1. 91.580.203 Computer & Network Forensics
Xinwen Fu
Chapter 8
System Boot Process and File Systems

2. Homework Submission Follow the submission policy tightly Midterm exam
To:
Subject: :AssignmentXXX:XXX
Attach your assignment
Midterm exam
20 multiple-choice questions
Released after class on Oct. 9
Collected at 11:55 on Oct. 10

3. Outline The Boot Process Controlled Boot Environment
Disk Write Blockers
Disk Imaging Tool Testing
NIST Test Cases

4. Review of HD Boot Sequence (DOS)
power on self test (POST) by BIOS
master boot record No
extended partition?
Yes
load extended partition tables
volume boot code of c:
DOS

5. POST Power is on CPU ready to run, but run what?
The BIOS performs the Power On Self Test (POST)
RAM
Video
Keyboard
drives, etc.

6. Master Boot Record
Every hard disk must have a consistent ‘starting point’
The place where this information is stored is called the master boot record (MBR) (also referred to as the master boot sector, or just boot sector)
The MBR is always located at cylinder 0, head 0, and sector 1
The master boot record contains the following structures:
Master Partition Table – this small table contains the descriptions of the partitions that are contained on the hard disk
There is only room for the information describing 4 partitions

7. Master Boot Code
Master Boot Code – The MBR contains a small initial boot program that the BIOS loads and executes to start the boot process
Since the master boot code is the first program executed in RAM when you turn on your pc, this is a favorite place for virus writers to target

8. DOS System Files 1 Master Boot Record CHS = 0,0,1 2 Boot Record 3
IO.SYS 4
MSDOS.SYS 5
CONFIG.SYS 6
COMMAND.COM 7
AUTOEXEC.BAT
Keep in mind that discussion of the boot process is limited to arriving at a DOS prompt. The process of booting to Windows differs from the process described here.
To understand how to seize control of a computer, a review of the boot up sequence of a DOS computer is in order.
Once the computer has completed its Power On Self Test (POST), it starts searching for a bootable drive. Most of the time*, the system will look for a bootable diskette in floppy drive A and, if it finds one, will boot from the floppy. If the diskette is not bootable (does not contain the IO.SYS, MSDOS.SYS, and COMMAND.COM files) the following message is displayed:
Non-System disk or disk error
Replace and press any key when ready
* Most modern computers can be configured, in CMOS, to ignore the A Drive and boot directly from the C Drive. If the suspect's computer is doing this, you need to document the fact and disable the feature in CMOS.
If there is no diskette in the floppy drive, the computer will look for a hard disk and, if it finds one, it looks in the first sector of the disk for the Master Boot Record which contains, among other data, the Master Partition Table. The Master Partition Table points to the active primary partition (usually the C: Drive). The system then looks on that logical drive for the Boot Record, which identifies the operating system and points to the next file to be loaded, which is IO.SYS.
IO.SYS loads a portion of the operating system (OS) and, in earlier versions of MS-DOS, looks on the hard disk, even if booting from floppy, for DBLSPACE.INI. If this file is found it will mount the corresponding Compressed Volume File (CVF) *. THIS CAUSES A WRITE TO THE HARD DRIVE. This feature was present in DOS 6.22 and also in the Win 9x versions of DOS. Win ME DOS doesn’t support this function.
* A compressed volume file is created if the hard drive is compressed using Drive Space, a utility that comes with MS-DOS 6.22, or one of the other compatible disk compression technologies.
MSDOS.SYS, another portion of the OS, then loads and looks for CONFIG.SYS which is a user-configurable text file on the boot drive. It may or may not be present.
CONFIG.SYS is used to load device drivers such as SCSI drivers, CD-ROM drivers, etc. It may also include a LASTDRIVE=Z statement. If found, it gets executed. After CONFIG.SYS is loaded, the system then looks on the boot disk for COMMAND.COM and, if found, loads it.
The OS is now functionally loaded. The last step taken by COMMAND.COM is to look on the boot drive for AUTOEXEC.BAT, which is another user-configurable text file that is usually, but not always, present. AUTOEXEC.BAT is used to automatically load programs, such as memory management software, mouse programs, etc. It also usually contains a PATH statement which defines the order in which the system will search for programs on the drive.
SUMMARY
Understanding the boot sequence demonstrates the importance of having complete control of the computer when it boots. The suspect could have a hacked version of COMMAND.COM, which could have built-in booby traps, or could be loading trojan horses (a destructive program that masquerades as a benign application) or other potentially destructive software in the CONFIG.SYS or AUTOEXEC.BAT files. Even if these pitfalls aren’t present, proper forensic procedure mandates that we proceed with our seizure and examination without making any alterations to the original evidence.
To control the boot process, we must intercept it with a controlled-boot floppy.
Boot record identifies the operating system and points to the next file to be loaded, which is IO.SYS.

