Title: 91.580.203 Computer Network Forensics
1 91.580.203 Computer Network Forensics
- Xinwen Fu
- Chapter 8
- System Boot Process and File Systems
2 Homework Submission
- Follow the submission policy tightly
  - To: xinwenfu_at_cs.uml.edu
  - Subject: 91.580.203AssignmentXXXXXX
  - Attach your assignment
- Midterm exam
  - 20 multiple-choice questions
  - Released after class on Oct. 9
  - Collected at 11:55 on Oct. 10
3 Outline
- The Boot Process
- Controlled Boot Environment
- Disk Write Blockers
- Disk Imaging Tool Testing
- NIST Test Cases
4 Review of HD Boot Sequence (DOS)
[Flow chart] power on self test (POST) by BIOS → master boot record → extended partition? (Yes: load extended partition tables) → volume boot code of C: → DOS
5 POST
- Power is on
- CPU ready to run, but run what?
- The BIOS performs the Power On Self Test (POST)
- RAM
- Video
- Keyboard
- drives, etc.
6 Master Boot Record
- Every hard disk must have a consistent starting point
- The place where this information is stored is called the master boot record (MBR) (also referred to as the master boot sector, or just boot sector)
- The MBR is always located at cylinder 0, head 0, and sector 1
- The master boot record contains the following structures
  - Master Partition Table: this small table contains the descriptions of the partitions that are contained on the hard disk
  - There is only room for the information describing 4 partitions
7 Master Boot Code
- Master Boot Code: The MBR contains a small initial boot program that the BIOS loads and executes to start the boot process
- Since the master boot code is the first program executed in RAM when you turn on your PC, this is a favorite place for virus writers to target
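As an added example (not from the slides): a Python parser for the master partition table described on slides 6 and 7, run over a constructed 512-byte MBR. The 16-byte entry layout, the 0x55AA signature at offset 510 and the partition type codes are standard MBR values; the two sample partitions are made up.

```python
import hashlib
import struct

ENTRY = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count (16 bytes)
EXTENDED_TYPES = {0x05, 0x0F}
TYPE_NAMES = {0x05: "Extended", 0x0F: "Extended (LBA)", 0x06: "FAT16", 0x0B: "FAT32",
              0x0C: "FAT32 (LBA)", 0x07: "NTFS/HPFS", 0x82: "Linux swap", 0x83: "Linux"}

def _entry(status, ptype, lba_start, sectors):
    """Build one 16-byte partition entry (CHS fields are dummies; the LBA fields matter here)."""
    return struct.pack(ENTRY, status, b"\x01\x01\x00", ptype, b"\xfe\xff\xff", lba_start, sectors)

# Constructed MBR: 446 bytes of (zeroed) master boot code, a bootable NTFS primary partition,
# an extended partition container, two unused entries and the 0x55AA signature.
SAMPLE_MBR = (bytes(446) + _entry(0x80, 0x07, 63, 2048000)
              + _entry(0x00, 0x05, 2048063, 1024000) + bytes(32) + b"\x55\xAA")

def parse_mbr(sector):
    """Return the non-empty entries of the master partition table of a 512-byte MBR."""
    if len(sector) != 512:
        raise ValueError("an MBR is exactly one 512-byte sector (CHS 0/0/1)")
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature at offset 510")
    parts = []
    for i in range(4):                      # only room for 4 entries, 16 bytes each
        off = 446 + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY, sector[off:off + 16])
        if ptype == 0:
            continue                        # unused entry
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "type_name": TYPE_NAMES.get(ptype, "unknown"),
                      "lba_start": lba, "sectors": count,
                      "extended": ptype in EXTENDED_TYPES})
    return parts

def boot_code_digest(sector):
    """SHA-256 of the master boot code (bytes 0-445): compare against a known-good value
    to detect modification of this favourite target of boot-sector viruses."""
    return hashlib.sha256(sector[:446]).hexdigest()

def has_extended_partition(sector):
    """The decision point of the DOS boot sequence on slide 4: is an extended partition present?"""
    return any(p["extended"] for p in parse_mbr(sector))
```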
8 DOS System Files
- To control the boot process, we must intercept it with a controlled-boot floppy.
- The boot record identifies the operating system and points to the next file to be loaded, which is IO.SYS.
9 Unix Boot Process
[Flow chart] power on self test (POST) by BIOS → master boot record / boot loader → kernel → user environment (/sbin/init)
10 Two-stage Boot Loader
- Unix systems implement a two-stage loading process
- First stage: a small boot program is read into memory from the MBR
  - Locates the second stage boot loader and loads the first part of it into memory
- Second stage (/boot/???)
  - Presents the user with the operating system choice screen
  - Locates the kernel and loads it: /boot/vmlinuz-<kernel-version>
  - Places initrd (initial RAM disk image) into memory (used by the kernel to load drivers)
11 Kernel
- Once the kernel is loaded, it remains in memory during the running of the system and is usually run in a fixed amount of memory
- The kernel probes the bus to locate the devices specified during the configuration, and initializes the located devices
  - Hardware
  - Virtual devices
- Unmount the initrd image
- Create a root device
12 Kernel (Cont.)
- System Processes: The kernel identifies the root, swap, and dump devices and then starts programs to
  - Schedule processes
    - Sched: the real-time scheduler
  - Manage physical memory and virtual memory
    - Swapper: manages physical memory by moving processes from physical memory to swap space when more physical memory is needed
    - Page Daemon: various memory handlers run as process 2
  - Start the init process
13 Create User Environment (/sbin/init)
- The last step in bootstrapping, identified by process id 1
- /etc/inittab: init configuration file
- /etc/rc.d/rc.sysinit: set path, clock
- /etc/rc.d/init.d/functions: how to determine process id
- Run shell scripts based on the runlevel, e.g., /etc/rc.d/rc5.d
- The startup scripts are defined and organized differently on different systems
- On BSD systems the startup scripts may be found in the /etc directory and their names begin with rc, e.g., /etc/rc.boot, /etc/rc.single, /etc/rc.local and so on
14 Run Level (Red Hat/Fedora Core)

| Run Level | Scripts Directory | State |
|---|---|---|
| 0 | /etc/rc.d/rc0.d/ | Shutdown/halt system |
| 1 | /etc/rc.d/rc1.d/ | Single user mode |
| 2 | /etc/rc.d/rc2.d/ | Multiuser with no network services exported |
| 3 | /etc/rc.d/rc3.d/ | Default text/console only start. Full multiuser |
| 4 | /etc/rc.d/rc4.d/ | Reserved for local use. Also X-windows (Slackware/BSD) |
| 5 | /etc/rc.d/rc5.d/ | XDM X-windows GUI mode (Redhat/System V) |
| 6 | /etc/rc.d/rc6.d/ | Reboot |
| s or S | | Single user/Maintenance mode (Slackware) |
| M | | Multiuser mode (Slackware) |
15 Some Notes
- Single User Mode
  - The single user shell is always the Bourne Shell (sh) and it runs as 'root'.
  - It enables the system manager to perform various administrative functions, such as setting the date, checking the consistency of the file system, reconfiguring the list of on-line terminals, and so on.
  - At this stage only the root partition is usually mounted.
  - The file system consistency check may be performed by the command fsck, usually found in the /etc directory.
16 Windows 2000/NT/XP Bootstrapping
- 6 Stages
  - POST
  - Choose OS
  - Kernel Load
  - Kernel Initialization
  - Services Load
  - Logon
http://www.compphix.com/xpbootprocess.html
17 Summary
- Every disk has a consistent starting point (MBR or boot sector, CHS 0/0/1)
- A controlled boot disk (floppy/CD) allows us to control the bootstrapping process
- DOS makes a good boot environment since we understand what is happening!
18 Outline
- The Boot Process
- Controlled Boot Environment
- Disk Write Blockers
- Disk Imaging Tool Testing
- NIST Test Cases
19 Note: Boot Considerations
- Background: we want to use a floppy disk and boot the suspect system
- BIOS Setting
  - Need to ensure that the system boots from the proper device, such as CDROM or Floppy
  - Interrupt keys (vary by manufacturer): F12, Del, F1
20 Controlled Boot Floppy
- A controlled boot floppy enables you to
  - Bypass possible destructive processes set by the suspect to destroy evidence
  - Maintain evidence integrity by preventing any possible changes to the suspect's hard disk
21 A Basic Controlled DOS Boot Floppy
- Minimum Requirements
  - Will boot the computer without allowing any writes to the hard disk
  - Will automatically install hard disk write protection
  - Will ensure drive letters are assigned to all FAT logical drives by including a LASTDRIVE=Z statement in the CONFIG.SYS file
22 Media
- Variety of disks in every possible format
- 5¼ Low density, high density floppies
- 3½ Low density, high density floppies
- Bootable CD-ROMs
23 Media (Cont.)
- New, clean media for each case
- Pre-used media should be wiped
- Error free and formatted by FORMAT
  - /U Format option: standard format AND overwrites the data area with F6h
  - /S Format option: standard format AND copies the system files to the disk after the format
24 Files (DOS)
http://www.digitalintelligence.com/software/disoftware/pdblock/
- Required system files
  - IO.SYS
    - Altered if necessary to prevent writes to disk
  - MSDOS.SYS
  - COMMAND.COM
  - AUTOEXEC.BAT
    - Edited to automatically load the hard drive write blocker, e.g., PDBLOCK from Digital Intelligence
  - CONFIG.SYS
    - Edited to include LASTDRIVE=Z to ensure drive letter assignments
25 External DOS Commands
- Not loaded with COMMAND.COM
- Usually installed in the WINDOWS\COMMAND subdirectory
- Our copies must be on the control boot floppy
- Are either EXE or COM files
- Examples: FDISK, FORMAT, DELTREE, CHKDSK, ATTRIB, UNFORMAT, UNDELETE, XCOPY
26 Note: Why should we change IO.SYS?
- DOS 6.22, Win95, Win98
  - IO.SYS can automatically mount Compressed Volume Files
  - If a compressed drive is mounted, it will make changes (write) to the hard drive
  - This can happen even if booting from a floppy
- IO.SYS must be hacked to eliminate these calls to the hard drive
- Why? http://www.xxcopy.com/xxcopy15.htm --- reading assignment
Writing to the hard drive, when the system is in our custody and control, means that we have altered the evidence!
27 Outline
- The Boot Process
- Controlled Boot Environment
- Disk Write Blockers
- Disk Imaging Tool Testing
- NIST Test Cases
28 Disk Write Blockers
- Prevent data being written to the suspect drive
- Ensure the integrity of the suspect drive
- Software Write Blockers vs. Hardware
29 Normal HD Access
30 Normal HD Access - interrupt 0x13 interface
- An application program issues an interrupt 0x13 command.
- The interrupt transfers control to the interrupt 0x13 routine in the BIOS. The BIOS routine issues commands, ATA or SCSI as appropriate, directly to the hard drive controller.
- The device does the requested operation and returns the result to the BIOS and then to the application program.
http://www.bitzenbytes.com/Content-Arcanum-18-1-53.html
31 Software Write Block
[Figure] User Application
32 Software Write Block (SWB): Change Interrupt 0x13 Interface
- The SWB tool is executed. The SWB tool saves the current interrupt 0x13 routine entry address and installs a new interrupt 0x13 routine.
- The application program initiates a drive I/O operation by invoking interrupt 0x13. The replacement routine installed by the SWB tool intercepts the command.
- The SWB tool determines if the requested command should be blocked or if the command should be allowed.
33 Software Write Block
- If a command is blocked, the SWB tool returns to the application program without passing any command to the BIOS I/O routines. Depending on the SWB tool configuration, either success or error is returned for the command status.
- If the command is allowed (not blocked), the command is passed to the BIOS and the BIOS I/O routine issues the required I/O commands (ATA, SCSI or other) to the drive controller so that the desired I/O operation occurs on the hard drive.
- Results are returned to the application program.
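As an added example (not from the slides or from any SWB tool): a Python model of the interrupt 0x13 interception flow on slides 32 and 33. The BIOS, the drive and the interrupt vector are stand-ins; the function numbers in AH are the common INT 13h services (02h read, 03h write, 05h format track, 42h extended read, 43h extended write), and `report_error` models the configuration choice between returning success or error for a blocked command.

```python
MODIFYING = {0x03, 0x05, 0x43}            # INT 13h: write sectors, format track, extended write
SECTOR = 512

class Bios:
    """Stand-in for the BIOS interrupt 0x13 routine over a constructed in-memory drive."""
    def __init__(self, n_sectors):
        self.disk = [bytearray(SECTOR) for _ in range(n_sectors)]
        self.writes = 0                   # how many modifying commands reached the "drive"
    def int13(self, ah, lba, data=None):
        """Return (success, data); success mirrors the carry flag being clear."""
        if lba >= len(self.disk):
            return False, None
        if ah in (0x02, 0x42):            # read sectors / extended read
            return True, bytes(self.disk[lba])
        if ah in (0x03, 0x43):            # write sectors / extended write
            self.disk[lba][:] = data
            self.writes += 1
            return True, None
        if ah == 0x05:                    # format track: also modifies the drive
            self.disk[lba][:] = bytes(SECTOR)
            self.writes += 1
            return True, None
        return True, None                 # reset, status and parameter queries: no change

class SoftwareWriteBlocker:
    """Replacement interrupt 0x13 routine installed over the BIOS entry point."""
    def __init__(self, bios, report_error=False):
        self.saved_int13 = bios.int13     # save the current routine's entry "address"
        self.report_error = report_error  # configuration: status returned for blocked commands
        self.blocked = []                 # audit trail of intercepted modifying commands
        bios.int13 = self.new_int13       # install the replacement routine

    def new_int13(self, ah, lba, data=None):
        if ah in MODIFYING:               # blocked: return without calling the BIOS at all
            self.blocked.append((ah, lba))
            return (not self.report_error), None
        return self.saved_int13(ah, lba, data)   # allowed: pass through to the BIOS routine

def run_scenario(report_error=False):
    """Read a sector, attempt to overwrite it, read it back; return what the application sees."""
    bios = Bios(8)
    bios.disk[1][:4] = b"EVID"            # constructed evidence bytes on the suspect drive
    swb = SoftwareWriteBlocker(bios, report_error)
    before = bios.int13(0x02, 1)[1][:4]
    write_ok, _ = bios.int13(0x03, 1, b"X" * SECTOR)
    after = bios.int13(0x02, 1)[1][:4]
    return {"before": before, "after": after, "write_status": write_ok,
            "bios_writes": bios.writes, "blocked": len(swb.blocked)}
```

Only commands that travel through interrupt 0x13 are visible to this hook, which is why the summary slide notes that software write blockers can be bypassed and why hardware blockers sit physically between computer and drive.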
34 Hardware Write Block
- A hardware write blocker (HWB) is a hardware device that attaches to a computer system with the primary purpose of intercepting and preventing (or blocking) any modifying commands from ever reaching the storage device.
- Physically, the device is connected between the computer and a storage device.
- Some of its functions include monitoring and filtering any activity that is transmitted or received between its interface connections to the computer and the storage device.
http://www.paralan.com/sr14.html
35 Summary
- Write blockers prevent data being written to the suspect drive
- 2 basic approaches: hardware and software
- Software write blockers can be bypassed (sometimes unknowingly)
- Hardware write blockers are now the industry standard.
- NIST (National Institute of Standards and Technology) has excellent specs/standards for write blockers.
36 Outline
- The Boot Process
- Controlled Boot Environment
- Disk Write Blockers
- Disk Imaging Tool Testing
- NIST Test Cases
37 Imaging Tool Requirements
- Exact duplicate of the original disk
- Not alter the original disk
- Able to verify integrity of image
- Log I/O errors
- Tool documentation correct
38 Definitions: Image
- Digital
- Sometimes compressed
- Bit-stream duplicate of original digital object
- Can be reconstructed
39 Definitions: Qualified Copy
- Qualified bit-stream duplicate (in case there are errors during imaging)
- Duplicate except in identified areas
- Identified areas replaced by values specified by a disk imaging tool's documentation
  - Partition table entries to reflect relocated partitions
  - Boot records
  - Fill areas for cylinder alignment and excess disk space
40 Mandatory Requirements of Tools
- Shall not alter the original
- No errors → create a bit-stream duplicate or image of the source
- Errors → create a qualified bit-stream duplicate; identified values are marked
- Log errors in readable form, including type and location
- Destination larger than source → document areas of the destination not included in the source
- Destination smaller than source → notify the user, truncate, and log
41 Optional Requirements of Tools (1/3)
- If a tool provides the capability defined, the tool is tested as if the requirement were mandatory.
- Create a hash value of the copy, compare it to the hash computed at the time of creation, and log the comparison; do the same if the bit-stream is divided into blocks
42 Optional Reqts (2/3)
- Create a copy of partitions designated by the user
- Log one or more of: tool version, subject disk ID, errors encountered, tool actions, start/finish run times, tool settings, user comments
43 Optional Reqts (3/3)
- Create an image file on removable media that can be used to reconstruct a bit-stream duplicate
- Bit-stream duplicate adjusts to the alignment of cylinders on the destination
- On a duplicate, only the following may change: partition table entries, boot records, fill areas for cylinder alignment, excess space (fill area values in documentation)
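As an added example (not from the slides or from the NIST specification): a small Python imaging routine that follows the mandatory requirements of slide 40 (source never written, read errors replaced by a documented fill value and logged with type and location, destination size mismatches handled and logged) together with the hash verification and qualified comparison of slides 39 and 41. The disk, the fill value 0xF6 and the sectors that fail to read are constructed.

```python
import hashlib

SECTOR = 512
FILL = b"\xF6" * SECTOR   # documented replacement for unreadable sectors (constructed choice)

class SourceDisk:
    """Constructed source: sectors plus the set of sector numbers that fail to read."""
    def __init__(self, sectors, bad=()):
        self.sectors, self.bad = sectors, set(bad)
    def read(self, lba):
        if lba in self.bad:
            raise OSError(f"read error at sector {lba}")
        return self.sectors[lba]

def image_disk(src, dst_sectors):
    """Bit-stream copy of src into a destination holding dst_sectors sectors.
    The source is only read. Unreadable sectors get FILL and an ERROR entry with type and
    location, making the result a qualified copy. A smaller destination is truncated and
    logged; a larger one has its unused area documented. Returns (image, log, sha256, kind)."""
    log, image, h = [], [], hashlib.sha256()
    n = len(src.sectors)
    if dst_sectors < n:
        log.append(f"WARN destination {dst_sectors} sectors < source {n} sectors; truncating")
    for lba in range(min(n, dst_sectors)):
        try:
            s = src.read(lba)
        except OSError:
            log.append(f"ERROR type=read location={lba} action=filled")
            s = FILL
        image.append(s)
        h.update(s)
    if dst_sectors > n:
        log.append(f"INFO destination sectors {n}..{dst_sectors - 1} are not part of the source")
    kind = "qualified" if any(e.startswith("ERROR") for e in log) else "exact"
    return image, log, h.hexdigest(), kind

def verify_image(image, recorded_hash):
    """Recompute the hash of the copy and compare it with the one recorded at creation."""
    h = hashlib.sha256()
    for s in image:
        h.update(s)
    return h.hexdigest() == recorded_hash

def compare_qualified(src_sectors, image, error_lbas):
    """True if the image equals the source except at identified sectors, which must hold FILL."""
    if len(image) > len(src_sectors):
        return False
    return all((image[i] == FILL) if i in error_lbas else (image[i] == src_sectors[i])
               for i in range(len(image)))
```

Introducing an error into the image after creation (the DI-77 case below) makes `verify_image` fail, while a genuine read error during imaging yields a copy that still compares qualified equal (the DI-13 case).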
44 Test Methodology
- Identify software and procedures
- Represent how well vs. what actions
- Document scope, parameters, testing environment, expected results
45 Disk Image Test Method
- Test setup
- Disk setup
- Test execution
- Test results analysis
- Documentation
46 Test Lab Form Sample
Test Setup
- Tester: Pascal Openshaw
- Date Started: 12 October 2004
- Test Case ID: A001
- Test Case Summary: Copy XBIOS-IDE disk PT-N/A srcDST/NN fixed errors
- Testing Environment: PC - Beta 5
- Disks: B0 Fujitsu MPF3153 AT 8.455 MB as master and B1 Fujitsu MPF3153 AT 8.455 MB as slave
- Interface: XBIOS-IDE
- File Type: NTFS
- Test Software Used: DiskWipe 2.3, BadX13 2.1, DiskCmp 2.2, DiskHash 1.1
- Setup: Installed K3B
- Execute: Ran K3B
- Log Files ID Loc: created folder on office machine labeled XX-08
- Expected Results: log file contains error messages and src/dest should compare qualified equal
- Results: A src read error was identified at 1,000,000; other sectors compared equal
- Log File Highlights: Errors from log file highlighted
- Analysis: Expected results were obtained
Disk Setup
Execution
Analysis
47 Test cases
- Tests will verify each assertion
- Each assertion provides a specific class of conditions that can be tested and the result that is expected
- Identify parameters
- Generate cases for study
48 Test form
- Test case ID: A001
- Test case summary: Copy CD-ROM
- Test environment: Mandrake Linux
- Test sw used: K3b
- Setup: Installed K3b
- Execute: Ran K3b, CD Copier
49 Sufficient testing
- Show mandatory requirement
- Test optional requirements
50 Outline
- The Boot Process
- Controlled Boot Environment
- Disk Write Blockers
- Disk Imaging Tool Testing
- NIST Test Cases
51 DI-13
- TEST: Copy a BIOS IDE source disk to a BIOS IDE destination disk, where the source contains a LINUX partition, the source disk is smaller than the destination, and the source contains a deleted file and a hidden file
- After the duplicate is created on the destination, unhide the hidden file and undelete the deleted file
- EXPECTED RESULT: Source compares qualified equal to destination; hidden and deleted files recovered
52 DI-44
- TEST: Create an image from a LINUX SCSI source disk to a LINUX SCSI destination disk, where the source contains a LINUX partition and the source disk is the same size as the destination
- Create the image on a removable medium
- EXPECTED RESULTS: Source compares equal to destination
53 DI-77
- TEST: Copy a BIOS IDE source disk to a BIOS IDE destination disk, where the source contains an NTFS partition, the source disk is smaller than the destination, and the source contains a deleted file and a hidden file
- Create the image on a removable medium
- Introduce an error on the image
- After the duplicate is created on the destination, unhide the hidden file and undelete the deleted file
- EXPECTED RESULT: Image verification error
54 DI-96
- TEST: Create an image from an XBIOS IDE source disk to an XBIOS IDE destination disk, where the source disk is the same size as the destination
- Introduce a write error while writing to the image
- EXPECTED RESULT: Error message logged
55 References
- Charles M. Kozierok, The DOS Boot Process, http://www.pcguide.com/ref/hdd/file/structBoot-c.html, April 17, 2001
- Primary, Extended and Logical Partitions, http://www.pcguide.com/ref/hdd/file/structPartitions-c.html, 2005
- WINDOWS XP BOOT SEQUENCE, http://www.compphix.com/xpbootprocess.html, 2005
- Red Hat Linux 9, A Detailed Look at the Boot Process, http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/ref-guide/s1-boot-init-shutdown-process.html, 2005
- National Institute of Standards and Technology (NIST), Disk Imaging Tool Specification, http://www.securitymanagement.com/library/NIST_diskimage1003.pdf, October 12, 2001
- NIST, Software Write Block, http://www.cftt.nist.gov/software_write_block.htm, 2003
- DIGITAL INTELLIGENCE, PDBLOCK, http://www.digitalintelligence.com/software/disoftware/pdblock/, 2006
- NIST, Setup and Test Procedures For Testing Interrupt 0x13 Based Software Write Block Tools, http://www.cftt.nist.gov/SWB%20test%20procedures.pdf, April 1, 2004
56 Assignment 2
- Partition Table Doctor
- Refer to P6 of 8, and Textbook P48
- Investigate DOS 6.22 image
  - Check when it was made
  - Find C:\ references in IO.SYS and command.com
- Freeware Hex Editor XVI32