CSC414
Forensic Overview: MS-DOS and Windows 3.11
Fundamentals

Digital Forensics Center
Department of Computer Science and Statistics
URI
http://www.forensics.cs.uri.edu

MS-DOS / PC-DOS

Computer Disk System
- PC-DOS was IBM's version for its PC

Programs usually self-contained
- Programs were segregated
- Program files in a single directory
- Copy program directory to another system and run it

Boot Disks only need three files
- .com
- config.sys
- io.sys

MS-DOS / PC-DOS

Single user
- Only one program could run at a time
- Terminate and stay resident (TSR) programs were an exception
  - Utilities, viruses, key-loggers

Simple Operating System Environment
- No shared device drivers
- Device drivers integrated into programs
- No shared .dll files (Dynamically Linked Library)
- No Windows registry
- Each program used a .ini or .cfg file

File names limited to 8 characters with 3 character extension
- No strong association between file extension and type
- Users could use extension for filename or initials
- Could not search for .doc for *all* documents

Some common applications
- Lotus 1-2-3, Microsoft Multiplan
- Word Perfect, Microsoft Word

MS-DOS / PC-DOS

Digital Forensics didn't exist
- No special forensics tools
- Had to rely on system tools and programs
  - UNDELETE, UNFORMAT
  - BACKUP, RESTORE
- Commercial tools were repurposed
  - DiskEdit and Unerase
- was an issue
  - DoubleSpace, DRVSPACE, Stacker
  - Examining system

Windows 3.11

Provided a GUI interface to DOS
- Not its own operating system
- GUI replaces command line interface
- Icons were short-cuts to programs
- Files represented as icons or graphics

Intermediary between user and operating system
- GUI translates clicks and drags into DOS commands
- DOS command line still available

[Figure: layers Windows 3.11 / MS-DOS / HARDWARE]

Windows 3.x

File Manager not integrated
- Separate program

DLL's introduced
- Dynamic Link Library
- Files common to Windows programs
  - how to draw windows and menus
- Cannot simply copy application directory from one system to another and have it run (some did)
- Missing DLL's caused errors and prevented programs from running
- Common system-wide device drivers

Windows 3.x

Forensic Issues
- Issues mostly the same as DOS

User Specific Information
- Desktop and preferences for users
- users create shortcuts for regularly used programs
- favorite groups of programs
- user preferences of activities

Virtual Memory Implemented
- Evidence of recent computer activity
- Swap file located at
  - c:\windows\win386.swp
- Program information and data left in memory

Early Internet access
- Gopher
- FTP
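
Added example (not part of the original slides): because the swap file keeps program information and data that were in memory, an examiner can carve 8.3-style DOS paths out of its raw bytes and tally them by extension, which also shows why extensions alone do not identify document types. The function names, the accepted character set and the sample bytes are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Characters accepted in an 8.3 name component (a conservative subset, assumed).
_CH = rb"[A-Za-z0-9_~$!#%&-]"
# 1-8 name characters, optionally a dot and 1-3 extension characters.
_COMPONENT = _CH + rb"{1,8}(?:\." + _CH + rb"{1,3})?"
# Drive letter, colon, then backslash-separated 8.3 components. The lookarounds
# reject matches that are only a fragment of a longer, non-8.3 name.
_DOS_PATH = re.compile(
    rb"(?<![A-Za-z0-9])[A-Za-z]:(?:\\" + _COMPONENT + rb")+"
    rb"(?![A-Za-z0-9_\\]|\.[A-Za-z0-9])"
)


def carve_dos_paths(data):
    """Return (offset, path) for every 8.3-style DOS path found in raw bytes."""
    return [(m.start(), m.group().decode("ascii").upper())
            for m in _DOS_PATH.finditer(data)]


def summarize_by_extension(hits):
    """Count carved paths per extension; '' means no extension."""
    exts = Counter()
    for _, path in hits:
        name = path.rsplit("\\", 1)[-1]
        exts[name.rsplit(".", 1)[1] if "." in name else ""] += 1
    return exts


# Constructed sample standing in for a few bytes of swap-file content:
# NUL-terminated path strings surrounded by binary noise.
SAMPLE = (
    b"\x00\x13\xfe" + b"C:\\WP51\\LETTER.JS\x00"      # user initials as extension
    + b"\x90\x90\x00" + b"c:\\windows\\win386.swp\x00"
    + b"\xff\x00" + b"A:\\BUDGET.WK1\x00\x07"
    + b"D:\\LONGFILENAME.TXT\x00"                      # not 8.3, rejected
)

if __name__ == "__main__":
    hits = carve_dos_paths(SAMPLE)
    for offset, path in hits:
        print(f"0x{offset:06x}  {path}")
    print(dict(summarize_by_extension(hits)))
```

On real evidence, run this against a read-only copy of the swap file and record the offsets so each hit can be re-examined in a hex viewer.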