9. Unix Boot Process power on self test (POST) by BIOS
master boot record - boot loader
kernel
AKA Bootstrapping
user environment (/sbin/init)

10. Two-stage Boot Loader
Unix systems implement a two-stage loading process
First stage, a small boot program is read into memory from MBR
Locate the second stage boot loader and load the first part of it into memory
Second stage (/boot/???)
Present the user with the operating system choice screen
Locate the kernel and load the kernel /boot/vmlinuz-<kernel-version>
Place initrd (initial RAM disk image) into memory (used by the kernel to load drivers)

11. Kernel
Once the kernel is loaded, it remains in the memory during the running of the system and is usually run in a fixed amount of memory
The kernel probes the bus to locate the devices specified during the configuration, and initializes the located devices
Hardware
Virtual devices
Unmount the initrd image
Create a root device

12. Kernel (Cont.)
System Processes: The kernel identifies the root, swap, and dump devices and then starts programs to
Schedule processes,
Sched: The real-time scheduler.
Manage physical memory and virtual memory, and the
Swapper: It manages the physical memory by moving process from physical memory to swap space when more physical memory is needed.
Page Daemon: Various memory handlers run as process 2.
init process.

13. Create User Environment (/sbin/init)
The last step in bootstrapping and identified by process id “1”
/etc/inittab – init configuration file
/etc/rc.d/rc.sysinit – set path, clock
/etc/rc.d/init.d/functions - how to determine process id
Run shell scripts based on the runlevel - e.g., /etc/rc.d/rc5.d
The startup scripts are defined and organized differently on different systems
On BSD systems the startup scripts may be found in the /etc directory and their names begin with rc, e.g., /etc/rc.boot, /etc/rc.single,/etc/rc.local and so on
Init typically will start multiple instances of “getty” which waits for console logins which spawn one’s user shell process. Upon shutdown, init controls the sequence and processes for shutdown. The init process is never shut down. It is a user process and not a kernel process although it does run as root.

14. Run Level (Red Hat/Fedora Core)
Scripts Directory
State
/etc/rc.d/rc0.d/
shutdown/halt system 1
/etc/rc.d/rc1.d/
Single user mode 2
/etc/rc.d/rc2.d/
Multiuser with no network services exported 3
/etc/rc.d/rc3.d/
Default text/console only start. Full multiuser 4
/etc/rc.d/rc4.d/
Reserved for local use. Also X-windows (Slackware/BSD) 5
/etc/rc.d/rc5.d/
XDM X-windows GUI mode (Redhat/System V) 6
/etc/rc.d/rc6.d/
Reboot
s or S
Single user/Maintenance mode (Slackware) M
Multiuser mode (Slackware)

15. Some Notes Single User Mode
Single user shell is always Bourne Shell (sh) and it runs as 'root'.
It enables the system manager to perform various administrative functions, such as setting the date, checking the consistency of the file system, reconfiguring the list of on-line terminals, and so on.
At this stage only the root partition is usually mounted.
The file system consistency check may be performed by the command fsck, usually found in the /etc directory.
Linux /etc/rc.d
LILO• does not understand filesystems• code and kernel image to be loaded is stored as raw disk offsets• uses the BIOS routines to loadLoading sequence• load menu code, typically /boot/boot.b• prompt for (or timeout to default) partition or kernel• for "image=" (ie Linux) option load kernel image• for "other=" (ie DOS) option load first 512 bytes of the partition

16. Windows 2000/NT/XP Bootstrapping
6 Stages
POST
Choose OS
Kernel Load
Kernel Initialization
Services Load
Logon
See handouts.

17. Summary
Every disk has a consistent starting point (MBR or boot sector CHS 001)
A control boot disk (floppy/CD) allows us to control the bootstrapping process
DOS makes a good boot environment since we understand what is happening!

18. Outline The Boot Process Controlled Boot Environment
Disk Write Blockers
Disk Imaging Tool Testing
NIST Test Cases

19. Note: Boot Considerations
Background: we want to use a floppy disk and boot the suspect system
BIOS Setting
Need to ensure that system boots from proper device such as CDROM, Floppy
Interrupt keys (varies by manufacturers)
F12, Del, F1
Basic Input/Ouput System
Complementary metaloxide semiconductor (CMOS).

