DOCSLIB.ORG

Branches of Digital Forensics

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Branches of Digital Forensics © Jones & Bartlett Learning, LLC © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett Learning, LLC © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett Learning, LLC © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION NOT FOR SALE OR DISTRIBUTION PART III © phyZick/Shutterstock © Jones & Bartlett Learning, LLC © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION NOT FOR SALE OR DISTRIBUTION Branches of Digital Forensics © Jones & Bartlett Learning, LLC © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION NOT FOR SALE OR DISTRIBUTION CHAPTER 8 Windows Forensics 193 CHAPTER 9 Linux Forensics 223 © Jones & Bartlett Learning, LLC © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION CHAPTER 10 Mac OS ForensicsNOT FOR 253 SALE OR DISTRIBUTION CHAPTER 11 Email Forensics 271 CHAPTER 12 Mobile Forensics 291 © Jones & Bartlett Learning, LLC © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION CHAPTER 13 NOTNetwork FOR SALE Forensics OR DISTRIBUTION313 CHAPTER 14 Memory Forensics 343 © Jones & BartlettCHAPTER Learning, 15 Trends LLC and Future Directions© Jones 361 & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett Learning, LLC © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett Learning,© Jones LLC & Bartlett Learning LLC, an Ascend Learning© Jones Company. & NOT Bartlett FOR SALE Learning, OR DISTRIBUTION. LLC NOT FOR SALE OR DISTRIBUTION NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett Learning, LLC © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett Learning, LLC © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett Learning, LLC © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett Learning, LLC © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett Learning, LLC © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett Learning, LLC © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett Learning, LLC © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett Learning, LLC © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett Learning, LLC © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett Learning,© Jones LLC & Bartlett Learning LLC, an Ascend Learning© Jones Company. & NOT Bartlett FOR SALE Learning, OR DISTRIBUTION. LLC NOT FOR SALE OR DISTRIBUTION NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett Learning, LLC © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION NOT FOR SALE OR DISTRIBUTION CHAPTER © Jones & Bartlett Learning, LLC © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION NOT FOR SALE8 OR DISTRIBUTION Windows Forensics © phyZick/Shutterstock © Jones & Bartlett Learning, LLC © Jones & Bartlett Learning, LLC NOT FOR SALEICROSOFT OR WINDOWS DISTRIBUTION IS A UBIQUITOUS operating system. It isNOT difficult FOR to imagine SALE you OR DISTRIBUTION working in digital forensics and not routinely encountering Windows machines. There- Mfore, it is important that you be very familiar with conducting forensics on Windows machines. In this chapter, you will learn how to perform forensic examination of a Windows © Jones & Bartlettcomputer. Learning, That includes LLC examining the Registry, the© Jonesindex.dat, & the Bartlett swap file, Learning, and more. LLC NOT FOR SALE OR DISTRIBUTION NOT FOR SALE OR DISTRIBUTION Chapter© Jones 8 Topics & Bartlett Learning, LLC © Jones & Bartlett Learning, LLC This chapterNOT coversFOR the SALE following OR topics DISTRIBUTION and concepts: NOT FOR SALE OR DISTRIBUTION • The details of Windows • Evidence in volatile data © Jones & Bartlett• The Windows Learning, swap fi le LLC © Jones & Bartlett Learning, LLC NOT FOR SALE• Windows OR logs DISTRIBUTION NOT FOR SALE OR DISTRIBUTION • Windows directories • Data stored in index.dat • Windows Registry © Jones & Bartlett Learning, LLC © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION Chapter 8 Goals NOT FOR SALE OR DISTRIBUTION When you complete this chapter, you will be able to: • Understand the workings of the Windows operating system • © Gather Jones evidence & fromBartlett the Registry Learning, LLC © Jones & Bartlett Learning, LLC • NOT Retrieve FOR evidence SALE from logs OR DISTRIBUTION NOT FOR SALE OR DISTRIBUTION • Examine directories for evidence • Check the index.dat fi le for evidence © Jones & Bartlett Learning, LLC © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION NOT FOR SALE OR DISTRIBUTION 193 © Jones & Bartlett Learning,© Jones LLC & Bartlett Learning LLC, an Ascend Learning© Jones Company. & NOT Bartlett FOR SALE Learning, OR DISTRIBUTION. LLC NOT FOR SALE OR DISTRIBUTION NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett Learning, LLC © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION NOT FOR SALE OR DISTRIBUTION 194 PART III | Branches of Digital Forensics Windows© Jones &Details Bartlett Learning, LLC © Jones & Bartlett Learning, LLC BeforeNOT delving FOR deeply SALE into OR Windows DISTRIBUTION forensics, it is a good idea to get a betterNOT idea FOR of the SALE OR DISTRIBUTION operating system itself. In this section, you learn about the history of Windows and its struc- ture. This gives you a context within which to learn Windows forensics. For deeper coverage of Windows internals, refer to the book Windows Sysinternals Administrator’s Reference by © Jones &Mark Bartlett E. Russinovich Learning, and AaronLLC Margosis. © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION NOT FOR SALE OR DISTRIBUTION Windows History The first version of Windows to gain widespread use was version 3.1, released in 1992. It was then that the Windows system became widely popular. At that time, Windows was a © Jones & Bartlett Learning,graphical LLC user interface (GUI), and not© Jonesreally an &operating Bartlett system. Learning, The operating LLC system NOT FOR SALE OR DISTRIBUTIONwas Disk Operating System (DOS). WindowsNOT FOR provided SALE a visual OR interfaceDISTRIBUTION for interacting with the operating system by means of mouse clicks, rather than typing in DOS commands. During the early 1990s, you could use other, non-Microsoft user interfaces to work with DOS. You could also install Windows on systems running some non-Microsoft operating systems, such as Dr. DOS (an alternative to DOS). There were also several competing operat- ing ©systems Jones for &PCs, Bartlett including Learning, OS2 and OS2 LLC Warp from IBM. © Jones & Bartlett Learning, LLC ForNOT servers FOR and SALE serious OR professionals, DISTRIBUTION Microsoft had Windows NT VersionsNOT 3.1, FOR 3.51, SALE and OR DISTRIBUTION 4.0, which were widely used. Each version had both workstation and server editions. The NT version of Windows was widely considered more stable and more secure than Windows 3.1. The release of Windows 95 in 1995 marked a change in Windows. At this point, the und er- © Jones &lying Bartlett operating Learning, system and LLC the GUI—a point-and-click user© Jones interface—were & Bartlett fused Learning, into one LLC single, coherent product. This meant that you could not choose some non-Windows GUI. NOT FOR SALEShortly afterOR theDISTRIBUTION release of Windows 95, Windows NT 4.0NOT was FORreleased. SALE Many OR consider DISTRIBUTION Windows 98 just an intermediate step, an improvement on Windows 95. The interface looked very much the same as Windows 95, but the performance was vastly improved. Windows 95 and 98 used the FAT32 file system. © Jones & Bartlett Learning,Windows LLC 2000 was widely considered© Jones a major &improvement Bartlett Learning, in the Windows LLC line. Ess- NOT FOR SALE OR DISTRIBUTIONentially, the days of separate NT and WindowsNOT FOR lines SALEwere over. OR Now DISTRIBUTION there would simply be different editions of Windows 2000. There were editions for home users, for professional users, and for servers. The differences among the editions were primarily in the features available and the capacity, such as how much random access memory (RAM) could be addressed. Windows 2000 was also the version of Windows wherein Microsoft began to recommend© Jones NTFS & Bartlettover FAT32 Learning, as a file system. LLC © Jones & Bartlett Learning, LLC WindowsNOT FOR XP was SALE the next OR milestone DISTRIBUTION for Microsoft, and Windows ServerNOT 2003 FOR was SALE OR DISTRIBUTION released the same year. This marked a return to the approach of having a separate server and desktop system (unlike Windows 2000). The interface was not very different, but there were structural improvements. Windows Vista and Windows 7 did not have significantly different user interfaces from © Jones & XP.Bartlett There were Learning, feature changes LLC and additional capabilities,© Jones but essentially & Bartlett the interface Learning, was LLC NOT FOR SALEmoderately OR tweaked DISTRIBUTION with each version. The same can beNOT said ofFOR the relationshipSALE OR between DISTRIBUTION © Jones & Bartlett Learning,© Jones LLC & Bartlett Learning LLC,
Load more

Recommended publications
  • Operating System Boot from Fully Encrypted Device
