Comparing and Contrasting Windows and Linux Forensics. Zlatko Jovanovic. International Academy of Design and Technology




Abstract

Windows and Linux are the most common operating systems used on personal computers, and each exists in many different versions and editions. Basic differences between the two operating systems shape the specialised tools that exist for computer forensics. Knowing the basics of the operating system and choosing the right tool is crucial for any computer forensics investigation. This paper will try to name the basic differences, tools and techniques used in both Windows and Linux forensics. I will not go into detail about the operating systems themselves, assuming that the reader knows the basics; otherwise it would take much more material than this paper.

Keywords: Windows Forensics, Linux Forensics, Operating System, File System.

Determining the Operating System

Computer forensics is a discipline concerned with the examination of computer systems involved in criminal activity, either as the target of the crime or as a tool for committing it. One of the very first issues in every computer forensics investigation is determining the operating system (OS) on a suspect's computer. This is crucial because, once the OS is known, searching for and finding incriminating information and data can be better organized and prepared, and is therefore easier. Different OSs have different characteristics that influence specific steps in extracting and analyzing data. In some cases a computer forensics investigator will ask for assistance if the OS found on the suspect's computer is not the one he is most comfortable with. This is often seen when examining Linux, because it requires good knowledge of the system commands: most of the examination is done in the command line interface (CLI), while in Windows it is done using the graphical user interface (GUI). Linux and Windows have differences that make an investigation impossible, and dangerous for the data, if the OS is not properly determined. Assuming the OS is not an option (Burdach).

Basic Differences

The biggest differences between Windows and Linux are their different approaches to system and data files, and to user accounts (Volonino, p. 254). For computer forensics this is very important, because the connection between data and user has a huge impact on the evidence found during the investigation.

While Windows can have many user accounts with administrative privileges, Linux has only one administrative account, called root, which has complete control of the system. Administrative users are users who have access to the root account, so in order to connect a user with an administrative action performed, logging is essential. Also, in Windows one user can access one application, while in Linux several users can access one application. In both operating systems the file system is hierarchical, but, as Volonino states, another significant difference is that in Linux everything, including devices, partitions and folders, is seen as a unified file system. This is an important difference for the examination: devices and the physical structure of the hard drive are listed in the /dev directory (p. 254). The Linux hard drive structure consists of inodes, the superblock, data blocks and dentries (Nelson, p. 134).

The file management systems of the two OSs are different. Windows can have a FAT (with its variations) or NTFS file system, while Linux can have an EXT (with its variations) file system. Linux, however, can accommodate many different file systems by enabling VFS (the virtual file system) within the kernel itself (p. 255). This makes it possible to have multiple partitions on the hard drive with both OSs installed, in which case the files can be accessed from either OS.

There are two types of data files to review in Windows: user data, and system data and artifacts. User files are added to the system through the installation of applications or by user creation; in other words, they are created by the user, directly or indirectly. Examples are user profiles, program files, temporary files and special application-level files (e.g. Internet history). System data and artifacts are files generated by the OS itself: log files, temporary files, etc. Examples are metadata, the system registry, event logs, swap files, the printer spool and the recycle bin (Volonino, p. 237).

Both OSs assign permissions to files, but the way those permissions are determined is different. In Linux, these permissions can be viewed by running the ls -l command on a directory or on a particular file. Windows file permissions are found in the Security tab of the Properties dialog in My Computer, and are kept in the Registry. Since in Linux everything is considered a file, things are a bit different. The files of interest for the investigation are configuration files and system logs: /etc/passwd, /etc/shadow, /etc/hosts, /etc/sysconfig and /etc/syslog.conf.

Both OSs place deleted files in a folder from which they can be recovered. Windows has the Recycle Bin, and most Linux versions have a Trash function, but the Trash folder contains the deleted files of the particular user (Grundy).

In Windows computer forensics a write blocker is a device that is a must during the examination of the suspect's hard drive: it allows gathering the data without writing anything to the hard drive. Linux allows the examiner to manually mount the file system as read-only (Bunting, p. 154). This should be done carefully, because any mistake can alter data important to the investigation. So a hard drive can be examined from Linux without a write blocker. It is interesting to note that tools can be used to examine either OS, regardless of the nature of the tools: a Linux tool (Helix) can be used to examine a Windows system.
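As an added example (not part of the paper), a POSIX shell script that puts the two Linux-side steps above together: mount an evidence image read-only so the examination itself cannot alter it, then decide which OS family the mounted root holds from on-disk artifacts and show the permissions of the Linux configuration files the paper names with ls -l. The function names, the artifact paths used for classification and the sample image path are assumptions for this illustration.

```shell
#!/bin/sh
# Added example, not the paper's own code. Assumes a POSIX shell, a raw
# disk image in $img and a mount point in $mnt; mount_evidence_ro needs root.

# Mount the evidence image read-only so the examination itself cannot
# write to it (Linux used in place of a hardware write blocker).
# noexec/nosuid/nodev prevent anything on the evidence volume from running.
mount_evidence_ro() {
    img="$1"; mnt="$2"
    mkdir -p "$mnt"
    mount -o ro,loop,noexec,nosuid,nodev "$img" "$mnt"
}

# Decide the OS family of a mounted root from on-disk artifacts:
# a registry hive directory for Windows, /etc/passwd plus /dev for Linux.
# Prints one word: windows, linux or unknown.
classify_os_root() {
    root="$1"
    if [ -d "$root/Windows/System32/config" ] || \
       [ -d "$root/WINDOWS/system32/config" ]; then
        echo windows
    elif [ -f "$root/etc/passwd" ] && [ -d "$root/dev" ]; then
        echo linux
    else
        echo unknown
    fi
}

# For a Linux root, show owner, group and mode of the configuration files
# the paper names with ls -l (-d so a directory such as /etc/sysconfig is
# listed itself, not its contents); missing files are reported explicitly.
list_linux_config_files() {
    root="$1"
    for f in etc/passwd etc/shadow etc/hosts etc/sysconfig etc/syslog.conf; do
        if [ -e "$root/$f" ]; then
            ls -ld "$root/$f"
        else
            echo "missing: /$f"
        fi
    done
}

# Typical use on a real examination (requires root; image path is constructed):
#   mount_evidence_ro /cases/constructed-suspect.dd /mnt/evidence
#   os=$(classify_os_root /mnt/evidence)
#   [ "$os" = linux ] && list_linux_config_files /mnt/evidence
```

Because the mount is read-only, ls -ld only reads directory metadata; nothing on the evidence volume changes while the paths are checked.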

Conclusion

The most important thing to do is to determine the operating system you will work on. Not only does that make the investigation easier; guessing or assuming which OS is installed can jeopardize the investigation, and probably end your career as a computer forensic investigator. Know that any system can be on any machine. Differences not mentioned in this paper are in price; the research here was done to find the differences and similarities in the forensic approach, assuming that all tools are available or accessible. Determining the OS is important, but the tools used for the investigation could be based on either OS, Linux or Windows.

Works Cited

Bunting, S. (2008). EnCase Computer Forensics: The Official EnCE: EnCase Certified Examiner Study Guide. Indianapolis, IN: Wiley Publishing, Inc.

Burdach, M. (2004). Forensic Analysis of a Live Linux System. Retrieved from http://www.symantec.com/connect/articles/forensic-analysis-live-linux-system-pt-1

Grundy, B. J. (2008). The Law Enforcement and Forensics Examiner's Introduction to Linux: A Practitioner's Guide to Linux as a Computer Forensics Platform. Retrieved from http://www.linuxleo.com/docs/linuxintro-lefe-3.78.pdf

Nelson, B., Phillips, A., Enfinger, F., & Steuart, C. (2004). Guide to Computer Forensics and Investigations. Boston, MA: Thomson Course Technology.

Volonino, L., Anzaldua, R., & Godwin, J. (2007). Computer Forensics: Principles and Practices. Upper Saddle River, NJ: Pearson Education, Inc.