COS/PSA 413 Day 4
Agenda Questions? Assignment 1 Corrected – 3 A’s, 2 B’s, 2 C’s, 2 D’s and 1 F’s Assignment 2 posted Due in one week Lab Write-ups (project 2-1 and 2-2) due Lab tomorrow at OMS –Project 2-5, Project 3-3, Project 3-4 (with modifications), Project 3-6 Begin Discussion on Macintosh and Linux Boot Process and Disk Structures –Chapter 4 in 1e and Chapter 8 in 2e
Assignment 1 Analysis Excessive Plagiarism –I do not accept “cut and paste” work from the web –Please review UMFK’s Academic Integrity Policy –Just changing the wording of something doesn’t mean you wrote it ( –Further Infractions will receive formal charges of cheating filed with student conduct officer, Grades of Zero and possible dismissal from this class.
Assignment 1 Answers Assignment 1 answers –The are 3 Laws all from Chapter 18 of Title 17-A of the Maine Criminal Code 432 Criminal Invasion of computer privacy (Class D) enacted Aggravated criminal invasion of computer privacy (Class C) enacted Solicitation of child by Computer to commit a prohibited Act (Class C) enacted in 2003 (2001) Cases –There are about 12 that I know of. What I was looking for cases prosecuted under the laws you listed and properly cited. –Many listed cases that nothing to do with the laws they found What are there not more cases, especially for 432 & 433 which have been around for 16 years?
Macintosh and Linux Boot Process and Disk Structures Chapter 4
Learning Objectives Understand Macintosh Disk Structures Explore Macintosh Boot Tasks Examine UNIX and Linux Disk Structures Understand UNIX and Linux Boot Processes Examine Compact Disk (CD) Data Structures Understand Other Disk Structures
Understanding the Macintosh File Structure Mac OS X version 10.3 –Darwin core –BSD UNIX application layer Hierarchical File System (HFC) –Extended Format (HFC+) File Manager and Finder Data fork and resource fork
Understand Macintosh File Structure (v ( and below) Hierarchical File System – The system used by the MAC OS to store files, consisting of folders and subfolders, which can be nested.
Understand Macintosh File Structure File Manager – In Macintosh file system, it handles the reading, writing, and storage of data to physical media. It also collects data to maintain the HFS along with manipulation of files, folders, and volumes.
Understand Macintosh File Structure Finder – Works with the Macintosh OS to keep track of files and maintain the user’s desktop.
Understand Macintosh File Structure Data Fork – The part of the Macintosh file structure that contains the actual data of a file. Resource Fork – The part of the Macintosh file system that contains the resource map, header information for the file, window locations, and icons.
Understand Macintosh File Structure
The resource fork contains the following information: -Resource map -Resource header information for each file -Window locations -Icons
Understand Macintosh File Structure Volume – Refers to any storage media in the Macintosh file system. A volume can be a single floppy disk, a partition on a hard drive, the entire drive, or several drives.
Understanding Volumes Storage medium used to store files A volume can be all or part of a hard disk –On a floppy disk, is always the entire disk Multiple clients per volume Allocation and logical blocks –Logical blocks cannot exceed 512 bytes –Allocation blocks are a set of logical blocks
Understand Macintosh File Structure
Allocation Blocks – The number of logical blocks assembled in the Macintosh file system when a file is saved. Logical Blocks – In the Macintosh file system, a collection of data that cannot exceed 512 bytes. These are assembled in allocation blocks to store files.
Understand Macintosh File Structure
Logical EOF – In the Macintosh file system, the number of bytes that contain data. Physical EOF – In the Macintosh file system, the number of allocation blocks assigned to the file. Difference between the two is free space
Understand Macintosh File Structure
Clumps – In the Macintosh file system, a contiguous allocation block. Clumps are used to keep file fragmentation to a minimum.
