8.2 Basic Operation of Computers



Each time a computer is turned on, it must familiarize itself with its internal components and the peripheral world. This start-up process is called the boot process, because it is as if a computer has to pull itself up by its bootstraps. The boot process has three basic stages: the Central Processing Unit (CPU) reset, the Power-On Self Test (POST), and the disk boot.

8.2.1 Central Processing Unit

The CPU is the core of any computer. Everything depends on the CPU's ability to process the instructions that it receives. So, the first stage in the boot process is to get the CPU started (reset) with an electrical pulse. This pulse is usually generated when the power switch or button is activated but can also be initiated over a network on some systems. Once the CPU is reset, it starts the computer's basic input and output system (BIOS) (Figure 8.2).

Figure 8.2: An electrical pulse resets the CPU, which, in turn, activates the BIOS.

8.2.2 Basic Input and Output System

The BIOS deals with the basic movement of data around the computer. Every program run on a computer uses the BIOS to communicate with the CPU. Some BIOS programs allow an individual to set a password; until the password is typed in, the BIOS will not run and the computer will not function.

8.2.3 Power-On Self Test and CMOS Configuration Tool

The BIOS contains a program called the Power-On Self Test (POST) that tests the fundamental components of the computer. When the CPU first activates the BIOS, the POST program is initiated. To be safe, the first test verifies the integrity of the CPU and POST program itself. The rest of the POST verifies that all of the computer's components are functioning properly, including the disk drives, monitor, RAM, and keyboard. Notably, after the BIOS is activated and before the POST is complete, there is an opportunity to interrupt the boot process and have it perform specific actions. For instance, Intel-based computers allow the user to open the Complementary Metal Oxide Silicon (CMOS) configuration tool at this stage. Computers use CMOS RAM chips to retain the date, time, hard drive parameters, and other configuration details while the computer's main power is off. A small battery powers the CMOS chip - older computers may not boot even when the main power is turned on because this CMOS battery is depleted, causing the computer to "forget" its hardware settings.

Using the CMOS configuration tool, it is possible to determine the system time, ascertain whether the computer will try to find an operating system on the primary hard drive or another disk first, and change basic computer settings as needed. When collecting digital evidence from a computer, it is often necessary to interrupt the boot process and examine CMOS settings such as the system date and time, the configuration of hard drives, and the boot sequence. In some instances it may be necessary to change the CMOS settings to ensure that the computer will boot from a floppy diskette rather than the evidentiary hard drive (see Section 8.2.4).
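The following added example (not from the book) decodes the date and time from a raw CMOS dump and compares it with a trusted reference clock, which is the value an examiner records at this stage. It assumes a dump that some acquisition tool has already produced, the standard PC/AT real-time-clock register layout, and a century byte at offset 0x32, which is common but not universal; the sample dump and reference time are constructed.

```python
from datetime import datetime

# Standard PC/AT real-time-clock register offsets within CMOS RAM.
SEC, MIN, HOUR, DAY, MONTH, YEAR, STATUS_B = 0x00, 0x02, 0x04, 0x07, 0x08, 0x09, 0x0B
CENTURY = 0x32  # assumption: common location, not guaranteed on every board


def bcd(b):
    """Convert one packed-BCD byte (e.g. 0x59) to its integer value (59)."""
    hi, lo = b >> 4, b & 0x0F
    if hi > 9 or lo > 9:
        raise ValueError(f"invalid BCD byte 0x{b:02x}")
    return hi * 10 + lo


def decode_rtc(cmos):
    """Decode the RTC date and time from a raw CMOS dump (bytes)."""
    if len(cmos) < 0x33:
        raise ValueError("dump too short to hold RTC and century registers")
    binary = bool(cmos[STATUS_B] & 0x04)   # bit 2 set: values are binary, not BCD
    is_24h = bool(cmos[STATUS_B] & 0x02)   # bit 1 set: 24-hour mode
    conv = (lambda b: b) if binary else bcd
    hour_raw = cmos[HOUR]
    pm = bool(hour_raw & 0x80) and not is_24h   # bit 7 flags PM in 12-hour mode
    hour = conv(hour_raw & 0x7F)
    if not is_24h:
        hour = hour % 12 + (12 if pm else 0)    # 12 AM -> 0, 12 PM -> 12
    year = conv(cmos[CENTURY]) * 100 + conv(cmos[YEAR])
    return datetime(year, conv(cmos[MONTH]), conv(cmos[DAY]),
                    hour, conv(cmos[MIN]), conv(cmos[SEC]))


def clock_offset(cmos, reference):
    """Offset of the system clock from a trusted reference (positive = fast)."""
    return decode_rtc(cmos) - reference


def sample_dump():
    """Constructed 128-byte dump: BCD, 24-hour mode, 2003-06-15 14:07:33."""
    d = bytearray(128)
    d[SEC], d[MIN], d[HOUR] = 0x33, 0x07, 0x14
    d[DAY], d[MONTH], d[YEAR] = 0x15, 0x06, 0x03
    d[STATUS_B], d[CENTURY] = 0x02, 0x20
    return bytes(d)


if __name__ == "__main__":
    ref = datetime(2003, 6, 15, 14, 2, 33)   # constructed reference time
    print(decode_rtc(sample_dump()), clock_offset(sample_dump(), ref))
```

The offset is what lets file date-time stamps on the disk be related to actual time later in the examination.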

start sidebar

Preview (Chapter 9): BIOS passwords can present a significant barrier when digital investigators need to boot a computer from a floppy disk to collect evidence. In many cases, it is possible to circumvent the password by resetting the CMOS or having a data recovery expert manually control the read/write heads to overwrite the password. However, these processes can alter the system settings significantly and cause more problems than they solve, so they should only be used as a last resort. Therefore, when prompted for a BIOS password, try to obtain the password from the user along with all other passwords for the system and its contents. Alternatively, remove the hard drive from the computer and copy it using an evidence collection system as described in later chapters. Some systems, such as IBM ThinkPads, associate the hard drive, motherboard, and BIOS in a way that makes it very difficult to get around the BIOS password. Again, the easiest way to deal with this type of situation is to obtain the password from the user, but there are some organizations, such as Nortek (www.nortek.on.ca/nortek), that can physically manipulate the drive to overwrite the BIOS passwords.

end sidebar

CASE EXAMPLE (UNITED STATES v. ZACARIAS MOUSSAOUI 2003):

start example

During the trial of convicted terrorist Zacarias Moussaoui, a question arose regarding the original CMOS settings of his laptop. The laptop had lost all power by the time the government examined its contents, making it more difficult to authenticate the associated digital evidence.

The loss of all power means that the original date and time settings cannot be retrieved, and that other settings, such as how the computer performed its boot sequence, the types of ports and peripherals enabled, and the settings regarding the hard disk and the controller, are all lost as well. All of this is essential information on how the laptop was set up. (United States v. Moussaoui 2003)

Fortunately, the CMOS settings were recorded when the laptop was originally processed by a Secret Service Agent on September 11, 2001, before the power was lost.

end example

In many computers, the results of the POST are checked against a permanent record stored in the CMOS microchip. If there is a problem at any stage in the POST, the computer will emit a series of beeps and possibly an error message on the screen. The computer manual should explain the beep combinations for various errors. When all of the hardware tests are complete, the BIOS instructs the CPU to look for a disk containing an operating system.

Sun and Macintosh computers follow slightly different boot sequences and terminology. For instance, newer Macintosh computers call the CMOS chip Parameter RAM (PRAM). After the POST, a program called Open Firmware (similar to the PC-BIOS) initializes and attempts to locate attached hardware. Open Firmware then performs a sequence of operations to load the Macintosh operating system (Mac OS). Sun systems have an initial low-level POST that tests the most basic functions of the hardware. After Sun machines perform this initial POST, they send control to the OpenBoot PROM (OBP) firmware (similar to the PC-BIOS) and perform additional system tests and initialization tasks.

8.2.4 Disk Boot

An operating system extends the functions of the BIOS, and acts as an interface between a computer and the outside world. Without an operating system it would be very difficult to interact with the computer - basic commands would be unavailable, data would not be arranged in files and folders, and software would not run on the machine.

Most computers expect an operating system to be provided on a floppy diskette, hard disk, or compact disk. So, when the computer is ready to load an operating system, it looks on these disks in the order specified by the boot sequence setting mentioned in the previous section. The computer loads the first operating system it finds. This fact allows anyone to preempt a computer's primary operating system by providing an alternate operating system on another disk. For instance, a floppy diskette containing an operating system can be inserted into an Intel-based computer to prevent the operating system on the hard disk from loading. The Macintosh Open Firmware can be instructed to boot from a CD-ROM by holding down the "c" key. The Sun OBP can be interrupted by depressing the "Stop" and "A" keys simultaneously and the boot device can be specified at the ok prompt (e.g. boot cdrom).

This ability to prevent a computer from using the operating system on the hard disk is important when the disk contains evidence. For instance, in one case a technician was asked to note the system time of a Macintosh iBook before removing its hard drive. He booted the system and tried to interrupt the boot process to access the CMOS, not realizing that this feature does not exist on Macintosh. As a result, the system booted from the evidentiary hard drive, altering date-time stamps of files and other potentially useful data on the disk.
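The added example below (not from the book) models the "first operating system found" rule so an examiner can check, before powering on, whether a given boot sequence and set of media would start the evidentiary disk. It is a simplified model: it assumes the firmware accepts sector 0 only when it ends in the 55 AA boot signature and otherwise moves to the next device, which real firmware does not always do; device names and sectors are constructed.

```python
SECTOR = 512
BOOT_SIG = b"\x55\xaa"   # PC boot signature at bytes 510-511 of sector 0


def is_bootable(sector0):
    """True if media is present and its first sector carries the signature."""
    return (sector0 is not None and len(sector0) >= SECTOR
            and sector0[510:512] == BOOT_SIG)


def select_boot_device(boot_sequence, devices):
    """Return the first device in the boot sequence with a bootable sector 0.

    boot_sequence: device names in the order recorded from the CMOS setup.
    devices: name -> first-sector bytes, or None when no media is present.
    """
    for name in boot_sequence:
        if is_bootable(devices.get(name)):
            return name
    return None


def evidence_at_risk(boot_sequence, devices, evidence="hdd0"):
    """True if powering on in this configuration would boot the evidence disk."""
    return select_boot_device(boot_sequence, devices) == evidence


def make_sector(bootable):
    """Constructed sector 0: zero-filled, optionally with the boot signature."""
    s = bytearray(SECTOR)
    if bootable:
        s[510:512] = BOOT_SIG
    return bytes(s)


# Constructed scenarios; the device names are hypothetical labels.
HDD_FIRST = ["hdd0", "floppy", "cdrom"]
FLOPPY_FIRST = ["floppy", "cdrom", "hdd0"]
WITH_FLOPPY = {"floppy": make_sector(True), "cdrom": None, "hdd0": make_sector(True)}
BLANK_FLOPPY = {"floppy": make_sector(False), "cdrom": None, "hdd0": make_sector(True)}
EMPTY_DRIVE = {"floppy": None, "cdrom": None, "hdd0": make_sector(True)}

if __name__ == "__main__":
    for seq, devs in [(HDD_FIRST, WITH_FLOPPY), (FLOPPY_FIRST, WITH_FLOPPY),
                      (FLOPPY_FIRST, BLANK_FLOPPY), (FLOPPY_FIRST, EMPTY_DRIVE)]:
        risk = "EVIDENCE DISK BOOTS" if evidence_at_risk(seq, devs) else "ok"
        print(seq, "->", select_boot_device(seq, devs), risk)
```

Only the floppy-first sequence with a bootable diskette keeps the hard disk from starting; a boot diskette inserted while the hard drive is still first in the sequence, a non-bootable diskette, or an empty drive all fall through to the evidentiary disk.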




Digital Evidence and Computer Crime
Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
EAN: 2147483647
Year: 2003
Pages: 279
