Forensics and

Operating Systems
Lecture # 3
 Windows Systems

• Most popular OS and therefore, occurs more frequently in

forensic examinations.
• It supports two types of primary file systems.
• FAT (File Allocation Table) and NTFS (New Technology File
System).
 FAT vs NTFS
FAT
• File structure is simplest and
totally supported by the family of
Microsoft OS i.e. MS-DOS and
Windows.
• It can be FAT16, FAT32 and exFAT.
• For e.g. for FAT16, the cluster size
ranges from 512 bytes to 64KB.
• If the investigator is conducting
the analysis via Linux system, he
can save the collected information
to access them easily from a
windows system later on.
• Still this system suffer from
security issues.
NTFS
• NTFS is also most popular system
of Microsoft OS.
• Its popularity comes from its
features of ACL on file objects and
having built-in file compression
mechanisms.
• Master file table (MFT) is the
richest source of information
required by an investigator when
working with NTFS file system.
Challenges of Windows acquisition
tools
When using windows OS, they can
easily corrupt the evidence drive,
investigators must apply well-tested
write-blocking hardware devices to
protect them.
Challenges/ Some windows forensic tools face
Drawbacks several challenges when trying to
acquire data from protected areas of
HDD.
There are some legal and ethical issues
in some countries of how to use the
write-blocking devices for the data
acquisition process.
 Linux File System
Linux also became the most popular OS.

Different variants of Linux OS. Most of them

share a common standard Linux file system,
directory structure, system artifacts and user
Linux File activity.
system
Most current Linux file systems use the Ext4
file system and older systems used Ext3 and
Ext2.

The Ext file system has two main components.

Superblock and group descriptor table.
EXT4, XFS and BTRFS and Linux File
systems
 Validating Data Acquisitions
• One important part of computer forensics is to validate the digital evidence.
• Forensic hash is a standard approach that is commonly used for this validation.
• It is a form of a checksum.
• In the context of digital forensics, a forensic hash is the process of applying a
mathematical function to the acquired data to produce a unique hash value.
• Number of forensic tools with built-in hashing capabilities are available nowadays.
• The hashing algorithms are available as standalone programs or are integrated
into other 3rd party tools.
• Windows system has built-in an MD5 hashing tool and 3rd party programs exist
such as Breakpoint software Hex workshop or X-Ways WinHex.
• Commercial forensic kits also come up with built-in validation techniques such as
FTK, ProDiscover, and EnCase.