Chapter 6 Working with Windows and DOS Systems.pdf

《Chapter 6 Working with Windows and DOS Systems.pdf》由会员上传分享，免费在线阅读，更多相关内容在学术论文-天天文库。

1、10-10-2008Objectives•ExplainthepurposeandstructureoffilesystemsGuidetoComputerForensics•DescribeMicrosoftfilestructuresandInvestigations•ExplainthestructureofNewTechnologyFileSystem(NTFS)disksThirdEditionThirdEdition•Listsomeoptionsfordecryptingdrivesencryptedwithwhole

2、diskencryptionChapter6WorkingwithWindowsandDOSSystemsGuidetoComputerForensicsandInvestigations2Objectives(continued)UnderstandingFileSystems•ExplainhowtheWindowsRegistryworks•Filesystem•DescribeMicrosoftstartuptasks–GivesOSaroadmaptodataonadisk•DescribeMS-DOSstartuptas

3、ks•TypeoffilesystemanOSusesdetermineshow•Exppplainthepurpposeofavirtualmachinedataisstoredonthedisk•AfilesystemisusuallydirectlyrelatedtoanOS•Whenyouneedtoaccessasuspect’scomputertoacquireorinspectdata–Youshouldbefamiliarwiththecomputer’splatformGuidetoComputerForensic

4、sandInvestigations3GuidetoComputerForensicsandInvestigations4UnderstandingtheBootSequenceUnderstandingtheBootSequence•ComplementaryMetalOxideSemiconductor•Bootstrapprocess(CMOS)–ContainedinROM,tellsthecomputerhowto–Computerstoressystemconfigurationanddateandproceedtime

5、informationintheCMOS–Displaysthekeyorkeysyoupresstoopenthe•WhenpowertothesystemisoffWhenpowertothesystemisoffCMOSsetupscreenCMOSsetupscreen•BasicInput/OutputSystem(BIOS)•CMOSshouldbemodifiedtobootfromaforensic–ContainsprogramsthatperforminputandoutputatfloppydiskorCDth

6、ehardwarelevelGuidetoComputerForensicsandInvestigations5GuidetoComputerForensicsandInvestigations6110-10-2008UnderstandingtheBootSequenceUnderstandingDiskDrives•Diskdrivesaremadeupofoneormoreplatterscoatedwithmagneticmaterial•Diskdrivecomponents–Geometry–Head–Tracks–Cy

7、linders–SectorsGuidetoComputerForensicsandInvestigations7GuidetoComputerForensicsandInvestigations8GuidetoComputerForensicsandInvestigations9GuidetoComputerForensicsandInvestigations10UnderstandingDiskDrives(continued)ExploringMicrosoftFileStructures•Propertieshandleda

8、tthedrive’shardwareor•InMicrosoftfilestructures,sectorsaregroupedtofirmwarelevelformclusters–Zonedbitrecording(ZBR)–S