Answer the below using attached document labeled Unit1_assignment2.  The required readings are attached as well.

1. Identify the three main types of computer software that were discussed in your unit lesson. Within the three main categories, give examples of each and a brief explanation of each. Each explanation/description category must be answered with at least 100 words. You must cite your sources within your answers.

  3 types 

MAIN TYPES OF COMPUTER SOFTWARE

EXAMPLES

EXPLANATION/

DESCRIPTION

 

 

 

2. Write a 150-word essay on the importance of operating systems (OSs). Locate at least one article in the CSU Online Library and one article from an Internet search. You may also use the required readings to support your essay. You must cite your sources within your essay.

References

Importance of operations systems type in computers Forensics

ÇAKIR, H., & KILIÇ, M. S. (2015). Importance of Operating Systems Type in Computer Forensics. International Journal of Information Security & Cybercrime, 4(2), 9–20. https://doi-org.libraryresources.columbiasouthern.edu/10.19107/IJISC.2015.02.013. 

Identify three mobile OSs and three personal computer OSs. Explain advantages and disadvantages of each one. Describe each OS. The total wording for each OS description/advantages/disadvantages should be no less than 100 words. You must cite your sources.

   

OPERATING SYSTEMS

DESCRIPTION

ADVANTAGES

DISADVANTAGES

 
1.

 
2.

 
3.

 
4.

 
5.

 
6.

References

1.

Identify the three main types of computer software that were discussed in your unit lesson. Within the three main categories, give examples of each and a brief explanation of each. Each explanation/description category must be answered with at least 100 words. You must cite your sources within your answers.

MAIN TYPES OF COMPUTER SOFTWARE	EXAMPLES	EXPLANATION/ DESCRIPTION

2.

Write a 150-word essay on the importance of operating systems (OSs). Locate at least one article in the CSU Online Library and one article from an Internet search. You may also use the required readings to support your essay. You must cite your sources within your essay.

References

Importance of operations systems type in computers Forensics

ÇAKIR, H., & KILIÇ, M. S. (2015). Importance of Operating Systems Type in Computer Forensics. International Journal of Information Security & Cybercrime, 4(2), 9–20. https://doi-org.libraryresources.columbiasouthern.edu/10.19107/IJISC.201

5.

02.01

3.

Identify three mobile OSs and three personal computer OSs. Explain advantages and disadvantages of each one. Describe each OS. The total wording for each OS description/advantages/disadvantages should be no less than 100 words. You must cite your sources.

OPERATING SYSTEMS	DESCRIPTION	ADVANTAGES	DISADVANTAGES
1.
2.
3.
4.
5.
6.

References

SectionI – Advances in Information Security Research

9

Importance of Operating Systems Type in
Computer Forensics

Hüseyin ÇAKIR, Mehmet Serkan KILIÇ
IT Institute, Gazi University, Ankara, Turkey

hcakir@gazi.edu.tr, mserkanklc@hotmail.com

Abstract
This article works on determining the effect of operating systems on Computer

forensic especially in nowadays that the need for Computer forensic is increasing due to
the increase in cybercrimes. Suited to the purpose of the study and methods of interview,
15 people with minimum of 4 years of experience in informatics have been interviewed,
in addition, the reports of court experts from cases which are continuing in Ankara
administration of Justice and domestic and foreign sources have been analyzed
technically. With the outcome of the analysis, it has been observed that the studies and
investigations are prepared according to an operating system, software or a certain
device because of the commercial concerns or habits, for this reason it appears that it
would be helpful to make an academic study in; sessions, workshops, seminars about
gathering electronic evidences. Article studies the identification of differences and
similarities between the operating systems and its effects on forensic studies with 5
headings and subheadings. According to the study, non-existence of a standard
Computer forensic process and the need for different specialties are discovered, for this
reason it is assessed that the Computer forensic experts need to specialize in sub-
specializations especially related to operating systems.

Index terms: computer forensic, cybercrimes, electronic evidence, evidence
collection, operating systems

1. Introduction

Computer forensics is a systematic

research with the purpose of documenting the
evidence on what is happening on the
computer media and who is responsible for it
[1]. With the light of this discipline, struggled
on crime and criminals and innocent people
(without any connection to crime) are
protected.

Works related to computer forensics,
involves the laboratory studies during the
process of introduction of the electronic
evidences taken from the crime scene to the
court [2]. It is not possible to make a full list

of the evidences that can be found in the crime
scene. It is likely to encounter different types
of evidences related to the suspects’ financial
status, social status and their interests towards
technology. Although it is found that media,
used from computers vary in every aspect of
life according to place of use and purpose,
they all share one major commonality and it is
using an operating system. The general idea of
the computer forensics studies is; to analyze
the operating system and detect deleted data,
used programs and executed functions on
computer media. This is highlights the
importance of the type of operating systems
used and its structure.

