91.460.201 & 91.530.202 Selected Topics: Digital Forensics Xinwen Fu Chapter 8 Macintosh and Linux...
-
Upload
jacob-austin -
Category
Documents
-
view
216 -
download
0
Transcript of 91.460.201 & 91.530.202 Selected Topics: Digital Forensics Xinwen Fu Chapter 8 Macintosh and Linux...
91.460.201 & 91.530.202 Selected Topics: Digital
Forensics
Xinwen Fu
Chapter 8Macintosh and Linux Boot Processes
and File Systems
CS@UML2
Outline The Boot Process Controlled Boot Environment Disk Write Blockers Disk Imaging Tool Testing NIST Test Cases
CS@UML3
Review of HD Boot Sequence (DOS)
power on self test (POST) by BIOS
master boot record
extended partition?
load extended partition tables
volume boot code of c:
DOS
No
Yes
CS@UML4
POST Power is on CPU ready to run, but run what? The BIOS performs the Power On Self Test
(POST) RAM Video Keyboard drives, etc.
CS@UML5
Master Boot Record Every hard disk must have a consistent ‘starting
point’ The place where this information is stored is called
the master boot record (MBR) (also referred to as the master boot sector, or just boot sector) The MBR is always located at cylinder 0, head 0, and
sector 1 The master boot record contains the following
structures: Master Partition Table – this small table contains the
descriptions of the partitions that are contained on the hard disk
There is only room for the information describing 4 partitions
CS@UML6
Master Boot Code Master Boot Code – The MBR contains a
small initial boot program that the BIOS loads and executes to start the boot process
Since the master boot code is the first program executed in RAM when you turn on your pc, this is a favorite place for virus writers to target
CS@UML7
DOS System Files
To control the boot process, we must intercept it with a controlled-boot floppy.
Boot record identifies the operating system and points to the next file to be loaded, which is IO.SYS.
1 Master Boot RecordCHS = 0,0,1
2 Boot Record
3 IO.SYS
4 MSDOS.SYS
5 CONFIG.SYS
6 COMMAND.COM
7 AUTOEXEC.BAT
CS@UML8
Unix Boot Process
power on self test (POST) by BIOS
master boot record - boot loader
kernel
user environment (/sbin/init)
CS@UML9
Two-stage Boot Loader Unix systems implement a two-stage loading
process First stage, a small boot program is read into
memory from MBR Locate the second stage boot loader and load the first
part of it into memory Second stage (/boot/???)
Present the user with the operating system choice screen Locate the kernel and load the kernel /boot/vmlinuz-
<kernel-version> Place initrd (initial RAM disk image) into memory (used by
the kernel to load drivers)
CS@UML10
Kernel Once the kernel is loaded, it remains in the
memory during the running of the system and is usually run in a fixed amount of memory
The kernel probes the bus to locate the devices specified during the configuration, and initializes the located devices Hardware Virtual devices Unmount the initrd image Create a root device
CS@UML11
Kernel (Cont.)System Processes: The kernel identifies the root,
swap, and dump devices and then starts programs to
1. Schedule processes, Sched: The real-time scheduler.
2. Manage physical memory and virtual memory, and the
Swapper: It manages the physical memory by moving process from physical memory to swap space when more physical memory is needed.
Page Daemon: Various memory handlers run as process 2.
3. init process.
CS@UML12
Create User Environment (/sbin/init) The last step in bootstrapping and identified by
process id “1” /etc/inittab – init configuration file 1. /etc/rc.d/rc.sysinit – set path, clock2. /etc/rc.d/init.d/functions - how to determine
process id3. Run shell scripts based on the runlevel - e.g.,
/etc/rc.d/rc5.d The startup scripts are defined and organized differently
on different systems On BSD systems the startup scripts may be found in
the /etc directory and their names begin with rc, e.g., /etc/rc.boot, /etc/rc.single,/etc/rc.local and so on
CS@UML13
Run Level (Red Hat/Fedora Core)
RunLevel
Scripts Directory State
0 /etc/rc.d/rc0.d/ shutdown/halt system
1 /etc/rc.d/rc1.d/ Single user mode
2 /etc/rc.d/rc2.d/ Multiuser with no network services exported
3 /etc/rc.d/rc3.d/ Default text/console only start. Full multiuser
4 /etc/rc.d/rc4.d/Reserved for local use. Also X-windows
(Slackware/BSD)
5 /etc/rc.d/rc5.d/ XDM X-windows GUI mode (Redhat/System V)
6 /etc/rc.d/rc6.d/ Reboot
s or S Single user/Maintenance mode (Slackware)
M Multiuser mode (Slackware)
CS@UML14
Some Notes Single User Mode
Single user shell is always Bourne Shell (sh) and it runs as 'root'.
