Comparing and Contrasting Windows and Linux Forensics. Zlatko Jovanovic. International Academy of Design and Technology

Transcription

1 Comparing and Contrasting Windows and Linux Forensics Zlatko Jovanovic International Academy of Design and Technology

2 Abstract Windows and Linux are the most common operating systems used on personal computers. There are many different versions and editions for both operating systems. Basic differences for those two operating systems influence existing special tools for computer forensics. Knowing the basics of operating system and choosing the right toll is crucial for any computer forensics investigation. This paper will try to name the basic differences, tools and techniques used in both Windows and Linux Forensics. I will not go in detail about the operating systems themselves assuming that the reader knows the basics. Otherwise, it would take much more material than this paper. Keywords: Windows Forensics, Linux Forensics, Operating System, File System.

3 Determining the Operating System Computer Forensics is a discipline concerned with the examination of the computer systems that are involved in the criminal activity, either as a target of the crime, or a tool for committing the crime. One of the very first issues in every computer forensics investigation is determining the Operating System (OS) on a suspect s computer. That is crucial because, if the OS is known, searching for, and finding the incriminating information and data, can be better organized and prepared, and therefore easier. Different OS s have different characteristics that influence certain specific steps in extracting and analyzing data. In some cases, Computer Forensics Investigator would ask for assistance if the OS found on the suspect s computer is not the one he is most comfortable with. That is seen with examining the Linux Os, because it requires good knowledge of the system commands. Most of the examination is done in Command Line Interface (CLI), while in Windows is done using the Graphic User Interface (GUI). Linux and Windows OS have differences that make investigation impossible, and, for data, dangerous, if the OS is not properly determined. Assuming the OS is not an option (Burdach). Basic Differences The biggest differences between Windows and Linux OS are different approaches to system and data files, and user accounts (Volonino, p. 254). For Computer Forensics, this is very important, because connection between data and user has huge impact on evidence found during the investigation.

4 While Windows can have many user accounts with administrative privileges, Linux OS have only one administrative account. That account is called root. This root account has complete control of the system. Administrative users are users that have access to the root account. In order to connect the user with the administrative action performed, logging is essential. Also, in Windows one user can access one application, while in Linux several users can access one application. In both Operating Systems file system is hierarchical, but as Volonino states, another significant difference is that, in Linux, everything including devices, partitions, and folders, is seen as a unified file system. This is important difference for the examination. Devices and physical structure of hard drive are listed in /dev directory (p. 254). Linux hard drive structure consists of: Inodes, Superblock, Data block, and Dentry (Nelson, p. 134) File management system for two OS s is different. Windows could have FAT (with its variations) or NTFS file system, while Linux could have EXT (with its variations) file system. But Linux can accommodate many different file systems by enabling VFS (virtual file system) within the kernel itself. (p. 255). This gives an option to have multiple partitions on the hard drive with both OS installed. In this case files can be accessed from any OS! There are two types of data files to review in Windows OS: user data, and system data and artifacts. User files are added to the system through the installation of the applications, or user creation. In other words, they are created by user, directly or indirectly. Examples are user profiles, program files, temporary files, special application-level files (ex. Internet history). System data and artifacts are files that are generated by the OS itself, log files, temporary files,

5 etc. Examples are metadata, system registry, event logs, swap files, printer spool, recycle bin (Volonino, p. 237). Both OS assign permissions for files, but the way of determining those permissions are different. In Linux, these permissions can be viewed by running the ls l command on a directory or on a particular file. Windows File permissions are found in Security tab of Properties section of My Computer, and are kept in Registry. Since in Linux OS everything is considered file, thing are a bit different. Files of interest for the investigation are configuration files and system logs. They are: /etc/passwd /etc/shadow /etc/hosts /etc/sysconfig /etc/syslog.conf Both OS place deleted files in a folder from which they can be recovered. Windows has Recycle Bin, and most Linux versions have Trash function. But Trash folder contains deleted files of the particular user! (Grundy) In Windows Computer Forensics write blocker is device that is a must during the examination of the suspect s hard drive. It allows gathering the data without writing anything on the hard drive. Linux enables to manually select to mount file system as read-only (Bunting, p. 154). This should be done carefully, because any mistake can alter the data important for investigation. So examining hard drive from Linux OS can be done without the Write Blocker. It is interesting to know that tools can be used to examine any of the OS s, regardless of the nature of the tools. Linux tool (Helix) can be used to examine Windows system.

6 Conclusion The most important thing to do is to determine the Operating System you will work on. Not only that makes the investigation easier, but guessing the OS installed, or assuming which one is, can jeopardize the investigation, and probably end your carrier as Computer Forensic Investigator. Know that any system can be on any machine. Differences that are not mentioned in the paper are in price, but research is done to find the differences and similarities in forensic approach, assuming that all tools are available or accessible. Determining the OS is important, but tools used for investigation could be based on any OS, Linux or Windows.

7 Works Cited Bunting, S. (2008) EnCase Computer Forensics The Official EnCE: EnCase Certified Examiner Study Guide. Indianapolis, IN: Wiley Publishing, Inc. Burdach, M. (2004). Forensic Analysis of a Live Linux System. Retrieved from Grundy, B. J. (2008) The Law Enforcement and Forensics Examiner s Introduction to Linux A Practitioner s Guide to Linux as a Computer Forensics Platform. Retrieved from Nelson, B., Phillips, A., Enfinger, F., & Steuart, C. (2004) Guide to Computer Forensics and Investigations. Boston, MA: Thomson Course Technology. Volonino, L., Anzaldua, R., & Godwin, J. (2007) Computer Forensics: principles and practices. Upper Saddle River, NJ: Pearson Education, Inc.