Investigating Windows systems with Linux

Comparatively Simple

With the addition of a couple of extra packages, the Windows world is wide open to an investigator running Linux. If you need more of this good thing, take a look at the free forensic tools by Foundstone [14]. These tools give investigators the ability to restore cookies, long-gone entries from the Windows trash can, and many other things.

Experienced Linux users might find the shell approach refreshing, but some users will prefer to avoid the complex command-line syntax. The learning curve for Linux newcomers will likely be steeper for open source tools compared with more expensive commercial products. The winner in the usability stakes has to be the fully automated Ophcrack Live CD, which removes the need for users to type pesky shell commands and displays the local user's Windows passwords shortly after booting.

When we tested this on an XP system (SP2), the CD took just 280 seconds to discover the credentials of the five user accounts (with passwords of up to 14 characters; see Figure 5). The live Linux version on the CD includes only the tables for alphanumeric passwords without non-standard characters. If you want more, you will have to invest in the commercial Rainbow Tables.

The Author

Hans-Peter Merkel has been an active member of the open source forensics community for many years. He trains criminal investigators in Germany and Tanzania, and he is one of the founders of Freioss and Linux4afrika.
