Windows vs Linux Artifacts

Windows uses a Registry to store system, software, and user settings. What does Linux use to store this type of information? Does Linux or Windows provide more evidence (artifacts) from a forensic analysis perspective? Please explain.

According to (Imam, 2017), Linux supports many file systems of the ext family, including ext2, ext3, and ext4. A Linux machine recovered from a crime scene can provide empirical evidence. In that case, forensic investigators should analyze the following directories and files.
/etc    [%SystemRoot%/System32/config]
This is the system configuration directory; it holds a separate configuration file for each application.
/var/log
This directory contains application logs and security logs. They are kept for 4-5 weeks.
/home/$USER
This directory holds user data and configuration information.
/etc/passwd
This file holds user account information.
Related files: /etc/shadow, /etc/hosts, /etc/sysconfig, /etc/syslog.conf
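An added triage example (not from the cited article) for the /etc/passwd artifact listed above: it parses passwd-format text, flags every account that carries UID 0 (root's authority, whatever the account is named), lists accounts with an interactive shell, and records a SHA-256 manifest so the collected artifacts can be verified later. The passwd sample is constructed for the example.

```python
"""Triage helper for the /etc/passwd artifact: parse, flag UID-0 accounts,
list interactive accounts, and hash collected artifacts for a manifest."""
import hashlib
from typing import Dict, List

# Constructed sample: the normal root entry, a system account, a regular
# user, and a second UID-0 account hiding behind a service-like name.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
sshd:x:0:0::/var/empty:/bin/sh
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd(text: str) -> List[Dict[str, str]]:
    """Split passwd lines into their seven colon-separated fields."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line: skip rather than guess at fields
        name, _pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "uid": uid, "gid": gid,
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def uid0_accounts(entries: List[Dict[str, str]]) -> List[str]:
    """Any account with UID 0 has full root authority; more than one is a red flag."""
    return [e["name"] for e in entries if e["uid"] == "0"]


def interactive_accounts(entries: List[Dict[str, str]]) -> List[str]:
    """Accounts whose shell allows a login; these are the users who can leave traces."""
    return [e["name"] for e in entries if e["shell"] not in NOLOGIN_SHELLS]


def artifact_manifest(artifacts: Dict[str, bytes]) -> Dict[str, str]:
    """Map artifact path -> SHA-256 hex digest, recorded at collection time."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in artifacts.items()}


if __name__ == "__main__":
    ents = parse_passwd(SAMPLE_PASSWD)
    print("UID 0 accounts:", uid0_accounts(ents))
    print("interactive accounts:", interactive_accounts(ents))
    print(artifact_manifest({"/etc/passwd": SAMPLE_PASSWD.encode()}))
```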

Windows provides more evidence because it offers more ways to use the computer, such as the range of software and browsers it supports. Windows can also have many user accounts with administrative privileges, whereas Linux has only one administrative account, called root. The root account has complete control of the system, so most activities can be traced back to a particular user.

References:
Imam, F. (2017). Operating System Forensics. Retrieved 2 June 2020, from https://resources.infosecinstitute.com/category/computerforensics/introduction/areas-of-study/digital-forensics/operating-system-forensics/#gref 
