91.460.201 & 91.530.202 Selected Topics: Digital

Forensics

Xinwen Fu

Chapter 8Macintosh and Linux Boot Processes

and File Systems

CS@UML2

Outline The Boot Process Controlled Boot Environment Disk Write Blockers Disk Imaging Tool Testing NIST Test Cases

CS@UML3

Review of HD Boot Sequence (DOS)

power on self test (POST) by BIOS

master boot record

extended partition?

load extended partition tables

volume boot code of c:

DOS

No

Yes

CS@UML4

POST Power is on CPU ready to run, but run what? The BIOS performs the Power On Self Test

(POST) RAM Video Keyboard drives, etc.

CS@UML5

Master Boot Record Every hard disk must have a consistent ‘starting

point’ The place where this information is stored is called

the master boot record (MBR) (also referred to as the master boot sector, or just boot sector) The MBR is always located at cylinder 0, head 0, and

sector 1 The master boot record contains the following

structures: Master Partition Table – this small table contains the

descriptions of the partitions that are contained on the hard disk

There is only room for the information describing 4 partitions

CS@UML6

Master Boot Code Master Boot Code – The MBR contains a

small initial boot program that the BIOS loads and executes to start the boot process

Since the master boot code is the first program executed in RAM when you turn on your pc, this is a favorite place for virus writers to target

CS@UML7

DOS System Files

To control the boot process, we must intercept it with a controlled-boot floppy.

Boot record identifies the operating system and points to the next file to be loaded, which is IO.SYS.

1 Master Boot RecordCHS = 0,0,1

2 Boot Record

3 IO.SYS

4 MSDOS.SYS

5 CONFIG.SYS

6 COMMAND.COM

7 AUTOEXEC.BAT

CS@UML8

Unix Boot Process

power on self test (POST) by BIOS

master boot record - boot loader

kernel

user environment (/sbin/init)

CS@UML9

Two-stage Boot Loader Unix systems implement a two-stage loading

process First stage, a small boot program is read into

memory from MBR Locate the second stage boot loader and load the first

part of it into memory Second stage (/boot/???)

Present the user with the operating system choice screen Locate the kernel and load the kernel /boot/vmlinuz-

<kernel-version> Place initrd (initial RAM disk image) into memory (used by

the kernel to load drivers)

CS@UML10

Kernel Once the kernel is loaded, it remains in the

memory during the running of the system and is usually run in a fixed amount of memory

The kernel probes the bus to locate the devices specified during the configuration, and initializes the located devices Hardware Virtual devices Unmount the initrd image Create a root device

CS@UML11

Kernel (Cont.)System Processes: The kernel identifies the root,

swap, and dump devices and then starts programs to

1. Schedule processes, Sched: The real-time scheduler.

2. Manage physical memory and virtual memory, and the

Swapper: It manages the physical memory by moving process from physical memory to swap space when more physical memory is needed.

Page Daemon: Various memory handlers run as process 2.

3. init process.

CS@UML12

Create User Environment (/sbin/init) The last step in bootstrapping and identified by

process id “1” /etc/inittab – init configuration file 1. /etc/rc.d/rc.sysinit – set path, clock2. /etc/rc.d/init.d/functions - how to determine

process id3. Run shell scripts based on the runlevel - e.g.,

/etc/rc.d/rc5.d The startup scripts are defined and organized differently

on different systems On BSD systems the startup scripts may be found in

the /etc directory and their names begin with rc, e.g., /etc/rc.boot, /etc/rc.single,/etc/rc.local and so on

CS@UML13

Run Level (Red Hat/Fedora Core)

RunLevel

Scripts Directory State

0 /etc/rc.d/rc0.d/ shutdown/halt system

1 /etc/rc.d/rc1.d/ Single user mode

2 /etc/rc.d/rc2.d/ Multiuser with no network services exported

3 /etc/rc.d/rc3.d/ Default text/console only start. Full multiuser

4 /etc/rc.d/rc4.d/Reserved for local use. Also X-windows

(Slackware/BSD)

5 /etc/rc.d/rc5.d/ XDM X-windows GUI mode (Redhat/System V)

6 /etc/rc.d/rc6.d/ Reboot

s or S Single user/Maintenance mode (Slackware)

M Multiuser mode (Slackware)

CS@UML14

Some Notes Single User Mode

Single user shell is always Bourne Shell (sh) and it runs as 'root'.