Explore Macintosh Boot Tasks Master Directory Block (MDB) – On older Macintosh systems, the location where all information about a volume is stored. A copy of the MDB is kept in the next to the last block on the volume. Volume Information Block (VIB) – Another name for the Master Directory Block.
Explore Macintosh Boot Tasks Extents Overflow File – Used by the Macintosh File Manager when the list of contiguous blocks of a file becomes too long. The overflow of the list is placed in the extents overflow file. Any file extents not in the MDB or VCB are contained here.
Explore Macintosh Boot Tasks Volume Control Block (VCB) – Contains information from the MDB and is used by the File Manager in the Macintosh file system. Catalog – Is used to maintain the relationships between files and directories on a volume. Volume Bitmap – Tracks each block on a volume. B*-Tree – Organizes the directory hierarchy and file block mapping for the File Manager. Header Node – Stores information about the B*-Tree file.
Exploring Macintosh Boot Tasks Use Open Firmware –Processor- and system-independent firmware Older Macintosh OSs –First two logical blocks are boot blocks –Master Directory Block (MDB) or Volume Information Block (VIB) –Extents overflow file –Volume Control Block (VCB)
Exploring Macintosh Boot Tasks (continued) Volume Bitmap –Tracks used and unused blocks on a volume Mac OS 9 uses a B*-tree file system for File Manager –Actual file data is stored on the leaf nodes –Header, index, and map nodes
Using Macintosh Forensic Software For Mac OSs earlier that Mac OS x –Expert Witness originally from ASRData, now owned by Guidance Software –Black Bag Technologies tools Deal specifically with files Macintosh hides PhantomSearch For Mac OS X –Almost any UNIX/Linux forensic tool
Examining UNIX and Linux Disk Structures UNIX flavors –System 7, SGI IRIX, Sun Solaris, IBM AIX, and HP-UX –BSD, FreeBSD, OpenBSD, and NetBSD Linux distributions –Caldera, Red Hat, SuSe, Mandrake, and Debian –Most consistent UNIX-like OSs GNU and BSD licenses
Examining UNIX and Linux Disk Structures (continued)
Linux file systems –Second Extended File System (Ext2fs) –Ext3fs, journaling version of Ext2fs Employs inodes –Pointer to other inodes or blocks –Keep internal link count Deleted inodes have count value 0 Linux file structure –Meta-data and data
Examining UNIX and Linux Disk Structures (continued)
UNIX and Linux Overview Everything is a file –Files are defined as objects UNIX consists of four components Boot block –Disk allocation unit of at least 512 bytes –Contains the bootstrap code –Only one
UNIX and Linux Overview (continued) Superblock –Indicates disk geometry, available space, and location of the first inode –Manages the file system Inode blocks –First data after the superblock –Assigned to every file allocation unit Data blocks –Where directories and files are stored
UNIX and Linux Overview (continued)
Bad block inode –Keeps track of disk bad sectors –Commands: badblocks, mke2fs, and E2fsck/ Linux ls command displays information about files Continuation inode provides more information about a file or directory
UNIX and Linux Overview (continued)
Understanding Inodes Link data stored in data blocks Ext2fs and Ext3fs are improvements over Ext –Data recovery easier on Ext3fs than on Ext2fs First inode has 13 pointers –Pointers 1 to 10 are direct pointers –Pointer 11 is an indirect pointer –Pointer 12 is a double-indirect pointer –Pointer 13 is a triple-indirect pointer
Understanding Inodes (continued)
Understanding UNIX and Linux Boot Processes Instruction code in firmware is loaded into RAM Instruction code then –Checks the hardware –Load the boot program Boot program –Loads kernel –Transfers control to kernel
Understanding UNIX and Linux Boot Processes (continued) Kernel –Boots system on single-user mode –Runs startup scripts –Changes to multiuser mode –Identifies root directory, swap and dump files –Sets host name, time zone –Runs consistency checks on the file system and mounts partitions –Starts services
