25184952 Computer Forensic Chapter 03

Published on January 2017

Working with Windows and DOS Systems

Chapter 3

Learning Objectives
- Understand file systems
- Explore Microsoft disk structures
- Examine New Technology File System (NTFS) disks
- Understand Microsoft boot tasks
- Understand Microsoft Disk Operating System (MS-DOS) startup tasks

Understand File Systems
- File system – Provides an operating system with a road map to the data on a disk.
- Bootstrap – Information contained in read-only memory (ROM) that the computer accesses during its startup process; it tells the computer how to access the operating system and the hard drive.
- Registry – A database that stores hardware and software configuration information, user preferences, and setup information.

Disk Drive Overview
- Geometry – Reflects the internal organization of the drive.
- Head – Device that reads and writes data to the drive.
- Tracks – Individual circles on a disk platter where data is located.
- Cylinder – Column of tracks on two or more disk platters.
- Sector – Individual section on a track.
- Zoned bit recording – How manufacturers deal with the fact that the inner tracks of a platter are physically smaller than the outer tracks. Grouping the tracks by zones ensures that the tracks are all the same size.
- Track density – The space between tracks on a disk. The smaller the space between the tracks, the more tracks on a disk. Older drives with wider spacing between tracks allow some head wandering.
- Areal density – The number of bits per square inch on a platter.
- Head and cylinder skew – A method used by manufacturers to minimize lag time. The starting sectors of tracks are slightly offset from each other to reduce movement of the read-write head.
Exploring Microsoft File Structures
- Clusters – Storage allocation units of 512, 1024, 2048, 4096, or more bytes.
- Logical address – Cluster addresses assigned by the operating system.
- Physical address – Addresses that reside at the hardware or firmware level.
- Partition – A logical drive on a disk. It can be the entire disk or a portion of it.
- Inter-partition gap – Unused space or voids left between the primary partition and the first logical partition when partitions are created.
- Master Boot Record (MBR) – On Windows and DOS computer systems, the boot disk file, which contains information regarding the files on a disk and their locations, size, and other critical items.
- File Allocation Table (FAT) – The original file structure database that Microsoft designed for floppy disks. It is written to the outermost track of a disk and contains information about each file stored on the drive. The variations are FAT12, FAT16, and FAT32.
- Chain FAT entry – A DriveSpy command that displays all the clusters in a chain starting at a specified cluster.
- End-of-file marker – 0x0FFFFFFF. This code is typically used with FAT file systems to show where a file ends.
- Unallocated disk space – The area of the disk where a deleted file resides.
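Walking a cluster chain the way the Chain FAT Entry command does, as an added example that is not from the chapter or from DriveSpy. It assumes FAT32-style 28-bit entries, where 0x0FFFFFF8 through 0x0FFFFFFF mark end of file and 0x0FFFFFF7 marks a bad cluster, and the FAT it walks is a small constructed table rather than one read from a disk; the walk stops on the conditions an examiner cares about (a zeroed entry left behind by a delete, a bad cluster, or a loop in a corrupted table).

```python
FAT32_MASK = 0x0FFFFFFF     # only the low 28 bits of a FAT32 entry are significant
FAT32_EOF_MIN = 0x0FFFFFF8  # entries 0x0FFFFFF8..0x0FFFFFFF all mean "end of chain"
FAT32_BAD = 0x0FFFFFF7      # marks the cluster owning this entry as bad
FAT32_FREE = 0x00000000     # cluster is unallocated

# Constructed sample FAT (not from a real disk): index = cluster number,
# value = next cluster in the chain. Entries 0 and 1 are reserved.
SAMPLE_FAT = [
    0x0FFFFFF8, 0xFFFFFFFF,  # reserved entries
    3, 4, 0x0FFFFFFF,        # file A: 2 -> 3 -> 4 -> end-of-file marker
    0, 0,                    # clusters 5 and 6 are free (unallocated space)
    8, 7,                    # clusters 7 and 8 point at each other (corrupt chain)
    10, FAT32_BAD,           # cluster 9 chains into cluster 10, which is marked bad
]


def chain_from(fat, start):
    """Follow the chain that begins at cluster `start`; return (clusters, status).

    `clusters` lists the chain's clusters in order. `status` says why the walk
    stopped: "eof" (normal end-of-file marker), "free" (landed on an unallocated
    cluster, which is what a deleted file's directory entry points at), "bad",
    "loop" (circular chain), or "out-of-range".
    """
    clusters, seen, cur = [], set(), start
    while True:
        if cur < 2 or cur >= len(fat):
            return clusters, "out-of-range"
        if cur in seen:
            return clusters, "loop"
        entry = fat[cur] & FAT32_MASK
        if entry == FAT32_FREE:
            return clusters, "free"
        if entry == FAT32_BAD:
            return clusters, "bad"
        seen.add(cur)
        clusters.append(cur)
        if entry >= FAT32_EOF_MIN:
            return clusters, "eof"
        cur = entry


def cluster_offset(cluster, data_start, cluster_bytes):
    """Byte offset of a data cluster; `data_start` is the offset of cluster 2."""
    return data_start + (cluster - 2) * cluster_bytes


if __name__ == "__main__":
    for start in (2, 5, 7, 9):
        print(start, chain_from(SAMPLE_FAT, start))
```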

Examining NTFS Disks
- New Technology File System (NTFS) – Introduced when Microsoft created Windows NT. NTFS is the primary file system for Windows XP. NTFS uses security features, allows for smaller cluster sizes, and uses Unicode, which makes it a much more versatile file system.
- Partition boot sector – The first data set on an NTFS disk. It starts at sector 0 of the disk drive and can be expanded up to 16 sectors.
- Master File Table (MFT) – Used by NTFS to track files. It contains information about access rights, date and time stamps, system attributes, and parts of the file.
- Unicode – A 16-bit character code representation that is replacing ASCII. It is capable of representing over 64,000 characters.
- American Standard Code for Information Interchange (ASCII) – A coding scheme using 7 or 8 bits that assigns numeric values to up to 256 characters, including letters, numerals, punctuation marks, control characters, and other symbols.
- Metadata – In NTFS, the information stored in the MFT.
- Resident attributes – All attributes that are stored within the MFT itself.
- Nonresident attributes – All data that is stored in a location separate from the MFT.
- Logical cluster number (LCN) – Used by the MFT; refers to a specific physical location on the drive.
- Virtual cluster number (VCN) – When a file is saved in NTFS, it is assigned both a logical cluster number and a virtual cluster number. The logical cluster is a physical location, while the virtual cluster consists of chained clusters.
- Multiple data streams – Ways in which data can be appended to a file, intentionally or not. In NTFS, such data becomes an additional data attribute of the file.
- Encrypting File System (EFS) – Symmetric key encryption first used in Windows 2000 on NTFS-formatted disks.
- Public key – In encryption, the key held by the system receiving the file.
- Private key – In encryption, the key held by the owner of the file.
- EFS recovery agent functions:
  - CIPHER
  - COPY
  - EFSRECOVER

Understanding Microsoft Boot Tasks
Windows XP, 2000, and NT startup:
- Power-on self test
- Initial startup
- Boot loader
- Hardware detection and configuration
- Kernel loading
- User logon

- NT Loader (NTLDR) – Loads Windows NT. It is located in the root folder of the system partition.
- Boot.ini – Specifies the Windows NT installation path.
- BootSect.dos – Contains the address of the boot sector location of each operating system.
- NTDetect.com – A command file that identifies hardware components during bootup and sends the information to NTLDR.
- NTBootdd.sys – Device driver that allows access to SCSI or ATA drives that are not related to the BIOS.
- Ntoskrnl.exe – The Windows NT operating system kernel. It is located in the Windows\System32 folder.
- Hal.dll – Hardware abstraction layer dynamic link library. It tells the operating system kernel how to interface with the hardware.
- Device drivers – Contain instructions for the operating system for hardware devices.
- DOS Protected-Mode Interface (DPMI) – Used by many computer forensics tools that do not operate in the Windows environment.
- Command.com – Provides a prompt when booting to MS-DOS mode; it is the user interface for the MS-DOS operating system. It contains the following commands: DIR, CD, CLS, DATE, COPY, DEL, MD, PATH, PROMPT, RD, SET, TIME, TYPE, VER, VOL.

Understanding MS-DOS Startup Tasks
- IO.SYS – The first file loaded after the ROM bootstrap loader finds the operating system. This file allows communication between the computer's BIOS and hardware, and with MS-DOS code.
- MSDOS.SYS – A hidden text file that contains startup options for Windows 9x. In MS-DOS, this file is the operating system kernel.
- CONFIG.SYS – A text file that contains commands that are typically run only at system startup.
- AUTOEXEC.BAT – An automatically executed batch file that contains customized commands and settings for MS-DOS.
Chapter Summary
- The Microsoft operating systems used FAT12 and FAT16 on older systems such as MS-DOS, Windows 3.x, and Windows 9x.
- The Registry on older Windows OSs is used to keep a record of hardware attached, user preferences, network information, and installed software.
- The capacity of a hard disk is obtained from the cylinders, heads, and sectors. To find the capacity of a disk, multiply the number of heads, sectors, and tracks.
- Clusters are used to accommodate large files. Sectors are grouped into clusters, and clusters are chained to minimize the overhead of reading and writing files to a disk.
- The New Technology File System is more versatile because it uses the MFT to track information such as security items, the first 750 bytes of data, long and short filenames, and a list of nonresident attributes.
- File slack, RAM slack, and drive slack are all areas in which valuable information may reside on a drive.
- To be an effective computer forensics investigator, you need to maintain a library of older operating systems and applications.
- NTFS uses Unicode to store information. Unicode is an international code and uses a 16-bit configuration instead of the 8-bit configuration used by ASCII.
- Hexadecimal codes provide information about files and OSs. You can determine the file type by using tools such as WinHex and Hex Workshop.
- NTFS uses inodes to link file attribute records to other file attribute records. Attributes fall into two categories: resident and nonresident.
- NTFS can compress individual files, folders, or entire partitions. FAT16 can only compress entire volumes.
