First Steps, Lasting Impact: Platform-Aware Forensics for the Next Generation of Analysts

📅 2026-01-29
📈 Citations: 0
Influential: 0
🤖 AI Summary
This study addresses how differences between operating systems—specifically Windows and Linux—in file systems, encryption mechanisms, and tool compatibility significantly impact the reliability and integrity of digital forensics. The authors systematically evaluate the effectiveness of disk and memory forensic techniques across NTFS/FAT and ext4/XFS environments, employing tools such as FTK Imager, Autopsy/Sleuth Kit, Volatility, LiME, and dd. They propose platform-specific forensic strategies, identify optimal tool combinations for each OS, and expose limitations of current approaches in encrypted and anti-forensic scenarios. The research further demonstrates that memory forensics plays a critical complementary role in cross-platform evidence preservation, providing an empirical foundation for developing reproducible, high-fidelity forensic workflows.

📝 Abstract
The reliability of cyber forensic evidence acquisition is strongly influenced by the underlying operating system (Windows, macOS, or Linux) due to inherent variations in file system structures, encryption protocols, and forensic tool compatibility. Disk forensics, one of the most widely used techniques in digital investigations, faces distinct obstacles on each platform. Windows, with its predominantly NTFS and FAT file systems, typically supports reliable disk imaging and analysis through established tools such as FTK Imager and Autopsy/Sleuth Kit. However, encryption features frequently pose challenges to evidence acquisition. Conversely, Linux environments, which rely on file systems like ext4 and XFS, generally offer greater transparency, yet the transient nature of log retention often complicates forensic analysis. In instances where anti-forensic strategies such as encryption and compression render traditional disk forensics insufficient, memory forensics becomes crucial. While memory forensic methodologies demonstrate robustness across Windows and Linux platforms through frameworks like Volatility, platform-specific difficulties persist. Memory analysis on Linux systems benefits from tools like LiME, snapshot utilities, and dd for memory acquisition; nevertheless, live memory acquisition on Linux can still present challenges. This research systematically assesses both disk and memory forensic acquisition techniques across samples representing Windows and Linux systems. By identifying effective combinations of forensic tools and configurations tailored to each operating system, the study aims to improve the accuracy and reliability of evidence collection. It further evaluates current forensic tools and highlights a persistent gap: consistently assuring forensic input reliability and footprint integrity.
Problem

Research questions and friction points this paper is trying to address.

digital forensics
operating system differences
evidence reliability
disk forensics
memory forensics
Innovation

Methods, ideas, or system contributions that make the work stand out.

platform-aware forensics
disk forensics
memory forensics
evidence reliability
operating system-specific analysis
Vinayak Jain
Florida Institute of Technology, Melbourne, USA
Sneha Sudhakaran
Florida Institute of Technology, Melbourne, USA
Saranyan Senthivel
Security researcher
Industrial Control Systems Security, Computer Security