Computer Forensics

The operating system plays an important role in computer forensics because it acts as the interface between the user and the machine. There are various operating systems, and every computer forensics expert must have knowledge and a good understanding of them. Operating system internals play a vital role in evidence tracking.

The forensics expert should be familiar with the operating system's user interface design and should be capable of analyzing the evidence from a technical view. The history of the logs stored on the hard disk needs to be studied in detail. It is also possible that more than one operating system is installed on the same hard disk. In this case the history log files of the other operating system cannot be tracked.

The forensics professional should be able to track logs from all the operating systems installed on the same computer. It is not known a priori which operating system was used to commit the crime. If the operating systems use different file systems, tracking the changes becomes more difficult again for the forensic professional. Hence a software tool that helps with this can be used.

It is advisable to take an image of the entire hard disk drive. A complete directory listing can be scanned and made to include the file names, time stamps, date stamps and folder structure. The installed operating system can also be used to track the changes made to the system efficiently. The basic principle is to monitor the time stamps around the time the crime was committed and find out who used the system at that time.
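
The listing and time-window step described above, as an added example that is not part of the original page: it walks a read-only mounted copy of the image, records names, sizes and time stamps, and keeps the entries touched inside an incident window. The function names, the sample tree and the window values are constructed for illustration.

```python
import os
import tempfile
from datetime import datetime, timezone

STAMPS = ("modified", "accessed", "changed")

def utc(ts):
    """Render POSIX seconds as ISO 8601 UTC so listings compare across hosts."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()

def list_tree(root):
    """One record per file and folder under root (assumed: image mounted read-only)."""
    records = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat describes a symlink itself, not its target
            records.append({
                "path": os.path.relpath(full, root).replace(os.sep, "/"),
                "is_dir": os.path.isdir(full) and not os.path.islink(full),
                "size": st.st_size,
                "modified": st.st_mtime,
                "accessed": st.st_atime,
                "changed": st.st_ctime,  # inode change on Unix, creation time on Windows
            })
    return sorted(records, key=lambda r: r["path"])

def in_window(records, start, end, stamps=STAMPS):
    """Keep entries with any selected time stamp inside [start, end] (POSIX seconds)."""
    return [r for r in records if any(start <= r[k] <= end for k in stamps)]

def demo():
    """Constructed sample tree: two files, only one touched inside the window."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "docs"))
        for name, ts in (("old.txt", 1_000_000_000), ("hit.txt", 1_500_000_000)):
            path = os.path.join(root, "docs", name)
            with open(path, "w") as fh:
                fh.write("sample")
            os.utime(path, (ts, ts))  # set accessed and modified to a known value
        hits = in_window(list_tree(root), 1_499_999_000, 1_500_001_000)
        return [(r["path"], utc(r["modified"])) for r in hits]

if __name__ == "__main__":
    for path, when in demo():
        print(when, path)
```

Run it against a copy of the image rather than the original disk, since walking a writable mount can itself update access times.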

Files play an important role in the determination of the evidence. User-created files can be examined with tools such as hex viewers and decryption tools. User files may include text documents, spreadsheets, email files, sound media files, database files, financial transaction files, etc.

Files specific to the operating system, such as the boot files and the registry files, should also be examined in detail. The boot files provide details of the boot loader, the date and time stamps, etc. The registry files are the most important ones. They maintain information about changes to the operating system.

These files can provide the most evidence and have huge potential for evidence collection. At the same time, tampering with the registry files could lead to irreparable damage to the operating system. It may also cause logical corruption of the operating system. In the case of any corruption, the data recovery software process should be initiated. Other operating system files, such as the swap files and the cache files, may also provide some vital clues.

The easiest files to examine, and the ones examined first, are the history files or log files. The installed applications should also be considered when tracking evidence. The history of documents and spreadsheets can also lead to evidence. The design and functioning of the operating system should be known beforehand.

 
