The Best Damn Cybercrime and Digital Forensics Book Period

In this chapter we introduce the reader to both Windows and Linux-based forensic tools. Although you will probably develop personal preferences, a thorough understanding of the strengths and weaknesses of each type of system will help you understand both and also provide you with a wealth of additional tools.
By limiting your choices to a single operating system you severely restrict your options. The best choice, then, is to become familiar with the complete range of options available, and that means gaining an understanding of both Windows and Linux.
Often, the most fruitful process for gathering evidence involves the use of both Windows and Linux-based tools. A number of Windows tools enable the collection of data from live systems. Many Linux-based tools, on the other hand, provide a depth of analysis rarely found in any Windows-based tool. Combining Windows and Linux brings in the strengths of both tool sets while removing many of their weaknesses.
The first section of this chapter is designed to introduce the reader to the forensic process under Windows. Even the most diehard Linux enthusiast will occasionally come across a live Windows system. Rather than shutting such a system down, the investigator can collect a large amount of volatile evidence from it while it is still running. The section objectives include:
Locating and gathering volatile evidence on a Windows host
Investigating Windows file slack for evidence
Interpreting the...