CSE4004: Digital Forensics Assignment 4: Boot Sector Sequence


CSE4004: Digital Forensics

Assignment 4
Name: Aditya Singh
Reg. no: 18BCE0595

Boot sector sequence:


Each time a computer boots up, it goes through an initial series of
processes. This sequence of events is aptly named a "boot sequence."
During the boot sequence, the computer activates the necessary hardware
components and loads the appropriate software so that a user can interact
with the machine.

The boot sequence starts by accessing the computer's BIOS on Windows
PCs or the system ROM on a Macintosh. The BIOS and ROM contain
basic instructions that tell the computer how to boot up. These instructions
are then passed to the computer's CPU, which begins loading information
into the system RAM. Once a valid boot disk or startup disk is found, the
computer begins loading the operating system into the system memory.
After the operating system finishes loading, the computer is ready to be
used.

The boot sequence can take anywhere from a few seconds to several
minutes, depending on the computer's configuration. If the system is
booting from a CD or DVD, the boot time may be significantly longer than if
the computer is booted from a hard drive. Also, if your computer was turned
off unexpectedly, the boot time might increase since the system may
perform some additional checks to make sure everything is OK.

Prior to the boot sequence is the power-on self-test (POST), which is the
initial diagnostic test performed by a computer when it is switched on.
When POST is finished, the boot sequence begins. If there are problems
during POST, the user is alerted by beep codes, POST codes or on-screen
POST error messages.

Unless programmed otherwise, the BIOS looks for the OS on drive A first,
then looks for drive C. It is possible to modify the boot sequence from
BIOS settings. Different BIOS models have different key combinations and
onscreen instructions to enter the BIOS and change the boot sequence.
Normally, after the POST, BIOS will try to boot using the first device
assigned in the BIOS boot order. If that device is not suitable for booting,
then the BIOS will try to boot from the second device listed, and this
process continues till the BIOS finds the boot code from the devices
listed.

If the boot device is not found, an error message is displayed and the
system crashes or freezes. Errors can be caused by an unavailable boot
device, boot sector viruses or an inactive boot partition.
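
The boot-sector checks described above (a device "not suitable for booting", an inactive boot partition) can be reproduced on a disk image during an examination. The following is an added example, not part of the original assignment: it parses a classic 512-byte MBR and reports why a legacy BIOS boot would fail. The function names and the sample sector are constructed for illustration.

```python
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446        # boot code occupies bytes 0-445
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510-511 of a valid boot sector

def parse_mbr(sector: bytes) -> dict:
    """Parse a classic MBR and list reasons a legacy BIOS boot would fail."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    partitions, findings = [], []
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba, count = struct.unpack("<B3xB3xII", sector[off:off + 16])
        if ptype == 0x00:          # unused slot
            continue
        if status not in (0x00, 0x80):
            findings.append(f"entry {i}: invalid status byte 0x{status:02x}")
        partitions.append({"index": i, "active": status == 0x80,
                           "type": ptype, "lba_start": lba, "sectors": count})
    active = sum(p["active"] for p in partitions)
    if active == 0:
        findings.append("no active (bootable) partition")
    elif active > 1:
        findings.append("more than one active partition")
    return {"partitions": partitions, "findings": findings}

def build_sample_sector(active: bool = True, signed: bool = True) -> bytes:
    """Constructed sample: one type 0x07 partition at LBA 2048, empty boot code."""
    sector = bytearray(SECTOR_SIZE)
    sector[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 16] = struct.pack(
        "<B3xB3xII", 0x80 if active else 0x00, 0x07, 2048, 204800)
    if signed:
        sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)

if __name__ == "__main__":
    for label, sec in [("healthy", build_sample_sector()),
                       ("inactive partition", build_sample_sector(active=False)),
                       ("no signature", build_sample_sector(signed=False))]:
        print(label, "->", parse_mbr(sec)["findings"] or "bootable layout")
```

On a real case, read the first 512 bytes of a write-blocked image into `parse_mbr` instead of the constructed sector.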

Registry editor:

Why use a registry editor?

● Registries are Robust

● Helps individual software communicate better

● Stores data in a hierarchical structure to keep things organized

● Serves as an archive for collecting and storing configuration settings.

● Supports multiple users (User-specific data)

● System Components are stored in main folders called HIVE

● The information is Time Stamped

Importance of Registry in Windows Forensics:

1. Windows Registry can be considered as a gold mine of forensic evidence.

2. We can create new registries manually or we can modify the ones that already exist.

3. Original files that contain registry values are stored in the system directory itself.

4. Registry files are system protected and cannot be accessed by any user unless administrative access is provided.

5. For investigation purposes, the forensic investigator analyzes registry files via tools such as Registry Viewer, Regshot, Registry Browser, etc.

6. Trojans and Malware information can be found in the registries.


Implementation:

To get information about the Wi-Fi connected to the computer, along with
network status and other information.

USB history viewer:
