Friday, March 1, 2013

Mac vs Windows pt.1


 Source: http://www.computer-forensics.net/

Windows
Forensic analysis can include, but is not limited to, the following areas.
  • Deleted File Recovery - When a file is sent to the Recycle Bin, Windows records its original name, path and deletion time.  On Windows 2000 and XP this is the INFO2 record in the RECYCLER folder; Vista and later instead keep a small $I metadata file beside each deleted $R file in $Recycle.Bin.  When the Recycle Bin is emptied the INFO2 record is reset (or the $I/$R pair is deleted), but the old records can often be recovered from unallocated space with carving tools.
  • Unallocated Space - Unallocated space is the portion of the disk not currently assigned to any file.  When a file is deleted, only the file system's pointers to it are removed; the data itself stays in unallocated space until it is overwritten.  Unallocated space can be keyword searched and data carved.
  • Data Carving - Many file types have a recognisable header (beginning) and footer (end).  A data carving utility searches the raw bytes for a known header and then tries to find the matching footer; when it succeeds, the bytes between them are recovered as a readable file.  Data carving is not always successful: the footer may have been overwritten, the file may be fragmented across non-adjacent clusters, or the format may have no fixed footer at all.
  • Data Wiping - Data wiping is the act of intentionally overwriting data to prevent recovery.  Wiping utilities sometimes leave remnants (the wiper's own installation, its logs, or a recognisable fill pattern) that can be searched for.  The unallocated space can also be reviewed: if a hard drive has been wiped, no meaningful data should exist in the unallocated space.
  • Link Files - Link (.lnk) files are shortcuts to other files.  Because Windows creates them automatically when a document is opened, link files can be examined to determine whether certain files were accessed and when.  Link files are also a good indicator of external media having been attached to the computer, such as a USB thumb drive, because they record the volume the target file lived on.
  • Attached USB Devices - The registry hives (SYSTEM, SOFTWARE and the user's NTUSER.DAT) and the setupapi.log file (setupapi.dev.log on Vista and later) can be checked, and often it can be determined when a USB device was first plugged in, along with its vendor, product and serial number.
  • Date / Time - Windows tracks the creation date (when the file first landed on the media), the last access date (when the file was last viewed or opened by a program) and the last modified or written date (the last time the contents were changed).  Using these dates and times, the examiner can build a timeline of the use of the computer.  One caveat: since Windows Vista, NTFS no longer updates last access times by default, so on newer systems that date cannot be relied on.
  • Metadata - Both system and program-specific metadata can be reviewed.  System metadata (see Date / Time) is created by the operating system for each file on the system.  Program-specific metadata can include such things as the last ten authors of an Office document, the date it was last printed, or the camera make, model and settings embedded in a photograph (EXIF).
  • Email - Email programs store the individual messages in a container (database) file, such as an Outlook PST or OST.  The examiner extracts the messages from the container into individual emails that can be keyword searched and reviewed.
  • Email (web based) - Web-based email can be reviewed by keyword searching and reviewing the HTML pages left behind in the Internet cache.
  • Internet History - Windows tracks Internet Explorer and other browser activity.  This is done to improve performance, but it can also be very useful in civil litigation.  Internet histories are built from the active history files (index.dat for Internet Explorer); forensic software can also carve Internet history files from unallocated space.
  • Windows Registry - The Windows registry can be reviewed for user-specific settings and other information, such as Internet searches completed and recently opened documents.
  • Virus / Malware - Using anti-virus tools, each hard drive can be scanned for viruses or malware and reports created.
  • MD5 Comparison - An MD5 hash (a mathematical digest of the contents of a file or device) is calculated for each file and compared against hash sets of known files, either to filter out known system files or to identify known suspect files.  MD5 is no longer collision resistant, so modern hash sets also carry SHA-1 or SHA-256 values, but for filtering against a trusted known-file set it remains usable.
  • Signature Analysis - Signature analysis uses the same header information as the data carving utility.  It is used to find files whose name or extension the user changed in order to hide them.  By comparing the file signature (header) with the extension, it can be determined what type of file it really is, or what program was used to create it.
  • File Listing - A complete file listing can be created of the entire device or media that includes the file location, file name and system metadata.
  • Keyword Searching - Keyword searching is used to review both active files and unallocated space for specific keywords that will help find the relevant documents.  CCF works with our clients to develop good keywords and searching strategies.
  • Document Review - Each document can be reviewed for relevant content.
  • Graphic File Review - Each graphic (picture) can be reviewed, depending on the nature of the case.  A cursory review is often done to search for TIFF files (pictures) that come from fax machines; these files are not keyword searchable, so the relevant ones can only be located by manually reviewing the graphics.
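Data carving, signature analysis and MD5 comparison all rest on the same idea: look at the bytes, not at the file name.  The following Python script is an added example (it is not code from computer-forensics.net or from the original post) that does all three on a small constructed buffer standing in for unallocated space.  The signature table, the sample files, the zero-filled "image" and the known-file hash set are all assumptions built for the example; they are not real evidence or a real hash set.

```python
"""Added example: carve files out of raw bytes by header/footer, check file
signatures against extensions, and filter known files with an MD5 hash set.
Every signature, sample file and hash below is constructed for illustration."""
import hashlib

# Header/footer pairs (assumption: a tiny subset of what a real carver such
# as foremost or scalpel ships with; many formats have no fixed footer).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}
MAX_CARVE = 10 * 1024 * 1024  # stop looking for a footer after 10 MiB


def carve(image, signatures=SIGNATURES):
    """Walk raw bytes (no file system involved) and return a sorted list of
    (offset, type, data) for each header that has a matching footer.
    A header with no footer in range is skipped: that carve fails, which is
    what "data carving is not always successful" means in practice."""
    found = []
    for ftype, (header, footer) in signatures.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start == -1:
                break
            end = image.find(footer, start + len(header), start + MAX_CARVE)
            if end == -1:
                pos = start + 1          # footer overwritten or file fragmented
                continue
            end += len(footer)
            found.append((start, ftype, image[start:end]))
            pos = end
    return sorted(found)


def identify(data, signatures=SIGNATURES):
    """Signature analysis: report the type the header says the file is."""
    for ftype, (header, _) in signatures.items():
        if data.startswith(header):
            return ftype
    return None


def extension_mismatches(files, signatures=SIGNATURES):
    """Return (name, claimed_ext, real_type) for files whose extension does
    not match their header, i.e. candidates for deliberately renamed files."""
    hits = []
    for name, data in files.items():
        ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
        real = identify(data, signatures)
        if real is not None and real != ext:
            hits.append((name, ext, real))
    return hits


def md5(data):
    # MD5 is fine for matching against a trusted known-file set, but it is
    # not collision resistant, so do not use it alone to prove that two
    # files supplied by an adversary are identical.
    return hashlib.md5(data).hexdigest()


def filter_known(files, known_hashes):
    """Hash-set comparison: drop files whose MD5 is in the known set."""
    return {name: data for name, data in files.items()
            if md5(data) not in known_hashes}


# Constructed sample data (not real files): minimal byte strings that carry
# only the headers and footers the carver keys on.
FAKE_JPEG = b"\xff\xd8\xff\xe0JFIF-sample-pixels\xff\xd9"
FAKE_PNG = b"\x89PNG\r\n\x1a\nIHDR-sample-chunks IEND\xaeB`\x82"
FAKE_PDF = b"%PDF-1.4\n1 0 obj<<>>endobj\n%%EOF"
ORPHAN_JPEG_HEADER = b"\xff\xd8\xff\xe1"   # its footer has been overwritten

# Constructed stand-in for unallocated space: zero fill with files embedded.
IMAGE = (b"\x00" * 64 + FAKE_JPEG + b"\x00" * 32 + ORPHAN_JPEG_HEADER
         + b"\x00" * 16 + FAKE_PNG + b"\x00" * 32 + FAKE_PDF + b"\x00" * 64)

# Constructed active files: notes.txt is a picture renamed to hide it.
FILES = {"report.pdf": FAKE_PDF, "notes.txt": FAKE_JPEG,
         "photo.jpg": FAKE_JPEG, "logo.png": FAKE_PNG}
# Constructed known-file hash set, standing in for a set of OS files.
KNOWN_HASHES = {md5(FAKE_PNG)}

if __name__ == "__main__":
    for offset, ftype, data in carve(IMAGE):
        print(f"carved {ftype} at offset {offset}, {len(data)} bytes")
    print("renamed files:", extension_mismatches(FILES))
    print("files not in hash set:", sorted(filter_known(FILES, KNOWN_HASHES)))
```

The orphan JPEG header in the buffer is deliberately left without a footer, so the carver skips it rather than swallowing everything up to the end of the image; a real carver adds size limits per type and handles formats whose footer appears more than once (embedded JPEG thumbnails, incremental PDF updates) that this example does not.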

Macintosh
One important difference with the Mac relates to "secure empty trash."  When this method is used the file contents are overwritten before the file is removed, so the files cannot be recovered by undeletion or data carving.
Forensic analysis of a Macintosh has several very distinct differences.  For the technically inclined, the following is a partial list.
  • OSX is Unix (BSD) based, not Linux based, and when a file is deleted it is often not recoverable.
  • OSX does not create INFO2 records that record when a file was deleted.
  • OSX does have unallocated space, but it contains far less usable data due to the way files are deleted.
  • OSX has a built-in wiping (erasing) utility that effectively destroys any chance of recovering the data.
  • OSX does not create temporary link files (pointers to files that were opened).
  • OSX uses alias files, which are intentionally created by the user.
  • OSX does not keep a record of what devices were attached to the Macintosh; a device is only visible while the computer is running with the device connected.
  • OSX does track system dates and times.  Finder shows only Created and Modified, but the HFS+ catalog actually stores created, content-modified, attribute-modified, accessed and backup timestamps, all of which are available to forensic tools.
  • OSX assigns a sequential File ID (the HFS+ catalog node ID) each time a file is created or written to the volume on the hard drive, so the IDs give a rough order in which files appeared on the volume.
  • OSX Mail and third-party email clients cannot be processed directly by the standard forensic or EDD tools; the mailboxes have to be extracted from the drive and then converted to a standard format before they can be processed.
  • OSX stores the Internet cache in one contiguous file, and it is limited compared to the PC Internet cache.
  • OSX stores user data primarily in the "user folder" (home directory) for a particular user.  This is configurable by the user.
  • OSX stores configuration data in multiple files and locations (property list files), unlike the Windows registry on a PC.
  • OSX is relatively free of malware and viruses, although not immune, so a scan is still worth running.