Understanding Linux Loader and GRUB Linux Loader (LILO) –Old boot manager –Can start two or more OSs –Uses configuration file lilo.conf Grand Unified Boot Loader (GRUB) –More powerful than LILO –As LILO resides on MBR –Command line or menu driven
UNIX and Linux Drives and Partition Schemes Labeled as path starting at root (/) directory –Primary master disk First partition is /dev/hda Second partition is /dev/hda2 –Primary slave or secondary master or slave First partition is /dev/hdb –SCSI controllers /dev/sda with first partition /dev/sda1
Examining CD Data Structures Laser burns flat areas (lands) Lower areas are called pits Transitions –From lands to pits have binary value 1, or on –No transition has binary value 0, or off ISO standards –ISO 9660 for CD, CD-R, and CD-RW –ISO for DVDs
Examining CD Data Structures (continued)
Frame is the unit storage –Contains bit symbols Frames are combined into blocks Blocks are combined into sectors –2352 bytes for CD-DA –2048 bytes for CD Constant Linear Velocity (< 12X) Constant Angular Velocity (>= 12X)
Understanding Other Disk Structures SCSI disks IDE/EIDE disks RAID configurations
Examining SCSI Disks SCSI –Provides a common bus communication device During investigation –Check if the device is internal or external –Check if card, cables, adapters, terminators, and drivers are available –Advance SCSI Programming Interface (ASPI) Might need to adjust settings –Port numbers and terminators
Examining IDE/EIDE Devices ATA drives from ATA-33 to ATA-133 –Standard 40-pin ribbon or shielded cable –40-pin/80-wire cable for ATA-66, 100, and 133 CMOS identifies proper disk settings –Logical block addressing (LBA) –Enhanced CHS configurations –Can pose a problem during an investigation
Examining IDE/EIDE Devices Solutions –Disk imaging tools –Old PC –Cards and adapters ISA SCSI card A-Card IDE adapter SCSI-to-IDE adapter EISA FireWire card FireWire-to-EIDE adapter
Examining the IDE Host Protected Area ATAPI-5 AT introduced in 1998 reserved and protected areas on IDE devices –Protected Area Run Time Interface Extension Service (PARTIES) Contains data stored by diagnostic and restore programs Tools –Area 51 –BIOS, XBIOS Direct Access Reporter (BXDR)
Understanding RAID RAID 0 –Provides rapid access and increased storage –Lack of redundancy RAID 1 –Designed for data recovery –More expensive than RAID 0 RAID 2 –Data is written to a disk on a bit level –Slower than RAID 0
Understanding RAID (continued)
RAID 3 –Uses data stripping and dedicated parity RAID 4 –Data is written in blocks RAID 5 –Places parity recovery data on each disk RAID 6 –Redundant parity on each disk
Understanding RAID (continued)
Chapter Summary -The Macintosh uses a hierarchical file system where files are stored in folders, which can be nested in other folders. The File Manager handles the reading, writing, and storage of data to physical media. -In the Mac OS, a file consists of two parts: a data fork and a resource fork. The resource fork contains a resource map and resource header information for each file, window locations, and icons. The data fork typically contains data that the user creates, such as text or spreadsheets.
Chapter Summary -A volume is any storage media that is used to store files. -Volumes have allocation blocks and logical blocks. A logical block is a collection of data that cannot exceed 512 bytes. An allocation block is a group of consecutive logical blocks. -For older Macintosh operating systems, the first two logical blocks on each volume are the boot blocks, which contain information about the system startup. The startup block contains information about the system configuration.
Chapter Summary -The Linux second extended file system uses inodes. When the internal link count reaches “0”, a file is considered to be deleted. -The Linux file structure is made up of meta-data and data. Meta-data includes items such as the user ID and group ID. An inode contains the modification/access/creation time, not a filename. -Compact discs and digital video discs are optical media used to store large amounts of data. They are regulated by the ISO 9660 and ISO SCSI connectors are used for a variety of peripheral devices.