"Expert vs. Expertise" - Computer Forensics and the Alternative OS
by Melisa LaBancz-Bleasdale - IT Journalist - Thursday, 31 July 2003.
The problem still remains that you need to examine what you imaged. This is where high-end machines come into play. I can run numerous grep statements and finish within a few hours. Five years ago that would have taken all night."

The Alternative OS

Security threats are prevalent in every computer network, but what about those networks employing a less standard OS such as Linux or UNIX? How much crime is occurring and how can the IT administrator investigate successfully?

Dave answers, "People are people. If they want to steal or do something illegal, then they will find a way. The security threats are present in any OS/network. The problem becomes worse the more people know about the network. Generally, everyone knows Windows and how to make things happen with it. If a particular criminal isn't fluent in *nix then they'll most likely move on to a different target."

What are the major differences in investigating a UNIX system as opposed to a Microsoft Windows system?

"File systems basically work in the same manner. So the OS driving the file system is the major hurdle. A lot of forensic "experts" are dismayed when they have to investigate a UNIX box. Basically it comes down to a lack of training. Different OSes create different files which can be used by the forensic examiner. For instance, /var/log/messages is a good source in Linux, and WINNT\system32\LogFiles\W3SVC1 is a good source in Windows," says Dave.

The customization of scripts is another challenge for UNIX administrators. I spoke with Jon Bair, Director of Professional Training at Guidance Software, about the issues a UNIX administrator faces in trying to customize scripts that run automated forensic audits of their network.

Jon states, "In many cases, UNIX administrators are responsible for managing various types of systems at once, and not all of these systems may be running the necessary components to allow the use of one script to effectively audit their infrastructure, let alone audit these systems in a forensically sound or trustworthy manner. What if, during their audit, he or she stumbles across a system that was being used in illegal activity? The very actions of their script may have just altered valuable data that may have proven important upon later investigation. What if their script requires specific files such as binaries or libraries to be present on the system they are auditing, but they do not exist? Even worse, what if they are calling local system binaries from their script in order to gather data, but the binaries they are calling have been "trojaned" and do not produce true data?"
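The three failure modes Jon Bair describes (a script that assumes tools the target lacks, one that calls local binaries that may have been trojaned, and one whose own actions alter evidence) are what a live-audit script has to be designed around. The bash skeleton below is an added example written for this page; it is not code from the article, from Guidance Software or from any EnCase product. The toolkit directory, the manifest format and the two constructed "ps" stand-ins (one trusted, one tampered) are illustrative assumptions, and the script builds a throwaway sandbox under a temp directory so it runs offline without touching the real host.

```shell
#!/usr/bin/env bash
# Added example, not from the article or from Guidance Software: a skeleton live
# audit script that guards against the three failure modes Jon Bair lists.
# Illustrative assumptions: the examiner brings a read-only toolkit directory
# of statically linked binaries and a manifest of their SHA-256 hashes, and
# writes results to a separate evidence directory, never onto the target.

# SHA-256 of a file (coreutils sha256sum on Linux, shasum elsewhere).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Failure mode 1: the script assumes binaries the target (or toolkit) lacks.
# Report every missing tool and return 1 so the audit stops before it yields
# a silently incomplete picture.
check_required_tools() {
    local toolkit=$1; shift
    local missing=0 t
    for t in "$@"; do
        if [ ! -x "$toolkit/$t" ]; then
            echo "missing: $t" >&2
            missing=1
        fi
    done
    return $missing
}

# Failure mode 2: a local binary may be trojaned. Hash the file actually on
# disk and compare with the examiner's known-good manifest (lines of
# "<sha256>  <name>", as written by sha256sum). 0 = match, 1 = mismatch,
# 2 = not in manifest (unknown is not the same as trusted).
verify_binary() {
    local manifest=$1 file=$2
    local name=${file##*/} expected actual
    expected=$(awk -v n="$name" '$2 == n {print $1}' "$manifest")
    [ -n "$expected" ] || { echo "no manifest entry for $name" >&2; return 2; }
    actual=$(hash_file "$file")
    [ "$actual" = "$expected" ]
}

# Failure mode 3: the audit itself alters evidence. Execute only the toolkit's
# own copy of a tool, with PATH restricted to the toolkit so nothing it spawns
# resolves to a local binary, and store output plus its hash in the evidence
# directory. Prints the path of the captured output.
collect() {
    local toolkit=$1 evidence=$2 name=$3; shift 3
    local out="$evidence/$name.txt"
    PATH="$toolkit" "$toolkit/$name" "$@" > "$out" 2>&1 || true
    printf '%s  %s\n' "$(hash_file "$out")" "$name.txt" >> "$evidence/hashes.sha256"
    echo "$out"
}

# Constructed sandbox under a temp dir: a trusted toolkit holding one tool, a
# "target" whose copy of that tool has been tampered with, and a manifest
# generated from the trusted copy. Nothing on the real host is examined.
setup_sandbox() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/toolkit" "$root/target/bin" "$root/evidence"
    # Trusted ps stand-in: fixed, constructed process list including a listener.
    printf '#!/bin/sh\necho "PID CMD"\necho "1 init"\necho "4242 nc -l -p 31337"\n' \
        > "$root/toolkit/ps"
    # Trojaned copy on the target: same name, but the listener is hidden.
    printf '#!/bin/sh\necho "PID CMD"\necho "1 init"\n' > "$root/target/bin/ps"
    chmod +x "$root/toolkit/ps" "$root/target/bin/ps"
    printf '%s  ps\n' "$(hash_file "$root/toolkit/ps")" > "$root/manifest.sha256"
    echo "$root"
}

run_demo() {
    local root bin
    root=$(setup_sandbox)
    echo "== toolkit completeness =="
    if check_required_tools "$root/toolkit" ps netstat; then
        echo "all required tools present"
    else
        echo "stop: the audit would run without tools it depends on"
    fi
    echo "== binary integrity =="
    for bin in "$root/toolkit/ps" "$root/target/bin/ps"; do
        if verify_binary "$root/manifest.sha256" "$bin"; then
            echo "OK       $bin"
        else
            echo "TAMPERED $bin"
        fi
    done
    echo "== collection, trusted toolkit only =="
    cat "$(collect "$root/toolkit" "$root/evidence" ps)"
    rm -rf "$root"
}

run_demo
```

In practice the toolkit would be statically linked binaries on read-only media with their hashes recorded out of band, and the evidence directory would be on the examiner's own storage rather than the target's disk. Two caveats the skeleton cannot remove: hashing a binary still reads it (updating access times unless the file system is mounted noatime or read-only), and a kernel-level rootkit can lie to even a trusted userland tool, which is why a live audit complements rather than replaces imaging.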

Peripheral and Large Scale Forensics

Then there is the subject of using computer forensics to investigate PDAs and cell phones. Both can be investigated using computer forensic methodologies. The question arises as to how they differ from a PC's OS.

COPYRIGHT 1998-2013 BY HELP NET SECURITY.