volonino_ppt_06

Computer Forensics: Principles and Practices
by Volonino, Anzaldua, and Godwin

Chapter 6: Operating Systems and Data Transmission Basics for Digital Investigations

Objectives

- Define and recognize an operating system
- Identify the different types of operating system interfaces
- Identify the different components of an operating system
- Understand and identify the different file systems

© Pearson Education Computer Forensics: Principles and Practices
2
Objectives (Cont.)

- Understand the OSI and TCP/IP models
- Understand the basics of how data is transmitted on networks

Introduction

Hardware and software work together to run the computer. It is important to understand which operating system you are dealing with in order to understand how and where data is stored on the storage device(s). This chapter provides this foundation, along with how data is communicated from host to host across a network.

What Is an Operating System?

- Simply stated, an operating system is a program that controls how a computer functions
- The OS controls how data is accessed, saved, and organized on a storage device
- The core of the operating system is called the kernel

Operating System Functions

An operating system provides:

- Some type of user interface
- Single-user or multiple-user access to applications
- File management
- Memory management
- Job management
- Device management
- Security

Types of Interfaces

- A user interface is the way a user communicates with the computer
- The user interface may also be known as a shell
- Two major interface types:
  - Graphical user interface (GUI)
  - Command-line interface (CLI)

Categories of Use

- Single-user systems
  - Designed to be used by only one user
  - DOS is a single-user, single-tasking system
  - Windows is a single-user, multitasking system
- Multiple-user systems
  - Allow multiple users to access the same application
  - Servers and UNIX/Linux are multiple-user systems

File and Memory Management

- The OS controls reading, writing, accessing, and modification of data
- The basic units of file management are files and folders (directories)
- Memory management deals with the temporary storage or use of applications and data
- The OS controls where applications and data are stored in memory

Job and Device Management

- Computers can execute only one instruction at a time per processor (CPU)
- The OS controls the order in which tasks or jobs are processed
- The OS acts as an intermediary between application software and physical hardware
- The OS uses device drivers to manage hardware devices

Security

- The primary method of security is to have the user authenticate with credentials when logging into a system
- Newer operating systems implement rights and permissions on files and folders to increase the security of the OS

In Practice: Iraqi Computer Disks and Hard Drives Recovered

- Computer disks and hard drives recovered from Iraq and Afghanistan during Saddam Hussein’s regime
- 2 million items, including:
  - Handwritten notes
  - Typed documents
  - Audiotapes
  - Videotapes
  - CDs, floppy disks, and hard drives

Common Operating Systems

- DOS
- Windows
- Linux
- UNIX
- Macintosh

DOS and Windows 3.X

- DOS was one of the first personal computer operating systems
- Its command-line interface required users to know DOS commands and syntax
- Windows 3.1 was the first stable GUI from Microsoft
- Windows 3.1 was an application running on top of DOS rather than a true operating system
- Windows 3.11 added network capability

Windows 95 and Windows 98

- Windows 95 innovations include:
  - Plug and play
  - Registry
  - Network and Internet capability
- Windows 98 enhancements include:
  - Power management features
  - Upgrade capability via the Internet
  - Automated registry checks and repairs
  - Upgraded plug and play support

Windows NT

- Windows NT (New Technology) innovations include:
  - Privileged mode, which allows NT to isolate applications so one can be shut down without affecting others
  - Support for multiple CPUs
  - Multilayered security functions such as:
    - File and folder access protection via permissions
    - Network share protection and auditing capability
    - Use of domain controllers

Windows 2000

- Windows 2000 is based on NT technology with some improvements in the areas of security and networking:
  - Group policies
  - Secure authentication
  - File encryption

Windows XP

- Same kernel as Windows 2000
- New GUI, simple firewall, remote control access, and increased speed of the OS
- Versions: XP Home, XP Professional
- Server version: Server 2003
- XP Home is the upgrade path from Windows ME

Linux

- Linux is a relatively new OS based on the UNIX OS
- Linux advantages:
  - Free or inexpensive
  - Can run on older equipment
  - Can run on a multitude of hardware platforms
  - Fast and stable

UNIX

- Most operating systems can trace their roots to UNIX
- Two main “camps” in the UNIX world:
  - Berkeley Software Distribution (BSD)
  - System V Release 4 (SVR4)
- UNIX is a true multiuser, multitasking OS designed with security in mind
- UNIX can use either a CLI or a GUI

Macintosh

- The Macintosh was the first stable GUI and is still the most intuitive GUI on the market
- Apple’s initial philosophy was tight control over hardware and software
- Apple recently changed processors, which allows a Mac to also run Windows XP

Common File System Types

- The function of a file system is to manage files and folders on a system
- The OS performs the following to help with this:
  - Partitions and formats storage devices
  - Creates a standard for naming files and folders
  - Maintains the integrity of files and folders
  - Provides for error recovery
  - Provides for security of the file system

Common File System Types (Cont.)

- FAT (file allocation table) file system
  - The file allocation table is a directory the OS uses to keep track of where files are
  - The root directory is the top directory on a FAT system
- FAT16
  - Uses 16 bits in the file allocation table
  - Uses the 3-character extension to identify file type
  - Can assign attributes to files and folders

Common File System Types (Cont.)

- FAT32
  - Expands the capabilities of FAT16
  - Designed to accommodate large hard drives
  - Designed to use space more efficiently
  - 2 terabyte limit on partition size
  - 4 GB file size limit (double that of FAT16)

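The cluster-chain lookup that the FAT16 and FAT32 slides above describe, as an added example that is not from the book or its authors: a constructed FAT16 and FAT32 table, the chain-following routine a forensic tool uses to locate the clusters holding a file (including the 28-bit mask FAT32 entries need and the end-of-chain, free and bad-cluster markers), and a mapper from clusters to byte offsets on the volume. All sample values, the data-area start and the cluster size are constructed for the example.

```python
import struct

# Constructed sample FAT16 table (raw little-endian 16-bit entries), not from the
# book: entries 0 and 1 are reserved; file A occupies clusters 2 -> 3 -> 5,
# file B occupies 4 -> 6, cluster 7 is free, 8 is marked bad, 9 points to itself.
FAT16_SAMPLE = struct.pack(
    "<10H",
    0xFFF8, 0xFFFF,  # entries 0 and 1: media descriptor and reserved
    0x0003, 0x0005,  # cluster 2 -> 3, cluster 3 -> 5
    0x0006, 0xFFFF,  # cluster 4 -> 6, cluster 5 = end of chain
    0xFFFF, 0x0000,  # cluster 6 = end of chain, cluster 7 free
    0xFFF7, 0x0009,  # cluster 8 bad, cluster 9 -> 9 (corrupted loop)
)
# Constructed FAT32 sample: the high nibble of an entry is reserved and must be
# masked off, so 0xF0000003 still means "next cluster is 3".
FAT32_SAMPLE = struct.pack("<4I", 0x0FFFFFF8, 0x0FFFFFFF, 0xF0000003, 0x0FFFFFFF)

def fat_entry(fat: bytes, cluster: int, bits: int) -> int:
    """Read one entry from a raw FAT16 (16-bit) or FAT32 (28 bits used) table."""
    if bits == 16:
        return struct.unpack_from("<H", fat, cluster * 2)[0]
    return struct.unpack_from("<I", fat, cluster * 4)[0] & 0x0FFFFFFF

def follow_chain(fat: bytes, start: int, bits: int = 16) -> list:
    """Return the ordered list of clusters holding a file, given its first cluster.

    Stops at an end-of-chain marker; raises ValueError when the chain runs into
    a free or bad cluster, a reserved entry, or loops back on itself.
    """
    eoc_min, bad = (0xFFF8, 0xFFF7) if bits == 16 else (0x0FFFFFF8, 0x0FFFFFF7)
    chain, cur = [], start
    while True:
        if cur < 2 or cur in chain:
            raise ValueError(f"corrupt chain: cluster {cur} reserved or revisited")
        chain.append(cur)
        nxt = fat_entry(fat, cur, bits)
        if nxt >= eoc_min:
            return chain
        if nxt == 0 or nxt == bad:
            raise ValueError(f"chain broken at cluster {cur}: next entry {nxt:#x}")
        cur = nxt

def chain_byte_ranges(chain: list, data_start: int, cluster_size: int) -> list:
    """Map a cluster chain to (offset, length) byte ranges on the volume,
    assuming cluster 2 is the first data cluster (as in FAT16 and FAT32)."""
    return [(data_start + (c - 2) * cluster_size, cluster_size) for c in chain]
```

A deleted file's directory entry still names its first cluster, so the same walk is how a tool decides whether the rest of the chain is intact or already overwritten.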
Common File System Types (Cont.)

NTFS (New Technology File System) introduced the following features:

- Long file name support
- Ability to handle large storage devices
- Built-in security controls
- POSIX support
- Volume striping
- File compression
- Master file table (MFT)

Common File System Types (Cont.)

- UNIX/Linux
  - Can handle many different file systems
  - The UNIX file system (UFS) is the most native format
  - The extended file system (EXT) is primarily used by Linux
  - UNIX uses inodes, clearinghouses of information about files on UNIX systems
  - To access the actual file system, a superblock is created

OSI Model

- A standard was needed for companies to communicate with each other via their computer systems
- The OSI model was released in 1984
- Created by the International Organization for Standardization (ISO)
- The OSI model breaks down the complexity of data communications into a simple layered approach

OSI Model (Cont.)

Advantages of the layered approach:

- Different hardware/software vendors have a standard to follow for designing products
- Collaboration between companies to develop network components is easier
- Changes in one layer are not carried over into other layers
- Network design is broken down into smaller, more manageable parts
- Problem resolution is easier because problems are usually confined to a single layer

OSI Model (Cont.)

- Layer 7: Application layer functions
  - Allows access to network services that support applications
  - Handles network access, flow control, and error recovery
- Layer 6: Presentation layer functions
  - Converts all formats into a common uniform format
  - Protocol and character conversion
  - Encryption/decryption

OSI Model (Cont.)

- Layer 5: Session layer functions
  - Establishes identification to exclude noncommunicating hosts
  - Establishes checkpoints
  - Manages data transmit times and length
- Layer 4: Transport layer functions
  - Regulates flow control
  - Uses acknowledgements
  - Enables error handling

OSI Model (Cont.)

- Layer 3: Network layer functions
  - Logical addressing (IP addressing)
  - Translating logical addresses to physical addresses
  - Packet switching
  - Routing

OSI Model (Cont.)

- Layer 2: Data link layer functions
  - Conversion of packets into raw bits
  - Error correction
  - Flow control
- Layer 1: Physical layer functions
  - Defines hardware standards
  - Transmits raw data over different media
  - Defines protocols for how to transmit raw data over different media

OSI Model (Cont.)

Data flow in the OSI model:

- Protocols that function at each layer on Host A communicate with the corresponding layer on Host B
- Protocol data units (PDUs) are used to include header information on the packet being sent from host to host
- Each layer depends on the layer below it for services, and each layer adds its own header to the PDU it receives from the layer above via encapsulation

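An added illustration of the encapsulation just described (not from the book or its authors): Host A wraps application data in simplified transport, network and link headers, and Host B peels them off layer by layer, each layer reading only the header written by its peer on the other host and handing the rest upward. The header layouts, addresses and payload are constructed for the example and are not the real TCP, IP or Ethernet encodings.

```python
import struct

# Constructed header layouts for this example (not the real on-the-wire formats):
# each layer's PDU is its own header followed by the PDU handed down from above.
LINK_HDR = "!6s6sH"    # dst MAC, src MAC, EtherType                    (14 bytes)
NET_HDR = "!BB4s4sH"   # version, protocol, src IP, dst IP, total length (12 bytes)
TRANS_HDR = "!HHI"     # src port, dst port, sequence number             (8 bytes)
ETHERTYPE_IP, PROTO_TCP = 0x0800, 6

def encapsulate(app_data: bytes, ports, ips, macs, seq: int = 1) -> bytes:
    """Host A: transport, network and link layers each prepend their header."""
    segment = struct.pack(TRANS_HDR, ports[0], ports[1], seq) + app_data
    total = struct.calcsize(NET_HDR) + len(segment)
    packet = struct.pack(NET_HDR, 4, PROTO_TCP, ips[0], ips[1], total) + segment
    frame = struct.pack(LINK_HDR, macs[1], macs[0], ETHERTYPE_IP) + packet
    return frame

def decapsulate(frame: bytes) -> dict:
    """Host B: each layer parses only its peer's header and passes the rest up."""
    n = struct.calcsize(LINK_HDR)
    dst_mac, src_mac, ethertype = struct.unpack(LINK_HDR, frame[:n])
    if ethertype != ETHERTYPE_IP:
        raise ValueError("link layer: unexpected EtherType")
    packet = frame[n:]

    n = struct.calcsize(NET_HDR)
    version, proto, src_ip, dst_ip, total = struct.unpack(NET_HDR, packet[:n])
    # The total-length field lets the network layer notice a truncated or padded frame.
    if version != 4 or proto != PROTO_TCP or total != len(packet):
        raise ValueError("network layer: malformed packet")
    segment = packet[n:]

    n = struct.calcsize(TRANS_HDR)
    src_port, dst_port, seq = struct.unpack(TRANS_HDR, segment[:n])
    return {
        "link": (src_mac, dst_mac),
        "network": (src_ip, dst_ip),
        "transport": (src_port, dst_port, seq),
        "application": segment[n:],
    }
```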
TCP/IP Model

- De facto standard for communications
- A direct result of Department of Defense efforts to require a protocol that could survive wartime situations and still communicate with other hosts via different communication media
- Has only four layers, compared to the seven layers of the OSI model

TCP/IP Model (Cont.)

OSI Model        TCP/IP Model
--------------   -----------------
Application      Application
Presentation     Application
Session          Application
Transport        Transport
Network          Internet
Data Link        Network Interface
Physical         Network Interface

TCP/IP Model (Cont.)

- The Application layer combines the application, presentation, and session layers of the OSI model
- The Transport layer is similar to that in the OSI model
- The Internet layer corresponds in form and function to the network layer of the OSI model
- The Network Interface layer combines the data link layer and physical layer of the OSI model

TCP/IP Model (Cont.)

- How data is transmitted on a network
- Switching networks:
  - Packet switching
  - Circuit switching
  - Message switching

Summary

- The operating system is the program that controls the basic functions of a computer
- The OS is the intermediary between the hardware and the software of a computer
- Two types of interfaces:
  - Command-line (CLI)
  - Graphical user (GUI)

Summary (Cont.)

- Functions basic to an OS:
  - File management
  - Memory management
  - Job management
  - Device management
  - Security management
- There are a variety of operating systems: Windows, UNIX/Linux, Macintosh, DOS

Summary (Cont.)

- Various file systems are used: FAT16, FAT32, NTFS, EXT, UFS, etc.
- The OSI model standardized the method of transmitting data on a network using a seven-layer approach:
  - Application, presentation, session, transport, network, data link, and physical

Summary (Cont.)

- The TCP/IP model consists of four layers:
  - Application, transport, Internet, network interface
- De facto standard on the Internet
- Two address schemes are used to transmit data across networks:
  - Logical addressing
  - Physical addressing