Once you have a good inventory of the I/O devices on the network and have identified what kind of unapproved devices you might encounter, you need to look at what operating systems are in use throughout the organization. It used to be that you would find only one type of operating system on a network. With the advent of mobile computing, Internet business, and corporate mergers, networks have become more complex. Typical computer examinations must adhere to the fast-changing and diverse world in which computer forensic science examiners are required to work. Before you can begin your forensic investigation, you have to be familiar with the various operating systems you might encounter.
Not only do different operating systems exist, but each operating system has different versions, such as server and workstation, and new releases. How you handle and extract information from a computer running Linux will be very different from how you handle and extract information from a Windows computer.
Acts as a director and interpreter between the user and all the software and hardware on the computer.
Although you probably won't find it in use anymore, Microsoft's first attempt at a graphical operating system was Microsoft Windows 1. The versions that followed, Windows 3.1, Windows 3.11, and Windows for Workgroups 3.11, were used in the early 1990s, prior to the creation of Windows 95. In 1993, Windows NT was released. The 'NT' stands for 'New Technology.' Windows NT was specifically designed for the corporate environment and intended for use on high- powered servers and workstations. In 1995, Microsoft introduced Windows 95, which was a significant improvement over Windows 3. x and was Microsoft's first truly consumer-oriented graphical operating system for PCs. NT came into its own with Windows NT 4, which was released in 1996 and became quite popular in the late 1990s. Then came Windows 98, followed by Windows 2000 and Windows Me (Millennium Edition). Microsoft's latest release for workstations is Windows XP and Windows Server 2003 for servers. The most common Microsoft systems you will encounter are Windows 98, Windows 2000, and Windows XP.
The Unix operating system was originally created at AT&T's Bell Laboratories and licensed freely to most universities and research facilities. Unix was designed to allow a number of programmers to simultaneously access a single computer and share its resources. The operating system coordinates the use of the computer's resources, and it controls all of the commands from all of the keyboards and all of the data being generated. It permits each user to work as if he or she were the only person working on the computer.
Bell Labs distributed the operating system in its source language form. By the end of the1970s, dozens of different versions of Unix had been developed. The success of the Unix operating system has led to many of the technologies which today are part of the IT environment. Although Unix is usually installed on mainframes, versions of Unix have found their way into the PC world. Some of the different versions available are BSD, HP-UX, SCO, IBX AIX, Sun Solaris, and Digital.
Linux is a Unix-like operating system that was written by Linus Torvalds in 1991. Originally named Freax, it was hosted on the Minix operating system. Linux is an open source operating system, meaning that the code is readily available. This availability has allowed thousands of people to contribute patches, fixes, and improvements. Installing Linux has become easier as the versions and products have evolved. The earlier versions were all text-based and, frequently, hardware support had to be compiled into the kernel. Newer versions have graphical-based installations, making the process much less complicated. Various versions of Linux are available. Some of the more popular ones are Mandrake, SuSE, Caldera, MkLinux, Debian, Slackware, and Red Hat. You will probably encounter Red Hat most often.
Apple introduced the Macintosh line of personal computers in 1984. The first Macintosh, or Mac for short, had 128KB of memory and a unique design. The monitor and floppy disk drive were built into the same cabinet that housed its main circuitry . In 1994, Apple introduced the PowerMac. In 1998, the third generation of Macs was born with the release of the iMac. Early versions of the operating system were called System x.x , where x.x was the version number. With the release of Mac OS 8, however, Apple dropped the word 'System.' Now the versions are simply known as Mac OS with the version number. The most current version is OS X, which is based on the Unix BSD operating system. Macs are mostly used for high-end users and graphic or drawing applications, such as CAD. You might encounter Mac OS 8, 9, and X.
The first operating system used on the earliest IBM PCs was called the Disk Operating System (DOS). Microsoft's version of DOS is the most common one and is called MS-DOS. Those of you who have been around the computing environment for a while might remember that IBM Corporation also produced a DOS product called PC-DOS. If you run into a DOS machine, you probably won't find a mouse and you certainly won't find a colorful screen. To run a DOS operating system, you issue commands at a prompt on the screen.
Linspire, formerly Lindows, is a full-featured operating system like Microsoft Windows XP or Apple Mac. It will run Windows applications on top of Linux so they appear as they would on Windows 98, NT, and XP.
In the early 1990s, IBM and Microsoft joined forces to create OS/2. Microsoft and IBM created OS/2 with high hopes that it would revolutionize the PC desk- top by replacing DOS. OS/2 took longer to develop than originally planned, and Microsoft left IBM. IBM continues developing OS/2 to make improvements to its functionality and performance.
BeOS takes up less space than other modern operating systems, such as Mac OS and Windows, but it has a user-friendly graphical user interface (GUI). It is made by a company called Be, Inc. It's very fast, and extremely stable. On most computers, it boots in less than 15 seconds.
