Computer Forensics Systems Different Booting

Question :

Discuss these in terms of their relevance and volatility that impact how carefully, or quickly, the data from these areas needs to be retrieved. Include, at a minimum, data found in the MBR, registry, and swap file (pagefile).

How does the boot process differ between Unix, Macintosh, and Windows systems? Why is it important to a forensic investigator to understand how these systems differ when booting?

Answer :

Answer1

The data of interest to a forensic investigator would reside in running processes, network connections, process IDs, open network sockets, hard disk, DLL’s loaded for each process, and more of Linux System. 

Linux system is an open-source operating system. It could be installed on a supercomputer, personal computer, servers, etc. It has several file systems such as ext3 and ext4. With the help of the file system, the operating system could find a way to data on the hard disk. The file system also helps in identifying how hard drive as well as device stores forensic data. These file systems are also the place where the data of interest to a forensic investigator would reside. The technique of data, as well as file recovery for these file systems, includes data carving, data hiding, as well as slack space (Wang et al., 2016). The key feature of OS forensic is memory forensic that incorporates Linux memory, swapping, virtual memory, and memory extraction. The following tools could be used for digital forensic investigation; Forensic Toolkit for Linux, Helix, as well as Volatility. 

Answer2 

There is a significant difference between validation and verification based on the role of the specification. Validation can be defined as the process of analyzing and identifying whether the specification captures the needs of the client or not. On the other hand, verification can be defined as a process of analyzing and identifying that the software of a system meets the specification. Verification includes all those activities that are associated with producing high-quality software such as inspection, specification analysis, testing, design analysis, etc. It is a relatively objective process compared to validation because validation is used to make subjective assessments (Gräbner, 2018). Validation and verification play a very important role in providing relevant and valid evidence in the court of law. 

Answer3

Windows operating system is a software that has been designed in order to facilitate communication between the system and hardware to perform several operational tasks. The Windows operating system can store log records. It consists of file management that provides the user to store the data as well as a memory management structure. The features of the Windows operating system help the user or the investigator to perform their job with the help of forensic techniques (Irshad et al., 2019). The file system in the Windows operating system provides all stored data in the storage disk up to the root. The Windows operating system is also linked to browsers, emails, etc. It also maintains a file called recycle bin that works as temporary storage for deleted files or documents or items. It also contains a registry that maintains a database. The database consists of a key-value pair that provides the necessary information to the investigator in the form of pieces. With the help of various browsers, the Windows operating system can also help in retrieving history.

Answer4

The following are the steps of booting process in windows; 

• It goes through BIOS. 

• Then it goes through POST. 

• Further, it goes through the boot loader process.

• After that, it passes through the kernel process.

• Then it goes through the supporting file. 

The following are the steps of booting process in Linux;

• It also goes through BIOS. 

• Then it goes through POST. 

• After that, it goes through a boot loader process such as LiLo or GRUB process. 

• Then it goes through the kernel INIT process. 

• Then it goes through the supporting file. 

The following are the steps of booting process in Mac;

• It does not go through BIOS. 

• But it goes through POST. 

• Then it goes through the boot loader process.

• After that, it goes through kernel mach_init, launchd process. 

• Then it runs and goes through the supporting file. 

Importance 

The above-mentioned information is necessary for an investigator. The booting paradigm significantly differs for the three important operating systems such as Windows, Linux, as well as Mac. The booting process is the very first process that is executed by the operating system. Only after the booting process, any other processes can be performed. It is important to know the booting process in all operating systems from the security point of view in the field of computer forensic (Lee & Yoo, 2017). It will allow the investigator to carry out the investigation effectively. 

Answer5

The email header contains crucial routing information about the email an individual receives. The header of an email typically includes the detail of the subject of the email as well as the sender and receiver information along with the servers it has gone through on its way to the recipient. With the help of the header of the email, an investigator can easily find the IP address of the sender, internet service provider, location, and email client. Such information can be used to investigate the legitimacy of a suspicious email. Analyzing the header of an email can also help in identifying header spoofing which is one of the strong indications to identify an email sent with malicious content (Elisavet et al., 2016). There are several tools that could be used by an investigator to investigate an email. One of the key tools to investigate an email is Digital Forensic Framework. It is open-source software that is used by investigators in order to collect, preserve, as well as reveal digital evidence without compromising data and system.

Answer6

There are several challenges associated with performing a forensic investigation on a mobile device. In order to examine mobile devices successfully requires special knowledge as well as skills of mobile forensic experts. The first and foremost challenge associated with performing a forensic investigation on a mobile device is a platform. Mobile devices include several devices such as Tablets, Smartphones, Smartwatches, Drones, Navigation devices, etc. Dealing with different devices is one of the significant challenges for mobile forensic examiner because the examiner should be aware of the specialties of each device in order to extract data effectively. The second challenge is to identify the manufacturer the mobile devices. It sounds easy but possesses significant challenges for the investigator as there are hundreds of manufacturers and each manufacturer introduces an average of 15 versions of mobile devices every year (Indu et al., 2018). The third challenge is the connectors. In order to connect a mobile device successfully, the expert must select the appropriate plug. The next step is to identify the appropriate driver in order to establish a connection to the computer. It is also a challenge for the expert. Cellebrite Touch is a well-known as well as complete evidence extraction device that is widely used in a forensic investigation on a mobile device. 