It enables the system manager to perform various administrative functions, such as setting the date, checking the consistency of the file system, reconfiguring the list of on-line terminals, and so on.
At this stage only the root partition is usually mounted.
The file system consistency check may be performed by the command fsck, usually found in the /etc directory.
CS@UML15
Windows 2000/NT/XP Bootstrapping 6 Stages
POST Choose OS Kernel Load Kernel Initialization Services Load Logon
http://www.compphix.com/xpbootprocess.html
CS@UML16
Summary Every disk has a consistent starting point
(MBR or boot sector CHS 001) A control boot disk (floppy/CD) allows us to
control the bootstrapping process DOS makes a good boot environment
since we understand what is happening!
CS@UML17
Outline The Boot Process Controlled Boot Environment Disk Write Blockers Disk Imaging Tool Testing NIST Test Cases
CS@UML18
Note: Boot Considerations Background: we want to use a floppy disk
and boot the suspect system
BIOS Setting Need to ensure that system boots from proper
device such as CDROM, Floppy Interrupt keys (varies by manufacturers)
F12, Del, F1
CS@UML19
Controlled Boot Floppy A controlled boot floppy enables you to
Bypass possible destructive processes set by the suspect to destroy evidence
Maintain evidence integrity by preventing any possible changes to the suspect’s hard disk
CS@UML20
A Basic Controlled DOS Boot FloppyMinimum Requirements
Will boot the computer without allowing any writes to the Hard Disk
Will automatically install hard disk write protection
Will ensure drive letters are assigned to all FAT logical drives by including a LASTDRIVE=Z statement in the CONFIG.SYS file
CS@UML21
Media Variety of disks in every possible format
5¼” Low density, high density floppies 3½” Low density, high density floppies Bootable CD-ROMs
CS@UML22
Media (Cont.)
New, clean media for each case Pre-used media should be wiped
Error free and formatted by format /U Format option
Standard Format AND overwrites data area with F6h
/S Format option Standard Format AND copies system files to disk
after format
CS@UML23
Files (DOS)Required system files
IO.SYS Altered if necessary to prevent write to disk
MSDOS.SYS COMMAND.COM AUTOEXEC.BAT
Edited to automatically load the hard drive write blocker, e.g., PDBLOCK from digital intelligence
CONFIG.SYS Edited to include LASTDRIVE=Z to ensure drive
letter assignments
http://www.digitalintelligence.com/software/disoftware/pdblock/
CS@UML24
External DOS Commands Not loaded with COMMAND.COM Usually installed in the WINDOWS\COMMAND
subdirectory Our copies must be on the control boot floppy Are either “EXE” or “COM” files
FDISK FORMAT DELTREE CHKDSK ATTRIB UNFORMAT UNDELETE XCOPY
CS@UML25
Writing to the hard drive, when the system is in our custody and control, means that we have altered the
evidence!
Note: Why should we change IO.SYS?DOS 6.22, Win95, Win98
IO.SYS can automatically mount Compressed Volume Files If a compressed drive is mounted, it will make
changes (write) to the hard drive This can happen even if booting from a floppy
IO.SYS must be hacked to eliminate these calls to the hard drive Why? http://www.xxcopy.com/xxcopy15.htm ---
reading assignment
CS@UML26
Outline The Boot Process Controlled Boot Environment Disk Write Blockers Disk Imaging Tool Testing NIST Test Cases
CS@UML27
Disk Write Blockers Prevent data being written to the suspect
drive Ensure the integrity of the suspect drive
Software Write Blockers vs. Hardware
CS@UML28
Normal HD Access
User Application
CS@UML29
Normal HD Access - interrupt 0x13 interface 1. An application program issues an interrupt 0x13
command.
