Digital Evidence on Windows Systems
October 29, 2016
Categorised in: Computer Forensic & Cyber Applications
Powerful commercial forensic tools have been developed to facilitate the forensic examination of Windows systems.
In addition to being familiar with the tools and techniques for acquiring and examining digital evidence from a computer running Microsoft Windows, digital investigators should develop a familiarity with the underlying operating systems, file systems, and applications.
Individuals who attempt to dabble in digital forensics without this underlying knowledge risk making fundamental mistakes that harm not only the case at hand but also the forensic discipline as a whole.
Understanding file systems helps investigators appreciate how information is arranged on disk, giving insight into where it can be hidden on a Windows system and how it can be recovered and analyzed.
An understanding of user accounts, file access controls, and general security on Windows operating systems is also necessary to answer questions like the following:
- Who had access to the system and files it contained?
- Was it possible for an outsider to gain unauthorized access to the system from the Internet?
Similarly, it is necessary to understand components such as Active Directory to locate and interpret digital evidence relating to systems that are part of a Windows domain.
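As an added illustration of the first question above (who had access to the system and the files it contained), the following PowerShell script is not from the original article; it lists the local accounts on an examined Windows system and the access control entries on a chosen path, and resolves each identity to its SID so it can later be matched against profile folders and registry hives. The path in $Target is a placeholder assumption.

```powershell
# Added example (not from the original article): enumerate who could access a
# file or folder on a Windows system and which local accounts exist.
# $Target is a placeholder; point it at the path under examination.
param(
    [string]$Target = 'C:\Users\Public\Documents'
)

# Local accounts, whether they are enabled, and the last recorded logon
Get-LocalUser |
    Select-Object Name, Enabled, LastLogon, SID |
    Format-Table -AutoSize

# Access control entries on the target, including inherited ones
$acl = Get-Acl -Path $Target
"Owner: $($acl.Owner)"
$acl.Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# Translate each identity to its SID: SIDs name the per-user registry hives
# (HKEY_USERS\<SID>) and survive account renames, which account names do not
foreach ($ace in $acl.Access) {
    $name = $ace.IdentityReference.Value
    try {
        $account = New-Object System.Security.Principal.NTAccount($name)
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
        "{0} -> {1}" -f $name, $sid.Value
    } catch {
        # Domain accounts cannot be resolved on a host that is offline or not domain-joined
        "{0} -> (could not resolve on this host)" -f $name
    }
}
```

When the evidence is a mounted disk image rather than a live system, Get-Acl still reads the NTFS security descriptors, but Get-LocalUser reports the accounts of the examination machine, not the imaged one; the imaged system's accounts must then be read from its SAM hive instead.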
When performing a functional reconstruction of a system or application to gain a better understanding of associated digital evidence, it is often desirable to perform empirical testing.
For instance, when investigating a computer intrusion, it may be useful to analyze a malicious program (e.g., SubSeven) to see what sorts of evidence it leaves behind on a system.
When investigating an online casino, it can be useful to understand more about the inner workings of any gambling programs they distribute to ensure that they do not disclose the investigator’s identity or expose the computer in a dangerous manner.
The three primary approaches to analyzing a program are to (a) examine the source code, (b) view the program in compiled form, and (c) run the program in a test environment.
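Approach (c), running a program in a test environment to see what evidence it leaves behind, is usually done by recording the state of a machine before and after the run and comparing the two. The following PowerShell functions are an added example, not code from the original article: they snapshot file hashes under a few directories and the values of two Run keys, and report what was added, modified or removed. The directories and registry keys are assumptions chosen for illustration; an investigator would extend them to the locations relevant to the case.

```powershell
# Added example (not from the original article): snapshot and compare locations
# where a program may leave traces, for use in an isolated test machine.
# The default paths and registry keys are illustrative assumptions.

function Get-ForensicSnapshot {
    param(
        [string[]]$Paths = @($env:TEMP, $env:APPDATA, $env:ProgramData),
        [string[]]$RegistryKeys = @(
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
        )
    )
    $entries = [System.Collections.Generic.List[object]]::new()

    # Files: identity is the full path, value is the SHA-256 of the content
    foreach ($p in $Paths) {
        foreach ($f in (Get-ChildItem -Path $p -Recurse -File -ErrorAction SilentlyContinue)) {
            $hash = Get-FileHash -Path $f.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            $entries.Add([pscustomobject]@{
                Kind  = 'File'
                Name  = $f.FullName
                Value = if ($hash) { $hash.Hash } else { '(unreadable)' }
            })
        }
    }

    # Registry: one entry per value under each persistence key
    foreach ($k in $RegistryKeys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
            $entries.Add([pscustomobject]@{
                Kind  = 'Registry'
                Name  = "$k\$($prop.Name)"
                Value = "$($prop.Value)"
            })
        }
    }
    return $entries
}

function Compare-ForensicSnapshot {
    param($Before, $After)
    $beforeMap = @{}
    foreach ($e in $Before) { $beforeMap[$e.Name] = $e.Value }
    $afterMap = @{}
    foreach ($e in $After)  { $afterMap[$e.Name]  = $e.Value }

    foreach ($e in $After) {
        if (-not $beforeMap.ContainsKey($e.Name)) {
            [pscustomobject]@{ Change = 'Added';    Kind = $e.Kind; Name = $e.Name }
        } elseif ($beforeMap[$e.Name] -ne $e.Value) {
            [pscustomobject]@{ Change = 'Modified'; Kind = $e.Kind; Name = $e.Name }
        }
    }
    foreach ($e in $Before) {
        if (-not $afterMap.ContainsKey($e.Name)) {
            [pscustomobject]@{ Change = 'Removed';  Kind = $e.Kind; Name = $e.Name }
        }
    }
}

# Usage inside the isolated test machine:
#   $before = Get-ForensicSnapshot
#   (run the program under study)
#   $after  = Get-ForensicSnapshot
#   Compare-ForensicSnapshot -Before $before -After $after | Format-Table -AutoSize
```

The comparison is only as good as the snapshot's coverage: a program that writes to a location outside the listed paths and keys will not show up, so the list should be built from what the program is expected to touch, and the test machine should be reverted to a clean state between runs so that traces of one run are not attributed to the next.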
DIGITAL EVIDENCE ON MOBILE DEVICES