1
91.580.203 Computer Network Forensics
  • Xinwen Fu
  • Chapter 8
  • System Boot Process and File Systems

2
Homework Submission
  • Follow the submission policy tightly
  • To xinwenfu@cs.uml.edu
  • Subject: 91.580.203AssignmentXXXXXX
  • Attach your assignment
  • Midterm exam
  • 20 multiple-choice questions
  • Released after class on Oct. 9
  • Collected at 11:55 on Oct. 10

3
Outline
  • The Boot Process
  • Controlled Boot Environment
  • Disk Write Blockers
  • Disk Imaging Tool Testing
  • NIST Test Cases

4
Review of HD Boot Sequence (DOS)
Flowchart on the slide:
  • power on self test (POST) by BIOS
  • master boot record
  • extended partition? No: go on to the volume boot code; Yes: load extended partition tables first
  • volume boot code of C:
  • DOS
5
POST
  • Power is on
  • CPU ready to run, but run what?
  • The BIOS performs the Power On Self Test (POST)
  • RAM
  • Video
  • Keyboard
  • drives, etc.

6
Master Boot Record
  • Every hard disk must have a consistent starting
    point
  • The place where this information is stored is
    called the master boot record (MBR) (also
    referred to as the master boot sector, or just
    boot sector)
  • The MBR is always located at cylinder 0, head 0,
    and sector 1
  • The master boot record contains the following
    structures
  • Master Partition Table: this small table
    contains the descriptions of the partitions that
    are contained on the hard disk
  • There is only room for the information describing
    4 partitions

7
Master Boot Code
  • Master Boot Code: The MBR contains a small
    initial boot program that the BIOS loads and
    executes to start the boot process
  • Since the master boot code is the first program
    executed in RAM when you turn on your PC, this is
    a favorite place for virus writers to target
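
The MBR layout described on slides 4, 6 and 7 (boot code, the four-entry master partition table at offset 0x1BE, the 0x55AA signature, and the chain of extended partition tables that the boot flowchart follows) as an added Python example; this is not code from the lecture. The disk image, partition types and sector numbers are constructed for the demonstration.

```python
"""Walk a DOS-style master partition table and its extended-partition chain.

Added example (not from the lecture). The disk image is constructed in
memory; partition types, start LBAs and sizes below are made up for the demo.
"""
import struct

SECTOR = 512
TABLE_OFFSET = 0x1BE            # master partition table: 4 entries x 16 bytes
SIGNATURE = b"\x55\xAA"         # bytes 510-511 of the MBR and of each EBR
EXTENDED_TYPES = {0x05, 0x0F}   # extended container (CHS / LBA variants)
ENTRY_FMT = "<B3sB3sII"         # flag, CHS start, type, CHS end, start LBA, sector count


def make_entry(boot_flag, ptype, start_lba, sectors):
    """Build one 16-byte table entry (CHS fields left zero for the demo)."""
    return struct.pack(ENTRY_FMT, boot_flag, b"\0\0\0", ptype, b"\0\0\0", start_lba, sectors)


def make_sector(entries):
    """Build a 512-byte MBR/EBR: dummy boot code, up to 4 entries, 0x55AA."""
    table = b"".join(entries).ljust(64, b"\0")
    return b"\x90" * TABLE_OFFSET + table + SIGNATURE


def has_signature(sector):
    """The BIOS refuses to run a boot sector that lacks the 0x55AA marker."""
    return sector[510:512] == SIGNATURE


def parse_table(sector):
    """Return the 4 raw table entries as dicts (type 0 == unused slot)."""
    if not has_signature(sector):
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        flag, _, ptype, _, start, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        entries.append({"bootable": flag == 0x80, "type": ptype, "start": start, "sectors": count})
    return entries


def list_partitions(disk):
    """MBR at LBA 0 (CHS 0/0/1); if an extended entry exists, follow its EBRs."""
    result, extended = [], None
    for e in parse_table(disk[:SECTOR]):
        if e["type"] in EXTENDED_TYPES:
            extended = e
        elif e["type"] != 0:
            result.append(dict(e, kind="primary"))
    if extended is None:
        return result
    base = extended["start"]           # EBR link entries are relative to this LBA
    ebr_lba, seen = base, set()
    while ebr_lba not in seen:         # a looping chain is corrupt: stop instead of spinning
        seen.add(ebr_lba)
        logical, link = parse_table(disk[ebr_lba * SECTOR:(ebr_lba + 1) * SECTOR])[:2]
        if logical["type"] != 0:       # entry 0: logical volume, start relative to this EBR
            result.append({"kind": "logical", "type": logical["type"], "bootable": logical["bootable"],
                           "start": ebr_lba + logical["start"], "sectors": logical["sectors"]})
        if link["type"] == 0:          # entry 1: next EBR, or all-zero at the end of the chain
            break
        ebr_lba = base + link["start"]
    return result


def build_demo_disk():
    """Constructed sample: one primary FAT16 volume plus an extended
    container holding two logical Linux volumes (all values made up)."""
    disk = bytearray(SECTOR * 4096)
    disk[0:SECTOR] = make_sector([make_entry(0x80, 0x06, 63, 2000),      # primary, bootable
                                  make_entry(0x00, 0x05, 2063, 2000)])   # extended container
    disk[2063 * SECTOR:2064 * SECTOR] = make_sector([make_entry(0, 0x83, 63, 900),     # logical #1
                                                     make_entry(0, 0x05, 1000, 1000)])  # link to next EBR
    disk[3063 * SECTOR:3064 * SECTOR] = make_sector([make_entry(0, 0x83, 63, 900)])     # logical #2, chain ends
    return bytes(disk)


if __name__ == "__main__":
    for p in list_partitions(build_demo_disk()):
        print(f"{p['kind']:8s} type=0x{p['type']:02X} start={p['start']:6d} "
              f"sectors={p['sectors']:5d} bootable={p['bootable']}")
```

Only the first 64 bytes of table ever live in the MBR, which is why the slide says there is room for four descriptions; every further logical drive costs one more EBR sector that the loader has to go and read, exactly the "load extended partition tables" branch of the flowchart.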

8
DOS System Files
  • To control the boot process, we must intercept it
    with a controlled-boot floppy.
  • Boot record identifies the operating system and
    points to the next file to be loaded, which is
    IO.SYS.

9
Unix Boot Process
Flowchart on the slide:
  • power on self test (POST) by BIOS
  • master boot record - boot loader
  • kernel
  • user environment (/sbin/init)
10
Two-stage Boot Loader
  • Unix systems implement a two-stage loading
    process
  • First stage, a small boot program is read into
    memory from MBR
  • Locate the second stage boot loader and load the
    first part of it into memory
  • Second stage (/boot/???)
  • Present the user with the operating system choice
    screen
  • Locate the kernel and load the kernel
    /boot/vmlinuz-<kernel-version>
  • Place initrd (initial RAM disk image) into memory
    (used by the kernel to load drivers)

11
Kernel
  • Once the kernel is loaded, it remains in the
    memory during the running of the system and is
    usually run in a fixed amount of memory
  • The kernel probes the bus to locate the devices
    specified during the configuration, and
    initializes the located devices
  • Hardware
  • Virtual devices
  • Unmount the initrd image
  • Create a root device

12
Kernel (Cont.)
  • System Processes: The kernel identifies the root,
    swap, and dump devices and then starts programs
    to
  • Schedule processes,
  • Sched: The real-time scheduler.
  • Manage physical memory and virtual memory, and
    the
  • Swapper: It manages the physical memory by moving
    processes from physical memory to swap space when
    more physical memory is needed.
  • Page Daemon: Various memory handlers run as
    process 2.
  • init process.

13
Create User Environment (/sbin/init)
  • The last step in bootstrapping and identified by
    process id 1
  • /etc/inittab: init configuration file
  • /etc/rc.d/rc.sysinit: set path, clock
  • /etc/rc.d/init.d/functions: how to determine
    process id
  • Run shell scripts based on the runlevel - e.g.,
    /etc/rc.d/rc5.d
  • The startup scripts are defined and organized
    differently on different systems
  • On BSD systems the startup scripts may be found
    in the /etc directory and their names begin with
    rc, e.g., /etc/rc.boot, /etc/rc.single,
    /etc/rc.local and so on

14
Run Level (Red Hat/Fedora Core)
Run Level   Scripts Directory    State
0           /etc/rc.d/rc0.d/     shutdown/halt system
1           /etc/rc.d/rc1.d/     Single user mode
2           /etc/rc.d/rc2.d/     Multiuser with no network services exported
3           /etc/rc.d/rc3.d/     Default text/console only start. Full multiuser
4           /etc/rc.d/rc4.d/     Reserved for local use. Also X-windows (Slackware/BSD)
5           /etc/rc.d/rc5.d/     XDM X-windows GUI mode (Redhat/System V)
6           /etc/rc.d/rc6.d/     Reboot
s or S      -                    Single user/Maintenance mode (Slackware)
M           -                    Multiuser mode (Slackware)
15
Some Notes
  • Single User Mode
  • Single user shell is always Bourne Shell (sh) and
    it runs as 'root'.
  • It enables the system manager to perform various
    administrative functions, such as setting the
    date, checking the consistency of the file
    system, reconfiguring the list of on-line
    terminals, and so on.
  • At this stage only the root partition is usually
    mounted.
  • The file system consistency check may be
    performed by the command fsck, usually found in
    the /etc directory.

16
Windows 2000/NT/XP Bootstrapping
  • 6 Stages
  • POST
  • Choose OS
  • Kernel Load
  • Kernel Initialization
  • Services Load
  • Logon

http://www.compphix.com/xpbootprocess.html
17
Summary
  • Every disk has a consistent starting point (MBR
    or boot sector, CHS 0/0/1)
  • A control boot disk (floppy/CD) allows us to
    control the bootstrapping process
  • DOS makes a good boot environment since we
    understand what is happening!

18
Outline
  • The Boot Process
  • Controlled Boot Environment
  • Disk Write Blockers
  • Disk Imaging Tool Testing
  • NIST Test Cases

19
Note: Boot Considerations
  • Background: we want to use a floppy disk and boot
    the suspect system
  • BIOS Setting
  • Need to ensure that system boots from proper
    device such as CDROM, Floppy
  • Interrupt keys (varies by manufacturers)
  • F12, Del, F1

20
Controlled Boot Floppy
  • A controlled boot floppy enables you to
  • Bypass possible destructive processes set by the
    suspect to destroy evidence
  • Maintain evidence integrity by preventing any
    possible changes to the suspect's hard disk

21
A Basic Controlled DOS Boot Floppy
  • Minimum Requirements
  • Will boot the computer without allowing any
    writes to the Hard Disk
  • Will automatically install hard disk write
    protection
  • Will ensure drive letters are assigned to all FAT
    logical drives by including a LASTDRIVE=Z
    statement in the CONFIG.SYS file

22
Media
  • Variety of disks in every possible format
  • 5¼ Low density, high density floppies
  • 3½ Low density, high density floppies
  • Bootable CD-ROMs

23
Media (Cont.)
  • New, clean media for each case
  • Pre-used media should be wiped
  • Error free and formatted by format
  • /U Format option
  • Standard Format AND overwrites data area with
    F6h
  • /S Format option
  • Standard Format AND copies system files to disk
    after format

24
Files (DOS)
http://www.digitalintelligence.com/software/disoftware/pdblock/
  • Required system files
  • IO.SYS
  • Altered if necessary to prevent write to disk
  • MSDOS.SYS
  • COMMAND.COM
  • AUTOEXEC.BAT
  • Edited to automatically load the hard drive
    write blocker, e.g., PDBLOCK from digital
    intelligence
  • CONFIG.SYS
  • Edited to include LASTDRIVE=Z to ensure drive
    letter assignments

25
External DOS Commands
  • Not loaded with COMMAND.COM
  • Usually installed in the WINDOWS\COMMAND
    subdirectory
  • Our copies must be on the control boot floppy
  • Are either EXE or COM files

FDISK, FORMAT, DELTREE, CHKDSK, ATTRIB, UNFORMAT, UNDELETE, XCOPY
26
Note: Why should we change IO.SYS?
  • DOS 6.22, Win95, Win98
  • IO.SYS can automatically mount Compressed Volume
    Files
  • If a compressed drive is mounted, it will make
    changes (write) to the hard drive
  • This can happen even if booting from a floppy
  • IO.SYS must be hacked to eliminate these calls to
    the hard drive
  • Why? http://www.xxcopy.com/xxcopy15.htm ---
    reading assignment

Writing to the hard drive, when the system is in
our custody and control, means that we have
altered the evidence!
27
Outline
  • The Boot Process
  • Controlled Boot Environment
  • Disk Write Blockers
  • Disk Imaging Tool Testing
  • NIST Test Cases

28
Disk Write Blockers
  • Prevent data being written to the suspect drive
  • Ensure the integrity of the suspect drive
  • Software Write Blockers vs. Hardware

29
Normal HD Access
30
Normal HD Access - interrupt 0x13 interface
  1. An application program issues an interrupt 0x13
    command.
  2. The interrupt transfers control to the interrupt
    0x13 routine in the BIOS. The BIOS routine issues
    commands, ATA or SCSI as appropriate, directly to
    the hard drive controller.
  3. The device does the requested operation and
    returns the result to the BIOS and then to the
    application program.

http://www.bitzenbytes.com/Content-Arcanum-18-1-53.html
31
Software Write Block
(diagram on the slide, starting from User Application)
32
Software Write Block (SWB) Change Interrupt
0x13 Interface
  1. The SWB tool is executed. The SWB tool saves the
    current interrupt 0x13 routine entry address and
    installs a new interrupt 0x13 routine.
  2. The application program initiates a drive I/O
    operation by invoking interrupt 0x13. The
    replacement routine installed by the SWB tool
    intercepts the command.
  3. The SWB tool determines if the requested command
    should be blocked or if the command should be
    allowed.

33
Software Write Block
  1. If a command is blocked, the SWB tool returns to
    the application program without passing any
    command to the BIOS I/O routines. Depending on
    SWB tool configuration either success or error is
    returned for the command status.
  2. If the command is allowed (not blocked), the
    command is passed to the BIOS and the BIOS I/O
    routine issues required I/O commands (ATA, SCSI
    or other) to the drive controller so that the
    desired I/O operation occurs on the hard drive.
  3. Results are returned to the application program.
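
The three-step interposition on slides 32 and 33 (save the interrupt 0x13 entry address, install a replacement routine, then block or pass each command and return success or an error according to the tool's configuration) as an added Python model; it is not NIST's test harness or any real SWB tool. The dispatch table standing in for the interrupt vector, the `SimulatedBios` class and the in-memory drive are this example's assumptions; the AH function numbers and status codes are the real INT 13h ones.

```python
"""Model of an interrupt 0x13 software write block (SWB).

Added example; it is not NIST's test harness or any real SWB tool. A Python
dispatch table stands in for the BIOS interrupt vector and the "drive" is an
in-memory bytearray, so the three steps on the slides can be traced.
"""

# Real INT 13h function numbers (register AH); the model handles only these.
READ_SECTORS, WRITE_SECTORS, FORMAT_TRACK = 0x02, 0x03, 0x05
EXT_READ, EXT_WRITE = 0x42, 0x43
WRITE_COMMANDS = {WRITE_SECTORS, FORMAT_TRACK, EXT_WRITE}   # what a blocker refuses
# Real INT 13h status codes returned in AH
STATUS_OK, STATUS_BAD_COMMAND, STATUS_WRITE_PROTECTED = 0x00, 0x01, 0x03
SECTOR = 512


class SimulatedBios:
    """Normal access path: application -> INT 13h vector -> BIOS routine -> drive."""

    def __init__(self, drive_sectors=64):
        self.disk = bytearray(SECTOR * drive_sectors)
        self.vectors = {0x13: self._bios_int13}       # the interrupt vector table

    def _bios_int13(self, ah, lba, data=None):
        """The BIOS's own routine, which drives the controller directly."""
        off = lba * SECTOR
        if ah in (READ_SECTORS, EXT_READ):
            return STATUS_OK, bytes(self.disk[off:off + SECTOR])
        if ah in (WRITE_SECTORS, EXT_WRITE):
            self.disk[off:off + SECTOR] = data.ljust(SECTOR, b"\0")[:SECTOR]
            return STATUS_OK, None
        if ah == FORMAT_TRACK:                        # DOS format fills the data area with F6h
            self.disk[off:off + SECTOR] = b"\xF6" * SECTOR
            return STATUS_OK, None
        return STATUS_BAD_COMMAND, None

    def int13(self, ah, lba, data=None):
        """What an application's INT 13h instruction does: jump through the vector."""
        return self.vectors[0x13](ah, lba, data)


class SoftwareWriteBlock:
    """Step 1: save the current INT 13h entry and install a replacement."""

    def __init__(self, bios, report_success=True):
        self.bios = bios
        self.report_success = report_success   # tool configuration: fake success or return an error
        self.blocked = []                      # audit trail of refused (AH, LBA) pairs
        self.saved_handler = bios.vectors[0x13]
        bios.vectors[0x13] = self.handler

    def handler(self, ah, lba, data=None):
        """Steps 2-3: intercept every INT 13h call and decide block vs. allow."""
        if ah in WRITE_COMMANDS:
            self.blocked.append((ah, lba))
            # Blocked: return to the caller without ever reaching the BIOS routine.
            return (STATUS_OK if self.report_success else STATUS_WRITE_PROTECTED), None
        return self.saved_handler(ah, lba, data)   # allowed: pass through to the BIOS

    def uninstall(self):
        """Restore the saved entry (only after the examination is finished)."""
        self.bios.vectors[0x13] = self.saved_handler


def blocked_write_demo(report_success):
    """Pre-load a sector (constructed 'evidence'), install the SWB, try to
    overwrite it, read it back. Returns (write status, first 8 bytes, log)."""
    bios = SimulatedBios()
    bios.int13(WRITE_SECTORS, 5, b"evidence")            # before the blocker: the write lands
    swb = SoftwareWriteBlock(bios, report_success=report_success)
    status, _ = bios.int13(WRITE_SECTORS, 5, b"TAMPERED")
    _, sector = bios.int13(READ_SECTORS, 5)              # reads are still allowed
    return status, sector[:8], swb.blocked


def format_blocked_demo():
    """A format command is refused too; True if sector 0 is still untouched."""
    bios = SimulatedBios()
    SoftwareWriteBlock(bios)
    status, _ = bios.int13(FORMAT_TRACK, 0)
    return status == STATUS_OK and bytes(bios.disk[:SECTOR]) == b"\0" * SECTOR


if __name__ == "__main__":
    print(blocked_write_demo(report_success=False))   # (3, b'evidence', [(3, 5)])
    print(format_blocked_demo())                      # True
```

Anything that reaches the controller without going through the vector (in this model, code that touches `bios.disk` directly) never meets the hook; that is the gap slide 35 refers to when it says software blockers can be bypassed, sometimes unknowingly, and it is why a hardware blocker in the cable path became the standard.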

34
Hardware Write Block
  • A hardware write blocker (HWB) is a hardware
    device that attaches to a computer system with
    the primary purpose of intercepting and
    preventing (or blocking) any modifying commands
    from ever reaching the storage device.
  • Physically, the device is connected between the
    computer and a storage device.
  • Some of its functions include monitoring and
    filtering any activity that is transmitted or
    received between its interface connections to the
    computer and the storage device.

http://www.paralan.com/sr14.html
35
Summary
  • Write blockers prevent data being written to the
    suspect drive
  • 2 basic approaches
  • Hardware and Software
  • Software write blockers can be bypassed
    (sometimes unknowingly)
  • Hardware write blockers are now the industry
    standard.
  • NIST (National Institute of Standards and
    Technology) has excellent specs/standards for
    write blockers.

36
Outline
  • The Boot Process
  • Controlled Boot Environment
  • Disk Write Blockers
  • Disk Imaging Tool Testing
  • NIST Test Cases

37
Imaging Tool Requirements
  1. Exact duplicate of the original disk
  2. Not alter the original disk
  3. Able to verify integrity of image
  4. Log I/O errors
  5. Tool documentation correct

38
Definitions - Image
  • Digital
  • Sometimes compressed
  • Bit-stream duplicate of original digital object
  • Can be reconstructed

39
Definitions - Qualified Copy
  • Qualified bit-stream duplicate (in case there are
    errors during imaging)
  • Duplicate except in identified areas
  • Identified areas replaced by values specified by
    a disk imaging tools documentation
  • Partition table entries to reflect relocated
    partitions
  • Boot records
  • Fill areas for cylinder alignment and excess disk
    space

40
Mandatory Requirements of Tools
  1. Shall not alter original
  2. No errors → create bit-stream duplicate or image
    of source
  3. Errors → create qualified bit-stream duplicate,
    identified values are marked
  4. Log errors in readable form, including type and
    location
  5. Destination larger than Source: document areas of
    destination not included in source
  6. Destination smaller than Source: notify user,
    truncate, and log

41
Optional Requirements of Tools (1/3)
  • If a tool provides the capability defined, the
    tool is tested as if the requirement were
    mandatory.
  • Create hash value of copy, compare to hash
    computed at time of creation, log comparisons; do
    the same if the bit-stream is divided in blocks
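
The requirements of slides 39 to 41 carried through in one added Python example (not part of the lecture and not NIST's test harness or any real imaging tool): an unreadable sector yields a qualified copy with the identified area replaced by a documented fill value, every error is logged with type and location, destination size mismatches are documented or truncated and logged, and the copy is hashed in blocks at creation so it can be verified later. `Source`, `ReadError` and the F6h fill are this example's own assumptions. The final tamper step does what test case DI-77 later checks: a corrupted image must fail verification.

```python
"""Bit-stream imaging model following the NIST requirements on the slides:
never write the source, qualified copy on read errors, readable error log,
destination size handling, per-block hashes for later verification.

Added example; not NIST's harness or any real imaging tool. Source and
destination are in-memory byte strings and the read error is injected.
"""
import hashlib

SECTOR = 512
BLOCK_SECTORS = 8                # hash granularity: 4 KiB per block
FILL = b"\xF6" * SECTOR          # this example's documented replacement for unreadable sectors


class ReadError(IOError):
    pass


class Source:
    """Read-only view of the suspect drive; the chosen LBAs fail on read."""

    def __init__(self, data, bad_sectors=()):
        self._data = data                # never written by image()
        self.bad = set(bad_sectors)

    @property
    def sectors(self):
        return len(self._data) // SECTOR

    def read(self, lba):
        if lba in self.bad:
            raise ReadError(f"uncorrectable read error at LBA {lba}")
        return self._data[lba * SECTOR:(lba + 1) * SECTOR]


def image(src, dest_sectors):
    """Copy src to a destination of dest_sectors sectors.
    Returns (destination bytes, structured log, per-block SHA-256 hashes)."""
    log, dest = [], bytearray()
    copied = min(src.sectors, dest_sectors)
    if dest_sectors < src.sectors:                      # req. 6: notify, truncate, log
        log.append({"type": "truncated", "source_sectors": src.sectors, "dest_sectors": dest_sectors})
    for lba in range(copied):
        try:
            dest += src.read(lba)
        except ReadError as exc:                        # req. 3: qualified copy, area identified
            log.append({"type": "read_error", "lba": lba, "detail": str(exc)})
            dest += FILL
    if dest_sectors > src.sectors:                      # req. 5: document the excess area
        log.append({"type": "excess_destination", "first_lba": src.sectors, "last_lba": dest_sectors - 1})
        dest += b"\0" * (SECTOR * (dest_sectors - src.sectors))   # this example's choice: zero-fill
    size = BLOCK_SECTORS * SECTOR                        # optional req.: hash at creation, per block
    hashes = [hashlib.sha256(bytes(dest[i:i + size])).hexdigest() for i in range(0, copied * SECTOR, size)]
    return bytes(dest), log, hashes


def format_log(log):
    """Readable log lines (req. 4: type and location of every error)."""
    lines = []
    for e in log:
        if e["type"] == "read_error":
            lines.append(f"ERROR read failure at LBA {e['lba']}: {e['detail']}; sector replaced with F6h fill")
        elif e["type"] == "truncated":
            lines.append(f"WARN destination has {e['dest_sectors']} sectors, source {e['source_sectors']}; copy truncated")
        else:
            lines.append(f"INFO destination LBAs {e['first_lba']}-{e['last_lba']} are not part of the source")
    return lines


def verify(dest, hashes):
    """Recompute the block hashes; return the indices that no longer match."""
    size = BLOCK_SECTORS * SECTOR
    return [i for i, h in enumerate(hashes) if hashlib.sha256(dest[i * size:(i + 1) * size]).hexdigest() != h]


def compare_qualified(src_data, dest, log):
    """'Qualified equal': every sector matches except those the log identifies,
    and those hold exactly the documented fill value."""
    identified = {e["lba"] for e in log if e["type"] == "read_error"}
    n = min(len(src_data), len(dest)) // SECTOR
    for lba in range(n):
        got = dest[lba * SECTOR:(lba + 1) * SECTOR]
        want = FILL if lba in identified else src_data[lba * SECTOR:(lba + 1) * SECTOR]
        if got != want:
            return False
    return True


def demo():
    """Constructed 40-sector source with a bad sector at LBA 17, imaged to a
    larger 48-sector destination; then one byte of the image is corrupted."""
    src_data = bytes((i * 7 + 3) % 256 for i in range(SECTOR * 40))
    src = Source(src_data, bad_sectors={17})
    dest, log, hashes = image(src, dest_sectors=48)
    tampered = bytearray(dest)
    tampered[SECTOR * 20] ^= 0xFF
    return {
        "log": format_log(log),
        "qualified_equal": compare_qualified(src_data, dest, log),
        "verify_clean": verify(dest, hashes),                # []  : image intact
        "verify_tampered": verify(bytes(tampered), hashes),  # [2] : block holding LBA 20
    }


def truncate_demo():
    """Constructed 10-sector source imaged to a 6-sector destination (req. 6)."""
    dest, log, _ = image(Source(bytes(SECTOR * 10)), dest_sectors=6)
    return len(dest) // SECTOR, log


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
    print(truncate_demo())
```

Hashing per block rather than once over the whole copy is what lets the verification step name the damaged region instead of only reporting "mismatch"; the block size is a trade-off between log volume and how precisely a later failure can be located.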

42
Optional Reqts (2/3)
  1. Create copy of partitions designated by user
  2. Log one or more of: tool version, subject disk ID,
    errors encountered, tool actions, start/finish
    run times, tool settings, user comments

43
Optional Reqts (3/3)
  • Create an image file on removable media that can
    be used to reconstruct a bit-stream duplicate
  • Bit-stream duplicate adjusts to alignment of
    cylinders on destination
  • On duplicate can only change: Partition table
    entries, Boot records, Fill areas for cylinder
    alignment, Excess space (fill area values in
    documentation)

44
Test Methodology
  • Identify software and procedures
  • Represent how well vs. what actions
  • Document scope, parameters, testing environment,
    expected results

45
Disk Image Test Method
  • Test setup
  • Disk setup
  • Test execution
  • Test results analysis
  • Documentation

46
Test Lab Form Sample
Form sections: Test Setup, Disk Setup, Execution, Analysis
Test Setup
  Tester: Pascal Openshaw
  Date Started: 12 October 2004
  Test Case ID: A001
  Test Case Summary: Copy XBIOS-IDE disk PT-N/A srcDST/NN fixed errors
  Testing Environment: PC - Beta 5
  Disks: B0 Fujitsu MPF3153 AT 8.455 MB as master and B1 Fujitsu MPF3153 AT 8.455 MB as slave
  Interface: XBIOS-IDE
  File Type: NTFS
  Test Software Used: DiskWipe 2.3, BadX13 2.1, DiskCmp 2.2, DiskHash 1.1
  Setup: Installed K3B
  Execute: Ran K3B
  Log Files ID/Loc: created folder on office machine labeled XX-08
  Expected Results: log file contains error messages and src/dest should compare qualified equal
  Results: A src read error was identified at 1,000,000; other sectors compared equal
  Log File Highlights: Errors from log file highlighted
  Analysis: Expected results were obtained
47
Test cases
  • Tests will verify each assertion
  • Each assertion provides a specific class of
    conditions that can be tested and the result that
    is expected
  • Identify parameters
  • Generate cases for study

48
Test form
  • Test case ID: A001
  • Test case summary: Copy CD-ROM
  • Test environment: Mandrake Linux
  • Test sw used: K3b
  • Setup: Installed K3b
  • Execute: Ran K3b, CD Copier

49
Sufficient testing
  • Show mandatory requirement
  • Test optional requirements

50
Outline
  • The Boot Process
  • Controlled Boot Environment
  • Disk Write Blockers
  • Disk Imaging Tool Testing
  • NIST Test Cases

51
DI-13
  • TEST: Copy a BIOS IDE source disk to a BIOS IDE
    destination disk, where the source contains a LINUX
    partition, the source disk is smaller than the
    destination, and the source contains a deleted
    file and a hidden file
  • After the duplicate is created on the
    destination, unhide the hidden file and undelete
    the deleted file
  • EXPECTED RESULT: Source compares qualified equal
    to destination; hidden and deleted files recovered

52
DI-44
  • TEST: Create an image from a LINUX SCSI source
    disk to a LINUX SCSI destination disk, where the
    source contains a LINUX partition and the source
    disk is the same size as the destination
  • Create the image on a removable medium
  • EXPECTED RESULTS: Source compares equal to
    destination

53
DI-77
  • TEST: Copy a BIOS IDE source disk to a BIOS IDE
    destination disk, where the source contains an NTFS
    partition, the source disk is smaller than the
    destination, and the source contains a deleted
    file and a hidden file
  • Create the image on a removable medium
  • Introduce an error on the image
  • After the duplicate is created on the
    destination, unhide the hidden file and undelete
    the deleted file
  • EXPECTED RESULT: Image verification error

54
DI-96
  • TEST: Create an image from an XBIOS IDE source
    disk to an XBIOS IDE destination disk, where the
    source disk is the same size as the destination
  • Introduce a write error writing to the image
  • EXPECTED RESULT: Error message logged

55
References
  1. Charles M. Kozierok, The DOS Boot Process,
    http://www.pcguide.com/ref/hdd/file/structBoot-c.html, April 17, 2001
  2. Primary, Extended and Logical Partitions,
    http://www.pcguide.com/ref/hdd/file/structPartitions-c.html, 2005
  3. WINDOWS XP BOOT SEQUENCE,
    http://www.compphix.com/xpbootprocess.html, 2005
  4. Red Hat Linux 9, A Detailed Look at the Boot Process,
    http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/ref-guide/s1-boot-init-shutdown-process.html, 2005
  5. National Institute of Standards and Technology (NIST), Disk Imaging Tool Specification,
    http://www.securitymanagement.com/library/NIST_diskimage1003.pdf, October 12, 2001
  6. NIST, Software Write Block,
    http://www.cftt.nist.gov/software_write_block.htm, 2003
  7. DIGITAL INTELLIGENCE, PDBLOCK,
    http://www.digitalintelligence.com/software/disoftware/pdblock/, 2006
  8. NIST, Setup and Test Procedures For Testing Interrupt 0x13 Based Software Write Block Tools,
    http://www.cftt.nist.gov/SWB%20test%20procedures.pdf, April 1, 2004

56
Assignment 2
  • Partition Table Doctor
  • Refer P6 of 8, and Textbook P48
  • Investigate DOS 6.22 image
  • Check when it was made
  • Find C:\ references in IO.SYS and command.com
  • Freeware Hex Editor XVI32