Forensic Cop Journal 1(2) 2009-Similarities and Differences Between Ubuntu and Windows on Forensic Applications
This journal describes the similarities and differences between Ubuntu and Microsoft Windows for forensic applications. Its aim is to broaden the view of forensic investigators on how to carry out the forensic examination of digital evidence properly.
Published by: Muhammad Nuh Al-Azhar on Oct 02, 2009
Copyright: Attribution Non-commercial
Forensic Cop Journal Volume 1(2), Oct 2009
 
http://forensiccop.blogspot.com
Similarities and Differences between Ubuntu and Windows on Forensic Applications
by Muhammad Nuh Al-Azhar, CHFI
MSc in Forensic Informatics from the University of Strathclyde, UK. Forensic Investigator at the Forensic Laboratory Centre of Indonesian National Police HQ.
 
Introduction
In dealing with computer crime, forensic investigators are faced with volatile digital evidence that must be recovered as soon as possible: the sooner it is recovered, the better the criminal investigators can handle the case, and it can make it easier for them to locate and catch the perpetrators. There are many ways to carry out a forensic investigation of computer crime. Although there is a wide range of techniques for this purpose, they essentially share the same goal, namely to recover the digital evidence and then present it in court.

There are two situations that forensic investigators often deal with: forensic analysis under Microsoft Windows and under a Linux OS such as Ubuntu. MS Windows and Ubuntu each have their own advantages and disadvantages for computer forensic examination. To some extent they have similarities, but in other respects they also have differences. This journal will describe the topic of "similarities and differences between Ubuntu and MS Windows on forensic applications". The description also includes practical examples of forensic tools in order to support the opinions expressed.
Research Preparation
To keep this research on track, I ran some experiments, based on my experience in investigating computer crime cases, with a 4 GB flash disk as the experimental object. I configured it into 3 partitions using the Partition Editor application in Ubuntu. The first partition is FAT32 with a size of 1000 MB, on which I installed Helix Forensics using the USB Startup Creator from Intrepid, so that it becomes a bootable flash disk that runs Helix Forensics live. I also put files with different extensions, such as pdf, doc, odt, ppt, jpg, odp and so on, into different folders, and then deleted some of these files. This first partition became one of the objects of the experiments. To keep the analysis focused, I limit the similarities to 5 points of view and the differences to 3 points of view.
Similarities
Based on the explanations, supported by experience and the experiments performed, there are at least 5 points of similarity between Ubuntu and MS Windows with regard to forensic analysis. They are:
1. Forensic Imaging
2. Registry Analysis
3. EXIF Metadata Analysis
4. Internet Explorer Analysis
5. Unallocated Clusters Recovery
Below is the description of each similarity.
Forensic Imaging 
This is the first thing to do when performing forensic analysis of hard drive evidence. If it is not handled appropriately, the subsequent phases of the forensic examination will be weak and may even be rejected by the court; therefore paying close attention to this phase is compulsory for forensic investigators. Because it is so crucial, there is a strict rule for forensic imaging, namely 'make an image with a bit-stream copy'. It can be a physical image from hard drive to hard drive, or from hard drive to an image file.

During the imaging process, the forensic investigators have to be able to ensure that nothing has changed, either in the hard drive or in the image file. To do this, the investigators can use hash value checking such as MD5, comparing the MD5 value of the hard drive evidence with that of the image file or cloned hard drive. If they match, the forensic imaging has worked well; otherwise it has failed and cannot be accepted for the next examination phases.

MS Windows and Ubuntu are similar on this point. Under Ubuntu, the forensic investigators can identify the device or partition they want to image with the 'fdisk -l' command, then image the selected device or partition with the 'dcfldd' command. After the imaging process finishes, they have to verify the MD5 hash value of the source against that of the target to ensure that nothing changed during the imaging process.
Figure 1. The use of the 'fdisk -l' command to confirm the devices and partitions attached to the machine.

Figure 2. The use of 'dcfldd' to perform imaging and 'md5sum' to obtain the MD5 hash value.
From the experiment described by the figures above, the MD5 hash value of partition 1 was 0171fbb2536ccd6c5fe6607743c9de17. This value is the same as the MD5 value of partition1.dd, which means the imaging process can be accepted for forensic purposes.

Under MS Windows, FTK Imager from AccessData was run to image the same partition 1. FTK Imager offers forensic investigators three image formats: Raw (dd), SMART and E01. In this case, Raw (dd) is the more appropriate choice for imaging partition 1. FTK Imager also provides a window for filling in miscellaneous case details such as the case number, evidence number, investigator name and so on. These data do not influence the imaging process or the MD5 hash value.
Figure 3. FTK Imager showing the partitions of the experimental flash disk.
After the imaging process finishes, FTK Imager runs a verification process to obtain the MD5 hash value of the image and compare it with the MD5 hash value of the source. In the experiment using FTK Imager above, the MD5 hash value of the source (drive) of partition 1 was 0171fbb2536ccd6c5fe6607743c9de17, the same as the MD5 hash value of the image.
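The Ubuntu side of the procedure above (choose the partition from 'fdisk -l', make a bit-stream copy with 'dcfldd', compare the MD5 hashes of source and image) as a shell script. This is an added example, not code from the original article: it uses dcfldd when it is installed and falls back to plain dd otherwise, and a constructed random file stands in for the partition device. The function names and temporary paths are assumptions.

```sh
#!/bin/sh
# Added example (not from the original article): bit-stream imaging with
# MD5 verification. The sample "evidence" below is a constructed file that
# stands in for a device node such as /dev/sdb1 chosen from 'fdisk -l' output.

# image_device SRC DST
# Bit-stream copy of SRC into DST. dcfldd also logs the MD5 of the data it
# read; plain dd is the fallback when dcfldd is not installed. bs=512 matches
# the sector size of a flash disk, so a bad sector padded by conv=sync keeps
# the rest of the image aligned. On a source whose size is not a multiple of
# bs, 'sync' pads the tail and the hashes would no longer match.
image_device() {
    src="$1"
    dst="$2"
    if command -v dcfldd >/dev/null 2>&1; then
        dcfldd if="$src" of="$dst" bs=512 conv=noerror,sync \
            hash=md5 hashlog="$dst.hashlog" 2>/dev/null
    else
        dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>/dev/null
    fi
}

# md5_of FILE: print only the hex digest (md5sum on Linux, md5 -q on BSD/macOS).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

# verify_image SRC DST: exit 0 when the MD5 of source and image match,
# 1 when they differ (the image must then be rejected, as the article says).
verify_image() {
    src_hash=$(md5_of "$1")
    img_hash=$(md5_of "$2")
    [ "$src_hash" = "$img_hash" ]
}

# make_sample_evidence FILE: construct 1 MiB of random data (a whole number
# of 512-byte sectors) to stand in for the partition being imaged.
make_sample_evidence() {
    head -c 1048576 /dev/urandom > "$1"
}

# Demo run, kept in a function so the file can also be sourced.
demo() {
    work=$(mktemp -d)
    make_sample_evidence "$work/partition1"
    image_device "$work/partition1" "$work/partition1.dd"
    if verify_image "$work/partition1" "$work/partition1.dd"; then
        echo "MD5 match: $(md5_of "$work/partition1.dd")"
    else
        echo "MD5 mismatch: image rejected"
    fi
    rm -rf "$work"
}

demo
```

To run this against a real partition, replace the constructed sample with the device node reported by 'fdisk -l' (for example if=/dev/sdb1, as root). Hashing the source means reading the device a second time after imaging, so the source should be attached through a write blocker, or at least never mounted read-write, because any write in between would invalidate the comparison rather than the image.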
