Sunday, October 20, 2013

Operating Systems as Potential Source of Digital Evidences


Performing a comprehensive digital forensic examination requires a full understanding of the computer operating system (OS). An operating system is “a program that manages all the applications in a computer” (University of Maryland University College, 2012). The OS manages hardware resources, enables execution of commands, acts as an interface between hardware and software, controls the security of the system and allows sharing of resources and files over the network. This paper discusses different operating systems as sources of digital forensic evidence. Each section on a source of digital evidence discusses its file systems, the tools and techniques helpful to forensic examiners, and the challenges faced by the investigator. The final section compares each source of evidence in terms of network intrusion, malware installation and insider file deletion.
Digital Evidences in Windows

The following section discusses the Windows operating system (OS) as a source of data for digital forensic investigation. Over the past three decades Windows has dominated the computer market, with applications in personal computers, Web browsers and large enterprise hardware and software. Since the first release of Windows 1.0 in 1985, numerous versions of Microsoft Windows have been developed, from older versions such as Windows 9x, NT, ME and 2000 to newer versions like Windows XP, Windows Vista, 7, and Windows Server 2003 or 2008. The latest versions are widely used in home, corporate and government environments (Pittman & Shaver, 2009). Forensic examiners need to fully understand the operating system, its file systems and the various tools needed to conduct a thorough forensic analysis.

FAT and NTFS file systems


Analyzing the file system, examining how directories and folders are structured, and how data is stored on a computer hard drive helps the digital forensic examiner learn the location of a given file. The Windows operating system contains a number of locations that can act as rich sources of evidence. Windows operating systems utilize four different types of file systems: FAT12, FAT16, FAT32, and NTFS. In the FAT (File Allocation Table) file system, data is stored on disk in clusters, which are divided into multiple sectors. A cluster is composed of one or more sectors, and a sector is the minimum unit that can be written to or read from a disk, usually 512 bytes (University of Maryland University College, 2012). A variety of digital forensic tools help the investigator analyze the FAT to reveal the root directory, FAT folders and data clusters of a hard drive. Viewing the FAT, the investigator can identify a file in a folder, the cluster(s) it holds, and the clusters where a file starts and ends. The FAT also helps the investigator identify the subdirectories that contain file information such as attributes, names, dates, sizes, and the first cluster of each file on the system. However, the FAT file system has shortcomings such as inadequate security, lack of backup mechanisms, smaller storage limits and poor data management (Pittman & Shaver, 2009). As a result, modern Windows systems use NTFS, a more efficient file system.
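As an added illustration (not code from the paper or its cited sources), the following Python walks a constructed FAT16 directory entry and File Allocation Table the way an examiner reads them: it decodes the 8.3 name, the packed date-time stamps, the first cluster and size, follows the cluster chain to its end-of-chain marker, maps each cluster to a sector offset, and computes the file slack. The disk geometry, the FAT contents and the file REPORT.DOC are all constructed values.

```python
"""Added example (not from the paper): parse a FAT16 directory entry, follow its
cluster chain through the FAT, map clusters to disk offsets and size file slack."""
import struct
from datetime import datetime

SECTOR_SIZE = 512               # bytes per sector, the usual value
SECTORS_PER_CLUSTER = 4         # constructed geometry: 2048-byte clusters
DATA_START_SECTOR = 40          # first sector of the data area (= cluster 2)
FAT16_EOC = 0xFFF8              # FAT values >= this mark end of chain
CLUSTER_BYTES = SECTOR_SIZE * SECTORS_PER_CLUSTER

def decode_fat_datetime(date_word, time_word):
    """Unpack FAT's packed 16-bit date and time fields (2-second resolution)."""
    year, month, day = 1980 + (date_word >> 9), (date_word >> 5) & 0xF, date_word & 0x1F
    hour, minute, second = time_word >> 11, (time_word >> 5) & 0x3F, (time_word & 0x1F) * 2
    return datetime(year, month, day, hour, minute, second)

def parse_dir_entry(entry):
    """Decode a 32-byte short-name (8.3) directory entry into its fields."""
    deleted = entry[0] == 0xE5                  # first name byte is overwritten on delete
    raw_name = (b"_" + entry[1:8]) if deleted else entry[0:8]
    base = raw_name.decode("ascii", "replace").rstrip()
    ext = entry[8:11].decode("ascii", "replace").rstrip()
    ctime, cdate, adate, clus_hi = struct.unpack_from("<HHHH", entry, 14)
    mtime, mdate, clus_lo, size = struct.unpack_from("<HHHI", entry, 22)
    return {
        "name": base + ("." + ext if ext else ""),
        "deleted": deleted,
        "created": decode_fat_datetime(cdate, ctime),
        "modified": decode_fat_datetime(mdate, mtime),
        "accessed": decode_fat_datetime(adate, 0).date(),  # access stamp has no time
        "first_cluster": (clus_hi << 16) | clus_lo,         # high word is 0 on FAT16
        "size": size,
    }

def follow_chain(fat, first_cluster):
    """Walk the FAT from first_cluster until an end-of-chain marker."""
    chain, cluster = [], first_cluster
    while 2 <= cluster < FAT16_EOC:
        if cluster >= len(fat) or cluster in chain:
            raise ValueError(f"corrupt chain at cluster {cluster}")
        chain.append(cluster)
        cluster = fat[cluster]
    return chain

def file_clusters(entry, fat):
    """Live file: follow its FAT chain. Deleted file: the FAT entries were zeroed,
    so assume contiguous storage from the first cluster (fails if fragmented)."""
    if not entry["deleted"]:
        return follow_chain(fat, entry["first_cluster"])
    count = -(-entry["size"] // CLUSTER_BYTES)              # ceiling division
    return list(range(entry["first_cluster"], entry["first_cluster"] + count))

def cluster_to_offset(cluster):
    """Byte offset of a data cluster; data clusters are numbered from 2."""
    return (DATA_START_SECTOR + (cluster - 2) * SECTORS_PER_CLUSTER) * SECTOR_SIZE

def examine(entry_bytes, fat):
    """Everything an examiner reads off the FAT for one directory entry."""
    entry = parse_dir_entry(entry_bytes)
    entry["clusters"] = file_clusters(entry, fat)
    entry["offsets"] = [cluster_to_offset(c) for c in entry["clusters"]]
    entry["slack_bytes"] = len(entry["clusters"]) * CLUSTER_BYTES - entry["size"]
    return entry

# Constructed sample: 16-entry FAT in which REPORT.DOC occupies clusters 3 -> 5 -> 6.
SAMPLE_FAT = [0xFFF8, 0xFFFF, 0xFFFF, 5, 0, 6, 0xFFFF] + [0] * 9
SAMPLE_ENTRY = struct.pack(
    "<8s3sBBBHHHHHHHI", b"REPORT  ", b"DOC", 0x20, 0, 0,
    0x4BC5, 0x4354, 0x4354, 0,   # created 09:30:10 and accessed on 2013-10-20
    0x70AF, 0x4354, 3, 5000)     # modified 14:05:30; first cluster 3; 5000 bytes
DELETED_ENTRY = b"\xE5" + SAMPLE_ENTRY[1:]    # same entry after the file is deleted

if __name__ == "__main__":
    print(examine(SAMPLE_ENTRY, SAMPLE_FAT), examine(DELETED_ENTRY, [0] * 16)["clusters"])
```

The deleted copy of the entry still carries the first cluster and size, which is why an examiner can often locate a deleted file's clusters even though the FAT no longer links them.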

NTFS (New Technology File System) is an alternative to the FAT file systems. The current version of NTFS has been used in Windows XP and later OS releases. From the digital forensic perspective, understanding the difference between FAT and NTFS is very important in terms of the following features: data storage, data security, file size and file naming conventions (University of Maryland University College, 2012). NTFS uses a data structure called the Master File Table (MFT) instead of a file allocation table. The MFT contains one record for every file on an NTFS volume, including one for itself, each with a file identifier number (Casey, 2011). This makes access and organization of data more efficient. Moreover, the MFT also helps the forensic examiner in data backup and in recovering deleted data. NTFS also offers an improved security feature, the access control list (ACL), which governs read, write and execute access to Windows files and folders.

While FAT uses only end-of-file (EOF) markers to specify a file's size, NTFS uses EOF markers as well as the Valid Data Length (VDL) to determine a file's logical size, the true length of the data as it is stored on the hard disk. As a result, uninitialized space is created where data can remain. An investigator can recover the data in uninitialized space even if there have been attempts to delete the data. These important NTFS characteristics, data backup and deleted-data recovery, make it the preferred file system in Windows OS for the examiner.

Windows Forensics Tools and Techniques


In order to extract evidence from the Windows file system, file-system traces have been widely used. Whenever a user initiates actions in a system, date-time stamps are placed on the file system, and file-system traces provide vital information by easily identifying those date-time stamps. Log files in the newest versions of Windows provide useful forensic information: they associate the user with the date, time and action in a system (user attribution). In addition to Windows file-system traces and log files, various features of Windows are utilized in recovering and analyzing forensic evidence. Tools from Microsoft itself (and third-party tools) are used to decode password-protected and encrypted files and recover data from a suspect's drive. The Windows Registry contains information valuable to the forensic investigator. The Registry provides various pieces of information relating to the OS, installed applications, and user access information, their settings and the privileges the users have to the applications and networks (Mee, Tryfonas & Sutherland, 2006). A forensic program, REgGen, is used for the analysis of the registry files stored on Windows devices.

Besides using the features in Windows, various proprietary and open source software tools are used for the collection and analysis of digital evidence on Windows-based systems. Helix runs on Windows as a standard application and is used to collect digital evidence on live or active systems. The PsTools suite provides a variety of detailed information about Windows systems, remotely and locally. For instance, PsList displays process, CPU, memory and thread statistics for all processes presently running on the system, PsFile shows files opened remotely, and PsLogList dumps event log records.

Challenges in Windows Forensics


Forensic examiners face several challenges in the Windows environment. One challenge is that the Encrypting File System (EFS) and products like Microsoft Passport assist in providing increased security for the Windows environment; however, they can make the job of the forensic analyst more difficult. Finding information in Windows file slack and RAM slack requires a lot of effort by the examiner, as they conceal vital evidence such as files, e-mail, user names and passwords (Wiles & Reyes, 2007). The absence of a comprehensive single source for digital evidence, from the Windows file systems to Internet Explorer, is a great challenge for corporate investigators. As a result, they have to piece together information from different sources and apply UNIX techniques to the Windows environment.

Digital Evidences in Macintosh


Apple’s Macintosh systems are not as popular as Windows systems in the forensic community. However, due to the user friendliness of MacOS and its quick access to files and applications, Macintosh systems are becoming widely used and need the attention of forensic examiners. Since its inception in 1984, various versions of the Macintosh computer have been developed, along with its Mac OS X systems.

The File Systems in MacOS


Two types of hierarchical file system (HFS) are used on MacOS, namely HFS and HFS Plus (the improved version). Unlike Windows, which uses a file allocation table, Mac uses catalog and overflow files. The catalog tree is a database of the folders and files on a Mac hard drive. The catalog file collects information such as date-time stamps (dates of creation, modification, access and backup) on each file and folder. The catalog file records are stored in a B-tree, a simple database structure for searches (Casey, 2011). While HFS supports 16-bit processing, the improved version HFS+ supports 32-bit processing. In addition, HFS Plus applies journaling, which is helpful for fast recovery in case of a power outage or a crash.

Mac Forensic Tools and Techniques


Various tools and techniques assist the forensic investigator in examining digital evidence on a Mac. Mac file-system traces provide useful information for understanding date-stamp behavior on MacOS 9 and MacOS X. Browsers such as Safari, Mozilla Firefox and Opera are used to trace network activities such as Internet traces, Web activity, e-mail activity and network-storage information. The Mac's Web caches and plist files are also helpful in recovering information about users' incoming and outgoing e-mails and the Web servers they accessed. Furthermore, tools like Norton Utilities and Prosoft Data Rescue can be used to recover deleted files from Mac systems (Kokocinski, 2009).

The forensic software Macintosh Forensic Suite, with a collection of 26 modules, provides the investigator with various tools and utilities (Wiles & Reyes, 2007). For instance, one of the modules in the suite, the Directory Scan utility, allows the investigator to look at all the files and folders on a Macintosh volume. Another tool in the suite, HeaderBuilder, makes changing headers easy and shows MD5 hashes quickly. Another tool, PhantomSearch, captures all the invisible files on a volume.

Challenges in Mac Forensics


One of the challenges in Mac digital evidence is creating a bitstream copy of a hard drive. One common approach to copying a hard drive from a Mac system is to remove it and connect it to another computer. It is also possible to boot the Macintosh from a CD-ROM. However, hard drives should be disconnected from the system first in order to avoid accidental alteration of date-time stamps (Kokocinski, 2009). Another challenge on the Mac is data recovery. Due to the complex nature of the B-tree structure of the catalog, deleted file names do not remain in the file system for long. As a result, it is difficult to recover the file names and associated date-time stamps even using forensic tools like EnCase and FTK. Tools like Norton Utilities and Disk Warrior, or ProSoft Data Rescue, are helpful in file recovery. Some files in MacOS are stored in binary format and are difficult to read. Macintosh systems need more forensic examination and research.

Digital Evidences in UNIX


UNIX started as a free OS three decades ago. Different types of UNIX have been developed since then, both proprietary versions (Sun Solaris, IBM’s AIX) and free versions (Linux, FreeBSD and OpenBSD). UNIX is so powerful that it allows access by several users and multiple programs simultaneously on one computer. Not only is UNIX an important source of digital evidence, it is also an excellent platform for forensic examination. Any digital forensics laboratory has at least one Linux environment, either native or running through a virtual machine product such as VMware (Steel, 2006). In contrast to the GUI system found in Windows, UNIX uses command-line functions for execution of instructions.

File Systems in UNIX


The popular file systems are UFS (UNIX File System), Reiser, ext2 and ext3 (Extended File Systems 2 and 3). They have much simpler directories, containing only a list of file names and their associated inodes (index nodes). This simple file structure, coupled with the command-line functions, makes it easier for forensic examiners to trace the location of file names from the root directory to the inode and to individual data blocks or groups. A library card catalog is analogous to the UNIX file system (Altheide & Casey, 2009).

As in Windows, UNIX systems allow certain users root access, provided those users (and the examiner) have full administrative privileges. Understanding file allocation and deletion in UNIX is very important for the examiner. Both the OS and the file system determine how files are deleted. In the case of ext2, when a file is deleted the inode is returned to the free-inode list of the superblock, and its contents are not cleared. In ext3, on the other hand, the inode contents are cleared first and then the inode is returned to the free-inode list. This makes file recovery easier in ext2 and more difficult in ext3.

Linux/Unix Forensic Techniques and Tools


Linux has several important features assisting digital acquisition and examination. To make a bitstream copy of the source hard drive, examiners often use Helix, a freeware tool. The mainstay of acquiring digital evidence in UNIX is the dd command, used to create a copy of a hard drive.

Data can be recovered using file carving in UNIX, by carving files from any evidence object, unallocated space or a swap file. Another approach to recovering a deleted file is to search for inodes and recover the associated data using icat (Altheide & Casey, 2009). Reviewing log files is very helpful in UNIX and provides important information such as commands used, user activities and system changes, useful for reconstructing events and tracking down offenders. File-system trace analysis is very useful, as any activity can leave an impression on a UNIX system. For instance, remnants such as spool files from printing, temp files from applications, and date-time stamps and user IDs from other systems provide a fuller picture of what is occurring in the system.

UNIX was specifically designed with networking in mind, and Internet trace analysis is a rich source of evidence for the examiner. Web browsers such as Mozilla Firefox store and provide information on Web browsing. UNIX systems generally store e-mail under the home directory of each user, making it easier for the examiner to access. As UNIX systems are configured to store, log and print user data on remote systems, network traces are easily found and are valuable information leading to further digital evidence.

Tools like The Coroner’s Toolkit (TCT), designed mainly to help in forensic examinations, run on most UNIX/Linux operating systems. The Coroner’s Toolkit is a collection of applications and is one of the toolkits most frequently used by forensic examiners (Wiles & Reyes, 2007). Moreover, tools like The Sleuth Kit and SMART provide a GUI (graphical user interface), simplifying the examination process in UNIX.

Challenges in UNIX Forensics


One of the main challenges for the digital investigator is dealing with password protection and encryption. Attempting to break encryption within UNIX systems is rarely effective, especially for strong encryption. Such attempts require significant time and effort as well as taking advantage of weaknesses in the implementation of the encryption program. Tools like Crack and John the Ripper can be used to attempt to guess password entries in UNIX. Proper collection and examination of digital evidence requires familiarity with the computer system. The complexity and the large number of UNIX systems call for special training and education of examiners in UNIX administration (all aspects of the UNIX system) and security features. Being prevalent on the Internet, UNIX systems are vulnerable to network-borne attacks, especially Advanced Persistent Threats (APTs), a form of cybercrime focused more on espionage (University of Maryland University College, 2012). The continuous emergence of new malware and the lack of robust detection and prevention systems in the UNIX environment call for malware analysis as part of digital forensic examination.

Digital Evidences in Mobile Devices OS


Mobile devices such as cell phones and smartphones have become an integral part of people’s daily lives, and their popularity is increasing in the digital world. These devices are also used to facilitate crimes or are otherwise involved whenever crimes occur. As a result, they are becoming sources of digital evidence. Valuable personal information such as pictures, e-mails and addresses, and other useful data such as where individuals were at specific times and with whom they were in contact, can be collected from these devices.

There are various types of mobile phones and smartphones made by several manufacturers, and each kind of smartphone and mobile device has a different operating system. The standard operating systems for portable devices include the iPhone’s iOS, Palm OS and Palm webOS, Nokia’s Symbian, Windows’ proprietary OS developed by Microsoft and Android’s open source OS developed by Google. While a few devices (iPhone and BlackBerry) centralize the distribution of software, most other portable devices allow and encourage independent applications on their platforms. From the forensic examiner’s point of view, all of this complicates the task of forensic analysis, and the need for and effort toward developing tools and techniques for forensic examination have been growing.

Forensic Analysis Tools for Mobile Devices


Despite the growing challenge, there are a growing number of commercial forensic tools that provide evidence acquisition and analysis capabilities for these devices. These include UFED, MicroSystemation XRY, Logicube CellDEK and MOBILedit! Forensic software (University of Maryland University College, 2012). Cellebrite's Universal Forensic Extraction Device (UFED) is used to extract evidence physically from devices using cables and USB memory sticks. MicroSystemation XRY acquires forensic information logically via infrared, Bluetooth and USB. Logicube CellDEK allows only logical data acquisition, but with the capability of identifying the type of device based on brand name, model number and dimensions. The forensic software MOBILedit! uses cables to extract physical forensic data from the device and generates a forensic report.

Challenges in Mobile Device Forensics


The speed with which these mobile devices come, go, and grow presents unique challenges for the forensic examiner. By the time forensic collection and analysis procedures become available for many of these devices, the devices may be out of date or have evolved into a completely different architecture (Brown, 2010). The unique characteristics of mobile devices, such as overall design, size and specific components, pose challenges to investigators during every phase of the computer forensics process. More important, the existence of various operating systems poses challenges to forensic tools and examiners in extracting digital evidence. Mobile device systems are a challenging source of evidence because the data on them is volatile and different tools are needed to process different devices. Finally, the limited forensic tools and training currently available in the area of mobile forensics need more attention.

Prioritization of Digital Evidences in Terms of Usefulness


Network Intrusion


A network intrusion can be any use of a network that compromises its stability or the security of information stored on a computer connected to the network. It may be any attempt to gain unauthorized access to files or privileges, any effort to destabilize the system as a whole, or unauthorized use of software. While intrusion detection helps detect attacks, network forensics involves “discovering and retrieving evidential information in a networked environment about a crime in such a way as to make it admissible to court” (Vacca, 2009). Network forensics uses log files to determine when users logged on, which URLs a user accessed and how they logged into the network. It also tries to determine what tracks or new files are left behind. Network forensics requires not only making a forensic image of a compromised drive, but also an image containing the applications used (Nelson et al., 2010). Live acquisitions are especially useful when dealing with network intrusions. I believe Mac computer systems used by suspects are the most useful source of network forensic evidence, next being UNIX OS, followed by mobile device OS and Windows OS.

Sources of digital evidences   Network Intrusion   Malware Installation   Insider file deletion
Windows OS                     3rd                 2nd                    1st
Macintosh OS                   1st                 3rd                    2nd
UNIX OS                        2nd                 1st                    3rd
Mobile Devices OS              3rd                 4th                    4th

Table: Prioritization of Digital Evidences in Terms of Usage

Malware Installation


The absence of robust malware detection systems in Linux/UNIX makes it vulnerable to new and more sophisticated malware. UNIX systems are also susceptible to network-borne attacks like APTs. That makes UNIX OS the most useful source of digital evidence in terms of malware installation. Windows systems are also the most widely used systems and are often attacked, so Windows OS is the next most useful source of digital evidence, followed by MacOS and mobile OS.

Insider file deletion


Computer forensics deals with the task of recovering data that users have deleted or hidden so that the recovered data may be used as evidence. The investigator searches the storage media and, if data is found, puts the pieces together to produce evidence. In data recovery, Windows OS, with its Registry, log files and date stamps, is the most useful. MacOS is very useful, followed by UNIX OS and Mobile Devices OS.

Conclusions

Digital investigators will encounter different computer operating systems as sources of digital evidence. An in-depth understanding of the computer operating system (OS) helps a digital forensic investigator understand the basic functions of the device and dig deeper into the data to be examined. This paper discussed four different operating systems as potential sources of digital evidence – Windows, Mac, UNIX and mobile device OSs. While Windows OS has dominated the computer market and the forensic environment, the user-friendly nature of MacOS is increasing its use and drawing the attention of investigators. UNIX OS is not only becoming an important source of digital evidence, but is also an excellent platform for forensic examination. Built-in features like the file system, logs and file-system traces help the investigator recover hidden or deleted data. Despite continuous challenges, several forensic tools and techniques are being used in the acquisition and examination of digital evidence. The enormous variety of OSs, uniqueness of design, and volatile nature of their data make mobile devices the most challenging sources of digital evidence.


References:


Altheide, C. & Casey, E. (2009). UNIX forensic analysis. In E. Casey (Ed.), Handbook of digital forensics and investigation (pp. 301-351). Burlington, MA: Elsevier Academic Press.

Brown, C. L. (2010). Computer evidence: Collection and preservation (2nd ed.). Retrieved from http://common.books24x7.com.ezproxy.umuc.edu/toc.aspx?bookid=33937

Casey, E. & Turnbull, B. (2011). Digital evidence on mobile devices. In Digital evidence and computer crime: Forensic science, computers, and the Internet (3rd ed.). Retrieved from

Kokocinski, A. (2009). Macintosh forensic analysis. In E. Casey (Ed.), Handbook of digital forensics and investigation (pp. 353-382). Burlington, MA: Elsevier Academic Press.

Mee, V., Tryfonas, T., & Sutherland, I. (2006). The Windows Registry as a forensic artifact: Illustrating evidence collection for Internet usage. Digital Investigation, 3(3), 166-173. Retrieved from www.elsevier.com/locate/diin

Pittman, R. D. & Shaver, D. (2009). Windows forensic analysis. In E. Casey (Ed.), Handbook of digital forensics and investigation (pp. 209-300). Burlington, MA: Elsevier Academic Press.

Steel, C. (2006). Windows forensics: The field guide for corporate computer investigations. Retrieved from

University of Maryland University College. (2012). Forensic analyses of operating systems, Module 6. Retrieved from http://tychousa11.umuc.edu/CSEC650/1202/9040/class.nsf/Menu?OpenFrameSet&Login

Vacca, J. R. (Ed.). (2009). Computer and information security handbook. Retrieved from

Wiles, J. & Reyes, A. (2007). The best damn cybercrime and digital forensics book period. Retrieved from http://common.books24x7.com.ezproxy.umuc.edu/toc.aspx?bookid=25452
