Computer System
Introduction
Overview
• Computer systems
• How do computers work?
• Why is computer forensics hard?
• Hard disk drives
• Calculate disk partitions
• PC boot process
• File Systems
Computer systems
Layers of a computer system
• Evidence is generated from each layer
• User activities = Applications + OS + Disk/Memory
https://windsongtraining.ca/the-technology-layer-cake-users-apps-os-and-hardware/
Parts of the computer
http://www.carnegiecyberacademy.com/facultyPages/computer/computers.html
Check system specification
How do computers work?
Program vs. Process vs. Thread
• a process is the instance of a computer program
• a process may be made up of multiple threads of execution that execute instructions concurrently.
Malware Analysis
https://en.wikipedia.org/wiki/Process_(computing)
Why is computer forensics hard?
• Technical difficulties
  • OS: different OS types, versions, and the complexity of the OS
  • Applications: many applications, and different versions of each application
  • Hardware: CPU, GPU, camera
  • Ever-advancing technology: e.g., database changes, SSD vs HDD, EV car
• A complex and connected world
  • IoT devices: Alexa, camera, Fitbit, smartphone
• Information explosion
  • too much information, different types of evidence
  • how to collect, analyze, and validate them systematically?
• Computer forensics is NOT only a computer science discipline
  • criminal justice, law, computer science, security
[Figure: analysis layers, from low level to high level: CPU execution analysis; malware analysis; dynamic analysis (application PID); OS logs, application logs, memory forensics]
Hard disk drives
Understand disk drives
https://regmedia.co.uk/2006/12/12/fujitsu_300gb_1.jpg
Abraham Silberschatz, Greg Gagne, and Peter Baer Galvin, "Operating System Concepts, Ninth Edition"
What is a disk sector?
• The sector is the minimum storage unit of a hard drive.
• Files occupy an integral number of sectors regardless of the file's actual size.
• # bytes per sector = 512
Bytes
• one byte = one character (ASCII)
https://i.imgur.com/26BalHW.png
Calculate the total sectors
• # sectors per track (S)
• # tracks (cylinders, C)
• # heads (H)
• # sectors on the disk = # cylinders (C) x # heads (H) x # sectors per track (S), i.e. the CHS geometry
• Example: no. of sectors per track: 400; no. of heads: 12; cylinders: 17000
• 17000 x 12 x 400 = 81600000 sectors
Calculate the size of a disk
• 1024 Bytes = 1 K
• 1024 K = 1 M
• 1024 M = 1 G
• How to compute the size of the disk:
  81600000 sectors * 512 bytes = 41779200000 bytes
  = 40800000 KB
  = 39843.75 MB
  = 38.91 G
What is a partition
https://www.maketecheasier.com/assets/uploads/2012/05/partitions-partition-diagram.png
Calculate the size of partitions
• Open WinHex
• List physical storage devices
• WinHex option setting: enable the Data Interpreter
• Master Boot Record:
  • 1980s
  • allows up to a maximum of 2 TB
• Show the position of the first sector: the 4 bytes at offset 0x01C6 of the MBR (bytes 8-11 of the first partition entry, which starts at 0x01BE) hold the starting LBA, stored little-endian
• Convert hex to decimal: (00000800)16 = (2048)10
• Show the size in total sectors in decimal: the 4 bytes at offset 0x01CA (bytes 12-15 of the same entry)
• Compute the partition size:
  83881984 sectors * 512 bytes per sector = 39.99 G
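The same two fields read without the WinHex template, as an added example that is not part of the slides: the MBR is constructed inline (partition 1 uses the slide's start LBA 2048 and 83881984 sectors; partition 2 is a made-up 10 GiB volume), and `parse_mbr` walks all four 16-byte entries from offset 0x1BE, checks the 55 AA boot signature, and converts the little-endian start LBA and sector count into a size in GiB.

```python
import struct

SECTOR = 512             # bytes per sector, as on the slides
TABLE_OFFSET = 0x1BE     # first of four 16-byte partition entries in the MBR
ENTRY_FMT = "<B3xB3xII"  # boot flag, (CHS start skipped), type, (CHS end skipped), start LBA, sector count


def has_boot_signature(sector: bytes) -> bool:
    """An MBR ends with the two bytes 55 AA at offsets 510-511."""
    return len(sector) >= SECTOR and sector[510:512] == b"\x55\xAA"


def parse_mbr(mbr: bytes) -> list:
    """Walk the partition table and return one dict per non-empty entry, with the size in GiB."""
    if not has_boot_signature(mbr):
        raise ValueError("missing 55 AA boot signature: not an MBR")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        # For entry 1 the start LBA sits at 0x1C6 and the sector count at 0x1CA:
        # the two little-endian dwords the WinHex Data Interpreter shows.
        boot, ptype, start_lba, num_sectors = struct.unpack_from(ENTRY_FMT, mbr, off)
        if ptype == 0:       # type 0x00 means the slot is unused
            continue
        parts.append({
            "index": i + 1,
            "bootable": boot == 0x80,
            "type": ptype,
            "protective_gpt": ptype == 0xEE,   # 0xEE = protective MBR in front of a GPT
            "start_lba": start_lba,
            "sectors": num_sectors,
            "end_lba": start_lba + num_sectors - 1,
            "size_gb": num_sectors * SECTOR / 1024 ** 3,
        })
    return parts


def _entry(boot, ptype, start_lba, num_sectors):
    return struct.pack(ENTRY_FMT, boot, ptype, start_lba, num_sectors)


# Constructed sample MBR (not a real disk image): partition 1 uses the slide's values,
# start LBA 0x00000800 = 2048 and 83881984 sectors; partition 2 is a made-up 10 GiB volume.
SAMPLE_MBR = (bytes(TABLE_OFFSET)
              + _entry(0x80, 0x07, 2048, 83881984)
              + _entry(0x00, 0x07, 2048 + 83881984, 20971520)
              + bytes(32)                 # entries 3 and 4 unused
              + b"\x55\xAA")

if __name__ == "__main__":
    for p in parse_mbr(SAMPLE_MBR):
        print(f"partition {p['index']}: LBA {p['start_lba']}-{p['end_lba']}, "
              f"{p['sectors']} sectors = {p['size_gb']:.2f} GiB, bootable={p['bootable']}")
```

Pointing the parser at the first 512 bytes of a real physical device dump gives the same numbers the slide reads off the template.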
GUID Partition Table: GPT
Why GPT
• MBR: 1980s
• Allow up to a maximum of 2 TB
• GPT: maximum size is 9.4 ZB
• 1ZB=1024TB
• Uses logical block addressing (LBA), which replaces CHS
Image: by Kbolino at English Wikipedia (transferred to Commons), CC BY-SA 2.5, https://commons.wikimedia.org/w/index.php?curid=3036588
• LBA 0 still holds a (protective) MBR for backward compatibility with MBR-only tools
• Describe each partition: each entry in the partition entry array
• Backup of the primary GPT header and entries at the end of the disk
• Starting LBA of the array of partition entries (always 2 in the primary copy)
• Why 0x400? LBA 2 x 512 bytes per sector = 1024 = 0x400, the byte offset at which the partition entry array begins
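An added example, not from the slides, that parses the primary GPT header at LBA 1 and shows where the 0x400 comes from: `build_gpt_header` constructs a header for a made-up 40 GiB disk with a made-up disk GUID (the entry-array CRC is left at 0 because no entry array is built), and `parse_gpt_header` checks the "EFI PART" signature, recomputes the header CRC32 over the header with its CRC field zeroed, and converts the entry-array LBA into a byte offset.

```python
import struct
import uuid
import zlib

SECTOR = 512
# GPT header layout (92 bytes, little-endian): signature, revision, header size, header CRC32, reserved,
# current LBA, backup LBA, first/last usable LBA, disk GUID, entry array LBA, # entries, entry size, array CRC32
GPT_HEADER_FMT = "<8sIIIIQQQQ16sQIII"


def parse_gpt_header(sector: bytes) -> dict:
    """Parse the primary GPT header found at LBA 1 and verify its CRC32."""
    (sig, _rev, hdr_size, hdr_crc, _res, cur_lba, backup_lba, first_usable, last_usable,
     guid, entries_lba, n_entries, entry_size, _entries_crc) = struct.unpack_from(GPT_HEADER_FMT, sector)
    if sig != b"EFI PART":
        raise ValueError("no 'EFI PART' signature: not a GPT header")
    # The header CRC covers the first header_size bytes with the CRC field itself zeroed.
    zeroed = sector[:16] + bytes(4) + sector[20:hdr_size]
    return {
        "header_crc_ok": zlib.crc32(zeroed) & 0xFFFFFFFF == hdr_crc,
        "current_lba": cur_lba,
        "backup_lba": backup_lba,                        # backup header lives in the last sector
        "first_usable_lba": first_usable,
        "last_usable_lba": last_usable,
        "disk_guid": str(uuid.UUID(bytes_le=guid)),
        "entries_lba": entries_lba,                      # always 2 in the primary copy
        "entries_byte_offset": entries_lba * SECTOR,     # 2 * 512 = 1024 = 0x400
        "entries_array_bytes": n_entries * entry_size,   # 128 * 128 = 16 KiB = 32 sectors
    }


def build_gpt_header(total_sectors: int, disk_guid: uuid.UUID) -> bytes:
    """Constructed sample primary header for a disk of total_sectors (not taken from a real disk)."""
    n_entries, entry_size, entries_lba = 128, 128, 2
    array_sectors = n_entries * entry_size // SECTOR    # 32
    first_usable = entries_lba + array_sectors          # 34
    backup_lba = total_sectors - 1
    last_usable = backup_lba - array_sectors - 1        # room for the backup array and header
    body = struct.pack(GPT_HEADER_FMT, b"EFI PART", 0x00010000, 92, 0, 0, 1, backup_lba,
                       first_usable, last_usable, disk_guid.bytes_le, entries_lba,
                       n_entries, entry_size, 0)        # entry-array CRC left 0: no array built
    crc = zlib.crc32(body) & 0xFFFFFFFF
    body = body[:16] + struct.pack("<I", crc) + body[20:]
    return body + bytes(SECTOR - len(body))


# Constructed 40 GiB disk (83886080 sectors) with a made-up GUID
SAMPLE_GPT = build_gpt_header(83886080, uuid.UUID("0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0"))
```

A failed header CRC on a real image is the first hint that the primary header is damaged and the backup copy at the last LBA should be read instead.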
PC booting process
Booting a computer
• Power up; the computer runs the power-on self-test (POST)
• Boot sequence governed by the BIOS (Basic Input/Output System) ROM
• BIOS parameters stored in CMOS
• Control passes to the Master Boot Record (MBR)
• MBR points to the boot record of the selected operating system: jump to the bootable partition
  • "system" volume = pre-loads the OS
  • "boot" volume = loads the OS
• Operating system takes control
http://www.c-jump.com/CIS24/Slides/Booting/Booting.html
https://i2.wp.com/neosmart.net/wiki/wp-content/uploads/sites/5/2015/01/Master-Boot-Record.png?resize=1024%2C416&ssl=1
Open Physical Devices
Show MBR
Show MBR details using the template
Another example of MBR details using the template, for a disk that contains multiple partitions
File Systems
Files and File Systems
• A file
  • is a collection of correlated information
  • which is recorded on secondary or non-volatile storage like magnetic disks, optical disks, and tapes.
• A file system
  • defines how files are named, stored, and retrieved from a storage device.
http://home.easy-key.info/images/stories/file_structure.gif
File systems and operating systems
• Unix and Unix-like operating systems
  • Linux: extended file system (ext), XFS, JFS, and btrfs
  • Solaris
  • macOS:
    • HFS+ (Hierarchical File System Plus): no support for dates beyond February 6, 2040
• Microsoft Windows
  • FAT: File Allocation Table
  • NTFS: New Technology File System
Assignment
• Verify the size of partitions 1 and 2
• Record your verification process
• Requirements:
  • Without using templates
  • Compute the size in GB