COS/PSA 413.

Description
Guide to Computer Forensics and Investigations, 2e. Chapter 7: Understanding File Systems. Understand how OSs work and store files. CompTIA A+ certification. File system ...
Transcripts
Slide 1

COS/PSA 413 Day 3

Slide 2

Agenda
- Questions?
- Assignment 1 due
- Lab write-ups (Project 2-1 and 2-2) due next class
- Lab recap and After Action Report
- Begin discussion on Working with Windows and DOS Systems (Chapter 3 in 1e, Chapter 7 in 2e)
Guide to Computer Forensics and Investigations, 2e

Slide 3

Lab 1 Recap
- Always know what you are going to do before you sit down at the forensics workstations
- Methodical, not "hack and slash"
- Requires reading and prior preparation
- Learn DOS: most forensics work is done at low levels (not GUI) http://www.glue.umd.edu/~nsw/ench250/dostutor.htm
- Have part of the lab report started before the lab
- Know what it is you are looking for

Slide 4

Guide to Computer Forensics and Investigations
Chapter 3: Working with Windows and DOS Systems

Slide 5

Objectives
- Understand file systems
- Explore Microsoft file structures
- Examine New Technology File System (NTFS) disks

Slide 6

Objectives (continued)
- Understand the Windows Registry
- Understand Microsoft boot tasks
- Understand MS-DOS startup tasks

Slide 7

Understanding File Systems
- Understand how OSs work and store files
- CompTIA A+ certification
- File system: road map to data on a disk; determines how data is stored on the disk
- Become familiar with file systems

Slide 8

Understanding the Boot Sequence
- Avoid data contamination or modification
- Complementary Metal Oxide Semiconductor (CMOS): stores system configuration, date, and time
- BIOS: performs input/output at the hardware level

Slide 9

Understanding the Boot Sequence (continued)
- Make sure the computer boots from a floppy disk
- Modify CMOS
- Accessing CMOS depends on the BIOS: Delete key, Ctrl+Alt+Insert, Ctrl+A, Ctrl+F1, F2, F12

Slide 10

Understanding the Boot Sequence (continued)

Slide 11

Understanding Disk Drives
- Composed of one or more platters
- Elements of a disk: geometry, head, tracks, cylinders, sectors

Slide 12

Understanding Disk Drives (continued)

Slide 13

Understanding Disk Drives (continued)
- Cylinder, head, sector (CHS) calculation
- 512 bytes per sector
- Tracks contain sectors
- Number of bytes on a disk: Cylinders (platters) x Heads (tracks) x Sectors (x 512 bytes per sector)
- First track is track 0, so if a disk lists 79 tracks (like a floppy), it has 80 tracks

Slide 14


Slide 15

Understanding Disk Drives (continued)
- Zoned bit recording (ZBR): a platter's inner tracks are smaller than its outer tracks, so tracks are grouped by zone
- Track density: space between each track
- Areal density: number of bits on one square inch of a platter

Slide 16

Exploring Microsoft File Structures
- Need to understand FAT and NTFS
- Sectors are grouped into clusters: storage allocation units of at least 512 bytes, which minimize read and write overhead
- Clusters are referred to as logical addresses
- Sectors are referred to as physical addresses

Slide 17

Disk Partitions
- Logical drive
- Hidden partitions or voids: large, unused gaps between partitions, also known as partition gaps; can hide data
- Use a disk editor to change the partition table: Norton Disk Edit, WinHex, Hex Workshop http://www.x-ways.net/winhex/file m.html

Slide 18

Disk Partitions (continued)

Slide 19

Disk Partitions (continued)
- Disk editor additional functions: identify the OS on an unknown disk; identify file types

Slide 20

Disk Partitions (continued)

Slide 21


Slide 22

Disk Partitions (continued)

Slide 23


Slide 24

Master Boot Record
- Stores information about partitions: location, size, others
- Software can replace the master boot record (MBR): PartitionMagic, LILO
- Can interfere with forensics tasks, so use more than one tool
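To make the partition-table and partition-gap points concrete, here is an added example (not code from the textbook or the course) that parses the four 16-byte entries of a constructed MBR, checks the 0x55AA signature, and lists the sector ranges no partition covers. The sample MBR, its partition types and the 10,000-sector disk size are all constructed for the example; the MBR layout itself (table at offset 446, signature at 510) is the standard one.

```python
import struct

SECTOR = 512
PARTITION_TABLE_OFFSET = 446          # four 16-byte entries, then the 0x55AA signature at 510
ENTRY_FMT = "<B3sB3sII"                # status, CHS start, type, CHS end, LBA start, sector count

def build_mbr(entries):
    """Construct a 512-byte MBR from (type, lba_start, sector_count) tuples. Constructed sample,
    not taken from any real disk; CHS fields stay zero because the LBA fields are what we parse."""
    mbr = bytearray(SECTOR)
    for i, (ptype, start, count) in enumerate(entries):
        status = 0x80 if i == 0 else 0x00           # first entry marked active/bootable
        struct.pack_into(ENTRY_FMT, mbr, PARTITION_TABLE_OFFSET + 16 * i,
                         status, b"\0\0\0", ptype, b"\0\0\0", start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

def parse_mbr(mbr):
    """Return the used partition entries. A missing signature means sector 0 is not a valid MBR
    (or a tool has replaced it), which is the cue to cross-check with a second tool."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature in sector 0")
    parts = []
    for i in range(4):
        status, _chs0, ptype, _chs1, start, count = struct.unpack_from(
            ENTRY_FMT, mbr, PARTITION_TABLE_OFFSET + 16 * i)
        if ptype == 0 or count == 0:
            continue                                  # empty slot
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "start": start, "count": count, "end": start + count - 1})
    return parts

def find_gaps(parts, disk_sectors, min_gap=1):
    """Sector ranges not covered by any partition: the partition gaps an examiner should image and inspect."""
    gaps, cursor = [], 1                              # sector 0 is the MBR itself
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] - cursor >= min_gap:
            gaps.append((cursor, p["start"] - 1))
        cursor = max(cursor, p["end"] + 1)
    if disk_sectors - cursor >= min_gap:
        gaps.append((cursor, disk_sectors - 1))
    return gaps

# Constructed sample: an NTFS-type (0x07) and a FAT32-type (0x0B) partition with room between them.
SAMPLE_DISK_SECTORS = 10_000
SAMPLE_MBR = build_mbr([(0x07, 63, 1000), (0x0B, 2063, 5000)])

if __name__ == "__main__":
    parts = parse_mbr(SAMPLE_MBR)
    for p in parts:
        print(f"entry {p['index']}: type 0x{p['type']:02X} sectors {p['start']}-{p['end']} bootable={p['bootable']}")
    for lo, hi in find_gaps(parts, SAMPLE_DISK_SECTORS):
        print(f"gap: sectors {lo}-{hi} ({(hi - lo + 1) * SECTOR} bytes)")
```

On the sample disk the gaps are the sectors before the first partition, the 1,000 sectors between the two partitions, and the unallocated tail of the disk; a real examination would image each range and carve it like any other unallocated space.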

Slide 25

Examining FAT Disks
- FAT was originally developed for floppy disks
- Filenames, directory names, date and time stamps, starting cluster, attributes
- Typically written to the outermost track
- Evolution: FAT12, FAT16, FAT32

Slide 26

Examining FAT Disks (continued)

Slide 27

Examining FAT Disks (continued)
- Drive slack: unused space in a cluster
- RAM slack: can contain logon IDs and passwords; common on older systems
- File slack: bytes not used in the sector by the file
- FAT16 unintentionally reduced fragmentation
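As an added worked example (not from the textbook or the course), the following code carries through the CHS capacity calculation from Slide 13 and shows where the slack of a file falls inside its last cluster. The split it uses is an assumption stated in the code: RAM slack is the unused tail of the last sector that holds file data, drive slack is the whole unused sectors that follow it in the cluster, and file slack is the two together. The file sizes and cluster sizes are constructed inputs.

```python
SECTOR = 512   # bytes per sector, as on the slide

def disk_bytes(cylinders, heads, sectors_per_track, bytes_per_sector=SECTOR):
    """CHS capacity: cylinders x heads x sectors per track x bytes per sector.
    Track and cylinder numbering starts at 0, so a disk whose highest track is 79 has 80 tracks."""
    return cylinders * heads * sectors_per_track * bytes_per_sector

def slack(file_size, sectors_per_cluster, bytes_per_sector=SECTOR):
    """Slack left when file_size bytes are stored in whole clusters.
    Convention assumed here: ram_slack = unused tail of the last sector holding file data,
    drive_slack = whole unused sectors in the last cluster, file_slack = both together."""
    cluster = sectors_per_cluster * bytes_per_sector
    clusters = -(-file_size // cluster)               # ceiling division; 0 for an empty file
    allocated = clusters * cluster
    file_slack = allocated - file_size
    used_in_last_sector = file_size % bytes_per_sector
    # a file ending exactly on a sector boundary leaves no RAM slack at all
    ram_slack = 0 if used_in_last_sector == 0 else bytes_per_sector - used_in_last_sector
    return {"clusters": clusters, "allocated": allocated, "file_slack": file_slack,
            "ram_slack": ram_slack, "drive_slack": file_slack - ram_slack}

if __name__ == "__main__":
    # 1.44 MB floppy: 80 cylinders (tracks 0-79), 2 heads, 18 sectors per track
    print("floppy bytes:", disk_bytes(80, 2, 18))
    # constructed input: a 5,000-byte file on a volume with 8 sectors (4,096 bytes) per cluster
    for k, v in slack(5000, 8).items():
        print(f"{k}: {v}")
```

For the 5,000-byte file the second cluster holds 904 bytes of data: 392 bytes in its first sector (leaving 120 bytes of RAM slack, which is what may carry leftover memory contents on older systems), followed by six completely unused sectors of drive slack.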

Slide 28

Examining FAT Disks (continued)

Slide 29

Examining FAT Disks (continued)
- Cluster chaining: a file's clusters are kept together (when possible); otherwise fragmentation results
- Tools: Norton DiskEdit, DriveSpy's Chain FAT Entry (CFE) command
- Rebuilding broken chains can be difficult

Slide 30

Examining FAT Disks (continued)

Slide 31


Slide 32

Deleting FAT Files
- Filename in the FAT database begins with hex E5
- FAT chain for that file is set to zero
- Free disk space is incremented
- Actual data remains on the disk and can be recovered with computer forensics tools
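The following added example (not code from the textbook or the course) builds a tiny constructed FAT16 image and walks through both the cluster chaining of Slide 29 and the deletion steps above: the directory entry's first byte becomes 0xE5, the FAT chain is zeroed, and the data clusters are untouched. It then applies the recovery assumption forensic tools make, that the file was stored contiguously from the start cluster the entry still records. The directory-entry layout and the end-of-chain values are the standard FAT16 ones; the file contents, FAT table and one-sector clusters are constructed.

```python
import struct

SECTOR = 512                 # one sector per cluster in this constructed image
DELETED = 0xE5               # first byte of a deleted directory entry
EOC = 0xFFFF                 # FAT16 end-of-chain marker (any value >= 0xFFF8)
ENTRY_FMT = "<11sB10sHHHI"   # name+ext, attr, reserved/timestamps, write time, write date, start cluster, size

def make_dir_entry(name, ext, start_cluster, size):
    """Constructed 32-byte FAT16 directory entry; timestamps are zeroed for brevity."""
    raw = (name.ljust(8) + ext.ljust(3)).encode("ascii")
    return struct.pack(ENTRY_FMT, raw, 0x20, b"\0" * 10, 0, 0, start_cluster, size)

def parse_dir(dir_bytes):
    """Decode entries; a leading 0xE5 marks the entry deleted, and its first character is lost."""
    entries = []
    for off in range(0, len(dir_bytes), 32):
        raw, _attr, _res, _wt, _wd, start, size = struct.unpack_from(ENTRY_FMT, dir_bytes, off)
        if raw[0] == 0x00:
            break                                     # 0x00 = no more entries
        deleted = raw[0] == DELETED
        base = ("?" if deleted else chr(raw[0])) + raw[1:8].decode("ascii").rstrip()
        ext = raw[8:11].decode("ascii").rstrip()
        entries.append({"name": base + ("." + ext if ext else ""),
                        "deleted": deleted, "start": start, "size": size})
    return entries

def cluster_chain(fat, start):
    """Follow FAT16 links from start until end-of-chain, a free (0) entry, or a loop."""
    chain, cur = [], start
    while 2 <= cur < len(fat) and fat[cur] != 0 and cur not in chain:
        chain.append(cur)
        cur = fat[cur]
        if cur >= 0xFFF8:
            break
    return chain

def delete_file(dir_bytes, fat, index):
    """What the OS does on delete: zero the entry's FAT chain and overwrite its first byte with 0xE5."""
    start = parse_dir(dir_bytes)[index]["start"]
    for c in cluster_chain(fat, start):
        fat[c] = 0
    d = bytearray(dir_bytes)
    d[index * 32] = DELETED
    return bytes(d)

def recover_contiguous(data_region, start, size, cluster_bytes=SECTOR):
    """Recovery heuristic: the chain is gone, but the entry still holds start cluster and size,
    so assume the file was contiguous. Data clusters are numbered from 2."""
    first = (start - 2) * cluster_bytes
    return data_region[first:first + size]

# Constructed mini image: four data clusters (2..5); one 1,200-byte file in clusters 2, 3 and 4.
CONTENT = b"A" * 512 + b"B" * 512 + b"C" * 176
DATA_REGION = CONTENT + b"\0" * (4 * SECTOR - len(CONTENT))
DIRECTORY = make_dir_entry("REPORT", "TXT", 2, len(CONTENT)) + b"\0" * 32

def demo():
    fat = [0xFFF8, EOC, 3, 4, EOC, 0, 0, 0]          # entries 0-1 reserved; 2->3->4->EOC; 5 free
    before = parse_dir(DIRECTORY)[0]
    chain_before = cluster_chain(fat, before["start"])
    directory = delete_file(DIRECTORY, fat, 0)
    after = parse_dir(directory)[0]
    return {"before": before, "chain_before": chain_before, "after": after,
            "chain_after": cluster_chain(fat, after["start"]), "fat": fat,
            "recovered": recover_contiguous(DATA_REGION, after["start"], after["size"])}

if __name__ == "__main__":
    r = demo()
    print(r["before"]["name"], "->", r["after"]["name"], "chain", r["chain_before"], "->", r["chain_after"])
    print("recovered intact:", r["recovered"] == CONTENT)
```

Two details worth noticing in the output: the recovered name is `?EPORT.TXT`, because the 0xE5 marker overwrote the first character, and the recovery only works because this file was unfragmented; for a file whose chain was broken across non-adjacent clusters, the same contiguous assumption would splice in the wrong data, which is why rebuilding chains is hard.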

Slide 33

Examining NTFS Disks
- First introduced with Windows NT
- Spin-off of HPFS from IBM OS/2
- Provides improvements over FAT file systems; stores more information about a file
- Microsoft's move toward a journaling file system: keeps track of transactions, which can be rolled back

Slide 34

Examining NTFS Disks (continued)
- Partition Boot Sector starts at sector 0
- Master File Table (MFT): first file on the disk; contains information about all files on the disk (metadata)
- Reduces slack space
- NTFS uses Unicode: UTF-8, UTF-16, UTF-32

Slide 35

Examining NTFS Disks (continued)

Slide 36

NTFS File Attributes
- All files and folders have attributes
- Resident attributes: stored in the MFT
- Nonresident attributes: everything that cannot be stored in the MFT; uses inodes for nonresident attributes
- Logical and virtual cluster numbers: LCN and VCN

Slide 37

NTFS Data Streams
- Data can be appended to a file while examining a disk, which can obscure valuable evidentiary data
- Additional data attribute of a file
- Allow files to be associated with different applications

Slide 38

NTFS Compressed Files
- Improve data storage
- Compression similar to FAT DriveSpace 3
- Files, folders, or an entire volume can be compressed
- Transparent when working with Windows XP, 2000, or NT
- Need to decompress when analyzing; advanced tools do it automatically

Slide 39

NTFS Encrypted File System (EFS)
- Introduced with Windows 2000
- Implements a public key/private key encryption method
- Recovery certificate: recovery mechanisms in case of a problem
- Works for local workstations or remote servers

Slide 40

Deleting NTFS Files
- Similar to FAT
- NTFS is more efficient than FAT at reclaiming deleted space, so deleted files are overwritten more quickly

Slide 41

Understanding the Windows Registry
- Database that stores: hardware and software configuration; user preferences (user names and passwords); setup information
- Use the Regedit command for Windows 9x
- Use the Regedt32 command for Windows XP and 2000
- FTK Registry Viewer

Slide 42

Understanding the Windows Registry (continued)
- Windows 9x Registry: User.dat, System.dat
- Windows 2000 and XP Registry: \Winnt\System32\Config or \Windows\System32\Config (System, SAM, Security, Software, and NTUser.dat)

Slide 43

Understanding the Windows Registry (continued)

Slide 44

Understanding Microsoft Boot Tasks
- Prevent damaging digital evidence: OSs alter files when the computer starts up

Slide 45

Windows XP, 2000 and NT Startup
Steps:
- Power-on self test (POST)
- Initial startup
- Boot loader
- Hardware detection and configuration
- Kernel loading
- User logon

Slide 46

Startup Files for Windows XP
Files used during the boot process: NTLDR, Boot.ini, BootSec.dos, NTDetect.com, NTBootdd.sys, Ntoskrnl.exe, Hal.dll, device drivers

Slide 47

Windows XP System Files

Slide 48

Windows 9x and Me Startup
- Windows Me can't boot to a true MS-DOS mode
- Windows 9x OSs have two modes: DOS protected mode interface (DPMI), a command prompt from the boot menu; and the protected-mode GUI, with a DOS shell in Windows
- Startup files: Io.sys, Msdos.sys, Command.com
