Cos413day3

Guide to Computer Forensics and Investigations, 2e2
AgendaAgenda
• Questions?
• Assignment 1 due
• Lab Write-ups (project 2-1 and 2-2) due next class
• Lab Recap and After Action Report
• Begin Discussion on Working with Windows and
DOS Systems
– Chapter 3 in 1e and Chapter 7 in 2e

Lab 1 RecapLab 1 Recap
• Always know what are going to do before you sit
down at the forensics workstations
– Methodical not “hack and slash”
– Requires reading and prior prep
• Learn DOS
– Most forensics work is down at low levels (not GUI)
– http://www.glue.umd.edu/~nsw/ench250/dostutor.htm
• Have part of the lab report started before the lab
– Know what it is you are looking for

Guide to ComputerGuide to Computer
Forensics andForensics and
InvestigationsInvestigations
Chapter 3
Working with Windows
and DOS Systems

ObjectivesObjectives
• Understand file systems
• Explore Microsoft file structures
• Examine New Technology File System (NTFS)
disks

Objectives (continued)Objectives (continued)
• Understand the Windows Registry
• Understand Microsoft boot tasks
• Understand MS-DOS startup tasks

Understanding File SystemsUnderstanding File Systems
• Understand how OSs work and store files
• CompTIA A+ certification
• File system
– Road map to data on a disk
– Determines how data is stored on disk
• Become familiar with file systems

Understanding the Boot SequenceUnderstanding the Boot Sequence
• Avoid data contamination or modification
• Complementary Metal Oxide Semiconductor
(CMOS)
– Stores system configuration, data, and time
• BIOS
– Performs input/output at hardware level

(continued)(continued)
• Make sure computer boots from a floppy disk
– Modify CMOS
– Accessing CMOS depends on the BIOS
• Delete key
• Ctrl+Alt+Insert
• Ctrl+A
• Ctrl+F1
• F2
• F12

Understanding Disk DrivesUnderstanding Disk Drives
• Composed of one or more platters
• Elements of a disk:
– Geometry
– Head
– Tracks
– Cylinders
– Sectors

Understanding Disk Drives (continued)Understanding Disk Drives (continued)

• Cylinder, head, sector (CHS) calculation
– 512 bytes per sector
– Tracks contain sectors
– Number of bytes on a disk
• Cylinders (platters) x Heads (tracks) x sectors
• First track is track 0
– So if a disc list 79 tracks (like a floppy) does, it has
80 tracks

• Zoned bit recording (ZBR)
– Platter’s inner tracks are smaller than outer tracks
– Group tracks by zone
• Track density
– Space between each track
• Areal density
– Number of bits on one square inch of a platter

Exploring Microsoft File StructuresExploring Microsoft File Structures
• Need to understand
– FAT
– NTFS
• Sectors are grouped on clusters
– Storage allocation units of at least 512 bytes
– Minimize read and write overhead
• Clusters are referred to as logical addresses
• Sectors are referred to as physical addresses

Disk PartitionsDisk Partitions
• Logical drive
• Hidden partitions or voids
– Large, unused gaps between partitions
– Also known as partition gaps
– Can hide data
• Use a disk editor to change partitions table
– Norton Disk Edit
– WinHex, Hex Workshop
– http://www.x-ways.net/winhex/index-m.html

Disk Partitions (continued)Disk Partitions (continued)

• Disk editor additional functions
– Identify OS on an unknown disk
– Identify file types

Master Boot RecordMaster Boot Record
• Stores information about partitions
– Location
– Size
– Others
• Software can replace master boot record (MBR)
– PartitionMagic
– LILO
– Can interfere with forensics tasks
– Use more than one tool

Examining FAT DisksExamining FAT Disks
• FAT was originally developed for floppy disks
– Filenames, directory names, date and time stamps,
starting cluster, attributes
• Typically written to the outermost track
• Evolution
– FAT12
– FAT16
– FAT32

Examining FAT Disks (continued)Examining FAT Disks (continued)

• Drive slack
– Unused space on a cluster
– RAM slack
• Can contain logon IDs and passwords
• Common on older systems
– File slack
• Bytes not used on the sector by the file
• FAT16 unintentionally reduced fragmentation

• Cluster chaining
– File clusters are together (when possible)
• Produces fragmentation
• Tools
– Norton DiskEdit
– DriveSpy’s Chain Fat Entry (CFE) command
• Rebuilding broken chains can be difficult

Deleting FAT FilesDeleting FAT Files
• Filename in FAT database starts with HEX E5
• FAT chain for that file is set to zero
• Free disk space is incremented
• Actual data remains on disk
• Can be recovered with computer forensics tools

Examining NTFS DisksExamining NTFS Disks
• First introduced with Windows NT
• Spin off HPFS
– From IBM O/S 2
• Provides improvements over FAT file systems
– Stores more information about a file
• Microsoft’s move toward a journaling file system
– Keep track of transactions
– Can be rolled back