It enables the system manager to perform various administrative functions, such as setting the date, checking the consistency of the file system, reconfiguring the list of on-line terminals, and so on.

At this stage only the root partition is usually mounted.

The file system consistency check may be performed by the command fsck, usually found in the /etc directory.

CS@UML15

Windows 2000/NT/XP Bootstrapping 6 Stages

POST Choose OS Kernel Load Kernel Initialization Services Load Logon

http://www.compphix.com/xpbootprocess.html

CS@UML16

Summary Every disk has a consistent starting point

(MBR or boot sector CHS 001) A control boot disk (floppy/CD) allows us to

control the bootstrapping process DOS makes a good boot environment

since we understand what is happening!

CS@UML17

Outline The Boot Process Controlled Boot Environment Disk Write Blockers Disk Imaging Tool Testing NIST Test Cases

CS@UML18

Note: Boot Considerations Background: we want to use a floppy disk

and boot the suspect system

BIOS Setting Need to ensure that system boots from proper

device such as CDROM, Floppy Interrupt keys (varies by manufacturers)

F12, Del, F1

CS@UML19

Controlled Boot Floppy A controlled boot floppy enables you to

Bypass possible destructive processes set by the suspect to destroy evidence

Maintain evidence integrity by preventing any possible changes to the suspect’s hard disk

CS@UML20

A Basic Controlled DOS Boot FloppyMinimum Requirements

Will boot the computer without allowing any writes to the Hard Disk

Will automatically install hard disk write protection

Will ensure drive letters are assigned to all FAT logical drives by including a LASTDRIVE=Z statement in the CONFIG.SYS file

CS@UML21

Media Variety of disks in every possible format

5¼” Low density, high density floppies 3½” Low density, high density floppies Bootable CD-ROMs

CS@UML22

Media (Cont.)

New, clean media for each case Pre-used media should be wiped

Error free and formatted by format /U Format option

Standard Format AND overwrites data area with F6h

/S Format option Standard Format AND copies system files to disk

after format

CS@UML23

Files (DOS)Required system files

IO.SYS Altered if necessary to prevent write to disk

MSDOS.SYS COMMAND.COM AUTOEXEC.BAT

Edited to automatically load the hard drive write blocker, e.g., PDBLOCK from digital intelligence

CONFIG.SYS Edited to include LASTDRIVE=Z to ensure drive

letter assignments

http://www.digitalintelligence.com/software/disoftware/pdblock/

CS@UML24

External DOS Commands Not loaded with COMMAND.COM Usually installed in the WINDOWS\COMMAND

subdirectory Our copies must be on the control boot floppy Are either “EXE” or “COM” files

FDISK FORMAT DELTREE CHKDSK ATTRIB UNFORMAT UNDELETE XCOPY

CS@UML25

Writing to the hard drive, when the system is in our custody and control, means that we have altered the

evidence!

Note: Why should we change IO.SYS?DOS 6.22, Win95, Win98

IO.SYS can automatically mount Compressed Volume Files If a compressed drive is mounted, it will make

changes (write) to the hard drive This can happen even if booting from a floppy

IO.SYS must be hacked to eliminate these calls to the hard drive Why? http://www.xxcopy.com/xxcopy15.htm ---

reading assignment

CS@UML26

Outline The Boot Process Controlled Boot Environment Disk Write Blockers Disk Imaging Tool Testing NIST Test Cases

CS@UML27

Disk Write Blockers Prevent data being written to the suspect

drive Ensure the integrity of the suspect drive

Software Write Blockers vs. Hardware

CS@UML28

Normal HD Access

User Application

CS@UML29

Normal HD Access - interrupt 0x13 interface 1. An application program issues an interrupt 0x13

command.

2. The interrupt transfers control to the interrupt 0x13 routine in the BIOS. The BIOS routine issues commands, ATA or SCSI as appropriate, directly to the hard drive controller.