    Masaryk University Faculty of Informatics Operating system boot from fully encrypted device Bachelor’s Thesis Daniel Chromik Brno, Fall 2016 Replace this page with a copy of the official signed thesis assignment and the copy of the Statement of an Author. Declaration Hereby I declare that this paper is my original authorial work, which I have worked out by my own. All sources, references and literature used or excerpted during elaboration of this work are properly cited and listed in complete reference to the due source. Daniel Chromik Advisor: ing. Milan Brož i Acknowledgement I would like to thank my advisor, Ing. Milan Brož, for his guidance and his patience of a saint. Another round of thanks I would like to send towards my family and friends for their support. ii Abstract The goal of this work is description of existing solutions for boot- ing Linux and Windows from fully encrypted devices with Secure Boot. Before that, though, early boot process and bootloaders are de- scribed. A simple Linux distribution is then set up to boot from a fully encrypted device. And lastly, existing Windows encryption solutions are described. iii Keywords boot process, Linux, Windows, disk encryption, GRUB 2, LUKS iv Contents 1 Introduction ............................1 1.1 Thesis goals ..........................1 1.2 Thesis structure ........................2 2 Boot Process Description ....................3 2.1 Early Boot Process ......................3 2.2 Firmware interfaces ......................4 2.2.1 BIOS – Basic Input/Output System . .4 2.2.2 UEFI – Unified Extended Firmware Interface .5 2.3 Partitioning tables ......................5 2.3.1 MBR – Master Boot Record .
    [Show full text]
  • Server Support Interview Questions and Answers Guide
    Server Support Interview Questions And Answers Guide. Global Guideline. https://www.globalguideline.com/ Server Support Interview Questions And Answers Global Guideline . COM Server Support Job Interview Preparation Guide. Question # 1 Tell me where are cluster logs stored? Answer:- Please share your answers. Read More Answers. Question # 2 What are the Logical / Physical Structures of the AD Environment? Answer:- Active Directory Logical components are Forests, Trees, Domains, OUs and Objects. Active Directory Physical components are Domain Controllers, Sites and subnets. Read More Answers. Question # 3 What applications or services use AD application partitions? Name a couple? Answer:- Application partition contains the information of application data and other data related to application as well. But it does not contain any data related AD object such as USER, COMPUTER and GROUP. The saved data will be replicated to some of the particular DC not to all the DCs. Read More Answers. Question # 4 What are the types of hard disks used in servers? Answer:- Mostly we use scsi hardrive in server due few reason to it, high scalability & flexibility in raid array, faster from other type of hdd interface like-sata,ata,ide also it reliable & compatible with older scsi devices Read More Answers. Question # 5 What are some of the command-line tools available for managing a Windows 2003 Server/Active Directory environment? Answer:- Command Line Tools 1) GPupdate 2) Where 3) SystemInfo 4) CSVDE 5) LDIFDE 6) CMDCONS 7) Ipconfig 8) RoboCopy 9) CMDHere 10) PathPing Read More Answers. Question # 6 What if a FSMO server role fails? Answer:- FSMO roles are important role in server .
    [Show full text]
  • How Will You Troubleshoot the Issue? What Are the Steps to Followed? A
    1. A user in a corporate network contacts service desk saying he/she has lost network connectivity: How will you troubleshoot the issue? What are the steps to followed? A. First I will check the network cable is plugged in or not. Then check the network connections and the ip address is assigned or not. Then check connecting to website or not. IP conflict. 2. A User calls in and complains that her computer and network is running very slow. How would go about troubleshooting it? A. 3. How would you create an email account for a user already in AD? A. Open Microsoft Outlook if you are using office 2000, and click on "Tools" tab. Go to "Email Accounts". There you can find two option like Email and Directory. Click on "Add a new Account" and click next. If you are using Exchange Server then click over there, this depends on that particular Organization. According to the their setup you have to choose. And if you are using POP3 server then next popup will come along with your name, email address POP3 and SMTP IP address, Password etc. and after that click on Next and finish it..... 4. A PC did not receive an update from SMS. What steps would we take to resolve this? A. If SMS not updated in client system. 1. Need to check system getting IPaddress or not. 2. Need to check system in domain or not 3.Ensure that windows firewall should be off. 5. How do you set the IP address by using the command prompt A.