International Journal of Information Security and Cybercrime Vol. 4 Issue 2/20

15

10

Hidden in every intelligent device and
computer system is the software that controls
processing, manages resources and
communicates with peripherals such as
display, screens, disk, computer networks and
printers [3]. Operating systems vary not only
based on price, performance and application
improvement, they are also different in the
means of data keeping, saving and reading.

It has been observed in a literature
research about classification and detection of
digital data (electronic data) that mostly, the
detection and classification are developed for
one certain device type (personal computer,
mobile phone, PDA etc.), one certain
operating system (Windows NT, Windows
XP, Unix, Linux etc.) or one certain purpose
(data saving, computer forensics, computer
network, computer based data analysis, code
breaking etc.) [4]. As a result of updating and
modifying technology, computer media with
different operating systems are involved in
crime and they are gathering data via these
media. However studies related to the subject
show the investigations are only in a single
direction towards one device or one operating
system.

The study aim is find an answer the
question of “What are the effects of operating
system types on the computer forensics
investigations?” Reason to work with this
context is to keep the process of computer
forensics as a whole and prove the effects of
different operating systems on computer
forensics investigations.

Base data to the study are these:
– In the national thesis databank of

YOK, last 50 theses (M.S.) and
dissertations (Ph.D.) related to either
computer forensics or cybercrime

– Expert witness reports about 3 court
cases located in Administration of
Justice in Ankara

– Notes from interview with 15 public
and private sector employees who has
a minimum of 4 years of experience in
computer forensics

Because of the numerous type of computer
media exist and place of usage and purpose
are different, there is large quantity of
operating systems and version is exist. While
analyzing the operating systems in accordance
with the objective of the study, Windows 7,
Windows XP, Mac OS X and Ubuntu 9.0 is
selected to analyze. Thus, unmentioned of
other PC operating systems, server operating
systems and mobile operating systems is the
limits of the study.

2. Analyzing the operating systems in

respect of their usage rate

It is a hard matter to know which operating

systems the end users prefer, for this reason
instead of making a general study on the
subject, data from a statistical service from
Roxr Software Ltd. called Clicky Web
Analytics was used. Clicky tracks and saves
information such as the visitor count (total and
individual), browser information, operating
system information, Country / State
information, the time spent on the website and
source code for visiting the website from
443.553 websites daily.

According to the data of Clicky Web
Analytics; the rate of Windows operating
system usage around the worldwide is %84.4,
Macintosh operating system is %14.4 and
Linux operating system is %1.2. Relative
information is given in Table 1.

Table 1. Operating systems usage rates (%)

Countries
Linux

Operating

System

Macintosh
Operating

System

Windows
Operating

System
U.S.A. 0,9 20,9 78,2
Iran 0,5 1,2 98,3
Japan 1,4 20,8 77,8
Canada 1,0 21,6 77,4
Norway 6,5 20,3 73,2
Russia 1,9 4,8 93,3
Romania 2,8 5,5 91,7
Turkey 0,4 2,4 97,2
World
Average

1,2 14,4 84,4

Section I – Advances in Information Security Research

11

When we analyze the end users’
preferences in operating systems we see that;
Windows Operating System is the most
preferred operating system worldwide. Until
June 2011, XP was the most commonly used
operating system, after that date it left its place
to Windows 7. Today, %52 of the Windows
users prefer using Windows 7, %34 prefer
Windows 8.x, %15 prefer Windows 10, %8
prefer Windows XP, %2 prefer Windows Vista
and %5 prefer other Windows versions
(Windows Server 2003, Windows Server
2008, Windows Me…) Windows Vista was
marketed throughout the world on 30 January
2007 however couldn’t get a full score by end
users and extensively criticized, for this
reason many Windows users in the world
continued to use Windows XP or directly
passed to Windows 7, Windows 8 or Windows
10.

From the countries with high GNP rates to
the countries that criticize USA, Windows OS
is the most preferred operating system and
Windows 7 is the most popular version.

In light of the gathered data, experts of
computer forensics are encountering mostly
Windows 7 and Windows XP, in addition to
this, the order of other operating systems
encountered is; Windows Vista, Mac OS X
and Linux operating systems.

A participant who was interviewed about
the frequency of encountering different
operating systems said that:

“The matter that I’m having the most
difficulty is, besides the windows analysis, I
can’t find domestic data. English sources can
be quite hard. We needed Mac/Linux analyses
in 4 cases and spent much time to prepare the
report…”

It is expected from computer forensics
experts to have a good grasp on Windows OS
forensics analyses because encounter it
frequently. Other operating systems usage is
approximately %15.