20. Controlled Boot Floppy
A controlled boot floppy enables you to
Bypass possible destructive processes set by the suspect to destroy evidence
Maintain evidence integrity by preventing any possible changes to the suspect’s hard disk

21. A Basic Controlled DOS Boot Floppy
Minimum Requirements
Will boot the computer without allowing any writes to the Hard Disk
Will automatically install hard disk write protection
Will ensure drive letters are assigned to all FAT logical drives by including a LASTDRIVE=Z statement in the CONFIG.SYS file
LASTDRIVE is a DOS command used in the CONFIG.SYS to set the maximum number of drives that can be accessed. Z specifies the last available disk drive. The default is E. LASTDRIVE=Z ensures drive letters being assigned to all FAT logical drives on the system.

22. Media Variety of disks in every possible format
5¼” Low density, high density floppies
3½” Low density, high density floppies
Bootable CD-ROMs
A variety of computers are in use today using media ranging from the very old (5¼”) to the very new (CDs, DVDs). It is best to be prepared by having a variety of disks in every possible format, including bootable CDs.

23. Media (Cont.) New, clean media for each case
Pre-used media should be wiped
Error free and formatted by format
/U Format option
Standard Format AND overwrites data area with F6h
/S Format option
Standard Format AND copies system files to disk after format
It is recommended that new clean media be used for each case. If media has been used before, a Wipe utility (such as the one included with Drivespy) can be used to zero out all areas of the disk.
Another option to wiping a floppy disk is to use the /U option with the Format command. An Unconditional Format performs a Standard Format (scans the logical drive for errors, rewrites the boot record, “zeroes out” the System area) AND overwrites the data area with F6h. This option won’t place a hidden mirror file on the logical drive.
The /S option, a System Format, performs a Standard Format AND copies the system files COMMAND.COM, IO.SYS, MSDOS.SYS to the formatted logical drive. This option is unavailable in WinME.

24. Files (DOS) Required system files IO.SYS MSDOS.SYS COMMAND.COM
Required system files
IO.SYS
Altered if necessary to prevent write to disk
MSDOS.SYS
COMMAND.COM
AUTOEXEC.BAT
Edited to automatically load the hard drive write blocker, e.g., PDBLOCK from digital intelligence
CONFIG.SYS
Edited to include LASTDRIVE=Z to ensure drive letter assignments
IO.SYS, MSDOS.SYS, and COMMAND.COM must be on the floppy in order for it to boot.
AUTOEXEC.BAT is edited to include the file necessary to automatically execute the hard drive write blocker application.
PBBLOCK (Physical Drive BLOCKer) owned by Digital Intelligence, is designed as a standalone utility used to prevent all writes to the physical drives. The “LITE” version of PDBLOCK (PDB_LITE) is free to all law enforcement agencies and personnel. Information from the web site suggests that when using PDB_LITE, it “may be desirable to selectively control the blocking operation on a drive-by-drive basis.” (see
CONFIG.SYS is edited to include the LASTDRIVE=Z statement. In the case of a bootable CDROM, it may be necessary to also include CDROM drivers.

25. External DOS Commands FDISK FORMAT DELTREE Not loaded with COMMAND.COM
Usually installed in the WINDOWS\COMMAND subdirectory
Our copies must be on the control boot floppy
Are either “EXE” or “COM” files
FDISK FORMAT DELTREE
CHKDSK ATTRIB UNFORMAT
UNDELETE XCOPY
There are a variety of other programs that come with DOS, but do not load into memory with COMMAND.COM. They are generally referred to as "external" commands and typically install themselves in the C:\Windows\COMMAND subdirectory, if the default installation is used.
The number and functionality of these programs has changed with each DOS revision. Some were not written by Microsoft, but are licensed from other vendors, such as Central Point Software and Symantec, etc.
Most of these programs are run infrequently, so there is no advantage to having them loaded in RAM all the time.
Like any other file, the names of the DOS external commands can be changed very easily or a destructive program can be given the name of a typical DOS file - another reason not to trust the suspect's software.