    [Show full text]
  • Boot Problem Solutions B 102/1
    B102.qxp_July 2018 25/05/2018 10:00 Page 23 BcdEdit: Boot Problem Solutions B 102/1 If Windows Goes on Strike while Booting Up: Use BcdEdit to Take Back Control Using the information given in this article you will be able to: Edit your Windows system’s boot configuration, Remove an old operating system from the boot menu, Restore a faulty boot sector using BootRec. On Windows XP, you could change the boot menu and configure the process simply by editing the BOOT.INI file. This was especially useful if you had a multi- boot system, and needed to quickly change the options displayed in the menu when you start up your PC. With the introduction of Windows 7, everything changed, and modifying your boot menu became much more complicated than editing a single file. That’s because Microsoft replaced the BOOT.INI file with the BCD (Boot Configuration Data) database. Unfortunately, this data could no longer be edited with a text editor and now it is only possible to make configuration changes using the BcdEdit tool. In this article, I’ll show you how to use the BcdEdit program in order to add operating systems to the boot configuration data, or remove entries from the list of displayed operating systems. • BcdEdit: The New Boot File Editor in Windows .... .......... B 102/2 • BcdEdit: The Boot Configuration Data Editor .... ............. B 102/4 • You Should Know these BcdEdit Parameters ..... ............. B 102/5 • Manage Multi-boot Systems Using BcdEdit .... ............... B 102/8 • How to Rescue Windows 10, 8.1 & 7 Multi-boot Systems ..
    [Show full text]
  • Windows Embedded Standard 2009 Prepkit
    MCTSi Exam 70-577 Windows Embedded Standard 2009 Preparation Kit Certification Exam Preparation Automation Not for resale. ii Published by Microsoft Corporation One Microsoft Way Redmond, Washington 98052-6399 This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publica- tion. Information in this document, including URL and other Internet Web site references, is subject to change with- out notice. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmit- ted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any pur- pose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. Copyright © 2009 Microsoft Corporation. All rights reserved. Internet Explorer, Microsoft, MS-DOS, Visual Studio, Win32, Windows and Windows Vista are trademarks of the Microsoft group of companies.
    [Show full text]
  • The Evolution of TDL: Conquering X64
    The Evolution of TDL: Conquering x64 Revision 1.1 Eugene Rodionov, Malware Researcher Aleksandr Matrosov, Senior Malware Researcher 2 2 CONTENTS 3 INTRODUCTION ..................................................................................................................................................... 4 1 INVESTIGATION ............................................................................................................................................. 5 1.1 GANGSTABUCKS ............................................................................................................................................... 6 2 INSTALLATION ............................................................................................................................................. 11 2.1 INFECTING X86 SYSTEMS .................................................................................................................................. 11 2.2 INFECTING X64 SYSTEMS .................................................................................................................................. 13 2.3 THE DROPPER’S PAYLOAD ................................................................................................................................ 14 2.4 COMPARISON WITH TDL3/TDL3+..................................................................................................................... 15 3 THE BOT .....................................................................................................................................................
    [Show full text]
  • [ [ [ {[email protected]}
    UNDERSTANDING WINDOWS 2K SOURCES (part 1) Written By: AndreaGeddon [www.andreageddon.com] [www.reteam.org] [www.quequero.org] {[email protected]} :: INTRO :: This is the first of a series of articles in which I will deal a little bit in detail with the windows 2000 kernel. In particular I will refer to the stolen sources that have been published. For obvious causes I shall not write the code directly in this article, but I will make precise references to the files I will describe, so if you have the sources you will find easy it easy to understand this text. :: REQUIREMENTS :: Well, first of all it would be good if you have the sources, if you don’t have them you can read the article the same as it will have a quite generic stamp. Second, you have to know hardware x86 architecture basics, infact I will not deal with things like IDT etc, so get your Intel manuals and study them! Last, I will assume you have some basic knowledge about an operating system, that is you know what is a file system, what is a scheduler and so on. Now we can begin. :: BIBLIOGRAPHY :: Here are some books on the argument that I advise you to read: • The Windows 2000 Device Driver Book - Art Baker, Jerry Lozano • Inside Windows 2000 - Russinovich, Solomon (sysinternals) • Windows driver model - Oney • Windows NT Native Api - Gary Nebbett • Undocumented Windows NT - Dabak, Phadke, Borate • Windows NT File SYstem Internals - Nagar • Windows NT Device Driver Development - Viscarola :: THE BEGINNING :: The source leak is dated on the first ten days of february, with the direct responsibility for it, being Mainsoft; an old partner of Microsoft.
