
International Journal of Computer Networking, Wireless and Mobile Communications (IJCNWMC)
ISSN(P): 2250-1568; ISSN(E): 2278-9448
Vol. 6, Issue 5, Oct 2016, 33-40
TJPRC Pvt. Ltd.

INSTRUMENT AND TECHNOLOGY FOR COMPUTER FORENSIC: RESEARCH IN GHANA

NANA KWAME GYAMFI1, LILY EDINAM BENSAH2, MAKAFUI NYAMADI3 & RICHARD AGGREY4

1 Computer Science Department, Kumasi Polytechnic-Kumasi, Ghana
2, 3 Computer Science Department, Ho Polytechnic, Ghana
Department of Information Technology, Ghana Technology University College, Ghana
ABSTRACT
With the increased use of information technology and the Internet all over the world, there is an increased amount of criminal activities that involve computing and digital data. These digital crimes (also known as e-crimes) impose new challenges on prevention, detection, investigation, and prosecution of the corresponding offences. Computer forensics (also known as cyber forensics) is an emerging research area that applies computer investigation and analysis techniques to help detection of these crimes and gathering of digital evidence suitable for presentation in the law courts. This new area combines the knowledge of information technology, forensic science, and law and gives rise to a number of interesting and challenging problems related to computer security and cryptography that are yet to be solved. In this paper, we present and discuss some of these problems together with a computer forensics technology tool called DESK, which will enable the law enforcement departments to detect and investigate digital crimes more efficiently and effectively. We believe that computer forensics research is an important area in applying security and computer knowledge to build a better society in Ghana.
KEYWORDS: Computer Security, Computer Forensics, Digital Crimes, Forensics Technology, Cryptography

Original Article

Received: Aug 16, 2016; Accepted: Aug 30, 2016; Published: Sep 14, 2016; Paper Id.: IJCNWMCOCT20164

INTRODUCTION
The use of the Internet and information technology has been growing tremendously all over the world. In Ghana, according to the surveys conducted by the Census and Statistics Department of the Government and our group, the percentage of households with PCs at home that are connected to the Internet has increased by more than half from 2004 to 2014 (see Table 1), while for the business sector, the percentage of business receipts through electronic means has increased (see Table 2). Our group also found that Internet cafés increased by more than 75% from 2004 to 2014. As one may expect, the amount of criminal activities that involve computing and digital data (digital crimes) has also increased [4]. From the statistics provided by the Ghana Police Service, the number of digital crimes in Ghana has increased from 2004 to 2014.
Table 1: Penetration of Information Technology in Households

                                                       2004     2014
Households with PCs at home                            3%       45%
Households with PCs at home connected to Internet      0.06%    5%

www.tjprc.org    editor@tjprc.org

Table 2: Penetration of Information Technology in the Business Sector

                                                       2004     2014
Establishments with personal computers                 10%      68%
Establishments with Internet connection                1%       46%

These digital crimes impose new challenges on prevention, detection, investigation, and prosecution of the corresponding offences. Computer forensics is an emerging research area that applies computer investigation and analysis techniques to help detection of these crimes and gathering of digital evidence suitable for presentation in courts [1]. While forensic techniques for analysing paper documents are very well established, very few of these techniques can be applied to digital data, and they were not designed for collecting evidence from computers and networks [1]. This new area combines the knowledge of information technology, forensic science, and law and gives rise to many interesting and challenging problems related to computer security and cryptography that are yet to be addressed.
Among other issues in collecting evidence from computers, one fundamental difference between paper documents and digital data is that electronic data can be easily copied and modified. A suspect may easily argue that the evidence found in his/her computer was implanted or modified by the law enforcement agency after the computer has been seized by the agency. It is very important to verify the file system integrity of the suspect's computer after it has been seized by the law enforcement agency.
Another issue is that there are many different file formats, operating systems and file system structures. Electronic documents can be generated by various kinds of application programs, such as word processors, spreadsheet software, database software, graphic editors and electronic mail systems. The documents can be stored as user files in user directories, or as fake system files in the system directories, or as hidden files. Sometimes, evidence can also be found in deleted files. When a file is deleted, the operating system usually only removes the references to the file in the file allocation table (FAT). The actual content of the file is still physically stored on the disk until that area has been overwritten by another file. It is a time-consuming task to inspect every possible storage area of the whole computer for potentially useful evidence. Moreover, it is also not feasible to check every file using all available application programs manually. In this paper, we will briefly describe a cyber crime evidence collection tool [2] called Digital Evidence Search Kit (DESK), which tries to handle the above problems. DESK is the product developed by a Hong Kong research group. We therefore introduce this forensic technology tool to be used by the Ghana police services for digital investigation.
Forensic Tools
These are tools for analysing a breach in security in some way. Typically they are used for collecting data about the breach after the fact, or for analysing software to see how it performs the attack.
During the 1980s, most digital forensic investigations consisted of "live analysis", examining digital media directly using non-specialist tools. In the 1990s, several freeware and other proprietary tools (both hardware and software) were created to allow investigations to take place without modifying media. This first set of tools mainly focused on computer forensics, although in recent years similar tools have evolved for the field of mobile device forensics [5].
Impact Factor (JCC): 6.2143

NAAS Rating: 3.27


Computer forensics is an important branch of computer science in relation to computer and Internet related crimes. Earlier, computers were only used to produce data, but now it has expanded to all devices related to digital data. The goal of computer forensics is to perform crime investigations by using evidence from digital data to find who was responsible for that particular crime.
For better research and investigation, developers have created many computer forensics tools. Police departments and investigation agencies select the tools based on various factors including budget and available experts on the team.
These computer forensics tools can also be classified into various categories:

- Disk and data capture tools
- File viewers
- File analysis tools
- Registry analysis tools
- Internet analysis tools
- Email analysis tools
- Mobile devices analysis tools
- Mac OS analysis tools
- Network forensics tools
- Database forensics tools

Also, this paper lists a few important and popular data forensics tools, with some of their costs and the kind of platform they perform better on. These are:
Digital Forensics Framework
Digital Forensics Framework is another popular platform dedicated to digital forensics. The tool is open source and comes under the GPL License. It can be used either by professionals or non-experts without any trouble. It can be used for digital chain of custody, to access remote or local devices, forensics of Windows or Linux OS, recovery of hidden or deleted files, quick search for files' metadata, and various other things.
Open Computer Forensics Architecture
Open Computer Forensics Architecture (OCFA) is another popular distributed open-source computer forensics framework. This framework was built on the Linux platform and uses a PostgreSQL database for storing data. It was built by the Dutch National Police Agency for automating the digital forensics process. It is available to download under the GPL license.


CAINE
CAINE (Computer Aided Investigative Environment) is the Linux distro created for digital forensics. It offers an environment to integrate existing software tools as software modules in a user-friendly manner. This tool is open source.
X-Ways Forensics
X-Ways Forensics is an advanced platform for digital forensics examiners. It runs on all available versions of Windows. It claims to not be very resource hungry and to work efficiently. Its key features are listed below:

- Disk imaging and cloning
- Ability to read file system structures inside various image files
- Support for most file systems including FAT12, FAT16, FAT32, exFAT, TFAT, NTFS, Ext2, Ext3, Ext4, Next3, CDFS/ISO9660/Joliet, UDF
- Automatic detection of deleted or lost hard disk partitions
- Various data recovery techniques and powerful file carving
- Bulk hash calculation
- Viewing and editing binary data structures using templates
- Easy detection of and access to NTFS ADS
- Well-maintained file header
- Automated activity logging
- Data authenticity
- Complete case management
- Memory and RAM analysis
- Gallery view for pictures
- Internal viewer for Windows registry files
- Automated registry report
- Extraction of metadata from various file types
- Ability to extract emails from various available email clients
- And some more

SANS Investigative Forensics Toolkit SIFT
SANS Investigative Forensics Toolkit or SIFT is a multi-purpose forensic operating system which comes with all the necessary tools used in the digital forensic process. It is built on Ubuntu with many tools related to digital forensics. Not long ago, SIFT 3.0 was released. It comes free of charge and contains free open-source forensic tools.
In a previous post at resource.infosecinstitute.com, we already covered SIFT in detail. You can read those posts about SIFT to know more about this digital forensics platform.
EnCase
EnCase is another popular multi-purpose forensic platform with many nice tools for several areas of the digital forensic process. This tool can rapidly gather data from various devices and unearth potential evidence. It also produces a report based on the evidence. This tool does not come free. The license costs $995.
Registry Recon
Registry Recon is a popular registry analysis tool. It extracts the registry information from the evidence and then rebuilds the registry representation. It can rebuild registries from both current and previous Windows installations. It is not a free tool. It costs $399.
The Sleuth Kit
The Sleuth Kit is a UNIX and Windows based tool which helps in forensic analysis of computers. It comes with various tools which help in digital forensics. These tools help in analysing disk images, performing in-depth analysis of file systems, and various other things.
Libforensics
Libforensics is a library for developing digital forensics applications. It was developed in Python and comes with various demo tools to extract information from various types of evidence.
Volatility
Volatility is the memory forensics framework. It is used for incident response and malware analysis. With this tool, you can extract information from running processes, network sockets, network connections, DLLs and registry hives. It also has support for extracting information from Windows crash dump files and hibernation files. This tool is available for free under the GPL license.

THE DIGITAL EVIDENCE SEARCH KIT


DESK (The Digital Evidence Search Kit) is a general-purpose computer forensics system focusing on integrity control of the digital data. There are two design objectives of this tool. One of the objectives is to ensure the validity and reliability of the digital evidence. Once it has been proved that the tool has been used properly and in compliance with the Evidence Ordinance [2], the digital evidence found in the suspect's computer can be presented and used in courts for prosecution.
Another objective is to provide an efficient and automatic search function to search for digital materials that can be used as evidence for the crime. DESK is also specially designed to be used in the bilingual environment of Ghana, so it is capable of searching word patterns in both English and Chinese.
The Framework of DESK
The DESK system consists of a DESK machine, which is typically a notebook computer with a serial port, and a floppy diskette used to start up the suspect's machine (subject machine). The DESK machine will be connected to the subject machine using a serial (RS-232) cable. There are two software components of DESK: the DESK client that is installed on the DESK machine; and the DESK server that is contained on the floppy diskette to be executed on the subject machine. The DESK client is mainly used to provide a user interface for issuing commands to inspect the subject machine. The DESK server component, installed on the floppy diskette, has additional functionalities which include the following.

- To start up the subject machine: Usually the files (e.g. system files) in the subject machine will be modified if it is booted up by its own operating system.
- To lock the subject machine: This is to protect the subject machine from any accidental corruption by the interrupts of the machine. This step is important as it can ensure that the content found on the subject machine cannot be modified, thus ensuring the integrity of the subject machine while various forensic operations are being performed.
- To provide a simple user interface for simple search operations: The user interface is much less sophisticated than that of the DESK client running on the notebook because of the storage limitations of floppy diskettes.

There are two main operations of DESK: keyword search and file system integrity checker.
Keyword Search: A pre-defined text pattern file, which contains important keywords that can be specific to a particular case, in Chinese and/or English, to be searched for on the subject machine, is used for three different types of search, namely physical search, logical search and deleted file search [3]. Physical search performs a search of the patterns in each physical sector of the subject machine's storage system. E-crime evidence stored purposely in unused sectors can be found. Logical search, on the other hand, makes use of the information about the file system, so patterns stored across different sectors can be found. Deleted file search will try to locate the deleted file, provided it is not yet overwritten by another file, and perform the pattern search on these files.
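The three search types can be contrasted on a toy disk. The following is an added example, not DESK code and not from the paper: the 512-byte sector size, the dictionary used as a file table, the two text encodings and all sample strings are constructed assumptions. A keyword that straddles two fragments of a file is missed by the per-sector scan but found once the file is reassembled, while text parked in an unreferenced sector is found only by the per-sector scan.

```python
# Added example (not DESK code): three keyword-search modes on a constructed image.
SECTOR = 512  # assumed sector size

def build_image():
    """Return (raw image bytes, toy file table) for an 8-sector constructed disk."""
    sectors = [bytearray(SECTOR) for _ in range(8)]
    # Live file fragmented over sectors 2 and 5; "ransom" straddles the break.
    live = b"A" * 508 + b"ransom note for the victim"
    sectors[2][:] = live[:SECTOR]
    sectors[5][:len(live) - SECTOR] = live[SECTOR:]
    # Deleted file: the table entry is flagged, but sector 3 still holds the content.
    old = b"wire the ransom to account 42"
    sectors[3][:len(old)] = old
    # Keyword parked in sector 7, which no file table entry references.
    hidden = "密码 is hunter2".encode("utf-8")
    sectors[7][100:100 + len(hidden)] = hidden
    table = {
        "note.txt": {"chain": [2, 5], "size": len(live), "deleted": False},
        "old.txt": {"chain": [3], "size": len(old), "deleted": True},
    }
    return b"".join(sectors), table

def patterns(keywords, encodings=("utf-8", "utf-16-le")):
    """Byte patterns for each keyword in each encoding (English or Chinese)."""
    return [(kw, kw.encode(enc)) for kw in keywords for enc in encodings]

def physical_search(image, keywords):
    """Scan every sector on its own, whether or not a file owns it."""
    hits = []
    for n in range(len(image) // SECTOR):
        sector = image[n * SECTOR:(n + 1) * SECTOR]
        hits += [(kw, n, sector.find(p)) for kw, p in patterns(keywords) if p in sector]
    return hits

def file_search(image, table, keywords, deleted):
    """Logical search (deleted=False) or deleted-file search (deleted=True):
    rebuild each file from its sector chain, then search the joined content."""
    hits = []
    for name, meta in table.items():
        if meta["deleted"] != deleted:
            continue
        data = b"".join(image[s * SECTOR:(s + 1) * SECTOR] for s in meta["chain"])
        data = data[:meta["size"]]
        hits += [(kw, name, data.find(p)) for kw, p in patterns(keywords) if p in data]
    return hits

if __name__ == "__main__":
    image, table = build_image()
    kws = ["ransom", "密码"]
    print("physical:", physical_search(image, kws))
    print("logical: ", file_search(image, table, kws, deleted=False))
    print("deleted: ", file_search(image, table, kws, deleted=True))
```
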
File System Integrity Checker: There are two functions in this checker. Firstly, it is to ensure the integrity of the file system of the subject machine. We compute a hash value of the whole file system (e.g. a hard disk) of the subject machine. By recording this hard disk hash value properly, the law enforcement agency can easily prove that the content of the hard disk has not been modified after the machine has been captured by the agency. Also, in order to reduce the possibility of causing accidental damage to the hard disk, usually exact copies of the disk (also called clone images) are made for the subsequent analysis. The hash values of the clone images and the original hard disk can be compared to show that the clone images are exactly the same as the original hard disk.
Secondly, the suspect may store some crime evidence in standard files of common software applications (e.g. freecell.exe). A hash value database that contains fingerprints (hash values) of all files in a standard software distribution is used to compare with the hash values of the corresponding files in the subject machine. More details of the DESK system can be found in [4].
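Both functions of the integrity checker can be sketched in a few lines. This is an added example, not DESK code and not from the paper: SHA-256 is this example's choice (the paper does not say which hash function DESK uses), and the function names, file names and file contents are constructed for illustration.

```python
# Added example (not DESK code): image hashing, clone verification, known-file check.
import hashlib
import os
import shutil
import tempfile

def hash_file(path, algo="sha256", chunk=1 << 20):
    """Hash a file or raw image in fixed-size chunks so it need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_clone(original, clone, recorded):
    """Return (original matches the hash recorded at seizure, clone matches original)."""
    current = hash_file(original)
    return current == recorded, hash_file(clone) == current

def check_known_files(root, known):
    """known maps a lowercase file name to the digests shipped in a standard
    distribution. Returns paths whose name is known but whose content is not."""
    mismatched = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if name.lower() in known and hash_file(path) not in known[name.lower()]:
                mismatched.append(os.path.relpath(path, root))
    return sorted(mismatched)

def demo():
    """Run the checks on constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        disk, clone = os.path.join(d, "disk.img"), os.path.join(d, "clone.img")
        with open(disk, "wb") as f:
            f.write(os.urandom(4096))          # stand-in for the seized disk
        recorded = hash_file(disk)             # value logged at seizure
        shutil.copyfile(disk, clone)
        clean = verify_clone(disk, clone, recorded)
        with open(clone, "r+b") as f:          # flip one bit in the clone
            f.seek(1000)
            byte = f.read(1)
            f.seek(1000)
            f.write(bytes([byte[0] ^ 1]))
        altered = verify_clone(disk, clone, recorded)
        # Constructed tree: one genuine freecell.exe, one carrying other content.
        genuine = b"MZ constructed stand-in for the shipped freecell.exe"
        root = os.path.join(d, "subject")
        for sub, body in (("windows", genuine), ("users", genuine + b" + hidden data")):
            os.makedirs(os.path.join(root, sub))
            with open(os.path.join(root, sub, "freecell.exe"), "wb") as f:
                f.write(body)
        known = {"freecell.exe": {hashlib.sha256(genuine).hexdigest()}}
        return clean, altered, check_known_files(root, known)

if __name__ == "__main__":
    print(demo())
```
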

CONCLUSIONS
In this paper we presented a review of DESK as a forensic tool to be used by the Ghana Police Service for its forensic investigation. There are various issues related to this research. For example, it is likely that there may be missing/bad sectors in the hard disk which may corrupt the data files in the system. How this can be handled to make sure that the recovered part of the files can still be presented in courts needs more investigation. Also, the integrity checker relies very much on the hash functions. With the recent cracking of some well-known hash functions, such as SHA-1 and MD5, a more detailed study should be done to make sure that the validity of the digital evidence is not questionable. We leave the above issues as future research to be conducted.
REFERENCES
1. Frank Adelstein. Live forensics: Diagnosing your system without killing it first. Communications of the ACM, 49(2):63-66, 2006.
2. K.P. Chow, C.F. Chong, K.Y. Lai, L.C.K. Hui, K.H. Pun, W.W. Tsang, and H.W. Chan. Digital evidence search kit. In Proceedings of the First International Workshop on Systematic Approaches to Digital Forensic Engineering, pages 187-194, 2005.
3. K.P. Chow, K.Y. Cheng, L.Y. Man, K.Y. Lai, L.C.K. Hui, C.F. Chong, K.H. Pun, W.W. Tsang, and H.W. Chan. A rule-based bt monitoring scheme for detecting copyright infringement activities, 2007. Manuscript in preparation.
4. The Government of Ghana Special Administrative Regional Police. Technology crime statistics in Ghana, 2014.
5. Casey, Eoghan (2004). Digital Evidence and Computer Crime, Second Edition. Elsevier. ISBN 0-12-163104-4