26. Note: Why should we change IO.SYS?
DOS 6.22, Win95, Win98
IO.SYS can automatically mount Compressed Volume Files
If a compressed drive is mounted, it will make changes (write) to the hard drive
This can happen even if booting from a floppy
IO.SYS must be hacked to eliminate these calls to the hard drive
Why? reading assignment
IO.SYS (DOS 6.22, Win95, Win98) can automatically mount compressed volume files (CVF), even if you are booting from the floppy drive (Drive A). This modification was made so that if an individual is running a compressed drive using the Drvspace or Dblspace utility , the compressed drive will automatically be mounted and seen as a logical drive by the operating system. During the process of mounting the compressed drives some information is written to the hard disk. This changes the evidence.
For forensic purposes, this cannot happen. To avoid this potential problem, IO.SYS must be altered to redirect the calls from C:\ to A:\.
Writing to the hard drive, when the system is in our custody and control, means that we have altered the evidence!

27. Outline The Boot Process Controlled Boot Environment
Disk Write Blockers
Disk Imaging Tool Testing
NIST Test Cases

28. Disk Write Blockers Prevent data being written to the suspect drive
Ensure the integrity of the suspect drive
Software Write Blockers vs. Hardware

29. Normal HD Access
User
Application

30. Normal HD Access - interrupt 0x13 interface
An application program issues an interrupt 0x13 command.
The interrupt transfers control to the interrupt 0x13 routine in the BIOS. The BIOS routine issues commands, ATA or SCSI as appropriate, directly to the hard drive controller.
The device does the requested operation and returns the result to the BIOS and then to the application program.

31. Software Write Block
User
Application

32. Software Write Block (SWB) – Change Interrupt 0x13 Interface
The SWB tool is executed. The SWB tool saves the current interrupt 0x13 routine entry address and installs a new interrupt 0x13 routine.
The application program initiates a drive I/O operation by invoking interrupt 0x13. The replacement routine installed by the SWB tool intercepts the command.
The SWB tool determines if the requested command should be blocked or if the command should be allowed.

33. Software Write Block
If a command is blocked, the SWB tool returns to the application program without passing any command to the BIOS I/O routines. Depending on SWB tool configuration either success or error is returned for the command status.
If the command is allowed (not blocked), the command is passed to the BIOS and the BIOS I/O routine issues required I/O commands (ATA, SCSI or other) to the drive controller so that the desired I/O operation occurs on the hard drive.
Results are returned to the application program.
More details found at:

34. Hardware Write Block
A hardware write blocker (HWB) is a hardware device that attaches to a computer system with the primary purpose of intercepting and preventing (or ‘blocking’) any modifying commands from ever reaching the storage device.
Physically, the device is connected between the computer and a storage device.
Some of its functions include monitoring and filtering any activity that is transmitted or received between its interface connections to the computer and the storage device.
More details found at:

35. Summary Write blockers prevent data being written to the suspect drive
2 basic approaches:
Hardware and Software
Software write blockers can be bypassed (sometimes unknowingly)
Hardware write blockers are now the industry standard.
NIST (National Institute of Standards and Technology) has excellent specs/standards for write blockers.

36. Outline The Boot Process Controlled Boot Environment
Disk Write Blockers
Disk Imaging Tool Testing
NIST Test Cases

37. Imaging Tool Requirements
Exact duplicate of the original disk
Not alter the original disk
Able to verify integrity of image
Log I/O errors
Tool documentation correct

38. Definitions - Image Digital Sometimes compressed
Bit-stream duplicate of original digital object
Can be reconstructed

39. Definitions – Qualified Copy
Qualified bit-stream duplicate (in case there are errors during imaging):
Duplicate except in identified areas
Identified areas replaced by values specified by a disk imaging tool’s documentation
Partition table entries to reflect relocated partitions
Boot records
Fill areas for cylinder alignment and excess disk space

40. Mandatory Requirements of Tools
Shall not alter original
No errors  create bit-stream duplicate or image of source
Errors  create qualified bit-stream duplicate, identified values are marked
Log errors in readable form, including type and location
Destination larger than Source: document areas of destination not included in source
Destination smaller than Source: notify user, truncate, and log

41. Optional Requirements of Tools (1/3)
“If a tool provides the capability defined, the tool is tested as if the requirement were mandatory.”
Create hash value of copy, compare to hash computed at time of creation, log comparisons; do same if bit-stream divided in blocks

42. Optional Req’ts (2/3) Create copy of partitions designated by user
Log one or more: tool version, subject disk ID, errors encountered, tool actions, start/finish run times, tool settings, user comments