The operating systems used by PDAs are not as complex as those used by PCs. PDAs typically have one of two types of operating systems: 3Com's Palm OS or Microsoft Windows CE, which is now called PocketPC. PocketPC is a Microsoft product that supports color displays, graphics, Word, Excel, and built-in MP3 players or MPEG movie players. Palm OS 5 has been available to customers for almost two years . Palm OS Garnet, an enhanced version of Palm OS 5, supports a broad range of screen resolutions , a dynamic input area, improved network communication, and Bluetooth.
Filesystems interact with the operating system so that the operating system can find files requested from the hard disk. The filesystem keeps a table of contents of the files on the disk. When a file is requested , the table of contents is searched to locate and access the file.
The operating system's method of organizing, managing, and accessing files through logical structuring on the hard drive.
To understand this better, let's take a quick look at hard disks. The hard disk on which an operating system is installed is broken into large pieces called clusters or allocation units . Each cluster contains a number of sectors. A disk partition contains the sectors. Without additional support, each partition would be one large unit of data. Operating systems add a directory structure to assign names to each file and manage the free space available to create new files. The directory structure and method for organizing a partition is called a filesystem. Different filesystems reflect different operating system requirements. Some work better on small machines; others work better on large servers. The same hard disk can have partitions with filesystems belonging to DOS, NT, or Linux. When more than one filesystem type is installed on a hard drive, this is called a multi- boot or dual-boot configuration .
The filesystem keeps a table of contents of the files on the drive. When a file is requested, the table of contents is searched to locate and access the file. One of the most common filesystems is File Allocation Table (FAT). Each cluster has an entry in the FAT that describes how it is used. The operating system uses the FAT entries to chain together clusters that form files. In the 1970s, PC filesystems were designed to support floppy disks. Hard disk support came a little later. DOS uses the FAT filesystem, which is also supported by all other DOS- and Windows-based operating systems. Early versions of DOS used FAT12. The FAT system for later versions of DOS and older versions of Windows 95 is called FAT16. It is simple, reliable, and uses little storage. The FAT is stored at the beginning of the partition to act as the table of contents. To protect the partition, two copies of the FAT are kept in the event that one becomes damaged. The FAT structure doesn't have a lot of organization; files are given the first open location on the disk.
File Allocation Table (FAT)
A simple filesystem used by DOS, but supported by later operating systems. The FAT resides at the beginning of a disk partition and acts as a table of contents for the stored data.
Virtual FAT (VFAT) is an enhanced version of the FAT filesystem. This file- system is also called FAT32, and it is available in Windows 95 and early versions of Windows NT. It allows files to have longer names than the 8.3 convention adopted by DOS. FAT32 also accommodates the use of smaller allocation units on a disk.
Virtual FAT (VFAT)
Also called FAT32, an enhanced version of the FAT filesystem that allows for names longer than the 8.3 convention and uses smaller allocation units on the disk.
New Technology File System (NTFS) was developed expressly for versions of Windows NT and Windows 2000. Windows NT supports NTFS 4 and Windows 2000 and higher support NTFS 5. Only Windows NT and higher Windows operating systems can use data on an NTFS volume. NTFS organizes files into directories, which are then sorted. It also keeps track of transactions against the filesystem, making it a recoverable filesystem. The following graphic shows a copy of the file structure on a Windows XP computer.
New Technology File System (NTFS)
A file system supported by Windows NT and higher Windows operating systems.
Notice the lines on the left side of the screen. Those lines indicate how many directories deep you are.
Unix has been around for decades, making it the oldest of all filesystems used on PC hardware. Unix filesystems are also probably the most different from the other filesystems used on PCs. The Unix filesystem is organized as a hierarchy of directories starting from a single directory called root, which is represented by a slash ( / ). Unix looks at all disks and storage devices as part of one filesystem. All of the Linux files are in one tree; there is no concept of drives such as A, C, and D. Storage devices are linked to the directory structure. In other words, a floppy disk may be accessed at /mnt/floppy and a CD-ROM on / cdrom . Any subdirectories that are created use the storage space assigned to their parent directory-unless they are assigned their own storage space. Filesnames are case sensitive. TEST and test are two different files.
High-Performance File System (HPFS) was designed for the OS/2 operating system to allow greater access to larger hard drives. HPFS maintains the directory organization of FAT, but it adds automatic sorting of the directory based on filenames. HPFS also includes two unique special data objects called super block and spare block. The super block contains a pointer to the root directory, and the spare block is used for hot fixing bad sectors.
High-Performance File System (HPFS)
A filesystem designed for the OS/2 operating system. HPFS automatically sorts the directory based on the filename, and it includes the super block and spare block.
If the super block is lost or corrupted due to a bad sector, the contents of the partition are also lost, even if the rest of the drive is fine.
