In my experience, whether UNIX is friendlier as a platform for forensic investigation depends on how one configures a Windows system, because there are POSIX and Open Source frameworks available. But as a target, it seems pretty well accepted that UNIX is easier to analyze (Casey, 2004, 11.8). While it isn't terribly difficult to add functionality to Windows that makes it capable of the same type of application behavior as UNIX it is considerably more so to modify the core architecture of the operating system itself to achieve the openness and transparency.

As I understand them, the design philosophies of Windows and UNIX have been, are, and probably always will be very different (Fulton, 2009) (Murphy, 2004). Microsoft is primarily concerned with selling software (Microsoft, 2005). The original unices were tightly integrated with their hardware platforms (The Open Group, 2003) and generally licensed from Bell Labs to sell that hardware. So it does seem readily apparent that these heritages of the operating systems would lead to widely divergent standards of usability and visibility.

Most users might say that 'out of the box' Windows is the easier operating system to use. This gap will narrow as Linux distributions like Ubuntu try to make Linux a user-friendly operating system and as Windows evolves more sophisticated internal architecture and/or exposes more of it to user configuration, but it isn't likely to disappear. The fact remains that Microsoft makes a consumer oriented operating system while unices are just interfaces between humans and hardware. So for actual 'friendliness' it is possible to argue that Windows is more focused on this aspect. However, for forensics applications the interface is secondary. So without POSIX or Open Source there may be aspects of the application/operating system/hardware stack that are simply not known. Again, one might argue that this isn't 'unfriendly'. But I would submit that it does present a serious issue. Luckily it is one that is easily addressed today with such features as 'UNIX Services for Windows' and frameworks such as Cygwin.

These same issues are not so surmountable when analyzing Windows as the forensic target. While it is possible to get huge amounts of information from the system in my experience not even Microsoft engineers can tell one what it all means. Whether this is due to lack of information or protection of intellectual property is irrelevant. The outcome is the same and it is problematic.

Casey, E. (2004) Digital Evidence and Computer Crime – Forensic Science, Computers and The Internet, 2nd edition. New York: Academic Press

Fulton, S.M. III (2009) Russinovich on MinWin, the new core of Windows [Online]. Available from: (Accessed: 4 July, 2010)

Microsoft (2005) Our Business Model [Online]. Available from: (Accessed: 4 July, 2010)

Murphy, P. (2004) What Differentiates Linux from Windows? [Online]. Available from: (Accessed: 4 July, 2010)