Forensics
Module -1: How Windows Works
Preface
• BIOS/UEFI
– When the system is powered on, firmware—the lowest level of software programmed into the actual hardware—begins the boot process by locating the OS software to launch.
• OS Load
– An OS kernel is located and executed.
– This in turn identifies its resources, such as hardware devices and the filesystems they support.
– Filesystems are mounted so that the kernel can access the initial services it needs to execute.
The Boot Sequence (cont.)
• System Configuration
– The initial services will have been configured to run in specific ways depending on the intended use of the system itself.
– It may be a server intended to provide network-based services to multiple users.
– It may be a more “single user” system with a graphical interface for ease of use by an “end user.”
• Loading System Utilities
– In any case, system utilities will be executed to provide the services required:
o “Background” utilities, which run without the need for user input, provide users with the necessary ability to interact with the system.
o “Foreground” utilities provide users with the actual system interactivity.
User Authentication
• Once the system has booted, a user (or users) will be provided with the ability to interact with and use the system for its intended purposes.
• Most commonly, this requires some form of authentication:
– Some systems allow totally anonymous use (such as HTTP).
– Some systems allow activity based on “role-based” authentication (belonging to a particular group).
o In Active Directory, systems must authenticate to join the Domain.
o They become part of the group of Domain-controlled systems, and inherit configurations and policies for role-based behavior.
– Most systems require individual authentication, even to join the allowed group.
• These days, individual multi-factor authentication is commonly required to defend against the brute-forcing of credentials.
Windows Background and Support Processes
• 16-character “challenge/response”
• Still no salt
• Interception of challenges leads to “pass-the-hash” attacks.
– The password never needs to be known.
– The hash itself is sufficient for authentication.
• Solution: Active Directory and Kerberos
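The two weaknesses listed above, as an added toy example that is not part of the original slides and does not model any real Windows protocol: an unsalted password hash makes equal passwords produce equal hashes, and a challenge/response computed from that hash alone means whoever holds the hash can answer the challenge, so the stored hash must be protected like the password itself. The hashing construction, the 16-byte challenge and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed scheme (constructed for illustration): the server stores H(password)
# with no salt and authenticates with HMAC(stored_hash, challenge).

def unsalted_hash(password: str) -> bytes:
    """Store only H(password): identical passwords yield identical hashes."""
    return hashlib.sha256(password.encode()).digest()

def salted_hash(password: str, salt: bytes) -> bytes:
    """Per-user salt: identical passwords yield different hashes."""
    return hashlib.sha256(salt + password.encode()).digest()

def make_challenge() -> bytes:
    """Server-side 16-byte random challenge, sent to the client."""
    return secrets.token_bytes(16)

def respond(credential: bytes, challenge: bytes) -> bytes:
    """Client proves possession of the credential (the hash), not the password."""
    return hmac.new(credential, challenge, hashlib.sha256).digest()

def server_verify(stored_hash: bytes, challenge: bytes, response: bytes) -> bool:
    """Server recomputes the expected response from its stored hash."""
    return hmac.compare_digest(respond(stored_hash, challenge), response)

def demo():
    # No salt: two users with the same password share one hash, so a single
    # precomputed table matches every account that uses that password.
    alice = unsalted_hash("Winter2024!")
    bob = unsalted_hash("Winter2024!")
    same_hash_same_password = alice == bob
    salted_differs = salted_hash("Winter2024!", b"s1") != salted_hash("Winter2024!", b"s2")

    chal = make_challenge()
    # Normal login: the client derives the hash from the typed password.
    legit_ok = server_verify(alice, chal, respond(unsalted_hash("Winter2024!"), chal))
    # Hash-only: a party holding just `alice` (never the password) is accepted
    # too, which is why the hash is a password-equivalent secret.
    hash_only_ok = server_verify(alice, chal, respond(alice, chal))
    # A different credential is rejected, so the check itself is sound.
    wrong_rejected = not server_verify(alice, chal, respond(unsalted_hash("other"), chal))
    return same_hash_same_password, salted_differs, legit_ok, hash_only_ok, wrong_rejected

if __name__ == "__main__":
    print(demo())
```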
Module Quiz