Operating System Forensics


#computer forensics #forensics toolkit #digital forensics #forensics visualization #forensics training #memory forensics #forensics tools #forensics experts #computer investigations #systems forensics #forensics specialist #forensic investigation #digital evidence #data capture #learning computer


Figure 1. Operating system forensics (source: https://www.osforensics.com/)


Operating system forensics is the process of extracting useful information from the operating system (OS) of a PC or mobile device under investigation.
Computer forensics is also used as part of data recovery, for gathering data from crashed servers, failed disks, OS reformats, or other situations in which a system has stopped working unexpectedly. In both civil and criminal justice systems, computer forensics helps to ensure that the digital evidence presented in judicial cases is accurate. Digital forensics is the process of preserving, identifying, extracting, and documenting digital evidence that may be used in court.

Figure 2. OS security (photo by unknown author, licensed under CC BY)

Registry Recon is a computer forensics tool used for extracting, recovering, and analysing Registry data from a Windows operating system. Memory forensics tools are used to capture or analyse the computer's volatile memory (RAM). They are frequently used in incident response to retain evidence in memory that would be lost if the system were shut down, and to quickly detect hidden malware by directly inspecting the operating system and other running software within memory. PALADIN provides over 100 tools useful in investigating any piece of malware. A Linux live CD offers many helpful tools for digital forensics acquisition, and forensics experts use the Forensics Toolkit for collecting evidence from the Linux operating system.

With a forensics stochastic approach, the computer is analysed from inside the operating system, as long as the computer or device is running, using the system's own tools. The forensics examiner needs to know about operating systems, file systems, and the various tools required for performing an aggressive forensic investigation on a suspected computer. Understanding an OS and its file systems is essential for recovering data to use in computer investigations. Operating Systems Forensics takes you through the critical components of an investigation and of OS functions, including file systems, data recovery, memory forensics, system configuration, Internet access, cloud computing, traceable artifacts, executable layouts, malware, and registry files.


In this section, we discuss some open-source tools available to perform operating system forensics. There are four data capture methods available for operating system forensics, which can be performed as either static or live capture. Sleuth Kit (with Autopsy) is a Windows-based utility that makes it easier to conduct forensics on a computer system. Businesses also use computer forensics to monitor information related to a system or network breach, which can be used for the identification and prosecution of cyberattacks. In Learning Computer Forensics, Jungwoo Ryoo explains that computer forensics is used to search for legitimate evidence on computers, mobile devices, or data storage units; a qualified digital forensics specialist knows where to look and what tools to use to access the evidence behind a criminal's crimes. Volatility Framework is one of the best tools for forensics visualization, which helps to verify a system's running state using data found in RAM.


Figure 3. Volatility framework (source: https://pentesttools.net/volatility-work)


Data Acquisition Methods For Operating System Forensics


#data capture #digital evidence #digital forensics #data acquisition #forensic data #evidence acquisition #forensics capture #forensic copies #forensic image #forensic tools #data replication #digital acquisition #acquisition technique #forensic cell phone #acquisition methods


This article highlights various techniques and tools for acquiring forensic cell phone data, as well as the methods used to apply them in mobile digital forensics. Forensic data acquisition is defined as creating forensic copies in order to extract the usable information stored on a digital device, using the different tools of mobile forensics. Data acquisition in digital forensics covers all procedures involved in gathering digital evidence, including the copying and replication of evidence from any electronic source. Logical data acquisition is extracting the user's data from the cell phone using forensic tools without touching the device's file system. The data acquisition technique is selected depending on the data type and the digital device.

There are various types of data acquisition methods, including disk-to-disk logical files, disk-to-disk replication, file or folder sparse data replication, and disk-to-image files.

1) Disk-to-image file: Depending on the operating system in question, a forensic investigator may create one or more image copies of a drive. Tools used for this approach include iLookIX, X-Ways, FTK, EnCase, and ProDiscover.

2) Disk-to-disk copy: When the disk-to-image approach cannot be used, a disk-to-disk copy is the best option. For this strategy, you can use SnapCopy, EnCase, or SafeBack.

3) Logical disk-to-disk or disk-to-data file: Disk-to-data or disk-to-disk files are created using this technique.

4) Sparse data copy: If time is of the essence and the disk holds a large amount of data, a minimal (sparse) copy of the records of interest is the preferred approach.

To obtain access to the files and make modifications, write-blocking programs with GUI tools must be used on both Windows and Linux OSs. Gathering evidence from larger drives is time-consuming, so investigators employ the logical or sparse data capture replication methods when time is limited. Investigators encounter similar problems in trying to obtain data from older drives and in creating disk-to-disk copies, bit by bit, of an original disk or diskette. Volatile data may be lost during system shutdown, so the aim of live acquisition is to minimize any form of data loss or alteration. In summary, real-time capture allows the acquisition of dynamic data, but it can also affect that data. In the case of post-mortem acquisition, the evidence is collected from the storage media of the powered-off system. If a single acquisition becomes corrupted, another is available for analysis.

Logical capture only captures the particular files that are relevant to a case, or a particular file type. A sparse capture is similar, but it also collects fragments of data that are unallocated (deleted); only use this technique when you do not need to explore the whole disk. With digital forensics capture, you typically have only one shot at collecting data correctly. If you handle your acquisitions poorly, you run the risk not only of damaging your investigation but, most critically, of corrupting the very data you would be using as evidence. You should also document your seizure and capture of the digital evidence. The method used for acquiring digital evidence also depends on whether the device is turned off or on. This article explains the methods used for data acquisition, including the methods that are used routinely during legal investigations.
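The disk-to-image method above, with the hash verification the text attributes to tools such as X-Ways, can be shown in a short script. This is an added example, not code from the page or from any of the tools it names; the examiner name is a labelled placeholder, and the source is assumed to sit behind a write blocker or be mounted read-only.

```python
"""Disk-to-image acquisition with hash verification (added example)."""
import hashlib
import json
import os
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # stream 1 MiB at a time so a large drive never has to fit in RAM


def sha256_of_file(path):
    """Hash a file in chunks; used to re-read the finished image for verification."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source, image_path, log_path, examiner="EXAMINER-PLACEHOLDER"):
    """Copy `source` (a block device such as /dev/sdb, or a file) byte for byte to
    `image_path`, hashing as it goes, then re-read the image and compare hashes.
    The source is assumed to be write-blocked or mounted read-only.
    Returns the acquisition record that is also written to `log_path` as JSON."""
    started = datetime.now(timezone.utc).isoformat()
    src_hash = hashlib.sha256()
    copied = 0
    with open(source, "rb") as src, open(image_path, "wb") as img:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)
            img.write(block)
            copied += len(block)
        img.flush()
        os.fsync(img.fileno())  # ensure the image is on disk before it is hashed
    record = {
        "source": source, "image": image_path, "examiner": examiner,
        "started_utc": started, "finished_utc": datetime.now(timezone.utc).isoformat(),
        "bytes_copied": copied,
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": sha256_of_file(image_path),
    }
    # False here means the copy cannot be trusted and the drive must be re-imaged.
    record["verified"] = record["source_sha256"] == record["image_sha256"]
    with open(log_path, "w") as log:
        json.dump(record, log, indent=2)
    return record
```

The JSON log is the "document your seizure and capture" step: it records who imaged what, when, how many bytes were copied, and the matching hashes.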


Figure 4. Data Acquisition in Digital Forensics



Data acquisition in digital forensics involves producing a forensic image of a digital device, such as a CD-ROM, hard disk, removable disk, smartphone, thumb drive, gaming console, server, or any other computing technology that may contain electronic data.


Logical data acquisition may be considered a full-fledged representation of the data stored on the actual flash memory of a mobile or other storage device, but the image files are created using forensic tools such as EnCase. Most proprietary formats and AFF (Advanced Forensic Format) files keep metadata about the acquired data within the image file. An intensive course on digital acquisition and data management gives both first responders and investigators the specialized skills needed to properly react, identify, collect, and retain data from a wide variety of storage devices and repositories, while ensuring that evidence integrity is unimpeachable.
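The logical (file-level) acquisition described above and in the earlier section on logical capture can be demonstrated with a small collector that copies only the file types relevant to a case and records a per-file manifest. This is an added example, not code from the page or from any named tool; the volume is assumed to be mounted read-only and the extension list is a constructed input.

```python
"""Logical (file-level) acquisition with a per-file hash manifest (added example)."""
import hashlib
import json
import os
import shutil
from datetime import datetime, timezone


def sha256_of_file(path):
    """Hash a file in 1 MiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def logical_acquire(volume_root, dest_dir, extensions, manifest_path):
    """Walk a mounted (read-only) volume, copy only files whose extension is in
    `extensions` into `dest_dir` with timestamps preserved, hash each copy against
    its original, and write a JSON manifest. Returns the manifest entries."""
    wanted = {e.lower() for e in extensions}
    entries = []
    for dirpath, _dirs, files in os.walk(volume_root):
        for name in sorted(files):
            if os.path.splitext(name)[1].lower() not in wanted:
                continue  # not a file type relevant to the case
            src = os.path.join(dirpath, name)
            rel = os.path.relpath(src, volume_root)
            dst = os.path.join(dest_dir, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)  # copy2 carries over the modification time
            st = os.stat(src)
            digest = sha256_of_file(src)
            entries.append({
                "path": rel,
                "size": st.st_size,
                "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "sha256": digest,
                # a mismatch here means the copy is not a faithful logical image
                "copy_verified": digest == sha256_of_file(dst),
            })
    with open(manifest_path, "w") as m:
        json.dump(entries, m, indent=2)
    return entries
```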

The world of cybercrime is constantly evolving, and so are the tools used for conducting OS forensics. These tools aid the forensic investigator by providing an analysis environment that is similar to the actual operating system being analysed. Three of the most commonly used tools for conducting OS forensics are Cuckoo Sandbox, Helix, and X-Ways Forensics.

1) Cuckoo Sandbox: This tool is a free, open-source sandbox in which you can run suspicious files to see whether or not they contain malware. It can also be used to analyse suspicious network traffic. It is compatible with Windows, Mac OS X, and Linux.


Figure 5. Cuckoo sandbox (source: https://cuckoo.readthedocs.io/en/0.3/usa)



2) Helix: Helix is an advanced malware analysis and incident response platform that supports both Windows and Linux operating systems. It provides access to the Linux kernel, hardware detection, and other applications. The Helix CD also offers tools for Windows forensics, such as Asterisk Logger, Registry Viewer, Screen Capture, File Recovery, Rootkit Revealer, MD5 Generator, Command Shell, Security Reports, IE Cookies Viewer, and Mozilla Cookies Viewer.


Figure 6. Helix framework (source: https://www.threatprotectworks.com/Helix)



3) X-Ways Forensics: This tool helps forensic investigators with data extraction, hash verification, and analysis of evidence found on seized computers. It can be used on both physical and virtual machines, as well as on mobile devices such as iOS or Android phones and tablets.


Figure 7. X-Ways Forensics kit (source: https://www.secureindia.in/?page_id=1128)




By:

Kaustubh Chavan (53)

Zuben Khan (56)

Arjun Lande (58)

Suraj Mane (62)

Comments

1. Great work🤗. I was looking for such easy information, thank you for providing this!!😄

2. Very informative blog. Learnt many things through this blog👍
