MS-DOS / PC-DOS: CSC414 Forensic Overview (thenry/csc414/30_DOS_To_Win3_TOC.pdf)


CSC414 Computer System Fundamentals


URI Digital Forensics Center, Department of Computer Science and Statistics
http://www.forensics.cs.uri.edu

Forensic Overview: MS-DOS and Windows 3.11

MS-DOS / PC-DOS

Microsoft Disk Operating System
- PC-DOS was IBM's version for its PC

Programs usually self-contained
- Programs were segregated
- Program files in a single directory
- Copy program directory to another system and run it

Boot Disks only need three files
- command.com
- config.sys
- io.sys

MS-DOS / PC-DOS

Single user system
- Only one program could run at a time
- Terminate and stay resident (TSR) programs were an exception
  - Utilities, viruses, key-loggers

Simple Operating System Environment
- No shared device drivers
  - Device drivers integrated into programs
- No shared .dll files (Dynamically Linked Library)
- No Windows registry
  - Each program used a .ini or .cfg file

MS-DOS / PC-DOS

File names limited to 8 characters with 3 character extension
- No strong association between file extension and type
- Users could use extension for filename or initials
  - Could not search for .doc for *all* documents

Some common applications
- Lotus 1-2-3, Microsoft Multiplan
- Word Perfect, Microsoft Word
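
Because the extension says little about a DOS file's type, an examiner has to classify files by their leading bytes. The sketch below is an added example, not part of the original slides: it compares a name-based search with a content-based one. The directory listing is constructed sample data, the function names are hypothetical, and the signatures are the well-known header bytes of WordPerfect, Lotus 1-2-3 worksheet and DOS executable files.

```python
# Added example: classify DOS-era files by leading bytes, not by 8.3 extension.
# Each entry: (leading bytes of the format, label used in this example).
SIGNATURES = [
    (b"\xffWPC", "WordPerfect document"),
    (b"\x00\x00\x02\x00\x06\x04", "Lotus 1-2-3 worksheet (WK1)"),
    (b"\x00\x00\x02\x00\x04\x04", "Lotus 1-2-3 worksheet (WKS)"),
    (b"MZ", "DOS executable"),
]


def split_83(name):
    """Split a DOS 8.3 name into (base, ext); ext is '' when there is none."""
    base, _, ext = name.upper().partition(".")
    if not 1 <= len(base) <= 8 or len(ext) > 3 or "." in ext:
        raise ValueError(f"not an 8.3 file name: {name!r}")
    return base, ext


def identify(data):
    """Return the label of the first matching signature, or None if unknown."""
    for magic, label in SIGNATURES:
        if data.startswith(magic):
            return label
    return None


def find_by_extension(files, ext):
    """What a '*.DOC'-style search sees: names only."""
    return sorted(n for n in files if split_83(n)[1] == ext.upper())


def find_by_content(files, label):
    """What a signature search sees: file contents only."""
    return sorted(n for n, data in files.items() if identify(data) == label)


# Constructed sample directory (file name -> first bytes of the file).
SAMPLE = {
    "LETTER.DOC": b"\xffWPC" + bytes(12),
    "BUDGET.JS": b"\xffWPC" + bytes(12),      # owner's initials as extension
    "MEMO": b"\xffWPC" + bytes(12),           # no extension at all
    "README.DOC": b"Plain ASCII notes\r\n",   # .DOC name, not a WordPerfect file
    "SALES.WK1": b"\x00\x00\x02\x00\x06\x04" + bytes(4),
    "GAME.EXE": b"MZ" + bytes(14),
}

if __name__ == "__main__":
    print("*.DOC by name:      ", find_by_extension(SAMPLE, "DOC"))
    print("WordPerfect by data:", find_by_content(SAMPLE, "WordPerfect document"))
```

The name search returns one real document plus a plain text file and misses two WordPerfect files; the content search finds all three regardless of what the user typed as an extension.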

MS-DOS / PC-DOS

Digital Forensics didn't exist
- No special forensics tools
  - Had to rely on system tools and programs
  - UNDELETE, UNFORMAT
  - BACKUP, RESTORE
- Commercial tools were repurposed
  - Norton Utilities
  - DiskEdit and Unerase
- Disk compression was an issue
  - DoubleSpace, DRVSPACE, Stacker

Windows 3.11

Provided a GUI interface to DOS
- Not its own operating system
- GUI replaces command line interface
  - Icons were short-cuts to programs
  - Files represented as icons or graphics
- Intermediary between user and operating system
  - GUI translates clicks and drags into DOS commands
- DOS command line still available
  - Examining system

[Figure labels: HARDWARE, MS-DOS, Windows 3.11]


Windows 3.x

File Manager not integrated
- Separate program

DLLs introduced
- Dynamic Link Library
- Files common to Windows programs
  - how to draw windows and menus
- Cannot simply copy application directory from one system to another and have it run (some did)
  - Missing DLLs caused errors and prevented programs from running
- Common system-wide device drivers

Windows 3.x

Forensic Issues
- Issues mostly the same as DOS

User Specific Information
- Desktop and preferences for users
  - users create shortcuts for regularly used programs
  - favorite groups of programs
  - user preferences of activities

Virtual Memory Implemented
- Evidence of recent computer activity
  - Swap file located at c:\windows\win386.swp
  - Program information and data left in memory

Early Internet access
- Gopher
- FTP
