Digital forensics

Computer forensics: Operating system forensics [updated 2019]

A computer’s Operating System (OS) is the collection of software that interfaces with computer hardware and controls the functioning of its pieces, such as the hard disk, processor, memory, and many other components. Forensic investigation on an OS can be performed because it is responsible for file management, memory management, logging, user management, and many other relevant details.

Learn Digital Forensics

Build your skills with hands-on forensics training for computers, mobile devices, networks and more.

Start Learning

The forensic examiner must understand OSs, file systems, and numerous tools required to perform a thorough forensic examination of the suspected machine. Modern OSs track a good deal of information that could become artifacts of evidentiary value on the eve of forensic examination.

What is Operating system forensics?

Definition: Operating System Forensics is the process of retrieving useful information from the Operating System (OS) of the computer or mobile device in question. The aim of collecting this information is to acquire empirical evidence against the perpetrator.

Overview: The understanding of an OS and its file system is necessary to recover data for computer investigations. The file system provides an operating system with a roadmap to data on the hard disk. The file system also identifies how hard drive stores data. There are many file systems introduced for different operating systems, such as FAT, exFAT, and NTFS for Windows Operating Systems (OSs), and Ext2fs, or Ext3fs for Linux OSs. Data and file recovery techniques for these file systems include data carving, slack space, and data hiding. Another important aspect of OS forensics is memory forensics, which incorporates virtual memory, Windows memory, Linux memory, Mac OS memory, memory extraction, and swap spaces. OS forensics also involves web browsing artifacts, such as messaging and email artifacts. Some indispensable aspects of OS forensics are discussed in subsequent sections.

What are the types of Operating systems?

The most popular types of Operating Systems are Windows, Linux, Mac, iOS, and Android.

Windows

Windows is a widely used OS designed by Microsoft. The file systems used by Windows include FAT, exFAT, NTFS, and ReFS. Investigators can search out evidence by analyzing the following important locations of the Windows:

• Recycle Bin: This holds files that have been discarded by the user. When a user deletes files, a copy of them is stored in recycle bin. This process is called “Soft Deletion.” Recovering files from recycle bin can be a good source of evidence.
• Registry: Windows Registry holds a database of values and keys that give useful pieces of information to forensic analysts. For example, see the table below that provides registry keys and associated files that encompasses user activities on the system.
• Thumbs.db Files: These have images’ thumbnails that can provide relevant information.
• Browser History: Every Web Browser generates history files that contain significant information. Microsoft Windows Explorer is the default web browser for Windows OSs. However, some other supported browsers are Opera, Mozilla Firefox, Google Chrome, and Apple Safari.
• Print Spooling: This process occurs when a computer prints files in a Windows environment. When a user sends a print command from a computer to the printer, the print spooling process creates a “print job” to some files that remain in the queue unless the print operation is completed successfully. Moreover, the printer configuration is required to be set in either EMF mode or RAW mode. In a RAW mode, the print job merely provides a straight graphic dump of itself, whereas with an EMF mode, the graphics are converted into the EMF image format (Microsoft Enhanced Metafile). These EMF files can be indispensable and can provide an empirical evidence for forensic purposes. The path to EMF files is:For Windows NT and 2000: Winntsystem32spoolprintersFor Windows XP/2003/Vista/2008/7/8/10: Windowssystem32spoolprintersOS forensic tools can automatically detect the path; there is no need to define it manually.            

A Real-world scenario involving print job artifacts

A love triangle of three Russian students led to a high-profile murder of one of them. A female defendant stalked her former lover for a couple of months in order to kill his new girlfriend. Once a day, she found the right moment and drove to her boyfriend’s apartment where his new girlfriend was alone. She murdered the girl and tried not to leave any evidence behind to assist the investigation process. However, she used used her computer extensively in the plotting of the crime, a fact that later provided strong material evidence during the entire process of her trail. For example, she made three printouts for directions from her home to her boyfriend’s apartment.

The forensic examiners took her computer into custody and recovered the spool files (or EME files) from her computer. Among one of the three pages within spool files provide substantial evidence against her (defendant). The footer at the bottom of the page incorporates the defendant’s address and her former lover’s address, including the date and time when the print job was performed. This evidence later proved to be a final nail in her coffin.

Linux

Linux is an open source, Unix-like, and elegantly designed operating system that is compatible with personal computers, supercomputers, servers, mobile devices, netbooks, and laptops. Unlike other OSs, Linux holds many file systems of the ext family, including ext2, ext3, and ext4. Linux can provide an empirical evidence if the Linux-embedded machine is recovered from a crime scene. In this case, forensic investigators should analyze the following folders and directories.

/etc    [%SystemRoot%/System32/config]

This contains system configurations directory that holds separate configuration files for each application.

/var/log

This directory contains application logs and security logs. They are kept for 4-5 weeks.

/home/$USER

This directory holds user data and configuration information.

/etc/passwd

This directory has user account information.

