2.2 PC Introduction

---

Computer Systems

A computer system can be broken down into four layers.

1. User: The person or program that interacts with the computer

2. Applications: Software built on the operating system that allow for user interaction

3. Operating system: The software layer between application programs and the hardware

4. Device or computer hardware: The physical computer

When a user takes an action, the effects of that action trickles down to the other three layers. As a result, evidence of that action is generated at each layer.

An operating system is a type of system software that manages hardware and software resources on a computer. Common features of operating systems include:

• Process management

• Memory management

• File system

• Device drivers

• Networking

• Security

• Input-output (I/O)

A computer can be broken down into many parts, as shown in the diagram below. The most important parts of a computer for digital forensic practitioner are the drive bayes, RAM, and CPU.

Parts of a computer include the power supply, network cards, RAM, CPU, and peripherals. Source

We can check out information about a Windows system in the command line using the systeminfo command.

The output of systeminfo includes the various system information, including the operating system name and version.

A process is an instance of a computer program. On a multi-core computer, a process can create child processes as well. A process may be made up of multiple threads, or sub-tasks, of execution that execute instructions of the computer program concurrently.

Programs, processes and threads differ. Malware analysis can occur on the disk, in RAM, or using the program instructions. Source.

On Windows, the task manager allows us to view the processes associated with an application.

The task manager shows the Arc application, which has a "(37)" next to its name, and its associated processes in the drop down menu.

Computer Forensics Challenges

Computer forensics is difficult and complex because of technical complexities and ever-advancing technology. Computer forensics professionals works with different types and versions of operating systems, different types and versions of applications, and a variety of hardware. The need to analyze non-traditional devices such as Internet of Things (IoT) devices pose an additional challenge.

Computer forensics practitioners may work with malware, OS and application logs, memory, application processes, CPU execution, etc. With such a large quantity of varied information, we need to be able to collect, analyze, and verify evidence in a systematic manner.

Skilled computer forensic practitioners understand not only computer science and security, but also criminal justice and law.

Hard Disk Drives

A hard disk consists of a set of magnetic platters. Data is stored in the polarity of the platters.

Each platter, or plate, consists of a surface many tracks. A track is a concentric circle made of a ring of magnets. Each track can be subdivided into sections called a sector. All tracks with a certain radial distance from the center is called a cylinder.

The platters spin around, and the arm moves and reads data through its heads.

Hard disk drives consist of an arm assembly and stack of platters. Source.

Sectors

A sector is the minimum storage unit of a hard drive. Regardless of a file's actual size, files occupy an integral number of sectors.

We can calculate the number of sectors in a disk calculated as such:

$$numSectors = numTracks \cdot numHeads \cdot sectorsPerTrack$$

For example, if there are 400 sectors per track, 12 heads, and 17,000 tracks, then there are 8,1600,000 sectors.

We can calculate the size of a disk as such:

$$diskSize = numSectors \cdot bytesPerSector$$

For example, if each sector is 512 bytes and there are 8,1600,000, then the disk is 41779200000 bytes or 38.91GB. Notice that because we work in powers of 2, 1KB is 1024 bytes, not 1000. Likewise, 1MB is 1024KB, and 1GB is 1024MB.

Disk Partitions

A disk partition is a region of a disk. We can view partitions on a Windows device in Disk Management.

Partitions on a Windows computer can be viewed with Disk Management.

PC Boot Process

A PC boot sequence is governed by Basic Input/Output System (BIOS) ROM. BIOS parameters are stored in CMOS. A PC boot process includes these steps:

1. The computer runs the power-on self-test (POST).

2. Control passes to the Master Boot Record (MBR) partition table.

3. The MBR points to the boot record of a selected operating system.

4. The operating system takes control.

The MBR partition table is used by legacy BIOS systems. GUID Partition Table (GPT) is an alternative partition used by UEFI systems. While MBR allows for a maximum of 2TB, GPT allows for a maximum of 9.4ZB.

The GPT scheme is as follows:

The Primary GPT section of the scheme describes each partition while the Secondary GPT section of the scheme backs up the Primary GPT header and entries. Source.

File Systems

A file system is an operating system abstraction of storage. A file system how files are named, stored, and retrieved from a storage device. A file, really just a bunch of bytes, is a storage object and disk abstraction that is created and destroyed on demand.

We often think of file systems as a hierarchical tree where the nodes of the tree are directories, or folders, and files.

The Linux file system is organized in a hierarchical tree. Source.

Different operating systems use different file systems:

• Linux uses XFS, JFS, and btrfs.

• macOS uses the Hierarchical File System (HFS).

• Microsoft Windows uses File Allocation Table (FAT) and New Technology File System (NTFS).

There are many types of file systems. A virtual file system (VFS) allows clients applications to access different types of concrete file systems in a uniform way.

Up Next: Windows Command Line Tutorial

---

Home ⋅ Work ⋅ Thoughts