A Baseline for XP Boot Changes
AAFS - 26 February 2010
Ben Livelsberger, NIST Information Technology Laboratory, CFTT Project

Disclaimer
Certain trade names and company products are mentioned in the text or identified. In no case does such identification imply recommendation or endorsement by the National Institute of Standards and Technology, nor does it imply that the products are necessarily the best available for the purpose.

Outline
- Introduction
- Methodology/Approach
- Expected Results
- Analysis/Findings
- Conclusion

Introduction
Question: What changes on a hard drive when you boot a system?
Answer, in terms of what to measure:
- Sector content of the installed devices that contain volumes
- Accessed, written and created date/time metadata
- Files created
- Files deleted

Methodology and Approach
- Build a vanilla XP system, not networked
- Cycle through several boots and shutdowns
- Image the drive with dd
- Boot, leave idle for 2 minutes, shut down, and re-image (5 cycles)
- Compare the images sector by sector (Linux and perl)
- Analyze the differences with perl scripts and SleuthKit tools

Methodology and Approach: Build (vanilla) XP system
- Drive clipped to 12 GB with a DCO (Device Configuration Overlay)
- Partitioned: 7 GB primary FAT32; 2 GB secondary NTFS and 2 GB secondary FAT32 (logical partitions in the extended partition)
- Windows XP Professional SP2 installed on the primary partition
- User files added to the secondary partitions: 5 files (sizes listed under Expected Results), types .inf, .pdf, .exe, .ico, and .html

Expected Results
Disk layout under test. The non-file-system areas (MBR, the extended partition tables, the 62 sectors that follow each of them because XP starts partitions on sector 63, and the trailing unallocated sectors) are expected to stay unchanged across boots:
- MBR (boot code, partition table, signature value) + 62 sectors
- 7.3 GB FAT32 boot partition with XP SP2 installed
- Primary extended partition:
  - Primary extended partition table + 62 sectors
  - 2.1 GB secondary NTFS partition. Payload of 5 files copied from a bootable CD (a 43 byte autorun.inf, a 17 KB .pdf, a 2.4 MB .exe, a 13 KB .ico, and a 13 KB .html file)
- Secondary extended partition:
  - Secondary extended partition table + 62 sectors
  - 2.1 GB secondary FAT32 partition. Payload the same as the NTFS partition
- 898,594 unallocated sectors

Analysis/Findings
Partitions compared:
- 7.3 GB FAT32 boot partition with XP SP2 installed
- 2.1 GB secondary NTFS partition. Payload of 5 files copied from a bootable CD (a 43 byte autorun.inf, a 17 KB .pdf, a 2.4 MB .exe, a 13 KB .ico, and a 13 KB .html file)
- 2.1 GB secondary FAT32 partition. Payload the same as the NTFS partition
Findings:
- Changes were confined to the file system partitions
- Few changes to the secondary file system partitions

Analysis/Findings: Boot Volume
Output of analyze_partitions.pl for p0 (from run 1):
- Reserved area: 1 sector changed (the FSInfo sector; FAT32 keeps the free-cluster count and next-free hint there, so it is rewritten whenever the volume is mounted writable)
- FAT area:
  - FAT 0:
  - FAT 1:

Analysis/Findings: Boot Volume Data Area
- Total data area sectors changed per cycle: 12,501 to 14,827 sectors; average 13,865 sectors (6.9 MB)
- Breakdown of the changed sectors:
  - 9, to ,931 (average 10,883, or 78%) allocated sectors, i.e. file content
  - 2,740 to 3,359 (average 2,923, or 21%) unallocated sectors
  - sectors (1%) containing directory entries
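As an added illustration of the compare-and-classify step described under Methodology and in the two boot-volume slides above, here is a small Python script written for this page (it is not the CFTT perl scripts or analyze_partitions.pl). It diffs two raw dd images sector by sector and attributes each changed sector to the MBR, unpartitioned space, or a FAT32 region: reserved area, FAT area, allocated data (the sector's cluster has a non-zero FAT entry) or unallocated data. The 512-byte sector size, the single-partition MBR, the miniature FAT32 geometry in build_image() and the simulated "boot" writes in demo() are constructed for the example and are not taken from the talk; real images would be passed to the same functions as bytes.

```python
"""Sector-level diff of two raw images, classified by MBR partition and FAT32
region.  Example code for this page, not NIST CFTT's analyze_partitions.pl.
Assumptions (not from the talk): 512-byte sectors, equal-length images, only
the four primary MBR entries (no extended-partition chain), FAT32 geometry
taken from the partition's own BPB."""
import struct

SECTOR = 512


def mbr_partitions(img):
    """Return [(start_lba, sector_count, type_byte)] for non-empty MBR entries."""
    if img[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA MBR signature")
    parts = []
    for i in range(4):
        entry = img[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = entry[4]
        start, count = struct.unpack_from("<II", entry, 8)   # LBA start, size
        if ptype and count:
            parts.append((start, count, ptype))
    return parts


def fat32_layout(img, start):
    """Parse the BPB in the partition's first sector.  Returns absolute LBAs
    (fat_start, data_start) and sectors per cluster."""
    bs = img[start * SECTOR:(start + 1) * SECTOR]
    bytes_per_sector, spc, reserved = struct.unpack_from("<HBH", bs, 11)
    nfats = bs[16]
    sectors_per_fat = struct.unpack_from("<I", bs, 36)[0]
    if bytes_per_sector != SECTOR:
        raise ValueError("unexpected sector size %d" % bytes_per_sector)
    fat_start = start + reserved
    return fat_start, fat_start + nfats * sectors_per_fat, spc


def cluster_allocated(img, layout, cluster):
    """True if the cluster's entry in the first FAT (28 significant bits) is non-zero."""
    fat_start = layout[0]
    entry = struct.unpack_from("<I", img, fat_start * SECTOR + cluster * 4)[0]
    return (entry & 0x0FFFFFFF) != 0


def changed_sectors(a, b):
    """Indices of sectors whose content differs between the two images."""
    if len(a) != len(b):
        raise ValueError("images differ in length")
    return [s for s in range(len(a) // SECTOR)
            if a[s * SECTOR:(s + 1) * SECTOR] != b[s * SECTOR:(s + 1) * SECTOR]]


def classify(before, after):
    """Count changed sectors per region.  Allocation state is read from the
    'after' image's FAT so a freshly written file counts as allocated."""
    parts = mbr_partitions(before)
    layouts = {p[0]: fat32_layout(before, p[0]) for p in parts if p[2] in (0x0B, 0x0C)}
    counts = {}
    for s in changed_sectors(before, after):
        label = "mbr" if s == 0 else "unpartitioned"
        for start, count, ptype in parts:
            if not (start <= s < start + count):
                continue
            if start not in layouts:
                label = "p%d:type0x%02x" % (start, ptype)
                break
            fat_start, data_start, spc = layouts[start]
            if s < fat_start:
                label = "p%d:reserved" % start
            elif s < data_start:
                label = "p%d:fat" % start
            else:
                cluster = (s - data_start) // spc + 2       # data area begins at cluster 2
                state = "allocated" if cluster_allocated(after, layouts[start], cluster) else "unallocated"
                label = "p%d:data-%s" % (start, state)
            break
        counts[label] = counts.get(label, 0) + 1
    return counts


def build_image(total_sectors=128):
    """Constructed miniature image (not real data): one FAT32-LBA partition at
    LBA 8 of 100 sectors; BPB: 4 reserved sectors, 2 FATs of 8 sectors, 1 sector
    per cluster; cluster 12 marked end-of-chain (allocated) in both FATs."""
    img = bytearray(total_sectors * SECTOR)
    struct.pack_into("<B3sB3sII", img, 446, 0x80, b"\0\0\0", 0x0C, b"\0\0\0", 8, 100)
    img[510:512] = b"\x55\xAA"
    bpb = 8 * SECTOR
    struct.pack_into("<HBH", img, bpb + 11, 512, 1, 4)
    img[bpb + 16] = 2
    struct.pack_into("<I", img, bpb + 36, 8)
    for fat_lba in (12, 20):                                 # FAT 0, FAT 1
        struct.pack_into("<I", img, fat_lba * SECTOR + 12 * 4, 0x0FFFFFFF)
    return img


def demo():
    """Simulate one boot cycle's writes and classify them, as the talk did for p0."""
    before = build_image()
    after = bytearray(before)
    after[9 * SECTOR] ^= 1          # FSInfo sector, reserved area
    after[12 * SECTOR + 4] ^= 1     # FAT 0, entry 1
    after[20 * SECTOR + 4] ^= 1     # FAT 1, entry 1
    after[38 * SECTOR] ^= 1         # data sector of cluster 12 (allocated)
    after[39 * SECTOR] ^= 1         # data sector of cluster 13 (free)
    return classify(before, after)


if __name__ == "__main__":
    for region, n in sorted(demo().items()):
        print("%-22s %d sector(s)" % (region, n))
```

On full-size images the same functions apply unchanged; read each dd output with mmap rather than into memory, and remember that the NTFS partitions in the talk need an NTFS-aware classifier (the $Bitmap and $MFT) rather than the FAT lookup shown here.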

Unallocated Space: File Growth
File growth came from log files and prefetch files. Collective growth: sectors; sectors to the prefetch boot trace file (NTOSBOOT-B00DFAAD.pf).

cycles in which file grew | file that grew
5 | WINDOWS/Debug/UserMode/userenv.log
5 | WINDOWS/system32/wbem/Logs/wbemess.log
5 | WINDOWS/WindowsUpdate.log
2 | WINDOWS/SchedLgU.Txt
3 | WINDOWS/Prefetch/NTOSBOOT-B00DFAAD.pf
2 | WINDOWS/Prefetch/WSCNTFY.EXE-1B24F5EB.pf

Unallocated Space: New and Temporary Files
- New files: 5 restore point files; change.log is cycled
- Temporary files: WINDOWS/Temp/_sg034g7.TMP (616 KB) and WINDOWS/SoftwareDistribution/DataStore/Logs/_mp.edb (65 KB)
- No persistent files deleted
- Some changes to unallocated space are not accounted for

New files (paths abbreviated):
- System Volume Information/_restore{ … }/RP1/change.log
- System Volume Information/_restore{ … }/RP1/A INI
- System Volume Information/_restore{ … }/RP1/A INI
- System Volume Information/_restore{ … }/RP1/A INI
- System Volume Information/_restore{ … }/RP1/A ini

Changes to File Content
- 39 files in common changed content in every cycle
- Amount changed, average: 11,049 sectors
- 95% of that was in PAGEFILE.SYS and the SYSTEM registry hive

Changes to File Content (by Directory)
- Documents and Settings and WINDOWS/system32/config: 22 registry files (Usrclass.dat, Ntuser.dat, DEFAULT, SAM, SECURITY, SOFTWARE, SYSTEM, and their .log files). Average total: 1,322 sectors
- WINDOWS/system32/wbem: 7 WMI files. Average total: 30 sectors
- WINDOWS/Prefetch: 3 .pf prefetch files (NTOSBOOT-B00DFAAD.pf, WSCNTFY.EXE-1B24F5EB.pf, and WUAUCLT.EXE-399A8E72.pf). Average total: 651 sectors

Changes to File Content (Misc)
Miscellaneous other files that changed (number of cycles, out of 5, in which the file changed; average number of sectors changed):

cycles | avg sectors | file
       |             | PAGEFILE.SYS
5      | 1           | System Volume Information/_restore{1E17E5A1-FE9A-4F64-AA4B-1C4617CFC305}/_driver.cfg
5      | 3           | WINDOWS/system32/config/AppEvent.Evt
5      | 7.8         | WINDOWS/system32/config/SysEvent.Evt
4      | 1           | WINDOWS/system32/wpa.dbl
2      | 2           | System Volume Information/_restore{1E17E5A1-FE9A-4F64-AA4B-1C4617CFC305}/drivetable.txt
1      | 2           | WINDOWS/Tasks/SA.DAT
5      | 3           | WINDOWS/Debug/UserMode/userenv.log
5      | 1.6         | WINDOWS/SchedLgU.Txt
5      | 6           | WINDOWS/WindowsUpdate.log

Changes to File Content (Summary)

Conclusion
- The boot process creates new files.
- Some files grew, notably log files.
- Some temporary files were created and then deleted.
- No system files were deleted.
- If an XP SP2 PC is booted, an average of 13,873 sectors will change across files, metadata, and unallocated space.

Future Research
- Use of an NTFS boot partition
- Investigate changes in the secondary partitions
- Use of other OSes: Vista, Windows 7
- Pulling the plug vs. a proper shutdown
- Directory entry / metadata analysis
- Investigate variance in prefetch file changes

AAFS 6/4/2014
Project Sponsors (aka Steering Committee)
- National Institute of Justice (major funding)
- FBI (additional funding)
- Department of Defense, DCCI (equipment and support)
- Homeland Security (major funding)
- State and local agencies (technical input)
- Internal Revenue Service, IRS (technical input)
- NIST/OLES (program management)

Contacts
- Ben Livelsberger
- Jim Lyle
- Sue Ballou, Office of Law Enforcement Standards