Digital Forensics Lec6 Spring 2021

The document discusses the boot process of computers and data representation in digital forensics. It explains that the boot process has three stages: CPU reset, POST, and disk boot. It describes the roles of BIOS and UEFI in booting computers and their differences. It also discusses how data is represented digitally in binary, hexadecimal, and ASCII formats and the endianness of number representation. Understanding these fundamentals of computer startup and data is important for digital forensic analysts to properly interpret digital evidence.

Uploaded by

change abc
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
52 views84 pages

Digital Forensics Lec6 Spring 2021

The document discusses the boot process of computers and data representation in digital forensics. It explains that the boot process has three stages: CPU reset, POST, and disk boot. It describes the roles of BIOS and UEFI in booting computers and their differences. It also discusses how data is represented digitally in binary, hexadecimal, and ASCII formats and the endianness of number representation. Understanding these fundamentals of computer startup and data is important for digital forensic analysts to properly interpret digital evidence.

Uploaded by

change abc
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
You are on page 1/ 84

Digital Forensics

Computer Basics for Forensic Analysts

1. Digital Number Systems

2. PC Boot Process

3. BIOS vs UEFI

4. Data Representation

5. File Carving

All rights reserved


Objectives
 Reference Books
– Text Book 3
– Learn Computer Forensics (Packt) (supporting book)
 We are covering Chapter 15 of Text Book 3 and Chapter 4 of the supporting book
 Online resources

Digital Forensics- Riphah International University 2


Digital Evidence
 Most digital forensic experts make use of tools
– for file recovery and forensic analysis
 However, a lack of knowledge of the computer's inner workings can lead to incorrect interpretation of evidence
 All tools have some limitations

Computer Startup – Bootstrapping
 The boot process has three basic stages
– the central processing unit (CPU) reset, the power-on self-test (POST), and the disk boot
 The CPU is the core of any computer
– Everything depends on its working
– The BIOS deals with the basic movement of data around the computer
CPU Resetting

Computer Startup – Bootstrapping
 POST is the first program, part of the PC firmware (BIOS / UEFI), that tests the fundamental components of the computer
– Disk drives, monitor, RAM, keyboard
 POST verifies that the CPU is working and checks its own code integrity first
 The CMOS configuration utility is also a part of this process
 CMOS RAM chips have a battery backup
– They remember the date, time, hard drive parameters, and other configuration details while the computer is shut down

Computer Startup – Bootstrapping
 From a forensic perspective, BIOS parameters can be of significant value
– date and time, the configuration of hard drives, and the boot sequence
– booting from other sources: network, DVD, USB, etc.
 POST results are verified against a permanent record stored in the CMOS microchip
 Beep patterns are used to signal the type of error
– Normal POST activity will finally load the OS

BIOS vs UEFI
 BIOS and UEFI are two distinct kinds of PC firmware
– They work as an interpreter between the OS and the computer hardware
 BIOS, the legacy firmware, reads the first sector of the hard drive – Sector 0
– which contains the address of the next boot partition
– BIOS has worked in 16-bit mode since its birth
• limiting the amount of code that can be read and executed from the firmware ROM – 1 MB

BIOS Booting
 Each PC has one or more disks which have an MBR
– The MBR is another de facto standard
– BIOS only needs to know which disk contains the system
 The MBR lies in the first sector, Sector 0, of a bootable hard disk
– BIOS firmware knows how to get to sector 0 of your hard disk
– Sector 0 contains a ‘boot loader’
• which the BIOS firmware knows how to execute, and whose job it is to boot the operating system
 Multi-boot under BIOS is handled above the firmware
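As an added example (not part of the lecture slides), the following Python parses a constructed 512-byte MBR the way a forensic tool would when checking what BIOS finds in sector 0: the 0x55AA boot signature in the last two bytes and the four 16-byte partition table entries at offset 446, whose multi-byte fields are stored little-endian. The 446/16/0x55AA layout is the standard MBR layout; the sample sector, its partition values, the 0xEB 0x3C 0x90 placeholder standing in for boot code, and the function names are all constructed for this example.

```python
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446      # four 16-byte entries live at 446..509
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"      # last two bytes of sector 0
# Layout of one partition entry, multi-byte fields little-endian ("<"):
# status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
ENTRY_FORMAT = "<B3sB3sII"


def build_sample_mbr():
    """Constructed sample sector: NOT taken from a real disk.

    Slot 0: bootable, type 0x07 (NTFS/exFAT), starts at LBA 2048, 204800 sectors.
    Slot 1: not bootable, type 0x83 (Linux), starts at LBA 206848, 409600 sectors.
    Slots 2 and 3 are left zeroed (empty).
    """
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xEB\x3C\x90"                      # placeholder standing in for boot code
    chs_unused = b"\xFE\xFF\xFF"                       # CHS fields are ignored by LBA-aware code
    sector[446:462] = struct.pack(ENTRY_FORMAT, 0x80, chs_unused, 0x07, chs_unused, 2048, 204800)
    sector[462:478] = struct.pack(ENTRY_FORMAT, 0x00, chs_unused, 0x83, chs_unused, 206848, 409600)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def parse_mbr(sector):
    """Validate the signature and return the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        # Without 0x55AA, legacy BIOS would not treat this sector as bootable.
        raise ValueError("boot signature 0x55AA missing: not a valid MBR")
    entries = []
    for slot in range(4):
        off = PARTITION_TABLE_OFFSET + slot * PARTITION_ENTRY_SIZE
        status, _chs_start, ptype, _chs_end, lba_start, count = struct.unpack(
            ENTRY_FORMAT, sector[off:off + PARTITION_ENTRY_SIZE])
        if ptype == 0x00:
            continue                                   # empty slot
        entries.append({
            "slot": slot,
            "bootable": status == 0x80,                # 0x80 = active flag
            "type": ptype,
            "lba_start": lba_start,
            "sectors": count,
            # where an examiner would seek in a raw image to reach this partition
            "byte_offset": lba_start * SECTOR_SIZE,
        })
    return entries


def find_boot_partition(entries):
    """BIOS-style boot code hands off to the single active partition; return it or None."""
    active = [e for e in entries if e["bootable"]]
    return active[0] if len(active) == 1 else None


if __name__ == "__main__":
    mbr = build_sample_mbr()
    # The LBA start of slot 0 is stored little-endian: 2048 = 0x00000800 -> bytes 00 08 00 00
    print("LBA bytes of slot 0:", mbr[454:458].hex(" "))
    for e in parse_mbr(mbr):
        print(f"slot {e['slot']}: type 0x{e['type']:02X} bootable={e['bootable']} "
              f"LBA {e['lba_start']} ({e['sectors']} sectors) -> byte offset {e['byte_offset']}")
    boot = find_boot_partition(parse_mbr(mbr))
    print("active partition slot:", boot["slot"] if boot else None)
```

The byte offset printed for each entry is the value an examiner uses to seek into a raw disk image; a missing 0x55AA signature is reported as an error rather than silently parsed, because that is the case where BIOS itself would refuse to boot from the disk.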

Cont.… Booting Process

Understanding the Boot Sequence (BIOS)
BIOS shortcomings
 BIOS has several weaknesses
– The MBR in BIOS is not big enough for many modern boot-loaders
– The BIOS design doesn’t provide any standardized layer or mechanism for selecting boot targets other than hard disks
• remote servers, for example
– No mechanism for levels above the firmware to configure the firmware’s boot behavior
– No equivalent of Secure Boot, which is a UEFI feature

UEFI
 In 2010, the BIOS function was replaced by the Unified Extensible Firmware Interface (UEFI).
 It provides the same service as the BIOS, but has been enhanced as follows:
– better security in the pre-boot process
– faster startup
– support for drives larger than 2 TB
– support for 64-bit device drivers
– support for the GUID partition table (GPT)

Cont.…

 UEFI does the same task of bootstrapping
– But you cannot apply your BIOS knowledge to UEFI
• Do not ever do that
 UEFI firmware implements some kind of BIOS compatibility mode
– Sometimes incorrectly referred to as “disabling UEFI”
 When UEFI boots in ‘BIOS’ style, it follows the same sequence
– Look for the MBR and boot-loader

UEFI
 Native UEFI booting makes use of GPT-based disks
– EFI System Partition (ESP)
• formatted with EFI FAT32, the FAT variant defined for UEFI
 Unlike BIOS, UEFI certainly does understand, to varying degrees, some important concepts:
– ‘disk partitions’, ‘boot-loaders’ and ‘operating systems’

UEFI
 The UEFI specification defines an executable format and requires all UEFI firmware to comply
– .efi files
 .efi files are stored in the EFI System Partition (ESP)
– The ESP will also contain the boot-loaders for the OSes installed on the computer
 UEFI is for 64-bit systems

BIOS vs UEFI
 The biggest benefit of UEFI over BIOS is its security
– UEFI can allow only authentic drivers and services to load at boot time
• so no malware can be loaded at computer startup
 UEFI is used by all major OSes, e.g. Linux and Apple’s OS X

UEFI Setup
Computer Startup – Bootstrapping
 From a forensic perspective, during evidence collection, analysts may interrupt the boot process
– to examine the date and time, the configuration of hard drives, and the boot sequence
– to boot from other sources: network, DVD, USB, etc.
 POST results are verified against a permanent record stored in the CMOS microchip
 Beep patterns are used to signal the type of error
– Normal POST activity will finally load the OS

Computer Startup – Disk Boot
 The OS is an interface between the PC and the outside world (users)
 Most computers look for an OS
– on a floppy diskette, hard disk, or compact disk
 Hence they can be configured to boot from other devices
– DVD, USB, etc.

Computer Startup – Data Representation
 All digital data are basically combinations of ones and zeros, commonly called bits
 “There are only 10 types of people in the world: those who understand binary, and those who don’t.”
 Big-endian vs Little-endian
– Big-endian architectures place the most significant byte on the left
– Little-endian architectures place the most significant byte on the right

Number (dec)   Little-endian         Big-endian
511            11111111 00000001     00000001 11111111

Computer Startup – Data Representation
 Binary representation is hard to remember or code
– Hexadecimal is more common
– ASCII is another type
 The ASCII philosophy is that certain combinations of ones and zeros represent certain letters and numbers
 Hex editors display hex numbers and their ASCII equivalents
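As an added example (not from the slides), the Python below does what the data-representation slides describe: a hex-editor style dump with offset, hex bytes and ASCII column, and a byte-order aware integer decoder that reproduces the 511 row of the endianness table and shows how the same two bytes decode to a different number when the wrong byte order is assumed. The sample record and the function names are constructed for this example.

```python
import string

# Characters a hex editor shows as themselves; everything else becomes "."
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")

# Constructed sample record (not real evidence): an 8-byte tag, a 2-byte
# little-endian field holding 511, a 2-byte big-endian 511, then four filler bytes.
SAMPLE = b"EVIDENCE" + (511).to_bytes(2, "little") + (511).to_bytes(2, "big") + b"\x00\xFF\x7F\x80"


def hexdump(data, width=16):
    """Return hex-editor style lines: offset, hex bytes, ASCII equivalent."""
    lines = []
    for offset in range(0, len(data), width):
        chunk = data[offset:offset + width]
        hex_part = " ".join(f"{b:02X}" for b in chunk)
        ascii_part = "".join(chr(b) if chr(b) in PRINTABLE else "." for b in chunk)
        lines.append(f"{offset:08X}  {hex_part:<{width * 3 - 1}}  {ascii_part}")
    return lines


def as_bit_groups(value, size, order):
    """Show `value` as `size` bytes of 8 bits each, in the given byte order."""
    return " ".join(f"{b:08b}" for b in value.to_bytes(size, order))


def read_uint(data, offset, size, order):
    """Decode an unsigned integer; `order` is 'little' or 'big'."""
    if order not in ("little", "big"):
        raise ValueError("order must be 'little' or 'big'")
    field = data[offset:offset + size]
    if len(field) != size:
        raise ValueError("field runs past the end of the data")
    return int.from_bytes(field, order)


def endianness_table(value, size=2):
    """Reproduce the slide's table row for `value`: (little-endian bits, big-endian bits)."""
    return as_bit_groups(value, size, "little"), as_bit_groups(value, size, "big")


if __name__ == "__main__":
    print("\n".join(hexdump(SAMPLE)))
    little, big = endianness_table(511)
    print(f"511 little-endian: {little}   big-endian: {big}")
    # The same two bytes FF 01 mean different numbers depending on the order assumed:
    print("offset 8 read as little-endian:", read_uint(SAMPLE, 8, 2, "little"))   # 511
    print("offset 8 read as big-endian:   ", read_uint(SAMPLE, 8, 2, "big"))      # 65281
    print("offset 10 read as big-endian:  ", read_uint(SAMPLE, 10, 2, "big"))     # 511
```

The last three lines are the practical point for an examiner: a hex editor shows the raw bytes correctly either way, but the interpreted value (a file size, a timestamp, a record length) is only right if the decoder uses the byte order the originating system actually used.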

File Carving
 Computer files have countless formats
– Each type of file has a distinctive structure designed by software developers or standards bodies
• Example: DOC files have a different structure than JPG files
 The structure of files can be used for classification and merging of data fragments
 Most files have:
– a run of starting bytes – the header of the file
• the file signature
– a run of ending bytes – the footer of the file

File Carving
 The process of searching for a certain file signature and attempting to extract the associated data is called “carving”
– It involves cutting a specific piece of data out of a larger dataset, hence the name ‘carving’
 Carving in digital forensics uses the characteristics of a given class of files to locate those files in a raw data stream
– unallocated clusters on a hard drive, for instance

File Carving

Beginning of a JPEG-encoded EXIF file.


File Carving
 Tools like foremost, scalpel and DataLifter can automate the process of carving
– Specialized forensic tools like EnCase, FTK, and X-Ways also have some carving capabilities
 The carving technique is generic
– It works for extracting files from physical memory dumps, mobile devices and raw network traffic

File Carving
 However, the carving technique has some limitations
1. the file name and date-time stamps that were associated with a file are not recovered
2. the size of the original file may not be known
3. assuming a simple carving process, a fragmented file may be incorrectly assembled with fragments from multiple source files
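As an added example (not part of the slides and not code from foremost, scalpel or any other tool named above), this Python implements the header-to-footer carving defined earlier over a constructed raw stream and makes the three limitations on this slide visible: carved results carry only an offset, never the original name or timestamps; a file with no footer has to be cut at a maximum size because its true size is unknown; and a second JPEG header appearing before the first footer is flagged, because a naive carver would otherwise glue fragments of two files into one. The JPEG and PNG header/footer values are the standard magic values; the stream contents, the Exif APP1 segment stub (cf. the EXIF caption above) and the function names are constructed for this example.

```python
# Well-known header/footer signatures (standard magic values), keyed by type name.
SIGNATURES = {
    "jpeg": (b"\xFF\xD8\xFF", b"\xFF\xD9"),                   # SOI marker .. EOI marker
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xAE\x42\x60\x82"),    # PNG signature .. IEND chunk + CRC
}


def build_sample_stream():
    """Constructed raw stream standing in for unallocated clusters (not real evidence)."""
    filler = b"\x00" * 16
    # A complete JPEG: SOI, an APP1 'Exif' segment stub, payload, EOI
    jpeg_a = b"\xFF\xD8\xFF\xE1\x00\x10Exif\x00\x00" + b"A" * 20 + b"\xFF\xD9"
    # A complete PNG: signature, IHDR chunk stub, IEND chunk
    png = SIGNATURES["png"][0] + b"\x00\x00\x00\x0DIHDR" + b"P" * 17 + b"\x00\x00\x00\x00" + SIGNATURES["png"][1]
    # The first fragment of a JPEG whose remainder (and footer) is elsewhere or gone
    jpeg_b_fragment = b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00" + b"B" * 10
    # Another complete JPEG following it, so a naive footer search will find ITS footer
    jpeg_c = b"\xFF\xD8\xFF\xE0" + b"C" * 8 + b"\xFF\xD9"
    return filler + jpeg_a + filler + png + filler + jpeg_b_fragment + filler + jpeg_c + filler


def carve(stream, file_type, max_size=None):
    """Simple header-to-footer carver.

    Returns one dict per header found: offset, length, data and a list of
    warnings naming which limitation applies to that candidate. Note that no
    file name or timestamp can be reported: the raw stream does not contain them.
    """
    header, footer = SIGNATURES[file_type]
    results = []
    pos = 0
    while True:
        start = stream.find(header, pos)
        if start == -1:
            break
        warnings = []
        end = stream.find(footer, start + len(header))
        if end == -1:
            # Limitation 2: without a footer the original size is unknown, so cut at max_size.
            limit = max_size if max_size is not None else len(stream) - start
            end_excl = min(len(stream), start + limit)
            warnings.append("no footer found; truncated at %d bytes" % (end_excl - start))
        else:
            end_excl = end + len(footer)
        # Limitation 3: another header before the footer means this candidate spans two files.
        nested = stream.find(header, start + len(header), end_excl)
        if nested != -1:
            warnings.append("another %s header at offset %d: fragments from two files were merged"
                            % (file_type, nested))
        results.append({
            "type": file_type,
            "offset": start,
            "length": end_excl - start,
            "data": stream[start:end_excl],
            "warnings": warnings,
        })
        # Continue just past this header so an overlapping candidate is also reported.
        pos = start + len(header)
    return results


if __name__ == "__main__":
    stream = build_sample_stream()
    for ftype in SIGNATURES:
        for hit in carve(stream, ftype, max_size=64):
            flag = "; ".join(hit["warnings"]) or "ok"
            print(f"{ftype} at offset {hit['offset']:5d}, {hit['length']:3d} bytes: {flag}")
```

Running it reports the complete JPEG and PNG cleanly, reports the fragment-plus-next-file candidate with the nested-header warning, and still reports the following JPEG on its own, which is the behaviour an examiner wants: every candidate is surfaced, and the suspicious one is marked for manual verification rather than silently accepted.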

Hard Drive

Cont.…. Platters and Tracks

Cont.…. Top View of Platters

Cont.…. Side View of Platters

Cont.…. Tracks without Platters

Cont.…. Read & Write Operation

Cont… Rotational Assembly

Cont… Hard disk Structure

Cont…. Hard disk Tracks

Cont… Reaching the Desired Sector

Cont…. Access Time

Cont…. Read Time

Cont…. Sector Contents

Cont… Reading a Sector

Cont… Reading a Sector

Cont… Read Time

Cont… Transmission Time

Cont… Time taken for Acquiring data from Hard Disk

Representation of Data on Hard Disk

Electromagnet

Thanks
?