Mac OS X

Mac OS X is the UNIX-based operating system that contains a Mach 3 microkernel and a FreeBSD-based subsystem. Its user interface is Apple-like, whereas the underlying architecture is UNIX-like.

Mac OS X offers a novel technique to create a forensic duplicate. To do so, the perpetrator’s computer should be placed into a “Target Disk Mode.” Using this mode, the forensic examiner creates a forensic duplicate of perpetrator’s hard disk with the help of a Firewire cable connection between the two PCs.

iOS

Apple iOS is the UNIX-based operating system first released in 2007. It is a universal OS for all of Apple’s mobile devices, such as iPhone, iPod Touch, and iPad. An iOS embedded device retrieved from a crime scene can be a rich source of empirical evidence.

Android

Android is a Google’s open-source platform designed for mobile devices. It is widely used as the mobile operating system in the handsets industry. The Android operating system runs on a Linux-based kernel which supports core functions, such as power management, network infrastructure, and device drivers. Android’s Software Development Kit (SDK) contains a very significant tool for generic and forensic purposes, namely Android Debug Bridge (ADB). ADB employs a USB connection between a computer and a mobile device.

What are the examination steps in operating system forensics?

There are five basic steps necessary for the study of Operating System forensics. These five steps are listed below:

1. Policies and Procedure Development
2. Evidence Assessment
3. Evidence Acquisition
4. Evidence Examination
5. Documenting and Reporting

Data acquisition methods for operating system forensics

There are four Data Acquisition methods for Operating System forensics that can be performed on both Static Acquisition and Live Acquisition. These methods are:

Disk-to-image file: A forensic examiner can make a one or more than one copy of a drive under the operating system in question. The tools used for these methods are iLookIX, X-Ways, FTK, EnCase, or ProDiscover.

Disk-to-disk copy: This works best when the disk-to-image method is not possible. Tools for this approach include SnapCopy, EnCase, or SafeBack.

Disk-to-data file: This method creates a disk-to-data or disk-to-disk file.

The Sparse copy of a file: This is a preferable method if time is limited and the disk has a large volume of data storage.

For both Linux and Windows Operating Systems, write-blocking utilities with Graphical User Interface (GUI) tools must be used in to gain access to modify the files. A Linux Live CD offers many helpful tools for digital forensics acquisition.

Data analysis for operating system forensics

Forensic examiners perform data analysis to examine artifacts left by perpetrators, hackers, viruses, and spyware. They scan deleted entries, swap or page files, spool files, and RAM during this process. These collected artifacts can provide a wealth of information with regard to how malicious actors tried to cover their tracks and what they were doing to a system. For example, recall the above love triangle of Russian students. The female defendant’s print artifacts helped the forensic examiners to prove her culpability in the murder.

What tools are most useful when conducting operating system forensics?

Many tools can be used to perform data analysis on different Operating Systems. The most common tools are described below.

Cuckoo Sandbox

This tool is mainly designed to perform analysis on malware. Cuckoo Sandbox takes snapshots of virtual machines so that the investigator can compare the state of the system before and after the attack of malware. Since malware mostly attacks Windows OS, Windows virtual machines are used for this purpose. Figure 1 demonstrates malware’s behavior on a network.

Forensic toolkit for Linux

Forensic specialists use a forensic toolkit to collect evidence from a Linux Operating System. The toolkit comprises many tools such as Dmesg, Insmod, NetstatArproute, Hunter.O, DateCat, P-cat, and NC.

Table 1 shows the number of commands that the investigators can use to collect information from the compromised system embedded with Linux Operating System.

Helix

Helix is the distributor of the Knoppix Live Linux CD. It provides access to a Linux kernel, hardware detections, and many other applications.

Helix CD also offers some tools for Windows Forensics, such as:

• Asterisk Logger
• Registry Viewer
• Screen Capture
• File Recovery
• Rootkit Revealer
• MD5 Generator
• Command Shell
• Security Reports
• IE Cookies Viewer
• Mozilla Cookies Viewer

Figure 2 shows a screenshot from Helix.

X-Ways forensics

X-Ways Forensics offers a forensics work environment with some remarkable features, such as:

• Disk imaging and cloning, including under Disk Operating System (DOS)
• Compatible with UDF, CDFS, ext2, ext3, NTFS, and FAT
• Views and dumps the virtual memory of running processes and physical RAM
• Gathers inter-partition space, free space, and slack space
• Mass hash calculations for files
• Ensures data authenticity with write protection feature
• Automated files, signature check, and much more

Figure 3 shows the interface of an X-Ways Forensics.

Computer forensics boot camp courses

Did you find this article helpful? Are you an aspiring Certified Computer Forensics Examiner (CCFE) candidate, in the market for a computer forensics training class? InfoSec Institute offers a uniquely designed Authorized Computer Forensics Boot Camp Course for the students of the CCFE examination. You can join this course to get a professional CCFE certification.

Learn Digital Forensics

Build your skills with hands-on forensics training for computers, mobile devices, networks and more.

Start Learning

InfoSec Resources also offers thousands of articles on a variety of security topics