91.580.203 Computer

1
91.580.203 Computer Network Forensics

• Xinwen Fu
• Chapter 8
• System Boot Process and File Systems

2
Homework Submission

• Follow the submission policy tightly
• To xinwenfu_at_cs.uml.edu
• Subject 91.580.203AssignmentXXXXXX
• Attach your assignment
• Midterm exam
• 20 multiple-choice questions
• Released after class on Oct. 9
• Collected at 1155 on Oct. 10

3
Outline

• The Boot Process
• Controlled Boot Environment
• Disk Write Blockers
• Disk Imaging Tool Testing
• NIST Test Cases

4
Review of HD Boot Sequence (DOS)
power on self test (POST) by BIOS
master boot record
No
extended partition?
Yes
load extended partition tables
volume boot code of c
DOS
5
POST

• Power is on
• CPU ready to run, but run what?
• The BIOS performs the Power On Self Test (POST)
• RAM
• Video
• Keyboard
• drives, etc.

6
Master Boot Record

• Every hard disk must have a consistent starting
  point
• The place where this information is stored is
  called the master boot record (MBR) (also
  referred to as the master boot sector, or just
  boot sector)
• The MBR is always located at cylinder 0, head 0,
  and sector 1
• The master boot record contains the following
  structures
• Master Partition Table this small table
  contains the descriptions of the partitions that
  are contained on the hard disk
• There is only room for the information describing
  4 partitions

7
Master Boot Code

• Master Boot Code The MBR contains a small
  initial boot program that the BIOS loads and
  executes to start the boot process
• Since the master boot code is the first program
  executed in RAM when you turn on your pc, this is
  a favorite place for virus writers to target

8
DOS System Files

• To control the boot process, we must intercept it
  with a controlled-boot floppy.
• Boot record identifies the operating system and
  points to the next file to be loaded, which is
  IO.SYS.

9
Unix Boot Process
power on self test (POST) by BIOS
master boot record - boot loader
kernel
user environment (/sbin/init)
10
Two-stage Boot Loader

• Unix systems implement a two-stage loading
  process
• First stage, a small boot program is read into
  memory from MBR
• Locate the second stage boot loader and load the
  first part of it into memory
• Second stage (/boot/???)
• Present the user with the operating system choice
  screen
• Locate the kernel and load the kernel
  /boot/vmlinuz-ltkernel-versiongt
• Place initrd (initial RAM disk image) into memory
  (used by the kernel to load drivers)

11
Kernel

• Once the kernel is loaded, it remains in the
  memory during the running of the system and is
  usually run in a fixed amount of memory
• The kernel probes the bus to locate the devices
  specified during the configuration, and
  initializes the located devices
• Hardware
• Virtual devices
• Unmount the initrd image
• Create a root device

12
Kernel (Cont.)

• System Processes The kernel identifies the root,
  swap, and dump devices and then starts programs
  to
• Schedule processes,
• Sched The real-time scheduler.
• Manage physical memory and virtual memory, and
  the
• Swapper It manages the physical memory by moving
  process from physical memory to swap space when
  more physical memory is needed.
• Page Daemon Various memory handlers run as
  process 2.
• init process.

13
Create User Environment (/sbin/init)

• The last step in bootstrapping and identified by
  process id 1
• /etc/inittab init configuration file
• /etc/rc.d/rc.sysinit set path, clock
• /etc/rc.d/init.d/functions - how to determine
  process id
• Run shell scripts based on the runlevel - e.g.,
  /etc/rc.d/rc5.d
• The startup scripts are defined and organized
  differently on different systems
• On BSD systems the startup scripts may be found
  in the /etc directory and their names begin with
  rc, e.g., /etc/rc.boot, /etc/rc.single,/etc/rc.loc
  al and so on

14
Run Level (Red Hat/Fedora Core)
Run Level Scripts Directory State
0 /etc/rc.d/rc0.d/ shutdown/halt system
1 /etc/rc.d/rc1.d/ Single user mode
2 /etc/rc.d/rc2.d/ Multiuser with no network services exported
3 /etc/rc.d/rc3.d/ Default text/console only start. Full multiuser
4 /etc/rc.d/rc4.d/ Reserved for local use. Also X-windows (Slackware/BSD)
5 /etc/rc.d/rc5.d/ XDM X-windows GUI mode (Redhat/System V)
6 /etc/rc.d/rc6.d/ Reboot
s or S Single user/Maintenance mode (Slackware)
M Multiuser mode (Slackware)
15
Some Notes

• Single User Mode
• Single user shell is always Bourne Shell (sh) and
  it runs as 'root'.
• It enables the system manager to perform various
  administrative functions, such as setting the
  date, checking the consistency of the file
  system, reconfiguring the list of on-line
  terminals, and so on.
• At this stage only the root partition is usually
  mounted.
• The file system consistency check may be
  performed by the command fsck, usually found in
  the /etc directory.