Answer7

Steganography can be defined as a practice of concealing a message, video, file, or image in other files, messages, videos, or images. The information is encoded in other similar looking innocent files such as image files, video files, etc.

It is used by attackers or criminals to communicate with their partners about critical information about their plans. It also helps them to identify all networks that are under surveillance of police or intelligence agencies. They can use steganography to communicate secretly with their partners (Tao et al., 2018). They can encode the message in a simple image and hence the filtering system cannot detect the message because the system will consider it an image file. 

There are various tools that could be used to detect steganography such as Steganabara, Stegbeak, StegCraker, etc. 

Answer8

Volatile data can be defined as the data that is stored in volatile memory such as RAM. Volatile data should be considered to be a part of the digital forensic process. It helps in providing important as well as crucial information that could not be acquired by the traditional forensic process. Following traditional forensic processes could not help in identifying and analyzing the current state of the system, open ports, username as well as password, running processes, recently established connection, anti-forensic activities, traces of malware, unencrypted data as well as keys (Memaripour et al., 2020). But volatility would certainly help in identifying and analyzing such information that is crucial to conduct a forensic investigation.

Recovering the most volatile data

Mobile devices such as smartphones contain information to help in collecting evidence or to allow more informed decisions to be made. From the internal memory of the mobile devices, such information can be retrieved. There are several tools that could also be used to recover the most volatile data.

Answer9 

There are various challenges that could be faced by an investigator if he or she investigates a crime when data exists on a cloud service such as AWS. Data breaches are one of the most challenging threats that would be faced by the investigators if data exists on cloud services. Apart from this, in traditional forensic, the investigator has full access to the system as well as the process to investigate based on the requirement. But in the case, if data exists on cloud services such as AWS, the investigator could not access the system and the process because both the system and the process are beyond the access of the investigator (Peng et al., 2018). Deficiency of handling big data, distributed architecture, as well as lack of forensic tools and services are the key challenges of cloud services and hence the investigator must deal with these challenges. 

Answer10

a. The following potential digital evidence would help in resolving the case. The investigator should collect data on online communication from the app or site where they communicated. The investigator should also collect information from individuals who can provide information leading to the arrest of the criminal. Apart from this, digital evidence such as videos, images, audios, etc. can also help the investigator to solve the case. The IP address of the system should also be collected from the system from which he is logging.

b. Apart from the above information, the investigator should also look for phone call time, as well as the location of the phone call. Such information can be collected from the service provider and it will significantly help in solving the case by catching the kidnapper. 

References 

Elisavet, C., Romaios, B., Nikolaos, K., George, K., & Andreas, A. (2016). Email forensic tools: A roadmap to email header analysis through a cybercrime use case. Journal of Polish Safety and Reliability Association, 7(1), 21-28.

Gräbner, C. (2018). How to relate models to reality? An epistemological framework for the validation and verification of computational models. Journal of Artificial Societies and Social Simulation, 21(3).

Indu, I., Anand, P. R., & Bhaskar, V. (2018). Identity and access management in the cloud environment: Mechanisms and challenges. Engineering science and technology, an international journal, 21(4), 574-588.

Irshad, A., Maurya, R., Dutta, M. K., Burget, R., & Uher, V. (2019, July). Feature Optimization for Run-Time Analysis of Malware in Windows Operating System using Machine Learning Approach. In 2019 42nd International Conference on Telecommunications and Signal Processing (TSP) (pp. 255-260). IEEE.

Lee, Y., & Yoo, S. (2017). Secure Boot+ Measured Boot: Guaranteeing the Integrity of the Linux Booting Process. KIISE Transactions on Computing Practices, 23(8), 504-509.

Memaripour, A., Izraelevitz, J., & Swanson, S. (2020, March). Pronto: Easy and Fast Persistence for Volatile Data Structures. In Proceedings of the Twenty-Fifth International Conference on Architectural Support for Programming Languages and Operating Systems (pp. 789-806).

Peng, L., Dhaini, A. R., & Ho, P. H. (2018). Toward integrated Cloud–Fog networks for efficient IoT provisioning: Key challenges and solutions. Future Generation Computer Systems, 88, 606-613.

Tao, J., Li, S., Zhang, X., & Wang, Z. (2018). Towards robust image steganography. IEEE Transactions on Circuits and Systems for Video Technology, 29(2), 594-600.

Wang, H., Chen, Z., Xiao, G., & Zheng, Z. (2016). The network of networks in the Linux operating system. Physica A: Statistical Mechanics and its Applications, 447, 520-526.