Topic 5a Operating System Fundamentals

What is an operating system? a computer is comprised of various types of software device drivers (storage, I/O, etc.) process and control software memory management user interface software utility software application software

Early computers ( 's) required all of these types of software to be loaded every time an application was run this was early 'batch' processing The 'operating system' became the set of software that initialize the computer run diagnostic checks provide for device management prepare the computer for an application

As operating systems evolved through the 's they gained more functions provide graphic user interface provide set of user utility programs manage multiple processes and users provide network functionality some operating systems are special-purpose

An important base function of the operating system is to provide an interface between the application software and the hardware today, this set of low-level OS functions is called the OS 'kernel‘ An OS kernel is typically always kept in memory – for greatest speed Many OS’s today are built on top of the Linux kernel, or some variation

There are many operating systems - not all are current the forensics examiner must be on the lookout for older, obsolete operating systems a criminal might try using these hoping to thwart an investigation Here is a listing of scores of operating systems with pointers to more information

the most important operating systems for the forensic examiner today are: - Microsoft Windows (and DOS) - Macintosh OSX - Unix/Linux - Android - Apple iOS many forensics labs will need to have hardware and software to deal with these there may be the occasion to locate hardware/software for an older OS example OS9 - unix-like OS for 8-bit Motorola 6809 based micros

As much as 50% of all system vulnerabilities are in the OS system devices such as routers, IDS's and firewalls also have operating systems the most effective mitigation strategy is to harden the OS ensure that security patches are installed as soon as they are available

Hardening an operating system - installation/configuration measures that can reduce the OS exposure - closing unneeded ports - turning off (or not installing) unneeded services - removing auto-response banner messages - note: there are many more hardening steps – most of these are OS or application specific

patch management - applying security patches as soon as they are available - servers, network appliances, workstations, etc. - having a back-down strategy if needed - many applications may need to be tested after a patch is applied - zero-day vulnerability - one for which a patch is not available

processes (tasks) and states - early computers were single-process systems - could only run a single program (task) at a time - the DOS operating system worked like this - switching tasks had to be done manually

processes (tasks) and states - later computer operating systems introduced the concept of multi-processing (multi-tasking) - a single user could have multiple tasks running simultaneously - a given task could have multiple sub-tasks (threads) - the OS manages process memory (memory management) and other resources and would switch between tasks as needed - for example, listening to music while writing a paper while having a chat window open while having a browser window open

Process (task) management requires that the OS properly handle the memory/resource management of the various tasks and threads - various ways to do this include system calls, message passing, stacks/heaps

Processes have various states - running, waiting, created, terminated, etc. - the process management function of the OS ensures that memory is adjusted, that resources are available, and that processes run when appropriate

Process privilege and priority - some processes require greater privileges (such as root or administrtator) - this should be done only when absolutely needed - a popular way to attack a system is to exploit a vulnerability in a process that has root privs - using an LPA is one way to restrict privileges - sandboxing is another approach

Processes may be prioritized - real-time processes typically have greater priority - note: process management today is typically called 'task' management - the early term for computers able to manage multiple tasks on a single processor was 'multi-processing‘ - today we call it 'multi-tasking‘ - multi-processing is used to describe situations where there are multiple CPUs available

Memory management - process/task management requires that the memory associated with a task be available in the address space where it is requested - one can think of this as like a sliding window - memory may be swapped to/from storage - this is called virtual memory - gives the illusion of having more real memory than you actually have

File systems - this determines how the bits of files are mapped onto storage devices. - examples include FAT, NTFS, EXT3, etc. - it is extremely relevant to cyber-forensics, since file system features (like slack space) can be exploited to hide data - we will cover file systems in more detail in subsequent topics

Virtualization - this refers to running an instance of an operating system as a process - possible since, in theory, any UTM (Universal Turing Machine) can simulate any other UTM - for example, running Mac OSX in a VM on a Windows computer, or running Unbuntu Linux in a VM on a windows computer

Virtualization: - the actual program run is called a 'virtual machine' - it is a simulation of a processor, with specific resources - the OS is installed on the virtual machine - the program that creates or manages VMs is called a 'hypervisor' - virtualization has many uses in cyber-forensics, we will discuss this in greater depth later

Fundamental security design principles: - domain separation - separating tasks from resources - the hypervisor or OS would mediate resource access - sandboxing is an example of this

Fundamental security design principles: - process isolation - preventing processes/tasks from communicating with each other or sharing resources such as memory - resource encapsulation - methods used to protect a resource - for example, specific system calls and specific privilege requirements