First Steps, Lasting Impact: Platform-Aware Forensics for the Next Generation of Analysts
The reliability of cyber forensic evidence acquisition is strongly influenced by the underlying operating system (Windows, macOS, or Linux), owing to inherent variations in file system structures, encryption protocols, and forensic tool compatibility. Disk forensics, one of the most widely used techniques in digital investigations, faces distinct obstacles on each platform. Windows, with its predominantly NTFS and FAT file systems, typically supports reliable disk imaging and analysis through established tools such as FTK Imager and Autopsy/Sleuth Kit. However, encryption features frequently pose challenges to evidence acquisition. Conversely, Linux environments, which rely on file systems like ext4 and XFS, generally offer greater transparency, yet the transient nature of log retention often complicates forensic analysis. In instances where anti-forensic strategies such as encryption and compression render traditional disk forensics insufficient, memory forensics becomes crucial. While memory forensic methodologies demonstrate robustness across Windows and Linux platforms through frameworks like Volatility, platform-specific difficulties persist. Memory analysis on Linux systems benefits from tools like LiME, snapshot utilities, and dd for memory acquisition; nevertheless, live memory acquisition on Linux can still present challenges. This research systematically assesses both disk and memory forensic acquisition techniques across samples representing Windows and Linux systems. By identifying effective combinations of forensic tools and configurations tailored to each operating system, the study aims to improve the accuracy and reliability of evidence collection. It further evaluates current forensic tools and highlights a persistent gap: consistently assuring forensic input reliability and footprint integrity.
💡 Research Summary
The paper presents a systematic evaluation of disk and memory forensic acquisition techniques across Windows and Linux platforms, emphasizing the impact of operating‑system specific file systems, encryption schemes, and tool compatibility on evidence reliability. After outlining the structural differences between NTFS/FAT (Windows), APFS (macOS) and ext4/XFS (Linux), the authors note that while Windows benefits from mature commercial tools such as FTK Imager and Autopsy/Sleuth Kit, built‑in encryption (BitLocker, EFS) often blocks direct imaging. Linux, by contrast, offers transparent file systems but suffers from volatile log retention policies and a fragmented ecosystem of memory acquisition utilities.
Methodologically, the study builds four virtual machines (Windows 11, Windows 10, Ubuntu 24, Ubuntu 20) on identical hardware (Intel i5‑7200U, 4 GB/8 GB RAM, 80 GB storage) using VMware and VirtualBox. Realistic user activity (browsing, file handling, media playback) is simulated to create a baseline environment. A total of 32 case studies are crafted, each injecting malicious samples—Trojan families (CrossRAT, veryfun.exe, etc.) and ransomware families (Cerber, CryptoLocker, WannaCry, etc.)—in three infection intensities (single, double, triple) across four stages (C0‑C3).
Acquisition follows a two‑pronged approach: disk images are captured with FTK Imager on Windows and with the dd command on Linux; memory dumps are taken with FTK Imager’s capture function on Windows and with LiME on Linux. Every acquisition is repeated under both 4 GB and 8 GB RAM configurations, and SHA‑256 hashes are recorded to guarantee integrity.
The analysis phase employs FTK Imager, Autopsy, Sleuth Kit, and the Volatility framework to assess (1) evidence completeness—whether encrypted files, registry keys, and in‑memory process structures are recovered—and (2) operational efficiency—collection time, system load, and failure rates. Results show that BitLocker‑protected Windows systems cannot be examined via disk images alone; the only viable path to decrypt files is to extract the recovery key from a memory dump. Linux’s LiME requires kernel‑specific module recompilation, and on newer kernels (≥5.19) module loading is restricted, making raw dd‑based memory capture a practical fallback.
Malware‑specific findings reveal that Trojans tend to hide via process injection and rootkit techniques, making them more visible in memory than on disk, yet they still leave registry or startup artifacts detectable by disk forensics. Ransomware, by design, creates extensive file‑system changes and stores encryption keys temporarily in RAM; consequently, memory analysis dramatically improves key recovery and file decryption success.
A critical observation is that current forensic tools lack true “platform awareness.” Most commercial products are Windows‑centric; Linux and macOS support is limited or delayed, especially after major OS releases. Volatility’s plugin architecture requires manual profile generation for newer kernels, adding operational overhead. The authors argue that this gap leads to potential evidence loss and challenges admissibility.
To address these issues, the paper proposes a “Platform‑Aware Forensic Framework” comprising: (1) automatic OS detection and mapping of file‑system/memory structures, (2) dynamic assessment of encryption status with integrated key‑extraction modules, (3) automated hash‑based integrity verification, (4) comprehensive acquisition logging and chain‑of‑custody recording, and (5) unified cross‑platform timeline reconstruction. By standardizing these steps, investigators can maintain evidence integrity across heterogeneous environments and satisfy legal admissibility requirements.
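A minimal version of the Linux acquisition step described above (dd imaging with SHA‑256 verification) combined with the framework's hash‑based integrity check and chain‑of‑custody logging, written as an added example rather than the paper's own tooling. The function names `acquire_image` and `verify_image` and the tab‑separated log layout are assumptions; it assumes GNU coreutils (dd, sha256sum) as shipped on Ubuntu.

```shell
#!/bin/sh
# Added example (not from the paper): image SRC (a block device or a file)
# with dd, hash source and image with SHA-256, and append one
# chain-of-custody record to LOG. Requires GNU coreutils.
acquire_image() {
    src="$1"; dest="$2"; log="$3"
    start=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    # conv=noerror keeps dd going past unreadable blocks instead of aborting.
    # For physical media one normally adds "sync" so offsets are preserved
    # (bad blocks become zero-filled); it is omitted here so that the source
    # and image hashes stay directly comparable.
    dd if="$src" of="$dest" bs=4M conv=noerror 2>"$dest.dd.txt" || return 1
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$dest" | cut -d' ' -f1)
    end=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    status=MATCH
    [ "$src_hash" = "$img_hash" ] || status=MISMATCH
    # Custody record: start, end, operator@host, source, image, hashes, result.
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        "$start" "$end" "$(id -un)@$(uname -n)" "$src" "$dest" \
        "$src_hash" "$img_hash" "$status" >> "$log"
    [ "$status" = MATCH ]
}

# Re-verify an image later against the hash recorded at acquisition time,
# so any post-acquisition modification of the image is detected.
verify_image() {
    dest="$1"; log="$2"
    recorded=$(awk -F'\t' -v d="$dest" '$5 == d { h = $7 } END { print h }' "$log")
    current=$(sha256sum "$dest" | cut -d' ' -f1)
    [ -n "$recorded" ] && [ "$recorded" = "$current" ]
}
```

Imaging a real device (e.g. `acquire_image /dev/sdb case01.dd custody.tsv`) needs root and a write‑blocked or read‑only source; the dd summary is kept beside the image in `<image>.dd.txt`.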
In conclusion, the study delivers an empirical comparison of disk and memory acquisition on Windows and Linux, highlights the limitations of existing tools, and offers a concrete, standardized workflow that can guide the next generation of forensic analysts toward more reliable, platform‑agnostic investigations.