Booting Process

In the following chapters of this book, we are going to discuss where data reside on a disk and which data are essential for the operation of the computer. Many times, I will refer to boot code, which are machine instructions used by the computer when it is starting. This section describes the boot process and where boot code can be found. Many disks reserve space for boot code, but do not use it. This section will help you to identify which boot code is being used.

Central Processing Units and Machine Code

The heart of a modern computer is one or more Central Processing Units (CPU). Example CPUs are the Intel Pentium and Itanium, AMD Athlon, Motorola PowerPC, and Sun UltraSPARC. CPUs by themselves are not very useful because they do only what they are told. They are similar to a calculator. A calculator can do amazing things, but a human needs to be sitting in front of it and entering numbers.

CPUs get their instructions from memory. CPU instructions are written in machine code, which is difficult to read and not user-friendly. It is, in general, two levels below the C or Perl programming languages that many people have seen. The level in between is an assembly language, which is readable by humans but still not very user-friendly.

I will briefly describe machine code so that you know what you are looking at when you see machine code on a disk. Each machine code instruction is several bytes long, and the first couple of bytes identify the type of instruction, called the opcode. For example, the value 3 could be for an addition instruction. Following the opcode are the arguments to the instruction. For example, the arguments for the addition instruction would be the two numbers to add.

We do not really need much more detail than that for this book, but I will finish with a basic example. One of the machine instructions is to move values into registers of the CPU. Registers are places where CPUs store data. An assembly instruction to do this is MOV AH,00 where the value 0 is moved into the AH register. The machine code equivalent is the hexadecimal value 0xB400 where B4 is the opcode for MOV AH and 00 is the value, in hexadecimal, to move in. There are tools that will translate the machine code to the assembly code for you, but as you can see, it is not always obvious that you are looking at machine code versus some other random data.

Boot Code Locations

We just discussed that the CPU is the heart of the computer and needs to be fed instructions. Therefore, to start a computer, we need to have a device that feeds the CPU instructions, also known as boot code. In most systems, this is a two-step process where the first step involves getting all the hardware up and running, and the second step involves getting the OS or other software up and running. We will briefly look into boot code because all volume and file systems have a specific location where boot code is stored, and it is not always needed.

When power is applied to a CPU, it knows to read instructions from a specific location in memory, which is typically Read Only Memory (ROM). The instructions in ROM force the system to probe for and configure hardware. After the hardware is configured, the CPU searches for a device that may contain additional boot code. If it finds such a device, its boot code is executed, and the code attempts to locate and load a specific operating system. The process after the bootable disk is found is platform-specific, and I will cover it in more detail in the following chapters.

As an example, though, we will take a brief look at the boot process of a Microsoft Windows system. When the system is powered on, the CPU reads instructions from the Basic Input / Output System (BIOS), and it searches for the hard disks, CD drives, and other hardware devices that it has been configured to support. After the hardware has been located, the BIOS examines the floppy disks, hard disks, and CDs in some configured order and looks at the first sector for boot code. The code in the first sector of a bootable disk causes the CPU to process the partition table and locate the bootable partition where the Windows operating system is located. In the first sector of the partition is more boot code, which locates and loads the actual operating system. We can see how the various components refer to each other in Figure 2.7.

Figure 2.7. The relationship among the various boot code locations in an IA32 system.

In the Windows example, if the boot code on the disk were missing, the BIOS would not find a bootable device and generate an error. If the boot code on the disk could not find boot code in one of the partitions, it would generate an error. We will examine each of these boot code locations in the following chapters.

Part I: Foundations

Digital Investigation Foundations

Computer Foundations

Hard Disk Data Acquisition

Part II: Volume Analysis

Volume Analysis

PC-based Partitions

Server-based Partitions

Multiple Disk Volumes

Part III: File System Analysis

File System Analysis

FAT Concepts and Analysis

FAT Data Structures

NTFS Concepts

NTFS Analysis

NTFS Data Structures

Ext2 and Ext3 Concepts and Analysis

Ext2 and Ext3 Data Structures

UFS1 and UFS2 Concepts and Analysis

UFS1 and UFS2 Data Structures

Summary

Bibliography

Bibliography

show all menu





File System Forensic Analysis
File System Forensic Analysis
ISBN: 0321268172
EAN: 2147483647
Year: 2006
Pages: 184
Authors: Brian Carrier
Similar book on Amazon

Flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net