This document discusses Windows forensics and provides details on the Windows boot sequence. It describes the six phases of the Windows boot process: 1) Power-On Self Test, 2) Initial Startup, 3) Boot Loader, 4) Hardware Detection and Configuration, 5) Kernel Loading, and 6) User Logon. Key Windows data structures like the NTFS file system, Windows Registry, and Windows Event Log are also summarized. The document outlines where forensic analysts can find artifacts of user activities on a Windows system, such as in volatile memory, hidden files, slack space, and the Windows Search index.
Forensic artifacts in modern linux systemsGol D Roger
This document provides an overview of a workshop on forensic artifacts in modern Linux systems. It will cover topics such as partitions and filesystems, boot loaders, the Linux file system layout, systemd configuration for services and scheduled tasks, installed software and packages, log files and the systemd journal. The workshop format will involve both presentations and demonstrations of analyzing disk images and artifacts. It is aimed at forensic investigators and showing what can be discovered from compromised, criminal, or seized Linux systems.
This document discusses file system management in operating systems. It covers file concepts including data types, attributes, and structures. It also describes directory structures from single-level to tree and graph structures. Additionally, it discusses access methods, file system mounting, file sharing, and protection. Key topics include file operations, sequential and direct access, tree-structured directories with absolute and relative path names, mount points, and access control lists with read/write/execute permissions for owners, groups and the public.
This document discusses various aspects of file system implementation in operating systems. It covers file system structures, directory implementation methods, allocation techniques like contiguous, linked and indexed allocation, free space management using bitmaps and linked lists, performance optimization using caching, and recovery methods like journaling. It also describes network file systems like NFS, which allow remote access to files across networked machines in a transparent manner using client-server architecture and remote procedure calls.
Linux is a free, open-source operating system based on UNIX with a modular kernel. It uses processes, threads, virtual memory, and files systems. Device drivers allow access to hardware via the block I/O system. Interprocess communication includes signals, pipes, shared memory, and semaphores. Security features authentication via PAM and access controls permissions via user and group IDs.
This document summarizes key concepts from Chapter 11 of the textbook "Operating System Concepts - 9th Edition" by Silberschatz, Galvin and Gagne. It discusses file systems, including file concepts, attributes, operations, access methods, directory structures, and disk structures. It describes different types of file organizations like sequential, direct, and indexed access and different file system types like general purpose, temporary, and special purpose file systems used in Solaris. It also covers operations on directories like searching, creating, deleting files and file directory organization methods.
The Linux Kernel Implementation of Pipes and FIFOsDivye Kapoor
A walkthrough of the code structure used in the linux kernel to implement pipes and FIFOs.
This was presented to a Senior level class at the Indian Institute of Technology, Roorkee.
This document summarizes key aspects of file system implementation discussed in Chapter 11. It describes the layered structure of file systems, with device drivers, the basic file system, file organization module, and logical file system layers. It also discusses important on-disk and in-memory file system structures like the boot block, superblock, file control blocks, and in-memory structures like the mount table. Common allocation methods like contiguous and linked allocation are explained. Directory implementation as linked lists or hash tables is covered as well.
The document discusses Linux file systems. It provides an overview of Linux file system types including network file systems like NFS and SMB, and disk file systems like ext2, ext3, FAT32, and NTFS. It describes the physical structure of file systems on disk including the boot block, super block, inode list, and block list. It also summarizes the features and maximum sizes of different file system standards like ext2, ext3, ext4, ReiserFS, XFS, and JFS.
Forensic artifacts in modern linux systemsGol D Roger
This document provides an overview of a workshop on forensic artifacts in modern Linux systems. It will cover topics such as partitions and filesystems, boot loaders, the Linux file system layout, systemd configuration for services and scheduled tasks, installed software and packages, log files and the systemd journal. The workshop format will involve both presentations and demonstrations of analyzing disk images and artifacts. It is aimed at forensic investigators and showing what can be discovered from compromised, criminal, or seized Linux systems.
This document discusses file system management in operating systems. It covers file concepts including data types, attributes, and structures. It also describes directory structures from single-level to tree and graph structures. Additionally, it discusses access methods, file system mounting, file sharing, and protection. Key topics include file operations, sequential and direct access, tree-structured directories with absolute and relative path names, mount points, and access control lists with read/write/execute permissions for owners, groups and the public.
This document discusses various aspects of file system implementation in operating systems. It covers file system structures, directory implementation methods, allocation techniques like contiguous, linked and indexed allocation, free space management using bitmaps and linked lists, performance optimization using caching, and recovery methods like journaling. It also describes network file systems like NFS, which allow remote access to files across networked machines in a transparent manner using client-server architecture and remote procedure calls.
Linux is a free, open-source operating system based on UNIX with a modular kernel. It uses processes, threads, virtual memory, and files systems. Device drivers allow access to hardware via the block I/O system. Interprocess communication includes signals, pipes, shared memory, and semaphores. Security features authentication via PAM and access controls permissions via user and group IDs.
This document summarizes key concepts from Chapter 11 of the textbook "Operating System Concepts - 9th Edition" by Silberschatz, Galvin and Gagne. It discusses file systems, including file concepts, attributes, operations, access methods, directory structures, and disk structures. It describes different types of file organizations like sequential, direct, and indexed access and different file system types like general purpose, temporary, and special purpose file systems used in Solaris. It also covers operations on directories like searching, creating, deleting files and file directory organization methods.
The Linux Kernel Implementation of Pipes and FIFOsDivye Kapoor
A walkthrough of the code structure used in the linux kernel to implement pipes and FIFOs.
This was presented to a Senior level class at the Indian Institute of Technology, Roorkee.
This document summarizes key aspects of file system implementation discussed in Chapter 11. It describes the layered structure of file systems, with device drivers, the basic file system, file organization module, and logical file system layers. It also discusses important on-disk and in-memory file system structures like the boot block, superblock, file control blocks, and in-memory structures like the mount table. Common allocation methods like contiguous and linked allocation are explained. Directory implementation as linked lists or hash tables is covered as well.
The document discusses Linux file systems. It provides an overview of Linux file system types including network file systems like NFS and SMB, and disk file systems like ext2, ext3, FAT32, and NTFS. It describes the physical structure of file systems on disk including the boot block, super block, inode list, and block list. It also summarizes the features and maximum sizes of different file system standards like ext2, ext3, ext4, ReiserFS, XFS, and JFS.
1.Introduction
2.OS Structures
3.Process
4.Threads
5.CPU Scheduling
6.Process Synchronization
7.Dead Locks
8.Memory Management
9.Virtual Memory
10.File system Interface
11.File system implementation
12.Mass Storage System
13.IO Systems
14.Protection
15.Security
16.Distributed System Structure
17.Distributed File System
18.Distributed Co Ordination
19.Real Time System
20.Multimedia Systems
21.Linux
22.Windows
This document provides an overview of the Linux file system including:
1. It defines the main directories and contents according to the Filesystem Hierarchy Standard (FHS) with the root directory being "/" and possible multiple partitions and filesystems.
2. It describes the different types of files like ordinary files, directories, and special files as well as file permissions for reading, writing, and executing files and directories.
3. It explains how to change file permissions using the chmod command and navigate the file system using commands like pwd, cd, and ls including examples of using options, wildcards and navigation.
Quontra Solutions offers Job oriented Linux online training with updated technologies. For more info about our Linux online training contact us directly. We are providing Linux online training to all students throughout worldwide by real time faculties. Our Linux training strengthens your skills and knowledge which will helps you to gain a competitive advantage in starting your career. Outclasses will help you to gain knowledge on real time scenario. It will be most use full to boost up your career.
Our training sessions are designed in such a way that all the students can be convenient with the training schedules and course timings.
Along with Training, we also conduct several mock interviews along with Job Placement Assistance. Attend Free Demo before joining the class.
