extracting forensic data from a Windows PC vs. a Linux?

7 Posts
5 Users
0 Reactions
2,042 Views
(@wixpo)
New Member
Joined: 15 years ago
Posts: 2
Topic starter

Thanks…
I don't want problems…

I have found some reference information…

If you know where I can find information about data extraction in Windows and Linux….

(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

This sounds suspiciously like a classroom assignment! ;)

All kidding aside, there is no good answer that would fit into a format such as this. Brian Carrier's book does a good job of discussing file system differences, including differences in the ability to recover data, but remember that Linux supports a variety of file systems (Windows, natively, less so), so no one text can be expected to be complete and accurate.

There are differences in account controls and permissions, which can impact any conclusions that you might draw as to who last edited a file.

There are differences in what is logged, the granularity of logging information, where it is located.

A good deal of information regarding Windows artefacts must be discovered via experimentation because they are undocumented. Microsoft attempts to hide low level implementation information from developers because they want to be free to change the implementation without breaking legacy programs.

Plus there are differences between what would be considered user space and system space handling of applications and application data unique to both systems.

"Extracting forensic data" is a broad term. Data is data. Whether it has significance to a particular case depends upon the features of the case. "Forensic" in any such context is nothing more than a qualifier which notes that the method by which the information was captured was reliable, repeatable and explainable. There are few, if any, artefacts which jump up and say "Hey, I'm a forensic artefact" when you are examining either a Linux or a Windows system.

To make a long story short, someone asking this kind of question is either trying to decide if they have what it takes to be a forensic examiner, or they're trying to decide if the person to whom they have posed the question is.

The answers that you seek are in the literature, Lotus Blossom, not here.

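An added example (not part of seanmcl's post) of the kind of cross-platform difference he refers to: the same Python os.stat() call reports fields whose meaning differs between Linux and Windows, so an examiner's script has to label timestamps and ownership per platform instead of assuming one interpretation. The sample file is constructed in a temporary directory; the platform argument is only there so both labelings can be shown on one machine.

```python
import os
import stat
import sys
import tempfile


def make_sample_file():
    """Create a constructed sample file and return its path."""
    d = tempfile.mkdtemp(prefix="fs_meta_demo_")
    p = os.path.join(d, "notes.txt")
    with open(p, "w") as f:
        f.write("constructed sample content\n")
    return p


def describe_file(path, platform=None):
    """Return file metadata with labels that are correct for the platform.

    Two differences matter for an examiner:
    - st_ctime is the inode metadata-change time on Linux, but the
      creation time on Windows; the same number means different things.
    - st_uid/st_gid and the POSIX mode bits describe ownership and
      permissions on Linux; on Windows os.stat() reports uid/gid as 0
      and only the read-only attribute survives in st_mode, so real
      ownership has to come from NTFS ACLs (not covered here).
    """
    platform = platform or sys.platform
    st = os.stat(path)
    times = {
        "modified (mtime)": st.st_mtime,
        "accessed (atime)": st.st_atime,
    }
    if platform.startswith("win"):
        times["created (ctime)"] = st.st_ctime
        owner = None  # os.stat() gives no usable owner on Windows
        perms = "writable" if st.st_mode & stat.S_IWRITE else "read-only"
    else:
        times["metadata changed (ctime)"] = st.st_ctime
        owner = (st.st_uid, st.st_gid)
        perms = stat.filemode(st.st_mode)
    return {
        "platform": platform,
        "times": times,
        "owner": owner,
        "permissions": perms,
        # Ownership says who owns the file now, not who last wrote to it;
        # that conclusion needs account and log evidence on either OS.
        "owner_caveat": "current owner, not necessarily the last editor",
    }
```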
(@forensicakb)
Reputable Member
Joined: 16 years ago
Posts: 316
 

You know it's a homework assignment, why even answer it?

(@wixpo)
New Member
Joined: 15 years ago
Posts: 2
Topic starter

Sean, thanks for the answer…

I'm looking for information in Brian Carrier's book File System Analysis.

Thanks a lot…

Fore,
I don't want you to answer my question… I'm just looking for sources of information.

(@twjolson)
Honorable Member
Joined: 17 years ago
Posts: 417
 

You know it's a homework assignment, why even answer it?

Because everyone was a student at one time and could use someone pointing in the right direction sometimes to help give direction in the vast and overwhelming world of computer forensics?

(@bithead)
Noble Member
Joined: 20 years ago
Posts: 1206
 

You know it's a homework assignment, why even answer it?

Because everyone was a student at one time and could use someone pointing in the right direction sometimes to help give direction in the vast and overwhelming world of computer forensics?

Which is something I agree with to a point. However I hate to see verbatim test questions asked without a shred of original input from the student.

I always try to jump in to help on any post that starts with the question and what the student has looked at, Googled, tried, whatever. But just posting the question with nothing else… Then I am not as inclined to post.

Everyone seems to jump on HC when he posts the "what have you Googled?" responses, however I can also say that when I first started posting here, he and others gave me the swift kick to the side of the head jumpstart that was needed when the synapses locked. However I would never consider wasting anyone's time by making them post things I had already looked at or tried and not bothered to tell them as part of my question.

Now I agree that many of us can be a bit dismissive about these posts or give some rather caustic answers that are really not helpful; and I really wish I had a politically correct/sensitive canned response asking the student or stumped examiner to "show their work" as my professors used to say, unfortunately after years of seeing just a question (and often the same question semester after semester) without the work posted it is hard to come up with a good response.

I would be all for a FF approved response to people that post without "showing their work".

(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

You know it's a homework assignment, why even answer it?

I tried not to answer the question, but rather, to point out some of the things which need to be considered in answering the question.

I wasn't being tongue in cheek but I was trying to point out that any answer is far more complicated than what this forum was intended to address.
