Toriality's Blog

COMPUTER FORENSICS - 09

created_at:

June 4, 2024 at 5:35 PM

last_updated:

July 15, 2024 at 8:11 PM

COMPUTER FORENSICS STUDY - 09 SOURCES: INFOSECINSTITUTE.COM

OPERATING SYSTEM FORENSICS

INTRODUCTION

A computer's Operating System (OS) is the collection of software that interfaces with the computer hardware and controls the functioning of its parts, such as the hard disk, processor, memory and many other components. Forensic investigation of an OS is worthwhile because the OS is responsible for file management, memory management, logging, user management and many other activities that leave traces behind.
The forensic examiner must understand OSs, file systems and the numerous tools required to perform a thorough forensic examination of the suspect machine. Modern OSs track a good deal of information that can become artifacts of evidentiary value once a forensic examination takes place.

WHAT IS OPERATING SYSTEM FORENSICS?

DEFINITION:

    
Operating System Forensics is the process of retrieving useful information from the OS of the computer or mobile device in question. The aim of collecting this information is to obtain empirical evidence about the perpetrator and the incident.
    
OVERVIEW:

    
An understanding of the OS and its file system is necessary to recover data for computer investigations. The file system gives the operating system a roadmap to the data on the disk, and it determines how the drive stores that data. Different operating systems use different file systems, such as FAT, exFAT and NTFS on Windows and ext2, ext3 and ext4 on Linux. Data and file recovery techniques for these file systems include data carving, slack space analysis and the detection of hidden data. Another important aspect of OS forensics is memory forensics, which covers virtual memory, Windows memory, Linux memory, Mac OS memory, memory extraction and swap space. OS forensics also covers web browsing artifacts as well as messaging and email artifacts.
    

TYPES OF OPERATING SYSTEMS (OS):

The most popular OSs are:
WINDOWS:
    
    Windows is a widely used OS designed by Microsoft. The file systems used by Windows include FAT, exFAT, NTFS and ReFS. Investigators can search for evidence by analyzing the following important locations on a Windows system.
    
    RECYCLE BIN:
    
        This holds files that the user has discarded. When a user deletes a file through Explorer, Windows moves it into the Recycle Bin instead of freeing its clusters; this is called "soft deletion", and the data is only really released when the bin is emptied (and even then it stays on disk until overwritten). Recovering files from the Recycle Bin can be a good source of evidence. On Vista and later the bin lives in \$Recycle.Bin\<user SID>\ on each volume, and every deleted file becomes a pair of entries: an $I record holding the original path, size and deletion timestamp, and an $R file holding the content. The SID in the directory name ties the deletion to a specific user account.
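The $I record is small and fixed in layout, so it can be decoded without any special tooling. The following Python is an added example (not code from the original post or from infosecinstitute.com) that parses both the Vista/7/8 layout (version 1, fixed 520-byte path buffer) and the Windows 10 layout (version 2, length-prefixed path), converts the FILETIME deletion timestamp, and pairs each $I with its $R file when walking a copied $Recycle.Bin directory. The sample record it builds is constructed test data, not a real artifact, and the path C:\Users\alice\Documents\plan.docx is invented.

```python
import struct
from datetime import datetime, timedelta, timezone
from pathlib import Path

# FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH_AS_FILETIME = 116444736000000000  # 1970-01-01T00:00:00Z, a handy known value


def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_i_file(data: bytes) -> dict:
    """Decode one $I record ($I<6 random chars>.<ext>) into its fields."""
    if len(data) < 24:
        raise ValueError("record too short for an $I header")
    version, size, deleted_ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        # Vista / 7 / 8: fixed 520-byte UTF-16LE path buffer (260 chars), NUL padded.
        raw_path = data[24:24 + 520]
    elif version == 2:
        # Windows 10 and later: uint32 character count (includes the NUL), then the path.
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw_path = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw_path.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {
        "version": version,
        "original_size": size,
        "deleted_at": filetime_to_datetime(deleted_ft),
        "original_path": path,
    }


def build_sample_i_file(path: str, size: int, deleted_ft: int, version: int = 2) -> bytes:
    """Constructed test data (not a real artifact): serialise the fields the way Windows does."""
    encoded = (path + "\x00").encode("utf-16-le")
    header = struct.pack("<QQQ", version, size, deleted_ft)
    if version == 1:
        return header + encoded.ljust(520, b"\x00")
    return header + struct.pack("<I", len(path) + 1) + encoded


def walk_recycle_bin(root: str) -> list[dict]:
    """Walk a copied <volume>\\$Recycle.Bin tree, pairing each $I record with its $R content file.

    The parent directory name is the SID of the account that deleted the file.
    """
    results = []
    for i_file in Path(root).rglob("$I*"):
        rec = parse_i_file(i_file.read_bytes())
        rec["sid"] = i_file.parent.name
        r_file = i_file.with_name("$R" + i_file.name[2:])
        rec["content_present"] = r_file.exists()  # False means only the metadata survived
        results.append(rec)
    return results


if __name__ == "__main__":
    sample = build_sample_i_file("C:\\Users\\alice\\Documents\\plan.docx", 1234, UNIX_EPOCH_AS_FILETIME)
    rec = parse_i_file(sample)
    print(f"{rec['deleted_at'].isoformat()}  {rec['original_size']:>8}  {rec['original_path']}")
```

Run walk_recycle_bin against a copy of the $Recycle.Bin directory taken from the image, never against the live volume; a $I without a matching $R means the content was purged but the metadata (path and deletion time) is still recoverable.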
        
    REGISTRY:
    
        The Windows Registry is a database of keys and values that gives forensic analysts many useful pieces of information. The per-user hive (NTUSER.DAT) in particular records which programs were run, which documents were opened and which paths were typed. For example, the table below (an image in the original source) lists registry keys and the associated files that capture user activity on the system:
        
        https://mk0resourcesinfm536w.kinstacdn.com/wp-content/uploads/1-132.png
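One of the user-activity keys that table refers to is UserAssist (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count), where Explorer records every program launched through the GUI. The value names are ROT13-obfuscated and each value is a binary blob holding the run count and the last execution time. The Python below is an added example, not code from the original post, that decodes the name and the blob; it assumes the value names and raw bytes have already been read out of NTUSER.DAT with a hive parser (not shown) and uses the Windows 7 and later 72-byte layout, with the Windows XP 16-byte layout as a second branch. The sample values and program names are constructed, not from a real hive.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH_AS_FILETIME = 116444736000000000  # 1970-01-01T00:00:00Z


def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def decode_userassist_name(value_name: str) -> str:
    """Value names under ...\\UserAssist\\{GUID}\\Count are ROT13-obfuscated."""
    return codecs.decode(value_name, "rot13")


def parse_userassist_value(data: bytes) -> dict:
    if len(data) == 72:
        # Windows 7 and later: run count at +4, focus count at +8,
        # focus time in ms at +12, last-executed FILETIME at +60.
        run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
        (last_ft,) = struct.unpack_from("<Q", data, 60)
    elif len(data) == 16:
        # Windows XP: session id, run count (stored as count + 5), FILETIME.
        _session, raw_count, last_ft = struct.unpack("<IIQ", data)
        run_count, focus_count, focus_ms = max(raw_count - 5, 0), None, None
    else:
        raise ValueError(f"unexpected UserAssist value length {len(data)}")
    return {
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_ms": focus_ms,
        "last_run": filetime_to_datetime(last_ft) if last_ft else None,
    }


def build_sample_value(run_count: int, focus_count: int, focus_ms: int, last_ft: int) -> bytes:
    """Constructed 72-byte value in the Windows 7+ layout (not a real hive export)."""
    return (struct.pack("<IIII", 0, run_count, focus_count, focus_ms)
            + b"\x00" * 40            # ten float32 fields, not needed here
            + b"\x00" * 4
            + struct.pack("<Q", last_ft)
            + b"\x00" * 4)


def summarise(entries: dict) -> list:
    """entries maps the still-encoded value name to its raw bytes; newest execution first."""
    rows = []
    for name, raw in entries.items():
        rec = parse_userassist_value(raw)
        rec["program"] = decode_userassist_name(name)
        rows.append(rec)
    rows.sort(key=lambda r: r["last_run"] or FILETIME_EPOCH, reverse=True)
    return rows


if __name__ == "__main__":
    # Constructed sample: "P:\Jvaqbjf\flfgrz32\pzq.rkr" is ROT13 for C:\Windows\system32\cmd.exe.
    sample = {
        "P:\\Jvaqbjf\\flfgrz32\\pzq.rkr": build_sample_value(5, 3, 120000, UNIX_EPOCH_AS_FILETIME + 36_000_000_000),
        "abgrcnq.rkr": build_sample_value(1, 1, 10, UNIX_EPOCH_AS_FILETIME),
    }
    for row in summarise(sample):
        print(f"{row['last_run']}  runs={row['run_count']:<3} {row['program']}")
```

A run count that climbs while the last-run time stays old, or a value whose decoded name points at a location such as a temp or download folder, is the kind of inconsistency worth following up in the other artifacts on this page (Prefetch, LNK files, Recycle Bin).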
        
    THUMBS.DB FILES:
    
        These hold cached thumbnails of the images in a folder and can provide relevant information: the thumbnail of a picture often survives after the picture itself has been deleted from the folder. Thumbs.db files sit in the folder itself on Windows XP; Vista and later keep a central cache (thumbcache_*.db) under the user's AppData\Local\Microsoft\Windows\Explorer directory.
        
    BROWSER HISTORY:
    
        Every web browser keeps history files that contain significant information. Internet Explorer (later Microsoft Edge) is the default web browser on Windows, but other common browsers are Opera, Mozilla Firefox, Google Chrome and Apple Safari, and each stores its history in its own format and location under the user's profile. Most modern browsers keep history in SQLite databases, which can be opened directly once copied out of the image.
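Chromium-based browsers (Chrome, Edge, Opera) keep history in an SQLite file named History, with a urls table and a visits table whose timestamps are microseconds since 1601-01-01 UTC rather than Unix time. The Python below is an added example, not code from the original post, showing how to convert those timestamps and pull every visit within a time window. It builds an in-memory database that mimics a subset of the real schema, populated with constructed rows (the maps.example and mail.example URLs are invented); on a real case you would point sqlite3.connect at a copy of the History file, since the browser locks the original while it runs.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH_AS_WEBKIT_US = 11644473600 * 1_000_000  # 1970-01-01T00:00:00Z

# Core transition types (low byte of the transition column) that matter most in practice.
TRANSITION_CORE = {0: "link", 1: "typed"}


def webkit_to_datetime(us: int) -> datetime:
    """Chromium stores times as microseconds since 1601-01-01 UTC."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def datetime_to_webkit(dt: datetime) -> int:
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def build_sample_history() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a Chromium History file (subset of the real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, typed_count INTEGER,
                           last_visit_time INTEGER, hidden INTEGER DEFAULT 0);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                             from_visit INTEGER, transition INTEGER);
    """)
    base = UNIX_EPOCH_AS_WEBKIT_US
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?,0)", [
        (1, "https://maps.example/dir/home/to/apartment", "Directions", 2, 1, base + 7_200_000_000),
        (2, "https://mail.example/inbox", "Inbox", 1, 0, base + 3_600_000_000),
    ])
    conn.executemany("INSERT INTO visits VALUES (?,?,?,?,?)", [
        (1, 2, base + 3_600_000_000, 0, 1),   # typed, 01:00
        (2, 1, base + 5_400_000_000, 0, 1),   # typed, 01:30
        (3, 1, base + 7_200_000_000, 2, 0),   # link from visit 2, 02:00
    ])
    conn.commit()
    return conn


def visits_between(conn: sqlite3.Connection, start_iso: str, end_iso: str) -> list:
    """Return (timestamp, url, title, how) for each visit inside [start, end], oldest first."""
    start = datetime_to_webkit(datetime.fromisoformat(start_iso))
    end = datetime_to_webkit(datetime.fromisoformat(end_iso))
    cur = conn.execute("""
        SELECT v.visit_time, u.url, u.title, v.transition
        FROM visits v JOIN urls u ON u.id = v.url
        WHERE v.visit_time BETWEEN ? AND ?
        ORDER BY v.visit_time""", (start, end))
    return [(webkit_to_datetime(t).isoformat(), url, title, TRANSITION_CORE.get(tr & 0xFF, "other"))
            for t, url, title, tr in cur]


if __name__ == "__main__":
    conn = build_sample_history()
    for row in visits_between(conn, "1970-01-01T00:00:00+00:00", "1970-01-02T00:00:00+00:00"):
        print(*row)
```

Firefox's places.sqlite uses a different schema (moz_places and moz_historyvisits) and stores microseconds since the Unix epoch instead, so the epoch constant is the first thing to check when a timeline looks 369 years off.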
        
    PRINT SPOOLING:
    
        This process occurs whenever a computer prints a file in a Windows environment. When a user sends a print command from the computer to the printer, the print spooler turns it into a "print job" and writes it to spool files that stay in the queue until the print operation completes successfully. The job is stored in one of two data types, EMF or RAW. In RAW mode the spool file is simply the printer-ready data stream; in EMF mode the pages are stored as Microsoft Enhanced Metafile images, which can be rendered and viewed on the examiner's machine. Each job produces a .SPL file (the page data) and a .SHD shadow file (job metadata such as the user, document name and printer). These EMF files can be indispensable and provide empirical evidence for forensic purposes. By default the spooler deletes them once the job has printed, so they are normally found only for failed or still-queued jobs, or when the printer's "Keep printed documents" option is enabled; otherwise they have to be carved from unallocated space. The path to the spool files is:
        
            Windows\System32\spool\printers
            
        A REAL-WORLD SCENARIO INVOLVING PRINT JOB ARTIFACTS:
        
            A love triangle between three Russian students led to the high-profile murder of one of them. A female defendant stalked her former lover for a couple of months in order to kill his new girlfriend. One day she found the right moment and drove to her ex-boyfriend's apartment, where his new girlfriend was alone. She murdered the girl and tried not to leave any evidence behind that could assist the investigation. However, she had used her computer extensively while plotting the crime, a fact that later provided strong material evidence throughout her trial. For example, she had printed directions from her home to her ex-boyfriend's apartment three times.
            
            The forensic examiners took her computer into custody and recovered the spool (EMF) files from it. One of the three pages found in the spool files provided substantial evidence against the defendant: the footer at the bottom of the page contained the defendant's address and her former lover's address, together with the date and time at which the print job was performed. This evidence later proved to be the final nail in her coffin.
            
LINUX:

    
Linux is an open-source, Unix-like and elegantly designed operating system that runs on personal computers, supercomputers, servers, mobile devices, netbooks and laptops. Linux supports many file systems; the most common are the ext family, ext2, ext3 and ext4. A Linux machine recovered from a crime scene can provide empirical evidence. In that case, forensic investigators should analyze the following directories and files:
    
        /etc    (Windows counterpart: %SystemRoot%\System32\config)
        
    This is the system configuration directory, which holds separate configuration files for each application and service (for example sshd_config, crontab, the cron.d directory and the sudoers file).
    
        /var/log
        
    This directory contains application logs and security logs: auth.log (or secure on Red Hat derivatives) for logins and sudo use, syslog (or messages) for general system events, and the binary wtmp, btmp and lastlog files behind the last, lastb and lastlog commands. Logs are rotated by logrotate, and the default configuration keeps about four weekly rotations, so entries older than roughly four to five weeks may already be gone unless they can be carved from unallocated space.
    
        /home/$USER
        
    This directory holds the user's data and configuration information, including shell history files such as .bash_history and the application data under hidden dot-directories.
    
        /etc/passwd
        
    This file (not a directory) lists the user accounts: name, UID, GID, description, home directory and login shell. Password hashes are kept in /etc/shadow, which is readable only by root.
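A first pass over these locations is usually a triage: list accounts that should not exist (a second UID 0, an account whose home is /tmp) and correlate them with the logins recorded in auth.log. The Python below is an added example, not code from the original post, that does exactly that against constructed sample data: the passwd lines and auth.log lines are made up for the example (the backup2 account and the RFC 5737 documentation addresses 203.0.113.5 and 198.51.100.7 are invented), and on a real case you would read the files out of the mounted image instead.

```python
import re
from collections import Counter

# Constructed sample input (not from a real system).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup2:x:0:0::/tmp:/bin/sh
svc:x:1001:1001::/var/lib/svc:/usr/sbin/nologin
"""

SAMPLE_AUTH_LOG = """\
Jun  4 17:31:02 lab sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jun  4 17:31:05 lab sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Jun  4 17:31:09 lab sshd[2203]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jun  4 17:35:44 lab sshd[2210]: Accepted password for alice from 198.51.100.7 port 40022 ssh2
Jun  4 17:36:01 lab sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Jun  4 17:40:13 lab sshd[2219]: Accepted publickey for backup2 from 203.0.113.5 port 51300 ssh2
"""

TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"
FAILED = re.compile(TS + r" \S+ sshd\[\d+\]: Failed \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED = re.compile(TS + r" \S+ sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+)")
SUDO = re.compile(TS + r" \S+ sudo:\s+(?P<user>\S+) : .*COMMAND=(?P<cmd>.*)$")


def parse_passwd(text: str) -> list:
    """Split /etc/passwd into dicts; one entry per non-empty line."""
    fields = ("name", "password", "uid", "gid", "gecos", "home", "shell")
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(fields, line.split(":")))
        rec["uid"], rec["gid"] = int(rec["uid"]), int(rec["gid"])
        entries.append(rec)
    return entries


def suspicious_accounts(entries: list) -> list:
    """Accounts with UID 0 other than root, or an interactive shell with a home in a temp directory."""
    flagged = []
    for e in entries:
        interactive = not e["shell"].endswith(("nologin", "false"))
        if (e["uid"] == 0 and e["name"] != "root") or (interactive and e["home"].startswith(("/tmp", "/var/tmp", "/dev/shm"))):
            flagged.append(e["name"])
    return flagged


def parse_auth_log(text: str) -> dict:
    report = {"failed_by_source": Counter(), "accepted": [], "sudo": []}
    for line in text.splitlines():
        if m := FAILED.match(line):
            report["failed_by_source"][m["ip"]] += 1
        elif m := ACCEPTED.match(line):
            report["accepted"].append((m["ts"], m["user"], m["ip"], m["method"]))
        elif m := SUDO.match(line):
            report["sudo"].append((m["ts"], m["user"], m["cmd"]))
    return report


def correlate(entries: list, report: dict) -> list:
    """Successful logins to flagged accounts, with how many failures the same source produced first."""
    flagged = set(suspicious_accounts(entries))
    return [(ts, user, ip, report["failed_by_source"][ip])
            for ts, user, ip, _ in report["accepted"] if user in flagged]


if __name__ == "__main__":
    accounts = parse_passwd(SAMPLE_PASSWD)
    auth = parse_auth_log(SAMPLE_AUTH_LOG)
    print("flagged accounts:", suspicious_accounts(accounts))
    print("failures by source:", dict(auth["failed_by_source"]))
    for hit in correlate(accounts, auth):
        print("login to flagged account:", hit)
```

The same approach extends to wtmp/btmp (binary utmp records rather than text) and to the journal on systemd hosts; the point is to tie account anomalies in /etc/passwd to the moment and source address of their use in /var/log before the rotation window closes.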
    
MAC OS X
    
    Mac OS X is a UNIX-based operating system whose XNU kernel combines a Mach 3 microkernel with a FreeBSD-based subsystem. Its user interface is Apple's own, whereas the underlying architecture is UNIX-like.
    
    Mac OS X offers a convenient technique for creating a forensic duplicate. The suspect's computer is booted into "Target Disk Mode" (holding T at startup), which makes it behave like an external disk. The forensic examiner then connects it to the forensic workstation with a FireWire cable (Thunderbolt or USB-C on newer Macs) and images the hard disk. The workstation must mount the target read-only or go through a write blocker, otherwise the act of imaging alters the evidence; a FileVault-encrypted disk will also need the password or recovery key before anything readable comes off it.
    
IOS

    
Apple iOS is a UNIX-based operating system derived from Mac OS X and first released in 2007. It is the common OS for all of Apple's mobile devices, such as the iPhone, iPod Touch and iPad. An iOS device retrieved from a crime scene can be a rich source of empirical evidence.
    
ANDROID
    
    Android is Google's open-source platform designed for mobile devices, and it is the most widely used mobile operating system in the handset industry. Android runs on a Linux-based kernel that provides core functions such as power management, the network stack and device drivers. Android's Software Development Kit (SDK) contains a tool that is very useful for both general and forensic purposes, the Android Debug Bridge (ADB). ADB communicates between a computer and the device over a USB connection (or TCP/IP), but it only works when USB debugging is enabled and the device has authorised the examiner's computer, so on a locked handset it is usually not an option without other access first.
    

USEFUL TOOLS:

CUCKOO SANDBOX:

    
This tool is mainly designed to perform analysis of malware. Cuckoo Sandbox runs the sample inside a virtual machine and takes snapshots of it, so that the investigator can compare the state of the system before and after the malware runs. Since malware mostly targets Windows, Windows virtual machines are normally used for this purpose.
    
FORENSIC TOOLKIT FOR LINUX:

    
Forensic specialists use a forensic toolkit to collect evidence from a Linux operating system. Such a toolkit comprises trusted, statically linked copies of tools such as dmesg, insmod, netstat, arp, route, hunter.o, date, cat, pcat and nc, carried on the examiner's own media so that a compromised system's binaries are never relied on.
    
HELIX:

    
Helix is a forensic distribution built on the Knoppix Live Linux CD. It provides a Linux kernel, hardware detection and many other applications. The Helix CD also offers a number of tools for Windows forensics, such as:
    
        - Asterisk Logger
        - Registry Viewer
        - Screen Capture
        - File recovery
        - Rootkit Revealer
        - MD5 Generator
        - Command Shell
        - Security Reports
        - IE Cookies viewer
        - Mozilla Cookies Viewer
        
X-WAYS FORENSICS

    
It offers a forensic work environment with some remarkable features, such as:
    
        - Disk imaging and cloning, including under DOS
        - Support for UDF, CDFS, ext2, ext3, NTFS and FAT
        - Viewing and dumping the virtual memory of running processes and physical RAM
        - Gathering inter-partition space, free space and slack space
        - Mass hash calculation for files
        - Ensuring data authenticity with a write-protection feature
        - Automated file signature checks and much more.