Our Features:
• Real world projects to get practical based experience
• Online tests to explore the resource learning
• Experienced certified trainers as instructors
• One to one personalized training with desktop access
• Case studies and state of art library to access study material
• Resume build assistance to win in interviews
Contact us:
Simson Andrew
Email: info@quontrasolutions.com
web: www.quontrasolutions.com
The document discusses the structure and implementation of file systems. It describes the layered design of file systems, with the physical devices at the lowest level and the logical file system at the highest level. It also outlines several important on-disk data structures used by file systems, including the boot control block, volume control block, and directory structure. These structures store information needed to boot an operating system, manage disk space and blocks, and organize the directory structure and file metadata.
The document discusses the structure and management of processes in an operating system. It describes the different states a process can be in like running, ready, sleeping, etc. and the transitions between states. It explains the layout of a process in memory including text, data, and stack regions. It discusses how the kernel saves and restores the context of a process during context switches, interrupts, and system calls. It also summarizes how the kernel manipulates a process's address space through operations on regions like allocating, attaching, changing size, loading, duplicating, and freeing regions.
Windows 2000 is a 32-bit preemptive multitasking operating system developed by Microsoft for Intel microprocessors. It uses a micro-kernel architecture and supports features like security, extensibility, international support, and compatibility with legacy applications. The system has a layered architecture with modules like the kernel, executive, and various environmental subsystems that emulate other operating systems. It provides features like virtual memory management, process and thread scheduling, security, and networking support through protocols like SMB and TCP/IP.
Sysfs is a virtual filesystem in Linux that exports information about kernel objects, such as devices and modules, to userspace. It allows user processes to view and manipulate these objects. When sysfs is initialized, it registers itself with the kernel's virtual filesystem and automatically mounts itself to provide this interface. The sysfs hierarchy mirrors the organization of kernel objects, with directories, files, and symlinks representing objects, attributes, and relationships.
Internal representation of file chapter 4 Sowmya JyothiSowmya Jyothi
The document discusses the internal representation of files in Unix-like operating systems. It covers the following key points:
- Inodes store metadata about files, including file type, permissions, size, and locations of data blocks. Disk inodes are stored on disk while in-core inodes are read into memory.
- The superblock stores metadata about the entire file system, including the number of free blocks and inodes.
- Regular files store data in direct, indirect, double-indirect, and triple-indirect blocks referenced by the inode. Directories are represented as files containing name-inode pair entries.
- Other file types include pipes, block devices, and character devices. Pipes use
This chapter discusses file systems and their interfaces. It covers key concepts like files, directories, access methods, mounting file systems, file sharing, and protection. Directories provide structure and organization for files on a file system using tree or graph structures. File systems support operations like creating/deleting files, searching directories, and opening/closing files. They also implement features like file sharing across networks and access control using permissions.
Unix uses processes to run programs and operating system functions. There are two types of processes - system processes which execute OS code and user processes which execute user programs. Processes can be in different states like running, ready, blocked etc. The kernel manages processes using data structures like process table entry and user area. Important process management operations include forking to create new processes, wait/exit for process termination, and signals for inter-process communication.
The document discusses various debugging techniques for the Linux kernel including:
1. Enabling debugging configuration options like CONFIG_DEBUG_KERNEL and CONFIG_DEBUG_SLAB.
2. Using printk statements with different log levels for debugging.
3. Querying information from /proc and using ioctl calls.
4. Tools like strace, gdb, kdb, and Kgdb can help debug system faults, catch flaws in code, and set breakpoints.
5. Tracing tools like LTT allow tracing of kernel events and timing information.
The document discusses various concepts related to files in a UNIX system. It defines files as building blocks of an operating system and describes the different types of files like regular files, directory files, device files, FIFO files, etc. It explains key concepts like inodes, file attributes, directory structure, hard links and symbolic links. The document provides detailed information about each file type and how they are represented and used in a UNIX file system.
This document discusses various concepts related to file input/output (I/O) in Linux system programming. It covers opening, reading from, writing to, closing, seeking within, and truncating files using system calls like open(), read(), write(), close(), lseek(), ftruncate(). It also discusses related topics like file descriptors, blocking vs non-blocking I/O, synchronized I/O, direct I/O, and positional reads/writes.
OMFW 2012: Analyzing Linux Kernel Rootkits with VolatlityAndrew Case
The document summarizes the analysis of several Linux rootkits using the Volatility memory forensics framework. It describes how the Average Coder rootkit hides processes, modules and users by hooking various file operations. It also details how the KBeast rootkit hides its module, hooks system calls and network connections. Finally, it discusses how the Jynx rootkit operates by preloading a shared library to hook filesystem and network functions and implement a backdoor. The document demonstrates how Volatility plugins can detect these rootkits and recover hidden data.
Linux System Programming - Advanced File I/OYourHelper1
The document discusses various advanced file I/O techniques in Linux, including scatter/gather I/O, epoll, memory-mapped I/O, file advice, asynchronous I/O, I/O schedulers, and the deadline and anticipatory I/O schedulers. Scatter/gather I/O allows reading from or writing to multiple buffers in one operation. Epoll improves on poll() and select() by only requiring monitored file descriptors, improving performance. Memory mapping maps files directly into memory, allowing file I/O via memory operations. File advice provides hints to the kernel on intended file usage to optimize I/O. Asynchronous I/O allows non-blocking I/O. I/O sched
The document discusses the key components and functions of the Unix system kernel. It describes the kernel as managing system resources like CPUs, memory and I/O devices. The major components are the process control subsystem, file subsystem, and hardware control. The kernel handles process management, device management, file management and provides services like virtual memory and networking. It uses a scheduler to allocate CPU time to processes based on their state and priority level.
This document provides a quick reference for Linux system calls. It lists 51 system calls along with their function number, name, description, and source code location in the Linux kernel. System calls provide an interface for programs to request services from the Linux kernel, such as opening files, reading/writing files, creating processes, and more. They are invoked using the syscall() function or libc wrapper functions.
The presentation aims towards imparting the concept of PIPES and the mechanism they follow.
REFERENCES :
Operating System 8th Edition
by : Abraham Silberschatz
Chapter 1 Introduction to Operating System ConceptsMeenalJabde
The document provides an overview of operating systems including:
- The definition of an operating system as a program that controls hardware and acts as an interface between users and computers.
- The key functions of operating systems including providing convenience, efficiency, and ability to evolve.
- Concepts such as processes, process states, process control blocks, and system calls. It describes what they are and their purpose.
- A brief history of operating systems from first to fourth generation systems.
- The main types of operating systems including batch, time-sharing, distributed, network, and real-time operating systems.
- Common services offered by most operating systems such as user interface, program execution, file
The document discusses the boot sequence of a computer system. It examines each step including the PROM monitor, boot block, secondary boot loader, the OS kernel, and start-up scripts. The administrator should understand this boot process as well as how to modify the boot sequence, select alternate devices, and properly shut down the system.
The document discusses the boot sequence of a computer system. It examines each step including the PROM monitor, boot block, secondary boot loader, and OS kernel initialization. It also covers modifying the boot process, selecting alternate boot devices, different boot loaders, and proper system shutdown procedures.
1.Introduction
2.OS Structures
3.Process
4.Threads
5.CPU Scheduling
6.Process Synchronization
7.Dead Locks
8.Memory Management
9.Virtual Memory
10.File system Interface
11.File system implementation
12.Mass Storage System
13.IO Systems
14.Protection
15.Security
16.Distributed System Structure
17.Distributed File System
18.Distributed Co Ordination
19.Real Time System
20.Multimedia Systems
21.Linux
22.Windows
This document provides an overview of the Linux file system including:
1. It defines the main directories and contents according to the Filesystem Hierarchy Standard (FHS) with the root directory being "/" and possible multiple partitions and filesystems.
2. It describes the different types of files like ordinary files, directories, and special files as well as file permissions for reading, writing, and executing files and directories.
3. It explains how to change file permissions using the chmod command and navigate the file system using commands like pwd, cd, and ls including examples of using options, wildcards and navigation.
