Computer, Boot Process, Lecture notes of Computer Science

All about the boot system and its process, alongside the NTFS filesystem.

Typology: Lecture notes

2021/2022

Available from 12/21/2022


  • Understanding the boot process
  • Understanding filesystems
  • NTFS File System

Computer Systems

Computer System

โ— To be effective, as an investigator you must

understand by understanding investigation

environment;

i) The physical media where the data is stored on

ii) The filesystem used on the storage device, and

iii) How that data is tracked and accessed while

on the storage device.

Booting Process

โ— (^) When you push the power button and electricity energizes the system, a series of commands is issued. โ— (^) As it executes the commands, the system is taking steps (just like on a ladder) to achieve the goal of a running operating system. โ— (^) If something breaks any of those steps, then the system will not load.

Booting Process

  • Hardware doesn't know where the operating system resides or how to load it.
  • A special program is needed to do this job – the bootstrap loader.
  • E.g. BIOS – Boot Input Output System.
  • The bootstrap loader locates the kernel, loads it into main memory and starts its execution.
  • A reset event on the CPU (power up, reboot) causes the instruction register to be loaded with a predefined memory location.

Booting Process

โ— The BIOS will have the basic information of the

system: the amount of RAM, the type of CPU,

information about the attached drives, and the

system date and time.

โ— The easiest way to document this information is to

take a photograph of it as it is displayed on the

screen.

โ— This is also where you can change the boot

sequence.

โ— Changing the boot device tells the BIOS to access

the device we are providing, and not the suspect's.

Booting Process

โ— (^) In 2010 , the BIOS function was replaced by the United Extensible Firmware Interface (UEFI). โ— (^) It provides the same service as the BIOS, but has been enhanced, as follows: โ— (^) By providing better security at the pre-boot process

  • Faster startup
  • Will support drives larger than 2 TB
  • Support for 64-bit device drivers
  • Support for the ( globally unique identifiers ) GUID partition table (GPT)

Booting Process

  • The boot sector is often operating system specific; however, in most operating systems its main function is to load and execute a kernel, which continues startup.
  • It initializes CPU registers, device controllers and the contents of main memory. After this, it loads the OS.

Forensic Boot Media

โ— (^) It is a generally practice to remove the hard drive from the system to create a forensic image. โ— (^) However, sometimes, the storage device cannot be removed from the system, and you have to create a forensic image. โ— (^) To accomplish this task, you need to use a bootable CD/DVD or USB device to create a forensic environment in order to create a forensic image. โ— (^) Using boot media, you will want to ensure that it will create that sound forensic environment and not cause any changes to the source device.

Forensic Boot Media

โ— (^) Linux is a standard operating system that has been used to create a USB-based (live) operating system to create the forensic environment needed to examine these devices. โ— (^) Paladin is one such tool. It is freely available to download and to purchase if you wish to have it preinstalled on a USB device. โ— (^) Sumurai also provides some limited technical support in the operation of Paladin. โ— (^) There is also a Windows-based bootable environment known as WinFE (Windows Forensic Environment).

Forensic Boot Media

โ— (^) The benefit of using the Windows bootable environment is that you now have access to Windows-based forensic tools. โ— (^) It is possible to run X-Ways or FTK Imager from this secure environment โ— (^) It is not recommend using a tool that is resource- heavy. โ— (^) X-Ways can run from a USB device, as can some artifact-specific tools such as RegRipper.

Forensic Boot Media

โ— (^) To make a device bootable using Rufus consider doing the following steps: โ— (^) Device : This is the destination. It is the USB device you want to host the bootable operating system. โ— (^) Boot selection : This will be the "live" operating system. Here, using an ISO file for Paladin 8.01. โ— (^) Partition scheme : You have a choice of using MBR or GPT. Using MBR will give you greater flexibility in the devices you can boot. โ— (^) Target system : With the MBR selection for the partition scheme, you can use the device on either a BIOS or UEFI system. If you select GPT for the partition scheme, you can only target UEFI systems.

Forensic Boot Media

    ○ Ensure the system can boot from a USB device – some older systems cannot.
    ○ Know which filesystems the bootable device can write-protect and which ones it cannot.
    ○ Deal with the secure boot feature of the UEFI boot process.

  • As mentioned earlier, secure boot is a security feature of the UEFI process that allows only trusted software to boot the system.
  • If we want to use a bootable forensic operating system, the secure boot feature must be disabled.

Forensic Boot Media

โ— (^) You must enter the UEFI environment by pressing the catch key such as F2 or F12 (this will vary depending on the computer manufacturer). โ— (^) Once you have entered the setup utility, navigate to the Security menu (this might also vary depending on the computer manufacturer) and disable the secure boot option. โ— (^) Some Linux distributions and WinFE have received signed status and will boot a system that has secure boot enabled. โ— (^) As you go through this process, if you miss hitting the catch key and start the boot process in the host operating system, then you must document that it occurred.