COS/PSA 413 Day 3

Guide to Computer Forensics and Investigations, 2e
Agenda
Questions?
Assignment 1 due
Lab write-ups (projects 2-1 and 2-2) due next class
Lab recap and after action report
Begin discussion on Working with Windows and DOS Systems
– Chapter 3 in 1e and Chapter 7 in 2e

Lab 1 Recap
Always know what you are going to do before you sit down at the forensics workstation
– Methodical, not "hack and slash"
– Requires reading and prior preparation
Learn DOS
– Most forensics work is done at low levels (not in the GUI)
Have part of the lab report started before the lab
– Know what it is you are looking for

Guide to Computer Forensics and Investigations Chapter 3 Working with Windows and DOS Systems

Objectives
Understand file systems
Explore Microsoft file structures
Examine New Technology File System (NTFS) disks

Objectives (continued)
Understand the Windows Registry
Understand Microsoft boot tasks
Understand MS-DOS startup tasks

Understanding File Systems
Understand how OSs work and store files (CompTIA A+ level knowledge is assumed)
File system
– Road map to the data on a disk
– Determines how data is stored on the disk and how it is located again
Become familiar with the file systems you will encounter

Understanding the Boot Sequence
Goal: avoid contaminating or modifying the evidence drive during startup
Complementary Metal Oxide Semiconductor (CMOS)
– Battery-backed memory that stores the system configuration, including the date and time and the boot device order
BIOS
– Firmware that performs input/output at the hardware level and runs the POST before handing control to the boot device

Understanding the Boot Sequence (continued)
Make sure the computer boots from a forensic boot floppy, not from the suspect's hard disk
– Modify the boot order in CMOS setup
– The key that opens CMOS setup depends on the BIOS: Delete, Ctrl+Alt+Insert, Ctrl+A, Ctrl+F1, F2, F12
– Verify the boot order before powering on with the evidence drive attached

Understanding Disk Drives
A hard disk is composed of one or more platters
Elements of a disk:
– Geometry
– Heads
– Tracks
– Cylinders
– Sectors

Understanding Disk Drives (continued)
Cylinder, head, sector (CHS) addressing
– 512 bytes per sector (on disks of this era)
– Each track is divided into sectors
– A cylinder is the set of tracks at the same radius on every platter surface; each surface has its own read/write head
Number of bytes on a disk
– Cylinders x Heads x Sectors per track x 512
Tracks are numbered from 0
– So if the last track on a disk is listed as 79 (as on a 1.44 MB floppy), the disk has 80 tracks
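The CHS arithmetic above, worked through as an added example (this is not code from the textbook or the slides). The 1.44 MB floppy geometry of 80 cylinders x 2 heads x 18 sectors per track is the real layout; the legacy BIOS geometry of 1024 x 255 x 63 is the INT 13h CHS limit. Everything else (function names, the Geometry class) is this example's own.

```python
"""CHS geometry arithmetic: capacity and CHS <-> LBA conversion (added example)."""
from dataclasses import dataclass

SECTOR_SIZE = 512


@dataclass(frozen=True)
class Geometry:
    cylinders: int
    heads: int
    sectors_per_track: int

    def total_sectors(self) -> int:
        return self.cylinders * self.heads * self.sectors_per_track

    def total_bytes(self) -> int:
        # Cylinders x Heads x Sectors per track x 512, exactly as on the slide
        return self.total_sectors() * SECTOR_SIZE


def chs_to_lba(geo: Geometry, c: int, h: int, s: int) -> int:
    """Cylinders and heads are numbered from 0, sectors within a track from 1."""
    if not (0 <= c < geo.cylinders and 0 <= h < geo.heads
            and 1 <= s <= geo.sectors_per_track):
        raise ValueError("CHS address outside the drive geometry")
    return (c * geo.heads + h) * geo.sectors_per_track + (s - 1)


def lba_to_chs(geo: Geometry, lba: int) -> tuple:
    """Inverse of chs_to_lba; useful when a partition table gives only LBA values."""
    if not 0 <= lba < geo.total_sectors():
        raise ValueError("LBA outside the drive geometry")
    c, rem = divmod(lba, geo.heads * geo.sectors_per_track)
    h, s0 = divmod(rem, geo.sectors_per_track)
    return (c, h, s0 + 1)


# Real geometries used as inputs
FLOPPY_144 = Geometry(cylinders=80, heads=2, sectors_per_track=18)
BIOS_CHS_LIMIT = Geometry(cylinders=1024, heads=255, sectors_per_track=63)
```

The last addressable sector of the floppy is CHS (79, 1, 18), which converts to LBA 2879; that 79 is why a drive "listing 79 tracks" has 80 of them. BIOS_CHS_LIMIT evaluates to just under 8.5 GB, the reason older BIOSes could not address larger disks by CHS.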

Understanding Disk Drives (continued)
Zoned bit recording (ZBR)
– A platter's inner tracks are physically shorter than its outer tracks
– Tracks are grouped into zones; outer zones hold more sectors per track than inner zones
– Consequence: the fixed sectors-per-track CHS geometry the drive reports to the BIOS is a translation, not the physical layout
Track density
– Number of tracks per inch measured across the platter; the higher the density, the less space between tracks
Areal density
– Number of bits stored on one square inch of a platter

Exploring Microsoft File Structures
Need to understand
– FAT
– NTFS
Sectors are grouped into clusters
– Storage allocation units of one or more sectors (at least 512 bytes)
– Larger clusters minimize read and write overhead, at the cost of more slack space per file
Clusters are referred to as logical addresses
Sectors are referred to as physical addresses

Disk Partitions
Logical drive
Hidden partitions or voids
– Large, unused gaps between partitions
– Also known as partition gaps
– Can be used to hide data, since no file system points at them
Use a disk editor to inspect (or, on a working copy, change) the partition table
– Norton Disk Edit
– WinHex, Hex Workshop

Disk Partitions (continued)
Disk editor additional functions
– Identify the OS on an unknown disk (from the boot sector and the partition type codes)
– Identify file types (from their hexadecimal header signatures)

Master Boot Record
First sector of the disk (sector 0); holds the boot code and the four-entry partition table
Stores information about each partition
– Location (starting sector)
– Size (number of sectors)
– Partition type code and whether it is the active (bootable) partition
Software can replace the master boot record (MBR)
– PartitionMagic
– LILO
– Can interfere with forensics tasks
– Use more than one tool and compare their results
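What a disk editor shows you in the partition table, and how to find the partition gaps described two slides earlier, as an added example that is not code from the textbook or the slides. The 16-byte entry layout, the 0x55AA signature and the type codes in the table are the real MBR format; the 512-byte sector and the 10 MB disk size are constructed for the example, and the function names are this example's own.

```python
"""Parse a classic MBR partition table and report unallocated gaps (added example)."""
import struct

SECTOR_SIZE = 512
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count

# Common partition type codes, enough to tell which OS made the partition
TYPE_NAMES = {0x01: "FAT12", 0x04: "FAT16 <32MB", 0x05: "Extended", 0x06: "FAT16",
              0x07: "NTFS/HPFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
              0x0F: "Extended (LBA)", 0x82: "Linux swap", 0x83: "Linux"}


def parse_mbr(sector: bytes) -> list:
    """Return the non-empty partition entries of a 512-byte MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        status, _, ptype, _, start, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype == 0 and count == 0:
            continue  # empty slot
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "type_name": TYPE_NAMES.get(ptype, "unknown 0x%02x" % ptype),
                      "start": start, "count": count})
    return parts


def partition_gaps(parts: list, disk_sectors: int) -> list:
    """(start, length) of every run of sectors no partition claims: the space after
    the MBR itself, voids between partitions, and anything past the last one."""
    gaps = []
    cursor = 1  # sector 0 is the MBR
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] > cursor:
            gaps.append((cursor, p["start"] - cursor))
        cursor = max(cursor, p["start"] + p["count"])
    if disk_sectors > cursor:
        gaps.append((cursor, disk_sectors - cursor))
    return gaps


def make_entry(status: int, ptype: int, start: int, count: int) -> bytes:
    # CHS fields are set to 0xFF, as tools do when relying on LBA values
    return struct.pack(ENTRY_FMT, status, b"\xff\xff\xff", ptype, b"\xff\xff\xff", start, count)


# Constructed 20,480-sector (10 MB) disk: a bootable FAT16 partition at sector 63,
# an NTFS partition after it, and a deliberate 1,000-sector void between the two.
DISK_SECTORS = 20480
SAMPLE_MBR = (b"\x00" * 446
              + make_entry(0x80, 0x06, 63, 8192)
              + make_entry(0x00, 0x07, 9255, 11000)
              + make_entry(0, 0, 0, 0)
              + make_entry(0, 0, 0, 0)
              + b"\x55\xaa")
```

Running partition_gaps on the sample reports the 62 sectors between the MBR and the first partition (where boot managers such as LILO also put their code), the 1,000-sector void, and 225 unclaimed sectors at the end of the disk; each is a place to look with the disk editor.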

Examining FAT Disks
FAT was originally developed for floppy disks
– The directory holds filenames, directory names, date and time stamps, the starting cluster, and attributes
– The FAT itself maps each cluster to the next cluster in the file
The FAT is written at the start of the volume, typically on the outermost track
Evolution (the number is the width of a FAT entry in bits)
– FAT12
– FAT16
– FAT32

Examining FAT Disks (continued)
File slack
– Unused space between the end of a file and the end of its last cluster
– Made up of RAM slack and drive slack
RAM slack
– The unused bytes at the end of the last sector the file occupies
– Older OSs (Windows 9x and earlier) padded it with whatever happened to be in RAM, so it can contain logon IDs and passwords
Drive slack
– The whole sectors in the last cluster that the file does not use; they keep whatever was written there before
FAT16's large clusters on big volumes unintentionally reduced fragmentation, at the cost of more slack per file

Examining FAT Disks (continued)
Cluster chaining
– Each FAT entry holds the number of the file's next cluster; the last entry holds an end-of-chain marker
– Clusters are allocated together when possible; when the next free cluster is not adjacent, the file becomes fragmented
Tools
– Norton DiskEdit
– DriveSpy's Chain FAT Entry (CFE) command
Rebuilding broken chains can be difficult

Deleting FAT Files
The first byte of the filename in the directory entry is set to hex E5
The FAT chain for that file is set to zero (its clusters are marked free)
Free disk space is incremented
The actual data remains on the disk until the clusters are reused
The file can be recovered with computer forensics tools, as long as its clusters have not been overwritten
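The two previous slides (cluster chaining, and what DEL actually changes) worked through on an in-memory FAT16, as an added example that is not code from the textbook or the slides. The 0xE5 marker, the 0xFFF8 and above end-of-chain values and the reserved entries 0 and 1 are the real FAT16 conventions; the 16-entry FAT, the cluster contents and the directory entry are constructed, and the function names are this example's own. The recovery routine shows why a fragmented deleted file comes back wrong: once the chain is zeroed, all a tool has is the starting cluster and the size.

```python
"""Walk, break and recover a FAT16 cluster chain (added example)."""
FAT16_EOC = 0xFFF8      # any entry >= 0xFFF8 ends a chain
FAT16_BAD = 0xFFF7
CLUSTER_SIZE = 512      # one sector per cluster keeps the sample small


def walk_chain(fat: list, start: int) -> list:
    """Follow FAT entries from `start` and return the file's clusters in order."""
    chain, seen, c = [], set(), start
    while True:
        if c < 2 or c >= len(fat) or c in seen:
            raise ValueError("broken chain at cluster %d" % c)
        chain.append(c)
        seen.add(c)
        nxt = fat[c]
        if nxt >= FAT16_EOC:
            return chain
        if nxt == 0 or nxt == FAT16_BAD:
            raise ValueError("cluster %d points to free/bad cluster 0x%04x" % (c, nxt))
        c = nxt


def is_fragmented(chain: list) -> bool:
    return any(b != a + 1 for a, b in zip(chain, chain[1:]))


def read_file(fat: list, clusters: list, entry: dict) -> bytes:
    data = b"".join(clusters[c] for c in walk_chain(fat, entry["start"]))
    return data[:entry["size"]]


def delete_file(fat: list, entry: dict) -> None:
    """What DEL does: zero the chain, mark the name with 0xE5, leave the data alone."""
    for c in walk_chain(fat, entry["start"]):
        fat[c] = 0
    entry["name"] = b"\xe5" + entry["name"][1:]


def carve_deleted(clusters: list, entry: dict) -> bytes:
    """Best-effort undelete: the FAT no longer links the clusters, so assume the file
    was contiguous from its starting cluster and take ceil(size / cluster) clusters."""
    n = -(-entry["size"] // CLUSTER_SIZE)
    data = b"".join(clusters[entry["start"] + i] for i in range(n))
    return data[:entry["size"]]


def build_sample():
    """Constructed volume: REPORT.TXT occupies clusters 2 -> 3 -> 5 because
    cluster 4 already belonged to OTHER.DAT, so the file is fragmented."""
    fat = [0xFFF8, 0xFFFF] + [0] * 14          # entries 0 and 1 are reserved
    clusters = [b"\x00" * CLUSTER_SIZE] * 16
    fat[2], fat[3], fat[5] = 3, 5, 0xFFFF
    clusters[2], clusters[3] = b"A" * 512, b"B" * 512
    clusters[5] = b"C" * 100 + b"\x00" * 412
    fat[4] = 0xFFFF                            # OTHER.DAT, a single cluster
    clusters[4] = b"X" * 512
    entry = {"name": b"REPORT  TXT", "start": 2, "size": 1124}
    return fat, clusters, entry
```

After delete_file the chain walker fails at cluster 2 (its FAT entry is now 0), while carve_deleted returns the first 1,024 bytes correctly and then 100 bytes of OTHER.DAT instead of the real tail; that is the "rebuilding broken chains can be difficult" problem in miniature.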

Examining NTFS Disks
First introduced with Windows NT
Spin-off of HPFS
– The High Performance File System from IBM's OS/2
Provides improvements over the FAT file systems
– Stores more information about each file (security descriptors, several timestamps, multiple data streams)
Microsoft's move toward a journaling file system
– Keeps a log of metadata transactions
– Incomplete transactions can be rolled back after a crash

Examining NTFS Disks (continued)
The partition boot sector starts at sector 0 of the volume
Master File Table (MFT)
– First file on the volume ($MFT, record 0)
– Contains a record for every file and folder on the volume (metadata)
– Small files are stored entirely inside their MFT record, which reduces slack space
NTFS stores file names in Unicode
– NTFS uses the 16-bit UTF-16 encoding; UTF-8 and UTF-32 are other encodings of the same Unicode code points

NTFS File Attributes
All files and folders have attributes
Resident attributes
– Stored inside the MFT record (file name, standard information, the data of very small files)
Nonresident attributes
– Everything that cannot fit in the MFT record (typically the data of larger files)
– Stored in clusters outside the MFT; the record holds a list of data runs pointing to them
– The textbook calls the records that link these attributes inodes
Logical and virtual cluster numbers
– LCN: the cluster's position on the volume
– VCN: the cluster's position within the file; the data runs map VCNs to LCNs
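How the VCN-to-LCN mapping of a nonresident attribute is actually stored, as an added example (not code from the textbook or the slides). The run-list encoding used here is the real NTFS format: each run begins with a header byte whose low nibble gives the number of length bytes and whose high nibble gives the number of offset bytes, the offset is little-endian, signed and relative to the previous run's LCN, a run with no offset bytes is sparse, and a zero byte ends the list. The ten-byte run list is constructed, and the function names are this example's own.

```python
"""Decode an NTFS data-run list into (VCN, LCN, length) extents (added example)."""


def decode_runlist(runlist: bytes) -> list:
    """Return [(start_vcn, start_lcn, length), ...]; start_lcn is None for a sparse run."""
    runs, pos, vcn, lcn = [], 0, 0, 0
    while pos < len(runlist):
        header = runlist[pos]
        if header == 0:
            break                                   # end of list
        len_bytes, off_bytes = header & 0x0F, header >> 4
        pos += 1
        if len_bytes == 0 or pos + len_bytes + off_bytes > len(runlist):
            raise ValueError("malformed or truncated run header at offset %d" % (pos - 1))
        length = int.from_bytes(runlist[pos:pos + len_bytes], "little")
        pos += len_bytes
        if off_bytes == 0:
            runs.append((vcn, None, length))        # sparse run: no clusters on disk
        else:
            delta = int.from_bytes(runlist[pos:pos + off_bytes], "little", signed=True)
            pos += off_bytes
            lcn += delta                            # offsets are relative to the previous run
            runs.append((vcn, lcn, length))
        vcn += length
    return runs


def vcn_to_lcn(runs: list, vcn: int):
    """Translate a file-relative cluster number to its volume cluster (None if sparse)."""
    for start_vcn, lcn, length in runs:
        if start_vcn <= vcn < start_vcn + length:
            return None if lcn is None else lcn + (vcn - start_vcn)
    raise ValueError("VCN %d is beyond the attribute" % vcn)


def is_fragmented(runs: list) -> bool:
    """Two consecutive on-disk runs that are not adjacent mean the file is fragmented."""
    on_disk = [(lcn, length) for _, lcn, length in runs if lcn is not None]
    return any(b_lcn != a_lcn + a_len for (a_lcn, a_len), (b_lcn, _) in zip(on_disk, on_disk[1:]))


# Constructed run list: 24 clusters at LCN 22068, then 8 clusters 16 clusters *before*
# that (negative offset 0xF0), then 4 sparse clusters, then the terminator.
SAMPLE_RUNLIST = bytes.fromhex("21 18 34 56 11 08 F0 01 04 00")
```

Decoding the sample gives three runs, (0, 22068, 24), (24, 22052, 8) and (32, None, 4): VCN 30 lives at LCN 22058, VCN 33 is sparse, and the file is fragmented because the second run sits before the first on the volume.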

NTFS Data Streams
A file can carry more than one data attribute; the extra ones are alternate data streams
– Addressed as filename:streamname; Explorer and dir do not show them or count them in the file size
– Data can be hidden in a stream, which can obscure valuable evidentiary data during an examination
Streams allow a file to be associated with different applications
– Originally added so that Macintosh resource forks could be stored on NTFS servers

NTFS Compressed Files
Improve data storage
– Compression similar to DriveSpace 3 on FAT, but built into the file system
Files, folders, or an entire volume can be compressed
Transparent when working in Windows XP, 2000, or NT
Need to decompress when analyzing the volume outside the OS
– Advanced forensics tools do it automatically

NTFS Encrypted File System (EFS)
Introduced with Windows 2000
Implements a public key/private key encryption method
– Each file is encrypted with a symmetric file encryption key (FEK); the FEK is then encrypted with the user's public key, so only the user's private key can unlock the file
Recovery certificate
– A recovery agent's public key also encrypts a copy of the FEK, so the file can be recovered if the user's key is lost
Works on local workstations and on remote servers

Deleting NTFS Files
Similar to FAT: the MFT record is marked as not in use and the file's clusters are marked free, but the data stays on disk until the space is reused
NTFS is more efficient than FAT
– Reclaiming deleted space
– Deleted files are therefore overwritten more quickly, so the window for recovery is shorter

Understanding the Windows Registry
Database that stores:
– Hardware and software configuration
– User preferences and account data (user names, and password hashes in the SAM)
– Setup information
Use the Regedit command on Windows 9x
Use the Regedt32 command on Windows 2000 and XP (Regedit is available there too)
FTK Registry Viewer

Understanding the Windows Registry (continued)
Windows 9x Registry
– User.dat
– System.dat
Windows 2000 and XP Registry hive files
– \Winnt\System32\Config (Windows 2000)
– \Windows\System32\Config (Windows XP)
– The System, SAM, Security, and Software hives live there; NTUser.dat is in each user's profile folder

Understanding Microsoft Boot Tasks
Prevent damaging digital evidence
OSs alter files when the computer starts up (timestamps, registry hives, page and log files), so never boot from the evidence drive

Windows XP, 2000 and NT Startup
Steps:
– Power-on self test (POST)
– Initial startup (BIOS reads the MBR and the boot sector)
– Boot loader (NTLDR)
– Hardware detection and configuration (Ntdetect.com)
– Kernel loading (Ntoskrnl.exe and Hal.dll)
– User logon

Startup Files for Windows XP
Files used during the boot process:
– NTLDR
– Boot.ini
– Bootsect.dos
– Ntdetect.com
– Ntbootdd.sys
– Ntoskrnl.exe
– Hal.dll
– Device drivers
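Of the files listed above, Boot.ini is the one an examiner reads first, because it says which disk and partition NTLDR will boot and whether an older OS is chained through Bootsect.dos. The parser below is an added example (not code from the textbook or the slides). The [boot loader]/[operating systems] layout and the multi()disk()rdisk()partition() ARC syntax, in which partition numbers start at 1, are the real Boot.ini format; the file contents are constructed, and the function names are this example's own.

```python
"""Parse a Windows XP Boot.ini and resolve each entry to a disk and partition (added example)."""
import re
from configparser import ConfigParser

ARC_RE = re.compile(
    r"^(multi|scsi)\((\d+)\)disk\((\d+)\)rdisk\((\d+)\)partition\((\d+)\)(\\.*)?$",
    re.IGNORECASE)
LEGACY_RE = re.compile(r"^[A-Za-z]:\\$")     # e.g. C:\ booted via Bootsect.dos


def parse_boot_ini(text: str) -> dict:
    cp = ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str                     # keep ARC paths exactly as written
    cp.read_string(text)
    timeout = int(cp["boot loader"]["timeout"])
    default = cp["boot loader"]["default"]
    entries = []
    for arc, value in cp["operating systems"].items():
        desc, _, switches = value.partition(" /")
        entry = {
            "arc": arc,
            "description": desc.strip().strip('"'),
            "switches": ["/" + s for s in switches.split(" /")] if switches else [],
            "is_default": arc == default,
        }
        m = ARC_RE.match(arc)
        if m:
            entry.update(adapter=m.group(1).lower(), disk=int(m.group(4)),
                         partition=int(m.group(5)), sysroot=m.group(6) or "")
        elif LEGACY_RE.match(arc):
            # Pre-NT system: NTLDR loads the saved boot sector from Bootsect.dos
            entry.update(adapter="legacy", disk=None, partition=None, sysroot="")
        else:
            raise ValueError("unrecognised boot entry: " + arc)
        entries.append(entry)
    return {"timeout": timeout, "default": default, "entries": entries}


# Constructed Boot.ini: XP on the first partition of disk 0, Windows 2000 on the
# second partition of disk 1, and a Windows 98 entry chained through Bootsect.dos.
BOOT_INI = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /noexecute=optin
multi(0)disk(0)rdisk(1)partition(2)\WINNT="Windows 2000 on second disk" /fastdetect
C:\="Microsoft Windows 98"
"""
```

A second disk or a partition number that does not match the partition table you parsed from the MBR is worth noting in the report: it means the machine was booting, or was once configured to boot, something other than the volume in front of you.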

Windows 9x and Me Startup
Windows Me cannot boot to a true MS-DOS mode
Windows 9x OSs have two modes
– DOS protected-mode interface (DPMI): the command prompt reached from the boot menu
– Protected-mode GUI: Windows itself, with a DOS shell available inside Windows
Startup files
– Io.sys
– Msdos.sys
– Command.com

Understanding MS-DOS Startup Tasks
Io.sys
– Loaded after the ROM bootstrap
– Finds the disk drive
– Provides basic input/output services
Msdos.sys
– Loaded after Io.sys
– The actual kernel for MS-DOS
– Looks for Config.sys

Understanding MS-DOS Startup Tasks (continued)
Msdos.sys (continued)
– Loads Command.com
– Command.com then runs Autoexec.bat
Config.sys
– Commands run only at system startup (device drivers, memory settings)
Autoexec.bat
– Customized settings for MS-DOS
– Defines the default path and environment variables

Other Disk Operating Systems
Control Program for Microprocessors (CP/M)
Digital Research Operating System (DR-DOS)
Personal Computer Disk Operating System (PC-DOS)
– Developed by IBM

DOS Commands and Batch Files
Batch files
– Fixed sequence of DOS commands in a .bat text file
– Ideal for repetitive tasks
A batch file runs like a single command
MS-DOS supports parameter passing and conditional execution
– Parameters are referenced as %0 through %9 (%0 is the batch file's own name); SHIFT gives access to any beyond the ninth

Summary
FAT
– FAT12, FAT16, and FAT32
The Windows Registry keeps hardware and software configuration and user preferences
CHS calculation
NTFS
Look for hidden information in file slack, RAM slack, and drive slack

Summary (continued)
NTFS uses Unicode to store information
Hexadecimal codes identify OSs and file types
NTFS uses inodes to link file attribute records
– Resident and nonresident
NTFS compressed files
NTFS encrypted files (EFS)