Quontra Solutions offers Job oriented Linux online training with updated technologies. For more info about our Linux online training contact us directly. We are providing Linux online training to all students throughout worldwide by real time faculties. Our Linux training strengthens your skills and knowledge which will helps you to gain a competitive advantage in starting your career. Outclasses will help you to gain knowledge on real time scenario. It will be most use full to boost up your career.
Our training sessions are designed in such a way that all the students can be convenient with the training schedules and course timings.
Along with Training, we also conduct several mock interviews along with Job Placement Assistance. Attend Free Demo before joining the class.
Our Features:
• Real world projects to get practical based experience
• Online tests to explore the resource learning
• Experienced certified trainers as instructors
• One to one personalized training with desktop access
• Case studies and state of art library to access study material
• Resume build assistance to win in interviews
Contact us:
Simson Andrew
Email: info@quontrasolutions.com
web: www.quontrasolutions.com
The document discusses the structure and implementation of file systems. It describes the layered design of file systems, with the physical devices at the lowest level and the logical file system at the highest level. It also outlines several important on-disk data structures used by file systems, including the boot control block, volume control block, and directory structure. These structures store information needed to boot an operating system, manage disk space and blocks, and organize the directory structure and file metadata.
The document discusses the structure and management of processes in an operating system. It describes the different states a process can be in like running, ready, sleeping, etc. and the transitions between states. It explains the layout of a process in memory including text, data, and stack regions. It discusses how the kernel saves and restores the context of a process during context switches, interrupts, and system calls. It also summarizes how the kernel manipulates a process's address space through operations on regions like allocating, attaching, changing size, loading, duplicating, and freeing regions.
Windows 2000 is a 32-bit preemptive multitasking operating system developed by Microsoft for Intel microprocessors. It uses a micro-kernel architecture and supports features like security, extensibility, international support, and compatibility with legacy applications. The system has a layered architecture with modules like the kernel, executive, and various environmental subsystems that emulate other operating systems. It provides features like virtual memory management, process and thread scheduling, security, and networking support through protocols like SMB and TCP/IP.
Sysfs is a virtual filesystem in Linux that exports information about kernel objects, such as devices and modules, to userspace. It allows user processes to view and manipulate these objects. When sysfs is initialized, it registers itself with the kernel's virtual filesystem and automatically mounts itself to provide this interface. The sysfs hierarchy mirrors the organization of kernel objects, with directories, files, and symlinks representing objects, attributes, and relationships.
Internal representation of file chapter 4 Sowmya JyothiSowmya Jyothi
The document discusses the internal representation of files in Unix-like operating systems. It covers the following key points:
- Inodes store metadata about files, including file type, permissions, size, and locations of data blocks. Disk inodes are stored on disk while in-core inodes are read into memory.
- The superblock stores metadata about the entire file system, including the number of free blocks and inodes.
- Regular files store data in direct, indirect, double-indirect, and triple-indirect blocks referenced by the inode. Directories are represented as files containing name-inode pair entries.
- Other file types include pipes, block devices, and character devices. Pipes use
This chapter discusses file systems and their interfaces. It covers key concepts like files, directories, access methods, mounting file systems, file sharing, and protection. Directories provide structure and organization for files on a file system using tree or graph structures. File systems support operations like creating/deleting files, searching directories, and opening/closing files. They also implement features like file sharing across networks and access control using permissions.
Unix uses processes to run programs and operating system functions. There are two types of processes - system processes which execute OS code and user processes which execute user programs. Processes can be in different states like running, ready, blocked etc. The kernel manages processes using data structures like process table entry and user area. Important process management operations include forking to create new processes, wait/exit for process termination, and signals for inter-process communication.
The document discusses various debugging techniques for the Linux kernel including:
1. Enabling debugging configuration options like CONFIG_DEBUG_KERNEL and CONFIG_DEBUG_SLAB.
2. Using printk statements with different log levels for debugging.
3. Querying information from /proc and using ioctl calls.
4. Tools like strace, gdb, kdb, and Kgdb can help debug system faults, catch flaws in code, and set breakpoints.
5. Tracing tools like LTT allow tracing of kernel events and timing information.
The document discusses various concepts related to files in a UNIX system. It defines files as building blocks of an operating system and describes the different types of files like regular files, directory files, device files, FIFO files, etc. It explains key concepts like inodes, file attributes, directory structure, hard links and symbolic links. The document provides detailed information about each file type and how they are represented and used in a UNIX file system.
This document discusses various concepts related to file input/output (I/O) in Linux system programming. It covers opening, reading from, writing to, closing, seeking within, and truncating files using system calls like open(), read(), write(), close(), lseek(), ftruncate(). It also discusses related topics like file descriptors, blocking vs non-blocking I/O, synchronized I/O, direct I/O, and positional reads/writes.
OMFW 2012: Analyzing Linux Kernel Rootkits with VolatlityAndrew Case
The document summarizes the analysis of several Linux rootkits using the Volatility memory forensics framework. It describes how the Average Coder rootkit hides processes, modules and users by hooking various file operations. It also details how the KBeast rootkit hides its module, hooks system calls and network connections. Finally, it discusses how the Jynx rootkit operates by preloading a shared library to hook filesystem and network functions and implement a backdoor. The document demonstrates how Volatility plugins can detect these rootkits and recover hidden data.
Linux System Programming - Advanced File I/OYourHelper1
The document discusses various advanced file I/O techniques in Linux, including scatter/gather I/O, epoll, memory-mapped I/O, file advice, asynchronous I/O, I/O schedulers, and the deadline and anticipatory I/O schedulers. Scatter/gather I/O allows reading from or writing to multiple buffers in one operation. Epoll improves on poll() and select() by only requiring monitored file descriptors, improving performance. Memory mapping maps files directly into memory, allowing file I/O via memory operations. File advice provides hints to the kernel on intended file usage to optimize I/O. Asynchronous I/O allows non-blocking I/O. I/O sched
The document discusses the key components and functions of the Unix system kernel. It describes the kernel as managing system resources like CPUs, memory and I/O devices. The major components are the process control subsystem, file subsystem, and hardware control. The kernel handles process management, device management, file management and provides services like virtual memory and networking. It uses a scheduler to allocate CPU time to processes based on their state and priority level.
This document provides a quick reference for Linux system calls. It lists 51 system calls along with their function number, name, description, and source code location in the Linux kernel. System calls provide an interface for programs to request services from the Linux kernel, such as opening files, reading/writing files, creating processes, and more. They are invoked using the syscall() function or libc wrapper functions.
The presentation aims towards imparting the concept of PIPES and the mechanism they follow.
REFERENCES :
Operating System 8th Edition
by : Abraham Silberschatz
Chapter 1 Introduction to Operating System ConceptsMeenalJabde
The document provides an overview of operating systems including:
- The definition of an operating system as a program that controls hardware and acts as an interface between users and computers.
- The key functions of operating systems including providing convenience, efficiency, and ability to evolve.
- Concepts such as processes, process states, process control blocks, and system calls. It describes what they are and their purpose.
- A brief history of operating systems from first to fourth generation systems.
- The main types of operating systems including batch, time-sharing, distributed, network, and real-time operating systems.
- Common services offered by most operating systems such as user interface, program execution, file
The document discusses the boot sequence of a computer system. It examines each step including the PROM monitor, boot block, secondary boot loader, the OS kernel, and start-up scripts. The administrator should understand this boot process as well as how to modify the boot sequence, select alternate devices, and properly shut down the system.
The document discusses the boot sequence of a computer system. It examines each step including the PROM monitor, boot block, secondary boot loader, and OS kernel initialization. It also covers modifying the boot process, selecting alternate boot devices, different boot loaders, and proper system shutdown procedures.
The document describes a procedure for using batch scripting and common tools to identify intrusions on a Microsoft Windows system. The script generates trending data by checking for unusual processes, services, accounts, files and connections. It analyzes the operating system version, registry entries, scheduled tasks, event logs and more. The final summary is a sample batch script that automates running various commands to collect security-related data and output it to log files for administrator review.
