Chapter 10: Forensic Examination of Windows Systems

Previous page
Table of content
Next page

Overview

In addition to being familiar with the tools and techniques for acquiring and examining digital evidence from a computer running Microsoft Windows, digtal investigators should develop a familiarity with the underlying operating systems, files systems, and applications.

Understanding file systems helps appreciate how information is arranged, giving insight into where it can be hidden on a Windows system and how it can be recovered and analyzed. An understanding of Windows NT accounts, file access controls, and general security is also necessary to answer questions like: Who had access to the system and files it contained? Was it possible for an outsider to gain unauthorized access to the system from the Internet? Similarly, it is necessary to understand components such as Active Directory to locate and interpret digital evidence relating to systems that are part of a Windows 2000 domain.

Digital investigators must also keep abreast with new developments in this area such as ".NET" framework. The ".NET" framework can be thought of as an operating system within an operating system. It is an execution environment, similar in concept to Java, that is designed to run on post-Windows 95 operating systems (Windows 98/ME/NT/2000/XP) and provide a common environment for programs. This enables programmers to write applications in their preferred language (e.g. Visual Basic, C ++, Perl) and compile them for the ".NET" environment, providing greater flexibility and functionality. A program compiled and linked to run in the ".NET" Framework environment has a new EXE or DLL format that can only be executed on a system that contains the framework. The ".NET" framework is optimized for network activities and enhances the capabilities of the operating system it is running on - making it easier to develop network applications.

Given the variety of Windows operating systems and applications, it is not possible to describe or even identify every possible source of information that might be useful in an investigation. Furthermore, each case is different, requiring digital investigators to explore and research components. The following sections provide examples of important aspects of Windows systems with the expectation that the reader will carefully consider each area more closely to find new ways to extract information from them using the techniques covered in the previous chapter.



Previous page
Table of content
Next page
Digital Evidence and Computer Crime
Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
EAN: 2147483647
Year: 2003
Pages: 279
Authors: Eoghan Casey BS MA
BUY ON AMAZON
Interprocess Communications in Linux: The Nooks and Crannies
Cisco IP Communications Express: CallManager Express with Cisco Unity Express
Java for RPG Programmers, 2nd Edition
Lotus Notes Developers Toolbox: Tips for Rapid and Successful Deployment
Introducing Microsoft ASP.NET AJAX (Pro - Developer)
VBScript in a Nutshell, 2nd Edition
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy