Disk Structure, And Forensic Searching Evidence in MS-Dos

EAST UNIVERSITY OF PUERTO RICO
SCHOOL OF BUSINESS
CAROLINA, PUERTO RICO

DISK STRUCTURE, AND FORENSIC SEARCHING EVIDENCE IN MS-DOS

Author: Rommel Salas
MBA in Management Security Information
2015

Table of Contents

Abstract
Introduction
The First Operating System based in Command Line Interface
  MS-DOS Versions in the market (Support, 2003)
The CLI Operating System and Storage Device
DOS Commands and Forensic Importance
  The use of commands and syntax
  Formatting legend
  Comparison between MS-DOS and Linux
  Partition Structure in MS-DOS
FAT32 Features
FAT32 Compatibility Considerations
  FAT32 Performance
  Dual-Boot Computers
Creating FAT32 Drives
  Differences between FAT32 and NTFS
  Convert from FAT, FAT32 to NTFS
Bibliography

Abstract

If we start from the concept "Forensic Computer is the science of extracting data so that it can be presented as evidence in a court of law" (Albert J. Marcella, 2007), then the recovery, examination and analysis of digital evidence are the important parts of the extraction process. Recovery should be both logical and physical, starting from the identification of the type of partition and of any hidden drives. In the investigation and examination steps, tools to recover deleted information related to the case are necessary, and these tools must be standardized for proper information security. Each disk keeps a record of the data in each cluster; when a file is deleted, the reference to that file is removed from the record, but the data is not actually deleted from the disk (Casey, 2003). On all storage devices, external and internal, the data remains on the disk indefinitely. Even when a deleted file is overwritten, if the new file does not take up the entire cluster, a portion of the old file might remain in the slack space.
When collecting the entire contents of a computer, a bitstream copy captures what is in slack space and unallocated space, whereas a regular copy does not: a bitstream copy duplicates everything in a cluster (Casey, 2003). According to Schweitzer (2003), the first step of a proper forensic analysis is to collect computer evidence. Imaging is one of the first procedures to be carried out after the contents of the computer's memory have been copied and preserved; the imaging process is nondestructive to the data and in some cases does not require the operating system.

Introduction

For a long time the traditional forensic professional has used a wide variety of techniques for collecting, examining and analyzing evidence at the crime scene; now, with cyberspace and the use of electronic devices, the development of techniques and tools is important in the management of electronic evidence. To understand the context, it is important to look at the beginnings of the operating system, the sequence and pattern used in its commands, and its structure and development across versions and the changes made. The use of operating systems on devices that store, analyze and process information gives us relevant information about the location of information, the type of information, and the date and time of creation and modification. According to the 2012 Annual Report of Microsoft Corporation (Corporation, Devices With End-User Services, 2012), Windows has over 1.3 billion end-users around the world.

Thirty-two years ago, on July 27, 1981 (Anthony, 2011), Microsoft bought the rights for QDOS (Quick and Dirty Operating System) from Seattle Computer Products (SCP) for $25,000. QDOS, otherwise known as 86-DOS, was designed by SCP to run on the Intel 8086 processor, and was originally thrown together in just two months for a 0.1 release in 1980.
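The abstract's point about slack space, and about what a bitstream copy preserves that a regular copy does not, can be made concrete with a small simulation. The following Python code is an added example and is not part of the paper: it builds a toy volume with 4096-byte clusters (a constructed cluster size chosen for the example, not one the paper states for MS-DOS), writes a file, deletes only its directory reference the way DEL does, reuses the cluster for a smaller file, and then compares what a logical copy and a bitstream copy contain. The class and function names (ToyVolume, slack_of, find_in_image, scenario) and the file contents are constructed for this example.

```python
"""Simulate slack space on a cluster-based volume and compare a logical
(regular) copy with a bitstream copy. Added example, not from the paper;
the volume, the file contents and the 4096-byte cluster size are constructed.
"""
from typing import Dict, List, Tuple

CLUSTER = 4096  # constructed cluster size for the toy volume


class ToyVolume:
    """A few clusters of raw bytes plus a directory of live files (constructed)."""

    def __init__(self, clusters: int):
        self.raw = bytearray(clusters * CLUSTER)   # the "disk"
        self.dir: Dict[str, Tuple[int, int]] = {}  # name -> (cluster index, logical size)
        self.free = list(range(clusters))

    def write(self, name: str, data: bytes) -> int:
        """Allocate one cluster and write only len(data) bytes into it."""
        if len(data) > CLUSTER:
            raise ValueError("toy volume: one cluster per file")
        c = self.free.pop(0)
        # Bytes beyond len(data) keep whatever the cluster held before: that is slack.
        self.raw[c * CLUSTER: c * CLUSTER + len(data)] = data
        self.dir[name] = (c, len(data))
        return c

    def delete(self, name: str) -> None:
        """Like DEL: drop the directory reference, leave the cluster data in place."""
        c, _ = self.dir.pop(name)
        self.free.insert(0, c)  # the freed cluster is reused first

    def logical_copy(self) -> Dict[str, bytes]:
        """Regular copy: only the logical bytes of files the directory still lists."""
        return {n: bytes(self.raw[c * CLUSTER: c * CLUSTER + size])
                for n, (c, size) in self.dir.items()}

    def bitstream_copy(self) -> bytes:
        """Bit-for-bit image: every cluster, allocated or not, slack included."""
        return bytes(self.raw)


def slack_of(vol: ToyVolume, name: str) -> bytes:
    """Bytes between a file's logical end and the end of its cluster."""
    c, size = vol.dir[name]
    return bytes(vol.raw[c * CLUSTER + size: (c + 1) * CLUSTER])


def find_in_image(image: bytes, needle: bytes) -> List[Tuple[int, int]]:
    """Locate a byte pattern in an image; report (cluster, offset within cluster)."""
    hits, pos = [], image.find(needle)
    while pos != -1:
        hits.append((pos // CLUSTER, pos % CLUSTER))
        pos = image.find(needle, pos + 1)
    return hits


def scenario() -> dict:
    """Write, delete, overwrite with a smaller file, then take both kinds of copy."""
    vol = ToyVolume(clusters=4)
    old = b"OLD EVIDENCE: account 1234 transfer " * 100   # 3600 bytes, most of a cluster
    vol.write("ledger.txt", old)
    vol.delete("ledger.txt")                     # reference gone, data still on disk
    vol.write("note.txt", b"new small file")      # reuses the same cluster
    return {
        "logical": vol.logical_copy(),
        "image": vol.bitstream_copy(),
        "slack": slack_of(vol, "note.txt"),
    }


if __name__ == "__main__":
    r = scenario()
    print("logical copy:", r["logical"])
    print("old data hits in image:", find_in_image(r["image"], b"OLD EVIDENCE")[:3], "...")
```

The logical copy holds only the 14 bytes of note.txt, while the bitstream image still carries the rest of the deleted ledger in the slack behind it; find_in_image reports where in the image each surviving fragment sits, which is the same search an examiner runs over a real image.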
Meanwhile, IBM had planned on powering its upcoming Personal Computer with an Intel 8086-compatible version of CP/M, which was the standard OS for the Intel 8080 and other 8-bit architectures at the time, but a deal could not be struck with CP/M's developer, Digital Research. IBM then approached Microsoft, which already had a few years of experience under its belt with M-DOS, BASIC and other important tools; as you can probably tell from the landscape of the computer world today, the IBM/Microsoft partnership worked out rather well indeed. For this reason IBM released its Personal Computer in August 1981 running version 1.14 of SCP's QDOS, but a few months later Microsoft produced MS-DOS 1.24 (Anthony, 2011), which then became the standard IBM PC operating system. In March 1983, both MS-DOS 2.0 and the IBM PC/XT were released. The rest, as they say, is history. MS-DOS 3.0 followed in 1984 (alongside the IBM PC/AT), and MS-DOS 4.0 with a mouse-powered, menu-driven interface arrived in 1989. It is around this point that IBM's PC operating system, PC-DOS, began to diverge from MS-DOS, and of course, come 1990, Microsoft released Windows 3.0, which would change Microsoft's focus forever. It is also around this time that developers started to feel the pinch of the 640KB conventional memory limit imposed by IBM's original hardware specifications.

The First Operating System based in Command Line Interface

The fascinating world of personal computers began with the IBM PC in August 1981; it came complete with a 16-bit operating system from Microsoft, MS-DOS 1.0. This was Microsoft's first operating system, and it also became the first widely used operating system for the IBM PC and its clones. MS-DOS, the acronym for Microsoft Disk Operating System, is an operating system with a command-line interface [1] used on personal computers.
MS-DOS is a set of internal and external commands that interpret the orders the user gives to the computer; in the beginning this interpreter was text based (command lines), known as a command-line interface. MS-DOS 1.0 was a renamed version of QDOS (Quick and Dirty Operating System), which Microsoft bought from a Seattle company, appropriately named Seattle Computer Products, in July 1981. QDOS had been developed as a clone of the CP/M eight-bit operating system in order to provide compatibility with the popular business applications of the day such as WordStar and dBase. CP/M (Control Program for Microcomputers) was written by Gary Kildall of Digital Research several years earlier and had become the first operating system for microcomputers in general use. QDOS was written by Tim Paterson, a Seattle Computer Products employee, for the new Intel 16-bit 8086 CPU (central processing unit, one of the first personal computer processors), and the first version was shipped in August 1980. Although it was completed in a mere six weeks, QDOS was sufficiently different from CP/M to be considered legal. Paterson was later hired by Microsoft.

[1] A set of internal and external commands that interpret the orders the user gives to the computer, based on text format or command lines.
MS-DOS Versions in the market (Support, 2003)

Microsoft MS-DOS 1.0
Microsoft MS-DOS 1.14
Microsoft MS-DOS 1.24
Microsoft MS-DOS 2.0
Microsoft MS-DOS 3.1
Microsoft MS-DOS 3.2 Standard Edition
Microsoft MS-DOS 3.21 Standard Edition
Microsoft MS-DOS 3.3 Standard Edition
Microsoft MS-DOS 3.3a
Microsoft MS-DOS 4.0 Standard Edition
Microsoft MS-DOS 4.01 Standard Edition
Microsoft MS-DOS 5.0 Standard Edition
Microsoft MS-DOS 5.0a
Microsoft MS-DOS 6.0 Standard Edition
Microsoft MS-DOS 6.2 Standard Edition
Microsoft MS-DOS 6.21 Standard Edition
Microsoft MS-DOS 6.22 Standard Edition
Microsoft MS-DOS 7.0 Standard Edition
Microsoft MS-DOS 7.1 Standard Edition

You type MS-DOS commands in a command prompt window; to end your MS-DOS session, type exit at the blinking cursor, also called the command prompt [2]. The prompt starts at the root directory, where commands are executed, but it is important to consider that commands can be executed from anywhere in the unit (directory or subdirectory). MS-DOS mode is a shell [3] in which the MS-DOS environment is emulated on 32-bit systems such as Windows. DOS Shell is a file manager that came with MS-DOS and PC-DOS from version 4.0 through 6.0; it was intended as an alternative to COMMAND.COM (Corporation, MS-DOS Overview, 2013). MS-DOS-based programs can run under Windows and might create a program information file (PIF), which appears as a shortcut on your desktop. The graphical user interface, GUI [4], is a computer program which acts as the user interface, using a set of images and graphic objects to represent the information and actions available in the interface. Its main use is to provide a simple visual environment for communicating with the operating system of a machine or computer; many operating systems use a GUI platform: Windows, Linux, Mac, Android, etc.
Microsoft initially kept the IBM deal a secret from Seattle Computer Products. And in what was to become another extremely fortuitous move, Bill Gates, the not uncontroversial cofounder of Microsoft, persuaded IBM to let his company retain marketing rights for the operating system separately from the IBM PC project. It is important to consider that in the beginning Microsoft named it PC-DOS (the IBM version) and MS-DOS (the Microsoft version). The two versions were initially nearly identical, but they eventually diverged. The acronym DOS was not new even then. It had originally been used by IBM in the 1960s in the name of an operating system (i.e., DOS/360) for its System/360 computer. At that time the use of disks for storing the operating system and data was considered cutting-edge technology. MS-DOS soared in popularity with the surge in the PC market. Revenue from its sales fueled Microsoft's phenomenal growth, and MS-DOS was the key to the company's rapid emergence as the dominant firm in the software industry. This product continued to be the largest single contributor to Microsoft's income well after it had become more famous for Windows.

[2] It is used to identify the unit; the cursor allows us to execute the commands.
[3] A file manager that comes in some versions of MS-DOS, used to manage files, directories and subdirectories.
[4] The graphical user interface, composed of icons which are graphical representations of programs and tools.

The CLI Operating System and Storage Device

Subsequent versions of MS-DOS featured improved performance and additional functions, not a few of which were copied from other operating systems. For example, version 1.25, released in 1982, added support for double-sided disks, thereby eliminating the need to manually turn the disks over to access the reverse side.
At this time the storage devices were the 5.25-inch floppy disk, identified as drive A, and the hard disk, identified as drive C; this convention did not change as storage evolved toward other types of device with more capacity and other technologies. The concept of a drive [5] (C, A, D, etc.) is to identify the storage and use of information. Version 2.0, released the next year, added support for directories [6]. This means the directory structure is usually hierarchical, branched or "tree"-like, although in some cases it could be flat. In some file systems file names are structured, with special syntax for filename extensions and version numbers. In others, file names [7] are simply strings of text and the metadata of each file is housed separately; the extension of the file name designates the type of file (for example: .doc, .pdf, .jpg, etc.). Version 2.0 added this support for IBM's then huge 10MB hard disk drive (HDD) and for 360KB, 5.25-inch floppy disks. This was followed by version 2.11 later in the same year, which added support for foreign and extended characters. Version 3.0, launched in 1984, added support for 1.2MB floppy disks and 32MB HDDs. This was soon followed by version 3.1, which added support for networks.

To better understand the concepts of storage, it is important to know the information units (Morlupi, 2012):

1. Bit: takes the value 1 or 0 in the binary number system.
2. Byte: unit of information consisting of 8 bits.
3. Kbyte: 1 Kbyte of data consists of 1024 bytes.
4. MByte: 1 MByte of data consists of 1024 Kbytes.
5. GByte: 1 GByte of data consists of 1024 MBytes.
6. TByte: 1 TByte of data consists of 1024 GBytes.

[5] Identifies the storage device in the PC, laptop, server or workstation.
[6] A folder in the file system structure in which to store computer files.
[7] Base name of an information structure, saved in different formats.
Additions and improvements in subsequent versions included support for multiple HDD partitions, for disk compression and for larger partitions, as well as an improved disk-checking utility, enhanced memory management, a disk defragmenter and an improved text editor.

A hard disk partition [8] is a logical division of a storage unit (such as a hard drive or flash drive) which houses and organizes files using a file system. There are different partitioning schemes for laying out partitions on a disk; the most popular and widespread are MBR (Master Boot Record) and GPT (GUID Partition Table). Partitions that hold data must have a file system. The unallocated space on a disk is not a partition, so it cannot have a file system. There are multiple file systems with different capacities, such as FAT, NTFS, FAT32, EXT2, EXT3, EXT4, Btrfs, FedFS, ReiserFS, Reiser4 and others. A file system [9] is the structured information stored in a storage unit (typically a computer's hard disk), which is then displayed either textually or graphically using a file manager. Most operating systems handle their own file system. In hierarchical file systems, the precise location of a file is usually stated with a text string called a "path" [10]. The nomenclature for paths varies slightly from system to system, but generally maintains the same structure. A path is given by a succession of directory and subdirectory names, arranged hierarchically from left to right and separated by a special character that is usually a slash ('/') or backslash ('\'), and it may end in the name of a file present in the last directory specified.

[8] A hard disk partition is a logical division of a storage unit, in which files are housed and organized using a file system.
[9] Structure of information stored in a storage unit, then represented either textually or graphically using a file manager.
[10] The path points to the exact location of a file or directory. Absolute paths point to the location of a file or directory from the root directory of the file system; relative paths point to the location of a file or directory from the current position in the operating system's file system.

The final major version was 7.0, which was released in 1995 as part of Microsoft Windows 95. It featured close integration with that operating system, including support for long filenames and the removal of numerous utilities, some of which were on the Windows 95 CD-ROM. In this case another format is used, UDF (Universal Disc Format), which can add files and folders and is why it is used by most packet-writing software, known as optical drive recording programs. This file system is mandatory for DVD units but also supported on some CDs. MS-DOS was revised in 1997 with version 7.1, which added support for the FAT32 file system on HDDs. Although many of the features were copied from UNIX, MS-DOS was never able to come anywhere close to UNIX in terms of performance or features. For example, MS-DOS never became a serious multi-user or multitasking operating system (both of which were core features of UNIX right from the start) in spite of attempts to retrofit these capabilities. Multitasking is the ability of a computer to run two or more programs simultaneously.

DOS Commands and Forensic Importance

At present most computers use Microsoft Windows, Mac OS or Linux, and in all three cases the command line is important and therefore has not been removed. Under the command line we can only hide files using the respective command, whereas in GUI mode we have more options; hence managing files from the command line is more reliable.
The examination and identification of files is much more accurate using the command line interface. We will often find problems booting; the F8 key will allow us to access the command line of Windows, and in the case of Linux all versions allow us to use either the CLI or the GUI. The importance of the command line in electronic crime investigation is the ability to identify the recorded information: even when there are problems with the Windows GUI, we can always access the information on the storage device. In the process of a forensic investigation, the command line will provide us important information in different areas of the investigation:

a) Networking
b) Directory Structure
c) Storage Device Information
d) User Information
e) File Information

Some of the most common commands (Project., 2004), which are at the same time commands of great importance, are as follows (corresponding commands on Unix-like operating systems are shown in parentheses):

Command   Description                                                    Linux
-----------------------------------------------------------------------------------------
DIR       Lists directory contents                                       (ls)
CD        Changes the current directory                                  (cd)
COPY      Copies a file                                                  (cp)
DEL       Deletes a file                                                 (rm)
EDIT      Starts an editor to create or edit a plain text file           (vi, vim, ed)
FORMAT    Formats a disk to accept DOS files                             (mformat)
HELP      Displays information about a command                           (man, info)
MD        Creates a new directory                                        (mkdir)
RD        Removes a directory                                            (rmdir)
REN       Renames a file                                                 (mv)
TYPE      Displays the contents of a file on the screen                  (more, cat)
ECHO      Prints text on the screen; used in terminal operating systems  (echo)
          like Unix, Linux or MS-DOS
CLS       Simply clears the screen                                       (clear)
FDISK     Installs a hard disk; creates, displays or deletes partitions
The use of commands and syntax

According to (Microsoft, Command-line reference A-Z, 2013), when using MS-DOS commands the syntax [11] is very important: all commands have an order, and the syntax appears in the order in which you must type a command and any parameters that follow it. For example, the command xcopy:

xcopy Source [Destination] [/w] [/p] [/c] [/v] [/q] [/f] [/l] [/g] [/d[:mm-dd-yyyy]] [/u] [/i] [/s [/e]] [/t] [/k] [/r] [/h] [{/a|/m}] [/n] [/o] [/x] [/exclude:file1[+[file2]][+[file3]] [{/y|/-y}] [/z]

[11] The arguments used for commands.

Formatting legend

The following table explains how to interpret the different text formats.

Format                                              Meaning
----------------------------------------------------------------------------------------------
Italic                                              Information that the user must supply
Bold                                                Elements that the user must type exactly as shown
Ellipsis (...)                                      Parameter that can be repeated several times in a command line
Between brackets ([])                               Optional items
Between braces ({}); choices separated by pipe (|)  Set of choices from which the user must choose only one.
                                                    Example: {even|odd}
Courier font                                        Code or program output

Comparison between MS-DOS and Linux

MS-DOS and Linux have much in common (Project., 2004), primarily because MS-DOS copied many ideas from UNIX. However, there are some very fundamental differences, including:

1. Linux is a full-fledged multiuser, multitasking operating system, whereas MS-DOS is a single-user, single-tasking operating system.
2. MS-DOS does not have built-in security concepts such as file ownership and permissions, which are fundamental to Linux.
3. Linux has an inverted tree-like file system in which all directories and files branch from a single directory, i.e., the root directory, and its subdirectories. MS-DOS can have multiple, independent root directories, such as A:, C:, D:, etc.
4. Linux uses forward slashes "/" to separate directories, whereas MS-DOS uses backslashes "\" for the same purpose.
5. Linux filenames can contain up to 255 characters. MS-DOS filenames are limited to eight characters plus a three-character extension and have restrictions on allowable characters. Also, filenames are case-sensitive in Linux, whereas they are not in MS-DOS.
6. Linux has a vastly richer command set than does MS-DOS, with a much greater number of commands and individual commands having greater power, flexibility and ease of use. Commands are case-sensitive in Linux, but they are not in MS-DOS.
7. Although Linux and MS-DOS both have pipes and input/output redirection, the MS-DOS pipes use a completely different, and inferior, implementation.
8. MS-DOS is not sufficiently flexible and efficient to serve as a base for a high quality, general-purpose GUI (and thus it had to be abandoned by Microsoft). In sharp contrast, Linux is an excellent base for a GUI (and it is used as a base for the X Window System, which is extremely configurable and whose already excellent performance continues to improve).

A hard disk's master boot record, also known as the MBR, is the first sector ("sector zero") of a data storage device such as a hard disk. Sometimes it is used to hold the operating system bootstrap, sometimes to store a partition table, and sometimes only to identify a single disk device, although on some machines the latter is not used and is ignored. The partition table is located at offset 0x01BE and contains up to four 16-byte entries. The fourth byte of each partition table entry is used to mark the partition type.
Address   Description
-----------------------------------------------------------------
0x0000    Boot code area
0x01B8    4 bytes, disk signature (optional)
0x01BC    2 bytes, usually 0x0000
0x01BE    Primary partition table, each entry is 16 bytes (standard MBR partition table schema)
0x01FE    2 bytes; MBR signature (0x55AA)

Partition Structure in MS-DOS

According to Microsoft (Microsoft, MS-DOS Partitioning Summary, 2011), MS-DOS began supporting hard disks in version 2.0. MS-DOS versions 2.x support one type 01 partition of up to 15 megabytes (MB) in size, which uses a 12-bit file allocation table (FAT). Fdisk creates only one MS-DOS partition per drive.

MS-DOS 3.0

MS-DOS 3.0 supports partitions larger than 15 MB using a 16-bit FAT, which allows a smaller cluster size and more efficient disk usage. As a result, MS-DOS 2.x hard disks larger than 15 MB are incompatible with later versions of MS-DOS. Fdisk creates only one MS-DOS partition per drive.

MS-DOS 3.3

MS-DOS 3.3 introduces support for more than one logical drive per hard disk. Logical drives are treated as completely separate disks under MS-DOS, even though they may occupy the same physical hard disk. This is supported by using non-bootable MS-DOS partitions known as extended MS-DOS partitions. Fdisk reports these as EXT DOS; other MS-DOS partitions are reported as PRI DOS (for primary MS-DOS). Each primary MS-DOS partition [12] is a logical drive, and extended MS-DOS partitions contain from 1 to 23 logical drives (MS-DOS supports drive letters up to Z). Logical drives in extended MS-DOS partitions have the same FAT type as a primary MS-DOS partition of the same size. Only one PRI DOS partition and one EXT DOS partition is allowed per drive. On computers with two physical hard disks, a PRI DOS partition is not required on the second physical disk. A PRI DOS partition is required on the first physical disk. (MS-DOS does not support more than two physical disks.)
MS-DOS 4.0

MS-DOS versions 4.0 and later support logical drives larger than 32 MB. Full usage of these logical drives requires the MS-DOS program Share.exe to be loaded in MS-DOS 4.0.

[12] Operating systems do not work directly with physical units but with logical drives. A single physical hard drive can have multiple logical drives. Only primary partitions can be activated. In addition, some operating systems cannot access primary partitions other than their own.

Partition   Fdisk      Size             FAT Type   Starting in
Type        Reports                                MS-DOS version
-----------------------------------------------------------------
01          PRI DOS    0-15 MB          12-bit     2.0 (a)
04          PRI DOS    16-32 MB         16-bit     3.0
05          EXT DOS    0-2 GB (b)       n/a        3.3
06          PRI DOS    32 MB-2 GB (b)   16-bit     4.0

a) 15-MB size limitation extended in version 3.0.
b) 2 GB (gigabytes) includes a limit of 1024 cylinders per drive imposed by the standard AT ROM BIOS interrupt 13 protocol.

MS-DOS 5.0

MS-DOS versions 5.0 and later support up to eight physical hard disks. Share.exe is not required for full large-drive support; this support is included in the MS-DOS kernel. MS-DOS versions 5.0 and later support the same partitioning strategy as version 4.x, including Fdisk's inability to create more than one primary MS-DOS partition on a physical disk. However, because some original equipment manufacturer (OEM) partitioning software allows you to create more than one primary MS-DOS partition, MS-DOS versions 5.0 and later have kernel support for up to four primary MS-DOS partitions. This makes it easier to upgrade from previous versions of OEM-modified MS-DOS. Fdisk still creates only one PRI DOS partition on a physical disk.

NOTE: Many OEMs have changed their versions of MS-DOS to support more than one primary MS-DOS partition, larger type 04 partitions, and new partition types.

Windows 95 OSR2, Windows 98, and Windows Me include an updated version of the FAT file system.
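To show how the MBR layout table and the MS-DOS partition type table above are applied to a real sector, here is an added Python example; it is not code from the paper or from Microsoft. It reads the four 16-byte entries at offset 0x01BE of a 512-byte sector, checks the 0x55AA signature at 0x01FE, reads the optional disk signature at 0x01B8, and labels each entry with the Fdisk report and FAT type from the partition type table. Offsets inside an entry are zero-based here, so the partition type byte is read at offset 4, after the boot flag and the 3-byte CHS start address. The sample sector built by sample_mbr() is constructed data, and the function names (parse_mbr, parse_entry, is_valid_mbr, make_entry, sample_mbr) are this example's own.

```python
"""Parse the partition table of a 512-byte MBR sector.

Added example, not from the paper: offsets follow the MBR layout table
(0x01B8 disk signature, 0x01BE partition table, 0x01FE signature) and the
type-to-FAT mapping follows the MS-DOS partition type table (01, 04, 05, 06).
"""
import struct
from typing import List, Optional

SECTOR = 512
DISK_SIG_OFFSET = 0x01B8    # optional 4-byte disk signature
PT_OFFSET = 0x01BE          # start of the four 16-byte entries
SIG_OFFSET = 0x01FE         # 2-byte MBR signature
BOOT_SIG = b"\x55\xaa"      # 0x55AA as the bytes appear on disk

# Partition type -> (Fdisk report, FAT type, first MS-DOS version), from the table above.
DOS_TYPES = {
    0x01: ("PRI DOS", "12-bit", "2.0"),
    0x04: ("PRI DOS", "16-bit", "3.0"),
    0x05: ("EXT DOS", "n/a",    "3.3"),
    0x06: ("PRI DOS", "16-bit", "4.0"),
}


def is_valid_mbr(sector: bytes) -> bool:
    """A usable MBR is exactly one sector and ends with the 0x55AA signature."""
    return len(sector) == SECTOR and sector[SIG_OFFSET:SIG_OFFSET + 2] == BOOT_SIG


def parse_entry(entry: bytes) -> Optional[dict]:
    """Decode one 16-byte entry; return None for an empty (all-zero) slot."""
    if len(entry) != 16:
        raise ValueError("partition entry must be 16 bytes")
    if entry == bytes(16):
        return None
    # Little-endian layout: boot flag, CHS start (3), type, CHS end (3), LBA start, sector count.
    boot, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack("<B3sB3sII", entry)
    report, fat, since = DOS_TYPES.get(ptype, ("unknown", "n/a", "n/a"))
    return {
        "bootable": boot == 0x80,
        "type": ptype,
        "fdisk_reports": report,
        "fat_type": fat,
        "since_version": since,
        "lba_start": lba_start,
        "sectors": sectors,
        "size_mb": sectors * SECTOR / (1024 * 1024),
    }


def parse_mbr(sector: bytes) -> dict:
    """Return the disk signature and the non-empty partition entries of a sector."""
    if not is_valid_mbr(sector):
        raise ValueError("not a 512-byte sector with the 0x55AA MBR signature")
    disk_sig = struct.unpack("<I", sector[DISK_SIG_OFFSET:DISK_SIG_OFFSET + 4])[0]
    entries: List[Optional[dict]] = [
        parse_entry(sector[PT_OFFSET + 16 * i: PT_OFFSET + 16 * (i + 1)]) for i in range(4)
    ]
    return {"disk_signature": disk_sig, "partitions": [e for e in entries if e]}


def make_entry(boot: int, ptype: int, lba_start: int, sectors: int) -> bytes:
    """Build a 16-byte entry with zeroed CHS fields (constructed sample data)."""
    return struct.pack("<B3sB3sII", boot, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)


def sample_mbr() -> bytes:
    """Constructed sector: bootable 10 MB type 01, 32 MB type 04, 64 MB extended, one empty slot."""
    table = (make_entry(0x80, 0x01, 63, 20480)          # 20480 * 512 = 10 MB
             + make_entry(0x00, 0x04, 20543, 65536)     # 32 MB
             + make_entry(0x00, 0x05, 86079, 131072)    # extended container, 64 MB
             + bytes(16))                               # unused fourth slot
    sector = bytearray(SECTOR)
    sector[DISK_SIG_OFFSET:DISK_SIG_OFFSET + 4] = struct.pack("<I", 0xDEADBEEF)  # constructed
    sector[PT_OFFSET:PT_OFFSET + 64] = table
    sector[SIG_OFFSET:SIG_OFFSET + 2] = BOOT_SIG
    return bytes(sector)


if __name__ == "__main__":
    for p in parse_mbr(sample_mbr())["partitions"]:
        print(p)
```

In practice the input is the first 512 bytes of a bitstream image rather than sample_mbr(); a missing 0x55AA signature, an all-zero table, or a type byte outside the table are themselves findings worth recording, since they indicate a non-MBR disk, a wiped sector, or a partition type MS-DOS Fdisk would not report.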
This updated version is called FAT32. The FAT32 file system allows for a default cluster size as small as 4 KB, and includes support for EIDE hard disk sizes larger than 2 gigabytes (GB).

NOTE: Microsoft Windows NT 4.0 does not support the FAT32 file system. For additional information about supported file systems in Windows NT 4.0, see the Microsoft Knowledge Base article "Overview of FAT, HPFS and NTFS File Systems".

FAT32 Features

According to Microsoft (Microsoft, Description of the FAT32 File System, 2007), FAT32 provides the following enhancements over previous implementations of the FAT file system:

a) FAT32 supports drives up to 2 terabytes in size.
b) FAT32 uses space more efficiently. FAT32 uses smaller clusters (that is, 4-KB clusters for drives up to 8 GB in size), resulting in 10 to 15 percent more efficient use of disk space relative to large FAT or FAT16 drives.
c) FAT32 is more robust. FAT32 can relocate the root folder and use the backup copy of the file allocation table instead of the default copy. In addition, the boot record on FAT32 drives is expanded to include a backup copy of critical data structures. Therefore, FAT32 drives are less susceptible to a single point of failure than existing FAT16 drives.
d) FAT32 is more flexible. The root folder on a FAT32 drive is an ordinary cluster chain, so it can be located anywhere on the drive. The previous limitations on the number of root folder entries no longer exist. In addition, file allocation table mirroring can be disabled, allowing a copy of the file allocation table other than the first one to be active. These features allow for dynamic resizing of FAT32 partitions. Note, however, that although the FAT32 design allows for this capability, it will not be implemented by Microsoft in the initial release.

NOTE: Microsoft Windows 2000 only supports FAT32 partitions up to a size of 32 GB.
FAT32 Compatibility Considerations

To maintain the greatest compatibility possible with existing programs, networks, and device drivers, FAT32 was implemented with as little change as possible to the existing Windows architecture, internal data structures, Application Programming Interfaces (APIs), and on-disk format. However, because 4 bytes are now required to store cluster values, many internal and on-disk data structures and published APIs have been revised or expanded. In some cases, existing APIs will not work on FAT32 drives. Most programs will be unaffected by these changes. Existing tools and drivers should continue to work on FAT32 drives. However, MS-DOS block device drivers (for example, Aspidisk.sys) and disk tools will need to be revised to support FAT32 drives. All of the Microsoft bundled disk tools (Format, Fdisk, Defrag, and MS-DOS-based and Windows-based ScanDisk) have been revised to work with FAT32. In addition, Microsoft is working with leading device driver and disk tool manufacturers to support them in revising their products to support FAT32.

NOTE: A FAT32 volume cannot be compressed by using Microsoft DriveSpace or DriveSpace 3.

FAT32 Performance

Converting to the FAT32 file system is one of the biggest performance enhancements you can make to your Windows 98-based computer.

Dual-Boot Computers

At this time, Windows 95 OSR2, Windows 98, Windows 2000, and Windows Me are the only Microsoft operating systems that can access FAT32 volumes. MS-DOS, the original version of Windows 95, and Windows NT 4.0 do not recognize FAT32 partitions, and are unable to boot from a FAT32 volume. Also, FAT32 volumes cannot be accessed properly if the computer is started by using another operating system (for example, a Windows 95 or MS-DOS boot disk). Windows 95 OSR2 and Windows 98 can be started in Real mode (for example, to run a game) and can use FAT32 volumes.
Disk Structure, And Forensic Searching Evidence in MS-Dos Creating FAT32 Drives In Windows 95 OSR2, Windows 98, and Windows Me, if you run the Fdisk tool on a hard disk that is over 512 megabytes (MB) in size, Fdisk prompts you whether or not to enable large disk support. If you answer "Yes" (enabling large disk support), any partition you create that is larger than 512 MB is marked as a FAT32 partition. Different between FAT32 and NTFS NTFS has advanced performance features safety and reliability, (Microsoft, Comparing NTFS and FAT32 file systems, 2013) improved support for larger hard disks; the FAT32 is currently used for most USB flash drives. FAT32 doesn't have the same security-related features as NTFS. FAT32 also has size limitations. You can't create a FAT32 partition greater than 32 gigabytes (GB), and you can't store a single file that's larger than 4 GB on a FAT32 partition. Convert from FAT, FAT32 to NTFS Although the probability of data corruption or loss during the conversion is minimal, we recommend that you back up the data on the volume you want to convert before you start the conversion. Is important use the command convert.exe The syntax is: At the command prompt, type the following, where drive letter is the drive you want to convert: convert drive letter: /fs:ntfs If the operating system is installed on the drive that you are converting, you will be prompted to schedule the task when you restart the computer because the conversion cannot be completed while the operating system is running. When prompted, click YES. When the following message in the command prompt, type the volume label of the drive that you are converting, and then press ENTER: and When the conversion to NTFS is complete, the following error message in the command prompt: conversion complete (the conversion is done). The Alcala University (Alcala, 2013)in Spain explains clearly the characteristics of the NTFS file system: 1. 
1. Recoverability: NTFS provides system recovery based on a transaction processing model, a technique for managing modifications to a database so that failures do not affect its integrity. If a system failure interrupts a transaction, the part already completed must be cancelled, leaving the database in its previous state.

2. Safety: Safety is a very important feature of a file system. In NTFS it is derived from the Windows NT object model. Open files are implemented as file objects that have a security descriptor, which ensures that no process can access a file unless it has the permissions set by the system administrator or the owner of the file. So before a process can open a handle to any object, the system checks that it has the proper authorization.

3. Data redundancy: In the event of a power outage or a system failure, NTFS cannot guarantee complete recovery of data; therefore applications must implement data redundancy to provide a higher level of protection.

4. Fault tolerance: The tiered driver model allows fault-tolerant disks, formed by a fault-tolerant controller that communicates with the hard disk controller to write the data to disk. The fault-tolerant controller can replicate the data to another disk so that a redundant copy can always be found.

PGP: Is the PGP encryption system symmetric, asymmetric, both, neither or something else? Explain. As part of your answer discuss what is meant by symmetric and asymmetric encryption and relate this to the PGP system.

The most common encryption software is PGP, "Pretty Good Privacy". It is a family of software systems developed by Philip R.
Zimmermann at MIT; at present it is the base for the development of other PGP applications. It provides data integrity services for messages and data files by using these core technologies: digital signatures, encryption, compression, and Radix-64 conversion. In addition, PGP provides key management and certificate services, but many of these are beyond the scope of this document.

PGP combines symmetric-key encryption and public-key encryption to provide confidentiality. When an object is made confidential, it is first encrypted using a symmetric encryption algorithm. Each symmetric key is used only once, for a single object. A new "session key" is generated as a random number for each object (sometimes referred to as a session).

Public key cryptography is an asymmetric scheme that uses a pair of keys for encryption: a public key, which encrypts data, and a corresponding private, or secret, key for decryption. Anyone with a copy of your public key can then encrypt information that only you can read, even people you have never met.
Assured Software:

According to National Security Information [13] and based on National Security Directive 42, the government assurance mission focuses on:

a) Comprehensive vulnerability and threat analysis
b) Guidance on IA security solutions
c) Tiered security assessments
d) Tailored solutions for specialized needs
e) Network security products and solutions to enable assured information sharing across security domains or between communities of interest
f) A 24/7 watch and analysis activity providing threat warnings, attack alerts and bulletins
g) Training and security awareness support
h) The Key Management Infrastructure that provisions end cryptographic units
i) Security engineering services that leverage government and commercial solutions

The build process for assured software is based on the DoD Software Assurance Initiative (Britton, 2006), which defines software assurance as: "The level of confidence that software is free of exploitable vulnerabilities, either intentionally designed into the software or accidentally inserted, and that the software functions in a manner as expected."

Assured software has the following properties (Britton, 2006):

a) It works securely and appropriately in performing its intended functions.
b) There is confidence that the software will not perform any unauthorized functions.
c) It does not contain implementation flaws that could be exploited.

[13] http://www.nsa.gov/ia/ia_at_nsa/index.shtml

Confidentiality, Integrity and Availability:

The Systems and Network Attack Center (Agency, 2006) gives an excellent definition of each:

a) Confidentiality: A property that offers assurance that information is shared only among authorized entities; it normally consists of I/A, access control, and cryptography. Assurance that information is not disclosed to unauthorized individuals, processes, or devices.
[CNSS4009]

b) Integrity: A property that offers assurance that information is accurate, reliable, and consistent. To maintain information integrity, a system must prevent, detect, and correct the unauthorized or inadvertent modification of data and executables. Property of data or software that assures that it has not been altered or destroyed in an unauthorized manner.

c) Availability: A property that ensures that resources and services are available for use when they are needed; availability is typically achieved through redundancy, isolation, and quotas on resource usage. Timely, reliable access to data and information services for authorized users.

Discretionary, Mandatory, and Role-Based Access Control (RBAC):

In an information security system, access control restricts subjects (users or processes) from performing operations on objects (data, devices, etc.) (Stephen Dranger, 2010). In Discretionary Access Controls (DACs), each object has an owner who exercises primary control over the object. DACs are the oldest and most widely used class of access controls; the access controls for both Windows and UNIX are DAC. The UNIX DAC, for example, has the well-known three primitive permissions: read, write, and execute. For IBM [14], Mandatory Access Control is a system-enforced method of restricting access to objects based on the sensitivity of the object and the clearance of the user. By contrast, Discretionary Access Control is enforced by individual file owners rather than by the system.
RBAC allows the creation of roles for system administration and the delegation of administrative tasks across a set of trusted system users. [15]

[14] http://pic.dhe.ibm.com/infocenter/aix/v7r1/index.jsp?topic=%2Fcom.ibm.aix.security%2Fdoc%2Fsecurity%2Ftaix_mac.htm
[15] http://pic.dhe.ibm.com/infocenter/aix/v7r1/index.jsp?topic=%2Fcom.ibm.aix.security%2Fdoc%2Fsecurity%2Ftaix_mac.htm

We must also emphasize that RBAC has three elements [16]:

a) Authorizations: indicate the privileged operation.
b) Privileges: an attribute of a process that allows the process to bypass specific system restrictions and limitations.
c) Roles: allow a set of management functions in the system to be combined and assigned to be managed by a regular user.

Principle of Least Privilege:

The principle requiring that each subject be granted the most restrictive set of privileges needed for the performance of that subject's authorized tasks. Application of this principle limits the damage that can result from accident, error, or unauthorized use of a component or system. Least privilege includes the principle that trusted programs should voluntarily limit their own sensitive capabilities to be usable in as few areas of the program as possible. Least privilege helps to reduce the damage from software errors or from unexpected side effects. All trusted software should be designed according to the principle of least privilege. [17] Least privilege separates the once-powerful root user into a privilege mechanism with finer granularity. This division of privileges ensures that if there is a programming error or other defect in the trusted software, very little damage to system security is possible.
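To make the DAC, RBAC and least-privilege distinctions above concrete, here is an added Python example (not from the original paper or from IBM's documentation): a UNIX-style rwx check in which the file's owner decides access, a role table in which privileges attach to roles rather than to objects, and a least-privilege helper that picks the role set carrying the fewest surplus privileges. The role names, privileges, users and files are constructed for illustration.

```python
from dataclasses import dataclass, field
from itertools import combinations

R, W, X = 4, 2, 1   # the three primitive UNIX DAC permissions: read, write, execute


@dataclass
class UnixFile:
    """An object under DAC: its owner decides the 9-bit rwx mode (owner/group/other)."""
    owner: str
    group: str
    mode: int           # e.g. 0o640


@dataclass
class Subject:
    user: str
    groups: set = field(default_factory=set)
    roles: set = field(default_factory=set)


def dac_allows(subj: Subject, obj: UnixFile, want: int) -> bool:
    """Discretionary check: which rwx triplet applies is decided by ownership,
    so the file owner, not the system, controls who gets in."""
    if subj.user == obj.owner:
        bits = (obj.mode >> 6) & 7
    elif obj.group in subj.groups:
        bits = (obj.mode >> 3) & 7
    else:
        bits = obj.mode & 7
    return bits & want == want


# RBAC: privileges attach to roles and users are granted roles (constructed table)
ROLE_PRIVILEGES = {
    "backup_operator": {"read_any_file"},
    "account_admin": {"create_user", "reset_password"},
    "sysadmin": {"read_any_file", "create_user", "reset_password", "shutdown"},
}


def rbac_allows(subj: Subject, operation: str) -> bool:
    return any(operation in ROLE_PRIVILEGES.get(r, set()) for r in subj.roles)


def least_privilege_roles(needed: set) -> set:
    """Choose the role set that covers the needed operations with the fewest surplus
    privileges: the grant the principle of least privilege asks an administrator to make."""
    best, best_surplus = None, None
    names = sorted(ROLE_PRIVILEGES)
    for k in range(1, len(names) + 1):
        for combo in combinations(names, k):
            granted = set().union(*(ROLE_PRIVILEGES[r] for r in combo))
            if needed <= granted:
                surplus = len(granted - needed)
                if best is None or surplus < best_surplus:
                    best, best_surplus = set(combo), surplus
    return best or set()
```

A backup operator who is neither owner nor group member of a 0o640 file is refused by the DAC check even though the role grants read_any_file, which is the point of the two models being enforced at different places.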
Asymmetric Warfare and Security Imbalances:

This imbalance meant an alternate or "asymmetrical" (ROLES, 2001) tactic would have to be utilized that would result in gaining an advantage that would otherwise be unachievable through traditional or conventional methods. Cyber warfare has emerged as a serious challenge to the world's most technologically sophisticated nations, including the United States. Russia has developed a robust cyber warfare capability, partially in consultation with China. Asymmetric warfare is violent action undertaken by the 'have-nots' against the 'haves', whereby the have-nots, be they state or sub-state actors, seek to generate profound effects (Geltzer, 2011).

[16] http://pic.dhe.ibm.com/infocenter/aix/v7r1/index.jsp?topic=%2Fcom.ibm.aix.security%2Fdoc%2Fsecurity%2Ftaix_mac.htm
[17] http://pic.dhe.ibm.com/infocenter/aix/v7r1/index.jsp?topic=%2Fcom.ibm.aix.security%2Fdoc%2Fsecurity%2Ftaix_mac.htm

Risk:

A threat is a potential cause of an incident that may result in harm to a system or organization (AGENCY, 2007): any circumstance or event with the potential to adversely impact an information system through unauthorized access, destruction, disclosure, modification of data, and/or denial of service. The National Security Systems (CNSS) Instruction 4009, National Information Assurance (IA), defines malicious code as: "software or firmware intended to perform an unauthorized process that will have adverse impact on the confidentiality, integrity, or availability of an IS [Information System]." This definition is also used in the CAS Software Assurance Glossary. The definition includes the following:

a) Unauthorized software that has an adverse effect;
b) Authorized software that, when used improperly, has an adverse effect. This may include software in which exploitable faults have been intentionally included.

Threats to software can occur at any point in the software life cycle.
Because the risk to a system or piece of software comes from the likelihood that a particular threat will exploit a vulnerability, it is important to discuss the ways vulnerable software can affect the risks to the entire system. Risk is the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization. It is measured in terms of a combination of the probability of an event and its consequence. [Source: ISO/IEC 13335-1:2005 Information technology—Security techniques—Management of information and communications technology security—Part 1: Concepts and models for information and communications technology security management] Combination of the probability of an event and its consequence. [Source: ISO/IEC Guide 73:2002 Risk management vocabulary. Guidelines for use in standards]

Bibliography

Agency, N. S. (2006). Guide to Microsoft .NET Framework Security. Systems and Network Attack Center, 298.
AGENCY, N. S. (2007). Guidance for Addressing Malicious Code Risk, 73.
Albert J. Marcella, R. S. (2007). Cyber Forensic: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crime. Washington D.C.: Auerbach Publication.
Alcala, U. d. (February 4, 2013). Sistemas Operativos. Retrieved from Características del NTFS: ftp://www.cc.uah.es/pub/Alumnos/I.T.I.Gestion/Sist.Operativos/TECWeb/T1/web/taxonomy/term/11.html
Anthony, S. (July 27, 2011). MS-DOS is 30 years old today. Retrieved from Extreme Tech: http://www.extremetech.com/computing/91202-ms-dos-is-30-years-old-today
Britton, K. (2006). NSA Center for Assured Software. Information Security and Privacy Board, 35.
Casey, E. (2003). Digital Evidence and Computer Crime. San Diego, CA: Academic Press.
Corporation, M. (December 31, 2012). Devices With End-User Services. Retrieved from 2012 Annual Report: http://www.microsoft.com/investor/reports/ar12/shareholder-letter/index.html
Corporation, M. (January 1, 2013). MS-DOS Overview. Retrieved from Windows XP Professional Product Documentation: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/enus/windows_dos_overview.mspx?mfr=true
Defense, D. o. (2011). Strategy for Operating in Cyberspace. Washington: DoD.
Geltzer, M. B. (2011). Asymmetric Strategies as Strategies of the Strong. Truman National Security Project, 15.
Golnaz Elahi, a. E. (2006). Modeling and Analysis of Security Trade-Offs – A Goal. Department of Computer Science, 30.
Microsoft. (January 19, 2007). Description of the FAT32 File System. Retrieved from Support: http://support.microsoft.com/kb/154997
Microsoft. (September 24, 2011). MS-DOS Partitioning Summary. Retrieved from Support: http://support.microsoft.com/kb/69912/EN-US
Microsoft. (February 3, 2013). Command-line reference A-Z. Retrieved from XP, Command-line: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/enus/ntcmds.mspx?mfr=true
Microsoft. (February 4, 2013). Comparing NTFS and FAT32 file systems. Retrieved from Support: http://windows.microsoft.com/en-US/windows7/Comparing-NTFS-and-FAT32file-systems
Morlupi, P. A. (2012). Computer Installations. Units of Measure, 1-3.
Project., T. L. (April 25, 2004). MS-DOS history, description, commands, clones, future outlook. Retrieved from MS-DOS: A Brief Introduction: http://www.linfo.org/ms-dos.html
ROLES, U. A. (2001). Master of Military Art and Science. General Studies, 127.
Schweitzer, D. (2003). Computer Forensic Toolkit. Indianapolis, IN: Wiley Publisher.
Sirer, E. G. (2003). Security Models. Cornell University.
Stephen Dranger, R. H. (2010). The Complexity of Discretionary Access Control. Dept. of Computer Science, 16.
Support, M. (May 12, 2003). MS-DOS: Directory and Subdirectory Limitations. Retrieved from MS-Support: http://support.microsoft.com/kb/39927#appliesto