25184952 Computer Forensic Chapter 03


8/8/2019 25184952 Computer Forensic Chapter 03

Slide 1/65: Working with Windows and DOS Systems (Chapter 3)

Slide 2/65: Learning Objectives

Understand File Systems
Explore Microsoft Disk Structures
Examine New Technology File System (NTFS) Disks
Understand Microsoft Boot Tasks
Understand Microsoft Disk Operating System (MS-DOS) Startup Tasks

Slide 3/65: Understand File Systems

File System: Provides an operating system with a road map to the data on a disk.

Slide 4/65: Understand File Systems

Bootstrap: Information contained in the read-only memory (ROM) that the computer accesses during its startup process; it tells the computer how to access the operating system and the hard drive.

Slide 5/65: Understand File Systems (slide content not captured)

Slide 6/65: Understand File Systems

Registry: A database that stores hardware and software configuration information, user preferences, and setup information.

Slide 7/65: Understand File Systems (Disk Drive Overview)

Geometry: Reflects the internal organization of the drive.
Head: Device that reads and writes data to the drive.
Tracks: Individual circles on a disk platter where data is located.
Cylinder: Column of tracks on two or more disk platters.
Sector: Individual section on a track.

Slides 8-9/65: Understand File Systems (slide content not captured)

Slide 10/65: Understand File Systems

Zoned Bit Recording: How manufacturers deal with the fact that the inner tracks of a platter are physically smaller than the outer tracks. Grouping the tracks by zones ensures that the tracks are all the same size.

Slide 11/65: Understand File Systems

Track Density: The space between tracks on a disk. The smaller the space between the tracks, the more tracks on a disk. Older drives with wider track densities allow wandering.

Slide 12/65: Understand File Systems

Areal Density: The number of bits per square inch on a platter.

Slide 13/65: Understand File Systems

Head and Cylinder Skew: A method used by manufacturers to minimize lag time. The starting sectors of tracks are slightly offset from each other to move the read-write head.

Slide 14/65: Understand File Systems (slide content not captured)

Slide 15/65: Exploring Microsoft File Structures

Clusters: Storage allocation units of 512, 1024, 2048, 4096, or more bytes.
Logical Address: Clusters that are assigned by the operating system.
Physical Address: Addresses that reside at the hardware or firmware level.

Slide 16/65: Exploring Microsoft File Structures

Partition: A logical drive on a disk. It can be the entire disk or a portion thereof.
Inter-Partition Gap: Unused space or voids between the primary partition and the first logical partition.

Slides 17-22/65: Exploring Microsoft File Structures (slide content not captured)

Slide 23/65: Exploring Microsoft File Structures

Master Boot Record (MBR): On Windows and DOS computer systems, the boot disk file, which contains information regarding the files on a disk and their locations, size, and other critical items.
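The on-disk layout of the MBR is worth seeing next to the definition. The Python below is an added example written for this page, not code from the slides or the textbook: it parses the four-entry partition table that sector 0 carries and lists the sector ranges no partition covers, which is where an inter-partition gap (slide 16) or a tail gap would show up in an examination. The disk image is constructed; the only assumption is the standard MBR layout (446 bytes of boot code, four 16-byte partition entries at offset 446, and the 0x55AA signature at offset 510).

```python
"""Parse an MBR partition table and report the sectors no partition covers.
Added example for this page, not the textbook's code.  Layout assumed is the
standard one: boot code (446 bytes), four 16-byte entries, 0x55AA signature.
The sample sector below is constructed."""
import struct

SECTOR = 512
# boot flag, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
ENTRY_FMT = "<B3sB3sII"


def parse_mbr(sector0: bytes) -> list:
    """Return the in-use partition entries from a 512-byte sector 0."""
    if len(sector0) < SECTOR:
        raise ValueError("need a full 512-byte sector")
    if sector0[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        flag, _chs_s, ptype, _chs_e, lba, count = struct.unpack(
            ENTRY_FMT, sector0[off:off + 16])
        if ptype == 0 or count == 0:
            continue  # unused slot
        parts.append({"index": i, "bootable": flag == 0x80, "type": ptype,
                      "start": lba, "end": lba + count - 1})
    return parts


def find_gaps(parts: list, total_sectors: int) -> list:
    """(first, last) sector ranges that belong to no partition.
    Sector 0 is the MBR itself, so the scan starts at sector 1."""
    gaps = []
    cursor = 1
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] > cursor:
            gaps.append((cursor, p["start"] - 1))
        cursor = max(cursor, p["end"] + 1)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps


def build_entry(flag: int, ptype: int, lba: int, count: int) -> bytes:
    """Helper to construct a partition entry; CHS fields are left as 0xFFFFFF."""
    return struct.pack(ENTRY_FMT, flag, b"\xff\xff\xff", ptype, b"\xff\xff\xff", lba, count)


# Constructed sample: a 20,480-sector disk holding a bootable FAT32 partition
# (type 0x0B) at LBA 63 and an NTFS partition (type 0x07) that starts 1,000
# sectors after the first one ends.
SAMPLE_MBR = (
    bytes(446)
    + build_entry(0x80, 0x0B, 63, 8000)
    + build_entry(0x00, 0x07, 9063, 10000)
    + bytes(32)          # two empty slots
    + b"\x55\xaa"
)
SAMPLE_TOTAL = 20480

if __name__ == "__main__":
    parts = parse_mbr(SAMPLE_MBR)
    for p in parts:
        print(p)
    print("unallocated sector ranges:", find_gaps(parts, SAMPLE_TOTAL))
```

On the constructed disk the scan reports three uncovered ranges: the sectors between the MBR and the first partition, the 1,000-sector gap between the two partitions, and the tail of the disk. All three are places an examiner would image and inspect separately, because nothing in the file systems above them accounts for their contents.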

Slide 24/65: Exploring Microsoft File Structures

File Allocation Table (FAT): The original file structure database that Microsoft designed for floppy disks. It is written to the outermost track of a disk and contains information about each file stored on the drive. The variations are FAT12, FAT16, and FAT32.

Slides 25-28/65: Exploring Microsoft File Structures (slide content not captured)

Slide 29/65: Exploring Microsoft File Structures

Chain FAT Entry: A command used by DriveSpy that displays all the clusters in a chain that starts at a specified cluster.

Slide 30/65: Exploring Microsoft File Structures (slide content not captured)

Slide 31/65: Exploring Microsoft File Structures

End-of-File Marker: 0x0FFFFFFF. This code is typically used with FAT file systems to show where the file ends.
Unallocated Disk Space: The area of disk where a deleted file resides.
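To make the cluster chain and the end-of-file marker concrete, here is an added Python example (not part of the slides): it follows a FAT32 chain from a starting cluster, as the Chain FAT Entry command on slide 29 does, stops at the end-of-chain marker, and refuses to continue through a loop, a bad-cluster marker, or a free entry, which is how a corrupted or hand-edited FAT shows up during examination. It also reports the slack left in the last cluster of the file. The FAT table, cluster size and file size are constructed; the marker values (0x0FFFFFF8 to 0x0FFFFFFF end of chain, 0x0FFFFFF7 bad cluster, 0 free, 28 significant bits per entry) are the standard FAT32 ones.

```python
"""Follow a FAT32 cluster chain and compute the slack in its last cluster.
Added example for this page, not DriveSpy's or the textbook's code.  The FAT
entry values are the standard FAT32 ones; the sample table is constructed."""
import struct

EOC_MIN = 0x0FFFFFF8   # 0x0FFFFFF8..0x0FFFFFFF mark end of chain (slide shows 0x0FFFFFFF)
BAD = 0x0FFFFFF7       # bad-cluster marker
MASK = 0x0FFFFFFF      # FAT32 uses only the low 28 bits of each 32-bit entry


def fat_entry(fat: bytes, cluster: int) -> int:
    """Read the FAT entry for `cluster` (4 bytes each, little-endian)."""
    return struct.unpack_from("<I", fat, cluster * 4)[0] & MASK


def chain(fat: bytes, start: int) -> list:
    """Clusters from `start` up to the end-of-chain marker, in order.
    Raises ValueError on loops, bad-cluster markers, free entries or
    out-of-range clusters, all of which mean the FAT is not trustworthy."""
    seen, order = set(), []
    cur = start
    while True:
        if cur in seen:
            raise ValueError(f"chain loops back to cluster {cur}")
        if cur < 2 or cur * 4 + 4 > len(fat):   # clusters 0 and 1 are reserved
            raise ValueError(f"cluster {cur} out of range")
        seen.add(cur)
        order.append(cur)
        nxt = fat_entry(fat, cur)
        if nxt >= EOC_MIN:
            return order
        if nxt == BAD:
            raise ValueError(f"bad-cluster marker follows cluster {cur}")
        if nxt == 0:
            raise ValueError(f"chain from {start} runs into a free entry at {cur}")
        cur = nxt


def slack_bytes(file_size: int, n_clusters: int, cluster_size: int) -> int:
    """Bytes allocated to the file that hold no file data (its slack)."""
    return n_clusters * cluster_size - file_size


# Constructed 16-entry FAT (clusters 0..15).  File A occupies 5 -> 6 -> 9 -> EOC.
# Clusters 12 <-> 13 form a deliberate loop so the loop check can be exercised.
_entries = [0x0FFFFFF8, 0x0FFFFFFF, 0, 0, 0,
            6, 9, 0, 0, 0x0FFFFFFF, 0, 0,
            13, 12, 0, 0]
SAMPLE_FAT = b"".join(struct.pack("<I", e) for e in _entries)
CLUSTER_SIZE = 4096
FILE_A_SIZE = 10000   # needs three 4,096-byte clusters; 2,288 bytes are slack

if __name__ == "__main__":
    clusters = chain(SAMPLE_FAT, 5)
    print("file A clusters:", clusters)
    print("slack bytes:", slack_bytes(FILE_A_SIZE, len(clusters), CLUSTER_SIZE))
    try:
        chain(SAMPLE_FAT, 12)
    except ValueError as exc:
        print("corrupt chain:", exc)
```

The slack figure is why the chapter summary lists file slack as a place evidence can survive: the last 2,288 bytes of file A's third cluster are never overwritten by the file itself, so whatever occupied that cluster earlier may still be there.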

Slide 32/65: Examining NTFS Disks

New Technology File System (NTFS): Introduced when Microsoft created Windows NT. NTFS is the primary file system for Windows XP. NTFS uses security features, allows for smaller cluster sizes, and uses Unicode, which makes it a much more versatile operating system.

Slide 33/65: Examining NTFS Disks

Partition Boot Sector: The first data set of an NTFS disk. It starts at sector [0] of the disk drive and can be expanded up to 16 sectors.
Master File Table (MFT): Used by NTFS to track files. It contains information about the access rights, date and time stamps, system attributes, and parts of the file.

Slide 34/65: Examining NTFS Disks (slide content not captured)

Slide 35/65: Examining NTFS Disks

Unicode: A 16-bit character code representation that is replacing ASCII. It is capable of representing over 64,000 characters.
American Standard Code for Information Interchange (ASCII): A coding scheme using 7 or 8 bits that assigns numeric values to up to 256 characters, including letters, numerals, punctuation marks, control characters, and other symbols.
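Because NTFS stores names as 16-bit Unicode while FAT-era structures store them as 8-bit ASCII, a keyword search over raw disk data has to look for both forms or it misses half the evidence. The Python below is an added example, not code from the slides: it pulls printable runs out of a byte buffer in both encodings, the way a strings-style tool does, and reports the offset and encoding of each hit, plus a direct lookup for one keyword in both encodings. The buffer is constructed to stand in for a chunk of a disk image.

```python
"""Extract printable strings from raw bytes in both 8-bit ASCII and the
16-bit little-endian Unicode form NTFS uses for names.  Added example for
this page; the sample buffer is constructed."""
import re


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """(offset, encoding, text) for every printable run of at least min_len
    characters, found as ASCII or as UTF-16LE, sorted by offset."""
    out = []
    # 8-bit: a run of printable ASCII bytes
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        out.append((m.start(), "ascii", m.group().decode("ascii")))
    # 16-bit: each printable byte is followed by a 0x00 high byte
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        out.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(out)


def keyword_offsets(data: bytes, keyword: str) -> dict:
    """Offsets at which `keyword` appears, checked in both encodings."""
    hits = {}
    for label, needle in (("ascii", keyword.encode("ascii")),
                          ("utf-16le", keyword.encode("utf-16-le"))):
        found, pos = [], data.find(needle)
        while pos != -1:
            found.append(pos)
            pos = data.find(needle, pos + 1)
        hits[label] = found
    return hits


# Constructed "image" chunk: a FAT-style 8-bit name at offset 16, padding,
# then an NTFS-style UTF-16LE name at offset 32.
SAMPLE = (b"\x00" * 16
          + b"SECRET.DOC" + b"\x00" * 6
          + "secret.doc".encode("utf-16-le")
          + b"\xff" * 8)

if __name__ == "__main__":
    for off, enc, text in extract_strings(SAMPLE):
        print(f"{off:6d}  {enc:9s}  {text}")
    print(keyword_offsets(SAMPLE, "secret"))
```

An ASCII-only pass over this buffer reports one string; the UTF-16LE pass finds the second name, which is the form an NTFS file-name attribute would hold. Searching both encodings is the practical consequence of the Unicode/ASCII distinction on the slide.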

Slide 36/65: Examining NTFS Disks

Meta-Data: In NTFS, this refers to information stored in the MFT.

Slides 37-38/65: Examining NTFS Disks (slide content not captured)

Slide 39/65: Examining NTFS Disks

Resident Attributes: When referring to the MFT, all attributes that are stored in the MFT of the NTFS.
Nonresident Attributes: When referring to the MFT of the NTFS, all data that is stored in a location separate from the MFT.

Slides 40-41/65: Examining NTFS Disks (slide content not captured)

Slide 42/65: Examining NTFS Disks

Logical Cluster Numbers (LCNs): Used by the MFT of NTFS. An LCN refers to a specific physical location on the drive.
Virtual Cluster Number (VCN): When a file is saved in NTFS, it is assigned both a logical cluster number and a virtual cluster number. The logical cluster is a physical location, while the virtual cluster consists of chained clusters.
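The VCN-to-LCN relationship lives in the run list of a nonresident attribute (slide 39): a compact encoding that says, for each contiguous fragment, how many file-relative clusters it covers and where on the volume it starts. The Python below is an added example, not code from the slides or the textbook: it decodes a run list and maps any VCN to its LCN, including the sparse case where a run has no clusters on disk. The run-list encoding assumed here is the standard NTFS one (header byte: low nibble is the size of the length field, high nibble the size of the offset field; both little-endian; the offset is signed and relative to the previous run's starting LCN; a 0x00 header ends the list; an offset field of size 0 means a sparse run). The run-list bytes are constructed.

```python
"""Decode an NTFS nonresident attribute's run list and map VCNs to LCNs.
Added example for this page, not the textbook's code.  The encoding is the
standard NTFS run-list format; the sample bytes are constructed."""


def decode_runs(data: bytes) -> list:
    """Return [(start_vcn, length_in_clusters, start_lcn_or_None), ...].
    start_lcn is None for a sparse run, which occupies no clusters on disk."""
    runs, pos, vcn, lcn = [], 0, 0, 0
    while pos < len(data) and data[pos] != 0:
        hdr = data[pos]
        len_size, off_size = hdr & 0x0F, hdr >> 4
        pos += 1
        length = int.from_bytes(data[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            runs.append((vcn, length, None))           # sparse run
        else:
            # offset is a signed delta from the previous run's start LCN,
            # so a fragment can lie earlier on the volume than the one before it
            delta = int.from_bytes(data[pos:pos + off_size], "little", signed=True)
            pos += off_size
            lcn += delta
            runs.append((vcn, length, lcn))
        vcn += length
    return runs


def vcn_to_lcn(runs: list, vcn: int):
    """Physical cluster holding file-relative cluster `vcn`, or None when the
    VCN is sparse or beyond the attribute's last run."""
    for start_vcn, length, start_lcn in runs:
        if start_vcn <= vcn < start_vcn + length:
            return None if start_lcn is None else start_lcn + (vcn - start_vcn)
    return None


# Constructed run list:
#   0x21 0x18 0x34 0x56 : 24 clusters starting at LCN 0x5634 (22068)
#   0x21 0x10 0xFF 0xEE : 16 clusters, delta 0xEEFF = -4353 -> LCN 17715
#   0x01 0x08           : 8 sparse clusters (no LCN)
#   0x00                : end of list
SAMPLE_RUNS = bytes([0x21, 0x18, 0x34, 0x56,
                     0x21, 0x10, 0xFF, 0xEE,
                     0x01, 0x08,
                     0x00])

if __name__ == "__main__":
    runs = decode_runs(SAMPLE_RUNS)
    print("runs:", runs)
    for v in (0, 23, 24, 39, 40, 48):
        print(f"VCN {v:2d} -> LCN {vcn_to_lcn(runs, v)}")
```

The second run has a negative delta, so the file's clusters 24 to 39 sit at a lower LCN than clusters 0 to 23: the VCN sequence stays contiguous while the LCNs do not, which is exactly the distinction the slide draws between the logical (physical location) and virtual (chained) numbering.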

Slide 43/65: Examining NTFS Disks (slide content not captured)

Slide 44/65: Examining NTFS Disks

Multiple Data Streams: Ways in which data can be appended to a file, intentionally or not. In NTFS, the appended data becomes an additional data attribute of the file.

Slide 45/65: Examining NTFS Disks

Encrypted File System (EFS): Symmetric key encryption first used in Windows 2000 on NTFS-formatted disks.
Public Key: In encryption, the key held by the system receiving the file.
Private Key: In encryption, the key held by the owner of the file.

Slide 46/65: Examining NTFS Disks

EFS Recovery Agent Functions:
-CIPHER
-COPY
-EFSRECOVER

Slide 47/65: Understanding Microsoft Boot Tasks

Windows XP, 2000, and NT Startup:
-Power on self test
-Initial startup
-Boot loader
-Hardware detection and configuration
-Kernel loading
-User logon

Slide 48/65: Understanding Microsoft Boot Tasks

NT Loader (NTLDR): Loads Windows NT. It is located in the root folder of the system partition.
Boot.ini: Specifies the path to the Windows NT installation.
BootSect.dos: Contains the address of the boot sector location of each operating system.
NTDetect.com: A command file that identifies hardware components during bootup and sends the information to NTLDR.

Slide 49/65: Understanding Microsoft Boot Tasks

NTBootdd.sys: Device driver that allows access to SCSI or ATA drives that are not related to the BIOS.
Ntoskrnl.exe: The Windows NT operating system kernel. It is located in the Windows\System32 folder.
Hal.dll: Hardware abstraction layer dynamic link library. It tells the operating system kernel how to interface with the hardware.
Device Drivers: Contain instructions for the operating system for hardware devices.

Slide 50/65: Understanding Microsoft Boot Tasks (slide content not captured)

Slide 51/65: Understanding Microsoft Boot Tasks

DOS Protected-Mode Interface (DPMI): Used by many computer forensics tools that do not operate in the Windows environment.

Slides 52-53/65: Understanding Microsoft Boot Tasks (slide content not captured)

Slide 54/65: Understanding Microsoft Boot Tasks

Command.com: Provides a prompt when booting to MS-DOS mode. User interface for the MS-DOS operating system. Contains the following commands:
-DIR
-CD
-CLS
-DATE
-COPY
-DEL

Slide 55/65: Understanding Microsoft Boot Tasks (Command.com commands, continued)

-MD
-PATH
-PROMPT
-RD
-SET
-TIME
-TYPE
-VER
-VOL

Slide 56/65: Understanding MS-DOS Startup Tasks

IO.SYS: The first file loaded after the ROM bootstrap loader finds the operating system. This file allows for communication between the computer's BIOS and hardware, and with MS-DOS code.
MSDOS.SYS: A hidden text file that contains startup options for Windows 9x. In MS-DOS, this file is the operating system kernel.
CONFIG.SYS: A text file that contains commands that are typically run only at system startup.

Slide 57/65: Understanding MS-DOS Startup Tasks

AUTOEXEC.BAT: An automatically executed batch file that contains customized commands and settings for MS-DOS.

Slides 58-61/65: Understanding MS-DOS Startup Tasks (slide content not captured)

Slide 62/65: Chapter Summary

-The Microsoft operating systems used FAT12 and FAT16 on older systems such as MS-DOS, Windows 3.x, and Windows 9x.
-The Registry on older Windows OSs is used to keep a record of hardware attached, user preferences, network information, and installed software.
-The capacity of a hard disk is obtained by using the cylinders, heads, and sectors. To find the capacity of a disk, multiply the number of heads, sectors, and tracks.

Slide 63/65: Chapter Summary

-Clusters are used to accommodate large files. Sectors are grouped into clusters, and clusters are chained to minimize the overhead of reading and writing files to a disk.
-The New Technology File System is more versatile because it uses the MFT to track information such as security items, the first 750 bytes of data, long and short filenames, and a list of nonresident attributes.
-File slack, RAM slack, and drive slack are all areas in which valuable information may reside on a drive.

Slide 64/65: Chapter Summary

-To be an effective computer forensics investigator, you need to maintain a library of older operating systems and applications.
-NTFS uses Unicode to store information. Unicode is an international code and uses a 16-bit configuration instead of the 8-bit configuration used by ASCII.
-Hexadecimal codes provide information about files and OSs. You can determine the file type by using various tools such as WinHex and Hex Workshop.

Slide 65/65: Chapter Summary

-NTFS uses inodes to link file attribute records to other file attribute records. Attributes fall into two categories: resident and nonresident.
-NTFS can compress individual files, folders, or entire partitions. FAT16 can only compress entire volumes.