WEBVTT

00:01.190 --> 00:02.870
In order to control the environment.

00:02.870 --> 00:06.590
As we start our investigation, we must understand the environment.

00:06.620 --> 00:10.350
Here, digital evidence is being stored, created and accessed.

00:10.370 --> 00:12.740
In most cases, this will be a computer system.

00:13.070 --> 00:17.840
I use the term computer system, and what that comprises is the operating system, the file system and

00:17.840 --> 00:21.410
the hardware bundled together to create this computer.

00:22.280 --> 00:25.830
So to be effective, you must understand the physical media

00:25.850 --> 00:33.290
the data is stored on, the file system used on the storage device and how that data is tracked and

00:33.290 --> 00:35.570
accessed while on the storage device.

00:35.600 --> 00:41.120
Once you understand the process, you can then implement controls to protect the integrity of the digital

00:41.120 --> 00:41.900
evidence.

00:42.020 --> 00:45.410
So what is the boot process?

00:45.440 --> 00:52.040
Well, when you press the power button and electricity energizes the system, a series of commands is

00:52.040 --> 00:52.460
issued.

00:52.700 --> 00:59.630
So as it executes the commands, the system is taking steps just like on a ladder to achieve the goal

00:59.630 --> 01:02.580
of a running operating system.

01:02.600 --> 01:08.450
So if something breaks any of these steps, then the system will not load.

01:08.750 --> 01:10.220
So it will fail.

01:10.970 --> 01:13.550
So we have a POST here.

01:14.090 --> 01:21.320
So what is the boot process? The first step of the boot process is the power-on self-test, POST, here.

01:26.770 --> 01:39.010
So in this POST phase, the CPU will access the read only memory (ROM) and the basic input output system

01:39.010 --> 01:43.870
(BIOS) and tests the essential motherboard functions.

01:43.870 --> 01:52.510
So actually, I will share this file with you after this lecture in the assignments, or I will create

01:52.510 --> 01:55.270
a separate lecture for sharing these files.

01:55.270 --> 02:01.480
So I want to write everything clearly here.

02:02.350 --> 02:06.220
So when you look at it, you can understand easily.

02:07.400 --> 02:08.000
And so.

02:10.600 --> 02:14.650
This is: the CPU will access.

02:15.540 --> 02:15.740
Here.

02:15.790 --> 02:19.080
Let's make it bigger and.

02:20.700 --> 02:21.270
Text.

02:23.690 --> 02:26.930
But CPU will access.

02:28.810 --> 02:30.880
Uh, the read.

02:32.600 --> 02:33.020
It.

02:33.970 --> 02:34.690
Only.

02:38.440 --> 02:39.280
Memory.

02:49.030 --> 02:49.570
Memory.

02:50.800 --> 02:54.550
Uh, so this is the ROM, ROM here, and.

02:55.710 --> 03:00.180
And the basic input.

03:00.960 --> 03:03.660
Output system.

03:05.090 --> 03:08.030
Which in this case is the BIOS, actually.

03:08.030 --> 03:23.150
You know, I think the BIOS is the one you enter with F, F20 or F2, like the buttons to boot

03:23.840 --> 03:24.890
device here.

03:25.100 --> 03:31.850
So this is where you hear the beep sound when you turn the power on the computer system.

03:32.240 --> 03:36.800
So this beep sound is not

03:37.650 --> 03:38.820
used anymore.

03:39.210 --> 03:46.220
It is the old computers that are using this sound.

03:46.560 --> 03:54.150
If there is an error, the system will notify you of the error on the computer through use of

03:54.150 --> 04:02.400
the beep codes, like if you have a RAM error, this will, this.

04:04.670 --> 04:08.290
A motherboard buzzer will beep three times.

04:08.300 --> 04:10.370
They didn't like that.

04:10.460 --> 04:14.150
So if there's any error, you will know about that.

04:14.150 --> 04:21.290
So, for example, you can search these beeps in Google and you will get the relevant result because

04:21.290 --> 04:32.180
if your video card is broken or something is not working, you can't see these errors, or the BIOS, motherboard

04:32.180 --> 04:35.990
cannot show these errors on screen, right?

