10/16/2015

Assignment 5
CFR105

DANIEL HOWELL

Daniel Howell
CFR105
Assignment 5

Over the course of a computer investigator's career one will find multiple operating systems with varying degrees of difference based on the version of the operating system. The same is true for servers. The main area of interest in an investigation is the partitions that are on the system. Each of these operating systems has its own way of creating and managing partitions. For servers there are three types of operating systems that an investigator will encounter during their career. The first of the server partition systems is found on BSD Linux based systems. The second is Solaris Linux. The final is the GUID partition table, or GPT. Each of these systems requires different analysis considerations when being investigated.
BSD Linux systems are the most common Linux systems found during an investigation. BSD systems require IA32 based hardware in order to operate efficiently and are able to support eight to sixteen partitions. BSD uses DOS partitions to manage its partitions, unlike Apple devices, so some experience with DOS will help during the analysis process. Aside from that, the BSD operating systems function differently from each other because they all use different partitioning systems. There are three different kinds of BSD based systems in use today. The first BSD operating system is FreeBSD. FreeBSD automatically gives users access to all DOS and BSD partitions on the disk. It also uses different terminology than other systems. In FreeBSD a slice refers to each of the DOS partitions, and partition refers to the BSD partitions on the disk. All of the operations are fairly straightforward. However, NetBSD and OpenBSD do not operate the same way as FreeBSD. NetBSD and OpenBSD only give users access to the BSD partitions on the disk. They are both also able to create partitions anywhere on the disk, meaning they can have partitions outside the bounds of the DOS partition that the label is located in. These systems also load differently: once the kernel is loaded the operating system will ignore the DOS partition table. Both systems are still able to support
up to sixteen partitions, just like FreeBSD. When investigating a BSD system the investigator should first determine which type of BSD is running so that they can investigate the system accurately and thoroughly. After that they can determine the proper methods of investigation.
The Solaris operating system is less common than BSD since it is mostly used in corporate environments. If an investigator is working on a case involving a business of some kind, this server operating system will most likely be present. The partitioning system that it uses is based on the size of the disk. However, the disk label structure for Solaris is the same as BSD. Solaris uses the UFS file system for its partitions. The location of a partition is based on the mount point of the partition. A key feature of Solaris is that it is scalable, so it can support a large number of partitions. The analysis considerations are almost exactly the same as for BSD systems. However, some of the unused space in a partition can be used to store other data, so in an investigation one should always check unused space for possible information on the case. This is because the type field for the partitions does not have enforced rules. A helpful tip for investigating a Solaris system is that a signature value search can show where the partitions are located on the disk.
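The slice/partition distinction, the NetBSD/OpenBSD habit of placing partitions outside the DOS partition, and the signature-search tip above can all be exercised on a constructed image. The following is an added example, not code from the assignment or from any BSD or Solaris project: it builds a small disk image with one DOS partition (a BSD slice) whose second sector holds a BSD disklabel, finds that label by scanning every sector for its magic value, verifies the label checksum, and flags partitions that fall outside the slice. Field offsets follow the classic disklabel layout (magic at offsets 0 and 132, checksum at 136, partition count at 138, 16-byte entries from 148); treating partition offsets as absolute disk sectors is an assumption made here, and the fstype and DOS type codes used are the standard FFS, swap and 0xA5 values.

```python
"""Constructed BSD slice + disklabel image, signature search, checksum check,
and detection of BSD partitions lying outside the enclosing DOS partition."""
import struct

SECTOR = 512
DISKLABEL_MAGIC = 0x82564557
MAGIC_BYTES = struct.pack("<I", DISKLABEL_MAGIC)
DOS_TYPE_BSD = 0xA5          # DOS partition type used for BSD slices
FS_SWAP, FS_BSDFFS = 1, 7    # disklabel p_fstype values: swap, 4.2BSD FFS


def disklabel_checksum(label, end):
    """XOR of the 16-bit words from offset 0 to `end`; the checksum field itself counts as zero."""
    cksum = 0
    for off in range(0, end, 2):
        if off != 136:
            cksum ^= struct.unpack_from("<H", label, off)[0]
    return cksum


def build_disklabel(partitions, secperunit):
    """Return a 512-byte disklabel for (offset, size, fstype) tuples; only the fields used here are filled."""
    label = bytearray(SECTOR)
    struct.pack_into("<I", label, 0, DISKLABEL_MAGIC)
    struct.pack_into("<16s16s", label, 8, b"SCSI", b"constructed")
    struct.pack_into("<IIII", label, 40, SECTOR, 63, 16, secperunit // (63 * 16))  # geometry
    struct.pack_into("<II", label, 56, 63 * 16, secperunit)
    struct.pack_into("<I", label, 132, DISKLABEL_MAGIC)
    struct.pack_into("<H", label, 138, len(partitions))
    for i, (offset, size, fstype) in enumerate(partitions):
        struct.pack_into("<IIIBBH", label, 148 + 16 * i, size, offset, 0, fstype, 0, 0)
    struct.pack_into("<H", label, 136, disklabel_checksum(label, 148 + 16 * len(partitions)))
    return bytes(label)


def build_bsd_image():
    """Constructed 1 MiB image: one BSD slice at sector 63, its disklabel in sector 64."""
    nsect = 2048
    image = bytearray(nsect * SECTOR)
    slice_start, slice_len = 63, 1024
    struct.pack_into("<B3sB3sII", image, 446, 0x80, b"\0\0\0", DOS_TYPE_BSD, b"\0\0\0", slice_start, slice_len)
    image[510:512] = b"\x55\xaa"
    # a: FFS, b: swap, c: whole slice (BSD convention), d: FFS placed beyond the slice end,
    # which NetBSD/OpenBSD allow and which a slice-bounded view of the disk would miss
    parts = [(63, 512, FS_BSDFFS), (575, 512, FS_SWAP), (63, 1024, 0), (1500, 400, FS_BSDFFS)]
    image[(slice_start + 1) * SECTOR:(slice_start + 2) * SECTOR] = build_disklabel(parts, nsect)
    return bytes(image)


def dos_partitions(image):
    """Parse the four primary entries of the DOS partition table in sector 0."""
    out = []
    for i in range(4):
        _boot, _chs, ptype, _chs_end, start, length = struct.unpack_from("<B3sB3sII", image, 446 + 16 * i)
        if ptype:
            out.append({"type": ptype, "start": start, "length": length})
    return out


def find_disklabels(image):
    """Signature search: sectors whose bytes 0-3 and 132-135 both hold the disklabel magic."""
    hits = []
    for sec in range(len(image) // SECTOR):
        chunk = image[sec * SECTOR:(sec + 1) * SECTOR]
        if chunk[:4] == MAGIC_BYTES and chunk[132:136] == MAGIC_BYTES:
            hits.append(sec)
    return hits


def parse_disklabel(label):
    """Validate both magic values and the checksum, then return the non-empty partition entries."""
    if label[:4] != MAGIC_BYTES or label[132:136] != MAGIC_BYTES:
        raise ValueError("disklabel magic missing")
    stored, npart = struct.unpack_from("<HH", label, 136)
    if disklabel_checksum(label, 148 + 16 * npart) != stored:
        raise ValueError("disklabel checksum mismatch")
    parts = []
    for i in range(npart):
        size, offset, _fsize, fstype, _frag, _cpg = struct.unpack_from("<IIIBBH", label, 148 + 16 * i)
        if size:
            parts.append({"letter": chr(ord("a") + i), "offset": offset, "size": size, "fstype": fstype})
    return parts


def analyze_bsd(image):
    """Locate the label by signature, parse it, and report partitions outside the DOS slice."""
    label_sectors = find_disklabels(image)
    slices = [s for s in dos_partitions(image) if s["type"] == DOS_TYPE_BSD]
    report = {"label_sectors": label_sectors, "partitions": [], "outside_slice": []}
    if not label_sectors or not slices:
        return report
    first = label_sectors[0]
    parts = parse_disklabel(image[first * SECTOR:(first + 1) * SECTOR])
    lo, hi = slices[0]["start"], slices[0]["start"] + slices[0]["length"]
    report["partitions"] = parts
    report["outside_slice"] = [p["letter"] for p in parts if p["offset"] < lo or p["offset"] + p["size"] > hi]
    return report


if __name__ == "__main__":
    for key, value in analyze_bsd(build_bsd_image()).items():
        print(key, value)
```

Because the search keys on the magic value rather than on the DOS table, it would also surface a label whose DOS entry has been deleted or retyped; the `outside_slice` list is the case the text warns about, where carving only the slice would silently drop partition `d`.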
The final partition type that may be encountered is the GUID partition table, or GPT. This is a very rare partition type to find when investigating a case. GPT is for 64-bit systems running on IA64 hardware with the Extensible Firmware Interface (EFI). GPT disks are usually found on high end servers rather than desktops, but it is possible to see one on a desktop. It is able to support up to 128 partitions while using 64-bit addresses. The GPT disk has five major areas where different types of data are stored. The first area is the protective MBR, which contains the DOS partition table for the disk. The second is the GPT header, which defines the size and location of the partition table as well as the checksum for the partition table. The third is the partition table, which contains a starting
and ending address, a type value, a name, attribute flags, and a GUID value for each partition. The fourth area is the partition area, which is the largest area of the disk because it contains the space that will be allocated to the partitions that are created later. The final area is the backup area, where backup copies of the data structures are saved. Since GPT partitions are such a rare occurrence, there are almost no tools that support them for an investigation. A Linux system can break the disk up into file systems that can be analyzed by other tools. The Sleuth Kit can be used to break up the disk for an investigation, or the backup copies of the data structures can be used for examination as well. The GPT partition system also makes backups of important data structures automatically. Much like Solaris, unused space from partitions can be used to hide other data. Over the course of a case the investigator should check all unallocated space for hidden data.
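The five GPT areas, the header checksums, the automatic backup copies, and the advice (for both Solaris and GPT) to check unallocated space can be shown working together on a constructed image. The following is an added example and is not code from the assignment, from The Sleuth Kit, or from any GPT tool: it writes a protective MBR, a primary and a backup GPT header, and a 128-entry partition array into an in-memory disk, then verifies the CRC32 of each header and of the array, decodes the entries (start and end LBA, type GUID, name, attribute flags, partition GUID), checks that the backup agrees with the primary, and lists the usable sectors no partition claims. The partition type GUID is the published Linux filesystem data value; the disk and partition GUIDs and the layout (4096 sectors, two partitions with a 42-sector hole between them) are constructed for the example.

```python
"""Constructed GPT image: protective MBR, primary/backup headers, entry array,
CRC verification, backup comparison, and unallocated-range reporting."""
import struct
import uuid
import zlib

SECTOR = 512
GPT_SIG = b"EFI PART"
HDR_FMT = "<8sIIIIQQQQ16sQIII"      # 92-byte GPT header
ENTRY_FMT = "<16s16sQQQ72s"         # 128-byte partition entry
N_ENTRIES, ENTRY_SIZE = 128, 128    # array = 16384 bytes = 32 sectors
LINUX_FS = uuid.UUID("0fc63daf-8483-4772-8e79-3d69d8477de4")  # Linux filesystem data type GUID


def crc32(data):
    return zlib.crc32(data) & 0xFFFFFFFF


def build_header(my_lba, alt_lba, first_usable, last_usable, disk_guid, entries_lba, entries):
    """Pack the header with its CRC field zeroed, then patch in the CRC over all 92 bytes."""
    hdr = struct.pack(HDR_FMT, GPT_SIG, 0x00010000, 92, 0, 0, my_lba, alt_lba, first_usable, last_usable,
                      disk_guid.bytes_le, entries_lba, N_ENTRIES, ENTRY_SIZE, crc32(entries))
    return hdr[:16] + struct.pack("<I", crc32(hdr)) + hdr[20:]


def build_entries(parts):
    """Entry array for (type_guid, first_lba, last_lba, name); partition GUIDs are constructed."""
    buf = bytearray(N_ENTRIES * ENTRY_SIZE)
    for i, (ptype, first, last, name) in enumerate(parts):
        struct.pack_into(ENTRY_FMT, buf, i * ENTRY_SIZE, ptype.bytes_le, uuid.UUID(int=i + 1).bytes_le,
                         first, last, 0, name.encode("utf-16-le"))
    return bytes(buf)


def build_gpt_image():
    """Constructed 2 MiB disk: root at 34-1057, data at 1100-2123, backup structures at the end."""
    nsect = 4096
    image = bytearray(nsect * SECTOR)
    # protective MBR: a single type 0xEE entry starting at LBA 1 covering the rest of the disk
    struct.pack_into("<B3sB3sII", image, 446, 0, b"\0\x02\0", 0xEE, b"\xff\xff\xff", 1, nsect - 1)
    image[510:512] = b"\x55\xaa"
    entries = build_entries([(LINUX_FS, 34, 1057, "root"), (LINUX_FS, 1100, 2123, "data")])
    disk_guid = uuid.UUID(int=0xC0FFEE)
    first_usable, last_usable = 34, nsect - 34          # 32 array sectors + header at each end
    image[SECTOR:SECTOR + 92] = build_header(1, nsect - 1, first_usable, last_usable, disk_guid, 2, entries)
    image[2 * SECTOR:2 * SECTOR + len(entries)] = entries
    image[(nsect - 33) * SECTOR:(nsect - 33) * SECTOR + len(entries)] = entries      # backup array
    image[(nsect - 1) * SECTOR:(nsect - 1) * SECTOR + 92] = build_header(            # backup header
        nsect - 1, 1, first_usable, last_usable, disk_guid, nsect - 33, entries)
    return bytes(image)


def parse_header(image, lba):
    """Check signature, header CRC and MyLBA of the header stored at `lba`."""
    raw = image[lba * SECTOR:lba * SECTOR + 92]
    (sig, _rev, hsize, stored_crc, _res, my_lba, alt_lba, first_u, last_u,
     guid, ent_lba, nent, esize, ecrc) = struct.unpack(HDR_FMT, raw)
    if sig != GPT_SIG:
        raise ValueError(f"no GPT signature at LBA {lba}")
    if crc32(raw[:16] + b"\0\0\0\0" + raw[20:hsize]) != stored_crc:
        raise ValueError(f"header CRC mismatch at LBA {lba}")
    if my_lba != lba:
        raise ValueError("header MyLBA disagrees with where it was found")
    return {"alt_lba": alt_lba, "first_usable": first_u, "last_usable": last_u, "disk_guid": uuid.UUID(bytes_le=guid),
            "entries_lba": ent_lba, "nentries": nent, "entry_size": esize, "entries_crc": ecrc}


def parse_entries(image, hdr):
    """Verify the array CRC recorded in the header, then decode every non-empty entry."""
    start = hdr["entries_lba"] * SECTOR
    raw = image[start:start + hdr["nentries"] * hdr["entry_size"]]
    if crc32(raw) != hdr["entries_crc"]:
        raise ValueError("partition entry array CRC mismatch")
    parts = []
    for i in range(hdr["nentries"]):
        ptype, pguid, first, last, attrs, name = struct.unpack_from(ENTRY_FMT, raw, i * hdr["entry_size"])
        if ptype != bytes(16):   # all-zero type GUID marks an unused entry
            parts.append({"index": i + 1, "type": uuid.UUID(bytes_le=ptype), "guid": uuid.UUID(bytes_le=pguid),
                          "first": first, "last": last, "attrs": attrs, "name": name.decode("utf-16-le").rstrip("\0")})
    return parts


def unallocated_ranges(hdr, parts):
    """Inclusive sector ranges inside the usable area that no partition claims."""
    gaps, cursor = [], hdr["first_usable"]
    for p in sorted(parts, key=lambda p: p["first"]):
        if p["first"] > cursor:
            gaps.append((cursor, p["first"] - 1))
        cursor = max(cursor, p["last"] + 1)
    if cursor <= hdr["last_usable"]:
        gaps.append((cursor, hdr["last_usable"]))
    return gaps


def analyze_gpt(image):
    """Validate MBR, both headers and both arrays; report partitions, backup agreement and gaps."""
    _, _, mbr_type, _, mbr_start, _ = struct.unpack_from("<B3sB3sII", image, 446)
    primary = parse_header(image, 1)
    backup = parse_header(image, primary["alt_lba"])
    parts, backup_parts = parse_entries(image, primary), parse_entries(image, backup)
    return {"protective_mbr": image[510:512] == b"\x55\xaa" and mbr_type == 0xEE and mbr_start == 1,
            "partitions": parts,
            "backup_matches": [(p["first"], p["last"]) for p in parts] == [(p["first"], p["last"]) for p in backup_parts],
            "unallocated": unallocated_ranges(primary, parts)}
```

If the primary header fails its CRC, the same `parse_header` call can be pointed at the last sector of the disk to read the backup copy, which is the recovery path the text describes; the `unallocated` ranges (here the 42 sectors between the two partitions and the tail before the backup array) are the regions to carve for hidden data.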
Even though all three partition types have some similarities, they operate under different analysis considerations based on which operating system and partition system are running. While FreeBSD, NetBSD, and OpenBSD are all BSD based systems, there are different methods for investigating each of them efficiently. Since this is the most common Linux partition system, all investigators should become familiar with it. For Solaris, since it is mostly found in businesses and is similar in operation to BSD systems, it should be fairly easy to navigate and examine if one has worked with a BSD system before. Finally, GPT is rare and hard to work with, but it is still possible to perform an investigation efficiently. Of these partition types, none is greater than the others; some are just more common in the average environment. It is important that a computer investigator knows how to work with all of these systems.