Sunday, 13 September 2009

Brief Description of Similarities and Differences in Forensic Applications between Ubuntu and Windows

Investigators can perform forensic analysis either under Ubuntu 8.10 or under Windows XP when dealing with a computer crime case. To a certain extent the two operating systems have many similarities, so investigators need not be confused in deciding which operating system is suitable for carrying out a particular analysis.

Based on the explanations supported by experience and some experiments performed, there are at least 5 points of similarity between Ubuntu 8.10 and Windows XP regarding forensic analysis. They are:
 1. Forensic Imaging, explained in the post on Experiment 11
 2. Registry Analysis, described in Experiment 12
 3. File Metadata Analysis, consisting of
    a) Magic Number Analysis and
    b) EXIF Information Analysis, discussed in Experiment 10
 4. Internet Explorer Analysis, explained in Experiment 13
 5. Unallocated Clusters Recovery, discussed in Experiment 14
Besides similarities, there are also differences between Ubuntu 8.10 and Windows XP related to forensic analysis. To a certain extent these differences make Ubuntu 8.10 more flexible, while at the other extreme they make Windows XP more familiar and much easier to operate.

Based on the descriptions, experiments and experience, there are at least 3 differences between Ubuntu 8.10 and Windows XP in forensic analysis, namely:
 1. Commercial versus Freeware
    a) Cost of Applications

The big difference between Ubuntu 8.10 and Windows XP in forensic analysis is the cost of applications: they are mostly commercial under Windows XP but mostly free under Ubuntu 8.10. Carrying out forensic analysis under Windows XP therefore requires a great amount of money to buy forensic tools, whereas investigators performing forensic analysis under Ubuntu 8.10 do not need to purchase forensic tools, because they are open source with community support.

For instance, according to and on 17 December 2008, the price list of some well-known forensic tools under Microsoft Windows was as follows:
•    The price of EnCase Forensic Version 6 from Guidance Software is US$ 3,600 for corporate standard and US$ 2,850 for government / law enforcement
•    The price of Forensic Toolkit (FTK) 2.0 from AccessData is US$ 3,835
•    The price of X-Ways Forensics from X-Ways Software Technology AG is EUR 685.90 for 1 license with 1 year update maintenance
On the other hand, most forensic tools under Ubuntu 8.10 or Linux cost nothing at all, for example Autopsy with Sleuthkit, dcfldd, exiftool, pasco, regviewer, Ghex, foremost, Py-Flag, AIR, md5deep, ntfsprogs and so on.

    b) User Interface

All forensic tools under Windows XP use a graphical user interface (GUI), which makes it much easier for investigators, as the users, to operate the applications and obtain the best examination results. The high price buys this ease of use through the GUI.
On the other side, most forensic tools under Ubuntu 8.10 or Linux are console based, so investigators have to understand the command line to run tools such as dcfldd, exiftool, foremost, md5sum and so on. There are also GUI-based forensic tools such as Autopsy, regviewer, Py-Flag, AIR and so on, but these actually originate from command line tools too: AIR is built on dcfldd for forensic imaging, Autopsy on The Sleuthkit commands, and so on.

 2. Blocks Imaging, explained in Experiment 9
 3. The Bridge of Wine, discussed in Experiment 15
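As an added example that is not part of the original post, the script below walks through the command-line style of work described under User Interface: it images a constructed stand-in for a suspect disk block by block with dd, verifies the copy by comparing a hash of source and image, and reads the magic number from the image as a first metadata check. It uses dd and sha256sum (or shasum) in place of dcfldd and md5sum so it runs on a stock system; the file names and the evidence contents are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post. dd and sha256sum/shasum
# stand in for dcfldd and md5sum; the "suspect disk" is a constructed file.
set -eu
WORK=$(mktemp -d)
EVIDENCE="$WORK/suspect.raw"   # constructed stand-in for the source device
IMAGE="$WORK/suspect.dd"       # the forensic image written from it

# Portable SHA-256 of a file (coreutils sha256sum, else BSD shasum).
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Build the constructed evidence: the JPEG magic number FF D8 FF E0 followed
# by zero filler. Total size is 4096 bytes, a whole number of 512-byte blocks,
# because conv=sync below would pad a partial last block and change the hash.
make_evidence() {
  printf '\377\330\377\340' > "$EVIDENCE"
  head -c 4092 /dev/zero >> "$EVIDENCE"
}

# Image block for block, continuing past read errors and zero-padding bad
# blocks, which is what a raw imaging step on a damaged device needs.
image_evidence() {
  dd if="$EVIDENCE" of="$IMAGE" bs=512 conv=noerror,sync 2>/dev/null
}

# The copy is only usable as evidence if its hash matches the source's;
# returns non-zero on a mismatch.
verify_image() {
  [ "$(hash_file "$EVIDENCE")" = "$(hash_file "$IMAGE")" ]
}

# Magic number analysis: the first four bytes of a file as lowercase hex.
magic_of() {
  od -A n -t x1 -N 4 "$1" | tr -d ' \n'
}

make_evidence
image_evidence
verify_image || { echo "hash mismatch: image is not a faithful copy" >&2; exit 1; }
echo "image verified, sha256 $(hash_file "$IMAGE")"
echo "magic number: $(magic_of "$IMAGE")"   # ffd8ffe0 identifies a JPEG
```

The temporary directory is left in place so the image and its hash can be inspected afterwards.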