16
Windows 2000/NT/XP Bootstrapping

• 6 Stages
• POST
• Choose OS
• Kernel Load
• Kernel Initialization
• Services Load
• Logon

http//www.compphix.com/xpbootprocess.html
17
Summary

• Every disk has a consistent starting point (MBR
  or boot sector CHS 001)
• A control boot disk (floppy/CD) allows us to
  control the bootstrapping process
• DOS makes a good boot environment since we
  understand what is happening!

18
Outline

• The Boot Process
• Controlled Boot Environment
• Disk Write Blockers
• Disk Imaging Tool Testing
• NIST Test Cases

19
Note Boot Considerations

• Background we want to use a floppy disk and boot
  the suspect system
• BIOS Setting
• Need to ensure that system boots from proper
  device such as CDROM, Floppy
• Interrupt keys (varies by manufacturers)
• F12, Del, F1

20
Controlled Boot Floppy

• A controlled boot floppy enables you to
• Bypass possible destructive processes set by the
  suspect to destroy evidence
• Maintain evidence integrity by preventing any
  possible changes to the suspects hard disk

21
A Basic Controlled DOS Boot Floppy

• Minimum Requirements
• Will boot the computer without allowing any
  writes to the Hard Disk
• Will automatically install hard disk write
  protection
• Will ensure drive letters are assigned to all FAT
  logical drives by including a LASTDRIVEZ
  statement in the CONFIG.SYS file

22
Media

• Variety of disks in every possible format
• 5¼ Low density, high density floppies
• 3½ Low density, high density floppies
• Bootable CD-ROMs

23
Media (Cont.)

• New, clean media for each case
• Pre-used media should be wiped
• Error free and formatted by format
• /U Format option
• Standard Format AND overwrites data area with
  F6h
• /S Format option
• Standard Format AND copies system files to disk
  after format

24
Files (DOS)
http//www.digitalintelligence.com/software/disoft
ware/pdblock/

• Required system files
• IO.SYS
• Altered if necessary to prevent write to disk
• MSDOS.SYS
• COMMAND.COM
• AUTOEXEC.BAT
• Edited to automatically load the hard drive
  write blocker, e.g., PDBLOCK from digital
  intelligence
• CONFIG.SYS
• Edited to include LASTDRIVEZ to ensure drive
  letter assignments

25
External DOS Commands

• Not loaded with COMMAND.COM
• Usually installed in the WINDOWS\COMMAND
  subdirectory
• Our copies must be on the control boot floppy
• Are either EXE or COM files

FDISK FORMAT DELTREE CHKDSK ATTRIB
UNFORMAT UNDELETE XCOPY
26
Note Why should we change IO.SYS?

• DOS 6.22, Win95, Win98
• IO.SYS can automatically mount Compressed Volume
  Files
• If a compressed drive is mounted, it will make
  changes (write) to the hard drive
• This can happen even if booting from a floppy
• IO.SYS must be hacked to eliminate these calls to
  the hard drive
• Why? http//www.xxcopy.com/xxcopy15.htm ---
  reading assignment

Writing to the hard drive, when the system is in
our custody and control, means that we have
altered the evidence!
27
Outline

• The Boot Process
• Controlled Boot Environment
• Disk Write Blockers
• Disk Imaging Tool Testing
• NIST Test Cases

28
Disk Write Blockers

• Prevent data being written to the suspect drive
• Ensure the integrity of the suspect drive
• Software Write Blockers vs. Hardware

29
Normal HD Access
30
Normal HD Access - interrupt 0x13 interface

1. An application program issues an interrupt 0x13
   command.
2. The interrupt transfers control to the interrupt
   0x13 routine in the BIOS. The BIOS routine issues
   commands, ATA or SCSI as appropriate, directly to
   the hard drive controller.
3. The device does the requested operation and
   returns the result to the BIOS and then to the
   application program.

