Volume 6, Issue 8, August – 2021 International Journal of Innovative Science and Research Technology

ISSN No:-2456-2165

Computer Forensics:
Data Recovery Perspective over Windows and Unix
Kaustubh Aggarwal*, Dr. Shravan Kumar Garg**
*M.Tech Scholar, CSE Department, S.I.T.E, Swami Vivekanand Subharti University, Meerut, India
**Professor, CSE Department, S.I.T.E, Swami Vivekanand Subharti University, Meerut, India

Abstract:- Nowadays, illegal access to computer systems is increasing rapidly, which is why the need for computer security has grown. This gave birth to the need for computer forensics to obtain evidence of those attacks. This paper presents the analysis of digital evidence on the Windows and Unix platforms. The various methods used by digital hackers to wipe out information on electronic storage media, and the corresponding recovery approaches taken by forensic experts, are discussed.

I. INTRODUCTION

Due to the rapid development of information technology, the computer has become a powerful mechanism, bringing convenience not only to ordinary people but also to criminals. Compared with traditional evidence, digital evidence has different properties. The extraction of evidence in the form of data from computer systems has raised new challenges for the law and for information technology. The term "computer forensics" was introduced at the first international conference of IACIS (International Association of Computer Specialists), held in 1991. It was the main theme for the first time at the annual meeting of the 13th session of FIRST (Forum of Incident Response and Security Teams), held in 2001. Afterwards, computer forensics became a hot research topic. This paper covers (a) computer forensics, (b) forensic analysis on Windows and (c) forensic analysis on Unix. Computer forensics can be defined as the discipline that combines computer science with elements of evidence extracted from computers for use in court proceedings. The term "essential" refers to procedure at a fundamental level, such as the tiny components of the medium or the bits and bytes of an individual area. The term "uncover" refers to the presentation of some part of the evidence that is not accessible through ordinary perception.

II. COMPUTER FORENSICS

Computer forensics can be defined as the discipline that combines computer science with elements of evidence extracted from computers, networks, storage devices and wireless communications in such a way that they serve as evidence in court proceedings.

A. Computer Forensic technology

A SANS article gives the following definition [1]: computer forensics makes use of software and tools, according to pre-defined procedures, for the comprehensive examination of computer systems to extract and protect evidence of computer-related crime. A computer forensics investigation should follow certain measures to guarantee the validity, completeness and objectivity of the proof to the greatest possible degree. Computer evidence has the following attributes in contrast with traditional evidence:
(i) Computer evidence is extremely vulnerable, perishable and precise.
(ii) The evidence is intensively hidden.
(iii) Computer evidence is multimedia based.
(iv) The evidence is collected swiftly, is easily stored and occupies little room. It is also effortlessly transported and can be reproduced.

Computer forensic evidence is divided into two types, static and dynamic, according to the trait of the evidence. Static evidence remains on the hard disk or other storage media and is known as "later" evidence: after an intrusion, the system is analyzed using different technologies and methodologies to acquire evidence of the attack. Dynamic evidence is obtained by monitoring running systems or networks; dynamic analysis is performed in intrusion detection, honeypot and trap technology, and real-time digital data is obtained from it.

B. Course of Action of Computer Forensics

A four-step process is followed in computer forensics:

• Acquisition:
Getting access to the computer either physically or remotely, and mapping the networks and external storage devices attached to the system.

• Authentication:
While acquiring evidence, care must be taken that the evidence is not modified; in other words, authentication ensures that the evidence has not been modified throughout the investigation. If the evidence is altered, it is not accepted by a court of law. Investigators authenticate the evidence by generating a checksum, usually with one of the most commonly used algorithms, MD5 or SHA.
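The checksum step of the Authentication phase, shown as working code. This is an added example written for this edit, not code from the paper; it uses Python's standard hashlib and a constructed sample "image" written to a temporary directory, and the function names (hash_stream, verify_image, acquire_and_verify_demo) are assumptions of the example. It records both an MD5 and a SHA-256 digest at acquisition in one pass over the data, then re-hashes the working copy and reports which digests no longer match.

```python
"""Added example: authenticating a bit-stream image by checksum.

The digests taken at acquisition are stored with the chain-of-custody notes;
any later verification that does not reproduce them means the image has changed.
MD5 is kept because the paper names it, but MD5 collisions are practical, so a
SHA-2 digest is recorded alongside it and the verdict requires both to match.
"""
import hashlib
import io
import os
import shutil
import tempfile

ALGORITHMS = ("md5", "sha256")
CHUNK = 1 << 20  # read 1 MiB at a time so multi-gigabyte images never need to fit in RAM


def hash_stream(stream, algorithms=ALGORITHMS):
    """Return {algorithm: hexdigest} for a binary file-like object, all digests in one pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=ALGORITHMS):
    """Convenience wrapper for in-memory data (used by the tests)."""
    return hash_stream(io.BytesIO(data), algorithms)


def hash_file(path, algorithms=ALGORITHMS):
    with open(path, "rb") as f:
        return hash_stream(f, algorithms)


def verify_image(acquisition_record, image_path):
    """Re-hash the image and compare with the digests recorded at acquisition.

    Returns (ok, mismatched_algorithms); ok is True only if every recorded digest matches.
    """
    fresh = hash_file(image_path, tuple(acquisition_record))
    mismatched = [alg for alg in acquisition_record if fresh[alg] != acquisition_record[alg]]
    return (not mismatched, mismatched)


def acquire_and_verify_demo():
    """Constructed walk-through: acquire, verify the copy, then detect a single flipped byte."""
    with tempfile.TemporaryDirectory() as workdir:
        suspect_disk = os.path.join(workdir, "suspect_disk.bin")   # stands in for the raw device
        evidence_image = os.path.join(workdir, "evidence.dd")      # stands in for the bit-stream copy
        with open(suspect_disk, "wb") as f:
            f.write(b"CONSTRUCTED SAMPLE DISK CONTENT " * 4096)
        record = hash_file(suspect_disk)        # digests taken at acquisition time
        shutil.copyfile(suspect_disk, evidence_image)
        ok_before, _ = verify_image(record, evidence_image)
        with open(evidence_image, "r+b") as f:  # simulate one byte of the copy being altered
            f.seek(100)
            original = f.read(1)
            f.seek(100)
            f.write(bytes([original[0] ^ 0x01]))
        ok_after, mismatched = verify_image(record, evidence_image)
        return ok_before, ok_after, mismatched


if __name__ == "__main__":
    print(acquire_and_verify_demo())  # (True, False, ['md5', 'sha256'])
```

Because the verdict is computed from the digests themselves, the same functions serve at every hand-over of the evidence: re-run verify_image against the stored record and log the result with the date and the examiner's name.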

IJISRT21AUG146 www.ijisrt.com 11
• Analysis:
Analysis of the evidence is the most tedious step in a computer forensics investigation. It is the phase in which the crimes are unfolded by the investigator.

• Evaluation:
The recovered information is assessed so that it can be used against the suspect for prosecution in court.

III. ORIGIN OF DIGITAL EVIDENCE

Digital evidence is sourced from the targeted system's host and network data. The crucial information extracted from the host is as follows:
• System log files
• Data and program files
• Swap files
• Temp files
• Free disk space and system buffers

The information obtained from network data is as follows:
• Firewall logs
• Intrusion Detection System logs
• Network communication link records
• Information on network devices

IV. FORENSIC ANALYSIS

The collection and analysis of data is the foremost part of any investigation; it is how the incriminating evidence is obtained. Forensic analysis is executed on a copy rather than on the suspect's computer, to prevent damage to or alteration of the data on the suspect's hard drive. The data on the hard drive is copied to another drive, which is used for further investigation. Images or copies are made by copying bit by bit from the suspect's hard drive to the other storage device. This process of copying and storing images is known as a bit-stream backup. Copying bit by bit ensures that the whole content is copied; otherwise unallocated data (such as deleted files), swap space, bad sectors and slack space would not be copied [2]. A goldmine of evidence may be held in these unusual spaces on the hard drive [3]. The main facets of forensic analysis are tracking hacking activities, recovering data shared over the internet and recovering data from the target machine. In this paper, our main highlight is data recovery from the target system. The following techniques can be used for destroying data:
• Damaging the disk in such a way that it can't be used again.
• Deletion of data.
• Overwriting the data, making it unrecoverable.
• Demagnetizing the drive, making it of no use.

Analyzing data on Windows and Unix is quite different, so the two are presented separately.

A. Windows based forensic analysis

Windows is the most extensively used operating system despite being unreliable and prone to crashing. To execute a fruitful investigation, investigators must know about Windows and its behavior; knowledge of file allocation and deletion is needed for the recovery of data. Our centre of attention in this paper is the file system used in Windows 2000 and above. NTFS stores the attributes of files and folders in a system file called the Master File Table or MFT [4]. For a forensic analyst, the most interesting MFT attributes are the filename, the MAC times (date and time of last modification, access and creation of a file) and the location of the data. Apart from folders, index entries are additional attributes that attract the interest of the forensic analyst. These are the MFT entries of the files in a particular folder; if the folder's information is not present in its record, it can be found in an index buffer (space outside the MFT that holds index entries). NTFS writes data to the disk in whole chunks known as clusters. To keep track of cluster allocation on the disk, NTFS uses the system file $BITMAP, in which a single bit indicates whether each cluster is allocated. When a file is created, its bits are set in $BITMAP, an MFT record is created and an index entry is added to the parent folder's record; the clusters holding the file's data are tracked in its MFT record. After deletion of a file, its bits in $BITMAP are set to zero and its MFT record is marked as deleted. If the deleted file was the last entry in the MFT, the record remains visible and is recoverable. When a new record is created, NTFS overwrites deleted MFT records; if no new records have been created in the MFT, the records marked for deletion are not overwritten, and useful file attributes, and possibly the data itself (if it fit in the record), can be recovered as well [4]. Even after the records have been overwritten in the MFT, recovery of the deleted file may be attainable: if the file data was large, some residue must have been left in the clusters. As the forensic analyst has a complete copy of the suspect's hard drive, the analyst can search for the data with a hex editor or some other forensic tool. The analyst can also compare an allocated, renamed file with a deleted one in unallocated space; if the files are found to be the same, it acts as proof against the suspect, and the MAC times help to prove that the suspect had knowledge of the file. The analyst can also inspect the Recycle Bin, as it contains the files deleted by the user. A file moved to the Recycle Bin holds a record of when it was created, when it was modified and the location from which it was deleted; such information is helpful in proving the suspect's guilt. If the user deletes the file from the Recycle Bin, its information is stored in the INFO file, and a deleted INFO file can be inspected if it has not been overwritten. File slack is another area of the disk from which deleted data can be retrieved: the space between the end of a file and the end of the cluster in which it resides is termed file slack. Apart from this, when RAM runs short, the OS writes data out to a different place known as swap space, where residues of recently deleted files can be found. The analyst can also investigate the cached files formed during internet access with Internet Explorer.
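The allocation and deletion mechanism just described for NTFS (a $BITMAP bit per cluster, a metadata record per file, an index entry carrying the name, file slack in the last cluster) is the same mechanism the Unix section below describes with a block bitmap, inodes and directory entries, so one toy model serves both. The following Python program is an added example written for this edit; it is not code from the paper or from any tool it names. The ToyVolume class, its 16-byte clusters, the sample file contents and the card-number-like search pattern are all constructed for illustration. It shows that deletion clears the bitmap and detaches the name but leaves the cluster contents in place, that the deleted record's attributes survive until a new record reuses the slot, that a file-by-file (logical) copy misses what a bit-stream image captures, and how a Lazarus-style regular-expression keyword search over the raw image finds the residue.

```python
"""Added example: toy cluster-based volume showing what deletion leaves behind.

Constructed for illustration: not NTFS or a Unix file system, only the shared
mechanism (allocation bitmap + metadata record + name entry) both sections describe.
"""
import re

CLUSTER_SIZE = 16   # bytes per cluster/block (tiny, so slack is easy to see)
CLUSTER_COUNT = 16  # the whole volume is 256 bytes of raw "media"


class ToyVolume:
    def __init__(self):
        self.disk = bytearray(CLUSTER_SIZE * CLUSTER_COUNT)  # raw media, what a bit-stream image copies
        self.bitmap = [False] * CLUSTER_COUNT  # one flag per cluster, like NTFS $BITMAP / a block bitmap
        self.records = []    # metadata records, like MFT records or inodes: size + cluster list
        self.directory = {}  # name -> record index, like an index entry or a Unix directory entry

    def _allocate(self, count):
        free = [i for i, used in enumerate(self.bitmap) if not used][:count]
        if len(free) < count:
            raise OSError("volume full")
        for i in free:
            self.bitmap[i] = True
        return free

    def _cluster(self, c):
        return bytes(self.disk[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE])

    def write_file(self, name, data):
        clusters = self._allocate(-(-len(data) // CLUSTER_SIZE))  # ceiling division
        for k, c in enumerate(clusters):
            chunk = data[k * CLUSTER_SIZE:(k + 1) * CLUSTER_SIZE]
            # Only len(chunk) bytes are written; the rest of the last cluster keeps
            # whatever was there before. That leftover region is the file slack.
            self.disk[c * CLUSTER_SIZE:c * CLUSTER_SIZE + len(chunk)] = chunk
        record = {"name": name, "size": len(data), "clusters": clusters, "deleted": False}
        # A freed record slot is reused first: this is what overwrites a deleted MFT record.
        free_slots = [i for i, r in enumerate(self.records) if r["deleted"]]
        if free_slots:
            index = free_slots[0]
            self.records[index] = record
        else:
            self.records.append(record)
            index = len(self.records) - 1
        self.directory[name] = index
        return index

    def delete_file(self, name):
        index = self.directory.pop(name)       # name detached (directory entry now unused)
        self.records[index]["deleted"] = True  # record marked deleted, attributes still readable
        for c in self.records[index]["clusters"]:
            self.bitmap[c] = False             # bitmap bits cleared; cluster contents are NOT wiped

    def read_file(self, name):
        record = self.records[self.directory[name]]
        return b"".join(self._cluster(c) for c in record["clusters"])[:record["size"]]

    def logical_copy(self):
        """What a file-by-file copy captures: allocated files only, no slack, no free clusters."""
        return {name: self.read_file(name) for name in self.directory}

    def bitstream_image(self):
        """What a bit-by-bit copy captures: every cluster, allocated or not."""
        return bytes(self.disk)

    def unallocated_space(self):
        return b"".join(self._cluster(c) for c, used in enumerate(self.bitmap) if not used)

    def file_slack(self, name):
        record = self.records[self.directory[name]]
        used_in_last = record["size"] - (len(record["clusters"]) - 1) * CLUSTER_SIZE
        return self._cluster(record["clusters"][-1])[used_in_last:]

    def deleted_records(self):
        """Records marked deleted but not yet reused: name, size and clusters are still recoverable."""
        return [r for r in self.records if r["deleted"]]


def carve(raw, pattern):
    """Lazarus-style keyword search: a regular expression over raw bytes, ignoring file boundaries."""
    return [m.group(0) for m in re.finditer(pattern, raw)]


CARD_PATTERN = rb"\d{4}-\d{4}-\d{4}-\d{4}"  # constructed sample keyword


def demo():
    """write -> delete -> overwrite, reporting what each acquisition method still sees."""
    vol = ToyVolume()
    vol.write_file("secret.txt", b"ACCOUNT=4111-1111-1111-1111 owner=alice")  # 39 bytes -> 3 clusters
    vol.delete_file("secret.txt")
    before_reuse = [r["name"] for r in vol.deleted_records()]  # record survives until its slot is reused
    vol.write_file("note.txt", b"hello")  # reuses cluster 0 and the freed record slot
    return {
        "deleted_record_before_reuse": before_reuse,
        "deleted_record_after_reuse": [r["name"] for r in vol.deleted_records()],
        "logical_copy_hits": carve(b"".join(vol.logical_copy().values()), CARD_PATTERN),
        "bitstream_hits": carve(vol.bitstream_image(), CARD_PATTERN),
        "slack_of_note": vol.file_slack("note.txt"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

In the demo the five-byte "hello" overwrites only the first five bytes of cluster 0, so the slack of note.txt still holds part of the old account line, and the rest of the deleted file sits in clusters 1 and 2, which are now unallocated. The logical copy contains only b"hello" and the search finds nothing in it; the bit-stream image yields the full card-number-like string. Note that the deleted record disappears as soon as its slot is reused, which is why the paper recommends carving the clusters themselves once the MFT entry is gone.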

The Internet Explorer cache files are stored as Index.DAT files containing the URLs last accessed by the suspect. Another source from which evidence can be extracted is the NTFS $LOGFILE, in which all transactions carried out on the NTFS volume are recorded. The sources mentioned in this paper from which an investigator can collect evidence are only some of those available.

B. Recovery tools used in Windows OS

• Drivespy –
Drivespy is built to improve forensic analysis under DOS. It includes a built-in sector (and cluster) hex viewer which can be used to examine DOS and non-DOS partitions [2].

• Encase –
Encase is a forensic tool developed for analyzing digital media. It is used for investigating civil crimes, network-related crimes and many more. The software is designed for acquisition, data recovery and file parsing; operating it requires specific training.

• Ilook –
This software is designed to acquire and analyze digital media for forensic analysis. It works with allocated and unallocated files, presenting them to the investigator, and also analyzes compressed files.

C. Unix based Forensic Analysis

Executing an investigation on a Unix operating system is quite similar to doing so on Windows. The investigator needs to know how files are allocated and deleted in Unix, and must know how to find and access file content and attributes that are potentially hidden. The different behavior of the Unix operating system gives the analyst a different approach: viewing files in Unix is distinct from the Windows operating system. Unix uses the concept of index nodes (inodes) to represent files. Each inode holds pointers and attributes that are very useful to the investigator: the owner ID, the MAC times, the number of directory entries referring to the file, the read, write and execute permissions, and the file size. It should be kept in mind that the filename is not stored in the inode; the filename is saved, along with the location of the file, in a directory-like structure. In the Unix file system, data is allocated in fixed-size pieces known as blocks. Just as in Windows, file slack is found in Unix because not every file fits exactly into blocks, and residues can be investigated in the file slack as in Windows. When a file is deleted on a Unix system, the directory entry marks the file name as unused, which detaches the file name from the actual file. The most widely used software for forensic investigation of Unix systems is The Coroner's Toolkit. One of its tools, called unrm, is extensively used for restoring files that have been deleted by the user. Each file attribute is very crucial in the investigation process as it has the MAC times; by analyzing the MAC times of files, each and every transaction can be investigated. Moreover, analysts must remember that users or hackers can modify the MAC times of a file to hide their tracks. To represent blocks of data as text files or binaries, TCT has a tool known as Lazarus; using this tool, the investigator checks the file by requesting keywords in the form of regular expressions. These forensic toolkits are extensively used in the examination of the Unix OS.

D. Recovery tools used in Unix OS

• The Coroner's Tool Kit –
The term "coroner" refers to the government official who performs a post mortem on a dead body after a crime. Similarly, The Coroner's Toolkit is a set of tools for post-mortem analysis of a Unix system [5]. It is designed and developed to locate data that is not normally visible.

• The Sleuth Kit –
The Sleuth Kit (TSK) can be used on both Windows and Unix based operating systems. It is a library and collection of tools for the investigation of any crime on both Windows and Unix platforms. The Sleuth Kit's tools allow us to examine the layout of disks and other media [5]. It is helpful in locating and extracting partitions so that evidence can be collected.

V. CONCLUSION

In today's era, as technology gets smarter, digital thieves are also getting smarter. It is very important to protect our private information from such people, which is why it is necessary for everyone to know about computer forensics. Through this paper, we have given a basic overview of computer forensics which will be helpful for those undertaking such investigations. Our main motive in compiling this paper was to bring the different perspectives of computer forensics into the limelight, but it is not a complete description, just an overview.

REFERENCES

[1]. http://www.sans.org/inforsecFAQ/incident/forensics.html
[2]. Palwinder Singh, Amarbir Singh, "Computer Forensics: An Analysis on Windows and Unix from data recovery perspective", IRJET, [cited April 2016].
[3]. Warren G. Kruse II and Jay G. Heiser, Computer Forensics: Incident Response Essentials, Addison Wesley, Boston, 2001, p. 2.
[4]. Bob Sheldon, "Forensic Analysis of Windows Systems", in Handbook of Computer Crime Investigation: Forensic Tools and Techniques, pp. 137-139.
[5]. Wietse Venema, "File Recovery Techniques", Dr. Dobb's Journal, December 2000. [cited May 21, 2003]