Since the documents related to computer
forensics are largely made of publications
from trading items, these publications are
prepared specially for a certain security

resolution, software brand or an operating
system because of the commercial concerns
[4]. So, countries must be take into account
the usage rate of operating system type and
version and prepare necessary documents.

Related to this matter, another participant
has a claim that:

“Besides from Windows, I have never
analyzed any other operating systems but I
don’t believe there would be a huge difference,
after all, they all work with the same idea.
Anyhow it would be possible to have an
analysis and gather evidences…”

With the special education to be given to
computer forensics experts, it should be made
that they will be aware of the usage rate of
operating systems, frequency of encountering
a forensic case and have basic knowledge on
the differences between them.

Also, for the computer forensics experts,
education and continually updating notes
should be prepared regarding the analysis of
Windows, Macintosh and Linux in this order.

1.1. Comparison on supported file
systems
File system is the base structure that

allows the data to be held systematically, it is
formed of sectors getting together as a result
of shaping the computer media [5]. In the
analysis to be made on a hard disk, file system
in the computer media is as important as the
operating system.

When the 10 widespread file systems are
analyzed, it is observed that Linux operating
system supports ext2/ext3,
FAT16/FAT32/HFS, HFS+, LTFS, Joliet, ISO
9660, NTFS, BRFS and UDF file systems.

When shortly examined, Linux operating
system supports 9, Macintosh operating
system supports 7 and Windows operating
system supports 5 file systems. Related
information is given in Table 2.

Table 2. Supported file systems
File System Linux

OS
Macinto
sh OS

Windo
ws OS

ext2/ext3 YES NO NO

International Journal of Information Security and Cybercrime Vol. 4 Issue 2/2015

12

FAT16/FAT32

YES YES YES

HFS/HFS+ YES YES NO

LTFS YES YES NO
MFS NO YES NO

Joliet (CDFS) YES YES YES

ISO 9660 YES YES YES
NTFS

YES NO YES

BFS YES NO NO
UDF YES YES YES

TOTAL 9/10 7/10 5/10

Version information related to operating

system and the detection of the held file
system information are one of the digital
evidences needs to be gathered in the process
of computer forensics. Additionally, as part of
informatics system, discovering the file
systems regarding the CD, DVD, hard disk,
external disk, floppy disk, external DVD
drive, memory stick, memory card which can
be used with the purpose of saving the data
and/or moving it [4].

Each file system has a different way of
keeping the data on the hard disk. When the
status of 10 different file systems being
supported by the operating system are studied,
many file systems are observed to be
supported, for this reason, it is considered to
require more effort and knowledge to analyze
a computer with Linux operating system than
Windows and Macintosh operating systems.

Related to the matter, an interviewed
participant had expressed this:

“… we most certainly state the name,
version and file system of the operating system
in our reports. This remains continuous as
printed.”

Studied court case number 3 shows the
court expert’s report and it provides this
information related to computer media as
meta-information:

– …..
– EnCase Version
– System Version
– File Sytem
– Write Blocked
– Compressed

– Total Size
– Total Sectors
Computer forensics report is the view of

an expert to be given to those associated with
the evolution about computer technology.
Prepared reports include the operating system
and file system types to the court just as it is
stated in the computer forensics report
analysis of the interviewed people.
Furthermore, taking the whole inspected
computer media into consideration and in case
of detecting incoherence in the file systems,
having it present in the report provides great
help with the lightening of the case.

Another interviewed participant stated his
memory regarding an operating system:

“The most important experience about
operating systems in my case is a friend of
mine, a very observant police officer to find a
USB with ext2 format. The computer it was
taken from had Windows XP and he noticed it.
Later on, he asked the suspect of the where
bounds of his Linux Computer and this led the
suspect to be very shocked and eventually
admit.”

It is highly possible to create the link
between the computer media found in the
crime scene and the file systems that the
operating systems support. For instance,
finding a portable memory device with ext2 or
ext3 file system near a computer with
Windows operating system points the
existence of a secondary operating system.
Ext2/ext3 file system is not supported by
Windows operating system and this indicates
the device could not be used with that
computer.

1.2. Comparison on Metadata
The importance of the metadata

information is most obvious when the need to
link evidences reasonably arise, however it is
observed the metadata can be dissimilar
because every operating system has different
file systems.

Of all the 6 categories of analyzed
metadata information, only one of them; File
Date is recorded on all operating systems. File

Section I – Advances in Information Security Research

13

ownership and ACL information are not
recorded on Windows XP and File creation
time are not recorded on Linux operating
systems.

