Digital Investigation

Volume 1, Issue 3, September 2004, Pages 197-212

Forensic analysis of Windows hosts using UNIX-based tools

https://doi.org/10.1016/j.diin.2004.07.004

Section snippets

Intro

Many forensic examiners are introduced to UNIX-based forensic utilities when faced with investigating a UNIX-like operating system for the first time. They will use these utilities for this very specific task, because in many cases these tools are the only ones for the given job. For example, at the time of this writing, given a FreeBSD 5.x file system, the author's only choice is to use The Coroner's Toolkit running on FreeBSD 5.x! However, many of the same tools examiners use for the

Windows file system support

ASRData's SMART is a commercial Linux-based forensics suite which boasts very fast media imaging capability, support for several image compression formats (including the Expert Witness format used by Guidance Software's EnCase), the ability to recover deleted files from several supported file systems, and the ability to mount split image files. SMART supports 11 file systems natively, and features enhanced capabilities when dealing with FAT and NTFS volumes.

Brian Carrier's Autopsy is a free,

Deleted file recovery

The recovery of deleted files is one of the most critical aspects of the evidence collection phase of any forensic examination. Accurately and entirely recreating the structure of deleted files can make or break many cases. Unfortunately, in many instances, deleted file recovery is more “black magic” than science. In some cases, it is the nature of how the file system works which prevents 100% accuracy in recovery. In other cases, wrongly implementing a tool (or using a tool which wrongly

Unallocated space

Closely related to recovering deleted files (and often just as important if not more so) is the process of collecting and processing all other unallocated space – namely file slack and “true” unallocated space. While rebuilding meaningful file constructs out of this space on a volume is often impossible, important data can often be gleaned from these areas. Both tools allow for the extraction of unallocated space to some degree, although the extraction performed by SMART is far more granular
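Rebuilding file constructs from unallocated space usually means carving by content signature rather than by file system metadata, which is the approach tools such as foremost take. The following is an added example, not code from the paper, from SMART or from any carver it names: it runs header/footer signature carving over a constructed byte buffer standing in for extracted unallocated space. The JPEG and GIF markers are the well-known ones; the size caps and the sample buffer layout are assumptions chosen for the demonstration.

```python
"""Header/footer signature carving over raw unallocated space.

Added example (not from the paper or from foremost): finds file headers in a
byte buffer, pairs each with the next footer within a size cap, and flags
carves whose footer is missing so the examiner knows the object is partial.
"""
import re
from dataclasses import dataclass

# (name, header, footer, max_size). Headers/footers are the standard JPEG
# SOI/EOI and GIF "GIF8" / trailer markers; max_size is an assumed cap that
# bounds a carve whose footer was overwritten or belongs to another file.
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9", 10 * 1024 * 1024),
    ("gif", b"GIF8", b"\x00;", 5 * 1024 * 1024),
]


@dataclass
class Carved:
    kind: str
    offset: int      # byte offset of the header within the input buffer
    length: int      # bytes from header start to footer end (or to the cap)
    complete: bool   # True when a footer was found inside max_size


def carve(buf: bytes, signatures=SIGNATURES) -> list:
    """Return every signature hit in buf, sorted by offset."""
    results = []
    for kind, header, footer, max_size in signatures:
        for m in re.finditer(re.escape(header), buf):
            start = m.start()
            window_end = min(len(buf), start + max_size)
            # Search for the footer only after the header and inside the cap.
            idx = buf.find(footer, start + len(header), window_end)
            if idx == -1:
                # No footer: keep the capped region but mark it incomplete
                # rather than silently dropping a possibly useful fragment.
                results.append(Carved(kind, start, window_end - start, False))
            else:
                results.append(Carved(kind, start, idx + len(footer) - start, True))
    results.sort(key=lambda c: c.offset)
    return results


def extract(buf: bytes, carved: Carved) -> bytes:
    """Slice the carved object out of the buffer."""
    return buf[carved.offset:carved.offset + carved.length]


def build_sample() -> bytes:
    """Constructed 'unallocated space': zero filler, a complete JPEG-like blob,
    a GIF-like blob, then a JPEG header whose footer never appears."""
    filler = b"\x00" * 64
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 100 + b"\xff\xd9"
    gif = b"GIF89a" + b"G" * 50 + b"\x00;"
    truncated = b"\xff\xd8\xff\xe1" + b"T" * 30
    return filler + jpg + filler + gif + filler + truncated


if __name__ == "__main__":
    sample = build_sample()
    for c in carve(sample):
        state = "complete" if c.complete else "INCOMPLETE (footer missing)"
        print(f"{c.kind} at offset {c.offset}, {c.length} bytes, {state}")
```

The `complete` flag is the point a practitioner cares about: a carver that emits a capped region without saying so produces artifacts that look like whole files but are not, which is exactly the "wrongly implementing a tool" hazard the deleted-file section warns about.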

Keyword searching

Keyword searching can often provide valuable leads or other clues that would have been overlooked via other examination methods. As simple and trivial as it may seem, keyword searching is not as easy as it once was, and understanding the capabilities and limitations of the tools you are using is an imperative part of the forensics process.

SMART can perform keyword searches at two levels. First, at the file name level, string matches or regular expressions can be used to perform some basic data
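One limitation worth understanding when searching Windows targets is encoding: much Windows data (registry values, NTFS file names, Unicode documents) is stored as UTF-16LE, so a byte-level search for the ASCII form of a keyword misses every Unicode instance. The block below is an added example, not code from the paper, SMART or the Sleuth Kit. It searches a constructed buffer for each keyword in both ASCII and UTF-16LE, reports byte offsets and the encoding of each hit, and lists the keywords an ASCII-only search would have missed. The keyword list and sample buffer are constructed for the demonstration.

```python
"""Keyword search over raw bytes with Windows encodings in mind.

Added example (not from the paper or either tool it reviews): searches for
each keyword encoded as ASCII and as UTF-16LE, case-insensitively, and
records where and in which encoding it was found.
"""
import re

# Encodings to try for every keyword. UTF-16LE is what Windows uses for most
# wide strings; adding it is the difference between finding "Invoice" in a
# file name and missing it in a registry value or Word document.
ENCODINGS = ("ascii", "utf-16-le")


def search(buf: bytes, keywords, context: int = 16) -> list:
    """Return [{keyword, encoding, offset, context}] for every hit, by offset."""
    hits = []
    for kw in keywords:
        for enc in ENCODINGS:
            needle = kw.encode(enc)
            # IGNORECASE on a bytes pattern folds ASCII letters only; for
            # UTF-16LE each code unit is a letter byte followed by 0x00, so
            # the same folding still works for ASCII-range keywords.
            rx = re.compile(re.escape(needle), re.IGNORECASE)
            step = 1 if enc == "ascii" else 2
            for m in rx.finditer(buf):
                lo = max(0, m.start() - step * context)
                lo += (m.start() - lo) % step   # keep UTF-16 code units aligned
                hi = min(len(buf), m.end() + step * context)
                snippet = buf[lo:hi].decode(enc, errors="replace")
                hits.append({
                    "keyword": kw,
                    "encoding": enc,
                    "offset": m.start(),
                    "context": snippet,
                })
    hits.sort(key=lambda h: h["offset"])
    return hits


def missed_by_ascii_only(buf: bytes, keywords) -> set:
    """Keywords present in the buffer only in UTF-16LE form."""
    found = {}
    for h in search(buf, keywords):
        found.setdefault(h["keyword"], set()).add(h["encoding"])
    return {kw for kw, encs in found.items() if encs == {"utf-16-le"}}


def build_sample() -> bytes:
    """Constructed buffer: an ASCII path, a UTF-16LE string with two case
    variants of the keyword, and a keyword that exists only in UTF-16LE."""
    filler = b"\x00" * 32
    ascii_hit = b"C:\\Docs\\Invoice_2004.doc"
    utf16_hit = "Invoice Q3 INVOICE".encode("utf-16-le")
    utf16_only = "secret".encode("utf-16-le")
    return filler + ascii_hit + filler + utf16_hit + filler + utf16_only + filler


if __name__ == "__main__":
    sample = build_sample()
    for h in search(sample, ["invoice", "secret"]):
        print(f"{h['offset']:6d} {h['encoding']:9s} {h['keyword']!r}  {h['context']!r}")
    print("ASCII-only search would miss:", missed_by_ascii_only(sample, ["invoice", "secret"]))
```

Offsets are reported relative to the buffer searched; when the buffer is extracted unallocated space rather than a whole image, they still need mapping back to the original volume before they mean anything to another examiner.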

Other features & room for improvement

Both SMART and the SleuthKit have fantastic feature sets that complement each other nicely. Likewise, each has some irritating quirks or shortcomings that could be improved upon. Strong points shared by both are the ability to create and easily use custom hash sets to reduce the amount of irrelevant data the examiner must sift through. The logging of actions taken by the examiner (and in the case of Autopsy, by the tool itself) is extensive and comes in handy on the off chance that I forget to

Windows file examination

In the following section I will give a brief overview of some of the capabilities and usage of the tools available to forensics examiners using Linux to examine files specific to Windows targets, including the Recycle Bin, Internet Explorer history & cookies, Outlook and Outlook Express email, and the Windows registry.

Before I begin I'd like to take a brief moment to recognize the value of performing a routine virus scan of a target volume before beginning an examination. Since we do live in

Readpst & readoe

Outlook and Outlook Express are the email clients that a forensic examiner is most likely to encounter in the course of investigation, so it is fortunate that we have some Linux-based tools that can process the file formats used by these programs.

LibPST is a library for parsing Outlook PST files. It is bundled with a reference implementation named “readpst” which reads PST input and produces a number of specifiable output formats. The most useful of these formats are standard UNIX mbox format

Processing Windows registry hives

Windows registry keys are often of supreme evidentiary value – TypedURLs can show intent, Most Recently Used listings can demonstrate illegitimate access, and so on. Historically, the registry has been an extremely mysterious place, even from a native Windows host. All of the knowledge put into Linux-based registry tools has been garnered from reverse engineering the registry hives, and as such these tools are fairly limited. Currently, there exists one functional tool for viewing of registry

Cited by (7)

  • Automated Windows event log forensics

    2007, Digital Investigation
    Citation excerpt:

    This is in part the motivation for using native platform support that is addressed by breadth of features available in native Windows tools, including LogParser, for extracting and correlating such attributes. Altheide's (2004) survey of related tools for analysis on UNIX concludes that “One notable exception is the lack of a Linux-based Windows EVT viewer”. There remains a significant number of native Windows tools relevant to both event log analysis and other artifacts that are either able to parse artifacts in more detail or parse a wider range of artifacts.

  • Network forensics: Privacy and security

    2021, Network Forensics: Privacy and Security
  • Improving the detection and validation of inland revenue numbers

    2015, Australian Digital Forensics Conference, ADF 2015
  • Comparison between file carving from disk drive and disk image in open source environment

    2014, International Conference on Computing and Communication Technologies, ICCCT 2014
  • Automated Windows event log forensics

    2007, DFRWS 2007 Annual Conference
  • A term project for a course on computer forensics

    2006, ACM Journal on Educational Resources in Computing