3. The device does the requested operation and returns the result to the BIOS and then to the application program.

http://www.bitzenbytes.com/Content-Arcanum-18-1-53.html

CS@UML30

Software Write Block

User Application

CS@UML31

Software Write Block (SWB) – Change Interrupt 0x13 Interface1. The SWB tool is executed. The SWB tool saves

the current interrupt 0x13 routine entry address and installs a new interrupt 0x13 routine.

2. The application program initiates a drive I/O operation by invoking interrupt 0x13. The replacement routine installed by the SWB tool intercepts the command.

3. The SWB tool determines if the requested command should be blocked or if the command should be allowed.

CS@UML32

Software Write Block4. If a command is blocked, the SWB tool returns to

the application program without passing any command to the BIOS I/O routines. Depending on SWB tool configuration either success or error is returned for the command status.

5. If the command is allowed (not blocked), the command is passed to the BIOS and the BIOS I/O routine issues required I/O commands (ATA, SCSI or other) to the drive controller so that the desired I/O operation occurs on the hard drive.

6. Results are returned to the application program.

CS@UML33

Hardware Write Block A hardware write blocker (HWB) is a hardware device that

attaches to a computer system with the primary purpose of intercepting and preventing (or ‘blocking’) any modifying commands from ever reaching the storage device.

Physically, the device is connected between the computer and a storage device.

Some of its functions include monitoring and filtering any activity that is transmitted or received between its interface connections to the computer and the storage device.

http://www.paralan.com/sr14.html

CS@UML34

Summary Write blockers prevent data being written to the

suspect drive 2 basic approaches:

Hardware and Software Software write blockers can be bypassed

(sometimes unknowingly) Hardware write blockers are now the industry

standard. NIST (National Institute of Standards and

Technology) has excellent specs/standards for write blockers.

CS@UML35

Outline The Boot Process Controlled Boot Environment Disk Write Blockers Disk Imaging Tool Testing NIST Test Cases

CS@UML36

Imaging Tool Requirements1. Exact duplicate of the original disk2. Not alter the original disk3. Able to verify integrity of image4. Log I/O errors5. Tool documentation correct

CS@UML37

Definitions - Image Digital Sometimes compressed Bit-stream duplicate of original digital

object Can be reconstructed

CS@UML38

Definitions – Qualified CopyQualified bit-stream duplicate (in case there are

errors during imaging): Duplicate except in identified areas Identified areas replaced by values specified by

a disk imaging tool’s documentation Partition table entries to reflect relocated partitions Boot records Fill areas for cylinder alignment and excess disk space

CS@UML39

Mandatory Requirements of Tools1. Shall not alter original2. No errors create bit-stream duplicate or

image of source3. Errors create qualified bit-stream duplicate,

identified values are marked4. Log errors in readable form, including type and

location5. Destination larger than Source: document areas

of destination not included in source 6. Destination smaller than Source: notify user,

truncate, and log

CS@UML40

Optional Requirements of Tools (1/3) “If a tool provides the capability defined,

the tool is tested as if the requirement were mandatory.”

Create hash value of copy, compare to hash computed at time of creation, log comparisons; do same if bit-stream divided in blocks

CS@UML41

Optional Req’ts (2/3)2. Create copy of partitions designated by

user3. Log one or more: tool version, subject

disk ID, errors encountered, tool actions, start/finish run times, tool settings, user comments

CS@UML42

Optional Req’ts (3/3)4. Create an image file on removable media

that can be used to reconstruct a bit-stream duplicate

5. Bit-stream duplicate adjusts to alignment of cylinders on destination

On duplicate can only change: Partition table entries; Boot records; Fill areas for cylinder alignment; Excess space (fill areas values in documentation)

CS@UML43

Test Methodology Identify software and procedures Represent ‘how well’ vs. ‘what actions’ Document scope, parameters, testing

environment, expected results

CS@UML44

Disk Image Test Method Test setup Disk setup Test execution Test results analysis Documentation