Nevertheless, file deletion time is recorded
only on Linux and Last Archive time is
recorded only on Macintosh operating
systems.

According to this, the metadata
information was analyzed as 6 categories and
2 of them are recorded on Windows XP, 4 of
them are recorded on Linux and Windows 7
and 5 of these categories are recorded on
Macintosh operating systems. Related
comparison information is given in Table 3.

Table 3. Metadata information types

Metadata
Info.

Linux
OS

Mac
OS X

Win.
XP OS

Win. 7
OS

ext2/
ext3

HFS/
HFS+

FAT16/
FAT32

NTFS

File Author
Info

YES YES NO YES

File
Creation
Time

NO YES YES YES

File
Change
Time

YES YES YES YES

Last
Archive
Time

NO YES NO NO

Access
Control
List

YES YES NO YES

File Del.
Time

YES NO NO NO

TOTAL 4/6 5/6 2/6 4/6

The next step to take after gathering digital
evidences is to combine all the evidences and
link them reasonably in the meantime. Until
the definite and absolute evidences are
gathered which will conclude to a result,
linking the evidences and the correlation will
continue in loop and more evidences will be
gathered in the process [6].

Metadata information is utilized to create
a link between the gathered evidences and to
come up with reasonable outcomes related to
the matter.

Metadata describes a document and it
holds information such as where the file
contents are located, size of the file, last
writing date (or access date), access control
information etc. Example of the data structure
of these information can be given as, directory
input for FAT file system, MFT input for
NTFS file system and inode structures for
UFS, Ext2 and Ext3 file systems [7].

Metadata contains various information
based on file type. For instance, it shows the
information of the username for MS Office
file and for the image file; it shows the
information regarding the machine which
took the photo. Metadata mentioned here
however, is the information recorded by the
operating system (actually the file system
installed on operating system) regardless of
any file types.

Finding the contents of all the data located
in file system of the operating system and
identification (metadata) is one of the
necessary digital evidences that needs to be
gathered in the computer forensics process
[4].

A participant calls attention to a matter
related to metadata:

“… Knowing the operating system and its
features makes the job of analyzing person
easier. For instance, in an analysis of a file
which is directly deleted without visiting the
recycling bin, file created date is shown as
deletion date. This is actually because of the
analyzing program. It looks for the deletion
time in FAT32 or NTFS but since it cannot find
it, it pastes the create date on the column.
Windows operating system does not even
record the deletion date, so this finding is
caused by the lack of information.”

Related to the analysis of metadata under
6 categories; file ownership information and
ACL information are not kept in Windows XP
operating systems, thus it is not possible to
make a statement about the ownership of a file
or accessibility of users in Windows XP
operating system with FAT32 file system.

File Creation Time is recorded by all
operating systems except for Linux operating

International Journal of Information Security and Cybercrime Vol. 4 Issue 2/2015

14

system. For this reason, in an analysis of a
computer with Linux operating system, it is
not possible to gather the information related
to the date of file created with file system.
Only in case the file is saved by the program
it belongs to.

When it comes to File Deletion Time, the
situation is exactly the otherwise. If a file is
deleted without being sent to the recycling bin
first, it isn’t possible to find the information
on Windows and Macintosh operating
systems. However Linux operating system
allows for this information to be gathered.

The last comparison about metadata is
Last Archive Time to be kept only on
Macintosh operating systems. The time of a
file archived can be discovered with a feature
of HFS+ file system.

1.3. Comparison on Main Directory
Structures
Operating systems execute the file writing,

reading according to their own specific
systematic. It is understood from the
interviews that in the detection of operating
system, directory structure was of use.

With the analyses made by computer
forensics programs, hidden folders and
system files are observed to be listed as a
whole under a main directory, moreover the
user directory located in the main directory
shows different logons and different files
belonging to them. Similarly, programs
directory features the installed programs on
the computer.

Each operating system completes its
function by keeping data in their own
systematic ways. Difference of main
directories would negatively affect the case to
be investigated by computer forensics experts
but it also provides useful information.

The most obvious disadvantage of
dissimilar directory systems is; not knowing
what type of data are located in the directory
containing the user files and other directories.
On the other hand, the computer forensics
expert who knows main directory structure of
the computer will be able to detect the

operating system of the computer image.
Furthermore, they will be able to comment on
whether the image is damaged or not with the
integrity of the data located there.

An interviewed applicant describes his
experience about main directory structure:

“… Out of habit, if we find other than the
drivers we used to see in the computer image,
such as C, D in Windows; we used to type
“Linux” in our reports. Later on, we noticed
the Macs have similar driver structures
(directory structure) to Linux.”