http//www.bitzenbytes.com/Content-Arcanum-18-1-53
.html
31
Software Write Block
User Application
32
Software Write Block (SWB) Change Interrupt
0x13 Interface

1. The SWB tool is executed. The SWB tool saves the
   current interrupt 0x13 routine entry address and
   installs a new interrupt 0x13 routine.
2. The application program initiates a drive I/O
   operation by invoking interrupt 0x13. The
   replacement routine installed by the SWB tool
   intercepts the command.
3. The SWB tool determines if the requested command
   should be blocked or if the command should be
   allowed.

33
Software Write Block

1. If a command is blocked, the SWB tool returns to
   the application program without passing any
   command to the BIOS I/O routines. Depending on
   SWB tool configuration either success or error is
   returned for the command status.
2. If the command is allowed (not blocked), the
   command is passed to the BIOS and the BIOS I/O
   routine issues required I/O commands (ATA, SCSI
   or other) to the drive controller so that the
   desired I/O operation occurs on the hard drive.
3. Results are returned to the application program.

34
Hardware Write Block

• A hardware write blocker (HWB) is a hardware
  device that attaches to a computer system with
  the primary purpose of intercepting and
  preventing (or blocking) any modifying commands
  from ever reaching the storage device.
• Physically, the device is connected between the
  computer and a storage device.
• Some of its functions include monitoring and
  filtering any activity that is transmitted or
  received between its interface connections to the
  computer and the storage device.

http//www.paralan.com/sr14.html
35
Summary

• Write blockers prevent data being written to the
  suspect drive
• 2 basic approaches
• Hardware and Software
• Software write blockers can be bypassed
  (sometimes unknowingly)
• Hardware write blockers are now the industry
  standard.
• NIST (National Institute of Standards and
  Technology) has excellent specs/standards for
  write blockers.

36
Outline

• The Boot Process
• Controlled Boot Environment
• Disk Write Blockers
• Disk Imaging Tool Testing
• NIST Test Cases

37
Imaging Tool Requirements

1. Exact duplicate of the original disk
2. Not alter the original disk
3. Able to verify integrity of image
4. Log I/O errors
5. Tool documentation correct

38
Definitions - Image

• Digital
• Sometimes compressed
• Bit-stream duplicate of original digital object
• Can be reconstructed

39
Definitions Qualified Copy

• Qualified bit-stream duplicate (in case there are
  errors during imaging)
• Duplicate except in identified areas
• Identified areas replaced by values specified by
  a disk imaging tools documentation
• Partition table entries to reflect relocated
  partitions
• Boot records
• Fill areas for cylinder alignment and excess disk
  space

40
Mandatory Requirements of Tools

1. Shall not alter original
2. No errors ? create bit-stream duplicate or image
   of source
3. Errors ? create qualified bit-stream duplicate,
   identified values are marked
4. Log errors in readable form, including type and
   location
5. Destination larger than Source document areas of
   destination not included in source
6. Destination smaller than Source notify user,
   truncate, and log

41
Optional Requirements of Tools (1/3)

• If a tool provides the capability defined, the
  tool is tested as if the requirement were
  mandatory.
• Create hash value of copy, compare to hash
  computed at time of creation, log comparisons do
  same if bit-stream divided in blocks

42
Optional Reqts (2/3)

1. Create copy of partitions designated by user
2. Log one or more tool version, subject disk ID,
   errors encountered, tool actions, start/finish
   run times, tool settings, user comments

43
Optional Reqts (3/3)

• Create an image file on removable media that can
  be used to reconstruct a bit-stream duplicate
• Bit-stream duplicate adjusts to alignment of
  cylinders on destination
• On duplicate can only change Partition table
  entries Boot records Fill areas for cylinder
  alignment Excess space (fill areas values in
  documentation)

44
Test Methodology

• Identify software and procedures
• Represent how well vs. what actions
• Document scope, parameters, testing environment,
  expected results

45
Disk Image Test Method

• Test setup
• Disk setup
• Test execution
• Test results analysis
• Documentation

