SCI4201 Lecture 8 - Macintosh and Linux Boot Processes and File Systems

The document discusses the boot processes and file systems of Macintosh, UNIX, and Linux operating systems. It explains that Macintosh uses the Hierarchical File System (HFS) and Extended File System (HFS+), with files stored in nested directories. The Mac boot process involves starting the hardware, locating the startup disk, opening system files, and loading extensions before launching the Finder. UNIX and Linux systems view everything as a file and use inodes to store file metadata and link to data blocks. The boot process loads a boot program from the boot block which loads the kernel to initialize devices and mount partitions before starting services.

Uploaded by

onele mabhena

Digital Forensics

Lecture 8
Macintosh and Linux Boot Processes and File Systems
Objectives
• Explain Macintosh file structures and the
boot process
• Explain UNIX and Linux disk structures
and boot processes
• Describe other disk structures
Understanding the Macintosh
File Structure and Boot Process
• Hierarchical File System (HFS)
– Files stored in nested directories (folders)
• Extended Format File System (HFS+)
– Introduced with Mac OS 8.1
– Supports smaller file sizes on larger
volumes, resulting in more efficient disk use
Understanding the Macintosh
File Structure and Boot Process
(continued)
• File Manager utility
– Reading, writing, and storing data to physical
media
• Finder
– Keeps track of files and maintains users’
desktops
Understanding Macintosh OS 9
Volumes
• A volume is any storage medium used to
store files
– Can be all or part of a hard disk
– On a floppy disk, it is always the entire disk
• Allocation and logical blocks
– Logical blocks cannot exceed 512 bytes
– Allocation blocks are a set of consecutive
logical blocks
Exploring Macintosh Boot Tasks

• The boot process for OS 9 is as follows:
– 1. Power on the computer
– 2. Hardware self-test and Open Firmware run
– 3. Macintosh OS starts
– 4. The startup disk is located
– 5. System files are opened
– 6. System extensions are loaded
– 7. OS 9 Finder starts
Exploring Macintosh Boot Tasks
(continued)
• Older Macintosh OSs use
– First two logical blocks as boot blocks
– Master Directory Block (MDB) or Volume
Information Block (VIB)
• Stores all information about a volume
– Volume Control Block (VCB)
• Stores information from the MDB when OS mounts
• Extents overflow file
– Stores any file information not in the MDB or a
VCB
Exploring Macintosh Boot Tasks
(continued)
• Catalog
– Listing of all files and directories on the volume
– Maintains relationships between files and
directories
• Volume Bitmap
– Tracks used and unused blocks on a volume
• Mac OS 9 uses the B*-tree file system for File
Manager
– Actual file data is stored on the leaf nodes
– B*-tree also uses header, index, and map nodes
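An added example, not part of the lecture: a Python parser for the Master Directory Block described above, which sits in logical block 2 right after the two boot blocks. Field offsets follow the classic HFS MDB layout; the function names and the sample volume are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta

LOGICAL_BLOCK = 512
MDB_OFFSET = 2 * LOGICAL_BLOCK       # logical blocks 0 and 1 are the boot blocks
HFS_SIGNATURE = 0x4244               # "BD" in drSigWord
MAC_EPOCH = datetime(1904, 1, 1)     # HFS timestamps: local-time seconds since 1904

def parse_mdb(img):
    """Decode the volume-level fields of an HFS Master Directory Block."""
    (sig, created, modified, _attrs, root_files, bitmap_start, _alloc_ptr,
     n_alloc, alloc_size, _clump, alloc_start, _next_id, free_alloc) = \
        struct.unpack_from(">HIIHHHHHIIHIH", img, MDB_OFFSET)
    if sig != HFS_SIGNATURE:
        raise ValueError("no HFS signature in logical block 2")
    name_len = min(img[MDB_OFFSET + 36], 27)            # drVN is a Pascal string
    name = img[MDB_OFFSET + 37:MDB_OFFSET + 37 + name_len].decode("mac_roman")
    return {
        "name": name,
        "created": MAC_EPOCH + timedelta(seconds=created),
        "modified": MAC_EPOCH + timedelta(seconds=modified),
        "root_files": root_files,
        "logical_per_allocation": alloc_size // LOGICAL_BLOCK,
        "volume_bytes": n_alloc * alloc_size,
        "free_bytes": free_alloc * alloc_size,
        "bitmap_offset": bitmap_start * LOGICAL_BLOCK,
        "first_allocation_offset": alloc_start * LOGICAL_BLOCK,
    }

def build_sample_mdb():
    """Constructed 2 KiB image holding only boot blocks and an MDB."""
    img = bytearray(4 * LOGICAL_BLOCK)
    struct.pack_into(">HIIHHHHHIIHIH", img, MDB_OFFSET, HFS_SIGNATURE,
                     3_000_000_000, 3_000_086_400, 0x0100, 3, 3, 0,
                     1000, 2048, 8192, 16, 20, 250)
    label = b"Evidence"
    img[MDB_OFFSET + 36] = len(label)
    img[MDB_OFFSET + 37:MDB_OFFSET + 37 + len(label)] = label
    return bytes(img)

if __name__ == "__main__":
    for key, value in parse_mdb(build_sample_mdb()).items():
        print(f"{key}: {value}")
```

The timestamps are stored as local time, so the examiner still has to establish the time zone of the machine that wrote the volume.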
Using Macintosh Forensic
Software
• Tools and vendors
– BlackBag Technologies
– SubRosaSoft MacForensicsLab
– Guidance EnCase
– X-Ways Forensics
– ProDiscover Forensic Edition
– Sleuth Kit and Autopsy
Examining UNIX and Linux Disk
Structures and Boot Processes
• UNIX flavors
– System V variants, Sun Solaris, IBM AIX, and
HP-UX
– BSD, FreeBSD, OpenBSD, and NetBSD
• Linux distributions
– Red Hat, Fedora, Ubuntu, and Debian
– Most consistent UNIX-like OSs
• Linux kernel is regulated under the GNU
General Public License (GPL)
agreement
Examining UNIX and Linux Disk
Structures and Boot Processes

(continued)
• BSD license is similar to the GPL
– But makes no requirements for derivative
works
• Some useful Linux commands to find
information about your Linux system
– uname -a
– ls -l
– ls -ul filename
– netstat -s
Examining UNIX and Linux Disk
Structures and Boot Processes

(continued)
• Linux file systems
– Second Extended File System (Ext2fs)
– Ext3fs, journaling version of Ext2fs
• Employs inodes
– Contain information about each file or
directory
– Pointer to other inodes or blocks
– Keep internal link count
• Deleted inodes have count value 0
UNIX and Linux Overview
• Everything is a file
– Files are objects with properties and methods
• UNIX consists of four components
• Boot block
– Block is a disk allocation unit of at least 512
bytes
– Contains the bootstrap code
– UNIX/Linux computer has only one boot
block, located on the main hard disk
UNIX and Linux Overview
(continued)
• Superblock
– Indicates disk geometry, available space,
and location of the first inode
– Manages the file system
• Inode blocks
– First data after the superblock
– Assigned to every file allocation unit
• Data blocks
– Where directories and files are stored
– This location is linked directly to inodes
UNIX and Linux Overview
(continued)
• Bad block inode
– Keeps track of disk’s bad sectors
• Linux ls command displays information
about files and directories
• Continuation inode
– Provides information about a file or directory
• Mode and file type, the quantity of links in the file
or directory, the file or directory status flag
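An added example, not part of the lecture: a Python walk from the superblock to the inode table of an Ext2 image that reports inodes whose link count is 0, the deleted-file marker described above. Offsets follow the Ext2 on-disk layout (revision 1 assumed); the function names and the 8 KiB sample image are constructed for illustration.

```python
import struct

SB_OFFSET, EXT2_MAGIC = 1024, 0xEF53   # superblock follows the 1024-byte boot area

def parse_superblock(img):
    """Decode the superblock: geometry, free space, first usable inode."""
    f = struct.unpack_from("<11I", img, SB_OFFSET)               # bytes 0..43
    (magic,) = struct.unpack_from("<H", img, SB_OFFSET + 56)
    if magic != EXT2_MAGIC:
        raise ValueError("no ext2 magic (0xEF53) at image offset 1080")
    first_ino, inode_size = struct.unpack_from("<IH", img, SB_OFFSET + 84)
    return {"inodes": f[0], "blocks": f[1], "free_blocks": f[3],
            "free_inodes": f[4], "first_data_block": f[5],
            "block_size": 1024 << f[6], "inodes_per_group": f[10],
            "first_inode": first_ino, "inode_size": inode_size}

def deleted_inodes(img, sb, group=0):
    """List (inode number, size, deletion time) where the link count is 0."""
    bs = sb["block_size"]
    gd = (sb["first_data_block"] + 1) * bs + 32 * group          # group descriptor
    (table_block,) = struct.unpack_from("<I", img, gd + 8)       # bg_inode_table
    hits = []
    for i in range(sb["inodes_per_group"]):
        off = table_block * bs + i * sb["inode_size"]
        mode, _uid, size = struct.unpack_from("<HHI", img, off)
        dtime, _gid, links = struct.unpack_from("<IHH", img, off + 20)
        if mode and links == 0:            # once allocated, no names left
            hits.append((group * sb["inodes_per_group"] + i + 1, size, dtime))
    return hits

def build_sample_image():
    """Constructed 8 KiB image: one group, 16 inodes, inode table at block 5."""
    img = bytearray(8 * 1024)
    struct.pack_into("<7I", img, SB_OFFSET, 16, 8, 0, 1, 4, 1, 0)
    struct.pack_into("<I", img, SB_OFFSET + 40, 16)
    struct.pack_into("<H", img, SB_OFFSET + 56, EXT2_MAGIC)
    struct.pack_into("<IH", img, SB_OFFSET + 84, 11, 128)
    struct.pack_into("<I", img, 2 * 1024 + 8, 5)
    for num, mode, size, dtime, links in [
            (2, 0o040755, 1024, 0, 2),              # root directory, live
            (12, 0o100644, 300, 0, 1),              # regular file, live
            (13, 0o100644, 4096, 1700000000, 0)]:   # regular file, deleted
        off = 5 * 1024 + (num - 1) * 128
        struct.pack_into("<HHI", img, off, mode, 0, size)
        struct.pack_into("<IHH", img, off + 20, dtime, 0, links)
    return bytes(img)

if __name__ == "__main__":
    print(deleted_inodes(build_sample_image(), parse_superblock(build_sample_image())))
```

Run against a working copy of an acquired image rather than the original evidence; never-used inodes are skipped because their mode field is still zero.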
Understanding UNIX and Linux
Boot Processes
• Instruction code in firmware is loaded into
RAM
• Instruction code then:
– Checks the hardware
– Loads the boot program
• Boot program
– Loads kernel
– Transfers control to kernel
• Kernel’s first task is to identify all devices
Understanding UNIX and Linux
Boot Processes (continued)
• Kernel
– Boots system in single-user mode
– Runs startup scripts
– Changes to multiuser mode
– Identifies root directory, swap, and dump files
– Sets hostname and time zone
– Runs consistency checks on the file system
and mounts partitions
– Starts services and sets up the NIC
– Establishes user and system accounting and
Understanding Linux Loader
and GRUB
• Linux Loader (LILO)
– Old boot manager
– Can start two or more OSs
– Uses configuration file Lilo.conf
• Grand Unified Boot Loader (GRUB)
– More powerful than LILO
– Like LILO, it resides in the MBR
– Command line or menu driven
Understanding UNIX and Linux
Drives and Partition Schemes
• Labeled as path starting at root (/)
directory
– Primary master disk (/dev/hda)
• First partition is /dev/hda1
• Second partition is /dev/hda2
– Primary slave or secondary master or slave
(/dev/hdb)
• First partition is /dev/hdb1
– SCSI controllers
• /dev/sda with first partition /dev/sda1
• Linux treats SATA, USB, and FireWire devices the
Examining UNIX and Linux Disk
Structures
• Most commercial computer forensics
tools can analyze UNIX UFS and UFS2
– And Linux Ext2, Ext3, ReiserFS, and Reiser4
file systems
• Freeware tools include Sleuth Kit and its
Web browser interface, Autopsy Browser
• Foremost
– A freeware carving tool that can read many
image file formats
Summary
• Macintosh uses HFS
– Hierarchical structure
• Mac OS file structure
– Data fork and resource fork
• Volume refers to any storage media
– Allocation and logical blocks
• Ext2fs uses inodes
– Ext3fs: journaling version of Ext2fs
• Linux file structure
– Metadata and data
Thank You!