CS@UML45

Test Lab Form Sample

Tester: Pascal OpenshawDate Started: 12 October 2004Test Case ID: A001Test Case Summary: Copy XBIOS-IDE disk PT-N/A src=DST/NN fixed errorsTesting Environment: PC - Beta 5; Disks – B0 Fujitsu MPF3153 AT 8.455 MB as master and B1 Fujitsu MPF3153 AT 8.455 MB as slave; Interface – XBIOS-IDE; File Type - NTFSTest Software Used: DiskWipe 2.3; BadX13 2.1; DiskCmp 2.2; DiskHash 1.1

Setup: Installed K3BExecute: Ran K3BLog Files ID & Loc: created folder on office machine labeled XX-08Expected Results: log file contains error messages and src/dest should compare qualify equalResults: A src read error was identified at 1,000,000 – other sectors compaired equalLog File Highlights: Errors from log file highlightedAnalysis: Expected results were obtained

Analysis

Test Setup

ExecutionDisk Setup

CS@UML46

Test cases Tests will verify each assertion

Each assertion provides a specific class of conditions that can be tested and the result that is expected

Identify parameters Generate cases for study

CS@UML47

Test form Test case ID Test case summary Test environment Test sw used Setup Execute

A001 Copy CD-ROM Mandrake Linux K3b Installed K3b Ran K3b, CD Copier

CS@UML48

Sufficient testing Show mandatory requirement Test optional requirements

CS@UML49

Outline The Boot Process Controlled Boot Environment Disk Write Blockers Disk Imaging Tool Testing NIST Test Cases

CS@UML50

DI-13 TEST : Copy a BIOS IDE source disk to a BIOS IDE

destination disk and the source contains a LINUX partition where source disk is the smaller than the destination and source contains a deleted file and a hidden file

After the duplicate is created on the destination, unhide the hidden file and undelete the deleted file

EXPECTED RESULT: Source compares qualified equal to destination hidden and deleted files recovered

CS@UML51

DI-44 TEST: Create an image from a LINUX SCSI source

disk to a LINUX SCSI destination disk and the source contains a LINUX partition where source disk is the same size as the destination

Create the image on a removable medium EXPECTED RESULTS: Source compares equal to

destination

CS@UML52

DI-77 TEST : Copy a BIOS IDE source disk to a BIOS IDE

destination disk and the source contains a NTFS partition where source disk is the smaller than the destination and source contains a deleted file and a hidden file

Create the image on a removable medium Introduce an error on the image After the duplicate is created on the destination,

unhide the hidden file and undelete the deleted file

EXPECTED RESULT: Image verification error

CS@UML53

DI-96 TEST : Create an image from an XBIOS IDE

source disk to a XBIOS IDE destination disk and where source disk is the same size as the destination

Introduce a write error writing to the image

EXPECTED RESULT: Error message logged

CS@UML54

References1. Charles M. Kozierok, The DOS Boot Process,

http://www.pcguide.com/ref/hdd/file/structBoot-c.html, April 17, 20012. Primary, Extended and Logical Partitions,

http://www.pcguide.com/ref/hdd/file/structPartitions-c.html, 20053. WINDOWS XP BOOT SEQUENCE,

http://www.compphix.com/xpbootprocess.html, 20054. Red Hat Linux 9, A Detailed Look at the Boot Process,

http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/ref-guide/s1-boot-init-shutdown-process.html, 2005

5. National Institute of Standards and Technology (NIST), Disk Imaging Tool Specification, http://www.securitymanagement.com/library/NIST_diskimage1003.pdf, October 12, 2001

6. NIST, Software Write Block, http://www.cftt.nist.gov/software_write_block.htm, 2003

7. DIGITAL INTELLIGENCE, PDBLOCK, http://www.digitalintelligence.com/software/disoftware/pdblock/, 2006

8. NIST, Setup and Test Procedures For Testing Interrupt 0x13 Based Software Write Block Tools, http://www.cftt.nist.gov/SWB%20test%20procedures.pdf, April 1, 2004

CS@UML55

Assignment 2 Partition Table Doctor Refer P6 of [8], and Textbook P48

Investigate DOS 6.22 image Check when it was made Find C:\ references in IO.SYS and command.com

Freeware Hex Editor XVI32