEI number, serial number) and contacts (messages, SMS, MMS), and in recovering
deleted messages, call logs, and calendar information. It also lets you access and
analyze mobile phone data and files. It generates easy-to-read reports for better
understanding.
4.8 Bulk Extractor [44]
It is also an important and well-known digital forensics tool. It scans disk
images, files, or directories of files to extract useful data. In doing so, it ignores
the file system structure, so it is faster than other available tools of a similar
kind. It is primarily used by intelligence and law enforcement agencies in solving
cyber crimes.
4.9 Mandiant redline [45]
It is a popular tool for memory and file analysis. It collects information about
running processes on a host and drivers from memory, and gathers other
data such as metadata, registry data, tasks, services, network information,
and internet history to build a proper report.
4.10 Computer Online Forensic Evidence Extractor (COFEE) [46]
This tool was created for computer forensic experts. It was developed by Microsoft to
gather evidence from Windows systems. It can be installed on a USB pen drive or
external hard disk. Plug the USB device into the target computer, and it starts a live
analysis. It comes with 150 different tools and a GUI-based interface to command
the tools. It is fast and can carry out the entire analysis in as little as 20 min.
To law enforcement agencies, Microsoft offers free technical support for the tool.
4.11 P2 eXplorer [47]
It is a forensic image mounting tool that aims to help investigating officers
with the examination of a case. With this tool, you can mount forensic images
as a read-only local and physical disk and then explore the contents of the
image with a file explorer. You can view deleted data and the unallocated space
of the image.
It can mount several images at a time. It supports most image formats,
including EnCase, SafeBack, PFR, FTK DD, WinImage, raw images from Linux DD,
and VMware images. It supports both logical and physical image types.
4.12 Cellebrite UFED [48]
Its solutions present a unified workflow that allows examiners, investigators, and
first responders to collect, protect, and act decisively on mobile data with speed
and accuracy, without ever compromising one for the other. The UFED Pro Series is
designed for forensic examiners and investigators who require the most
comprehensive, up-to-date mobile data extraction and the decoding of new data
sources. The UFED Field Series is designed to unify workflows between the field and
the lab, making it possible to view, access, and share mobile data via in-car
workstations, laptops, tablets, or a secure, self-service kiosk located at a station.
4.13 XRY [49]
It is the mobile forensics tool developed by Micro Systemation. It is used to analyze
and recover crucial information from mobile devices. This tool comes with a hardware
device and software. It acts as an interface between mobile phones and PCs for the
purpose of analysis and extraction of data. It is designed to recover
data for forensic analysis.
4.14 HELIX3 [50]
It is a digital forensic suite made for use in incident response. It
comes with many open-source digital forensics tools, including
hex editors, data carving, and password cracking tools.
This tool can collect data from memory, user accounts, logs, the Windows
Registry, applications, drivers, as well as Internet records.
5 Uses for computer forensic tools
After investigating your system, you will want to figure out how the
intrusion was done so you can keep it from happening again. If attackers
managed to get past your existing electronic defenses, then there is a
loophole or hole in your security shield somewhere [48]. It may
not be immediately obvious where this hole is, especially if the attackers were good
at covering their tracks. Forensic tools can help you retrace their digital
steps and find the gaps so you can patch them up [64].
5.1 Cleaning up and rebuilding
You must figure out exactly what the attackers did, so you know how extensive
the damage is and can take appropriate action. You do not want to miss any
hacked servers or backdoor accounts. Using forensic tools
can help you figure out where the bodies are buried, so to speak. If the
attacker deleted files, you may be able to recover some of them
using forensic tools [51].
5.2 Criminal investigation
If the damage done by an attacker is severe enough, you may want to consider
pressing criminal charges. Simple Web defacements or intrusions are,
for the most part, not worth pursuing because of the high costs
involved. However, if your infrastructure or corporate reputation was substantially
damaged, you may want to file criminal charges against
your attacker. Your insurance company may require that you file a police
report to make a claim. Forensic tools help you identify your attackers so
you can report them and provide the evidence to prosecute them [52].
There are a few things you should consider before proceeding down this
path. For small damages, you can file a report with your local police department.
Be aware that they often do not have the resources to pursue computer crime
properly at the local level, and you may end up doing most of
the investigative work. You can use the tools in this chapter to help with the
effort. Just be careful that you do not contaminate the evidence so that it is not
useful in a court of law (see the sidebar on computer forensics).
If the damages are large enough or involve a felony (for example, interstate
or international commerce), you can take your case to the FBI. You can find contact
information for your local FBI field office in your phone directory or on the web at
www.fbi.gov. If the case involves the violation of federal law or
material dollar damages of over $25,000, they will probably take your case. Otherwise,
they may refer you to local law authorities. If you can show some involvement with
terrorism or interstate fraud, you may get them involved for lesser amounts.
Everyday hacking attacks will probably not be investigated heavily; there are
too many incidents reported daily for the FBI to focus on anything
that is not a significant case [53].
When it comes to having criminal charges filed against your attacker, proper
forensic analysis becomes even more important. There is a heavy
burden of proof in computer criminal cases. Tying a specific act that was
performed by a user ID to an individual is very difficult in a court of law.
Usually, prosecutors have to prove that the individual was actually at their
keyboard using that account while the attack was taking place. Otherwise, there
are many defenses available to the accused, for example, “Someone else
used my password” or “I was hacked.” There is also close attention paid
to the chain of custody of any evidence collected [54]. This refers to who has had
access to the data and could have changed or altered it along the way. In a
situation like this, defer to the authorities, who may want to use their own data
collection methods. You may also want to use a third party who does this professionally
to assist your interaction with law enforcement.
5.3 Civil action
If you find that pursuing criminal charges is impractical, you may still
want to file a civil lawsuit to punish your hacker. Sometimes this is the only
way you can get someone to stop their attacks. If the attacker is coming
from another company, whether in a case of covert corporate activity or, unsanctioned,
in the case of a wayward employee, you may have cause to file a lawsuit and
collect significant damages. Although the burden of proof is lower in the civil
courts, you must still be able to prove your case. The tools
in this chapter help you to do so. However, if the case is big enough and
the stakes large enough, you should still probably hire a computer forensic expert
rather than try to do it yourself [27].
5.4 Internal investigations
If you suspect your intrusion may be from an internal source, you must track
down this huge source of business liability. An internal hacker can do
far more damage than an outsider since they often know the personnel, systems,
and information that could cause the most damage to a company if
revealed or compromised. By using these forensic tools, you can track
them down. If disciplinary action is warranted, you have the evidence to back it up.
These days, you do not want to get sued by a former employee for wrongful termination [55].
5.5 ISP complaints
If you decide not to pursue the individual attacking your network and they are still
doing it, you need to file a complaint with their ISP and try to get them shut down.
Often, this is the only real recourse that does not cost a lot of money for
companies hit by a hacker attack. Using the forensic tools in this chapter, you can
follow the perpetrator’s trail, at least as far as their ISP. Once you have traced the
attacker this far, you can file a formal complaint with the ISP, asking that
they take further action. Most ISPs have acceptable use policies for their
customers, which do not include hacking. If you can show them satisfactory
evidence, they will generally take action, ranging from a warning to removing
that user’s account. Because of privacy concerns, they will not usually disclose
any personal information about the user unless required, but some ISPs are more
helpful than others in this respect. Most of the major providers have a special
abuse email address to which you can send your messages [56].
You should make sure you have gathered sufficient information so they can find
your attacker. This would include IP addresses tied to specific times.
Most ISPs give out dynamic IP addresses, which change each time someone signs on.
Without time information to match to their logs, they probably will not be able to
help you. If possible, give them multiple access times so they can correlate the
user from several data points, as their log files may be out of sync
with yours, and the times will not match exactly. Also, include any
other data you may have, for example, logs of commands used, places they
copied files to, etc. The ISP may be a victim as well and will want this
information to investigate further [57].
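One way to prepare the "IP addresses tied to specific times" for an abuse report, as an added example that is not part of the original chapter. It assumes sshd-style log lines with RFC 3339 timestamps (the sample lines, host name and addresses are constructed) and a measured offset of the logging host's clock, given as the hypothetical parameter `clock_ahead_seconds`.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log: documentation address ranges, invented host name.
SAMPLE_LOG = """\
2024-03-09T23:58:41+05:30 gw01 sshd[811]: Failed password for root from 203.0.113.7 port 50122 ssh2
2024-03-09T23:59:02+05:30 gw01 sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 50131 ssh2
2024-03-10T00:04:17+05:30 gw01 sshd[902]: Accepted password for backup from 203.0.113.7 port 50310 ssh2
2024-03-10T01:15:00+05:30 gw01 sshd[950]: Failed password for root from 198.51.100.23 port 40022 ssh2
2024-03-10T01:16:00 gw01 sshd[951]: Failed password for root from 198.51.100.23 port 40023 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<event>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"port (?P<port>\d+)"
)


def parse_line(line):
    """Return (utc_time, ip, port, user, event) or None if unusable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m["ts"])
        ip = ipaddress.ip_address(m["ip"])
    except ValueError:
        return None
    if ts.tzinfo is None:
        # No UTC offset: the ISP cannot match this time to its own logs.
        return None
    return ts.astimezone(timezone.utc), str(ip), int(m["port"]), m["user"], m["event"]


def build_report(log_text, clock_ahead_seconds=0):
    """Group events per source IP with clock-corrected UTC timestamps.

    clock_ahead_seconds is how far the logging host's clock ran ahead of a
    trusted reference when the events were recorded (assumed to be measured).
    """
    skew = timedelta(seconds=clock_ahead_seconds)
    per_ip = defaultdict(list)
    rejected = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        parsed = parse_line(line)
        if parsed is None:
            rejected += 1
            continue
        ts, ip, port, user, event = parsed
        stamp = (ts - skew).strftime("%Y-%m-%dT%H:%M:%SZ")
        # Keep the source port: it narrows the match when the provider
        # shares one public address among several customers.
        per_ip[ip].append((stamp, port, user, event))

    report = {}
    for ip, events in per_ip.items():
        events.sort()  # ISO 8601 UTC strings sort chronologically
        report[ip] = {
            "count": len(events),
            "first_utc": events[0][0],
            "last_utc": events[-1][0],
            "events": events,
        }
    return report, rejected


if __name__ == "__main__":
    result, skipped = build_report(SAMPLE_LOG, clock_ahead_seconds=12)
    for ip, entry in sorted(result.items()):
        print(ip, entry["count"], entry["first_utc"], entry["last_utc"])
    print("lines without usable time or address:", skipped)
```

Lines that cannot be placed on a UTC timeline are counted rather than guessed at, so the report only contains times the provider can actually compare with its own records.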
6 Case studies using forensic tools
6.1 Autopsy
There are many tools for forensic analysis these days, including ones making use of
machine learning and other techniques [58–60]. The first case study makes use of
Autopsy to examine the files stored on the system.
While using Autopsy, the investigator analyzes the deleted files, which
helps in forensic investigations. Deleted files stay on the storage until they are
overwritten. Thus, it is possible to recover deleted evidence from a system until the
document software overwrites them.
In this case study, Autopsy is used for identifying and recovering deleted
records. The Sleuth Kit was first designed for Linux, but was later designed for
Windows as well. The steps are as follows:
– Install Autopsy on your system.
– Create a new case and add it to a base directory.
– Click on Add Data Source.
– Select a Logical File Set or image you want to analyze.
Figures 2–4 depict the GUI of Autopsy. Figures 5 and 6 illustrate how forensic
investigations are performed.
Fig. 2: Selection of data.
Fig. 3: Selection of source.
Fig. 4: Configure ingest modules.
6.2 Wireshark
Network forensic tools are the need of the hour as networks are becoming more complex,
with hackers launching attacks to steal the identities of people [66–68]. These threats
affect users, administrators as well as forensic investigators [69–70]. When analyzing
network-related attacks, it is essential to understand the origin of the attacks and to
analyze packets. This can help administrators to restore systems. Wireshark is a forensic
tool that is used to analyze incoming and outgoing packets so that any kind of network
problem can be troubleshot by identifying anomalies and suspicious patterns
of packets. This forensic tool is a free and open-source packet analyzer used to
capture, analyze, and filter packets. It can help the system administrator to analyze
network packets. This can be visualized in the following figures.
The captured packets can be analyzed along with their protocols, source, and
destination address. The hex dump of these packets can be visualized in the bottom
section. Figure 7 depicts the monitoring of packets in Wireshark. Figure 8 shows
how this information can be monitored using different sections.
Using Wireshark, filters are used to analyze packets selectively, as shown in Fig. 9.
It is also used to check the total number of packets, queries, and responses in the
network according to a specific protocol.
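The per-protocol counting described above, reproduced outside the GUI as an added example (not code from the chapter or from the Wireshark project). It parses a small classic pcap capture that is constructed in memory, counts packets per protocol, and splits DNS into queries and responses the way the Wireshark display filters `dns.flags.response == 0` and `dns.flags.response == 1` do; all addresses, ports and function names are constructed.

```python
import socket
import struct
from collections import Counter


def _frame(src, dst, proto, payload):
    """Constructed Ethernet + IPv4 frame (MACs and checksums left at zero)."""
    eth = bytes(12) + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                     proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + payload


def _udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def _dns(txid, is_response):
    flags = 0x8180 if is_response else 0x0100  # top bit is QR (response)
    question = b"\x07example\x04test\x00" + struct.pack("!HH", 1, 1)
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question


def build_sample_pcap():
    """Five constructed packets; one DNS query never gets an answer."""
    client, resolver, web = "192.0.2.10", "192.0.2.53", "198.51.100.80"
    syn = struct.pack("!HHIIBBHHH", 40002, 443, 0, 0, 0x50, 0x02, 1024, 0, 0)
    frames = [
        _frame(client, resolver, 17, _udp(40000, 53, _dns(0x1A2B, False))),
        _frame(resolver, client, 17, _udp(53, 40000, _dns(0x1A2B, True))),
        _frame(client, resolver, 17, _udp(40001, 53, _dns(0x3C4D, False))),
        _frame(client, web, 6, syn),
        _frame(client, web, 17, _udp(40003, 123, bytes(48))),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame))
        out += frame
    return out


def read_pcap(data):
    """Yield (timestamp, frame) from a classic pcap byte string."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet captures (linktype 1) are handled")
    pos = 24
    while pos + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(endian + "IIII", data[pos:pos + 16])
        pos += 16
        frame = data[pos:pos + incl]
        if len(frame) < incl:  # capture file cut off mid-packet
            break
        pos += incl
        yield sec + usec / 1e6, frame


def summarize(data):
    """Return (packets per protocol, DNS query/response counts, unanswered)."""
    protocols, dns, pending = Counter(), Counter(), {}
    for ts, frame in read_pcap(data):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            protocols["other"] += 1
            continue
        ihl = (frame[14] & 0x0F) * 4  # IPv4 header length in bytes
        proto = frame[23]
        src = socket.inet_ntoa(frame[26:30])
        dst = socket.inet_ntoa(frame[30:34])
        l4 = frame[14 + ihl:]
        if proto == 6:
            protocols["tcp"] += 1
        elif proto == 17 and len(l4) >= 8:
            sport, dport = struct.unpack("!HH", l4[:4])
            payload = l4[8:]
            if 53 in (sport, dport) and len(payload) >= 12:
                protocols["dns"] += 1
                txid, flags = struct.unpack("!HH", payload[:4])
                if flags & 0x8000:
                    dns["responses"] += 1
                    pending.pop((dst, dport, txid), None)
                else:
                    dns["queries"] += 1
                    pending[(src, sport, txid)] = ts
            else:
                protocols["udp"] += 1
        else:
            protocols["other"] += 1
    unanswered = sorted((c, p, hex(t)) for c, p, t in pending)
    return dict(protocols), dict(dns), unanswered


if __name__ == "__main__":
    print(summarize(build_sample_pcap()))
```

A query count that runs well ahead of the response count, or a list of unanswered transactions, is the kind of anomaly the text refers to when it speaks of suspicious packet patterns.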
Fig. 5: Flow of data in the tool.
Fig. 6: Final results of the tool.
Fig. 7: Monitoring the IP and protocols of information.
Fig. 8: Monitoring information flow in tool.
7 Conclusion and future work
The use of forensic tools is essential as a great deal of personal information
is available on the web, be it on online social networks or social media.
Unfortunately, gathering data to reconstruct and establish an attack can
seriously damage privacy and is connected to other obstacles when cloud
computing is involved.
This chapter is a review of the use of digital forensics in the investigation of
cyber crimes to gather evidence. The use of forensic tools is essential to analyze
any kind of data, which could range from text to videos, and to deal with intrusion in
operating systems, networks, etc. Much work is being done in the domain of forensic
investigations as there are multiple issues related to the storage and retrieval of
large data. As digital information is being marketed on a large scale, digital
evidence is needed to analyze what kind of tampering was done with essential data.
This is further illustrated by the analysis of files stored on the Windows operating
system using the Sleuth Kit interface of the Autopsy forensics tool. In the future,
the authors will work on more aspects of privacy preservation using forensic tools.
Fig. 9: Detailed information on a specific protocol.
References
[1] Richard III, G. G., Roussev, V. 2006. Next-generation digital forensics. Communications of the
ACM, 49(2), 76–80.
[2] Casey, E. 2009. Handbook of Digital Forensics and Investigation, Academic Press, Elsevier,
United States.
[3] Nance, K., Hay, B., Bishop, M., 2009, January. Digital forensics: defining a research agenda.
In 2009 42nd Hawaii International Conference on System Sciences, 1–6, IEEE.
[4] Holt, T. J., Bossler, A. M., Seigfried-Spellar, K. C. 2015. Cybercrime and Digital Forensics:
An Introduction, Routledge, Taylor and Francis, United Kingdom.
[5] Taylor, R. W., Fritsch, E. J., Liederbach, J. 2014. Digital Crime and Digital Terrorism, Prentice
Hall Press, One Lake Street Upper Saddle River, NJ; United States.
[6] Nance, K., Bishop, M., 2017. Deception, Digital Forensics, and Malware Minitrack
(Introduction).
[7] Nance, K., Bishop, M., 2017, January. Introduction to deception, digital forensics, and
malware minitrack. In Proceedings of the 50th Hawaii International Conference on System
Sciences.
[8] Kävrestad, J. 2017. Guide to Digital Forensics: A Concise and Practical Introduction, Springer,
Switzerland.
[9] Hassan, N. A. 2019. Introduction: Understanding Digital Forensics. In: Nihad A. Hassan (ed.)
Digital Forensics Basics. Apress, Berkeley, CA, 1–33.
[10] Chen, L., Takabi, H., Le-Khac, N. A. eds. 2019. Security, Privacy, and Digital Forensics in the
Cloud, John Wiley & Sons, United States.
[11] Casey, E. 2011. Digital Evidence and Computer Crime: Forensic Science, Computers, and the
internet, Academic press, United States.
[12] Stallard, T., Levitt, K., 2003, December. Automated analysis for digital forensic science:
Semantic integrity checking. In 19th Annual Computer Security Applications Conference,
2003. Proceedings, 160–167, IEEE.
[13] Vincze, E. A. 2016. Challenges in digital forensics. Police Practice and Research, 17(2),
183–194.
[14] Parvez, M. M., Hossain, S. A., Ali, S. M. R., 2017, March. Design and implementation of low
cost digital forensic laboratory for university. In 2017 International Conference on Wireless
Communications, Signal Processing and Networking (WiSPNET), 1524–1528, IEEE.
[15] Khalaf, R. S., Varol, A., 2019, June. Digital forensics: Focusing on image forensics. In 2019
7th International Symposium on Digital Forensics and Security (ISDFS), 1–5, IEEE.
[16] Ozel, M., Bulbul, H. I., Yavuzcan, H. G., Bay, O. F. 2018. An analytical analysis of Turkish
digital forensics. Digital Investigation, 25, 55–69.
[17] Pollitt, M., 2010, January. A history of digital forensics. In IFIP International Conference on
Digital Forensics, 3–15, Springer, Berlin, Heidelberg.
[18] Scientific Working Group on Digital Evidence (SWGDE) and United States of America, 2000.
Digital Evidence: Standards and Principles.
[19] Blyth, T. 2013. Narratives in the History of Computing: Constructing the Information Age
Gallery at the Science Museum. In: Tatnall A., Blyth T., Johnson R. (eds) Making the History of
Computing Relevant. HC 2013. IFIP Advances in Information and Communication Technology
Making the History of Computing Relevant. Springer, Berlin, Heidelberg, 25–34.
[20] Whitcomb, C. M. 2002. An historical perspective of digital evidence: A forensic scientist’s
view. International Journal of Digital Evidence, 1(1), 7–15.
[21] Shrivastava, G. 2017. Approaches of network forensic model for investigation. International
Journal of Forensic Engineering, 3(3), 195–215.
[22] Shrivastava, G., 2016. Network forensics: Methodical literature review. In 2016 3rd
International Conference on Computing for Sustainable Global Development (INDIACom),
2203–2208, IEEE.
[23] Karresand, M., Shahmehri, N., 2006, May. Oscar – file type identification of binary data in
disk clusters and ram pages. In IFIP International Information Security Conference, 413–424,
Springer, Boston, MA.
[24] Ma, W., Li, R. 2019. Digital Forensics for Frame Rate Up-Conversion in Wireless Sensor
Network. In: Al-Turjman F. (eds). Artificial Intelligence in IoT. Transactions on Computational
Science and Computational Intelligence. Springer, Cham, 151–166.
[25] Khan, M. Z., Husain, M. S., Shoaib, M. 2020. Introduction to Email, Web, and Message
Forensics. In: Mohammad Shahid Husain and Mohammad Zunnun Khan (eds.) Critical
Concepts, Standards, and Techniques in Cyber Forensics. IGI Global, Ministry of Higher
Education, Oman, Integral University, India, 174–186.
[26] Morovati, K., Kadam, S. S. 2019. Detection of phishing emails with email forensic analysis
and machine learning techniques. International Journal of Cyber-Security and Digital
Forensics, 8(2), 98–108.
[27] Case, A., Richard III, G. G. 2017. Memory forensics: The path forward. Digital Investigation,
20, 23–33.
[28] Joseph, P., Norman, J. 2020. Systematic memory forensic analysis of ransomware using
digital forensic tools. International Journal of Natural Computing Research (IJNCR), 9(2),
61–81.
[29] Su, Q., Xi, B., 2017, March. Key technologies for mobile phone forensics and application.
In 2017 2nd International Conference on Multimedia and Image Processing (ICMIP), 335–340,
IEEE.
[30] Manral, B., Somani, G., Choo, K. K. R., Conti, M., Gaur, M. S. 2019. A systematic survey on
cloud forensics challenges, solutions, and future directions. ACM Computing Surveys (CSUR),
52(6), 1–38.
[31] Cameron, L., 2018. Future of digital forensics faces six security challenges in fighting
borderless cybercrime and dark web tools.
[32] Roussev, V. 2009. Hashing and data fingerprinting in digital forensics. IEEE Security &
Privacy, 7(2), 49–55.
[33] Banerjee, U., Vashishtha, A., Saxena, M. 2010. Evaluation of the capabilities of wireshark as a
tool for intrusion detection. International Journal of computer applications, 6(7), 1–5.
[34] Wu, W., Zhao, G., Lai, W., Lan, J., 2016, May. Research on NTFS file anti-delete forensic
technology. In 2016 2nd Workshop on Advanced Research and Technology in Industry
Applications (WARTIA-16). Atlantis Press.
[35] Malan, D. F., Van Der Walt, S. J., Raidou, R. G., Van Den Berg, B., Stoel, B. C., Botha, C. P., . . .
Valstar, E. R. 2016. A fluoroscopy-based planning and guidance software tool for minimally
invasive hip refixation by cement injection. International journal of computer assisted
radiology and surgery, 11(2), 281–296.
[36] Montasari, R., Hill, R., 2019, January. Next-generation digital forensics: Challenges and future
paradigms. In 2019 IEEE 12th International Conference on Global Security, Safety and
Sustainability (ICGS3), 205–212, IEEE.
[37] Sindhu, K. K., Meshram, B. B. 2012. Digital forensic investigation tools and procedures.
International Journal of Computer Network and Information Security, 4(4), 39.
[38] Truong, J., 2017. File survival on USB drive.
[39] Recon, A., 2014. Arsenal image mounter.
[40] Carrier, B., 2011. The sleuth kits. TSK–sleuthkit. org.
[41] Al-Hadadi, M., AlShidhani, A. 2013. Smartphone forensics analysis: A case study.
International Journal of Computer and Electrical Engineering, 5(6), 576.
[42] Garfinkel, S. L. 2013. Digital media triage with bulk data analysis and bulk_extractor.
Computers & Security, 32, 56–72.
[43] Van De Wiel, E., Scanlon, M., Le-Khac, N. A., 2018, January. Enabling non-expert analysis of
large volumes of intercepted network traffic. In IFIP International Conference on Digital
Forensics, 183–197, Springer, Cham.
[44] Neware, R. 2017. Computer forensics for private web browsing of UC browser. IOSR Journal of
Computer Engineering (IOSR-JCE), 19(4), 56–60.
[45] Cohen, C. L. 2007. Growing challenge of computer forensics. Police Chief, 74(3), 24.
[46] Liu, H., Azadegan, S., Yu, W., Acharya, S., Sistani, A. 2012. Are we Relying too much on
Forensics Tools? In: Lee R. (ed.) Software Engineering Research, Management and
Applications 2011. Springer, Berlin, Heidelberg, 145–156.
[47] Taylor, T., Araujo, F., Kohlbrenner, A., Stoecklin, M. P., 2018, June. Hidden in plain sight:
Filesystem view separation for data integrity and deception. In International Conference on
Detection of Intrusions and Malware, and Vulnerability Assessment, 256–278, Springer,
Cham.
[48] Savoldi, A., Gubian, P., Echizen, I., 2010, January. Uncertainty in live forensics. In IFIP
International Conference on Digital Forensics, 171–184, Springer, Berlin, Heidelberg.
[49] Wang, P., Rosenberg, M., D’Cruze, H. 2018. Integration of Mobile Forensic Tool Capabilities.
In: Shahram Latifi (ed.) Information Technology-New Generations. Springer, Cham, 81–87.
[50] Davidoff, S., Ham, J. 2012. Network Forensics: Tracking Hackers Through
Cyberspace, Vol. 2014, Prentice hall, Upper Saddle River.
[51] Umair, A., Nanda, P., He, X., 2017. Online social network information forensics: A survey on
use of various tools and determining how cautious facebook users are? In 2017 IEEE
Trustcom/BigDataSE/ICESS, 1139–1144, IEEE.
[52] Meghanathan, N., Allam, S. R., Moore, L. A., 2010. Tools and techniques for network
forensics. arXiv preprint arXiv:1004.0570.
[53] Azadegan, S., Yu, W., Liu, H., Sistani, M., Acharya, S., 2012, January. Novel anti-forensics
approaches for smart phones. In 2012 45th Hawaii International Conference on System
Sciences, 5424–5431, IEEE.
[54] Talib, M. A., Alnanih, R., Khelifi, A. 2020. Application of quality in use model to assess the
user experience of open source digital forensics tools. International Journal of Electronic
Security and Digital Forensics, 12(1), 43–76.
[55] Umar, R., Riadi, I., Zamroni, G. M. 2018. Mobile forensic tools evaluation for digital crime
investigation. International Journal of Advance Science Engineering Information Technology,
8(3), 949.
[56] Li, S., Choo, K. K. R., Sun, Q., Buchanan, W. J., Cao, J. 2019. IoT forensics: Amazon Echo as a
use case. IEEE Internet of Things Journal, 6(4), 6487–6497.
[57] Ogden, R. 2008. Fisheries forensics: the use of DNA tools for improving compliance,
traceability, and enforcement in the fishing industry. Fish and Fisheries, 9(4), 462–472.
[58] Shrivastava, G., Sharma, K., Khari, M., Zohora, S. E. 2018. Role of Cyber Security and Cyber
Forensics in India. In: Gulshan Shrivastava, Prabhat Kumar, B. B. Gupta, Suman Bala and
Nilanjan Dey (eds.) Handbook of Research on Network Forensics and Analysis Techniques. IGI
Global, 143–161.
[59] Shrivastava, G., Peng, S. L., Bansal, H., Sharma, K., Sharma, M. eds. 2020. New Age
Analytics: Transforming the Internet through Machine Learning, IoT, and Trust Modeling,
Apple Academic Press, New York.
[60] Sharma, K., Makino, M., Shrivastava, G., Agarwal, B. eds. 2019. Forensic Investigations and
Risk Management in Mobile and Wireless Communications, IGI Global, USA.
[61] Casey, E. ed. 2001. Handbook of Computer Crime Investigation: Forensic Tools and
Technology, Elsevier, USA.
[62] Wazid, M., Katal, A., Goudar, R. H., Rao, S., 2013, April. Hacktivism trends, digital forensic
tools, and challenges: A survey. In 2013 IEEE Conference on Information & Communication
Technologies, 138–144, IEEE.
[63] Gadgil, P., Nagpure, S., 2019. Analysis of Advanced Volatile Threats Using Memory Forensics.
Available at SSRN 3358798.
[64] Garfinkel, S. L. 2010. Digital forensics research: The next 10 years. Digital Investigation, 7,
S64–S73.
[65] Shrivastava, G., Kumar, P., Gupta, B. B., Bala, S., Dey, N. eds. 2018. Handbook of Research on
Network Forensics and Analysis Techniques, IGI Global.
[66] Kotsiuba, I., Skarga-Bandurova, I., Giannakoulias, A., Bulda, O., 2019, December. Basic
forensic procedures for cyber crime investigation in smart grid networks. In 2019 IEEE
International Conference on Big Data (Big Data), 4255–4264, IEEE.
[67] Khari, M., Shrivastava, G., Gupta, S., Gupta, R. 2017. Role of Cyber Security in Today’s
SCENARIO. In: Raghavendra Kumar, Prasant Kumar Pattnaik, Priyanka Pandey (eds.) Detecting
and Mitigating Robotic Cyber Security Risks. IGI Global, 177–191.
[68] Raghavan, S., Raghavan, S. V., 2013, November. A study of forensic & analysis tools. In 2013
8th International Workshop on Systematic Approaches to Digital Forensics Engineering
(SADFE), 1–5, IEEE.
[69] White, J., Charlton, W. S., Solodov, A., Tobin, S. J., 2010, July. Applications of X-Ray
Fluorescence and Fission Product Correlations for Nuclear Forensics. In Proceedings of the
51st Annual Meeting for the Institute of Nuclear Materials Management, Baltimore, Maryland,
11–15.
[70] Garfinkel, S., Farrell, P., Roussev, V., Dinolt, G. 2009. Bringing science to digital forensics
with standardized forensic corpora. Digital Investigation, 6, S2–S11.
26 Shefali Arora, Ruchi Mittal, M. P. S. Bhatia
Swati Gupta, Puneet Garg
An insight review on multimedia forensics technology
Abstract: Crime is steadily becoming a principal problem of our society, so it is important to
find ways to counter it; that is the reason the term “multimedia forensics” was introduced.
Multimedia forensics can be characterized as the science of analyzing a digital asset, for some
particular purpose, to extract significant information from it, including the examination of
digital documents. Multimedia forensics provides a way to test digital data from a source, which
may be an authorized image, an order, or any other document used for identification in a forensic
context. Multimedia forensics covers images, video, audio, etc. Multimedia forensic techniques
focus on identifying the source digital device, which may be a mobile phone, digital camera,
etc., with the help of the media; similarly, forensic analysis of the media detects the evidence
of how it was obtained. To prevent false detection, the lens is used together with the
characteristics of dust spots. All results depend on the lens detection, even under heavy
compression and downsampling. Investigation of a crime is a complex process that starts at the
crime scene, continues in the lab for in-depth investigation, and ends in the courtroom, where
the final judgment is made. Investigators need support in all these steps to make their jobs as
effective and efficient as possible. The question then arises as to why multimedia forensics is
required. One answer is to gather the evidence before it is lost or destroyed through the use of
powerful editing tools.
Keywords: digital forensic, multimedia forensic, forensic investigation, cyber forensic,
database forensic, network forensic
1 Introduction
In criminal and civil legal actions, digital evidence helps in countless cases. Digital evidence
plays an especially important role in the investigation of cases. However, both are dependent on
the government and legal agencies. In digital forensics, the process covers collecting the data,
presenting the data, analyzing the results and, in the end, presenting the evidence in court with
the help of digital sources. A multimedia information system manages communication, multimedia
data, images, video, and audio; it also manages text data. The data must be protected from
unauthorized access, so various techniques are used for the investigation, but which technique is
applied to the multimedia data depends only on the crime. Before applying a technique, the user
goes through the various techniques and then discusses the access control policy; after studying
all of this the user is able to decide which machine is suitable for which data; this is the
first step. Then the user finds out the availability of digital libraries that are used as a
helping hand in the investigation; this is the second step of the whole process. The third step
is to find out the security in multimedia communication for securing the data. In the last step
the data is handed over to the national security analysis for monitoring. Multimedia does not
only represent things or our views; it is also information about production and thinking. Because
digital data is easily accessible, inexpensive, and straightforward to work with, verifying it
has become difficult. Images and video can easily be manipulated and processed any number of
times by different users. Digital forensics is a subtype of forensic science. The definition of
digital forensics was given in the first workshop on digital forensics. Digital sensors make it
more complex. Sensors can easily capture every part of reality and transform it into a digital
representation. Multimedia forensics provides a better technique for testing the source of
digital sensor data; it covers audio, video, and image content. Image forensics analyzes an image
by using image processing techniques.

Swati Gupta, Vaish College of Engineering, Rohtak, Haryana, India, e-mail: swati.mangla.555@gmail.com
Puneet Garg, J. C. Bose University of Science and Technology YMCA, Faridabad, Haryana, India,
e-mail: puneetgarg.er@gmail.com
https://doi.org/10.1515/9783110677478-002
2 History
The first digital forensic evidence came in the 1970s and was started by the federal government
(US); real investigation followed in the 1980s, when agents started to use computers in the work
of searching for evidence. The process continued in the 1990s, and researchers started to
identify the problems with the investigation process. In forensics, the scenario becomes more
complex because of the wider use of sensors. Sensors capture pictures and record sounds more
clearly for digital representation. Digital representation gives better results from an
investigation point of view. According to the report of the DFRWS (Digital Forensic Research
Workshop) held in August 2001 in Utica, New York, digital forensics is “The use of scientifically
derived and proven methods towards the presentation, collection, validation, identification,
analysis, interpretation, documentation, and presentation of digital evidence derived from
digital sources to facilitate or further the reconstruction of events found to be criminal or
helping to anticipate unauthorized actions shown to be disruptive to planned operations.”
For the last couple of years, forensics has grown dynamically and brought together researchers
from different communities such as multimedia security, computer forensics, and signal and image
processing. Multimedia forensics gives a tested source of digital sensor data to authenticate an
image and to test the integrity of that image. Multimedia data contains images, audio, and video,
and those images are processed and reconstructed by experts using an image processing system [1].
Because of the availability of multimedia editing tools, falsifying images and videos has become
widespread in the last few years. From the discussion and overview of the previous details, it is
clear that multimedia forensics has become an important and authenticated tool for investigation.
Digital and multimedia forensics proceeds along three strands. According to the Digital Forensic
Research Workshop, three types of communities have a conflict of interest in computer forensics.
The “homegrown” bottom-up approach started in the 1990s, when labs and security researchers got
started. Figure 1 describes the social media investigation for law enforcement.
3 Taxonomy
Analog forensics was used earlier; nowadays it is not used for investigations, as digital
forensics is mainly used; which method is used depends on the crime. The taxonomy of digital
forensics is shown in Fig. 2.
The main aim of digital forensics is to produce legal evidence in court. Digital forensic
evaluation should be controlled and supervised to ensure forensic durability for every step of
the chain [2]. The digital forensic approach represents a clear and true picture of privacy and
protection. Digital evidence plays an important role in civil cases. Digital forensics is also
used to trace and track terrorists. It helps soldiers as well, in the form of electronic devices
[3]. Fig. 3 shows how the process of digital forensics is carried out. The various parts of the
multimedia forensics technology taxonomy are as follows:
3.1 Live forensics
Live forensics is a subfield of digital forensics; it is the process of searching memory in real
time. This technique is used to address the issue of volatile evidence. It is also used in the
enterprise field when the media is not nearby for collecting the data and the investigation is
possible given the amount of data [4]. This technique is used to improve efficiency and obtain
volatile data. It is, however, very difficult to apply to virtual machines, even though
virtualization is booming and its popularity is increasing day by day [5]. It is based on active
connections, processes, fragments, and memories. It is a tool that can be used to collect
intercepts, gather information, and pass the results to the authorities of the relevant member
states that have requested the investigation. Three questions must be answered before the
investigation:
(a) Is live forensic investigation mandatory in this case?
(b) If yes, then what data needs to be collected for the investigation?
(c) How can the data be collected while ensuring its authenticity?
To answer the first question, it is necessary to check whether a live investigation is needed.
To answer the second question, the user needs to find the places or areas from which data is
collected. To answer the third question, an authentic person or machine is required for the
verification, and that person or machine must itself be verified.

Fig. 1: Social media investigation for law enforcement. (Diagram elements: source, possibly
untraceable; original; forgery; publications in web platforms; altered and resaved versions;
forensic analysis.)
Fig. 2: Taxonomy of digital forensics. (Digital forensics branches into multimedia forensics,
live forensics, network forensics, mobile forensics, database forensics, and cyber forensics.)
Fig. 3: Investigation process of digital forensics. (Diagram elements: possession; recognition;
physical context; logical context; legal context; evaluation; admission as evidence.)
3.2 Database forensics
Database forensics is another subfield of digital forensics. It is the forensic study of
databases and their metadata. It is not based upon database recovery. The main aim of this
technique is to rebuild metadata from the failed database. The following database scenarios
call for investigation:
(i) Failure of a database
(ii) Deletion of information from the database
(iii) Inconsistencies of the data in the database
(iv) Detection of suspicious behavior of users
Experts generally use read-only methods when interacting with the data so that the data is not
compromised. Database forensics methodologies are shown in Fig. 4; the reconstruction process is
followed only when the expert wants some very essential information from the database. There are
two research areas:
(a) Reactive approach
(b) Proactive approach
3.3 Network forensics
Network forensics is also a type of digital forensics, and a new field within it. Network
forensics works on dynamic data. It is a continuous process in which an investigator
continuously analyzes events to find security issues [6]. There are two uses of network traffic.
The first relates to security and the second relates to law enforcement. The first involves
monitoring the network and finding intrusions; the second involves reassembling the files that
were transferred. In the investigation phase the following rules must be followed:
(a) Identification
(b) Preservation
(c) Collection
(d) Examination
(e) Analysis
(f) Presentation
(g) Decision

Fig. 4: Database forensics methodologies. (Stages shown: investigation preparedness, incident
verification, artifact collection, artifact analysis.)
3.4 Cyber forensics
Computers are machines that form some reality physically. The principle of exchange is applied to
cyber forensics. The evaluation of electronic data is carried out scientifically so that the
information can be used in court as a piece of evidence [7]. Cyber forensics uses the process of
DFS. Many organizations use cyber forensics for investigation purposes, but only when they have
the highest understanding of the standards. The focus of cyber forensics is on three levels:
acquire, authenticate, analyze. Digital forensics has always been a domain of law enforcement.
Digital forensics includes the examination of devices and of data from a computing device. It
describes the use of scientific techniques to obtain useful results and the truth about the
crime with the help of computers [7].
(a) It works as an important tool in the real world for uncovering crime.
(b) It helps to uncover the crime starting from the central issue.
(c) Memory forensics and network forensics also come under this type of forensics.
3.5 Mobile forensics
The mobile device resides between three modes: IoT, cloud computing, and big data. The main aim
is to retrieve digital evidence or related data from a mobile device. Mobile forensics needs to
fix exact rules for analyzing and presenting digital evidence from the device. Mobile forensics
examines a mobile phone's internal memory and communication capability [6]. Fig. 5 shows the
mobile forensic classifications with the help of a pyramid. There are two problems in the mobile
forensics process: (i) lock activation and (ii) network connection. Mobile forensics has features
such as being more invasive, requiring more training, having longer analysis times, and being
more technical.

Fig. 5: Mobile forensics classification. (Pyramid levels, top to bottom: micro read; chip-off;
hex dump / JTAG; logical extraction; manual extraction.)
3.6 Multimedia forensics
Multimedia forensics is an important class of digital data. When media is so heavily present in
daily life, it is not easy to hide anything from multimedia. Because of the enhancement of
multimedia technology, people enjoy it and spread their thoughts over the world. But with the
benefits come some drawbacks: anybody can easily manipulate voice, images, and video, so it
becomes a complex hurdle in the investigation process for the investigation group. Multimedia
forensics has been seen since mid 2001. For the last few years, its usage has been increasing
briskly. In digital media, the first step is seizure. Multimedia forensics technology is helpful
in daily communication and for interaction or sharing content [7]. This type of forensics also
covers digital image and digital audio/video forensics; mobile devices come under this type of
technique. It is not about analyzing the interpretation of digital media content. Like cyber
forensics, multimedia forensics depends on digital evidence. Multimedia forensics is growing day
by day and brings together researchers from different fields such as security, imaging, and
signal processing [8]. There are two approaches to multimedia forensics: (a) manipulation
detection and (b) identification, considered separately. These methods are used to investigate
things with authenticity. Multimedia forensics involves two approaches, (i) the passive approach
and (ii) the active approach, as shown in Fig. 6. The passive approach covers video, image, and
audio data, and the active approach covers the techniques of digital fingerprinting and digital
watermarking. There are many ways to divulge multimedia. In multimedia forensics it is assumed
that the investigator does not know how to deduce productively, and the technique is called
“blind” [9]; the main focus is on two main sources:
– Attributes of the acquisition device, which can be analyzed for their quality or uniformity.
– Artifacts of previous processing operations, which can be discovered in manipulation detection.

Fig. 6: Multimedia forensics approach. (Passive approach: video, image, audio. Active approach:
digital fingerprint, digital watermark.)
4 Applications
Various applications of multimedia forensics technologies are as follows:
4.1 Prototype multimedia systems and platforms
A prototype multimedia system works for multimedia forensics. It is also called multimedia on the
information superhighway, and it may be characterized as promising to create a new industry. The
term has been popular since 1990 to refer to the digital communication system and the internet
telecommunication network. Multimedia technology sits at the center of this highway; so far it
can only walk, yet it is being pushed to open the channel to an information paradise. At present,
programs are broadcast on TV and the schedule is fixed in advance.
4.2 Home
Multimedia forensics is a helpful technique in homes for video on demand, interactive TV, online
shopping, remote home care, electronic albums, etc. All of these are helpful in multimedia
forensics and are also beneficial for the home. Multimedia forensics also helps in our daily life.
(i) Video-on-demand: Video on demand requires subscriber lines: viewers receive the video
through these communication lines and use the telephone to request a program or video on
the TV. In this way teleshopping, tele-traveling, and tele-education can be established.
Some years ago optical fiber links were used for communication, but now digital subscriber
lines are used for data transmission.
(ii) Interactive TV: These TV services are attached to data services. The main goal of
interactive TV is to provide an attractive experience to the viewer. It is an approach to TV
advertising and programming that allows the viewers to communicate with the advertisers and
the executives of the program. It is a two-way cable channel that permits a user to interact
and to send feedback in the form of commands. The set-top box is part of an interactive
television and can be used by the user to select programs.
(iii) Home shopping: It is also known as e-shopping. Privacy remains the same, and it allows a
customer to purchase goods. The home delivery channels are television, phone, and internet.
Online shopping plays an important role in home shopping in today's life. In the online
shopping concept, products can be delivered directly to the customer's address. It saves
physical energy, time, and the cost of travelling. However, in this type of shopping
bargaining is not possible and a fixed-price system is followed. But if the user compares
prices, money can be saved. Home shopping is much better than physical shopping: it is
convenient for the customer, offers a variety of items, makes comparison simple, and allows
online tracking; however, bargaining is impossible and the quality of the item cannot be
judged.
(iv) Remote home care: It is also known as remote medical care. It is a telemedicine service.
With this technique patients can be monitored and treated remotely. The service is performed
at the patient's home. It is made possible by mobile devices: the results are transmitted to
the remote medical care provider, who uses them to analyze and detect the symptoms and start
to treat the patient. The benefits of home care are quick recovery and a reduction of the
pain level. The main benefit for patients is that they feel comfortable in the familiar
environment, so that the recovery speed increases.
(v) Electronic album: It is music that uses electronic instruments and digital music–based
technology. A sound can be produced by any musical instrument, provided it is electronic.
These instruments are also known as electromechanical because they use some mechanical
device to produce a sound, like loudspeakers, power amplifiers, and pickups. Demand for it is
increasing step by step and the technology keeps developing; in the nineteenth century the
instruments were huge, whereas these days their size has decreased and they have become
better.
(vi) Personalized electronic journal: Electronic journals will change the future of research in
both their function and their result. For example, browsing and searching are far better
than in the print environment. Personalized means that, by customizing the user interface,
things are provided according to the need of the user. For this it is necessary to give
personal details to maintain the record. Personalization implies collecting the user's data;
portals such as Yahoo and Gmail are built for this. In the personalized e-journal, it is
mandatory to fill in the required details in the form, and only then can the user access the
journal.
4.3 Education and training
Nowadays multimedia plays an important role in education: it helps in distance learning, CAI, and
the encyclopedia of multimedia, and is helpful in interactive training, because communication is
especially useful for collecting information.
(i) Computer-aided instruction: Computer-aided instruction has become important because with it
every program becomes easy and fast in every field. The course is recorded by the server and
correlated daily with the content. This technology is based on hypermedia and hypertext
mechanisms. This technique evaluates how humans learn from multimedia.
(ii) Distance and interactive training: It is a medium of course delivery. Distance education is
an instructional delivery method for students at different locations; the student and the
instructor are in different places. Communication is established when a student needs some
data, and video and audio data become the bridge that fills this gap. In this form of
learning, students attend the class but not on the main campus. This technique minimizes the
limitations of the classroom approach. The classroom comes to the student rather than the
student coming to the classroom. This type of study is also known as an offline study or
classroom.
(iii) Encyclopedia of multimedia: It is also known as a book of multimedia because it contains
both multimedia and an encyclopedia. It contains the details of the related topic. It
contains a brief description of multimedia, so it is known as the encyclopedia of
multimedia.
(iv) Interactive training on the web: All online courses come under this technique. It is helpful
when the user cannot travel to attend some of the courses or training; the user then uses
this mode, which is known as online training because students can put their questions to the
teacher and communication is easily established through the web. In interactive training
both learner and tutor are online at the same time and can communicate with each other. This
is different from distance learning, where both may not be online at the same time; in
interactive learning both must be online at the same time.
4.4 Operations
Multimedia helps in some basic operations such as online monitoring, air traffic control,
CAD/CAM, process control, command and control, and multimedia security control. The methods of
applying these are given below:
(i) Command and control: It is the combination of organizational and technical attributes and
information resources that are used to solve the problem. Here a political authority commands
by passing a law to bring about a behavior and uses enforcement machinery to make people
comply with the standards. Command and control is cost-ineffective, inflexible, and has
limited efficiency [10].
(ii) Process control: It is a continuous process of production in the field of engineering.
Process control technology allows manufacturers to run operations within limits, to get the
maximum profit and better quality with safety. It is seen in five steps: (i) standard
establishment, (ii) performance measurement, (iii) comparison of actual performance with the
standards, (iv) determining the reasons for deviations of the result, and (v) taking the
correct action as required.
(iii) CAD/CAM: In the analysis of 3D documentation, CAD is used to scan the photography. CAD
technology is used for identification and confirmation [11]. Advantages: it supports law
enforcement, produces scaled diagrams used in court, integrates seamlessly, creates
digitized data for the investigation, and makes rotation of the object possible [12–14].
(iv) Air traffic control: The air traffic control system must provide the capability to schedule
travel between airports, including landing and take-off times. To manage everything, a center
is created by the committee, and from the center everything is monitored from source to
destination [15]. Airport control towers handle the responsibility for take-offs, handling,
and movement at an airport, so that if a plane crashes for any reason the managing team can
easily find the reason.
(v) Online monitoring: Online monitoring and analysis requires developing an open-source
architecture known as All Packet Monitor (AMON). It combines a high-performance packet
monitor with readily portable basic hardware. AMON monitors all the packets travelling in the
traffic, then processes them by fast hashing and computes its output in real time. AMON has
been deployed on web traffic. It is extensible and permits the addition of filter modules for
real forensics [14]. It is clear to all that the internet is the biggest resource for
business and society.
(vi) Multimedia security systems: Multimedia encryption is the method applied to digital
multimedia to ensure the confidentiality of the media content, to prevent unauthorized
access, and to give access rights to authorized users; all of this is done for security [16].
4.5 Public
Multimedia provides benefits in digital libraries, electronic museums, and networked system
processing, as described in detail here. The demand for multimedia increases day by day [17].
(i) Digital libraries: It is difficult to collect evidence against cyber crime. Copying the
complete hard disk is neither a solution nor easy. Secrecy is the main part of the
investigation process. The problem is how to collect the information without the investigator
learning about other, irrelevant data, while the server administrator does not know what the
investigator is searching for [18]. To resolve the problem of secrecy, different methods are
used that encrypt the data [19, 20]. While the schemes are theoretical, efficiency is a
concern. Data integrity and authenticity are not addressed; re-encryption is required for the
investigator. The investigator does not have any right to access the data, so the solution
is to ask the administrator to retrieve the information.
(ii) Electronic museums: There are a variety of places to work in the investigation of crime.
Forensic teams work with the police, with security staff in financial institutions, and with
IT companies that specialize in security services. With the help of the investigating team,
the analyst tries to search for the evidence of a crime.
(iii) Networked systems: Intelligent banking provides a cost-effective and better solution for
rural areas. The main purpose of the ATM is to collect cash and checks for processing. But
many services cannot be provided by the ATM. Network systems help in medicine, banking,
shopping, and tourism.
4.6 Business office
Nowadays everyone who runs a business wants to manage and operate it in a better way; multimedia
plays an important role in this, as explained in detail below:
(i) Executive information systems: It is an executive support system; it also provides easy
access to information that may be internal or external. There are different types of
information systems: (i) knowledge management, (ii) transaction processing system,
(iii) learning management system, (iv) decision support system, (v) DBMS, and (vi) office
information system. It provides real-time representative information for high-level
management. Components of an information system: hardware, software, telecommunication,
database, human resources. It is a particularly important and workable resource for
executives.
(ii) Remote consulting systems: It is used when complete, meaning full written, permission is
not required to do some work. It works for the following situations: (a) when a consultant
advises someone on improvement; (b) when somebody wants to change the management and is not
interested in interference from others; (c) when the hiring process is ongoing.
(iii) Video conferencing: It is visual communication between two or more users who are all at
different locations. Video conferencing is of various types: telepresence, desktop, etc.
This technology is successful only with multimedia devices.
(iv) Multimedia mail: If the mail contains data other than text, it is called multimedia mail.
Such mail is handled with a standard known as MIME (Multimedia Internet Mail Extension),
the extension used to define the different types of mail. MIME has various kinds of
encoding; however, it generally uses base64, which is an encoding for binary files.
(v) Multimedia document: A multimedia document contains files in the form of text or images.
This type of document is in digital form and contains both verbal and pictorial data. It
brings advantages in different areas such as education, accounting, business, gaming, the
arts, and so on.
(vi) Advertising: It is the medium that reaches the customer of a product or service;
advertisements are messages paid for by those who send them. With the help of multimedia,
advertising becomes easy, as does selling, purchasing, or keeping our records, so multimedia
plays a significant part in advertising.
(vii) Collaborative work: It resembles partnership working, in which at least two organizations
or individuals cooperate. There are various types of collaborative working: (i) separate
organizations working jointly; (ii) two organizations working together within small areas;
(iii) a new organization working jointly because it needs a better start and knowledge;
(iv) a parent organization having several subgroups. Collaborative work is required for
growing the business or organization quickly. Collaborative working may last for the life of
the business or be governed by a proper agreement.
(viii) Electronic publishing: Electronic publishing is a technique used by publishers to publish
books and articles; the resulting format is called an e-book or e-paper. This kind of
publishing is a new arm of publishing houses. It is like desktop publishing. It is also
known as e-publishing. It has reduced the cost of publishing.
4.7 Visual information systems
This approach tries to handle our responsibilities with the help of some innovative ideas; Fig. 7
shows how to manage critical situations and control the information without difficulty. The main
aim of this technology is management, which may be of any type: workload management, warehouse
inventory control management, government HRM, legal case tracking, and caseload management [21].

Fig. 7: Distribution of visual information system. (Diagram elements: meta database; image
database; video database; text database; image + text database; clients 1 to 4.)
5 Technology
Numerous technologies are used in multimedia forensic investigation, as described
below:
5.1 Tamper detection via cryptographic hash function
The cryptographic hash function is a tool, and tamper detection is a technique,
used to support the secure delivery of contents after investigation. In tamper
detection two basic approaches are used:
(i) Online processing: Transactions are run and hash values are digitally
endorsed, followed by validation, in which the hash values are evaluated again
and compared with those previously endorsed. These two execution phases
together constitute the normal processing phase, as opposed to the forensic
analysis phase [22].
(ii) Audit log validation: An audit log is a log file, maintained by the database,
in which all the activities of users are stored. Initially, the audit log is
maintained in the background by a specified relation kept as a transaction-time
table. It follows some standards for data security. Figure 8(a) and (b) focus on
the techniques of tamper detection via a cryptographic hash function. A survey
report found that 70% of intruders are internal users or DBAs who tampered
with data [23].
[Figure 8(a) labels: Bank Application; DBMS; Audit Log; Database; Digital Notarizer service]
Fig. 8(a): Normal operation.
[Figure 8(b) labels: Validator; DBMS; Audit Log; Database; Digital Notarizer service]
Fig. 8(b): Audit log operation.
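The two phases described in Section 5.1, normal operation with endorsed hash values and later validation of the audit log, can be sketched as follows. This is an added Python example, not code from the chapter: the hash chain, the checkpoint interval, the in-memory `Notarizer` standing in for the digital notarizer service of Fig. 8, and the sample bank transactions are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain seed (assumption for this example)

# Constructed sample rows, as a bank application might write them.
SAMPLE_TXNS = [
    {"txn": 1, "user": "alice", "action": "deposit", "amount": 100},
    {"txn": 2, "user": "bob", "action": "withdraw", "amount": 40},
    {"txn": 3, "user": "carol", "action": "transfer", "amount": 250},
    {"txn": 4, "user": "alice", "action": "withdraw", "amount": 60},
]


def chain_hash(prev_hash, record):
    """SHA-256 over the previous chain value plus a canonical form of the row."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class Notarizer:
    """Hypothetical stand-in for the external notarizer: it keeps its own copy
    of every digest, outside the reach of database users and the DBA."""

    def __init__(self):
        self._digests = {}

    def notarize(self, digest):
        notary_id = len(self._digests) + 1
        self._digests[notary_id] = digest
        return notary_id

    def check(self, notary_id, digest):
        stored = self._digests.get(notary_id)
        return stored is not None and hmac.compare_digest(stored, digest)


class AuditLog:
    """Normal operation: append rows, notarize the chain head every `every` rows."""

    def __init__(self, notarizer, every=2):
        self.rows = []        # stored in the database, so an insider can edit it
        self.notary_ids = {}  # row count at checkpoint -> notary id
        self._notarizer = notarizer
        self._every = every
        self._head = GENESIS

    def append(self, record):
        self.rows.append(dict(record))
        self._head = chain_hash(self._head, record)
        if len(self.rows) % self._every == 0:
            self.notary_ids[len(self.rows)] = self._notarizer.notarize(self._head)


def validate(log, notarizer):
    """Validator: recompute the chain from the stored rows and compare each
    checkpoint with the notarized digest. Returns None if every checkpoint
    matches, else the row count of the first checkpoint that fails."""
    head = GENESIS
    for count, record in enumerate(log.rows, start=1):
        head = chain_hash(head, record)
        notary_id = log.notary_ids.get(count)
        if notary_id is not None and not notarizer.check(notary_id, head):
            return count
    # Rows deleted from the tail leave checkpoints that can no longer be reached.
    missing = [c for c in log.notary_ids if c > len(log.rows)]
    return min(missing) if missing else None


def demo():
    notary = Notarizer()
    log = AuditLog(notary, every=2)
    for txn in SAMPLE_TXNS:
        log.append(txn)
    clean = validate(log, notary)
    log.rows[2]["amount"] = 9000  # insider rewrites the third row after the fact
    tampered = validate(log, notary)
    return clean, tampered


if __name__ == "__main__":
    print(demo())
```

A failed checkpoint bounds the tampering to the rows since the last good checkpoint rather than naming the exact row, and rows appended after the latest checkpoint are not covered until the next notarization.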
penis showed the same disorder of sensibility. There was a zone of
hypesthesia on the right side of the thorax in the region of the lower
ribs. The patient compared his sensations while at rest and without
contact to a sensation of painful pressure occurring intermittently, or
rather in paroxysms, not advancing beyond the median line of the
back. Here was a question of Brown-Séquard syndrome, probably
due to a slight hematomyelia, but associated with no external lesion
or any injury to the vertebral column.
Re Brown-Séquard’s syndrome, see Athanassio-Benisty with
respect to spinal cord symptoms associated with lesions of the
brachial plexus. It appears that the combination of spinal cord and
brachial plexus injury is not uncommon. Note in this case that a
bullet was found in the left scapula region. According to Ballet, this
bullet could have had nothing to do with a spinal lesion.
Violence to back: Dysbasia. Antebellum injury.
Case 397. (Smyly, April, 1917.)
A man (also injured in 1906 by the fall of a heavy weight on his
back) went to France in 1914 as a soldier, and eight months later
was hurled into a shell hole so that his back struck the edge. He was
rendered unconscious. Upon recovery of consciousness, the right leg
was found to be swollen, and there were severe pains in the legs
and back.
Upon return home the patient went from one hospital to another,
for the most part unable to walk, suffering from agonizing pain in
head and eyes. Insomnia and waking dreams.
He was able to bring himself to an upright position and to rush a
few steps. He has now acquired considerable control of the feet by
the aid of crutches. Insomnia persisted.
Dysbasia: Psychogenic (cerebellar nucleus (?))
Case 398. (Cassirer, February, 1916.)
On March 9, 1915, a shell wounded a man slightly, and burned off
some of the hair of his head. He was unconscious two days, and on
waking vomited for a time. Shortly after the injury difficulties in
standing and walking set in, with headache, noises in the left ear,
difficulty in the intake of ideas, excitability, and poor memory. Then,
slight improvement. About the middle of June he was no longer
closely confined to bed and could take a few steps with two canes;
but the gait was still unsteady and the left leg tended to make
abnormal-looking movements. There was nystagmus, rapid, though
constant, on looking to the left,—more in the left eye; and
nystagmus on looking to the right,—more in the right eye.
Adiadochokinesis absent. Vestibular nerve somewhat excitable.
Deviation outward in finger-pointing test.
According to Cassirer, this case is one largely of psychogenic
origin, with possibly an organic cerebellar nucleus. The knee-jerks
absent (even up to March 31). W. R. negative.
Shell-shock; unconsciousness: Dysbasia, in part hysterical, in
part organic (?).
Case 399. (Hurst, May, 1915.)
A private, 29, was knocked over by a shell explosion December,
1914. He was unconscious two days, found that he could not move
either right arm or left leg, got some power back shortly, but, if he
tried to stand, experienced involuntary violent movements in the left
leg.
April 1, 1915, response to questions was slow and speech slow.
The right arm and grip were weak. If the left hand was clenched,
there was an associated movement of the right hand; but on
clenching the right hand, no associated movement was produced in
the left. The musculature was equal on the two sides, and the
tendon reflexes of the arms were brisk and equal. Light tactile
stimuli were hard to localize. Movements of the left leg were
somewhat weak, though the musculature was equal on the two
sides. The knee-jerks were brisk, the left slightly brisker. Sometimes
a well-marked ankle clonus could be obtained on the left side, but
sometimes not. The plantar reflex was constantly flexor. Babinski’s
second sign (combined flexion of thigh and pelvis) was well marked
on the left side.
On attempts to walk, the left leg would move rapidly from side to
side, round the point of contact of toes with ground. When a step
forward was taken with the right leg, the left one dragged, and
made irregular movements.
This gait seemed obviously hysterical. The patient was kept in
hospital for a month. He was very easily hypnotizable, but even in
deep hypnosis leg movements could not be controlled when he was
told to walk. The first whiff of ether hypnotized but did not cure him.
On the whole, upon review, Hurst believes that there may have
been organic brain changes, which (a) the associated movement of
the paralyzed hand when the normal hand was contracting, (b) the
slightly increased left knee-jerk, (c) tendency to ankle-clonus, and
(d) Babinski’s second sign, may show.
Peculiar walking tic.
Case 400. (Chavigny, April, 1917.)
A soldier was found with a peculiar walking tic. He would rest a
good deal longer on the left leg than on the right. He would make a
sudden movement of the right leg forward, as if on a spring. At the
same time, the man’s head would give a violent movement to the
right just as the right leg was receiving the weight of the body. The
idea of this movement seemed to be that the center of gravity would
be shifted and the work of the right leg would be relieved. This
peculiar walk was naturally very slow. If the walk was slowed down,
it became quite normal. There was no pain at the basis of this walk.
If the man hopped, he hopped no more painfully on the right leg,
nor with greater difficulty, than upon the left.
This man was guilty of desertion in the face of the enemy, and of
desertion in the interior in time of war. He said he could not walk
well and that he needed to take care of himself at his mother’s
house, as he was not considered sick in his regiment. He had been
wounded with two bullets, September 28, 1914, which struck him on
the internal aspects of the knees. He was treated in hospital from
October to the end of November, 1914; was held at the dépôt of his
regiment from December to August, 1915. He was then put in
hospital a month, and returned to his dépôt for three more months.
He was examined by three physicians in August, 1915, and the
commission decided that he was fit for service, and a simulator.
Thorough examination, including electrical and X-ray
examinations, showed no lesion. Chavigny observed the patient for a
long time, from the 21st of November, 1916, to January 5, 1917.
Shells dropped near the hospital, December 2, and, following orders,
the patients were taken into a vaulted cellar, and they ran thither
very rapidly; but this patient could not hurry. He walked slowly, with
the same tic. Surely the tic would be rather a difficult one to
imagine, and a somewhat more probable set of symptoms would
ordinarily be chosen. The man has not the unstable nature of the
ordinary victim of tic. On the contrary, he has rather the invincible
obstinacy of a hysterotraumatic. On being shown that he could walk
properly without these “para” movements, he would reply, “I can’t
do anything else,” and he shook his head upon being told that he
could be cured.
Reëducation of his anesthetic areas (there was a zone of
diminution in sensibility to pin-prick in the knee region, and a
complete anesthesia of the sole of the foot, with abolition of the
plantar reflex), reëducation by appropriate gymnastics, and mental
reëducation, might be attempted in a special neurological hospital.
Re disorders of gait, Laignel-Lavastine and Courbon divide
functional gait disorders into three groups: (a) A group called
dynamogenic; (b) an inhibitory group; and (c) a group showing both
forms of disorder.
Roussy and Lhermitte have attempted to divide the gait disorders
into two groups: (a) A group termed by them basophobic, in which
there is a marked psychogenic and emotional basis; and (b) a
dysbasic group, the basis of which is suggestion rather than
emotion. Following is a skeleton of their classification:
1. Astasia-abasia and dysbasia group.
Astasia-abasia.
Pseudo tabetic dysbasia.
Pseudo polyneuritic dysbasia.
Tight-rope walker’s gait.
Scrubber’s gait.
Choreiform dysbasia.
Knock-kneed gait.
Walking as if on sticky surface.
Bather’s gait.
2. Stasobasophobia group.
3. Habit limping.
Mine explosion; unconsciousness: Camptocormia. Hospital
rounder twenty months (bedfast five months) without complete
neurological examination. Cure by persuasive electrotherapy in
one hour.
Case 401. (Marie, Meige, Béhagne, February, 1917; Souques and
Mégevand, February, 1917.)
A man became a hospital rounder to all points of the compass in
France during a period of twenty months, with such diagnoses as
myelopathic disorder, complex spinal trouble, ataxic phenomena.
As a matter of fact he was a camptocormic: trunk bent, knees
semi-flexed, legs in external rotation. He used two canes in
locomotion, made a bowing movement with each 20 cm. step, then
another bowing movement, and another little step with the other
foot. Made to lie down, his legs would elongate, the right completely
but the left with some difficulty, the feet going into hyperextension,
with the big toe raised, others flexed; the feet externally rotating,
plantae turned in. In horizontal decubitus, there was only slight
lumbar discomfort, but the legs stiffened and gave quick convulsive
jerks. Taking the posture several times in succession would diminish
these phenomena. Kneeling, he could bring his heels within 10 cm.
of the buttock, whereas in spontaneous flexion of the leg on the
thigh, the knee remained a distance of 40 cm. from the buttock.
A complete examination showed no joint disorder or any
diminution in muscular strength, or any reflex disorder except that
all the tendon reflexes were rather powerful. There was a question
of possible X-ray demonstration of lesions and ankylosis of the fourth
and fifth lumbar vertebrae, and there was a question of some
incontinence of urine. On the basis of these phenomena apparently,
this camptocormic patient had been saddled with the diagnosis of
myelopathic and ataxic disorder for a period of 16 months. A
neurologist was at last consulted, and on his advice, it proved
possible to get the patient evacuated to a neurological center in a
period of four months. Facts of this species are unfortunately still too
common, state Marie, Meige and Béhagne, February 1, 1917, despite
the remarkable and rapid cures obtained in camptocormia by
Souques. In point of fact, no complete neurological examination had
been performed upon this man during a period of 20 months.
This particular patient was given to Souques for treatment
(Souques and Mégevand). His cure was completed by persuasive
electrotherapy, in an hour.
It appears that the man was buried in a mine explosion, June 5,
1915, lost consciousness and came to twenty hours later, able to rise
and take a few steps, but bent in two with a sharp dorsolumbar
pain. The pain grew more violent and generalized during the next
few days, and he began to lose all power in his legs, so that he
could walk with the greatest difficulty. He was practically bedfast for
five months. He then tried to rise and walk, but suffered so much
that he could not get up except in a camptocormic position. It was in
fact only January 23, 1917, at the Salpêtrière, that the diagnosis of
camptocormia was made. The man complained of pains at the lower
dorsal and lumbar regions of the spinal column with slight irradiation
sidewise. The following diagnoses had been made:
June 8, 1915. Severe contusion of chest and back.
July 9, 1915. Multiple contusions, commotio spinalis; lesions and
ankylosis of the 4th and 5th lumbar vertebrae (X-ray examination).
Sept. 3, 1916. Lumbar intervertebral arthritis with compression of
roots.
Nov. 4, 1916. Myelopathic disorder.
Dec. 5, 1916. Old complex spinal disorder.


Cyber Crime And Forensic Computing Modern Principles Practices And Algorithms Gulshan Shrivastava

  • 5. Gulshan Shrivastava, Deepak Gupta, Kavita Sharma (Eds.) Cyber Crime and Forensic Computing
  • 6. De Gruyter Frontiers in Computational Intelligence Edited by Siddhartha Bhattacharyya Volume 11
  • 7. Cyber Crime and Forensic Computing Modern Principles, Practices, and Algorithms Edited by Gulshan Shrivastava, Deepak Gupta, Kavita Sharma
  • 8. Editors
    Gulshan Shrivastava, Department of Computer Science and Engineering, Sharda University, Greater Noida, U.P., India, gulshanstv@gmail.com
    Deepak Gupta, Department of Computer Science and Engineering, Maharaja Agrasen Institute of Technology, Delhi, India, deepakgupta@mait.ac.in
    Kavita Sharma, Department of Computer Science and Engineering, G.L. Bajaj Institute of Technology & Management, Greater Noida, U.P., India, kavitasharma_06@yahoo.co.in
    ISBN 978-3-11-067737-9
    e-ISBN (PDF) 978-3-11-067747-8
    e-ISBN (EPUB) 978-3-11-067754-6
    ISSN 2512-8868
    Library of Congress Control Number: 2021942528
    Bibliographic information published by the Deutsche Nationalbibliothek: The Deutsche Nationalbibliothek lists this publication in the Deutsche Nationalbibliografie; detailed bibliographic data are available on the Internet at http://dnb.dnb.de.
    © 2021 Walter de Gruyter GmbH, Berlin/Boston
    Cover image: shulz/E+/getty images
    Typesetting: Integra Software Services Pvt. Ltd.
    Printing and binding: CPI books GmbH, Leck
    www.degruyter.com
  • 9. Dedicated to our friends and families for their constant support during the course of this book
  • 11. Contents
    About the editors
    Shefali Arora, Ruchi Mittal, M. P. S. Bhatia: A survey of popular digital forensic tools
    Swati Gupta, Puneet Garg: An insight review on multimedia forensics technology
    Meet Kumari: An overview on advanced multimedia forensic techniques and future direction
    Anand Sharma: Computer forensics and Cyber Crimes: COVID-19 perspective
    Sachil Kumar, Geetika Saxena: Biometric forensic tools for criminal investigation
    K. Hariharan, K. Rajkumar, R. Manikandan, Ambeshwar Kumar, Deepak Gupta: Deep learning for optimization of e-evidence
    N. Sivasankari, R. Shantha Selvakumari: Electronic voting machine security issues and solution protocol by physical unclonable function
    Meenakshi, Puneet Garg, Pranav Shrivastava: Machine learning for mobile malware analysis
    Prashant Kumar, Gaurav Purohit, Pramod Tanwar, Kota Solomon Raju: Mobile platform security: issues and countermeasures
    Pranav Shrivastava, Prerna Agarwal, Kavita Sharma, Puneet Garg: Data leakage detection in Wi-Fi networks
    Index
  • 13. About the editors
    Dr. Gulshan Shrivastava is an Assistant Professor in the Department of Computer Science and Engineering at Sharda University, Greater Noida, Uttar Pradesh (U.P.), India. Prior to his current role, he was associated with Galgotias University and Dronacharya Group of Institutions, Greater Noida, U.P., India. He also visited Datec Ltd., Papua New Guinea (PNG), as a technical trainer and researcher. He received his Ph.D. (CSE) from NIT Patna, his M.Tech. (Information Security) from Guru Gobind Singh Indraprastha University (GGSIPU), Delhi, his MBA (IT & Finance) from I. K. Gujral Punjab Technical University (IKGPTU), and his B.E. (Computer Science & Engineering) from Maharshi Dayanand University (MDU), Rohtak, Haryana. He has also earned numerous international certifications in Security and Machine Learning from Coursera, NPTEL, Sun Microsystems, etc. He holds 5 patents (1 granted, 4 published) and is the editor/author of more than 7 books and the author of more than 10 book chapters and 34 articles and editorials in international journals and conferences of high importance. He is Associate Editor of IJ-ICT (Scopus Indexed); has served as Associate Editor of JGIM (SCIE Indexed) and IJDCF (Scopus Indexed), IGI Global; and is Section Editor of Scalable Computing (SCPE) (Scopus Indexed). He also serves many reputed journals as guest editor, editorial board member, international advisory board member, and reviewer board member. Moreover, Dr. Shrivastava has delivered expert talks and guest lectures at international conferences and serves as a reviewer for journals of IEEE, Springer, Inderscience, etc. He is Convener of ICICC 2021, ICICC 2020, and ICICC-2019; Organizing Chair of 5th IEEE ICCCIS-2021 and ICCIDA-2018; and Publication Chair of MARC-2018. He is a life member of ISTE; a senior member of IEEE; and a professional member of ACM, SIGCOMM, and many professional bodies. He has an ardent inclination toward the field of Data Analytics and Security. His research interests include Information Security, Digital Forensic, Data Analytics, Machine Learning, and Malware Detection and Analysis.
    Dr. Deepak Gupta received a B.Tech. in 2006 from the Guru Gobind Singh Indraprastha University, India. He received an M.E. in 2010 from Delhi Technological University, India, and a Ph.D. in 2017 from Dr. APJ Abdul Kalam Technical University, India. He completed his Post-Doc at Inatel, Brazil. With 13 years of rich expertise in teaching and 2 years in the industry, he focuses on rational and practical learning. He has contributed massive literature in the fields of Intelligent Data Analysis, BioMedical Engineering, Artificial Intelligence, and Soft Computing. He has served as Editor-in-Chief, Guest Editor, and Associate Editor in SCI and various other reputed journals (IEEE, Elsevier, Springer, and Wiley). He has been actively involved in organizing various reputed international conferences. He has authored/edited 50 books with national/international-level publishers (IEEE, Elsevier, Springer, Wiley, Katson). He has published 184 scientific research publications in reputed international journals and conferences, including 96 SCI Indexed Journals of IEEE, Elsevier, Springer, Wiley, and many more.
    https://doi.org/10.1515/9783110677478-203
  • 14. Dr. Kavita Sharma is Associate Professor in the Department of CSE at G. L. Bajaj Institute of Technology and Management, Greater Noida, India. She received her Ph.D. in Computer Engineering from National Institute of Technology, Kurukshetra (Institution of National Importance), India, and her M.Tech. in Information Security from GGSIPU, Delhi, India. She also completed her B.Tech. in IT at UPTU, Lucknow, India. In addition, she was awarded a research fellowship from the Ministry of Electronics and Information Technology, Government of India. She has worked as an Assistant Professor at Dronacharya College of Engineering, Greater Noida, India. She has 4 patents (2 granted and 2 published), has published 6 books, and has published 47 research articles in international journals and conferences of high repute. She has also served as Section Editor of Scalable Computing (SCPE). She also serves many reputed journals as guest editor, as editorial board member, and as a member of international advisory boards. Moreover, Dr. Sharma has delivered expert talks and guest lectures at international conferences and serves as a reviewer for journals of IEEE, Springer, Inderscience, Wiley, etc. She is a Senior Member of IEEE; Professional Member of ACM; Life Member of CSI, ISTE, IAENG, and Institute of Nanotechnology; and Member of SDIWC, Internet Society, IACSIT, CSTA, IAOE, etc. She has actively participated in and organized several international conferences, Faculty Development Programs, and various national and international workshops. Her areas of interest include Information and Cyber Security, Mobile Computing, IoT Security, Data Analytics, and Machine Learning.
Shefali Arora, Ruchi Mittal, M. P. S. Bhatia

A survey of popular digital forensic tools

Abstract: Digital forensics is a process of interpreting electronic or digital data to preserve any kind of evidence. Forensic investigation is done by storing, categorizing, and authenticating information to understand a sequence of events. The objective of acquiring this information is to get empirical evidence against hackers and intruders. For example, in forensics involving operating systems, we can swap pages or scan deleted files to obtain useful information. This chapter reviews the work being done in various domains of digital forensics, highlighting the need for these forensic tools to investigate and interpret evidence. The authors review many open-source forensic tools that can help professionals and experts to perform forensic investigations on data obtained from operating systems, networks, computers, and other devices. This is further highlighted with a case study, which makes use of two forensic tools – Autopsy and Wireshark – to analyze files and network traffic, respectively. Finally, this chapter focuses on future directions and research work being carried out in forensic investigations.

Keywords: tools, Autopsy, investigation, digital forensics, Wireshark, security, network forensics

1 Introduction

Digital forensic investigation is the branch of forensic science that covers the identification, recovery, investigation, validation, and presentation of facts regarding digital evidence found on computers or similar digital storage media devices. Probably the most significant danger facing organizations and enterprises today is cyber-attacks and threats [1]. Such an attack could even be considered an act of cyber terrorism, whose effect can be felt both in terms of cost and human emotion [2].
Whenever something like this happens, two of the most common questions that get asked are: How did it happen? And how can it be prevented from happening again? There are no straightforward answers to this, and depending on the severity of the cyber-attack, it could take weeks or even longer to determine the answers to these two questions.

Shefali Arora, Division of Computer Engineering, Netaji Subhas Institute of Technology, Delhi, India, e-mail: arorashef@gmail.com
Ruchi Mittal, Department of Computer Science, Ganga Institute of Technology and Management, Haryana, India, e-mail: ruchi.mittal138@gmail.com
M. P. S. Bhatia, Division of Computer Engineering, Netaji Subhas Institute of Technology, Delhi, India, e-mail: bhatia.mps@gmail.com
https://doi.org/10.1515/9783110677478-001

1.1 Learn digital forensics

The awareness of digital forensics evolved into building a foundation of knowledge and skills around computer forensics. The main points of focus are email and program forensics, network forensics concepts, and many more [3]. This is where the task of forensics comes into play in today's world. For instance, any remnants of the cyber-attack and any evidence collected at the site should be gathered and investigated [4].

It is important to remember that the field of forensics, particularly as it relates to Information Technology, is very broad and contains many sub-specialties [5]. These include digital forensics, mobile forensics, database forensics, logical access forensics, and so forth, to name just a few. This chapter gives an overview of the field of computer forensics. The focus is mainly on what it is about, its importance, and the general steps that are involved in conducting a computer forensics case [6].

1.2 Definition of digital forensics

The term "forensics" means applying a type of scientific process for the collection, analysis, and presentation of gathered evidence. All evidence is meaningful when a cyber-attack has occurred [7].

When a cyber-attack happens, gathering all relevant evidence is of utmost importance to answer the questions which were raised in the above statement [8].
It is important to remember that the forensics examiner/investigator is particularly interested in a specific piece of evidence, which is referred to explicitly as "latent data." In the cybersecurity world, this kind of data (also known as "ambient data") is not easily seen or accessible upon first look at the scene of a cyber-attack. It takes a much deeper level of investigation by the computer forensics expert to uncover it [9]. This data has many uses; however, access to it is very restricted.

1.3 Need for forensic sciences

The importance of computer forensics to a business or an organization is enormous [10]. For example, there is a common assumption that deploying defensive devices like firewalls and switches is enough to stop any cyber-attack. The security professional knows this is false, given the extremely sophisticated nature of today's cyber attacker. This assumption is also false from the viewpoint of computer forensics. While these pieces of hardware do provide information to a certain degree about what happened in a cyber-attack, they do not have that deeper layer of data needed to give insight into what exactly occurred [11]. This underscores the need for the organization to also implement those security mechanisms (alongside the hardware above) that can provide these pieces of data (examples of this are security devices that use artificial intelligence, machine learning, business analytics, and so on).

Thus, deploying this kind of security model, in which the principles of computer forensics are also adopted, is referred to as "Defense in Depth." With such data, there is a much greater likelihood that the evidence presented will be considered admissible in a court of law, thereby bringing the perpetrators who launched the cyber-attack to justice [12].

Also, by incorporating the principles of "Defense in Depth," the business or organization can readily come into compliance with government legislation and mandates (for example, those of HIPAA and Sarbanes-Oxley). These require that many types and kinds of data (even latent data) be archived and stored for audit purposes. If an entity fails any compliance measures, it can face severe financial penalties [13].

1.4 Expertise in digital forensics

To work as a forensic science technician, a candidate should have, at a minimum, a bachelor's degree in forensic science or a natural science.
Forensic science programs offer different areas of specialization, and digital forensics is one of them. Although bachelor's degree programs are the minimum, many employers prefer individuals who have master's degrees [14, 15].

Students in a forensic science program with a digital forensics emphasis may complete courses in cybersecurity, digital forensic technology and practices, advanced forensics, and critical thinking in cybersecurity, among others. Many colleges and universities offer forensic science programs through distance learning [16].

Most forensic technicians are required to complete on-the-job training before actually beginning their careers. This is where individuals benefit from actual work experience on the job. As important as it is to have a degree in this field, reports suggest that it is probably not enough. In addition, the candidate should have the following skills.
– Analytical skills: The candidate must have the skills needed to analyze and solve a problem.
– Computer/tech skills: Because most digital forensic work is based around computers, the candidate must be familiar with computers, computer programming, and similar fields.
– Knowledge of cybersecurity: Digital or forensic science is all about solving cyber crimes, so it is important that the individual knows not only about solving crimes but also how to prevent them.
– Organizational skills: The forensic technician must be organized both physically and mentally so that he or she can organize data and present it to others.
– Communication skills: The candidate must be able to communicate freely because he or she will most likely be part of a team.
– The desire to learn: Technology continues to evolve, and the digital forensic technician must be willing and able to keep up with training to adapt.

1.5 History of digital forensics

It is difficult to pinpoint when computer forensics began. Most experts agree that the field of computer forensics began to develop more than 30 years ago. The field began in the United States, in large part when law enforcement and military investigators started seeing criminals get technical. Eventually, the fields of information security, which focuses on protecting information and assets, and computer forensics began to intertwine [17].

Over the following decades, and up to today, the field has exploded. Law enforcement and the military continue to have a large presence in the information security and computer forensic field at the local, state, and federal level. Private organizations and businesses have followed suit, employing internal information security and computer forensic professionals or contracting such professionals or firms, depending on the situation.
The private legal industry has seen the need for computer forensic examinations in legal disputes as well, causing an impact in the e-discovery field [18].

The computer forensic field continues to grow daily. More and more large forensic firms, boutique firms, and private investigators are gaining knowledge and experience in the field. Software companies continue to produce newer and more robust forensic software programs [19]. Also, law enforcement and the military continue to identify and train more and more of their personnel in the response to crimes involving technology [20].
2 Objectives of digital forensics

There are many objectives of digital forensics, some of which are the following:
– It helps in postulating the motive behind the crime and the identity of the main culprit.
– Designing procedures at a suspected crime scene helps you to ensure that the evidence obtained is not corrupted.
– To professionalize and advance the science of cyber security, digital and computer forensics, and other areas of forensics.
– To provide a reasonable, sound procedure for verifying the competency of cyber security, digital and computer forensics examiners.
– To set high forensic and ethical standards for cyber security, digital and computer forensics examiners.
– To conduct research and development into new and emerging technologies and methods in the various fields of forensics.
– To provide cyber security, digital and computer forensics education and training programs (formal training, enrolment, courses, workshops, and conferences) that will give members the competency to know about present and developing standards and to ensure cyber security.
– Providing an understanding of the technical skill of attackers and the countermeasures against such malicious attacks helps federal, state, and local governments, the private sector, financial institutions, law enforcement agencies, the judiciary, and individuals in prevention and detection for cyber security.
– To publish articles in the print and electronic media on digital and computer forensics.

3 Types of forensics and related work

Digital forensics needs the following steps:
– Identification
– Preservation
– Analysis
– Documentation
– Presentation

Identification involves finding the presence of evidence, where and how it is stored. Storage could be on mobile phones, PDAs, and computers.
Preservation is the isolation and preservation of data, along with the prevention of tampering with the digital evidence and storage media. This is followed by the reconstruction of data fragments to conclude what has been found.
Here, the investigators reconstruct the pieces of data and draw inferences based on the evidence found. It takes much time to identify the evidence and confirm who is responsible for the crime. Next, a record is created for all the data collected. Proper documentation, together with sketching and crime scene mapping, can help to recreate the crime scene. Finally, the inferences are documented and presented.

Digital forensics is divided into various types:
– Disk forensics: In this type of forensics, data is extracted from storage media by searching for deleted, archived, and modified files. This can help in the identification and collection of evidence.
– Network forensics: In this type of forensics, computer network traffic is monitored and analyzed to collect evidence [21, 22]. This is used for gathering information and evidence and for detecting intruders. Authors describe the OSCAR [23] methodology for network forensics, which is an acronym, where O stands for Obtaining information (getting general data about the incident and the situation it occurred in, including the date and time). The main tasks should be written down, and priority should be assigned. S stands for Strategize, which deals with the planning part. Prioritization should be done once evidence is acquired. This is done by weighing the volatility of sources and their value to the investigation. C stands for Collect Evidence, which involves gathering evidence based on the planning done in the previous stage. D stands for Documentation, as it is necessary to safely guard and log the accesses made to systems as well as the actions taken. The last letter R stands for the report, in which the results of the investigation are conveyed to the client. The report should be understandable even by non-technical people.
– Wireless forensics: This comes under network forensics, and it aims to make use of tools to capture and analyze information and traffic from wireless networks [24].
– Database forensics: It concerns the research and analysis of databases and their related metadata.
– Email forensics: It involves the recovery of emails, including the deleted ones from the inbox, contacts [25], etc. With the growth in e-commerce and digitalization, it is essential to protect ourselves from fraudulent emails. Emails have become a primary means of communication among people. Thus, it is essential to have email forensics to analyze what is going on. The different types of crimes in emails are as follows:
  – Phishing [26]: It is an attempt to obtain an individual's information, such as usernames and passwords, by disguising oneself as a trustworthy identity. Emails usually contain links that can redirect a user to a suspicious website. Thus, the redirection of traffic serves the malicious intent of stealing a user's sensitive data.
  – Pharming: Done using counterfeit emails that redirect the receiver to anonymous websites.
  – Spoofing: In this, the user gets a mail, and he/she believes it is from a reliable source. But it is from an unknown user who uses a forged address to mail the user.
– Memory forensics: It works by gathering information from system memory (system registers, cache, RAM) so that a raw dump can be used to analyze the data [27]. This sort of examination comes in handy when the intruder does not write data to non-volatile storage of the system during the attack, as it can help to recover encryption keys for hard drives and network connections. It can also help to trace previous network connections in parts of memory that are free but not overwritten or check if network interfaces are being used in promiscuous mode. Thus, it is an essential branch of digital forensics, complementing other methods such as network forensics [26]. Figure 1 shows the different kinds of forensic techniques available today.

[Fig. 1: Categories of forensics: system forensics, digital forensics, cyber forensics, enterprise forensics, e-mail forensics, data forensics, web forensics, network forensics, computer forensics, proactive forensics.]

– Mobile phone forensics: It mostly deals with the examination and analysis of mobile phones [27]. Using this, we can get hold of contacts, call logs, sent messages, recordings, and so on. Mobile phone forensics is a branch of digital forensics that helps to collect digital data from a mobile device under forensically sound conditions. "Mobile" can refer to other devices too, for example, workstations and tablets. Mobile phone forensics can be challenging for several reasons: It may be hard to isolate a device from the network. Most mobile phones can connect using GSM, Bluetooth, and so forth. They may reconnect dynamically if primary connectivity fails. Batteries may be non-removable, or encryption may lead to difficulties in acquiring data. Standard interface devices, for example, a keyboard or screen, may not be available. Thus, a wide variety of tools is needed to extract data from mobile phones.
– Cloud forensics: Cloud forensics includes the use of digital forensics with cloud computing [28]. Thus, various tools can be used to investigate crimes committed over the cloud. As data is spread between various data centers to ease load-balancing and scalability issues, data needs to be indexed efficiently. This would help to prevent duplication and improve performance. Thus, examination becomes easier as pieces of evidence left by attackers are difficult to destroy [29].
– Cyber forensics: It involves the analysis of any kind of crime committed over the internet. Cyber crimes can be committed against a person or property. They can also be committed against a government. Thus, cyber forensics helps to counteract any such activities.
– Operating system forensics: An OS is present in all computers as well as handheld devices. Thus, it is essential to have tools that can monitor any kind of activity going on [30]. This ensures that no malicious acts take place and, thus, no data is lost.

Nowadays, digital evidence is required to trace any kind of illegal activities like phishing, espionage, and illegal downloads. Various tools [31–35] are being used to equip IT systems with the ability to trace the footsteps of intruders.
Security measures applied to computers as well as handheld devices can help to protect against cyber-attacks [36]. Autopsy [37] is one of the software tools used by law firms and the military to gather digital evidence against any attack. It has a GUI named Sleuth Kit, a Unix and Windows library for forensic investigation. Investigation becomes more convenient as the results of the analysis and examination are displayed on the GUI. Autopsy is commonly used when multiple files and machines are being worked upon, and a central location is used for storing data. Software like SQL can be further used for accessing such stored information. The integrity of evidence can be maintained by performing hashing. It is available free of cost and has a simple GUI to operate. The use of the MD5 hash function for each file makes sure that the integrity of evidence is maintained [38]. This would also make search faster on the disk. While data can be previewed dynamically, recovered files can also be deleted.

Networks become more complicated with time, and many attacks become active to take data and seize machines. In the case of network forensics [65], it is essential to capture packets across the network. Therefore, tools like Wireshark come in handy. Wireshark helps to capture such packets and analyze them so that any attack can be detected. It plays an essential role in network forensics. It can monitor the IP and MAC addresses across the network. TShark is the GUI of Wireshark used to see the caught packets. It has become a popular sniffing tool [31]. Sometimes, investigators are unable to find relevant data when undercover investigations are going on. Section 4 describes some other popular forensic tools commonly used by forensic experts in investigations [61, 62].

4 Popular forensic tools used for investigations

4.1 X-ways forensics [34]

It is an advanced platform for digital forensics examiners. It runs on all available versions of Windows. It claims not to be very resource hungry and to work efficiently. Its key features are the ability to read file system structures inside various image files, automatic detection of deleted or lost hard disk partitions, various data recovery techniques, powerful file carving, data authenticity, memory and RAM analysis, and more [63].

4.2 Library recon [39]

It is a well-known registry analysis tool. It extracts the registry data from the evidence and then rebuilds the registry representation. It can rebuild registries from both current and previous Windows installations.

4.3 The sleuth kit (Autopsy) [40]

It is a Unix- and Windows-based tool which helps in the forensic analysis of computers. It comes with various tools that help in forensics. These tools help in analyzing disk images, performing in-depth analysis of file systems, and various other things. Autopsy is an easy-to-use, GUI-based program that allows us to analyze hard drives and PDAs efficiently. It has a plug-in architecture that lets us find add-on modules or develop custom modules in Java or Python.
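The per-file hashing described above for Autopsy can be shown in a short sketch. This is an added example, not Autopsy's code or code from the chapter: it records an MD5 and a SHA-256 digest for every file in an evidence folder, groups identical files through the MD5 index, and later reports files that were modified, removed, or added. The folder layout, file names, and function names are assumptions made for the illustration; SHA-256 is stored next to MD5 because MD5 alone is not collision-resistant.

```python
import hashlib
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """Return (md5_hex, sha256_hex); chunked reads keep large images out of RAM."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def build_manifest(root):
    """Map every file below root (relative path, '/' separators) to its digests."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def duplicates_by_md5(manifest):
    """Group paths that share an MD5: a hash lookup instead of a byte-by-byte search."""
    index = {}
    for rel, (md5, _sha256) in manifest.items():
        index.setdefault(md5, []).append(rel)
    return sorted(sorted(paths) for paths in index.values() if len(paths) > 1)


def verify(root, manifest):
    """Re-hash the folder and compare it with the manifest taken at acquisition."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest
                           if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }


def _write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed sample: three small files stand in for an evidence folder."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "docs/notes.txt", b"abc")
        _write(root, "docs/copy_of_notes.txt", b"abc")
        _write(root, "img/photo.bin", bytes(range(256)))
        baseline = build_manifest(root)          # taken at acquisition time
        dupes = duplicates_by_md5(baseline)
        # Changes after acquisition that the integrity check has to surface.
        _write(root, "img/photo.bin", bytes(range(255)))
        os.remove(os.path.join(root, "docs", "copy_of_notes.txt"))
        _write(root, "new.txt", b"created after acquisition")
        report = verify(root, baseline)
    return baseline, dupes, report


if __name__ == "__main__":
    baseline, dupes, report = demo()
    for rel, (md5, sha256) in sorted(baseline.items()):
        print(f"{md5}  {sha256[:16]}...  {rel}")
    print("identical files:", dupes)
    print("integrity report:", report)
```
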
4.4 Xplico [41]

Xplico is a network forensics analysis tool, which is software that reconstructs the contents of acquisitions performed with a packet sniffer (for example, Wireshark, tcpdump, Netsniff-ng). Xplico can extract and reconstruct all the Web pages and contents (images, files, cookies, etc.). It is an open-source network forensic analysis tool. It is basically used to extract useful data from applications that use Internet and network protocols. It supports most of the popular Internet protocols. Output data of the tool is stored in an SQLite database or a MySQL database. It also supports IPv4 and IPv6.

4.5 Volatility framework

This was introduced by the BlackHat and is used for memory analysis and forensics. The Volatility framework introduced people to the power of analyzing the runtime state of a system using the data found in volatile storage (RAM). It also provided a cross-platform, modular, and extensible platform to encourage further work in this area of research. It has become an indispensable digital investigation tool relied upon by law enforcement, military, academia, and commercial investigators throughout the world.

4.6 Coroner's toolkit [42]

This is also a good digital forensic analysis tool. It runs under several Unix-related operating systems. It can be used to aid the analysis of computer disasters and data recovery.

4.7 Oxygen forensic suite [43]

It is good software to gather evidence from a mobile phone to support a case. This tool helps in gathering device information (including manufacturer, OS, IMEI number, serial number) and contacts (messages, SMS, MMS), and in recovering deleted messages, call logs, and calendar information. It also lets you access and analyze mobile phone data and files. It generates easy-to-understand reports for better comprehension.
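Wireshark's monitoring of IP and MAC addresses and Xplico's reading of sniffer acquisitions, both described above, start from the capture file. As an added example (not code from the chapter or from either tool), this sketch parses a classic pcap file built inline from constructed frames, maps each source IP (IPv4 or IPv6) to the MAC addresses that sent it, and stops cleanly at a truncated final record. The addresses are documentation-range and locally administered values, and all function names are assumptions.

```python
import ipaddress
import struct

ETH_IPV4, ETH_IPV6, ETH_ARP = 0x0800, 0x86DD, 0x0806
LINKTYPE_ETHERNET = 1


def parse_pcap(data):
    """Return (frames, truncated) for classic microsecond pcap bytes.

    frames is a list of (ts_sec, frame_bytes); truncated is True when the
    file ends in the middle of a record, as happens with an interrupted capture.
    """
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic microsecond pcap file")
    if struct.unpack_from(endian + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    frames, offset = [], 24
    while offset < len(data):
        if offset + 16 > len(data):
            return frames, True
        ts_sec, _usec, incl_len, _orig_len = struct.unpack_from(
            endian + "IIII", data, offset)
        offset += 16
        if offset + incl_len > len(data):
            return frames, True
        frames.append((ts_sec, data[offset:offset + incl_len]))
        offset += incl_len
    return frames, False


def source_addresses(frame):
    """Return (src_mac, src_ip) for an Ethernet frame carrying IP, else None."""
    if len(frame) < 14:
        return None
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    payload = frame[14:]
    if ethertype == ETH_IPV4 and len(payload) >= 20 and payload[0] >> 4 == 4:
        raw = payload[12:16]          # IPv4 source address field
    elif ethertype == ETH_IPV6 and len(payload) >= 40 and payload[0] >> 4 == 6:
        raw = payload[8:24]           # IPv6 source address field
    else:
        return None
    return src_mac, str(ipaddress.ip_address(raw))


def summarize(data):
    """Map each source IP to the set of MACs seen sending it."""
    frames, truncated = parse_pcap(data)
    macs_by_ip = {}
    for _ts, frame in frames:
        pair = source_addresses(frame)
        if pair:
            macs_by_ip.setdefault(pair[1], set()).add(pair[0])
    multi = sorted(ip for ip, macs in macs_by_ip.items() if len(macs) > 1)
    return {"frames": len(frames), "truncated": truncated,
            "macs_by_ip": macs_by_ip, "ips_with_multiple_macs": multi}


def _eth(src, dst, ethertype, payload):
    to_bytes = lambda mac: bytes.fromhex(mac.replace(":", ""))
    return to_bytes(dst) + to_bytes(src) + struct.pack("!H", ethertype) + payload


def _ipv4(src, dst):
    # Minimal 20-byte header; checksum left at zero because nothing validates it.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)


def _ipv6(src, dst):
    return struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)


def build_sample():
    """Constructed capture: five frames plus one record cut off mid-packet."""
    gw = "02:00:00:00:00:fe"
    frames = [
        _eth("02:00:00:00:00:01", gw, ETH_IPV4, _ipv4("192.0.2.10", "198.51.100.5")),
        _eth("02:00:00:00:00:02", gw, ETH_IPV4, _ipv4("192.0.2.20", "198.51.100.5")),
        _eth("02:00:00:00:00:03", gw, ETH_IPV4, _ipv4("192.0.2.10", "198.51.100.5")),
        _eth("02:00:00:00:00:01", gw, ETH_IPV6, _ipv6("2001:db8::10", "2001:db8::1")),
        _eth("02:00:00:00:00:02", gw, ETH_ARP, b"\x00" * 28),   # not IP, skipped
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    # Record header promising 60 bytes with only 10 present.
    return out + struct.pack("<IIII", 1700000005, 0, 60, 60) + b"\x00" * 10


if __name__ == "__main__":
    print(summarize(build_sample()))
```

An IP address seen from more than one MAC is only a lead for review: address reassignment or a replaced network card produces the same pattern.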
4.8 Mass extractor [44]

It is also an important and popular digital forensics tool. It scans disk images, files, or directories of files to extract useful information. In this process, it ignores the file system structure, so it is faster than other available, similar kinds of tools. It is basically used by intelligence and law enforcement agencies in solving cyber crimes.

4.9 Mandiant redline [45]

It is a popular tool for memory and file analysis. It collects information about running processes on a host and drivers from memory, and gathers other data like metadata, registry data, tasks, services, network information, and internet history to build a proper report.

4.10 PC online forensic evidence extractor (COFEE) [46]

This tool was created for computer forensic experts. It was developed by Microsoft to gather evidence from Windows systems. It can be installed on a USB pen drive or external hard disk. Plug the USB device into the target computer, and it starts a live analysis. It comes with 150 different tools with a GUI-based interface to command the tools. It is fast and can perform the whole analysis in as few as 20 min. To law enforcement agencies, Microsoft offers free technical support for the tool.

4.11 P2 eXplorer [47]

It is a forensic image mounting tool that aims to help investigating officers with the examination of a case. With this tool, you can mount forensic images as a read-only local and physical disk and then explore the contents of the image with file explorer. You can view deleted data and the unallocated space of the image. It can mount several images at a time. It supports most of the image formats, including EnCase, SafeBack, PFR, FTK DD, WinImage, raw images from Linux DD, and VMware images. It supports both logical and physical image types.
4.12 Cellebrite UFED [48]

Its solutions present a unified workflow to allow examiners, investigators, and first responders to collect, protect, and act decisively on mobile data with speed and accuracy – without ever compromising one for the other. The UFED Pro Series is designed for forensic examiners and investigators who require the most comprehensive, up-to-date mobile data extraction and decoding of new data sources. The UFED Field Series is designed to unify workflows across the field and lab, making it possible to view, retrieve, and share mobile data using in-vehicle workstations, PCs, tablets, or a secure, self-service kiosk located at a station.

4.13 XRY [49]

It is the mobile forensics tool created by Micro Systemin. It is used to analyze and recover crucial information from mobile phones. This tool comes with a hardware device and software. It acts as an interface between mobile phones and PCs for the purpose of analysis and extraction of data. It is designed to recover data for forensic analysis.

4.14 HELIX3 [50]

It is the digital forensic suite created for use in incident response. It comes with many open-source digital forensics tools, including hex editors, data carving, and password cracking tools.

This tool can collect data from memory, user accounts, logs, Windows Registry, applications, drivers as well as Internet records.

5 Utilizations for computer forensic tools

After investigating your system, you are going to want to figure out how the intrusion was done so you can prevent it from happening again. If the attacker managed to get past your existing electronic defenses, then there is a loophole or hole in your security shield somewhere [48]. It may not be immediately obvious where this hole is, particularly if the attacker was good at covering their tracks. Forensic tools can help you retrace their digital steps and find the holes so you can patch them up [64].
5.1 Tidying up and rebuilding

You must figure out exactly what the attackers did, so you know how extensive the damage is and can take appropriate action. You do not want to miss any hacked servers or backdoor accounts. Using forensic tools can help you figure out where the bodies are buried, so to speak. If the attacker deleted files, you may be able to recover some of them using forensic tools [51].

5.2 Criminal investigation

If the damage done by an attacker is severe enough, you may want to consider pressing criminal charges. Simple Web defacements or intrusions usually are not worth pursuing because of the high costs involved. However, if your infrastructure or corporate reputation was substantially damaged, then you may want to file criminal charges against your attacker. Your insurance company may require that you file a police report to make a claim. Forensic tools help you identify your attackers so you can report them and provide the evidence to prosecute them [52].

There are a few things you should consider before proceeding down this path. For small damages, you can file a report with your local police department. Be aware that they often do not have the resources to pursue computer crime properly at the local level, and you may end up doing most of the investigative work. You can use the tools described here to help with the effort. Just be careful that you do not contaminate the evidence so that it is not useful in a court of law (see the sidebar on computer forensics). If the damages are large enough or involve a felony (for example, interstate or international commerce), you can take your case to the FBI.
You can find contact information for your local FBI field office in your telephone directory or on the web at www.fbi.gov. If the case involves the violation of federal law or material dollar damages of over $25,000, they will probably take your case. Otherwise, they may refer you to local law authorities. If you can show some involvement with terrorism or interstate fraud, you may get them involved for lesser amounts. Ordinary hacking attacks will probably not be investigated heavily; there are too many incidents reported daily for the FBI to give attention to anything that is not a significant case [53].

When it comes to having criminal charges filed against your attacker, proper forensic analysis becomes even more important. There is a heavy burden of proof in computer criminal cases. Tying a specific act that was performed by a user ID to a specific person is very difficult in a court of law. Typically, prosecutors have to prove that the person was actually at their keyboard using that account while the attack was taking place. Otherwise, there are many defenses available to the accused, for example, "Someone else used my password" or "I was hacked." There is also close attention paid to the chain of custody of any evidence collected [54]. This refers to who has had access to the data and could have changed or altered it along the way. In a case like this, defer to the authorities, who may want to use their own data collection techniques. You may also want to use a third party who does this professionally to assist in your interaction with law enforcement.

5.3 Civil action

If you find that pursuing criminal charges is not feasible, you may still want to file a civil lawsuit to punish your attacker. Sometimes this is the only way you can get someone to stop their attacks. If the attacker is coming from another company, whether sanctioned, in the case of corporate espionage, or unsanctioned, in the case of a wayward employee, you may have cause to file a lawsuit and collect significant damages. Although the burden of proof is less in the civil courts, you still have to be able to substantiate your case. These tools help you to do so. However, if the case is big enough and the stakes large enough, you should still probably hire a computer forensic expert rather than try to do it yourself [27].

5.4 Internal investigations

If you suspect your intrusion may be from an internal source, you must track down this huge source of business liability. An internal attacker can do far more damage than an outsider since they often know the personnel, systems, and information that could cause the most damage to a company if revealed or compromised. By using these forensic tools, you can track them down.
If disciplinary action is warranted, you have the evidence to back it up. You do not want to be sued by a former employee for wrongful termination [55].

5.5 ISP complaints

If you decide not to pursue the person attacking your network and they are still doing it, you need to file a complaint with their ISP and try to get them shut down. Often, this is the only real recourse that does not cost a lot of money for companies hit by a hacker attack. Using the forensic tools in this chapter, you can follow the perpetrator's trail, at least as far as their ISP. Once you have traced the attacker this far, you can file a formal complaint with the ISP, asking them to take further action. Most ISPs have acceptable use policies for their customers, which do not include hacking. If you can show them satisfactory evidence, they will usually take action, ranging from a warning to removing that user's account. Because of privacy concerns, they will not usually disclose any personal information about the user unless required to, but some ISPs are more helpful than others in this respect. Most of the major providers have a special abuse email address to which you can send your messages [56].

You should make sure you have gathered sufficient information so they can find your attacker. This would include IP addresses tied to specific times. Most ISPs give out dynamic IP addresses, which change each time someone logs on. Without time information to match against their logs, they probably will not be able to help you. If possible, give them multiple access times so they can correlate the user from several data points, as their log files may be out of sync with yours and the times will not match exactly. Also include any other data you may have, such as logs of commands used, places they copied files to, and so on. The ISP may be a victim as well and will want this data to investigate further [57].

6 Case studies using forensic tools

6.1 Autopsy

There are many tools for forensic analysis these days, including ones that make use of machine learning and other techniques [58–60].

The first case study uses Autopsy to examine the files stored on the system. With Autopsy, the investigator analyzes deleted files, which helps in forensic investigations. Deleted files stay on the storage medium until they are overwritten. It is therefore possible to recover deleted evidence from a system until the file system overwrites it.
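For the ISP complaint described in Section 5.5 above, the following added example (not code from the chapter) turns host logs into the evidence an abuse desk needs: one source IP, several access times normalised to UTC, and a stated clock correction. The simplified sshd-style log format, the UTC-5 time zone and the 90-second clock error are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log (simplified sshd-style lines, local time of the host).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges.
SAMPLE_LOG = """\
2021-03-04 22:14:07 sshd[811]: Failed password for root from 203.0.113.45 port 51122 ssh2
2021-03-04 22:14:09 sshd[811]: Failed password for root from 203.0.113.45 port 51122 ssh2
2021-03-04 22:15:31 sshd[811]: Accepted password for backup from 203.0.113.45 port 51130 ssh2
2021-03-05 01:02:44 sshd[902]: Accepted password for backup from 203.0.113.45 port 40211 ssh2
2021-03-05 09:30:00 sshd[950]: Accepted password for alice from 198.51.100.7 port 60000 ssh2
this line is not an sshd record and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) sshd\[\d+\]: "
    r"(?P<event>Failed|Accepted) password for (?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)"
)


def parse_events(log_text, utc_offset_hours, clock_fast_by_seconds=0):
    """Parse log lines and return events with timestamps corrected to true UTC.

    utc_offset_hours: time zone the host logs in (assumed fixed, no DST change).
    clock_fast_by_seconds: how far the host clock ran ahead of a reference
    clock when measured; it is subtracted so the ISP can match its own logs.
    """
    local_tz = timezone(timedelta(hours=utc_offset_hours))
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or malformed line
        local = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=local_tz)
        utc = local.astimezone(timezone.utc) - timedelta(seconds=clock_fast_by_seconds)
        events.append({"utc": utc, "ip": m["ip"], "port": int(m["port"]),
                       "user": m["user"], "event": m["event"].lower()})
    return events


def events_by_ip(events):
    """Group events per source IP, oldest first, to give several data points."""
    grouped = defaultdict(list)
    for ev in events:
        grouped[ev["ip"]].append(ev)
    for evs in grouped.values():
        evs.sort(key=lambda e: e["utc"])
    return dict(grouped)


def abuse_report(events, ip, clock_note):
    """Build the plain-text evidence section of a complaint for one source IP."""
    evs = events_by_ip(events).get(ip)
    if not evs:
        raise ValueError(f"no events recorded for {ip}")
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = [
        f"Source IP: {ip}",
        f"Events: {len(evs)} between {evs[0]['utc'].strftime(fmt)} "
        f"and {evs[-1]['utc'].strftime(fmt)} (all times UTC)",
        f"Clock note: {clock_note}",
        "",
    ]
    for ev in evs:
        lines.append(f"{ev['utc'].strftime(fmt)}  src_port={ev['port']}  "
                     f"{ev['event']} login as {ev['user']}")
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_events(SAMPLE_LOG, utc_offset_hours=-5, clock_fast_by_seconds=90)
    print(abuse_report(parsed, "203.0.113.45",
                       "host clock measured 90 s fast; times below are corrected"))
```

Keep the original, unmodified log file alongside the generated report, so the corrected times can always be traced back to the raw records.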
In this case study, Autopsy is used for identifying and recovering deleted files. The Sleuth Kit was first designed for Linux and was later made available for Windows as well. The steps are as follows:
– Install Autopsy on your system.
– Create a new case and add it to a base directory.
– Click on Add Data Source.
– Select a Logical File Set or image you want to analyze.

Figures 2–4 depict the GUI of Autopsy. Figures 5 and 6 illustrate how forensic investigations are performed.
Fig. 2: Selection of data.
Fig. 3: Selection of source.
Fig. 4: Configure ingest modules.
6.2 Wireshark

Network forensic tools are the need of the hour as networks become increasingly complex, with hackers launching attacks to steal people's identities [66–68]. These threats affect users and administrators as well as forensic investigators [69–70]. When analyzing network-related attacks, it is essential to understand the origin of the attacks and to analyze packets. This can help administrators restore systems. Wireshark is a forensic tool used to analyze incoming and outgoing packets so that network problems can be troubleshot by identifying anomalies and suspicious packet patterns. It is a free and open-source packet analyzer used to capture, analyze, and filter packets. It can help the system administrator analyze network packets, as visualized in the following figures.

The captured packets can be analyzed along with their protocols and their source and destination addresses. The hex dump of these packets is shown in the bottom section. Figure 7 depicts the monitoring of packets in Wireshark. Figure 8 shows how this information can be monitored using different sections. In Wireshark, filters are used to analyze packets selectively, as shown in Fig. 9. Wireshark can also be used to check the total number of packets, queries, and responses in the network for a specific protocol.

Fig. 5: Flow of data in the tool.
Fig. 6: Final results of the tool.
Fig. 8: Monitoring information flow in tool.
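The per-protocol counts of packets, queries, and responses described in Section 6.2 can also be reproduced outside the GUI. The following added example (not code from the chapter, and not Wireshark's own code) reads a classic pcap file, classifies each frame, and counts DNS queries and responses, which corresponds to the Wireshark display filters `dns.flags.response == 0` and `dns.flags.response == 1`. The four-packet capture is constructed inline, with zeroed checksums and documentation addresses.

```python
import struct
from collections import Counter


def _frame(proto, sport, dport, payload, src, dst):
    """Constructed Ethernet/IPv4 frame carrying UDP (17) or a bare TCP SYN (6)."""
    if proto == 17:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 1024, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00" + ip + l4


def _dns(txid, is_response, name="example.com"):
    """Constructed DNS message: header plus one A/IN question, no answers."""
    flags = 0x8180 if is_response else 0x0100   # QR bit (0x8000) marks a response
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


def build_sample_pcap():
    """Constructed capture: two DNS queries, one DNS response, one TCP SYN."""
    client, server = "192.0.2.10", "192.0.2.53"
    frames = [
        _frame(17, 40000, 53, _dns(1, False), client, server),
        _frame(17, 53, 40000, _dns(1, True), server, client),
        _frame(17, 40001, 53, _dns(2, False), client, server),   # never answered
        _frame(6, 40002, 443, b"", client, "192.0.2.80"),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1600000000 + i, 0, len(f), len(f)) + f
    return out


def read_pcap(data):
    """Yield (timestamp, frame bytes) from a classic pcap file of either byte order."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        ts, _usec, incl, _orig = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frame = data[off:off + incl]
        if len(frame) < incl:
            break                       # truncated final record
        off += incl
        yield ts, frame


def dissect(frame):
    """Return the fields a display filter would match on for one frame."""
    info = {"proto": "other"}
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # IPv4 only
        return info
    ihl = (frame[14] & 0x0F) * 4
    l4 = frame[14 + ihl:]
    info["src"] = ".".join(map(str, frame[26:30]))
    if frame[23] == 6 and len(l4) >= 20:
        info["proto"] = "tcp"
    elif frame[23] == 17 and len(l4) >= 8:
        info["proto"] = "udp"
        sport, dport = struct.unpack_from("!HH", l4)
        if 53 in (sport, dport) and len(l4) >= 20:       # 8-byte UDP + 12-byte DNS header
            info["proto"] = "dns"
            info["dns_id"], flags = struct.unpack_from("!HH", l4, 8)
            info["dns_response"] = bool(flags & 0x8000)
    return info


def summarize(pcap_bytes):
    """Count frames per protocol and list DNS transaction IDs left unanswered."""
    counts, pending = Counter(), set()
    for _ts, frame in read_pcap(pcap_bytes):
        f = dissect(frame)
        counts[f["proto"]] += 1
        if f["proto"] == "dns":
            if f["dns_response"]:
                counts["dns_responses"] += 1
                pending.discard(f["dns_id"])
            else:
                counts["dns_queries"] += 1
                pending.add(f["dns_id"])
    return dict(counts), sorted(pending)


if __name__ == "__main__":
    print(summarize(build_sample_pcap()))
```

A gap between the query and response counts, as in this sample, is the kind of anomaly an analyst would then isolate with a filter on the unanswered transaction ID.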
7 Conclusion and future work

The use of forensic tools is essential, as a great deal of personal information is available on the web, be it on online social networks or other social media. Unfortunately, gathering data to reconstruct and establish an attack can seriously damage security and runs into various obstacles when distributed computing is involved. This chapter is a review of the use of digital forensics in the investigation of cyber crimes to gather evidence. The use of forensic tools is essential to analyze any kind of data, which could range from text to videos, and to deal with intrusions into operating systems, networks, etc. Much work is being done in the domain of forensic investigations, as there are multiple issues related to the storage and retrieval of large data. As digital information is being marketed on a large scale, digital evidence is needed to analyze what kind of tampering was done with essential data. This is further illustrated by the analysis of files stored on the Windows operating system using the Sleuth Kit interface of the Autopsy forensics tool. In the future, the authors will work on more aspects of privacy preservation using forensic tools.

Fig. 9: Detailed information on a specific protocol.
References

[1] Richard III, G. G., Roussev, V. 2006. Next-generation digital forensics. Communications of the ACM, 49(2), 76–80.
[2] Casey, E. 2009. Handbook of Digital Forensics and Investigation, Academic Press, Elsevier, United States.
[3] Nance, K., Hay, B., Bishop, M., 2009, January. Digital forensics: defining a research agenda. In 2009 42nd Hawaii International Conference on System Sciences, 1–6, IEEE.
[4] Holt, T. J., Bossler, A. M., Seigfried-Spellar, K. C. 2015. Cybercrime and Digital Forensics: An Introduction, Routledge, Taylor and Francis, United Kingdom.
[5] Taylor, R. W., Fritsch, E. J., Liederbach, J. 2014. Digital Crime and Digital Terrorism, Prentice Hall Press, One Lake Street Upper Saddle River, NJ; United States.
[6] Nance, K., Bishop, M., 2017. Deception, Digital Forensics, and Malware Minitrack (Introduction).
[7] Nance, K., Bishop, M., 2017, January. Introduction to deception, digital forensics, and malware minitrack. In Proceedings of the 50th Hawaii International Conference on System Sciences.
[8] Kävrestad, J. 2017. Guide to Digital Forensics: A Concise and Practical Introduction, Springer, Switzerland.
[9] Hassan, N. A. 2019. Introduction: Understanding Digital Forensics. In: Nihad A. Hassan (ed.) Digital Forensics Basics. Apress, Berkeley, CA, 1–33.
[10] Chen, L., Takabi, H., Le-Khac, N. A. eds. 2019. Security, Privacy, and Digital Forensics in the Cloud, John Wiley & Sons, United States.
[11] Casey, E. 2011. Digital Evidence and Computer Crime: Forensic Science, Computers, and the internet, Academic press, United States.
[12] Stallard, T., Levitt, K., 2003, December. Automated analysis for digital forensic science: Semantic integrity checking. In 19th Annual Computer Security Applications Conference, 2003. Proceedings, 160–167, IEEE.
[13] Vincze, E. A. 2016. Challenges in digital forensics. Police Practice and Research, 17(2), 183–194.
[14] Parvez, M. M., Hossain, S. A., Ali, S. M. R., 2017, March. Design and implementation of low cost digital forensic laboratory for university. In 2017 International Conference on Wireless Communications, Signal Processing and Networking (WiSPNET), 1524–1528, IEEE.
[15] Khalaf, R. S., Varol, A., 2019, June. Digital forensics: Focusing on image forensics. In 2019 7th International Symposium on Digital Forensics and Security (ISDFS), 1–5, IEEE.
[16] Ozel, M., Bulbul, H. I., Yavuzcan, H. G., Bay, O. F. 2018. An analytical analysis of Turkish digital forensics. Digital Investigation, 25, 55–69.
[17] Pollitt, M., 2010, January. A history of digital forensics. In IFIP International Conference on Digital Forensics, 3–15, Springer, Berlin, Heidelberg.
[18] Scientific Working Group on Digital Evidence (SWGDE) and United States of America, 2000. Digital Evidence: Standards and Principles.
[19] Blyth, T. 2013. Narratives in the History of Computing: Constructing the Information Age Gallery at the Science Museum. In: Tatnall A., Blyth T., Johnson R. (eds) Making the History of Computing Relevant. HC 2013. IFIP Advances in Information and Communication Technology Making the History of Computing Relevant. Springer, Berlin, Heidelberg, 25–34.
[20] Whitcomb, C. M. 2002. An historical perspective of digital evidence: A forensic scientist’s view. International Journal of Digital Evidence, 1(1), 7–15.
[21] Shrivastava, G. 2017. Approaches of network forensic model for investigation. International Journal of Forensic Engineering, 3(3), 195–215.
[22] Shrivastava, G., 2016. Network forensics: Methodical literature review. In 2016 3rd International Conference on Computing for Sustainable Global Development (INDIACom), 2203–2208, IEEE.
[23] Karresand, M., Shahmehri, N., 2006, May. Oscar – file type identification of binary data in disk clusters and ram pages. In IFIP International Information Security Conference, 413–424, Springer, Boston, MA.
[24] Ma, W., Li, R. 2019. Digital Forensics for Frame Rate Up-Conversion in Wireless Sensor Network. In: Al-Turjman F. (eds). Artificial Intelligence in IoT. Transactions on Computational Science and Computational Intelligence. Springer, Cham, 151–166.
[25] Khan, M. Z., Husain, M. S., Shoaib, M. 2020. Introduction to Email, Web, and Message Forensics. In: Mohammad Shahid Husain and Mohammad Zunnun Khan (eds.) Critical Concepts, Standards, and Techniques in Cyber Forensics. IGI Global, Ministry of Higher Education, Oman, Integral University, India, 174–186.
[26] Morovati, K., Kadam, S. S. 2019. Detection of phishing emails with email forensic analysis and machine learning techniques. International Journal of Cyber-Security and Digital Forensics, 8(2), 98–108.
[27] Case, A., Richard III, G. G. 2017. Memory forensics: The path forward. Digital Investigation, 20, 23–33.
[28] Joseph, P., Norman, J. 2020. Systematic memory forensic analysis of ransomware using digital forensic tools. International Journal of Natural Computing Research (IJNCR), 9(2), 61–81.
[29] Su, Q., Xi, B., 2017, March. Key technologies for mobile phone forensics and application. In 2017 2nd International Conference on Multimedia and Image Processing (ICMIP), 335–340, IEEE.
[30] Manral, B., Somani, G., Choo, K. K. R., Conti, M., Gaur, M. S. 2019. A systematic survey on cloud forensics challenges, solutions, and future directions. ACM Computing Surveys (CSUR), 52(6), 1–38.
[31] Cameron, L., 2018. Future of digital forensics faces six security challenges in fighting borderless cybercrime and dark web tools.
[32] Roussev, V. 2009. Hashing and data fingerprinting in digital forensics. IEEE Security & Privacy, 7(2), 49–55.
[33] Banerjee, U., Vashishtha, A., Saxena, M. 2010. Evaluation of the capabilities of wireshark as a tool for intrusion detection. International Journal of computer applications, 6(7), 1–5.
[34] Wu, W., Zhao, G., Lai, W., Lan, J., 2016, May. Research on NTFS file anti-delete forensic technology. In 2016 2nd Workshop on Advanced Research and Technology in Industry Applications (WARTIA-16). Atlantis Press.
[35] Malan, D. F., Van Der Walt, S. J., Raidou, R. G., Van Den Berg, B., Stoel, B. C., Botha, C. P., . . . Valstar, E. R. 2016. A fluoroscopy-based planning and guidance software tool for minimally invasive hip refixation by cement injection. International journal of computer assisted radiology and surgery, 11(2), 281–296.
[36] Montasari, R., Hill, R., 2019, January. Next-generation digital forensics: Challenges and future paradigms. In 2019 IEEE 12th International Conference on Global Security, Safety and Sustainability (ICGS3), 205–212, IEEE.
[37] Sindhu, K. K., Meshram, B. B. 2012. Digital forensic investigation tools and procedures. International Journal of Computer Network and Information Security, 4(4), 39.
[38] Truong, J., 2017. File survival on USB drive.
[39] Recon, A., 2014. Arsenal image mounter.
[40] Carrier, B., 2011. The sleuth kits. TSK–sleuthkit. org.
[41] Al-Hadadi, M., AlShidhani, A. 2013. Smartphone forensics analysis: A case study. International Journal of Computer and Electrical Engineering, 5(6), 576.
[42] Garfinkel, S. L. 2013. Digital media triage with bulk data analysis and bulk_extractor. Computers & Security, 32, 56–72.
[43] Van De Wiel, E., Scanlon, M., Le-Khac, N. A., 2018, January. Enabling non-expert analysis of large volumes of intercepted network traffic. In IFIP International Conference on Digital Forensics, 183–197, Springer, Cham.
[44] Neware, R. 2017. Computer forensics for private web browsing of UC browser. IOSR Journal of Computer Engineering (IOSR-JCE), 19(4), 56–60.
[45] Cohen, C. L. 2007. Growing challenge of computer forensics. Police Chief, 74(3), 24.
[46] Liu, H., Azadegan, S., Yu, W., Acharya, S., Sistani, A. 2012. Are we Relying too much on Forensics Tools? In: Lee R. (ed.) Software Engineering Research, Management and Applications 2011. Springer, Berlin, Heidelberg, 145–156.
[47] Taylor, T., Araujo, F., Kohlbrenner, A., Stoecklin, M. P., 2018, June. Hidden in plain sight: Filesystem view separation for data integrity and deception. In International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, 256–278, Springer, Cham.
[48] Savoldi, A., Gubian, P., Echizen, I., 2010, January. Uncertainty in live forensics. In IFIP International Conference on Digital Forensics, 171–184, Springer, Berlin, Heidelberg.
[49] Wang, P., Rosenberg, M., D’Cruze, H. 2018. Integration of Mobile Forensic Tool Capabilities. In: Shahram Latifi (ed.) Information Technology-New Generations. Springer, Cham, 81–87.
[50] Davidoff, S., Ham, J. 2012. Network Forensics: Tracking Hackers Through Cyberspace, Vol. 2014, Prentice hall, Upper Saddle River.
[51] Umair, A., Nanda, P., He, X., 2017. Online social network information forensics: A survey on use of various tools and determining how cautious facebook users are? In 2017 IEEE Trustcom/BigDataSE/ICESS, 1139–1144, IEEE.
[52] Meghanathan, N., Allam, S. R., Moore, L. A., 2010. Tools and techniques for network forensics. arXiv preprint arXiv:1004.0570.
[53] Azadegan, S., Yu, W., Liu, H., Sistani, M., Acharya, S., 2012, January. Novel anti-forensics approaches for smart phones. In 2012 45th Hawaii International Conference on System Sciences, 5424–5431, IEEE.
[54] Talib, M. A., Alnanih, R., Khelifi, A. 2020. Application of quality in use model to assess the user experience of open source digital forensics tools. International Journal of Electronic Security and Digital Forensics, 12(1), 43–76.
[55] Umar, R., Riadi, I., Zamroni, G. M. 2018. Mobile forensic tools evaluation for digital crime investigation. International Journal of Advance Science Engineering Information Technology, 8(3), 949.
[56] Li, S., Choo, K. K. R., Sun, Q., Buchanan, W. J., Cao, J. 2019. IoT forensics: Amazon Echo as a use case. IEEE Internet of Things Journal, 6(4), 6487–6497.
[57] Ogden, R. 2008. Fisheries forensics: the use of DNA tools for improving compliance, traceability, and enforcement in the fishing industry. Fish and Fisheries, 9(4), 462–472.
[58] Shrivastava, G., Sharma, K., Khari, M., Zohora, S. E. 2018. Role of Cyber Security and Cyber Forensics in India. In: Gulshan Shrivastava, Prabhat Kumar, B. B. Gupta, Suman Bala and Nilanjan Dey (eds.) Handbook of Research on Network Forensics and Analysis Techniques. IGI Global, 143–161.
[59] Shrivastava, G., Peng, S. L., Bansal, H., Sharma, K., Sharma, M. eds. 2020. New Age Analytics: Transforming the Internet through Machine Learning, IoT, and Trust Modeling, Apple Academic Press, New York.
[60] Sharma, K., Makino, M., Shrivastava, G., Agarwal, B. eds. 2019. Forensic Investigations and Risk Management in Mobile and Wireless Communications, IGI Global, USA.
[61] Casey, E. ed. 2001. Handbook of Computer Crime Investigation: Forensic Tools and Technology, Elsevier, USA.
[62] Wazid, M., Katal, A., Goudar, R. H., Rao, S., 2013, April. Hacktivism trends, digital forensic tools, and challenges: A survey. In 2013 IEEE Conference on Information & Communication Technologies, 138–144, IEEE.
[63] Gadgil, P., Nagpure, S., 2019. Analysis of Advanced Volatile Threats Using Memory Forensics. Available at SSRN 3358798.
[64] Garfinkel, S. L. 2010. Digital forensics research: The next 10 years. Digital Investigation, 7, S64–S73.
[65] Shrivastava, G., Kumar, P., Gupta, B. B., Bala, S., Dey, N. eds. 2018. Handbook of Research on Network Forensics and Analysis Techniques, IGI Global.
[66] Kotsiuba, I., Skarga-Bandurova, I., Giannakoulias, A., Bulda, O., 2019, December. Basic forensic procedures for cyber crime investigation in smart grid networks. In 2019 IEEE International Conference on Big Data (Big Data), 4255–4264, IEEE.
[67] Khari, M., Shrivastava, G., Gupta, S., Gupta, R. 2017. Role of Cyber Security in Today’s SCENARIO. In: Raghavendra Kumar, Prasant Kumar Pattnaik, Priyanka Pandey (eds.) Detecting and Mitigating Robotic Cyber Security Risks. IGI Global, 177–191.
[68] Raghavan, S., Raghavan, S. V., 2013, November. A study of forensic & analysis tools. In 2013 8th International Workshop on Systematic Approaches to Digital Forensics Engineering (SADFE), 1–5, IEEE.
[69] White, J., Charlton, W. S., Solodov, A., Tobin, S. J., 2010, July. Applications of X-Ray Fluorescence and Fission Product Correlations for Nuclear Forensics. In Proceedings of the 51st Annual Meeting for the Institute of Nuclear Materials Management, Baltimore, Maryland, 11–15.
[70] Garfinkel, S., Farrell, P., Roussev, V., Dinolt, G. 2009. Bringing science to digital forensics with standardized forensic corpora. Digital Investigation, 6, S2–S11.
Swati Gupta, Puneet Garg

An insight review on multimedia forensics technology

Abstract: Crime is becoming a principal problem of our society day by day, so it is important to find ways to overcome it; that is why the term “multimedia forensics” is introduced. Multimedia forensics can be defined as the science of analyzing a digital asset in order to assess it for a specific purpose, to extract significant information, and to support some kinds of investigation of digital documents. Multimedia forensics provides a way to test digital data from a source, which may be an authorized image, an order, or any other document used for identification in the forensic process. Multimedia forensics covers images, video, audio, and so on. In multimedia forensic techniques, the focus is on identifying the source digital device, which may be a mobile phone, digital camera, etc., with the help of the media; similarly, media forensics detects the evidence from which it was obtained. To prevent false detection, lenses are used together with the characteristics of dust spots. All results depend on the lens detection, even under heavy compression and downsampling. Investigation of a crime is a complex process that starts at the crime scene, continues in the lab for in-depth investigation, and ends in the courtroom, where the final judgment is made. Investigators need support in all these steps to make their jobs as effective and efficient as possible. The question then arises as to why multimedia forensics is required. A few of the answers: evidence must be gathered before it is lost or destroyed by means of powerful editing tools.

Keywords: digital forensic, multimedia forensic, forensic investigation, cyber forensic, database forensic, network forensic

1 Introduction

In criminal and civil legal actions, digital evidence helps in countless cases.
Digital evidence plays an especially important role in the investigation of cases. However, both are dependent on the government and legal agencies. In digital forensics, the process covers how data is collected, how it is presented, how the results are analyzed, and finally how the evidence is presented in court with the help of digital sources. A multimedia information system manages communication and multimedia data such as images, video, and audio; it also manages text data. It is necessary to ensure that the data is protected from unauthorized access. Various techniques are used for the investigation, and which technique is applied to the multimedia data depends only on the crime. Before applying a technique, the user goes through the various techniques and then considers the access control policy; after studying all of these, the user can decide which machine is suitable for which data. This is the first step. The user then finds out the availability of digital libraries that serve as a helping hand in the investigation; this is the second step of the process. The third step is to establish security in multimedia communication in order to secure the data. In the last step, the data is handed over to national security analysis for monitoring. Multimedia not only represents things or our views; it is also information about production and thinking. Because digital data is readily available, inexpensive, and easy to work with, verifying it has become difficult. It is easy for different users to manipulate and process an image or video any number of times. Digital forensics is a subtype of forensic science. The definition of digital forensics was given at the first digital forensics workshop. Because of digital sensors, it has become more complex. Sensors can easily capture every part of reality and transform it into a digital representation. Multimedia forensics provides a better technique for testing the source of digital sensor data; it covers audio, video, and image content. Image forensics analyzes an image using image processing techniques.

Swati Gupta, Vaish College of Engineering, Rohtak, Haryana, India, e-mail: swati.mangla.555@gmail.com
Puneet Garg, J. C. Bose University of Science and Technology YMCA, Faridabad, Haryana, India, e-mail: puneetgarg.er@gmail.com
https://doi.org/10.1515/9783110677478-002
2 History

The first digital forensic evidence appeared in the 1970s, and the work was started by the US federal government; real investigations began in the 1980s, when agents started to take computers into the work of searching for evidence. The process continued in the 1990s, when researchers began to identify problems with the investigation process. In forensics, the scenario has become more complex because of the wider use of sensors, since sensors capture pictures and record sounds more clearly for digital representation. Digital representation gives better results from an investigation point of view. The report of the DFRWS (Digital Forensic Research Workshop), held in August 2001 in Utica, New York, gives the following definition:

“The use of scientifically derived and proven methods towards the presentation, collection, validation, identification, analysis, interpretation, documentation, and presentation of digital evidence derived from digital sources to facilitate or further the reconstruction of events found to be criminal or helping to anticipate unauthorized actions shown to be disruptive to planned operations.”
For the last couple of years, forensics has grown dynamically and brought together researchers from different communities such as multimedia security, computer forensics, and signal and image processing. Multimedia forensics provides a tested source of digital sensor data to authenticate an image and to test the integrity of that image. Multimedia data contains images, audio, and video, and those images are processed and reconstructed by experts using an image processing system [1]. Because of the availability of multimedia editing tools, falsifying images and videos has become widespread in the last few years. From the preceding discussion and overview, it is clear that multimedia forensics has become an important and authenticated tool for investigation. Digital and multimedia forensics also proceed along three strands. According to the Digital Forensic Research Workshop, three types of communities have a conflict of interest in computer forensics. The “homegrown” bottom-up approach started in the 1990s, when labs and security researchers were started. Figure 1 describes the social media investigation for law enforcement.

Fig. 1: Social media investigation for law enforcement (figure labels: source (possibly untraceable), original, forgery, publications in web platforms, altered and resaved versions, forensic analysis).

3 Taxonomy

Analog forensics was used earlier; nowadays it is no longer used for investigations, and digital forensics is mainly used instead. Which method is used depends on the crime. The taxonomy of digital forensics is shown in Fig. 2.

The main aim of digital forensics is to produce legal evidence in court. Digital forensic evaluation should be controlled and supervised to ensure forensic durability for every step of the chain [2]. The digital forensic approach represents a clear and true picture of privacy and protection. Digital evidence plays an important role in civil cases. Digital forensics is also used to trace and track terrorists. It helps soldiers as well, in the form of electronic devices [3]. Figure 3 shows how the process of digital forensics is carried out. The various parts of the multimedia forensics technology taxonomy are as follows:

Fig. 2: Taxonomy of digital forensics (multimedia forensics, live forensics, network forensics, mobile forensics, database forensics, cyber forensics).

Fig. 3: Investigation process of digital forensics (possession, recognition, physical context, logical context, legal context, evaluation, admission as evidence).

3.1 Live forensics

Live forensics is a subfield of digital forensics; it is the process of searching memory in real time. This technique is used to address the issue of volatile evidence. It is also used in the enterprise field when the media is not nearby to collect the data for the investigation and the investigation is possible given the amount of data [4]. This technique is used to improve efficiency and obtain volatile data. However, it is difficult to apply to virtual machines, even though virtualization is booming and its popularity is increasing day by day [5]. Live forensics is based on active connections, processes, fragments, and memory. It is used to collect volatile data. It is a tool that can be used to collect intercepts, gather information, and pass the results to the authorities of the relevant member states that have requested the investigation. Three questions must be answered before the investigation:
(a) Is live forensic investigation mandatory in this case?
(b) If yes, then what data needs to be collected for the investigation?
(c) How can the data be collected while ensuring its authenticity?
  • 45. To answer the first question, it is necessary to check whether a live investigation is needed. To answer the second question, the user needs to find the places or areas from which the data is collected. To answer the third question, an authentic person or machine is required for the verification, and that person or machine must itself be verified.
3.2 Database forensics
Database forensics is another subfield of digital forensics. It is the forensic study of databases and their metadata. It is not based upon database recovery. The main aim of this technique is to rebuild metadata from the failed database. The following database scenarios call for investigation:
(i) Failure of a database
(ii) Deletion of information from the database
(iii) Inconsistencies of the data in the database
(iv) Detection of suspicious behavior of users
Specialists as a rule use read-only methods while interfacing with the data, so that the data is not compromised. The methodologies of database forensics are shown in Fig. 4; the reconstruction process is followed only when the expert wants some very essential information from the database. There are two research areas:
(a) Reactive approach
(b) Proactive approach
3.3 Network forensics
Network forensics is also a type of digital forensics, and a new field within it. Network forensics works on dynamic data. It is a continuous process in which an investigator continuously analyzes events to find security issues [6]. There are two uses of network traffic. The first relates to security and the second relates to law enforcement. The first involves monitoring the network and finding intrusions; the second involves reassembling the files that were transferred. In the investigation phase the following rules must be followed:
(a) Identification
(b) Preservation
(c) Collection
Fig. 4: Database forensics methodologies (diagram labels: Investigation Preparedness, Incident Verification, Artifact Collection, Artifact Analysis).
An insight review on multimedia forensics technology 31
  • 46. (d) Examination
(e) Analysis
(f) Presentation
(g) Decision
3.4 Cyber forensics
Computers are machines that exist in physical reality. The principle of exchange is applied to cyber forensics. Electronic data is evaluated scientifically so that the information can be used in court as a piece of evidence [7]. Cyber forensics uses the process of DFS. Many organizations use cyber forensics for investigation purposes, but only when they have the highest understanding of the standards. The focus of cyber forensics is on three levels: acquire, authenticate, analyze. Historically, digital forensics was a domain of law enforcement. Digital forensics includes the investigation of devices and of data from a computing device. It describes the use of scientific techniques to establish the facts and the truth of a crime with the help of computers [7].
(a) It works as an important tool in the real world to find out the crime.
(b) It assists in discovering the crime from its central point.
(c) Memory forensics and network forensics also come under this type of forensics.
3.5 Mobile forensics
A mobile device sits between three modes: IoT, cloud computing, and big data. The main aim is to retrieve digital evidence or related data from a mobile device. Mobile forensics needs exact rules for analyzing and presenting digital evidence from the device. In mobile forensics, the phone's internal memory and communication capability are examined [6]. Fig. 5 shows the mobile forensics classification as a pyramid. There are two problems in the mobile forensics process: (i) lock activation and (ii) network connection. Mobile forensics has features such as being more invasive, requiring more training, having longer analysis times, and being more technical.
Fig. 5: Mobile forensics classification (pyramid labels: Micro read, Chip Off, Hex Dump / JTAG, Logical Extraction, Manual Extraction).
  • 47. 3.6 Multimedia forensics
Multimedia forensics deals with an important class of digital data. As media becomes pervasive in daily life, it is not easy to hide anything from multimedia. Because of the advancement of multimedia technology, people enjoy and spread their thoughts across the world. But along with the benefits there are drawbacks: voice, images, and video can easily be manipulated by anybody, which becomes a complex hurdle for the investigation group. Multimedia forensics was first seen in mid 2001. For the last few years, its usage has been increasing rapidly. In digital media, the first step is seizure. Multimedia forensics technology is helpful in daily communication and for interaction or sharing content [7]. This type of forensics also covers digital image and digital audio/video forensics; mobile devices come under this type of technique. It is not about scrutinizing the exegetics of digital media. Like cyber forensics, multimedia forensics depends on digital evidence. Multimedia forensics is growing day by day and brings together researchers from different fields such as security, imaging, and signal processing [8]. There are two approaches to multimedia forensics: (a) manipulation detection and (b) identification, considered separately. These methods are used to investigate things with authenticity. Figure 6 shows the approach of multimedia forensics. Multimedia forensics involves two approaches, (i) the passive approach and (ii) the active approach, as shown in Fig. 6. The passive approach covers video, image, and audio data, and the active approach covers the techniques of digital fingerprinting and digital watermarking. There are so many ways to divulge multimedia.
In multimedia forensics it is assumed that the investigator does not know how to deduce productively; the technique is called “blind” [9], and the main focus is on two sources:
– Attributes of the acquisition devices can be analyzed for their quality or uniformity.
– Traces inherited from earlier processing can be discovered in manipulation detection.
Fig. 6: Multimedia forensics approach (diagram labels: Multimedia Forensics; Passive Approach: Video, Image, Audio; Active Approach: Digital Fingerprint, Digital Watermark).
  • 48. 4 Applications
Various applications of multimedia forensics technologies are as follows:
4.1 Prototype multimedia systems and platforms
A prototype multimedia system works for multimedia forensics. It is also called multimedia on the information highway, and it may be characterized as promising to create a new industry. This term has been popular since 1990 to refer to the digital communication system and internet telecommunication network. At the center of the highway is multimedia technology; so far it can only walk, yet it is being pushed to unwind the duct of data heaven. At present, programs are broadcast on TV and the schedule is fixed in advance.
4.2 Home
Multimedia forensics is a helpful technique in homes for video on demand, interactive TV, online shopping, remote home care, electronic albums, etc. All of these are helpful in multimedia forensics and are also beneficial for the home. Multimedia forensics also helps in our daily life.
(i) Video-on-demand: Viewers receive video over subscriber lines and use the telephone to request a program or video on the TV. This process is known as video on demand. In this way teleshopping, tele-traveling, and tele-education can be established. Some years ago optical fiber links were used for communication, but now digital subscriber lines are used for data transmission.
(ii) Interactive TV: These TV services are attached to data services. The main goal of interactive TV is to provide an attractive experience to the viewer. It is an approach to TV advertising and programming that allows viewers to communicate with the advertisers and the executives of the program. It is a two-way cable channel that permits a user to interact and to send feedback in the form of commands. The set-top box is part of an interactive television and can be used by the user to select programs.
(iii) Home shopping: It is also known as e-shopping. Privacy remains the same, and it allows a customer to purchase goods. Home mail delivery systems are television, phone, and internet. In home shopping, online shopping plays an important role in today’s life. In the online shopping concept, products can be delivered directly to the customer’s address. It saves physical energy, time, and the cost of travelling. However, in this type of shopping bargaining is not possible
  • 49. and a fixed-price system is followed. But if the user compares prices, money can be saved. Home shopping is much better than physical shopping. Its features: convenience for the customer, a variety of items, simple comparison, and online tracking; however, bargaining is impossible and the quality of the item cannot be judged.
(iv) Remote home care: It is also known as remote medical care. It is a telemedicine service in which patients can be monitored and treated remotely. This service is performed at the patient’s home. It is made possible by mobile devices: the results are transmitted to the remote medical care provider, who uses them to analyze and detect the symptoms and start treating the patient. The benefits of home care are quick recovery and a reduction in pain level. The main benefit for patients is that they feel comfortable in a familiar environment, so the recovery speed increases.
(v) Electronic album: It is music that uses electronic instruments and digital music–based technology. The sound can be produced by any musical instrument, provided it is electronic. These instruments are also known as electromechanical because they use some mechanical device to produce a sound, like loudspeakers, power amplifiers, and pickups. Demand for it increases day by day and the technology keeps developing: in the nineteenth century the instruments were huge, whereas nowadays their size has decreased and they have become better.
(vi) Personalized electronic journal: Electronic journals will change the future of research in both their function and their result. For example, browsing and searching are far better than in the print environment. Personalized means that, by customizing the user interface, things are provided according to the need of the user. But for this, it is necessary to give personal details to maintain the record.
Personalization implies obtaining the user's data; for this, a portal is made, like Yahoo and Gmail. In the personalized e-journal, it is mandatory to fill in the required details in the form, and only then can the user access the journal.
4.3 Education and training
Nowadays multimedia plays an important role in education: it helps in distance learning, CAI, and the encyclopedia of multimedia, and it is helpful in interactive training because communication is especially useful for collecting information.
(i) Computer-aided instruction: Computer-aided instruction becomes important because with it every program becomes easy and fast in every field. The course is recorded by the server and correlated daily with the content. This technology is based on hypermedia and hypertext mechanisms. This technique evaluates how humans learn from multimedia.
  • 50. (ii) Distance and interactive training: It is a medium of course delivery. Distance education is an instructional delivery method for students at different locations; the student and the instructor are in different places. In this technique, communication is established when a student needs some data, and video and audio data become the bridge that fills this gap. In this kind of learning, students attend the class, but not on the main campus. This technique minimizes the limitations of the classroom approach: the classroom comes to the student rather than the student coming to the classroom. This type of study is also known as an offline study or classroom.
(iii) Encyclopedia of multimedia: It is also known as a book of multimedia because it contains both multimedia and an encyclopedia. It contains the details of the related topic. It contains a brief description of multimedia, so it is known as the encyclopedia of multimedia.
(iv) Interactive training on the web: All online courses come under this technique. It is helpful when the user cannot attend some of the courses or training in person; the user then uses this mode, known as online training, in which students can put their questions to the teacher and communication is easily established through the web. In interactive training both learner and tutor are online at the same time and they can communicate with each other. This is different from distance learning, because in distance learning both may not be online at the same time, but in interactive learning both must be online at the same time.
4.4 Operations
Multimedia helps in some of the basic operations like online monitoring, air traffic control, CAD/CAM, process control, command and control, and multimedia security control.
The methods of applying these are given below:
(i) Command and control: It is the combination of organizational and technical attributes and information resources that are used to solve the problem. Here a political authority issues orders by passing a law to achieve a behavior and uses enforcement machinery to get people to comply with the standards. Command and control is cost-ineffective, inflexible, and has limited efficiency [10].
(ii) Process control: It is a continuous process of production in the field of engineering. Process control technology allows manufacturers to run operations within limits, to get the maximum profit and better quality with safety. It consists of five steps: (i) establishing standards, (ii) measuring performance, (iii) comparing actual performance with the standards, (iv) determining the reasons for deviations in the result, and (v) taking the correct action as required.
  • 51. (iii) CAD/CAM: In the analysis of 3D documentation CAD is used to scan the photography. CAD technology is used for identification and confirmation [11]. Advantages: it supports law enforcement, produces scaled diagrams used in court, integrates seamlessly, creates digitized data for the investigation, and makes rotation of the object possible [12–14].
(iv) Air traffic control: The air traffic control system must provide the capability to schedule travel between airports, including landing and take-off times. To manage all of this, a center is created by the committee, and from the center everything is monitored from source to destination [15]. Airport control towers are responsible for take-offs, handling, and the movement of aircraft at an air terminal, so that if a plane crashes for any reason the managing team can easily find the cause.
(v) Online monitoring: Online monitoring and analysis has led to the development of an open-source architecture known as the All-packet Monitor (AMON). It builds on a high-performance packet monitor and is readily deployable on commodity hardware. AMON monitors all the packets travelling in the traffic, processes them by fast hashing, and computes real-time data products. AMON has been deployed on Internet traffic. It is extensible and permits the addition of further filter modules for real forensics [14]. It is clear to all that the internet is the biggest resource for business and society.
(vi) Multimedia security systems: Multimedia encryption is the method applied to digital multimedia to ensure the confidentiality of the media content, preventing unauthorized access and granting access rights to authorized users; all of this is done for security [16].
4.5 Public
Multimedia provides benefits in digital libraries, electronic museums, and networked system processing, as described in detail here. The demand for multimedia increases day by day [17].
(i) Digital libraries: It is difficult to collect evidence against cyber crime. Reproducing the complete hard disk is not an easy solution. Secrecy is a main part of the process of investigation. The problem is how to collect the information without the investigator learning other, irrelevant data, while the server administrator does not know what the investigator is searching for [18]. To resolve the problem of secrecy, different schemes are used that encrypt the data [19, 20]. While the schemes are theoretical, efficiency is a concern. Data integrity and authenticity are not addressed; re-encryption is required for the investigator. The investigator does not have any right to access the data, so the solution is to ask the administrator to retrieve the information.
  • 52. (ii) Electronic museums: There are a variety of places to work in the investigation of crime. Forensic teams work with the police, with security staff in financial institutions, and with IT companies that specialize in security services. With the help of the investigating team, the analyst tries to find the evidence of a crime.
(iii) Networked systems: Intelligent banking provides a cost-effective and better solution for rural areas. The main purpose of the ATM is to collect cash and cheques and handle them, but many services cannot be provided by the ATM. Networked systems help in medicine, banking, shopping, and tourism.
4.6 Business office
Nowadays everyone wants to manage and operate their business in a better way; multimedia plays an important role in this, as explained in detail below:
(i) Executive information systems: It is an executive support system; it provides easy access to information that may be internal or external. There are different types of information systems: (i) knowledge management, (ii) transaction processing system, (iii) learning management system, (iv) decision support system, (v) DBMS, (vi) office information system. It provides real-time representative information for high-level management. Components of an information system: hardware, software, telecommunication, database, human resources. It is a particularly important and workable resource for executives.
(ii) Remote consulting systems: It is used when complete, meaning full written, permission is not required to do some work. It works for the following situations: (a) when a consultant advises someone on an improvement; (b) when anybody wants to change any management and is not interested in the interference of others; (c) when the process of hiring is under way.
(iii) Video conferencing: It is visual communication between two or more users who are all at different locations.
Video conferencing is of various types: telepresence, desktop, etc. This technology is successful only with multimedia devices.
(iv) Multimedia mail: If the mail contains data other than text, it is called multimedia mail. To manage this sort of mail, a standard known as MIME (Multipurpose Internet Mail Extensions) is used; it is the extension used to define the different types of mail content. MIME has various kinds of encoding; however, it generally uses Base64, which is an encoding for binary files.
(v) Multimedia document: A multimedia document contains files in the form of text or images. This type of document is in digital form and contains both verbal and pictorial data. It brings advantages in different areas such as education, accounts, business, gaming, arts, and so on.
  • 53. (vi) Advertising: It is the medium for reaching the customer of a product or service; advertisements are messages paid for by those who send them. With the help of multimedia it becomes easy to advertise, sell, purchase, or maintain our records, so multimedia plays a significant part in advertising.
(vii) Collaborative work: It resembles partnership working, in which at least two organizations or individuals cooperate. There are various types of collaborative working: (i) separate organizations working jointly; (ii) two organizations working together within small areas; (iii) a new organization working jointly because it needs a better start and knowledge; (iv) a parent organization having several subgroups. Collaborative work is required for growing the business or organization quickly. Collaborative working may last for the life of the business or run under a proper agreement.
(viii) Electronic publishing: Electronic publishing is a technique used by the publisher to publish books and articles in the form of an e-book or e-paper. This publishing is a new arm of publishing houses. It is like desktop publishing. It is also known as e-publishing. Because of it, the cost of publishing has reduced.
4.7 Visual information systems
This approach attempts to manage our workload with the help of some innovative ideas; Fig. 7 shows how to manage critical situations and control the information without any problem. The main aim of this technology is management, which may be of any type: workload management, warehouse inventory control management, government HRM, legal case tracking, and caseload management [21].
Fig. 7: Distribution of visual information system (diagram labels: Meta Database; Image database, Video database, Text database, Image + text database; Client 1, Client 2, Client 3, Client 4).
  • 54. 5 Technology
Numerous technologies are used in multimedia forensics investigation, as described below:
5.1 Tamper detection via cryptographic hash function
The cryptographic hash function is a tool, and tamper detection is a technique, used to support the secure delivery of contents after investigation. In tamper detection two basic approaches are used:
(i) Online processing: Transactions are run and hash values are digitally notarized; in validation, the hash values are computed again and compared with those previously notarized. The two execution phases together constitute the normal processing phase, as opposed to the forensic analysis phase [22].
(ii) Audit log validation: The audit log is a log file maintained by the database in which all the activities of users are stored. The audit log is maintained in the background by specifying the relation as a transaction-time table. It follows some standards for data security. Figures 8(a) and 8(b) illustrate the techniques of tamper detection via a cryptographic hash function. A survey report found that 70% of intruders are internal users or DBAs who tampered with data [23].
Fig. 8(a): Normal operation (diagram labels: Bank Application, DBMS, Database, Audit Log, Digital Notarizer service).
Fig. 8(b): Audit log operation (diagram labels: Validator, DBMS, Database, Audit Log, Digital Notarizer service).
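The two phases of Section 5.1 (online processing with notarized hash values, then validation by recomputation) can be sketched as follows. This is an added example, not code from the chapter or from reference [22]; the class names, the HMAC-based stand-in for the digital notarization service, the record layout and the sample transactions are all assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Assumption: stands in for the external notarization service's secret.
# It lives outside the DBMS, so an insider with DBA rights cannot forge receipts.
NOTARY_KEY = b"constructed-demo-key-held-outside-the-dbms"
GENESIS = b"\x00" * 32


def record_hash(prev_hash, record):
    """Chain one audit-log record onto the running hash value."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash + payload).digest()


class Notary:
    """Simulated digital notarization service (hypothetical, HMAC-based)."""

    def __init__(self, key):
        self._key = key
        self.receipts = []  # (record_count, chain_hash_hex, tag_hex)

    def _tag(self, count, chain_hex):
        msg = count.to_bytes(8, "big") + bytes.fromhex(chain_hex)
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def notarize(self, count, chain_hash):
        chain_hex = chain_hash.hex()
        self.receipts.append((count, chain_hex, self._tag(count, chain_hex)))

    def verify_receipt(self, receipt):
        count, chain_hex, tag = receipt
        return hmac.compare_digest(self._tag(count, chain_hex), tag)


class AuditedDatabase:
    """Online processing: every commit extends the audit log and hash chain."""

    def __init__(self, notary, notarize_every=2):
        self.audit_log = []
        self._chain = GENESIS
        self._notary = notary
        self._every = notarize_every

    def commit(self, user, action, row):
        record = {"seq": len(self.audit_log) + 1, "user": user,
                  "action": action, "row": row}
        self.audit_log.append(record)
        self._chain = record_hash(self._chain, record)
        if len(self.audit_log) % self._every == 0:
            self._notary.notarize(len(self.audit_log), self._chain)


def validate(audit_log, notary):
    """Validation: recompute the chain and compare with notarized values.

    Returns (True, None) if every receipt matches, otherwise
    (False, (first_seq, last_seq)): the interval between the last good
    notarization and the first bad one, where forensic analysis should start.
    """
    chain, recomputed = GENESIS, {}
    for count, record in enumerate(audit_log, start=1):
        chain = record_hash(chain, record)
        recomputed[count] = chain.hex()
    last_good = 0
    for receipt in notary.receipts:
        count, chain_hex, _ = receipt
        if not notary.verify_receipt(receipt):
            raise ValueError("notary receipt failed verification")
        if recomputed.get(count) != chain_hex:  # altered or truncated log
            return False, (last_good + 1, count)
        last_good = count
    return True, None


def build_sample():
    """Constructed bank transactions, in the spirit of Fig. 8(a)."""
    notary = Notary(NOTARY_KEY)
    db = AuditedDatabase(notary, notarize_every=2)
    for user, action, row in [
        ("teller1", "INSERT", {"account": "A-1001", "amount": 100}),
        ("teller1", "UPDATE", {"account": "A-1001", "amount": 80}),
        ("teller2", "INSERT", {"account": "A-1002", "amount": 500}),
        ("dba", "UPDATE", {"account": "A-1002", "amount": 250}),
        ("teller2", "INSERT", {"account": "A-1003", "amount": 40}),
        ("teller1", "UPDATE", {"account": "A-1003", "amount": 45}),
    ]:
        db.commit(user, action, row)
    return db, notary


if __name__ == "__main__":
    db, notary = build_sample()
    print("untouched log:", validate(db.audit_log, notary))
    db.audit_log[3]["row"]["amount"] = 9  # insider edits record 4 in place
    print("after tampering:", validate(db.audit_log, notary))
```

Records committed after the most recent notarization are not yet covered by any receipt, so the notarization interval bounds how much activity an insider could alter undetected.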
  • 55. Random documents with unrelated content Scribd suggests to you:
  • 56. Incontinence of urine after shell-shock and burial. Case 384. (Guillain and Barré, November, 1917.) An infantryman was subject to shell explosion and burial May 10, 1917. He lost consciousness for a few hours and spat blood for two days. He was carried to an evacuation hospital and thence to the neurological center at Amiens. Incontinence day and night lasted from the period of shock up to May 29, when the patient was transferred again, to another hospital. The man had never, either in childhood or adult life, had incontinence. He showed a slight tendency to latero-pulsion toward the left. Puncture fluid normal. Guillain and Barré report but 12 cases of sphincter disorder following shell-shock without external wound among hundreds of cases, and among 12 instances of sphincter disorder there were but three of incontinence, of which the above is one example. Incontinence lasted longer in these cases than retention. Guillain and Barré are unable to assign a cause for the findings.
  • 57. Struck in back by shell splinter: Crural monoplegia; absence of plantar reflex. Case 385. (Paulian, February, 1915.) An infantryman, 20, was struck by a shell fragment in the small of the back while lying in the firing position, about 2 p.m. August 22, 1914, at Eth in Belgium. He felt as if he had been struck by the butt of a gun in the lumbar region. He was unable to get back with his comrades. His sack had been cut. He was without ammunition, and getting to a bridge he was able to jump a distance of about 8 meters. He fell and fainted. On coming to himself, his left side felt bad and he could not move his left leg. He dragged himself to the relief post which was being bombarded just as he arrived, and he got a bullet in the left frontal region. He was evacuated to another ambulance and decided to go back to France. Supported by his Lieutenant, he walked all night making about 35 kilometers on foot. He arrived at Charancy and got by train to Mont-Midi. On alighting, he could not walk. He said he was bent in two, and shuffled on in this position. The “bent-back” lasted about a month, when he began to stand up again. He passed through various hospitals and was evacuated to the Salpêtrière. He then walked with the left leg in extension on the thigh and the foot in external rotation. He was hardly able to stand on either foot, and especially fell if he tried to stand on the left foot. He made no resistance to passive movements of the left lower extremity. The reflexes were normal except that the left plantar reflex was abolished. On the right, the plantar reflex was normal, and an attempt to elicit this reflex was followed by strong defensive movements. There was a tactile, thermic, and pain anesthesia of the
  • 58. foot and leg as far up as the lower third of the thigh. Above this anesthesia, there was a zone of hypesthesia. Position sense was also abolished in this region, and there was a bony hypesthesia likewise. A slight muscular atrophy (2 cm.) affected the lower leg and thigh. There were no hereditary or acquired features of importance in the case except that there had been at 14 a chorea for a year. In particular this man appears not to have been an emotional person. The point in the case is the abolition of the plantar reflex on the left side, in association with a functional paraplegia and hemianesthesia. Re plantar reflex modification in hysteria, Babinski believes that the same law which holds that hysteria is not in line to alter either the tendon reflexes or the pupil reflexes, is true for the skin reflexes. Dejerine brought forward three cases which appeared to him, however, to demonstrate absolutely that functional anesthesia might abolish or greatly diminish the skin reactions of the sole of the foot, that is, the plantar reflexes and movements of defense. Case 385 was alleged in support of Dejerine, as also were cases of Jeanselme and Huet, and of Sollier. Babinski’s critique of Dejerine’s cases ran to the effect that two of them showed contractures, and accordingly were not pure cases in which to demonstrate plantar reflexes or movements of defense. In the third case, Babinski at a meeting of the Neurological Society, himself obtained definite flexion of the little toes by stimulating the planta. According to Babinski, therefore, Dejerine’s cases, far from proving that hysterical anesthesia could abolish the plantar cutaneous reflexes, proved that hysterical contracture might mask reflex movements. Hysterical contracture, therefore, may be as important a factor to consider re reflexes as voluntary muscular contracture itself. As Babinski pointed out, many normal persons can keep the leg immobile when the sole is stimulated. 
Moreover, Babinski pointed out, many cases regarded as hysterical were actually cases of a physiopathic or reflex nature which had actually undergone trauma. It will be noted that the above case of Paulian is just such a case of trauma.
  • 59. Shell-shock; unconsciousness: Crural monoplegia; sciatica (neural changes). Case 386. (Souques, February, 1915.) A reserve lieutenant, September, 1914, was blown up by a shell and lost consciousness for an hour. On coming to, he felt pains in the loins, right thigh, knee and heel, and found himself unable to move the right leg at all. Urinary incontinence lasted three or four days. Violent pains lasted weeks, now and then actual crises (sleep only with hypnotics). The pains then passed off. The flaccid crural monoplegia lasted. There was a hydrarthrosis of the right knee and a sciatica (physical nerve changes?) and a crural monoplegia without trophic, electrical, reflex or vesico-rectal trouble. Lumbar puncture showed no lymphocytes or excess of albumin. It would, of course, be difficult to tell whether this case was hysteria or simulation. Re hysterical monoplegia, Babinski inquires whether a hysterical monoplegia can automatically appear as a result of emotion without any intellectual element whatever. Emotion produces sweat, diarrhea or erythema, without any intellectual intermediate. Can emotion— that is, emotional shock—produce a monoplegia in the same way as it produces an erythema? The narratives of patients might indicate that emotion can do such things. But according to Babinski there is no genuine case of monoplegia or paraplegia directly produced by emotional shock. One must be careful in this discussion not to confuse emotional shock and emotion of a gradual nature. Babinski wishes to define emotion as a violent affective change as a result of a sudden mental shock upsetting physiologic or psychic balance during a usually brief period. As for the more gradual affective states
  • 60. or emotions, there is obviously so much of the imaginative and intellectual compounded therewith, that plenty of opportunity exists for the production by suggestion of such phenomena as monoplegia, paraplegia, hemi-anesthesia. Re sciatica, see remarks above under Case 329.
  • 61. Functional paraplegia and internal popliteal neuritis. Case 387. (Roussy, February, 1915.) A Zouave was taken out from under a trench shelter beam, the night of December 21, 1914, at Tracy-le-Mont. The beam had fallen upon eight men, killing one, and striking the Zouave in the hypogastrium. He was pulled out two hours later, unable to take a step. He was evacuated on his back, to Paris; stayed a month in the hospital at Croix-Rouge, bedfast. According to the patient, he was entirely anesthetic in the legs. He went to Villejuif, January 22, with the diagnosis of spinal contusion and hemiplegia. He could then walk on crutches, leaning on the left leg. He felt a sharp pain at the level of the spinous process of the first lumbar vertebra and all along the sacrum. Spontaneous movements of the left leg were possible, but they were slow and weak. The hypesthesia rose to the navel. There was a suggestion of a cauda syndrome. The knee-jerks were normal, but on the left side the Achilles jerk was absent. There was a partial R. D. in the posterior muscles of the left leg. The diagnosis was functional paraplegia plus left internal popliteal neuritis. The crutches were removed, he was isolated, and given motor reëducation. In a week he was able to walk alone with ease. Re popliteal nerve lesions, Athanassio-Benisty remarks that the external popliteal nerve of the leg resembles pathologically the musculospiral nerve of the arm, whereas the internal popliteal behaves like the median. The musculospiral nerve of the arm shows very variable and usually slight sensory changes. The median nerve more than any other nerve in the arm yields painful sensations during its recovery from section.
  • 62. Re differentiation of peripheral neuritis and hysterical paralysis, Babinski gives as signs peculiar to neuritis, and never found in hysterical paralysis, the following: (a) diminution or loss of bone and tendon reflexes; (b) muscular atrophy (except for slight amyotrophy exceptionally found in hysteria); (c) the reaction of degeneration (only of value after eight or ten days); (d) hypotonus; (e) distribution characteristic of peripheral motor sensory and trophic disorder. Re diagnosis of organic paraplegia as against hysterical paraplegia, the latter is to be recognized chiefly by the absence of the organic signs, as (a) alteration of tendon reflexes, (b) the Babinski sign (toe phenomenon), (c) exaggeration of defense reflexes (dorsal flexion of foot on sharp pinching of dorsum of foot or leg), (d) muscular atrophy with R. D., (e) sphincter disorder, (f) skin changes, such as decubitus.
  • 63. Bullet in hip: Local “stupor” of leg. Case 388. (Sebileau, November, 1914.) A Moroccan sharpshooter, 20, was wounded September 27, at Soissons. One bullet scratched the left thigh. A second entered below the anterosuperior iliac spine at least 6 cm. outside the femoral artery and emerged above the ischiotrochanteric line, 2 cm. above and 4 cm. behind the upper extremity of the great trochanter, thus passing through the tensor of the fascia lata and without breaking a bone. There was a complete paralysis of the left leg. The man had to walk with a crutch and a cane, dragging the leg like a weight. There was no active or passive movement of thigh, lower leg and foot muscles, except that there was a slight tendency to abduction of the toes, from innervation of the dorsal interossei of the foot. The iliopsoas was also involved, as well as the gluteal and pelvic trochanteric muscles. There was a certain amount of muscular tone preserved, so that the bony elements of the skeleton were held together. The foot did not fall and the leg did not elongate, as it might have in a case of paralysis of the sciatic nerve. Electro- diagnosis showed an early reaction of degeneration according to one examiner, but Sebileau believes that there was no R. D. There was anesthesia of a large part of the leg, which stretched over the anterior and internal aspects of the thigh, covered the entire territory of obturator and crural nerves but did not stretch above the fold of the groin. The region of the femorocutaneous nerve was slightly sensitive and the posterior aspect of the thigh and buttock was sensitive. There was a slight sensation on the external aspect of the lower leg. Foot and toes were entirely insensitive. The
  • 64. anesthesia was for all forms of common sensation. No vasomotor, thermic or trophic disorder. The reflexes were all abolished, except for a tendency to cremasteric reflex. It is clear that these conditions cannot be simulated. Possibly they are hysteric and to be explained on the basis of a kind of autosuggestion or perhaps, according to Sebileau, the local and nervous apparatus under the mechanical and caloric effects of the fragment had undergone a sort of local stupor. No large nerve could have been affected by the injury, according to the analysis made by Sebileau. Re stupor, see Case 253 of Tinel. Re such local “stupor” it may be noted that this case was published in 1914, before Babinski’s larger publications on reflex disorders. As for the loss of cutaneous reflexes, Babinski remarks that immersion in hot water may cause the cutaneous reflexes in the so-called physiopathic cases to reappear for a time. He regards the loss of cutaneous reflexes in the physiopathic cases as due to a circulatory disturbance, and recalls the fact that compression by an Esmarch bandage can cause the tendon reflexes to vanish for a time, and can even cause pathologically excessive reflexes to disappear. The cutaneous reflexes have also been caused to disappear by compression. According to Babinski, Sebileau’s explanation that such matters as loss of reflexes could be explained by autosuggestion is erroneous. Re muscular hypertonus in reflex cases, Babinski remarks that though it may be very pronounced, it is as a rule restricted in area. Re sensory disorders in reflex cases, pains are found (they were very slight ones in the present case); hypesthesia has also been found by Babinski.
  • 65. Localized catalepsy: Hysterotraumatic. Case 389. (Sollier, January, 1917.) An invalided soldier had been suffering for a year with marked atrophies and the right knee in extension. There had been a bullet wound of the upper third of the tibia, which did not affect the joint. There was a total anesthesia, both superficial and deep, which stopped sharply at the upper part of the thigh. At the time of the very first examination, this apparent ankylosis was reduced, to the great stupefaction of the patient. There was, however, a peculiar phenomenon in this subject. There was a localized catalepsy of the limb, which was able to preserve any desired attitude in which it was placed; and this attitude could be indefinitely prolonged, just as in cataleptic hysterics. Here, then, was a case of localized hysterotraumatism precisely imitating the classical hysteria of Charcot except for its localization. Re hysterotraumatism, Charcot developed ideas concerning trauma and localized hysteria in 1886, thereby overthrowing the ideas of Erichsen concerning the organic nature of “railway spine” and “railway brain” as developed twenty years before. In a case of local trauma such as the bullet-wound of Case 388, Babinski’s explanation would be that the pain and inhibition of movement resulting from the bullet wound at the time of injury, formed the focus of a process of autosuggestion. According to Babinski’s figure, the organic factor acts as a bait for the hysterical symptoms. According to the Salpêtrière experience, hysteria is incapable of producing a real superficial and deep anesthesia such as is mentioned for this case. For example, no hysterical patient in the Charcot clinic, according to Sicard, could undergo a scalpel operation
  • 66. without some general or local anesthetic. When, therefore, a true deep anesthesia occurs, Sicard’s conception would be that the anesthesia is not a truly hysterical one but belongs to the group of physiopathic phenomena.
  • 67. Contracture: Hysterotraumatic. Case 390. (Sollier, January, 1917.) A sailor, 41, got hygroma of the right knee in 1915, was operated on in July, returned to his dépôt a month later, and thence to Vizille Urage by reason of contracture in extension of the right leg. It was thought he was simulating (since there was no muscular atrophy), and he was sent to the neurological center, where under anesthesia the joint was found free. This man developed, when the knee was bent, extraordinary cracklings in the joint, and he showed pain unequivocally, making a defensive movement, partly reflex, partly voluntary, when the leg was flexed beyond a certain point. There was 3.5 cm. atrophy in the thigh, a reflex atrophy due to the joint disorder. There were no other signs of hysterotraumatic contracture. According to Sollier, the diagnosis of hysterotraumatic contractures depends upon: first, a characteristic special attitude of the contractured limb; secondly, the participation of the antagonists as a group (global); thirdly, the superposition of sensory disorder upon motor disorder (Charcot’s law); fourthly, the segmentary topography of sensory disorder; fifthly, the extension of the contractured joint; sixthly, the persistence of the contracture in the same form, whether at rest or in attempted movements; seventhly, muscular rigidity; eighthly, normal tendon reflexes; ninthly, normal electrical reactions (though R. D. is hard to determine in muscles contracted to the maximum); tenthly, special reactions during attempts to reduce, such as pains, and equal and regular resistance to changed attitude, pseudoclonus in cases of foot contracture; eleventhly, immediate reproduction of the contracture after reduction under chloroform; twelfthly, co-existence of various hysterical stigmata.
  • 68. Crural monoplegia, tetanic. Recovery. Case 391. (Routier, 1915.) An ensign was wounded by a shell splinter in the right scapular region September 25, 1915. A large hematoma was drawn off and drains inserted. Antitetanic serum was given 24 hours after the trauma. The wound looked well. The patient complained merely of the heaviness of his arm, and after September 27, the temperature fell to normal. Magnesium chloride solution was applied every other day, and progress was so good that evacuation was ordered. However, October 8, the patient suddenly began to complain of a sharp pain in the right thigh, which next day became intolerable and threw the muscles into a slight contracture, the adductors being extremely stiff. Headache developed in the course of the day, with slight stiffness of neck, exaggeration of reflexes in the right leg, and ankle clonus. Temperature: 37.6 morning, 38.5 evening. The patient was isolated and given chloral. October 10, paroxysmal crises of pain, more marked stiff neck, and lumbar stiffness appeared, with nervousness, photophobia, and hyperesthesia to noise. The wound seemed to be doing well. Chloral was given. Slight trismus developed October 11. The tongue became dry and the patient drank little. The condition held and the same treatments were repeated up to October 15, when the temperature fell and the contractures and pains were diminished. The chloral was continued. There were still a few cramps in the neck. October 22, however, the patient was practically well.
  • 69. We are here dealing with an instance of local tetanus of monoplegic form, developing a fortnight after the wound (there is an early group developing, as a rule, from the fifth to the tenth day, and a group of later development, after the twentieth day; the interval in this case was of intermediate duration). According to Courtois-Suffit and Giroux, the differential diagnosis is not easy, since, besides tetanus, must be considered tetany, spastic monoplegia of cerebral or spinal origin, partial hemiplegia, peripheral neuritis, contractures due to bone, joint, muscle or tendon lesions, strychnine intoxication and hysterical contractures. Three cases out of six described by Routier were fatal. Re differential diagnosis of tetanic conditions, see Courtois-Suffit and Giroux in the Collection Horizon. The cases as a rule appear in subjects that have had serum treatment, and may occur in subjects in whom no trismus ever develops (the above case showed slight trismus). The recognition of localized tetanic contracture is based upon (a) the intensity of the contracture, which causes the limb to feel wooden (in one case the foot, leg, and thigh were welded to the pelvis like an iron bar); (b) paroxysmal contractions resembling those of tetanus, confined to one limb, and started by a variety of external causes, forming the principal symptom in the disease; (c) contracture of comparatively brief duration (hardly ever over two or three weeks). A slight fever may help in the differential diagnosis.
  • 70. Wound of left leg: Local spasms, later contracture, and painful crises (these associated with suppuration), the whole treated as tetanic. Case 392. (Mériel, 1916.) An infantryman was wounded by shell fragments September 28, 1915, at Virginy and was given a first dressing an hour later and a second at the ambulance, where antitetanic injection was also made. October 3, the patient arrived at Foix, showing a superficial wound of the left frontal region, a penetrating wound of the upper third of the left thigh, and another in the lower third of the left lower leg. The evening of October 8, the man began to feel pain in the left leg, though the wounds looked well and there was no fever. October 9, sudden involuntary contractions of the left leg developed, and these increased in amplitude if the limb was touched. The other extremities were normal. Temperature 38.2; pulse 102. Restlessness at night. Next day 10 c.c. of antitetanic serum was administered and more on the 11th, with chloral and isolation; but on the evening of the 11th, with the contractions still completely localized to the left lower extremity, came an extremely painful crisis interfering with sleep and at last requiring morphine. Up to the 15th the antitetanic injections, chloral and morphine were continued, but on the 15th the contractions were replaced in part by a contracture affecting the muscles of the posterior aspect of the thigh. In the meantime, the patient howled with pain, especially in the night. Chloral and morphine were given.
  • 71. During the next five days the contractures and pains became still more violent, and on the 21st the antitetanic injections were begun once more and kept up through the 26th in 5 c.c. doses. The patient began to urinate in bed and to be delirious. The contractions now disappeared, but the contracture persisted. Antitetanic serum was given every other day from October 28 to November 2; every third day from November 4 to November 19; every fourth day from November 22 to December 3; and every fifth day from December 3 to December 17. The chloral was diminished from 15 to 5 grams per diem and by the 20th of December all administration of chloral had ceased. The morphine was given up December 25. The tetanic symptoms of the left leg now gradually diminished. The leg, which had been flexed at a right angle, began to extend little by little, and the toes, which had been strongly flexed, reassumed their normal position. The wounds suppurated freely during the tetanic crises, but then healed. In January the man could get up and walk, dragging his leg somewhat, and January 20 a complete recovery had been obtained. There was no hysteria in the history of this patient, although the man was subject to “professional” alcoholism, being carter for a wholesale wine dealer, drinking 5 liters of wine a day.
  • 72. Shell-shock by windage: Hysterical paraplegia, flaccid type, develops 10 days later, after strain, capture, privation, recapture. Paraplegia at first complete. Recovery by suggestion (one séance). Case 393. (Léri, February, 1915.) A corporal, 21, told how at Goselmind, during the Sarrebourg retreat, August 20, 1914, a shell burst a meter behind him, flattening his knapsack, throwing him to the ground, blowing him forward (as he said, by the pressure of the air) seven or eight meters, leaving him stunned though conscious for about twenty minutes. Uhlans fell upon him but did not trouble themselves further with him as he could not walk. He crawled along on elbows and knees about a kilometer and a half to some Frenchmen in a wood. He now found himself able to walk a whole day supported by two comrades, making about 12 kilometers. He got by carriage to Gerbéviller, but here fell again into the hands of Germans, who left him nine days in the corner of a barn without care. Gerbéviller was retaken, and he was evacuated to Bayon. He had now had for some time pains in the kidney region below the point struck, some difficulty in turning his head, and some numbness and jerkings in the legs; and the legs that had carried him 14 kilometers were unable to move at all, even in bed. It was only 8 days later that he could perform the slightest movement, and two months followed before he could go a few steps on crutches. December 14, three months and a half after his accident,—he was demonstrated as “spinal contusion.” Upon examination, however, there were no reflex disorders, no sensory disorders, and the muscular weakness was equal in all parts of the lower extremities
  • 73. and trunk. On crutches, he lunged the trunk forward, painfully dragging his legs one after the other, the right foot in external rotation, never passing the left foot, toes scraping ground,—a functional flaccid paraplegia, completely dissolved by suggestion at a single sitting.
  • 74. Scalp wound; probably no loss of consciousness: Quadriparesis, later paraplegia; tremors; profound sensory disorders, some apparently hysterical; cataleptic rigidity of (anesthetic) legs on passive movement. Diagnosis? Case 394. (Clarke, July, 1916.) A soldier, 40, got a scalp wound but probably did not lose consciousness. However, when observed three months after the injury, though fat and well-looking, the patient could not stand or walk, and his hands and arms were feeble. He complained of headache, insomnia and anorexia, and remained in a state of mental inertia. All efforts to read and write produced fatigue. Memory was bad both for remote and for recent events. He was able to feed himself slowly, execute a few movements of arms and hands, and raise his feet from the bed. Upon passive movement, there was a sort of spastic state, which did not amount to a true rigidity. Now and then a clonic spasm was induced by such passive movements. After the repetition of those few voluntary movements which were possible, the muscles passed into a flaccid condition. There was a tremor of a type called swooping; the tremor resembled that of Friedreich’s disease, such as is thought to occur in cases of marked loss of muscular sense. The deep reflexes were exaggerated. Concentric narrowing of the visual fields was easily induced by testing them. There was a general slight dulness of perception on sensory tests. There was astereognosis, and apparently an absolute loss of position sense. Movements of the large joints through an angle of 90 degrees were, however, vaguely recognized. Although the patient could not touch, for example, his left forefinger with his right, yet, if he had once seen the position of a limb and it was not moved, he could remember its position and touch it after some time.
  • 75. His localizing sense was from two to four inches out in the hands, the localization being generally of points proximal to the point tested. Two months later the patient was somewhat less dull and apathetic. His memory had improved. He was able to read, and he was successfully making a rug; but the legs were worse, having become anesthetic to touch and pain. When the legs were placed in any position, they would assume a cataleptic rigidity, and remain rigidly fixed in any position for some time. The patient could sit up in bed. The muscles were well nourished and the electric reactions were normal. Re catatonic rigidity, see Case 389 (Sollier).
  • 76. Shell explosion; pitched in air: Spasmodic contractions of sartorii, persistent in sleep. Case 395. (Myers, January, 1916.) A private, 23, was admitted to a casualty clearing station and the next day told the examiner, Major Myers, that the Germans had been sending whizz-bangs and coal-boxes over, and the last he remembered was being on guard and then digging himself out of fallen sandbags. His comrades told him that he had been pitched in the air, but this he did not remember. He remembered running to the shell trench, but finding this “too hot,” he returned to the firing trench, noticing on the way that he could not see well. He lay in the dug-out, flinching at each shell, and “trying to get into the smallest possible corner.” He tried to do guard duty that night, but, when some one noticed involuntary spasmodic movements, he was ordered to go back to the dug-out, was helped to the regimental aid post by two men, and was sent to hospital. He had been in France eight months and had been shaken up somewhat four months before, when bombs threw dirt in his face. At that time, his hands and handwriting had become tremulous, but he had not reported sick. He was depressed and wanted Major Myers to make him well. It seems that he had shrugged his shoulders and made leg movements, diving beneath the bedclothes, and bringing his knees to his chin. When Major Myers examined him, the leg movements were due solely “to strong periodic simultaneous contractions of the two sartorius muscles, the rate of contraction of which varied from 60 to 70 per minute, increasing to 90 during the excitement of examination.” There were special changes of sensibility in the right leg and arm and right side of the face and chest, not involving the abdomen. The patellar reflex was exaggerated; plantar reflexes
  • 77. could not be obtained. The legs were tremulous, especially when the patient lifted them, whereas the hands and tongue were only faintly tremulous. Under light hypnosis, events in the amnestic period were recalled, and details as to the shell’s direction, process of lifting up, and fall. Under deeper hypnosis, the sartorius contractions diminished but did not disappear. Appropriate suggestion was made, and upon arousal from hypnosis, the movements ceased, the headache disappeared, memory was recovered, and the unilateral disturbances of sensibility had vanished. As to the possibility of malingering in this case, Major Myers calls attention to the disorders of sensibility which he believes could hardly have been simulated, to the persistence of spasmodic movements during sleep, to their confinement to the sartorii, and to the spastic condition of legs, such that when the thighs were passively raised the knees remained extended. Re persistence of hysterical phenomena in sleep, Ballet felt that he could prove that some hysterical contractures persisted during sleep, and Sollier has written a special article to the same effect. Ballet’s case had a contracture developing after an operation on the first metacarpal bone. The contracture which followed would be then probably, upon Babinski’s analysis, a reflex contracture and not a hysterical one. Duvernay, Sicard, and Babinski himself have noted the persistence of reflex contractures during sleep, to say nothing of their persistence under an advanced stage of chloroform narcosis. In fact, these reflex contractures are exactly as fixed and persistent as contractures of clearly organic origin. It is probable that Babinski would define Myers’ case (395) as a physiopathic one; yet against this diagnosis would be the disappearance of the movements after hypnosis. As against hysteria, it will be noted that the patellar reflex was exaggerated, and that the plantar reflexes could not be obtained.
  • 78. Shell-shock: Brown-Séquard syndrome, hematomyelic? Case 396. (Ballet, August, 1915.) A soldier, 24, went to the front November 12, 1914, and June 1, 1915, had a shell burst near him in the trench, on the occasion of which he felt a violent shock, as if a blow in the kidneys. He felt suddenly paralyzed in both legs. He was crouching at the time of the shell burst. His legs felt dead, and he had such violent pain in the thorax as to make breathing difficult. He was carried to a shelter. After a few hours, the left leg began to move again. He was carried to the ambulance, remaining there five days, unable to walk, though able to move and turn in bed, slightly constipated, with persistent pains in back. He was then carried to Auxiliary Hospital 231, at Paris, and a bullet (!) was found superficially lodged in the region of the left scapula. Neither patient nor physicians had hitherto observed the bullet, which could have had nothing to do with any spinal lesion. The pains, in the course of a month, grew less, and at the end of two or three weeks he began to walk and was sent to the psychoneurosis service at Ville-Évrard, July 10. He then complained of pain in the right thorax, especially on movement or after sitting up some time. He could hardly bring himself to the sitting posture from the bed, and found difficulty in raising the right leg therefrom. In walking, the right leg was dragged behind. The reflexes were increased on the right side. There was ankle clonus without Babinski sign. Anesthesia to touch over the whole of the left leg. Anesthesia to pin prick and temperature as far as the umbilicus. Cold was not felt on the left side.
  • 79. The water of a bath seemed lukewarm on the left side and warm on the right. The left side of the scrotum and the left half of the penis showed the same disorder of sensibility. There was a zone of hypesthesia on the right side of the thorax in the region of the lower ribs. The patient compared his sensations while at rest and without contact to a sensation of painful pressure occurring intermittently, or rather in paroxysms, not advancing beyond the median line of the back. Here was a question of Brown-Séquard syndrome, probably due to a slight hematomyelia, but associated with no external lesion or any injury to the vertebral column. Re Brown-Séquard’s syndrome, see Athanassio-Benisty with respect to spinal cord symptoms associated with lesions of the brachial plexus. It appears that the combination of spinal cord and brachial plexus injury is not uncommon. Note in this case that a bullet was found in the left scapula region. According to Ballet, this bullet could have had nothing to do with a spinal lesion.
  • 80. Violence to back: Dysbasia. Antebellum injury. Case 397. (Smyly, April, 1917.) A man (also injured in 1906 by the fall of a heavy weight on his back) went to France in 1914 as a soldier, and eight months later was hurled into a shell hole so that his back struck the edge. He was rendered unconscious. Upon recovery of consciousness, the right leg was found to be swollen, and there were severe pains in the legs and back. Upon return home the patient went from one hospital to another, for the most part unable to walk, suffering from agonizing pain in head and eyes. Insomnia and waking dreams. He was able to bring himself to an upright position and to rush a few steps. He has now acquired considerable control of the feet by the aid of crutches. Insomnia persisted.
  • 81. Dysbasia: Psychogenic (cerebellar nucleus (?)) Case 398. (Cassirer, February, 1916.) On March 9, 1915, a shell wounded a man slightly, and burned off some of the hair of his head. He was unconscious two days, and on waking vomited for a time. Shortly after the injury difficulties in standing and walking set in, with headache, noises in the left ear, difficulty in the intake of ideas, excitability, and poor memory. Then, slight improvement. About the middle of June he was no longer closely confined to bed and could take a few steps with two canes; but the gait was still unsteady and the left leg tended to make abnormal-looking movements. There was nystagmus, rapid, though constant, on looking to the left,—more in the left eye; and nystagmus on looking to the right,—more in the right eye. Adiadochokinesis absent. Vestibular nerve somewhat excitable. Deviation outward in finger-pointing test. According to Cassirer, this case is one largely of psychogenic origin, with possibly an organic cerebellar nucleus. The knee-jerks absent (even up to March 31). W. R. negative.
  • 82. Shell-shock; unconsciousness: Dysbasia, in part hysterical, in part organic (?). Case 399. (Hurst, May, 1915.) A private, 29, was knocked over by a shell explosion December, 1914. He was unconscious two days, found that he could not move either right arm or left leg, got some power back shortly, but, if he tried to stand, experienced involuntary violent movements in the left leg. April 1, 1915, response to questions was slow and speech slow. The right arm and grip were weak. If the left hand was clenched, there was an associated movement of the right hand; but on clenching the right hand, no associated movement was produced in the left. The musculature was equal on the two sides, and the tendon reflexes of the arms were brisk and equal. Light tactile stimuli were hard to localize. Movements of the left leg were somewhat weak, though the musculature was equal on the two sides. The knee-jerks were brisk, the left slightly brisker. Sometimes a well-marked ankle clonus could be obtained on the left side, but sometimes not. The plantar reflex was constantly flexor. Babinski’s second sign (combined flexion of thigh and pelvis) was well marked on the left side. On attempts to walk, the left leg would move rapidly from side to side, round the point of contact of toes with ground. When a step forward was taken with the right leg, the left one dragged, and made irregular movements. This gait seemed obviously hysterical. The patient was kept in hospital for a month. He was very easily hypnotizable, but even in
  • 83. deep hypnosis leg movements could not be controlled when he was told to walk. The first whiff of ether hypnotized but did not cure him. On the whole, upon review, Hurst believes that there may have been organic brain changes, which (a) the associated movement of the paralyzed hand when the normal hand was contracting, (b) the slightly increased left knee-jerk, (c) tendency to ankle-clonus, and (d) Babinski’s second sign, may show.
  • 84. Peculiar walking tic. Case 400. (Chavigny, April, 1917.) A soldier was found with a peculiar walking tic. He would rest a good deal longer on the left leg than on the right. He would make a sudden movement of the right leg forward, as if on a spring. At the same time, the man’s head would give a violent movement to the right just as the right leg was receiving the weight of the body. The idea of this movement seemed to be that the center of gravity would be shifted and the work of the right leg would be relieved. This peculiar walk was naturally very slow. If the walk was slowed down, it became quite normal. There was no pain at the basis of this walk. If the man hopped, he hopped no more painfully on the right leg, nor with greater difficulty, than upon the left. This man was guilty of desertion in the face of the enemy, and of desertion in the interior in time of war. He said he could not walk well and that he needed to take care of himself at his mother’s house, as he was not considered sick in his regiment. He had been wounded with two bullets, September 28, 1914, which struck him on the internal aspects of the knees. He was treated in hospital from October to the end of November, 1914; was held at the dépôt of his regiment from December to August, 1915. He was then put in hospital a month, and returned to his dépôt for three more months. He was examined by three physicians in August, 1915, and the commission decided that he was fit for service, and a simulator. Thorough examination, including electrical and X-ray examinations, showed no lesion. Chavigny observed the patient for a long time, from the 21st of November, 1916, to January 5, 1917. Shells dropped near the hospital, December 2, and, following orders,
  • 85. the patients were taken into a vaulted cellar, and they ran thither very rapidly; but this patient could not hurry. He walked slowly, with the same tic. Surely the tic would be rather a difficult one to imagine, and a somewhat more probable set of symptoms would ordinarily be chosen. The man has not the unstable nature of the ordinary victim of tic. On the contrary, he has rather the invincible obstinacy of a hysterotraumatic. On being shown that he could walk properly without these “para” movements, he would reply, “I can’t do anything else,” and he shook his head upon being told that he could be cured. Reëducation of his anesthetic areas (there was a zone of diminution in sensibility to pin-prick in the knee region, and a complete anesthesia of the sole of the foot, with abolition of the plantar reflex), reëducation by appropriate gymnastics, and mental reëducation, might be attempted in a special neurological hospital. Re disorders of gait, Laignel-Lavastine and Courbon divide functional gait disorders into three groups: (a) A group called dynamogenic; (b) an inhibitory group; and (c) a group showing both forms of disorder. Roussy and Lhermitte have attempted to divide the gait disorders into two groups: (a) A group termed by them basophobic, in which there is a marked psychogenic and emotional basis; and (b) a dysbasic group, the basis of which is suggestion rather than emotion. Following is a skeleton of their classification: 1. Astasia-abasia and dysbasia group. Astasia-abasia. Pseudo tabetic dysbasia. Pseudo polyneuritic dysbasia. Tight-rope walker’s gait. Scrubber’s gait. Choreiform dysbasia. Knock-kneed gait. Walking as if on sticky surface.
  • 86. Bather’s gait. 2. Stasobasophobia group. 3. Habit limping.
  • 87. Mine explosion; unconsciousness: Camptocormia. Hospital rounder twenty months (bedfast five months) without complete neurological examination. Cure by persuasive electrotherapy in one hour. Case 401. (Marie, Meige, Béhagne, February, 1917; Souques and Mégevand, February, 1917.) A man became a hospital rounder to all points of the compass in France during a period of twenty months, with such diagnoses as myelopathic disorder, complex spinal trouble, ataxic phenomena. As a matter of fact he was a camptocormic: trunk bent, knees semi-flexed, legs in external rotation. He used two canes in locomotion, made a bowing movement with each 20 cm. step, then another bowing movement, and another little step with the other foot. Made to lie down, his legs would elongate, the right completely but the left with some difficulty, the feet going into hyperextension, with the big toe raised, others flexed; the feet externally rotating, plantae turned in. In horizontal decubitus, there was only slight lumbar discomfort, but the legs stiffened and gave quick convulsive jerks. Taking the posture several times in succession would diminish these phenomena. Kneeling, he could bring his heels within 10 cm. of the buttock, whereas in spontaneous flexion of the leg on the thigh, the knee remained a distance of 40 cm. from the buttock. A complete examination showed no joint disorder or any diminution in muscular strength, or any reflex disorder except that all the tendon reflexes were rather powerful. There was a question of possible X-ray demonstration of lesions and ankylosis of the fourth and fifth lumbar vertebrae, and there was a question of some incontinence of urine. On the basis of these phenomena apparently,
  • 88. this camptocormic patient had been saddled with the diagnosis of myelopathic and ataxic disorder for a period of 16 months. A neurologist was at last consulted, and on his advice, it proved possible to get the patient evacuated to a neurological center in a period of four months. Facts of this species are unfortunately still too common, state Marie, Meige and Béhagne, February 1, 1917, despite the remarkable and rapid cures obtained in camptocormia by Souques. In point of fact, no complete neurological examination had been performed upon this man during a period of 20 months. This particular patient was given to Souques for treatment (Souques and Mégevand). His cure was completed by persuasive electrotherapy, in an hour. It appears that the man was buried in a mine explosion, June 5, 1915, lost consciousness and came to twenty hours later, able to rise and take a few steps, but bent in two with a sharp dorsolumbar pain. The pain grew more violent and generalized during the next few days, and he began to lose all power in his legs, so that he could walk with the greatest difficulty. He was practically bedfast for five months. He then tried to rise and walk, but suffered so much that he could not get up except in a camptocormic position. It was in fact only January 23, 1917, at the Salpêtrière, that the diagnosis of camptocormia was made. The man complained of pains at the lower dorsal and lumbar regions of the spinal column with slight irradiation sidewise. The following diagnoses had been made: June 8, 1915. Severe contusion of chest and back. July 9, 1915. Multiple contusions, commotio spinalis; lesions and ankylosis of the 4th and 5th lumbar vertebrae (X-ray examination). Sept. 3, 1916. Lumbar intervertebral arthritis with compression of roots. Nov. 4, 1916. Myelopathic disorder. Dec. 5, 1916. Old complex spinal disorder.