CH 05
and Investigations
Fifth Edition
Chapter 5
Working with Windows and CLI
Systems
Objectives
• File system
– Gives the OS a road map to data on a disk
• The type of file system an OS uses determines how data is stored on the disk
• When you need to access a suspect’s computer to acquire or inspect data
– You should be familiar with both the computer’s OS and file systems
• Bootstrap process
– Contained in ROM, tells the computer how to proceed
– Displays the key or keys you press to open the CMOS setup screen
• CMOS should be modified to boot from a forensic floppy disk or CD
• Registry
– A database that stores hardware and software configuration information, network connections, user preferences, and setup information
• To view the Registry, you can use:
– Regedit (Registry Editor) program for Windows 9x systems
– Regedt32 for Windows 2000, XP, and Vista
– Both utilities can be used for Windows 7 and 8
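Regedit and Regedt32 show the live Registry of the machine you are sitting at; an examiner usually needs to inspect a hive file copied out of a suspect's image instead. The following PowerShell script is an added illustration, not material from the textbook: it attaches a copied SOFTWARE hive under a temporary key, lists the installed-software entries (the kind of setup information the slide says the Registry holds), and detaches it again. The evidence path C:\Evidence\SOFTWARE and the mount key name are assumptions, and the shell must run elevated.

```powershell
# Added example (not from the textbook): inspect a suspect's SOFTWARE hive
# offline. Work from a duplicate of the hive, never the original evidence.
$HiveFile = 'C:\Evidence\SOFTWARE'   # placeholder: copy of the suspect hive
$MountKey = 'HKLM\SuspectSOFTWARE'   # temporary attach point in our own Registry

# reg.exe load attaches the offline hive file as a key under HKLM.
& reg.exe load $MountKey $HiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not load hive $HiveFile" }

try {
    # Uninstall subkeys record installed programs, one subkey per product.
    $UninstallPath = 'Registry::HKEY_LOCAL_MACHINE\SuspectSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    Get-ChildItem -Path $UninstallPath -ErrorAction Stop |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            # Skip patch/component entries that carry no display name
            if ($p.DisplayName) {
                [PSCustomObject]@{
                    DisplayName    = $p.DisplayName
                    DisplayVersion = $p.DisplayVersion
                    InstallDate    = $p.InstallDate   # yyyymmdd string when present
                    KeyName        = $_.PSChildName
                }
            }
        } |
        Sort-Object DisplayName |
        Format-Table -AutoSize
}
finally {
    # Release provider handles, then always detach the hive even on error.
    [GC]::Collect()
    & reg.exe unload $MountKey | Out-Null
}
```

The same approach works for the SYSTEM, SAM and NTUSER.DAT hives by changing the file path and the subkey you enumerate.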
• Windows 8 is a multiplatform OS
– Can run on desktops, laptops, tablets, and smartphones
• The boot process uses a boot configuration data (BCD) store
• The BCD contains the boot loader that initiates the system’s bootstrap process
– Press F8 or F12 when the system starts to access the Advanced Boot Options
• Virtual machine
– Allows you to create a representation of another computer on an existing physical computer
• A virtual machine is just a few files on your hard drive
– Must allocate space to it
• A virtual machine recognizes components of the physical machine it’s loaded on
– Virtual OS is limited by the physical machine’s OS
• In digital forensics
– Virtual machines make it possible to restore a suspect drive on your virtual machine
• And run nonstandard software the suspect might have loaded
• From a network forensics standpoint, you need to be aware of some potential issues, such as:
– A virtual machine used to attack another system or network