2. The interrupt transfers control to the interrupt 0x13 routine in the BIOS. The BIOS routine issues commands, ATA or SCSI as appropriate, directly to the hard drive controller.
3. The device does the requested operation and returns the result to the BIOS and then to the application program.
http://www.bitzenbytes.com/Content-Arcanum-18-1-53.html
CS@UML30
Software Write Block
User Application
CS@UML31
Software Write Block (SWB) – Change Interrupt 0x13 Interface1. The SWB tool is executed. The SWB tool saves
the current interrupt 0x13 routine entry address and installs a new interrupt 0x13 routine.
2. The application program initiates a drive I/O operation by invoking interrupt 0x13. The replacement routine installed by the SWB tool intercepts the command.
3. The SWB tool determines if the requested command should be blocked or if the command should be allowed.
CS@UML32
Software Write Block4. If a command is blocked, the SWB tool returns to
the application program without passing any command to the BIOS I/O routines. Depending on SWB tool configuration either success or error is returned for the command status.
5. If the command is allowed (not blocked), the command is passed to the BIOS and the BIOS I/O routine issues required I/O commands (ATA, SCSI or other) to the drive controller so that the desired I/O operation occurs on the hard drive.
6. Results are returned to the application program.
CS@UML33
Hardware Write Block A hardware write blocker (HWB) is a hardware device that
attaches to a computer system with the primary purpose of intercepting and preventing (or ‘blocking’) any modifying commands from ever reaching the storage device.
Physically, the device is connected between the computer and a storage device.
Some of its functions include monitoring and filtering any activity that is transmitted or received between its interface connections to the computer and the storage device.
http://www.paralan.com/sr14.html
CS@UML34
Summary Write blockers prevent data being written to the
suspect drive 2 basic approaches:
Hardware and Software Software write blockers can be bypassed
(sometimes unknowingly) Hardware write blockers are now the industry
standard. NIST (National Institute of Standards and
Technology) has excellent specs/standards for write blockers.
CS@UML35
Outline The Boot Process Controlled Boot Environment Disk Write Blockers Disk Imaging Tool Testing NIST Test Cases
CS@UML36
Imaging Tool Requirements1. Exact duplicate of the original disk2. Not alter the original disk3. Able to verify integrity of image4. Log I/O errors5. Tool documentation correct
CS@UML37
Definitions - Image Digital Sometimes compressed Bit-stream duplicate of original digital
object Can be reconstructed
CS@UML38
Definitions – Qualified CopyQualified bit-stream duplicate (in case there are
errors during imaging): Duplicate except in identified areas Identified areas replaced by values specified by
a disk imaging tool’s documentation Partition table entries to reflect relocated partitions Boot records Fill areas for cylinder alignment and excess disk space
CS@UML39
Mandatory Requirements of Tools1. Shall not alter original2. No errors create bit-stream duplicate or
image of source3. Errors create qualified bit-stream duplicate,
identified values are marked4. Log errors in readable form, including type and
location5. Destination larger than Source: document areas
of destination not included in source 6. Destination smaller than Source: notify user,
truncate, and log
CS@UML40
Optional Requirements of Tools (1/3) “If a tool provides the capability defined,
the tool is tested as if the requirement were mandatory.”
