Linux vs. Windows
Computer forensics is an emerging field that uses specialised tools and skills to acquire, examine and document electronic evidence for the purpose of proving criminal activity. At its most basic level, computer forensics involves ‘analysis of information contained within and/or created with a computer system, typically in the interest of figuring out what happened, when it happened, how it happened and who was involved’ (New York). Computer forensics is described by Warren and Heiser as ‘the preservation, identification, extraction, interpretation and documentation of computer evidence’ (Warren and Heiser, 2001, p.2).
In any forensic analysis we deal with three types of data, namely:
a) Active data: the data that exists on the hard drive and that we can see.
b) Archival data: data that has been backed up and stored.
c) Latent data: data that has already been lost, for example data that has been deleted or partially overwritten. (New York)
For any forensic investigation, three main steps are involved; the details vary according to the investigator and the given scenario.
These three steps are:
1) Acquisition: this involves copying the contents of the suspect’s hard drive to another hard drive, producing what is usually called a bit-stream backup (Bui, Enyeart, Luong, 2003, pg5). This is because ideally a forensic investigation is not done on the suspect’s hard drive itself. Instead the contents are copied bit by bit in order to retrieve everything on the drive, including the unusual spaces such as unallocated space (for example, deleted files), swap space, “bad” sectors and slack space.
2) Authentication: this process is done primarily to ensure that the evidence retrieved has not been altered during acquisition. It matters because any change to the evidence renders it inadmissible in a court of law. Investigators authenticate the hard drive evidence by generating a checksum of the contents of the hard drive (Bui, Enyeart, Luong, 2003, pg6). A checksum is almost the equivalent of a fingerprint for electronic data, because no two hard drives with different data can have the same checksum. The algorithms most commonly used to generate these checksums are MD5 and SHA. However, some tools use a combination of algorithms, such as CRC (cyclic redundancy check) together with MD5, in order to achieve a higher quality of authentication.
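The two steps above, acquisition and authentication, as one added example (not code from the essay or from any of the sources it cites). The "device" is a constructed temporary file standing in for a block device; on a real case the source would be a read-only device such as one behind a hardware write blocker, and unreadable sectors would be padded with zeros so that offsets stay aligned (what `dd conv=noerror,sync` does), which this example does not attempt. Both MD5 and SHA-256 are computed while the source is read once, and the image is then re-hashed and compared; a single flipped byte in the image makes the check fail.

```python
"""Bit-stream acquisition of a source into an image file, with checksums
computed during the copy and re-verified afterwards (added example)."""
import hashlib
import io
import os
import tempfile

BLOCK_SIZE = 512  # read and write in sector-sized blocks, like dd bs=512


def _hash_stream(src, dst=None, block_size=BLOCK_SIZE):
    """Read src to EOF, feeding every block to MD5 and SHA-256 and, when a
    destination is given, writing it there unchanged. The source is read
    exactly once, which matters for large or fragile media."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    for block in iter(lambda: src.read(block_size), b""):
        md5.update(block)
        sha256.update(block)
        if dst is not None:
            dst.write(block)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def acquire(source_path, image_path):
    """Step 1: bit-stream copy of source_path into image_path.
    Returns the digests of the bytes that were read from the source."""
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        return _hash_stream(src, dst)


def hash_file(path):
    """Digests of an existing file (used to re-hash the image later)."""
    with open(path, "rb") as f:
        return _hash_stream(f)


def hash_bytes(data):
    """Digests of an in-memory byte string; handy for spot checks."""
    return _hash_stream(io.BytesIO(data))


def verify(acquisition_hashes, image_path):
    """Step 2: authentication. The image must hash identically to what was
    read from the source; both algorithms must agree."""
    image_hashes = hash_file(image_path)
    return all(image_hashes[a] == acquisition_hashes[a] for a in ("md5", "sha256"))


def demo():
    """Constructed scenario: an 8-block 'device' holding one allocated
    block and seven blocks of a deleted file's remnant. Returns
    (verified, verified_after_tampering)."""
    workdir = tempfile.mkdtemp()
    device = os.path.join(workdir, "device.bin")
    image = os.path.join(workdir, "device.dd")
    allocated = b"ALLOCATED FILE CONTENT (constructed)".ljust(BLOCK_SIZE, b"\x00")
    remnant = b"deleted file remnant (constructed)".ljust(BLOCK_SIZE, b"\xff")
    with open(device, "wb") as f:
        f.write(allocated + remnant * 7)

    hashes = acquire(device, image)
    ok = verify(hashes, image)

    # Flip one byte inside the image: authentication must now fail.
    with open(image, "r+b") as f:
        f.seek(BLOCK_SIZE + 3)
        f.write(b"X")
    ok_after_tamper = verify(hashes, image)
    return ok, ok_after_tamper


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Recording both digests at acquisition time and again after every transfer of the image is what lets the examiner show that the analysed copy is byte-for-byte the data that was read from the suspect's drive.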
Does the Type of Operating System Affect the Process at all?
YES, it does.
Is it easier to perform a computer forensic investigation if the suspect’s computer is a Linux or UNIX system rather than Windows? Consider all flavors of the operating systems.
It is easier to perform a forensic investigation on a UNIX system than on a Windows system, as the following illustrates.
3) Analysis: this is the process of uncovering evidence of wrongdoing that can be used to incriminate a suspect, and it is probably the most labour-intensive step. Analysis of data is conducted differently on different operating systems. For the purpose of the essay question we shall focus on NTFS, the file system used in Windows NT and Windows 2000 and above, for the Windows side.
Forensic analysis of UNIX systems and Windows systems bears certain similarities that make the approaches somewhat alike. For example, when searching for deleted data, the analysis involves looking into the same kinds of spaces: unallocated space, file slack and swap space. This is because there are specific areas of the file structures where one can draw parallels. Take file slack, for example: it is the space between the end of a file and the end of the cluster in Windows, and it can be examined for remnants of deleted files and attributes. Clusters in Windows are the equivalent of blocks in UNIX systems.
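File slack as described above, as an added example (not from the essay or its sources). The cluster contents are constructed: a cluster that once held a now-deleted message is partly overwritten by a new 1500-byte file. The example assumes the NTFS default cluster size of 4096 bytes and models the NTFS behaviour of zero-filling from the end of the file to the end of its last 512-byte sector, so the remnants survive only between that sector boundary and the end of the cluster. `slack_range` gives the slack offsets for any file size, `file_slack` extracts those bytes from a cluster run, and `carve_strings` pulls printable runs out of them the way a `strings`-style pass would.

```python
"""Locate and carve file slack from a file's allocated clusters (added example)."""
import math
import re

CLUSTER_SIZE = 4096  # NTFS default cluster size for most volume sizes
SECTOR_SIZE = 512


def slack_range(file_size, cluster_size=CLUSTER_SIZE):
    """Byte offsets [start, end) of the slack, relative to the file's first
    cluster: from end of file content to end of its last allocated cluster.
    A size that is an exact multiple of the cluster size leaves no slack."""
    if file_size == 0:
        return (0, 0)
    allocated = math.ceil(file_size / cluster_size) * cluster_size
    return (file_size, allocated)


def file_slack(cluster_run, file_size, cluster_size=CLUSTER_SIZE):
    """Given the raw bytes of every cluster allocated to a file, return the
    slack bytes (which the file system never shows through the file API)."""
    start, end = slack_range(file_size, cluster_size)
    if len(cluster_run) < end:
        raise ValueError("cluster run is shorter than the file's allocation")
    return cluster_run[start:end]


def carve_strings(data, min_len=6):
    """Printable ASCII runs of at least min_len bytes, as a strings(1)-style pass."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def demo():
    """Constructed scenario: a deleted message's cluster is partly reused."""
    old_msg = b"meet me at the usual place on Thursday, bring the ledger. "  # constructed
    old_cluster = (old_msg * (CLUSTER_SIZE // len(old_msg) + 1))[:CLUSTER_SIZE]

    new_file = b"A" * 1500
    # NTFS zero-fills from EOF to the end of the sector; the remainder of the
    # cluster keeps whatever was there before.
    sector_end = math.ceil(len(new_file) / SECTOR_SIZE) * SECTOR_SIZE
    cluster_run = new_file + b"\x00" * (sector_end - len(new_file)) + old_cluster[sector_end:]

    slack = file_slack(cluster_run, len(new_file))
    return {
        "slack_range": slack_range(len(new_file)),
        "slack_len": len(slack),
        "strings": carve_strings(slack),
    }


if __name__ == "__main__":
    result = demo()
    print(result["slack_range"], result["slack_len"])
    print(result["strings"][0][:80])
```

The same arithmetic applies to UNIX file systems with their block size in place of the cluster size; what differs between systems is how much of the tail is zero-filled on write, which is why slack from one file system cannot be assumed to look like slack from another.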
However, these similarities only go so far before the systems start to differ.
The differences are what make UNIX systems easier to carry out forensic analysis on than Windows systems.
For example, file deletion in a UNIX system involves marking the directory entry for that file as unused, which disconnects the file name from the actual data and attributes. Because UNIX file systems avoid fragmentation as much as possible, they achieve good file locality, which allows the deleted file’s data and attributes to remain for long periods of time, such as hundreds of days on a heavily used system. This differs from Windows’ NTFS, which overwrites the MFT record, making it difficult to recover useful information. The only exception is when no new records have been created since, in which case the attributes of files marked for deletion can be recovered and possibly even the actual data obtained. This makes it easier to recover such files on a UNIX system than on a Windows system. (Bui, Enyeart, Luong, 2003)
Another advantage of carrying out forensic investigations on UNIX systems is that everything in a UNIX system is a file. Therefore, any transaction performed within the system leaves evidence that it occurred, because the MAC times (modification, access and change times) of the associated files are altered. MAC times can thus be used to show that a suspect was aware of the existence of a file and its contents.
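A MAC-time timeline over a directory tree, as an added example (not from the essay or its sources), in the spirit of the body-file and `mactime` output of The Sleuth Kit. The file names, contents and timestamps are constructed, set with `os.utime` so the result is reproducible. Two caveats a practitioner relies on: the ctime recorded here is the POSIX inode change time, not a creation time, and it cannot be set by `utime`, so it reflects when the demo ran; and on a real case this is run against a read-only mounted image rather than the live machine, because simply reading files on a live system can itself update their atime.

```python
"""MAC-time timeline of a directory tree, oldest event first (added example)."""
import os
import tempfile
from datetime import datetime, timezone


def mac_entries(root):
    """One (timestamp, kind, relative_path) tuple per file per timestamp.

    kind is 'm' (content modified), 'a' (last accessed) or 'c' (inode
    metadata changed; on POSIX this is not creation time). lstat is used so
    symbolic links are recorded as themselves, not as their targets."""
    entries = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            rel = os.path.relpath(path, root)
            entries.append((st.st_mtime, "m", rel))
            entries.append((st.st_atime, "a", rel))
            entries.append((st.st_ctime, "c", rel))
    return sorted(entries)


def timeline(root):
    """Human-readable lines such as '2013-04-18T10:00:00Z  m  plan.txt'."""
    lines = []
    for ts, kind, rel in mac_entries(root):
        when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{when}  {kind}  {rel}")
    return lines


def demo():
    """Constructed scenario: plan.txt is written at 10:00 and read at 11:00;
    note.txt is written at 10:30 and read at 12:00 (all UTC, 2013-04-18).
    Returns the m/a events in order plus the rendered timeline."""
    root = tempfile.mkdtemp()
    doc = os.path.join(root, "plan.txt")
    note = os.path.join(root, "note.txt")
    for p in (doc, note):
        with open(p, "w") as f:
            f.write("sample content (constructed)\n")

    base = 1366279200  # 2013-04-18 10:00:00 UTC, chosen arbitrarily
    os.utime(doc, (base + 3600, base))          # (atime, mtime)
    os.utime(note, (base + 7200, base + 1800))  # (atime, mtime)

    events = [(kind, rel) for _, kind, rel in mac_entries(root) if kind != "c"]
    return {"events": events, "lines": timeline(root)}


if __name__ == "__main__":
    for line in demo()["lines"]:
        print(line)
```

Reading the sorted output top to bottom gives the sequence the essay refers to: the modification of each file precedes its later access, so an access entry after the modification entry shows that the file's final contents were opened at that time. The 'c' entries land at the end because the change time was set when the demo created the files, which is later than any of the constructed times.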
A further advantage of performing a forensic investigation on a UNIX system is the availability of the standard UNIX tools, which aid in searching for particular patterns among the contents of the disk. UNIX forensic toolkits also aid enormously in the examination of UNIX systems.
References
1. Bui, S., Enyeart, M. and Luong, J. (2003). Issues in Computer Forensics. Available at: http://www.google.com/search?q=Forensics+Investigation.pdf+by+Sonia+Bui&hl=en&ie=UTF-8&tbm= (Last accessed 18th April 2013).
2. Computer Forensic on Windows Operating System (2006). Computer Forensics. Available at: http://www.computerforensics1.com/computer-forensic-windows.html (Last accessed 19th April 2013).
3. Pitafi, W. Computer Forensic Investigation on Linux or Unix Systems and Its Effects. inno8Tech. Available at: http://www.inno8.net/blog/computer-forensic-investigation-linux-unix-systems-effects/ (Last accessed 18th April 2013).
4. New York Computer Forensic Service. About Forensic. Available at: http://www.newyorkcomputerforensics.com/learn/forensics-process.php (Last accessed 18th April 2013).