COS/PSA 413 - Day 3

Presentation Transcript

Agenda

  • Questions?

  • Assignment 1 due

  • Lab Write-ups (project 2-1 and 2-2) due next class

  • Lab Recap and After Action Report

  • Begin Discussion on Working with Windows and DOS Systems

    • Chapter 3 in 1e and Chapter 7 in 2e

Guide to Computer Forensics and Investigations, 2e


Lab 1 Recap

  • Always know what you are going to do before you sit down at the forensics workstation

    • Methodical, not “hack and slash”

    • Requires reading and prior prep

  • Learn DOS

    • Most forensics work is done at low levels (not GUI)

    • http://www.glue.umd.edu/~nsw/ench250/dostutor.htm

  • Have part of the lab report started before the lab

    • Know what it is you are looking for




Guide to Computer Forensics and Investigations

Chapter 3

Working with Windows and DOS Systems


Objectives

  • Understand file systems

  • Explore Microsoft file structures

  • Examine New Technology File System (NTFS) disks



Objectives (continued)

  • Understand the Windows Registry

  • Understand Microsoft boot tasks

  • Understand MS-DOS startup tasks



Understanding File Systems

  • Understand how OSs work and store files

  • CompTIA A+ certification

  • File system

    • Road map to data on a disk

    • Determines how data is stored on disk

  • Become familiar with file systems



Understanding the Boot Sequence

  • Avoid data contamination or modification

  • Complementary Metal Oxide Semiconductor (CMOS)

    • Stores system configuration, date, and time

  • BIOS

    • Performs input/output at hardware level



Understanding the Boot Sequence (continued)

  • Make sure computer boots from a floppy disk

    • Modify CMOS

    • Accessing CMOS depends on the BIOS

      • Delete key

      • Ctrl+Alt+Insert

      • Ctrl+A

      • Ctrl+F1

      • F2

      • F12





Understanding Disk Drives

  • Composed of one or more platters

  • Elements of a disk:

    • Geometry

    • Head

    • Tracks

    • Cylinders

    • Sectors





Understanding Disk Drives (continued)

  • Cylinder, head, sector (CHS) calculation

    • 512 bytes per sector

    • Tracks contain sectors

    • Number of bytes on a disk

      • Cylinders (platters) x Heads (tracks) x Sectors x 512 bytes per sector

  • First track is track 0

    • So if a disk lists track 79 as its last track (as a floppy does), it has 80 tracks

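An added worked example of the CHS arithmetic above (written for this page, not taken from the slides or the textbook): capacity from geometry, and the conversion between a cylinder/head/sector address and a linear sector number that an examiner needs when a disk editor reports a location by CHS. The floppy's 80 tracks come from the slide; the Geometry class and the 2-head, 18-sector-per-track layout are assumptions.

```python
from dataclasses import dataclass

SECTOR_BYTES = 512            # per the slide: 512 bytes per sector

@dataclass(frozen=True)
class Geometry:
    cylinders: int            # highest track number + 1, since track 0 counts
    heads: int                # read/write heads (one track per head per cylinder)
    sectors: int              # sectors per track, numbered from 1

    def total_sectors(self) -> int:
        return self.cylinders * self.heads * self.sectors

    def capacity_bytes(self) -> int:
        # The slide's formula: cylinders x heads x sectors, times 512 bytes
        return self.total_sectors() * SECTOR_BYTES

    def chs_to_lba(self, c: int, h: int, s: int) -> int:
        """Linear sector number for a CHS address (cylinder/head 0-based, sector 1-based)."""
        if not (0 <= c < self.cylinders and 0 <= h < self.heads and 1 <= s <= self.sectors):
            raise ValueError(f"CHS ({c},{h},{s}) lies outside the geometry")
        return (c * self.heads + h) * self.sectors + (s - 1)

    def lba_to_chs(self, lba: int) -> tuple:
        """Inverse of chs_to_lba, for a disk editor that reports locations by CHS."""
        if not 0 <= lba < self.total_sectors():
            raise ValueError(f"LBA {lba} lies outside the geometry")
        c, rem = divmod(lba, self.heads * self.sectors)
        h, s = divmod(rem, self.sectors)
        return c, h, s + 1

    def byte_offset(self, c: int, h: int, s: int) -> int:
        """Offset into a raw disk image at which this sector begins."""
        return self.chs_to_lba(c, h, s) * SECTOR_BYTES

# The slide's floppy: last track numbered 79, so 80 tracks per side.
# Assumed (standard 1.44 MB layout): 2 heads, 18 sectors per track.
FLOPPY = Geometry(cylinders=79 + 1, heads=2, sectors=18)
```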



Understanding Disk Drives (continued)

  • Zoned bit recording (ZBR)

    • Platter’s inner tracks are smaller than outer tracks

    • Group tracks by zone

  • Track density

    • Space between each track

  • Areal density

    • Number of bits on one square inch of a platter



Exploring Microsoft File Structures

  • Need to understand

    • FAT

    • NTFS

  • Sectors are grouped into clusters

    • Storage allocation units of at least 512 bytes

    • Minimize read and write overhead

  • Clusters are referred to as logical addresses

  • Sectors are referred to as physical addresses



Disk Partitions

  • Logical drive

  • Hidden partitions or voids

    • Large, unused gaps between partitions

    • Also known as partition gaps

    • Can hide data

  • Use a disk editor to change the partition table

    • Norton Disk Edit

    • WinHex, Hex Workshop

    • http://www.x-ways.net/winhex/index-m.html





Disk Partitions (continued)

  • Disk editor additional functions

    • Identify OS on an unknown disk

    • Identify file types









Master Boot Record

  • Stores information about partitions

    • Location

    • Size

    • Others

  • Software can replace master boot record (MBR)

    • PartitionMagic

    • LILO

    • Can interfere with forensics tasks

    • Use more than one tool

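An added example for the Disk Partitions and Master Boot Record slides (written for this page; not the textbook's or any tool's code): Python that reads the location and size the MBR stores for each of its four partition entries and reports the unallocated gaps between them, the "voids" an examiner should inspect for hidden data. The 512-byte MBR is constructed inline, and the 2048-sector threshold for reporting a gap is an arbitrary assumption.

```python
import struct

ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
TABLE_OFFSET = 446        # the 4 x 16-byte partition table follows the boot code
BOOT_SIGNATURE = b"\x55\xaa"

def build_mbr(entries):
    """Construct a 512-byte MBR from (type, lba_start, sector_count) tuples."""
    mbr = bytearray(512)
    for i, (ptype, start, count) in enumerate(entries):
        status = 0x80 if i == 0 else 0x00           # first entry marked bootable
        struct.pack_into(ENTRY_FMT, mbr, TABLE_OFFSET + 16 * i,
                         status, b"\0\0\0", ptype, b"\0\0\0", start, count)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)

def parse_mbr(mbr):
    """Return the in-use partition entries sorted by starting sector."""
    if len(mbr) < 512 or mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("no 0x55AA boot signature: not a valid MBR")
    parts = []
    for i in range(4):
        status, _, ptype, _, start, count = struct.unpack_from(
            ENTRY_FMT, mbr, TABLE_OFFSET + 16 * i)
        if ptype != 0 and count:                    # type 0 means an empty slot
            parts.append({"slot": i, "type": ptype, "bootable": status == 0x80,
                          "start": start, "end": start + count - 1})
    return sorted(parts, key=lambda p: p["start"])

def find_gaps(parts, total_sectors, min_sectors=2048):
    """Sector ranges covered by no partition entry (candidate hidden areas)."""
    gaps, cursor = [], 1                            # sector 0 holds the MBR itself
    for p in parts:
        if p["start"] - cursor >= min_sectors:
            gaps.append((cursor, p["start"] - 1))
        cursor = max(cursor, p["end"] + 1)
    if total_sectors - cursor >= min_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps

# Constructed disk of 1,000,000 sectors: NTFS (type 0x07) then FAT32 (type 0x0B),
# with unallocated space between them and after the last partition
DISK_SECTORS = 1_000_000
SAMPLE_MBR = build_mbr([(0x07, 63, 400_000), (0x0B, 600_000, 300_000)])
```

Compare the gaps against a second tool's view of the same disk, as the slide advises, before concluding that a gap is deliberate.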


Examining FAT Disks

  • FAT was originally developed for floppy disks

    • Filenames, directory names, date and time stamps, starting cluster, attributes

  • Typically written to the outermost track

  • Evolution

    • FAT12

    • FAT16

    • FAT32





Examining FAT Disks (continued)

  • Drive slack

    • Unused space on a cluster

    • RAM slack

      • Can contain logon IDs and passwords

      • Common on older systems

    • File slack

      • Bytes not used on the sector by the file

  • FAT16 unintentionally reduced fragmentation





Examining FAT Disks (continued)

  • Cluster chaining

    • File clusters are together (when possible)

  • Produces fragmentation

  • Tools

    • Norton DiskEdit

    • DriveSpy’s Chain FAT Entry (CFE) command

  • Rebuilding broken chains can be difficult






Deleting FAT Files

  • Filename in the FAT directory entry starts with hex E5

  • FAT chain for that file is set to zero

  • Free disk space is incremented

  • Actual data remains on disk

  • Can be recovered with computer forensics tools

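An added example covering the slack, cluster chaining and FAT deletion slides together (written for this page; not DriveSpy's or any other tool's code): Python that decodes a 32-byte FAT directory entry, walks a FAT12 cluster chain, and shows what deletion leaves behind, with the name's first byte overwritten by E5 but the starting cluster and size intact, and the chain zeroed so the examiner falls back to assuming contiguous clusters. The directory entries and FAT tables are constructed inline; the 512-byte cluster size is an assumption.

```python
import struct

DELETED_MARK = 0xE5        # a deleted entry's name starts with this byte
FAT12_EOC_MIN = 0xFF8      # FAT12 values 0xFF8..0xFFF mark end of chain

def _text(b):
    return b.decode("ascii", "replace").rstrip()

def parse_dir_entry(raw):
    """Decode one 32-byte FAT directory entry (8.3 short-name form)."""
    deleted = raw[0] == DELETED_MARK
    base, ext = _text(raw[0:8]), _text(raw[8:11])
    if deleted:                      # the first name byte is lost; show it as '?'
        base = "?" + base[1:]
    hi, = struct.unpack_from("<H", raw, 20)     # high cluster word (FAT32 only)
    lo, size = struct.unpack_from("<HI", raw, 26)
    return {"deleted": deleted, "name": f"{base}.{ext}" if ext else base,
            "attr": raw[11], "start_cluster": (hi << 16) | lo, "size": size}

def fat12_entry(fat, n):
    """Read 12-bit FAT entry n; entries are packed 1.5 bytes each."""
    off = n + n // 2
    val = fat[off] | (fat[off + 1] << 8)
    return (val >> 4) if n & 1 else (val & 0x0FFF)

def follow_chain(fat, start):
    """Walk the cluster chain from start until EOC, a zeroed entry, or a loop."""
    chain, n = [], start
    while 2 <= n < FAT12_EOC_MIN:
        if n in chain:
            raise ValueError(f"loop at cluster {n}")
        chain.append(n)
        n = fat12_entry(fat, n)
    return chain

def assume_contiguous(start, size, bytes_per_cluster):
    """Clusters a deleted file occupied if it was stored unfragmented."""
    needed = -(-size // bytes_per_cluster)
    return list(range(start, start + needed))

def file_slack(size, cluster_count, bytes_per_cluster):
    """Bytes allocated to the file but not used by it (slack in the last cluster)."""
    return cluster_count * bytes_per_cluster - size

# Constructed sample: REPORT.TXT, archive attribute, 1300 bytes, starting at cluster 2
LIVE_ENTRY = b"REPORT  TXT" + b"\x20" + b"\x00" * 14 + struct.pack("<HI", 2, 1300)
DELETED_ENTRY = bytes([DELETED_MARK]) + LIVE_ENTRY[1:]
# Constructed FAT12 tables: entries 0-1 hold the media descriptor,
# then 2 -> 3 -> 4 -> EOC (live) versus entries 2, 3, 4 zeroed after deletion
FAT_LIVE = bytes.fromhex("F0FFFF 034000 FF0F00")
FAT_AFTER_DELETE = bytes.fromhex("F0FFFF 000000 000000")
```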


Examining NTFS Disks

  • First introduced with Windows NT

  • Spin-off of HPFS

    • From IBM OS/2

  • Provides improvements over FAT file systems

    • Stores more information about a file

  • Microsoft’s move toward a journaling file system

    • Keep track of transactions

    • Can be rolled back



Examining NTFS Disks (continued)

  • Partition Boot Sector starts at sector 0

  • Master File Table (MFT)

    • First file on disk

    • Contains information about all files on disk (meta-data)

  • Reduces slack space

  • NTFS uses Unicode

    • UTF-8, UTF-16, UTF-32





NTFS File Attributes

  • All files and folders have attributes

  • Resident attributes

    • Stored in the MFT

  • Nonresident attributes

    • Everything that cannot be stored in the MFT

  • Uses inodes for nonresident attributes

  • Logical and virtual cluster numbers

    • LCN and VCN



NTFS Data Streams

  • Data can be appended to a file when examining a disk

    • Can obscure valuable evidentiary data

  • Additional data attribute of a file

  • Allow files to be associated with different applications



NTFS Compressed Files

  • Improve data storage

    • Compression similar to FAT DriveSpace 3

  • Files, folders, or an entire volume can be compressed

  • Transparent when working with Windows XP, 2000, or NT

  • Need to decompress it when analyzing

    • Advanced tools do it automatically



NTFS Encrypted File System (EFS)

  • Introduced with Windows 2000

  • Implements a public key/private key encryption method

  • Recovery certificate

    • Recovery mechanisms in case of a problem

  • Works for local workstations or remote servers



Deleting NTFS Files

  • Similar to FAT

  • NTFS is more efficient than FAT

    • Reclaiming deleted space

    • Deleted files are overwritten more quickly



Understanding the Windows Registry

  • Database that stores:

    • Hardware and software configuration

    • User preferences (user names and passwords)

    • Setup information

  • Use Regedit command for Windows 9x

  • Use Regedt32 command for Windows XP and 2000

  • FTK Registry Viewer



Understanding the Windows Registry (continued)

  • Windows 9x Registry

    • User.dat

    • System.dat

  • Windows 2000 and XP Registry

    • \Winnt\System32\Config

    • \Windows\System32\Config

    • System, SAM, Security, Software, and NTUser.dat





Understanding Microsoft Boot Tasks

  • Prevent damaging digital evidence

  • OSs alter files when computer starts up



Windows XP, 2000 and NT Startup

  • Steps:

    • Power-on self test (POST)

    • Initial startup

    • Boot loader

    • Hardware detection and configuration

    • Kernel loading

    • User logon



Startup Files for Windows XP

  • Files used during boot process:

    • NTLDR

    • Boot.ini

    • BootSec.dos

    • NTDetect.com

    • NTBootdd.sys

    • Ntoskrnl.exe

    • Hal.dll

    • Device drivers



Windows XP System Files


Windows 9x and Me Startup

  • Windows Me cannot boot to a true MS-DOS mode

  • Windows 9x OSs have two modes

    • DOS protected-mode interface (DPMI)

      • Command prompt from boot menu

    • Protected-mode GUI

      • DOS shell in Windows

  • Startup files

    • Io.sys

    • Msdos.sys

    • Command.com





Understanding MS-DOS Startup Tasks

  • Io.sys

    • Loaded after the ROM bootstrap

    • Finds the disk drive

    • Provides basic input/output services

  • Msdos.sys

    • Loaded after Io.sys

    • Actual kernel for MS-DOS

    • Looks for Config.sys



Understanding MS-DOS Startup Tasks (continued)

  • Msdos.sys (continued)

    • Loads Command.com

    • Loads Autoexec.bat

  • Config.sys

    • Commands run only at system startup

  • Autoexec.bat

    • Customized settings for MS-DOS

    • Define default path and environment variables



Other Disk Operating Systems

  • Control Program for Microprocessors (CP/M)

  • Digital Research Operating System (DR-DOS)

  • Personal Computer Disk Operating System (PC-DOS)

    • Developed by IBM



DOS Commands and Batch Files

  • Batch files

    • Fixed sequence of DOS commands

    • Ideal for repetitive tasks

  • Batch files work like a single command

  • MS-DOS supports parameter passing and conditional execution

    • Can pass up to 10 parameters







Summary

  • FAT

    • FAT12, FAT16, and FAT32

  • Windows Registry keeps hardware and software configuration and preferences

  • CHS calculation

  • NTFS

  • Look for hidden information on file, RAM, and drive slack



Summary (continued)

  • NTFS uses Unicode to store information

  • Hexadecimal codes identify OSs and file types

  • NTFS uses inodes to link file attribute records

    • Resident and nonresident

  • NTFS compressed files

  • NTFS encrypted files (EFS)
