1. Do not turn the computer off or on, run any programs, or attempt to access data on the computer.
2. Secure any relevant media, including hard drives, cell phones, DVDs, USB drives, etc., that the subject may have used.
3. Suspend document destruction and recycling that may pertain to relevant media or users at the time of issue.
4. Perform a preliminary assessment of the crime scene and identify the type of data you are seeking, the information you are looking for, and the urgency level of the examination.
5. Once the machine is secured, obtain information about the machine, the peripherals, and the network to which it is connected.
6. If possible, obtain passwords to access encrypted or password-protected files.
7. Compile a list of names, e-mail addresses, and other information of those with whom the subject might have communicated.
8. If the computer is accessed before the forensic expert is able to secure a mirror image, note the user(s) who accessed it, what files were accessed, and when the access occurred. If possible, find out why the computer was accessed.
9. Maintain a chain of custody for each piece of original media, indicating where the media has been, whose possession it has been in, and the reason for that possession.
10. Create a list of keywords or phrases to use when searching for relevant data.

1. System switches ON, CPU sends a Power Good signal to the motherboard and checks for the computer's
2. BIOS starts a POST and loads all the firmware settings from nonvolatile memory on the
3. If POST is successful, add-on adapters perform a self-test for integration with the system.
4. The pre-boot process will complete with POST, detecting a valid system boot disk.
5. After POST, the computer's firmware scans the boot disk and loads the master boot record (MBR), which searches for basic boot information in Boot Configuration Data (BCD).
6. MBR triggers Bootmgr.exe, which locates the Windows loader (Winload.exe) on the Windows
7. Windows loader loads the OS kernel ntoskrnl.exe.
8. Once the kernel starts running, the Windows loader loads HAL.DLL, boot-class device drivers marked as BOOT_START and the SYSTEM registry hive into memory.
9. The kernel passes control of the boot process to the Session Manager Process (SMSS.exe), which loads all other registry hives and drivers required to configure the Win32 subsystem run
10. Session Manager Process triggers Winlogon.exe, which presents the user logon screen for
11. Session Manager Process initiates the Service Control Manager, which starts all the services, the rest of the non-essential device drivers, the security subsystem LSASS.EXE and Group policy
12. Once the user logs in, Windows creates a session for the user.
13. Service Control Manager starts Explorer.exe and initiates the Desktop Window Manager (DWM) process, which sets up the desktop for the user.

1. Activation of BootROM, which initializes system hardware and selects an operating system to run.
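The Windows boot sequence above separates drivers marked BOOT_START, which the Windows loader brings into memory together with the SYSTEM hive, from the services and drivers that the Service Control Manager starts later. The following Python is an added example, not part of the original page: it reads the `Start` and `Type` values from a constructed `.reg`-style export of the Services key and lists boot-start drivers whose image lies outside `System32\drivers`. The sample key names, the driver names and the path check are assumptions made for illustration; the `Start` and `Type` meanings are the standard Windows service configuration values.

```python
import re

# Start values stored under HKLM\SYSTEM\CurrentControlSet\Services\<name>
START_PHASE = {0: "BOOT_START", 1: "SYSTEM_START", 2: "AUTO_START",
               3: "DEMAND_START", 4: "DISABLED"}
DRIVER_TYPES = {1, 2}  # Type 1 = kernel driver, 2 = file-system driver

# Constructed sample (.reg export syntax, made-up names, ImagePath as plain string)
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\disk]
"Start"=dword:00000000
"Type"=dword:00000001
"ImagePath"="System32\\drivers\\disk.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\examplefilter]
"Start"=dword:00000000
"Type"=dword:00000001
"ImagePath"="\\??\\C:\\Users\\Public\\examplefilter.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ExampleSvc]
"Start"=dword:00000002
"Type"=dword:00000010
"ImagePath"="C:\\Program Files\\Example\\svc.exe"
'''

def parse_services(reg_text):
    """Return {service: {value_name: value}} for keys directly under Services."""
    services, current = {}, None
    for line in map(str.strip, reg_text.splitlines()):
        key = re.fullmatch(r"\[.*\\Services\\([^\\\]]+)\]", line)
        val = re.fullmatch(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")', line)
        if key:
            current = services.setdefault(key.group(1), {})
        elif line.startswith("["):
            current = None  # subkey or unrelated key: ignore its values
        elif val and current is not None:
            current[val.group(1)] = (int(val.group(2), 16) if val.group(2)
                                     else val.group(3).replace("\\\\", "\\"))
    return services

def start_phase(services):
    """Map each driver or service to the start type that decides when it loads."""
    return {n: START_PHASE.get(v.get("Start"), "UNKNOWN") for n, v in services.items()}

def boot_start_outside_driver_dir(services):
    """Boot-start drivers whose image is not under System32\\drivers: review these."""
    return sorted(
        n for n, v in services.items()
        if v.get("Start") == 0 and v.get("Type") in DRIVER_TYPES
        and v.get("ImagePath")  # no ImagePath means the default drivers directory
        and "system32\\drivers\\" not in v["ImagePath"].lower())
```

A flagged entry is a starting point for review during triage, not proof of tampering.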