Ultimately, in a forensic examination, we are investigating the action of a Person
Almost every event or action on a system is the result of a user either doing something
Many events change the state of the Operating System (OS)
OS Forensics helps understand how system changes correlate to events resulting from the action of somebody in the real world
Course Objectives:
• Help the student to achieve a broad understanding of the
main types of memory forensic data gathering and analysis
• Serve as an introduction to low level concepts necessary for
a proper understanding of the task of performing memory
forensics on Windows, MacOSX and Linux (incl. Android).
• Put the student in contact with different memory forensics
tools and provide him information on how to use the
gathered forensic data to perform a wide range of
investigations
This document discusses various topics in digital and computer forensics. It introduces computer forensics and some key concepts like evidence of every action and absence of evidence can be evidence. It then discusses extracting information from Windows memory like login credentials, processes, and registry keys. Specific tools used for memory and registry analysis are also mentioned. Finally, it discusses network forensic processes like capturing traffic, analyzing logs and devices, and tools used for network traffic analysis.
This document discusses processes and process scheduling algorithms. It defines what processes are, the four events that cause process creation, the five process states, and the four conditions for process termination. It then provides a comparative table between the process hierarchies in Unix, Linux, and Windows operating systems. Several examples are given, including running processes on a computer and disabling Windows animations. Finally, it discusses concepts related to process communication, synchronization, and scheduling, including critical regions, mutual exclusion, semaphores, and scheduling algorithms like shortest job first and multilevel queue.
An operating system is system software that manages computer hardware resources and provides an interface between users and hardware. It performs key functions like process management, memory management, file management, device management, and security. Operating systems can be batch, multiprogramming, time-sharing, real-time, or network oriented depending on their design and purpose. Common examples include Windows, Linux, macOS, and UNIX variants.
Amr Chap 08 Operating Systems & Utility Programssharing notes123
System software consists of operating systems and utility programs. Operating systems control computer hardware resources and are divided into stand-alone, server, and embedded categories. The boot process starts when a computer powers on, involving the BIOS performing POST to check components, then the operating system loads files and the desktop. Utility programs allow maintenance tasks like file management, uninstalling programs, and backing up files.
Modern Personal ComputerBoot up ProcessThe boot up process i.docxraju957290
Modern Personal Computer
Boot up Process
The boot up process is necessary for Windows as the hardware does not know where the Operating system is stored. There has to be a simple yet powerful program which loads the kernel in the main memory and executes it. This program in Windows is known as the Bootstrap Loader.
The Windows boot up process comprises of the following procedures:
· The Power-On Self-Test Phase:
Firstly a self-test is performed by the power supply to ensure that the volume and current levels are correct before the Power Good signal is sent to the processor. As soon as this stage is cleared, the microprocessor triggers the BIOS to perform a series of operations.
· BIOS ROM Phase:
BIOS first carry out the P.O.S.T that performs and verifies all initial hardware checks. After this, the hardware' firmware will individually carry out its own diagnostic test such as S.M.A.R.T.
The system will now attempt to determine the sequence of devices to load based on the settings stored in the BIOS to start the operating system. It will start by reading from the first boot up device which usually is the Floppy disk. If the floppy drive does not contain a diskette, it bypasses the first boot up device and detects the second device, which is usually the hard disk. It'll then start by reading the boot code instructions located in the master boot record and copies all execution into the memory when the instructions are validated and no errors are found.
· Boot Loader Phase
Control is then passed on to the partition loader code which accesses the partition table to identify the primary partition, extended partitions and active partition which is needed to determine the file system and locate the operating system loader file which will call upon the boot.ini file which is located at the root directory to determine the location and entries of the operating system boot partition. At this point in time, the boot up menu is displayed on the screen to allow you to select an operating system to start.
NTLDR will pass all information from the Windows registry and Boot.ini file into the next phase.
· Operating System Configuration Phase
Next step is to load the kernel, hardware abstraction layer and registry information.
After this is completed, the control is passed over to the DOS based program which collects and configures all installed hardware devices such as the video adapters and communication ports.
It searches for hardware profiles information and load the essential software drivers to control the hardware devices.
· Security & Logon Phase
Lastly, Ntoskrnl.exe will start up Winlogon.exe which triggers the Lsass.exe or Local Security Administration which is the logon dialog interface that prompts you to select your user profile and verifies your necessary credentials before you are transferred to the Windows desktop.
Scheduling Strategies:
· Windows has 6 process classes with 7 priorities within each class
· Process Classes included:
1. Idle
2. ...
This document discusses operating systems and computer security. It defines operating systems as software that coordinates activities between computer hardware resources. It describes common operating system functions like booting up a computer, managing memory, running programs, and connecting to networks. The document also discusses types of operating systems like DOS, Windows, and Linux. It notes that computer security is important to protect private information exchanged over the internet from hackers.
This document discusses forensic analysis on Windows systems. It provides an overview of important Windows artifacts for forensic investigation including the registry, event logs, file system metadata and memory analysis. Specific tools are also mentioned for acquiring disk and memory images, parsing timelines, analyzing the registry and memory, including FTK Imager, SIFT, Redline, Volatility and REGRIPPER. An example case is described where crypto-mining malware was found running on a system through analysis of process listings, file system metadata and logs.
Interoperability refers to the ability of diverse systems and organizations to work together. Key points about file systems include: FAT stores file information in a file allocation table, FAT32 supports smaller clusters and larger volumes than FAT, and NTFS provides advanced features like permissions, encryption, and compression. A hub is a common connection point that copies packets to all ports so all network segments can see traffic. TCP/IP is the set of protocols used for the Internet and similar networks. DHCP dynamically assigns IP addresses and related information to clients to reduce administration workload. Server logs contain error information that can help trace and fix problems. Network documentation should include information about capacity planning and security.
This document discusses the functions of operating systems. It describes how operating systems allow for multi-user, multi-processor, and multi-tasking capabilities. The document then outlines the step-by-step booting process from BIOS to user authentication. It also summarizes key operating system functions like performance monitoring, networking, security administration, and providing a user interface. Finally, it introduces several common system utility programs used for file management, virus protection, disk cleanup, and system maintenance.
This document provides an overview of the Windows Registry, including its structure, key locations, and the types of digital evidence that can be recovered from analyzing the Registry. It discusses how the Registry stores system configuration information, user preferences, installed programs, and other digital artifacts. Specific tools are also mentioned for parsing Registry keys and values, such as RegRipper and Registry Explorer.
Unified Logs contain valuable information for creating a forensic timeline from macOS artifacts. Specifically:
1. Unified Logs record program execution history and volume mount history with timestamps, filling gaps not captured by other artifacts.
2. Keywords can be used to filter Unified Logs, retrieving events related to specific processes, senders, subsystems, and categories.
3. Events like program launches, volume mounts, and login/logout activities provide context for the timeline. Timestamps pinpoint when activities occurred.
4. While mac_apt analyzes artifacts, it does not fully leverage Unified Logs' message content. Directly investigating UnifiedLogs.db yields more precise timelines than commercial tools
Configuring startup and troubleshooting startup issueselboob2025
The document discusses configuring startup settings and troubleshooting startup issues in Windows 7. It describes the normal startup sequence, including the POST, initial startup, Windows Boot Manager, Windows Boot Loader, kernel loading, and logon phases. It also covers important startup files, how to configure startup settings using tools like the Startup and Recovery dialog box and System Configuration tool, and how to use built-in diagnostics like Reliability Monitor, Event Viewer, and Windows Memory Diagnostics to troubleshoot issues.
Seizing Electronic Evidence & Best Practices – Secret ServiceGol D Roger
This document provides guidance on properly seizing electronic evidence from a crime scene. It emphasizes the importance of planning, documenting every step with photos and logs, and separating hardware from networks to preserve volatile data. Key steps include: securing the location, photographing everything in detail before collection, using tags and logs to maintain a chain of custody, and being aware of potential legal liabilities from disrupting business data. The goal is to collect all potential digital evidence while ensuring its integrity and admissibility in court.