43. Optional Req’ts (3/3)
Create an image file on removable media that can be used to reconstruct a bit-stream duplicate
Bit-stream duplicate adjusts to alignment of cylinders on destination
On duplicate can only change: Partition table entries; Boot records; Fill areas for cylinder alignment; Excess space (fill areas values in documentation)

44. Test Methodology Identify software and procedures
Represent ‘how well’ vs. ‘what actions’
Document scope, parameters, testing environment, expected results

45. Disk Image Test Method Test setup Disk setup Test execution
Test results analysis
Documentation

46. Test Lab Form Sample Test Setup Analysis Disk Setup Execution
Tester: Pascal Openshaw
Date Started: 12 October 2004
Test Case ID: A001
Test Case Summary: Copy XBIOS-IDE disk PT-N/A src=DST/NN fixed errors
Testing Environment: PC - Beta 5; Disks – B0 Fujitsu MPF3153 AT 8.455
MB as master and B1 Fujitsu MPF3153 AT MB as slave;
Interface – XBIOS-IDE; File Type - NTFS
Test Software Used: DiskWipe 2.3; BadX13 2.1; DiskCmp 2.2; DiskHash 1.1
Setup: Installed K3B
Execute: Ran K3B
Log Files ID & Loc: created folder on office machine labeled XX-08
Expected Results: log file contains error messages and src/dest should
compare qualify equal
Results: A src read error was identified at 1,000,000 – other sectors
compaired equal
Log File Highlights: Errors from log file highlighted
Analysis: Expected results were obtained
Disk Setup
Execution
Analysis
K3b (from KDE Burn Baby Burn)[1] is a CD and DVD authoring application for the KDE desktop for Unix-like computer operating systems. It provides a graphical user interface to perform most CD/DVD burning tasks like creating an Audio CD from a set of audio files or copying a CD/DVD, as well as more advanced tasks such as burning eMoviX CD/DVDs. It can also perform direct disc-to-disc copies.

47. Test cases Tests will verify each assertion Identify parameters
Each assertion provides a specific class of conditions that can be tested and the result that is expected
Identify parameters
Generate cases for study

48. Test form Test case ID Test case summary Test environment Test sw used
Setup
Execute
A001
Copy CD-ROM
Mandrake Linux
K3b
Installed K3b
Ran K3b, CD Copier

49. Sufficient testing Show mandatory requirement
Test optional requirements

50. Outline The Boot Process Controlled Boot Environment
Disk Write Blockers
Disk Imaging Tool Testing
NIST Test Cases

51. DI-13
TEST : Copy a BIOS IDE source disk to a BIOS IDE destination disk and the source contains a LINUX partition where source disk is the smaller than the destination and source contains a deleted file and a hidden file
After the duplicate is created on the destination, unhide the hidden file and undelete the deleted file
EXPECTED RESULT: Source compares qualified equal to destination hidden and deleted files recovered

52. DI-44
TEST: Create an image from a LINUX SCSI source disk to a LINUX SCSI destination disk and the source contains a LINUX partition where source disk is the same size as the destination
Create the image on a removable medium
EXPECTED RESULTS: Source compares equal to destination

53. DI-77
TEST : Copy a BIOS IDE source disk to a BIOS IDE destination disk and the source contains a NTFS partition where source disk is the smaller than the destination and source contains a deleted file and a hidden file
Create the image on a removable medium
Introduce an error on the image
After the duplicate is created on the destination, unhide the hidden file and undelete the deleted file
EXPECTED RESULT: Image verification error

54. DI-96
TEST : Create an image from an XBIOS IDE source disk to a XBIOS IDE destination disk and where source disk is the same size as the destination
Introduce a write error writing to the image
EXPECTED RESULT: Error message logged
Xbios – extended bios

55. References
Charles M. Kozierok, The DOS Boot Process, April 17, 2001
Primary, Extended and Logical Partitions,
WINDOWS XP BOOT SEQUENCE,
Red Hat Linux 9, A Detailed Look at the Boot Process,
National Institute of Standards and Technology (NIST), Disk Imaging Tool Specification, October 12, 2001
NIST, Software Write Block,
DIGITAL INTELLIGENCE, PDBLOCK,
NIST, Setup and Test Procedures For Testing Interrupt 0x13 Based Software Write Block Tools, April 1, 2004

56. Assignment 2 Partition Table Doctor Refer P6 of [8], and Textbook P48
Investigate DOS 6.22 image
Check when it was made
Find C:\ references in IO.SYS and command.com
Freeware Hex Editor XVI32