Forensics LEC 3

Digital forensics

Forensics and Operating Systems
Lecture # 3

Windows Systems

• Most popular OS and therefore occurs more frequently in forensic examinations.
• It supports two types of primary file systems.
• FAT (File Allocation Table) and NTFS (New Technology File System).
FAT vs NTFS

FAT
• File structure is the simplest and is totally supported by the family of Microsoft OS, i.e. MS-DOS and Windows.
• It can be FAT16, FAT32 or exFAT.
• For example, for FAT16 the cluster size ranges from 512 bytes to 64KB.
• If the investigator is conducting the analysis via a Linux system, he can save the collected information so as to access it easily from a Windows system later on.
• Still, this system suffers from security issues.

NTFS
• NTFS is also the most popular file system of Microsoft OS.
• Its popularity comes from its features of ACLs on file objects and built-in file compression mechanisms.
• The master file table (MFT) is the richest source of information required by an investigator when working with the NTFS file system.
Challenges of Windows acquisition tools

Challenges/Drawbacks
• When using the Windows OS, the tools can easily corrupt the evidence drive, so investigators must apply well-tested write-blocking hardware devices to protect it.
• Some Windows forensic tools face several challenges when trying to acquire data from protected areas of the HDD.
• There are some legal and ethical issues in some countries about how to use write-blocking devices for the data acquisition process.
Linux File System

• Linux also became the most popular OS.
• There are different variants of Linux OS. Most of them share a common standard Linux file system, directory structure, system artifacts and user activity.
• Most current Linux file systems use the Ext4 file system; older systems used Ext3 and Ext2.
• The Ext file system has two main components: the superblock and the group descriptor table.

EXT4, XFS and BTRFS Linux File systems
Validating Data Acquisitions
• One important part of computer forensics is to validate the digital evidence.
• A forensic hash is the standard approach commonly used for this validation.
• It is a form of checksum.
• In the context of digital forensics, a forensic hash is the process of applying a mathematical function to the acquired data to produce a unique hash value.
• A number of forensic tools with built-in hashing capabilities are available nowadays.
• The hashing algorithms are available as standalone programs or are integrated into other 3rd-party tools.
• Windows has a built-in MD5 hashing tool, and 3rd-party programs exist such as Breakpoint Software's Hex Workshop or X-Ways WinHex.
• Commercial forensic kits such as FTK, ProDiscover, and EnCase also come with built-in validation techniques.
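As an added example (not part of the lecture or of any tool named above), the validation step in Python: the source media and the acquired image are hashed in chunks with both MD5 and SHA-256 and the digests compared. The file names and 3-byte sample contents are constructed for the demo.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # hash 1 MiB at a time so a multi-GB image never has to fit in RAM


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for the file, computed in a single pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def validate_acquisition(source_path, image_path):
    """Compare digests of the original media and the acquired image.

    Returns (ok, report) where report maps algorithm -> (source, image, match).
    The acquisition is valid only if every algorithm agrees: MD5 is still what
    many tools print, but known collisions mean SHA-256 should be recorded too.
    """
    src, img = hash_file(source_path), hash_file(image_path)
    report = {a: (src[a], img[a], src[a] == img[a]) for a in src}
    return all(m for _, _, m in report.values()), report


def demo():
    """Constructed sample: a 3-byte 'drive', a faithful image and one with a flipped byte."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "source.bin")
        good = os.path.join(tmp, "image_good.dd")
        bad = os.path.join(tmp, "image_bad.dd")
        for path, data in ((source, b"abc"), (good, b"abc"), (bad, b"abd")):
            with open(path, "wb") as fh:
                fh.write(data)
        ok_good, rep_good = validate_acquisition(source, good)
        ok_bad, rep_bad = validate_acquisition(source, bad)
    return {
        "source_hashes": {a: s for a, (s, _, _) in rep_good.items()},
        "good_image_valid": ok_good,  # True: the image reproduces the source bit-for-bit
        "bad_image_valid": ok_bad,    # False: one byte differs, so every digest changes
        "bad_report": rep_bad,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```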
