Answer To: PART 1 Computer Forensic; Different tools for different systems. Different operating systems function...
David answered on Dec 27 2021
Part 1: Computer Forensic: Different Tools for different systems
Forensic tools for Windows, Mac OS and UNIX
Introduction
With the increase in cyber-attacks, there has been a steep rise in criminal activities such as computer fraud, ransomware, data theft/data loss etc. All these activities can be detected through Computer Forensics. It is a dynamic field, an amalgamation of computer science and law enforcement, which involves investigative and analytical techniques that can be used to extract and preserve crucial evidential information from computing devices such as laptops, tablets, mobile phones etc. in the most suitable way, so that it can be presented in a court of law as legal evidence (US-CERT, 2008).
Tools used by Windows, Mac OS and UNIX
At the very outset, one thing requires clarity: Linux is a UNIX clone developed by Linus Torvalds. Also, it is of grave necessity to mention that Mac OS X, and other later variants such as macOS High Sierra developed by Apple Inc., is a graphical form of the UNIX operating system.
As is well known, all of these operating systems are quite different from each other, so the digital forensic tools used for investigative and analytical purposes will also work differently under these environments.
A wide variety of tools is used in these different environments, such as:
· AccessData Forensic Toolkit (FTK) (which is used for data carving, password recovery, registry viewer, query searching, imager etc.)
· Helix (for password recovery, imager, scanning pictures, file recovery, protected storage viewer, cookie viewer etc.)
· Sleuth Kit (creates timeline of file activity, sorts files based on file type, performs extension checking etc.)
· WinHex (for encryption, disk editing, data recovery, disk cloning, drive and disk wiper, etc.)
· Log Parser (for viewing event log, registry & retrieving information)
· Paraben demo (for cell phone forensics & email investigation).
Encryption and Decryption tools which can be used are:
· Cain & Abel (for password recovery in Windows),
· SAMInside (for password recovery in Windows),
· John the Ripper (for password recovery in Windows and Linux),
· Camouflage (for digital steganography) (Chi et al., 2009).
Popular forensic suites such as EnCase, FTK and X-Ways only support Windows, but other tools such as Autopsy and BlackLight Forensics are now offering versions for OS X (a Macintosh variant) (Martin D. M., 2017). On the other hand, UNIX uses Belkasoft Evidence Center, PALADIN 4.0, Autopsy, DEFT, KALI LINUX and many more as forensic tools. Still, Windows remains the most preferred platform for these forensic tools for many reasons, such as ease of use owing to its learning curve, its graphical interface, being the most widely used OS, compatibility issues etc. (Román et al., 2016). But before reaching any conclusions it is good practice to consider all the pros and cons from the perspective of a forensic investigator.
Pros and Cons of carrying out Forensic Investigation on different platforms
UNIX is quite a professional environment which has command line access, and one has to learn many commands before working in UNIX, which gives Windows its popularity for ease of use because of its graphical interface.
The Windows environment, on the other hand, has a very meager set of utilities when it comes to forensic analysis, comprising MSConfig, which can be used to track system events. Windows does not offer much support to the forensic investigator if the investigator has to rely fully on this operating system alone, but if bundled with a forensic tool such as FTK or WinHex, then by using these tools it provides a friendly environment for analytical purposes, even to non-professional users, with an appealing graphical user interface.
In the case of forensic investigation, UNIX has a built-in special command set which gives the forensic investigator an edge over Windows, but of course the investigator must be well-versed in UNIX commands, as it provides full details of user events with date-time stamps...
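As an added illustration (not part of David's answer, and not Sleuth Kit's own code) of the two Sleuth Kit capabilities the answer lists, a timeline of file activity and extension checking, here is a small Python script run over constructed file records; the signature table, file paths and timestamps are assumed sample data.

```python
# Added example (not from the answer above, nor Sleuth Kit's code): a miniature
# file-activity timeline and extension check, the two capabilities the answer
# credits to Sleuth Kit. The signature table and file records are constructed.
from datetime import datetime, timezone

# Assumed subset of content signatures (magic bytes) -> expected extension.
SIGNATURES = {b"\x89PNG\r\n\x1a\n": "png", b"%PDF": "pdf", b"\xff\xd8\xff": "jpg", b"MZ": "exe"}
# Constructed records: m/a/c times (epoch seconds) plus the file's first bytes,
# as a disk image parser would supply them. notes.txt is an executable in disguise.
SAMPLE_FILES = [
    {"path": "/home/alice/report.pdf", "m": 1640000000, "a": 1640003600, "c": 1640000000, "head": b"%PDF-1.7\n"},
    {"path": "/home/alice/photo.jpg", "m": 1639990000, "a": 1639990000, "c": 1639990000, "head": b"\xff\xd8\xff\xe0"},
    {"path": "/home/alice/notes.txt", "m": 1640001800, "a": 1640001800, "c": 1640001800, "head": b"MZ\x90\x00"},
]

def detect_type(head):
    """Return the type implied by the content signature, or None if unknown."""
    for sig, ftype in SIGNATURES.items():
        if head.startswith(sig):
            return ftype
    return None

def extension_mismatches(files):
    """(path, claimed extension, actual type) for every file whose name disagrees with its content."""
    out = []
    for f in files:
        ext = f["path"].rsplit(".", 1)[-1].lower()
        actual = detect_type(f["head"])
        if actual is not None and actual != ext:
            out.append((f["path"], ext, actual))
    return out

def build_timeline(files):
    """Merge m/a/c timestamps into one sorted list of (UTC time, 'mac' flags, path) rows,
    so activity across many files can be read in order, as in a mactime-style timeline."""
    events = {}
    for f in files:
        for key in "mac":
            events.setdefault((f[key], f["path"]), set()).add(key)
    rows = []
    for (ts, path), flags in sorted(events.items()):
        when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        rows.append((when, "".join(k if k in flags else "." for k in "mac"), path))
    return rows

if __name__ == "__main__":
    for row in build_timeline(SAMPLE_FILES):
        print(*row)
    print("extension mismatches:", extension_mismatches(SAMPLE_FILES))
```

A dot in the flag column means that timestamp was not touched at that instant, so a row such as ".a." records a read without modification.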