
Forensic Cop Journal Volume 1(2), Oct 2009

http://forensiccop.blogspot.com

Similarities and Differences between Ubuntu and Windows on Forensic Applications
by Muhammad Nuh Al-Azhar, CHFI
MSc in Forensic Informatics from the University of Strathclyde, UK
Forensic Investigator at Forensic Laboratory Centre of Indonesian National Police HQ.

Introduction
In computer crime cases, forensic investigators face digital evidence that is volatile and must be recovered as soon as possible: the sooner it is recovered, the better the investigators can handle the case, and the easier it becomes to locate and catch the perpetrators. There are many ways to carry out a forensic investigation of a computer crime. Although the techniques differ, they share the same goal, namely to recover the digital evidence and then present it in court.
Forensic investigators commonly work in one of two environments: forensic analysis under Microsoft Windows, or under a Linux distribution such as Ubuntu. Each has its own advantages and disadvantages for computer forensic examination; in some respects they are similar, in others they differ. This article describes the similarities and differences between Ubuntu and Ms Windows on forensic applications, and includes practical examples of forensic tools to support the argument.

Research Preparation
To keep this research on track, I ran a number of experiments based on my experience of investigating computer crime cases, using a 4 GB flash disk as the experimental object. I configured it into 3 partitions using the Partition Editor application from Ubuntu. The first partition is FAT32 with a size of 1000 Mbyte; on it I installed Helix Forensics with the USB Startup Creator from Intrepid (Ubuntu 8.10), so that the flash disk can boot Helix Forensics live, and I also placed files with various extensions such as pdf, doc, odt, ppt, jpg and odp in different folders, some of which were then deleted. This first partition is one of the objects of the experiments. To keep the analysis focused, I limit the similarities to 5 points of view and the differences to 3.

Similarities
Based on the explanations, supported by experience and the experiments performed, there are at least 5 points of similarity between Ubuntu and Ms Windows with regard to forensic analysis. They are:
1. Forensic Imaging
2. Registry Analysis
3. EXIF Metadata Analysis
4. Internet Explorer Analysis
5. Unallocated Clusters Recovery
Below is the description of each similarity.

Forensic Imaging

This is the first thing to do when performing forensic analysis of a hard drive. If it is not handled appropriately, every later phase of the examination is weakened and the evidence may even be refused by the court; therefore paying close attention to this phase is compulsory for forensic investigators. Because it is so crucial, there is a strict rule for forensic imaging, namely 'make an image with a bit-stream copy'. The image can be a physical copy from hard drive to hard drive, or from hard drive to an image file.

During the imaging process, the forensic investigators have to be able to show that nothing changed, either on the hard drive or in the image file. To do this, the investigators can use hash value checking such as md5, comparing the md5 value of the hard drive evidence with that of the image file or cloned hard drive. If the values match, the forensic imaging has worked; otherwise it has failed and cannot be accepted for the next examination phases. Two practical points follow from this: the source should be attached through a write blocker (or at least never mounted read-write) so that hashing and imaging cannot alter it, and the source should be hashed both before and after imaging, since a single hash of the source taken after the copy cannot show that it was unchanged while it was being read. It is also good practice to record a second hash (SHA-1 or SHA-256) alongside md5, as FTK Imager does (Figure 4).

Ms Windows and Ubuntu are similar in this respect. Under Ubuntu, the forensic investigators can identify the device or partition they want to image with the 'fdisk -l' command, then image the selected device or partition with the 'dcfldd' command. After the imaging process finishes, they verify the md5 hash values of the source and the target to ensure that nothing changed during the imaging process.

Figure 1
The use of 'fdisk -l' command to ensure about devices and partitions attached to the machine


Figure 2
The use of 'dcfldd' to perform imaging and 'md5sum' to gain md5 hash value

From the experiment shown in the figures above, the md5 hash value of partition 1 is 0171fbb2536ccd6c5fe6607743c9de17. This value is the same as the md5 value of partition1.dd, which means the imaging process can be accepted for forensic purposes.
Under Ms Windows, FTK Imager from AccessData was run to image the same partition1. FTK Imager offers three image formats, namely Raw (dd), SMART and E01. In this case, Raw (dd) is the most appropriate for imaging partition1. FTK Imager also provides a form for case details such as case number, evidence number, investigator name and so on. These details do not influence the imaging process or the md5 hash value.

Figure 3
FTK Imager showing a number of partitions from the experimental flashdisk

After the imaging process finishes, FTK Imager runs a verification pass that computes the md5 hash value of the image and compares it with the md5 hash value of the source. In the experiment with FTK Imager, the md5 hash value of the source (drive) of partition1 is 0171fbb2536ccd6c5fe6607743c9de17, the same as the md5 hash value of the image.


Figure 4
FTK Imager verifies hash value between drive and image by using MD5 and SHA1

The md5 hash values obtained from dcfldd under Ubuntu 8.10 and from FTK Imager under Windows XP are the same. This shows that the forensic imaging process is equivalent under Ubuntu 8.10 and Windows XP; which one to use depends on the investigator's preference.

Registry Analysis

The Registry under Ms Windows stores much important information, such as the users and applications on a machine and the USB drives that have ever been attached to it, which makes it one of the targets forensic investigators search.

In this experiment, registry viewer applications running under Ubuntu were used on the registry of my experimental dual-boot machine. Under Ubuntu, the cp command was run to copy 5 registry files out of an experimental forensic image taken from a Windows machine:

/WINDOWS/system32/config/SAM
/WINDOWS/system32/config/SECURITY
/WINDOWS/system32/config/software
/WINDOWS/system32/config/system
/Documents\and\Settings/UserXP/NTUSER.DAT

The first four are the system hives; NTUSER.DAT is the per-user hive, which Windows loads as HKEY_CURRENT_USER. After that, the regviewer application was run to analyse these files.

From /HKEY_LOCAL_MACHINE/SAM/Domains/Account/Users/Names, the list of users was obtained, namely Administrator, Guest, HelpAssistant, SUPPORT_388945a0 and UserXP.


Figure 5
/HKEY_LOCAL_MACHINE/SAM/Domains/Account/Users/Names shows the list of user
accounts.

From /HKEY_LOCAL_MACHINE/ntuser.dat/Software (the label regviewer gives the NTUSER.DAT hive) and /HKEY_LOCAL_MACHINE/SOFTWARE, the list of companies and their software installed on the target machine was obtained, such as AccessData with FTK and FTK Imager, Adobe with Acrobat Reader, America Online, BitComet and so on.

Figure 6
/HKEY_LOCAL_MACHINE/ntuser.dat/Software shows the list of software installed

From /HKEY_LOCAL_MACHINE/SYSTEM/ControlSet002/Enum/USBSTOR, the list of storage devices that have ever been attached to a USB port of the experimental machine was found, each with its unique entry, such as SanDisk-Cruzer, Fujitsu, Generic and so on.


Figure 7
/HKEY_LOCAL_MACHINE/SYSTEM/ControlSet002/Enum/USBSTOR shows the list of storage media that have ever been attached to the machine

Under Windows XP, the Alien Registry Viewer application from LastBit was used to analyse the same five registry files. There are many registry viewer applications for Windows XP, but most of them are not stand-alone: they only open the live registry of the machine they run on, so they cannot be used to analyse registry files copied from another machine.
When this application is run, a window asks the user for the source path where the registry files are. After analysing the registry files, the result was the same as that from the registry viewer under Ubuntu 8.10: the list of users, the list of installed software and the list of USB storage devices that have ever been attached.

Figure 8
The list of USB storage devices attached to the machine, such as SanDisk, Fujitsu and so on

Based on the above results, registry analysis under Ubuntu and Ms Windows, using different applications on the same registry files, is similar in both process and result.


EXIF Metadata Analysis


EXIF, which stands for Exchangeable Image File Format, is an image file format specification that adds metadata tags to the JPEG, TIFF Rev. 6.0 and RIFF WAV file formats. The metadata tags cover date and time information, camera settings, a picture thumbnail, and description and copyright information.
This EXIF metadata is important and is often used to assess the originality of an image. A jpg file can be manipulated with a picture editor such as Adobe Photoshop, but doing so also affects the EXIF metadata, which changes along with it: X and Y resolution, time stamps, the picture editor software tag and so on. For this reason, recovering the EXIF information from a jpg file is a technique forensic investigators often use when dealing with a suspected fake picture.
For this experiment, 2 jpg files were analysed to obtain their EXIF metadata with the exiftool command under Ubuntu: an original jpg file and a fake jpg file. The fake jpg file was manipulated from the original jpg file.
Under Ubuntu, exiftool was run from the command console on the first jpg file and gave the following EXIF information (see figure 9):
File Modification Date/Time: 2008:02:16 08:46:38
X Resolution: 72
Y Resolution: 72
Resolution Unit: inches
Exif Version: 0210
Thumbnail Offset: 274
Thumbnail Length: 2185
Encoding Process: Baseline DCT, Huffman coding
Image Size: 640 x 480

Figure 9
The exiftool gives the EXIF information such as File Modification Date/Time, X Resolution, Y
Resolution, Exif Version and so on.

This EXIF information is then compared with the EXIF information of the second jpg file in order to decide on the originality of the picture. For the second jpg file, exiftool displays the following EXIF information (see figure 10):


File Modification Date/Time: 2008:02:16 09:36:46
X Resolution: 524
Y Resolution: 524
Resolution Unit: inches
Software: Adobe Photoshop 7.0
Exif Version: 0210
Thumbnail Offset: 372
Thumbnail Length: 3825
Encoding Process: Baseline DCT, Huffman coding
Image Size: 320 x 238

Figure 10
The exiftool displays the EXIF information of fake jpg file containing Software, RGB Tone
Reproduction Curve and so on

By analysing the EXIF information of both files, the forensic investigators can conclude that the second jpg picture is fake, because the EXIF information reports the software, Adobe Photoshop, that was used to manipulate the picture, together with RGB Tone Reproduction Curve information and so on. There are also differences in File Modification Time, X Resolution, Y Resolution, Thumbnail Offset, Thumbnail Length and Image Size between the original and the fake. Note that File Modification Date/Time is reported by exiftool from the file system, not from the EXIF block, so it changes whenever the file is copied or resaved; the tags stored inside the image (Software, resolution, thumbnail, image size) are the stronger indicators. The Software tag is also easy to strip or rewrite with the same tools, so its absence does not prove that an image is original.
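To show what exiftool and Opanda IEXIF are reading when they report these tags, here is a minimal Exif parser in Python, added as an example and not code from the article, from exiftool or from Opanda. It walks the JPEG marker segments to the APP1 'Exif' segment, decodes the TIFF header and IFD0, and then diffs two images and flags the Software tag. The two JPEG fixtures are constructed inline (with a small builder) to carry the same tag values the article reports for the original and the fake; the tag numbers (0x011A XResolution, 0x011B YResolution, 0x0128 ResolutionUnit, 0x0131 Software, 0x0132 DateTime) are from the TIFF/Exif specification, and the list of editor names is an assumption of this example.

```python
import struct

TAG_NAMES = {0x011A: "XResolution", 0x011B: "YResolution", 0x0128: "ResolutionUnit",
             0x0131: "Software", 0x0132: "DateTime"}
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8}            # BYTE, ASCII, SHORT, LONG, RATIONAL
EDITOR_HINTS = ("photoshop", "gimp", "paint.net", "lightroom")   # assumed list


def build_exif_jpeg(entries):
    """Test fixture: a minimal JPEG (SOI, APP1 Exif, EOI) whose IFD0 holds
    `entries` given as (tag, type, value). Little-endian TIFF, IFD0 at offset 8."""
    entries = sorted(entries, key=lambda e: e[0])      # IFD entries must be in tag order
    data_off = 8 + 2 + 12 * len(entries) + 4           # first byte after IFD0 and its next-IFD link
    ifd, blob = b"", b""
    for tag, typ, val in entries:
        if typ == 2:
            raw = val.encode("ascii") + b"\0"
        elif typ == 3:
            raw = struct.pack("<H", val)
        elif typ == 4:
            raw = struct.pack("<I", val)
        else:                                          # 5 = RATIONAL: (numerator, denominator)
            raw = struct.pack("<II", *val)
        count = len(raw) if typ == 2 else 1
        if len(raw) <= 4:                              # value fits in the entry's 4-byte slot
            ifd += struct.pack("<HHI", tag, typ, count) + raw.ljust(4, b"\0")
        else:                                          # otherwise the slot holds an offset
            ifd += struct.pack("<HHII", tag, typ, count, data_off + len(blob))
            blob += raw
    tiff = b"II" + struct.pack("<HI", 42, 8) + struct.pack("<H", len(entries)) + ifd + b"\0\0\0\0" + blob
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def parse_exif(jpeg):
    """Walk the JPEG marker segments and decode IFD0 of the first APP1 Exif segment."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):                     # EOI or start of scan: no more headers
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        segment = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and segment.startswith(b"Exif\0\0"):
            return parse_ifd0(segment[6:])
        pos += 2 + length
    return {}


def parse_ifd0(tiff):
    bo = {b"II": "<", b"MM": ">"}[tiff[:2]]            # byte-order mark
    magic, ifd0 = struct.unpack(bo + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF header")
    count = struct.unpack(bo + "H", tiff[ifd0:ifd0 + 2])[0]
    tags = {}
    for i in range(count):
        off = ifd0 + 2 + 12 * i
        tag, typ, n = struct.unpack(bo + "HHI", tiff[off:off + 8])
        size = TYPE_SIZE.get(typ, 1) * n
        if size <= 4:
            raw = tiff[off + 8:off + 8 + size]
        else:
            ptr = struct.unpack(bo + "I", tiff[off + 8:off + 12])[0]
            raw = tiff[ptr:ptr + size]
        if typ == 2:
            val = raw.rstrip(b"\0").decode("ascii", "replace")
        elif typ in (3, 4):
            vals = struct.unpack(bo + ("H" if typ == 3 else "I") * n, raw)
            val = vals[0] if n == 1 else vals
        elif typ == 5:
            val = struct.unpack(bo + "II", raw[:8])    # first rational only
        else:
            val = raw
        tags[TAG_NAMES.get(tag, "Tag%04X" % tag)] = val
    return tags


def editing_indicators(tags):
    """Tag values that point to an editor having resaved the image."""
    software = str(tags.get("Software", ""))
    return ["Software=" + software] if any(h in software.lower() for h in EDITOR_HINTS) else []


def exif_diff(a, b):
    """Tags whose values differ between two images, as (value in a, value in b)."""
    return {k: (a.get(k), b.get(k)) for k in set(a) | set(b) if a.get(k) != b.get(k)}


# Constructed fixtures mirroring the values the article reports for the original and the fake.
ORIGINAL = build_exif_jpeg([(0x011A, 5, (72, 1)), (0x011B, 5, (72, 1)), (0x0128, 3, 2),
                            (0x0132, 2, "2008:02:16 08:46:38")])
EDITED = build_exif_jpeg([(0x011A, 5, (524, 1)), (0x011B, 5, (524, 1)), (0x0128, 3, 2),
                          (0x0131, 2, "Adobe Photoshop 7.0"), (0x0132, 2, "2008:02:16 09:36:46")])

if __name__ == "__main__":
    orig, edited = parse_exif(ORIGINAL), parse_exif(EDITED)
    print("indicators:", editing_indicators(edited))
    print("differences:", exif_diff(orig, edited))
```

Only IFD0 is decoded here; the camera-specific tags (Exif version, thumbnail offset and length) live in the Exif sub-IFD and IFD1, which a full tool such as exiftool follows through the 0x8769 pointer and the next-IFD link.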
Under Ms Windows, IEXIF-Professional from Opanda was run to carry out the same forensic analysis of these jpg files, obtaining the EXIF information and deciding the originality of the image.
For the original jpg file, it found the EXIF information Date/Time, X Resolution, Y Resolution, Resolution Unit, Exif Version, Thumbnail Offset, Thumbnail Length, Encoding Process and Image Size, with the same values as the exiftool analysis above under Ubuntu.


Figure 11
Opanda IEXIF displays the EXIF information of the original jpg file, which is the same as the EXIF information produced by exiftool

For the fake jpg file, Opanda IEXIF shows the same EXIF information as exiftool under Ubuntu: Date/Time, X Resolution, Y Resolution, Resolution Unit, Software, Exif Version, Thumbnail Offset, Thumbnail Length, Encoding Process and Image Size.
From these experiments on EXIF metadata analysis, it can be concluded that the EXIF recovery / viewer applications under Ubuntu and Ms Windows produce the same result. This finding shows the similarity between Ubuntu and Ms Windows on EXIF Metadata Analysis.

Internet Explorer Analysis


Most computer users in the world use Microsoft Windows as their operating system, especially Windows XP, because most applications, commercial or freeware, are compatible with it. Forensic investigators have to take this into account, because the most frequent evidence comes from Windows XP machines, including traces of Internet Explorer, which is part of the default installation from Microsoft. Internet Explorer is often used for browsing the internet, accessing email and so on.

In this experiment, Internet Explorer traces were analysed under Ubuntu to obtain the browsing history, using the pasco command. The 'Local Settings' directory containing the temporary internet files, including index.dat, was copied from the experimental machine as the object of examination; then the command 'pasco index.dat > IEAnalysis.txt' was run, producing the file IEAnalysis.txt. If the investigators open this file with vi, the content is displayed irregularly, because pasco writes tab-separated records; they should instead load it into a spreadsheet application such as OpenOffice Spreadsheet or Gnumeric, where the use of Internet Explorer can be analysed easily and in more detail.


Figure 12
The result of pasco command is displayed regularly using spreadsheet application

From the pasco output, the list of Internet Explorer activities was found, with time stamps (modified and accessed), file name and HTTP headers of the websites the user had visited. Some of the websites are:
http://www.liputan6.com, http://www.forensicfocus.com, http://www.jsfce.com,
http://certified-computer-examiner.com, http://www.utica.edu, http://en.wikipedia.org
and so on, which the user visited on 17 December 2008 from 7.35am till 8am.
Under Ms Windows, TotalRecall was run and showed the Internet Explorer activity history, namely the URL addresses visited by the user, including modification time, access time, file name and HTTP headers. These data are the same as those produced by the pasco command above, such as http://www.liputan6.com, http://www.forensicfocus.com, http://www.jsfce.com, http://certified-computer-examiner.com, http://www.utica.edu, http://en.wikipedia.org and so on, with their access times on 17 December 2008 from 7.35am till 8am.

Figure 15
TotalRecall under Windows XP displays the same result as the pasco command in analysing Internet Explorer activities


From the experiments above on Internet Explorer history analysis, the results show that forensic analysis under Ubuntu 8.10 and under Windows XP is similar and produces the same result, including the details of the websites visited such as access time, HTTP headers and so on.

Unallocated Clusters Recovery


One request often made of forensic investigators is to recover deleted files in order to obtain more evidence related to the case. When a file is deleted, the clusters it occupied are marked by the OS as 'unallocated' in the file system's allocation structures (the file allocation table, on a FAT volume); the directory entry itself is only flagged as free and still carries the file name, time stamps, size and first cluster. This means the clusters can be reused by the OS for a new file, which then overwrites the deleted data. As long as the unallocated clusters have not been reused by another file, the deleted file can be recovered completely; otherwise it cannot, although part of its data may survive as 'slack': the tail of the last cluster used by the new, shorter file, from the end of that file to the end of the cluster.
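The mechanism above is what Autopsy and FTK rely on when they list deleted files with their time stamps on a FAT32 volume such as partition1. The Python below is an added example, not the article's own material and not Autopsy or FTK code: it parses 32-byte FAT directory entries (including the ones marked deleted with 0xE5), decodes the DOS date/time fields, and checks against the FAT whether the clusters a deleted file would occupy are still free. The directory region and the FAT are constructed inline; real FAT parsing would read them from the image at the offsets given by the boot sector, and the contiguity assumption for deleted files is the same one the recovery tools make, because deleting a file zeroes its FAT chain.

```python
import struct
from datetime import datetime

ATTR_LFN = 0x0F                      # long-file-name entries carry name pieces, not file data
DELETED = 0xE5                       # first byte of a directory entry the OS has freed


def dos_datetime(date, time):
    """Decode a FAT 16-bit date and 16-bit time (2-second resolution)."""
    return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def dir_entry(name, ext, first_cluster, size, when, deleted=False, attr=0x20):
    """Test fixture: one 32-byte FAT short-name directory entry."""
    d = ((when.year - 1980) << 9) | (when.month << 5) | when.day
    t = (when.hour << 11) | (when.minute << 5) | (when.second // 2)
    e = bytearray(32)
    e[0:11] = name.ljust(8).encode("ascii") + ext.ljust(3).encode("ascii")
    e[11] = attr
    # offsets 14..31: ctime, cdate, adate, cluster-high, wtime, wdate, cluster-low, size
    struct.pack_into("<HHHHHHHI", e, 14, t, d, d, first_cluster >> 16, t, d, first_cluster & 0xFFFF, size)
    if deleted:
        e[0] = DELETED               # deleting only overwrites the first name byte
    return bytes(e)


def parse_directory(region):
    """List every short-name entry in a directory region, deleted ones included."""
    entries = []
    for off in range(0, len(region) - 31, 32):
        e = region[off:off + 32]
        if e[0] == 0x00:
            break                    # never-used entry: nothing follows it
        if e[11] == ATTR_LFN:
            continue
        deleted = e[0] == DELETED
        base = e[0:8].decode("ascii", "replace").rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        if deleted:
            base = "_" + base[1:]    # first character is lost; viewers show _ or ?
        ctime, cdate, adate, hi, wtime, wdate, lo, size = struct.unpack_from("<HHHHHHHI", e, 14)
        entries.append({"name": base + ("." + ext if ext else ""), "deleted": deleted,
                        "first_cluster": (hi << 16) | lo, "size": size,
                        "created": dos_datetime(cdate, ctime), "written": dos_datetime(wdate, wtime)})
    return entries


def cluster_run(entry, cluster_size):
    """Clusters the file occupies if it was stored contiguously. For a deleted file the
    FAT chain has been zeroed, so contiguity is the only assumption available."""
    n = -(-entry["size"] // cluster_size)
    return list(range(entry["first_cluster"], entry["first_cluster"] + n))


def recoverable(entry, fat, cluster_size):
    """True if every cluster of the assumed run is still unallocated (FAT entry 0)."""
    return all(fat[c] == 0 for c in cluster_run(entry, cluster_size))


# Constructed directory region: one live file and two deleted ones.
CLUSTER_SIZE = 4096
DIRECTORY = b"".join([
    dir_entry("REPORT", "DOC", 5, 6000, datetime(2008, 12, 17, 7, 40, 0)),
    dir_entry("PAPERS", "PPT", 10, 9000, datetime(2008, 12, 17, 7, 50, 0), deleted=True),
    dir_entry("ALIEN", "MPG", 20, 12000, datetime(2008, 12, 17, 7, 55, 0), deleted=True),
]) + bytes(32)
# Constructed FAT: 0 = free, 0x0FFFFFFF = end of chain. REPORT.DOC owns clusters 5-6;
# cluster 21 has since been given to a new file, so ALIEN.MPG (run 20-22) is partly overwritten.
FAT = [0] * 32
FAT[5], FAT[6], FAT[21] = 6, 0x0FFFFFFF, 0x0FFFFFFF

if __name__ == "__main__":
    for entry in parse_directory(DIRECTORY):
        if entry["deleted"]:
            print(entry["name"], entry["size"], entry["written"],
                  "recoverable:", recoverable(entry, FAT, CLUSTER_SIZE))
```

When a run is not fully free, the surviving clusters can still be carved, and the unused tail of the cluster the new file ends in is the slack mentioned above.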
For this reason, experiments using Autopsy under Ubuntu were performed to carry out unallocated cluster recovery. The object of this experiment is the deleted files in the image file partition1.dd from the previous forensic imaging experiment. After running the 'sudo autopsy' command, opening 'http://localhost:9999/autopsy' in the Firefox browser and entering the input data such as case name, host name, image location and so on, Autopsy displays a window with the analysis modes available to the investigator: file analysis, keyword search, file type, image details, metadata and data unit. In my point of view, Autopsy is one of the most powerful forensic tools I know.
Through file analysis, in the directory 'c:\ExperimentMaterials\Documents', a number of deleted files were found together with their written, accessed and created dates, size and metadata. The deleted files include 'Additional Papers for Strathclyde.doc', 'Alien Song.mpg', 'Analisa EnCase Cloned 1.ppt', 'CHFA v3 Module 01 Computer Forensic in Todays World.pdf' and so on. Deleted picture files were also found in the directory 'c:\ExperimentMaterials\Pictures'.

Figure 16
Through Autopsy, the deleted files can be recovered including time stamps and metadata


The results above are the same as those obtained with Forensic Toolkit (FTK), which is one of my favourite forensic tools for deleted file recovery.
Under Ms Windows, FTK was run; after entering the input data such as investigator name, case number, evidence to add and so on, FTK displayed a window summarising the contents of partition1.dd: encrypted files, deleted files, emails, documents, spreadsheets, graphics, slack/free space and so on. FTK can also display the image as a tree like Windows Explorer, which makes it easy for the investigators to analyse files and folders.

Figure 17
FTK shows the deleted files from the partition1.dd image file, including their time stamps

In the deleted-files tab, deleted documents and pictures were found, such as 'Additional Papers for Strathclyde.doc', 'Alien Song.mpg', 'Analisa EnCase Cloned 1.ppt', 'CHFA v3 Module 01 Computer Forensic in Todays World.pdf' and so on, together with their time stamps. These deleted files can also be displayed in hex, text or native format.
Analysing the results of the experiments above, there is a similarity in the forensic analysis of unallocated cluster recovery between Ubuntu and Ms Windows: both produce the same result for the deleted files, which can also be extracted or exported and saved for further analysis.

Differences
Besides the similarities, there are also differences between Ubuntu and Ms Windows related to forensic analysis. To a certain extent these differences make Ubuntu more flexible, while in other respects they make Windows XP more familiar and much easier to operate.
Based on the descriptions, experiments and experience, there are at least 3 differences between Ubuntu and Ms Windows on forensic analysis, namely:


1. Commercial versus Freeware
a. Cost of Applications
b. User Interface
2. Blocks Imaging
3. The Bridge of Wine
Below is the description of each difference.

Commercial versus Freeware

Cost of Applications
The biggest difference between Ubuntu and Ms Windows on forensic analysis is the cost of the applications: under Ms Windows they are mostly commercial, while under Ubuntu they are mostly free. Carrying out forensic analysis under Ms Windows therefore requires a great deal of money to buy the forensic tools, whereas investigators working under Ubuntu do not need to purchase them, because the tools are open source and mostly free, with community support.

For instance, according to http://www.digitalintelligence.com on 2 October 2009, the price list of some well-known forensic tools for Microsoft Windows is:
- EnCase Forensic Version 6 from Guidance Software: US$ 3,600 for corporate standard and US$ 2,850 for government / law enforcement
- Forensic Toolkit (FTK) 2.0 from AccessData: US$ 3,835
- Paraben's Device Seizure, used for analysing mobile phones: US$ 1,040

On the other hand, most forensic tools under Ubuntu cost nothing at all, such as The Sleuthkit, Autopsy (the GUI version of Sleuthkit), dcfldd, exiftool, pasco, regviewer, Ghex, foremost, Py-Flag, AIR, md5deep, ntfsprogs and so on.

User Interface
Practically all forensic tools under Ms Windows have a Graphical User Interface (GUI), which makes them much easier for forensic investigators to operate in order to obtain the best examination result. Part of what the high price buys is this ease of use through the GUI.
On the other side, most forensic tools under Ubuntu or Linux are command-line based, so the forensic investigators have to understand the command line to run tools such as dcfldd, exiftool, foremost, md5sum and so on. There are also GUI-based forensic tools such as Autopsy, regviewer, Py-Flag, AIR and so on, but these are themselves built on command-line tools: AIR is a front end for dcfldd for forensic imaging, Autopsy is a front end for The Sleuthkit commands, and so on.


Blocks Imaging
Forensically sound block imaging is a small thing, but it makes a significant difference between Ubuntu and Ms Windows in the partial imaging of digital evidence such as a hard drive or flash disk. Partial imaging means the forensic investigators do not need to image the whole drive; they can select which blocks to image, which can speed up the examination.
The forensic investigators can use the dcfldd command for this. For instance, to obtain only the first 572 Mbyte of the first partition of the 4 GB experimental flash disk used in the previous experiment, the investigators can run this command:
dcfldd if=/dev/sdb1 of=partition1a.dd conv=notrunc,noerror,sync hashwindow=512 hashlog=Partition1aHash.md5 bs=146484 count=4096
This command produced the image file partition1a.dd with 4096 blocks of 146484 bytes, i.e. 599,998,464 bytes (572 MiB). The hashwindow=512 option makes dcfldd write an md5 for every 512 bytes of data to the hash log, so that a later mismatch can be localised to a window instead of only being detected for the image as a whole.

Figure 18
dcfldd command is used to image the first 572 Mbyte of 4 GB flash disk

With dcfldd, the forensic investigators can also shape the forensic image as they want. For instance, from the 4 GB experimental flash disk above with its 3 partitions, the investigators can image all of partition 1 (1 GB) together with about half of partition 2 (also 1 GB) by running this command:
dcfldd if=/dev/sdb of=partition1and2.dd conv=notrunc,noerror,sync hashwindow=512 hashlog=Partition1and2Hash.md5 bs=366210 count=4096


Figure 19
dcfldd command is used to image the first 1430 Mbyte of 4 GB flash disk

This command produces the image file partition1and2.dd of 1430 Mbyte (4096 blocks of 366210 bytes) in size. These blocks can then be examined, so that the investigators save time in both imaging and analysis. Note that because the input is /dev/sdb rather than /dev/sdb1, the image starts at the beginning of the device and therefore also contains the partition table and any space before the first partition. As far as I know and have experienced, this technique might not be found in forensic imaging tools running under Ms Windows such as FTK Imager and EnCase. In my point of view, block imaging makes the dcfldd command better and more flexible than the imaging tools running under Ms Windows.
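The following Python is an added example that serves both the Forensic Imaging section above and this Blocks Imaging section; it is not the article's code and not dcfldd. It implements the dd/dcfldd options the article uses (bs, skip, count and hashwindow) over a regular file, so that it runs without a device, and adds the verification the Forensic Imaging section calls for: hash the source range before, hash the image, hash the source range again, and write a hash log in the style of dcfldd's hashlog. The windowed hashes also let a later damage to the image be localised to one window. The sample 'device' is a constructed 2048-byte file standing in for /dev/sdb1; the function and file names are this example's own.

```python
import hashlib
import os


def md5_range(path, offset=0, length=None, bs=1 << 20):
    """MD5 of `length` bytes of `path` starting at `offset` (to end of file if None)."""
    h, remaining = hashlib.md5(), length
    with open(path, "rb") as f:
        f.seek(offset)
        while remaining is None or remaining > 0:
            chunk = f.read(bs if remaining is None else min(bs, remaining))
            if not chunk:
                break
            h.update(chunk)
            if remaining is not None:
                remaining -= len(chunk)
    return h.hexdigest()


def window_hashes(path, offset, length, hashwindow):
    """(start, end, md5) for each `hashwindow`-byte slice, like dcfldd's hashwindow= option.
    Start and end are relative to `offset`."""
    out, done = [], 0
    with open(path, "rb") as f:
        f.seek(offset)
        while done < length:
            chunk = f.read(min(hashwindow, length - done))
            if not chunk:
                break
            out.append((done, done + len(chunk), hashlib.md5(chunk).hexdigest()))
            done += len(chunk)
    return out


def acquire(src, dst, bs=512, skip=0, count=None):
    """Bit-stream copy with dd semantics: skip `skip` input blocks, then copy `count`
    blocks of `bs` bytes (everything to the end if None). Returns bytes written."""
    written, blocks = 0, 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        fin.seek(skip * bs)
        while count is None or blocks < count:
            chunk = fin.read(bs)
            if not chunk:
                break
            fout.write(chunk)
            written += len(chunk)
            blocks += 1
    return written


def acquire_and_verify(src, dst, bs=512, skip=0, count=None, hashwindow=512):
    """Hash the source range, image it, hash the image, hash the source range again.
    source_before == image proves the copy; source_before == source_after shows the
    source did not change while it was being read. Also writes a dcfldd-style hash log."""
    offset = skip * bs
    before = md5_range(src, offset, None if count is None else count * bs)
    written = acquire(src, dst, bs, skip, count)
    image = md5_range(dst)
    after = md5_range(src, offset, written)
    windows = window_hashes(dst, 0, written, hashwindow)
    with open(dst + ".md5", "w") as log:
        for start, end, digest in windows:
            log.write(f"{start} - {end}: {digest}\n")
        log.write(f"Total (md5): {image}\n")
    return {"bytes": written, "source_before": before, "image": image,
            "source_after": after, "verified": before == image == after, "windows": windows}


def first_bad_window(src, dst, bs=512, skip=0, hashwindow=512):
    """Re-hash image and source range window by window; return (start, end) of the first
    mismatch, or None. Localises damage that a single whole-image hash cannot."""
    size = os.path.getsize(dst)
    pairs = zip(window_hashes(src, skip * bs, size, hashwindow),
                window_hashes(dst, 0, size, hashwindow))
    for (start, end, h_src), (_, _, h_img) in pairs:
        if h_src != h_img:
            return (start, end)
    return None


if __name__ == "__main__":
    import tempfile
    work = tempfile.mkdtemp()
    source = os.path.join(work, "sdb1")               # constructed stand-in for /dev/sdb1
    with open(source, "wb") as f:
        f.write(bytes(range(256)) * 8)                 # 2048 bytes = 4 sectors of 512
    full = acquire_and_verify(source, os.path.join(work, "partition1.dd"))
    part = acquire_and_verify(source, os.path.join(work, "partition1a.dd"), skip=1, count=2)
    print("full image verified:", full["verified"], full["image"])
    print("partial image verified:", part["verified"], len(part["windows"]), "windows")
```

One caveat when reproducing this with dd or dcfldd itself: conv=noerror,sync pads a short final read up to bs with zero bytes, so if the source size is not a multiple of bs the padded image will not hash the same as the source. For a block device bs=512 (or the sector size) always divides exactly; with a large bs such as the 146484 used above, either check that the size divides or verify the image against the source range of the same, padded length.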

The Bridge of Wine


One of the remarkable tools under Ubuntu is Wine. Through this application the forensic investigators can run some Windows XP applications properly on an Ubuntu machine, whereas there is no equivalent under Windows XP for running Ubuntu applications.
Through Wine, Ms Office Password Recovery from Elcomsoft can be installed on an Ubuntu machine. This application is often used by forensic investigators to recover passwords from Ms Office files. Natively it only runs under Windows XP and cannot run on an Ubuntu machine, but through Wine it becomes possible.

Figure 20
Ms Office Password Recovery application of Ms Windows can run under Ubuntu through Wine


For this experiment, an Ms Word file was created with a password required to open it. Through Wine, the Password Recovery tool was run under Ubuntu to recover the password. The result was excellent: the password was recovered successfully.

Figure 21
Ms Office password recovery application running under Ubuntu shows the results of password
recovery.

To a certain extent, Wine shows an advantage of Ubuntu for forensic analysis, namely the ability to run some Ms Windows forensic tools on an Ubuntu machine.

Conclusion
Investigators can perform forensic analysis under either Ubuntu or Ms Windows when dealing with a computer crime case. To a large extent the two operating systems are similar, so forensic investigators do not need to be confused about which operating system is suitable for a particular analysis. Based on the descriptions above, there are at least 5 points of similarity between Ubuntu and Ms Windows XP regarding forensic analysis, namely:
1. Forensic Imaging
2. Registry Analysis
3. EXIF Metadata Analysis
4. Internet Explorer History Analysis
5. Unallocated Clusters Recovery
Besides the similarities, there are also differences between Ubuntu and Ms Windows related to forensic analysis. To a certain extent these differences make Ubuntu more flexible, while in other respects they make Ms Windows more familiar and much easier to operate. Based on the descriptions above, there are at least 3 differences between Ubuntu and Ms Windows on forensic analysis, namely:


1. Commercial versus Freeware
a) Cost of Applications
b) User Interface
2. Blocks Imaging
3. The Bridge of Wine

Bibliography
Anson, S. and Bunting, S. (2007). Mastering Windows Network Forensics and Investigation.
Indianapolis: Wiley Publishing, Inc.
Casey, E. (2004). Digital Evidence and Computer Crime: Forensic Science, Computers and the
Internet. 2nd edition. London: Elsevier Academic Press.
Carrier, B. (2005). File System Forensic Analysis. London: Addison – Wesley.
Digital Intelligence. (2009). Encase Forensic Version 6. Available:
http://www.digitalintelligence.com/software/guidancesoftware/encase/. Last
accessed 2 October 2009.
Digital Intelligence. (2009). Forensic Toolkit 2.0. Available:
http://www.digitalintelligence.com/software/accessdata/forensictoolkit2/. Last
accessed 2 October 2009.
Digital Intelligence. (2009). Device Seizure. Available:
http://www.digitalintelligence.com/software/parabenforensictools/deviceseizure/.
Last accessed 2 October 2009.
Elcomsoft. (2009). Advanced Office Password Recovery. Available:
http://www.elcomsoft.com/aopr.html. Last accessed 2 October 2009.
Ferguson, I. (2008). Lab Session Guidance of CS 936: Media Imaging. Glasgow: CIS
Department of University of Strathclyde.
Ferguson, I. (2008). Lab Session Guidance of CS 936: Physical Searching. Glasgow: CIS
Department of University of Strathclyde.
Ferguson, I. (2008). Lab Session Guidance of CS 936: Registry Examination. Glasgow: CIS
Department of University of Strathclyde.
Janusware. (2009). Total Recall. Available: http://www.janusware.com/fetch.php?page=212.
Last accessed 2 October 2009.
Last Bit. (2009). Alien Registry Viewer. Available: http://lastbit.com/arv. Last accessed 2
October 2009.
Opanda. (2009). IEXIF for Win98/Me/2000/XP. Available: http://www.opanda.com/en/iexif.
Last accessed 2 October 2009.
Weir, G. and Smeed, D. (2008). Lab Session Guidance of CS 935: Forensics Analysis using
Vinetto, Pasco and Mork.pl. Glasgow: CIS Department of University of Strathclyde.