In the analyses performed with computer
forensics programs, hidden folders and
system files are listed under the main
directory completely. Each operating system
has different main directory structure, for this
reason main directory structure can be useful
to determine the operating system of the
analyzed computer image.

An applicant shares this information about
the process of analysis and inspection:

“The first location I check in my analysis
is the user folder in computer. Important
organizational files are often saved here…”

Defined user identities (accounts) and
finding files in defined users’ recycling bin,
are the digital evidences need to be gathered
in process of computer forensics. Located in
the main directory, analysis of the user
directory allows access to office, picture,
music and other files of the user. During the
arrest, taking the image and to quickly assess
the process of preliminary examination, it is
necessary to examine the user directory with
high priority.

User names located in home directory in
Linux operating systems are not located in
Macintosh operating systems’ main directory.
In Windows XP operating system, active
logins are located in main directory but other
user names are located in Documents and
Settings directory. In Windows 7 operating
system, user names are located in the Users
directory. Cognizing main directory structure
of the computer and user directories allows
the determination of the different logins and
files regarding these logins.

Section I – Advances in Information Security Research
15

3. Analysis of operating systems in
respect of their analyzability by
computer forensics software

With technology advancing, many
computer forensics procedures that are done
by the computer forensics programmers are
easily processed automatically. For instance,
information regarding the last used date of the
computer, hard disk information, user
information and such basic information can be
gathered with EnCase software without the
need of any other third party software.

Operating system of the computer, affects
the computer forensics software which would
be used in analysis. For this reason,
information related to the 10 most commonly
used computer forensics software and about
the operating systems they support are given
in Table 4.

Table 4. Computer forensics software

analyzability
Computer
Forensics
Software

Linux
OS

Macintosh
OS

Window
s OS

EnCase YES YES YES

FTK YES YES YES

Mac Marshal NO YES NO
Mac
Forensics Lab

YES YES YES

OSForensics NO NO YES
ProDiscover
Forensics

YES NO YES

P2
Commander

YES YES YES

Second Look YES NO NO
Autopsy
(Sleuth Kit)

YES NO YES

X-Ways YES YES YES

TOTAL 8/10 6/10 8/10

When the computer forensics software are

studied for comparison, it is observed that
they try to support all 3 operating systems.
While there are 8 available computer forensics
software able to operate on Windows and
Linux operating systems, there are 6 software

that can operate on Macintosh operating
system, nonetheless, Mac Marshal; especially
designed for Macintosh operating system and
Second Look; designed for Linux are
available.

Computer forensics experts have the need
of using software that will allow them to speed
up their file analysis [1]. Thereby, special
programs with functionality have been
discovered. Their function is to gather related
data related to computer forensics studies and
their analysis [8].

An expert’s report from the court case 2
indicates this information:

“The analysis on the hard disk have been
conducted without harming its integrity by
removing the write protection in order the take
the image of the hard disk with a digital
evidence analysis program called Forensic
Toolkit 3.1, accepted as a standard
worldwide…”

According to the expert’s report from the
court case number 3, preliminary information
regarding computer media is given:

– …
– Acquisition MD5
– Verification MD5
– GUID
– EnCase Version
– System Version
– …
EnCase, FTK and X-Ways computer

forensics software, widely preferred in our
country can analyze computers with Linux,
Macintosh and Windows operating systems.
Thereby, it can be observed that MacForen-
sicsLab and MacMarshal computer forensics
software are compatible with Macintosh
operating systems and Secondly Look and
Autopsy computer forensics software are
compatible with Linux operating systems.

Occasionally, during the process of
computer forensics analyses, need of using
other software for the same computer arises.
Computer forensics software do not differ in
the means of performance and speed however
it is beneficial to gather different data with
different software on operating systems

International Journal of Information Security and Cybercrime Vol. 4 Issue 2/2015

16

especially Linux and Macintosh to compare
the results.

A participant delivers a warning related to
computer analysis:

“One of the first rules of analyzing a
computer is to determine the operating system
of the analyzed computer. By doing this,
analysis can start with the correct software. If
the approach focuses on letting the software
do the entire job, a lot of data may not be
gathered at all.”

Before the study of computer forensics, in
order to create an operation plan some matters
must be taken as groundwork such as; type of
case, computer forensics expert count and
qualification, physical attributes of the device
to be analyzed and estimated time of analysis
[4]. In addition to these, using the correct
software on the operating system in analysis
must be taken into consideration.

