Computer Forensic Chapter 03

This document discusses file systems and disk structures used in Windows and DOS systems. It covers topics like file allocation tables, master boot records, NTFS, and the startup processes for Windows, DOS, and NT. The key points are that older systems like DOS used FAT to manage files, Windows introduced the registry, and NTFS improved on previous systems with features like security attributes, Unicode support, and journaling. Understanding these disk structures is important for computer forensics investigations across different operating systems.

Uploaded by pj2513
Copyright: © Attribution Non-Commercial (BY-NC)

Working with Windows and DOS Systems

Chapter 3

Learning Objectives

• Understand File Systems
• Explore Microsoft Disk Structures
• Examine New Technology File System (NTFS) Disks
• Understand Microsoft Boot Tasks
• Understand Microsoft Disk Operating System (MS-DOS) Startup Tasks
Understand File Systems

File System – Provides an operating system with a road map to the data on a disk.

BootStrap – Information contained in the read-only memory (ROM) that the computer accesses during its startup process; it tells the computer how to access the operating system and the hard drive.

Registry – A database that stores hardware and software configuration information, user preferences, and setup information.

Disk Drive Overview

Geometry – Reflects the internal organization of the drive.
Head – Device that reads and writes data to the drive.
Tracks – Individual circles on a disk platter where data is located.
Cylinder – Column of tracks on two or more disk platters.
Sector – Individual section on a track.

Zoned Bit Recording – How manufacturers deal with the fact that the inner tracks of a platter are physically smaller than the outer tracks. Grouping the tracks by zones ensures that the tracks are all the same size.

Track Density – The space between tracks on a disk. The smaller the space between the tracks, the more tracks fit on a disk. Older drives with wider track spacing allow the read-write head to wander.

Areal Density – The number of bits per square inch on a platter.

Head and Cylinder Skew – A method used by manufacturers to minimize lag time. The starting sectors of adjacent tracks are slightly offset from each other to allow for the movement of the read-write head.
Exploring Microsoft File Structures

Clusters – Storage allocation units of 512, 1024, 2048, 4096, or more bytes.
Logical Address – Cluster addresses that are assigned by the operating system.
Physical Address – Addresses that reside at the hardware or firmware level.

Partition – A logical drive on a disk. It can be the entire disk or a portion thereof.
Inner-Partition Gap – Unused space or voids left between the primary partition and the first logical partition when partitions are created.

Master Boot Record (MBR) – On Windows and DOS computer systems, the boot disk file, which contains information regarding the files on a disk and their locations, size, and other critical items.
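An added example (not part of the slides) of reading the structure an examiner actually pulls from the MBR sector: the four 16-byte partition-table entries at offset 446 and the 55 AA signature at offset 510, plus a check for the unused sector ranges between partitions that the "Inner-Partition Gap" definition above refers to. The sample sector is constructed inline; the partition layout and type codes in it are assumptions chosen for illustration.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446        # the four 16-byte partition entries follow the boot code
ENTRY_FMT = "<B3xB3xII"   # status, CHS start (skipped), type, CHS end (skipped), LBA start, sectors

def parse_mbr(sector: bytes) -> list:
    """Return the four partition-table entries of a 512-byte MBR sector.
    Raises ValueError if the sector is the wrong size or lacks the 55 AA boot signature.
    """
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 55 AA boot signature at offset 510")
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FMT, sector, TABLE_OFFSET + i * 16)
        entries.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,                 # e.g. 0x07 NTFS, 0x0C FAT32 (LBA), 0x00 unused
            "lba_start": lba_start,
            "sectors": sectors,
            "size_bytes": sectors * SECTOR_SIZE,
        })
    return entries

def unallocated_gaps(entries: list) -> list:
    """Sector ranges between the MBR and the last partition that no partition covers.
    These are the voids between partitions; a logical volume view never shows them,
    so an examiner inspects them explicitly for data placed there.
    """
    used = sorted((e for e in entries if e["type"] != 0x00), key=lambda e: e["lba_start"])
    gaps, next_free = [], 1                # sector 0 is the MBR itself
    for e in used:
        if e["lba_start"] > next_free:
            gaps.append((next_free, e["lba_start"] - 1))
        next_free = max(next_free, e["lba_start"] + e["sectors"])
    return gaps

def build_sample_mbr() -> bytes:
    """Constructed sample (not from a real disk): a bootable NTFS partition at LBA 2048
    and a FAT32 partition at LBA 208896, leaving a 2048-sector void between them."""
    sector = bytearray(SECTOR_SIZE)
    struct.pack_into(ENTRY_FMT, sector, TABLE_OFFSET, 0x80, 0x07, 2048, 204800)
    struct.pack_into(ENTRY_FMT, sector, TABLE_OFFSET + 16, 0x00, 0x0C, 208896, 409600)
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)
```

Running `unallocated_gaps(parse_mbr(build_sample_mbr()))` reports the sectors before the first partition and the void between the two partitions, which is where a partition-by-partition image would miss data.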
File Allocation Table (FAT) – The original file structure database, which Microsoft designed for floppy disks. It is written to the outermost track of a disk and contains information about each file stored on the drive. The variations are FAT12, FAT16, and FAT32.

Chain FAT Entry – A command used by DriveSpy that displays all the clusters in a chain starting at a specified cluster.

End-of-File Marker – 0x0FFFFFFF. This code is typically used with FAT file systems to show where the file ends.
Unallocated Disk Space – The area of a disk where deleted files reside.
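The cluster-chain walk that the Chain FAT Entry command and the End-of-File Marker definitions describe, written out as an added Python example (not from the slides or from DriveSpy). It follows a FAT32 chain from a starting cluster until it reaches an end-of-chain value, and reports the other outcomes an examiner meets: a chain that hits a zeroed entry (the state of a deleted file's clusters, whose data now sits in unallocated space), a bad cluster, or a loop. The 16-entry table is constructed inline and the cluster numbers in it are assumptions.

```python
import struct

FAT32_MASK = 0x0FFFFFFF   # only the low 28 bits of a FAT32 entry are meaningful
EOC_MIN = 0x0FFFFFF8      # masked values >= this mark end of chain (0x0FFFFFFF is the usual one)
BAD_CLUSTER = 0x0FFFFFF7
FREE = 0x00000000

def read_fat32(raw: bytes) -> list:
    """Decode a raw FAT32 table (little-endian 32-bit entries) into masked entry values."""
    return [v & FAT32_MASK for (v,) in struct.iter_unpack("<I", raw)]

def chain_fat_entry(fat: list, start: int) -> tuple:
    """Follow the cluster chain that begins at `start`, as DriveSpy's Chain FAT Entry does.
    Returns (clusters, status): 'eof' for a complete chain, 'bad' if the chain reaches a
    cluster marked bad, 'free' if it hits a zeroed entry (how a deleted file's start cluster
    looks), 'loop' for a corrupt table, or 'range' for a number outside the table.
    """
    chain, seen, cur = [], set(), start
    while True:
        if cur < 2 or cur >= len(fat):   # entries 0 and 1 are reserved, not data clusters
            return chain, "range"
        if cur in seen:
            return chain, "loop"
        seen.add(cur)
        chain.append(cur)
        nxt = fat[cur]
        if nxt >= EOC_MIN:
            return chain, "eof"
        if nxt == BAD_CLUSTER:
            return chain, "bad"
        if nxt == FREE:
            return chain, "free"
        cur = nxt

def slack_bytes(file_size: int, chain: list, bytes_per_cluster: int) -> int:
    """File slack: bytes in the last cluster beyond the file's logical end of file."""
    return len(chain) * bytes_per_cluster - file_size

def build_sample_fat() -> bytes:
    """Constructed 16-entry FAT32 table (not from a real volume): clusters 5 -> 6 -> 9 -> EOF
    hold a live file, 12 -> 7 runs into a bad cluster, 10 <-> 11 is a corrupt loop, and
    cluster 3 (the start cluster of a deleted file) has been zeroed."""
    entries = [0x0FFFFFF8, 0xFFFFFFFF, 0, 0, 0, 6, 9, BAD_CLUSTER, 0,
               0x0FFFFFFF, 11, 10, 7, 0, 0, 0]
    return b"".join(struct.pack("<I", e) for e in entries)
```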
Examining NTFS Disks

New Technology File System – Introduced when Microsoft created Windows NT. NTFS is the primary file system for Windows XP. NTFS uses security features, allows for smaller cluster sizes, and uses Unicode, which makes it a much more versatile file system.

Partition Boot Sector – The first data set of an NTFS disk. It starts at sector [0] of the disk drive and can be expanded up to 16 sectors.
Master File Table – Used by NTFS to track files. It contains information about the access rights, date and time stamps, system attributes, and parts of the file.

Unicode – A 16-bit character code representation that is replacing ASCII. It is capable of representing over 64,000 characters.
American Standard Code for Information Interchange (ASCII) – A coding scheme using 7 or 8 bits that assigns numeric values to up to 256 characters, including letters, numerals, punctuation marks, control characters, and other symbols.

Meta-Data – In NTFS, this refers to information stored in the MFT.

Resident Attributes – When referring to the MFT, all attributes that are stored within the MFT of the NTFS.
Nonresident Attributes – When referring to the MFT of the NTFS, all data that is stored in a location separate from the MFT.

Logical Cluster Numbers (LCNs) – Used by the MFT of NTFS. An LCN refers to a specific physical location on the drive.
Virtual Cluster Number (VCN) – When a file is saved in NTFS, it is assigned both a logical cluster number and a virtual cluster number. The logical cluster is a physical location, while the virtual cluster consists of chained clusters.
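How the VCN-to-LCN mapping above is actually stored: a nonresident attribute keeps its data outside the MFT and records, in its MFT record, a runlist of (starting LCN, cluster count) pairs; a resident attribute has no runlist because its content sits inside the MFT record itself. The decoder below is an added Python example (not from the slides) covering both the resident/nonresident distinction and the LCN/VCN definitions; the runlist bytes are constructed, not taken from a real MFT record.

```python
from typing import List, Optional, Tuple

def decode_data_runs(runlist: bytes) -> List[Tuple[Optional[int], int]]:
    """Decode a nonresident NTFS attribute's runlist into (start LCN, cluster count) pairs.
    Each run begins with a header byte: low nibble = size in bytes of the length field,
    high nibble = size of the LCN offset field. The offset is signed and relative to the
    previous run's start LCN (the first run is relative to LCN 0). An offset size of 0
    means a sparse run with no clusters on disk (LCN None). A 0x00 header ends the list.
    """
    runs, pos, lcn = [], 0, 0
    while pos < len(runlist) and runlist[pos] != 0x00:
        header = runlist[pos]
        len_size, off_size = header & 0x0F, header >> 4
        pos += 1
        length = int.from_bytes(runlist[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            runs.append((None, length))          # sparse run: VCNs exist, LCNs do not
        else:
            lcn += int.from_bytes(runlist[pos:pos + off_size], "little", signed=True)
            pos += off_size
            runs.append((lcn, length))
    return runs

def vcn_to_lcn(runs: List[Tuple[Optional[int], int]], vcn: int) -> Optional[int]:
    """Map a VCN (file-relative, 0-based) to the LCN that holds it; None if the VCN is sparse."""
    base = 0
    for lcn, length in runs:
        if base <= vcn < base + length:
            return None if lcn is None else lcn + (vcn - base)
        base += length
    raise ValueError(f"VCN {vcn} lies beyond the attribute's last run")

# Constructed runlist (assumed values, not from a real MFT record): three runs, then terminator.
#   21 18 34 56  -> 24 clusters starting at LCN 0x5634 (22068)
#   21 10 E0 FF  -> 16 clusters at 22068 + (-32) = 22036 (a run may sit before the previous one)
#   01 05        -> 5 sparse clusters (offset size 0)
#   00           -> end of runlist
SAMPLE_RUNLIST = bytes.fromhex("21183456" "2110E0FF" "0105" "00")
```

Mapping VCN 24 through this sample gives LCN 22036, lower on disk than VCN 0, which is why a fragmented file's physical order need not match its logical order.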
Multiple Data Streams – Ways in which data can be appended to a file, intentionally or not. In NTFS, it becomes an additional data attribute of the file.

Encrypted File System (EFS) – Symmetric key encryption first used in Windows 2000 on NTFS formatted disks.
Public Key – In encryption, the key held by the system receiving the file.
Private Key – In encryption, the key held by the owner of the file.

EFS Recovery Agent Functions
-CIPHER
-COPY
-EFSRECOVER
Understanding Microsoft Boot Tasks

Windows XP, 2000, and NT Startup
-Power on self test
-Initial startup
-Boot loader
-Hardware detection and configuration
-Kernel loading
-User logon

NT Loader (NTLDR) – Loads Windows NT. It is located in the root folder of the system partition.
Boot.ini – Specifies the path to the Windows NT installation.
BootSect.dos – Contains the address of the boot sector location of each operating system.
NTDetect.com – A command file that identifies hardware components during bootup and sends the information to NTLDR.

NTBootdd.sys – Device driver that allows access to SCSI or ATA drives that are not related to the BIOS.
Ntoskrnl.exe – The Windows NT operating system kernel. It is located in the Windows\System32 folder.
Hal.dll – Hardware abstraction layer dynamic link library. It tells the operating system kernel how to interface with the hardware.
Device Drivers – Contain instructions for the operating system for hardware devices.

DOS Protected-Mode Interface (DPMI) – Used by many computer forensics tools that do not operate in the Windows environment.

Command.com – Provides a prompt when booting to MS-DOS mode. It is the user interface for the MS-DOS operating system and contains the following commands:
-DIR
-CD
-CLS
-DATE
-COPY
-DEL
-MD
-PATH
-PROMPT
-RD
-SET
-TIME
-TYPE
-VER
-VOL
Understanding MS-DOS Startup Tasks

IO.SYS – The first file loaded after the ROM bootstrap loader finds the operating system. This file allows for communication between the computer’s BIOS and hardware, and with MS-DOS code.
MSDOS.SYS – A hidden text file that contains startup options for Windows 9x. In MS-DOS, this file is the operating system kernel.
CONFIG.SYS – A text file that contains commands that are typically run only at system startup.

AUTOEXEC.BAT – An automatically executed batch file that contains customized commands and settings for MS-DOS.
Chapter Summary
-The Microsoft operating systems used FAT12 and FAT16 on older systems such as MS-DOS, Windows 3.x and Windows 9x.
-The Registry on older Windows OSs is used to keep a record of hardware attached, user preferences, network information, and installed software.
-The capacity of a hard disk is obtained by using the cylinders, heads, and sectors. To find the capacity of a disk, multiply the number of heads, sectors, and tracks.
-Clusters are used to accommodate large files. Sectors are grouped into clusters and clusters are chained to minimize the overhead of reading and writing files to a disk.
-The New Technology File System is more versatile because it uses the MFT to track information such as security items, the first 750 bytes of data, long and short filenames, and a list of nonresident attributes.
-File slack, RAM slack, and drive slack are all areas in which valuable information may reside on a drive.
-To be an effective computer forensics investigator, you need to maintain a library of older operating systems and applications.
-NTFS uses Unicode to store information. Unicode is an international code and uses a 16-bit configuration instead of the 8-bit configuration used by ASCII.
-Hexadecimal codes provide information about files and OSs. You can determine the file type by using various tools such as WinHex and Hex Workshop.
-NTFS uses inodes to link file attribute records to other file attribute records. Attributes fall into two categories: resident and nonresident.
-NTFS can compress individual files, folders, or entire partitions. FAT16 can only compress entire volumes.