Cybercrimeandforensic 120828021931-phpapp02Gol D Roger
This case study describes a large-scale international cybercrime gang that was busted in Chennai, India. The gang was involved in hacking ATMs using stolen credit card numbers and PINs acquired through phishing. A key member of the gang, Deepak Prem Manwani, was arrested in Chennai while hacking an ATM there. An investigation revealed that the gang had set up fake websites to phish credit card details and PINs from millions of subscribers. They then sold this stolen data to people like Manwani, who used it to hack ATMs. Manwani had hacked ATMs in Mumbai as well. The FBI was already investigating the gang based on complaints from victims in the US. Man
This document discusses network forensics and provides an overview of the deep web. It begins by reviewing the surface web and how search engines index its contents. It then explains that the deep web consists of content that is not indexed by traditional search engines, including dynamic web pages, unlinked pages, private sites requiring login, and sites with crawling restrictions. Reasons content may not be found include limitations of web crawlers as well as restrictions set by site owners or search engines themselves.
This document provides an overview of email forensics techniques and tools used in network forensics investigations. It discusses the typical architecture of email systems and protocols like SMTP, POP, and IMAP. Key points covered include email headers, the information contained in Received headers, and how an email travels from sender to recipient through various mail servers. Spoofing emails is also briefly explained. The document aims to introduce investigators to analyzing email evidence at different layers of the network and tools needed for forensic analysis of email messages and server logs.
Windows logon password – get windows logon password using wdigest in memory d...Gol D Roger
This document discusses extracting Windows logon passwords from memory dumps. It begins by explaining how passwords were traditionally extracted from files like SAM and SECURITY using NTLM hashes. It then describes how Mimikatz can extract plaintext passwords using the Windows authentication package Wdigest. The document details the process Mimikatz uses on live systems and shows how to replicate this on a memory dump - finding the processes, dumping relevant DLLs like Wdigest and Lsasrv, and using structures and functions to decrypt passwords stored in memory.
This document discusses HTTP and HTTPS protocols. It provides information on web servers, HTTP requests and responses, status codes, headers, methods, and SSL/TLS encryption. The key points are:
- HTTP is an application layer protocol for distributed, collaborative hypermedia information systems. It uses a request-response protocol to transfer data between clients and servers.
- HTTP requests consist of a start line with method, URI and version, followed by headers and an optional message body. Common methods are GET, POST, PUT, DELETE.
- HTTP responses contain a start line with status code and reason, followed by headers and an optional message body. Status codes indicate success, redirection, client or server errors.
This document outlines the knowledge required to pass the Information Technology Engineers Examination in Japan. It is organized into 9 major categories covering topics such as corporate strategy, business strategy, system strategy, development technology, project management, and basic computer science theory. Each major category contains multiple middle categories that further break down the knowledge into specific items. For each item, the document provides a goal statement describing what should be learned and descriptions with sample terms and examples. The purpose is to guide examinees in their preparation and provide instructional guidelines for companies and schools.
The document announces a two-day event to introduce new features of Windows Server 2012 R2 and System Center 2012 R2. It provides an agenda that will cover topics like server virtualization, networking, storage, server management/automation, access/information protection, and virtual desktop infrastructure. The document encourages attendees to download hands-on labs and previews of the new products and register for a related online training course in July.
The document provides guidance on using the Windows Forensic Environment (WinFE) for forensic imaging, data collection, triage/previewing, and analysis. It discusses how WinFE allows examining Windows systems using familiar Windows tools in a forensically sound manner. The document also covers building WinFE using the command line or WinBuilder and its advantages over other bootable forensic environments for certain scenarios like remote data collection and surreptitious on-site data acquisition.
10 things group policy preferences does betterGol D Roger
Group Policy Preferences can be used to configure many common administrative tasks without scripting. Preferences provide a graphical user interface for settings like drive mappings, power options, folder options, Internet Explorer settings, regional settings, file/folder creation, shortcut creation, printer deployment, and scheduled tasks. Preferences support item-level targeting to filter settings based on user or computer criteria. Green underlining indicates settings that will be applied, while red means they will be ignored.
Monitoring and Managing Anomaly Detection on OpenShift.pdfTosin Akinosho
Monitoring and Managing Anomaly Detection on OpenShift
Overview
Dive into the world of anomaly detection on edge devices with our comprehensive hands-on tutorial. This SlideShare presentation will guide you through the entire process, from data collection and model training to edge deployment and real-time monitoring. Perfect for those looking to implement robust anomaly detection systems on resource-constrained IoT/edge devices.
Key Topics Covered
1. Introduction to Anomaly Detection
- Understand the fundamentals of anomaly detection and its importance in identifying unusual behavior or failures in systems.
2. Understanding Edge (IoT)
- Learn about edge computing and IoT, and how they enable real-time data processing and decision-making at the source.
3. What is ArgoCD?
- Discover ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes, and its role in deploying applications on edge devices.
4. Deployment Using ArgoCD for Edge Devices
- Step-by-step guide on deploying anomaly detection models on edge devices using ArgoCD.
5. Introduction to Apache Kafka and S3
- Explore Apache Kafka for real-time data streaming and Amazon S3 for scalable storage solutions.
6. Viewing Kafka Messages in the Data Lake
- Learn how to view and analyze Kafka messages stored in a data lake for better insights.
7. What is Prometheus?
- Get to know Prometheus, an open-source monitoring and alerting toolkit, and its application in monitoring edge devices.
8. Monitoring Application Metrics with Prometheus
- Detailed instructions on setting up Prometheus to monitor the performance and health of your anomaly detection system.
9. What is Camel K?
- Introduction to Camel K, a lightweight integration framework built on Apache Camel, designed for Kubernetes.
10. Configuring Camel K Integrations for Data Pipelines
- Learn how to configure Camel K for seamless data pipeline integrations in your anomaly detection workflow.
11. What is a Jupyter Notebook?
- Overview of Jupyter Notebooks, an open-source web application for creating and sharing documents with live code, equations, visualizations, and narrative text.
12. Jupyter Notebooks with Code Examples
- Hands-on examples and code snippets in Jupyter Notebooks to help you implement and test anomaly detection models.
Programming Foundation Models with DSPy - Meetup SlidesZilliz
Prompting language models is hard, while programming language models is easy. In this talk, I will discuss the state-of-the-art framework DSPy for programming foundation models with its powerful optimizers and runtime constraint system.
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on integration of Salesforce with Bonterra Impact Management.
Interested in deploying an integration with Salesforce for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
In the realm of cybersecurity, offensive security practices act as a critical shield. By simulating real-world attacks in a controlled environment, these techniques expose vulnerabilities before malicious actors can exploit them. This proactive approach allows manufacturers to identify and fix weaknesses, significantly enhancing system security.
This presentation delves into the development of a system designed to mimic Galileo's Open Service signal using software-defined radio (SDR) technology. We'll begin with a foundational overview of both Global Navigation Satellite Systems (GNSS) and the intricacies of digital signal processing.
The presentation culminates in a live demonstration. We'll showcase the manipulation of Galileo's Open Service pilot signal, simulating an attack on various software and hardware systems. This practical demonstration serves to highlight the potential consequences of unaddressed vulnerabilities, emphasizing the importance of offensive security practices in safeguarding critical infrastructure.
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slackshyamraj55
Discover the seamless integration of RPA (Robotic Process Automation), COMPOSER, and APM with AWS IDP enhanced with Slack notifications. Explore how these technologies converge to streamline workflows, optimize performance, and ensure secure access, all while leveraging the power of AWS IDP and real-time communication via Slack notifications.
HCL Notes and Domino License Cost Reduction in the World of DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/
The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this!
We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model.
Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able lower your cost through an optimized configuration and keep it low going forward.
These topics will be covered
- Reducing license cost by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to best utilize it
- Tips for common problem areas, like team mailboxes, functional/test users, etc
- Practical examples and best practices to implement right away
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/temporal-event-neural-networks-a-more-efficient-alternative-to-the-transformer-a-presentation-from-brainchip/
Chris Jones, Director of Product Management at BrainChip , presents the “Temporal Event Neural Networks: A More Efficient Alternative to the Transformer” tutorial at the May 2024 Embedded Vision Summit.