Another participant makes a metaphor
related to the subject:

“Analyzing a computer is like buttoning a
shirt. Deciding on which software will be used
for analysis is the first button and if the first
one is buttoned wrong it may lead the entire
analysis to a false result…”

With the technology advancing, a lot of
procedures are done automatically by the
computer forensics software and for this
reason computer forensics experts are
expected to use all the functions of the
software efficiently and know the data type
that can be gathered.

If the computer forensics expert knows
what to look for and uses searching programs
(Search function of the computer forensics
software) it proves useful for the analysis-
time cost [9].

A good computer forensics software must
compose a file and directory catalogue for all
the computer media as well as supporting
FAT12, FAT 16, FAT32, exFAT, TFAT, NTFS,
Ext2, Ext3, Ext4, CDFS/ISO9660/Joliet,
HFS, HFS+/HFSJ/HFSX, ReiserFS, Reiser4,
UDF file systems [10].

4. Assessment of operating systems
type in respect of computer forensics
experts

In terms of criminal procedure, expert is

the person who reveals the traces and tracks
for evidences related to the case or it is the
person who analyzes the collected
information [11]. Computer forensics experts
however, know many methods to discover,
reveal, repair the damaged data and save the
protected data located in the computer
systems [12]. Electronic data are easily
modified or changed because of their
structure, thus it is necessary to have certain
processes and procedures with standards in
the analyses of the evidences [13].

Today, the computer media are increasing
in diversity, communication methods via
internet are changing, and informatics
systems are becoming widespread, thus a
superior level of information is obligatory
especially for an active struggle against
cybercrimes.

An interviewed applicant expresses his
memory about lack of information:

“In one of the analyses we did, we couldn’t
gather any data from a laptop with Linux
operating system. We wrote the image was
either broken or coded on the report, but that
analysis just didn’t feel right…”

Expert report from court case number 3:
“The hard disk image with serial code was

taken as 2 images, Raw image (dd) and smart
image (e01) however, since the operating
system was Linux no analysis were conducted
but information related to operating system
was gathered and screen was simultaneously
shared…”

Not conducting any research or analysis
because of the operating system indicates the
results of not having sufficient information, in
this respect, lack of enough computer
forensics experts brings another matter in
hand; capability of current experts.

The experts obtain their certificates only
through theoretical tests and that creates
question marks about qualification. Similarly,

Section I – Advances in Information Security Research

17

a computer engineer working on computer
software is obviously not qualified as an
expert on crimes committed on computer
network or internet which requires experience
and expertise in system administration [11].

A certificate should not be considered
enough to assign a person as expert. Certain
number of requirements must be made and an
objective regulation regarding this matter is
needed [14].

In USA, certain people are given
accreditation in order to use special programs
about computer informatics. In consequence,
not only having the license to use the program,
but also the training personnel who will use
that program is necessary [15].

Some criminals, especially forensics
criminals (cybercriminals) are over certain
cultural and IQ levels, they are also called
“white-collar crime” and when this is taken
into consideration, the known methods shortly
become obsolete. This proves the necessity of
the technical personnel to constantly renew
and update their training [16].

In order to have the Computer forensics
expert or court expert title, expertise regarding
the process of trial is required as well as
computer forensics and as for choosing the
experts, standards and sub-specializations
must be set. These must be made in an
environment where the court (judge, advocate
and prosecutor), enforcements officers,
chambers, organizations and manufacturer
company attorneys can assemble. Training
programs with the designated standards
should determine the sub-specializations and
computer forensics experts. In this context,
areas of expertise for the computer forensics
experts can be specified like this:

– Expertise in The Analysis of Windows
Operating System;

– Expertise in The Analysis of Linux
Operating System;

– Expertise in The Analysis of
Macintosh Operating System;

– Expertise in Mobile Device Analysis;
– Expertise in Server Analysis;

– Expertise in Analysis of Wireless and
Cable Network;

– Encoding and Decoding Expertise;
– Expertise in Identification of

Malicious Software.
Governments should make

investigations in selection of computer
forensics expertise, training and inspection
just as it makes investigations by following
the developments in technology and speeding
up the trials.

During the process of gathering the
evidences and their analyses, not following
the principles and procedures causes the
evidence to be shadowed and rejected by the
court authorities [17]. For this reason,
Computer forensics studies must be done by
units equipped with high technology and these
units must consist of trained and expert
personnel with advanced skill and knowledge
[18].

Result of study shows the need for variant
technical knowledge on different operating
systems and many computer forensics
experts’ lack of knowledge especially on
Linux operating systems.

5. Conclusion

Judge needs evidence to solve a
controversy whether it is law or criminal
procedure. Judgment of the evidence is a
matter of procedural law just as gathering the
evidence is of technical.