46
Test Lab Form Sample
Test Setup
Tester Pascal Openshaw Date Started 12 October
2004 Test Case ID A001 Test Case Summary Copy
XBIOS-IDE disk PT-N/A srcDST/NN fixed
errors Testing Environment PC - Beta 5 Disks
B0 Fujitsu MPF3153 AT 8.455 MB as master
and B1 Fujitsu MPF3153 AT 8.455 MB as slave
Interface XBIOS-IDE File Type - NTFS Test
Software Used DiskWipe 2.3 BadX13 2.1 DiskCmp
2.2 DiskHash 1.1 Setup Installed K3B Execute
Ran K3B Log Files ID Loc created folder on
office machine labeled XX-08 Expected Results
log file contains error messages and src/dest
should compare qualify equal Results A src
read error was identified at 1,000,000 other
sectors compaired equal Log File
Highlights Errors from log file
highlighted Analysis Expected results were
obtained
Disk Setup
Execution
Analysis
47
Test cases

• Tests will verify each assertion
• Each assertion provides a specific class of
  conditions that can be tested and the result that
  is expected
• Identify parameters
• Generate cases for study

48
Test form

• Test case ID
• Test case summary
• Test environment
• Test sw used
• Setup
• Execute

• A001
• Copy CD-ROM
• Mandrake Linux
• K3b
• Installed K3b
• Ran K3b, CD Copier

49
Sufficient testing

• Show mandatory requirement
• Test optional requirements

50
Outline

• The Boot Process
• Controlled Boot Environment
• Disk Write Blockers
• Disk Imaging Tool Testing
• NIST Test Cases

51
DI-13

• TEST Copy a BIOS IDE source disk to a BIOS IDE
  destination disk and the source contains a LINUX
  partition where source disk is the smaller than
  the destination and source contains a deleted
  file and a hidden file
• After the duplicate is created on the
  destination, unhide the hidden file and undelete
  the deleted file
• EXPECTED RESULT Source compares qualified equal
  to destination hidden and deleted files recovered

52
DI-44

• TEST Create an image from a LINUX SCSI source
  disk to a LINUX SCSI destination disk and the
  source contains a LINUX partition where source
  disk is the same size as the destination
• Create the image on a removable medium
• EXPECTED RESULTS Source compares equal to
  destination

53
DI-77

• TEST Copy a BIOS IDE source disk to a BIOS IDE
  destination disk and the source contains a NTFS
  partition where source disk is the smaller than
  the destination and source contains a deleted
  file and a hidden file
• Create the image on a removable medium
• Introduce an error on the image
• After the duplicate is created on the
  destination, unhide the hidden file and undelete
  the deleted file
• EXPECTED RESULT Image verification error

54
DI-96

• TEST Create an image from an XBIOS IDE source
  disk to a XBIOS IDE destination disk and where
  source disk is the same size as the destination
• Introduce a write error writing to the image
• EXPECTED RESULT Error message logged

55
References

1. Charles M. Kozierok, The DOS Boot Process,
   http//www.pcguide.com/ref/hdd/file/structBoot-c.h
   tml, April 17, 2001
2. Primary, Extended and Logical Partitions,
   http//www.pcguide.com/ref/hdd/file/structPartitio
   ns-c.html, 2005
3. WINDOWS XP BOOT SEQUENCE, http//www.compphix.com/
   xpbootprocess.html, 2005
4. Red Hat Linux 9, A Detailed Look at the Boot
   Process, http//www.redhat.com/docs/manuals/linux/
   RHL-9-Manual/ref-guide/s1-boot-init-shutdown-proce
   ss.html, 2005
5. National Institute of Standards and Technology
   (NIST), Disk Imaging Tool Specification,
   http//www.securitymanagement.com/library/NIST_dis
   kimage1003.pdf, October 12, 2001
6. NIST, Software Write Block, http//www.cftt.nist.g
   ov/software_write_block.htm, 2003
7. DIGITAL INTELLIGENCE, PDBLOCK, http//www.digitali
   ntelligence.com/software/disoftware/pdblock/,
   2006
8. NIST, Setup and Test Procedures For Testing
   Interrupt 0x13 Based Software Write Block Tools,
   http//www.cftt.nist.gov/SWB20test20procedures.p
   df, April 1, 2004

56
Assignment 2

• Partition Table Doctor
• Refer P6 of 8, and Textbook P48
• Investigate DOS 6.22 image
• Check when it was made
• Find C\ references in IO.SYS and command.com
• Freeware Hex Editor XVI32