1 00:00:01,190 --> 00:00:02,870 In order to control the environment.
2 00:00:02,870 --> 00:00:06,590 As we start our investigation, we must understand the environment.
3 00:00:06,620 --> 00:00:10,350 Here, digital evidence is being stored, created and accessed.
4 00:00:10,370 --> 00:00:12,740 In most cases, this will be a computer system.
5 00:00:13,070 --> 00:00:17,840 I use the term computer system, and what that comprises is the operating system, the file system and
6 00:00:17,840 --> 00:00:21,410 the hardware bundled together to create this computer.
7 00:00:22,280 --> 00:00:25,830 So to be effective, you must understand the physical media
8 00:00:25,850 --> 00:00:33,290 the data is stored on, the file system used on the storage device and how that data is tracked and
9 00:00:33,290 --> 00:00:35,570 accessed while on the storage device.
10 00:00:35,600 --> 00:00:41,120 Once you understand the process, you can then implement controls to protect the integrity of the digital
11 00:00:41,120 --> 00:00:41,900 evidence.
12 00:00:42,020 --> 00:00:45,410 So what is the boot process?
13 00:00:45,440 --> 00:00:52,040 Well, when you press the power button and electricity energizes the system, a series of commands is
14 00:00:52,040 --> 00:00:52,460 issued.
15 00:00:52,700 --> 00:00:59,630 So as it executes the commands, the system is taking steps, just like on a ladder, to achieve the goal
16 00:00:59,630 --> 00:01:02,580 of a running operating system.
17 00:01:02,600 --> 00:01:08,450 So if something breaks any of these steps, then the system will not load.
18 00:01:08,750 --> 00:01:10,220 So it will fail.
19 00:01:10,970 --> 00:01:13,550 So we have a POST here.
20 00:01:14,090 --> 00:01:21,320 So what is the boot process? The first step of the boot process is the power-on self-test, POST, here.
21 00:01:26,770 --> 00:01:39,010 So in this POST phase, the CPU will access the read-only memory, ROM, and the basic input output system
22 00:01:39,010 --> 00:01:43,870 and the test to test essential motherboard functions.
23 00:01:43,870 --> 00:01:52,510 So actually, I will share this file with you after this lecture in assignments, or I will create
24 00:01:52,510 --> 00:01:55,270 a separate lecture for sharing these files.
25 00:01:55,270 --> 00:02:01,480 So I want to write everything clearly here.
26 00:02:02,350 --> 00:02:06,220 So when you look at it, you can understand easily.
27 00:02:07,400 --> 00:02:08,000 And so.
28 00:02:10,600 --> 00:02:14,650 This is: the CPU will access.
29 00:02:15,540 --> 00:02:15,740 Here.
30 00:02:15,790 --> 00:02:19,080 Let's make it bigger and.
31 00:02:20,700 --> 00:02:21,270 Text.
32 00:02:23,690 --> 00:02:26,930 The CPU will access.
33 00:02:28,810 --> 00:02:30,880 Uh, the read.
34 00:02:32,600 --> 00:02:33,020 Read.
35 00:02:33,970 --> 00:02:34,690 Only.
36 00:02:38,440 --> 00:02:39,280 Memory.
37 00:02:49,030 --> 00:02:49,570 Memory.
38 00:02:50,800 --> 00:02:54,550 Uh, so this is the ROM, ROM here, and.
39 00:02:55,710 --> 00:03:00,180 And the basic input.
40 00:03:00,960 --> 00:03:03,660 Output system.
41 00:03:05,090 --> 00:03:08,030 Which in this case is the BIOS, actually.
42 00:03:08,030 --> 00:03:23,150 You know, I think the BIOS is when you enter with F, F20 or F2, like the buttons to boot
43 00:03:23,840 --> 00:03:24,890 device here.
44 00:03:25,100 --> 00:03:31,850 So this is where you hear the beep sound when you turn on the power of the computer system.
45 00:03:32,240 --> 00:03:36,800 So this beep sound is not
46 00:03:37,650 --> 00:03:38,820 used anymore.
47 00:03:39,210 --> 00:03:46,220 It is the old computers using this sound.
48 00:03:46,560 --> 00:03:54,150 If there is an error, the system will notify you of the error on the computer through use of
49 00:03:54,150 --> 00:04:02,400 the beep codes, like if you have a RAM error, this will, this.
50 00:04:04,670 --> 00:04:08,290 A motherboard buzzer will beep three times.
51 00:04:08,300 --> 00:04:10,370 Something like that.
52 00:04:10,460 --> 00:04:14,150 So if there's any noise, you will know about that.
53 00:04:14,150 --> 00:04:21,290 So, for example, you can search these beeps in Google and you will get the relevant result, because
54 00:04:21,290 --> 00:04:32,180 if your video card is broken or something is not working, you can't see these errors, or the BIOS, motherboard
55 00:04:32,180 --> 00:04:35,990 cannot show these errors on screen, right?
56 00:04:35,990 --> 00:04:39,740 So instead of that, the motherboard uses the.
