This document provides an overview and agenda for a computer forensics class. It discusses reviewing the previous lab assignment, beginning a discussion on working with Windows and DOS systems, and recapping the previous lab which focused on understanding how to properly prepare for forensics work by learning DOS and having part of the lab report started in advance. The document then outlines the objectives and topics to be covered in working with Windows and DOS systems, including understanding file systems, exploring Microsoft file structures like FAT, NTFS, and the boot sequence.
2. Guide to Computer Forensics and Investigations, 2e
Agenda
• Questions?
• Assignment 1 due
• Lab Write-ups (project 2-1 and 2-2) due next class
• Lab Recap and After Action Report
• Begin Discussion on Working with Windows and DOS Systems
– Chapter 3 in 1e and Chapter 7 in 2e
3. Lab 1 Recap
• Always know what you are going to do before you sit down at the forensics workstation
– Methodical, not “hack and slash”
– Requires reading and prior preparation
• Learn DOS
– Most forensics work is done at low levels (not in a GUI)
– http://www.glue.umd.edu/~nsw/ench250/dostutor.htm
• Have part of the lab report started before the lab
– Know what it is you are looking for
4. Guide to Computer Forensics and Investigations
Chapter 3
Working with Windows and DOS Systems
5. Objectives
• Understand file systems
• Explore Microsoft file structures
• Examine New Technology File System (NTFS) disks
6. Objectives (continued)
• Understand the Windows Registry
• Understand Microsoft boot tasks
• Understand MS-DOS startup tasks
7. Understanding File Systems
• Understand how OSs work and store files
• CompTIA A+ certification
• File system
– Road map to data on a disk
– Determines how data is stored on disk
• Become familiar with file systems
8. Understanding the Boot Sequence
• Avoid data contamination or modification
• Complementary Metal Oxide Semiconductor (CMOS)
– Stores system configuration, date, and time
• BIOS
– Performs input/output at the hardware level
9. Understanding the Boot Sequence (continued)
• Make sure the computer boots from a floppy disk
– Modify CMOS
– Accessing CMOS depends on the BIOS
• Delete key
• Ctrl+Alt+Insert
• Ctrl+A
• Ctrl+F1
• F2
• F12
10. Understanding the Boot Sequence (continued)
11. Understanding Disk Drives
• Composed of one or more platters
• Elements of a disk:
– Geometry
– Head
– Tracks
– Cylinders
– Sectors
12. Understanding Disk Drives (continued)
13. Understanding Disk Drives (continued)
• Cylinder, head, sector (CHS) calculation
– 512 bytes per sector
– Tracks contain sectors
– Number of bytes on a disk
• Cylinders (platters) x Heads (tracks) x Sectors x 512 bytes per sector
• First track is track 0
– So if a disk's last track is numbered 79 (as a floppy's is), it has 80 tracks
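As an added example (not from the slides), the CHS arithmetic above in Python: capacity from the geometry, the zero-based track count, and a conversion between CHS triples and linear sector numbers; the 1.44 MB floppy geometry (80 tracks, 2 heads, 18 sectors per track) is assumed.

```python
SECTOR_BYTES = 512  # bytes per sector, as the slide assumes

def disk_capacity(cylinders, heads, sectors_per_track, sector_bytes=SECTOR_BYTES):
    """Bytes addressable by a CHS geometry: cylinders x heads x sectors x bytes per sector."""
    return cylinders * heads * sectors_per_track * sector_bytes

def chs_to_lba(c, h, s, heads, sectors_per_track):
    """Map a CHS triple to a linear sector number.
    Cylinders and heads count from 0; sectors within a track count from 1."""
    if not (0 <= h < heads and 1 <= s <= sectors_per_track):
        raise ValueError("CHS address outside the geometry")
    return (c * heads + h) * sectors_per_track + (s - 1)

def lba_to_chs(lba, heads, sectors_per_track):
    """Inverse of chs_to_lba."""
    c, rem = divmod(lba, heads * sectors_per_track)
    h, s = divmod(rem, sectors_per_track)
    return c, h, s + 1

def track_count(highest_track_number):
    """Tracks are numbered from 0, so the highest number is one less than the count."""
    return highest_track_number + 1

# A 1.44 MB floppy (assumed geometry): tracks 0..79, 2 heads, 18 sectors per track
FLOPPY = {"cylinders": track_count(79), "heads": 2, "sectors_per_track": 18}

if __name__ == "__main__":
    print(disk_capacity(**FLOPPY))        # 1474560 bytes
    print(chs_to_lba(79, 1, 18, 2, 18))   # 2879, the last sector on the floppy
    print(lba_to_chs(2879, 2, 18))        # (79, 1, 18)
```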
15. Understanding Disk Drives (continued)
• Zoned bit recording (ZBR)
– Platter’s inner tracks are smaller than outer tracks
– Group tracks by zone
• Track density
– Space between each track
• Areal density
– Number of bits on one square inch of a platter
16. Exploring Microsoft File Structures
• Need to understand
– FAT
– NTFS
• Sectors are grouped into clusters
– Storage allocation units of at least 512 bytes
– Minimize read and write overhead
• Clusters are referred to as logical addresses
• Sectors are referred to as physical addresses
17. Disk Partitions
• Logical drive
• Hidden partitions or voids
– Large, unused gaps between partitions
– Also known as partition gaps
– Can hide data
• Use a disk editor to change the partition table
– Norton Disk Edit
– WinHex, Hex Workshop
– http://www.x-ways.net/winhex/index-m.html
18. Disk Partitions (continued)
19. Disk Partitions (continued)
• Disk editor additional functions
– Identify OS on an unknown disk
– Identify file types
20. Disk Partitions (continued)
24. Master Boot Record
• Stores information about partitions
– Location
– Size
– Others
• Software can replace master boot record (MBR)
– PartitionMagic
– LILO
– Can interfere with forensics tasks
– Use more than one tool
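An added example, not from the slides or from any of the tools named above: parsing the four-entry MBR partition table in Python and listing the sector ranges no partition covers, which are the partition gaps from the Disk Partitions slide. The 512-byte image is constructed, and the 0x55AA signature check is the first sanity check to make on an unknown disk.

```python
import struct

SECTOR = 512

def parse_mbr(mbr: bytes):
    """Return the non-empty primary partition entries of a 512-byte MBR, sorted by start."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA signature: not a valid MBR")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i:446 + 16 * (i + 1)]
        # boot flag, 3-byte CHS start (skipped), type, 3-byte CHS end (skipped), LBA start, count
        boot, ptype, start, count = struct.unpack("<B3xB3xII", entry)
        if ptype == 0:  # empty slot
            continue
        parts.append({"bootable": boot == 0x80, "type": ptype,
                      "start": start, "end": start + count - 1})
    return sorted(parts, key=lambda p: p["start"])

def partition_gaps(parts, total_sectors):
    """Sector ranges that no partition covers: the voids an examiner should inspect."""
    gaps, cursor = [], 1  # sector 0 holds the MBR itself
    for p in parts:
        if p["start"] > cursor:
            gaps.append((cursor, p["start"] - 1))
        cursor = max(cursor, p["end"] + 1)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps

def build_mbr(entries):
    """Construct a test MBR from (boot flag, type, LBA start, sector count) tuples."""
    table = b"".join(struct.pack("<B3xB3xII", *e) for e in entries).ljust(64, b"\x00")
    return b"\x00" * 446 + table + b"\x55\xaa"

# Constructed 20,000-sector disk: a bootable FAT16 partition (type 0x06), a 2,000-sector
# gap, then an NTFS partition (type 0x07) that stops short of the end of the disk.
SAMPLE_MBR = build_mbr([(0x80, 0x06, 63, 8000), (0x00, 0x07, 10063, 9000)])

if __name__ == "__main__":
    parts = parse_mbr(SAMPLE_MBR)
    for p in parts:
        print(p)
    print(partition_gaps(parts, 20000))  # [(1, 62), (8063, 10062), (19063, 19999)]
```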
25. Examining FAT Disks
• FAT was originally developed for floppy disks
– Stores filenames, directory names, date and time stamps, starting cluster, and attributes
• Typically written to the outermost track
• Evolution
– FAT12
– FAT16
– FAT32
26. Examining FAT Disks (continued)
27. Examining FAT Disks (continued)
• Drive slack
– Unused space on a cluster
– RAM slack
• Can contain logon IDs and passwords
• Common on older systems
– File slack
• Bytes not used on the sector by the file
• FAT16 unintentionally reduced fragmentation
28. Examining FAT Disks (continued)
29. Examining FAT Disks (continued)
• Cluster chaining
– A file's clusters are kept together (when possible)
• When they cannot be, the file becomes fragmented
• Tools
– Norton DiskEdit
– DriveSpy’s Chain Fat Entry (CFE) command
• Rebuilding broken chains can be difficult
30. Examining FAT Disks (continued)
32. Deleting FAT Files
• The first byte of the filename in the FAT database is set to hex E5
• FAT chain for that file is set to zero
• Free disk space is incremented
• Actual data remains on disk
• Can be recovered with computer forensics tools
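An added example (not from the slides) covering the slack, cluster-chaining and deletion slides above: decode 8.3 FAT directory entries, follow each file's cluster chain, flag fragmented or broken chains, and size RAM, file and drive slack. The FAT table, the three directory entries, the filenames and the 2048-byte cluster size are all constructed for illustration.

```python
import struct
CLUSTER_BYTES = 2048   # assumed cluster size: 4 sectors of 512 bytes
FAT16_EOC = 0xFFF8     # FAT values at or above this mark the end of a chain
ENTRY_FMT = "<8s3sB14xHI"  # name, ext, attributes, (skipped fields), start cluster, size

def parse_dir_entry(raw: bytes):
    """Decode a 32-byte 8.3 directory entry. A first byte of 0xE5 marks a deleted file."""
    name, ext, attr, start, size = struct.unpack(ENTRY_FMT, raw)
    deleted = raw[0] == 0xE5
    shown = (b"?" + name[1:]) if deleted else name   # the first character is lost on delete
    return {"name": f"{shown.decode('ascii').rstrip()}.{ext.decode('ascii').rstrip()}",
            "deleted": deleted, "attr": attr, "start": start, "size": size}

def follow_chain(fat, start):
    """Walk the cluster chain from `start`. Stops at end-of-chain, at a free (0) entry,
    or when a cluster repeats (a broken chain); returns (clusters, chain_intact)."""
    chain, cl = [], start
    while 2 <= cl < min(len(fat), FAT16_EOC) and cl not in chain:
        chain.append(cl)
        cl = fat[cl]
    return chain, cl >= FAT16_EOC

def slack(size, cluster_bytes=CLUSTER_BYTES, sector_bytes=512):
    """RAM slack: from the file's last byte to the end of that sector. File slack: the
    unused whole sectors in the last cluster. Drive slack: both together."""
    drive = (-size) % cluster_bytes
    ram = (-size) % sector_bytes
    return {"ram": ram, "file": drive - ram, "drive": drive}

# Constructed FAT (index = cluster number): 3->4->5 is contiguous, 6->9 skips clusters
# 7 and 8 (fragmented), and cluster 10 was zeroed when its file was deleted.
FAT = [0xFFF8, 0xFFFF, 0, 4, 5, 0xFFFF, 9, 0, 0, 0xFFFF, 0, 0]
ENTRIES = [  # constructed directory entries; the third is the deleted file
    struct.pack(ENTRY_FMT, b"REPORT  ", b"TXT", 0x20, 3, 5000),
    struct.pack(ENTRY_FMT, b"LOG     ", b"DAT", 0x20, 6, 2100),
    struct.pack(ENTRY_FMT, b"\xE5ECRET  ", b"DOC", 0x20, 10, 900),
]

def analyse(entries=ENTRIES, fat=FAT):
    """Per file: decoded entry, its chain, whether the chain is intact or fragmented, slack."""
    out = []
    for raw in entries:
        e = parse_dir_entry(raw)
        chain, intact = follow_chain(fat, e["start"])
        e.update(chain=chain, chain_intact=intact,
                 fragmented=any(b != a + 1 for a, b in zip(chain, chain[1:])),
                 slack=slack(e["size"]))
        out.append(e)
    return out
```

For the deleted entry only the starting cluster survives in the directory, so `analyse()` reports a one-cluster, non-intact chain: the data is still on disk, but the rest of the chain has to be recovered from the clusters themselves.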
33. Examining NTFS Disks
• First introduced with Windows NT
• Spin-off of HPFS
– From IBM OS/2
• Provides improvements over FAT file systems
– Stores more information about a file
• Microsoft’s move toward a journaling file system
– Keep track of transactions
– Can be rolled back
34. Examining NTFS Disks (continued)
• Partition Boot Sector starts at sector 0
• Master File Table (MFT)
– First file on the disk
– Contains information about all files on the disk (metadata)
• Reduces slack space
• NTFS uses Unicode
– UTF-8, UTF-16, UTF-32
35. Examining NTFS Disks (continued)
36. NTFS File Attributes
• All files and folders have attributes
• Resident attributes
– Stored in the MFT
• Nonresident attributes
– Everything that cannot be stored in the MFT
• Uses inodes for nonresident attributes
• Logical and virtual cluster numbers
– LCN and VCN
37. NTFS Data Streams
• Data can be appended to a file in an additional stream that is easy to miss when examining a disk
– Can obscure valuable evidentiary data
• Additional data attribute of a file
• Allow files to be associated with different applications
38. NTFS Compressed Files
• Improve data storage
– Compression similar to FAT DriveSpace 3
• Files, folders, or an entire volume can be compressed
• Transparent when working with Windows XP, 2000, or NT
• Need to decompress it when analyzing
– Advanced tools do it automatically
39. NTFS Encrypted File System (EFS)
• Introduced with Windows 2000
• Implements a public key/private key encryption method
• Recovery certificate
– Recovery mechanisms in case of a problem
• Works for local workstations or remote servers
40. Deleting NTFS Files
• Similar to FAT
• NTFS is more efficient than FAT
– Reclaiming deleted space
– Deleted files are overwritten more quickly
41. Understanding the Windows Registry
• Database that stores:
– Hardware and software configuration
– User preferences (user names and passwords)
– Setup information
• Use Regedit command for Windows 9x
• Use Regedt32 command for Windows XP and 2000
• FTK Registry Viewer
42. Understanding the Windows Registry (continued)
• Windows 9x Registry
– User.dat
– System.dat
• Windows 2000 and XP Registry
– \Winnt\System32\Config
– \Windows\System32\Config
– System, SAM, Security, Software, and NTUser.dat
43. Understanding the Windows Registry (continued)
44. Understanding Microsoft Boot Tasks
• Prevent damaging digital evidence
• OSs alter files when computer starts up
45. Windows XP, 2000 and NT Startup
• Steps:
– Power-on self test (POST)
– Initial startup
– Boot loader
– Hardware detection and configuration
– Kernel loading
– User logon
46. Startup Files for Windows XP
• Files used during boot process:
– NTLDR
– Boot.ini
– BootSec.dos
– NTDetect.com
– NTBootdd.sys
– Ntoskrnl.exe
– Hal.dll
– Device drivers
47. Windows XP System Files
48. Windows 9x and Me Startup
• Windows Me cannot boot to a true MS-DOS mode
• Windows 9x OSs have two modes
– DOS protected-mode interface (DPMI)
• Command prompt from the boot menu
– Protected-mode GUI
• DOS shell in Windows
• Startup files
– Io.sys
– Msdos.sys
– Command.com
49. Windows 9x and Me Startup (continued)
50. Understanding MS-DOS Startup Task
• Io.sys
– Loaded after the ROM bootstrap
– Finds the disk drive
– Provides basic input/output services
• Msdos.sys
– Loaded after Io.sys
– Actual kernel for MS-DOS
– Looks for Config.sys
51. Understanding MS-DOS Startup Task (continued)
• Msdos.sys (continued)
– Loads Command.com
– Loads Autoexec.bat
• Config.sys
– Commands run only at system startup
• Autoexec.bat
– Customized settings for MS-DOS
– Defines the default path and environment variables
52. Other Disk Operating Systems
• Control Program for Microprocessors (CP/M)
• Digital Research Operating System (DR-DOS)
• Personal Computer Disk Operating System (PC-DOS)
– Developed by IBM
53. DOS Commands and Batch Files
• Batch files
– Fixed sequence of DOS commands
– Ideal for repetitive tasks
• Batch files work like a single command
• MS-DOS supports parameter passing and conditional execution
– Can pass up to 10 parameters
54. DOS Commands and Batch Files (continued)
55. DOS Commands and Batch Files (continued)
56. Summary
• FAT
– FAT12, FAT16, and FAT32
• Windows Registry keeps hardware and software configuration and preferences
• CHS calculation
• NTFS
• Look for hidden information in file, RAM, and drive slack
57. Summary (continued)
• NTFS uses Unicode to store information
• Hexadecimal codes identify OSs and file types
• NTFS uses inodes to link file attribute records
– Resident and nonresident
• NTFS compressed files
• NTFS encrypted files (EFS)