04:35.990 --> 04:39.740
So instead of that, the motherboard uses the.

04:41.770 --> 04:52.860
buzzer to beep several times, for searching and finding what's wrong with your computer.

04:52.870 --> 05:01.840
So once the POST test has successfully completed, the BIOS is activated and executed.

05:03.230 --> 05:11.510
Note that the system has not accessed the storage media yet at this phase of our booting process.

05:11.540 --> 05:19.670
All the program executions are taking place at the motherboard level and not in the storage devices.

05:19.970 --> 05:26.540
The user can access the BIOS by using the correct key combination as displayed on the screen.

05:29.440 --> 05:39.510
So the BIOS then will have the basic information of the system: the amount of RAM, the type of CPU,

05:39.520 --> 05:43.870
information about attached devices and system date and time.

05:43.900 --> 05:51.850
The easiest way to document this information is to take photographs of it as it is displayed on the screen.

05:52.520 --> 05:56.840
So this is also where you can change the boot sequence.

05:56.840 --> 06:03.120
So typically the system checks the CD/DVD first and then the designated hard drive.

06:03.140 --> 06:09.440
So this is where you will be able to change the setting of the boot device when we create boot media

06:09.440 --> 06:17.510
later in these lectures. Changing the boot device tells the BIOS to access the device we are providing

06:17.510 --> 06:18.800
and not the suspect's.

06:18.920 --> 06:28.100
So in 2010 the BIOS function was replaced by the Unified Extensible Firmware Interface.

06:28.100 --> 06:31.310
This is the I think you know that already.

06:31.640 --> 06:32.450
Actually let's.

06:34.890 --> 06:35.850
Unified.

06:46.960 --> 06:48.850
This is the UEFI.

06:54.080 --> 06:54.800
So.

07:06.350 --> 07:14.780
So this Unified Extensible Firmware Interface provides the same services as the BIOS, but this is

07:14.780 --> 07:16.760
like version two of the BIOS.

07:16.760 --> 07:20.630
So this is enhanced, like.

07:21.660 --> 07:25.460
What's different is, actually, let's make a.

07:27.490 --> 07:29.050
Differences here.

07:48.230 --> 07:48.980
So.

07:51.050 --> 07:53.750
Actually, I want to delete that.

07:58.960 --> 08:02.350
Actually, I will write these differences down because I'm.

08:04.350 --> 08:06.600
Searching for the right.

08:07.640 --> 08:08.810
Table for that.

08:09.200 --> 08:09.590
So.

08:15.580 --> 08:15.970
So.

08:16.990 --> 08:26.560
In, as I said earlier, BIOS had an update, so BIOS was actually replaced by the

08:27.640 --> 08:30.490
Unified Extensible Firmware Interface.

08:31.060 --> 08:33.850
Um actually let me note that down here.

08:36.090 --> 08:40.340
The extensible firmware.

08:44.270 --> 08:44.550
Here.

08:46.000 --> 08:53.470
So it provides the same services as the BIOS, but has been enhanced, like it has better security

08:53.470 --> 08:55.430
at the pre-boot process.

08:55.450 --> 09:02.320
It has a faster startup compared to BIOS.

09:02.350 --> 09:12.430
It has support for storage drives larger than 2000 GB, like two terabytes.

09:12.970 --> 09:16.330
Support for 64-bit device drivers.

09:16.330 --> 09:24.130
And it has support for GPT partition tables.

09:24.130 --> 09:28.390
So the secure boot feature allows us to.

09:30.370 --> 09:35.560
use authenticated operating systems when booting the computer system.

09:35.560 --> 09:41.560
So this can be an issue if you are attempting to use an alternative booting device.

09:41.560 --> 09:43.510
So, um.

09:44.750 --> 09:47.820
Well, let me actually draw another diagram here.

09:47.850 --> 09:48.990
This is the power.

09:57.030 --> 09:59.310
The POST, POST.

10:00.220 --> 10:01.450
The POST, actually, let me.

10:02.350 --> 10:04.270
Bigger words.

10:05.050 --> 10:07.480
And then we have BIOS and.

10:08.930 --> 10:09.200
Okay.

10:16.890 --> 10:17.490
Here.

10:18.490 --> 10:18.850
Homes.