57 00:04:41,770 --> 00:04:52,860 Buzzer to beep several times for searching and finding what's wrong with your computer.
58 00:04:52,870 --> 00:05:01,840 So once the POST test has successfully completed, the BIOS is activated and executed.
59 00:05:03,230 --> 00:05:11,510 Note that the system has not accessed the storage media for now at this phase of our booting process.
60 00:05:11,540 --> 00:05:19,670 All the program executions are taking place at the motherboard level and not in the storage devices.
61 00:05:19,970 --> 00:05:26,540 The user can access the BIOS by using the correct combination as displayed on the screen.
62 00:05:29,440 --> 00:05:39,510 So the BIOS then will have the basic information of the system: the amount of RAM, the type of CPU,
63 00:05:39,520 --> 00:05:43,870 information about attached devices and system date and time.
64 00:05:43,900 --> 00:05:51,850 The easiest way to document this information is to take photographs of it as it is displayed on the screen.
65 00:05:52,520 --> 00:05:56,840 So this is also where you can change the boot sequence.
66 00:05:56,840 --> 00:06:03,120 So typically the system checks the CD/DVD first and then the designated hard drive.
67 00:06:03,140 --> 00:06:09,440 So this is where you will be able to change the setting of the boot device when we create a boot media
68 00:06:09,440 --> 00:06:17,510 later on in these lectures. Changing the boot device tells the BIOS to access the device we are providing
69 00:06:17,510 --> 00:06:18,800 and not the suspect's.
70 00:06:18,920 --> 00:06:28,100 So in 2010 the BIOS function was replaced by the Unified Extensible Firmware Interface.
71 00:06:28,100 --> 00:06:31,310 This is the, I think you know that already.
72 00:06:31,640 --> 00:06:32,450 Actually, let's.
73 00:06:34,890 --> 00:06:35,850 Unified.
74 00:06:46,960 --> 00:06:48,850 This is the UEFI.
75 00:06:54,080 --> 00:06:54,800 So.
76 00:07:06,350 --> 00:07:14,780 So this Unified Extensible Firmware Interface provides the same service as the BIOS, but this is
77 00:07:14,780 --> 00:07:16,760 like version two of the BIOS.
78 00:07:16,760 --> 00:07:20,630 So this is an enhanced, like.
79 00:07:21,660 --> 00:07:25,460 What's different is, actually, let's make a.
80 00:07:27,490 --> 00:07:29,050 Differences here.
81 00:07:48,230 --> 00:07:48,980 So.
82 00:07:51,050 --> 00:07:53,750 Actually, I want to delete that.
83 00:07:58,960 --> 00:08:02,350 Actually, I will write these differences down because I'm
84 00:08:04,350 --> 00:08:06,600 searching for the right
85 00:08:07,640 --> 00:08:08,810 table for that.
86 00:08:09,200 --> 00:08:09,590 So.
87 00:08:15,580 --> 00:08:15,970 So.
88 00:08:16,990 --> 00:08:26,560 Yeah, as I said earlier, BIOS had an update, so it was actually replaced by a
89 00:08:27,640 --> 00:08:30,490 Unified Extensible Firmware Interface.
90 00:08:31,060 --> 00:08:33,850 Um, actually let me note that down here.
91 00:08:36,090 --> 00:08:40,340 The Extensible Firmware.
92 00:08:44,270 --> 00:08:44,550 Here.
93 00:08:46,000 --> 00:08:53,470 So it provides the same services as the BIOS, but has been enhanced, like it has better security
94 00:08:53,470 --> 00:08:55,430 at the pre-boot process.
95 00:08:55,450 --> 00:09:02,320 It has the fastest startup compared to BIOS.
96 00:09:02,350 --> 00:09:12,430 It has support for storage drives larger than 2000GB, like two terabytes.
97 00:09:12,970 --> 00:09:16,330 Support for 64-bit device drivers.
98 00:09:16,330 --> 00:09:24,130 And this has the support for GPT partition tables.
99 00:09:24,130 --> 00:09:28,390 So the Secure Boot feature allows us to
100 00:09:30,370 --> 00:09:35,560 use authenticated operating systems when booting the computer system.
101 00:09:35,560 --> 00:09:41,560 So this can be an issue if you are attempting to use an alternative booting device.
102 00:09:41,560 --> 00:09:43,510 So, um.
103 00:09:44,750 --> 00:09:47,820 Well, let me actually make another diagram here.
104 00:09:47,850 --> 00:09:48,990 This is the power.
105 00:09:57,030 --> 00:09:59,310 The POST, POST.
106 00:10:00,220 --> 00:10:01,450 The POST, actually let me.
107 00:10:02,350 --> 00:10:04,270 Bigger words.
108 00:10:05,050 --> 00:10:07,480 And then we have BIOS and.
109 00:10:08,930 --> 00:10:09,200 Okay.
110 00:10:16,890 --> 00:10:17,490 Here.
111 00:10:18,490 --> 00:10:18,850 Homes.
