Comparing and Contrasting Windows and Linux Forensics
Zlatko Jovanovic
International Academy of Design and Technology
Zlatko Jovanovic
[email protected]
http://www.bulleproof.com
Abstract
Windows and Linux are the most common operating systems used on personal computers. There are many different versions and editions of both operating systems. The basic differences between the two operating systems influence the specialized tools that exist for computer forensics. Knowing the basics of the operating system and choosing the right tool is crucial for any computer forensics investigation. This paper names the basic differences, tools and techniques used in both Windows and Linux forensics. I will not go into detail about the operating systems themselves, assuming that the reader knows the basics; otherwise it would take much more material than this paper.
Keywords: Windows Forensics, Linux Forensics, Operating System, File System.
Determining the Operating System
Computer forensics is a discipline concerned with the examination of computer systems that are involved in criminal activity, either as the target of the crime or as a tool for committing it. One of the very first issues in every computer forensics investigation is determining the Operating System (OS) on a suspect's computer. That is crucial because, if the OS is known, searching for and finding the incriminating information and data can be better organized and prepared, and is therefore easier. Different OSs have different characteristics that influence specific steps in extracting and analyzing data. In some cases a computer forensics investigator will ask for assistance if the OS found on the suspect's computer is not the one he is most comfortable with. That is often seen when examining a Linux OS, because it requires good knowledge of the system commands: most of the examination is done in the Command Line Interface (CLI), while in Windows it is done using the Graphical User Interface (GUI).
Linux and Windows have differences that make an investigation impossible, and dangerous for the data, if the OS is not properly determined. Assuming the OS is not an option (Burdach).
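As an added example (not code from the paper), the following Python function decides which OS lives on an evidence image by looking for well-known marker files under the mount point of the read-only mounted image. The marker paths (Windows registry hives under System32\config, /etc/os-release and /etc/passwd on Linux) are assumptions chosen for this example, and the Windows lookup is case-insensitive because NTFS is.

```python
import os
import re

# Relative marker paths under the evidence root (the mount point of a disk image
# mounted read-only). These markers are assumptions chosen for this example.
WINDOWS_MARKERS = (
    os.path.join("Windows", "System32", "config", "SYSTEM"),
    os.path.join("Windows", "System32", "config", "SAM"),
)


def _find_ci(root, rel):
    """Resolve rel under root, matching each path component case-insensitively
    (NTFS is case-insensitive, so both 'WINDOWS' and 'Windows' occur)."""
    cur = root
    for part in rel.split(os.sep):
        try:
            names = os.listdir(cur)
        except OSError:
            return None
        match = next((n for n in names if n.lower() == part.lower()), None)
        if match is None:
            return None
        cur = os.path.join(cur, match)
    return cur


def identify_os(root):
    """Return (kind, detail); kind is 'windows', 'linux' or 'unknown'."""
    for rel in WINDOWS_MARKERS:
        hit = _find_ci(root, rel)
        if hit is not None and os.path.isfile(hit):
            return ("windows", "registry hive found: " + os.path.relpath(hit, root))
    os_release = os.path.join(root, "etc", "os-release")
    if os.path.isfile(os_release):
        with open(os_release, encoding="utf-8", errors="replace") as fh:
            m = re.search(r'^PRETTY_NAME="?([^"\n]*)"?', fh.read(), re.M)
        return ("linux", m.group(1) if m else "os-release present")
    if os.path.isfile(os.path.join(root, "etc", "passwd")):
        return ("linux", "/etc/passwd present but no os-release")
    return ("unknown", "no Windows or Linux marker under " + root)
```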
Basic Differences
The biggest differences between Windows and Linux are their different approaches to system and data files and to user accounts (Volonino, p. 254). For computer forensics this is very important, because the connection between data and user has a huge impact on the evidence found during the investigation.
While Windows can have many user accounts with administrative privileges, a Linux OS has only one administrative account, called root. The root account has complete control of the system. Administrative users are users that have access to the root account. In order to connect a user with the administrative action performed, logging is essential. Also, in Windows one user can access one application, while in Linux several users can access one application.
In both operating systems the file system is hierarchical, but as Volonino states, another significant difference is that in Linux everything, including devices, partitions, and folders, is seen as one unified file system. This is an important difference for the examination. Devices and the physical structure of the hard drive are listed in the /dev directory (p. 254). The Linux hard drive structure consists of inodes, the superblock, data blocks, and dentries (Nelson, p. 134).
The file management systems of the two OSs are different. Windows can have a FAT (with its variations) or NTFS file system, while Linux can have an EXT (with its variations) file system. But "Linux can accommodate many different file systems by enabling VFS (virtual file system) within the kernel itself" (p. 255). This gives the option of having multiple partitions on the hard drive with both OSs installed. In that case files can be accessed from either OS!
There are two types of data files to review in a Windows OS: user data, and system data and artifacts. User files are added to the system through the installation of applications or by user creation; in other words, they are created by the user, directly or indirectly. Examples are user profiles, program files, temporary files, and special application-level files (e.g. Internet history). System data and artifacts are files generated by the OS itself: log files, temporary files, etc. Examples are metadata, the system registry, event logs, swap files, printer spool, and the recycle bin (Volonino, p. 237).
Both OSs assign permissions to files, but the ways of determining those permissions are different. In Linux, these permissions can be viewed by running the ls -l command on a directory or on a particular file. Windows file permissions are found in the Security tab of the Properties section of My Computer, and are kept in the Registry.
Since in a Linux OS everything is considered a file, things are a bit different. Files of interest for the investigation are configuration files and system logs. They are:
/etc/passwd
/etc/shadow
/etc/sysconfig
/etc/syslog.conf
/etc/hosts
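As an added example (not from the paper), this Python snippet triages the first two files in the list above, /etc/passwd and /etc/shadow, as read from an image: it parses both, then reports any account other than root that also has UID 0 (a second root-equivalent login, which contradicts the single-root model described earlier) and any account that has a login shell but an empty password field. The sample file contents are constructed and the hash fields are placeholders, not real hashes.

```python
# Constructed sample /etc/passwd and /etc/shadow (not from a real system); the
# shadow hash fields are placeholders, not real password hashes.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc_backup:x:0:0:backup:/var/backups:/bin/sh
guest:x:1001:1001::/home/guest:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$PLACEHOLDER1:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
alice:$6$PLACEHOLDER2:19700:0:99999:7:::
svc_backup:$6$PLACEHOLDER3:19700:0:99999:7:::
guest::19700:0:99999:7:::
"""


def parse_passwd(text):
    """Map user name -> (uid, gid, home, shell), skipping malformed lines so a
    damaged file from an image does not abort the whole triage."""
    users = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) != 7 or not f[2].isdigit():
            continue
        users[f[0]] = (int(f[2]), int(f[3]), f[5], f[6])
    return users


def parse_shadow(text):
    """Map user name -> password field ('' = no password, '*' or '!' = locked)."""
    fields = (line.split(":") for line in text.splitlines())
    return {f[0]: f[1] for f in fields if len(f) == 9}


def triage_accounts(passwd_text, shadow_text):
    """Findings an examiner wants first: root-equivalent logins besides 'root'
    (UID 0) and accounts with a login shell but an empty password."""
    shadow = parse_shadow(shadow_text)
    findings = []
    for name, (uid, _gid, _home, shell) in parse_passwd(passwd_text).items():
        if uid == 0 and name != "root":
            findings.append(("uid0", name, shell))
        if shadow.get(name) == "" and not shell.endswith(("nologin", "/false")):
            findings.append(("empty_password", name, shell))
    return findings
```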
Both OSs place deleted files in a folder from which they can be recovered. Windows has the Recycle Bin, and most Linux versions have a Trash function. But the Trash folder contains the deleted files of one particular user only! (Grundy)
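As an added example (not from the paper), the code below reconstructs a deletion timeline from the per-user Linux Trash: each deleted file has a companion .trashinfo file under ~/.local/share/Trash/info/ (the freedesktop.org trash layout) recording the original path, percent-encoded, and the deletion time. The entries are constructed samples, and the example assumes the examiner has already collected the info/ directory of one user from the image.

```python
import configparser
from datetime import datetime
from urllib.parse import unquote

# Constructed .trashinfo contents, keyed by file name as found in one user's
# ~/.local/share/Trash/info/ (the data itself sits in ../files/<name>).
SAMPLE_TRASHINFO = {
    "report.docx.trashinfo":
        "[Trash Info]\nPath=/home/alice/Documents/report.docx\n"
        "DeletionDate=2023-11-02T14:07:55\n",
    "notes final.txt.trashinfo":
        "[Trash Info]\nPath=/home/alice/notes%20final.txt\n"
        "DeletionDate=2023-11-03T09:12:00\n",
    "broken.trashinfo": "not a trashinfo file",
}


def parse_trashinfo(name, text):
    """Return (name in files/, original path, deletion datetime), or None when
    the entry is malformed (a damaged entry must not stop the timeline)."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(text)
        path = unquote(cp["Trash Info"]["Path"])      # Path is percent-encoded
        when = datetime.strptime(cp["Trash Info"]["DeletionDate"],
                                 "%Y-%m-%dT%H:%M:%S")
    except (configparser.Error, KeyError, ValueError):
        return None
    return (name[:-len(".trashinfo")], path, when)


def trash_timeline(entries):
    """Chronological list of (deleted at, original path, name in files/)."""
    rows = []
    for name, text in entries.items():
        parsed = parse_trashinfo(name, text)
        if parsed is not None:
            rows.append((parsed[2], parsed[1], parsed[0]))
    return sorted(rows)
```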
In Windows computer forensics a write blocker is a device that is "a must" during the examination of the suspect's hard drive. It allows gathering the data without writing anything to the hard drive. Linux allows the examiner to choose manually to mount the file system read-only (Bunting, p. 154). This should be done carefully, because any mistake can alter data important for the investigation. So examining a hard drive from a Linux OS can be done without a write blocker.
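Because a read-only mount replaces the hardware write blocker here, the examiner should verify the mount rather than trust the command that was typed. The following Python helper is an added example (not from the paper): it builds the mount command with the options commonly used for an ext image (ro, loop, noexec, and noload so the ext3/ext4 journal is not replayed) and then checks /proc/mounts for the 'ro' flag on the mount point. The /proc/mounts content is a constructed sample.

```python
import re

# Constructed /proc/mounts content (not captured from a real system). The kernel
# writes a space in a path as the octal escape \040, which is why we unescape.
SAMPLE_PROC_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/loop0 /mnt/evidence ext4 ro,noexec,noload 0 0
/dev/loop1 /mnt/case\\04042 ntfs rw,relatime 0 0
"""


def _unescape(field):
    """Undo the \\ooo octal escapes used in /proc/mounts fields."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_proc_mounts(text):
    """Map mount point -> (device, fstype, set of mount options)."""
    mounts = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        dev, mnt, fstype, opts = (_unescape(p) for p in parts[:4])
        mounts[mnt] = (dev, fstype, set(opts.split(",")))
    return mounts


def mount_command(image, mountpoint, fstype="ext4"):
    """Argument list for mounting an image for examination: read-only, via a
    loop device, no executables run from evidence, and (ext3/ext4) no journal
    replay, which would otherwise write to the image despite 'ro'."""
    opts = "ro,loop,noexec"
    if fstype in ("ext3", "ext4"):
        opts += ",noload"
    return ["mount", "-t", fstype, "-o", opts, image, mountpoint]


def is_read_only(mountpoint, proc_mounts_text):
    """True only if the mount point is present in /proc/mounts with 'ro' set."""
    entry = parse_proc_mounts(proc_mounts_text).get(mountpoint)
    return entry is not None and "ro" in entry[2]
```

On a live examination workstation the text for is_read_only comes from reading /proc/mounts after the mount command has run.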
It is interesting to know that tools can be used to examine either OS, regardless of the OS the tools themselves are built on: a Linux tool (Helix) can be used to examine a Windows system.
Conclusion
The most important thing to do is to determine the operating system you will work on. Not only does that make the investigation easier, but guessing or assuming which OS is installed can jeopardize the investigation, and probably end your career as a computer forensic investigator. Know that any system can be on any machine.
Differences in price are not covered in this paper; the research was done to find the differences and similarities in forensic approach, assuming that all tools are available or accessible.
Determining the OS is important, but the tools used for the investigation can be based on either OS, Linux or Windows.
Works Cited
Bunting, S. (2008). EnCase Computer Forensics – The Official EnCE: EnCase Certified Examiner Study Guide. Indianapolis, IN: Wiley Publishing, Inc.
Burdach, M. (2004). Forensic Analysis of a Live Linux System. Retrieved from http://www.symantec.com/connect/articles/forensic-analysis-live-linux-system-pt-1
Grundy, B. J. (2008). The Law Enforcement and Forensics Examiner's Introduction to Linux – A Practitioner's Guide to Linux as a Computer Forensics Platform. Retrieved from http://www.linuxleo.com/Docs/linuxintro-LEFE-3.78.pdf
Nelson, B., Phillips, A., Enfinger, F., & Steuart, C. (2004). Guide to Computer Forensics and Investigations. Boston, MA: Thomson Course Technology.
Volonino, L., Anzaldua, R., & Godwin, J. (2007). Computer Forensics: Principles and Practices. Upper Saddle River, NJ: Pearson Education, Inc.