

This journal describes the similarities and differences between Ubuntu and Ms Windows on forensic applications. Its aim is to broaden the view of forensic investigators on how to carry out forensic examination of digital evidence properly.


Forensic Cop Journal Volume 1(2), Oct 2009 http://forensiccop.blogspot.com


Similarities and Differences between Ubuntu and Windows on Forensic Applications

by Muhammad Nuh Al-Azhar, CHFI

MSc in Forensic Informatics, University of Strathclyde, UK. Forensic Investigator at the Forensic Laboratory Centre of Indonesian National Police HQ.

Introduction

In dealing with computer crime, forensic investigators are faced with volatile digital evidence that must be discovered as soon as possible: the sooner it is recovered, the better the criminal investigators can handle the case, and it can make the investigators' task of locating and catching the perpetrators easier. There are many ways to carry out a forensic investigation in cases of computer crime. Although there are many different techniques for this purpose, they essentially have the same goal, namely to recover the digital evidence and then present it in court.

There are two situations that forensic investigators often deal with: forensic analysis under Microsoft Windows and under a Linux OS such as Ubuntu. Ms Windows and Ubuntu each have their own advantages and disadvantages with regard to computer forensic examination. To some extent they have similarities, but in other cases they also differ. This journal describes the topic of “similarities and differences between Ubuntu and Ms Windows on forensic applications”. The descriptions also include practical examples of forensic tools in order to support the opinion.

Research Preparation

In order to keep this research on track, I made some experiments based on my experience in investigating cases of computer crime, by setting up a 4 GB flash disk as the experimental object. I configured it with 3 partitions using the Partition Editor application from Ubuntu. The first partition is FAT32 with a size of 1000 Mbyte, on which I installed Helix Forensics using the USB Startup Creator from Intrepid so that it became a bootable flash disk to run Helix Forensics live; I also put some files with different file extensions such as pdf, doc, odt, ppt, jpg, odp and so on in different folders, and some of these files were then deleted. The first partition becomes one of the objects of the experiments. To be more focused in the analysis, I limit the similarities to 5 points of view and the differences to 3 points of view.

Similarities

Based on the explanations, supported by experience and the experiments performed, there are at least 5 points of similarity between Ubuntu and Ms Windows with regard to forensic analysis. They are:

1. Forensic Imaging

2. Registry Analysis


3. EXIF Metadata Analysis

4. Internet Explorer Analysis

5. Unallocated Clusters Recovery

Below is the description of each similarity.

Forensic Imaging

This is the first thing to do when performing forensic analysis on hard drive evidence. If it is not handled appropriately, the next phases of the forensic examination will be weak and the evidence may even be refused by the court; therefore paying close attention to this phase is compulsory for forensic investigators. Because it is so crucial, there is a strict rule on forensic imaging, namely 'make an image with a bit stream copy'. It can be a physical image from hard drive to hard drive or from hard drive to an image file.

During the imaging process, the forensic investigators have to be able to ensure that nothing has changed in either the hard drive or the image file. To do this, the investigators can use hash value checking such as md5, by comparing the md5 value of the hard drive evidence with that of the image file or cloned hard drive. If they match, the forensic imaging has worked well; otherwise it has failed and cannot be accepted for the next examination phases.

Ms Windows and Ubuntu have similarities on this point. Under Ubuntu, the forensic investigators can select which device or partition they would like to image using the 'fdisk -l' command, then image the selected device or partition using the 'dcfldd' command. After the imaging process finishes, they have to verify the md5 hash value of the source against that of the target to ensure that nothing changed during imaging.

Figure 1 The use of 'fdisk -l' command to ensure about devices and partitions attached to the machine


Figure 2 The use of 'dcfldd' to perform imaging and 'md5sum' to gain md5 hash value

From the experiment described by the figures above, the md5 hash value of partition 1 was found to be 0171fbb2536ccd6c5fe6607743c9de17. This value is the same as the md5 value of partition1.dd, which means the imaging process can be accepted for forensic purposes.

Under Ms Windows, FTK Imager from AccessData was run in order to image the same partition1. FTK Imager offers forensic investigators three choices when making an image, namely Raw (dd), SMART and E01. In this case, Raw (dd) is the more appropriate choice for imaging partition1. FTK Imager also provides a window to fill in miscellaneous case details such as case number, evidence number, investigator name and so on. These data do not influence the imaging process or the md5 hash value.

Figure 3 FTK Imager showing a number of partitions from the experimental flashdisk

After the imaging process finishes, FTK Imager runs a verification process to obtain the md5 hash value of the image and compare it with the md5 hash value of the source. In the experiment using FTK Imager above, the md5 hash value of the source (drive) of partition1, 0171fbb2536ccd6c5fe6607743c9de17, is the same as the md5 hash value of the image.


Figure 4 FTK Imager verifies hash value between drive and image by using MD5 and SHA1

The md5 hash values obtained from dcfldd under Ubuntu 8.10 and from FTK Imager under Windows XP are the same. This means there is similarity in the forensic imaging process between Ubuntu 8.10 and Windows XP; therefore it is up to the forensic investigators which way they prefer.

Registry Analysis

The registry under Ms Windows OS stores much important information, such as the users and applications installed on a machine or the USB drives that have ever been attached to it; therefore it becomes one of the targets forensic investigators search.

In this experiment, a registry viewer application running under Ubuntu was used, with the registry from my experimental dual-boot machine as the object. Under Ubuntu, the cp command was run to copy 5 registry files from an experimental forensic image that was taken from a Windows machine:

/WINDOWS/system32/config/SAM

/WINDOWS/system32/config/SECURITY

/WINDOWS/system32/config/software

/WINDOWS/system32/config/system

/Documents\and\Settings/UserXP/NTUSER.DAT

After that, the regviewer application was run to analyse these files.

From /HKEY_LOCAL_MACHINE/SAM/Domains/Account/Users/Names, the list of users was obtained, namely Administrator, Guest, HelpAssistant, SUPPORT_388945a0 and UserXP.


Figure 5 /HKEY_LOCAL_MACHINE/SAM/Domains/Account/Users/Names shows the list of user accounts.

From /HKEY_LOCAL_MACHINE/ntuser.dat/Software and /HKEY_LOCAL_MACHINE/SOFTWARE, the list of companies along with their software installed on the target machine was obtained, such as AccessData with FTK and FTK Imager, Adobe with Acrobat Reader, America Online, BitComet and so on.

Figure 6 /HKEY_LOCAL_MACHINE/ntuser.dat/Software shows the list of software installed

From /HKEY_LOCAL_MACHINE/SYSTEM/ControlSet002/Enum/USBSTOR, the list of storage devices that have ever been attached to a USB port of the experimental machine was found, each with its unique entry, such as SanDisk-Cruzer, Fujitsu, Generic and so on.


Figure 7 /HKEY_LOCAL_MACHINE/ControlSet002/Enum/USBSTOR shows the list of storage media that were ever attached to the machine

Under Windows XP, the Alien Registry Viewer application from LastBit was used to analyse the five registry files above. There are actually many registry viewer applications running under Windows XP, but most of them are not stand-alone applications, so they cannot be used to analyse registry files copied from another machine.

When this application is run, a window asks the user to enter the source path where the registry files are located. After analysing the registry files, the result obtained was the same as the result from the registry viewer under Ubuntu 8.10, such as the list of users, the list of software installed and the list of USB storage devices that had ever been attached.

Figure 8 The list of USB storage devices attached to the machine, such as SanDisk, Fujitsu and so on

Based on the above results, registry analysis under Ubuntu and Ms Windows, using different applications on the same registry files, shows similarities in both process and result.


EXIF Metadata Analysis

EXIF, which stands for Exchangeable Image File Format, is the image file format specification with the addition of metadata tags for the JPEG, TIFF Rev. 6.0 and RIFF WAV file formats. The metadata tags cover date and time information, camera settings, a picture thumbnail, and description and copyright information.

This EXIF metadata is important and is often used to identify the originality of an image. Jpg files can be manipulated using picture editor applications such as Adobe Photoshop, but this affects the EXIF metadata, which changes too, such as the X and Y resolution, time stamps, picture editor software and so on; therefore the technique of recovering the EXIF information from a jpg file is often used by forensic investigators when dealing with cases of fake pictures.

For this experiment, there are 2 jpg files to be analysed in order to obtain the EXIF metadata using the exiftool command under Ubuntu. These files are an original jpg file and a fake jpg file. The fake jpg file was manipulated from the original jpg file.

Under Ubuntu, exiftool was run from the command console on the first jpg file, and it gave the EXIF information shown below (see figure 9):

File Modification Date/Time: 2008:02:16 08:46:38
X Resolution: 72
Y Resolution: 72
Resolution Unit: inches
Exif Version: 0210
Thumbnail Offset: 274
Thumbnail Length: 2185
Encoding Process: Baseline DCT, Huffman coding
Image Size: 640 x 480

Figure 9 The exiftool gives the EXIF information such as File Modification Date/Time, X Resolution, Y Resolution, Exif Version and so on.

This EXIF information is then analysed and compared with the EXIF information of the second jpg file in order to decide the originality of the picture file. For the second jpg file, exiftool displays the EXIF information shown below (see figure 10):

File Modification Date/Time: 2008:02:16 09:36:46
X Resolution: 524
Y Resolution: 524
Resolution Unit: inches
Software: Adobe Photoshop 7.0
Exif Version: 0210
Thumbnail Offset: 372
Thumbnail Length: 3825
Encoding Process: Baseline DCT, Huffman coding
Image Size: 320 x 238

Figure 10 The exiftool displays the EXIF information of fake jpg file containing Software, RGB Tone Reproduction Curve and so on

By analysing the EXIF information of both files above, the forensic investigators can conclude that the second jpg picture is fake, because the EXIF information records the software, Adobe Photoshop, that was used to manipulate the picture, along with RGB Tone Reproduction Curve information and so on. There are also differences in File Modification Time, X Resolution, Y Resolution, Thumbnail Offset, Thumbnail Length and Image Size between the original and the fake.
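The comparison above can be reproduced without exiftool or IEXIF by reading the EXIF block directly. The following Python script is an added example, not code from the paper or from either tool: it walks the JPEG marker segments, parses IFD0 of the APP1/Exif TIFF block, and lists the tags whose values differ between an original and a suspect file. The two JPEGs are constructed in-line (metadata only, no picture data) and carry the resolution, software and date values the paper reports in figures 9 and 10; the date is stored as the EXIF DateTime tag here, an assumption, since the paper's figures show the file modification time.

```python
"""Minimal EXIF reader for comparing an original JPEG with an edited copy."""
import struct

TAG_NAMES = {0x011A: "XResolution", 0x011B: "YResolution", 0x0128: "ResolutionUnit",
             0x0131: "Software", 0x0132: "DateTime"}
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8}          # BYTE, ASCII, SHORT, LONG, RATIONAL


def build_exif_jpeg(entries):
    """Constructed sample: SOI, one APP1/Exif segment (little-endian TIFF, IFD0 only), EOI.
    entries: (tag, value) pairs; value is str (ASCII), int (SHORT) or (num, den) (RATIONAL)."""
    n, ifd, extra = len(entries), b"", b""
    data_off = 8 + 2 + 12 * n + 4                    # values longer than 4 bytes go after the IFD
    for tag, val in entries:
        if isinstance(val, str):
            payload = val.encode("ascii") + b"\x00"
            typ, cnt = 2, len(payload)
            if cnt <= 4:
                field = payload.ljust(4, b"\x00")
            else:
                field = struct.pack("<I", data_off + len(extra))
                extra += payload
        elif isinstance(val, tuple):
            typ, cnt = 5, 1
            field = struct.pack("<I", data_off + len(extra))
            extra += struct.pack("<II", *val)
        else:
            typ, cnt = 3, 1
            field = struct.pack("<H", val) + b"\x00\x00"
        ifd += struct.pack("<HHI", tag, typ, cnt) + field
    tiff = b"II*\x00" + struct.pack("<IH", 8, n) + ifd + struct.pack("<I", 0) + extra
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def read_exif(jpeg):
    """Return {tag name: value} from IFD0 of the first APP1/Exif segment, or {} if none."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD8, 0xD9):                   # SOI/EOI carry no length field
            pos += 2
            continue
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        body = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and body.startswith(b"Exif\x00\x00"):
            return _parse_ifd0(body[6:])
        if marker == 0xDA:                           # start of scan: entropy-coded data follows
            break
        pos += 2 + seg_len
    return {}


def _parse_ifd0(tiff):
    endian = {b"II": "<", b"MM": ">"}[tiff[:2]]      # byte order declared in the TIFF header
    ifd_off = struct.unpack(endian + "I", tiff[4:8])[0]
    count = struct.unpack(endian + "H", tiff[ifd_off:ifd_off + 2])[0]
    result = {}
    for i in range(count):
        e = ifd_off + 2 + 12 * i
        tag, typ, cnt = struct.unpack(endian + "HHI", tiff[e:e + 8])
        size = TYPE_SIZE.get(typ, 1) * cnt
        if size > 4:                                 # value stored out of line, field is an offset
            off = struct.unpack(endian + "I", tiff[e + 8:e + 12])[0]
            raw = tiff[off:off + size]
        else:
            raw = tiff[e + 8:e + 8 + size]
        if typ == 2:
            value = raw.rstrip(b"\x00").decode("ascii", "replace")
        elif typ == 3:
            value = struct.unpack(endian + "H", raw[:2])[0]
        elif typ == 4:
            value = struct.unpack(endian + "I", raw[:4])[0]
        elif typ == 5:
            num, den = struct.unpack(endian + "II", raw[:8])
            value = num / den if den else None
        else:
            value = raw
        result[TAG_NAMES.get(tag, "Tag%04X" % tag)] = value
    return result


def compare_exif(original, suspect):
    """{tag: (original value, suspect value)} for every tag that differs or is missing on one side."""
    keys = set(original) | set(suspect)
    return {k: (original.get(k), suspect.get(k)) for k in keys if original.get(k) != suspect.get(k)}


# Constructed samples mirroring the paper's original and edited pictures
ORIGINAL_JPEG = build_exif_jpeg([(0x011A, (72, 1)), (0x011B, (72, 1)), (0x0128, 2),
                                 (0x0132, "2008:02:16 08:46:38")])
EDITED_JPEG = build_exif_jpeg([(0x011A, (524, 1)), (0x011B, (524, 1)), (0x0128, 2),
                               (0x0131, "Adobe Photoshop 7.0"), (0x0132, "2008:02:16 09:36:46")])

if __name__ == "__main__":
    for tag, (before, after) in sorted(compare_exif(read_exif(ORIGINAL_JPEG), read_exif(EDITED_JPEG)).items()):
        print("%-15s %r -> %r" % (tag, before, after))
```

Running the script on the two constructed files lists XResolution, YResolution, DateTime and a Software tag that exists only in the edited copy, which is the same reasoning the paper applies to figures 9 and 10. The parser reads only IFD0; tags such as Exif Version live in the Exif sub-IFD and would need one more IFD walk.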

On the Ms Windows machine, IEXIF-Professional from Opanda was run to carry out the same forensic analysis on these jpg files, in order to obtain the EXIF information and decide the originality of an image.

From the original jpg file, EXIF information such as Date/Time, X Resolution, Y Resolution, Resolution Unit, Exif Version, Thumbnail Offset, Thumbnail Length, Encoding Process and Image Size was found, with the same values as in the EXIF analysis above using exiftool under Ubuntu.


Figure 11 Opanda IEXIF displays the EXIF information of the original jpg file, which is the same as the EXIF information produced by exiftool

From the fake jpg file, Opanda IEXIF shows the same EXIF information as exiftool under Ubuntu produced, such as Date/Time, X Resolution, Y Resolution, Resolution Unit, Software, Exif Version, Thumbnail Offset, Thumbnail Length, Encoding Process and Image Size.

From the experiments on EXIF Metadata Analysis above, it can be concluded that the EXIF recovery/viewer applications under Ubuntu and Ms Windows produce the same result. These findings show the similarity between Ubuntu and Ms Windows on EXIF Metadata Analysis.

Internet Explorer Analysis

Most computer users in the world use Microsoft Windows as their operating system, especially Windows XP, because most applications, whether commercial or freeware, are compatible with it. Forensic investigators have to take this into account, because the most frequent evidence comes from Windows XP machines, including evidence from Internet Explorer, which is installed by default by Microsoft. Internet Explorer is often used by users for browsing the internet, accessing email and so on.

In this experiment, the analysis of Internet Explorer traces was carried out under Ubuntu in order to obtain the activity history of Internet Explorer. The tool used is the pasco command. For this experiment, the 'Local Settings' directory containing temporary internet files such as index.dat was copied from the experimental machine as the object of examination; after that the command 'pasco index.dat > IEAnalysis.txt' was run, and the result of this command is the file IEAnalysis.txt. If the investigators open this file with vi, the content is displayed irregularly, so they have to use a spreadsheet application such as OpenOffice Spreadsheet, Gnumeric Spreadsheet and so on, so that they can analyse the use of Internet Explorer easily and in more detail.

Figure 12 The result of the pasco command displayed regularly using a spreadsheet application

From the pasco command, the list of Internet Explorer activities was found, with time stamps (modified and accessed), file name and http headers of websites that had been visited by the user. Below are some of the websites:

http://www.liputan6.com, http://www.forensicfocus.com, http://www.jsfce.com, http://certified-computer-examiner.com, http://www.utica.edu, http://en.wikipedia.org and so on, which were visited by the user on 17 December 2008 from 7.35am till 8am.
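The irregular display in vi comes from pasco writing one tab-separated record per line with some fields empty. The following Python script is an added example, not code from the paper or from pasco: it reads the header line to learn the column names, parses the two time-stamp columns, narrows the records to a time window such as the 7.35am to 8am period above, and writes CSV that any spreadsheet opens cleanly. The column layout and the mm/dd/yyyy time-stamp format are assumptions about pasco's output (compare with the header line your pasco build prints), and SAMPLE is constructed to mirror the visits reported above.

```python
"""Parse pasco's tab-separated index.dat listing, filter by access time, export CSV."""
import csv
import io
from datetime import datetime

TIME_FORMAT = "%m/%d/%Y %H:%M:%S"            # assumed pasco time-stamp layout
TIME_COLUMNS = ("MODIFIED TIME", "ACCESS TIME")

# Constructed sample in pasco's style (not real pasco output)
SAMPLE = (
    "History File: index.dat\n\n"
    "TYPE\tURL\tMODIFIED TIME\tACCESS TIME\tFILENAME\tDIRECTORY\tHTTP HEADERS\n"
    "URL\tVisited: UserXP@http://www.liputan6.com\t12/17/2008 07:35:10\t12/17/2008 07:35:10\t\t\t\n"
    "URL\tVisited: UserXP@http://www.forensicfocus.com\t12/17/2008 07:41:02\t12/17/2008 07:41:02\t\t\t\n"
    "URL\tVisited: UserXP@http://en.wikipedia.org\t12/17/2008 07:58:30\t12/17/2008 07:58:30\t\t\t\n"
    "URL\tVisited: UserXP@http://www.utica.edu\t12/16/2008 22:10:00\t12/16/2008 22:10:00\t\t\t\n"
)


def parse_time(text):
    """datetime for a pasco time-stamp field, or None when the field is empty or malformed."""
    try:
        return datetime.strptime(text.strip(), TIME_FORMAT)
    except ValueError:
        return None


def parse_pasco(text):
    """List of {column: value} dicts; the line starting 'TYPE<tab>' names the columns."""
    header, records = None, []
    for line in text.splitlines():
        if header is None:
            if line.startswith("TYPE\t"):
                header = line.split("\t")
            continue                              # skip the 'History File:' banner and blanks
        if not line.strip():
            continue
        fields = line.split("\t")
        fields += [""] * (len(header) - len(fields))   # the ragged part that looks odd in vi
        rec = dict(zip(header, fields))
        for col in TIME_COLUMNS:
            rec[col] = parse_time(rec.get(col, ""))
        records.append(rec)
    return records


def bare_url(field):
    """Strip the 'Visited: user@' prefix pasco keeps in the URL field."""
    if field.startswith("Visited:") and "@" in field:
        return field.split("@", 1)[1]
    return field


def visits_between(records, start_iso, end_iso):
    """(access time, url) pairs whose ACCESS TIME lies in [start, end), oldest first."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    hits = [(r["ACCESS TIME"], bare_url(r["URL"])) for r in records
            if r["ACCESS TIME"] is not None and start <= r["ACCESS TIME"] < end]
    return sorted(hits)


def to_csv(records):
    """CSV text for a spreadsheet, with time stamps rendered in ISO form."""
    if not records:
        return ""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(records[0].keys()))
    writer.writeheader()
    for r in records:
        writer.writerow({k: (v.isoformat(sep=" ") if isinstance(v, datetime) else v)
                         for k, v in r.items()})
    return out.getvalue()


if __name__ == "__main__":
    recs = parse_pasco(SAMPLE)
    for when, url in visits_between(recs, "2008-12-17 07:35", "2008-12-17 08:00"):
        print(when, url)
    print(to_csv(recs))
```

Reading the column names from the header rather than hard-coding positions keeps the script working if a pasco build prints the columns in a different order, and the time window makes the "from 7.35am till 8am" observation above a repeatable query rather than something read off a spreadsheet by eye.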

Under Ms Windows, TotalRecall was run, and the result showed the activity history of Internet Explorer, namely the URL addresses visited by the user, including modification time, access time, file name and http headers. These data are the same as what the pasco command produced above, such as http://www.liputan6.com, http://www.forensicfocus.com, http://www.jsfce.com, http://certified-computer-examiner.com, http://www.utica.edu, http://en.wikipedia.org and so on, with their access times on 17 December 2008 from 7.35am till 8am.

Figure 15 TotalRecall under Windows XP displays the same result as the pasco command in analysing Internet Explorer activities


From the experiments above on Internet Explorer history analysis, the examination results show that forensic analysis performed under Ubuntu 8.10 and under Windows XP is similar and gives the same result, including the details of the websites visited such as access time, http headers and so on.

Unallocated Clusters Recovery

One request often made to forensic investigators is deleted file recovery, in order to obtain more evidence related to the case. When a file is deleted, the clusters occupied by the file are marked by the OS as 'unallocated' in the file allocation table. This means the clusters can be used by the OS to store a new file, which will then overwrite the deleted file. As long as the unallocated clusters are not yet occupied by other files, the deleted files can be recovered perfectly; otherwise the deleted files cannot be recovered, but there is still a possibility of obtaining partial data of deleted files from 'slack', which extends from the end of the file to the end of the cluster.
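The two situations described above (a deleted file whose clusters are still free, and one whose first clusters have been reused, leaving only slack and the untouched tail) can be shown on a toy volume. The following Python model is an added example, not code from the paper or from Autopsy or FTK; its on-disk layout is invented for illustration (a fixed 64-byte cluster, a free/used table standing in for the file allocation table, and a directory that keeps a deleted entry's start cluster and size, as a FAT directory entry does), so it demonstrates the mechanism rather than any real file system.

```python
"""Toy FAT-style volume: deletion only frees clusters, so data survives until overwritten."""

CLUSTER = 64  # bytes per cluster (constructed value)


class ToyVolume:
    def __init__(self, clusters=8):
        self.image = bytearray(CLUSTER * clusters)   # raw 'disk' contents
        self.allocated = [False] * clusters          # allocation table: True = cluster in use
        self.directory = {}                          # name -> {"start", "size", "deleted"}

    @staticmethod
    def _needed(size):
        """Number of clusters a file of `size` bytes occupies (at least one)."""
        return max(1, -(-size // CLUSTER))

    def write_file(self, name, data):
        """Store data in the first contiguous free run; clusters are NOT wiped before reuse."""
        n = self._needed(len(data))
        free = [i for i, used in enumerate(self.allocated) if not used]
        for i in range(len(free) - n + 1):
            run = free[i:i + n]
            if run[-1] - run[0] == n - 1:            # contiguous run found
                break
        else:
            raise OSError("no contiguous free run of %d clusters" % n)
        start = run[0]
        for c in run:
            self.allocated[c] = True
        self.image[start * CLUSTER:start * CLUSTER + len(data)] = data
        self.directory[name] = {"start": start, "size": len(data), "deleted": False}
        return start

    def delete_file(self, name):
        """Mark the entry deleted and free its clusters; the bytes on disk are untouched."""
        entry = self.directory[name]
        entry["deleted"] = True
        for c in range(entry["start"], entry["start"] + self._needed(entry["size"])):
            self.allocated[c] = False

    def recover_deleted(self, name):
        """(data, intact): reads the old extent; intact is False once any cluster was reused."""
        entry = self.directory[name]
        start, size = entry["start"], entry["size"]
        n = self._needed(size)
        intact = not any(self.allocated[start:start + n])
        return bytes(self.image[start * CLUSTER:start * CLUSTER + size]), intact

    def slack_of(self, name):
        """Bytes from the end of a live file to the end of its last cluster."""
        entry = self.directory[name]
        end = entry["start"] * CLUSTER + entry["size"]
        cluster_end = (entry["start"] + self._needed(entry["size"])) * CLUSTER
        return bytes(self.image[end:cluster_end])


def demo():
    """Write, delete, recover; then reuse part of the space and see what survives."""
    vol = ToyVolume()
    a = bytes(range(200))          # constructed file A: 4 clusters, 56 bytes of slack
    vol.write_file("A", a)
    vol.delete_file("A")
    recovered, intact = vol.recover_deleted("A")       # nothing reused yet: perfect recovery
    vol.write_file("B", b"B" * 70)                     # B reuses A's first two clusters
    partial, intact_after = vol.recover_deleted("A")   # first 70 bytes now belong to B
    slack = vol.slack_of("B")                          # A's bytes 70..127 sit in B's slack
    return {
        "full_recovery": recovered == a and intact,
        "intact_after_reuse": intact_after,
        "tail_survives_unallocated": partial[128:] == a[128:],
        "slack_holds_old_data": slack == a[70:128],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-28s %s" % (k, v))
```

The model makes the two claims above concrete: while A's clusters stay unallocated the whole file comes back byte for byte, and after B reuses the first two clusters the recovered A is corrupt, yet A's tail is still readable from the unallocated clusters and A's bytes 70 to 127 are still present as B's cluster slack. Real file systems differ in how much of the chain a deleted entry retains, which is why the same recovery in Autopsy or FTK may report different confidence per file.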

For this reason, experiments using Autopsy running under Ubuntu were performed to carry out unallocated sector recovery. The object of this experiment is the deleted files in the image file partition1.dd from the previous experiment I performed on forensic imaging. After running the 'sudo autopsy' command, typing 'http://localhost:9999/autopsy' in the Firefox browser and entering the input data such as case name, host name, image location and so on, the Autopsy window is displayed, containing the choices available to forensic investigators, such as file analysis, keyword search, file type, image details, metadata and data unit. In my point of view, Autopsy is one of the powerful forensic tools I know.

Through file analysis, some deleted files were found in the 'c:\ExperimentMaterials\Documents' directory, including their written date, accessed date, created date, size and metadata. The deleted files are 'Additional Papers for Strathclyde.doc', 'Alien Song.mpg', 'Analisa EnCase Cloned 1.ppt', 'CHFA v3 Module 01 Computer Forensic in Todays World.pdf' and so on. Deleted picture files were also found in the directory 'c:\ExperimentMaterials\Pictures'.

Figure 16 Through Autopsy, the deleted files can be recovered including time stamps and metadata


The experimental results above are the same as the results obtained when running Forensic Toolkit (FTK), which is one of my favourite forensic tools for deleted file recovery.

Under Ms Windows, FTK was run; after entering input data such as investigator name, case number, evidence to add and so on, FTK displayed a window containing the details of partition1.dd, such as encrypted files, deleted files, emails, documents, spreadsheets, graphics, slack/free space and so on. FTK can also display the files in a tree like Windows Explorer, which makes it easy for the investigators to analyse files or folders.

Figure 17 FTK shows deleted files from the partition1.dd image file, including their time stamps

From the deleted tab, it was found that there are some deleted files, both documents and pictures, such as 'Additional Papers for Strathclyde.doc', 'Alien Song.mpg', 'Analisa EnCase Cloned 1.ppt', 'CHFA v3 Module 01 Computer Forensic in Todays World.pdf' and so on, including their time stamps. These deleted files can also be displayed in hex, text or native format.

Analysing the results of the experiments above, there is a similarity in the forensic analysis of unallocated clusters recovery between Ubuntu and Ms Windows, in that they produce the same result for deleted files, which can also be extracted or exported and saved for further analysis.

Differences

Besides similarities, there are also differences between Ubuntu and Ms Windows related to forensic analysis. To a certain extent, these differences make Ubuntu more flexible, while in other respects they make Windows XP more familiar and much easier to operate.

Based on the descriptions, experiments and experience, there are at least 3 differences between Ubuntu and Ms Windows on forensic analysis, namely:


1. Commercial versus Freeware

a. Cost of Applications

b. User Interface

2. Blocks Imaging

3. The Bridge of Wine

Below is the description of each difference.

Commercial versus Freeware

Cost of Applications

The big difference between Ubuntu and Ms Windows on forensic analysis is the cost of applications: they are mostly commercial under Ms Windows but mostly freeware under Ubuntu. Therefore carrying out forensic analysis under Ms Windows requires a great amount of money to buy forensic tools, whereas investigators performing forensic analysis under Ubuntu do not need to purchase forensic tools, because they are open source and mostly freeware, with community support.

For instance, according to http://www.digitalintelligence.com on 2 October 2009, below is the price list of some well-known forensic tools under Microsoft Windows:

The price of EnCase Forensic Version 6 from Guidance Software is US$ 3,600 for corporate standard and US$ 2,850 for government / law enforcement

The price of Forensic Toolkit (FTK) 2.0 from AccessData is US$ 3,835

The price of Paraben’s Device Seizure used for analysing mobile phone is US$ 1,040

On the other hand, there is no charge at all for most forensic tools under Ubuntu, such as The Sleuthkit, Autopsy (the GUI version of Sleuthkit), dcfldd, exiftool, pasco, regviewer, Ghex, foremost, Py-Flag, AIR, md5deep, ntfsprogs and so on.

User Interface

All forensic tools under Ms Windows use a Graphical User Interface (GUI), which makes it much easier for the forensic investigators, as users, to operate the applications in order to obtain the best examination result. The expensive price buys the users ease of use through the GUI.

On the other side, most forensic tools under Ubuntu or Linux are based on the command console, so the forensic investigators have to understand the command line to run them, such as dcfldd, exiftool, foremost, md5sum and so on; but there are also GUI-based forensic tools such as Autopsy, regviewer, Py-Flag, AIR and so on. These GUI-based tools actually originate from command line tools too, such as AIR from dcfldd for forensic imaging, Autopsy from The Sleuthkit commands and so on.


Blocks Imaging

Forensically sound blocks imaging is a small thing, but it makes a significant difference between Ubuntu and Ms Windows on partial imaging of digital evidence such as hard drives, flash disks and so on. Partial imaging means the forensic investigators do not need to image the whole hard drive; they can select which blocks to image, and this option is expected to speed up the examination process.

The forensic investigators can use the dcfldd command to arrange this. For instance, to obtain only the first 572 Mbyte of the first partition of the 4 GB experimental flash disk used in the previous experiment, the investigators can run this command:

dcfldd if=/dev/sdb1 of=partition1a.dd conv=notrunc,noerror,sync hashwindow=512 hashlog=Partition1aHash.md5 bs=146484 count=4096

With the command above, the partition1a.dd image file was produced with 4096 blocks.

Figure 18 dcfldd command is used to image the first 572 Mbyte of 4 GB flash disk

With dcfldd, the forensic investigators can also set up the forensic imaging as they want. For instance, from the 4 GB experimental flash disk above consisting of 3 partitions, the investigators can image the whole of partition 1 (1 GB in size) together with half of partition 2 (1 GB in size) by running this command:

dcfldd if=/dev/sdb of=partition1and2.dd conv=notrunc,noerror,sync hashwindow=512 hashlog=Partition1and2Hash.md5 bs=366210 count=4096


Figure 19 dcfldd command is used to image the first 1430 Mbyte of 4 GB flash disk

From this command, the image file partition1and2.dd will be 1430 Mbyte in size with 4096 blocks. These blocks will then be examined for further analysis, so that the investigators can save time in imaging and analysis. As far as I know and have experienced, this technique might not be found in forensic imaging tools running under Ms Windows such as FTK Imager and EnCase. In my point of view, the technique of blocks imaging on Ubuntu makes the dcfldd command better and more flexible than imaging tools running under Ms Windows.
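The two dcfldd procedures in this paper, the full bit-stream image verified with md5sum in the Forensic Imaging section and the bs/count block selection above, are the same copy loop with different parameters. The following Python script is an added example, not code from the paper or from dcfldd: an ordinary file stands in for /dev/sdb1, the copy is done block by block with a running digest and a per-window hash log in the style of hashwindow/hashlog, and the image is verified against the source (or against the imaged prefix of the source in the partial case). It also works out the size a bs/count pair selects, so the 572 and 1430 Mbyte figures above can be checked before imaging.

```python
"""Bit-stream imaging with digest verification and windowed hashing, dcfldd-style."""
import hashlib
import os
import tempfile


def image_device(src_path, dst_path, bs=512, count=None, hashwindow=0, algo="md5"):
    """Copy `count` blocks of `bs` bytes (all blocks when count is None) from src to dst.

    Returns (bytes_copied, digest_of_image, window_digests); window_digests holds one
    digest per `hashwindow` bytes of image data, like dcfldd's hashlog. A short final
    read is zero-padded to a full block, mirroring conv=sync.
    """
    overall, windows = hashlib.new(algo), []
    win_hash, win_fill, copied, blocks = hashlib.new(algo), 0, 0, 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        while count is None or blocks < count:
            chunk = src.read(bs)
            if not chunk:
                break
            chunk = chunk.ljust(bs, b"\x00")          # conv=sync: pad a short block
            dst.write(chunk)
            overall.update(chunk)
            copied += len(chunk)
            blocks += 1
            if not hashwindow:
                continue
            off = 0
            while off < len(chunk):                   # feed the block into the window hash
                take = min(hashwindow - win_fill, len(chunk) - off)
                win_hash.update(chunk[off:off + take])
                win_fill += take
                off += take
                if win_fill == hashwindow:            # window complete: record its digest
                    windows.append(win_hash.hexdigest())
                    win_hash, win_fill = hashlib.new(algo), 0
    if hashwindow and win_fill:
        windows.append(win_hash.hexdigest())          # log the partial last window too
    return copied, overall.hexdigest(), windows


def hash_file(path, algo="md5", length=None, chunk=1 << 20):
    """Digest of a file, or of its first `length` bytes: what md5sum would print."""
    h, remaining = hashlib.new(algo), length
    with open(path, "rb") as f:
        while remaining is None or remaining > 0:
            data = f.read(chunk if remaining is None else min(chunk, remaining))
            if not data:
                break
            h.update(data)
            if remaining is not None:
                remaining -= len(data)
    return h.hexdigest()


def verify_image(src_path, dst_path, algo="md5", length=None):
    """True when the source (or its imaged prefix) and the image have the same digest."""
    return hash_file(src_path, algo, length) == hash_file(dst_path, algo, length)


def partial_image_size_mib(bs, count):
    """Size selected by a bs/count pair, in MiB (the paper's 'Mbyte')."""
    return bs * count / (1024 * 1024)


def self_check():
    """Run the workflow on a constructed 2048-byte 'device' and report what it found."""
    data = bytes(range(256)) * 8                      # constructed source content
    with tempfile.TemporaryDirectory() as tmp:
        src, full, part = (os.path.join(tmp, n) for n in ("sdb1", "full.dd", "part.dd"))
        with open(src, "wb") as f:
            f.write(data)
        n_full, d_full, wins = image_device(src, full, bs=512, hashwindow=1024)
        n_part, d_part, _ = image_device(src, part, bs=512, count=2)
        return {
            "full_bytes": n_full,
            "full_ok": verify_image(src, full),
            "full_digest_matches_source": d_full == hashlib.md5(data).hexdigest(),
            "windows": len(wins),
            "part_bytes": n_part,
            "part_ok": verify_image(src, part, length=n_part),
            "part_digest_matches_prefix": d_part == hashlib.md5(data[:1024]).hexdigest(),
        }


if __name__ == "__main__":
    print(self_check())
    print("bs=146484 count=4096 ->", int(partial_image_size_mib(146484, 4096)), "MiB")
    print("bs=366210 count=4096 ->", int(partial_image_size_mib(366210, 4096)), "MiB")
```

Two points the script makes explicit: a partial image must be verified against the same byte range of the source, not the whole device, or the digests will never agree; and conv=sync padding means a source whose length is not a multiple of bs will produce an image whose digest differs from the source's, so the block size should divide the evidence size (512 does for any partition).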

The Bridge of Wine

One of the amazing tools under Ubuntu is Wine. Through this application, the forensic investigators can run some Windows XP applications properly on an Ubuntu machine, whereas there is no such application under Windows XP.

Through Wine, Ms Office Password Recovery from Elcomsoft can be installed on an Ubuntu machine. This application is often used by forensic investigators to recover passwords from Ms Office files. This Password Recovery application can actually only run under Windows XP and cannot run on an Ubuntu machine, but through Wine it becomes possible.

Figure 20 Ms Office Password Recovery application of Ms Windows can run under Ubuntu through Wine


For this experiment, an Ms Word file was set up with password protection for opening the file. Through Wine, the Password Recovery tool was run under Ubuntu to recover the password. The result was excellent: the password was recovered successfully.

Figure 21 Ms Office password recovery application running under Ubuntu shows the results of password recovery.

To a certain extent, the Wine application shows the advantage of Ubuntu in forensic analysis by running some Ms Windows forensic tools on an Ubuntu machine.

Conclusion

The investigators can perform forensic analysis under either Ubuntu or Ms Windows when dealing with a case of computer crime. To a certain extent, both operating systems have many similarities, so the forensic investigators need not be confused when deciding which operating system is suitable for carrying out a particular analysis. Based on the descriptions above, there are at least 5 points of similarity between Ubuntu and Ms Windows XP with regard to forensic analysis, namely:

1. Forensic Imaging

2. Registry Analysis

3. EXIF Metadata Analysis

4. Internet Explorer History Analysis

5. Unallocated Clusters Recovery

Besides similarities, there are also differences between Ubuntu and Ms Windows related to forensic analysis. To a certain extent, these differences make Ubuntu more flexible, while in other respects they make Ms Windows more familiar and much easier to operate. Based on the descriptions above, there are at least 3 differences between Ubuntu and Ms Windows on forensic analysis, namely:


1. Commercial versus Freeware

a) Cost of Applications

b) User Interface

2. Blocks Imaging

3. The Bridge of Wine

Bibliography

Anson, S. and Bunting, S. (2007). Mastering Windows Network Forensics and Investigation. Indianapolis: Wiley Publishing, Inc.

Casey, E. (2004). Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet. 2nd edition. London: Elsevier Academic Press.

Carrier, B. (2005). File System Forensic Analysis. London: Addison – Wesley.

Digital Intelligence. (2009). Encase Forensic Version 6. Available: http://www.digitalintelligence.com/software/guidancesoftware/encase/. Last accessed 2 October 2009.

Digital Intelligence. (2009). Forensic Toolkit 2.0. Available: http://www.digitalintelligence.com/software/accessdata/forensictoolkit2/. Last accessed 2 October 2009.

Digital Intelligence. (2009). Device Seizure. Available: http://www.digitalintelligence.com/software/parabenforensictools/deviceseizure/. Last accessed 2 October 2009.

Elcomsoft. (2009). Advanced Office Password Recovery. Available: http://www.elcomsoft.com/aopr.html. Last accessed 2 October 2009.

Ferguson, I. (2008). Lab Session Guidance of CS 936: Media Imaging. Glasgow: CIS Department of University of Strathclyde.

Ferguson, I. (2008). Lab Session Guidance of CS 936: Physical Searching. Glasgow: CIS Department of University of Strathclyde.

Ferguson, I. (2008). Lab Session Guidance of CS 936: Registry Examination. Glasgow: CIS Department of University of Strathclyde.

Janusware. (2009). Total Recall. Available: http://www.janusware.com/fetch.php?page=212. Last accessed 2 October 2009.

Last Bit. (2009). Alien Registry Viewer. Available: http://lastbit.com/arv. Last accessed 2 October 2009.

Opanda. (2009). IEXIF for Win98/Me/2000/XP. Available: http://www.opanda.com/en/iexif. Last accessed 2 October 2009.

Weir, G. and Smeed, D. (2008). Lab Session Guidance of CS 935: Forensics Analysis using Vinetto, Pasco and Mork.pl. Glasgow: CIS Department of University of Strathclyde.