The reliability of cyber forensic evidence acquisition is strongly influenced by the underlying operating systems, Windows, macOS, and Linux - due to inherent variations in file system structures, encryption protocols, and forensic tool compatibility. Disk forensics, one of the most widely used techniques in digital investigations, faces distinct obstacles on each platform. Windows, with its predominantly NTFS and FAT file systems, typically supports reliable disk imaging and analysis through established tools such as FTK Imager and Autopsy/Sleuth Kit. However, encryption features frequently pose challenges to evidence acquisition. Conversely, Linux environments, which rely on file systems like ext4 and XFS, generally offer greater transparency, yet the transient nature of log retention often complicates forensic analysis. In instances where anti-forensic strategies such as encryption and compression render traditional disk forensics insufficient, memory forensics becomes crucial. While memory forensic methodologies demonstrate robustness across Windows and Linux platforms forms through frameworks like Volatility, platform-specific difficulties persist. Memory analysis on Linux systems benefits from tools like LiME, snapshot utilities, and dd for memory acquisition; nevertheless, live memory acquisition on Linux can still present challenges. This research systematically assesses both disk and memory forensic acquisition techniques across samples representing Windows and Linux systems. By identifying effective combinations of forensic tools and configurations tailored to each operating system, the study aims to improve the accuracy and reliability of evidence collection. It further evaluates current forensic tools and highlights a persistent gap: consistently assuring forensic input reliability and footprint integrity.

翻译：网络取证证据获取的可靠性深受底层操作系统（Windows、macOS 和 Linux）的影响，这源于文件系统结构、加密协议和取证工具兼容性等方面固有的差异。磁盘取证作为数字调查中最广泛应用的技术之一，在各平台上均面临独特的障碍。Windows 系统主要采用 NTFS 和 FAT 文件系统，通常可通过 FTK Imager 和 Autopsy/Sleuth Kit 等成熟工具实现可靠的磁盘镜像与分析，但其加密功能常给证据获取带来挑战。相反，依赖 ext4 和 XFS 等文件系统的 Linux 环境通常提供更高的透明度，然而日志保留的临时性往往使取证分析复杂化。当加密和压缩等反取证策略使传统磁盘取证不足时，内存取证变得至关重要。尽管内存取证方法（如通过 Volatility 框架）在 Windows 和 Linux 平台上展现出鲁棒性，但平台特定的困难依然存在。Linux 系统的内存分析得益于 LiME、快照工具及 dd 等内存获取工具，然而其实时内存获取仍可能面临挑战。本研究系统评估了代表 Windows 和 Linux 系统的样本上的磁盘与内存取证获取技术。通过识别针对各操作系统定制的取证工具与配置的有效组合，本研究旨在提高证据收集的准确性与可靠性。研究进一步评估了当前取证工具，并指出了一个持续存在的缺口：如何始终确保取证输入的可靠性与足迹完整性。