This technical matter of discovering the
electronic evidences is in the field of
computer forensics. In addition to this,
computer forensics studies need to be
undertaken as the process of systematic
analyses on computer media, not as gathering
absolute evidence and presenting it.

Computer forensics studies is a field
which requires extensive technical
knowledge, expertise and cautious works as
this field is needed in almost all cases of
cybercrimes committed in different ways and
methods.

International Journal of Information Security and Cybercrime Vol. 4 Issue 2/2015

18

Although the judges and prosecutors show
great importance and care in the evaluation of
electronic evidences, the duty of the computer
forensics experts (especially law-enforcement
officers) who discover, lay the first hand and
report the evidences are equally important.

Computer informatics is not a field fully
completed both in our country and the others.
This field which serves the justice to be served
and it renews itself according to technical
developments and looks for the solutions to
varying needs.

With the increasing cybercrimes and need
of computer forensics works, this study
approaches the computer forensics process as
a whole and attempts to evaluate the effects of
dissimilar operating systems on the process.
This matter was studied in accordance of both
technical and global standards and not rated
juristically.

When the doctorate and master degree
theses in YÖK national databank and studies
made of computer forensics and/or
cybercrimes evaluated; the judicial part is
taken into consideration predominantly.
Technical works however, are prepared
according to a certain device, software or
operating system because of commercial
concerns and habits.

The effects of operating systems on the
computer forensics studies have been
analyzed in light of 50 national theses
analyzed in this context, interview with 15
people with a minimum of 4 years of
experience in computer forensics field and
court expert reports from 3 ongoing cases in
Ankara administration of Justice.

The publications (books, articles, training
notes…) which computer forensics experts
have great grasp are largely based on
Windows operating system and this can be
explained with the %97.2 usage rate in
Turkey. It is observed that the experts and
publications regarding the Macintosh
operating system are insufficient and the rate
of usage of Macintosh operating system in our
country is %2.4.

As a result of the study, it is discovered
that knowing the importance of which
operating systems support dissimilar file
systems especially on portable storages
provides assistance to the speed of the
computer forensics process. Another result
shows the gatherable metadata will not be
standard in case it is copied to another
operating system.

When we take a look at the 10 most
commonly used computer forensics software
worldwide, 7 of them are compatible for use
on Windows operating system. Using
Windows operating system on the computers
that will be used for computer forensics
process will prove to be advantageous.
Another result is that the most preferred
computer forensics software in our country;
EnCase, FTK and X-Ways are only
compatible with Windows operating system.

One of the very important issues in
computer forensics studies is the similar data
found in computer media with different
operating systems and it isn’t possible to
gather the data with standard computer
forensics software. For this reason, using third
party programs will prove useful especially
for the analyses of logs and records.

When we study the most commonly used
10 computer forensics software worldwide,
we observe they are trying to support all 3
operating systems. Primarily, EnCase and
FTK and 3 more other software are capable of
analyzing all 3 operating systems. In
accordance, it has been discovered that they
are especially designed for Linux and
Macintosh operating systems.

In order to provide evidences of the crimes
committed, and protect the innocent people
with no relation to crime whatsoever, it is
important for computer forensics experts to be
well equipped and informed. For this reason,
sub-specialization fields must be designated
and experts must intervene to the computer
media with their own expertise on the matter.

Certification programs with practice and
master and graduate level trainings must be
provided to satisfy the need of the computer

Section I – Advances in Information Security Research

19

forensics experts regarding the matters of
system networks, operating systems,
decoding and electronic communication of
Macintosh and Linux operating systems;
especially of the mobile devices.

In addition, certification programs must be
made by establishing sub-specializations for

computer forensics experts and qualified
personnel must be trained with the result of
these certification programs. In accordance
with this, Experts must take an exam
consecutively with certain intervals (like
every 2 years) and their knowledge must be
tested with the new developments.

References:

[1]. D.S. Jadhav and S.K. Patil, The Study Of Computer Investigation Methods:

Computer Forensics, The International Journal Of Advanced Research In
Technology, Vol. 2, Issue.1, pp. 9-17, 2012.

[2]. A. Ho and S. Li, Forensic Authentication of Digital Audio and Video Files” in
Handbook of Digital Forensics of Multimedia Data and Devices, Chichester, UK:
John Wiley IEEE Press, 2015, pp.133-184.

[3]. D. Comer, “Introduction and Overview” in Operating System Design: The Xinu
Approach, 2th ed. NW: CRC Press, 2015, pp. 3-15.

[4]. M.İ. Öztürk, Bilişim Cihazlarındaki Sayısal Delillerin Tespiti ve
Değerlendirilmesinde İş Akış Modelleri (Models Of Flowchart For Detecting And
Evaluating Digital Evidences in IT Equipments), M.S. thesis, Health Sci. Inst.,
Ankara Univ., Ankara, Turkey, 2007.