Create hash value of copy, compare to hash computed at time of creation, log comparisons; do same if bit-stream divided in blocks
CS@UML41
Optional Req’ts (2/3)2. Create copy of partitions designated by
user3. Log one or more: tool version, subject
disk ID, errors encountered, tool actions, start/finish run times, tool settings, user comments
CS@UML42
Optional Req’ts (3/3)4. Create an image file on removable media
that can be used to reconstruct a bit-stream duplicate
5. Bit-stream duplicate adjusts to alignment of cylinders on destination
On duplicate can only change: Partition table entries; Boot records; Fill areas for cylinder alignment; Excess space (fill areas values in documentation)
CS@UML43
Test Methodology Identify software and procedures Represent ‘how well’ vs. ‘what actions’ Document scope, parameters, testing
environment, expected results
CS@UML44
Disk Image Test Method Test setup Disk setup Test execution Test results analysis Documentation
CS@UML45
Test Lab Form Sample
Tester: Pascal OpenshawDate Started: 12 October 2004Test Case ID: A001Test Case Summary: Copy XBIOS-IDE disk PT-N/A src=DST/NN fixed errorsTesting Environment: PC - Beta 5; Disks – B0 Fujitsu MPF3153 AT 8.455 MB as master and B1 Fujitsu MPF3153 AT 8.455 MB as slave; Interface – XBIOS-IDE; File Type - NTFSTest Software Used: DiskWipe 2.3; BadX13 2.1; DiskCmp 2.2; DiskHash 1.1
Setup: Installed K3BExecute: Ran K3BLog Files ID & Loc: created folder on office machine labeled XX-08Expected Results: log file contains error messages and src/dest should compare qualify equalResults: A src read error was identified at 1,000,000 – other sectors compaired equalLog File Highlights: Errors from log file highlightedAnalysis: Expected results were obtained
Analysis
Test Setup
ExecutionDisk Setup
CS@UML46
Test cases Tests will verify each assertion
Each assertion provides a specific class of conditions that can be tested and the result that is expected
Identify parameters Generate cases for study
CS@UML47
Test form Test case ID Test case summary Test environment Test sw used Setup Execute
A001 Copy CD-ROM Mandrake Linux K3b Installed K3b Ran K3b, CD Copier
CS@UML48
Sufficient testing Show mandatory requirement Test optional requirements
CS@UML49
Outline The Boot Process Controlled Boot Environment Disk Write Blockers Disk Imaging Tool Testing NIST Test Cases
CS@UML50
DI-13 TEST : Copy a BIOS IDE source disk to a BIOS IDE
destination disk and the source contains a LINUX partition where source disk is the smaller than the destination and source contains a deleted file and a hidden file
After the duplicate is created on the destination, unhide the hidden file and undelete the deleted file
EXPECTED RESULT: Source compares qualified equal to destination hidden and deleted files recovered
CS@UML51
DI-44 TEST: Create an image from a LINUX SCSI source
disk to a LINUX SCSI destination disk and the source contains a LINUX partition where source disk is the same size as the destination
Create the image on a removable medium EXPECTED RESULTS: Source compares equal to
destination
CS@UML52
DI-77 TEST : Copy a BIOS IDE source disk to a BIOS IDE
destination disk and the source contains a NTFS partition where source disk is the smaller than the destination and source contains a deleted file and a hidden file
Create the image on a removable medium Introduce an error on the image After the duplicate is created on the destination,
unhide the hidden file and undelete the deleted file
EXPECTED RESULT: Image verification error
CS@UML53
DI-96 TEST : Create an image from an XBIOS IDE
source disk to a XBIOS IDE destination disk and where source disk is the same size as the destination
Introduce a write error writing to the image
EXPECTED RESULT: Error message logged
CS@UML54
References1. Charles M. Kozierok, The DOS Boot Process,
http://www.pcguide.com/ref/hdd/file/structBoot-c.html, April 17, 20012. Primary, Extended and Logical Partitions,
http://www.pcguide.com/ref/hdd/file/structPartitions-c.html, 20053. WINDOWS XP BOOT SEQUENCE,
http://www.compphix.com/xpbootprocess.html, 20054. Red Hat Linux 9, A Detailed Look at the Boot Process,
http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/ref-guide/s1-boot-init-shutdown-process.html, 2005
5. National Institute of Standards and Technology (NIST), Disk Imaging Tool Specification, http://www.securitymanagement.com/library/NIST_diskimage1003.pdf, October 12, 2001
6. NIST, Software Write Block, http://www.cftt.nist.gov/software_write_block.htm, 2003
7. DIGITAL INTELLIGENCE, PDBLOCK, http://www.digitalintelligence.com/software/disoftware/pdblock/, 2006
8. NIST, Setup and Test Procedures For Testing Interrupt 0x13 Based Software Write Block Tools, http://www.cftt.nist.gov/SWB%20test%20procedures.pdf, April 1, 2004
CS@UML55
Assignment 2 Partition Table Doctor Refer P6 of [8], and Textbook P48
Investigate DOS 6.22 image Check when it was made Find C:\ references in IO.SYS and command.com
Freeware Hex Editor XVI32