The expansion of AI services necessitates enhanced computational capabilities on edge devices. Temporal Event Neural Networks (TENNs), developed by BrainChip, represent a novel and highly efficient state-space network. TENNs demonstrate exceptional proficiency in handling multi-dimensional streaming data, facilitating advancements in object detection, action recognition, speech enhancement and language model/sequence generation. Through the utilization of polynomial-based continuous convolutions, TENNs streamline models, expedite training processes and significantly diminish memory requirements, achieving notable reductions of up to 50x in parameters and 5,000x in energy consumption compared to prevailing methodologies like transformers.
Integration with BrainChip’s Akida neuromorphic hardware IP further enhances TENNs’ capabilities, enabling the realization of highly capable, portable and passively cooled edge devices. This presentation delves into the technical innovations underlying TENNs, presents real-world benchmarks, and elucidates how this cutting-edge approach is positioned to revolutionize edge AI across diverse applications.
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...Tatiana Kojar
Skybuffer AI, built on the robust SAP Business Technology Platform (SAP BTP), is the latest and most advanced version of our AI development, reaffirming our commitment to delivering top-tier AI solutions. Skybuffer AI harnesses all the innovative capabilities of the SAP BTP in the AI domain, from Conversational AI to cutting-edge Generative AI and Retrieval-Augmented Generation (RAG). It also helps SAP customers safeguard their investments into SAP Conversational AI and ensure a seamless, one-click transition to SAP Business AI.
With Skybuffer AI, various AI models can be integrated into a single communication channel such as Microsoft Teams. This integration empowers business users with insights drawn from SAP backend systems, enterprise documents, and the expansive knowledge of Generative AI. And the best part of it is that it is all managed through our intuitive no-code Action Server interface, requiring no extensive coding knowledge and making the advanced AI accessible to more users.
Skybuffer SAM4U tool for SAP license adoptionTatiana Kojar
Manage and optimize your license adoption and consumption with SAM4U, an SAP free customer software asset management tool.
SAM4U, an SAP complimentary software asset management tool for customers, delivers a detailed and well-structured overview of license inventory and usage with a user-friendly interface. We offer a hosted, cost-effective, and performance-optimized SAM4U setup in the Skybuffer Cloud environment. You retain ownership of the system and data, while we manage the ABAP 7.58 infrastructure, ensuring fixed Total Cost of Ownership (TCO) and exceptional services through the SAP Fiori interface.
leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...alexjohnson7307
Predictive maintenance is a proactive approach that anticipates equipment failures before they happen. At the forefront of this innovative strategy is Artificial Intelligence (AI), which brings unprecedented precision and efficiency. AI in predictive maintenance is transforming industries by reducing downtime, minimizing costs, and enhancing productivity.
Ivanti’s Patch Tuesday breakdown goes beyond patching your applications and brings you the intelligence and guidance needed to prioritize where to focus your attention first. Catch early analysis on our Ivanti blog, then join industry expert Chris Goettl for the Patch Tuesday Webinar Event. There we’ll do a deep dive into each of the bulletins and give guidance on the risks associated with the newly-identified vulnerabilities.
Introduction of Cybersecurity with OSS at Code Europe 2024Hiroshi SHIBATA
I develop the Ruby programming language, RubyGems, and Bundler, which are package managers for Ruby. Today, I will introduce how to enhance the security of your application using open-source software (OSS) examples from Ruby and RubyGems.
The first topic is CVE (Common Vulnerabilities and Exposures). I have published CVEs many times. But what exactly is a CVE? I'll provide a basic understanding of CVEs and explain how to detect and handle vulnerabilities in OSS.
Next, let's discuss package managers. Package managers play a critical role in the OSS ecosystem. I'll explain how to manage library dependencies in your application.
I'll share insights into how the Ruby and RubyGems core team works to keep our ecosystem safe. By the end of this talk, you'll have a better understanding of how to safeguard your code.
Digital Banking in the Cloud: How Citizens Bank Unlocked Their MainframePrecisely
Inconsistent user experience and siloed data, high costs, and changing customer expectations – Citizens Bank was experiencing these challenges while it was attempting to deliver a superior digital banking experience for its clients. Its core banking applications run on the mainframe and Citizens was using legacy utilities to get the critical mainframe data to feed customer-facing channels, like call centers, web, and mobile. Ultimately, this led to higher operating costs (MIPS), delayed response times, and longer time to market.
Ever-changing customer expectations demand more modern digital experiences, and the bank needed to find a solution that could provide real-time data to its customer channels with low latency and operating costs. Join this session to learn how Citizens is leveraging Precisely to replicate mainframe data to its customer channels and deliver on their “modern digital bank” experiences.
Main news related to the CCS TSI 2023 (2023/1695)Jakub Marek
An English 🇬🇧 translation of a presentation to the speech I gave about the main changes brought by CCS TSI 2023 at the biggest Czech conference on Communications and signalling systems on Railways, which was held in Clarion Hotel Olomouc from 7th to 9th November 2023 (konferenceszt.cz). Attended by around 500 participants and 200 on-line followers.
The original Czech 🇨🇿 version of the presentation can be found here: https://www.slideshare.net/slideshow/hlavni-novinky-souvisejici-s-ccs-tsi-2023-2023-1695/269688092 .
The videorecording (in Czech) from the presentation is available here: https://youtu.be/WzjJWm4IyPk?si=SImb06tuXGb30BEH .
2. Summary
2015/16CSF - Nuno Santos2
} Windows forensics
} Windows boot sequence
} Relevant Windows data structures
} Artifacts of user activities
3. Remember were we are
2015/16CSF - Nuno Santos3
1. Storage stack
forensics
2. Operating system
forensics
Hardware CPU RAM I/O
Software
Application
Operating System
Application Application
4. Importance of operating system forensics
2015/16CSF - Nuno Santos4
} Ultimately, in a forensic examination,
we’re investigating the actions of a person
} Almost every event or action on a system
is the result of a user either doing
something (or not doing something)
} Many of such events introduce changes to
the system state that are supervised by
the operating system (OS)
} OS forensics helps understand how system
changes correlate to events resulting from
the actions of somebody in the real world
1) action
2) OS state change!
3) OS
forensics
5. Operating systems we will be focusing on
2015/16CSF - Nuno Santos5
} Desktop platforms: Windows
} Server platforms: Linux
} Mobile platforms: Android
Today!
We will learn methods and
techniques to help us extract and
interpret data of investigative
value from computers running
Windows operating system
6. Windows versions
2015/16CSF - Nuno Santos6
} There are many versions of windows out there
} Some of the older versions are outdated and are no
longer used:
} Windows 9x, NT, ME, 2000
} In home, corporate, and government environments it’s far
more likely to find newer versions
} >= Windows XP
} We will cover the newer recent versions of Windows,
focusing on their common features
8. Windows startup: Why relevant for forensics?
2015/16CSF - Nuno Santos8
1. Interrupt the boot process to view and document the
CMOS configuration
2. Explain which files were altered in the startup process
} E.g., if an evidentiary system was accidentally booted, demonstrate
that no user-created files were modified
3. Determine which version of the OS was running and when
was installed
4. Examine the startup process for signs of tampering
} E.g., important when investigating malware
9. Motivation example: From the case files
2015/16CSF - Nuno Santos9
A recent examination of a server and analysis of its web logs confirmed
that the system had indeed been compromised.The logs provided a
suspicious IP address, the operating system used in the compromise
(Windows XP), and the suspect’s web browser.The IP address led
investigators to an ISP, and eventually to a suspect in the intrusion.
However, the suspect denied all involvement in the compromise and
stated that this computer was running Windows 98 (as has always been
the case).This was of course discouraging news for investigators, who
were sure they had their man.
