Computer Forensics Principles and Practices by Volonino Anzaldua

Computer Forensics Principles and Practices by Volonino, Anzaldua, and Godwin Chapter 6: Operating Systems and Data Transmission © Pearson Education Computer Forensics: Principles and Practices Basics for Digital Investigations

Objectives n n Define and recognize an operating system Identify the different types of operating system interfaces Identify the different components of an operating system Understand identify the different file systems © Pearson Education Computer Forensics: Principles and Practices 2

Objectives (Cont. ) n n Understand the OSI and TCP models Understand the basics of how data is transmitted on networks © Pearson Education Computer Forensics: Principles and Practices 3

Introduction Hardware and software work together to run the computer. It is important to understand what operating system you are dealing with, in order to understand how and where data is stored on the storage device(s). This chapter provides this foundation, along with how data is communicated from host to host across a network. © Pearson Education Computer Forensics: Principles and Practices 4

What Is an Operating System? n Simply stated, an operating system is a program that controls how a computer functions q n OS controls how data is accessed, saved, and organized on a storage device Core of the operating system is called the kernel © Pearson Education Computer Forensics: Principles and Practices 5

Operating System Functions n An operating system provides: q q q q Some type of user interface Single-user or multiple-user access to applications File management Memory management Job management Device management Security © Pearson Education Computer Forensics: Principles and Practices 6

Types of Interfaces n n n A user interface is the way a user communicates with the computer User interface may also be known as a shell Two major interface types: q q Graphical user interface (GUI) Command-line interface (CLI) © Pearson Education Computer Forensics: Principles and Practices 7

Categories of Use n Single-user systems q q q n Designed to be used by only one user DOS is a single-user single-tasking system Windows is a single-user multitasking system Multiple-user systems q q Allow multiple users to access the same application Servers and UNIX/Linux are multiple-user systems © Pearson Education Computer Forensics: Principles and Practices 8

File and Memory Management n n The OS controls reading, writing, accessing, and modification of data Basic units of file management are files and folders or directories Memory management deals with temporary storage or use of applications and data The OS controls where applications and data are stored in memory © Pearson Education Computer Forensics: Principles and Practices 9

Job and Device Management n n Computers can execute only one instruction at a time per processor or CPU The OS controls the order in which tasks or jobs are processed The OS acts as an intermediary between application software and physical hardware The OS uses device drivers to manage hardware devices © Pearson Education Computer Forensics: Principles and Practices 10

Security n n The primary method of security is to have the user authenticate his credentials when he logs into a system Newer operating systems are implementing rights and permissions to files and folders to increase security of OS © Pearson Education Computer Forensics: Principles and Practices 11

In Practice: Iraqi Computer Disks and Hard Drives Recovered n Computer disks and hard drives recovered from Iraq and Afghanistan during Saddam Hussein’s regime q 2 million items including: n n n Handwritten notes Typed documents Audiotapes Videotapes CDs, floppy disks, and hard drives © Pearson Education Computer Forensics: Principles and Practices 12

Common Operating Systems n n n DOS Windows Linux UNIX Macintosh © Pearson Education Computer Forensics: Principles and Practices 13

DOS and Windows 3. X n n n DOS was one of the first personal computer operating systems Command-line interface required users to know DOS commands and syntax Windows 3. 1 was the first stable GUI from Microsoft Windows 3. 1 was an application on top of DOS rather than a true operating system Windows 3. 11 added network capability © Pearson Education Computer Forensics: Principles and Practices 14

Windows 95 and Windows 98 n Windows 95 innovations include q q q Plug and play Registry Network and Internet capability n Windows 98 enhancements include q q © Pearson Education Computer Forensics: Principles and Practices Power management features Upgrade capability via the Internet Automated registry checks and repairs Upgraded plug and play support 15

Windows NT n Windows NT (New Technology) innovations include: q q q Privileged mode, which allows NT to isolate applications so one can be shut down without affecting others Support for multiple CPU processors Multilayered security functions such as n n n File and folder access protection via permissions Network share protection and auditing capability Use of domain controllers © Pearson Education Computer Forensics: Principles and Practices 16

Windows 2000 n Windows 2000 based on NT technology with some improvements in the areas of security and networking: q q q Group policies Secure authentication File encryption © Pearson Education Computer Forensics: Principles and Practices 17

Windows XP n n n Same kernel as Windows 2000 New GUI, simple firewall, remote control access, and increased speed of OS Versions: XP Home, XP Professional Server versions: Server 2003 XP Home is the upgrade path from Windows ME © Pearson Education Computer Forensics: Principles and Practices 18

Linux n n Linux is a relatively new OS based on the UNIX OS Linux advantages: q q Free or inexpensive Can run on older equipment Can run a multitude of hardware platforms Fast and stable © Pearson Education Computer Forensics: Principles and Practices 19

UNIX n n Most operating systems can trace their roots to UNIX Two main “camps” in the UNIX world: q q n n Berkeley Software Distribution (BSD) System V Release 4 (SVR 4) UNIX is a true multiuser multitasking OS designed with security in mind UNIX can use either a CLI or GUI © Pearson Education Computer Forensics: Principles and Practices 20

Macintosh n n n Macintosh was the first stable GUI and still the most intuitive GUI on the market Initial Apple philosophy was tight control over hardware and software Recently Apple changed processors which allows a Mac to also run Windows XP © Pearson Education Computer Forensics: Principles and Practices 21

Common File System Types n n Function of a file system is to manage files and folders on a system The OS performs the following to help with this: q q q Partitions and formats storage devices Creates a standard for naming files and folders Maintains the integrity of files and folders Provides for error recovery Provides for security of the file system © Pearson Education Computer Forensics: Principles and Practices 22

