CSN08101 Digital Forensics: Lecture 5A: PC Boot Sequence and Storage Devices
Objectives
Computer Hardware
Memory
Central Processing Unit (CPU)
Hard disk
Basic Input/Output System (BIOS)
  Considered legacy, still very common
Boot Process
BIOS Instructions -> Disk Sector 0 Instructions -> Partition Sector 0 Instructions -> Operating System Files
1. When the PC is turned on, the CPU begins executing the instructions in the ROM BIOS chip, starting at a pre-defined instruction location.
2. The BIOS performs the power-on self-test (POST). If there are errors, the BIOS generates appropriate messages and/or beep codes, and the boot process stops.
3. If the POST tests are successful, the BIOS from any other adapter cards are combined with the normal BIOS and loaded into memory (shadowing), where they can be executed faster than in ROM.
4. The list of devices found during the POST is compared with the list of devices in the non-volatile BIOS memory (CMOS) chip.
5. If the lists differ, then a new device must have been added. In this case, the BIOS memory is updated accordingly, and available system resources (such as IRQs) are assigned to the new devices.
6. The BIOS loads and executes the master boot code in the master boot record of the first bootable device.
7. The master boot code locates the active partition of that device, then locates and executes the volume boot code in the volume boot record of that partition.
8. The volume boot code of the active partition locates and executes the operating system files on the partition, and transfers control to them.
9. The operating system now completes the boot process by loading appropriate device drivers. If device drivers for any new devices cannot be found, the operating system will generate an appropriate message, and give the user an opportunity to install the drivers now, or at a later time.
http://www.cci-compeng.com
Storage Media
Hard disks, floppy disks, thumb drives etc.
Hard disks are the richest in digital evidence
Integrated Disk Electronics (IDE) or Advanced Technology Attachment (ATA)
Higher performance SCSI drives
FireWire is an adaptation of SCSI standards that provides high speed access to a chain of devices
All hard drives contain platters made of light, rigid material such as aluminum, ceramic or glass
Hard Disks
Storage
Cylinders are the data tracks that the data is recorded on
Each track/cylinder is divided into sectors that contain 512 bytes (512*8 bits) of information
The location of data can be determined by which cylinder it is on, which head can access it and which sector contains it: CHS addressing
Capacity of a hard drive = C*H*S*512
Storage Characteristics
Volatility
  Non-Volatile
  Volatile
Mutability
  Read/Write
  Read Only
  Slow Write, Fast Read Storage
Accessibility
  Random Access
  Sequential Access
Addressability
  Location
  File Content
CHS Values
16-bit Cylinder value (C), 4-bit Head value (H), 8-bit Sector value (S)
Old BIOS: 10-bit C, 8-bit H, 6-bit S; limited to 528MB disk
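The CHS arithmetic from the two slides above, as an added example (not code from the lecture): converting between CHS triples and logical block addresses, and computing the capacity that follows from the field widths. The 528MB figure is what you get when the old BIOS (1024 cylinders) drives an ATA disk (16 heads), because a disk addressed through both interfaces is limited by the narrower field in each position: 1024 x 16 x 63 x 512 bytes. The geometry values and field widths are those quoted on the slides; nothing else is assumed.

```python
# Added example (not from the lecture slides): CHS <-> LBA arithmetic and the
# capacity limits that follow from the bit widths quoted above.
from dataclasses import dataclass

SECTOR_SIZE = 512  # bytes per sector, as stated in the lecture


@dataclass(frozen=True)
class Geometry:
    cylinders: int          # C values run 0 .. cylinders-1
    heads: int              # H values run 0 .. heads-1
    sectors_per_track: int  # S values run 1 .. sectors_per_track (sector 0 is not used)

    def total_sectors(self) -> int:
        return self.cylinders * self.heads * self.sectors_per_track

    def capacity_bytes(self) -> int:
        # Slide formula: capacity = C * H * S * 512
        return self.total_sectors() * SECTOR_SIZE


def chs_to_lba(geom: Geometry, c: int, h: int, s: int) -> int:
    """Map a CHS triple onto a 0-based logical block address (LBA)."""
    if not (0 <= c < geom.cylinders and 0 <= h < geom.heads
            and 1 <= s <= geom.sectors_per_track):
        raise ValueError(f"CHS ({c}/{h}/{s}) lies outside geometry {geom}")
    return (c * geom.heads + h) * geom.sectors_per_track + (s - 1)


def lba_to_chs(geom: Geometry, lba: int) -> tuple:
    """Inverse of chs_to_lba: recover (C, H, S) from an LBA."""
    if not 0 <= lba < geom.total_sectors():
        raise ValueError(f"LBA {lba} lies outside geometry {geom}")
    c, rem = divmod(lba, geom.heads * geom.sectors_per_track)
    h, s_zero_based = divmod(rem, geom.sectors_per_track)
    return c, h, s_zero_based + 1


def widest_common_geometry(*field_widths) -> Geometry:
    """Largest geometry that every listed interface can address.

    Each argument is (cylinder_bits, head_bits, sector_bits). A disk seen
    through two interfaces is limited by the narrower field in each position.
    """
    c = min(1 << cb for cb, _, _ in field_widths)
    h = min(1 << hb for _, hb, _ in field_widths)
    s = min((1 << sb) - 1 for _, _, sb in field_widths)  # sectors count from 1
    return Geometry(c, h, s)


ATA_FIELDS = (16, 4, 8)       # slide: 16-bit C, 4-bit H, 8-bit S
OLD_BIOS_FIELDS = (10, 8, 6)  # slide: 10-bit C, 8-bit H, 6-bit S


def legacy_limit_bytes() -> int:
    """Capacity reachable when the old BIOS talks to an ATA drive."""
    return widest_common_geometry(ATA_FIELDS, OLD_BIOS_FIELDS).capacity_bytes()


if __name__ == "__main__":
    geom = widest_common_geometry(ATA_FIELDS, OLD_BIOS_FIELDS)
    print(geom, f"{legacy_limit_bytes():,} bytes")          # 1024/16/63 -> 528,482,304 bytes
    print(chs_to_lba(geom, 0, 1, 1), lba_to_chs(geom, 63))  # 63 and (0, 1, 1)
```

CHS 0/1/1 mapping to LBA 63 is why so many partition tables from this era show a first partition starting at sector 63: the partition begins on the first sector of the second track.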
Storage Volume
[Figure: a storage volume divided into Partition 1 and Partition 2]
Volume vs Partition
Volume
A selection of addressable sectors that can be used by an OS or application. These sectors do not have to be consecutive
Partition
A selection of addressable sectors that are consecutive. By definition, a partition is a volume
[Figure: Disk 1 (Partition 1, Partition 2, Partition 3, Partition 4) and Disk 2, with the C: Volume and D: Volume mapped onto them]
Sector Addressing
Partition 1 Starting Address: 0
Partition 2 Starting Address: 864

Physical Address   Logical Disk Volume Address   Logical Partition Volume Address
100                100                           100
569                569                           N/A
964                964                           100
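The three address translations in the table above, worked as an added example (not code from the lecture). The partition start sectors (0 and 864) come from the slide; the partition lengths are assumptions, chosen so that sector 569 falls in the unallocated gap between the two partitions, which is what the slide's "N/A" entry requires. For a whole-disk image the logical disk volume address equals the physical address.

```python
# Added example (not from the lecture slides): translating a physical sector
# address into the logical disk volume address and the logical partition
# volume address. Partition starts (0, 864) are from the slide; the lengths
# (500, 1200) are constructed.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Partition:
    name: str
    start: int   # first sector, as a logical disk volume address
    length: int  # number of sectors

    @property
    def end(self) -> int:
        """Last sector of the partition (inclusive)."""
        return self.start + self.length - 1

    def contains(self, disk_addr: int) -> bool:
        return self.start <= disk_addr <= self.end


# Constructed layout: Partition 1 covers sectors 0-499, sectors 500-863 are
# unallocated, Partition 2 starts at 864 (lengths are assumptions).
PARTITIONS = (Partition("Partition 1", 0, 500), Partition("Partition 2", 864, 1200))


def translate(physical: int, partitions=PARTITIONS) -> Tuple[int, Optional[Tuple[str, int]]]:
    """Return (logical disk volume address, (partition name, logical partition address)).

    The second element is None when the sector lies in no partition, which is
    the slide's "N/A" case.
    """
    if physical < 0:
        raise ValueError("sector addresses are non-negative")
    disk_addr = physical  # whole-disk image: disk volume address == physical address
    for part in partitions:
        if part.contains(disk_addr):
            return disk_addr, (part.name, disk_addr - part.start)
    return disk_addr, None


def to_physical(partition_name: str, partition_addr: int, partitions=PARTITIONS) -> int:
    """Inverse mapping: a logical partition volume address back to a physical sector."""
    for part in partitions:
        if part.name == partition_name:
            if not 0 <= partition_addr < part.length:
                raise ValueError(f"{partition_addr} is past the end of {partition_name}")
            return part.start + partition_addr
    raise KeyError(partition_name)


if __name__ == "__main__":
    for phys in (100, 569, 964):
        print(phys, translate(phys))
```

The inverse mapping matters in practice: a file system tool reports addresses relative to its partition, and to carve or hash the same sector from the raw image you have to add the partition's starting address back.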
Partition Analysis
Perform a sanity check to ensure that the partition table is telling the truth
This is important when imaging
Sanity Check
[Figure: Partition 1 and Partition 2 layouts compared against what the partition table reports]
Partition Table
Starting CHS Address
Ending CHS Address
Starting LBA Address
Number of Sectors in Partition
Type of Partition
Flags
Limitation
2 Terabyte Disk Partition Limitation
MBR Partition size field is 32 bits
Extended Partitions
Limitation of 4 primary partitions
Creation of 3 primary partitions and 1 primary extended partition
The primary extended partition uses a similar MBR layout in order to create a linked list of records, showing where each new extended partition exists in relation to the start of the last
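An added example (not code from the lecture or from The Sleuth Kit) that ties together the partition-table slides: it parses the six fields of each MBR entry, follows the extended-partition linked list, picks out the active partition that boot step 7 refers to, states the 2 Terabyte limit that the 32-bit sector-count field imposes, and runs the sanity check from the Partition Analysis slide (zero-length entries, entries past the end of the disk, overlapping partitions, more than one active flag). The NTFS entry (start 63, length 3,894,849 sectors) and the disk size (4,999,680 sectors) are taken from the mmls output later in this lecture; the extended partition, its two logical partitions and the 0x0B type code are constructed test data, not something the slides show.

```python
# Added example (not from the lecture or The Sleuth Kit): MBR/EBR parsing,
# extended-partition chain walking and partition-table sanity checks.
# NTFS entry and disk size from the slide's mmls output; the rest is constructed.
import struct

SECTOR = 512
ENTRY_FMT = "<B3sB3sII"          # flags, start CHS, type, end CHS, start LBA, sector count
EXTENDED_TYPES = {0x05, 0x0F}    # DOS extended, Windows extended (LBA)
TYPE_NAMES = {0x07: "NTFS", 0x05: "Extended", 0x0F: "Extended (LBA)"}
MAX_MBR_PARTITION_BYTES = (1 << 32) * SECTOR   # 32-bit sector count: the 2 TiB limit


def decode_chs(raw: bytes):
    """MBR packs CHS as: head, sector (low 6 bits) + cylinder high bits, cylinder low byte."""
    cyl = ((raw[1] & 0xC0) << 2) | raw[2]
    return cyl, raw[0], raw[1] & 0x3F


def parse_table(sector: bytes):
    """Return the non-empty entries of the 4-slot table at byte 446 of an MBR or EBR."""
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA signature at offset 510")
    entries = []
    for slot in range(4):
        flags, s_chs, ptype, e_chs, rel_start, count = struct.unpack_from(ENTRY_FMT, sector, 446 + 16 * slot)
        if ptype:
            entries.append({"slot": slot, "bootable": flags == 0x80, "type": ptype,
                            "start_chs": decode_chs(s_chs), "end_chs": decode_chs(e_chs),
                            "rel_start": rel_start, "length": count})
    return entries


def walk_partitions(read_sector):
    """Primary partitions first, then the logical partitions of each extended partition."""
    parts = []
    for e in parse_table(read_sector(0)):
        e["start"] = e["rel_start"]                  # MBR addresses are absolute
        e["name"] = f"P{e['slot'] + 1}"
        parts.append(e)
        if e["type"] in EXTENDED_TYPES:
            parts.extend(walk_extended(read_sector, e["start"]))
    return parts


def walk_extended(read_sector, ext_start):
    """Follow the EBR chain: each EBR describes one logical partition (relative to
    the EBR itself) and optionally links to the next EBR (relative to ext_start)."""
    logical, ebr_lba, seen = [], ext_start, set()
    while ebr_lba not in seen:                        # a looped chain is itself a red flag
        seen.add(ebr_lba)
        link = None
        for e in parse_table(read_sector(ebr_lba)):
            if e["type"] in EXTENDED_TYPES:
                link = ext_start + e["rel_start"]
            else:
                e["start"] = ebr_lba + e["rel_start"]
                e["name"] = f"L{len(logical) + 1}"
                logical.append(e)
        if link is None:
            break
        ebr_lba = link
    return logical


def sanity_check(parts, disk_sectors):
    """Is the table telling the truth? Return a list of problems (empty = plausible)."""
    problems = []
    for p in parts:
        if p["length"] == 0:
            problems.append(f"{p['name']} has zero length")
        if p["start"] + p["length"] > disk_sectors:
            problems.append(f"{p['name']} runs past the end of the disk ({disk_sectors} sectors)")
    data = sorted((p for p in parts if p["type"] not in EXTENDED_TYPES), key=lambda p: p["start"])
    for a, b in zip(data, data[1:]):                 # containers may enclose logical ones, so skip them
        if a["start"] + a["length"] > b["start"]:
            problems.append(f"{a['name']} overlaps {b['name']}")
    if sum(p["bootable"] for p in parts) > 1:
        problems.append("more than one partition is flagged active")
    return problems


def active_partition(parts):
    return next((p for p in parts if p["bootable"]), None)


def build_table(entries):
    """Constructed MBR/EBR sector from (flags, type, rel_start, length) tuples; CHS fields left zero."""
    sec = bytearray(SECTOR)
    for slot, (flags, ptype, rel_start, length) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, sec, 446 + 16 * slot, flags, b"\0\0\0", ptype, b"\0\0\0", rel_start, length)
    sec[510:512] = b"\x55\xaa"
    return bytes(sec)


DISK_SECTORS = 4_999_680                               # from the mmls output
EXT = 3_894_912                                        # extended partition start (constructed)
SAMPLE_IMAGE = {                                       # only the sectors that hold tables
    0:   build_table([(0x80, 0x07, 63, 3_894_849), (0x00, 0x05, EXT, 1_104_768)]),
    EXT: build_table([(0x00, 0x0B, 63, 552_321), (0x00, 0x05, 552_384, 552_384)]),
    EXT + 552_384: build_table([(0x00, 0x0B, 63, 552_321)]),
}


def read_sample(lba):
    return SAMPLE_IMAGE.get(lba, bytes(SECTOR))


if __name__ == "__main__":
    table = walk_partitions(read_sample)
    for p in table:
        print(f"{p['name']:3} {p['start']:>10} {p['start'] + p['length'] - 1:>10} "
              f"{p['length']:>10} {TYPE_NAMES.get(p['type'], hex(p['type']))}")
    print("active:", active_partition(table)["name"], "problems:", sanity_check(table, DISK_SECTORS))
```

Two points the code makes explicit: the `rel_start` field means different things in the MBR (absolute), in an EBR's first entry (relative to that EBR) and in an EBR's link entry (relative to the start of the whole extended partition), so a parser that applies one base everywhere produces wrong offsets; and the extended container is excluded from the overlap check because it legitimately encloses its logical partitions. When imaging, run the sanity check against the size reported by the device rather than trusting the table's own totals.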
Disk Analysis
MMLS - displays the contents of a volume system (media management). In general, this is used to list the partition table contents so that you can determine where each partition starts and ends, its length and its type.
SIGFIND - searches through a storage volume and looks for a hex signature at a given offset. This can be used to search for lost boot sectors, superblocks, and partition tables.
GPART - a command that can scan drives and re-create a partition table based on "guesses". This command can identify a number of file system types by testing sectors and assessing which file system type is the most probable.
MMLS
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

Slot    Start        End          Length       Description
Meta    0000000000   0000000000   0000000001   Primary Table (#0)
-----   0000000000   0000000062   0000000063   Unallocated
00:00   0000000063   0003894911   0003894849   NTFS (0x07)
-----   0003894912   0004999679   0001104768   Unallocated
SIGFIND
Block size: 512  Offset: 510  Signature: 55AA
Block: 0 (-)
Block: 63 (+63)
Block: 92795 (+92732)
Block: 92796 (+1)
Block: 94839 (+2037)
Block: 94855 (+16)
Block: 237724 (+142869)
OUTPUT OMITTED ...
Block: 3473830 (+109635)
Block: 3894911 (+421081)
Block: 3894912 (+1)
Block: 3894975 (+63)
Block: 3894976 (+1)
Block: 3894983 (+1)
Block: 3905831 (+10848)
error reading bytes 4999680
0000000: eb52 904e 5446 5320 2020 2000 0204 0000  .R.NTFS    .....
0000010: 0000 0000 00f8 0000 3f00 8000 3f00 0000  ........?...?...
0000020: 0000 0000 8000 8000 406e 3b00 0000 0000  ........@n;.....
0000030: daf3 0400 0000 0000 c86d 0700 0000 0000  .........m......
0000040: f600 0000 0200 0000 f343 0504 7405 042a  .........C..t..*
0000050: 0000 0000 fa33 c08e d0bc 007c fbb8 c007  .....3.....|....
0000060: 8ed8 e816 00b8 000d 8ec0 33db c606 0e00  ..........3.....
0000070: 10e8 5300 6800 0d68 6a02 cb8a 1624 00b4  ..S.h..hj....$..
0000080: 08cd 1373 05b9 ffff 8af1 660f b6c6 4066  ...s......f...@f
0000090: 0fb6 d180 e23f f7e2 86cd c0ed 0641 660f  .....?.......Af.
00000a0: b7c9 66f7 e166 a320 00c3 b441 bbaa 558a  ..f..f. ...A..U.
00000b0: 1624 00cd 1372 0f81 fb55 aa75 09f6 c101  .$...r...U.u....
00000c0: 7404 fe06 1400 c366 601e 0666 a110 0066  t......f`..f...f
00000d0: 0306 1c00 663b 0620 000f 823a 001e 666a  ....f;. ...:..fj
00000e0: 0066 5006 5366 6810 0001 0080 3e14 0000  .fP.Sfh.....>...
00000f0: 0f85 0c00 e8b3 ff80 3e14 0000 0f84 6100  ........>.....a.
0000100: b442 8a16 2400 161f 8bf4 cd13 6658 5b07  .B..$.......fX[.
0000110: 6658 6658 1feb 2d66 33d2 660f b70e 1800  fXfX..-f3.f.....
0000120: 66f7 f1fe c28a ca66 8bd0 66c1 ea10 f736  f......f..f....6
0000130: 1a00 86d6 8a16 2400 8ae8 c0e4 060a ccb8  ......$.........
0000140: 0102 cd13 0f82 1900 8cc0 0520 008e c066  ........... ...f
0000150: ff06 1000 ff0e 0e00 0f85 6fff 071f 6661  ..........o...fa
0000160: c3a0 f801 e809 00a0 fb01 e803 00fb ebfe  ................
0000170: b401 8bf0 ac3c 0074 09b4 0ebb 0700 cd10  .....<.t........
0000180: ebf2 c30d 0a41 2064 6973 6b20 7265 6164  .....A disk read
0000190: 2065 7272 6f72 206f 6363 7572 7265 6400   error occurred.
00001a0: 0d0a 4e54 4c44 5220 6973 206d 6973 7369  ..NTLDR is missi
00001b0: 6e67 000d 0a4e 544c 4452 2069 7320 636f  ng...NTLDR is co
00001c0: 6d70 7265 7373 6564 000d 0a50 7265 7373  mpressed...Press
00001d0: 2043 7472 6c2b 416c 742b 4465 6c20 746f   Ctrl+Alt+Del to
00001e0: 2072 6573 7461 7274 0d0a 0000 0000 0000   restart........
00001f0: 0000 0000 0000 0000 83a0 b3c9 0000 55aa  ..............U.
GPART Scan
Begin scan...
Possible partition(Windows NT/W2K FS), size(1901mb), offset(0mb)
Possible partition(DOS FAT), size(539mb), offset(1901mb)
End scan.
OUTPUT OMITTED

Guessed primary partition table:
Primary partition(1)
   type: 000(0x00)(unused)
   size: 0mb #s(0) s(0-0)
   chs:  (0/0/0)-(0/0/0)d (0/0/0)-(0/0/0)r

Primary partition(2)
   type: 000(0x00)(unused)
   size: 0mb #s(0) s(0-0)
   chs:  (0/0/0)-(0/0/0)d (0/0/0)-(0/0/0)r
ANY QUESTIONS