Investigators began forensics examination of the suspect’s computer A
search of the hard drive revealed a deleted boot.ini file that appeared
to have been deleted mere days after the compromise of the web server,
clearly showing that Windows XP Professional had been installed
on the system, thereby punching a hole in the suspect’s story
10. Startup in Windows NT and later
2015/16CSF - Nuno Santos10
} All NTFS computers perform the following steps when
the computer is turned on:
1. Power-on self test (POST)
2. Initial startup
3. Boot loader
4. Hardware detection and configuration
5. Kernel loading
6. User logon
Windows-specific code
11. Phase 1: Power-On Self Test (POST)
2015/16CSF - Nuno Santos11
1. Power supply performs self-test
2. CPU loads the ROM BIOS code
3. ROM BIOS performs a basic test of central hardware
4. BIOS checks adapters requiring own ROM BIOS routines
5. ROM BIOS checks if this is a cold boot or a warm boot
} Cold boot (startup from a powered-down state): a full POST
} Warm boot (restart of a system that is already on): the memory
test portion of the POST is switched off
6. POST tests the video card and video memory, and
displays configuration information or any errors
7. BIOS reads configuration information stored in CMOS
12. Phase 2: Initial startup
2015/16CSF - Nuno Santos12
} The BIOS examines the disk for a master boot record (MBR)
} With a valid MBR loaded into memory, the BIOS transfers
control of the boot process to the partition loader code
13. Phase 3: Boot loader
2015/16CSF - Nuno Santos13
} The NTLDR system file controls loading of Windows
1. Initial boot-loader phase:
} NTLDR switches the CPU to protected mode and turns memory paging on
} Loads file system drivers to allow file loading from various file systems
2. Operating system selection:
} If BOOT.INI exists and contains entries multiple OS, NTLDR stops booting,
displays a menu of choices, and waits the user to make a selection
} user can press F8 to display various boot options (e.g., “Safe Mode”)
An example of a boot.ini file:
14. Phase 3: Boot loader (cont.)
2015/16CSF - Nuno Santos14
} Boot menu example: User can select from various boot options
by pressing F8 during the boot process (same for >=Win XP)
15. Phase 4: Hardware detection and configuration
2015/16CSF - Nuno Santos15
1. NTLDR locates and loads the DOS-based
NTDETECT.COM program to perform hardware detection
2. If multiple hardware profile, NTLDR will stop at this point
and display the Hardware Profiles/Configuration
Recovery menu
3. After the user selects a hardware configuration, NTLDR
begins loading the XP kernel (NTOSKRNL.EXE)
16. Phase 5: Kernel loading
2015/16CSF - Nuno Santos16
1. NTOSKRNL goes through two phases in its boot process:
} Phase 0: The hardware abstraction layer (HAL) is loaded (hal.dll)
and called to prepare the interrupt controller
} Phase 1: All executive subsystems are reinitialized (e.g., cache
manager, process manager, I/O manager)
2. I/O Manager starts loading all the system driver files
3. Win32k.sys switches the screen into graphics mode
4. Services subsystem starts services marked as Auto Start
5. Once all devices and services are started, the boot is
deemed successful, and this configuration is saved as the
last known good configuration
17. Phase 6: User logon
2015/16CSF - Nuno Santos17
} The WINLOGON.EXE file starts the logon process
} Login manager responsible for all login and logout procedures
} The Local Security Authority (LSASS.EXE) process displays
the logon dialog box
18. Contamination concerns with Windows XP
2015/16CSF - Nuno Santos18
} When you start a Windows XP NTFS workstation, several
files are accessed immediately
} The last access date and time stamp for the files change to the
current date and time
} May destroy any potential evidence
} E.g., that shows when a Windows workstation was last used
} Determining which files are changed upon startup and
shutdown can be done using some forensic tools
} http://forensicswiki.org/wiki/Files_changed_at_boot:Windows_XP
20. Relevant Windows data structures
2015/16CSF - Nuno Santos20
} NTFS (covered in previous classes)
} Windows Registry
} Windows Event Log
21. Windows Registry
2015/16CSF - Nuno Santos21
} The Registry is the heart and soul of Windows OSes
and a wealth of information can be recovered:
} System configuration
} Devices on the system
} User names
} Personal settings and browser preferences
} Web browsing activity
} Files opened
} Programs executed
} Passwords
22. Registry’s official definition
2015/16CSF - Nuno Santos22
} Microsoft defines the Registry thus:
“A central hierarchical database used in Microsoft
Windows 9x, Windows CE, Windows NT, and
Windows 2000 used to store information necessary to
configure the system for one or more users,
applications and hardware devices.”
https://support.microsoft.com/en-us/kb/256986
23. Registry access activity
2015/16CSF - Nuno Santos23
} Virtually everything done in Windows refers to or is recorded
into the Registry
} The RegMon program can be used to display registry activity in real time
} Registry access barely remains idle: the registry is referenced in
one way or another with every action taken by the user
24. Registry history
2015/16CSF - Nuno Santos24
} Learning the registry’s history helps understand its structure
} The Registry was first introduced with Windows 95
} The Registry replaces configuration files used in MSDOS:
} config.sys: to load device drivers and the
} autoexec.bat: to run startup programs and set env variables
} It also replaces initialization (.ini) files introduced in Win 3.0
} win.ini and system.ini store user settings and OS parameters
25. Problems overcome by the Registry
2015/16CSF - Nuno Santos25
} Proliferation of INI files
} Slow access
} No standards
} Fragmented
26. Structure of the Windows Registry
2015/16CSF - Nuno Santos26
} The Registry can be seen as a unified file system
27. Registry hives
2015/16CSF - Nuno Santos27
} A hive is a logical group of keys, subkeys, and values
in the registry that has a set of supporting files
containing backups of its data
} Each time a new user logs on, a new hive is created for
that user with a separate file for the user profile
} User's app settings, desktop, environment, network
connections, and printers
} User profile hives are located under the HKEY_USERS key
} 'HKEY’ is an abbreviation for Handle to a Key
28. Root key functions
2015/16CSF - Nuno Santos28
} HKEY_LOCAL_MACHINE (HKLM)
} Contains system-wide hardware settings and configuration information
(e.g., list of drives mounted on the system)
} HKEY_USERS (HKU)
} Contains the root of all user profiles that exist on the system
} HKEY_CLASSES_ROOT (HKCR)
} Ensures the correct program opens when executed in Windows Explorer
} HKEY_CURRENT_USER (HKCU)
} Contains the profile (settings) of the user who is currently logged in
} HKEY_CURRENT_CONFIG (HCU)
} Information about the HW profile used by the computer during start up
“real”; others are
shortcuts
29. Hive’s supporting files
2015/16CSF - Nuno Santos29
} Hives have sets of supporting files
} Most of them located in: %SystemRoot%System32Config
} These files are updated each time a user logs on
Registry hive Supporting files
HKEY_CURRENT_CONFIG
System, System.alt, System.log, System.sav
HKEY_CURRENT_USER
Ntuser.dat, Ntuser.dat.log
HKEY_LOCAL_MACHINESAM
Sam, Sam.log, Sam.sav
HKEY_LOCAL_MACHINESecurity
Security, Security.log, Security.sav
HKEY_LOCAL_MACHINESoftware
Software, Software.log, Software.sav
HKEY_LOCAL_MACHINESystem
System, System.alt, System.log, System.sav
30. Some important hives
2015/16CSF - Nuno Santos30
Filename Location Content
ntuser.dat
ach user has an
individual user.dat file in
windowsprofilesuser
account
Documents and Settings
user account
Protected storage area for
user
Most Recently Used (MRU)
files
User preference settings
Default Windowssystem32config System settings
SAM Windowssystem32config User account management
and security settings
Security Windowssystem32config Security settings
Software Windowssystem32config All installed programs and
their settings
System Windowssystem32config System settings
32. Relevant Windows data structures
2015/16CSF - Nuno Santos32
} NTFS (covered in previous classes)
} Windows Registry
} Windows Event Log
33. Windows Event Log
2015/16CSF - Nuno Santos33
} Whenever an event, such as a user logging on or off,
occurs, the operating system logs the event
} An event can be any occurrence that the OS or a program
