8/8/2019 25184952 Computer Forensic Chapter 03
Working with Windows and DOS Systems
Chapter 3
Learning Objectives
Understand File Systems
Explore Microsoft Disk Structures
Examine New Technology File System (NTFS) Disks
Understand Microsoft Boot Tasks
Understand Microsoft Disk Operating System (MS-DOS) Startup Tasks
Understand File Systems
File System: Provides an operating system with a road map to the data on a disk.
Understand File Systems
Bootstrap: Information contained in the read-only memory (ROM) that the computer accesses during its startup process; it tells the computer how to access the operating system and the hard drive.
Understand File Systems
Registry: A database that stores hardware and software configuration information, user preferences, and setup information.
Understand File Systems
Disk Drive Overview
Geometry: Reflects the internal organization of the drive.
Head: Device that reads and writes data to the drive.
Tracks: Individual circles on a disk platter where data is located.
Cylinder: Column of tracks on two or more disk platters.
Sector: Individual section on a track.
Understand File Systems
Zoned Bit Recording: How manufacturers deal with the fact that the inner tracks of a platter are physically smaller than the outer tracks. Grouping the tracks by zones ensures that the tracks are all the same size.
Understand File Systems
Track Density: The space between tracks on a disk. The smaller the space between the tracks, the more tracks on a disk. Older drives with wider track densities allow wandering.
Understand File Systems
Areal Density: The number of bits per square inch on a platter.
Understand File Systems
Head and Cylinder Skew: A method used by manufacturers to minimize lag time. The starting sectors of adjacent tracks are slightly offset from each other to allow time for the read-write head to move.
Exploring Microsoft File Structures
Clusters: Storage allocation units of 512, 1024, 2048, 4096, or more bytes.
Logical Address: Cluster addresses that are assigned by the operating system.
Physical Address: Addresses that reside at the hardware or firmware level.
Exploring Microsoft File Structures
Partition: A logical drive on a disk. It can be the entire disk or a portion thereof.
Inter-Partition Gap: Unused space or voids left between the primary partition and the first logical partition when partitions are created.
Exploring Microsoft File Structures
Master Boot Record (MBR): On Windows and DOS computer systems, the boot disk file, which contains information regarding the files on a disk and their locations, size, and other critical items.
Exploring Microsoft File Structures
File Allocation Table (FAT): The original file structure database, which Microsoft designed for floppy disks. It is written to the outermost track of a disk and contains information about each file stored on the drive. The variations are FAT12, FAT16, and FAT32.
Exploring Microsoft File Structures
Chain FAT Entry: A command used by DriveSpy that displays all the clusters in a chain that starts at a specified cluster.
Exploring Microsoft File Structures
End-of-File Marker: 0x0FFFFFFF. This code is typically used with FAT file systems to show where the file ends.
Unallocated Disk Space: The area of disk where a deleted file resides.
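As an added example (not part of the textbook slides), here is a small Python walker that does what a chain FAT entry command does: it follows a FAT32 chain from a given cluster until the 0x0FFFFFFF end-of-file marker, refuses to follow free, bad or looping entries, and maps each cluster to a byte offset in the volume. The FAT contents, the data-area start sector and the cluster size are constructed assumptions, not values from a real disk.

```python
# Added example (not from the textbook): walk a FAT32 cluster chain the way a
# "chain FAT entry" command does, stopping at the 0x0FFFFFFF end-of-file marker,
# and map each cluster to its byte offset in the volume.
FAT32_MASK = 0x0FFFFFFF      # only the low 28 bits of a FAT32 entry are used
FAT32_EOC_MIN = 0x0FFFFFF8   # 0x0FFFFFF8..0x0FFFFFFF all mean "last cluster"
FAT32_BAD = 0x0FFFFFF7       # bad-cluster marker
FAT32_FREE = 0x00000000      # free (or zeroed-after-delete) cluster


def chain_fat_entry(fat, start):
    """Return the clusters chained from `start`, ending at the EOF marker.
    Raises ValueError on free or bad entries and on loops, which are the
    signs of a corrupted, overwritten or deleted chain."""
    if start < 2 or start >= len(fat):
        raise ValueError(f"cluster {start} lies outside the data area")
    chain, seen, cur = [], set(), start
    while True:
        if cur in seen:
            raise ValueError(f"loop detected at cluster {cur}")
        seen.add(cur)
        chain.append(cur)
        entry = fat[cur] & FAT32_MASK
        if entry >= FAT32_EOC_MIN:       # end-of-file marker: chain complete
            return chain
        if entry == FAT32_BAD:
            raise ValueError(f"cluster {cur} is followed by a bad-cluster marker")
        if entry == FAT32_FREE:          # deleting a file zeroes its FAT entries
            raise ValueError(f"chain broken at cluster {cur}: next entry is free")
        if entry < 2 or entry >= len(fat):
            raise ValueError(f"cluster {cur} points outside the FAT: {entry:#x}")
        cur = entry


def cluster_offset(cluster, data_start_sector, sectors_per_cluster,
                   bytes_per_sector=512):
    """Byte offset of a data cluster; FAT numbers data clusters from 2."""
    sector = data_start_sector + (cluster - 2) * sectors_per_cluster
    return sector * bytes_per_sector


# Constructed 16-entry FAT (sample data, not from a real disk):
# entries 0 and 1 are reserved; 2 is a one-cluster file; 3 -> 4 ends with the
# 0x0FFFFFF8 variant of the marker; 5 -> 6 -> 9 is a three-cluster file;
# 10 <-> 11 is a corrupt loop; 12 is marked bad; the rest are free.
SAMPLE_FAT = [0x0FFFFFF8, 0x0FFFFFFF, 0x0FFFFFFF, 4, 0x0FFFFFF8,
              6, 9, 0, 0, 0x0FFFFFFF, 11, 10, 0x0FFFFFF7, 0, 0, 0]

if __name__ == "__main__":
    # Assumed layout: data area begins at sector 32, 8 sectors (4096 bytes) per cluster
    for c in chain_fat_entry(SAMPLE_FAT, 5):
        print(f"cluster {c:2d} at byte offset {cluster_offset(c, 32, 8):#x}")
```

Because deletion zeroes a file's FAT entries, the walker stops with an error at the first free entry; that is exactly why a deleted file's contents have to be recovered from unallocated disk space rather than by following the chain.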
Examining NTFS Disks
New Technology File System (NTFS): Introduced when Microsoft created Windows NT. NTFS is the primary file system for Windows XP. NTFS uses security features, allows for smaller cluster sizes, and uses Unicode, which makes it a much more versatile file system.
Examining NTFS Disks
Partition Boot Sector: The first data set of an NTFS disk. It starts at sector [0] of the disk drive and can be expanded up to 16 sectors.
Master File Table (MFT): Used by NTFS to track files. It contains information about the access rights, date and time stamps, system attributes, and parts of the file.
Examining NTFS Disks
Unicode: A 16-bit character code representation that is replacing ASCII. It is capable of representing over 64,000 characters.
American Standard Code for Information Interchange (ASCII): A coding scheme using 7 or 8 bits that assigns numeric values to up to 256 characters, including letters, numerals, punctuation marks, control characters, and other symbols.
Examining NTFS Disks
Metadata: In NTFS, this refers to information stored in the MFT.
Examining NTFS Disks
Resident Attributes: When referring to the MFT, all attributes that are stored inside the MFT of the NTFS volume.
Nonresident Attributes: When referring to the MFT of the NTFS volume, all data that is stored in a location separate from the MFT.
Examining NTFS Disks
Logical Cluster Numbers (LCNs): Used by the MFT of NTFS. An LCN refers to a specific physical location on the drive.
Virtual Cluster Number (VCN): When a file is saved in NTFS, it is assigned both a logical cluster number and a virtual cluster number. The logical cluster is a physical location, while the virtual cluster consists of chained clusters.
Examining NTFS Disks
Multiple Data Streams: Ways in which data can be appended to a file, intentionally or not. In NTFS, the appended data becomes an additional data attribute of the file.
Examining NTFS Disks
Encrypting File System (EFS): Symmetric key encryption first used in Windows 2000 on NTFS-formatted disks.
Public Key: In encryption, the key held by the system receiving the file.
Private Key: In encryption, the key held by the owner of the file.
Examining NTFS Disks
EFS Recovery Agent Functions:
-CIPHER
-COPY
-EFSRECOVER
Understanding Microsoft Boot Tasks
Windows XP, 2000, and NT Startup:
-Power-on self test
-Initial startup
-Boot loader
-Hardware detection and configuration
-Kernel loading
-User logon
Understanding Microsoft Boot Tasks
NT Loader (NTLDR): Loads Windows NT. It is located in the root folder of the system partition.
Boot.ini: Specifies the Windows NT installation path.
BootSect.dos: Contains the address of the boot sector location of each operating system.
NTDetect.com: A command file that identifies hardware components during bootup and sends the information to NTLDR.
Understanding Microsoft Boot Tasks
NTBootdd.sys: Device driver that allows access to SCSI or ATA drives that are not related to the BIOS.
Ntoskrnl.exe: The Windows NT operating system kernel. It is located in the Windows\System32 folder.
Hal.dll: Hardware abstraction layer dynamic link library. It tells the operating system kernel how to interface with the hardware.
Device Drivers: Contain instructions for the operating system for hardware devices.
Understanding Microsoft Boot Tasks
DOS Protected-Mode Interface (DPMI): Used by many computer forensics tools that do not operate in the Windows environment.
Understanding Microsoft Boot Tasks
Command.com: Provides a prompt when booting to MS-DOS mode. It is the user interface for the MS-DOS operating system and contains the following commands:
-DIR
-CD
-CLS
-DATE
-COPY
-DEL
-MD
-PATH
-PROMPT
-RD
-SET
-TIME
-TYPE
-VER
-VOL
Understanding MS-DOS Startup Tasks
IO.SYS: The first file loaded after the ROM bootstrap loader finds the operating system. This file allows for communication between the computer's BIOS and hardware, and with MS-DOS code.
MSDOS.SYS: A hidden text file that contains startup options for Windows 9x. In MS-DOS, this file is the operating system kernel.
CONFIG.SYS: A text file that contains commands that are typically run only at system startup.
Understanding MS-DOS Startup Tasks
AUTOEXEC.BAT: An automatically executed batch file that contains customized commands and settings for MS-DOS.
Chapter Summary
-The Microsoft operating systems used FAT12 and FAT16 on older systems such as MS-DOS, Windows 3.x and Windows 9x.
-The Registry on older Windows OSs is used to keep a record of hardware attached, user preferences, network information, and installed software.
-The capacity of a hard disk is obtained by using the cylinders, heads, and sectors. To find the capacity of a disk, multiply the number of heads, sectors, and tracks.
-Clusters are used to accommodate large files. Sectors are grouped into clusters, and clusters are chained to minimize the overhead of reading and writing files to a disk.
-The New Technology File System is more versatile because it uses the MFT to track information such as security items, the first 750 bytes of data, long and short filenames, and a list of nonresident attributes.
-File slack, RAM slack, and drive slack are all areas in which valuable information may reside on a drive.
-To be an effective computer forensics investigator, you need to maintain a library of older operating systems and applications.
-NTFS uses Unicode to store information. Unicode is an international code and uses a 16-bit configuration instead of the 8-bit configuration used by ASCII.
-Hexadecimal codes provide information about files and OSs. You can determine the file type by using various tools such as WinHex and Hex Workshop.
-NTFS uses inodes to link file attribute records to other file attribute records. Attributes fall into two categories: resident and nonresident.
-NTFS can compress individual files, folders, or entire partitions. FAT16 can only compress entire volumes.