[5]. B. Carrier, File System Forensic Analysis, 5th ed. NJ: Pearson Education Inc, 2007.
[6]. Y. Uzunay, “Bilgisayar Ağlarına Yönelik Adli Bilişim” (Computer Forensics

Intended for Computer Network) in Computer Forensics Workshop, İzmir Institute
of Technology, İzmir, Turkey, 2005.

[7]. AccessData, Windows OS Forensics Training Notes, unpublished.
[8]. W.G. Kruse and J.G. Heiser, Computer Forensics – Incident Response Essentials,

14th ed. IN: Pearson Education Inc, 2010.
[9]. M.K. Rogers, J. Goldman, R. Mislan, T. Wedge and S. Debrota Steve, Computer

Forensics Field Triage Process Model, Journal of Digital Forensics, Security and
Law, Vol.1 No.2, pp.9-38, 2006.

[10]. T. Henkoğlu, Adli Bilişim, Dijital Delillerin Elde Edilmesi ve Analizi, 1st ed.
Ankara: Pusula Yayıncılık, Turkey, 2011.

[11]. M.B. Eryılmaz, Ceza Muhakemesi Hukuku Dersleri, 1st ed. Ankara: Polis
Akademisi Yayınları, Turkey, 2012.

[12]. D.S. Thomas and K.A. Forcht, Legal Methods of Using Computer forensics
Techniques For Computer Crime Analysis and Investigation, Issues in Information
Systems Journal, Vol.5 No:2, pp.692-698, 2004.

[13]. B. Nelson, A. Phillips and C. Steuar, “Expert Testimony in Digital Investigations”
in Guide to Computer Forensics and Investigations, 5th ed. USA: Cengage
Learning, 2015, pp. 535-567.

[14]. Adalet Bakanlığı, “Çalıştay Raporu”, Yargılamada Bilirkişilik Müessesesi
Çalıştayı, (Workshop Of Expert Witnesses at Trial), Hakimevi, Ankara, Turkey,
2010.

International Journal of Information Security and Cybercrime Vol. 4 Issue 2/2015

20

[15]. Y. Çiçek, “Bilirkişi Raporlarının Hazırlanması”, Kamulaştırma Bilirkişiliği Eğitimi
Programı (Expert Witnesses at Expropriation Training Program),TMMOB Harita
ve Kadastro Mühendisleri Odası, Ankara, Turkey, 2008.

[16]. A. Karagülmez, Bilişim Suçlarında Delil Toplamayı Etkileyen Başlıca Konular, 2.
Polis Bilişim Sempozyumu (2nd Police IT Symposium), Sheraton Hotel, Ankara,
Turkey, 2005.

[17]. H. Çakır and E. Sert, “Bilişim Suçları ve Delillendirme Süreci”, Örgütlü Suçlar ve
Yeni Trendler. Uluslararası Terörizm ve Sınıraşan Suçlar Sempozyumu
(International Terrorism and Transnational Crime Symposium), Antalya, Turkey,
2010.

[18]. V. Bıçak, Suç Muhakemesi Hukuku, 1st ed. Ankara: Seçkin Yayınevi, Turkey, 2011.

Copyright of International Journal of Information Security & Cybercrime is the property of
Romanian Association for Information Security Assurance and its content may not be copied
or emailed to multiple sites or posted to a listserv without the copyright holder’s express
written permission. However, users may print, download, or email articles for individual use.

Index/Document.iwa

Index/ViewState-20497.iwa

Index/CalculationEngine-20361.iwa

Index/AnnotationAuthorStorage-20360.iwa

Index/DocumentStylesheet.iwa

Index/DocumentMetadata.iwa

Index/Metadata.iwa

Metadata/Properties.plist

Metadata/DocumentIdentifier
6C04C922-537E-41A2-83E9-E007B6D83C0B

Metadata/BuildVersionHistory.plist

Template: Blank (4.2)
M8.2.1-6529-2

preview

preview-micro

preview-web

Index/Document.iwa

Index/ViewState-21232.iwa

Index/CalculationEngine-20361.iwa

Index/AnnotationAuthorStorage-20360.iwa

Index/DocumentStylesheet.iwa

Index/DocumentMetadata.iwa

Index/Metadata.iwa

Metadata/Properties.plist

Metadata/DocumentIdentifier
7D5A7114-D85B-400B-95E7-31F289B52E19

Metadata/BuildVersionHistory.plist

Template: Blank (4.2)
M8.2.1-6529-2

preview

preview-micro

preview-web