Common File System Types (Cont. ) n FAT (file allocation table) file system q q n File allocation table is a directory the OS uses to keep track of where files are Root directory is the top directory on a FAT system FAT 16 q q q Uses 16 bits in the file allocation table Uses the 3 -character extension to identify file type Can assign attributes to files and folders © Pearson Education Computer Forensics: Principles and Practices 23

Common File System Types (Cont. ) n FAT 32 q q q Expands the capabilities of FAT 16 Designed to accommodate large hard drives Designed to use space more efficiently 2 terabyte limit on partition size 4 GB file size (double FAT 16) © Pearson Education Computer Forensics: Principles and Practices 24

Common File System Types (Cont. ) n NTFS (New Technology File System) introduced the following features: q q q q Long file name support Ability to handle large storage devices Built-in security controls POSIX support Volume striping File compression Master file table (MFT) © Pearson Education Computer Forensics: Principles and Practices 25

Common File System Types (Cont. ) n UNIX/Linux q q q Can handle many different file systems UNIX file system (UFS) is most native format Extended file system (EXT) is primarily used by Linux UNIX uses inodes, clearinghouses of information about files on UNIX systems To access the actual file system, a superblock is created © Pearson Education Computer Forensics: Principles and Practices 26

OSI Model n n Standard was needed for companies to communicate with each other via their computer systems OSI model released in 1984 Created by the International Organization for Standardization (ISO) OSI model breaks down complexity of data communications into a simple layered approach © Pearson Education Computer Forensics: Principles and Practices 27

OSI Model (Cont. ) n Advantages of layered approach: q q q Different hardware/software vendors have a standard to follow for designing products Collaboration between companies to develop network components is easier Changes in one layer are not carried over into other layers Network design is broken down into smaller, more manageable parts Problem resolution is easier because problems are usually confined to a single layer © Pearson Education Computer Forensics: Principles and Practices 28

OSI Model (Cont. ) n Layer 7: Application layer functions q q n Allows access to network services that support applications Handles network access, flow control, and error recovery Layer 6: Presentation layer functions q q q Converts all formats into a common uniformat Protocol and character conversion Encryption/decryption © Pearson Education Computer Forensics: Principles and Practices 29

OSI Model (Cont. ) n Layer 5: Session layer functions q q q n Establishes identification to exclude noncommunicating hosts Establishes checkpoints Manages data transmit times and length Layer 4: Transport layer functions q q q Regulates flow control Uses acknowledgements Enables error handling © Pearson Education Computer Forensics: Principles and Practices 30

OSI Model (Cont. ) n Layer 3: Network layer functions q q Logical addressing (IP addressing) Translating logical addresses to physical addressing Packet switching Routing © Pearson Education Computer Forensics: Principles and Practices 31

OSI Model (Cont. ) n Layer 2: Data link layer functions q q q n Conversion of packets into raw bits Error correction Flow control Layer 1: Physical layer functions q q q Defines hardware standards Transmits raw data over different mediums Defines protocols on how to transmit raw data over different mediums © Pearson Education Computer Forensics: Principles and Practices 32

OSI Model (Cont. ) n Data flow in the OSI model q q q Protocols that function at each layer on Host A communicate with the corresponding layer on Host B Protocol data units (PDUs) are used to include header information on the packet being sent from host to host Each layer depends on the layer below it for services, and each layer above adds PDUs via encapsulation © Pearson Education Computer Forensics: Principles and Practices 33

TCP/IP Model n n n De facto standard for communications Direct result of the Department of Defense efforts to require a protocol that could survive wartime situations and still communicate with other hosts via different communication mediums Has only four layers as compared to seven layers of OSI model © Pearson Education Computer Forensics: Principles and Practices 34

TCP/IP Model (Cont. ) OSI Model TCP/IP Model Application Presentation Application Session Transport Network Internet Data Link Network Interface Physical © Pearson Education Computer Forensics: Principles and Practices 35

TCP/IP Model (Cont. ) n n Application layer combines application, presentation, and session layers of OSI model Transport layer similar to that in OSI model Internet layer corresponds to layer of same name in OSI model in form and function Network interface layer combines data link layer and physical layer of OSI model © Pearson Education Computer Forensics: Principles and Practices 36

TCP/IP Model (Cont. ) n n How data is transmitted on a network Switching networks q q q Packet switching Circuit switching Message switching © Pearson Education Computer Forensics: Principles and Practices 37

Summary n n n The operating system is the program that controls the basic functions of a computer The OS is the intermediary between the hardware and the software of a computer Two types of interfaces q q Command line (CLI) Graphical user (GUI) © Pearson Education Computer Forensics: Principles and Practices 38

Summary (Cont. ) n Functions basic to an OS: q q q n File management Memory management Job management Device management Security management There a variety of operating systems: q Windows, UNIX/Linux, Macintosh, DOS © Pearson Education Computer Forensics: Principles and Practices 39

Summary (Cont. ) n Various file systems are used: q n FAT 16, FAT 32, NTFS, EXT, UFS, etc. OSI model standardized the method of transmitting data on a network using a sevenlayer approach q Application, presentation, session, transport, network, data link, and physical © Pearson Education Computer Forensics: Principles and Practices 40

Summary (Cont. ) n TCP/IP model consists of four layers: q q n Application, transport, Internet, network interface De facto standard on the Internet Two address schemes are used to transmit data across networks q q Logical addressing Physical addressing © Pearson Education Computer Forensics: Principles and Practices 41