112 00:10:25,070 --> 00:10:26,180 And this counselor.
113 00:10:36,230 --> 00:10:36,710 So.
114 00:10:37,950 --> 00:10:40,560 Now, as you can see in this diagram.
115 00:10:41,580 --> 00:10:48,300 Well, actually, yes, yes, yes, you can see here, once the power is turned on
116 00:10:49,720 --> 00:10:50,170 um
117 00:10:51,650 --> 00:10:55,220 and has completed the POST test here,
118 00:10:57,330 --> 00:11:01,200 depending on the system, it may boot with BIOS or
119 00:11:01,230 --> 00:11:04,350 it may boot with UEFI.
120 00:11:04,380 --> 00:11:15,420 So the BIOS will look for the master boot record of the boot device, so first
121 00:11:15,420 --> 00:11:21,270 will... So MBR is typical for BIOS.
122 00:11:22,660 --> 00:11:23,020 Here.
123 00:11:25,090 --> 00:11:34,710 MBR. So the MBR is located at sector zero and holds information about the partitions.
124 00:11:35,680 --> 00:11:36,550 So.
125 00:11:37,970 --> 00:11:38,600 Yes.
126 00:11:39,110 --> 00:11:42,860 So MBR holds the information about partitions.
127 00:11:59,980 --> 00:12:00,670 So.
128 00:12:04,650 --> 00:12:13,110 So it holds information about partitions and also holds information about the filesystem and the bootloader code
129 00:12:13,110 --> 00:12:14,970 for the installed operating system.
130 00:12:15,690 --> 00:12:21,120 So once they found the bootloader here
131 00:12:25,040 --> 00:12:26,630 and it has been activated,
132 00:12:26,630 --> 00:12:34,130 control is then passed over to the operating system to complete the boot process.
133 00:12:35,910 --> 00:12:36,360 So.
134 00:12:39,130 --> 00:12:45,460 The operating system for completing the boot process here.
135 00:12:50,040 --> 00:12:51,690 Operating system.
136 00:12:57,600 --> 00:12:58,320 So.
137 00:13:01,880 --> 00:13:03,140 After, the operating system
138 00:13:04,010 --> 00:13:04,270 is
139 00:13:06,860 --> 00:13:12,290 promptly started, and you can use the computer like so.
140 00:13:13,450 --> 00:13:14,740 Then we will.
141 00:13:14,740 --> 00:13:16,570 Let's go to UEFI.
142 00:13:16,600 --> 00:13:28,180 So the UEFI, Unified Extensible Firmware Interface, as you can see here, it's an enhanced version of
143 00:13:28,180 --> 00:13:28,750 BIOS.
144 00:13:28,750 --> 00:13:33,450 So UEFI will look for the GPT.
145 00:13:33,820 --> 00:13:39,630 So as you know, GPT is the GUID partition table.
146 00:13:39,640 --> 00:13:41,500 We will talk about it later.
147 00:13:43,170 --> 00:13:48,210 Then let's create a new one here.
148 00:13:50,130 --> 00:13:52,470 So UEFI will look for the GPT.
149 00:13:54,310 --> 00:13:55,150 Actually, it's.
150 00:13:56,180 --> 00:13:56,530 Right.
151 00:14:00,560 --> 00:14:01,150 GPT.
152 00:14:02,710 --> 00:14:03,220 Here.
153 00:14:08,850 --> 00:14:09,540 So.
154 00:14:10,780 --> 00:14:18,460 It will have a protective image to ensure legacy systems will not mistakenly read this as being unpartitioned
155 00:14:18,460 --> 00:14:19,900 and overwrite the data.
156 00:14:19,930 --> 00:14:29,470 It will also contain the partition entries and a backup partition table header. So a GPT disk can contain
157 00:14:29,470 --> 00:14:34,960 up to 128 partitions.
158 00:14:34,960 --> 00:14:42,940 Yes, GPT can contain up to 128 partitions for the Windows operating system, just like the BIOS scheme.
159 00:14:43,150 --> 00:14:51,550 Once the active partition and bootloader have been found, the operating system will take over the booting
160 00:14:51,550 --> 00:14:52,570 process.
161 00:14:55,150 --> 00:14:55,360 Here.
162 00:15:00,740 --> 00:15:08,450 So since you understand the boot process, we still want to control the boot environment with the creation
163 00:15:08,450 --> 00:15:14,150 of forensic boot media, which we will discuss in the next lecture.
164 00:15:14,150 --> 00:15:15,010 So I'm waiting for you in
165 00:15:15,030 --> 00:15:15,710 the next lecture.
166 00:15:15,710 --> 00:15:22,640 Actually, we will have a little test, an actual practice test, after this lecture.
167 00:15:22,640 --> 00:15:23,270 So.
168 00:15:24,450 --> 00:15:30,270 I'm sure you can complete 100% of these practice tests.
169 00:15:30,270 --> 00:15:35,400 So after completing the practices, I'm waiting for you in the next lecture.
170 00:15:35,520 --> 00:15:36,510 Thank you for watching.