Blog Feed

CHFI

Learn All About Linux File Systems

This blog explains Linux file system architecture, the Filesystem Hierarchy Standard (FHS), the Extended File System (EXT), the Second Extended File System (EXT2), etc.

Linux uses different file systems to store data. Because investigators may find that the attack source or the victim system runs Linux, they should have comprehensive knowledge of the storage methods it employs. The following section gives a deep insight into the various Linux file systems and their storage mechanisms.

Linux File System Architecture

The Linux file system architecture consists of two parts, namely:

  • User Space: The protected memory area where the user processes run; this area contains the available memory.
  • Kernel Space: The memory space where the system supplies all kernel services through kernel processes. Users can access this space only through a system call. A user process turns into a kernel process only when it executes a system call.

Related Product : Computer Hacking Forensic Investigator | CHFI

The GNU C Library (glibc) sits between the User Space and Kernel Space and provides the system call interface that connects the kernel to the user-space applications.

The Virtual File System (VFS) is an abstract layer residing on top of a complete file system. It allows client applications to access various file systems. Its internal architecture consists of a dispatching layer, which provides file system abstraction, and numerous caches that enhance the performance of file system operations.

The main objects managed dynamically in the VFS are the dentry and inode objects, which are cached to enhance file system access speed. Once a user opens a file, the dentry cache fills with entries that represent the directory levels, which in turn represent the path. The system also creates an inode for the object that represents the file. The system builds the dentry cache using a hash table and allocates the dentry cache entries from the dentry_cache slab allocator. The system uses a least-recently-used (LRU) algorithm to prune the entries when memory is scarce.

The inode cache acts as two lists and a hash table for quick look up. The first list defines the used inodes and the unused ones are positioned in the second list. The hash table also stores the used inodes.

Device drivers are pieces of code linked with every physical or virtual device; they help the OS manage the device hardware. Functions of the device drivers include setting up hardware, getting the related devices in and out of service, getting data from hardware and giving it to the kernel, transferring data from the kernel to the device, and identifying and handling device errors.

Filesystem Hierarchy Standard (FHS)

Linux is a single hierarchical tree structure, representing the file system as one single entity. It supports many different file systems. It implements a basic set of common concepts, developed for UNIX. Some of the Linux file system types are minix, Filesystem Hierarchy Standard (FHS), ext, ext2, ext3, xia, msdos, umsdos, vfat, /proc, nfs, iso 9660, hpfs, sysv, smb, and ncpfs. Minix was Linux’s first file system.

The following are some of the most popular file systems:

Filesystem Hierarchy Standard (FHS)

The Filesystem Hierarchy Standard (FHS) defines the directory structure and its contents in Linux and Unix-like operating systems. In the FHS, all files and directories are present under the root directory (represented by /).

Extended File System (EXT)

The Ext file system, released in April 1992, is the first file system developed for Linux. It came as an extension of the Minix file system and to overcome some of its limitations such as 64 MB partition size and short file names. The Ext file system provides a maximum partition size of 2 GB and a maximum file name size of 255 characters. The major limitation of this file system was that it did not offer support for separate access, inode modification, and data modification timestamps. It kept an unsorted list of free blocks and inodes, and fragmented the file system.

Ext has a metadata structure inspired by the Unix File System (UFS). Other drawbacks of this file system include only one timestamp and linked lists for free space, which resulted in fragmentation and poor performance. The second extended file system (Ext2) replaced it.

Second Extended File System (EXT2)

Remy Card developed the second extended file system (ext2) as an extensible and powerful file system for Linux. Being the most successful file system so far in the Linux community, Ext2 is the basis for all of the currently shipping Linux distributions.

Read More : https://info-savvy.com/learn-all-about-linux-file-systems/


This Blog Article is posted by

Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092

Contact us – www.info-savvy.com

CHFI

New Technology File System (NTFS) – an Overview

This blog explains the New Technology File System. NTFS (NT file system) is the file system that the Windows NT operating system uses for storing and retrieving files on a hard disk.

New Technology File System (NTFS) is one of the latest file systems supported by Windows. It is a high-performance file system, which repairs itself; it supports several advanced features such as file-level security, compression, and auditing. It also supports large and powerful volume storage solutions such as self-recovering disks.

NTFS provides data security as it has the capability to encrypt or decrypt data, files, or folders. NTFS uses a 16-bit Unicode character set for naming files and folders. This attribute of NTFS allows users around the world to manage their files in their native languages. It also provides fault tolerance for the file system. If the user makes any modifications or changes to the files, NTFS makes a note of all changes in specific log files. If the system crashes, NTFS uses these log files to restore the hard disk to a reliable condition with minimal data loss. NTFS also provides the concept of metadata and master file tables. Metadata contains the information about the data stored in the computer. A master file table also contains the same information in a tabular form, but its capacity to store data in its table is comparatively less.

NTFS uses the Unicode data format. NTFS has many versions, and they are as follows:

  • v1.0 (found in Windows NT 3.1), v1.1 (Windows NT 3.5), and v1.2 (Windows NT 3.51 and Windows NT 4)
  • v3.0, found in Windows 2000
  • v3.1, found in Windows XP, Windows Server 2003, Windows Vista, and Windows 7
  • These final three versions are sometimes referred to as v4.0, v5.0, and v5.1

Features of NTFS include

  • Uses b-tree directory scheme to store information about file clusters
  • Stores the information about a file’s clusters and other data within the cluster
  • Supports files up to 16 billion bytes in size approximately
  • An access control list (ACL) allows the server administrator to access specific files
  • Integrated file compression
  • Data security on both removable and fixed disks

NTFS Architecture

At the time of formatting the volume of the file system, the system creates a Master Boot Record. It contains some executable code called the master boot code and information about the partition table for the hard disk. When a new volume is mounted, the Master Boot Record runs the executable master boot code. It also transfers control to the boot sector on the hard disk, which allows the server to boot the operating system on the file system of that particular volume. Components of the NTFS architecture are as follows:

  • Hard disk: It contains one or more partitions
  • Master Boot Record: It contains executable master boot code that the computer system BIOS loads into memory; this code is used to scan the Master Boot Record to locate the partition table to find out which partition is active/bootable
  • Boot sector: It is a bootable partition that stores data related to the layout of the volume and the file system structures
  • dll: It reads the contents of the Boot.ini file
  • sys: It is a computer system file driver for NTFS
  • Kernel mode: It is the processing mode that permits the executable code to have direct access to all the system components
  • User mode: It is the processing mode in which an executable program or code runs

NTFS System Files

NTFS has many system files, stored in the root directory of the NTFS volume, that store file system metadata.

NTFS Partition Boot Sector

In an NTFS volume, the system allocates the first 16 sectors to the boot metadata file and the next 15 sectors to the boot sector's initial program loader (IPL). The first sector, which is a boot sector, contains the bootstrap including the file system type, size, and location of NTFS data. The last sector contains an extra copy of the boot sector in order to increase file system reliability.

The following instance demonstrates the boot sector of an NTFS volume formatted on Windows 2000. The layout has three parts, and they are as follows:

  • Bytes 0x00-0x0A constitute the jump instruction and the OEM ID
  • Bytes 0x0B-0x53 are the BIOS parameter block (BPB) and the extended BPB
  • The remaining code is the bootstrap code and the end of the sector marker
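The three-part layout above can be decoded with a short parser. The following is an added example, not code from the original article; the function names and the sample sector are constructed for illustration, and the BPB field offsets are the standard NTFS ones.

```python
import struct

SECTOR_SIZE = 512


def parse_ntfs_boot_sector(sector: bytes) -> dict:
    """Split an NTFS boot sector into its three regions and decode the BPB."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need the full 512-byte boot sector")

    # Region 1: bytes 0x00-0x0A, jump instruction (3 bytes) + OEM ID (8 bytes)
    jump, oem_id = sector[0x00:0x03], sector[0x03:0x0B]

    # Region 2: bytes 0x0B-0x53, BPB and extended BPB (little-endian fields)
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector, 0x0B)
    media_descriptor = sector[0x15]
    hidden_sectors = struct.unpack_from("<I", sector, 0x1C)[0]
    total_sectors, mft_lcn, mftmirr_lcn = struct.unpack_from("<QQQ", sector, 0x28)
    record_raw = struct.unpack_from("<b", sector, 0x40)[0]
    serial = struct.unpack_from("<Q", sector, 0x48)[0]

    # Region 3: bootstrap code from 0x54, closed by the end-of-sector marker
    bootstrap, marker = sector[0x54:0x1FE], sector[0x1FE:0x200]

    cluster_size = bytes_per_sector * sectors_per_cluster
    # A negative value encodes the file record size as 2**abs(value) bytes.
    if record_raw < 0:
        record_size = 2 ** (-record_raw)
    else:
        record_size = record_raw * cluster_size

    # Sanity checks an examiner would make before trusting the BPB values.
    issues = []
    if oem_id != b"NTFS    ":
        issues.append("OEM ID is not 'NTFS    '")
    if marker != b"\x55\xaa":
        issues.append("end-of-sector marker 0x55AA missing")
    if cluster_size == 0:
        issues.append("BPB reports a zero cluster size")

    return {
        "jump": jump.hex(),
        "oem_id": oem_id.decode("ascii", "replace"),
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "cluster_size": cluster_size,
        "media_descriptor": media_descriptor,
        "hidden_sectors": hidden_sectors,
        "total_sectors": total_sectors,
        "mft_byte_offset": mft_lcn * cluster_size,
        "mftmirr_byte_offset": mftmirr_lcn * cluster_size,
        "file_record_size": record_size,
        "volume_serial": f"{serial:016X}",
        "bootstrap_length": len(bootstrap),
        "issues": issues,
    }


def build_sample_sector() -> bytes:
    """Constructed sample: values are illustrative, not taken from a real disk."""
    s = bytearray(SECTOR_SIZE)
    s[0x00:0x03] = b"\xeb\x52\x90"                 # jump instruction
    s[0x03:0x0B] = b"NTFS    "                     # OEM ID
    struct.pack_into("<HB", s, 0x0B, 512, 8)       # 512-byte sectors, 8 per cluster
    s[0x15] = 0xF8                                 # media descriptor: fixed disk
    struct.pack_into("<I", s, 0x1C, 2048)          # hidden sectors
    struct.pack_into("<QQQ", s, 0x28, 8388607, 786432, 2)
    struct.pack_into("<b", s, 0x40, -10)           # 2**10 = 1024-byte records
    struct.pack_into("<Q", s, 0x48, 0x1122334455667788)
    s[0x1FE:0x200] = b"\x55\xaa"                   # end-of-sector marker
    return bytes(s)


if __name__ == "__main__":
    for key, value in parse_ntfs_boot_sector(build_sample_sector()).items():
        print(f"{key:22} {value}")
```
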

Read More : https://info-savvy.com/new-technology-file-system-ntfs-an-overview/



ISO 27001

ISO 27001 Annex : A.18.1.3, A.18.1.4 and A.18.1.5

This article explains the ISO 27001 Annex controls A.18.1.3 Protection of Records, A.18.1.4 Privacy and Protection of Personally Identifiable Information, and A.18.1.5 Regulation of Cryptographic Controls.

A.18.1.3 Protection of Records

Control- Records shall, in accordance with legislative, regulatory, contractual, and business requirements, be protected from loss, destruction, falsification, unauthorized access, and unauthorized release.

Implementation Guidance- The related classification based on the organization’s classification scheme is to be taken into account when determining whether to secure relevant organizational documents. Records should be categorized into record types, such as accounting records, database records, transaction records, audit logs, and operating procedures, each with details on retention periods and the type of media permitted for storage, such as paper, microfiche, magnetic, or optical. Any associated encryption keys and programs related to encrypted records or digital signatures (see Clause 10) must also be stored so that records can be decrypted for the period of time during which they are kept.

The possibility of deterioration of the media used for record storage should be taken into consideration. Storage and handling procedures should be implemented in accordance with the manufacturer’s recommendations.

When electronic storage media are selected, procedures should be developed to ensure access to the data (both media and format readability) over the retention period, in order to protect against loss due to potential technical changes.

Related Product : ISO 27001 Lead Auditor Training And Certification ISMS

Data storage systems should be chosen so that the required data can be recovered in an acceptable time and format, depending on the requirements to be fulfilled.

The storage and handling system should, if appropriate, ensure that records and their retention periods are identified as specified in national or regional laws. After that period, if records are not required by the organization, this system should allow appropriate destruction.

The following steps should be taken by an organization in order to achieve these record safeguarding goals:

  1. Guidelines should be provided with regard to documents and information processing, storage, handling and disposal;
  2. A schedule for retention of records and the period for which they should be retained should be defined.
  3. An inventory of main information sources should be maintained.

Other Information- Those documents need to be maintained safely to satisfy legislative, regulatory, or contractual requirements and to maintain key business operations. Examples include documents that might be necessary to show the legislative or regulatory operation of an entity to protect it from the potential civil or criminal acts of the public and to clarify to shareholders, external parties, and auditors the financial position of an organization. The period of time and data content for the retention of information may be determined by national law or regulation. More information on organizational record management is available in ISO 15489.

Also Read : ISO 27001 Annex : A.18 Compliance

A.18.1.4 Privacy and Protection of Personally Identifiable Information

Control- Privacy and protection of personal data should be guaranteed, as required, in applicable laws and regulations.

Implementation Guidance- A data policy of the organization should be developed and implemented to protect privacy and personally identifiable information. This policy should be communicated to everyone involved in personal information processing.

Compliance with this policy and all the relevant legislation and regulations regarding privacy and personal information protection requires a proper management structure and control. This is often best achieved by appointing a responsible person like a security officer, who should give management, users and service providers guidance on their responsibilities and specific procedures. Responsibility should be taken in compliance with applicable laws and regulations for managing personally identifiable information and awareness of the information security principles. Suitable technical and organizational measures should be implemented to protect personal information.

Read More : https://info-savvy.com/iso-27001-annex-a-18-1-3-a-18-1-4-a-18-1-5/



CHFI

Understanding File Systems

A computer not only computes data but also stores it, so file structure and data storage are of prime concern. To address this, manufacturers employ an effective method of storing and organizing the data on the computer, called a file system. The file system makes it easy to find and access the data. Data storage devices like hard disks or CD-ROMs can use the file system to store the data. The file system divides the file into smaller pieces and then stores them to hard disks or flash memory in clusters.

A file system is a set of data types employed for:

  • Storage
  • Hierarchical categorization
  • Management
  • Navigation
  • Access
  • Recovering the data

Major file systems include FAT, NTFS, HFS, Ext2, Ext3, etc. Users can access the files using the graphical user interfaces or command line user interfaces. File systems organize the data in the form of tree-structured directories. These are generally file cabinets and folders. Directories require authorized permission to access.

Types of File Systems

A file system refers to the structure a computer uses to organize data on media such as hard disks, CDs, DVDs, and many other storage devices, or to an index or database that contains the physical location of every piece of data on a hard drive or storage device.

Following are the different types of file systems:

  • Disk file systems: A disk file system is a technique designed for storing and recovering the file on a storage device, usually a hard disk, directly or indirectly connected to the computer. A few examples of the disk file system are FAT, NTFS, ext2, ISO 9660, ODS-5, and UDF.
  • Network file systems: A network file system is a type of file system that helps users access the files on other computers connected through a network. The file systems are transparent to the user. A few examples of network file systems are NFS, CIFS, and GFS.
  • Database file systems: It is a new method of storing data on the computer and effectively managing the file system. Earlier file systems used hierarchical structured management, but the database file system identifies the files by their characteristics, such as the name of the file, type of the file, topic, author, or similar metadata. Therefore, a user can search for a file by formulating an SQL query or in natural language. For example, if the user needs to find the documents written by ABC, then the query “documents written by ABC” will show the results.
  • Flash file systems: This system stores the files or data in flash memory devices. In today’s world, these file systems are becoming prevalent with the increasing number of mobile devices. With these file systems, the cost per memory size decreases, and the capacity of flash memory will increase.
  • Tape file systems: It stores files on tape in a self-describing form. Magnetic tapes work as sequential storage media with significantly longer random data access time as compared to disks, posing challenges to the creation of a general-purpose file system with efficient management. Tape drives require a linear motion to unwind and wind potentially very long reels of media. This might take several seconds or minutes to move the read/write head.
  • Shared disk file systems: A shared disk file system works on the principle of accessing an external disk subsystem (SAN) through a number of The file system arbitrates access to that subsystem, to prevent write collisions.
  • Special-purpose file systems: In a special-purpose file system, the software organizes files during the run time and uses them for tasks such as communication between computer processes or temporary file space. File-centric operating systems such as UNIX use this file system. Any file system that is not a disk file system or network file system is a special-purpose file system. For example, ‘/proc’ in UNIX can help to get information regarding processes and other operating system features.

Read More : https://info-savvy.com/understanding-file-systems/



CHFI

Identifying GUID Partition Table (GPT)

The GPT header will help an investigator analyze the layout of the disk, including the locations of the partition table, partition area, and backup copies of the header and partition table. Investigators can use the cmdlets given below in Windows PowerShell to identify the presence of GPT:

Get-GPT

The Get-GPT command helps the investigator analyze the GUID Partition Table data structure of the hard disk. It requires the -Path parameter, which takes the Win32 Device Namespace (e.g., \\.\PHYSICALDRIVE1) of the device from which it should parse the GPT.

If the investigator uses Get-GPT on a disk formatted with a Master Boot Record, it will display an error message prompting to use Get-MBR instead.

Alternate Method:

  • Open the “Computer Management” application and click “Disk Management” on the left pane. Right-click on the primary disk (here, Disk 0) and then click Properties
  • In the Device Properties window, click the “Volumes” tab to see the Partition style

Identifying GUID Partition Table (GPT) (Cont’d)

1. Get-BootSector

Get-BootSector is a command that can help the investigator parse GPTs of both types of hard disks, including the ones formatted with either UEFI or MBR. This command acts as a replacement for the Get-MBR and Get-GPT cmdlets. Get-BootSector analyzes the first sector of the hard drive, determines the formatting type used, and then parses the hard drive GPT.

2. Get-PartitionTable

This command analyzes the GUID partition table to find the exact type of boot sector (Master Boot Record or GUID Partition Table) and displays the partition object.

3. Analyzing the GPT Header and Entries

Most operating systems that support GPT disk access come with a basic partitioning tool, which displays details about GPT partition tables. On Windows, tools such as DiskPart display the partition details, whereas Mac systems use the OS X Disk Utility and Linux uses the GNU Parted tool.

The Sleuth Kit mmls command can help investigators view the detailed partition layout of a GPT disk along with the MBR details. Alternatively, investigators can gather details about the GPT header and partition entries through manual analysis of the disk drive using a hex calculation or editing tool, such as a hex editor.

Also Read : What is the Booting Process?

4. GPT Artifacts

Deleted and Overwritten GUID Partitions

Case 1: In hard disks, the conversion or repartition of the MBR disk to GPT will generally overwrite the sector zero with a protective MBR, which will delete all the information about the old partition table. The investigators should follow the standard forensics methods of searching the filesystems to recover data about the previous MBR partitioned volumes.

Case 2: When conversion or repartition of the GPT to MBR disk takes place, then the GPT header and tables may remain intact based on the tool used. Investigators can easily recover or analyze data of such disk partitions.

Using general partition deletion tools to delete a partition on a GPT disk might delete the protective MBR only, which investigators can easily recreate by simply reconstructing the disk.

As per the UEFI specification, if all the fields in a partition entry have zeroed values, it implies that the entry is not in use. In this case, data recovery about deleted GUID partition entries is not possible.
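The checks described in this article (classifying the first sector, reading the GPT header, and treating an all-zero entry as unused) can be reproduced on a raw image with the Python standard library. This is an added example, not PowerForensics code or code from the original article; the function names and the small disk image are constructed, and 512-byte sectors are assumed.

```python
import struct
import uuid
import zlib

SECTOR = 512
GPT_HEADER = struct.Struct("<8sIIIIQQQQ16sQIII")   # 92-byte header at LBA 1
GPT_ENTRY = struct.Struct("<16s16sQQQ72s")         # 128-byte partition entry


def partition_style(disk: bytes) -> str:
    """Classify a disk from sector 0 and LBA 1."""
    boot_sig = disk[510:512] == b"\x55\xaa"
    mbr_types = [disk[446 + 16 * slot + 4] for slot in range(4)]
    gpt_sig = disk[SECTOR:SECTOR + 8] == b"EFI PART"
    if boot_sig and 0xEE in mbr_types and gpt_sig:
        return "GPT"                               # protective MBR + GPT header
    if boot_sig and gpt_sig:
        return "MBR with residual GPT header"      # Case 2 in the text above
    return "MBR" if boot_sig else "unknown"


def parse_gpt(disk: bytes) -> dict:
    """Decode the primary GPT header and every partition entry it points to."""
    (sig, _rev, hdr_size, hdr_crc, _rsv, _my_lba, alt_lba, first_usable,
     last_usable, disk_guid, ent_lba, ent_count, ent_size,
     ent_crc) = GPT_HEADER.unpack_from(disk, SECTOR)
    if sig != b"EFI PART":
        raise ValueError("no GPT header signature at LBA 1")
    raw = bytearray(disk[SECTOR:SECTOR + hdr_size])
    raw[16:20] = b"\x00\x00\x00\x00"     # header CRC covers itself as zero

    table = disk[ent_lba * SECTOR:ent_lba * SECTOR + ent_count * ent_size]
    partitions, unused = [], 0
    for index in range(ent_count):
        entry = table[index * ent_size:(index + 1) * ent_size]
        if not any(entry):               # every field zero: entry not in use
            unused += 1
            continue
        type_guid, part_guid, first, last, _attrs, name = GPT_ENTRY.unpack_from(entry)
        partitions.append({
            "index": index,
            "type_guid": str(uuid.UUID(bytes_le=type_guid)),
            "unique_guid": str(uuid.UUID(bytes_le=part_guid)),
            "first_lba": first,
            "last_lba": last,
            "name": name.decode("utf-16-le").rstrip("\x00"),
        })
    return {
        "header_crc_ok": zlib.crc32(bytes(raw)) == hdr_crc,
        "table_crc_ok": zlib.crc32(table) == ent_crc,
        "disk_guid": str(uuid.UUID(bytes_le=disk_guid)),
        "entry_table_lba": ent_lba,
        "usable_lbas": (first_usable, last_usable),
        "backup_header_lba": alt_lba,
        "partitions": partitions,
        "unused_entries": unused,
    }


def build_sample_disk(total_lba: int = 64) -> bytes:
    """Constructed image: protective MBR, GPT header, 4-entry table (1 in use)."""
    disk = bytearray(total_lba * SECTOR)
    struct.pack_into("<B3sB3sII", disk, 446, 0, b"\x00\x02\x00", 0xEE,
                     b"\xff\xff\xff", 1, total_lba - 1)
    disk[510:512] = b"\x55\xaa"
    table = bytearray(4 * GPT_ENTRY.size)
    basic_data = uuid.UUID("EBD0A0A2-B9E5-4433-87C0-68B6B72699C7")  # basic data type
    GPT_ENTRY.pack_into(table, 0, basic_data.bytes_le, uuid.UUID(int=1).bytes_le,
                        8, 47, 0, "Evidence".encode("utf-16-le"))
    disk[2 * SECTOR:2 * SECTOR + len(table)] = table
    header = bytearray(GPT_HEADER.pack(
        b"EFI PART", 0x00010000, GPT_HEADER.size, 0, 0, 1, total_lba - 1,
        3, total_lba - 3, uuid.UUID(int=2).bytes_le, 2, 4, GPT_ENTRY.size,
        zlib.crc32(bytes(table))))
    struct.pack_into("<I", header, 16, zlib.crc32(bytes(header)))
    disk[SECTOR:SECTOR + len(header)] = header
    return bytes(disk)


if __name__ == "__main__":
    image = build_sample_disk()
    print(partition_style(image))
    print(parse_gpt(image))
```
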

Read More : https://info-savvy.com/identifying-guid-partition-table-gpt/



CHFI

What is the Booting Process?

Booting is the process of starting or resetting the computer when the user turns the system on. The process includes getting both the hardware and software ready and running. The booting process is of two types:

  • Cold booting: The process that happens when we first turn on the computer. Also called a hard boot, this happens when the user completely cuts the power supply to the system.
  • Warm booting: The process that happens when we reset the computer. In this process, the user restarts the system via the operating system.

During the process of booting, the computer loads the operating system to its memory or RAM and prepares it for use. During initialization, the system switches on the BIOS and loads it onto the ROM. BIOS stores the first instruction, which is the command to perform the power-on self-test (POST). Under POST, the system checks the BIOS chip and CMOS RAM.

If the POST detects no battery failure, it continues to start other parts of the CPU by checking the hardware devices and secondary storage devices.

Essential Windows System Files

After installation of an operating system, the setup program creates folders and required files on the system drive. The following are the essential Windows system files.

1. Windows Boot Process

Windows XP, Vista, and 7 power on and start up using the traditional BIOS-MBR method, whereas Microsoft operating systems starting with Windows 8 use either the traditional BIOS-MBR method or the newer UEFI-GPT method, according to the user's choice.

Below is the process that occurs within the system when it is switched ON.

  1. When the user switches the system ON, the CPU sends a Power Good signal to the motherboard and checks for the computer’s BIOS firmware.
  2. The BIOS starts a Power-On Self-Test (POST), which checks whether all the hardware required for system boot is available and loads all the firmware settings from nonvolatile memory on the motherboard.
  3. If POST is successful, add-on adapters perform a self-test for integration with the system.
  4. The pre-boot process completes with POST detecting a valid system boot disk.
  5. After POST, the computer’s firmware scans the boot disk and loads the master boot record (MBR), which searches for basic boot information in the Boot Configuration Data (BCD).
  6. The MBR triggers Bootmgr.exe, which locates the Windows loader (Winload.exe) on the Windows boot partition and triggers Winload.exe.
  7. The Windows loader loads the OS kernel ntoskrnl.exe.
  8. Once the kernel starts running, the Windows loader loads HAL.DLL, boot-class device drivers marked as BOOT START, and the SYSTEM registry hive into memory.
  9. The kernel passes control of the boot process to the Session Manager Process (SMSS.exe), which loads all other registry hives and drivers required to configure Win32 subsystem run
  10. The Session Manager Process triggers Winlogon.exe, which presents the user logon screen for user authorization.
  11. The Session Manager Process initiates the Service Control Manager, which starts all the services, the rest of the non-essential device drivers, the security subsystem LSASS.EXE, and Group Policy scripts.
  12. Once the user logs in, Windows creates a session for the user.
  13. The Service Control Manager starts Explorer.exe and initiates the Desktop Window Manager (DWM) process, which sets up the desktop for the user.

Windows Boot Process (Cont’d)

The EFI boot manager controls the UEFI boot process. It starts with platform firmware initialization; the boot manager loads UEFI drivers and UEFI applications (including UEFI OS boot loaders) to initialize platform functions. The system loads the OS loader at the final stage, and then the OS starts booting. Once the OS receives control, it halts the UEFI boot service.

The UEFI boot process has five phases, and each phase has its own role. These five phases are:

  • SEC (Security) Phase

This phase of EFI consists of initialization code that the system executes after powering the EFI system on. It manages platform reset events and sets the system so that it can find, validate, install, and run the PEI.

Read More : https://info-savvy.com/what-is-the-booting-process/



ISO 27001

ISO 27001 Annex : A.18 Compliance

This article explains the ISO 27001 Annex A.18 Compliance controls: Compliance with Legal and Contractual Requirements, Identification of Applicable Legislation and Contractual Requirements, and Intellectual Property Rights.

A.18.1 Compliance with Legal and Contractual Requirements

Its objective is to protect against violation of legal, statutory, regulatory, or contractual obligations relating to information security and any other security requirements.

A.18.1.1 Identification of Applicable Legislation and Contractual Requirements

Control- All relevant statutory, regulatory, and contractual requirements, and the approach of the organization towards compliance with these requirements, should be specifically identified, documented, and kept up to date for each information system and for the organization.

Implementation Guidance- There must also be identification and documentation of basic controls and individual obligations to fulfill those criteria.

In order to satisfy the criteria for their business form, administrators should recognize all the legislation that relates to their organization. If the organization is operating in other countries, managers in all related countries will ensure compliance.

A.18.1.2 Intellectual Property Rights

Control- Proper procedures will be followed to ensure that the legal, regulatory, and contractual provisions relating to ownership of intellectual property and the use of proprietary software products are complied with.

Implementation Guidance- In order to protect any material regarded as intellectual property, the following guidelines should be adopted:

  • Publish a guideline for the legitimate use of software and information products in line with intellectual property rights;
  • Purchase software only from known and reputable sources, so that copyright is not breached;
  • Maintain awareness and give notice of the intention to take disciplinary steps against personnel who violate intellectual property rights policy;
  • Maintain adequate registers of assets and identify all assets with intellectual rights protection requirements;
  • Maintain proof and evidence of license ownership, master disks, manuals, etc.;
  • Implement controls to ensure that no maximum number of approved users is exceeded;
  • Conduct reviews to check that only licensed products and software are installed;
  • Provide a policy for the enforcement of appropriate conditions of license;
  • Provide a policy for the disposal of information or its transfer to others;
  • Comply with the terms and conditions for software and for information obtained from public networks;
  • Do not replicate, transform, or extract from commercial (film, audio) recordings, other than as permitted under the law of copyright;
  • Do not copy books, articles, reports, or other documents, fully or partially, except as permitted by copyright legislation.

Also Read : ISO 27001 Annex : A.17.1.3 Verify, Review and Evaluate Information Security Continuity

Other Information- Intellectual property rights include copyright for software or material, design rights, trademarks, patents, and licenses to source code.

Read More : https://info-savvy.com/iso-27001-annex-a-18-compliance/



CHFI

Hard Disk Partitions

Hard disk partitioning refers to the creation of logical drives for effective memory management; a partition is a logical drive for storing data. A hidden partition created on a drive can hide data. The inter-partition gap is the space between the primary partition and the secondary partition. If the inter-partition gap contains hidden data, use disk editor utilities like Disk Editor to change the information in the partition table. Doing so will remove all the references to the hidden partition, which have been hiding it from the operating system. Another way of hiding data is to place the digital evidence at the end of the disk by declaring a smaller number of bytes than the actual size of the drive. Disk Editor allows the investigator to access these hidden or vacant areas of the disk.

The partitions are of two types:

  • Primary partition: It is the drive that holds the information regarding the operating system, system area, and other information required for booting. In MS-DOS and earlier versions of Microsoft Windows systems, the first partition (C:) must be a “primary partition.”
  • Extended partition: It is the logical drive that holds the information regarding the data and files that are stored on the disk. Various tools are available for examining the disk partitions. A few of the disk editor tools are Disk Edit, WinHex, and Hex Workshop. These tools can help users view the file headers and important information about the file. Both require analyzing the hexadecimal codes that an operating system identifies and uses to maintain the file system.

BIOS Parameter Block (BPB)

The BPB is a data structure situated at sector 1 in the volume boot record of a hard disk that explains the physical layout of a disk volume. It describes the volume partition on partitioned devices such as hard disks, whereas on un-partitioned devices it describes the entire medium. Any partition, including floppy disks, can use a BPB, which would also describe the basic file system architecture. The length of the BPB varies across the listed file systems (i.e., FAT16, FAT32, and NTFS) due to the volume of data it contains and the types of fields present.

Master Boot Record (MBR) 

Master Boot Record (MBR) refers to a hard disk’s first sector, or sector zero, which specifies the location of an operating system for the system to load into main storage. Also called the partition sector or master partition table, it contains a table that locates partitioned disk data. A program in the record loads the rest of the OS into RAM.

The Master Boot Record file holds information about the various files present on the disk, their location, and size. In practice, MBR almost always refers to the 512-byte boot sector or partition sector of a disk. The FDISK /MBR command helps in creating the MBR in Windows and DOS operating systems. When a computer starts and boots, the BIOS refers to this first sector for the boot process instructions and information about how to load the operating system.

The master boot record consists of the structures as mentioned below:

1. Partition Table

The partition table is a 64-byte data structure storing information about the type of partitions present on the hard disk and their location. This table has a standard layout that does not depend on the operating system. The table is capable of describing only four partitions, which are primary or physical partitions. All other partitions are logical partitions linked to one of the primary partitions.

2. Master Boot Code
A small piece of computer code that the system loads into the BIOS and executes to initiate the system’s boot process. After execution, the system transfers control to the boot program present on the active partition to load the operating system.
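The 64-byte partition table described above, and the inter-partition gaps and end-of-disk space mentioned under Hard Disk Partitions, can be read directly out of sector zero. The following Python example is added here and is not code from the original article; the offsets 446 and 510 and the 0x55AA signature are the standard MBR layout rather than values stated on this page, the function names are hypothetical, and the sample sector and the 1,000,000-sector disk size are constructed.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446          # partition table follows the 446-byte boot code area
ENTRY_SIZE = 16             # 4 entries x 16 bytes = the 64-byte table
SIGNATURE = b"\x55\xaa"     # boot signature in the last two bytes of the sector


def parse_mbr(sector):
    """Return the non-empty partition entries of a 512-byte MBR sector."""
    if len(sector) != SECTOR_SIZE or sector[510:512] != SIGNATURE:
        raise ValueError("not a valid MBR sector")
    parts = []
    for slot in range(4):
        off = TABLE_OFFSET + slot * ENTRY_SIZE
        # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, ptype, start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0 and count == 0:
            continue  # unused slot
        parts.append({"slot": slot, "active": status == 0x80, "type": ptype,
                      "start": start, "sectors": count})
    return parts


def unallocated_ranges(parts, disk_sectors):
    """Sector ranges (first, last) not covered by any primary partition."""
    gaps, cursor = [], 1  # sector 0 is the MBR itself
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] > cursor:
            gaps.append((cursor, p["start"] - 1))
        cursor = max(cursor, p["start"] + p["sectors"])
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors - 1))  # space past the last partition
    return gaps


def build_sample_mbr():
    """Constructed sample: two primary partitions with a gap between them."""
    sector = bytearray(SECTOR_SIZE)
    entries = [(0x80, 0x07, 2048, 204800),      # active, NTFS-type partition
               (0x00, 0x83, 409600, 204800)]    # inactive, Linux-type partition
    for i, (status, ptype, start, count) in enumerate(entries):
        struct.pack_into("<B3xB3xII", sector, TABLE_OFFSET + i * ENTRY_SIZE,
                         status, ptype, start, count)
    sector[510:512] = SIGNATURE
    return bytes(sector)
```

On the constructed sample, `unallocated_ranges(parse_mbr(build_sample_mbr()), 1_000_000)` reports three ranges. The first is ordinary alignment slack before the first partition, so an uncovered range marks where to look with a disk editor rather than proof of hidden data.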

Read More : https://info-savvy.com/hard-disk-partitions/



CHFI

Understanding Bit, Nibble and Byte

This article explains bit, nibble, and byte, the data storage format of a hard disk, and how to calculate it.

Bit

A bit, short for binary digit, is the smallest unit of data or basic information unit in computing and digital communications. It can contain only one of two values, represented as 0 or 1. Bits also represent logical values such as true/false, yes/no, activation states (on/off), algebraic signs (+/-) or any other two-valued attribute.

Byte

A byte, short for binary term, is a digital information unit of data that consists of eight bits. The byte is a representation of the number of bits a system has used to encode one text character. Therefore, it is the smallest addressable memory unit in many computer architectures. Two hexadecimal digits represent a full byte or octet.

Nibble

A nibble, also known as a half-byte or tetrade, is a collection of four bits or half of an octet in computing. A common representation of a byte is two nibbles.

Hard Disk Data Addressing

Hard disk data addressing is the technique of assigning addresses to physical blocks of data on the hard drives. There are two types of hard disk data addressing:

1. CHS (Cylinder-Head-Sector)

This process identifies individual sectors on a hard disk according to their positions in a track, and the head and cylinder numbers determine these tracks. It associates information on the hard drive by specifications such as head (platter side), cylinder (radius), and the sector (angular position).

2. LBA (Logical Block Address)

It addresses data by allotting a sequential number to each sector of the hard disk. The addressing mechanism specifies the location of blocks of data on computer storage devices and secondary storage systems such as hard disk drives, SCSI, and enhanced IDE drives. This method does not expose the physical details of the storage device to the operating system.

Data Densities on a Hard Disk

Hard disks store data using the zoned bit recording method, which is also known as multiple-zone recording. In this technique, tracks form a collection of zones depending on their distance from the center of the disk and the outer tracks have more sectors on them than the inner tracks. This allows the drive to store more bits in each outer track compared to the innermost zone and helps to achieve a higher total data capacity.

1. Track Density

It refers to the space a particular number of tracks require on a disk. The disks with greater track density can store more information as well as offer better performance.

2. Areal Density

It refers to the number of bits per square inch on a platter and it represents the amount of data a hard disk can hold.

3. Bit Density

It is the number of bits a unit length of track can accommodate.

Disk Capacity Calculation

Calculate

A disk drive that has:
  • 16,384 cylinders
  • 80 heads
  • 63 sectors per track

Assume a sector has 512 bytes. What is the capacity of such a disk?

Answer: The conversion factors appropriate to this hard disk are:

  • 16,384 cylinders / disk
  • 80 heads / cylinder
  • 63 sectors / track
  • 512 bytes / sector

Solution

Total bytes = 1 disk * (16,384 cylinders / disk) * (80 heads / cylinder) * (1 track / head) * (63 sectors / track) * (512 bytes / sector) = 42,278,584,320 bytes

1 Kilobyte (KB) = 2^10 bytes = 1,024 bytes

1 Megabyte (MB) = 2^20 bytes = 1,048,576 bytes = 1,024 KB

1 Gigabyte (GB) = 2^30 bytes = 1,073,741,824 bytes = 1,048,576 KB = 1,024 MB

1 Terabyte (TB) = 2^40 bytes = 1,099,511,627,776 bytes = 1,073,741,824 KB = 1,048,576 MB = 1,024 GB

Using these definitions, express the result in GB as:

42,278,584,320 bytes / (1,073,741,824 bytes / GB) = 39.375 GB

The hard disk in a typical computer system has a storage capacity. Data is stored on the hard disk in the form of files.
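The CHS and LBA addressing schemes described earlier can be tied to this exercise: the disk's total sector count is one more than its highest LBA. The following Python example is added here and is not part of the original article; the Geometry class and its method names are hypothetical, the conversion formula is the standard CHS-to-LBA mapping (not stated on this page), and the geometry is the one from the exercise above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Geometry:
    cylinders: int
    heads: int
    sectors_per_track: int
    bytes_per_sector: int = 512

    @property
    def total_sectors(self):
        return self.cylinders * self.heads * self.sectors_per_track

    @property
    def capacity_bytes(self):
        return self.total_sectors * self.bytes_per_sector

    def chs_to_lba(self, c, h, s):
        """Map a cylinder/head/sector triple to its sequential sector number."""
        # Cylinders and heads count from 0, sectors within a track from 1.
        if not (0 <= c < self.cylinders and 0 <= h < self.heads
                and 1 <= s <= self.sectors_per_track):
            raise ValueError(f"CHS ({c},{h},{s}) is outside the disk geometry")
        return (c * self.heads + h) * self.sectors_per_track + (s - 1)

    def lba_to_chs(self, lba):
        """Inverse mapping: sequential sector number back to (c, h, s)."""
        if not 0 <= lba < self.total_sectors:
            raise ValueError(f"LBA {lba} is outside the disk")
        track, s0 = divmod(lba, self.sectors_per_track)
        c, h = divmod(track, self.heads)
        return c, h, s0 + 1

    def byte_offset(self, c, h, s):
        """Offset of a CHS sector inside a raw disk image."""
        return self.chs_to_lba(c, h, s) * self.bytes_per_sector


# Geometry from the capacity exercise above.
DISK = Geometry(cylinders=16_384, heads=80, sectors_per_track=63)
```

`byte_offset` is the value to seek to when a report gives a CHS location and the evidence is a raw image file.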

Read More : https://info-savvy.com/understanding-bit-nibble-and-byte/

