Investigating Windows systems with Linux

Window Kit

© Max, Fotolia

Author(s): , Author(s):

A forensics expert explains how to extract interesting details from a confiscated Windows hard disk using standard Linux tools.

Criminals, intruders, and corporate saboteurs leave data behind on the hard disks of any computers they visit. Many of these computers are Windows systems, but you don't need Windows to extract valuable forensic information from a Windows hard disk. In this article, I will describe some simple techniques for getting forensic data from a Windows disk using Linux.

Before starting any forensic analysis, it is important to create a copy of the storage medium you will be investigating, either as a 1:1 copy or as an image or collection of images. You can copy the medium as a raw image (with dd) or use a format such as Expert Witness Format (EWF).

EWF is a proprietary format developed by Guidance Software [1] that is also supported by the X-Ways [2] commercial forensic tool. EWF images are compressed and thus are far smaller than raw images.

[...]

Read full article as PDF:

Investigating_Windows_Systems.pdf (1.47 MB)

Related content

comments powered by Disqus

Visit Our Shop

Trial Subscription

Digital Subscription

Subscribe

Direct Download

Read full article as PDF:

Investigating_Windows_Systems.pdf (1.47 MB)

Tag Cloud

Android Bruce Byfield Gnome KDE Kernel Linux Linux Pro Magazine Open Source Projects Red Hat Ubuntu events foss free software google

News