
Dr. Zunera Jalil
Email: zunera.jalil@mail.au.edu.pk
What we are going to talk about today

o Understanding the Boot Sequence
o CMOS, BIOS, EFI and UEFI
o Explain the Purpose, Structure and Capacity of Hard Disk Drives
o Solid State Storage Devices (SSSD), Wear-Leveling and TRIM
o Deciding Where to Look for Possible Evidence
o Understanding the CIA Triad
o File Metadata and Correlation with Other Evidence
o Recovering the Evidence Files
o Extracts from a Report
Bootstrap Process?
The Boot Sequence

1. Complementary Metal Oxide Semiconductor (CMOS)
2. Basic Input Output System (BIOS)
3. Extensible Firmware Interface (EFI)
4. Unified Extensible Firmware Interface (UEFI)
Bootstrap Process

• Contained in ROM.
• Tells the computer how to proceed.
• As the computer starts, the screen usually displays the key or keys, such as the Delete key, that you press to open the CMOS setup screen.
• The key you press to access CMOS depends on the computer's BIOS.
• Many BIOS manufacturers use the Delete key to access CMOS; other manufacturers use Ctrl+Alt+Insert, Ctrl+A, Ctrl+S, Ctrl+F1, F2, or F10.
The Boot Sequence

o A computer stores system configuration and date and time information in the CMOS when power to the system is off. The system BIOS or EFI contains programs that perform input and output at the hardware level.
o BIOS is firmware built into the computer motherboard.
o It initializes the computer's hardware as the computer is being booted.
o It then searches for a boot device (optical or storage) from which to boot software such as the OS.
The Boot Sequence

o POST (power-on self-test) runs when the power switch is turned on.
o Beeps indicate errors.
o BIOS software is written on the BIOS chip on the motherboard (non-volatile).
o Computer configuration such as the boot sequence, hardware settings, and date and time (which are configured in BIOS) is stored on the CMOS chip (volatile), which requires a power source to retain the memory.
The Boot Sequence…

o 1st Step: Power Good
  o The PC's power supply checks the power and, if it is good, issues a power good signal.
o 2nd Step: CPU wakes up
  o The CPU starts and hands off the process to the BIOS.
  o BIOS starts the POST process.
o 3rd Step: POST
  o When POST is complete, it launches the bootstrap loader.
o 4th Step: Loading drivers
  o BIOS loads basic drivers for devices attached to the computer into system memory.
o 5th Step: Video
  o POST launches the video display using the basic video settings (first display on the monitor).
The Boot Sequence…

o 6th Step: Memory
  o POST writes to and reads from the system RAM.
o 7th Step: The hand-off
  o POST hands off to a process called the bootstrap loader.
o 8th Step: Bootstrap loader
  o Loads the operating system.
CMOS, BIOS, EFI, UEFI
BIOS, CMOS, EFI AND UEFI

o BIOS and UEFI are two kinds of firmware.
o They work as an interpreter between the OS and the computer firmware.
o Used at start-up of the computer to initialize the hardware components and start the OS.
o BIOS reads the first sector of the hard drive (sector 0).
  o It contains the address of the next boot partition.
o BIOS is legacy software, so it still works in 16-bit mode.
  o This limits the amount of code that can be read and executed from the firmware ROM.
EFI AND UEFI

o UEFI (newer) is user friendly, has a graphical user interface, recognizes larger storage drives, and is able to use a mouse in the interface.
o Secure Boot (a built-in feature) stops any digitally unsigned drivers from loading and helps to stop malicious software such as rootkits.
File System

o A file system gives an OS a road map to data on a disk. The type of file system an OS uses determines how data is stored on the disk.
o When you need to access a suspect's computer to acquire or inspect data related to your investigation, you should be familiar with both the computer's OS and file system so that you can access and modify system settings when necessary.
Hard Disk

o A platter is a metallic plate used to store data in electromagnetic form. The platters are physically connected in the middle and driven by the spindle motor.
o There can be more than one platter in a hard disk.
o Each disk is divided into tracks and sectors. Each sector (a pie-shaped wedge on the track) can store 512 bytes.
o The tracks immediately above and below each other are called a cylinder.
o The data is saved in tracks, sectors and clusters.
Hard Disk Structure

o Hard disk drives are organized as a concentric stack of disks or 'platters'.
o Each platter has 2 surfaces.
o The platters rotate on the spindle. The heads move along the radius of the platters; this allows a head to access all parts of the surface.
Hard Disk Geometry

Hard Disk Geometry…

o Geometry: Refers to a disk's logical structure of platters, tracks, and sectors.
o Head: The head is the device that reads and writes data to a drive. There are two heads per platter that read and write the top and bottom sides.
o Tracks: Tracks are concentric circles on a disk platter where data is located.
o Cylinders: A cylinder is a column of tracks on two or more disk platters. Normally each platter has two surfaces: top and bottom.
o Sectors: A sector is a section on a track, made up of 512 bytes.
Hard Disk Capacity

Hard Disk Capacity…
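As an added worked example (not from the slides), the geometry terms above turned into code: capacity from cylinders, heads and 512-byte sectors, and the conversion between a cylinder/head/sector address and a linear sector number, which is how a byte offset found in a disk image is traced back to a physical location on the platters. The 1024/16/63 geometry is a constructed sample.

```python
SECTOR_BYTES = 512   # sector size stated on the slide


def capacity_bytes(cylinders, heads, sectors_per_track):
    """Raw capacity from the logical geometry: a cylinder is one track on every
    head, and every track holds the same number of 512-byte sectors."""
    return cylinders * heads * sectors_per_track * SECTOR_BYTES


def chs_to_lba(cylinder, head, sector, heads, sectors_per_track):
    """Cylinder/head/sector -> logical block address (linear sector number).
    Heads count from 0, but sectors on a track are numbered from 1."""
    if not (0 <= head < heads and 1 <= sector <= sectors_per_track):
        raise ValueError("address outside the drive's geometry")
    return (cylinder * heads + head) * sectors_per_track + (sector - 1)


def lba_to_chs(lba, heads, sectors_per_track):
    """Inverse of chs_to_lba: which cylinder, surface and wedge holds sector `lba`."""
    cylinder, remainder = divmod(lba, heads * sectors_per_track)
    head, sector0 = divmod(remainder, sectors_per_track)
    return cylinder, head, sector0 + 1


def image_offset_to_chs(offset, heads, sectors_per_track):
    """Map a byte offset in a raw disk image (e.g. a keyword hit) to
    (cylinder, head, sector, byte within sector)."""
    lba, within = divmod(offset, SECTOR_BYTES)
    return lba_to_chs(lba, heads, sectors_per_track) + (within,)


if __name__ == "__main__":
    # Constructed sample geometry: 1024 cylinders, 16 heads, 63 sectors per track.
    C, H, S = 1024, 16, 63
    print(f"capacity: {capacity_bytes(C, H, S) / 1e6:.1f} MB")      # 528.5 MB
    print("LBA of C=1,H=0,S=1:", chs_to_lba(1, 0, 1, H, S))         # 1008
    print("offset 1,000,000 lies at C/H/S/byte:", image_offset_to_chs(1_000_000, H, S))
```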
Understanding Hard Disks

o Properties handled at the drive's hardware or firmware level:
  o Zone bit recording (ZBR)
  o Track density
    o How tightly packed the tracks are on the surface of each platter.
    o Older disks: 100 tracks per inch; modern: 30,000 tracks per inch.
  o Areal density
    o The number of bits that can be packed into each unit of area on the surface of the disk.
  o Head and cylinder skew
    o It takes some time for the head to move to the adjacent track while the platter keeps rotating; sector numbers are adjusted accordingly.
Understanding Hard Disks

o Recall that the tracks are concentric circles.
  o The ones on the outside of the platter are much larger than the inner ones.
o There is a constraint on how tightly the inner circles can be packed with bits.
o The traditional approach was to pack the inner tracks as tightly as possible and give the outer circles the same number of sectors, i.e. hold the same number of bits.
o This resulted in underutilization of the outer tracks; in theory they could hold many more sectors/bits.
Zoned Bit Recording

o Zoned Bit Recording: tracks are grouped into zones based on their distance from the centre of the disk.
o Each zone is assigned a number of sectors per track.
o As you move from the innermost part of the disk to the outer edge, you move through different zones, each containing more sectors per track than the one before.
o This allows for more efficient use of the larger tracks on the outside of the disk.
Zoned Bit Recording

o An interesting side effect of ZBR is an improvement in data transfer rate (media transfer rate).
o Speed is higher while reading the outer cylinders.
o Recall that the angular speed of the platter is constant, but the outer cylinders/tracks contain more data.
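An added illustration (not part of the slides) of the two ZBR slides: with constructed zone sizes it computes how much capacity the old fixed sectors-per-track layout wastes, and why the media transfer rate drops as the heads move inward even though the rpm is constant.

```python
SECTOR_BYTES = 512


def zone_capacity_bytes(zones, heads):
    """Capacity of a drive whose tracks are grouped into zones.
    `zones` lists (tracks_per_surface, sectors_per_track) from the outer edge inwards."""
    return sum(tracks * spt for tracks, spt in zones) * heads * SECTOR_BYTES


def fixed_capacity_bytes(zones, heads):
    """Capacity of the same platters without ZBR: every track is limited to the
    sector count of the innermost (most constrained) zone."""
    innermost_spt = zones[-1][1]
    return sum(tracks for tracks, _ in zones) * innermost_spt * heads * SECTOR_BYTES


def media_transfer_rate(sectors_per_track, rpm):
    """Bytes per second streamed off one track: one revolution delivers every
    sector on that track, and the platter spins at a constant rpm."""
    return sectors_per_track * SECTOR_BYTES * rpm / 60


def rate_per_zone(zones, rpm):
    """Transfer rate of each zone, outer to inner."""
    return [media_transfer_rate(spt, rpm) for _, spt in zones]


if __name__ == "__main__":
    # Constructed sample drive: three zones per surface, 4 heads, 7200 rpm.
    ZONES = [(2000, 1200), (2000, 1000), (2000, 800)]
    print("ZBR capacity   :", zone_capacity_bytes(ZONES, 4))
    print("no-ZBR capacity:", fixed_capacity_bytes(ZONES, 4))
    for (tracks, spt), rate in zip(ZONES, rate_per_zone(ZONES, 7200)):
        print(f"{spt} sectors/track -> {rate / 1e6:.1f} MB/s")
```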
Solid State Storage (SSS) Devices

o Storage media made from silicon microchips that store data electronically instead of magnetically, as spinning hard disk drives (HDDs) do.
o It supports reading and writing data and maintains stored data in a permanent state even without power.
o It uses semiconductor chips, not magnetic media, to store data.
o Internal SSDs connect to a computer like a hard drive, using standard IDE or SATA connections.
o An SSD has no moving parts whatsoever. SSD storage is much faster than its HDD equivalent.
Wear Leveling

• A technique for prolonging the service life of some kinds of erasable computer storage media, such as the flash memory used in solid-state drives (SSDs) and USB flash drives.
• All flash memory devices have a feature called wear-leveling, an internal firmware feature used in solid-state drives that ensures even wear of reads/writes across all memory cells.
• The memory can be used to its full capacity.
• Flash memory is an electronic (solid state) non-volatile computer storage medium that can be electrically erased and reprogrammed.
Wear-Leveling

o When data is deleted on a hard drive, the references to it are removed.
o The original data remains in unallocated disk space.
o Memory cells in USB drives are different.
o They usually have a 10,000 to 100,000 read/write limit.
o This depends on the vendor.
o To make sure all memory cells wear evenly on a flash drive, the firmware keeps physically shifting data to the cells with fewer reads/writes.
SSD Wear Leveling

o When data is moved to another memory cell, the old memory cell addresses are marked by the "garbage collector".
o The flash drive's firmware erases data in unallocated cells after a certain time.
o It overwrites the value 1 into all cells listed in the garbage collector file.
o An improvement to the original wear-leveling routine is TRIM, which enhances the lifetime of the cells by allowing the garbage collection process to run as one complete operation.
o Flash cells operate under a delete-before-write method, which requires a cell to be completely erased or zeroed out before a write can be committed.
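A toy simulation, added here and not taken from the slides or any vendor's firmware, of the three ideas on these wear-leveling slides: writes are relocated to the least-worn erased cell, the old copy stays readable until the garbage collector erases it, and TRIM is what lets the drive learn that an OS-deleted page can be erased. The page count and the erase limit are constructed.

```python
class FlashSim:
    """Toy model of an SSD's flash translation layer (not real firmware):
    logical pages are remapped on every write, old copies linger until garbage
    collection, and each erase counts toward the cell's program/erase limit."""

    def __init__(self, n_pages, erase_limit=10_000):
        self.data = [None] * n_pages        # physical page contents, None = erased
        self.wear = [0] * n_pages           # erase cycles consumed per physical page
        self.stale = set()                  # pages queued for the garbage collector
        self.mapping = {}                   # logical page -> physical page
        self.erase_limit = erase_limit      # 10,000 is the slide's lower bound

    def write(self, logical, payload):
        """Delete-before-write: never overwrite in place. The least-worn erased page
        takes the new data; the old physical copy is handed to the garbage collector."""
        free = [p for p, d in enumerate(self.data) if d is None]
        if not free:
            raise RuntimeError("no erased pages left: garbage collection must run first")
        target = min(free, key=lambda p: self.wear[p])      # wear-leveling choice
        if self.wear[target] >= self.erase_limit:
            raise RuntimeError("flash cells exhausted")
        old = self.mapping.get(logical)
        if old is not None:
            self.stale.add(old)             # old copy is now garbage, but still readable
        self.data[target] = payload
        self.mapping[logical] = target

    def delete(self, logical, trim=False):
        """OS deletion only drops the reference; with TRIM the page is also queued for erase."""
        physical = self.mapping.pop(logical)
        if trim:
            self.stale.add(physical)

    def garbage_collect(self):
        """Erase every queued page in one operation and charge an erase cycle to each."""
        for p in self.stale:
            self.data[p] = None
            self.wear[p] += 1
        self.stale.clear()

    def residual_copies(self, payload):
        """Physical pages still holding `payload` although no logical page maps to them:
        what an examiner reading the raw flash could still recover."""
        live = set(self.mapping.values())
        return [p for p, d in enumerate(self.data) if d == payload and p not in live]


if __name__ == "__main__":
    sim = FlashSim(n_pages=4)
    sim.write(0, b"report v1")
    sim.write(0, b"report v2")        # relocated; v1 still sits in its old cell
    print("stale copies of v1:", sim.residual_copies(b"report v1"))
    sim.garbage_collect()
    print("after GC:", sim.residual_copies(b"report v1"), "wear:", sim.wear)
```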
Deciding Where to Look for Potential Evidence

o Records of the applications and files used and of the operating system can provide some useful electronic fingerprints to help practitioners reconstruct what happened, when it happened, how it happened, and, hopefully, why it happened.
o However, the number of files stored on a typical computer makes checking every file impracticable because of time constraints and fatigue. Some are system files that will not normally be examined other than for specific checking.
o If, for example, webpage files such as HTML and other categories were conveniently categorized, it would make locating and selecting evidence quicker and less tedious.
CIA Triad

Information Confidentiality

• The CIA Triad is Confidentiality, Integrity and Availability.
• Confidentiality or privacy is required to prevent unauthorized access to information. Even if the access is authorized, a user may use that information in an unauthorized way. For example, a coworker sees that a colleague has left the office but has left the computer running, thus permitting unauthorized access.
• The coworker accesses the computer, reads some confidential documents and puts knowledge of that information to improper (unauthorized) use. Later, the custodian of the information is investigated and there is no record of unauthorized access to his or her computer.
  • The practitioner may still be able to reconstruct the events and times of the unauthorized access.
Information Integrity

• The integrity of information also requires protection, so that the information has remained in pristine condition, is unaltered, and is uncontaminated by unauthorized action via human intervention or perhaps as a result of a computer or system glitch.
• Take, for example, a hacker gaining access to a victim's computer, such as a bank computer, and secretly changing the contents of important financial records as part of an online fraud. Such attacks not only alter the integrity of the records, but somebody gains and somebody loses.
  • It also follows that bank personnel who have legitimate access to the records initially become the prime suspects.
Information Availability

• Information availability means that information is accessible to those wishing to use it. However, a user may unintentionally deny themselves or others access to information, or a system process may render the information unavailable.
• Hackers and other malcontents use cyber attacks to deny users and organizations access to their own information.
• These attacks are termed denial of availability attacks and may also involve some form of extortion, demanding financial payment to ensure the information is made accessible once again to its rightful owners.
  • A forensic examination of the networks and infected computer terminals may find the cause of the denial and allow the organization to restore access and continue normal business.
Determining the Transgressor's Motive

• It is not essential to prove motive, and it is often difficult to do so without perhaps some form of confession. However, data may exist on a device that may offer an explanation of possible motivation or, for that matter, an absence of motive and criminal intent.
• Motive may be determined by collecting evidence that links the user to some activities that confirm a degree of knowledge and control over the computer and the relevant applications and files used in the transgression.

* Transgressor: anyone who violates a rule or oversteps a boundary.
File Metadata and Correlation with other Evidence

• Files recovered as digital evidence contain useful background in the form of file content and metadata as to their history in terms of their creation, modification, and last accessed timestamps.
• The location and name of the file often remain on the computer, as does some information as to when it was last opened and viewed.
  • Such information can be most helpful in reconstructing past events relevant to an investigation and is frequently present in digital evidence.
File Metadata and Correlation with other Evidence…

• File metadata is stored by a broad range of applications. The Windows Registry, for example, records standard peripheral devices attached to the computer, such as hard drives, monitors, keyboards, and printers.
• A record of a USB device attached to the computer, including the last modified timestamp and the type and serial number of the USB device, can be viewed from the Windows Registry. How? Find it out…
Recovering the Evidence Files

If e-mail messages or multimedia files were being sought, then the helpful catalogs would be a convenient start to a search. The main areas of interest may be cataloged and provide some useful starting points for a broad range of cases.
Recovering the Evidence Files…

Category: reason for search

• Archive files: These include zipped and compressed files.
• Audio: These files may record some Skype conversations or provide evidence of downloading music files in breach of copyright regulations.
• Databases: These include database files (.db) and other records.
• E-mails: These are a rich source of information about human communications.
• Event logs: These are records of various user and system activities retained by the device, useful for recreating timelines of events.
• Internet browser files: These provide a record of browsing activities as well as a record of searches.
• Link files: These files tell us about the files and applications most recently used and help reconstruct user activities and timelines of events.
Recovering the Evidence Files…

• Microsoft Office suite: This includes text and other documents relating to the activities of users and other respondents.
• Recycler: Deleted files and folders are often a rich source of evidence.
• Registry files: The registry records the state of various features available to users and has a record of various devices attached to the computer.
• System files: Most of these may be irrelevant to an examination, but some play an important role in reconstructing relevant events.
• Video: These files may contain evidence of user activities of relevance to a case.
File System
Understanding File System

FILE
• A collection of data or information that has a name, called the file name. Almost all information stored in a computer must be in a file. There are many different types of files: data files, text files, program files, directory files, and so on. Different types of files store different types of information. For example, program files store programs, whereas text files store text.
FILE ALLOCATION TABLE (FAT)
• A table that the OS uses to locate files on a disk. Due to fragmentation, a file may be divided into many sections that are scattered around the disk. The FAT keeps track of all these pieces. FATs are stored just after the boot sector. The FAT system for older versions of Windows 95 is called FAT16, and the one for newer versions of Windows 95 and Windows 98 is called FAT32.
Understanding File System…

• To protect the volume, two copies of the table are kept, in case one becomes damaged. The file allocation tables must also be stored in a fixed location so that the files needed to start the system can be correctly located.
• The file allocation table contains the following types of information about each cluster on the volume:
  • Unused (0x0000)
  • Cluster in use by a file
  • Bad cluster (0xFFF7)
  • Last cluster in a file (0xFFF8-0xFFFF)
• There is no organization to the FAT folder structure, and files are given the first available location on the volume. The starting cluster number is the address of the first cluster used by the file.
Understanding File System…

• Each cluster contains a pointer to the next cluster in the file, or an indication (0xFFFF) that this cluster is the end of the file. These links and end-of-file indicators are shown in the illustration below.
• The illustration shows three files. The file File1.txt is a file that is large enough to use three clusters. The second file, File2.txt, is a fragmented file that also requires three clusters. A small file, File3.txt, fits completely in one cluster. In each case, the folder entry points to the first cluster of the file.
Understanding File System…

LOST CLUSTER
• Also called a lost allocation unit, or a lost file fragment. A data fragment that does not belong to any file and, therefore, is not associated with a file name in the FAT.
FRAGMENTATION
• Fragmentation refers to the condition of a disk in which files are divided into pieces scattered around the disk. Fragmentation occurs naturally when you use a disk frequently, creating, deleting, and modifying files. At some point, the operating system needs to store parts of a file in non-contiguous clusters.
• This is entirely invisible to users, but it can slow down the speed at which data is accessed because the disk drive must search through different parts of the disk to put together a single file.
Understanding File System…

FAT12
• Also called 12-bit FAT, the File Allocation Table (FAT) for a floppy disk. The locations of files on a floppy disk are listed in a one-column table in the FAT. Because the width of each entry in a floppy disk's column is 12 bits, the FAT is called FAT12. FAT12 supports disks up to 16 MB.
FAT32
• A version of the FAT available in Windows 95 and Windows 98. FAT32 increases the number of bits used to address clusters and also reduces the size of each cluster. The result is that it can support larger disks (up to 2 TB) and better storage efficiency (less slack space).
Understanding File System…

exFAT
• exFAT, first introduced in 2006, is yet another file system created by Microsoft, although it is not the "next" FAT version after FAT32. exFAT is primarily intended to be used on portable media devices.
• exFAT officially supports portable media storage devices up to 512 TB in size but theoretically could support drives as large as 64 ZB, which is considerably larger than any media available as of this writing.
• The exFAT file system is supported by almost all current versions of Windows and Mac OS X, as well as by many TV, media, and other devices.
Understanding File System…

Master File Table

• NTFS, short for NT File System, is one of the file systems for the Windows NT OS (Windows NT also supports the FAT file system).
• NTFS has features to improve reliability, such as transaction logs to help recover from disk failures. To control access to files, you can set permissions for directories and/or individual files. NTFS files are not accessible from other OSs such as DOS.
• For large applications, NTFS supports spanning volumes, which means files and directories can be spread out across several physical disks. The data stored in the MFT (Master File Table) is what the OS needs to retrieve the files. For example, it contains file permissions, the name and size of the file, the date and time it was created and the date and time it was modified.
File System and the Operating System

• The file system depends firstly on the operating system that you are using.
• In general, the more recent the operating system, the greater the number of file systems it will support. Under DOS and the first versions of Windows 95, FAT16 is required.
  • Starting with the Windows 95 OS, there is a choice between the FAT16 and FAT32 file systems.
  • If the partition size is greater than 2 GB, then FAT16 file systems are excluded and you need to use the FAT32 system (or modify the size of the partition).
  • Below this limit, FAT16 is recommended.

File System and the Operating System
Hiberfil.sys

• Hibernate mode conserves power by writing the information in memory out to the hard drive and essentially shutting down.
• The benefit is that bringing the PC back up is much quicker than bringing it up from a fully off state.
  • hiberfil.sys is a file the system creates when the computer goes into hibernation mode.
  • Hibernate mode uses the hiberfil.sys file to store the current state (memory) of the PC on the hard drive, and the file is used when Windows is turned back on.
• Forensic investigation of memory dumps, the pagefile and hiberfil files can provide a lot of information.
Extracts from Forensic Reports
ANY QUESTIONS