The Linux operating system supports multiple different filesystems. To enable the upper levels of the core of the operating system to deal with these filesystems, Linux defines an intermediary layer, known as the Virtual Filesystem (VFS). Just as in Unix, there are no drive letters in Linux. Instead, Linux creates a virtual file- system, which makes all the files on all the devices appear to exist on one device. In Linux, just as in Unix, there is one root directory, and every file you can access is located under it.
Second/Third Extended Filesystems (ext2/ext3)
State-based filesystems used by the Linux operating system.
Second/Third Extended Filesystems (ext2/ext3) are state-based filesystems. This means the filesystem maintains the state of all open files in memory. All open files have entries in data structures in memory. Beginning with the release of Red Hat Linux 7.2, the default filesystem changed from the ext2 format to the journaling ext3 filesystem. The ext3 filesystem is an enhanced version of the ext2 filesystem. It keeps logs and checkpoints for all the transactions so that a filesystem check is no longer necessary after an unclean system shutdown. This way, if a system crashes, it can restore the filesystem using the logs.
Network File System (NFS) was originally developed by Sun Microsystems in the 1980s as a way to create a filesystem on diskless clients . NFS provides remote access to shared filesystems across networks. The primary function of NFS is to mount directories to other computers. These directories can then be accessed as though they were local. This works the same way that mapped drives work in Microsoft networking.
Network File System (NFS)
Provides remote access to shared file systems across networks. The primary function of NFS is to mount directories to other computers. These directories can then be accessed as though they were local.
The BeOS operating system is designed to use its own filesystem, called the BeOS File System (BFS , or sometimes BeFS). Its primary strength is that it has the built-in capability to access other filesystems such as FAT12, FAT16, VFAT, and HPFS partitions. Support for FAT32 and NTFS partitions has been added with the appropriate drivers.
BeOS File System (BFS)
Designed for the BeOS, BFS has the builtin capability to work with FAT 12, FAT 16, VFAT, and HPFS partitions.
The challenge to computer forensic scientists is to develop methods and techniques that provide valid and reliable results while preserving evidence and preventing harm to information. You need to have procedures and tools in place so that you can more easily collect the evidence you need.
What happens if a system is set up to log every event imaginable? The system's hard drive space will fill up, and someone will have to weed through all the collected information to figure out which events really can help an investigation. Having good procedures in place and conducting proper maintenance of your tools will help make the forensic process run more smoothly.
For computer forensic science to be effective, it must be driven by information discovered during an investigation. Many systems currently have 60GB or higher capacity hard disks. From a practical standpoint, it could be impossible to examine every file stored on a seized computer system. It could be equally difficult for law enforcement personnel to sort through, read, and comprehend the amount of information contained within files on today's huge systems. So, we will take a look at some tools that can help you with this enormous task.
Eventually, you will work with a forensic toolkit. For now, let's look at the tools that are already installed on most operating systems. These are tools that you can readily take advantage of and use. All operating systems come with the ability to log events. Because Windows XP is a popular operating system these days, we'll look at how it logs events.
Event Viewer allows you to audit certain events. Event Viewer maintains three log files: one for system processes, one for security information, and one for applications. The following graphic was captured on a Windows XP computer. In Windows 2000 Server and Windows Server 2003, you will also find directory services, DNS server, and file replication logs.
Auditing is the process of tracking users and their actions on a network. You should audit access use and rights changes to prevent unauthorized or unintentional access by a guest or restricted user account. This will prevent access to sensitive or protected resources. How much you should audit depends on how much information you want to store. Keep in mind that auditing should be a clear-cut plan built around goals and policies.
The process of keeping track of who is logging in and accessing what files.
When deciding what to audit, first identify potential resources at risk within your networking environment. These resources might typically include sensitive files, financial applications, and personnel files. After the resources are identified, set up the audit policy through the operating system tools. It can be useful to monitor successful as well as failed access attempts. Failure events allow you to identify unauthorized access attempts; successful events can reveal an accidental or intentional escalation of access rights.
Each operating system will have its own method for tracking and logging access. Auditing is resource intensive and can easily add an additional 25 percent load on a server. Make time to view the logs. Log files won't help protect against a system compromise if an intrusion is recorded in your logs and you don't read the logs for the next six months. Most operating systems produce log files in text file format. Viewing data graphically is much easier than interpreting text. If possible, import the log files into some type of database.
Auditing can be as simple or as complex as you want to make it. Regardless of the plan you devise , be consistent.
Most operating systems also have built-in utilities for tracking the address of a computer and tracing the route it takes to get to a destination on the Internet. This type of information can be of significant importance when internal users are causing malicious activity. With the advent of business-to-business activities, using tracking utilities is also a good way to know when employees are accessing the sites of business partners .
This section discussed tools that are already in place to track information traveling across a network. After you obtain this information, how can you use it? Can you accuse an employee of hacking based on the information that you have gathered? This type of question falls under the scope of knowing your legal limits, so let's move on and see what you can and cannot do with this information.