wants to keep track of or alert the user about
} Windows has a centralized log service to allow apps and
OS to report events that have taken place
} Application (example: Database message)
} System (example: driver failure)
} Security (example: Logon attempt, file access)
34. Structure of the Event Log
2015/16CSF - Nuno Santos34
} The Event Log can be seen using a specific system tool
36. Example of detailed event tracking
2015/16CSF - Nuno Santos36
} Detailed Event tracking can include the following events:
} #528 – Successful Login (The user authenticate to the system)
} #592 – A new process has been created (application is launched)
} #560 – Object Open (a file is requested)
} #567 – Object Access (the file is modified and saved)
} #564 – Object Deleted
} #562 – Handle Closed (the file has been closed)
} #593 – A Process Has Exited (the application was terminated)
38. Where to find information about user activities
2015/16CSF - Nuno Santos38
} Volatile information
} Open network connections
} Running processes
} …
} Non-volatile information
} Hidden files
} Slack space
} Swap files
} Index.dat files
} Hidden ADS
} Windows Search index
} Unallocated clusters
} Unused partitions
} Hidden partitions
} Registry settings
} Windows event logs
} …
Underlined: covered
when we discussed
file system forensics
39. Artifacts of user activities
2015/16CSF - Nuno Santos39
} Volatile information
} Registry information
} More non-volatile information
40. System time & logged-on users
2015/16CSF - Nuno Santos40
} System time
} Logged-on users
} determine who is logged on to the system: locally or remotely
41. Open files
2015/16CSF - Nuno Santos41
} If users logged into a system remotely, investigators
should also see what files they have open, if any
42. Open network connections
2015/16CSF - Nuno Santos42
} Netstat allows a user to collect information regarding
network connections on a Windows system
43. More volatile information
2015/16CSF - Nuno Santos43
} Process information
} Discover what processes are running on a potentially compromised
system
} Process-to-port mapping
} When there is a network connection open, find out which process is
responsible for and using that connection
} Network status
} Is the system connected or not? Collect NIC information
} Clipboard contents
} Something a user copies to the clipboard on a Monday may still be
there on Thursday
} Command history
} To recover the command history (if an attacker clears the screen)
44. Artifacts of user activities
2015/16CSF - Nuno Santos44
} Volatile information
} Registry information
} More non-volatile information
45. MRU lists
2015/16CSF - Nuno Santos45
} MRU ('most recently used’) lists contain entries made due to specific
actions performed by the user
} There’s numerous MRU lists located throughout various Registry keys
RunMRU:When a
user types a
command into the
'Run' box via the
Start menu, the
entry is added to
this Registry key
46. MRU lists: Another example
2015/16CSF - Nuno Santos46
} BagMRU: contains information of last visited folders
48. UserAssist
2015/16CSF - Nuno Santos48
} UserAssist key: indicate last accessed system objects
} E.g., Control Panel applets, shortcut files, programs, etc.
} HCUSoftwareMicrosoftWindowsCurrentVersionExplorerUserAssist
49. UserAssist (cont.)
2015/16CSF - Nuno Santos49
} We can gain a better understanding of what types of files or
applications have been accessed on a particular system, e.g.:
} The decoded value shows a potential amount of information:
} name of user profile - 'Cpt. Krunch' - from which the .exe was executed
} researching 'p2ktools.exe', it is used for managing Motorola cell phones
} user has p2ktools folder in parent directory called 'Razor programs’
} tells both location and indicator that the suspect has a Motorola Razor cell phone
50. Autorun locations
2015/16CSF - Nuno Santos50
} Registry keys that launch programs or apps during boot
} E.g., in a system intrusion, autorun locations could reveal the
installation of a trojan backdoor
} List of common autorun locations:
HKLMSoftwareMicrosoftWindowsCurrentVersionRunonce
HKLMSoftwareMicrosoftWindowsCurrentVersionpoliciesExplorerRun
HKLMSoftwareMicrosoftWindowsCurrentVersionRun
HKCUSoftwareMicrosoftWindows
NTCurrentVersionWindowsRun
HKCUSoftwareMicrosoftWindowsCurrentVersionRun
HKCUSoftwareMicrosoftWindowsCurrentVersionRunOnce
(ProfilePath)Start
MenuProgramsStartup
51. USB devices
2015/16CSF - Nuno Santos51
} Anytime a device is connected to the Universal Serial Bus (USB),
drivers are queried and the device's information is stored into
the Registry (i.e., thumb drives)
52. USB devices: Case study
2015/16CSF - Nuno Santos52
1. Department manager alleges that individual copied confidential
information on DVD.
2. No DVD burner was issued or found.
3. Laptop was analyzed.
4. Found USB device entry in registry:
PLEXTOR DVDR PX-708A
5. Found software key for Nero - Burning ROM in registry
6.Therefore, looked for and found Nero compilation files (.nrc). Found
other compilation files, including ISO image files.
7. Image files contained DVD-format and AVI format versions of
copyrighted movies.
Conclusion: No evidence that company information was burned to disk.
However, laptop was used to burn copyrighted material and employee
had lied.
54. Application-specific information (cont.)
2015/16CSF - Nuno Santos54
} From previous example, an examiner could conclude:
} the user possibly has a gmail and hotmail email address
} engages in online banking at tdbanknorth
} is interested in digital forensic websites
} perhaps go to college at Champlain
} has been researching apartments in the area
} …
55. More Registry artifacts
2015/16CSF - Nuno Santos55
} System information
} Computer name, OS version, last
shutdown time
} Time zone information
} important for establishing a
timeline of activity on the system
} Wireless SSIDs
} list of service set identifiers
(SSIDs) to which it has connected
} Shares
} Remotely shared resources, e.g.,
disk volumes (can be hidden)
} Audit policy
} Indicates types of events
recorded in the Event Log
} Mounted devices
} Information about devices and
volumes mounted on NTFS
} Users
} account creation time, names,
last login time, last failed login
attempt, account expiration, etc.
} …
56. More Registry artifacts
2015/16CSF - Nuno Santos56
} System information
} Computer name, OS version, last
shutdown time
} Time zone information
} important for establishing a
timeline of activity on the system
} Wireless SSIDs
} list of service set identifiers
(SSIDs) to which it has connected
} Shares
} Remotely shared resources, e.g.,
disk volumes (can be hidden)
} Audit policy
} Indicates types of events
recorded in the Event Log
} Mounted devices
} Information about devices and
volumes mounted on NTFS
} Users
} account creation time, names,
last login time, last failed login
attempt, account expiration, etc.
} …
Homework
Locate the Registry keys where
this information can be found.
57. Artifacts of user activities
2015/16CSF - Nuno Santos57
} Volatile information
} Registry potpourri
} More non-volatile information
58. Recycle Bin
2015/16CSF - Nuno Santos58
} The Recycle Bin allows user to retrieve and restore files
that have been deleted
} The user’s deleted file is placed within the file under a
subdirectory named with the user’s security ID, e.g.,
} C:RECYCLERS-1-5-21-1454471165-630328440-725345543-1003
59. Interesting files
2015/16CSF - Nuno Santos59
} Link files
} .LNK files: shortcuts that point to another file or folder
} May indicate the user opened a file; contains file’s details
} Prefetch files
} .PF files are a specialized file type, to speed up the running of programs
} Contains info about the last time the program was executed
} Installed programs
} Thumbnail cache files
} thumbs.db: thumb cache of files browsed in the Thumbnails view
} Printer files
} Contain information about printing jobs
} Pagefile.sys and Hiberfil.sys
} The swap file and the file for storing RAM contents upon hybernation
60. Conclusions
2015/16CSF - Nuno Santos60
} Windows is the most widely available operating system on
desktop platforms
} Due to its central role in setting up and supervising the
system, Windows maintains valuable data structures for
forensic investigators: the Registry, and the Event Log
} By analyzing these and over volatile / non-volatile pieces
of information, investigators can gather a wealth of
information about user activities on the computer