    [Show full text]
  • Review NTFS Basics
    Australian Journal of Basic and Applied Sciences, 6(7): 325-338, 2012 ISSN 1991-8178 Review NTFS Basics Behzad Mahjour Shafiei, Farshid Iranmanesh, Fariborz Iranmanesh Bardsir Branch, Islamic Azad University, Bardsir, Iran Abstract: The Windows NT file system (NTFS) provides a combination of performance, reliability, and compatibility not found in the FAT file system. It is designed to quickly perform standard file operations such as read, write, and search - and even advanced operations such as file-system recovery - on very large hard disks. Key words: Format, NTFS, Volume, Fat, Partition INTRODUCTION Formatting a volume with the NTFS file system results in the creation of several system files and the Master File Table (MFT), which contains information about all the files and folders on the NTFS volume. The first information on an NTFS volume is the Partition Boot Sector, which starts at sector 0 and can be up to 16 sectors long. The first file on an NTFS volume is the Master File Table (MFT). The following figure illustrates the layout of an NTFS volume when formatting has finished. Fig. 5-1: Formatted NTFS Volume. This chapter covers information about NTFS. Topics covered are listed below: NTFS Partition Boot Sector NTFS Master File Table (MFT) NTFS File Types NTFS File Attributes NTFS System Files NTFS Multiple Data Streams NTFS Compressed Files NTFS & EFS Encrypted Files . Using EFS . EFS Internals . $EFS Attribute . Issues with EFS NTFS Sparse Files NTFS Data Integrity and Recoverability The NTFS file system includes security features required for file servers and high-end personal computers in a corporate environment.
    [Show full text]
  • Windows Embedded Standard 2009 Prepkit
    MCTSi Exam 70-577 Windows Embedded Standard 2009 Preparation Kit Certification Exam Preparation Automation Not for resale. ii Table of Contents Contents at a Glance 1 Creating and Customizing the Configuration 2 Managing the Development Environment 3 Integrating Embedded Enabling Features 4Creating Components 5 Generating and Deploying an Image 6 Adding Windows Functionality Chapter 3 Integrating Embedded Enabling Features This chapter discusses Microsoft® Windows Embedded Standard 2009 Embedded Enabling Features (EEFs), which are components that address scenarios specific to embedded devices, such as deploying run-time images on read-only media, managing and updating your device remotely, and mass deployment. Exam objectives in this chapter: ■ Implement Device Update Agent (DUA) ■ Implement a USB Boot solution ■ Implement Enhanced Write Filter (EWF) ■ Implement File Based Write Filter (FBWF) ■ Implement Message Box Default Reply Before You Begin To complete the lessons in this chapter you need the following: ■ Windows Embedded Studio for Windows Embedded Standard 2009 installed. ■ Completed Chapters 1 and 2. ■ The configuration you created in Chapter 1. 73 74 Chapter 3 Integrating Embedded Enabling Features Lesson 1: Implement DUA The DUA component enables you to remotely update the run-time image of your Windows Embedded Standard 2009 devices. It is a service that runs on your device and processes a script that performs update and maintenance operations. DUA is useful for updating Windows Embedded Standard 2009 images, and is a small component with few dependencies. With DUA, you can update applications or application data, deploy new binaries and device drivers, make registry changes, and automate cleanup and management tasks. After this lesson, you will be able to: ■ Add and configure DUA in your image configuration.