Examining NTFS Disks (continued)Examining NTFS Disks (continued)
• Partition Boot Sector starts at sector 0
• Master File Table (MFT)
– First file on disk
– Contains information about all files on disk
(meta-data)
• Reduces slack space
• NTFS uses Unicode
– UTF-8, UTF-16, UTF-32

Examining NTFS Disks (continued)Examining NTFS Disks (continued)

NTFS File AttributesNTFS File Attributes
• All files and folders have attributes
• Resident attributes
– Stored in the MFT
• Nonresident attributes
– Everything that can be stored on the MFT
• Uses inodes for nonresident attributes
• Logical and virtual cluster numbers
– LCN and VCN

NTFS Data StreamsNTFS Data Streams
• Data can be appended to a file when examining a
disk
– Can obscure valuable evidentiary data
• Additional data attribute of a file
• Allow files be associated with different applications

NTFS Compressed FilesNTFS Compressed Files
• Improve data storage
– Compression similar to FAT DriveSpace 3
• File, folders, or an entire volume can be
compressed
• Transparent when working with Windows XP, 2000,
or NT
• Need to decompress it when analyzing
– Advanced tools do it automatically

NTFS Encrypted File System (EFS)NTFS Encrypted File System (EFS)
• Introduced with Windows 2000
• Implements a public key/private key encryption
method
• Recovery certificate
– Recovery mechanisms in case of a problem
• Works for local workstations or remote servers

Deleting NTFS FilesDeleting NTFS Files
• Similar to FAT
• NTFS is more efficient than FAT
– Reclaiming deleted space
– Deleted files are overwritten more quickly

Understanding the Windows RegistryUnderstanding the Windows Registry
• Database that stores:
– Hardware and software configuration
– User preferences (user names and passwords)
– Setup information
• Use Regedit command for Windows 9x
• Use Regedt32 command for Windows XP and
2000
• FTK Registry Viewer

• Windows 9x Registry
– User.dat
– System.dat
• Windows 2000 and XP Registry
– WinntSystem32Config
– WindowsSystem32Config
– System, SAM, Security, Software, and NTUser.dat

Understanding Microsoft Boot TasksUnderstanding Microsoft Boot Tasks
• Prevent damaging digital evidence
• OSs alter files when computer starts up

Windows XP, 2000 and NT StartupWindows XP, 2000 and NT Startup
• Steps:
– Power-on self test (POST)
– Initial startup
– Boot loader
– Hardware detection and configuration
– Kernel loading
– User logon

Startup Files for Windows XPStartup Files for Windows XP
• Files used during boot process:
– NTLDR
– Boot.ini
– BootSec.dos
– NTDetect.com
– NTBootdd.sys
– Ntoskrnl.exe
– Hal.dll
– Device drivers

Windows XP System FilesWindows XP System Files

Windows 9x and Me StartupWindows 9x and Me Startup
• Windows Me cannot boot to a true MS-DOS mode
• Windows 9x OSs have two modes
– DOS protected-mode interface (DPMI)
• Command prompt from boot menu
– Protected-mode GUI
• Dos shell in windows
• Startup files
– Io.sys
– Msdos.sys
– Command.com

Windows 9x and Me StartupWindows 9x and Me Startup

Understanding MS-DOS Startup TaskUnderstanding MS-DOS Startup Task
• Io.sys
– Loaded after the ROM bootstrap
– Finds the disk drive
– Provides basic input/output services
• Msdos.sys
– Loaded after Io.sys
– Actual kernel for MS-DOS
– Looks for Config.sys

Understanding MS-DOS Startup TaskUnderstanding MS-DOS Startup Task
• Msdos.sys (continued)
– Loads Command.com
– Loads Autoexec.bat
• Config.sys
– Commands run only at system startup
• Autoexec.bat
– Customized setting for MS-DOS
– Define default path and environmental variables

Other Disk Operating SystemsOther Disk Operating Systems
• Control Program for Microprocessors (CP/M)
• Digital Research Operating System (DR-DOS)
• Personal Computer Disk Operating System (PC-
DOS)
– Developed by IBM

DOS Commands and Batch FilesDOS Commands and Batch Files
• Batch files
– Fixed sequence of DOS commands
– Ideal for repetitive tasks
• Batch files work like a single command
• MS-DOS supports parameter passing and
conditional execution
– Can pass up to 10 parameters

SummarySummary
• FAT
– FAT12, FAT16, and FAT32
• Windows Registry keeps hardware and software
configuration and preferences
• CHS calculation
• NTFS
• Look for hidden information on file, RAM, and drive
slack

Summary (continued)Summary (continued)
• NTFS uses Unicode to store information
• Hexadecimal codes identify OSs and file types
• NTFS uses inodes to link file attribute records
– Resident and nonresident
• NTFS compressed files
• NTFS encrypted files (EFS)

Cos413day3

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (15)

Similar to Cos413day3

Similar to Cos413day3 (20)

Recently uploaded

Recently uploaded (20)

Cos413day3