10:25.070 --> 10:26.180
And this counselor.

10:36.230 --> 10:36.710
So.

10:37.950 --> 10:40.560
Now, as you can see in this diagram.

10:41.580 --> 10:48.300
Well, actually, yes, yes, yes, you can see here, once the power is turned on.

10:49.720 --> 10:50.170
Um.

10:51.650 --> 10:55.220
and has completed the POST test here.

10:57.330 --> 11:01.200
Depending on the system, it may boot with BIOS or.

11:01.230 --> 11:04.350
It may boot with UEFI.

11:04.380 --> 11:15.420
So the BIOS will look for the master boot record of the boot device.

11:15.420 --> 11:21.270
So MBR is typical for BIOS.

11:22.660 --> 11:23.020
Here.

11:25.090 --> 11:34.710
MBR. So the MBR is located at sector zero and holds information about the partitions.

11:35.680 --> 11:36.550
So.

11:37.970 --> 11:38.600
Yes.

11:39.110 --> 11:42.860
So MBR holds the information about partitions.

11:59.980 --> 12:00.670
So.

12:04.650 --> 12:13.110
So it holds information about partitions and also holds information about the filesystem and the bootloader code

12:13.110 --> 12:14.970
for the installed operating system.

12:15.690 --> 12:21.120
So once they have found the bootloader here.

12:25.040 --> 12:26.630
And has been activated.

12:26.630 --> 12:34.130
Control is then passed over to the operating system to complete the boot process.

12:35.910 --> 12:36.360
So.

12:39.130 --> 12:45.460
The operating system for completing the boot process here.

12:50.040 --> 12:51.690
Operating system.

12:57.600 --> 12:58.320
So.

13:01.880 --> 13:03.140
After operating system.

13:04.010 --> 13:04.270
The.

13:06.860 --> 13:12.290
is promptly started and you can use the computer like so.

13:13.450 --> 13:14.740
Then we will.

13:14.740 --> 13:16.570
Let's go to UEFI.

13:16.600 --> 13:28.180
So UEFI, Unified Extensible Firmware Interface, as you can see here, is an enhanced version of

13:28.180 --> 13:28.750
BIOS.

13:28.750 --> 13:33.450
So UEFI will look for the GPT.

13:33.820 --> 13:39.630
So as you know, GPT is the GUID partition table.

13:39.640 --> 13:41.500
We will talk about it later.

13:43.170 --> 13:48.210
Then let's create a new one here.

13:50.130 --> 13:52.470
So UEFI will look for the GPT.

13:54.310 --> 13:55.150
Actually, it's.

13:56.180 --> 13:56.530
Right.

14:00.560 --> 14:01.150
GPT.

14:02.710 --> 14:03.220
Here.

14:08.850 --> 14:09.540
So.

14:10.780 --> 14:18.460
It will have a protective MBR to ensure legacy systems will not mistakenly read this as being unpartitioned

14:18.460 --> 14:19.900
and overwrite the data.

14:19.930 --> 14:29.470
It will also contain the partition entries and a backup partition table header, so a GPT disk can contain

14:29.470 --> 14:34.960
up to 128 partitions.

14:34.960 --> 14:42.940
Yes, GPT can contain up to 128 partitions for the Windows operating system, just like the BIOS scheme.

14:43.150 --> 14:51.550
Once the active partition and bootloader have been found, the operating system will take over the booting

14:51.550 --> 14:52.570
process.

14:55.150 --> 14:55.360
Here.

15:00.740 --> 15:08.450
So now that you understand the boot process, we still want to control the boot environment with the creation

15:08.450 --> 15:14.150
of forensic boot media, which we will discuss in the next lecture.

15:14.150 --> 15:15.010
So I'm waiting for you in the

15:15.030 --> 15:15.710
next lecture.

15:15.710 --> 15:22.640
Actually, we will have a little test, actually a practice test, after this lecture.

15:22.640 --> 15:23.270
So.

15:24.450 --> 15:30.270
I'm sure you can complete these practice tests at 100%.

15:30.270 --> 15:35.400
So after completing the practice tests, I'm waiting for you in the next lecture.

15:35.520 --> 15:36.510
Thank you for watching.