    [Show full text]
  • Major System Files, and Their Purpose: Windows 9X –Specific Files • IO.SYS the Io.Sys File Is an MS-DOS and Windows 9X
    Major System Files, and their purpose: Windows 9x –specific files IO.SYS The io.sys file is an MS-DOS and Windows 9x hidden system file that is used to load the operating system each time the computer boots. The file is not editable using normal text editors. MSDOS.SYS The MSDOS.SYS file is a hidden system file created on the root of the boot drive. To edit this file, type edit msdos.sys. The PC boot environment can be changed by changing the file contents. Given below is a typicalMSDOS.SYS file: Below is a sample MSDOS.SYS File [Paths] WinDir=C:\WINDOWS WinBootDir=C:\WINDOWS HostWinBootDrv=C [Options] BootGUI=1 Network=1 BootMulti=1 ; ;The following lines are required for compatibility with other programs. ;Do not remove them (MSDOS.SYS needs to be >1024 bytes). AUTOEXEC.BAT An AUTOEXEC.BAT file contains DOS commands that are executed automatically when a PC boots. The file is usually located in the root directory of the hard drive of the computer. The AUTOEXEC.BAT file is used to set defaults and to run programs that should be executed during startup. Example: PROMPT $P$G Use the PROMPT command to alter the default DOS prompt. The above command makes the DOS prompt display the current path and drive, and is very useful. COMMAND.COM 1. It does: The file contains internal command set and error messages 2. Default Attributes: Nil 3. Is it required for OS Start up: YES 4. Responsible for displaying the command prompt in a DOS based computer.
    [Show full text]
  • Start Linux from the Windows XP Bootloader
    Start Linux from the Windows XP bootloader The idea is to do the same as Windows XP does automatically if installed after Windows 98. It copies the MBR (see http://en.wikipedia.org/wiki/Master_boot_record) made by Windows 98 in a file usually named bootsect.dos and add a line in the Windows XP bootloader (NTLDR) configuration file C:\boot.ini similar to C:\BOOTSECT.DOS="Microsoft Windows". Then, the Windows XP installer replaces the MBR with what it needs and so on. And when you start your computer and choose the entry "Microsoft Windows" on the Windows XP bootloader menu, it launches the code in C:\BOOTSECT.DOS and lets it play as if wants. Therefore, for Linux, we need to capture the MBR made by Linux (with : dd if=/dev/hda of=/bootsect.lnx bs=512 count=1 on Linux in root or with dskprobe on Windows in Administrator : d'abord ouvrir le handle du disque, puis lire de 0 à 16) in a file bootsect.lnx, install Windows XP, put bootsect.lnx on C:\ and add a line C:\BOOTSECT.LNX="Linux" at the end of the C:\Boot.ini file (be sure to remove the read-only attribute and enable the view of hidden and system files in Windows folder options to be able to edit it). This will probably also work with Vista and Seven if you add an entry with bcdedit to handle NTLDR. Note : You can restore at any time the MBR made by XP with the command FIXMBR on the Windows XP recovery console, or with the tool bootsect (type bootsect /nt52 C: /mbr) from Windows Seven or a Windows PE CD or USB key.
    [Show full text]
  • Guide to Computer Forensics and Investigations Fourth Edition
    Guide to Computer Forensics and Investigations Fourth Edition Chapter 6 Working with Windows and DOS Systems Objectives • Explain the purpose and structure of file systems • Describe Microsoft file structures • Explain the structure of New Technology File System (NTFS) disks • List some options for decrypting drives encrypted with whole disk encryption Guide to Computer Forensics and Investigations 2 Objectives (continued) • Explain how the Windows Registry works • Describe Microsoft startup tasks • Describe MS-DOS startup tasks • Explain the purpose of a virtual machine Guide to Computer Forensics and Investigations 3 Understanding File Systems • File system – Gives OS a road map to data on a disk • Type of file system an OS uses determines how data is stored on the disk • A file system is usually directly related to an OS • When you need to access a suspect’s computer to acquire or inspect data – You should be familiar with the computer’s platform Guide to Computer Forensics and Investigations 4 Understanding the Boot Sequence • Complementary Metal Oxide Semiconductor (CMOS) – Computer stores system configuration and date and time information in the CMOS • When power to the system is off • Basic Input/Output System (BIOS) – Contains programs that perform input and output at the hardware level Guide to Computer Forensics and Investigations 5 Understanding the Boot Sequence (continued) • Bootstrap process – Contained in ROM, tells the computer how to proceed – Displays the key or keys you press to open the CMOS setup screen • CMOS should
    [Show full text]